The Increasing Necessity for SSL Decryption


SSL decryption—a process that allows you to inspect Secure HTTP traffic as it passes through your firewall—has always played a large role in protecting and securing your network. Without getting to see the full traffic picture, there is no way to properly protect your network, your users, or your data. Recent changes amplify the need for SSL decryption, making it more important than ever to shine a light on your traffic and activity.

Let's unpack SSL Decryption and Palo Alto Networks software and hardware.

More traffic is being encrypted

Upwards of 95% of traffic is now encrypted, weak protocols are no longer supported, and SSL certificates are easier to obtain than ever before. On top of that, more sites are moving to HTTPS, which makes it harder to see the full security picture without decryption.

PAN-OS 10.0 and 10.1 bring advances in the SSL decryption capabilities of Palo Alto Networks software: decryption is easier to deploy and performs better.

Starting with PAN-OS 10.0, TLS 1.3 decryption support has been added in all modes: Forward Proxy, Inbound inspection, Decryption mirror and Decryption broker.

This gives you complete visibility into and control over TLS 1.3 traffic, and lets you apply all Next-Gen security features to it.

Organizations that deploy third-party security controls as part of their overall security suite need to decrypt traffic multiple times to realize the benefits of the full security stack. Doing so introduces operational complexity, increases network latency, and negatively impacts the end-user experience.

Although other firewall vendors offer decryption, they cannot send all the traffic to third-party security tools, which creates blind spots. As a result, enterprises end up buying additional appliances, such as SSL decryption and dedicated packet broker appliances, to decrypt, filter, and forward traffic to security tools, which increases cost and operational complexity.

With the new Network Packet Broker (which is free), our NGFW can intelligently forward all types of traffic (e.g. TLS, decrypted TLS, and non-TLS) to third-party security tools from a single device. It allows you to optimize your network performance and maximize the efficacy of your existing security tools by selectively sending only the necessary traffic to a given third-party security tool. Customers can also eliminate single points of failure by load-balancing traffic across multiple appliances.

New hardware

Alongside the new software, Palo Alto Networks has also announced new hardware that takes full advantage of it.

Introducing the PA-400 Series for the Distributed Enterprise: the PA-400 Series is a big performance jump from our previous generation PA-220, with up to 10x the threat + decryption performance and up to 5x faster boot times.

* Compared to Cisco 9300 with 2 x SM-56 cards (128 Gbps NGFW)

Introducing the PA-5450 for Hyperscale Datacenter and Internet Edge: as most enterprise traffic is now encrypted, decryption inside the NGFW is a key requirement, and the PA-5450 delivers massive threat + decryption performance improvements, up to 5x the threat + decryption performance of the PA-5260.

Along with that, the new DPC cards can improve decryption performance by 33%.


More logs, easier to see

One of the new improvements is the addition of the SSL Activity tab inside the ACC (Application Command Center). In this tab you can see the following items:

  • TLS version of the SSL traffic
  • Decryption failure reasons
  • Decrypted/Non-Decrypted percentage

With the new enhanced view in the ACC, you can drill down into decryption-related issues much more easily, jump to the decryption logs directly from the ACC, and audit traffic that uses weak TLS versions or weak ciphers. This saves time, and headaches.
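To make the three SSL Activity views concrete (TLS version breakdown, decryption failure reasons, decrypted vs. non-decrypted percentage) and the weak-version/weak-cipher audit described above, here is an added example, not code from Palo Alto Networks or from this post, that computes the same breakdown over a handful of constructed log records. The CSV layout, the field names, and the failure-reason strings are assumptions made for the example and are not the PAN-OS decryption log schema; a real deployment would feed the parser from exported decryption logs instead.

```python
"""Summarize decryption-style log records the way the ACC SSL Activity tab
breaks them down, and flag sessions that negotiated weak TLS versions or
weak ciphers.

Added example. The record layout, field names and error labels below are
constructed for illustration and are NOT the PAN-OS decryption log schema.
"""
from collections import Counter
import csv
import io

# Constructed sample records (hypothetical layout):
# ts, src, dst, sni, tls_version, cipher, decrypted (yes/no), error
SAMPLE_LOG = """\
ts,src,dst,sni,tls_version,cipher,decrypted,error
2021-07-06T10:00:01,10.1.1.5,203.0.113.10,example.com,TLSv1.3,TLS_AES_256_GCM_SHA384,yes,
2021-07-06T10:00:02,10.1.1.6,203.0.113.11,legacy.example.net,TLSv1.0,RC4-SHA,no,unsupported-cipher
2021-07-06T10:00:03,10.1.1.7,203.0.113.12,bank.example.org,TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,no,pinned-certificate
2021-07-06T10:00:04,10.1.1.8,203.0.113.13,cdn.example.com,TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384,yes,
2021-07-06T10:00:05,10.1.1.9,203.0.113.14,old.example.com,TLSv1.1,DES-CBC3-SHA,no,unsupported-version
2021-07-06T10:00:06,10.1.1.5,203.0.113.15,app.example.com,TLSv1.3,TLS_CHACHA20_POLY1305_SHA256,yes,
"""

# Protocol versions that should no longer appear on a well-managed network.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings that identify cipher suites a decryption profile should block.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")


def parse_records(text):
    """Parse the constructed CSV into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def is_weak_cipher(cipher):
    """True if the negotiated cipher suite name carries a weak marker
    (RC4, single/triple DES, NULL, export-grade, MD5 MAC, anonymous DH)."""
    upper = cipher.upper()
    return any(marker in upper for marker in WEAK_CIPHER_MARKERS)


def summarize(records):
    """Return the SSL Activity style breakdown plus a weak-session audit list."""
    total = len(records)
    decrypted = sum(1 for r in records if r["decrypted"] == "yes")
    versions = Counter(r["tls_version"] for r in records)
    failures = Counter(
        r["error"] for r in records if r["decrypted"] == "no" and r["error"]
    )
    weak = [
        (r["src"], r["sni"], r["tls_version"], r["cipher"])
        for r in records
        if r["tls_version"] in WEAK_VERSIONS or is_weak_cipher(r["cipher"])
    ]
    return {
        "total": total,
        "decrypted_pct": round(100.0 * decrypted / total, 1) if total else 0.0,
        "versions": dict(versions),
        "failure_reasons": dict(failures),
        "weak_sessions": weak,
    }


if __name__ == "__main__":
    report = summarize(parse_records(SAMPLE_LOG))
    print(f"sessions: {report['total']}, decrypted: {report['decrypted_pct']}%")
    print("TLS versions:", report["versions"])
    print("failure reasons:", report["failure_reasons"])
    for src, sni, ver, cipher in report["weak_sessions"]:
        print(f"WEAK  {src} -> {sni}  {ver}  {cipher}")
```

The failure-reason counter only counts sessions that were not decrypted, so a policy-driven no-decrypt (for example a pinned certificate) is visible separately from a protocol-level problem, which is the distinction the failure-reasons view is meant to surface. Sessions that were not decrypted still carry the negotiated version and cipher, so the weak-session audit covers encrypted traffic as well as decrypted traffic.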

SSL Decryption technology page

If you didn't already know, the LIVEcommunity has a dedicated SSL Decryption technology page. This is the one place in the LIVEcommunity to find discussions, articles, blogs, videos and resources all about SSL Decryption.



More Information

For all of the details on best practices, tools and processes, please download the whitepaper on SSL Decryption.

Want help planning your SSL deployment? We are here to help: Plan Your SSL Decryption Best Practice Deployment with the Decryption Best Practices.

Thanks for taking time to read my blog. 

If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the LIVEcommunity Blog area.

As always, we welcome all comments and feedback in the comments section below.

Stay Secure,

Joe Delio

End of line
