From: Regan Herbst (@reganherbst)
#askpanw Significant increases in encrypted traffic are impacting the visibility of traffic. How does Palo Alto Networks address this?
Great question given the increasing prevalence of encrypted traffic flows and the continued exploitation of those flows by cybersecurity adversaries to cover their tracks. PAN-OS provides two forms of decryption in order to secure encrypted web traffic. First, for traffic destined for arbitrary hosts on the Internet, PAN-OS utilizes a forward proxy capability to decrypt that traffic, inspect it, and then re-encrypt prior to forwarding on to the correct destination. The forward proxy decryption capability allows a security administrator to make decryption decisions based on user identity, URL categorization of the website, and also provides extensive controls related to how SSL or TLS is being used on the server side. As an example, a security administrator can choose to prevent employees from connecting to websites that use invalid or expired certificates. They can also eliminate the use of ciphers or TLS protocol versions with known vulnerabilities. This is all possible even in cases where the server utilizes perfect forward secrecy (as of PAN-OS 7.1).
The second type of decryption PAN-OS provides is known as inbound inspection. In this case, the enterprise is decrypting traffic destined for a server under its control (either in its datacenter or in a public cloud instance). The primary distinction from forward proxy is that PAN-OS will use the server's key to decrypt flows, providing for a more efficient decryption operation. Ultimately, both forms of decryption permit PAN-OS to apply its advanced security capabilities to block known threats, discover new threats, and break open the adversary's most effective and pervasive evasion mechanism.
Thanks for the response Nick. The ever-increasing use of decryption is putting a strain on the ability of the Palo Alto Networks product to scale within a reasonable cost model. Do the newly announced hardware models improve the SSL Decrypt scale/price point?
Another challenge is the ever-increasing list of applications (more than 90) that cannot be decrypted due to the use of a proprietary encryption scheme or non-standard SSL. Can you comment on how to address this issue?
The newly announced hardware models provide for substantially higher decryption performance and decrypted session capacity. A byproduct of that is an improvement of the decryption performance / price ratio.
You bring up a very important point regarding those applications that cannot be decrypted. There are several causes for that. In some cases, browsers like Chrome are using pinning to ensure that the server's certificate is signed (somewhere in the certificate hierarchy) by a CA known to be associated with that particular site. This is an important security feature as it permits Chrome (or insert your favorite browser here) to recognize when a rogue or misbehaving Certificate Authority accidentally issues a certificate for a domain without verifying ownership, which represents a real risk as an adversary can masquerade as the legitimate site for which they've procured a certificate. Fortunately, most browsers will also permit access to those same sites if their certificate chain can be followed back to a trusted root loaded on the operating system's CA store by an admin within the enterprise. So in this case, there are no issues decrypting and securing traffic.
Other cases involve the use of mutual authentication (which cannot be decrypted in forward proxy mode) or certificate hard-coding, where the client itself looks for a specific server certificate. Naturally the client will not see that hard-coded certificate if forward proxy mode decryption is in use. PAN-OS versions prior to 8.0 utilize a certificate exclude list in an attempt to maintain availability of such services that offer some value to the enterprise. Fortunately, PAN-OS 8.0 introduces new controls to help administrators get a handle on these cases. On the Device Tab > Certificate Management folder > SSL Decryption Exclusion node, PAN-OS/Panorama administrators can now view all of the exclusions published by Palo Alto Networks. They can also decide whether to accept these exclusions in favor of availability, or to disable these exclusions in favor of security (in which case the user will generally have to use the same application via a browser-based interface to ensure we can secure its usage).
From our perspective, we are starting to see some application developers come around on the subject of hard-coding, particularly those interested in selling valuable services to enterprises. Usage of hard-coded certificate verification is a subject worth discussing prior to adopting new SaaS services given the severe implications the behavior has on security.
Hope this helps,
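The three client behaviours described in the answer above (a pinning browser that still accepts a chain ending at an admin-installed enterprise root, the same browser when that root is missing, and an application that hard-codes the exact server certificate), modelled as an added Go example that is not Palo Alto Networks code or anything posted in this thread. It issues the origin site's chain, an enterprise decryption root and the forward proxy's re-signed certificate for the same host, then asks each client model whether it accepts the proxy's certificate; the host name, CA names and the simplified pinning rule (pin on the origin's root key, skipped when the chain ends at a locally installed root) are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent, or a self-signed root CA when parent is nil.
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors ignored: every input here is fixed and known-good
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pinnedOK models browser key pinning (simplified Chrome rule): a chain to a public root must end at the
// pinned root key, while a chain ending at an admin-installed local root is accepted without the pin check.
func pinnedOK(leaf *x509.Certificate, public, local *x509.CertPool, pinned *x509.Certificate, host string) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: public, DNSName: host})
	if err != nil { // not publicly trusted: only an enterprise root in the OS store can rescue it
		_, err = leaf.Verify(x509.VerifyOptions{Roots: local, DNSName: host})
		return err == nil
	}
	return bytes.Equal(chains[0][len(chains[0])-1].RawSubjectPublicKeyInfo, pinned.RawSubjectPublicKeyInfo)
}

// Evaluate issues the origin chain plus the proxy's re-signed certificate and reports which clients accept it.
func Evaluate() map[string]bool {
	host := "app.example.com" // constructed hostname
	originCA, originKey := issue("Origin Root CA", nil, nil)
	originLeaf, _ := issue(host, originCA, originKey)
	entCA, entKey := issue("Enterprise Decryption CA", nil, nil) // root the admin pushes to endpoints
	proxyLeaf, _ := issue(host, entCA, entKey)                   // what the forward proxy presents
	public, local := x509.NewCertPool(), x509.NewCertPool()
	public.AddCert(originCA)
	local.AddCert(entCA)
	return map[string]bool{
		"pinned browser, enterprise root installed": pinnedOK(proxyLeaf, public, local, originCA, host),
		"pinned browser, enterprise root missing":   pinnedOK(proxyLeaf, public, x509.NewCertPool(), originCA, host),
		"app with hard-coded certificate":           bytes.Equal(proxyLeaf.Raw, originLeaf.Raw),
	}
}
```

The hard-coded case is the one no CA-store change can fix, which is why the answer points to the SSL Decryption Exclusion list or a browser-based interface for such applications.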