Privacy and security are in constant tension. Hiding internet activity strengthens privacy—but also makes it easier for bad actors to infiltrate the network. In fact, 63% of threats detected by Cisco Stealthwatch in 2019 were in encrypted traffic. The European Union is concerned enough that it drafted a resolution in November 2020 to ban end-to-end encryption, prompting outcry from privacy advocates.
Along with others in the networking industry, we at Cisco are working to continually improve both security and privacy, without an advance in one area harming the other. In this blog I’ll describe two recent privacy advances—DNS over HTTPS (DoH) and QUIC—and what we’re doing to maintain visibility.
Keeping your destination private: DNS over HTTPS
When you type “example.com” in your browser, the request goes to a DNS server that matches the URL to an IP address. Until recently, DNS messages were sent in the clear. Routers along the path could see your destination—and enough of your device’s IP address to figure out your identity. Privacy suffers when people can snoop on your internet activity and sell your data. And security suffers when bad actors can see a DNS request and divert it to a malicious site masquerading as the intended destination.
DoH prevents both of these problems. As shown in the diagram, the browser encrypts the DNS request so that routers along the path can’t see it. An observer can see only that the message is a lookup—not the sender’s IP address or destination. No snooping, no spoofing.
As DoH becomes mainstream, a couple of changes are needed to maintain security. First, devices and browsers will need to know which DNS servers support DoH. The Adaptive DNS Discovery working group of the IETF has a couple of proposals under review. We’ve already updated Cisco Umbrella so you can turn on DoH support.
Second—the “gotcha”—is making sure the devices you care about connect to a trusted DNS service provider. DoH uses HTTPS, the same transport used by web applications. That means users, applications, and devices can choose a DNS service—potentially skirting services with malware protections (see figure). IT security teams will need to adjust their access policy to only allow connections to approved DNS services. I’ve linked to couple of excellent short articles on this topic at the end of this blog.
A better experience and improved privacy: QUIC and HTTP/3
DNS message encryption (control plane) is new. Connection encryption (data plane) is well established, but recent advances improve the user experience. For example, HTTP/3, soon to be an IETF draft standard, uses a new transport protocol called QUIC, built on top of UDP. QUIC’s advantages:
- It’s secured by TLS 1.3. Built-in encryption and authentication speed the connection setup (see figure).
- UDP transport eliminates performance problems caused by head-of-line blocking.
- QUIC packet headers include a connection ID that helps to smooth the transition between networks—for instance, if you walk out of the building during a Webex session and switch from Wi-Fi to LTE.
As of January 2021, over 5% of the top 10 million websites supported QUIC. Over 4% used HTTPS/3, including Google, YouTube, Facebook, and Uber. (The numbers keep rising – click here for the latest.) As adoption grows, security teams will need a way to detect threats hidden in this encrypted traffic. Keep in mind that with HTTPS/3, analytics will need to pay attention to all transports: TCP, UDP, and QUIC. We’re working on analytics and behavior-based models to detect malicious traffic from a variety of data, especially network telemetry data such as the protocol used, cipher suites, and key lengths.
For visibility that preserves privacy, look to analytics
No matter how privacy protocols evolve, security teams will need visibility into their networks to detect compromised devices and applications. It’s good news for privacy that inspecting TLS traffic is not the only answer to visibility. Analytics achieve the same aim without revealing traffic destination or content. As the threat surface expands, we’ll need to analyze and correlate telemetry information from network devices. Here are some of the ways our solutions already use analytics for visibility:
- Encrypted Traffic Analytics (ETA) uses machine learning to detect threats from visible telemetry information from Cisco switches and routers, such as packet lengths, arrival times, and initial handshake data packets.
- Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud) is a cloud service that uses Encrypted Threat Analytics to spot suspicious activity on the WAN and in cloud-bound traffic.
- Cisco Advanced Malware Protection (AMP) for Endpoints operates on the laptop or mobile device, where files and payloads are created and stored.
- Cisco Umbrella, a DNS resolver, detects, analyze, and reports on malicious websites.
- Extended Detection and Response, part of Cisco SecureX, provides a unified view of enterprise security posture by tying together data from your infrastructure and the Cisco security portfolio.
- Cisco Endpoint Security Analytics (CESA), an integration of Cisco’s Network Visibility Module with Splunk, provides visibility for threat detection.
For more of our latest thinking on visibility in an encrypted world:
- Cryptographic Visibility: Quality Encryption at Your Fingertips
- DoH! What’s All the Fuss About DNS Over HTTPS?
- Preventing Circumvention of Cisco Umbrella with Firewall Rules
I welcome your comments.