To the Depth of TLS Invisibility and Beyond

Encrypted traffic is changing the threat landscape. Today’s digital businesses rely on encryption of application traffic for information sharing. The fact that the Internet is becoming increasingly “dark” is not debated with all indicators showing a steady increase. Compounding this issue is the potential of East/West traffic within an environment that could be hiding threats such as data hoarding or exfiltration that doesn’t leave over the Internet boundary.

Encryption technology enables greater privacy and security to communicate and transact business online. Mobile, cloud, and web applications rely on well-implemented encryption mechanisms, using keys and certificates, to ensure confidentiality and trust. Bad actors leverage these same benefits to evade detection, hiding malicious activities.

The encryption ecosystem is a significant portion of the IT organization’s charter and not without its challenges. Security and Network administrators need the firewalls to decrypt / analyze benign and malicious encrypted traffic to enforce policy without significantly affecting the user experience, while maintaining required privacy. Shadow IT adds another degree of complexity. Most of the modern applications communicate over TLS-encrypted sessions and are used by employees without IT knowledge or approval. Common threats lurking within TLS include: command and control, data exfiltration, malware downloads, and compromised website access.

Supporting in-line TLS decryption and inspection is a basic requirement for any NGFW solution. Performing this at scale is another matter entirely. There are two distinct phases to each encrypted connection. The first phase, TLS session establishment, involves a message exchange between the TLS client and server with session parameters like identities, certificates, cipher suites, and secret keys established. Most NGFW products process this part of a TLS session in the software, since it perceivably involves a little amount of data. This function is the highest overhead element of the TLS session – bulk encryption is nearly nothing by comparison. Doing this in SW is the mistake most vendors make. The overhead certainly adds up when the same handshake precedes every HTTPS connection in a very transactional traffic profile; it typically has a tremendous impact on the number of new and existing TLS connections that an NGFW can process per unit of time.

The second phase, encrypted record exchange, follows the TLS handshake with an actual encrypted payload exchange, using the previously established parameters. Most NGFW vendors accelerate encrypted record processing in hardware, where the bulk data exchange occurs; this improves the throughput numbers on paper unless you subject the NGFW to a highly transactional traffic profile – which is typically what is observed at the Extranet edge.

The Firepower Engineering team enabled hardware-assisted TLS inspection across all Firepower 2100, 4100, and 9300 appliances in FTD 6.3 by default. Unlike many other vendors, we implemented TLS session establishment processing in the hardware as well. This means that FTD NGFW provides the necessary scale for transactional traffic profiles prevalent at the extranet edge, yielding an up to 6x improvement for the throughput and up to 25x increase in the number of TLS connections processed per second as compared to similar software-only implementations.

Our superior TLS inspection performance was positively validated against competitors in both internal as well as customer testing. Best of all, existing Firepower customers only need an FTD 6.3 software upgrade; the necessary hardware was always included with their 2100, 4100, and 9300 appliances – no costly upgrades or replacements required. Customers can continue to leverage the powerful control of the FTD software to manage their TLS/SSL policies to determine what should and should not get encrypted – a critical element in maintaining privacy standards at scale. See the following data sheet for a detailed explanation of the testing methodologies and FTD 6.3 performance with TLS.

Cisco publishes the TLS decryption rate in the data sheet with NGFW services enabled and a TLS mix using strong ciphers and strong keys on every packet. When evaluating vendors, customers should make sure the TLS performance numbers are based on the use case and volume they expect.

Gain greater awareness and control of the encrypted applications and traffic in your network with TLS/SSL inspection: