DECRYPT SSL AND SSH TRAFFIC TO DISRUPT ATTACKER COMMUNICATIONS AND THEFT

SUMMARY

Industry: Federal Government

Use Case: Prevent potentially obfuscated, successful cyberattacks against federal agencies using the SSL/SSH decryption integrated into Palo Alto Networks next-generation security appliances, physical and virtual.

Business Benefits
- Protect government networks and data from threats hiding in encrypted traffic.
- Comply with government mandates that encrypted traffic be decrypted and examined for threats, unauthorized access or other indicators of compromise.

Operational Benefits
- Streamlined, more cost-effective approach to decryption and security.
- Resource improvements spanning time, personnel and expenditures.
- Reduced latency, particularly for time-sensitive applications and networks.
- Higher decryption throughput.
- Shorter decision loop for swifter prevention.

Security Benefits
- Swifter prevention, with visibility into attempted attacks that use encryption to hide.
- Reduced risk of successful attacks, including exfiltration of PII and other sensitive or classified data.
- Reduced risk of attackers using public key infrastructure against government networks.
- Prevention of attacks that rely on counterfeit, expired or invalid certificates.

Business Problem

According to the latest research, 25 to 35 percent of typical enterprise traffic is SSL-encrypted, and in some industries (e.g., financial services) the share may be as high as 70 percent. The share tends to be higher still on government networks because of regulatory requirements, leaving multiple blind spots for security monitoring tools. As more internet traffic is encrypted with Secure Sockets Layer or its successor, Transport Layer Security, more attackers, including state-sponsored actors, use the same technology to hide malware and raise the likelihood of a successful attack. Secure Shell tunnels can likewise hide malware and botnet command-and-control traffic and be used to exfiltrate data.
For example, a recent successful phishing attack against the public email system of a prominent Western defense agency used SSL to encrypt malware downloaded by unsuspecting users who clicked an infected web link. Even organizations with mature security capabilities can be breached if they are not monitoring encrypted traffic for malware.

Business Drivers

The number, scale and sophistication of cyberattacks against governments have increased in recent years. Attackers continue to use SSL/SSH encryption to hide their operations and pursue target data. Because SSL depends on a certificate authority and public key infrastructure to create and sign certificates and to verify their validity, government agencies must also ensure that attackers are not using the PKI itself against the government network. Given this, governments have started to consider or mandate the decryption of encrypted communications moving into and out of government networks. In the U.S., the National Institute of Standards and Technology has issued guidelines and regulations for U.S. government agencies, primarily in the form of Federal Information Processing Standards and Special Publications (800-series). FIPS mandates that encrypted internet traffic, inbound or outbound, be decrypted and examined for the presence of malware or other unsuitable content, unauthorized access, or other indications of a cyberattack. Other governments have issued top cyber-intrusion mitigation strategies and use ISO standards to protect their infrastructure. These do not yet include a recommendation for decryption, but may in the future given the growth of this attack technique. Governments must consider scrutinizing encrypted communications within their networks to address it. A comprehensive security strategy for federal and other government agencies requires in-depth analysis of encrypted traffic to detect and prevent hidden attacks and data leakage.
Palo Alto Networks Decrypt SSL and SSH Traffic to Disrupt Attacker Communications and Theft Use Case 1
Traditional Approach

Traditional approaches to decryption typically comprise a pair of dedicated decryption devices (e.g., an SSL decryption product or load balancer) with multiple security products deployed in-line between them. Depending on an organization's specific requirements, the security products layered between the decryption devices might include a firewall, intrusion prevention system, URL filtering, unified threat management or data loss prevention technology. Each of these security functions is executed separately once traffic has passed through the first decryption device in the stack. While this process can be effective at revealing what encrypted traffic contains, it poses several issues:

- Added latency. With numerous security devices in the path, latency increases. This is particularly problematic for applications on the government network that are sensitive to latency: voice and video are prevalent, and demand low latency and predictable jitter.
- Increased time to resolution. Decryption of SSL traffic can be complex. With the traditional approach, if an organization needs to resolve a problem or security incident, it can be difficult to troubleshoot issues in the decryption flow and handling. Individual products are not integrated and do not cross-communicate. There are often separate subject matter experts for each product, and many logs to review before the source of an issue can be found and timely, appropriate remediation applied.
- Increased personnel and operational costs. Even without decryption, stand-alone security products and capabilities require individual, dedicated subject matter experts. This adds to resource and operational expenditures, and can often result in a separation of minds and misalignment of security goals.
- Cumbersome and costly SIEM. Each security device deployed in-line can add to Security Information and Event Management (SIEM) expenses.
The additional personnel and correlation requirements between divided resources can become costly and cumbersome over time.

Palo Alto Networks Approach

Palo Alto Networks Next-Generation Security Platform integrates SSL/SSH decryption with optional hardware security module (HSM) support for enhanced performance and security of certificate and key management. The application, content and user identification capabilities on the appliances, referred to as App-ID, Content-ID and User-ID technology respectively, enable security administrators to identify the applications, URL categories or content types, and the individual users or groups accessing the network. These and related features give government administrators integrated, comprehensive SSL/SSH inspection on the same security appliances. The virtual and physical appliances integrate security mechanisms up through Layer 7 to give complete control over network activity at the firewall level. As displayed in Figure 1, administrators can apply decryption to determine the identity and intended activity of HTTPS traffic. For SharePoint, for example, policy can be applied to control what activity is allowed: an administrator can allow access to SharePoint but deny document sharing. With integrated SSL/SSH decryption, this can be done without going through multiple locations and devices to determine port/protocol, application, signature and so on, and then decrypting the communications. Certificate and key management features can be used to block expired certificates, terminate sessions with untrusted issuers or certificates signed by untrusted CAs, and block unsupported protocol versions and ciphers.
[Figure 1: Decrypting communications using Palo Alto Networks Next-Generation Security Platform. The flow shown: initiator and receiver complete the TCP handshake (SYN, SYN-ACK, ACK; connection established), which is where a stateful firewall stops; policy is consulted; HTTPS traffic is decrypted (SSL or SSH); a known-protocol decoder decodes signatures, while an unknown-protocol decoder applies heuristics and identified traffic needs no further decoding; application signatures (e.g., web browser, SharePoint, SharePoint Docs) are matched; policy is reported and enforced.]

Additional benefits include:
- Complete safe enablement of traffic and applications in the network, including encrypted communications.
- Streamlined and more effective approach to decryption and security.
- Resource improvements spanning time, personnel and expenditures.
- Reduced latency, particularly for time-sensitive applications and networks.
- Greater decryption throughput.
- Shorter decision loop for swifter prevention.
The appliances use the identification technologies described above to analyze network traffic and enforce security policy. SSL/TLS and SSH decryption policies are integrated with those technologies and allow simple, effective policy enforcement. Source zone, address and User-ID, destination zone and address, URL category (including any custom categories), action (decrypt or no-decrypt), type (SSL Forward Proxy, SSL Inbound Inspection or SSH Proxy) and decryption profile are all configurable options (see Figure 2).

Figure 2: Example decryption policy on Palo Alto Networks Next-Generation Security Platform

| # | Name | Source Zone | Source Address | User | Destination Zone | Destination Address | URL Category | Action | Type | Certificate | Decryption Profile |
|---|------|-------------|----------------|------|------------------|---------------------|--------------|--------|------|-------------|--------------------|
| 1 | No Decrypt | L3-Trust | any | any | L3-Trust | any | financial-services, government, health-and-medicine, shopping | no-decrypt | ssl-forward-proxy | | DecryptProfile-block |
| 2 | Decrypt Important | L3-Trust | any | any | L3-Untrust | any | alcohol-and-tobacco, entertainment-and-arts, internet-portals | decrypt | ssl-forward-proxy | | DecryptProfile-block |
| 3 | ssh proxy | L3-Trust | any | any | L3-Untrust | any | any | decrypt | ssh-proxy | | DecryptProfile-block |
| 4 | inbound policy | L3-Untrust | any | any | L3-Trust | any | any | decrypt | ssl-inbound-inspection | PAN-SSL Decrypt | DecryptProfile-block |

Security and network administrators can apply additional enforcement options to protect agency assets, including the ability to:
- Block expired certificates, which stops click-through by users who tend to click OK on every warning.
- Block sessions with untrusted issuers or certificates signed by untrusted certificate authorities. It helps to be able to edit which root certificates administrators want users to trust.
- Block or bypass unsupported SSL/TLS versions and cipher suites. Most of the time, unsupported versions and ciphers are being used to circumvent security and policy.
- Block or bypass sessions if decryption resources are not available.
The types of decryption an administrator can choose, depending on objectives and network considerations, are SSL Forward Proxy, SSL Inbound Inspection and SSH Proxy. There are further considerations for how government agencies may approach decryption on their networks when searching for attacker communications. More information on these and other details of SSL and SSH decryption can be found in the following resources:
- Enforcing SSL and SSH Security for Federal Agencies
- PAN-OS 8.0 Administrator's Guide: Decrypt Traffic for Full Visibility and Threat Inspection
- LIVE Community: Safely inspecting SSL transactions

Real-World Federal Government Customer Deployment

In this real-world example, a large federal institution with more than 400,000 users throughout the continental U.S. needed to protect its network from malware and threats hiding in encrypted traffic. Already a long-time Palo Alto Networks customer, the institution saw a 40 percent increase in encrypted traffic. With the network's original specifications, however, security could only secure 50 percent of all traffic leaving the network perimeter, and the team was seeing a significant spike in CPU utilization. Meanwhile, despite significant investments in security practitioners, operations and products, the security team faced a vexing question: how does it feel that, after all your security processes, procedures and money spent, you are only protecting about a quarter of your internet traffic? To minimize disruption while continuing to enforce maximum security and operational efficiency, the team reviewed the institution's networking needs, accounting for the full level of SSL decryption its security required. Ultimately, it chose to meet these needs with Palo Alto Networks PA-7000 Series appliances and their on-board SSL decryption. With SSL decryption in operation, the customer can safely enable traffic and applications in its network, including the vast increase in encrypted communications.
Implementation Overview

Products deployed: Palo Alto Networks PA-7080 next-generation firewalls
Subscriptions: URL Filtering, Threat Prevention, WildFire cloud-based threat analysis service

How the customer implemented it (high level):
- Deployed a pair of highly available Palo Alto Networks firewalls at each trusted perimeter gateway. Each gateway, or Trusted Internet Connection (TIC), averages 450,000 sustained sessions with more than 5 Gbps of throughput.
- Based on App-ID, the customer became able to identify encrypted traffic traversing the network accurately and confidently, and decided to implement SSL decryption as a result.
- Security methodically enables SSL decryption on a subset of PAN-DB URL Filtering categories while monitoring both device performance and user impact.
- Although deployment is in its preliminary stages, the customer has gained insight into more than 100 million SSL sessions per day to which it was previously blind, applying advanced threat protection to mitigate risk.

How the customer's SSL decryption works (high level):
- Using policy-based decryption, PA-7080 appliances decrypt, inspect and control inbound as well as outbound SSL and SSH connections to:
  - Prevent malware concealed in encrypted traffic.
  - Prevent sensitive information from moving
  - Ensure only whitelisted applications are running on the secure network.
- To account for security risks introduced by the end-user community, SSL Forward Proxy (see Figure 3) is used to decrypt internet traffic sourced from internal users.
- Hardware security module integration with a third-party solution manages, processes and stores the cryptographic keys required for SSL decryption.
- Future security capabilities include Decryption Port Mirroring, as shown in Figure 4, on the PA-7080 appliances for analysis of traffic to Box.com.
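To make the Figure 2 policy and the forward-proxy exchange of Figure 3 concrete, here is an added Python model; it is not PAN-OS code or configuration. It evaluates a rule base shaped like Figure 2 top to bottom, applies the four decryption-profile enforcement options listed earlier, and, for SSL Forward Proxy, produces the certificate the client sees. Zone, rule and category names follow Figure 2 (rule 1's destination zone is assumed to be L3-Untrust); the trusted-issuer set, supported versions and ciphers, CA names and sample certificates are constructed, and certificates are plain records rather than real X.509. Signing with a separate forward-untrust CA when the upstream server's certificate fails validation is PAN-OS forward-proxy behaviour that this page does not describe.

```python
# Added example, not PAN-OS code: first-match rule lookup over a Figure 2-style rule base, the
# decryption-profile checks from the text, and the Figure 3 forward-proxy step of minting a server
# certificate. Names, the trusted-issuer set and version/cipher lists are constructed; Cert is not X.509.
from dataclasses import dataclass
from datetime import datetime, timezone

STRICT = frozenset({"expired", "untrusted-issuer", "unsupported", "no-resources"})  # DecryptProfile-block
TRUSTED_ISSUERS = frozenset({"Example Public Root CA", "Agency Root CA"})  # constructed trust store
SUPPORTED_VERSIONS = frozenset({"TLSv1.2", "TLSv1.3"})
SUPPORTED_CIPHERS = frozenset({"ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"})
FORWARD_TRUST_CA = "Agency Forward Trust CA"      # installed on managed endpoints
FORWARD_UNTRUST_CA = "Agency Forward Untrust CA"  # deliberately installed nowhere

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    categories: frozenset  # PAN-DB URL categories; {"any"} matches everything
    action: str            # "decrypt" or "no-decrypt"
    kind: str              # ssl-forward-proxy | ssl-inbound-inspection | ssh-proxy

@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    protocol: str          # "ssl" or "ssh"
    category: str = "any"  # URL category of the destination (none for SSH)

@dataclass(frozen=True)
class Cert:                # stand-in for the server certificate plus the negotiated parameters
    subject: str
    issuer: str
    not_after: str         # ISO date, so lexical comparison is chronological
    version: str
    cipher: str

RULES = [  # Figure 2 order, all using DecryptProfile-block; rule 1's destination zone assumed L3-Untrust
    Rule("No Decrypt", "L3-Trust", "L3-Untrust", frozenset({"financial-services", "government",
         "health-and-medicine", "shopping"}), "no-decrypt", "ssl-forward-proxy"),
    Rule("Decrypt Important", "L3-Trust", "L3-Untrust", frozenset({"alcohol-and-tobacco",
         "entertainment-and-arts", "internet-portals"}), "decrypt", "ssl-forward-proxy"),
    Rule("ssh proxy", "L3-Trust", "L3-Untrust", frozenset({"any"}), "decrypt", "ssh-proxy"),
    Rule("inbound policy", "L3-Untrust", "L3-Trust", frozenset({"any"}), "decrypt", "ssl-inbound-inspection"),
]

def match_rule(sess, rules=RULES):
    """Top-to-bottom first match, the way a firewall evaluates its rule base."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (sess.src_zone, sess.dst_zone):
            continue
        if (sess.protocol == "ssh") != (r.kind == "ssh-proxy"):
            continue
        if "any" not in r.categories and sess.category not in r.categories:
            continue
        return r
    return None

def check_cert(cert, today, blocks=STRICT, resources_ok=True):
    """Return a block reason, or None when the profile lets the session proceed."""
    if "expired" in blocks and cert.not_after < today:
        return "expired certificate"
    if "untrusted-issuer" in blocks and cert.issuer not in TRUSTED_ISSUERS:
        return "untrusted issuer"
    if "unsupported" in blocks and (cert.version not in SUPPORTED_VERSIONS or cert.cipher not in SUPPORTED_CIPHERS):
        return "unsupported version or cipher"
    if "no-resources" in blocks and not resources_ok:
        return "decryption resources unavailable"
    return None

def decide(sess, cert=None, blocks=STRICT, today=None, resources_ok=True):
    """Return (verdict, detail); for forward proxy the detail is the certificate minted for the client."""
    today = today or datetime.now(timezone.utc).date().isoformat()
    rule = match_rule(sess)
    if rule is None or rule.action == "no-decrypt":
        return "pass", rule.name if rule else "no matching rule"
    if rule.kind == "ssh-proxy":
        return "decrypt", "ssh-proxy"  # firewall terminates SSH, so tunnelled traffic becomes visible
    reason = check_cert(cert, today, blocks, resources_ok)
    if reason:
        return "block", reason
    if not resources_ok:               # the profile chose bypass rather than block
        return "pass", "bypassed: decryption resources unavailable"
    if rule.kind == "ssl-inbound-inspection":
        return "decrypt", "inbound inspection using the installed server key"
    # Forward proxy (Figure 3): session 1 is client<->firewall on a minted certificate, session 2 is
    # firewall<->server. The forward-trust CA signs the minted cert only if the upstream cert passes
    # every check; otherwise the untrust CA signs it, so the browser warns instead of silently trusting.
    signer = FORWARD_TRUST_CA if check_cert(cert, today) is None else FORWARD_UNTRUST_CA
    return "decrypt", Cert(cert.subject, signer, cert.not_after, cert.version, cert.cipher)

def client_accepts(minted, client_trust=TRUSTED_ISSUERS | {FORWARD_TRUST_CA}):
    """What the endpoint sees: it trusts the forward-trust CA, never the untrust CA."""
    return minted.issuer in client_trust

# Constructed sample input for a stand-alone run; the date matches the document's 2017 publication.
TODAY = "2017-06-26"
GOOD = Cert("portal.example.net", "Example Public Root CA", "2018-01-01", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")
OUTBOUND = Session("L3-Trust", "L3-Untrust", "ssl", "internet-portals")
```

The point of the two CAs is the last enforcement option in practice: with `"untrusted-issuer"` removed from the profile, a server whose certificate fails validation is still decrypted and inspected, but the minted certificate carries the untrust CA, so the user's browser raises the same warning it would have shown without the firewall rather than a green padlock signed by the agency. Calling `decide(OUTBOUND, GOOD, today=TODAY)` yields a certificate for `portal.example.net` issued by the forward-trust CA, which `client_accepts` reports as trusted.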
Benefits of Using Palo Alto Networks for Decryption

Business Benefits:
- Prevent undesired applications and malicious content from impacting government networks.
- Block unauthorized attempts to access vital government IT systems and computers.
- Maintain compliance with government mandates that SSL/SSH traffic be decrypted and examined for malware, unauthorized access or other indicators of a cyberattack.

[Figure 3: Palo Alto Networks SSL Forward Proxy capability. Sequence shown: the internal user requests an SSL connection; the firewall generates a certificate and sends it to the user; the client verifies the certificate from the firewall; the external server sends its certificate to the firewall. The result is two sessions with separate session keys (Session Key 1 and Session Key 2), one on each side of the firewall.]

[Figure 4: Palo Alto Networks Decryption Port Mirroring. The decrypted SSL/TLS plaintext of a session (google.com in the figure) is mirrored to a data leakage prevention system while the SSL/TLS session continues to the external server.]
Operational Benefits:
- Support government agency requirements to selectively decrypt and inspect potentially malicious traffic across the primary use cases (SSL Forward Proxy, SSL Inbound Inspection, SSH Proxy).
- Flexibility in configuration.
- A hardware security module approach to key management is also supported.

Security Benefits:
- Identify, inspect and control inbound and outbound SSL communication; identify and control SSH tunneling traffic.
- Reduce the likelihood of successful state-sponsored attacks against governments, including preventing the exfiltration of PII and other sensitive or classified data.
- Detect and prevent threats, hidden attacks and data leakage.
- Ensure attackers are not using public key infrastructure to attack government networks, and prevent attackers' use of counterfeit, expired and invalid certificates to mount an attack.

Conclusion

As more internet traffic is encrypted using SSL or TLS, and with SSH remaining available for remote communications, increasing numbers of attackers, including state-sponsored actors, are using these technologies to hide their efforts and launch successful attacks. A comprehensive security strategy for government agencies requires in-depth analysis of encrypted traffic to detect and prevent hidden attacks and data leakage. Palo Alto Networks Next-Generation Security Platform provides the most effective approach, with integrated core security capabilities, including SSL/SSH decryption. With a comprehensive encryption inspection approach that supports different encryption options and multiple use cases, the appliances can support government agencies' decryption efforts. In addition, open APIs support integration to meet additional requirements. Remember to follow recommended best practices to meet your network considerations.
4401 Great America Parkway, Santa Clara, CA 95054. Main: +1.408.753.4000. Sales: +1.866.320.4788. Support: +1.866.898.9087. www.paloaltonetworks.com

2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. decrypt-ssl-and-ssh-traffic-to-disrupt-attacker-communications-and-theft-uc-062617