DECRYPT SSL AND SSH TRAFFIC TO DISRUPT ATTACKER COMMUNICATIONS AND THEFT


SUMMARY

Industry: Federal Government

Use Case: Prevent potentially obfuscated, successful cyberattacks against federal agencies using the integrated SSL/SSH decryption in Palo Alto Networks next-generation security appliances, physical and virtual.

Business Benefits
- Protect government networks and data from threats hiding in encrypted traffic.
- Comply with government mandates to ensure encrypted traffic is decrypted and examined for threats, unauthorized access or other indicators of compromise.

Operational Benefits
- Streamlined and more cost-effective approach to decryption and security.
- Resource improvements spanning time, personnel and expenditures.
- Reduced latency, particularly for time-sensitive applications and networks.
- Higher decryption throughput.
- Shorter decision loop for swifter prevention.

Security Benefits
- Swifter prevention, with visibility into attempted attacks that use encryption to hide.
- Reduced risk of successful attacks, including exfiltration of PII and other sensitive or classified data.
- Reduced risk of attackers abusing public key infrastructure to attack government networks.
- Prevent use of counterfeit, expired and invalid certificates to mount attacks.

Business Problem
According to industry research at the time of writing, 25 to 35 percent of typical enterprise traffic is SSL-encrypted, and depending on the industry (e.g., financial services) that share may be as high as 70 percent. The figure tends to be higher on government networks because of regulation, which leaves multiple blind spots for security monitoring tools. As more internet traffic is encrypted using Secure Sockets Layer or its successor, Transport Layer Security, more attackers, including state-sponsored actors, use the same encryption to hide malware and raise the likelihood of a successful attack. Secure Shell tunnels can likewise hide malware and botnet command-and-control traffic used to exfiltrate data.
For example, a recent successful phishing attack against the public email system of a prominent western defense agency used SSL to encrypt malware downloaded by unsuspecting users who clicked an infected web link. Even organizations with mature security capabilities can be breached if they are not inspecting encrypted traffic for malware.

Business Drivers
The number, scale and sophistication of cyberattacks against governments have increased in recent years, and attackers continue to use SSL/SSH encryption to hide their operations and pursue target data. Because SSL depends on certificate authorities and a public key infrastructure to create, sign and validate certificates, agencies must also ensure attackers are not abusing that PKI (for example, with counterfeit or otherwise invalid certificates) to reach the government network. Given this, governments have started to consider or mandate decryption of encrypted communications moving into and out of government networks.

In the U.S., the National Institute of Standards and Technology issues guidance for federal agencies, primarily as Federal Information Processing Standards and Special Publications (800-series). That guidance is cited as the basis for requiring that encrypted internet traffic, inbound or outbound, be decrypted and examined for malware or other unsuitable content, unauthorized access, or other indications of a cyberattack. One caveat for practitioners: FIPS publications themselves specify cryptographic modules and algorithms rather than traffic inspection, so confirm the specific policy that applies to your agency before sizing a deployment around it. Other governments have published top cyber intrusion mitigation strategies and rely on ISO standards to protect their infrastructure; these do not yet include a decryption recommendation but may in the future given the growth of this attack technique. Governments must consider scrutinizing encrypted communications within their networks to address it. A comprehensive security strategy for federal and other government agencies requires in-depth analysis of encrypted traffic to detect and prevent hidden attacks and data leakage.
Palo Alto Networks Decrypt SSL and SSH Traffic to Disrupt Attacker Communications and Theft Use Case 1

Traditional Approach
Traditional approaches to decryption typically comprise a pair of dedicated decryption devices (e.g., an SSL decryption product or load balancer) with multiple security products deployed in-line between them. Depending on an organization's requirements, the products layered between the decryption devices might include a firewall, intrusion prevention system, URL filtering, unified threat management or data loss prevention technology. Each of these functions is executed individually once traffic has passed the initial decryption device in the stack. While this process can be effective at identifying what encrypted traffic carries, it poses several issues:

Added Latency. With numerous security devices in the path, latency increases. This is particularly problematic for latency-sensitive applications on the government network; voice and video, for example, are prevalent and demand low latency and predictable jitter.

Increased Time to Resolution. Decryption of SSL traffic can be complex. With the traditional approach, troubleshooting a problem or security incident in the decryption flow and handling is difficult: the individual products are not integrated and do not cross-communicate, there are often separate subject matter experts for each product, and many logs must be reviewed to find the source of an issue and apply timely, appropriate remediation.

Increased Personnel and Operational Costs. Even without decryption, stand-alone security products require individual, dedicated subject matter experts. This adds to resource and operational expenditures, and can result in siloed thinking and misaligned security goals.

Cumbersome and Costly SIEM. Each security device deployed in-line adds to Security Information and Event Management expenses.
The additional personnel and correlation requirements between divided resources become costly and cumbersome over time.

Palo Alto Networks Approach
Palo Alto Networks Next-Generation Security Platform integrates SSL/SSH decryption, with optional hardware security module support for the performance and protection of certificate and key management. The application, content and user identification capabilities on the appliances, referred to as App-ID, Content-ID and User-ID respectively, enable security administrators to identify the applications, URL categories or content types, and individual users or groups accessing the network. Together these give government administrators integrated SSL/SSH inspection on the same appliances that enforce policy. The virtual and physical appliances integrate security mechanisms up through Layer 7 to control network activity at the firewall.

As Figure 1 shows, administrators can apply decryption to determine the identity and intended activity of HTTPS traffic. Taking SharePoint as an example, policy can control what activity is allowed: an administrator can allow access to SharePoint but deny document sharing. With integrated SSL/SSH decryption, this does not require going through multiple locations and devices to determine port/protocol, application and signature and then decrypt the communications. Certificate and key management features can block expired certificates, terminate sessions with untrusted issuers or certificates signed by untrusted CAs, and block unsupported certificate versions and ciphers.
Figure 1: Decrypting communications using Palo Alto Networks Next-Generation Security Platform. The figure traces a session from the TCP handshake (SYN, SYN-ACK, ACK; the point where a stateful firewall stops), through policy-driven HTTPS decryption (SSL or SSH), into the known-protocol decoders and signatures (or heuristics for unknown protocols), and finally to policy enforcement on the identified application (for example, SharePoint versus SharePoint Docs in a web browser).

Additional benefits include:
- Complete safe enablement of traffic and applications in the network, including encrypted communications.
- Streamlined and more effective approach to decryption and security.
- Resource improvements spanning time, personnel and expenditures.
- Reduced latency, particularly for time-sensitive applications and networks.
- Greater decryption throughput.
- Shorter decision loop for swifter prevention.

The appliances use these identification technologies to analyze network traffic and enforce security policy. SSL/TLS and SSH decryption policies are integrated with them and allow simple, effective policy enforcement. Source zone, address and User-ID; destination zone and address; URL category (including any custom categories); action (decrypt or no-decrypt); type (SSL Forward Proxy, SSL Inbound Inspection or SSH Proxy); and decryption profile are all configurable options (see Figure 2).

Figure 2: Example decryption policy on Palo Alto Networks Next-Generation Security Platform (reconstructed from the screenshot; rules are evaluated top-down)

  #  Name               Source zone  Source addr  User  Dest zone   Dest addr  URL category                                                    Action      Type                    Decryption profile
  1  No Decrypt         L3-Trust     any          any   L3-Trust    any        financial-services, government, health-and-medicine, shopping   no-decrypt  ssl-forward-proxy       DecryptProfile-block
  2  Decrypt Important  L3-Trust     any          any   L3-Untrust  any        alcohol-and-tobacco, entertainment-and-arts, internet-portals   decrypt     ssl-forward-proxy       DecryptProfile-block
  3  ssh proxy          L3-Trust     any          any   L3-Untrust  any        any                                                             decrypt     ssh-proxy               DecryptProfile-block
  4  inbound policy     L3-Untrust   any          any   L3-Trust    any        any                                                             decrypt     ssl-inbound-inspection  DecryptProfile-block (server certificate: PAN-SSL Decrypt)

Security and network administrators can apply additional enforcement options to protect agency assets, including the ability to:
- Block expired certificates, stopping the click-through of users who tend to click OK to everything.
- Block sessions with untrusted issuers or certificates signed by untrusted certificate authorities. It helps to be able to edit which root certificates administrators want users to trust.
- Block or bypass unsupported certificate versions and ciphers. Most of the time, unsupported versions and ciphers are being used to circumvent security and policy.
- Block or bypass sessions if decryption resources are not available.
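The rulebase in Figure 2 and the block options listed under it, worked through as code. This is an added example written for this page, not Palo Alto Networks' code or configuration syntax: the Rule, Session and Profile types, their field names, the reconstructed rulebase and the profile's cipher list are this example's own assumptions. It shows how first-match evaluation decides whether a flow is decrypted at all, and which profile condition terminates a session once the server's certificate and handshake parameters are known.

```go
package main

import (
	"fmt"
	"time"
)

// Decryption rulebase and decryption-profile evaluation modelled on Figure 2
// and the enforcement options listed under it. Example code added to this
// brief, not Palo Alto Networks' implementation: the type and field names are
// this example's own, and the rulebase is constructed from the figure.

// Rule is one row of the decryption rulebase.
type Rule struct {
	Name       string
	From, To   string   // security zones; "any" matches every zone
	Categories []string // URL categories; nil means any
	Decrypt    bool
	Type       string // ssl-forward-proxy, ssl-inbound-inspection, ssh-proxy
	Profile    string
}

// Session is the part of a flow the rulebase matches on.
type Session struct {
	From, To string
	Category string // "" for flows with no URL category, such as SSH
	SSH      bool
}

// Rulebase reconstructs Figure 2; rules are evaluated top-down, first match wins.
var Rulebase = []Rule{
	{"No Decrypt", "L3-Trust", "L3-Untrust",
		[]string{"financial-services", "government", "health-and-medicine", "shopping"},
		false, "ssl-forward-proxy", "DecryptProfile-block"},
	{"Decrypt Important", "L3-Trust", "L3-Untrust",
		[]string{"alcohol-and-tobacco", "entertainment-and-arts", "internet-portals"},
		true, "ssl-forward-proxy", "DecryptProfile-block"},
	{"ssh proxy", "L3-Trust", "L3-Untrust", nil, true, "ssh-proxy", "DecryptProfile-block"},
	{"inbound policy", "L3-Untrust", "L3-Trust", nil, true, "ssl-inbound-inspection", "DecryptProfile-block"},
}

func zoneMatches(rule, actual string) bool { return rule == "any" || rule == actual }

func categoryMatches(cats []string, actual string) bool {
	if len(cats) == 0 {
		return true
	}
	for _, c := range cats {
		if c == actual {
			return true
		}
	}
	return false
}

// Match returns the first rule whose zones, categories and type apply to s.
// Treating the rule type as a match condition (SSH flows only hit ssh-proxy
// rules) is a simplification of this example, not a claim about the product.
func Match(rules []Rule, s Session) (Rule, bool) {
	for _, r := range rules {
		if !zoneMatches(r.From, s.From) || !zoneMatches(r.To, s.To) {
			continue
		}
		if !categoryMatches(r.Categories, s.Category) || (r.Type == "ssh-proxy") != s.SSH {
			continue
		}
		return r, true
	}
	return Rule{}, false // no rule matched: the flow passes undecrypted
}

// ServerCert is what the firewall learns from the server side of the handshake.
type ServerCert struct {
	NotAfter      time.Time
	IssuerTrusted bool   // chains to a CA in the firewall's trust store
	TLSVersion    uint16 // 0x0303 = TLS 1.2, 0x0304 = TLS 1.3
	Cipher        string
}

// Profile mirrors the "block" options of a decryption profile.
type Profile struct {
	BlockExpired, BlockUntrustedIssuer, BlockUnsupported, BlockWhenOutOfResources bool
	MinTLSVersion                                                                uint16
	Ciphers                                                                      map[string]bool
}

// Check returns "" if the session may proceed, otherwise the reason it is blocked.
func (p Profile) Check(c ServerCert, now time.Time, resourcesOK bool) string {
	switch {
	case p.BlockExpired && now.After(c.NotAfter):
		return "expired certificate"
	case p.BlockUntrustedIssuer && !c.IssuerTrusted:
		return "untrusted issuer"
	case p.BlockUnsupported && (c.TLSVersion < p.MinTLSVersion || !p.Ciphers[c.Cipher]):
		return "unsupported protocol version or cipher"
	case p.BlockWhenOutOfResources && !resourcesOK:
		return "decryption resources unavailable"
	}
	return ""
}

// BlockProfile is a constructed "DecryptProfile-block": every option set to block,
// TLS 1.2 as the floor and a short allow-list of ciphers.
var BlockProfile = Profile{true, true, true, true, 0x0303,
	map[string]bool{"TLS_AES_128_GCM_SHA256": true, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": true}}

func main() {
	now := time.Now()
	for _, f := range []Session{
		{"L3-Trust", "L3-Untrust", "shopping", false},
		{"L3-Trust", "L3-Untrust", "internet-portals", false},
		{"L3-Trust", "L3-Untrust", "", true},
		{"L3-Trust", "L3-Untrust", "news", false}, // no rule: passes undecrypted
	} {
		r, ok := Match(Rulebase, f)
		fmt.Printf("%+v -> rule=%q decrypt=%v\n", f, r.Name, ok && r.Decrypt)
	}
	// Constructed server certificates as seen through the "Decrypt Important" rule.
	good := ServerCert{now.Add(24 * time.Hour), true, 0x0304, "TLS_AES_128_GCM_SHA256"}
	expired := ServerCert{now.Add(-time.Hour), true, 0x0303, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}
	fmt.Printf("good cert: %q  expired cert: %q\n", BlockProfile.Check(good, now, true), BlockProfile.Check(expired, now, true))
}
```

Run it with `go run .`; the fourth flow is the case worth noticing: an outbound HTTPS flow to a category no rule names falls through the rulebase and is never decrypted, so a rulebase built from category allow-lists leaves exactly the blind spot the brief is about unless it ends with a catch-all decrypt rule.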
The types of decryption an administrator can choose, depending on objectives and network considerations, are SSL Forward Proxy, SSL Inbound Inspection and SSH Proxy. There are further considerations for how government agencies approach decryption on their networks to search for attacker communications. More information on these and other details of SSL and SSH decryption can be found in the following resources:
- Enforcing SSL and SSH Security for Federal Agencies
- PAN-OS 8.0 Administrator's Guide: Decrypt Traffic for Full Visibility and Threat Inspection
- LIVE Community: Safely inspecting SSL transactions

Real-World Federal Government Customer Deployment
In this real-world example, a large federal institution with more than 400,000 users throughout the continental U.S. needed to protect its network from malware and threats hiding in encrypted traffic. Already a long-time Palo Alto Networks customer, the institution saw a 40 percent increase in encrypted traffic. With the network's original specifications, however, security could inspect only 50 percent of all traffic leaving the network perimeter, and a significant spike in CPU utilization was observed. Meanwhile, despite significant investments in security practitioners, operations and products, the security team faced a vexing question: How does it feel that after all your security processes, procedures and money spent, you are only protecting about a quarter of your internet traffic? To limit disruption while continuing to enforce maximum security and operational efficiency, the team reviewed the institution's networking needs, accounting for the full level of SSL decryption its security required. Ultimately, it chose to meet these needs with Palo Alto Networks PA-7000 Series appliances and on-board SSL decryption. With SSL decryption in operation, the customer can safely enable traffic and applications in its network, including the large increase in encrypted communications.

USE CASE: Decrypt SSL and SSH Traffic to Disrupt Attacker Communications and Theft

Implementation Overview
Products deployed: Palo Alto Networks PA-7080 next-generation firewalls
Subscriptions include: URL Filtering, Threat Prevention, WildFire cloud-based threat analysis service

How the customer implemented it (high level):
- Deployed a pair of highly available Palo Alto Networks firewalls at each trusted perimeter gateway. Each gateway, or TIC, averages 450,000 sustained sessions with more than 5 Gbps of throughput.
- Based on the App-ID deployment, the customer could accurately and confidently identify encrypted traffic traversing the network, and decided to implement SSL decryption as a result.
- Security methodically enables SSL decryption on a subset of URL Filtering categories in PAN-DB while monitoring both device performance and user impact.
- Although deployment is in its preliminary stages, the customer has gained insight into more than 100 million SSL sessions per day to which it was previously blind, and applies advanced threat protection to them to mitigate risk.

How the customer's SSL decryption works (high level):
- Using policy-based decryption, PA-7080 appliances decrypt, inspect and control inbound as well as outbound SSL and SSH connections to: prevent malware concealed in encrypted traffic; prevent sensitive information from moving; ensure only whitelisted applications are running on the secure network.
- To account for security risks introduced by the end-user community, SSL Forward Proxy (see Figure 3) decrypts internet traffic sourced from internal users.
- Hardware security module integration with a third-party solution manages, processes and stores the cryptographic keys required for SSL decryption.
- Future capabilities include Decryption Port Mirroring, as shown in Figure 4, on the PA-7080 appliances for analysis of traffic to Box.com.
Benefits of Using Palo Alto Networks for Decryption

Business Benefits:
- Prevent undesired applications and malicious content from impacting government networks.
- Block unauthorized attempts to access vital government IT and computers.
- Maintain compliance with government mandates to ensure SSL/SSH traffic is decrypted and examined for malware, unauthorized access, or other indicators of a cyberattack.

Figure 3: Palo Alto Networks SSL Forward Proxy capability. The internal user requests an SSL connection; the external server sends its certificate to the firewall; the firewall generates a certificate and sends it to the user; the client verifies the certificate from the firewall. Two separate session keys result, one between client and firewall (Session Key 1) and one between firewall and server (Session Key 2), which is what lets the firewall see plaintext in the middle.

Figure 4: Palo Alto Networks Decryption Port Mirroring. A decrypted copy of an SSL/TLS session (to google.com in the figure) is forwarded as plaintext to a data leakage prevention tool.
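The certificate exchange of Figure 3, worked through as an added Go example; this is not Palo Alto Networks' implementation, and the names NewCA, IssueLeaf, Impersonate, Pool and the hostname sharepoint.agency.example are this example's own assumptions. The firewall holds two CAs, a forward-trust CA that managed clients are provisioned to trust and a forward-untrust CA that no client trusts. The code builds an origin server certificate, validates it the way the firewall would, and mints the client-facing look-alike. It demonstrates the two points a practitioner needs from the figure: clients accept the proxy certificate only because they trust the forward-trust CA, and an origin the firewall cannot itself validate is re-signed by the untrust CA so the client still sees a failure rather than a silently "trusted" bad server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Certificate handling of an SSL forward proxy, following Figure 3. Example
// code added to this brief, not Palo Alto Networks' implementation; the names
// NewCA, IssueLeaf, Impersonate and Pool are this example's own.

// CA is a signing certificate and its private key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newSerial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	return n
}

// NewCA creates a self-signed CA certificate and its private key.
func NewCA(cn string) CA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return CA{Cert: cert, Key: key}
}

// IssueLeaf signs a server certificate for dnsNames under ca, valid until notAfter.
func IssueLeaf(ca CA, dnsNames []string, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(), Subject: pkix.Name{CommonName: dnsNames[0]}, DNSNames: dnsNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// Verify checks leaf for host against roots; a nil error means the chain is trusted.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Impersonate is the firewall's step in Figure 3 ("server sends certificate to
// firewall", then "firewall generates and sends certificate to the user"). It
// validates the origin certificate against the firewall's own trust store and
// mints a look-alike leaf (same names, same expiry) for the client, signed by
// the forward-trust CA if the origin was trusted and by the forward-untrust CA
// otherwise, so the user's browser still warns about a bad server.
func Impersonate(origin *x509.Certificate, fwRoots *x509.CertPool, trust, untrust CA) (*x509.Certificate, bool) {
	trusted := Verify(origin, fwRoots, origin.DNSNames[0]) == nil
	signer := untrust
	if trusted {
		signer = trust
	}
	return IssueLeaf(signer, origin.DNSNames, origin.NotAfter), trusted
}

// Pool builds a trust store from CA certificates.
func Pool(cas ...CA) *x509.CertPool {
	p := x509.NewCertPool()
	for _, ca := range cas {
		p.AddCert(ca.Cert)
	}
	return p
}

func main() {
	host := "sharepoint.agency.example" // constructed hostname for the walk-through
	publicCA, fwTrust, fwUntrust := NewCA("Public Root"), NewCA("FW Forward Trust"), NewCA("FW Forward Untrust")
	fwRoots, clientRoots := Pool(publicCA), Pool(fwTrust) // firewall trusts the public root; clients trust only the firewall CA

	origin := IssueLeaf(publicCA, []string{host}, time.Now().Add(time.Hour))
	leaf, ok := Impersonate(origin, fwRoots, fwTrust, fwUntrust)
	fmt.Printf("public origin: firewall trusts=%v client accepts proxy cert=%v\n", ok, Verify(leaf, clientRoots, host) == nil)

	rogue := IssueLeaf(NewCA("Rogue CA"), []string{host}, time.Now().Add(time.Hour))
	leaf, ok = Impersonate(rogue, fwRoots, fwTrust, fwUntrust)
	fmt.Printf("rogue origin:  firewall trusts=%v client accepts proxy cert=%v\n", ok, Verify(leaf, clientRoots, host) == nil)
}
```

The operational consequence is the one the brief's customer deployment hints at: the forward-trust CA certificate has to be distributed to every managed endpoint (and its private key protected, here by the HSM the deployment mentions), because anything holding that key can mint a certificate for any name the clients will accept.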

Operational Benefits:
- Support government agency requirements to selectively decrypt and inspect potentially malicious traffic across the primary use cases (SSL Forward Proxy, SSL Inbound Inspection, SSH Proxy).
- Flexibility in configurations.
- Hardware security module approach to key management also supported.

Security Benefits:
- Identify, inspect and control inbound and outbound SSL communication; identify and control SSH tunneling traffic.
- Reduce the likelihood of successful state-sponsored attacks against governments, including preventing the exfiltration of PII and other sensitive or classified data.
- Detect and prevent threats, hidden attacks and data leakage.
- Ensure attackers are not using public key infrastructure to attack government networks, and prevent attackers' use of counterfeit, expired and invalid certificates to mount an attack.

Conclusion
As more internet traffic is encrypted using SSL or TLS, and with SSH remaining available for remote communications, increasing numbers of attackers, including state-sponsored actors, use these technologies to hide their efforts and launch successful attacks. A comprehensive security strategy for government agencies requires in-depth analysis of encrypted traffic to detect and prevent hidden attacks and data leakage. Palo Alto Networks Next-Generation Security Platform provides the most effective approach, with integrated core security capabilities including SSL/SSH decryption. With an encryption inspection approach that supports different encryption options and multiple use cases, the appliances can support government agencies' decryption efforts, and open APIs support integration to meet additional requirements. Remember to follow recommended best practices to meet your network considerations.
4401 Great America Parkway, Santa Clara, CA 95054. Main: +1.408.753.4000. Sales: +1.866.320.4788. Support: +1.866.898.9087. www.paloaltonetworks.com
2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. decrypt-ssl-and-ssh-traffic-to-disrupt-attacker-communications-and-theft-uc-062617