October 25, 2018

Simplify Your IT

Denver Biz Tech Expo

Mile High Stadium
9:00 am – 3:30 pm

How to Protect Your Company’s Website & Internet Browsing at the Necessary SSL Encryption Level

Statement: SSL encryption (port 443) is the de-facto encryption technology for delivering secure Web browsing, and the benefits it provides are driving SSL Web traffic to new heights. According to industry authorities such as Google, Gartner and Forrester, in 2018 about 70% of all casual Web traffic is HTTPS encrypted, and in some industries such as finance, government, healthcare and legal the share is even higher. Warning: not all SSL traffic is benign. Without the right security tools, SSL is a blind spot in your network, leaving gateway security measures neutered.

Next Generation Firewalls (NGFW) using Web filters, application awareness, anti-virus gateways and IDS/IPS can provide only limited protection against malicious SSL traffic, and Advanced Threat Protection (ATP) sandboxes provide only limited protection against HTTPS traffic too. A more advanced approach, intercepting the SSL traffic so that the NGFW and ATP devices can examine all Web traffic, both HTTP and HTTPS, is fast becoming a critical requirement.

Description: TLS and its predecessor SSL are important Internet protocols that encrypt communications over the Internet between a client and a server. These protocols (and protocols that make use of TLS and SSL, such as HTTPS) use certificates to establish an identity chain showing that the connection is with a legitimate server verified by a trusted third-party certificate authority.

HTTPS inspection works by intercepting the HTTPS network traffic and performing an authorized Man-In-The-Middle (MITM) attack on the connection. In a hostile MITM attack, sensitive client data can be transmitted to a malicious party spoofing the intended server. To perform HTTPS inspection without presenting client warnings, administrators must install the inspection product's trusted certificate on client devices; browsers and other client applications then use this certificate to validate the encrypted connections created by the HTTPS inspection product. In addition to being unable to verify the web server's certificate, the client also cannot see which protocols and ciphers the HTTPS inspection product negotiates with web servers. The problem with this architecture is that client systems have no way of independently validating the HTTPS connection: the client can only verify the connection between itself and the HTTPS interception product, and must rely on the HTTPS validation performed by that product. [1]

  • What uses SSL:

    HTTPS – Hypertext Transfer Protocol Secure (port 443)
    FTPS – File Transfer Protocol Secure (port 21, 990, 989)
    LDAPS – Lightweight Directory Access Protocol Secure (port 636)
    SMTPS – Simple Mail Transfer Protocol Secure (port 465)
    POPS – Post Office Protocol Secure (port 995)
    IMAPS – Internet Message Access Protocol Secure (port 993)
    NNTPS – Network News Transfer Protocol Secure (port 563)
    TelnetS – Telnet Secure (port 992)
    IRCS – Internet Relay Chat Secure (port 6697)

    Sanctioned MITM Attack steps allowing for “data in the clear” to be inspected by NGFW:

    SSL Exploits: Criminals can exploit the trust that users place in SSL by creating a fake web page that tricks victims into providing confidential information, and using HTTPS helps them bypass gateway security measures. According to MediaPro, 43% of all data breaches involve phishing, and nearly all phishing attacks are cloaked via HTTPS. [2]

    Compliance: While IT security teams have deployed a wide array of products to detect attacks, data leaks and malware – and rightfully so – they must walk a thin line between protecting employees and intellectual property, and violating employees’ privacy rights. Privacy and regulatory concerns have emerged as one of the top hurdles preventing organizations from inspecting SSL traffic.

    To address regulatory requirements such as HIPAA, FISMA, PCI and SOX, an SSL inspection platform should be able to bypass sensitive traffic, such as traffic to banking and healthcare sites. By bypassing sensitive traffic, IT security teams can rest easy knowing that confidential banking or healthcare records will not be sent to security devices or stored in log management systems. [3]
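    Added example (not from the talk, and not Juniper's or any vendor's code): the bypass decision an inspection proxy has to make before it intercepts a connection, in Python. It parses the SNI hostname out of a TLS ClientHello and passes finance and healthcare destinations through undecrypted, as the paragraph above describes; the ClientHello builder and the domain suffixes are constructed for the example.

```python
import struct

# Constructed sample: a minimal TLS 1.2 ClientHello with optional SNI, for offline testing.
def build_client_hello(hostname=None) -> bytes:
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00")       # one cipher suite, null compression
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack(">H", len(entry)) + entry             # ServerNameList
        ext = struct.pack(">HH", 0x0000, len(sni)) + sni        # extension type 0 = server_name
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 43                        # record hdr(5) + handshake hdr(4) + version(2) + random(32)
        pos += 1 + record[pos]          # session id
        pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]   # cipher suites
        pos += 1 + record[pos]          # compression methods
        end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]  # extensions block
        if end > len(record):
            return None                 # truncated record: refuse to classify it
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", record[pos:pos + 4])
            pos += 4
            if etype == 0:              # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack(">H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):  # short slices mean a malformed or missing field
        pass
    return None

# Constructed bypass policy (hypothetical domains): these categories stay undecrypted,
# so their content never reaches the inspection engine or the log management system.
SENSITIVE_SUFFIXES = {".bank.example": "finance", ".health.example": "healthcare"}

def inspection_decision(record: bytes):
    host = extract_sni(record)
    if host is None:
        return ("intercept", "no-sni")  # policy choice: unclassifiable traffic is still inspected
    for suffix, category in SENSITIVE_SUFFIXES.items():
        if host == suffix[1:] or host.endswith(suffix):
            return ("bypass", category)
    return ("intercept", "default")
```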

    Securely Manage Certificates and Keys: Whether providing visibility into outbound or inbound SSL traffic, SSL inspection devices must securely manage SSL certificates and keys. When SSL inspection devices are deployed in front of corporate applications to inspect inbound traffic, they may need to manage tens, hundreds or even thousands of certificates. As the number of SSL key and certificate pairs grows, certificate management becomes more challenging.

    Organizations constantly add, remove or redeploy servers to meet business needs. This fluid and dynamic environment makes it difficult for organizations to account for all SSL certificates at any given time and ensure that certificates have not expired.

    SSL certificates and keys form the basis of trust for encrypted communications. If they are compromised, attackers can use them to impersonate legitimate sites and steal data. [4]

    Stop Tor: Tor is an SSL encrypted browser for anonymous communication over the Internet, and it is the gateway to the Dark Web for criminals. Tor can bounce your Internet signal all over the world, using more than 7000 relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis. Tor's intended use is to protect the personal privacy of its users, as well as their freedom and ability to conduct confidential (and criminal) communication, by keeping their Internet activities from being monitored. Tor is also used to set up encryption keys for ransomware. [5]

    Conclusion: Encrypted traffic accounts for a large and growing percentage of all network traffic. While the adoption of SSL and its successor, Transport Layer Security (TLS), should be cause for celebration – since encryption improves confidentiality and message integrity – it also puts organizations at risk. This is because hackers can leverage encryption to conceal their exploits from security devices that do not inspect SSL traffic. Attackers are wising up and taking advantage of this gap in corporate defenses.

    Organizations that do not inspect SSL communications are providing an open door for attackers to infiltrate defenses undetected and steal data. To prevent cyber-attacks, enterprises need to inspect all Web traffic (HTTP & HTTPS), and in particular encrypted traffic, to combat advanced threats.

    References:

    1. Department of Homeland Security. (March 16, 2017). Alert (TA17-075A) HTTPS Interception Weakens TLS Security. https://www.us-cert.gov/ncas/alerts/TA17-075A
    2. SC Magazine. (May 2018). Data Bank Threat Stats. MediaPro, p. 7.
    3. Cross, Kasey. InfoSec Island. (April 17, 2015). The Current State of Insecurity: Strategies for Inspecting SSL Traffic. http://www.infosecisland.com/blogview/24466-The-Current-State-of-Insecurity-Strategies-for-Inspecting-SSL-Traffic.html
    4. Cross, Kasey. InfoSec Island. (April 17, 2015). The Current State of Insecurity: Strategies for Inspecting SSL Traffic. http://www.infosecisland.com/blogview/24466-The-Current-State-of-Insecurity-Strategies-for-Inspecting-SSL-Traffic.html
    5. Wikipedia. (2018). Tor (anonymity network), an Internet communication method for enabling online anonymity. https://en.wikipedia.org/wiki/Tor_(anonymity_network)

Jeff Bird

Senior Security Specialist

As a Senior Security Specialist for Juniper Networks, Jeff is responsible for educating internal teams, partners, and customers on the Juniper Networks security portfolio. Jeff is passionate about the role Juniper's solutions can play in combating the threat cyber-attacks pose to corporations and state entities. Juniper's continued focus on automation with Software-Defined Secure Networking (SDSN) can streamline security operations, so threats are mitigated faster with less reliance on expensive and increasingly scarce cybersecurity human resources. Jeff is a 20+ year veteran of the Information Security and Networking industry and has held positions with multiple Silicon Valley security-focused companies such as McAfee, Blue Coat, Sophos, and Dell. Over the years, Jeff has worked in technical sales roles assisting service providers, resellers, and end users to secure their networks. Jeff holds a Bachelor of Science in Engineering from Indiana University of Pennsylvania and a Master of Arts in Management from City University of Seattle.