The rapid increase in encrypted network traffic, coupled with the inability of most next-generation firewalls to inspect this traffic, has created a perfect security storm – one with dire consequences.

“Over 80% of traffic on most networks is encrypted and it passes through the average firewall completely unfiltered. This is not due to a lack of desire to inspect it. Rather, it’s because most firewalls simply aren’t up to the task. And even if the firewall can inspect encrypted traffic, all too often their TLS inspection solution is poorly implemented, breaking many websites and delivering a poor user experience,” says Ross Anderson, Sophos Product Development Manager at Duxbury Networking.

Unsurprisingly, hackers are catching on to this enormous blind spot in organisational security. They are starting to take advantage of this weakness to get threats onto networks and keep them there.

“People often believe that encrypted internet connections are ‘secure’. But ‘secure’ from what, exactly? Transport Layer Security, or TLS, is the encryption standard used on the internet today. The terms SSL and TLS are often used interchangeably. In fact, SSL is an old standard that has been since eclipsed by TLS. However, SSL remains the more common term. Just know that most people mean TLS when they say SSL,” says Anderson.

TLS is designed to provide confidentiality and authenticity by encrypting the communication between two parties and verifying that the server is who it claims to be, based on its trusted certificate and who issued it. The lock symbol in a browser indicates only that the connection is encrypted, that is, private between the browser and the server.

What TLS encryption does not do is secure, or provide assurance of, the content of the web page. A site hosting malware payloads can have a perfectly valid encrypted and ‘secure’ connection. “When someone claims their connection to a web server is secure, they really just mean it’s secure from eavesdropping (although even that may not be the case). This is why it’s so important to inspect encrypted traffic,” Anderson points out.

The challenge with TLS inspection is that TLS is a very complex protocol. Different certificates must be exchanged and the cipher suites to be used need to be negotiated in order to determine how the connection should be encrypted. Compounding matters further, there are several TLS versions, and many applications and web services do things differently. As a result, it is very possible, despite having rigorous standards, for things to be incompatible. This presents enormous challenges for any security solution that attempts to inject itself into the process in order to inspect and secure the content that is exchanged.

The importance of TLS 1.3

The good news is that the latest TLS standard – TLS 1.3 – offers a number of advantages over its predecessors in the areas of performance, privacy, and the removal of known vulnerabilities. TLS 1.3 adoption on servers is still in the early days, but all major browsers now support this standard. However, due to the complexities and R&D effort required to implement it, many firewalls with TLS inspection on the market today do not fully support 1.3. Instead they force a downgrade to TLS 1.2. This opens those connections up for exploitation and attack due to legacy vulnerabilities.

“As with many new technologies, there are a number of myths or common misunderstandings around inspecting TLS 1.3. These include claims that declare that TLS 1.3 cannot be inspected. This is false. While it’s true that passive TLS inspection, which was done on the sidelines, is no longer possible, with the participation of a cooperating endpoint – as you have on a corporate network – inspection is still entirely possible,” says Anderson.

“Another claim is that by inspecting encrypted traffic flows, you are somehow making them less secure. This is true if you downgrade a TLS 1.3 connection to TLS 1.2, as many SSL inspection solutions do today. The vulnerabilities in TLS 1.2 open the door to possible exploitation by a malicious man-in-the-middle (MITM) attack. TLS 1.3 has been designed to address these vulnerabilities so inspecting this traffic without downgrading the connection does not introduce risk,” he adds.
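One way to check whether an inspecting firewall is downgrading your sessions is to look at the ServerHello the client actually receives. TLS 1.3 keeps the legacy version field at 0x0303 and signals 1.3 only in the supported_versions extension, so a naive check of the version field misreports the result. The parser below is an added example, not code from the article or from Sophos; the ServerHello messages it parses are constructed inline rather than captured.

```python
import struct

# Constructed example: parse a TLS ServerHello and report the version that was
# really negotiated, distinguishing a genuine TLS 1.3 handshake from one that
# an inspection device has downgraded to TLS 1.2.
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43   # RFC 8446 extension type for supported_versions


def negotiated_version(record: bytes) -> str:
    """Return the negotiated version name from a handshake record holding a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                        # skip legacy_version and random
    pos += 1 + body[pos]                # skip legacy_session_id_echo
    pos += 2 + 1                        # skip cipher_suite, compression_method
    if pos >= len(body):                # no extensions at all: pre-1.3 server
        return TLS_VERSIONS.get(legacy_version, hex(legacy_version))
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos, end = pos + 2, pos + 2 + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
            selected = struct.unpack("!H", body[pos:pos + 2])[0]
            return TLS_VERSIONS.get(selected, hex(selected))
        pos += elen
    # No supported_versions extension: the legacy field is authoritative.
    return TLS_VERSIONS.get(legacy_version, hex(legacy_version))


def was_downgraded(record: bytes) -> bool:
    """True when a connection that should be TLS 1.3 ended up on an older version."""
    return negotiated_version(record) != "TLS 1.3"


def build_server_hello(selected=None, cipher=b"\x13\x01") -> bytes:
    """Constructed sample ServerHello (not captured traffic); legacy_version is
    always 0x0303, and supported_versions is added only when `selected` is set."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + cipher + b"\x00"
    exts = b"" if selected is None else struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

Run it against a pcap of your own sessions by feeding each ServerHello record to `was_downgraded`; a run of True results for sites that advertise TLS 1.3 points at a downgrading inspection device in the path.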

Lastly, some will claim that certificate pinning makes TLS inspection impossible. While this is true for some applications with hard-coded certificates, most applications use a certificate pinning approach that respects the resigning certificate and will continue to work with SSL inspection solutions.

The importance of certificate validation

Certificate validation is a fundamental component of TLS, as it enables the client (or an inspection device such as your firewall) to verify the identity of the server it is communicating with.

However, for certificate validation to work it needs to be implemented properly. If not, firewalls, and the endpoints they are connected to, can be fooled into thinking they are talking to a server they are not, opening the door for a malicious MITM attack.

“Not all SSL traffic can or should be treated the same. It’s a balancing act: you have to balance privacy, security, compliance, and performance. Some jurisdictions may dictate the balance, while in others, you’re left to your own devices to come up with a suitable balance for your organisation. Unfortunately, the limitations in SSL inspection solutions in most firewalls on the market today force organisations to adopt a very unbalanced approach: security and compliance needs are sacrificed in the struggle to provide essential performance and interoperability,” says Anderson.

Has encryption rendered your firewall irrelevant?

The volume of encrypted traffic is up dramatically in the last two years and trending towards 100%. This dramatic growth in encrypted traffic has created an enormous security blind spot for most organisations. Their current firewalls are simply not up to the task of inspecting this volume of encrypted sessions. In effect, TLS encryption has made most firewalls irrelevant as they no longer have insight into the majority of traffic passing through the network.

“With the explosive growth in TLS encryption in recent years, it’s probably no surprise that hackers are catching onto this trend and leveraging it to help get malware on your network undetected – and keep it there. In fact, according to SophosLabs, around one-third of malware and unwanted applications enter the network through TLS encrypted flows,” says Anderson.

Once a threat gets on the network, it will use every trick in the book to remain undetected. Increasingly, this includes employing TLS encryption to communicate. Many Trojans, like the notorious TrickBot, IcedID, or Dridex, are designed to harvest and steal sensitive information and credentials. They increasingly rely on encryption to transmit data out of the organisation. Using TLS allows commands sent to the client from control servers to remain undetected while also hiding the information collected from the network as well as any further payloads downloaded to the compromised host.

Hackers are also starting to host malicious content on legitimate sharing services like Pastebin that utilise TLS encryption to ensure the privacy of the content. This provides perfect obfuscation for malware, enabling threats to get into most networks undetected.

The reality is that most firewalls today lack proper TLS inspection capabilities. They are unable to inspect encrypted traffic without causing an unacceptable impact on network performance. Furthermore, poor inspection implementations that do not support the latest standards result in downgraded security, which in turn opens organisations up to vulnerabilities while also creating a very poor user experience.

Five things to look for in your next firewall

To minimise the risk from encrypted network traffic, ensure that your next firewall includes these top five TLS inspection capabilities:

  1. The latest TLS 1.3 and cipher suite support. While adoption of TLS 1.3 is still in the early days, it would be unwise to buy a firewall without TLS 1.3 support.

  2. A streaming engine solution that enables inspection of all TLS traffic across all ports/protocols and is faster using fewer connections than a traditional web proxy-based solution.

  3. Robust certificate validation able to handle invalid, self-signed, revoked, or untrusted certificates to avoid potential malicious Man-in-the-Middle (MITM) attacks.

  4. Powerful and flexible policy tools that provide granular control over what to decrypt and inspect, enabling you to build the right balance of privacy, protection, and performance for your organisation.

  5. High performance, with sufficient connection handling, efficient decryption, hardware acceleration, and overall power to handle your encrypted traffic volumes efficiently.

The Xstream architecture in Sophos XG Firewall offers a ground-up solution to eliminating the network traffic blind spot without impacting performance. It delivers:

  • High performance – a lightweight streaming engine with high connection capacity

  • Unmatched visibility into your encrypted traffic flows and any errors

  • Top security, supporting TLS 1.3 and all modern cipher suites with robust certificate validation

  • Inspection of all traffic, being application- and port-agnostic

  • A great user experience with extensive interoperability to avoid breaking the internet

  • Powerful policy tools, offering the perfect balance of performance, privacy, and protection.
