Hackers are simply seizing on the increased use of encryption for legitimate purposes. Most organizations today use the technology to maintain data privacy — in fact, it is mandated by a host of data privacy laws. Because of this increased reliance on encryption, many organizations actually configure their perimeter defenses to let encrypted traffic pass through firewalls without inspection.
With little to no visibility into encrypted traffic, organizations are hard-pressed to identify, prevent or mitigate threats. According to a recent Vanson Bourne survey of 3,100 IT managers in 12 countries, 68 percent of respondents experienced a cyberattack last year, even though 91 percent had advanced security measures such as next-generation firewalls (NGFWs) in place. What’s more, even after extensive post-attack forensic analysis, 20 percent were never able to identify the source of the attack.
The survey also found that only 3.5 percent of organizations are decrypting traffic in order to inspect it. It’s a tradeoff most have made in order to avoid intolerable performance degradations.
New Protocol Helps
The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are the industry standards for encrypting data in transit. Although many NGFWs can decrypt and inspect SSL/TLS traffic, it is a computationally intensive task. According to a 2018 NGFW security and performance test, SSL/TLS decryption caused an average 92 percent degradation of NGFW connections, a 60 percent drop in throughput and a 672 percent rise in latency.
The latest version of the protocol, TLS 1.3 (RFC 8446), trims the handshake and drops the weak algorithms that earlier versions still allowed. That makes connection setup faster for the two endpoints. It does not make decryption cheaper for a firewall in the middle: TLS 1.3 removed the static RSA key exchange that let a passive device decrypt traffic with a copy of the server's private key, so an NGFW that wants to see plaintext has to terminate the session as a full proxy and re-encrypt it toward the server.
When two devices start talking, TLS requires a handshake: they exchange hello messages, the server proves its identity with a certificate (client authentication is optional), they agree on the algorithms to use, and they derive session keys. In TLS 1.2 a full handshake costs two network round trips before any application data can flow, on top of the TCP handshake. TLS 1.3 sends the client's key share in the first message, cutting that to one round trip; on a repeat connection to the same server it can even send data in the first flight (0-RTT), at the price that 0-RTT data can be replayed and should be limited to idempotent requests.
Older versions also offered hundreds of cipher suites, each naming the key exchange, authentication, bulk cipher and MAC together, and many of them weak (RC4, 3DES, CBC modes, static RSA key transport). Picking one was cheap in CPU terms, but the long list gave attackers room for downgrade tricks and administrators room for misconfiguration. TLS 1.3 defines just five suites (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 and two AES-CCM variants), all of them AEAD ciphers. The suites are smaller, too: each names only the cipher and hash, while the (EC)DHE group and the signature algorithm are negotiated in separate extensions, so forward secrecy is no longer optional.
Inspection without Decryption
Cisco Firepower Threat Defense (FTD) firewalls are among the NGFWs that support the TLS 1.3 protocol. Cisco says they boost performance by three times when compared to the previous generation of NGFWs, and they also feature unique capabilities for inspecting encrypted traffic at scale without requiring decryption.
FTD firewalls work in conjunction with Cisco's Encrypted Traffic Analytics (ETA), which classifies flows from packet metadata rather than payload. ETA examines the initial data packet of a connection, which carries the plaintext ClientHello (offered TLS versions, cipher suites, extensions and the server name), and then records the sequence of packet lengths and inter-arrival times as the flow continues. It also watches for other unusual characteristics, such as a client offering obsolete ciphers. Flows that look suspicious can be flagged for closer analysis and blocked by the FTD firewall. The caveat is that this is classification, not content inspection: it can recognise a malware family by how its TLS client behaves on the wire, but it cannot read what was sent.
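The plaintext fields that this kind of metadata analysis reads from the first packet can be seen with a short script. The following is an added example, not code from Cisco or from the original article: it builds a constructed TLS ClientHello, parses it the way a middlebox would, computes the JA3 fingerprint (MD5 over the legacy version, cipher suites, extension types, supported groups and point formats, with GREASE values removed) and applies a simple policy. The hostname, the cipher-suite lists and the WEAK_SUITES table are assumptions made up for the example.

```python
"""Read what a firewall can see in a TLS ClientHello without decrypting anything.
Added example, not Cisco's or the article's code. The ClientHello is sent in the
clear even under TLS 1.3, so offered versions, cipher suites, extensions and the
server name are visible on the wire; JA3 (MD5 over those fields, GREASE dropped)
is the usual way to summarise them. The sample hello below is constructed here."""
import hashlib
import struct

WEAK_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}   # illustrative subset, an assumption
GREASE = set(range(0x0A0A, 0xFAFB, 0x1010))              # RFC 8701 reserved values


def _u16s(values):
    return b"".join(struct.pack("!H", v) for v in values)


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni, suites, groups, point_formats, versions, client_random=b"\0" * 32):
    """Constructed ClientHello (RFC 8446 4.1.2) wrapped in a TLS record; test input only."""
    host = sni.encode()
    exts = b"".join([
        _ext(0x0000, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host),  # server_name
        _ext(0x000A, struct.pack("!H", 2 * len(groups)) + _u16s(groups)),      # supported_groups
        _ext(0x000B, bytes([len(point_formats)] + point_formats)),              # ec_point_formats
        _ext(0x002B, bytes([2 * len(versions)]) + _u16s(versions)),             # supported_versions
    ])
    body = (struct.pack("!H", 0x0303) + client_random + b"\0"      # legacy_version, random, no session id
            + struct.pack("!H", 2 * len(suites)) + _u16s(suites)
            + b"\x01\x00"                                           # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the plaintext fields a middlebox can read; raise ValueError on malformed input."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) != 5 + rec_len or rec_len != 4 + int.from_bytes(record[6:9], "big"):
        raise ValueError("record/handshake length fields inconsistent")
    p = 9
    info = {"version": struct.unpack("!H", record[p:p + 2])[0], "sni": None, "extensions": [],
            "groups": [], "point_formats": [], "supported_versions": []}
    p += 2 + 32                                                    # skip random
    p += 1 + record[p]                                             # skip legacy session id
    n = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    info["suites"] = [struct.unpack("!H", record[p + i:p + i + 2])[0] for i in range(0, n, 2)]; p += n
    p += 1 + record[p]                                             # skip compression methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]; p += 2
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
        body = record[p:p + elen]; p += elen
        info["extensions"].append(etype)
        if etype == 0x0000:
            info["sni"] = body[5:5 + struct.unpack("!H", body[3:5])[0]].decode()
        elif etype == 0x000A:
            info["groups"] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(2, len(body), 2)]
        elif etype == 0x000B:
            info["point_formats"] = list(body[1:])
        elif etype == 0x002B:
            info["supported_versions"] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(1, len(body), 2)]
    if p != end:
        raise ValueError("extension block overran its declared length")
    return info


def ja3(info):
    """JA3 string and hash: version,ciphers,extensions,groups,point_formats (GREASE dropped)."""
    keep = lambda xs: "-".join(str(x) for x in xs if x not in GREASE)
    s = ",".join([str(info["version"]), keep(info["suites"]), keep(info["extensions"]),
                  keep(info["groups"]), "-".join(map(str, info["point_formats"]))])
    return s, hashlib.md5(s.encode()).hexdigest()


def assess(info):
    """Policy findings from metadata alone; an empty list means nothing stood out."""
    findings = []
    if 0x0304 not in info["supported_versions"]:
        findings.append("client does not offer TLS 1.3")
    weak = [WEAK_SUITES[s] for s in info["suites"] if s in WEAK_SUITES]
    if weak:
        findings.append("offers weak suites: " + ", ".join(weak))
    if info["sni"] is None:
        findings.append("no SNI, hostname policy cannot be applied")
    return findings


# Constructed sample: a TLS 1.3-capable client that still advertises RC4 (0x2A2A is GREASE).
SAMPLE = build_client_hello("example.com", suites=[0x2A2A, 0x1301, 0x1302, 0x1303, 0xC02B, 0x0005],
                            groups=[0x001D, 0x0017], point_formats=[0], versions=[0x0304, 0x0303])

if __name__ == "__main__":
    parsed = parse_client_hello(SAMPLE)
    print(parsed["sni"], [hex(s) for s in parsed["suites"]], *ja3(parsed), assess(parsed))
```

Everything the script reports comes from the one unencrypted message, which is the point: a device in the path can fingerprint the client and enforce version and cipher policy without holding any keys, but once the handshake completes it sees only record lengths and timing.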
While encryption has become essential for data privacy, it has also become an efficient delivery mechanism for malware. Recent firewall enhancements can give organizations the tools they need to expose those hidden threats. Give us a call to learn more about how the latest firewalls can improve your organization's perimeter defenses.