My organization wants to keep watch over outbound network traffic to make sure that valuable IP isn't leaking out, so we're considering SSL decryption. Could you walk through some pros and cons? Ultimately, is this a viable technique or should we consider other options?
The concept of SSL decryption has been around for quite some time, but it's usually carried out by nefarious individuals as part of man-in-the-middle attacks. Semantics aside, this technique as it relates to enterprise security has steadily picked up steam recently. When an end user inside of a local area network attempts to connect to an SSL-protected server via a Web browser, the server responds with a certificate (public key). The browser then checks the certificate's signature against its list of trusted certificate authorities, and if the certificate is properly signed, the browser responds that it is ready to begin communicating. The server responds with a digitally signed acknowledgement to start an SSL session. In the case of SSL decryption, a commonly used mechanism is to insert a firewall that intercepts the initial message from the end user and sends it to the SSL-protected server in place of the end user. The SSL server thinks that it is communicating with the end user inside the aforementioned local area network, and the above described process is carried out in a manner that is completely transparent to the end user and the SSL-protected server.
The reasons for employing SSL decryption are varied, but better security is definitely one of the pros of SSL decryption. This technique provides the enterprise with a better handle on exactly what data is leaving the network. Are your employees disclosing proprietary information or important company financials to outside sources? What about the sensitive information of important third-party partners? It's easy to see how this technique could provide much value for security professionals, since it prevents the use of encryption to obfuscate exfiltration of sensitive data.
The yin to this SSL yang is really twofold. First, what about privacy? If an organization chooses to utilize SSL decryption, it runs the risk of alienating a significant chunk of the workforce. If an employee happens to be checking his or her personal email or bank account information, he or she may find it disturbing that they could at any moment trigger a firewall incident due to some poorly chosen keywords. So a certain expectation of privacy for the end user is relinquished when SSL decryption is implemented, because innocent bystanders who have no interest in revealing sensitive corporate information may have their network traffic monitored as a result of inadvertently triggering the firewall. Also, SSL decryption tends to place a heavy strain on network resources, since it typically results in a bottleneck.
If an organization has sensitive, proprietary data that its employees can routinely access, I would recommend implementing SSL decryption. However, you must ensure that a splash page or some other disclaimer is prominently displayed that details exactly what end users are subjecting themselves to should they choose to access SSL data that resides outside the corporate network.
This was first published in April 2013
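Added example, not part of the original answer or any vendor's product: a small Python decryption-policy evaluator showing how an inspecting proxy can limit the privacy problem described above (bypassing financial, health and personal-email destinations) while still decrypting the categories where data leakage is the concern. It also captures a caveat the interception design implies: because the end user never sees the real server certificate, the proxy must itself reject upstream certificates that the browser would have rejected. The category map, bypass list and hostnames are constructed placeholders.

```python
# Added example: outbound TLS inspection policy. Category map, bypass list
# and hostnames are constructed; a real proxy uses its own category feed.
from dataclasses import dataclass

# Constructed map of domain suffix -> category.
CATEGORIES = {
    "mybank.example": "financial",
    "clinic.example": "health",
    "webmail.example": "personal-email",
    "pastebin.example": "file-sharing",
    "partner.example": "business",
}

# Categories that are never decrypted, to limit the privacy impact.
PRIVACY_EXEMPT = {"financial", "health", "personal-email"}

# Constructed list of destinations whose clients pin certificates and would
# break behind an interception CA; these are passed through uninspected.
PINNED_BYPASS = {"updates.vendor.example"}


@dataclass(frozen=True)
class Decision:
    action: str        # "decrypt", "bypass" or "block"
    reason: str
    inspect_content: bool  # True only when the session is decrypted


def category_for(host: str) -> str:
    """Classify host by longest matching domain suffix, else 'uncategorized'."""
    parts = host.lower().split(".")
    for i in range(len(parts)):
        cat = CATEGORIES.get(".".join(parts[i:]))
        if cat:
            return cat
    return "uncategorized"


def decide(host: str, upstream_chain_valid: bool) -> Decision:
    """Decide how the proxy handles an outbound TLS connection to host.

    upstream_chain_valid is the proxy's own verification of the real server
    certificate. The user only ever sees the proxy's certificate, so the
    proxy has to refuse what the browser would have refused.
    """
    if host.lower() in PINNED_BYPASS:
        return Decision("bypass", "pinned client; inspection would break it", False)
    cat = category_for(host)
    if cat in PRIVACY_EXEMPT:
        return Decision("bypass", f"privacy-exempt category: {cat}", False)
    if not upstream_chain_valid:
        return Decision("block", "upstream certificate failed validation", False)
    return Decision("decrypt", f"category {cat} subject to DLP inspection", True)
```

The bypass decisions are what the splash page should describe to users: which destinations are inspected and which are deliberately left alone.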