The pros and cons of SSL decryption for enterprise network monitoring

My organization wants to keep watch over outbound network traffic to make sure that valuable IP isn't leaking out, so we're considering SSL decryption. Could you walk through some pros and cons? Ultimately, is this a viable technique or should we consider other options?

The concept of SSL decryption has been around for quite some time, but it is usually carried out by attackers as a man-in-the-middle (MITM) attack; enterprise SSL decryption is the same mechanism applied deliberately, by the organization, on its own network, and it has steadily picked up steam recently. When an end user inside the local area network connects to an SSL-protected server from a Web browser, the server responds with its certificate, which carries the server's public key and is signed by a certificate authority (CA). The browser checks that signature against its list of trusted CAs and checks that the certificate's name matches the host it asked for; if both checks pass, the two sides agree on session keys and the encrypted session begins. With SSL decryption, a firewall or proxy in the path intercepts the browser's connection and opens its own SSL session to the real server, verifying the server's certificate just as a browser would. Toward the browser it presents a certificate that it mints on the fly for that hostname, signed by an enterprise CA that the organization has pushed into the trust store of every managed endpoint. Because the browser trusts that CA, it accepts the substitute certificate without a warning, and the firewall sits in the middle holding plaintext: it decrypts what the user sends, inspects it, and re-encrypts it toward the server. The server sees only the firewall's connection and the user sees the usual padlock, so the process is transparent to both. The transparency depends entirely on that enterprise CA: an endpoint that never received it gets a certificate warning on every intercepted site, and an application that pins the real server's key rather than consulting the trust store fails to connect at all.
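The trust relationships described above, as an added example that is not part of the original answer or of any vendor's product: a small Go program builds a constructed public CA with a "real" server certificate, and a constructed enterprise decryption CA that mints a substitute certificate for the same hostname, then runs the same verification a browser runs. It shows that the substitute is rejected by a client that trusts only the public CA, accepted once the enterprise CA is in the trust store, and still rejected by a client that pins the real server's public key. The hostname "mail.example.com" and the CA names are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template returns a one-day certificate template: CAs get signing constraints, leaves get a SAN.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert generates a P-256 key and issues a certificate for it: self-signed
// (a root CA) when parent is nil, otherwise signed by parentKey.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only the system RNG can fail here; a demo has nothing to recover
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Interception holds the public CA and real server cert a browser normally sees,
// plus the enterprise CA and the substitute leaf the firewall mints for the same host.
type Interception struct {
	PublicCA, RealLeaf, EnterpriseCA, ForgedLeaf *x509.Certificate
}

// Setup builds that PKI for one host. All names here are constructed for the demo.
func Setup(host string) *Interception {
	publicCA, publicKey := newCert(template("Public Root CA (constructed)", 1, true), nil, nil)
	realLeaf, _ := newCert(template(host, 2, false), publicCA, publicKey)
	entCA, entKey := newCert(template("Example Corp SSL Decryption CA (constructed)", 3, true), nil, nil)
	forged, _ := newCert(template(host, 4, false), entCA, entKey)
	return &Interception{publicCA, realLeaf, entCA, forged}
}

// Trusts is the check a browser makes (and the check the firewall must make on
// its own upstream leg): does leaf chain to one of roots and name host?
func Trusts(roots []*x509.Certificate, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// PinMatches is a client-side SPKI pin: SHA-256 of the presented public key must
// equal the pinned one. It ignores the trust store, so a pinned app fails under
// interception even on an endpoint that trusts the enterprise CA.
func PinMatches(pinned, presented *x509.Certificate) bool {
	return sha256.Sum256(pinned.RawSubjectPublicKeyInfo) == sha256.Sum256(presented.RawSubjectPublicKeyInfo)
}

func main() {
	const host = "mail.example.com" // constructed hostname
	in := Setup(host)
	public := []*x509.Certificate{in.PublicCA}
	managed := []*x509.Certificate{in.PublicCA, in.EnterpriseCA}
	fmt.Println("unmanaged browser, forged cert:", Trusts(public, in.ForgedLeaf, host))
	fmt.Println("managed browser, forged cert:  ", Trusts(managed, in.ForgedLeaf, host))
	fmt.Println("pinned app, forged cert:       ", PinMatches(in.RealLeaf, in.ForgedLeaf))
}
```

The first line of output is an x509 "certificate signed by unknown authority" error, which is exactly the warning page an unmanaged laptop or guest device sees behind a decrypting firewall; the second is nil; the third is false. The same Trusts call is what the firewall has to run against the public roots on its upstream leg before it mints a substitute, and that check is where a careless deployment can silently turn a revoked or mismatched server certificate into a trusted one.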

The reasons for employing SSL decryption are varied, but visibility, and through it better security, is definitely one of the pros. This technique gives the enterprise a much better handle on exactly what data is leaving the network: without it, a data loss prevention (DLP) system or content filter sees only that a workstation opened an encrypted connection to some webmail or file-sharing host on port 443; with it, the filter sees the request itself and can match the attached spreadsheet or pasted source code against policy. Are your employees disclosing proprietary information or important company financials to outside sources? What about the sensitive information of important third-party partners? It is easy to see how this technique could provide much value for security professionals, since it takes away encryption as a way to hide the exfiltration of sensitive data from the monitoring tools. It does not catch everything, though: a user who encrypts or password-protects a file before uploading it, or who uses a channel the firewall does not intercept, still gets past keyword inspection.

The yin to this SSL yang is really twofold. First, what about privacy? If an organization chooses to utilize SSL decryption, it runs the risk of alienating a significant chunk of the workforce. An employee who happens to be checking his or her personal email or bank account may find it disturbing that a few poorly chosen words could at any moment trigger a firewall incident and put that traffic in front of an analyst. So a certain expectation of privacy is relinquished when SSL decryption is implemented, because innocent bystanders who have no interest in revealing sensitive corporate information may have their network traffic monitored after inadvertently triggering the firewall. Deployments commonly soften this by exempting categories such as online banking, health care and personal webmail from decryption, but every exemption is also a blind spot that an insider can use. Second, SSL decryption places a heavy strain on network resources: terminating, inspecting and re-encrypting every session costs far more than forwarding packets, so the decrypting device tends to become a bottleneck and has to be sized for peak encrypted throughput rather than the average. A related point that is easy to overlook: once the firewall is the party that validates server certificates, its checks must be at least as strict as the browsers it replaces (an expired, revoked or mismatched upstream certificate must still fail rather than be quietly re-signed for the user), and the private key of the enterprise CA has to be guarded like any other crown jewel, since whoever holds it can impersonate any site to every managed endpoint.

If an organization has sensitive, proprietary data that its employees can routinely access, I would recommend implementing SSL decryption. However, you must ensure that a splash page or some other disclaimer is prominently displayed that details exactly what end users are subjecting themselves to should they choose to access SSL data that resides outside the corporate network.

This was first published in April 2013
