Back around the beginning of 2015 there was a breaking story about Gogo Inflight issuing fake SSL certificates to people visiting Google-branded sites. While I don’t intend to debate or even stir up conversation around that topic, I must say that SSL MITM is a common practice within enterprise networks. Every employee within an organization should assume that their SSL traffic is being decrypted and filtered by an IPS and other security tools. The last thing an organization wants to spend time doing is “spying” on the people it employs. However, it does have a responsibility to ensure a secure computing environment, and SSL decryption is one method of doing so.
Consider some of the facts. Gartner predicts that over 80% of network traffic will be encrypted by 2019. Any web app can redirect to an encrypted channel whether it needs to or not. In fact, I know of several blogs that automatically redirect to port 443. Why? I guess they want to protect my reading experience. At any rate, attackers are not stupid. They know the benefits of encryption, and they have adapted their techniques to hide their network communication inside encrypted sessions, where a tool that only sees the wire cannot inspect it. This leaves organizations wide open to malware and other attacks. In fact, 33% of malware is now delivered over encrypted connections. So what is an organization to do?
Well, for starters, they make use of security appliances; however, having those appliances decrypt SSL themselves causes an 88% degradation in their performance. This is big. So Gigamon, which has been known as a network tap company, is throwing its hat in the ring with an SSL decryption solution that out-performs the rest. Enter the Gigamon Visibility Platform.
Basically, the Gigamon Visibility Platform takes care of decrypting the session. It does this by acting as a MITM. A client attempts a connection to an encrypted service, for example Dropbox.com. The Gigamon Visibility Platform establishes its own session with Dropbox, and at the same time it presents the client a certificate claiming to be Dropbox, signed (hopefully) by a CA that the client trusts. This is the catch with SSL certs: anyone can send a cert and say, “Hi, I’m Dropbox.” The problem is that the public, trusted Certificate Authorities aren’t going to sign that cert unless it really is Dropbox. So how does the enterprise get around this? Easy: it signs the cert with its own CA. The clients accept it because that signing CA has been placed in their trust store, pushed to them via something like Active Directory group policy.
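To make the certificate-substitution step concrete, here is an added example (not from the original post and not Gigamon’s code) that does the same thing with the openssl command line: it creates a throwaway enterprise CA, signs a certificate that claims to be www.dropbox.com with it, and then verifies that certificate twice, once as a client that trusts the enterprise CA and once as a client that does not. The CA name, file names and temporary directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: stand up a throwaway "enterprise CA", forge a leaf for
# www.dropbox.com with it, and show that only a client that trusts that CA
# accepts the forgery. Names, paths and the CA subject are assumptions made
# for this demo; this is not Gigamon code.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The enterprise root CA. In production its certificate is what gets
#    pushed to every managed client (e.g. through Active Directory group policy).
make_enterprise_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Corp TLS Inspection CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. The forged leaf: a key the inspection box holds, wrapped in a certificate
#    that claims to be www.dropbox.com and is signed by the enterprise CA.
forge_leaf() {
  cat > "$WORK/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt             = no
[dn]
CN = www.dropbox.com
EOF
  printf 'subjectAltName=DNS:www.dropbox.com,DNS:dropbox.com\nbasicConstraints=CA:FALSE\n' \
    > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$WORK/leaf.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# 3. A managed client: trusts the enterprise CA, checks the hostname, and accepts.
verify_as_managed_client() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname www.dropbox.com \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# 4. An unmanaged client with no enterprise CA in its store: chain building
#    fails ("unable to get local issuer certificate") and the session is refused.
verify_as_unmanaged_client() {
  openssl verify -no-CAfile -no-CApath -verify_hostname www.dropbox.com \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# Who signed the forgery? Prints the issuer DN of the leaf.
forged_cert_issuer() {
  openssl x509 -in "$WORK/leaf.crt" -noout -issuer
}

make_enterprise_ca
forge_leaf
echo "forged leaf issuer: $(forged_cert_issuer)"
if verify_as_managed_client; then
  echo "managed client (trusts enterprise CA): accepts forged www.dropbox.com cert"
fi
if verify_as_unmanaged_client; then
  echo "unmanaged client: unexpectedly accepted the forgery"
else
  echo "unmanaged client (no enterprise CA): rejects forged www.dropbox.com cert"
fi
```

The same forged file is accepted by the first client and rejected by the second; the only difference is whether the enterprise CA sits in the trust store. That is the whole trick, and also its limit: an application that pins a specific certificate or public key, rather than accepting whatever the store trusts, will refuse the substituted certificate no matter what was pushed through group policy, which is why inspection deployments need bypass rules for such destinations.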
Once the Gigamon Visibility Platform has decrypted the traffic from the client, it can do what Gigamon does best: forward that traffic to a tool such as a firewall or other security appliance for inspection. You can see how combining this capability with something like Cisco FirePOWER might be handy. The tool now sees cleartext and can act on it: malware can be dealt with accordingly, and clean traffic can be sent on to the server over the session the platform holds with it.
Of course, there are other important aspects to consider. What about employees who check their bank balance, or employees who look up their health records? We’ll discuss those in another post; however, I will say that Gigamon has an ethical way of handling these scenarios. In a future post I’ll discuss the configurations that handle them.
For now I’ll leave you with a thought and a recommendation. Until we have visibility, our security tools are crippled. Would you walk into a war with a gun that’s half loaded? Likely not, but that’s what we do when we simply pass SSL traffic through the firewall without decrypting the data and doing something with it. Do we need SSL decryption? Yes. Why not find out more about the Gigamon Visibility Platform and decide for yourself if it’s the right solution for you. You can start by watching the following video, which was filmed at the Gigamon office during Network Field Day 15. Enjoy!
I attended Network Field Day 15 as a delegate, and my travel and expenses were paid for by Gestalt IT. The thoughts and opinions written here are my own, and I was not paid to write this post. Gigamon handed out some marketing material, similar to what you would get at a trade show if you visited a booth.