End-of-Life (EoL)

How to Decrypt Data Center Traffic

Use Decryption to inspect all encrypted network traffic and make hidden threats visible.
You can’t protect your network against threats you can’t see and inspect. Decrypting traffic to expose malware is critical because the majority of a typical network’s traffic is encrypted and the amount is rising. A larger and larger percentage of malware campaigns that conceal network intrusions, install command-and-control malware, and exfiltrate data use encryption as well.
To expose encrypted applications and threats, position physical or virtual next-generation firewalls so that they see all data center traffic. Decrypt all the traffic you can, especially high-risk traffic categories, traffic destined for critical servers, and business-critical traffic. Decrypting traffic identifies that traffic so that the firewall can apply antivirus, vulnerability protection, WildFire, and other threat protections appropriately.
To apply decryption to traffic, create decryption profiles that specify how to handle TLS and SSH traffic and traffic that you choose not to or can’t decrypt. Decryption profiles set the allowed protocols, algorithms, modes, and session characteristics for traffic. You apply Decryption profiles to Decryption policy rules, which specify the traffic to which the firewall applies the Decryption profiles.
The firewall supports two types of SSL/TLS decryption and SSH decryption:
Within the data center, decrypt as much east-west traffic as possible. If performance considerations due to incorrect firewall sizing prevent you from decrypting all traffic, prioritize the most critical servers, the highest risk traffic categories, and less trusted segments and IP subnets, and decrypt as much traffic as you can while retaining acceptable performance. Key questions to ask are: “What happens if this server is compromised?”, “How much risk does each category of traffic represent?”, and “How much risk am I willing to take in relation to the level of performance I want to achieve inside the data center?”
For traffic flowing from the data center to the internet, decrypt everything except traffic for which you must make exceptions. The visibility that decryption provides is especially important because you don’t want servers in the data center to connect to malicious sites, transfer malicious files, or be vulnerable to malware downloads.
When you plan your decryption policy, consider your company’s security compliance rules and positions. For traffic from users to the data center, although a tight Decryption policy may initially cause a few complaints, those complaints can draw your attention to unsanctioned or undesirable websites that are blocked because they use weak algorithms or have certificate issues. Use complaints as a tool to better understand the traffic on your network.
In addition, enable Decryption logging in Decryption policies and if resources allow, log both successful and unsuccessful SSL handshakes. Take advantage of all of the Decryption monitoring and troubleshooting tools to examine your deployment and refine your policies and profiles.
Decrypting traffic consumes firewall resources. The amount of traffic to decrypt varies with each data center. When sizing the firewall deployment to maintain acceptable performance while supporting decryption, take into account the amount of traffic you expect to decrypt (some applications must be decrypted while other applications aren’t encrypted and don’t need to be decrypted), the decryption cipher (stronger, more complex ciphers require more processing power to decrypt), the size of the keys (larger keys consume more decryption resources), the type of key exchange (for example, RSA key exchanges consume more processing resources than PFS keys), and the capacity of the firewalls. Work with your Palo Alto Networks sales team and representatives to size the firewall deployment appropriately for your particular network so that you can decrypt traffic and expose threats.
Companies with businesses such as banking that require extremely strong security for their private keys can use a third-party hardware security module (HSM) to safeguard and manage the company’s private key instead of storing it on the firewall.

Recommended For You