How to Decrypt Data Center Traffic
Use SSL Decryption to inspect all encrypted network traffic and make hidden threats visible.
You can’t protect your network against threats you can’t see. Decrypting traffic to expose malware is critical because more than 60 percent of a typical network’s traffic is encrypted and the percentage is rising. Gartner predicts that through 2019, more than 80 percent of enterprise web traffic will be encrypted, and during 2019, more than 50 percent of new malware campaigns will use various forms of encryption and obfuscation to conceal delivery and ongoing communications, including data exfiltration.
To expose encrypted applications and threats, position physical or virtual next-generation firewalls so they see all data center traffic. The best practice is to decrypt all the traffic you can, especially high-risk traffic categories and traffic destined for critical servers. Decrypting traffic correctly identifies it so that the firewall can apply antivirus, vulnerability protection, WildFire, and other protections appropriately.
To apply decryption to traffic, create decryption profiles that specify how to handle SSL and SSH traffic and traffic that you choose not to or can’t decrypt. Decryption profiles enable you to set the allowed algorithms, modes, and session characteristics for traffic. You apply Decryption profiles to Decryption policy rules, which specify the traffic to which the firewall applies the Decryption profiles.
The firewall supports two types of SSL/TLS decryption and SSH decryption:
Within the data center, decrypt as much east-west traffic as possible. If performance considerations due to incorrect firewall sizing prevent you from decrypting all traffic, prioritize the most critical servers, the highest risk traffic categories, and less trusted segments and IP subnets, and decrypt as much traffic as you can while retaining acceptable performance. Key questions to ask are: “What happens if this server is compromised?”, “How much risk does each category of traffic represent?”, and “How much risk am I willing to take in relation to the level of performance I want to achieve inside the data center?”
For traffic flowing from the data center to the internet, decrypt everything except traffic for which you must make exceptions. Decryption’s visibility is especially important because you don’t want servers in the data center to connect to malicious sites, transfer malicious files, or be vulnerable to malware downloads.
When you plan your decryption policy, consider your company’s security compliance rules and positions. For traffic from users to the data center, although a tight Decryption policy may initially cause a few complaints, those complaints can draw your attention to unsanctioned or undesirable websites that are blocked because they use weak algorithms or have certificate issues. Use complaints as a tool to better understand the traffic on your network.
Decrypting traffic consumes firewall resources. The amount of traffic to decrypt varies with each data center. When sizing the firewall deployment to maintain acceptable performance while supporting decryption, take into account the amount of traffic you expect to decrypt (some applications must be decrypted while other applications aren’t encrypted and don’t need to be decrypted), the decryption cipher (stronger, more complex ciphers require more processing power to decrypt), the size of the keys (larger keys consume more decryption resources), the type of key exchange (for example, RSA key exchanges consume more processing resources than PFS keys), and the capacity of the firewalls. Work with your Palo Alto Networks sales team and representatives to size the firewall deployment appropriately for your particular network so that you can decrypt traffic and expose threats.
Companies with businesses such as banking that require extremely strong security for their private keys can use a third-party hardware security module (HSM) to safeguard and manage the company’s private key instead of storing it on the firewall.