Network Security
Develop a Decryption Strategy
Table of Contents
Expand All
|
Collapse All
Network Security Docs
-
- Security Policy
-
- Security Profile Groups
- Security Profile: AI Security
- Security Profile: WildFire® Analysis
- Security Profile: Antivirus
- Security Profile: Vulnerability Protection
- Security Profile: Anti-Spyware
- Security Profile: DNS Security
- Security Profile: DoS Protection Profile
- Security Profile: File Blocking
- Security Profile: URL Filtering
- Security Profile: Data Filtering
- Security Profile: Zone Protection
-
- Policy Object: Address Groups
- Policy Object: Regions
- Policy Object: Traffic Objects
- Policy Object: Applications
- Policy Object: Application Groups
- Policy Object: Application Filter
- Policy Object: Services
- Policy Object: Auto-Tag Actions
- Policy Object: Devices
-
- Uses for External Dynamic Lists in Policy
- Formatting Guidelines for an External Dynamic List
- Built-in External Dynamic Lists
- Configure Your Environment to Access an External Dynamic List
- Configure your Environment to Access an External Dynamic List from the EDL Hosting Service
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Policy Object: HIP Objects
- Policy Object: Schedules
- Policy Object: Quarantine Device Lists
- Policy Object: Dynamic User Groups
- Policy Object: Custom Objects
- Policy Object: Log Forwarding
- Policy Object: Authentication
- Policy Object: Decryption Profile
- Policy Object: Packet Broker Profile
-
-
-
- The Quantum Computing Threat
- How RFC 8784 Resists Quantum Computing Threats
- How RFC 9242 and RFC 9370 Resist Quantum Computing Threats
- Support for Post-Quantum Features
- Post-Quantum Migration Planning and Preparation
- Best Practices for Resisting Post-Quantum Attacks
- Learn More About Post-Quantum Security
-
-
-
- Investigate Reasons for Decryption Failure
- Identify Weak Protocols and Cipher Suites
- Troubleshoot Version Errors
- Troubleshoot Unsupported Cipher Suites
- Identify Untrusted CA Certificates
- Repair Incomplete Certificate Chains
- Troubleshoot Pinned Certificates
- Troubleshoot Expired Certificates
- Troubleshoot Revoked Certificates
Develop a Decryption Strategy
To understand the traffic you should and shouldn't decrypt, work with invested
groups, including finance, HR, legal, and IT to ensure that you don’t decrypt sensitive
traffic.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
No separate license required for decryption when using NGFWs or
Prisma Access.
Note: The features and capabilities available to you in
Strata Cloud Manager depend on your active license(s).
|
Work with stakeholders such as legal, finance, HR, executives, security, and IT or
support personnel to develop a decryption deployment strategy. Start by getting the
required approvals to decrypt traffic to secure the corporation. Decrypting traffic
involves understanding how legal regulations and business needs affect what you can and
can’t decrypt.
Identify and prioritize the traffic you want to decrypt. Best practice is to
decrypt as much traffic as you can to gain visibility into potential threats in
encrypted traffic and prevent those threats. If incorrect NGFW
sizing prevents you from decrypting all the
traffic you want to decrypt, prioritize the most critical servers, the highest-risk
traffic categories, and less trusted segments and IP subnets. To help prioritize, ask
yourself questions such as, “What happens if this server is compromised?” and “How much
risk am I willing to take in relation to the level of performance I want to
achieve?”
Identify traffic that you can’t decrypt because the traffic breaks decryption for
technical reasons such as a pinned certificate, an incomplete certificate chain,
unsupported ciphers, or mutual authentication. Decrypting sites that break
decryption technically results in blocking that traffic. Evaluate websites that break
decryption technically and ask yourself if access to those sites is needed for business
reasons. If you don’t need access to those sites, allow decryption to block them. If
access to any of those sites is needed for business purposes, add them to the SSL Decryption Exclusion list. The SSL Decryption
Exclusion list is exclusively for sites that break decryption technically.
Identify sensitive traffic that you choose not to decrypt for legal,
regulatory, personal, or other reasons, such as financial, health, or government
traffic, or the traffic of certain executives. This is not traffic that breaks
decryption technically, so don’t use the SSL Decryption Exclusion list to exclude this
traffic from decryption. Instead, create a policy-based decryption exclusion to identify and
control traffic you choose not to decrypt and apply the no-decrypt decryption profile to
the policy rule to prevent servers with certificate issues from accessing the network.
Policy-based decryption exclusions are only for traffic you choose not to decrypt.
When planning your decryption policy, consider your company’s security compliance
rules, computer usage policy, and business goals. Strict controls can impact
user experience by preventing access to nonbusiness sites that users could previously
access (and which may be required for government or financial institutions). There is
always a tradeoff between usability, management overhead, and security. The tighter the
decryption policy, the greater the chance that a website will become unreachable, which
may result in user complaints and the need to modify the rulebase.
Use complaints as a tool to better understand the traffic on your network. Although a tight
decryption policy may initially cause a few user complaints, those complaints can
draw your attention to unsanctioned or undesirable websites that are blocked because
they use weak algorithms or have certificate issues.
Different groups of users and individuals may require different decryption policy
rules, or you may want to apply the same rules to all users. For example,
executives may be exempted from decryption policy rules that apply to other employees.
You may also want to apply different rules to employee groups, contracts, partners, and
guests. Prepare updated legal and HR computer usage policies for distribution to all
employees, contractors, partners, guests, and any other network users so that when you
roll out decryption, users understand their data can be decrypted and scanned for
threats.
How you handle guest users depends on the access they require. Isolate guests from the rest of
your network by placing them on a separate VLAN and a separate SSID for wireless
access. If guests don’t need to access your corporate network, restrict their
access. There will be no need to decrypt their traffic. If guests need to access
your corporate network, decrypt their traffic.
- Enterprises don’t control guest devices. Decrypt guest traffic and subject it to your guest Security policy rules so the NGFW inspects the traffic and prevents threats. To do this, redirect guest users through an Authentication Portal, instruct them how to download and install the CA certificate, and clearly notify guests that their traffic will be decrypted. Include this process in your company’s privacy and computer usage policy.
- Create separate decryption policy rules and Security policy rules to limit their access to the areas of your network that they need to access.
Decide which devices, websites, and applications to decrypt. Today’s networks
support not only corporate devices, but BYOD, mobile, remote-user and other devices,
including contractor, partner, and guest devices. Today’s users attempt to access many
sites, both sanctioned and unsanctioned, and you should decide how much of that traffic
you want to decrypt.
Enterprises don’t control BYOD devices. If you allow BYOD devices on your network, decrypt their
traffic and subject it to the same Security policy rules that you apply to other
network traffic so the NGFW can inspect the traffic and prevent
threats. To do this, redirect BYOD users through an Authentication Portal, instruct
them how to download and install the CA certificate, and clearly notify users that
their traffic will be decrypted. Educate BYOD users about the process and include it
in your company’s privacy and computer usage policy.
Decide what traffic to log, and investigate what traffic you can log. Be aware of
local laws regarding data logging and storage, including where you can log and store the
data. For example, local laws may prevent the logging and storing of personal
information such as health and financial data.
Decide how to handle bad certificates. For example, will you block or allow
sessions for which the certificate status is "unknown"? Understanding your approach to
bad certificates will help you configure the decryption profiles that you attach to
decryption policy rules to control the sessions you allow based on server certificate
verification status.