SSL Decryption

Jun 07, 2022

SSL/TLS is an encryption technology used to encrypt end-to-end communication, meaning that when you visit https://anz.co.nz, the connection from your PC to the server hosting the ANZ website is encrypted and secure, hence HTTPS is “Hypertext Transfer Protocol Secure”. If anyone managed to intercept the traffic (also called a man-in-the-middle attack), they would need the keys to decrypt the data, and those keys are well protected. With over 85% of all web traffic being SSL and growing every year, SSL is an important security technology, but it also poses a problem for firewalls: since the traffic is encrypted, firewalls are unable to scan it for malicious payloads. This can be resolved by implementing SSL Decryption, or “SSL Decrypt”.

SSL Decryption works by the firewall acting as a broker between you and the remote site: it intercepts the SSL traffic, decrypts a packet, inspects it, re-encrypts it and forwards it to the destination. This mode is known as “Deep Inspection”. It does require some configuration both on the firewall and in your PKI environment, and it requires planning; it is not just a switch you can turn on, though if you run a MS Active Directory environment this does make implementation easier.

SSL Decryption isn’t without its issues. First, some websites can detect an intercept, which will block or break the website; this mechanism is called “Certificate Pinning”. To resolve this, you would need to add such websites to the “SSL Exclusion” or “SSL Bypass List”, which means SSL Decryption won’t be applied to them. Second is performance: since the firewall must run cryptographic algorithms on every SSL IP packet, this impacts the CPU and throughput of the firewall, as SSL Decrypt can’t be offloaded to hardware. The performance decrease will vary by vendor and model, so sizing of a firewall appliance with SSL decryption enabled will need to be considered; in particular, VM-based firewalls have very poor SSL decryption throughput. Thirdly is privacy: your personal information was once private but is now visible, so the question of legality is raised. Is SSL Decryption breaking the Privacy Act 2020, or does the Search and Surveillance Act 2012 allow companies to use this feature? A discussion with the correct parties within a company may be required to ensure that no laws or company policies are being broken when SSL Decryption is implemented.
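As an added example (not part of the original post or any vendor documentation), the following Python script lets an administrator verify from a client PC whether a given site is actually being re-signed by the inspection CA (and therefore inspected) or is reaching the client with its real certificate (as a site on the bypass list should). It also emulates the fingerprint comparison a pinning client performs, which shows why a re-signed certificate breaks such sites. The inspection CA common name is an assumed placeholder; replace it with the subject of your own deep-inspection certificate.

```python
"""Check whether a TLS session is being re-signed by a deep-inspection CA."""
import hashlib
import socket
import ssl

# Assumed placeholder: the commonName of the firewall's inspection CA certificate.
INSPECTION_CA_CN = "Example Corp SSL Inspection CA"


def issuer_cn(peercert):
    """Return the issuer commonName from an ssl.getpeercert() dictionary."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def classify(peercert, inspection_cn=INSPECTION_CA_CN):
    """'inspected' if the chain was re-signed by the inspection CA, else 'direct'."""
    return "inspected" if issuer_cn(peercert) == inspection_cn else "direct"


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned_sha256_hex):
    """Emulate a pinning client: compare the presented certificate's fingerprint
    with the one baked into the client. A certificate re-signed by the firewall
    never matches, so pinned sites must go on the SSL exclusion list."""
    return fingerprint(der_cert) == pinned_sha256_hex


def probe(host, port=443):
    """Connect to host and report (inspected|direct, fingerprint of cert seen).
    Uses the OS trust store, so the inspection CA must be trusted on this PC."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            peercert = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    return classify(peercert), fingerprint(der)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["www.example.com"]:
        print(host, *probe(host))
```

Run it once against a site that should be inspected and once against a site on the bypass list; the first should report `inspected`, the second `direct` with the site's real issuer.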

SSL Decryption can be hard work and is no silver bullet for cyber security. It requires planning and design to ensure that the feature works as intended and doesn’t break the existing user experience, and it requires ongoing care and feeding, as some websites just don’t like SSL Decrypt. But for all its caveats, I would consider SSL Decrypt a strong tool, as giving a firewall visibility of SSL traffic will allow NGFW features like Anti-Virus, IPS and Anti-Malware inspection to possibly stop an attack or a host being compromised.

Fortinet Cookbook (note: the cookbook uses a simple certificate deployment, which would not be recommended for large environments):

https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/122078/deep-inspection

For larger Microsoft environments, a Sub CA certificate would be recommended:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/680736/microsoft-ca-deep-packet-inspection