The use of encryption for all network applications is growing rapidly. When traffic is encrypted, the Palo Alto Networks firewall loses visibility into packet contents, thus making Content-ID impossible. Because of this lack of visibility, malware might be able to pass unchallenged to an endpoint, at which point it is decrypted and able to attack. Decryption policies maximize the firewall’s visibility into packet content to allow for content inspection.
Decryption
The Secure Sockets Layer (SSL) and Secure Shell (SSH) encryption protocols secure traffic between two
entities, such as a web server and a client. SSL encapsulates traffic, encrypting data so that it is meaningless to entities other than the client and server with the certificates to affirm trust between the devices and the keys to decode the data. (SSH does not use certificates to encrypt or decrypt traffic.) Decrypt SSL and SSH traffic to accomplish the following:
- Prevent malware concealed as encrypted traffic from being introduced into your network. For example, an attacker compromises a website that uses SSL encryption. Employees visit that website and unknowingly download an exploit or malware. The malware then uses the infected employee endpoint to move laterally through the network and compromise other systems.
- Prevent sensitive information from moving outside the network
- Ensure the appropriate applications are running on a secure network
- Selectively decrypt traffic; for example, create a Decryption policy and profile to exclude traffic for financial or healthcare sites from decryption.
Palo Alto Networks firewall decryption is policy-based and can decrypt, inspect, and control inbound and
outbound SSL and SSH connections.
The firewall provides three types of Decryption policy rules: SSL Forward Proxy to control outbound SSL
traffic, SSL Inbound Inspection to control inbound SSL traffic, and SSH Proxy to control tunneled SSH traffic. You can attach a Decryption profile to a policy rule to apply granular access settings to traffic, such as checks for server certificates, unsupported modes, and failures. SSL decryption (both forward proxy and inbound inspection) requires certificates to establish the firewall as a trusted third party, and to establish trust between a client and a server to secure an SSL/TLS connection.
Keys and Certificates
Encryption technology uses keys to transform cleartext strings into ciphertext. These keys are generated
using passwords and other shared secrets. Palo Alto Networks firewalls decrypt encrypted traffic by using the keys to transform encrypted strings into cleartext and then enforces App-ID and security settings on the plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, and File Blocking profiles. You can integrate a hardware security module (HSM) with a firewall to enable enhanced security for the private keys used in SSL Forward Proxy and SSL Inbound Inspection decryption.
After traffic is decrypted and inspected on the firewall, the plaintext traffic is re-encrypted as it exits the
firewall to ensure privacy and security.
Decryption Exclusions
In some cases it is required not to decrypt traffic. You can exclude two types of traffic from decryption:
- Traffic that breaks decryption for technical reasons, such as using a pinned certificate, an incomplete certificate chain, unsupported ciphers, or mutual authentication (decrypting blocks the traffic). Palo Alto Networks provides a predefined SSL Decryption Exclusion list (Device>>Certificate management>>SSL Decryption Exclusion) that excludes hosts with applications and services that are known to break decryption technically from SSL Decryption by default. If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to list manually by server hostname. The firewall blocks sites whose applications and services break decryption technically unless you add them to the SSL Decryption Exclusion list.
- Traffic that you choose not to decrypt because of business, regulatory, personal, or other reasons, such as financial-services, health-and-medicine, or government traffic. You can choose to exclude traffic based on source, destination, URL category, and service.
Hardware of enabling decryption
PAN-OS can decrypt and inspect inbound and outbound SSL connections going through a Palo Alto Networks firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2, or Layer 3 mode by using the SSL rule base to configure which traffic to decrypt. In particular, decryption can be based upon URL categories, source users, and source/destination IP addresses. Once traffic is decrypted, tunneled applications can be detected and controlled, and the decrypted data can be inspected for threats, URL filtering, file blocking, or data filtering. Decrypted traffic can also be sent off the device by using a Decryption Port mirror.