How to Decrypt Data Center Traffic
9.1 (EoL)
Use SSL Decryption to inspect all encrypted network traffic
and make hidden threats visible.
You can’t protect your network against threats you can’t
see. Decrypting traffic to expose malware is critical because
more than 60 percent of a typical network’s traffic is encrypted,
and the percentage is rising. At the time this guide was written,
Gartner predicted that through 2019 more than 80 percent of
enterprise web traffic would be encrypted, and that during 2019
more than 50 percent of new malware campaigns would use various
forms of encryption and obfuscation to conceal delivery and ongoing
command-and-control communications, including data exfiltration.
To expose encrypted applications and threats, position physical
or virtual next-generation firewalls so that they see all data center
traffic. The best practice is to decrypt all the traffic you can,
especially high-risk traffic categories and traffic destined for
critical servers. Decryption lets the firewall correctly identify
the application and the content it carries, so that it can apply
Antivirus, Vulnerability Protection, WildFire analysis, and the other
Security profiles appropriately. Encrypted traffic that is not
decrypted can only be controlled by what is visible in the handshake
and the connection metadata.
To apply decryption to traffic, create Decryption profiles that
specify how to handle SSL/TLS and SSH traffic, including traffic that
you choose not to decrypt and traffic the firewall can’t decrypt (for
example, sessions that require client certificate authentication or
that use certificate pinning). A Decryption profile sets the allowed
protocol versions, algorithms, modes, and session characteristics
for traffic, and whether to block or allow sessions with problems
such as expired certificates, untrusted issuers, or unsupported
cipher suites. You attach Decryption profiles to Decryption policy
rules, which specify the traffic (zones, sources, destinations, URL
categories, and services) to which the firewall applies the profile.
The firewall supports two types of SSL/TLS decryption and SSH
decryption:
- SSL Forward Proxy, for outbound sessions from internal clients or
data center servers to external servers. The firewall acts as a
trusted intermediary: it terminates the session, inspects it, and
re-signs the server certificate with the firewall’s forward trust
certificate (or forward untrust certificate if the original issuer is
not trusted) so the client sees the correct trust decision.
- SSL Inbound Inspection, for inbound sessions to your own servers.
You install the server certificate and private key on the firewall,
so the firewall can decrypt the traffic without changing the
certificate chain the client sees.
- SSH Proxy, which decrypts SSH sessions so the firewall can identify
and control SSH tunneling and port forwarding, not just the shell.
Within the data center, decrypt as much east-west traffic as
possible. If performance limits (for example, a firewall deployment
that was sized without decryption in mind) prevent you from decrypting
all traffic, prioritize the most critical servers, the highest-risk
traffic categories, and the less trusted segments and IP subnets, and
decrypt as much traffic as you can while retaining acceptable
performance. Key questions to ask are: “What happens if this server
is compromised?”, “How much risk does each category of traffic
represent?”, and “How much risk am I willing to take in relation to
the level of performance I want to achieve inside the data center?”
For traffic flowing from the data center to the internet, decrypt
everything except the traffic for which you must make exceptions.
Visibility into this outbound traffic is especially important because
you don’t want servers in the data center to connect to malicious
sites, transfer malicious files, or download malware.
When you plan your Decryption policy, take your company’s
compliance requirements and security posture into account. For traffic
from users to the data center, a tight Decryption policy may initially
cause a few complaints, but those complaints draw your attention to
unsanctioned or undesirable sites and applications that are blocked
because they use weak algorithms or have certificate issues. Use
complaints as a tool to better understand the traffic on your network.
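The following model, added here as an illustration and not Palo Alto Networks code or PAN-OS syntax, shows how the settings of a Decryption profile (allowed versions and algorithms, and the block-or-allow choices for sessions the firewall can’t or won’t decrypt) translate into a per-session decision of decrypt, block, or pass through undecrypted, and how the blocked list becomes the “complaints” that point you at weak-algorithm or bad-certificate destinations. The profile field names, session fields, and sample sessions are constructed assumptions; a real firewall derives the session fields from the TLS handshake it observes.

```python
"""Added example (not PAN-OS code): a minimal model of how a Decryption
profile decides the fate of each TLS session. Field names, actions and
sample sessions are constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

TLS_ORDER = {"TLS1.0": 0, "TLS1.1": 1, "TLS1.2": 2, "TLS1.3": 3}


@dataclass(frozen=True)
class DecryptionProfile:
    """Hypothetical profile: allowed algorithms, and whether to block or
    pass through sessions that fail a check or cannot be decrypted."""
    min_version: str = "TLS1.2"
    blocked_cipher_tokens: frozenset = frozenset(
        {"RC4", "3DES", "DES", "NULL", "EXPORT", "MD5"})
    min_rsa_bits: int = 2048
    block_unsupported_version: bool = True
    block_unsupported_cipher: bool = True
    block_expired_cert: bool = True
    block_untrusted_issuer: bool = True
    block_client_cert_auth: bool = False  # mutual TLS can't be proxied


@dataclass(frozen=True)
class TlsSession:
    """Constructed handshake observation (not a real capture)."""
    dst: str
    version: str
    cipher: str            # OpenSSL/IANA style suite name
    server_key_bits: int
    cert_expired: bool = False
    issuer_trusted: bool = True
    client_cert_requested: bool = False


def evaluate(profile: DecryptionProfile, s: TlsSession) -> Tuple[str, str]:
    """Return (action, reason); action is 'decrypt', 'block' or 'no-decrypt'.

    Order matters: a session that cannot be decrypted at all is settled
    first, then algorithm policy, then certificate checks (which only
    apply once the firewall is proxying and can see the server cert)."""
    if s.client_cert_requested:
        action = "block" if profile.block_client_cert_auth else "no-decrypt"
        return action, "client certificate authentication (cannot decrypt)"
    if TLS_ORDER[s.version] < TLS_ORDER[profile.min_version]:
        action = "block" if profile.block_unsupported_version else "no-decrypt"
        return action, f"{s.version} below minimum {profile.min_version}"
    tokens = set(re.split(r"[-_]", s.cipher.upper()))
    weak = sorted(tokens & profile.blocked_cipher_tokens)
    if weak or s.server_key_bits < profile.min_rsa_bits:
        why = (f"weak cipher {'/'.join(weak)}" if weak
               else f"{s.server_key_bits}-bit server key")
        action = "block" if profile.block_unsupported_cipher else "no-decrypt"
        return action, why
    if s.cert_expired and profile.block_expired_cert:
        return "block", "expired server certificate"
    if not s.issuer_trusted and profile.block_untrusted_issuer:
        return "block", "untrusted issuer"
    # Forward proxy would still decrypt here; an untrusted issuer is
    # surfaced to the client via the forward untrust certificate.
    return "decrypt", "ok"


def apply_profile(profile: DecryptionProfile,
                  sessions: List[TlsSession]) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Run every session through the profile. Returns per-action counts and
    the (destination, reason) list that user complaints would surface."""
    counts: Counter = Counter()
    blocked: List[Tuple[str, str]] = []
    for s in sessions:
        action, reason = evaluate(profile, s)
        counts[action] += 1
        if action == "block":
            blocked.append((s.dst, reason))
    return dict(counts), blocked


SAMPLE_SESSIONS = [  # constructed sample traffic, user-to-data-center
    TlsSession("crm.example.internal", "TLS1.2", "ECDHE-RSA-AES256-GCM-SHA384", 2048),
    TlsSession("payroll.example.internal", "TLS1.3", "TLS_AES_128_GCM_SHA256", 3072),
    TlsSession("legacy-hr.example.internal", "TLS1.0", "AES128-SHA", 1024),
    TlsSession("filetransfer.example.internal", "TLS1.2", "RC4-SHA", 2048),
    TlsSession("selfsigned.example.internal", "TLS1.2", "ECDHE-RSA-AES128-GCM-SHA256",
               2048, issuer_trusted=False),
    TlsSession("partner-api.example.net", "TLS1.2", "ECDHE-RSA-AES256-GCM-SHA384",
               2048, client_cert_requested=True),
]

if __name__ == "__main__":
    counts, blocked = apply_profile(DecryptionProfile(), SAMPLE_SESSIONS)
    print(counts)
    for dst, reason in blocked:
        print(f"blocked {dst}: {reason}")
```

With the default (strict) profile the model decrypts two sessions, blocks three (an obsolete TLS 1.0 server, an RC4 suite, and a self-signed certificate), and passes the mutual-TLS partner API through undecrypted. Loosening the version and cipher checks turns the first two blocks into undecrypted pass-through, which is exactly the trade the text describes: fewer complaints, but less visibility into the riskiest sessions.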
Decrypting traffic consumes firewall resources, and the amount
of traffic to decrypt varies with each data center. When sizing
the firewall deployment to maintain acceptable performance while
supporting decryption, take into account the amount of traffic you
expect to decrypt (not all traffic is encrypted, and you will exclude
some encrypted traffic from decryption), the cipher (stronger, more
complex ciphers require more processing power), the size of the keys
(larger keys consume more decryption resources), the type of key
exchange (for example, perfect forward secrecy key exchanges such as
ECDHE and DHE, which generate fresh ephemeral keys for every session,
consume more processing resources than RSA key exchange), and the
capacity of the firewalls. Work with your Palo Alto Networks sales
team and representatives to size the firewall deployment appropriately
for your particular network so that you can decrypt traffic and expose
threats.
Companies in industries such as banking that require extremely
strong protection for their private keys can use a third-party
hardware security module (HSM) to store and manage the private keys
the firewall uses for decryption, instead of storing them on the
firewall itself.