How to Decrypt Data Center Traffic
10.2
Use Decryption to inspect all encrypted network traffic
and make hidden threats visible.
You can’t protect your network against threats you can’t
see and inspect. Decrypting traffic to expose malware is
critical because the majority of a typical network’s traffic is
encrypted and the amount is rising. A larger and larger percentage
of malware campaigns that conceal network intrusions, install command-and-control
malware, and exfiltrate data use encryption as well.
To expose encrypted applications and threats, position physical
or virtual next-generation firewalls so that they see all data center
traffic. Decrypt all the traffic you can, especially high-risk traffic
categories, traffic destined for critical servers, and business-critical
traffic. Decrypting traffic identifies that traffic so that the
firewall can apply antivirus, vulnerability protection, WildFire,
and other threat protections appropriately.
To apply decryption to traffic, create decryption profiles that
specify how to handle TLS and SSH traffic and traffic that you choose
not to or can’t decrypt. Decryption profiles set the allowed protocols,
algorithms, modes, and session characteristics for traffic. You
apply Decryption profiles to Decryption policy rules, which specify
the traffic to which the firewall applies the Decryption profiles.
The firewall supports two types of SSL/TLS decryption and SSH
decryption:
- SSL forward proxy (outbound traffic)
- SSL inbound inspection (inbound traffic)
- SSH proxy (usually for secure access for administrators who manage network devices)
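A Decryption profile's protocol and algorithm settings decide which sessions the firewall refuses before it inspects any content. The following is an added example, not PAN-OS code: it parses a constructed TLS ServerHello record and applies two hypothetical profile settings (a minimum protocol version and a weak-algorithm block) the way such checks would be applied, including the TLS 1.3 case where the real version is carried in the supported_versions extension rather than the legacy version field.

```python
import struct

# Cipher suite IDs from the IANA TLS registry (a small sample chosen for this demo).
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def parse_server_hello(record):
    """Return (negotiated version, cipher suite) from one TLS record carrying a ServerHello."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 0x16 or hs[0] != 0x02: raise ValueError("not a ServerHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = int.from_bytes(body[0:2], "big")   # legacy_version (0x0303 even for TLS 1.3)
    pos = 2 + 32 + 1 + body[34]                   # skip server random and session_id
    suite = int.from_bytes(body[pos:pos + 2], "big")
    pos += 3                                      # cipher suite + compression method
    if pos + 2 <= len(body):                      # optional extensions block follows
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == 0x002B:                   # supported_versions: TLS 1.3 puts the real version here
                version = int.from_bytes(body[pos + 4:pos + 6], "big")
            pos += 4 + elen
    return version, suite


def evaluate(record, min_version=0x0303, block_weak=True):
    """Apply hypothetical profile settings: minimum protocol version and weak-algorithm block."""
    version, suite = parse_server_hello(record)
    name = CIPHER_SUITES.get(suite, f"unknown(0x{suite:04X})")
    if version < min_version:
        return f"block: {VERSIONS.get(version, hex(version))} is below the minimum version"
    if block_weak and any(w in name for w in ("RC4", "3DES", "_MD5")):
        return f"block: weak algorithm {name}"
    return f"allow: {VERSIONS[version]} {name}"


def build_server_hello(version, suite, selected=0):
    """Constructed ServerHello record for testing; no real server is involved."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    if selected:                                  # append a supported_versions extension
        body += struct.pack("!HHHH", 6, 0x002B, 2, selected)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0303, len(hs)) + hs
```

Run `evaluate(build_server_hello(0x0303, 0x0005))` to see a weak-cipher block, or pass `block_weak=False` to see what an unrestricted profile would let through.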
Within the data center, decrypt as much east-west traffic as
possible. If performance considerations due to incorrect firewall
sizing prevent you from decrypting all traffic, prioritize the most
critical servers, the highest risk traffic categories, and less trusted
segments and IP subnets, and decrypt as much traffic as you can
while retaining acceptable performance. Key questions to ask are:
“What happens if this server is compromised?”, “How much risk does
each category of traffic represent?”, and “How much risk am I willing
to take in relation to the level of performance I want to achieve
inside the data center?”
For traffic flowing from the data center to the internet, decrypt
everything except traffic for which you must make exceptions. The
visibility that decryption provides is especially important because
you don’t want servers in the data center to connect to malicious
sites, transfer malicious files, or be vulnerable to malware downloads.
When you plan your decryption policy, consider your company’s
security compliance rules and positions. For traffic from users
to the data center, although a tight Decryption policy may initially
cause a few complaints, those complaints can draw your attention
to unsanctioned or undesirable websites that are blocked because
they use weak algorithms or have certificate issues. Use complaints
as a tool to better understand the traffic on your network.
In addition, enable Decryption logging in Decryption policies and, if
resources allow, log both successful and unsuccessful SSL handshakes.
Take advantage of all of the Decryption monitoring and troubleshooting
tools to examine your deployment and refine your policies
and profiles.
Decrypting traffic consumes firewall resources. The amount
of traffic to decrypt varies with each data center. When sizing
the firewall deployment to maintain acceptable performance while
supporting decryption, take into account the amount of traffic you
expect to decrypt (some applications must be decrypted while other
applications aren’t encrypted and don’t need to be decrypted), the
decryption cipher (stronger, more complex ciphers require more processing
power to decrypt), the size of the keys (larger keys consume more
decryption resources), the type of key exchange (for example, RSA
key exchanges consume more processing resources than PFS keys),
and the capacity of the firewalls. Work with your Palo Alto Networks
sales team and representatives to size the firewall deployment appropriately
for your particular network so that you can decrypt traffic and
expose threats.
Companies with businesses such as banking that require extremely
strong security for their private keys can use a third-party hardware security module (HSM) to safeguard
and manage the company’s private key instead of storing it on the
firewall.