Decryption Overview
The Secure Sockets Layer (SSL) and Secure Shell (SSH) encryption protocols secure traffic between two entities, such as a web server and a client. SSL and SSH encapsulate traffic, encrypting data so that it is meaningless to entities other than the client and server, which hold the certificates to affirm trust between the devices and the keys to decode the data. Decrypt SSL and SSH traffic to:
- Prevent malware concealed as encrypted traffic from being introduced into your network. For example, an attacker compromises a website that uses SSL encryption. Employees visit that website and unknowingly download an exploit or malware. The malware then uses the infected employee endpoint to move laterally through the network and compromise other systems.
- Prevent sensitive information from moving outside the network.
- Ensure the appropriate applications are running on a secure network.
- Selectively decrypt traffic; for example, create a Decryption policy and profile to exclude traffic for financial or healthcare sites from decryption.
Palo Alto Networks firewall decryption is policy-based, and can
decrypt, inspect, and control inbound and outbound SSL and SSH connections.
A Decryption policy enables you to specify traffic to decrypt by
destination, source, service, or URL category, and to block, restrict,
or forward the specified traffic according to the security settings
in the associated Decryption profile. A Decryption profile controls
SSL protocols, certificate verification, and failure checks to prevent
traffic that uses weak algorithms or unsupported modes from accessing
the network. The firewall uses certificates and keys to decrypt
traffic to plaintext, and then enforces App-ID and security settings
on the plaintext traffic, including Decryption, Antivirus, Vulnerability,
Anti-Spyware, URL Filtering, WildFire, and File-Blocking profiles.
After decrypting and inspecting traffic, the firewall re-encrypts
the plaintext traffic as it exits the firewall to ensure privacy
and security.
The firewall provides three types of Decryption policy rules: SSL Forward Proxy to control outbound SSL traffic, SSL Inbound Inspection to control inbound SSL traffic, and SSH Proxy to control tunneled SSH traffic. You can attach a Decryption profile to a policy rule to apply granular access settings to traffic, such as checks for server certificates, unsupported modes, and failures.
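As an added configuration example (not from this page or from the PAN-OS documentation), the following PAN-OS `set`-format CLI commands build a Decryption profile that blocks weak protocol versions, weak ciphers, and failed certificate checks, then define a no-decrypt rule for financial and healthcare URL categories ordered above a catch-all SSL Forward Proxy decrypt rule. The zone names, rule names and profile name are placeholders, and the option names are assumed from PAN-OS CLI syntax and should be verified against your PAN-OS version.

```text
# Run from configuration mode (enter it with: configure)

# Decryption profile: reject sessions that use weak algorithms or fail certificate checks
set profiles decryption strict-fwd-proxy ssl-protocol-settings min-version tls1-2
set profiles decryption strict-fwd-proxy ssl-protocol-settings max-version max
set profiles decryption strict-fwd-proxy ssl-protocol-settings enc-algo-rc4 no
set profiles decryption strict-fwd-proxy ssl-protocol-settings enc-algo-3des no
set profiles decryption strict-fwd-proxy ssl-protocol-settings auth-algo-sha1 no
set profiles decryption strict-fwd-proxy ssl-forward-proxy block-expired-certificate yes
set profiles decryption strict-fwd-proxy ssl-forward-proxy block-untrusted-issuer yes
set profiles decryption strict-fwd-proxy ssl-forward-proxy block-unknown-cert yes
set profiles decryption strict-fwd-proxy ssl-forward-proxy block-unsupported-version yes
set profiles decryption strict-fwd-proxy ssl-forward-proxy block-unsupported-cipher yes

# Rule 1 (must be evaluated first): leave financial and healthcare sites encrypted
set rulebase decryption rules no-decrypt-sensitive from trust
set rulebase decryption rules no-decrypt-sensitive to untrust
set rulebase decryption rules no-decrypt-sensitive source any
set rulebase decryption rules no-decrypt-sensitive destination any
set rulebase decryption rules no-decrypt-sensitive service any
set rulebase decryption rules no-decrypt-sensitive category [ financial-services health-and-medicine ]
set rulebase decryption rules no-decrypt-sensitive action no-decrypt
set rulebase decryption rules no-decrypt-sensitive type ssl-forward-proxy

# Rule 2: decrypt all other outbound SSL traffic and enforce the strict profile on it
set rulebase decryption rules decrypt-outbound from trust
set rulebase decryption rules decrypt-outbound to untrust
set rulebase decryption rules decrypt-outbound source any
set rulebase decryption rules decrypt-outbound destination any
set rulebase decryption rules decrypt-outbound service any
set rulebase decryption rules decrypt-outbound category any
set rulebase decryption rules decrypt-outbound action decrypt
set rulebase decryption rules decrypt-outbound type ssl-forward-proxy
set rulebase decryption rules decrypt-outbound profile strict-fwd-proxy

# Rules match top-down, so make sure the exclusion sits above the catch-all decrypt rule
move rulebase decryption rules no-decrypt-sensitive top
commit
```

Because the firewall evaluates Decryption rules top-down, the `move ... top` step is what guarantees the exclusion takes effect; if the catch-all rule were first, the sensitive categories would be decrypted anyway.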
SSL decryption (both forward proxy and inbound inspection) requires
certificates to establish the firewall as a trusted third party,
and to establish trust between a client and a server to secure an
SSL/TLS connection. You can also use certificates when excluding
servers from SSL decryption for technical reasons (the site breaks decryption
for reasons such as certificate pinning, unsupported ciphers, or
mutual authentication). SSH decryption does not require certificates.
You can integrate a hardware security module (HSM) with a firewall to enable enhanced security for the private keys used in SSL forward proxy and SSL inbound inspection decryption. To learn more about storing and generating keys using an HSM and integrating an HSM with your firewall, see Secure Keys with a Hardware Security Module.
You can also use Decryption Mirroring to forward decrypted traffic as plaintext to a third-party solution for additional analysis and archiving. If you enable Decryption mirroring, be aware of local laws and regulations about what traffic you can mirror and where and how you can store the traffic, because all mirrored traffic, including sensitive information, is forwarded in cleartext.