The widespread adoption of encryption began in the mid-1990s, coinciding with the rapid expansion of the internet. Before that, data was transmitted in plain text, leaving it open to interception by anyone on the path. As online activity grew and sensitive information such as passwords and financial data had to be exchanged, the need for encryption became evident.
The introduction of SSL (Secure Sockets Layer), its subsequent evolution into TLS (Transport Layer Security), and HTTPS (Hypertext Transfer Protocol Secure) marked major progress in internet security by establishing a secure layer for web communications. SSL and TLS encrypt data sent between web servers and browsers, ensuring that confidential information stays confidential and is shielded from interception.
By layering these protocols under conventional HTTP, HTTPS protects the integrity and privacy of data exchanged across the web. These technologies made the internet a far safer place, defending data integrity and privacy against evolving cyber threats.
As per recent data released by Google, around 95% of web traffic is now encrypted, underscoring the growing emphasis on data security and privacy online.

Several notable trends are reshaping the realm of internet traffic and security, as outlined in Cloudflare’s 2024 Security trend report. Half of web requests now utilize HTTP/2, with 20.5% adopting the newer HTTP/3, reflecting a slight rise from 2023. In terms of encryption, 13.0% of TLS 1.3 traffic is employing post-quantum encryption methodologies. Furthermore, there has been progress in IPv6 adoption, reaching a global adoption rate of 28.5%, led by India and Malaysia. Mobile devices constitute 41.3% of global traffic, highlighting their significance in internet usage.
Despite advancements, security concerns persist, with 6.5% of global traffic identified as potentially malicious. The United States stands out, contributing over a third of global bot traffic. The gambling and gaming industry faces the most attacks, slightly surpassing the financial sector. In email security, 4.3% of emails are labelled as malicious, often containing deceptive links and identity fraud as prominent threats.
While encryption bolsters security by safeguarding data integrity and privacy, it also presents challenges. Cybercriminals are increasingly leveraging encrypted channels to engage in malicious activities, complicating the detection and mitigation of such threats.
Cisco Secure Firewall enhances the safety of encrypted traffic by utilizing cryptographic acceleration hardware, enabling the inspection of encrypted traffic at scale.
Two recommended solutions from Cisco Secure Firewall are:
- Analysing Encrypted Dataflows
- Inspecting Decryptable Traffic
Encrypted Dataflow Analysis
TSID: TLS Server Identity Discovery
Within Cisco Secure Firewall, TLS Server Identity Discovery is used to obtain the server certificate without decrypting the handshake and payload. This matters because the server certificate is what application and URL filtering criteria in access control rules are matched against. Enabling this feature is recommended for traffic that must be matched on application or URL criteria, especially where deep inspection is required. Enabling TLS Decryption together with TLS Server Identity Discovery also improves reliability, because server certificates are correctly identified during the handshake.
EVE: Utilizing TLS Fingerprinting
Cisco Secure Firewall uses the Encrypted Visibility Engine (EVE) to identify client applications and processes, stopping threats without decryption. EVE applies AI/ML to the observable characteristics of the encrypted session (for example, how the client negotiates TLS) and assigns an EVE score reflecting the likelihood that the client process is malware. A high score can raise an Indicators of Compromise (IoC) event, block the malicious encrypted traffic, and flag the host as compromised.
This approach delivers robust protection without compromising performance.
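The fingerprinting idea behind EVE can be illustrated without any decryption: the ClientHello is sent in the clear, and its ordered cipher suites, extensions and curves form a stable signature of the client software, while the server_name extension (SNI) gives the requested host. The following is an added example, not Cisco code and not a description of EVE's internals; it builds a ClientHello inline (constructed sample bytes, zeroed random), parses it, computes a JA3-style fingerprint with GREASE values removed, and reports the highest TLS version the client actually offers (a TLS 1.3 client keeps the legacy version field at 1.2 and advertises 1.3 in supported_versions, so reading only the legacy field misclassifies it). The hostname and sample values are constructed; the cipher suite and group code points are real IANA values.

```python
"""Passive TLS ClientHello fingerprinting, JA3 style (added example, not Cisco code)."""
import hashlib
import struct

# GREASE values (RFC 8701) are random per connection and must be dropped before hashing.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

def _u16s(values):
    return b"".join(struct.pack("!H", v) for v in values)

def _u16_list(buf, start, nbytes):
    return [struct.unpack("!H", buf[i:i + 2])[0] for i in range(start, start + nbytes, 2)]

def build_client_hello(sni, ciphers, groups, versions):
    """Construct a minimal TLS ClientHello record (constructed test input only)."""
    name = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type = host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    groups_body = struct.pack("!H", len(groups) * 2) + _u16s(groups)
    versions_body = bytes([len(versions) * 2]) + _u16s(versions)
    ext = (struct.pack("!HH", 0, len(sni_body)) + sni_body                 # server_name
           + struct.pack("!HH", 10, len(groups_body)) + groups_body        # supported_groups
           + struct.pack("!HH", 11, 2) + b"\x01\x00"                       # ec_point_formats: uncompressed
           + struct.pack("!HH", 43, len(versions_body)) + versions_body)   # supported_versions
    body = (b"\x03\x03" + bytes(32)                  # legacy_version TLS 1.2 + zeroed random (constructed)
            + b"\x00"                                # empty session_id
            + struct.pack("!H", len(ciphers) * 2) + _u16s(ciphers)
            + b"\x01\x00"                            # compression_methods: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Extract the fields that JA3 and SNI matching need from a raw ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    end = 9 + int.from_bytes(record[6:9], "big")
    p = 9
    info = {"version": struct.unpack("!H", record[p:p + 2])[0], "ciphers": [], "extensions": [],
            "groups": [], "formats": [], "supported_versions": [], "sni": None}
    p += 2 + 32                                      # legacy_version + random
    p += 1 + record[p]                               # session_id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]
    info["ciphers"] = _u16_list(record, p + 2, cs_len)
    p += 2 + cs_len
    p += 1 + record[p]                               # compression_methods
    if p < end:
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            data = record[p + 4:p + 4 + elen]
            p += 4 + elen
            info["extensions"].append(etype)
            if etype == 0:                           # server_name: list_len(2) type(1) name_len(2) name
                nlen = struct.unpack("!H", data[3:5])[0]
                info["sni"] = data[5:5 + nlen].decode("ascii", "replace")
            elif etype == 10:                        # supported_groups: list_len(2) then u16 ids
                info["groups"] = _u16_list(data, 2, struct.unpack("!H", data[:2])[0])
            elif etype == 11:                        # ec_point_formats: len(1) then u8 ids
                info["formats"] = list(data[1:1 + data[0]])
            elif etype == 43:                        # supported_versions: len(1) then u16 versions
                info["supported_versions"] = _u16_list(data, 1, data[0])
    return info

def ja3(info):
    """JA3 string 'version,ciphers,extensions,groups,point_formats' (GREASE removed) and its MD5."""
    keep = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(info["version"]), keep(info["ciphers"]), keep(info["extensions"]),
                  keep(info["groups"]), keep(info["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()

def highest_offered_version(info):
    """TLS 1.3 clients keep legacy_version at 0x0303 and advertise 0x0304 in supported_versions."""
    offered = [v for v in info["supported_versions"] if v not in GREASE]
    return max(offered) if offered else info["version"]

# Constructed sample: a TLS 1.3-capable client offering GREASE, AES-GCM suites, x25519 and P-256.
SAMPLE_HELLO = build_client_hello("example.com",
                                  ciphers=[0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f],
                                  groups=[0x0a0a, 0x001d, 0x0017],
                                  versions=[0x0a0a, 0x0304, 0x0303])

def fingerprint(record=SAMPLE_HELLO):
    """Summarise one ClientHello: requested host, real maximum version, JA3 string and digest."""
    info = parse_client_hello(record)
    ja3_str, ja3_md5 = ja3(info)
    return {"sni": info["sni"], "max_version": highest_offered_version(info),
            "ja3": ja3_str, "ja3_md5": ja3_md5}

if __name__ == "__main__":
    print(fingerprint())
```

The JA3 digest on its own only says "this looks like client X"; the SNI is client-asserted and can be anything, which is why the server certificate obtained by TLS Server Identity Discovery, not the SNI, is what the access control rules match on. A detection engine combines the fingerprint with destination reputation and behavioural features rather than blocking on the hash alone.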
Talos Threat Intelligence
Cisco Talos Threat Intelligence bolsters the capacity to detect and intercept nefarious traffic in Cisco Secure Firewall by furnishing exhaustive, real-time threat intelligence. Talos, a prominent commercial threat intelligence unit, provides regular actionable insights to Cisco customers.
This intelligence is integrated directly into Cisco Secure Firewall, enabling faster threat containment and greater visibility. Talos maintains the official rulesets for Snort.org and ClamAV.net, which the firewall's intrusion detection and prevention systems use. Drawing on telemetry from millions of devices, Talos produces precise threat intelligence that helps identify and block both known and emerging threats. This integration lets Cisco Secure Firewall block threats, vulnerabilities, and exploits before they take hold, improving the overall security posture.
Decryptable Traffic Inspection
Although encrypted traffic can be analysed through metadata such as packet size, timing, and destination patterns, decryption remains indispensable. Encrypted traffic analysis can surface certain irregularities, but it has no visibility into the actual content of the communication, which is needed to detect embedded threats such as malware and unauthorized data transfers.
Decryption facilitates exhaustive content inspection, essential for advanced threat identification and data loss prevention (DLP) solutions. It also aids organizations in meeting compliance directives necessitating thorough traffic analysis to safeguard sensitive data. Therefore, while encrypted traffic analysis furnishes valuable insights, decryption constitutes a pivotal component of a robust security strategy, enabling profound packet inspection and ensuring comprehensive defense against sophisticated cyber threats.
Cisco Secure Firewall offers diverse decryption capabilities to ensure comprehensive security monitoring and threat protection:
| Decryption Policy Action | Description | Use Cases |
|---|---|---|
| Decrypt – Resign | Decrypts and examines outbound SSL/TLS traffic before re-encrypting it with the firewall’s certificate. | Utilized for scrutinizing outbound traffic to detect threats. |
| Decrypt – Known Key | Decrypts inbound traffic using a known private key for internal servers, scrutinizes it, and forwards it to the server. | Deployed for inspecting traffic to internal servers with predetermined keys. |
| Do Not Decrypt | Preserves traffic in an encrypted state without content inspection. | Designated for traffic requiring confidentiality and privacy owing to safety standards or regulatory requirements; also used to bypass decryption for applications that cannot be decrypted and for excepted distinguished names. |
Decrypt – Resign
The Decrypt – Resign action of Cisco Secure Firewall operates as an intermediary, intercepting and inspecting the encrypted flow. It establishes separate secure connections with the user and with the destination server, examining each part of the SSL/TLS exchange. The client is presented with a certificate signed by the Firewall's CA, which the client must trust for the connection to succeed. This lets the Firewall decrypt, inspect, and re-encrypt the data for security evaluation.
Decrypt – Known Key
With the known key decryption technique, the Firewall uses a pre-installed private key to decrypt traffic destined for a specific server. The organization must own the server's domain, certificate, and private key. Using this key, the Firewall directly decrypts the ciphertext so it can be inspected for security risks. Unlike the re-sign approach, this method does not require presenting a Firewall CA certificate to the user.
Do Not Decrypt
A "do not decrypt" rule in a decryption policy ensures that the designated encrypted traffic is neither decrypted nor content-inspected by the Firewall. That traffic is still evaluated against the access control policy, which decides whether it is allowed or denied. Such rules preserve confidentiality, improve performance, and maintain compatibility with applications or compliance requirements that do not tolerate decryption.
Block Rules
A block rule in a decryption policy halts encrypted connections that present a security hazard. It stops the flow and sends a reset to both ends, promptly terminating the connection and informing both parties that it has ended. This allows potentially malicious encrypted traffic to be dealt with quickly. It also strengthens security by refusing connections that use outdated or expired certificates, invalid signatures, and similar defects.
Cisco Secure Firewall's decryption policy provides a range of rule filters for precise control and handling of encrypted traffic. These filters let organizations define which traffic should be decrypted and inspected. Common rule filter types include:
| Rule Filter Type | Description | User Advantages |
|---|---|---|
| Uniform Resource Locators (URLs) | Applies decryption rules based on the requested URL or URL category. | Intensifies security by targeting risky websites and enhances compliance by regulating web access. |
| Applications | Unravels traffic according to application classification. | Provides precise control to spotlight high-risk applications, boosting security and resource management. |
| Source and Destination | Applies decryption rules based on source and destination IP addresses or networks. | Reinforces security by pinpointing specific network sectors and prioritizing crucial traffic for assessment. |
| Users and User Categories | Focuses decryption directives on particular users or user clusters. | Backs policy enforcement and compliance by enforcing regulations on specific user profiles or departments. |
| Port and Protocol | Specifies decryption actions according to distinct ports and protocols. | Optimizes network performance by selectively decrypting traffic, curtailing unnecessary decryption overhead. |
| Certificates | Applies decryption rules based on the server certificate presented. | Ensures trust and security by solely permitting decryption for verified and trusted certificate holders. |
| Zones | Imposes decryption rules based on the security zones of the traffic. | Harmonizes with network division strategies, delivering tailored security protocols for diverse trust tiers. |
| Distinguished Name (DN) | Employs the Subject DN and Issuer DN to enact regulations founded on organizational particulars. | Fortifies security and compliance by pinpointing specific entities or reputable certificate authorities. |
| Certificate Status | Applies decryption rules based on certificate validity, such as expired or invalid certificates. | Enhances security by guaranteeing that solely current and valid certificates are decrypted. |
| VLAN Tags | Enacts decryption regulations based on VLAN tags, aligning protocols with particular network segments. | Backs efficient network management and performance by harmonizing decryption with network segmentation. |
The Decryption Policy Wizard, introduced in the 7.3 and 7.6 releases, simplifies decryption policy configuration and automatically adds bypass rules for specific outbound traffic, streamlining the process.
In 7.6, the policy wizard can automatically append Do Not Decrypt rules that skip decryption for undecryptable distinguished names, sensitive URL categories, and undecryptable applications.

By employing TLS/SSL policies in Cisco Secure Firewall, enterprises can strengthen their security posture by blocking server connections that use obsolete TLS/SSL versions or vulnerable cipher suites. This is pivotal in closing off weaknesses tied to outdated encryption settings that would otherwise leave systems more exposed to breaches.
By enforcing strict encryption standards, these policies help ensure that communications follow recognized best practices for data protection. The same approach supports compliance with industry standards that mandate strong encryption.
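The decryption policy actions (Decrypt – Resign, Decrypt – Known Key, Do Not Decrypt, Block), the rule filters table, and the version/cipher enforcement just described all come down to an ordered rule base evaluated first-match against attributes of each TLS flow. The following is an added example written for this article, not Cisco configuration or code: a small policy evaluator over a constructed flow record whose fields (negotiated version and cipher, certificate status, issuer DN, URL category, a "pinned application" flag) are assumed to have been populated by the inspection engine. The category names, issuer DN, internal address range and cipher lists are placeholders; the cipher suite code points are real IANA values. Rule order is deliberate: block rules come first, bypass rules next, and the two decrypt actions last, so that a flow that should never be decrypted is never reached by a decrypt rule.

```python
"""Ordered decryption-policy evaluation for TLS flows (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TLS12 = 0x0303

# Constructed policy data: an organisation would substitute its own lists.
WEAK_CIPHERS = {0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x000a}   # NULL, export RC4, RC4, 3DES
BAD_CERT_STATUS = {"expired", "not_yet_valid", "invalid_signature"}
SENSITIVE_URL_CATEGORIES = {"Financial Services", "Health and Medicine"}
BYPASS_ISSUER_DNS = {"CN=Example Corp Internal Issuing CA, O=Example Corp"}
KNOWN_KEY_SERVERS = [ip_network("10.20.30.0/24")]   # internal servers whose private key the firewall holds

@dataclass
class TlsFlow:
    sni: str
    dst_ip: str
    direction: str             # "outbound" (client inside) or "inbound" (server inside)
    version: int               # negotiated protocol version, e.g. 0x0303
    cipher: int                # negotiated cipher suite id
    cert_status: str = "valid" # as reported by certificate validation
    issuer_dn: str = ""
    url_category: str = ""
    pinned_app: bool = False   # application known to break under resigning (certificate pinning)

def _known_key_target(f):
    return f.direction == "inbound" and any(ip_address(f.dst_ip) in net for net in KNOWN_KEY_SERVERS)

# Ordered rule base: first matching predicate wins. Blocks before bypasses before decrypts.
RULES = [
    ("block-obsolete-version",    lambda f: f.version < TLS12,                      "Block"),
    ("block-weak-cipher",         lambda f: f.cipher in WEAK_CIPHERS,               "Block"),
    ("block-bad-certificate",     lambda f: f.cert_status in BAD_CERT_STATUS,       "Block"),
    ("bypass-sensitive-category", lambda f: f.url_category in SENSITIVE_URL_CATEGORIES, "Do Not Decrypt"),
    ("bypass-undecryptable-app",  lambda f: f.pinned_app,                           "Do Not Decrypt"),
    ("bypass-trusted-issuer",     lambda f: f.issuer_dn in BYPASS_ISSUER_DNS,       "Do Not Decrypt"),
    ("inbound-known-key",         _known_key_target,                                "Decrypt-Known Key"),
    ("outbound-resign",           lambda f: f.direction == "outbound",              "Decrypt-Resign"),
]

def evaluate(flow):
    """Return (action, rule name) for one flow; unmatched inbound traffic cannot be resigned."""
    for name, predicate, action in RULES:
        if predicate(flow):
            return action, name
    return "Do Not Decrypt", "default"

# Constructed sample flows covering each branch of the rule base.
SAMPLE_FLOWS = [
    TlsFlow("example.com", "203.0.113.10", "outbound", 0x0303, 0xc02f),
    TlsFlow("legacy.example.net", "203.0.113.11", "outbound", 0x0301, 0x002f),
    TlsFlow("strong-version-weak-cipher.example", "203.0.113.15", "outbound", 0x0303, 0x0005),
    TlsFlow("old-cert.example.com", "203.0.113.13", "outbound", 0x0303, 0xc02f, cert_status="expired"),
    TlsFlow("bank.example.org", "203.0.113.12", "outbound", 0x0304, 0x1301, url_category="Financial Services"),
    TlsFlow("update.example.com", "203.0.113.14", "outbound", 0x0303, 0xc02f, pinned_app=True),
    TlsFlow("app.example.com", "10.20.30.5", "inbound", 0x0303, 0xc030),
    TlsFlow("portal.example.com", "10.99.0.1", "inbound", 0x0303, 0xc030),
]

def decide_all(flows=SAMPLE_FLOWS):
    """Map each flow's SNI to the (action, rule) the policy selects."""
    return {f.sni: evaluate(f) for f in flows}

if __name__ == "__main__":
    for sni, (action, rule) in decide_all().items():
        print(f"{sni:45} {action:18} ({rule})")
```

Two details are worth noting. The "portal.example.com" flow is inbound to a server whose key the firewall does not hold, so it falls through to the default: without the private key there is nothing to do but pass it encrypted, which is exactly why Decrypt – Known Key requires the organization to own the server's certificate and key. And the cipher check uses the negotiated suite rather than the client's offered list, because a modern client may still advertise a legacy suite for compatibility; what matters is what the server actually selected.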
Wrap-Up
As encryption becomes indispensable in securing web traffic, organizations encounter the dual task of securing data while efficiently identifying and mitigating sophisticated cyber threats. Cisco Secure Firewall offers a comprehensive solution by amalgamating advanced TLS decryption capabilities and threat intelligence, assuring both security and compliance.
By leveraging functionalities like TLS Server Identity Discovery and the Encrypted Visibility Engine alongside comprehensive decryption policies, Cisco empowers organizations to sustain robust security postures without compromising efficacy. Ultimately, adopting such sophisticated measures is indispensable to shield against increasingly complex cyber threats in an evolving digital environment.
