Inline TLS/SSL Decryption
Note: In this section, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) mean the same thing. The terms are used interchangeably.
Before you proceed, make sure you understand the TLS/SSL Terminology and Acronyms.
Inline TLS/SSL decryption gives your security tools access to encrypted traffic. It works by decrypting packets and sending them to tools that are placed either inline (directly in the data path) or out-of-band (off the path). These tools then scan the decrypted traffic for threats, such as viruses and malware.
Unlike passive decryption, which only sends decrypted traffic to out-of-band tools that can alert but not act, inline decryption enables tools to take immediate action on threats.
Why Decrypt TLS/SSL Traffic
Most Internet traffic is now encrypted using SSL or TLS. While encryption protects data, it also makes it harder to inspect packets for threats. As a result, malware and other attacks often conceal themselves within encrypted traffic. Without decryption, these threats go unseen.
By decrypting TLS/SSL traffic:
■ You can detect hidden threats across any port or application (e.g., HTTPS, email, VoIP).
■ You reduce risk and gain visibility into encrypted sessions within your network.
Inline vs. Passive Decryption
Inline TLS/SSL decryption is active. It enables tools to inspect traffic in real time and take action when a threat is detected. This is different from passive decryption, such as the existing GigaSMART SSL/TLS solution. Passive decryption only sends traffic to tools out-of-band. These tools can detect threats and alert users, but they cannot stop threats directly.
Inline decryption does more. It offloads the complex decryption task so tools can focus on detecting and stopping threats faster and more effectively.
How Inline TLS/SSL Decryption Works
Inline TLS/SSL decryption performs the following key functions:
■ Detects encrypted traffic across any port in your network.
■ Intercepts encrypted flows between clients and servers.
■ Filters traffic by policy, allowing sensitive flows (e.g., healthcare or financial data) to bypass decryption.
■ Decrypts packets at a single, centralized point.
■ Forwards decrypted data to one or more tools for inspection. These tools can be inline or out-of-band.
■ Takes action on threats:
    o Tools can modify traffic (e.g., remove malware) or terminate sessions.
    o If modified, GigaSMART re-encrypts the packets.
    o If the session is terminated, GigaSMART ends the connection between client and server.
■ Re-encrypts traffic after inspection and sends it back into the network.
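As an added illustration of the detection and policy-filter steps above (example code, not GigaSMART's own implementation), the Python below recognizes a TLS ClientHello by its content rather than its TCP port, extracts the SNI hostname, and decides whether the session should bypass decryption. The bypass suffixes and the ClientHello builder are constructed for this example.

```python
import struct

# Constructed policy: SNI suffixes whose sessions bypass decryption (e.g. healthcare
# or financial portals). Placeholder names, not real hosts.
BYPASS_SUFFIXES = ("health.example", "bank.example")

def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS ClientHello record with one SNI extension (sample input only)."""
    name = sni.encode("ascii")
    name_list = b"\x00" + struct.pack("!H", len(name)) + name          # type 0 = host_name
    sni_ext = (struct.pack("!HH", 0, len(name_list) + 2)              # ext type 0 = server_name
               + struct.pack("!H", len(name_list)) + name_list)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                         # version, random, no session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                       # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data: bytes):
    """Return the SNI from a ClientHello record, or None; detection is by content, not port."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:                        # handshake record, ClientHello
            return None
        pos = 44 + data[43]                                           # skip headers, version, random, session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]          # skip cipher suites
        pos += 1 + data[pos]                                          # skip compression methods
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if ext_type == 0 and data[pos + 2] == 0:                  # server_name list, host_name entry
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def decryption_decision(data: bytes) -> str:
    """'not-tls' if no ClientHello is found, 'bypass' if the SNI matches policy, else 'decrypt'."""
    sni = extract_sni(data)
    if sni is None:
        return "not-tls"
    for suffix in BYPASS_SUFFIXES:
        if sni == suffix or sni.endswith("." + suffix):
            return "bypass"
    return "decrypt"
```

For instance, `decryption_decision(build_client_hello("portal.health.example"))` returns `"bypass"`, while a plain HTTP request body returns `"not-tls"` regardless of the port it arrived on.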
Privacy and Sensitive Data Handling
Decrypted traffic may expose sensitive information, such as:
■ Usernames and passwords in email
■ Social security numbers in financial records
To protect user privacy and meet compliance standards, you can define policies that exclude certain traffic from decryption. This helps align with acceptable use, legal, and regulatory requirements.
What Applications Use TLS/SSL
Many applications, such as email, websites, and voice over IP (VoIP) calls, use TLS/SSL to secure data. Encryption ensures that sensitive data stays private while traveling over the Internet. But when data is encrypted, network tools cannot inspect it. This creates blind spots where threats can hide.
Decrypting this traffic removes those blind spots. It allows your tools to inspect data on any port or application, such as HTTPS (port 443), email, web, VoIP, FTPS, SMTP, IMAP, and POP3 (via STARTTLS).