Inline TLS/SSL Decryption
Note: In this section, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) mean the same thing. The terms are used interchangeably.
Before you proceed, make sure you understand the TLS/SSL Terminology and Acronyms.
Inline TLS/SSL decryption gives your security tools access to encrypted traffic. It works by decrypting packets and sending them to tools that are placed either inline (directly in the data path) or out-of-band (off the path). These tools then scan the decrypted traffic for threats, such as viruses and malware.
Unlike passive decryption, which only sends decrypted traffic to out-of-band tools that can alert but not act, inline decryption enables tools to take immediate action on threats.
Why Decrypt TLS/SSL Traffic
Most Internet traffic is now encrypted using SSL or TLS. While encryption protects data, it also makes it harder to inspect packets for threats. As a result, malware and other attacks often conceal themselves within encrypted traffic. Without decryption, these threats go unseen.
By decrypting TLS/SSL traffic:
■ You can detect hidden threats across any port or application (e.g., HTTPS, email, VoIP).
■ You reduce risk and gain visibility into encrypted sessions within your network.
Inline vs. Passive Decryption
Inline TLS/SSL decryption is active. It enables tools to inspect traffic in real-time and take action when a threat is detected. This is different from passive decryption, such as the existing GigaSMART SSL/TLS solution. Passive decryption only sends traffic to tools out-of-band. These tools can detect threats and alert users, but cannot stop threats directly.
Inline decryption does more. It offloads the complex decryption task so tools can focus on detecting and stopping threats faster and more effectively.
How Inline TLS/SSL Decryption Works
Inline TLS/SSL decryption performs the following key functions:
■ Detects encrypted traffic across any port in your network.
■ Intercepts encrypted flows between clients and servers.
■ Filters traffic by policy, allowing sensitive flows (e.g., healthcare or financial data) to bypass decryption.
■ Decrypts packets at a single, centralized point.
■ Forwards decrypted data to one or more tools for inspection. These tools can be inline or out-of-band.
■ Takes action on threats:
  o Tools can modify traffic (e.g., remove malware) or terminate sessions.
  o If modified, GigaSMART re-encrypts the packets.
  o If the session is terminated, GigaSMART ends the connection between client and server.
■ Re-encrypts traffic after inspection and sends it back into the network.
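The first and third functions above (detecting TLS on any port, and a policy that lets named flows bypass decryption) can be shown in code. The following Go program is an added example, not Gigamon code: it recognises a TLS ClientHello by its record and handshake headers rather than by port number, extracts the server_name (SNI) extension with every length field bounds-checked, and returns a per-flow verdict of "not-tls", "bypass" or "decrypt". The bypass domain list and the sample ClientHello it builds are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Hostnames (and their subdomains) excluded from decryption: constructed example values.
var bypassDomains = []string{"healthcare.example", "bank.example"}

func be(b []byte, i int) int { return int(binary.BigEndian.Uint16(b[i:])) }
func be16(b []byte, v int) []byte { return append(b, byte(v>>8), byte(v)) }

// isClientHello detects TLS from the headers, not the port: record type 0x16, version 0x03xx, handshake type 0x01.
func isClientHello(b []byte) bool {
	return len(b) >= 6 && b[0] == 0x16 && b[1] == 0x03 && b[5] == 0x01
}

// sniFromClientHello walks to the server_name extension (type 0). Every length is
// bounds-checked so a truncated or crafted hello fails instead of misparsing; "" means no SNI.
func sniFromClientHello(b []byte) (string, error) {
	if !isClientHello(b) || len(b) < 5+be(b, 3) {
		return "", errors.New("not a complete TLS ClientHello record")
	}
	hs, p := b[5:5+be(b, 3)], 4+2+32 // past handshake header, client_version, random
	skip := func(w int) bool {        // skip a w-byte length field and the bytes it counts
		if p+w > len(hs) {
			return false
		}
		p += w + be(append([]byte{0}, hs[p:p+w]...), w-1) // length field, zero-padded to 2 bytes
		return p <= len(hs)
	}
	if !skip(1) || !skip(2) || !skip(1) { // session_id, cipher_suites, compression_methods
		return "", errors.New("malformed ClientHello")
	}
	if p+2 > len(hs) { // no extensions block at all: legal, and no SNI
		return "", nil
	}
	p, end := p+2, p+2+be(hs, p)
	if end > len(hs) {
		return "", errors.New("malformed ClientHello")
	}
	for p+4 <= end {
		typ, l := be(hs, p), be(hs, p+2)
		if p += 4; p+l > end {
			return "", errors.New("malformed ClientHello")
		}
		if typ == 0 { // server_name: list_len(2) name_type(1)=0 name_len(2) name
			ext := hs[p : p+l]
			if len(ext) < 5 || ext[2] != 0 || len(ext) < 5+be(ext, 3) {
				return "", errors.New("malformed server_name extension")
			}
			return string(ext[5 : 5+be(ext, 3)]), nil
		}
		p += l
	}
	return "", nil
}

// matchesBypass matches on label boundaries: "evil-bank.example" must not match "bank.example".
func matchesBypass(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, d := range bypassDomains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// decide runs on the first bytes a client sends and returns the verdict and the SNI seen.
func decide(first []byte) (string, string) {
	if !isClientHello(first) {
		return "not-tls", ""
	}
	sni, err := sniFromClientHello(first)
	if err == nil && matchesBypass(sni) {
		return "bypass", sni
	}
	return "decrypt", sni // no usable SNI matches no bypass rule, so the flow is inspected
}

// buildClientHello constructs a minimal ClientHello with one SNI (constructed sample input).
func buildClientHello(host string) []byte {
	name := []byte(host) // extension: type 0, ext_len, list_len, name_type 0, name_len, name
	sni := append(be16(append(be16(be16([]byte{0, 0}, 5+len(name)), 3+len(name)), 0), len(name)), name...)
	body := append([]byte{3, 3}, make([]byte, 32)...) // client_version, random
	body = append(body, 0, 0, 2, 0x13, 0x01, 1, 0)    // no session_id, one cipher suite, null compression
	body = append(be16(body, len(sni)), sni...)       // extensions_len, extensions
	hs := append([]byte{1, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append(be16([]byte{0x16, 3, 1}, len(hs)), hs...) // record header: handshake, version, length
}

func main() { fmt.Println(decide(buildClientHello("portal.healthcare.example"))) }
```

Two points the code makes that the list above does not: the bypass match must respect label boundaries, otherwise a host such as evil-bank.example inherits the privacy exemption of bank.example; and the SNI is sent by the client in clear text and is not authenticated, so a deployment that bypasses on SNI alone lets a client claim an exempt name to escape inspection, and should corroborate the name against the server certificate it validates.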
Mutual TLS (mTLS) with Inline TLS/SSL Decryption
Mutual TLS (mTLS) is an extension of TLS/SSL in which both the client and the server present and validate certificates during the TLS handshake. This creates a two‑way trust relationship: the client verifies that it is talking to the expected server, and the server verifies that it is talking to an authenticated client.
In a standard Inline TLS/SSL deployment, Gigamon validates the server certificate and optionally enforces certificate/revocation policies before re‑signing the server certificate and forwarding decrypted traffic to inline tools for inspection. With mTLS support, Gigamon can additionally:
■ Validate client certificates presented to the server.
■ Enforce client‑authentication policies (for example, drop connections with unknown or self‑signed client certificates).
■ Offload the client‑auth handshake to the inline TLS/SSL solution so attached tools can focus on inspection rather than certificate processing.
In an inbound deployment with mTLS enabled, the high‑level flow is as follows:
1. The client initiates a TLS connection to the protected server.
2. The GigaVUE node, acting as a Man‑in‑the‑Middle (MitM), terminates the client‑side TLS session and validates the server certificate as in a regular inbound deployment.
3. When the server requests a client certificate, the client sends its certificate to the GigaVUE node.
4. The GigaVUE node validates the client certificate chain against a client trust store and applies the client‑auth policy (expired, self‑signed, unknown CA, revocation status, and so on).
5. If the client is accepted, Gigamon completes the mTLS handshake on both sides, decrypts the traffic, and forwards clear‑text packets to inline tools for inspection.
6. After inspection, Gigamon re‑encrypts traffic and forwards it to the server, maintaining the mTLS session semantics on the wire.
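Step 4 is the decision that matters for security, so here it is as an added Go example (not Gigamon's implementation): a client trust store holding one corporate client CA, certificates for an accepted client, an expired client, a self-signed client and a client issued by a CA outside the store, and a policy function that chains the presented certificate to the store with the standard library's x509 verifier and names the reason for each rejection. All keys and certificates are generated in memory and are constructed test material; the revoked map is a stand-in for the CRL/OCSP lookup the page calls "revocation status", because x509.Verify performs no revocation checking of its own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // serial numbers for the constructed certificates

// issue mints a certificate for cn, signed by parent/parentKey, or self-signed when
// parent is nil. Keys are generated in memory: constructed test material only.
func issue(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// isSelfSigned: issuer equals subject and the certificate verifies under its own key.
func isSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// clientAuthVerdict is the client-auth policy step: chain the presented certificate
// to the client trust store, classify any failure, then check revocation. The
// revoked map stands in for a CRL/OCSP lookup (x509.Verify does none itself).
func clientAuthVerdict(leaf *x509.Certificate, trust *x509.CertPool, revoked map[string]bool) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trust,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	switch e := err.(type) {
	case nil: // chain built and is valid now; revocation is checked below
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "reject: expired"
		}
		return "reject: invalid certificate"
	case x509.UnknownAuthorityError:
		if isSelfSigned(leaf) {
			return "reject: self-signed"
		}
		return "reject: unknown CA"
	default:
		return "reject: " + err.Error()
	}
	if revoked[leaf.SerialNumber.String()] {
		return "reject: revoked"
	}
	return "accept"
}

func main() {
	ca, caKey := issue("Corp Client CA", true, time.Now().Add(24*time.Hour), nil, nil)
	trust := x509.NewCertPool()
	trust.AddCert(ca)
	alice, _ := issue("alice", false, time.Now().Add(time.Hour), ca, caKey)
	mallory, _ := issue("mallory", false, time.Now().Add(time.Hour), nil, nil)
	fmt.Println("alice:", clientAuthVerdict(alice, trust, nil))
	fmt.Println("mallory:", clientAuthVerdict(mallory, trust, nil))
}
```

Note the ordering: the verifier checks validity dates before it looks for an issuer, so an expired certificate from a trusted CA is reported as expired rather than unknown, and revocation is only consulted once the chain is good. A deployment that accepts any certificate the verifier cannot chain (for example to "fail open" during a trust-store outage) defeats the client-authentication policy entirely; the verdicts here fail closed.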
Note: Mutual TLS (mTLS) functionality is now supported only for Inbound and Hybrid Inline TLS/SSL Decryption in Flexible Inline deployments. Outbound deployments continue to use one‑way TLS/SSL decryption without client authentication.
Mutual TLS Inline TLS/SSL Decryption is supported on the GigaVUE-HC Series Gen3 platforms used for Inline TLS/SSL decryption: GigaVUE‑HC1 Gen3, GigaVUE‑HC3 Gen3, and GigaVUE‑HC1‑Plus.
The following feature combinations are not supported with Mutual TLS Inline TLS/SSL Decryption:
- Inline TLS/SSL L3 Tool NAT/PAT Support
- Entrust nShield and Thales Luna HSM for iSSL
- Post‑quantum client authentication using PQC certificates (PQC cipher support is limited to server side).
- One‑Arm mode and Tool Early Engage.
- Tool Early Inspect.
- Inline TLS/SSL deployments with ICAP.
Privacy and Sensitive Data Handling
Decrypted traffic may expose sensitive information, such as:
■ Usernames and passwords in email
■ Social security numbers in financial records
To protect user privacy and meet compliance standards, you can define policies that exclude certain traffic from decryption. This helps align with acceptable use, legal, and regulatory requirements.
What Applications Use TLS/SSL
Many applications such as email, websites, and voice calls over IP (VoIP), use TLS/SSL to secure data. Encryption ensures that sensitive data stays private while traveling over the Internet. But when data is encrypted, network tools cannot inspect it. This creates blind spots where threats can hide.
Decrypting this traffic removes those blind spots. It allows your tools to inspect data on any port or application, such as HTTPS (port 443), VoIP, FTPS, and the email protocols SMTP, IMAP, and POP3 (via STARTTLS).