About Inline TLS/SSL Decryption
This section introduces inline TLS/SSL decryption.
Inline TLS/SSL decryption provides the following:
Identifies/detects encrypted traffic flows (TLS/SSL traffic) in a network across any port. |
Intercepts encrypted traffic flows between a client and a server. |
Filters encrypted traffic flows based on policy. For example, if the encrypted traffic flows contain health care or financial information, let those flows bypass decryption. |
Decrypts packets. Inline TLS/SSL decryption decrypts packets once at a single decryption point. |
Delivers decrypted traffic flows to multiple security tools. The tools can be inline or out-of-band. The tools can detect threats such as malware in the decrypted traffic flows. |
Re-encrypts traffic flows after receiving them back from the inline tools. |
If a tool acts on traffic flows based on the threats it finds, when malware is found in the decrypted traffic flows, the tool can: |
modify the traffic flows |
terminate the connection |
If the tool modifies the packets, GigaSMART will re-encrypt them. If the tool terminates the connection, GigaSMART will terminate the connection between the client and the server. |
When TLS/SSL traffic is decrypted, sensitive data will be exposed in the connected tools. For example, if email traffic is decrypted, user passwords might be exposed or if financial data is decrypted, social security numbers might be exposed in the decrypted traffic.
Because TLS/SSL connections might carry sensitive data, not all connections should be inspected. Some of the TLS/SSL connections carrying user data such as financial or medical information should be bypassed without inspection, based on a configured policy.
Inline TLS/SSL decryption addresses acceptable use policies and adheres to privacy and compliance requirements. It offers advanced controls to select the traffic to decrypt.
Inline TLS/SSL supports the following applications:
- HTTPS
- FTPS
- StartTLS can be used to decrypt SMTP, IMAP, and POP3 (refer to StartTLS and HTTP CONNECT.
This following list describes important caveats and limitations of working with Inline TLS/SSL:
- Clustering is not supported with inline TLS/SSL.
-
IPV6 traffic decryption is supported only for GEN 3 cards. Refer to the GigaVUE-HC1 Hardware Installation Guide and GigaVUE-HC3 Hardware Installation Guide for the list of GEN 3 card numbers.
-
IPV6 traffic decryption is not supported for the One-Arm mode.
- Gigamon Resiliency for Inline Protection (GRIP) support with inline TLS/SSL can be referred through the validated design Active Standby Resilient Inline SSL Solution using GRIP (5.10.01).
- Resilient Inline Arrangements (RIA) configurations is supported with inline SSL for asymmetric traffic visibility with TLS/SSL Decryption.
Note: Inline SSL is not supported in clusters nor on any nodes that are part of a cluster. Do not attempt to enable inline SSL on individual nodes that are part of a cluster or have inline networks and inline tools distributed among various nodes in a cluster.
Inline TLS/SSL decryption supports modern cryptographic algorithms. It supports the commonly-supported TLS 1.2 and TLS 1.3 ciphers.
Combining the following ciphers, MACs, and Key Exchange Algorithms results in many cipher suites:
Ciphers: AES_128_CBC, AES_128_GCM, AES_256_GCM, AES_256_CBC, Camellia, Chacha20 |
MAC: SHA, SHA256, SHA384, Poly1305 |
Key Exchange Algorithms: RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA. |
Cipher Name |
Encryption (Enc) |
MAC |
TLS_AES_256_GCM_SHA384 |
AES_ 256_GCM |
SHA384 |
TLS_CHACHA20_POLY1305_SHA256 |
CHACHA20_POLY1305 |
SHA256 |
TLS_AES_128_GCM_SHA256 |
AES_128_GCM |
SHA256 |
Cipher Name |
Key Exchange (Kx) |
Authentication(Au) |
Encryption (Enc) |
MAC |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | DHE | RSA | AES128_CBC | SHA |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DHE | RSA | AES256_CBC | SHA |
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA | DHE | RSA | CAMELLIA128 | SHA |
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | RSA | RSA | CAMELLIA128 | SHA |
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | RSA | RSA | CAMELLIA256 | SHA |
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA | DHE | RSA | CAMELLIA256 | SHA |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | DHE | RSA | AES128_CBC | SHA256 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | DHE | RSA | AES256_CBC | SHA256 |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DHE | RSA | AES128_GCM | SHA256 |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE | RSA | AES256_GCM | SHA384 |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | ECDHE | RSA | CHACAH20 | POLY1305 |
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | ECDHE | ECDSA | CHACAH20 | POLY1305 |
TLS_DHE_RSA_WITH_CHACHA20_POLY1305 | DHE | RSA | CHACAH20 | POLY1305 |
TLS_RSA_WITH_AES_128_CBC_SHA | RSA | RSA | AES128_CBC | SHA |
TLS_RSA_WITH_AES_256_CBC_SHA | RSA | RSA | AES256_CBC | SHA |
TLS_RSA_WITH_AES_128_CBC_SHA256 | RSA | RSA | AES128_CBC | SHA256 |
TLS_RSA_WITH_AES_256_CBC_SHA256 | RSA | RSA | AES256_CBC | SHA256 |
TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA | RSA | AES128_GCM | SHA256 |
TLS_RSA_WITH_AES_256_GCM_SHA384 | RSA | RSA | AES256_GCM | SHA384 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE | ECDSA | AES128_CBC | SHA |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE | ECDSA | AES256_CBC | SHA |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE | RSA | AES128_CBC | SHA |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE | RSA | AES256_CBC | SHA |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE | ECDSA | AES128_CBC | SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ECDHE | ECDSA | AES256_CBC | SHA384 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE | RSA | AES128_CBC | SHA256 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDHE | RSA | AES256_CBC | SHA384 |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE | ECDSA | AES128_GCM | SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE | ECDSA | AES256_GCM | SHA384 |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE | RSA | AES128_GCM | SHA256 |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE | RSA | AES256_GCM | SHA384 |
Diffie Hellman Ephemeral (DHE) is a key exchange protocol.
Inline TLS/SSL decryption supports key cipher suites and exchanges without downgrading cryptography levels of the organization.
Ciphersuites are a standard combination of the following:
bulk encryption algorithm—Specifies how to encrypt communications, including the algorithm, key size, and the cryptographic mode used. For example, AES_128_CBC is AES with 128-bit keys in Cipher Block Chaining mode. |
key exchange algorithm—Specifies how both sides authenticate each other during the TLS/SSL handshake. For example, RSA. |
message authentication code (MAC)—Specifies the hash algorithm used to verify that communications have not been tampered with. For example, SHA. |
pseudorandom function—Specifies how a 384-bit master secret, which is used as a source of randomness for session keys, is generated. |
Note
- TLS/SSL transactions with unsupported ciphers will be bypassed/TCP proxied.
- The new TLS1.3 cipher suites are defined differently and do not specify the certificate types (RSA/DSA/ECDSA) or the key exchange mechanism (DHE/ECHDE).
- The Inline TLS/SSL session is now equipped to receive a client hello with the key exchange X25519Kyber768 and now fall back to using just X25519. This ensures the system maintains secure and functional connections, even if it cannot use the newer, quantum-resistant algorithm now.
The following key sizes are supported:
RSA—2048, 3072, 4096, 8192 |
DH—1024, 2048, 4096 |
ECC—prime256v1, ecsecp256r1, ecsecp384r1, ecsecp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, secp256r1, secp384r1, secp521r1, brainpoolP256r1, brainpoolP384r1, brainpool512r1, X25519, X448 |
The following TLS extension is supported:
RFC7301—Application-Layer Protocol Negotiation (ALPN) |
Refer to the following sections for additional details: