NSA Issues Advisory on Mitigation of Risks Associated With TLSI

The U.S. National Security Agency (NSA) has published an advisory to provide information on possible mitigations for risks associated with Transport Layer Security Inspection (TLSI).


Also known as TLS break and inspect, TLSI is a mechanism that allows for the inspection of encrypted traffic within a network and involves the decryption of that traffic, inspection of contents, and re-encryption.


TLSI is usually performed by a proxy device that exposes the underlying plaintext of a TLS session so that firewalls and intrusion detection/prevention systems (IDS/IPS) can look for indicators of threat or compromise. Legacy Secure Sockets Layer (SSL) traffic is inspected the same way.


According to the NSA’s advisory (PDF), one of the risks associated with TLSI is improper control and external processing of the decrypted traffic, particularly when the inspecting device is a forward proxy or sits near the enterprise boundary.


A forward proxy is a device that intercepts requests from internal network clients and forwards them to external servers. It also receives responses from those servers and sends them to internal network clients.


In a forward proxy deployment, the TLSI mechanism manages the forward-proxy traffic flows, terminates the client’s TLS session and establishes its own session to the external server, and issues the certificates that internal clients trust for the intercepted connections. It can thus shield enterprise clients from the high-risk environment outside the forward proxy.


However, the forward proxy could misroute the decrypted traffic, exposing it to unauthorized or weakly protected networks, the NSA advisory says.


Deploying firewalls and monitoring network traffic flows can protect the TLSI implementation from potential exploits, and running analytics on the proxy’s logs confirms that the system is operating as expected. These same mitigations can also detect abuse by security administrators and misrouted traffic.
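As an added illustration of the log analytics the advisory recommends (this is example code written for this page, not something from the NSA advisory or from any particular proxy vendor), the script below audits a small, constructed TLSI proxy log. The key=value log format, the field names, the approved egress list and the approved admin list are all assumptions; real proxies log differently. It raises two kinds of finding that map to the risks above: decrypted plaintext forwarded through an egress path other than the approved one (misrouting), and an export of decrypted captures by an administrator who is not on the approved list (admin abuse).

```python
"""Audit constructed TLSI proxy logs for misrouted plaintext and admin abuse.

Log format (constructed for this example): one session or admin action per
line, space-separated key=value fields, values without spaces.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample log: two decrypted sessions, one passthrough session,
# and two capture exports by administrators.
SAMPLE_LOG = """\
ts=2019-11-19T10:01:02Z action=session client=10.1.5.23 dest=www.example.com dest_ip=93.184.216.34 decrypted=yes egress=eth1 next_hop=203.0.113.1
ts=2019-11-19T10:01:05Z action=session client=10.1.5.23 dest=mail.example.org dest_ip=198.51.100.7 decrypted=yes egress=eth2 next_hop=192.0.2.254
ts=2019-11-19T10:02:10Z action=session client=10.1.7.9 dest=cdn.example.net dest_ip=203.0.113.80 decrypted=no egress=eth2 next_hop=192.0.2.254
ts=2019-11-19T10:03:00Z action=pcap_export admin=jsmith session_id=4411 size=20480
ts=2019-11-19T10:04:00Z action=pcap_export admin=contractor1 session_id=4412 size=10240
"""

# Assumed policy: decrypted traffic may only leave via the interface/next-hop
# pair that leads to the monitored boundary firewall, and only named admins
# may pull decrypted captures off the proxy.
APPROVED_EGRESS: Set[Tuple[str, str]] = {("eth1", "203.0.113.1")}
APPROVED_ADMINS: Set[str] = {"jsmith", "alee"}

Finding = Tuple[str, str]  # (finding kind, human-readable detail)


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; tokens without '=' get an empty value."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def audit_tlsi_log(log_text: str,
                   approved_egress: Iterable[Tuple[str, str]],
                   approved_admins: Iterable[str]) -> List[Finding]:
    """Return findings for plaintext misrouting and unapproved capture exports."""
    egress_ok = set(approved_egress)
    admins_ok = set(approved_admins)
    findings: List[Finding] = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        action = rec.get("action")

        if action == "session":
            # Only sessions the proxy actually decrypted carry plaintext; a
            # passthrough session on an odd path is a routing question, not
            # a plaintext exposure, so it is not flagged here.
            path = (rec.get("egress", ""), rec.get("next_hop", ""))
            if rec.get("decrypted") == "yes" and path not in egress_ok:
                findings.append((
                    "misrouted_plaintext",
                    f"{rec.get('client')} -> {rec.get('dest')} forwarded via "
                    f"{path[0]}/{path[1]} (not an approved egress)",
                ))

        elif action == "pcap_export":
            # Every export of decrypted traffic is a privileged act; anyone
            # outside the approved list is a potential insider abuse.
            admin = rec.get("admin", "")
            if admin not in admins_ok:
                findings.append((
                    "unauthorized_export",
                    f"admin={admin} exported session_id={rec.get('session_id')}",
                ))

    return findings


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed sample log with the assumed policy."""
    return audit_tlsi_log(SAMPLE_LOG, APPROVED_EGRESS, APPROVED_ADMINS)


if __name__ == "__main__":
    for kind, detail in audit_sample():
        print(f"[{kind}] {detail}")
```

On the sample log this reports the decrypted session to mail.example.org that left via eth2/192.0.2.254 and the capture export by contractor1; the passthrough session on the same unapproved path is deliberately not reported, because no plaintext was exposed. In a real deployment the approved egress set should be derived from the firewall rules that front the proxy, so that the log analytics and the firewall policy are checked against the same source of truth.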

