If the title was not enough to give it away, the long-awaited full TLS inspection capability will be officially launched in Zenarmor 1.17 and is our latest enterprise-focused capability for users with existing business subscriptions.
Before we go any further, let's address the elephant in the room: full TLS inspection is something you either love or hate. TLS inspection has been at the center of many debates. Those who are pro-security argue that without it you can't sufficiently secure network traffic, because you are blind to the many threats that hide within encrypted traffic; considering that, according to Google, roughly 96% of traffic is encrypted, that leaves a considerable blind spot to worry about.
On the other hand, you get the pro-privacy user who argues that TLS inspection can violate their privacy, because full TLS inspection allows the encrypted payload to be decrypted, inspected, and encrypted again before it is passed upstream, which differs very little, technically, from the man-in-the-middle type “attack” a bad actor may attempt to perform.
Both of these arguments can be true. With this said, we find ourselves in a catch-22: encryption benefits both the user and the business, but it also benefits bad actors by giving them a place to hide. As soon as we implement TLS inspection we can expose the bad actor's nefarious ways, but at the same time we potentially violate the user's privacy. So where do we begin? How do we reach a compromise?
To address these questions, for the remainder of this article, we are first going to briefly explore TLS inspection, looking at some of the pros and cons. Secondly, we will provide a general overview of how TLS inspection is implemented by Zenarmor and provide some steps to get you started with TLS Inspection. Finally, we will discuss some TLS Inspection caveats that you may encounter and how to overcome them.
We are hoping that by the end of this read, you will have all the necessary information you need to make confident decisions as to how you will implement Zenarmor's latest TLS inspection capabilities in your network.
What is full TLS inspection, and what are the pros and cons?
Let's start at the beginning: what is TLS inspection in the Zenarmor product ecosystem? If you are familiar with previous versions of Zenarmor, it won't be the first time you have seen us mention TLS inspection in our products or marketing materials. Up until now, the TLS inspection we offered was only certificate/SNI-based TLS inspection, where Zenarmor inspects the SNI (Server Name Indication) information located in the TLS certificate, which is in clear text, and through this we can determine the hostname of the service the user is attempting to access.
Combining this with other information like port numbers, DNS enrichment, IP addresses, etc., we can categorize the application or service with a high degree of accuracy. SNI-based TLS inspection, unlike full TLS inspection, does not decrypt the encrypted payload, so private information remains intact. For the remainder of this article, let's call the current SNI-based TLS inspection “lite” TLS inspection.
The new enterprise-focused full TLS inspection capabilities of Zenarmor take TLS inspection even further: we can not only categorize the application or service with greater accuracy, but also inspect the encrypted payload for anything nasty a bad actor may be hiding there.
A very simple explanation of how Zenarmor achieves this is that Zenarmor acts as an intermediary between the client endpoint and the web server, basically as the trusted “man-in-the-middle.”
- The client endpoint initiates a connection request which is intercepted by Zenarmor.
- Zenarmor then forwards the request to the original web server or resource that the client endpoint is requesting.
- The server responds with its certificate to Zenarmor and a secure connection is formed.
- Zenarmor then inspects the payload and re-encrypts the content with a certificate that is signed by Zenarmor.
- Zenarmor then responds to the client endpoint with the original request.
In a nutshell, two TLS negotiations are taking place here, one between the client endpoint and Zenarmor, and another between Zenarmor and the web server resource. Zenarmor is then able to decrypt the payload, inspect it, and then re-encrypt it before passing it to the client endpoint.
For this to work correctly, the client endpoint needs to trust Zenarmor, and this is achieved by installing the Zenarmor trusted root CA certificate on the endpoint.
While “lite” TLS inspection is powerful and may be all that you require to satisfy your unique security requirements, full TLS inspection gives you extra visibility into your network traffic, which can take your network security to a whole new level.
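To make the trust requirement concrete, here is an added Go example (not Zenarmor's own code) that builds a stand-in inspection root CA, mints a re-signed leaf certificate for a hostname the way the intermediary above does, and checks whether a client accepts that leaf with and without the root in its trust store. The CA name and the hostname are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue gives tmpl a fresh P-256 key and signs it with parentKey (self-signed when nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // demo only: any key or certificate error aborts
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildInspectionChain plays the inspecting proxy: a self-signed root standing in for the Zenarmor
// root CA (constructed here, not the product's real CA) signs a leaf for host, as in the re-signing step above.
func BuildInspectionChain(host string) (*x509.Certificate, *x509.Certificate) {
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Inspection Root CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}, nil, nil)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		Subject: pkix.Name{CommonName: host}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour)}, root, rootKey)
	return root, leaf
}

// ClientTrusts reports whether an endpoint whose trust store is roots accepts leaf for host;
// with the inspection root missing, Verify fails with x509.UnknownAuthorityError (the browser warning).
func ClientTrusts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

The same check works against an intermediate CA imported into the proxy, as long as the chain terminates in a root the endpoints already hold.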
Some pros of full TLS inspection are:
- Full visibility of your network traffic even if it's encrypted, which is a requirement for more advanced security functions such as:
  - Cloud Access Security Broker (CASB), offering granular control of cloud applications where you can limit actions like uploads or downloads, changing settings, and almost every other aspect of the cloud app.
  - Data Loss Prevention (DLP), to prevent sensitive or private data from leaving your network through unsanctioned uploads to cloud apps like Dropbox or via standard email or IM messages.
  - Preventing users from using their work credentials to sign up with unsanctioned services or apps.
  - Remote Browser Isolation (RBI) and Sandboxing, where webpages can be rendered on the firewall or files can be opened in an isolated secure sandbox, drastically reducing the possibility of infecting the endpoint with embedded threats.
  - In-stream Antivirus, Malware, Phishing, Ransomware, and Spyware scanning capabilities.
- Finally, the ability to meet certain compliance requirements that some enterprises, industries, or educational institutions are required to uphold.
These advanced security functions are not possible without full TLS inspection. Without it, you are potentially leaving a large gap in your overall security posture, one that is easily plugged with Zenarmor.
To remain transparent and to empathize with all our users, we acknowledge that full TLS inspection is not for everyone and comes with its own risks and challenges:
- If used incorrectly, it has the potential to violate user privacy; this is likely the biggest challenge of full TLS inspection.
- Potential performance drawbacks due to the decryption and re-encryption process as described earlier in the article.
- Potential legal issues depending on the country or region you are located in.
- The potential to cause some applications or websites to function incorrectly, mainly due to certificate pinning issues.
So now that you have a better understanding of the two types of TLS inspection functionality available with Zenarmor, the next step is to talk about how Zenarmor can be used in a flexible way to improve your overall security posture.
A general overview of the full TLS inspection capabilities in Zenarmor
The full TLS inspection capabilities will be available to everyone with a Zenarmor SSE subscription. If you are an existing, qualified business subscription user, you can upgrade to SSE free of charge for a limited time, so be sure to check the email explaining the process, or alternatively contact our sales team for more information.
With licensing out of the way, in your Zenarmor policies menu, for each policy, you will see the new “TLS Controls” option. This is where you apply TLS inspection on a policy-by-policy basis. Please note that this is the first iteration of TLS inspection that has been made publicly available, so keep a lookout for further improvements and additional features in the coming months.
Figure 2: The default policy menu showing the usual Zenarmor controls, with the addition of the “TLS Controls” option
While some of the options in the TLS Controls menu are self-explanatory, some may not be as straightforward, so let's look at what each new TLS option does referring to Figure 2 above:
- The first toggle, “Enable full TLS inspection”, is one of those self-explanatory options. This simply enables full TLS inspection for the policy. Keep in mind that Zenarmor offers an easy and flexible way to create and manage policies, and the same applies to full TLS inspection: you can choose exactly which devices, device categories, VLANs, networks, users, or groups you want to apply TLS inspection to, and exclude others should you wish.
- The second toggle allows for the exclusion of whitelisted websites or apps, including those with pinned certificates, which are known to prevent full TLS inspection from functioning correctly. Here you can create your whitelist or add to the database of already defined apps with known pinned certificates, giving you complete control over the exclusion of web URLs and apps you don't wish to apply full TLS inspection to.
Figure 3: Menu to manage pinned sites and application exclusions.
- The fourth toggle, as stated, allows you to exclude traffic flows without hostnames, so pure IP address traffic will be excluded from TLS inspection; this is once again optional.
- The final toggles available in the menu allow you to either apply TLS inspection to all web traffic or select the category of web traffic you are interested in.
Another new addition in this release of Zenarmor is URL Blocking, which works hand in hand with TLS inspection and is located under the “Web Controls” menu in your policies. This new functionality allows you to block URLs at a more granular level, with the ability to use the (*) wildcard in your URL to target specific subdomains or paths globally.
Figure 4: URL Blocking option located in the Web Controls section of the policy
In addition to the policies menu changes, you will also notice that TLS Inspection has been included in the Zenarmor Settings menu, giving you an alternative place to manage your TLS Inspection Bypass settings for Websites and Applications. You will also have the option here to manage and set Zenarmor Certificate Authority settings. You can also download your Root CA certificate here in your preferred format; it will need to be installed on your endpoints for full TLS inspection to work correctly.
You also have the ability to import an intermediate CA certificate if you have already installed a certificate authority in your organization that is trusted by your endpoints.
Figure 5: TLS Settings menu located in the general Zenarmor settings menu
Figure 6: Certificate Authority menu allowing you to manage and download your Root CA certificate required for TLS Inspection.
How to get started with Zenarmor TLS inspection
Now that you have a better understanding of what the new TLS inspection capabilities look like in Zenarmor, let's walk through a high-level overview of how to get started with your implementation.
Overcoming the privacy and legal issues
The first step to deploying TLS inspection should be to overcome any privacy or legal issues in your organization. It may make sense at this point to start involving people from the legal department, people responsible for privacy and compliance, the security department as well as any workers' union representatives if applicable.
The key to this first step is to create full transparency between everyone involved in the organization and to make sure everyone's concerns are addressed. At this stage, you may also need to review any fair usage or privacy policies your organization may have as they will likely need to be updated to reflect the implementation of TLS inspection.
It may also be advisable to hold staff or user training sessions to explain exactly what TLS Inspection is, how it will be implemented, and what they as users can expect from using this technology to secure the organization's networks.
Root Certificate Deployment
The second major step is making sure that Zenarmor is set up as a trusted root certificate authority (CA) on any endpoints that will be secured by TLS inspection to avoid any connection or certificate warning messages in the browser.
For smaller deployments, this may be as simple as distributing the certificate generated by Zenarmor to all endpoints. For larger deployments, on the other hand, you may already have your own certificate authority set up, with your endpoints preloaded with your root CA certificate. In this case, you may want to create an intermediate CA certificate and import this into Zenarmor instead. The choice is ultimately yours.
Enabling TLS Inspection
Enabling TLS inspection is best done in a phased or controlled manner. It's best to establish a pilot group of users or devices other than those operated by IT or security teams, as these users usually have the means to work around issues and may fail to report them. Their work environment may also differ from that of general users in the organization, which may interfere with the accuracy of initial testing. Communication and reporting of issues are important in the early stages of your implementation to ensure that the initial bugs are ironed out before the implementation is made available company-wide.
It's best that you select your pilot group from a closed set of users, preferably with a diverse set of applications or devices in use so that you can thoroughly test if TLS inspection is functioning correctly. It's important to once again communicate with this user group and encourage them to report any issues they are experiencing so that they can be investigated thoroughly before TLS bypassing is put in place as a last resort.
If a phased approach like this is followed, potential interruptions can be controlled and minimized should they arise. It is generally encouraged that TLS inspection is applied network-wide where possible, to ensure your organization benefits the most from its additional security.
For more information on this be sure to have a look at our TLS Inspection Implementation Guide.
TLS Inspection caveats and how to handle them
TLS inspection unfortunately comes with a few caveats and other considerations that are important to understand. Not all traffic can be inspected, mainly for the following reasons:
- Certificate Pinning - mainly used by applications and some websites to force the client to use a pre-defined certificate built into the application, which rejects all other certificates. This was created to prevent man-in-the-middle attacks, and because TLS inspection follows a similar process, these applications won't function correctly. The choices you have here are to bypass these applications from TLS inspection only under extreme circumstances, apply Zenarmor “lite” TLS inspection, or, if you need full TLS inspection, find an alternative application that does not use certificate pinning. The industry has in some cases moved to deprecate certificate pinning due to these and other issues. This is important to understand when enabling TLS inspection, as it is most likely the biggest issue you will face.
- QUIC Transport Protocol - Google and other popular application developers have started to use the QUIC protocol, which is mainly used to improve speed and accomplishes this by skipping the TCP handshake and using UDP instead. Because TLS is TCP-based and TLS inspection relies on it, it is advised that when using TLS inspection you block the QUIC protocol on your network. If QUIC is blocked, the services fall back to TCP/TLS, which can be inspected and secured. If you favor security over minimal speed improvements, this is an important consideration.
- Special Circumstances - in some cases, for legal reasons, you may not be able to apply TLS inspection to banking, financial, healthcare, or other sensitive applications or content, which could open your organization to security threats. In these special circumstances you may have no choice but to bypass TLS inspection, or you may choose to block all such applications and content from the network, depending on their importance to your daily operations and your overall stance on security.
When dealing with TLS Inspection and its caveats, it's important to weigh up the security risks, pros, and cons on a case-by-case basis to determine whether bypassing TLS inspection is justified or if an alternative more secure approach can be followed.
Figure 7: Best Practices for Zenarmor TLS Inspection
Next Steps…
You should now have a pretty good understanding of TLS Inspection and how it's implemented in Zenarmor 1.17 as well as its caveats. It's now time to start your TLS Inspection journey.
If you are an existing partner or business user with an annual business license, you can take advantage of a free-of-charge upgrade to our new Secure Service Edge (SSE) subscription by reaching out to your account manager or our sales team.
We look forward to hearing from you and are ready to introduce you to a world of advanced cyber security. Let us help you get started with your Secure Service Edge (SSE) journey today.
