Managing Zenarmor TLS Inspection on Zenconsole
Adding Transport Layer Security (TLS) decryption and inspection can greatly improve your security posture, but it is not simply a matter of decrypting everything. Some TLS traffic may be subject to legal protections on the privacy and secrecy of communications, and decrypting and analyzing it may be unlawful in some jurisdictions. Depending on your industry, location and legal obligations, you may have data flows that must not be decrypted, such as confidential medical or financial information.
Hence, inspecting the TLS traffic of certain websites and applications can be unnecessary or even impermissible. To protect the confidentiality of such connections, you need to define exceptions (bypasses) in your TLS inspection setup.
Zenconsole lets you designate the websites and applications that your firewall will not inspect, globally for the selected node.
Figure 1. TLS Inspection Settings
You can easily manage the Zenarmor TLS Inspection feature by performing the following tasks explained in this guide:
- Managing Certificate Authority to Enforce
- Managing TLS Inspection Bypassed Sites
- Managing TLS Inspection Bypassed Applications
Managing Certificate Authority to Enforce
You can view and manage the Certificate Authority (CA) enforced for TLS inspection on the TLS Inspection settings page by following these steps:
- In your Zenconsole account, select the node on which you want to configure full TLS inspection.
- Click Settings on the left sidebar menu.
- Click the TLS inspection menu.
- To change the CA certificate used for inspecting TLS traffic, click the Manage button next to the certificate in the TLS Inspection pane. This redirects you to the Certificate Authority page, where you can generate or import a new certificate. Clients must trust this CA (its certificate has to be deployed to the endpoints' trust stores), otherwise every inspected connection fails certificate validation; and because the CA can issue a certificate for any site, its private key must be protected accordingly.
Figure 2. Viewing/Changing CA for TLS Inspection
Managing TLS Inspection Bypassed Sites
Zenconsole allows you to manage bypassed or certificate-pinned websites that must be excluded from TLS inspection.
Figure 3. TLS Inspection Bypassed Sites
Zenarmor strongly recommends full TLS inspection for all internet traffic, with bypasses deployed only in well-controlled and clearly understood exceptional circumstances. Under some circumstances it is nevertheless advisable to exclude TLS communication from inspection. Bypasses are usually only appropriate for the uses outlined below:
- Healthcare destinations
- Banking and financial destinations
- Business operations that depend on certificate-pinned websites or apps
- Business operations that depend on traffic that cannot be decrypted
- Applications that malfunction under inspection, such as certain components of Office 365
Excluding a Website from TLS Inspection
By default, TLS inspection excludes over 80 preconfigured websites retrieved from the Zenarmor signature database. In the TLS Inspection Bypassed Sites pane, these preconfigured websites are marked with a database storage symbol.
You can also explicitly designate a domain whose TLS traffic is to be excluded from inspection. The TLS Inspection Bypassed Sites pane marks such user-defined websites with a user symbol.
You may follow the next steps to exclude a website from TLS inspection:
- In your Zenconsole account, select the node on which you want to configure full TLS inspection.
- Click Settings on the left sidebar menu.
- Click the TLS inspection menu.
- Scroll down to the TLS Inspection Bypassed Sites pane.
- Type the domain name of the website.
- Leave the Inspection Status option at its default, Do not Inspect.
- Click the Add button. The domain is added to your list of TLS inspection bypassed websites, and from then on Zenarmor does not inspect TLS traffic to hosts under this domain.
Figure 4. Excluding a Website from TLS Inspection
A domain entry matches the domain itself and all of its subdomains; there is no need to include an asterisk. Zenarmor automatically matches every subdomain and fully qualified domain name under the entry. To exempt (or, with the status toggle, inspect) everything under domain.com, including sub.domain.com and host.sub.domain.com, simply specify domain.com and Zenarmor will match all corresponding hosts.
The best practices for excluding a website from TLS inspection are given below:
- Do not add major domains under which any customer can create their own file storage subdomain to the list of TLS inspection bypassed sites. The following domains should not be exempted from TLS inspection:
  .cloudfront.net
  (.s3).amazonaws.com
  (.blob.core).windows.net
  Because a domain entry covers all of its subdomains, exempting these domains means that no AWS S3 bucket or Azure Blob storage account is inspected at all, including any that an attacker controls, so they should not be exempted without careful thought.
- Add the most specific domain names possible rather than base domains (for example, add corp.example.com and eng.example.com instead of example.com).
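The matching rule and the best practices above can be made concrete in code. The following is an added example written for this page, not Zenarmor's own code: the entry fields, the function names, the "most specific entry wins" precedence for overlapping entries and the sample bypass list are assumptions made here; only the matching rule itself (an entry covers the domain and every host under it, with no asterisk) is the documented behaviour.

```python
"""Model of how a TLS inspection bypass list is matched and sanity-checked.

Added example, not Zenarmor's own code.  The entry fields, function names,
longest-match precedence and the sample list are assumptions made here;
the matching rule itself is the documented one: an entry "domain.com"
covers domain.com and every host under it, with no asterisk needed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Storage domains the page says must not be bypassed wholesale, because any
# customer (or attacker) can create a bucket or storage account under them.
BROAD_STORAGE_DOMAINS = {
    "cloudfront.net",
    "amazonaws.com", "s3.amazonaws.com",
    "windows.net", "core.windows.net", "blob.core.windows.net",
}


@dataclass(frozen=True)
class BypassEntry:
    domain: str            # e.g. "corp.example.com"
    source: str            # "db" (signature database) or "user" (user-defined)
    inspect: bool = False  # Inspection Status toggle; False == "Do not Inspect"


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot and any leading '*.' or '.'."""
    n = name.strip().lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]
    return n.lstrip(".")


def domain_matches(entry_domain: str, host: str) -> bool:
    """True when host equals entry_domain or is a subdomain of it.

    Label-aware suffix match: "domain.com" matches "sub.domain.com" and
    "host.sub.domain.com" but not "notdomain.com".
    """
    d, h = normalize(entry_domain), normalize(host)
    return h == d or h.endswith("." + d)


def should_inspect(host: str, entries: list[BypassEntry]) -> bool:
    """Decide whether TLS traffic to host is inspected.

    No matching entry means full inspection (the default).  When several
    entries match, this model lets the most specific one win (an assumption,
    not documented behaviour), so a user entry for "mail.corp.example.com"
    with inspection enabled overrides a broader "corp.example.com" bypass.
    """
    matches = [e for e in entries if domain_matches(e.domain, host)]
    if not matches:
        return True
    best = max(matches, key=lambda e: len(normalize(e.domain)))
    return best.inspect


def lint_bypass_list(entries: list[BypassEntry]) -> list[str]:
    """Flag bypass entries that violate the best practices above."""
    warnings = []
    for e in entries:
        if e.inspect:
            continue  # inspection is enabled, so nothing is exempted
        d = normalize(e.domain)
        if d in BROAD_STORAGE_DOMAINS:
            warnings.append(f"{d}: exempts every S3 bucket / Azure Blob account under it")
        elif d.count(".") < 2:
            # Heuristic: two labels look like a base domain.  No public suffix
            # list is consulted, so a name like example.co.uk slips through.
            warnings.append(f"{d}: base domain, prefer a specific host such as app.{d}")
    return warnings


# Constructed sample list mixing preconfigured and user-defined entries.
SAMPLE_ENTRIES = [
    BypassEntry("bank.example", "db"),                           # preconfigured
    BypassEntry("corp.example.com", "user"),                     # specific, good
    BypassEntry("mail.corp.example.com", "user", inspect=True),  # re-enabled
    BypassEntry("amazonaws.com", "user"),                        # far too broad
]

if __name__ == "__main__":
    for host in ("www.bank.example", "vpn.corp.example.com",
                 "mail.corp.example.com", "mybucket.s3.amazonaws.com",
                 "notbank.example", "www.zenarmor.com"):
        print(f"{host:28} inspect={should_inspect(host, SAMPLE_ENTRIES)}")
    for w in lint_bypass_list(SAMPLE_ENTRIES):
        print("WARNING:", w)
```

Running the script shows that notbank.example is still inspected (the suffix match is label-aware, not a plain substring match) while mybucket.s3.amazonaws.com is not, which is exactly the exposure the lint warning points at.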
Removing a Website from TLS Inspection Bypassed Sites
To remove a domain from the list of TLS inspection bypassed sites and start inspecting traffic to the website(s) under this domain, follow these steps:
- In your Zenconsole account, select the node on which you want to configure full TLS inspection.
- Click Settings on the left sidebar menu.
- Click the TLS inspection menu.
- Scroll down to the TLS Inspection Bypassed Sites pane.
- Click the Remove button next to the domain in the list. A dialog box asks you to confirm the removal.
- Click Remove to confirm the deletion of the domain.
Changing Status of TLS Inspection Bypassed Sites
Occasionally you may need to inspect a website that the Zenarmor signature database excludes from TLS inspection by default. To change the inspection status of a bypassed site, follow these steps:
- In your Zenconsole account, select the node on which you want to configure full TLS inspection.
- Click Settings on the left sidebar menu.
- Click the TLS inspection menu.
- Scroll down to the TLS Inspection Bypassed Sites pane.
- Click the Status toggle next to the domain in the list. This enables or disables inspection of the TLS traffic belonging to the websites under the domain.
Figure 5. Changing Status of TLS Inspection Bypassed Sites
Managing TLS Inspection Bypassed Applications
Many applications, particularly mobile apps, use certificate pinning: they accept only specific server certificates (or public keys) that they trust and reject any other certificate as illegitimate, including one issued by your inspection CA. Certificate pinning is an effective control that substantially reduces the risk of man-in-the-middle (MitM) attacks. However, it equally blocks sanctioned interception such as a firewall's TLS inspection, which occupies the same man-in-the-middle position.
Pinning is widely used in iOS and Android applications, which makes these environments difficult to control. The encrypted traffic of such apps cannot be inspected; the connection simply fails when the app sees the inspection certificate, so you need to bypass TLS inspection for the destinations these apps access.
Because pinning failures lock users out whenever a certificate changes, the industry is gradually moving away from certificate pinning. Public certificate authorities (CAs) in particular are moving to shorter lifetimes for their intermediate CAs, so pins tied to a CA key break more often. Developers who persist in using certificate pinning raise their certificate-maintenance costs and endanger their users' ability to use the service.
Zenconsole enables the management of bypassed or certificate-pinned applications that need to be excluded from TLS inspection.
If you encounter certificate pinning, you can either replace the application or bypass its traffic. Bypass the traffic only if the application has substantial value to the business and the risk of not inspecting its traffic is considered acceptable.
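Before adding an application to the bypass list, it helps to confirm that it really is pinning rather than failing for some other reason. The following triage heuristic is an added example written for this page, not Zenarmor's own code: the HandshakeRecord format and the sample records are constructed here and are not a Zenarmor log format. What it encodes is general TLS behaviour: a pinning client completes the ClientHello/ServerHello exchange, then rejects the inspection CA's re-signed certificate with a certificate-related fatal alert (the RFC 5246 alert codes listed in the code) or simply closes the socket, and never sends application data. Since connections also drop for unrelated reasons, a single failure proves nothing; the heuristic therefore only flags an (application, server name) pair once most of its inspected handshakes fail that way.

```python
"""Triage heuristic for spotting certificate-pinning candidates.

Added example, not Zenarmor's own code.  The HandshakeRecord format, the
function names and the sample records are constructed here and are not a
Zenarmor log format.  The TLS behaviour it relies on is general: a pinning
client accepts the ClientHello/ServerHello exchange, then rejects the
inspection CA's re-signed certificate with a certificate-related fatal
alert (RFC 5246 section 7.2.2, codes below) or just closes the socket, and
never sends application data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# TLS alert descriptions a client sends when it rejects the server certificate.
CERT_REJECT_ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}


@dataclass(frozen=True)
class HandshakeRecord:
    app: str                  # application identified for the flow
    sni: str                  # server name from the ClientHello
    inspected: bool           # True when the inspection CA's cert was served
    client_alert: int | None  # alert description sent by the client, if any
    app_bytes: int            # application-data bytes seen after the handshake


def rejected_inspection_cert(rec: HandshakeRecord) -> bool:
    """Did this one connection reject the inspection certificate?"""
    if not rec.inspected:
        return False  # bypassed already, or a failure unrelated to our CA
    if rec.client_alert in CERT_REJECT_ALERTS:
        return True
    # Some clients close the socket instead of sending an alert.  A silent
    # close with zero application data fits pinning, but connections drop for
    # other reasons too, hence the ratio threshold in pinning_candidates().
    return rec.client_alert is None and rec.app_bytes == 0


def pinning_candidates(records, min_connections: int = 3, min_ratio: float = 0.8):
    """Group inspected connections by (app, sni) and keep the groups that
    mostly reject the certificate.  Returns {(app, sni): (rejected, total)}
    ordered by rejected count, i.e. the bypass entries to look at first."""
    counts: dict[tuple[str, str], list[int]] = defaultdict(lambda: [0, 0])
    for r in records:
        if not r.inspected:
            continue
        key = (r.app, r.sni)
        counts[key][1] += 1
        if rejected_inspection_cert(r):
            counts[key][0] += 1
    found = {k: (rej, tot) for k, (rej, tot) in counts.items()
             if tot >= min_connections and rej / tot >= min_ratio}
    return dict(sorted(found.items(), key=lambda kv: -kv[1][0]))


# Constructed sample: a pinning banking app, a normal browser session, a chat
# app with one stray drop, and an app that is already bypassed.
SAMPLE_RECORDS = [
    *[HandshakeRecord("BankApp", "api.bank.example", True, 46, 0) for _ in range(3)],
    HandshakeRecord("BankApp", "api.bank.example", True, None, 0),
    *[HandshakeRecord("Browser", "www.example.com", True, None, 18_000) for _ in range(5)],
    *[HandshakeRecord("ChatApp", "chat.example", True, None, 4_000) for _ in range(3)],
    HandshakeRecord("ChatApp", "chat.example", True, None, 0),
    *[HandshakeRecord("Bypassed", "pinned.example", False, None, 0) for _ in range(4)],
]

if __name__ == "__main__":
    for (app, sni), (rej, tot) in pinning_candidates(SAMPLE_RECORDS).items():
        print(f"{app} -> {sni}: {rej}/{tot} handshakes rejected the inspection cert")
```

Only BankApp is reported: ChatApp's single silent drop stays under the threshold, and the already bypassed app never saw the inspection certificate, so it contributes nothing. The server name reported alongside the application is the specific host to use if you decide on a site bypass instead of an application bypass.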
Excluding an Application from TLS Inspection
Follow these steps to exclude an application from TLS inspection:
- In your Zenconsole account, select the node on which you want to configure full TLS inspection.
- Click Settings on the left sidebar menu.
- Click the TLS inspection menu.
- Scroll down to the TLS Inspection Bypassed Applications pane.
- Click the Select an application... drop-down menu.
- Find the application that Zenarmor should not inspect, either with the Search bar or by scrolling down.
- Leave the Inspection Status option at its default, Do not Inspect.
- Click the Add button. The application is added to your certificate-pinned applications list, and from then on Zenarmor does not inspect the traffic belonging to this application.
Figure 6. TLS Inspection Bypassed Applications
Removing an Application from TLS Inspection Bypassed Applications
To remove an application from the TLS inspection bypassed applications list and start inspecting its traffic, follow these steps:
- In your Zenconsole account, select the node on which you want to configure full TLS inspection.
- Click Settings on the left sidebar menu.
- Click the TLS inspection menu.
- Scroll down to the TLS Inspection Bypassed Applications pane.
- Click the Remove button next to the application in the list. A dialog box asks you to confirm the removal.
- Click Remove to confirm the deletion of the application.
Changing Status of TLS Inspection Bypassed Application
After adding an application to the TLS inspection bypassed applications list, you may occasionally need to inspect it temporarily. To change the inspection status of a bypassed application, follow these steps:
- In your Zenconsole account, select the node on which you want to configure full TLS inspection.
- Click Settings on the left sidebar menu.
- Click the TLS inspection menu.
- Scroll down to the TLS Inspection Bypassed Applications pane.
- Click the Status toggle next to the application in the list. This enables or disables inspection of the application's traffic.
Figure 7. Changing Status of TLS Inspection Bypassed Applications