Best Practices for TLS Inspection
This article illustrates our best practices and recommendations for activating the full TLS inspection feature on your Zenarmor® firewall. The best practices for enabling TLS inspection in a network are given below:
- Cooperation: Implementing TLS inspection is a complex endeavor that involves both technical expertise and organizational readiness. Organizations generally need to revise computer use rules, acceptable use agreements, and other internal documents pertaining to IT systems. In many locations and countries, full TLS inspection requires the participation of workers' groups and unions.

  Obtain the necessary authorizations to decrypt web traffic in order to protect your organization. Create revised computer use rules for legal and HR purposes. Distribute these policies to all employees, contractors, partners, visitors, and any other individuals using the network. The purpose of this distribution is to ensure that users are aware that their data may be decrypted and scanned for potential risks once decryption is implemented.
- Defining Goals: Aim to inspect as much non-private, non-sensitive TLS traffic as your firewall's resources allow. This minimizes the attack surface by identifying and blocking encrypted threats. Familiarize yourself with the local legislation and rules on which traffic you are lawfully allowed to decrypt, and on the requirements for notifying users.
- Privacy Concerns: Certain types of information are safeguarded by regulations and standards such as GDPR, PCI DSS, and HIPAA. To use HTTPS inspection effectively, you must acknowledge and uphold the privacy considerations associated with the data involved. This means designing the HTTPS inspection rules so that traffic likely to contain sensitive information can be excluded. This is particularly vital for sectors such as banking and healthcare, which are obligated to comply with data privacy requirements.
- Traffic Exclusion: Determine and prioritize the TLS traffic to be inspected. Identify the specific web categories and applications to examine, and determine which encrypted traffic cannot be decrypted. Some connections cannot be inspected due to technical limitations such as certificate pinning, unsupported ciphers, or mutual authentication. Web categories such as financial, health, government, and other sensitive categories, as well as users such as executives, should not undergo inspection because of privacy concerns. Understand thoroughly which traffic you choose to exclude from inspection, and be cautious: you cannot see into encrypted traffic, and the firewall cannot enforce threat prevention profiles on traffic it does not decrypt.
- Gradual Deployment: Zenarmor recommends beginning your inspection rollout with a limited group of users and policies drawn from various departments or business units. Run proofs of concept (POCs) to validate the deployment strategy before the general user rollout. Assess the impact of the TLS inspection proof-of-concept deployment on the firewall's CPU and memory utilization to validate that the firewall is sized correctly. This approach lets you build expertise as you go, with little disruption.
- Planning: Execute the testing and production stages in a detailed and precise manner. Full TLS inspection may be rolled out using criteria other than user groups and locations; using web categories often causes less disturbance in production. Test inspection on web categories of lower importance to your company before proceeding to the more crucial ones. This helps verify the effectiveness of the inspection process while minimizing the likelihood of problems in production.
- Certificate Installation: When a client, such as a web browser, establishes a connection with a website, Zenarmor presents its own certificate to the browser as part of the TLS negotiation. For the client to accept this certificate as valid, Zenarmor's CA certificate must be installed on all clients and devices. The certificate may be downloaded from the Certificate Authority Settings page. Make sure to install the Zenarmor CA certificate on every client device whose TLS traffic is to be inspected. You must choose between using Zenarmor's Certificate Authority (CA) and using your own pre-existing CA in conjunction with Zenarmor, and you must determine how the certificate will be deployed to all required devices.
- Server Inspection: Implementing full TLS inspection for servers can pose difficulties that vary with the environment, management structure, and services used. Server networks are usually left out of the first full TLS inspection projects because of their potential complexity; they are brought in after inspection of client traffic is established in the production environment.

  Zenarmor advises implementing access restrictions on servers, allowing only explicitly approved destinations and blocking all other access. This measure significantly reduces the security risk of non-inspection, both before and after enabling inspection.
- Browsers: Firefox does not use the TLS certificates installed for Internet Explorer; it maintains its own certificate store. If your organization permits Firefox, you must install the TLS certificate in those browsers separately. Chrome, on the other hand, uses the same Windows certificate store as Internet Explorer.
- Certificate-Pinning Sites Inspection: Some client applications, such as Dropbox, employ a method known as certificate pinning, in which the client application is hardcoded to accept only one specific certificate for the server it connects to. Applications that depend on certificate pinning may not function with TLS inspection. Add these sites to the list of destinations whose TLS transactions are not decrypted. You can easily add a certificate-pinned site to the TLS Inspection Bypassed Sites list on the TLS Inspection Settings page.
- Web Category Selection: Start your deployment by enabling TLS inspection only for high-risk web categories, such as Adult, Warez, and Gambling. Alternatively, first inspect web categories that do not impact your business, such as news and shopping, so that if something goes wrong it will not affect your company. In either scenario, decrypt a limited number of web categories, monitor user feedback, and generate reports to verify proper operation. Then incrementally decrypt a few more web categories, and so on. Once your organization is prepared and the initial tests have completed successfully, enable TLS inspection for all web categories except Finance and Health, to alleviate internal privacy concerns. Develop a strategy for excluding websites from decryption where technical constraints prevent it or where you prefer not to decrypt them.
- BYOD Inspection: Inspecting Bring Your Own Device (BYOD) and guest network traffic is often infeasible because the Zenarmor CA certificate cannot be deployed on these devices. Make sure that any BYOD and guest networks are fully isolated from your organization's network, with no access to anything other than the Internet.
- IoT Device Inspection: Although some IoT devices can be managed and adjusted, most of them do not allow changes to their certificate trust store. If your IoT devices do support it, inspection may still be feasible, but it will probably require a custom policy and one or more sub-networks dedicated to these nodes.
- QUIC Inspection: Quick UDP Internet Connections (QUIC) is a network protocol created by Google to speed up internet access in its browsers and devices. QUIC achieves this by bypassing the TCP handshake and using UDP instead. Because TLS inspection depends on TCP session metadata, Zenarmor advises blocking the Google QUIC protocol. You can easily block QUIC connections via TLS Controls in a policy configuration. When a browser or device cannot establish a QUIC connection, it falls back to TCP.
- Undecryptable Traffic: Some websites may employ their own encryption protocols. Typically, this occurs when nation-state actors use specialized encryption for confidential communications. Those protocols are restricted and not available to Zenarmor. Custom encryption schemes are rarely encountered unless one has a background in government work or contracting. In most situations you can block this traffic. If your organization uses any of these protocols, bypass the corresponding TLS traffic.
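The gradual deployment, traffic exclusion and web category selection items above all depend on knowing which hosts the firewall is actually decrypting. The following added example (not part of this article and not Zenarmor's own tooling) probes a list of hosts from an inspected client and reports whether each leaf certificate was issued by the inspection CA; it assumes the CA was exported to zenarmor-ca.pem and that its subject CN is "Zenarmor CA", so substitute the values from your own Certificate Authority Settings page.

```python
"""Report which hosts an inspected client actually sees through the inspection CA.

Added example, not Zenarmor's own code. Assumes the inspection CA was exported
to 'zenarmor-ca.pem' with subject CN 'Zenarmor CA'; substitute your own values.
"""
import socket
import ssl
import sys

INSPECTION_CA_CN = "Zenarmor CA"  # assumption: CN of your inspection CA


def issuer_common_name(peercert):
    """Return the issuer CN from the dict that SSLSocket.getpeercert() returns."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def inspection_state(peercert, ca_cn=INSPECTION_CA_CN):
    """'inspected' if the leaf cert was minted by the inspection CA, else 'bypassed'."""
    return "inspected" if issuer_common_name(peercert) == ca_cn else "bypassed"


def probe(host, cafile, port=443, timeout=5.0):
    """Handshake with host and return (state, detail). Trusting both the public
    roots and the inspection CA means 'verify-failed' is not about inspection
    itself: it points at an untrusted CA, a broken chain, or a bypass candidate."""
    ctx = ssl.create_default_context()        # public roots, hostname check on
    ctx.load_verify_locations(cafile=cafile)  # additionally trust the inspection CA
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "verify-failed", exc.verify_message
    except OSError as exc:                    # DNS, timeout, reset, other TLS errors
        return "error", str(exc)
    return inspection_state(cert), issuer_common_name(cert)


if __name__ == "__main__":
    # usage: python3 check_inspection.py zenarmor-ca.pem host1 host2 ...
    cafile, hosts = sys.argv[1], sys.argv[2:]
    for host in hosts:
        state, detail = probe(host, cafile)
        print(f"{host:40} {state:14} {detail}")
```

Run it from a client that already trusts the CA, once with hosts from an inspected category and once with hosts on the bypass list; a "bypassed" result for a host you expect to inspect, or "verify-failed" for a host users report as broken, tells you which rule or bypass entry to revisit.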