Managing Organization-wide TLS Inspection

Decrypting and inspecting Transport Layer Security (TLS) traffic can substantially strengthen your security posture; however, decrypting all traffic is not a simple matter. Some TLS traffic may be protected by laws on the confidentiality of communications, and decrypting and analyzing it may be illegal in certain jurisdictions. Depending on your sector, location, and legal obligations, certain kinds of traffic, such as sensitive medical or financial information, may have to remain undisclosed.

Consequently, inspecting the TLS traffic of certain websites and applications may be unnecessary or undesirable. To safeguard the confidentiality of such connections, define bypass filters and rules in your TLS inspection setup.

Zenconsole lets you designate, organization-wide, the websites and applications whose traffic is exempt from inspection.

Zenconsole enables the management of full TLS inspection configurations across the entire organization. You can perform the following full TLS inspection tasks:

  • Manage TLS Inspection Bypassed Applications
  • Manage TLS Inspection Bypassed Sites

These TLS inspection settings are automatically applied to all gateways and endpoints in your organization.

Figure 1. Organization-wide TLS Inspection

Manage TLS Inspection Bypassed Applications

Certain applications, particularly most mobile applications, use certificate pinning: they trust only specific server certificates and reject any other certificate as unauthorized. Certificate pinning effectively mitigates man-in-the-middle (MITM) attacks, but it also blocks legitimate inspection proxies, which are by design a trusted MITM.

This technique is common in iOS and Android applications, which makes administering these environments difficult. The encrypted traffic of these applications cannot be examined, so TLS inspection must be bypassed for the sites these applications use.

The industry is gradually moving away from certificate pinning because certificate problems cause loss of access. Application vendors, as well as public certificate authorities (CAs), are transitioning to intermediate CAs with shorter lifetimes. Developers who persist with certificate pinning compromise the service's availability and increase the cost of certificate maintenance.

Zenconsole lets you manage bypassed (certificate-pinned) applications that must be excluded from TLS inspection.

If you encounter certificate pinning, you may either find an alternative way of routing the traffic around inspection or replace the application. Bypass application traffic only if the risk of not inspecting that traffic is acceptable and the application has significant value to the company.
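Before bypassing an application, it helps to know which destinations are actually failing under inspection. The following added example (not Zenarmor's or Zenconsole's code) parses TLS alert records that clients send back after the inspecting gateway presents its re-signed certificate and tallies fatal trust-failure alerts per SNI; hosts that repeatedly answer with unknown_ca or bad_certificate are the certificate-pinned candidates for the bypass list. The record bytes, host names and threshold are constructed for illustration; note that in TLS 1.2 the client's alert on a certificate failure is sent in the clear, whereas in TLS 1.3 it is encrypted under handshake keys, so the inspecting proxy (which holds those keys) must decrypt the record before applying this parser.

```python
# Added example, not Zenarmor code: triage TLS alert records observed by an
# inspecting gateway to find hosts whose clients reject the inspection CA.
from collections import Counter, defaultdict

# Alert descriptions (RFC 5246 / RFC 8446) that indicate a certificate-trust failure.
ALERT_DESC = {
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    116: "certificate_required",
}
TRUST_FAILURES = set(ALERT_DESC)
CONTENT_TYPE_ALERT = 21          # TLS record content type "alert"
LEVEL_FATAL = 2


def parse_alert_record(record: bytes):
    """Parse one TLS record (type(1) version(2) length(2) body).

    Returns (level, description) if the record is a plaintext alert, else None.
    """
    if len(record) < 5:
        return None
    ctype = record[0]
    length = int.from_bytes(record[3:5], "big")
    body = record[5:5 + length]
    if ctype != CONTENT_TYPE_ALERT or length != 2 or len(body) != 2:
        return None
    return body[0], body[1]


def pinning_candidates(observations, min_fatal=3):
    """observations: iterable of (sni, record_bytes) captured from clients right
    after the gateway sent its re-signed certificate.

    Returns {sni: Counter(alert_name -> count)} for SNIs that produced at least
    min_fatal fatal trust-failure alerts; these are bypass-list candidates.
    """
    tally = defaultdict(Counter)
    for sni, rec in observations:
        parsed = parse_alert_record(rec)
        if parsed is None:
            continue
        level, desc = parsed
        if level == LEVEL_FATAL and desc in TRUST_FAILURES:
            tally[sni][ALERT_DESC[desc]] += 1
    return {sni: c for sni, c in tally.items() if sum(c.values()) >= min_fatal}


# Constructed sample (hypothetical host names): three clients of a mobile-banking
# API send fatal unknown_ca (0x30); one client of a news CDN sends fatal
# bad_certificate (0x2a); a browser session sends a warning-level close_notify
# and then ordinary application data (record type 23), which are not counted.
SAMPLE = [
    ("api.mobilebank.example", bytes.fromhex("15030300020230")),
    ("api.mobilebank.example", bytes.fromhex("15030300020230")),
    ("api.mobilebank.example", bytes.fromhex("15030300020230")),
    ("cdn.news.example", bytes.fromhex("1503030002022a")),
    ("www.example.org", bytes.fromhex("15030300020100")),
    ("www.example.org", bytes.fromhex("17030300050102030405")),
]

if __name__ == "__main__":
    for sni, counts in pinning_candidates(SAMPLE).items():
        print(f"{sni}: {dict(counts)}  -> candidate for TLS inspection bypass")
```

Running the block prints only the banking API host, because the CDN produced a single failure and the browser session completed normally; the threshold keeps one-off certificate problems from being mistaken for pinning.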

Excluding an Application from TLS Inspection

Follow these steps to select an application to exclude from TLS inspection:

  1. Log in to Zenconsole and select the organization you want to manage.

  2. Go to the Organization TLS Inspection page by navigating to Settings > TLS Inspection in Zenconsole.

  3. Scroll down to the TLS Inspection Bypassed Applications pane.

  4. Click the Select an application... drop-down menu.

  5. Find the application that Zenarmor should not inspect, either with the Search bar or by scrolling down.

  6. You may leave the Inspection Status option at its default, Do not Inspect.

  7. Click the Add button. This adds the application to your certificate-pinned applications list. From now on, network packets belonging to this application will not be inspected by Zenarmor.

    Figure 2. TLS Inspection Bypassed Applications

Removing an Application from TLS Inspection Bypassed Applications

To remove an application from the TLS inspection bypassed applications list and start inspecting its traffic, follow these steps:

  1. Log in to Zenconsole and select the organization you want to manage.

  2. Go to the Organization TLS Inspection page by navigating to Settings > TLS Inspection in Zenconsole.

  3. Scroll down to the TLS Inspection Bypassed Applications pane.

  4. Click the Remove button next to the application in the list. A dialog box asks you to confirm the removal.

  5. Click Remove to confirm the deletion of the application.

    Figure 3. Removing an Application from TLS Inspection Bypassed Applications

Changing Status of TLS Inspection Bypassed Application

After adding an application to the TLS inspection bypassed applications list, you may in some cases need to inspect it temporarily. To change the inspection status of a bypassed application, follow these steps:

  1. Log in to Zenconsole and select the organization you want to manage.

  2. Go to the Organization TLS Inspection page by navigating to Settings > TLS Inspection in Zenconsole.

  3. Scroll down to the TLS Inspection Bypassed Applications pane.

  4. Click the Status toggle next to the application in the list. This enables or disables inspection of the application's traffic.

    Figure 4. Changing Status of TLS Inspection Bypassed Applications

Manage TLS Inspection Bypassed Sites

Zenconsole lets you manage bypassed or certificate-pinned websites that must be excluded from TLS inspection.

Figure 5. TLS Inspection Bypassed Sites

Zenarmor recommends full TLS inspection for all internet traffic, permitting bypasses only in well-managed and clearly defined exceptional circumstances. Bypasses are typically appropriate only for the specific uses listed below:

  • Healthcare destinations
  • Banking and financial destinations
  • Business operations that require certificate-pinned websites or apps
  • Business operations that require traffic that cannot be decrypted
  • Applications, such as certain components of Office 365, that encounter problems during inspection

Excluding a Website from TLS Inspection

Over 80 predefined domains, retrieved from the Zenarmor signature database, are automatically excluded from TLS inspection. The TLS Inspection Bypassed Sites pane marks these predefined domains with a DB storage icon.

In addition, you can explicitly designate a domain whose TLS traffic should not be inspected. The pane marks these user-defined websites with a user icon.

Follow these steps to exclude a website from TLS inspection:

  1. Log in to Zenconsole and select the organization you want to manage.
  2. Go to the Organization TLS Inspection page by navigating to Settings > TLS Inspection in Zenconsole.
  3. Scroll down to the TLS Inspection Bypassed Sites pane.
  4. Type the domain name of the website.
  5. You may leave the Inspection Status option at its default, Do not Inspect.
  6. Click the Add button. This adds the domain to your TLS inspection bypassed websites list. From now on, network packets belonging to the website(s) under this domain will not be inspected by Zenarmor.

Tip: Domains match all subdomains. There is no need to use an asterisk: Zenarmor matches every subdomain and fully qualified domain name under the domain you enter. If you want everything under domain.com (sub.domain.com, host.sub.domain.com) to be bypassed or inspected, just enter domain.com and Zenarmor matches all of them.

Best Practice

Best practices for excluding a website from TLS inspection:

  • Do not add major domains that let any user create their own file-storage subdomain to the list of TLS inspection bypassed sites. The following domains should not be exempted from TLS inspection:

    • .cloudfront.net
    • (.s3).amazonaws.com
    • (.blob.core).windows.net

    Exempting these domains means no inspection takes place for any AWS S3 or Azure Blob storage account, so they should not be exempted without careful thought.

  • Instead of base domain names, add the most specific domains you can (for example, corp.example.com and eng.example.com instead of example.com).
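The subdomain-matching rule from the tip above and the two best practices in this list can be checked mechanically. The following added example (not Zenarmor's or Zenconsole's code) implements label-boundary matching, so an entry for domain.com covers sub.domain.com and host.sub.domain.com but not notdomain.com, and a small lint that flags the shared-storage domains the list warns against. The most-specific-entry-wins rule for resolving an inspected subdomain under a bypassed parent, the BypassEntry fields and the sample entries are assumptions made for illustration, not a description of how Zenarmor resolves overlapping entries.

```python
# Added example, not Zenarmor code: label-boundary domain matching for a TLS
# inspection bypass list, plus a lint for entries that are far too broad.
from dataclasses import dataclass


@dataclass(frozen=True)
class BypassEntry:
    domain: str            # e.g. "example.com"; matches itself and every subdomain
    inspect: bool = False  # False = "Do not Inspect", the default on the page
    source: str = "user"   # "db" for signature-database entries, "user" for explicit ones


# Assumption: the shared-storage domains the best-practice list names, written out
# as the concrete suffixes an administrator might type by mistake.
OVERLY_BROAD = {
    "cloudfront.net",
    "amazonaws.com", "s3.amazonaws.com",
    "windows.net", "blob.core.windows.net",
}


def _normalize(name: str) -> str:
    """Lower-case, drop a trailing dot and a leading '*.' (the asterisk is unnecessary)."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def domain_matches(host: str, entry_domain: str) -> bool:
    """True if host equals entry_domain or is a subdomain of it.

    Comparison happens on label boundaries, so 'notdomain.com' does not match
    an entry for 'domain.com'.
    """
    host, d = _normalize(host), _normalize(entry_domain)
    return host == d or host.endswith("." + d)


def inspection_decision(host: str, entries) -> str:
    """Return 'bypass' or 'inspect' for a host.

    Assumed rule: the longest (most specific) matching entry wins, so an entry
    'eng.example.com' toggled to inspect overrides a bypassed 'example.com'.
    """
    matches = [e for e in entries if domain_matches(host, e.domain)]
    if not matches:
        return "inspect"
    best = max(matches, key=lambda e: len(_normalize(e.domain)))
    return "inspect" if best.inspect else "bypass"


def lint_bypass_list(entries):
    """Flag bypass entries that would exempt every tenant of a shared-storage domain."""
    findings = []
    for e in entries:
        if not e.inspect and _normalize(e.domain) in OVERLY_BROAD:
            findings.append(
                f"{e.domain}: exempts every tenant of this storage domain; "
                f"bypass a specific bucket or host instead"
            )
    return findings


# Constructed sample list (hypothetical domains).
SAMPLE_ENTRIES = [
    BypassEntry("example.com"),                    # bypass everything under example.com
    BypassEntry("eng.example.com", inspect=True),  # ...except engineering, which is inspected
    BypassEntry("hospital.example.org", source="db"),
    BypassEntry("s3.amazonaws.com"),               # too broad, should be flagged
    BypassEntry("mybucket.s3.amazonaws.com"),      # specific bucket, acceptable
]

if __name__ == "__main__":
    for host in ("www.example.com", "build.eng.example.com", "notexample.com"):
        print(f"{host}: {inspection_decision(host, SAMPLE_ENTRIES)}")
    for finding in lint_bypass_list(SAMPLE_ENTRIES):
        print("WARNING:", finding)
```

The lint is deliberately exact-match: mybucket.s3.amazonaws.com is a specific storage host and passes, while s3.amazonaws.com or amazonaws.com would exempt every S3 tenant and is reported.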

Removing a Website from TLS Inspection Bypassed Sites

To remove a domain from the TLS inspection bypassed websites list and start inspecting the traffic of the website(s) under it, follow these steps:

  1. Log in to Zenconsole and select the organization you want to manage.

  2. Go to the Organization TLS Inspection page by navigating to Settings > TLS Inspection in Zenconsole.

  3. Scroll down to the TLS Inspection Bypassed Sites pane.

  4. Click the Remove button next to the domain in the list. A dialog box asks you to confirm the removal.

  5. Click Remove to confirm the deletion of the domain.

    Figure 6. Removing a Website from TLS Inspection Bypassed Sites

Changing Status of TLS Inspection Bypassed Sites

In some cases, you may need to inspect websites that the Zenarmor signature database excludes from TLS inspection. To change the inspection status of a TLS inspection bypassed website, follow these steps:

  1. Log in to Zenconsole and select the organization you want to manage.

  2. Go to the Organization TLS Inspection page by navigating to Settings > TLS Inspection in Zenconsole.

  3. Scroll down to the TLS Inspection Bypassed Sites pane.

  4. Click the Status toggle next to the domain in the list. This enables or disables inspection of the TLS traffic belonging to the websites under that domain.

    Figure 7. Changing Status of TLS Inspection Bypassed Sites