TLS Inspection Rules on Zenconsole
Encryption guarantees the confidentiality and integrity of data exchanged between a sender and a receiver. SSL and its successor, Transport Layer Security (TLS), are the protocols designed to provide that confidentiality and protection for Internet services. While they successfully protect information from unauthorized access, they also conceal possible threats to the user, the device, and the organization.
With more than 90% of global Internet traffic now encrypted, encryption also hides most attacks from security controls, making them invisible unless integrated TLS inspection is used. Examining SSL/TLS encrypted communication is therefore crucial.
Transport Layer Security Inspection is a security process that allows businesses to decrypt network traffic, examine the decrypted content for possible threats, and then encrypt the data again before it enters or leaves the network. There are two distinct approaches to TLS inspection, which differ in how much information they provide and in whether or not they decrypt the data.
- Light-weight (or certificate-based) TLS Inspection: In lightweight (certificate-based) inspection mode, Zenarmor® analyzes only the first stages of a TLS session. These parts of the handshake are sent in the clear and reveal crucial information, such as the remote hostname, and from it the web category and remote application type. This mode requires no certificate administration, is fully transparent to clients, and is available for all Zenarmor subscription tiers, including the Free Edition.
- Full TLS Inspection (or TLS decrypt/reencrypt): In Full TLS Inspection, Zenarmor intercepts the TLS connection, decrypts the packet contents, performs a comprehensive packet inspection, and then re-encrypts the contents. Zenarmor's Full TLS inspection capability enhances the ability to monitor and regulate encrypted network traffic, which is a substantial security advantage: because encryption is so widespread, attackers often use encrypted channels to conceal malicious activity. When enabled, Zenarmor's Full TLS inspection feature allows strong threat identification and prevention by decrypting and examining incoming and outgoing TLS packets. This strengthens network defense with extensive monitoring, threat detection, and control over encrypted communications, and it prevents dangerous content concealed inside encrypted data flows from bypassing security measures.
Figure 1. TLS Inspection Rules in a Policy
The full TLS inspection feature is available only for SSE, SASE, and ZTNA subscriptions.
You can easily configure the policy-based TLS Inspection feature by performing the following tasks explained in this guide:
- Enable/Disable Full TLS Inspection
- Enable/Disable Full TLS Inspection for Specific Sites
- Enable/Disable Full TLS Inspection for IP Flow without DNS Data
- Selecting TLS Traffic to Inspect
To inspect TLS traffic, or to display the Zenarmor block notification page for TLS traffic, you must install the Zenarmor internal CA certificate on your client devices as a trusted certificate.
Before deploying full TLS inspection across an organization, plan the TLS inspection deployment carefully and follow established best practices.
Enable/Disable Full TLS Inspection
Zenarmor provides a policy-based Full TLS inspection feature that you can easily enable or disable depending on your requirements. To enable full TLS inspection on your network, follow these steps:
1. Select the node on which you want to enable full TLS inspection in your Zenconsole account.
2. Click Policies on the left sidebar menu.
3. Select the policy for which you want to enable TLS inspection from the policy list view.
4. Go to the TLS Controls tab.
Figure 2. Enabling Full TLS Inspection
5. Click the toggle next to the Enable Full TLS Inspection for this policy option. The full TLS inspection settings are displayed below it.
6. Synchronize the policy via the sync button in the policy list view.
Please note that it is your responsibility to determine if it is legal to inspect TLS traffic in your jurisdiction. By configuring the TLS Inspection function, you are in effect allowing the service to inspect your users' TLS traffic. While all such inspection is carried out automatically rather than by individuals, such decryption may nonetheless be in breach of privacy laws in certain countries.
By enabling this functionality, you agree that you have the legal right to decrypt this traffic in all relevant jurisdictions where applied and that you have obtained all necessary consents from your users to do so.
Since its introduction by Google in 2012, QUIC has been a secure network protocol used for data transport. It was developed to optimize Internet data transfer by reducing latency and adding functionality such as faster connection establishment, multiplexed data streams, and shorter connection setup compared with traditional TCP plus TLS. Potential benefits include faster page loads and an improved user experience.
QUIC achieves this by running over UDP instead of the TCP handshake. Because TLS inspection relies on TCP session metadata, Zenarmor recommends blocking the Google QUIC protocol. QUIC connections can be blocked through the TLS Controls of a policy: when the QUIC protocol is enabled, the policy shows a notification message and a toggle that lets you block QUIC UDP connections. When a browser or device cannot establish a QUIC connection, it falls back to TCP.
Figure 3. Blocking QUIC UDP Protocol
Should the need arise to permit QUIC UDP connections, enabling the QUIC protocol in the policy is straightforward through the App Controls tab.
Figure 4. Allowing QUIC UDP Protocol via the App Controls
Enable/Disable Full TLS Inspection for Specific Sites
Certain portions of Transport Layer Security (TLS) traffic may be subject to legal protections concerning the confidentiality and secrecy of communications, and decrypting and analyzing that traffic may be unlawful in many jurisdictions. Depending on the sector, geographical region, regulatory requirements such as the Sarbanes-Oxley Act (SOX), personally identifiable information (PII) rules, and other legal obligations, some types of data flow, such as confidential medical or financial information, should not be decrypted.
Therefore, although Zenarmor recommends inspecting as much traffic as feasible, it may be inappropriate to inspect the TLS traffic of certain websites. To protect the privacy of these connections, it is crucial to apply filters and constraints in the TLS inspection configuration.
In addition, to prevent Man-in-the-Middle (MiTM) scrutiny, certain vendors and developers use a technique called certificate pinning. Zenarmor cannot inspect SSL/TLS traffic from websites or applications that use certificate pinning. These include, but are not limited to, Adobe, Apple, Cisco WebEx, Microsoft Office 365, and the Dropbox app.
Zenconsole provides a list of websites that are automatically excluded from TLS Inspection. It also lets you designate, at a global level, websites and applications that your firewall will exempt from inspection.
You can exclude certificate-pinned and whitelisted websites from TLS inspection in a policy by following these steps:
1. Select the node on which you want to configure full TLS inspection in your Zenconsole account.
2. Click Policies on the left sidebar menu.
3. Select the policy for which you want to configure TLS inspection from the policy list view.
4. Go to the TLS Controls tab.
5. Click the Exclude whitelisted/certificate-pinned websites from inspection option.
Figure 5. Excluding whitelisted/certificate-pinned websites from inspection
6. Optionally, click the Manage button to view and manage the websites bypassed by TLS Inspection on the global TLS Inspection settings page.
7. Synchronize the policy via the sync button in the policy list view to activate the settings for the policy.
Enable/Disable Full TLS Inspection for IP Flow without DNS data
Zenconsole lets you exclude TLS flows from inspection when they carry no hostname or web category information. To enable or disable full TLS inspection for IP address-based traffic without an associated hostname, perform these steps:
1. Select the node on which you want to configure full TLS inspection in your Zenconsole account.
2. Click Policies on the left sidebar menu.
3. Select the policy for which you want to configure TLS inspection from the policy list view.
4. Go to the TLS Controls tab.
5. Click the Exclude flows without DNS enrichment data from inspection option.
Figure 6. Excluding flows without DNS enrichment data from inspection
6. Synchronize the policy via the sync button in the policy list view to activate the settings for the policy.
Selecting TLS Traffic to Inspect
Choosing which TLS traffic receives full inspection is a simple procedure on Zenconsole. Depending on your needs, you can enable full TLS inspection for all web (HTTPS) connections or only for selected web categories.
Inspecting All Web Traffic
You can enable full TLS inspection for all HTTPS traffic that matches a policy by following these steps:
1. Select the node on which you want to configure full TLS inspection in your Zenconsole account.
2. Click Policies on the left sidebar menu.
3. Select the policy for which you want to configure TLS inspection from the policy list view.
4. Go to the TLS Controls tab.
5. Ensure that full TLS Inspection is enabled.
6. Click the Inspect all web traffic toggle.
Figure 7. Inspecting All Web Traffic
7. Synchronize the policy via the sync button in the policy list view to activate the settings for the policy.
Inspecting Traffic for a Web Category
You can enable full TLS inspection for the traffic of a web category that matches a policy by following these steps:
1. Select the node on which you want to configure full TLS inspection in your Zenconsole account.
2. Click Policies on the left sidebar menu.
3. Select the policy for which you want to configure TLS inspection from the policy list view.
4. Go to the TLS Controls tab.
5. Ensure that full TLS Inspection is enabled.
6. Find the web categories that you want to inspect in the web category list at the bottom of the pane. You may also use the search bar to find a web category quickly.
Figure 8. Inspecting Web Category Traffic
7. Click the toggle in the Status column next to the web category. This changes its Status from Do not Inspect to Inspect.
8. Repeat the previous two steps for each web category whose traffic you want to inspect.
9. Synchronize the policy via the sync button in the policy list view to activate the settings for the policy.