It ain't easy being a hacker…Especially with TLS 1.3

A new era of internet security is upon us. As browsers, security tools, and service providers move to support the new encryption standard, are you prepared to follow suit? In August of this year, the Internet Engineering Task Force (IETF) released the Transport Layer Security (TLS) Protocol Version 1.3. The new version, designed for the "modern internet," offers major improvements from previous encryption protocols in the areas of security, performance, and privacy. Most notably, the previous optional use of perfect forward secrecy (PFS) in 1.2 is now a requirement for all sessions in TLS 1.3.

PFS requires the use of ephemeral key cryptography, which generates a new encryption key for each client/server interaction. Previous and future sessions maintain secrecy, because the same key is never used twice. This means that even if a hacker manages to compromise one session, it will be difficult for him/her to decrypt all of the sensitive traffic on your network. That is, if your network can support TLS 1.2 and 1.3 ephemeral ciphers. Below are 6 tips for monitoring and processing encrypted data on your network as PFS becomes the norm.

1. Remove bad traffic before decryption. A threat intelligence gateway is a device that can detect and block known malicious traffic before it is decrypted. By cross-referencing a database of known malware, the gateway device can recognize dangerous IP addresses in a packet’s header and block the transmission of that packet’s data. Because a packet’s header is plain text, no decryption is necessary. A threat intelligence solution reduces false positives in threat detection, has significantly more blocking capacity than your other security tools, and does not require any manual rule creation as conditions change. Blocking malware prior to decryption enables your tools to work more efficiently with added protection.
2. Use Active SSL decryption. Encrypted traffic is growing and so is encrypted malware. At a minimum, your security deployment should include passive SSL decryption. However, transitioning to active SSL decryption is recommended. Actively decrypting data on your network allows your security system to detect malicious activity in real time and reduces security risks to your business.
3. Have a standalone, dedicated device. Introducing active SSL to your security deployment may require significant rearchitecting of your network infrastructure. Some existing monitoring devices, such as next generation firewalls, can support active SSL decryption, but can negatively affect network performance. Enabling active SSL on your security tools may reduce overall performance, increase latency, increase congestion, and require added processing capacity. Furthermore, your firewalls, IPS solutions, or other security devices may not be able to decrypt traffic at all. Having a dedicated active SSL solution available to decrypt/encrypt traffic for all your tools will improve efficiency during processing and alleviate the burden on your security tools.
4. Protect your plain text data. Once data is decrypted, the plain text is sent to out-of-band monitoring and analysis tools. This poses a new risk as sensitive plain text data could be intercepted in transmission or accessed through the receiving tool. Having a device with data masking capabilities can provide additional security for sensitive information such as passwords, credit card numbers, social security numbers, email addresses, and healthcare data. Intelligent data masking systems can scan data packets for patterns consistent with privacy regulations and block all but the last several characters in a string.
5. Validate your devices’ abilities. To verify that your security devices are performing as expected, you should carry out validation testing on your network. A test solution that can generate encrypted malware and other IT attacks will help expose any weaknesses in the deployment of your security system. Furthermore, you can evaluate prospective solutions, refine configurations, and measure the performance of your existing tools.
6. Outsource the project. With IT and security professionals in short supply, outsourcing the logistical planning and restructuring of your infrastructure may be the most cost-effective way to implement TLS 1.3. In addition to updating web server software, devices that do not support the new standard may need to be replaced and traffic rerouted. Allowing a trusted third party to develop plans, select new vendors, optimize configurations, and administer changes significantly reduces implementation time and risks associated with network changeover.

Before you know it, most of the traffic on your network will be encrypted. With the new standard requiring perfect forward secrecy, your security deployment must support TLS 1.3 as well as decrypt, process, and protect your data quickly and efficiently. If you want to build a robust security architecture for your business and implement TLS 1.3, follow these suggestions so that hackers don’t stand a chance against your network.

Sarah Gross is a Product Marketing Engineer for network visibility and security products at Keysight Technologies. She aims to create helpful and current technical resources to connect IT professionals and engineers to visibility and monitoring solutions.