What is TLS Inspection

Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), is the protocol that encrypts and authenticates most network traffic. It is the difference between HTTP and HTTPS web browsing and protects sensitive information in transit, such as login credentials or payment card data.

However, the same encryption hides malicious content from network security tools. TLS inspection decrypts SSL/TLS-protected web traffic at a gateway so that it can be scanned for malware, data exfiltration, and other threats, and then re-encrypts it toward its destination.


The Need for TLS Inspection

In recent years, the proportion of Internet traffic using encrypted HTTPS has grown dramatically, providing significant privacy and security benefits. However, one of the swiftest-growing types of encrypted traffic is malicious traffic, which uses SSL/TLS to hide from network security tools.

TLS inspection is needed to identify malware command and control (C2) traffic, attempted data exfiltration, and other malicious traffic that would otherwise cross the network as opaque ciphertext. By decrypting traffic at the gateway, network security solutions regain the visibility required to identify and block these threats at the network level.

How Does TLS Inspection Work?

SSL/TLS encrypts traffic end to end, so a device that merely sits on the network path cannot read it. To enable TLS inspection, an organization deploys a gateway or web proxy that holds its own private certificate authority (CA). Every company-owned device is configured to trust that CA certificate, which allows the gateway to issue certificates those devices will accept for any website on the Internet. (A wildcard certificate would not do: it covers a single domain such as *.example.com, whereas the gateway must be able to present a valid certificate for any hostname a user requests.)

When a user browses to a website, the gateway receives the request and mints, on the fly, a certificate for the requested hostname signed by its inspection CA. It uses that certificate to complete one TLS connection with the client, and opens a second TLS connection of its own to the real website, validating the website's certificate against public roots just as a browser would. Data therefore flows encrypted from the client to the gateway, is decrypted and inspected there, and is re-encrypted onto the second connection to its destination; the same happens in reverse for the response.


Because it holds the plaintext between the two connections, the gateway can read the content of the web traffic and identify malicious content that a passive network sensor, seeing only the encrypted SSL/TLS connection, could not.

Benefits of TLS Inspection

TLS inspection provides a few benefits for an organization, including:

  • Enhanced Security: TLS inspection enables an organization to identify malicious content in encrypted network traffic. By blocking malware communications or attempted exploitation of vulnerable software, it enhances the company’s overall security posture.
  • Policy Enforcement: SSL/TLS encryption can conceal violations of corporate security policies, such as browsing unapproved websites, because URL paths and page content travel inside the encrypted channel. TLS inspection enables an organization to perform full URL filtering and enforce its security policies.
  • Regulatory Compliance: Data privacy laws mandate that companies protect and control access to sensitive information. TLS inspection allows organizations to identify and block attempted theft of sensitive customer or company data.

Performance Impact of TLS Inspection

TLS inspection has its benefits, but it also affects network performance. It adds steps that the gateway must perform on every inspected connection before forwarding data toward its destination.

With TLS inspection, the gateway terminates the client's TLS session, performs a second handshake with the destination server, decrypts the traffic, inspects it for threats, and re-encrypts it before sending it on its way. The two handshakes add asymmetric key-exchange and signature operations per connection, and the bulk decryption and re-encryption add per-byte work; together they consume CPU and introduce latency, especially when performed at line speed on high-bandwidth network connections.

Best Practices for Configuring TLS Inspection

Some best practices for configuring TLS inspection include the following:

  • Inbound vs. Outbound Inspection: Inbound traffic (Internet clients reaching company-hosted servers) and outbound traffic (company users reaching the Internet) carry different risks and rely on different certificates: inbound inspection uses the organization's own server certificates and private keys installed on the gateway, while outbound inspection relies on the inspection CA described above. Companies can configure one or both based on a device's role in the organization and the threats it is meant to manage.
  • Respect Privacy Concerns: Under regulations and industry standards such as PCI DSS, HIPAA, and GDPR, an organization may have no need or right to inspect certain types of data (PII, PHI, payment card data, etc.). TLS inspection should be configured to skip traffic to categories such as financial institutions and healthcare providers.
  • Bypass List: Some destinations are trusted by the organization, and traffic to them does not require inspection. Others, such as applications that use certificate pinning or client certificates (mutual TLS), break when a gateway substitutes its own certificate and must be bypassed to keep working. Excluding these destinations avoids latency and breakage, but every bypassed destination is a blind spot, so the list should be built from specific hostnames or categories rather than broad wildcards and reviewed regularly.
  • Proxy Certificate: Distributing the gateway's inspection CA certificate to company-owned devices (through MDM, group policy, or a similar mechanism) makes the certificates the gateway mints trusted, so users see no in-browser warnings. Beyond the better user experience, this is a security control in itself: users who are trained to click through certificate warnings will also click through the warnings a real attacker causes. The CA's private key must be protected accordingly, since anyone who holds it can impersonate any website to every managed device.
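To make the mechanism behind the "How Does TLS Inspection Work?" section and the proxy-certificate practice above concrete, here is an added example in Go, using only the standard library. It is not Check Point's code and does not come from the original page. It builds an inspection CA, mints a per-host certificate the way a gateway would on receiving a client's SNI, and then reproduces the trust decision that three kinds of client make: a managed endpoint with the CA installed, an unmanaged endpoint without it, and an application that pins the real origin's public key. The CA name and the hostnames are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newInspectionCA creates the private CA the inspecting gateway signs with. Its
// certificate (never its key) is pushed to every managed endpoint's trust store.
func newInspectionCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp TLS Inspection CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// mintLeaf is the per-connection step: the gateway takes the hostname the client
// asked for (from SNI) and issues a short-lived certificate for exactly that name.
func mintLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // modern clients match SANs, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return leaf, key, err
}

// clientAccepts reproduces a TLS client's trust decision: does the presented
// certificate chain to one of this client's roots and name the requested host?
func clientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// spkiPin is what a pinning client hard-codes: SHA-256 of the DER SubjectPublicKeyInfo.
func spkiPin(spkiDER []byte) [32]byte { return sha256.Sum256(spkiDER) }

// pinnedAppAccepts models an app that pins the real origin's key. A minted
// certificate carries the gateway's key, so the pin never matches: fail closed.
func pinnedAppAccepts(leaf *x509.Certificate, pin [32]byte) bool {
	return spkiPin(leaf.RawSubjectPublicKeyInfo) == pin
}

func main() {
	ca, caKey, err := newInspectionCA()
	if err != nil {
		panic(err)
	}
	leaf, _, err := mintLeaf(ca, caKey, "www.example.com") // constructed: the site the user browsed to
	if err != nil {
		panic(err)
	}
	managed := x509.NewCertPool() // company-owned device with the inspection CA installed
	managed.AddCert(ca)
	fmt.Println("managed endpoint accepts minted cert:  ", clientAccepts(leaf, managed, "www.example.com"))
	fmt.Println("unmanaged endpoint accepts minted cert:", clientAccepts(leaf, x509.NewCertPool(), "www.example.com"))
	originKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the real site's key
	originSPKI, _ := x509.MarshalPKIXPublicKey(&originKey.PublicKey)
	fmt.Println("pinned app accepts minted cert:        ", pinnedAppAccepts(leaf, spkiPin(originSPKI)))
}
```

In a real gateway, mintLeaf (fronted by a cache keyed on hostname, since minting a key and certificate per connection is expensive) sits behind the server-side TLS configuration's per-connection certificate callback, Go's tls.Config.GetCertificate for instance, while the gateway opens its own TLS client connection to the origin and validates the origin's certificate against public roots. The last two checks are why the bypass list matters: a device without the CA installed, or an app that pins the origin's key, fails closed rather than silently tolerating the substituted certificate.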

TLS Inspection with Quantum

TLS inspection is a core capability of a next-generation firewall (NGFW). Without this functionality, an NGFW lacks the visibility necessary to apply its other built-in security functions, such as URL filtering, intrusion prevention systems (IPS), access control, and more. Learn more about what to look for in an NGFW in this NGFW buyer’s guide.

Check Point Quantum offers TLS inspection while minimizing network latency and performance impact. Find out more about its capabilities in Miercom's 2024 NGFW Security Benchmark. Then, see for yourself what it can do by signing up for a free demo.
