SSL Decryption with NNM
SSL Overview
If an attacker is able to intercept all data sent between a browser and a web server, they can read and use that information. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), provide privacy and data integrity, allowing secure transmission of sensitive information such as credit card numbers, social security numbers, and login credentials. SSL decryption uses keys to decode the traffic between the client and server, so you can only decrypt traffic for which you have access to the private key used to encrypt it.
NNM and SSL Encrypted Traffic
As websites and services increasingly default to encrypted connections, you can use a decryption appliance with NNM to improve visibility into your network infrastructure by decrypting that traffic and eliminating blind spots.
For NNM to detect threats and vulnerabilities within encrypted traffic, a decryption appliance must be deployed to decrypt the SSL traffic so that NNM can process the resulting packets.
Decryption Limitations
A decryption appliance gives NNM the ability to process encrypted traffic; however, other technologies exist that can still prevent NNM from processing packets from some sessions. The following are two of the most common ways that sessions are further secured so that NNM cannot process their traffic.
HTTP Strict Transport Security (HSTS)
HSTS is a web security policy mechanism that allows web servers to require clients to communicate only over encrypted channels. HSTS is used to prevent SSL stripping attacks, which downgrade a secure HTTPS connection to a plain HTTP connection.
HSTS Preloading and Public Key Pinning
When connecting to an HSTS host for the first time, the browser does not yet know whether it must use a secure connection. Consequently, an attacker could prevent the browser from ever connecting securely. To mitigate this attack, browsers include a preloaded list of websites that want HSTS enforced by default, such as Google, Dropbox, and Facebook, which can prevent detection by NNM. Browsers also include a variation of certificate pinning built on the HSTS mechanism: a preloaded set of public key hashes in the HSTS configuration limits the valid certificates to only those that contain the specified public key.
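The following is an added example, not code from the NNM documentation or from Tenable, that makes the two HSTS behaviours above concrete: it parses a Strict-Transport-Security header according to the RFC 6797 directive grammar (it goes slightly beyond the text by handling quoted values, duplicate directives and max-age=0 removal), checks a policy against the preload-list submission requirements published at hstspreload.org (max-age of at least one year, includeSubDomains and preload), and models a browser's HSTS store to show why a first visit to a non-preloaded host is not upgraded while a preloaded host is. All host names and headers are constructed sample values; the HstsStore class is a simplified model, not a real browser implementation.

```python
"""Added example (not part of the NNM documentation): RFC 6797 HSTS header
parsing, hstspreload.org eligibility check, and a toy model of a browser's
HSTS host store.  Host names and headers are constructed sample values."""

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Return the policy a browser would record, or None if the header is invalid.

    RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, max-age is mandatory, values may be quoted, unknown
    directives are ignored, and a directive that appears twice invalidates
    the whole header.
    """
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None  # duplicate directive: header is invalid
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


# Submission requirements published at hstspreload.org
PRELOAD_MIN_MAX_AGE = 31536000  # one year, in seconds


def preload_eligible(policy: HstsPolicy) -> bool:
    """True if the policy meets the preload-list submission requirements."""
    return (policy.max_age >= PRELOAD_MIN_MAX_AGE
            and policy.include_subdomains
            and policy.preload)


class HstsStore:
    """Simplified model of a browser's HSTS host store (constructed, not a real browser)."""

    def __init__(self, preload_list: Dict[str, bool]):
        # preload_list maps host -> includeSubDomains; shipped with the browser,
        # so these hosts are upgraded even on the very first connection.
        self.known = {host: HstsPolicy(PRELOAD_MIN_MAX_AGE, subs, True)
                      for host, subs in preload_list.items()}

    def record(self, host: str, header: str) -> None:
        """Apply a Strict-Transport-Security header received over HTTPS from host."""
        policy = parse_hsts(header)
        if policy is None:
            return  # invalid header: store is unchanged
        if policy.max_age == 0:
            self.known.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.known[host] = policy

    def must_upgrade(self, host: str) -> bool:
        """True if an http:// request to host would be rewritten to https://."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.known.get(candidate)
            if policy is None:
                continue
            # exact match always applies; a superdomain match only with includeSubDomains
            if i == 0 or policy.include_subdomains:
                return True
        return False


if __name__ == "__main__":
    store = HstsStore({"preloaded.example": True})  # constructed preload entry
    print(store.must_upgrade("www.preloaded.example"))  # preloaded: upgraded on first visit
    print(store.must_upgrade("firstvisit.example"))     # unknown host: plain HTTP on first visit
    store.record("firstvisit.example", "max-age=3600")
    print(store.must_upgrade("firstvisit.example"))     # now known: upgraded
```

The first-visit gap in must_upgrade is exactly the window the text describes, and the preload list is what closes it; from a monitoring standpoint, any host whose policy passes preload_eligible is a candidate for inclusion in that list and should be expected to appear only as encrypted sessions.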