
Overview of SSL-Encrypted Traffic Detection

This section describes the background and basic concepts of SSL-encrypted traffic detection.

Security and privacy concerns drive more and more networks to transmit traffic over SSL. Because early security devices could not perform content checks (antivirus, IPS, URL filtering, content filtering, file filtering, and mail filtering) or auditing on SSL-encrypted traffic, SSL-encrypted traffic became a blind spot in security defense that malicious users exploited to attack the network.

SSL-encrypted traffic detection improves threat defense for SSL-encrypted traffic. The Huawei FW provides SSL-encrypted traffic detection to decrypt SSL-encrypted traffic and perform in-depth detection on the decrypted packets, preventing malicious attacks from entering the enterprise network and preventing enterprise confidential information from being disclosed.

As shown in Figure 1, the FW decrypts SSL-encrypted traffic using the SSL-encrypted traffic detection function and then performs content checks and auditing on the decrypted traffic. The FW re-encrypts traffic that passes the content security check and sends it to the server, so traffic decrypted by the FW is still protected when it leaves the FW. The FW blocks traffic that fails the content security check, thereby intercepting attacks carried in SSL-encrypted traffic.

Figure 1 Diagram of SSL-encrypted traffic detection

The FW supports server protection through SSL-encrypted traffic detection, client protection through SSL-encrypted traffic detection, SSL decryption exemption, and mirroring of SSL-decrypted packets. You can configure detection policies and detection profiles based on the actual network traffic to determine which traffic needs to be decrypted and which does not.

You can determine the scenario based on the following conditions.

Scenario: Client Protection Through SSL-Encrypted Traffic Detection

Description: The FW is deployed on the network where the SSL client is located. When a request from the SSL client to the server passes through the FW, the FW serves as a proxy to decrypt the traffic and performs the security check to ensure that the target is secure, protecting the client.

When the FW establishes an SSL connection with the server, it cannot obtain the server certificate. Instead, the FW uses the SSL decryption certificate to issue a server certificate to the client for verification, after which the traffic sent by the client can be decrypted. Therefore, you need to install the SSL decryption certificate on the client as a trusted CA certificate, so that the client trusts the certificates the FW issues.

Scenario: Server Protection Through SSL-Encrypted Traffic Detection

Description: The FW is deployed on the network where the SSL server is located. When a request from the SSL client to the server passes through the FW, the FW serves as a proxy to decrypt the traffic and performs the security check to ensure that the traffic is secure, protecting the server.

When the FW establishes an SSL connection with the server, it needs to obtain the server certificate and send it to the client for verification; the traffic sent by the client can then be decrypted. Therefore, you need to obtain the server certificate and its private key and import them to the FW.

Scenario: SSL Decryption Exemption

Description: This scenario applies to traffic that must remain SSL-encrypted because it carries sensitive or private data (such as financial data), and to encrypted packets that are not decrypted for performance reasons.

Scenario: Mirroring of SSL-Decrypted Packets

Description: To send decrypted packets to a third-party device for detection through a mirroring interface, configure mirroring of SSL-decrypted packets.

Copyright © Huawei Technologies Co., Ltd.