It's not easy being a hacker… Especially with TLS 1.3

A new era has arrived for Internet security. Browsers, security tools and service providers are adapting to the new encryption standard; are you ready to follow suit?

In August of this year, the IETF (Internet Engineering Task Force) published version 1.3 of the TLS (Transport Layer Security) protocol. The new version, designed for the "modern Internet", offers significant improvements over previous versions of the protocol in security, technical features and privacy. Most importantly, PFS (perfect forward secrecy), which was optional in version 1.2, is mandatory for all sessions in TLS 1.3. PFS requires ephemeral key exchange, which generates a new encryption key for each client/server session. Because the same key is never used twice, previous and future sessions stay private: even if a hacker manages to compromise one session, that does not let him decipher the rest of the sensitive traffic on the network. PFS can be deployed as long as the network supports the ephemeral cipher suites of TLS 1.2 and 1.3.

Here are 6 tips for monitoring and processing encrypted data on the network when PFS becomes the norm.

1. Remove bad traffic before decryption

An intelligent threat detection gateway is a device that can detect and block malicious traffic before it is decrypted.
By cross-referencing a database of known malware, the gateway can recognize dangerous IP addresses in a packet header and block the transmission of that packet's data. Since the packet header is in plain text, it does not need to be decrypted. An intelligent threat detection solution reduces false positives, has a significantly higher blocking capacity than other security tools, and does not require manual rule creation when conditions change. By blocking malware before decryption, the remaining tools work more efficiently while protection increases.

2. Use active SSL decryption

Encrypted traffic is growing, and so is encrypted malware. At a minimum, a security deployment should include passive SSL decryption, but the recommendation is to move to active SSL decryption. Passive decryption depends on a copy of the server's long-term private key to recover session keys, and ephemeral key exchange removes exactly that possibility, which is why PFS pushes deployments toward active (inline) decryption. By actively decrypting data on the network, the security system can detect malicious activity in real time and reduce security risks to the business.
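As an added example (not code from the article), the header-only check that tip 1 describes: the gateway reads the source and destination addresses from the plaintext IPv4 header and compares them with a blocklist, never touching the encrypted payload. The blocklist, the packets and the build_packet helper are constructed for this example.

```python
import ipaddress
import struct

# Constructed blocklist standing in for the gateway's threat-intelligence feed.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]


def parse_ipv4_header(packet):
    """Return (src, dst) from the 20-byte IPv4 header; the payload is never read."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)


def verdict(packet):
    """'block' if either endpoint falls inside a blocklisted network, else 'pass'."""
    src, dst = parse_ipv4_header(packet)
    if any(src in net or dst in net for net in BLOCKLIST):
        return "block"
    return "pass"


def build_packet(src, dst, payload):
    """Constructed helper: minimal IPv4 header (TCP, no options, zero checksum) + payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


# Constructed packets; the payload stands in for TLS ciphertext the gateway cannot read.
BAD = build_packet("10.0.0.5", "198.51.100.23", b"<opaque tls record>")
GOOD = build_packet("10.0.0.5", "192.0.2.10", b"<opaque tls record>")
```

The verdict is reached from the 20 header bytes alone, so the check works identically on TLS 1.2 and TLS 1.3 traffic.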
3. Have an independent, dedicated device

Introducing active SSL decryption into a security deployment may require a major redesign of the network infrastructure. Some current monitoring devices, such as next-generation firewalls, may support active SSL decryption, but at a cost to network performance: enabling active SSL on security tools can reduce overall throughput, increase latency and congestion, and require additional processing power. In addition, firewalls, IPS solutions and other security devices may not be able to decrypt the traffic at all. A dedicated active SSL solution that decrypts and re-encrypts traffic for all tools improves efficiency throughout the process and eases the burden on the security tools.

4. Protect data in plain text

Once the data is decrypted, the plaintext is sent to out-of-band monitoring and analysis tools.
This poses a new risk, as plaintext data could be intercepted in transit or accessed through the receiving tool. A device with data masking capabilities offers additional protection for sensitive information such as passwords, credit card numbers, social security numbers, email addresses and health data. Intelligent data masking systems scan data packets for patterns defined by privacy regulations and mask all but the last few characters of a matching string.

5. Validate device capabilities

To verify that security devices work as expected, validation tests must be performed on the network. A test solution that can deliver encrypted malware and other attacks will help expose weaknesses in the security deployment. It also lets you evaluate candidate solutions, refine configurations and measure the performance of existing tools.
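An added example, not code from the article, of the masking described in tip 4: it scans decrypted data for the kinds of strings the article lists (card numbers, social security numbers, email addresses) and stars out all but the last few characters. The patterns, the Luhn filter on card candidates and the choice to keep an email's domain are this example's own assumptions.

```python
import re

# Patterns for the strings the article lists as sensitive (constructed for this example).
PATTERNS = {
    "card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),  # 13-16 digits, optional separators
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def mask_value(value, keep=4):
    """Star out all but the last `keep` characters, leaving separators in place."""
    out = []
    for ch in reversed(value):
        if ch in "-. ":
            out.append(ch)
        elif keep > 0:
            out.append(ch)          # the last few characters stay visible
            keep -= 1
        else:
            out.append("*")
    return "".join(reversed(out))

def mask_sensitive(text):
    """Mask every match in `text`; return the masked text and per-type counts."""
    counts = {name: 0 for name in PATTERNS}
    def replace(name, match):
        value = match.group()
        if name == "card" and not luhn_ok(re.sub(r"\D", "", value)):
            return value            # e.g. an order number: leave it visible
        counts[name] += 1
        if name == "email":         # assumption: only the local part is sensitive
            local, _, domain = value.partition("@")
            return mask_value(local, keep=2) + "@" + domain
        return mask_value(value)
    for name, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, n=name: replace(n, m), text)
    return text, counts

# Constructed sample of decrypted application data on its way to an analysis tool.
SAMPLE = "user=alice@example.com ssn=123-45-6789 card=4111-1111-1111-1111 order=1234567812345678"
```

The per-type counts let the masking stage report what it redacted without ever logging the values themselves.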
6. Outsource the project

Given the shortage of IT and security professionals, outsourcing the logistics planning and infrastructure restructuring may be the most cost-effective way to implement TLS 1.3. Besides upgrading the web server software, devices that do not support the new standard may need to be replaced and traffic re-routed. Having a trusted third-party company develop the plans, select new providers, optimize configurations and manage the changes significantly reduces implementation time and the risks of a network transition.

Before you know it, most of your network traffic will be encrypted. With the new standard requiring PFS, your security deployment needs to be TLS 1.3 compliant as well as able to decrypt, process and protect data quickly and efficiently. If you want to build a strong security architecture for your business and implement TLS 1.3, keep these tips in mind so that hackers don't get a chance to break into your network.