Using Decryption to Block Threats in Encrypted Traffic
With most web traffic encrypted, cyber threats can easily hide within SSL/TLS connections. Decryption is a crucial security measure that allows firewalls to inspect encrypted traffic, preventing malware introduction and sensitive data exfiltration.
Why Decrypt Network Traffic?
Palo Alto Networks firewalls can decrypt SSHv2 and SSL/TLS traffic to enhance security. By implementing decryption policy rules, organizations can prevent malicious encrypted content from entering their network while stopping sensitive data from leaving undetected.
Firewall Decryption Types
- SSL Forward Proxy – Controls outbound SSL traffic.
- SSL Inbound Inspection – Manages inbound SSL traffic.
- SSH Proxy – Inspects tunneled SSH traffic.
Certificate Management and Trust
Decryption requires certificate management through Public Key Infrastructure (PKI). Trusted Root CAs certify intermediate CAs and devices, ensuring secure authentication.
Configuring SSL Decryption
Certificate Revocation Checking
To ensure secure SSL decryption, administrators must configure certificate revocation checking:
- Go to Device > Setup > Session > Certificate Revocation Checking.
- Enable revocation checking to prevent the use of expired or untrusted certificates.
SSL Forward Proxy Review
SSL Forward Proxy allows firewalls to decrypt and inspect traffic between clients and web servers.
- The firewall acts as a trusted intermediary, establishing two SSL tunnels.
- It uses Forward Trust and Forward Untrust Certificates: after validating the web server's certificate, the firewall signs the certificate it presents to the client with the Forward Trust CA if validation succeeded, or with the Forward Untrust CA if it did not, so the client can tell the two cases apart.
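As an added illustration (not PAN-OS code or material from the original page), this Python model ties the revocation-checking order to the Forward Trust/Forward Untrust choice and to the decryption profile's block checks; the class names, fields and the single-level trust store are assumptions.

```python
"""Toy model of a decryption policy rule plus its decryption profile for one
outbound TLS session. Assumed names and fields, not PAN-OS internals."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW = utc(2025, 1, 1)                    # constructed "current time"
TRUSTED_ROOTS = {"Example Root CA"}      # constructed trust store

@dataclass
class ServerCert:
    subject: str
    issuer: str
    not_after: datetime
    ocsp_status: Optional[str] = None    # "good", "revoked", or None if OCSP unreachable
    crl_status: Optional[str] = None     # "good", "revoked", or None if no CRL available

@dataclass
class DecryptionProfile:                 # the "block session if ..." checkboxes
    block_expired: bool = True
    block_untrusted: bool = True
    block_revoked: bool = True
    block_unknown_revocation: bool = False

def revocation_status(cert):
    """OCSP is consulted first; CRL is only a fallback when OCSP gives no answer."""
    if cert.ocsp_status is not None:
        return cert.ocsp_status
    return cert.crl_status if cert.crl_status is not None else "unknown"

def evaluate(cert, profile, action="decrypt", now=NOW):
    """Return (verdict, signing_ca): verdict is 'block', 'decrypt' or 'pass';
    signing_ca is the CA that signs the certificate presented to the client."""
    rev = revocation_status(cert)
    problems = {name for name, bad in (("expired", cert.not_after < now),
                                       ("untrusted", cert.issuer not in TRUSTED_ROOTS),
                                       ("revoked", rev == "revoked")) if bad}
    blocks = {"expired": profile.block_expired, "untrusted": profile.block_untrusted,
              "revoked": profile.block_revoked}
    # Profile checks run regardless of the rule action, so they block even on no-decrypt.
    if any(blocks[p] for p in problems) or (rev == "unknown" and profile.block_unknown_revocation):
        return "block", None
    if action != "decrypt":
        return "pass", None              # forwarded still encrypted, nothing re-signed
    # Clean chain -> Forward Trust CA (clients trust it); any defect -> Forward Untrust CA
    return "decrypt", "Forward Untrust CA" if problems else "Forward Trust CA"
```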
Configuring SSL Forward Proxy
Administrators can configure SSL Forward Proxy with the following steps:
- Go to Device > Certificate Management > Certificates to configure trust certificates.
- Renew an SSL Forward Untrust Certificate if necessary.
- Define decryption policies under Policies > Decryption to enforce SSL inspection.
SSL Inbound Inspection Review
SSL Inbound Inspection ensures secure communication by verifying server certificates.
- Deploy the server certificate and private key into the firewall.
- Configure an SSL Inbound Inspection policy under Policies > Decryption.
- Create corresponding security policy rules to allow encrypted traffic.
SSH Decryption
SSH tunnels are commonly used to bypass security policies. Firewalls decrypt, inspect, and re-encrypt SSHv2 connections.
- Separate SSH sessions are created between the client, firewall, and server.
- Define SSH traffic rules under Policies > Security to regulate access.
Decryption Exclusions and Troubleshooting
Not all traffic should be decrypted due to privacy concerns and legal restrictions.
- Configure exclusions under Device > Certificate Management > SSL Decryption Exclusion.
- Use Monitor > Logs > Decryption to troubleshoot SSL session terminations.
Network Packet Broker
With PAN-OS 10.1, the Network Packet Broker feature replaces the Decryption Broker, offering enhanced traffic management.
Hardware Security Modules (HSMs)
An HSM is a physical device that generates, stores, and manages digital keys. It provides logical and physical
Need expert guidance on decryption and cybersecurity? Explore our comprehensive Q&A section for answers to all your networking queries!
1. Which two types of activities does SSL/TLS decryption by the firewall help to block? (Choose two.)
a. malware introduction
b. denial-of-service attacks
c. sensitive data exfiltration
d. protocol-based attacks
2. True or false? If OCSP and CRL are configured on a firewall, CRL is consulted first.
a. true
b. false
3. Which type of firewall decryption requires the administrator to import a server certificate and a private key into the firewall?
a. SSH decryption
b. SSH tunnel decryption
c. SSL Forward Proxy decryption
d. SSL Inbound Inspection decryption
4. True or false? The SSL forward untrust certificate should not be trusted by the client but should still be a CA certificate.
a. true
b. false
1. Which feature can be configured to block sessions that the firewall cannot decrypt?
a. Decryption profile in security policy NO
b. Decryption profile in security profile <--NO
c. Decryption profile in decryption policy
d. Decryption profile in PBF
2. What is default setting for "Action" in a decryption policy rule?
a. Any NO
b. None
c. Decrypt <--NO
d. No-decrypt
3. Which type of Next Generation Firewall decryption inspects SSL traffic between an internal host and an external web server?
a. SSL Forward Proxy
b. SSH
c. SSL Inbound Inspection <--NO
d. SSL Outbound Inspection NO
4. When SSL encrypted traffic first arrives at the Next Generation Firewall, which technology initially identifies the application as web-browsing?
a. Encryption-ID
b. Content-ID
c. App-ID
d. User-ID
5. Which type of Next Generation Firewall decryption inspects SSL traffic coming from external users to internal servers?
a. SSL Forward Proxy
b. SSL Inbound Inspection
c. SSL Outbound Inspection
d. SSH
6. True. In the Next Generation Firewall, even if the Decryption policy rule action is "no-decrypt," the Decryption Profile attached to the rule can still be configured to block sessions with expired or untrusted certificates.
7. Which two types of activities does SSL/TLS decryption on the firewall help to block?
a. denial-of-service attacks NO
b. malware introduction YES
c. protocol-based attacks
d. sensitive data exfiltration <--
8. False. If OCSP and CRL are configured on a firewall, CRL is consulted first.
9. Which type of firewall decryption requires the administrator to import a server certificate and a private key into the firewall?
a. SSL Inbound Inspection Decryption
b. SSH Decryption
c. SSH Tunnel Decryption
d. SSL Forward Proxy Decryption
10. True The SSL forward untrusted certificate should not be trusted by the client but should still be a CA certificate.
11. True The firewall still can check for expired or untrusted certificates even if the SSL traffic is not being decrypted.