HTTPS Inspection

  HTTPS Inspection is the process of examining network traffic that takes place over SSL or TLS. This allows your intrusion prevention/detection devices to examine that encrypted traffic for malware and intrusion attempts.

    HTTPS Inspection is the modern approach to detecting malware and intrusions on your network, because of the widespread adoption of SSL/TLS over the years.

    The adoption of SSL/TLS is largely due to Google’s SEO algorithm ranking sites higher when they use SSL/TLS to secure traffic to the site. The shift to SSL/TLS left a lot of organizations behind the curve in their network security posture.

    Deploying HTTPS Inspection

    HTTPS Inspection can be deployed for inbound and outbound traffic. For the purpose of this blog I’m going to focus on outbound traffic.

    A typical scenario for deployment is having a next generation firewall capable of inspecting network traffic and utilizing HTTPS Inspection. There are other devices that can do this, but this is the popular approach.

    The workflow for deployment looks like this:

    • Enable HTTPS Inspection on the firewall
    • Configure the firewall to use the resulting certificate
    • For outbound inspection you need to generate a new certificate for the firewall
    • Configure your HTTPS Inspection rules
    • Enable the firewall policy

    Once the firewall is configured you need to export the certificate from the firewall and then deploy it to your endpoints that access the Internet. Without this step users will get warnings about untrusted certificates.

    At this step you should not yet have any devices in your new rule set for inspection. If you enable this for everyone at once the result will be many broken web sites and increased support tickets due to inspection-related issues. There is still a lot of work that needs to be done for this deployment.

    Inspection Optimization

    HTTPS Inspection requires tweaking and optimization. If you encounter a web site where the certificate uses a different domain name than the site being visited, that will require an exception to be enabled for that site.

    Most firewall vendors include a default exception list that covers the most popular organizations that have this issue; for example, a lot of software update services, remote meeting services, and content delivery services require these exceptions.

    You also need to be aware of devices on your network into which you cannot import the inspection certificate. These are usually IoT devices and other embedded devices. Devices such as these will also require an exception.
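    The two checks described above (is a site actually being re-signed by the firewall, and does its certificate name a different domain than the one visited) can be scripted from a client behind the firewall. The following is an added example and not code from the original post; it assumes a hypothetical inspection CA named Corp-FW-Inspection-CA and uses constructed sample observations rather than live data.

```python
"""Classify the certificates an endpoint sees during an HTTPS Inspection rollout."""
import socket
import ssl


def _name_matches(hostname, san_names):
    """True if hostname is covered by a DNS SAN; a wildcard covers exactly one label."""
    host = hostname.lower()
    for name in san_names:
        name = name.lower()
        if name.startswith("*."):
            # *.example.org matches a.example.org but not a.b.example.org
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def classify(hostname, issuer_cn, san_names, inspection_ca_cn):
    """Return 'inspected', 'bypassed', or 'needs-exception' for one observation."""
    if not _name_matches(hostname, san_names):
        return "needs-exception"  # certificate names another domain: inspection breaks it
    if issuer_cn == inspection_ca_cn:
        return "inspected"        # firewall re-signed the certificate with its own CA
    return "bypassed"             # original server certificate seen: an exception applies


def probe(hostname, inspection_ca_pem, port=443, timeout=5):
    """Fetch the certificate this client actually sees and return (issuer CN, DNS SANs).
    Trusting the inspection CA lets chain validation succeed on inspected connections;
    hostname checking is disabled so mismatched sites are observed instead of rejected."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=inspection_ca_pem)
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return issuer.get("commonName", ""), sans


# Constructed sample observations (hostname, issuer CN, DNS SANs), not live data.
SAMPLE = [
    ("www.example.com", "Corp-FW-Inspection-CA", ["www.example.com", "example.com"]),
    ("updates.vendor.example", "Vendor Root CA", ["updates.vendor.example"]),
    ("cdn.example.net", "Corp-FW-Inspection-CA", ["*.edgecache.example"]),
    ("a.b.example.org", "Corp-FW-Inspection-CA", ["*.example.org"]),
]


def audit(observations, inspection_ca_cn="Corp-FW-Inspection-CA"):
    """Map each hostname to its classification, e.g. to build the exception list."""
    return {h: classify(h, i, s, inspection_ca_cn) for h, i, s in observations}
```

    Replace SAMPLE with the output of probe() for the sites your pilot group actually visits; anything reported as needs-exception is a candidate for the firewall's exception list.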

    Inspection Privacy Issues

    You also need to be aware of privacy issues related to HTTPS Inspection, especially if you are utilizing DLP (Data Loss Prevention) simultaneously.

    Data Loss Prevention combined with HTTPS Inspection can produce alerts that contain the actual credit card numbers when PCI data exfiltration is detected. In this scenario you should consider adding exceptions for popular sites such as:

    • Bill pay sites
    • Online Shopping
    • Takeout and food ordering sites
    • Banking Sites

    In closing, the best approach to a deployment with a large number of endpoints is to create deployment groups. By utilizing deployment or pilot groups you can resolve a lot of the issues before the larger organization encounters them.

    Using this approach, we have had successful deployments with endpoints ranging from 650 to 5,000 across multiple sites and locations with organizations utilizing our guidance as a virtual CISO.