The Issue – Monitoring Encrypted Traffic
Many businesses utilize an intranet to enhance their security posture. By creating an enclave, you reduce the attack surface available to an adversary. An added benefit of creating your own intranet is easier security monitoring: by restricting all traffic flow to a controlled gateway, security analysts can monitor all network traffic from a centralized location. The main issue when utilizing a gateway is the inspection of encrypted traffic. How do you properly analyze encrypted traffic when the intended recipient is downstream? Enter break and inspect, which allows detailed review and controlled traffic flow.
What is Break and Inspect?
Break and inspect is the process by which a security architecture makes encrypted traffic available for analysis. In a traditional enclaved environment, a workstation sends encrypted packets through a gateway to their intended destination, usually an external web server. Following a standard encryption handshake, the web server returns packets that can only be decrypted by the requesting host, which prevents the gateway processing the request from inspecting them in any detail. This sparks the question: how can a proxied network properly analyze incoming traffic that it cannot read?

Break and inspect solves this problem by changing the requesting party in the encryption handshake. By utilizing two layers of network address translation (NAT), architects can reap the benefits of proxied traffic while still obtaining the decrypted traffic needed for advanced inspection. In essence, break and inspect is achieved by routing traffic twice: once unencrypted to a primary gateway that serves as the internal proxy, then encrypted through a secondary gateway that serves as the external proxy. The inner gateway functions as the receiving party for all outgoing traffic, negating the need for the encryption that blocks traffic inspection; the outer gateway then assumes the role of the requesting party for the initial web request, allowing encrypted traffic to pass outside of the network. Many organizations place their intrusion prevention systems (IPSs) between the two gateways, allowing automated inspection of all traffic while it is unencrypted.

By routing traffic twice, you present two faces to all network traffic: an inner face that passes unencrypted, readable traffic, and an outer face that initiates all encrypted traffic on behalf of the network.
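The two-face routing described above, as an added example in Go that is not code from the article: an external TLS web server, an outer gateway that originates the TLS session on the network's behalf, an inner gateway that terminates the workstation's plaintext session, and an IPS check (`ipsInspect`, with a constructed policy that refuses outbound posts carrying a sensitive marker) that runs between the two gateways, where the payload is still readable. All three listeners are loopback `httptest` servers and the external server's certificate is the test-generated one, so the chain runs offline; the inner segment carries plaintext as the article describes, rather than TLS re-terminated under an enterprise CA certificate. The external server counts the `X-Forwarded-For` entries the two reverse proxies append, which makes the two hops visible in its reply.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Simulated break-and-inspect chain (added example, not the article's own code):
//   workstation --plaintext--> inner gateway --(IPS check)--> outer gateway --TLS--> external web server

// ipsInspect models the IPS placed between the two gateways. It can read the
// payload only because traffic on this segment is still unencrypted.
func ipsInspect(method, path string, body []byte) error {
	// Constructed policy: refuse outbound posts that carry a marker the
	// organisation classifies as sensitive. Real rule sets are far richer.
	if method == http.MethodPost && strings.Contains(string(body), "CLASSIFIED") {
		return fmt.Errorf("policy violation: sensitive marker in outbound body to %s", path)
	}
	return nil
}

// Chain bundles the three listeners so they can be started and stopped together.
type Chain struct {
	External *httptest.Server // the web server outside the enclave (TLS)
	Outer    *httptest.Server // outer face: initiates TLS on behalf of the network
	Inner    *httptest.Server // inner face: receives the workstation's plaintext traffic
}

// Close shuts the listeners down from the inside out.
func (c *Chain) Close() {
	c.Inner.Close()
	c.Outer.Close()
	c.External.Close()
}

// NewChain starts the external server and both gateways on loopback.
func NewChain() *Chain {
	// External web server: reports the request and how many proxy hops it crossed.
	external := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hops := len(strings.Split(r.Header.Get("X-Forwarded-For"), ","))
		body, _ := io.ReadAll(r.Body)
		fmt.Fprintf(w, "external got %s %s via %d proxy hops (%d bytes)", r.Method, r.URL.Path, hops, len(body))
	}))

	// Outer gateway: the only party that speaks TLS to the outside world.
	extURL, _ := url.Parse(external.URL)
	outerProxy := httputil.NewSingleHostReverseProxy(extURL)
	outerProxy.Transport = external.Client().Transport // trusts the test-generated server certificate
	outer := httptest.NewServer(outerProxy)

	// Inner gateway: terminates the workstation's session, hands the plaintext to
	// the IPS, and only then forwards the request to the outer gateway.
	outerURL, _ := url.Parse(outer.URL)
	innerProxy := httputil.NewSingleHostReverseProxy(outerURL)
	inner := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(r.Body)
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if err := ipsInspect(r.Method, r.URL.Path, body); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden) // dropped before it ever leaves the enclave
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // restore the consumed body for forwarding
		innerProxy.ServeHTTP(w, r)
	}))
	return &Chain{External: external, Outer: outer, Inner: inner}
}

// Send models the workstation: it only ever talks plaintext HTTP to the inner gateway.
func (c *Chain) Send(method, path, body string) (int, string, error) {
	req, err := http.NewRequest(method, c.Inner.URL+path, strings.NewReader(body))
	if err != nil {
		return 0, "", err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	reply, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(reply), nil
}

func main() {
	c := NewChain()
	defer c.Close()
	fmt.Println(c.Send(http.MethodGet, "/index.html", ""))
	fmt.Println(c.Send(http.MethodPost, "/upload", "hello world"))
	fmt.Println(c.Send(http.MethodPost, "/upload", "CLASSIFIED report"))
}
```

The point to take from the run is where the decision is made: the flagged POST is rejected by the inner gateway with a 403 and never reaches the outer gateway, so no TLS session is ever opened for it, while the permitted requests arrive at the external server having crossed two hops, the second of which is the only one holding a TLS connection.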