Passive, Transparent, and Selective TLS Decryption for Network Security Monitoring

04/20/2021
by   Florian Wilkens, et al.
0

Internet traffic is increasingly encrypted. While this protects the confidentiality and integrity of communication, it prevents network monitoring systems (NMS) and intrusion detection systems (IDSs) from effectively analyzing the now encrypted payloads. Therefore, many enterprise networks have deployed man-in-the-middle (MitM) proxies that intercept TLS connections at the network border to examine packet payloads and thus retain some visibility. However, recent studies have shown that TLS interception often reduces connection security and potentially introduces additional attack vectors to the network. In this paper, we present a cooperative approach in which end-hosts as cryptographic endpoints selectively provide TLS key material to NMS for decryption. This enables endpoints to control who can decrypt which content and lets users retain privacy for chosen connections. We implement a prototype based on the Zeek NMS that is able to receive key material from hosts, decrypt TLS connections and perform analyzes on the cleartext. The patch is freely available and we plan to upstream our changes to Zeek once they are mature enough. In our evaluation, we discuss how our approach conceptually requires significantly less computational resources compared to the commonly deployed MitM proxies. Our experimental results indicate, that TLS decryption increases a runtime overhead of about 2.5 times of the original runtime on cleartext. Additionally, we show that the latency for transmitting keys between hosts and the NMS can be effectively addressed by buffering traffic at the NMS for at least 40ms, allowing successful decryption of 99.99 connections.

READ FULL TEXT

page 1

page 2

page 3

page 4

research
02/11/2020

zeek-osquery: Host-Network Correlation for Advanced Monitoring and Intrusion Detection

Intrusion Detection Systems (IDSs) can analyze network traffic for signs...
research
09/02/2022

Tweaking Metasploit to Evade Encrypted C2 Traffic Detection

Command and Control (C2) communication is a key component of any structu...
research
01/07/2020

Towards Practical Encrypted Network Traffic Pattern Matching for Secure Middleboxes

Network Function Virtualisation (NFV) advances the development of compos...
research
10/18/2018

Deep Learning for Encrypted Traffic Classification: An Overview

Traffic classification has been studied for two decades and applied to a...
research
11/01/2017

Improving SIEM capabilities through an enhanced probe for encrypted Skype traffic detection

Nowadays, the Security Information and Event Management (SIEM) systems t...
research
10/22/2018

Challenges in Network Management of Encrypted Traffic

This paper summarizes the challenges identified at the MAMI Management a...

Please sign up or login with your details

Forgot password? Click here to reset