SSL inspection to improve network visibility

Implementing SSL Inspection

Jake Ludin

The proliferation of HTTPS websites has been both a benefit and a challenge for network administrators. HTTPS enhances the overall security of websites because it encrypts the communications between the web server and client, while HTTP sites do not. The issue is that this encryption prevents network admins from monitoring traffic and removes their visibility into what network users are browsing. The lack of transparency complicates the enforcement of use policies and opens the door to potentially harmful code embedded within a website’s communications.

When a user accesses an HTTP site, the communications between the web server and client are not encrypted. If the user is connected to the organization’s network, the domain and pages they visit are reported, and the admin can ensure that users are adhering to use policies and safety standards. But over 50% of the one million most visited websites use HTTPS, which complicates this process. Admins are able to see the domain of the website, but not individual pages or the communications transferred between the two parties.

So how do you improve the transparency on your network with the arrival of HTTPS? With SSL inspection certificates in place, the communications between the web server and the client are decrypted, analyzed and reported, and then re-encrypted and sent on to the user. The domain and pages visited are reported to the network admin to confirm that the user adheres to use policies. In addition, an increasing number of hostile HTTPS sites are appearing. These sites embed malicious code within the encrypted traffic to sneak malware onto a user’s device. Without SSL inspection enabled, these attempts to infect users’ devices with malware are often successful. Once a device is equipped with an SSL inspection certificate, the decrypted traffic is analyzed for malicious code and, if any is found, the user is blocked from accessing it to avoid the potential risks.

The inherent benefits of SSL inspection certificates are substantial, but the process of enrolling devices for certificates can deter some from embracing the security benefits. The manual process can be difficult for casual internet users. Below is an abridged version of the process for Windows device users:

  1. Downloading the certificate file
  2. Opening the certificate file and choosing to install the certificate
  3. Choosing the Certificate Store that will house the certificate
  4. Choosing Trusted Root Certification Authorities as the storage location in the Certificate Store
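
A scripted form of the four Windows steps above, as an added example that is not from the original article or from any vendor it mentions: it checks the downloaded file's SHA-256 fingerprint, CA flag and validity period before importing it into Trusted Root Certification Authorities. The function name `Install-InspectionRootCa`, the file name and the expected fingerprint are assumptions; the fingerprint is expected to come from your IT team through a separate channel.

```powershell
# Added example (hypothetical function name; path and fingerprint are placeholders).
function Install-InspectionRootCa {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,            # downloaded certificate file (step 1)
        [Parameter(Mandatory)] [string] $ExpectedSha256   # fingerprint obtained out of band
    )

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

    # Compare the SHA-256 fingerprint of the DER encoding with the published value.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { $actual = [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-' }
    finally { $sha.Dispose() }
    $expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]').ToUpperInvariant()
    if ($actual -ne $expected) {
        throw "Fingerprint mismatch: file has $actual. Certificate not installed."
    }

    # A trust anchor should be a CA certificate inside its validity period.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { throw 'Not a CA certificate.' }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw 'Certificate is outside its validity period.'
    }

    # Steps 2-4: install into Trusted Root Certification Authorities (needs elevation).
    $store = 'Cert:\LocalMachine\Root'
    if ($PSCmdlet.ShouldProcess($cert.Subject, "Import into $store")) {
        Import-Certificate -FilePath $file -CertStoreLocation $store | Out-Null
    }

    # Report whether the store now holds the certificate, looked up by thumbprint.
    [pscustomobject]@{
        Subject   = $cert.Subject
        Sha256    = $actual
        NotAfter  = $cert.NotAfter
        Installed = Test-Path -LiteralPath (Join-Path $store $cert.Thumbprint)
    }
}

# Usage with placeholder values; add -WhatIf to run the checks without importing:
# Install-InspectionRootCa -Path .\inspection-root-ca.cer -ExpectedSha256 '<fingerprint from IT>'
```

Anything trusted in this store can vouch for any website on the device, which is why the fingerprint check runs before the import rather than after.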

The process for Windows devices is less complex than for Mac and Linux devices due to Active Directory and Group Policy, but all require high-level IT knowledge to understand the steps. Multiple root CAs and self-signed certificates are needed, which demands an involved management process over time. An alternate approach is to use a third-party private CA and reduce the number of root CAs to one. This simplifies the certificate management demands, but there is still a high probability of multiple users configuring their devices incorrectly and sacrificing the SSL inspection benefits. To ensure that every user is distributed an SSL inspection certificate, many organizations employ an onboarding client.

Onboarding solutions, such as those offered by SecureW2, simplify the onboarding process and automatically configure the device for secure network access. A new user seeking secure access would use a BYOD device and follow a few quick steps to successfully enroll for a certificate. Once enrolled, they would be distributed an SSL inspection certificate and be connected to the secure SSID with SSL inspection enabled. For those organizations with a managed device network, the key is the use of a SCEP gateway (or a WSTEP gateway for Windows customers) to distribute certificates with no end user interaction. The alternative for managed devices is to manually enroll each device for a certificate, which can be an unreasonable request, especially since some organizations have hundreds or even thousands of devices. The process for getting the SSL inspection certificates onto devices is fast and straightforward, resulting in every user being equipped with a certificate and connected to the secure network.

The online landscape is constantly improving and updating, and those organizations that adapt with it find the most success. New security features that solve known issues often raise unanticipated challenges. Implementing SSL inspection certificates ensures a smooth and secure user experience while protecting the network and preparing for the challenges that lie ahead. Use policies and network transparency confirm that an organization’s network is used solely for approved purposes.