

Encryption and Beyond: Cisco's Frontier in Cybersecurity Solutions

Feb 26, 2025 | Hi-network.com

The widespread adoption of encryption on the web began in the mid-1990s, alongside the internet's rapid growth. Before then, data was transmitted in plain text and could be read by anyone able to intercept it. As online activity expanded to include passwords and financial transactions, the need to exchange sensitive information securely became apparent.

The introduction of SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security), together with HTTPS (Hypertext Transfer Protocol Secure), added a secure layer over internet communications. SSL and TLS encrypt data in transit between web servers and browsers, so that sensitive information stays confidential and cannot be read or silently altered by an interceptor.

HTTPS runs standard HTTP over these protocols, safeguarding the confidentiality and integrity of data exchanged over the web. These technologies transformed the web into a safer environment against evolving threats. SSL itself and TLS 1.0/1.1 have since been deprecated; only TLS 1.2 and 1.3 are considered secure today.

According to Google's recent data, approximately 95% of web traffic is now encrypted, reflecting the growing emphasis on data security and privacy across the internet.

Several trends are shaping internet traffic and security, according to Cloudflare's 2024 security trend report. Half of web requests now use HTTP/2 and 20.5% use the newer HTTP/3, a slight increase from 2023. On the encryption side, 13.0% of TLS 1.3 traffic uses post-quantum key agreement. IPv6 adoption has reached 28.5% globally, with India and Malaysia leading. Mobile devices account for 41.3% of global traffic, underscoring their weight in internet usage.

Security remains a concern: 6.5% of global traffic is identified as potentially malicious, and the United States generates over a third of global bot traffic. Gambling and gaming is the most attacked industry, slightly ahead of finance. In email, 4.3% of messages are classified as malicious, with deceptive links and identity deception the most common threats.

Encryption protects confidentiality and integrity, but it also creates a blind spot: attackers increasingly use encrypted channels for malware delivery, command and control and data exfiltration, which makes such activity harder to detect and stop.

Cisco Secure Firewall addresses this with cryptographic acceleration hardware, which lets it inspect encrypted traffic at scale.

Two recommended solutions from Cisco Secure Firewall are:

  • Encrypted Dataflow Analysis
  • Decryptable Traffic Inspection

Encrypted Dataflow Analysis

TSID: TLS Server Identity Discovery

In Cisco Secure Firewall, TLS Server Identity Discovery extracts the server certificate from a TLS 1.3 connection without decrypting the session. This matters because TLS 1.3 encrypts the server's Certificate message in the handshake (in TLS 1.2 it was sent in the clear), and the certificate is what access control rules match on for application and URL filtering. The feature is enabled in the advanced settings of an access control policy or by associating a decryption (SSL) policy with the access control policy.

Enable it for traffic that must be matched on application or URL criteria, especially where deep inspection follows. Combining TLS decryption with TLS Server Identity Discovery also improves reliability, because the server certificate is identified accurately during the handshake.

EVE: Encrypted Visibility Engine, based on TLS fingerprinting

Cisco Secure Firewall uses the Encrypted Visibility Engine (EVE) to identify client applications and processes and to block threats without decryption. EVE applies machine-learning models to fingerprints of the TLS handshake (the fields a client sends in its ClientHello, such as offered versions, cipher suites and extensions) to detect malicious activity. It assigns each connection an EVE score, the estimated probability that the client process is malware; a high score can raise an Indicator of Compromise (IoC) event, block the encrypted connection and flag the host as infected.

This gives robust protection without the performance cost of decryption. Because the score is a probability rather than a signature match, review IoC events and tune the blocking threshold before enforcing broadly.
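The ClientHello fingerprinting that engines like EVE build on, shown here with the widely documented JA3 method as an added example. This is not Cisco code, and EVE's own fingerprint format and models are not described on this page; the ClientHello bytes are constructed inline (not a capture) and include GREASE values, which a fingerprinter must drop so that a client's randomised GREASE does not change its fingerprint.

```python
"""JA3-style TLS ClientHello fingerprinting (added example, not Cisco's EVE code).

Parses a raw TLS record carrying a ClientHello, extracts the fields JA3 uses
(version, cipher suites, extension types, supported groups, EC point formats),
drops GREASE values and hashes the result.  The sample ClientHello is constructed
below, not captured from a real client.
"""
from __future__ import annotations
import hashlib
import struct


def _is_grease(v: int) -> bool:
    # RFC 8701 GREASE values: 0x0a0a, 0x1a1a, ..., 0xfafa (both bytes equal, low nibble 0xa)
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def _u16s(data: bytes) -> list[int]:
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, len(data), 2)]


def parse_client_hello(record: bytes) -> dict:
    """Return the ClientHello fields relevant to fingerprinting, plus the SNI."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # client random
    pos += 1 + body[pos]                        # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = _u16s(body[pos:pos + cs_len]); pos += cs_len
    pos += 1 + body[pos]                        # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ext_end = pos + ext_len
    ext_types, groups, formats, sni = [], [], [], None
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        ext_types.append(etype)
        if etype == 0 and elen:                 # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", edata[3:5])[0]
            sni = edata[5:5 + name_len].decode("ascii")
        elif etype == 10:                       # supported_groups
            glen = struct.unpack("!H", edata[:2])[0]
            groups = _u16s(edata[2:2 + glen])
        elif etype == 11:                       # ec_point_formats
            formats = list(edata[1:1 + edata[0]])
    return {"version": version, "ciphers": ciphers, "extensions": ext_types,
            "groups": groups, "formats": formats, "sni": sni}


def fingerprint(record: bytes) -> dict:
    """JA3 string = version,ciphers,extensions,groups,formats (GREASE removed); hash = MD5."""
    f = parse_client_hello(record)
    def fmt(vals): return "-".join(str(v) for v in vals if not _is_grease(v))
    ja3 = ",".join([str(f["version"]), fmt(f["ciphers"]), fmt(f["extensions"]),
                    fmt(f["groups"]), "-".join(str(v) for v in f["formats"])])
    return {"sni": f["sni"], "ja3": ja3, "ja3_hash": hashlib.md5(ja3.encode()).hexdigest()}


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_sample_client_hello() -> bytes:
    """Constructed ClientHello (assumption, not a capture): TLS 1.3-capable client with GREASE."""
    sni = b"example.com"
    ciphers = b"".join(struct.pack("!H", c) for c in (0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F, 0x002F))
    groups = b"".join(struct.pack("!H", g) for g in (0x2A2A, 0x001D, 0x0017, 0x0018))
    exts = (_ext(0x1A1A, b"")                                              # GREASE extension
            + _ext(0, struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni)  # server_name
            + _ext(10, struct.pack("!H", len(groups)) + groups)            # supported_groups
            + _ext(11, b"\x01\x00")                                        # ec_point_formats
            + _ext(13, b"\x00\x06\x04\x03\x08\x04\x04\x01")                # signature_algorithms
            + _ext(43, b"\x04\x03\x04\x03\x03"))                           # supported_versions
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack("!H", len(ciphers)) + ciphers + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(fingerprint(build_sample_client_hello()))
```

A fingerprint on its own proves nothing; an engine compares it against fingerprints observed for known benign and malicious processes and scores the match. Two caveats a practitioner should keep in mind: unrelated programs that share a TLS library collide on the same fingerprint, and recent Chrome versions shuffle extension order per connection, so a JA3 string that includes extension order is no longer stable for that browser.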

Talos Threat Intelligence

Cisco Talos Threat Intelligence enhances the ability to detect and intercept malicious traffic in Cisco Secure Firewall by providing comprehensive, real-time threat intelligence. Talos, one of the largest commercial threat intelligence teams, regularly updates Cisco customers with actionable intelligence.

This intelligence feeds directly into Cisco Secure Firewall, giving faster protection and better visibility. Talos maintains the official rulesets for Snort.org and ClamAV.net, which the firewall's intrusion prevention and malware detection use, and it draws on telemetry from millions of devices to identify known and emerging threats. The result is that the firewall can block threats, vulnerabilities and exploits proactively rather than after the fact.

Decryptable Traffic Inspection

Decryption remains essential even though encrypted traffic can be analysed through metadata such as packet size, timing and destination patterns. Such analysis can detect certain anomalies, but it gives no visibility into the content of the communication, which is what identifying embedded malware or unauthorized data transfers requires.

Decryption allows comprehensive content inspection, which advanced threat detection and data loss prevention (DLP) need. It also helps organizations meet compliance requirements that mandate full traffic inspection to protect sensitive data. Encrypted traffic analysis is therefore a complement to decryption rather than a replacement: decryption enables deep packet inspection and is a critical component of a robust security strategy.

Cisco Secure Firewall offers several decryption capabilities to ensure comprehensive security monitoring and threat protection:

Table: Decryption Policy Actions: Optimizing Traffic Security and Compliance

Decryption Policy Action | Description | Use Cases
Decrypt - Resign | Decrypts and inspects outbound TLS traffic, then re-encrypts it toward the client with a certificate signed by the firewall's CA. | Inspecting outbound traffic to detect threats.
Decrypt - Known Key | Decrypts inbound traffic to internal servers using the server's own private key, inspects it, and forwards it to the server. | Inspecting traffic to internal servers whose private keys the organization holds.
Do Not Decrypt | Leaves traffic encrypted and does not inspect its content. | Traffic that must remain private for safety or compliance; also bypasses decryption for un-decryptable applications and un-decryptable distinguished names.
Block / Block with Reset | Blocks connections, for example those negotiating older SSL/TLS versions or weak cipher suites, or presenting expired or not-yet-valid certificates. | Preventing weaknesses associated with outdated or weak encryption protocols and invalid certificates.

Decrypt Resign

Cisco Secure Firewall's Decrypt - Resign action works as a man-in-the-middle: the firewall terminates the client's TLS session itself and opens a second TLS session to the destination server. To the client it presents a certificate for the requested server that it generates and signs with its own CA, so the firewall's CA certificate must be installed in the clients' trust stores for the connection to succeed. The firewall then decrypts, inspects and re-encrypts the traffic. Applications that pin their server certificate will fail under this action and should be matched by a Do Not Decrypt rule instead.

Known Key

With Decrypt - Known Key, the firewall holds the private key of a specific internal server; the organization must own the server's domain and certificate and upload the key to the firewall. The firewall uses that key to decrypt traffic destined for the server and inspect it for threats. Because the server's real certificate is used, no firewall-issued CA certificate is presented to the client, unlike the re-sign method. Note that the certificate alone is not sufficient; the private key itself is required.

Do Not Decrypt

A Do Not Decrypt rule ensures that the matched encrypted traffic bypasses decryption and its content is not inspected by the firewall. The traffic is still evaluated by access control rules, which decide whether it is allowed or blocked. Such rules preserve privacy for sensitive categories, improve performance, and keep pinned or otherwise un-decryptable applications working while meeting compliance requirements.

Block Rules

A Block rule terminates encrypted connections that are judged a security risk. Block with reset additionally sends a TCP reset to both ends, so the connection is torn down immediately and both parties are notified rather than left waiting for a timeout. Such rules are typically used to refuse connections with certificates that are expired, not yet valid or carry invalid signatures, as well as servers that negotiate outdated protocol versions or weak cipher suites.

Cisco Secure Firewall's decryption (SSL) policy provides a variety of rule conditions to control encrypted traffic. These conditions define which traffic is decrypted and inspected, which is bypassed, and which is blocked. Common condition types include:

Table: Advanced Rule Filtering Techniques: Optimizing Decryption for Security and Performance

Rule Filter Type | Description | Benefits for Users
URLs | Decrypts or bypasses decryption based on specific URLs or URL categories. | Targets high-risk sites for inspection and supports compliance by exempting sensitive categories.
Applications | Decrypts based on the identified application. | Granular control that focuses decryption on high-risk applications and saves resources elsewhere.
Source and Destination | Applies rules based on source and destination IP addresses or networks. | Targets specific network segments and prioritizes critical traffic for inspection.
Users and User Groups | Applies rules to specific users or user groups. | Applies policy per department or role for enforcement and compliance.
Port and Protocol | Applies rules based on ports and protocols. | Avoids unnecessary decryption overhead by decrypting selectively.
Certificates | Decrypts or bypasses based on certificate attributes such as issuer or validity. | Restricts decryption to traffic presenting valid, trusted certificates.
Zones | Applies rules based on the security zones the traffic traverses. | Aligns decryption with network segmentation and trust levels.
Distinguished Name (DN) | Matches on the certificate's Subject DN and Issuer DN. | Targets specific organizations or certificate authorities, and bypasses known un-decryptable DNs.
Certificate Status | Matches on certificate status (e.g., valid, expired, revoked). | Ensures only traffic with current, valid certificates is decrypted and lets invalid ones be blocked.
VLAN Tags | Applies rules based on VLAN tags. | Aligns decryption with VLAN-based segmentation.

The Decryption Policy Wizard, introduced in release 7.3 and extended in 7.6, simplifies decryption policy setup and automatically adds bypass rules for specified outbound traffic. In 7.6 the wizard can also add Do Not Decrypt rules for un-decryptable distinguished names, sensitive URL categories and un-decryptable applications.

Using decryption (TLS/SSL) policies, organizations can block server connections that negotiate outdated SSL/TLS versions or weak cipher suites. SSL 3.0 and TLS 1.0/1.1 are formally deprecated (RFC 7568 and RFC 8996), and refusing them at the firewall prevents clients from being downgraded to protocols with known weaknesses.

By enforcing strict encryption standards, these policies help ensure that communications are secure and align with best practices for data protection. This approach also aids in maintaining compliance with industry regulations that mandate the use of strong encryption protocols.
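The ordered, first-match evaluation that the rule filters and actions above describe, as an added example in Python. This is illustrative code, not Cisco's implementation: the rule names, zones, URL categories, issuer DN and the list of cipher suites treated as weak are assumptions, and the connections it evaluates are constructed rather than captured.

```python
"""Top-down decryption policy evaluation (added example, not Cisco code).

Each rule pairs a match condition (certificate status, negotiated version and
cipher suite, URL category, zone, issuer DN) with one of the actions from the
article: Block with reset, Do Not Decrypt, Decrypt - Known Key, Decrypt - Resign.
Rules are evaluated in order and the first match wins, as in a firewall policy.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

TLS1_2, TLS1_3 = 0x0303, 0x0304

# Cipher suites this example treats as weak: static RSA (no forward secrecy),
# RC4, 3DES, NULL and EXPORT suites.  The list is an assumption for the example.
WEAK_CIPHER_MARKERS = ("TLS_RSA_WITH_", "RC4", "3DES", "NULL", "EXPORT")
SENSITIVE_CATEGORIES = {"Health and Medicine", "Finance"}   # assumption
ORG_ISSUER = "CN=Example Corp Internal CA"                   # assumption
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)        # fixed clock for reproducible results


@dataclass
class Connection:
    sni: str
    subject_dn: str
    issuer_dn: str
    not_before: datetime
    not_after: datetime
    revoked: bool
    version: int            # negotiated protocol version, e.g. 0x0303 for TLS 1.2
    cipher: str             # IANA cipher suite name
    url_category: str
    dst_zone: str


def cert_status(c: Connection, now: datetime) -> str:
    """Certificate Status condition: revoked / not_yet_valid / expired / valid."""
    if c.revoked:
        return "revoked"
    if now < c.not_before:
        return "not_yet_valid"
    if now > c.not_after:
        return "expired"
    return "valid"


def weak_crypto(c: Connection) -> bool:
    """True for versions below TLS 1.2 or cipher suites on the weak list."""
    return c.version < TLS1_2 or any(m in c.cipher for m in WEAK_CIPHER_MARKERS)


@dataclass
class Rule:
    name: str
    action: str
    when: Callable[[Connection, datetime], bool]


# Ordered like a decryption policy: block rules first, then bypasses, then decrypt rules.
POLICY = [
    Rule("invalid-cert", "Block with reset", lambda c, now: cert_status(c, now) != "valid"),
    Rule("weak-crypto", "Block with reset", lambda c, now: weak_crypto(c)),
    Rule("privacy-bypass", "Do Not Decrypt", lambda c, now: c.url_category in SENSITIVE_CATEGORIES),
    Rule("internal-servers", "Decrypt - Known Key",
         lambda c, now: c.dst_zone == "dmz" and c.issuer_dn == ORG_ISSUER),
    Rule("outbound-web", "Decrypt - Resign", lambda c, now: c.dst_zone == "outside"),
]
DEFAULT_ACTION = "Do Not Decrypt"


def evaluate(c: Connection, now: Optional[datetime] = None,
             policy: list[Rule] = POLICY) -> tuple[str, str]:
    """Return (rule name, action) of the first matching rule, or the default action."""
    now = now or datetime.now(timezone.utc)
    for rule in policy:
        if rule.when(c, now):
            return rule.name, rule.action
    return "default", DEFAULT_ACTION


def sample_connections() -> dict[str, Connection]:
    """Constructed connections (not captures) that exercise each policy outcome."""
    base = dict(subject_dn="CN=www.example.com", issuer_dn="CN=Public CA",
                not_before=datetime(2025, 1, 1, tzinfo=timezone.utc),
                not_after=datetime(2026, 1, 1, tzinfo=timezone.utc),
                revoked=False, version=TLS1_3, cipher="TLS_AES_128_GCM_SHA256",
                url_category="Business", dst_zone="outside")
    return {
        "expired": Connection(sni="old.example.com",
                              **{**base, "not_after": datetime(2024, 1, 1, tzinfo=timezone.utc)}),
        "legacy": Connection(sni="legacy.example.net",
                             **{**base, "version": 0x0301, "cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}),
        "bank": Connection(sni="bank.example.org", **{**base, "url_category": "Finance"}),
        "internal": Connection(sni="intranet.example.corp",
                               **{**base, "issuer_dn": ORG_ISSUER, "dst_zone": "dmz"}),
        "web": Connection(sni="www.example.com", **base),
    }


def evaluate_samples() -> dict[str, str]:
    """Action chosen for each sample connection under the fixed clock."""
    return {label: evaluate(conn, FIXED_NOW)[1] for label, conn in sample_connections().items()}


if __name__ == "__main__":
    for label, conn in sample_connections().items():
        print(f"{label:9s} -> {evaluate(conn, FIXED_NOW)}")
```

Rule order is the security-relevant detail: if the "outbound-web" rule were placed first, every outbound connection would be decrypted and re-signed, the weak-crypto and invalid-certificate block rules would never fire, and a TLS 1.0 server with an expired certificate would be handed to users under a freshly minted, trusted firewall certificate. Keep block rules above decrypt rules, and bypass rules for pinned or regulated traffic above both.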

Conclusion

As encryption becomes a standard in securing web traffic, organizations face the dual challenge of safeguarding data while effectively detecting and mitigating advanced cyber threats. Cisco Secure Firewall offers a robust solution by integrating advanced TLS decryption capabilities and threat intelligence, ensuring both security and compliance.

By leveraging features such as TLS Server Identity Discovery and the Encrypted Visibility Engine, along with comprehensive decryption policies, Cisco empowers organizations to maintain strong security postures without compromising performance. Ultimately, adopting such sophisticated measures is vital for protecting against increasingly sophisticated cyber threats in an ever-evolving digital landscape.


We'd love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

