Page 1220 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
network switches that support port mirroring, and other types of network taps.
Monitoring Encrypted Traffic
As much as 75 percent of internet traffic is encrypted using Transport Layer Security (TLS) with Hypertext Transfer Protocol Secure (HTTPS), and that number continues to climb every year. While encryption helps ensure privacy of data in transit as it travels over the internet, it also presents challenges for IDPSs. As an example, imagine a user unwittingly establishes a secure HTTPS session with a malicious site. The malicious site then attempts to download malicious code to the user's system through this channel. Because the malicious code is encrypted, the IDPS cannot examine it, and the code gets through to the client.

Similarly, many botnets have used encryption to bypass inspection by an IDPS. When a zombie contacts a command-and-control server, it often establishes an HTTPS session first. It can use this encrypted session to send harvested passwords and other data it has collected and to receive commands from the server for future activity.
One solution that many organizations have begun implementing is the use of TLS decryptors, sometimes called SSL decryptors. A TLS decryptor detects TLS traffic, takes steps to decrypt it, and sends the decrypted traffic to an IDPS for inspection. This can be very expensive in terms of processing power, so a TLS decryptor is often a stand-alone hardware appliance dedicated to this function, but it can be within an IDPS solution, a next-generation firewall, or some other appliance. Additionally, it is typically placed inline with the traffic, ensuring that all traffic to and from the internet passes through it.
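The paragraph above says a TLS decryptor first detects TLS traffic and then decides what to do with it. As an added example that is not from the study guide, the following Python script models that first step: it recognizes a TLS ClientHello record on the wire, reads the Server Name Indication (SNI) from it, and returns the action an inline decryptor would take (pass non-TLS traffic straight to the IDPS, intercept the session, or forward it undecrypted where policy exempts the destination). The `build_client_hello` helper, the bypass list, and every byte of sample traffic are constructed for illustration; certificate issuance and the second session to the real server are only noted in comments.

```python
"""Model of how an inline TLS decryptor recognizes TLS sessions and decides
whether to intercept them.  Added example; not code from the CISSP study
guide.  All sample bytes and the bypass list are constructed."""
import struct

# Constructed policy: destinations the decryptor forwards without decrypting.
BYPASS_DOMAINS = ("bank.example", "health.example")


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record with an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name type 0
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)          # client_version, 32-byte random (zeros here)
            + b"\x00"                         # session_id length 0
            + b"\x00\x02\x13\x01"             # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                     # compression_methods: null
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type ClientHello, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes):
    """Return the SNI hostname if data starts a TLS ClientHello, "" if the
    ClientHello carries no SNI, or None if this is not a TLS handshake."""
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:     # record type handshake, TLS major 3
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                            # handshake type 1 = ClientHello
        return None
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        return None
    pos = 2 + 32                                                # skip version and random
    pos += 1 + body[pos]                                        # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]        # cipher_suites
    pos += 1 + body[pos]                                        # compression_methods
    if pos + 2 > len(body):
        return ""                                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0:
            continue
        lpos = 2                                                # skip server_name_list length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            if ntype == 0:
                return edata[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
            lpos += 3 + nlen
    return ""


def decryptor_decision(data: bytes) -> str:
    """Decide how the inline decryptor handles the first bytes of a flow."""
    sni = parse_client_hello(data)
    if sni is None:
        return "pass"         # not TLS: hand the flow to the IDPS as-is
    for domain in BYPASS_DOMAINS:
        if sni == domain or sni.endswith("." + domain):
            return "bypass"   # policy exemption: forward the encrypted session untouched
    # Intercept: the decryptor would now terminate the client's session with a
    # certificate from the organization's own CA, open a second TLS session to
    # the real server, and feed the plaintext between them to the IDPS.
    return "intercept"


if __name__ == "__main__":
    samples = {
        "www.example.com": build_client_hello("www.example.com"),
        "online.bank.example": build_client_hello("online.bank.example"),
        "plain HTTP": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",   # constructed
    }
    for label, flow in samples.items():
        print(f"{label:22s} sni={parse_client_hello(flow)!r:25s} -> {decryptor_decision(flow)}")
```

Every decision the script makes happens before any decryption, which is why the SNI is the usual key for decryptor policy: it is the only destination name visible in the clear at the point where the appliance must choose between intercepting and forwarding.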
The TLS decryptor detects and intercepts a TLS handshake between an internal client and an internet server. It then establishes two HTTPS sessions. One is between the internal client and the TLS decryptor. The second is between the TLS decryptor

