
Encryption and Its Impact on Network Security: Transparent vs Forward Proxies and Other Methodologies

Image Credit: Emblasoft

The Fast Mode spoke to Srini Addepalli, Chief Technology Officer at Aryaka on new encryption technologies and their impact on today's networks. Srini joins us in a series of discussions with leading vendors in the traffic management, service assurance, traffic monitoring, analytics, policy control and network security space, assessing various attributes of encryption, its benefits as well as the challenges it poses, specifically loss of visibility that makes networking increasingly complex.

Tara: How does encryption affect network security?

Srini: Encryption technologies have been used for a while to secure traffic from being eavesdropped. However, new TLS 1.3+ extensions can impact visibility, access control, and threat security enforcement at the network level.

Network security is predominantly categorized into two categories: outbound security and inbound security. Outbound network security is applied to connections going to public sites from enterprise clients, while inbound security is applied to connections to enterprise services.

Outbound network security is typically achieved with transparent proxy technologies. These proxies intercept traffic from the network layer, terminate and originate TLS connections, provide access control, analyze traffic for threats, and allow data to pass through only if everything is secure. SNI (Server Name Indication) in the TLS protocol is a key piece of information used by transparent proxies to make decisions. However, there have been privacy concerns about eavesdroppers inferring communication information about clients and services. ESNI (Encrypted SNI) and new ECH (Encrypted Client Hello) extensions to the TLS protocol have been created to address these concerns.

In summary, while inbound security is not a challenge, there may be challenges in applying outbound security effectively when ECH is adopted. Technologies such as forward proxy functionality, AI/ML-based threat detection, and client-side security technologies can potentially help deliver visibility into encrypted traffic.

Tara: What technologies/techniques can potentially help in delivering visibility into encrypted traffic?

Srini: Visibility into user-based access and user-based access control to various internet sites is a critical aspect of any outbound network security technology. Forward proxy functionality can help achieve this in a consistent and reliable manner. This technology enables network security services to authenticate users and provide visibility into the hostname of the destination service or site being visited. It does not rely on SNI, so it can work even with ECH.

There are also additional benefits to using forward proxy functionality over transparent proxies. For instance, transparent proxy-based technologies often use SNI to determine if they should perform TLS decryption. However, in situations where client applications have adopted certificate pinning or when communicating with financial and healthcare sites, SNI may not be available. In such cases, transparent proxy functions cannot decide to perform TLS decryption.

In contrast, in a forward proxy scenario, clients are configured to work with proxies. Clients send sufficient information about the destination service via an HTTP CONNECT request to the proxy. The proxy then can understand the destination service or site's FQDN (Fully Qualified Domain Name) via the host request header of the HTTP CONNECT request. This FQDN can be used to decide whether to perform any TLS decryption. Additionally, forward proxies can authenticate users via the HTTP CONNECT transaction. This means that forward proxy methods allow proxies to not only intercept traffic but also authenticate users and understand the ultimate destination of the TLS session.

However, there may be situations where forward proxy functionality cannot be adopted. In such cases, alternative techniques such as explicit portal authentication can be used. This method requires users to explicitly authenticate themselves to security services such as SASE before they can access the internet. Techniques such as browser notifications and special client agents can be used to prompt users to authenticate. These techniques tend to whitelist the IP address of the user's machine upon successful authentication. This means that all applications on the client machine have access to the internet, including any malware. Therefore, it is crucial to carefully consider the implications of whitelisting the IP address before enabling this functionality. Other techniques that require further research include mimicking the DNS server functionality in DNS proxies and controlling the encryption keys of ECH. This is an area that needs more study.
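The CONNECT-based decision Srini describes, as an added example that is not part of the interview or of Aryaka's software: a minimal forward-proxy front end that parses the HTTP CONNECT request, takes the destination FQDN from the request target and Host header, authenticates the user from Proxy-Authorization, and then decides whether the TLS session is decrypted for inspection or tunnelled untouched. The hostnames, the user store and the no-decrypt category table are constructed for illustration.

```python
# Added example (not from the interview): the forward-proxy decision described
# above. Parse an HTTP CONNECT request, take the destination FQDN from the
# request target and Host header, check Proxy-Authorization, then decide whether
# to decrypt the TLS session. Hosts, users and the category table are constructed.
import base64
# Constructed suffixes whose TLS is tunnelled without decryption (the interview's
# financial/healthcare example) and a constructed credential store.
NO_DECRYPT = {".examplebank.test": "finance", ".examplehealth.test": "healthcare"}
USERS = {"alice": "s3cret"}  # illustration only, never store plaintext passwords

def parse_connect(raw: bytes):
    """Return (fqdn, port, headers) from a CONNECT request; raise on bad input."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    if method != "CONNECT" or not version.startswith("HTTP/1."):
        raise ValueError("not a CONNECT request")
    host, _, port = target.rpartition(":")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Host must agree with the authority-form target, else the FQDN is untrusted.
    if headers.get("host", target).split(":")[0].lower() != host.lower():
        raise ValueError("Host header disagrees with CONNECT target")
    return host.lower(), int(port), headers

def authenticate(headers: dict):
    """Basic Proxy-Authorization check; returns the user name or None."""
    scheme, _, cred = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pwd = base64.b64decode(cred, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == pwd else None

def decide(raw: bytes) -> dict:
    """Reject unauthenticated users, bypass sensitive categories, decrypt the rest on 443."""
    fqdn, port, headers = parse_connect(raw)
    user = authenticate(headers)
    if user is None:
        return {"user": None, "fqdn": fqdn, "action": "reject", "status": 407}
    for suffix, category in NO_DECRYPT.items():
        if fqdn.endswith(suffix):
            return {"user": user, "fqdn": fqdn, "action": "bypass", "why": category}
    if port != 443:
        return {"user": user, "fqdn": fqdn, "action": "reject", "why": "port"}
    return {"user": user, "fqdn": fqdn, "action": "decrypt", "why": "inspect"}
```

Because the FQDN comes from the CONNECT request rather than from the TLS ClientHello, the same decision still works when ECH hides the SNI.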

This interview is a part of The Fast Mode's Real-time Visibility for Encrypted Traffic segment, featuring 34 leading IP networking solution providers and their views on the impact of encryption on traffic visibility. A research report on this topic will be published in February 2023 - for more information, visit here.

Author

Srini Addepalli is a security and edge computing expert with 25+ years of experience. Before joining Aryaka, Srini was at Intel, where he incubated multiple open-source edge computing and security initiatives including Service Mesh, a cloud-native SASE framework, Distributed HSM and Multi Edge/Cloud orchestration technologies. Before Intel, he held a Fellow position at Freescale and the CTO position at Intoto Inc. At Intoto, which was acquired by Freescale, he was instrumental in leading the development of the Gateway and UTM (Unified Threat Management) product lines. Srini holds multiple patents in networking and security technologies. He holds a BE (Hons) degree in Electrical and Electronics Engineering from BITS, Pilani in India.
