
Threats Hiding in Encrypted Traffic

A10 Networks
Technical Consultant
林坤億 / Allen
Always Secure. Always Available.
1 ©2022 A10 Networks, Inc. All rights reserved. CONFIDENTIAL
Exploiting the Growing Encrypted Blind Spot
• 94% of all internet traffic is encrypted
• Almost half of cyber attacks use encryption to evade security
Source: Google Transparency Report | Dark Reading
Confidential | Do Not Distribute
NG Firewall Report: browser-based encrypted traffic is over 90%
Encryption Introduces New Challenges & Complexity
Encryption gives you privacy, but it can hurt your security.

Zero Trust Model Will Also Fail Without Decryption, Because Visibility Is Key
Problems with the Existing Architecture (1)
[Diagram: encrypted Internet traffic passes through a chain of security devices (DLP/AV, SWG, ATP, IPS, NGFW); each device decrypts and re-encrypts the traffic itself]
• SSL/TLS decryption is extremely compute-intensive and adds latency
• No single point of decryption, policy control & key management
• Each device must decrypt and re-encrypt its own traffic, with long latency
• Expensive upgrades are required to scale with rising demands
Problems with the Existing Architecture (2)
[Diagram: the same security chain with the layer each device operates at: SWG (L2), ATP (L2), SW (L3), IPS (L2), NGFW (L3), plus DLP/AV; two positions in the chain are marked X]
• Where does a dedicated encryption/decryption device go?
• Does the network architecture have to change?
Comprehensive Solution – A10 SSL Insight
[Diagram: encrypted Internet traffic is decrypted once on entry to a Secure Decrypt Zone, where DLP/AV, SWG, ATP, IPS and NGFW inspect it in clear text; it is re-encrypted on the way out]
• Enhanced performance due to decryption/re-encryption offload
• Improved user experience due to reduced latency
• Centralized decryption, policy control and key management
SSL Certificates
[Diagram: a Public Root CA issues the server certificate & key; traffic between Internal Clients and the Internet is encrypted end to end, so clear-text data exists only at the client and at the server]
SSL/TLS Cipher Suites (certificate encryption algorithms)
• Encryption provides Confidentiality: Key Exchange, Encryption
• Authentication: Signature
• Integrity: Hash Algorithm
TLS 1.2 Traffic Flow (2-RTT)
[Diagram: a Public Root CA signs the server public certificate; the server holds the certificate and its private key]
1. Client requests the server public certificate (key exchange, 2K key)
2. Server sends its public certificate (public key); the client validates the server certificate (authentication)
3. Client sends the symmetric key; data is encrypted with it (256 bits), with SHA-256 (SHA-2) as the hash
4. Data transmission
Primary Requirement of a Decryption Solution
[Diagram, top: a Public Root CA issues the server certificate & key; traffic between Internal Clients and the Internet stays encrypted through the NG Firewall / ATP / IPS, which see only ciphertext; clear-text data exists only at the endpoints]
[Diagram, bottom: a Private Root CA signs the server certificate & key presented to the clients; SSL Decryption on the client side and SSL Encryption on the Internet side leave clear text in between for inspection]
A10 SSLi Operation Flow
[Sequence diagram: Encrypted Zone (port 443) → Secure Decrypt Zone (port 18443) → Encrypted Zone (port 443); legend distinguishes encrypted traffic, decrypted traffic, TCP connections and SSL connections]
1. Client ↔ SSLi decrypt side: TCP handshake, then Client Hello.
2. SSLi checks its certificate cache. On a miss it performs a TCP handshake and SSL handshake with the origin server (Client Hello, Server Hello, SSL Handshake Messages, SSL Handshake Finished); the server authenticates with its own certificate, signed by a well-known CA, and its private key. This connection is then reset.
3. SSLi answers the client with Server Hello carrying a proxied server certificate and a local private key, signed by the local CA; SSL handshake; SSL Handshake Finished.
4. Client sends the Encrypted Request; SSLi decrypts it and forwards the Cleartext Request across the Secure Decrypt Zone (TCP handshake on port 18443) to the re-encrypt side.
5. Re-encrypt side ↔ origin server: TCP handshake, Client Hello, SSL handshake, SSL Handshake Finished; the request is sent as an Encrypted Request.
6. Encrypted Response from the server → Cleartext Response through the Secure Decrypt Zone → Encrypted Response to the client.
Traffic That Cannot Be Decrypted: Certificate Pinning
Problem
• Certificate pinning validates the certificate chain for a domain name against a key embedded in the application
• Some apps (e.g. Twitter, Skype, Windows Update ...) contain a predefined list of 'pinned certificates', specifically designed to defeat SSLi-type solutions
Solution
• Apply SSLi bypass for pinned-cert apps; there is no standard technique to decrypt such apps
• Bypass by SNI in the client SSL hello, or by SAN/Issuer/Subject in the server certificate (server hello)
[Diagram: Internal Clients → SSL Decryption → SSL Encryption → Internet]
Traffic That Cannot Be Decrypted: CAC Authentication (Citizen Digital Certificate / digital signature)
Problem
• SSLi is not supported for applications requiring client authentication, e.g. using a Common Access Card (CAC) or a smart card
Solution
• SSLi is bypassed for a specified remote server (SNI) only if it requests CAC
[Diagram: Internal Clients → SSL Decryption → SSL Encryption → Internet]
Compliance with Security Regulations
Selective bypass option to
• Preserve privacy and compliance
• Meet data privacy regulations (HIPAA, PHI, PCI DSS, etc.) by keeping sensitive data encrypted

Traffic can be bypassed based on
• A10 Web Classification service
• Server Name Indication (SNI) / Certificate Issuer / Certificate Subject
• Source & Destination IP Addresses

Option for an SSLi exception list to intercept traffic in a bypass category
• Allows intercepting a domain under a category even if that category is set to bypass
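A policy engine combining the bypass criteria on this slide, written as an added Python example rather than A10's implementation: SAMPLE_CATEGORIES is a constructed stand-in for the web classification lookup, BypassPolicy and decide are hypothetical names, and the exception list overrides a category-level bypass exactly as the slide describes. Issuer and subject are only known once the server certificate has been seen, so those checks run last.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed sample table standing in for the A10 Web Classification lookup (hypothetical data).
SAMPLE_CATEGORIES = {
    "portal.health-example.org": "healthcare",
    "bank.example.net": "financial",
    "news.example.com": "news",
}

@dataclass
class BypassPolicy:
    """Hypothetical policy object mirroring the bypass criteria listed on the slide."""
    bypass_categories: set = field(default_factory=set)    # web-classification categories to bypass
    intercept_exceptions: set = field(default_factory=set) # domains intercepted even if their category is bypassed
    bypass_sni: list = field(default_factory=list)         # glob patterns matched against the SNI
    bypass_issuer: list = field(default_factory=list)      # substrings matched against the certificate issuer
    bypass_subject: list = field(default_factory=list)     # substrings matched against the certificate subject
    bypass_src: list = field(default_factory=list)         # source CIDRs
    bypass_dst: list = field(default_factory=list)         # destination CIDRs

def decide(policy, sni, src_ip, dst_ip, issuer="", subject="", classify=SAMPLE_CATEGORIES.get):
    """Return ("bypass" | "intercept", reason) for one TLS session.

    IP and SNI checks need only the ClientHello; issuer/subject checks need the
    server certificate from the server hello and are therefore evaluated last.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(src in ipaddress.ip_network(n) for n in policy.bypass_src):
        return "bypass", "source-ip"
    if any(dst in ipaddress.ip_network(n) for n in policy.bypass_dst):
        return "bypass", "destination-ip"
    if sni:
        if any(fnmatchcase(sni, pat) for pat in policy.bypass_sni):
            return "bypass", "sni"
        category = classify(sni)
        if category in policy.bypass_categories:
            # Exception list: intercept this domain even though its category is set to bypass.
            if sni in policy.intercept_exceptions:
                return "intercept", "exception-list"
            return "bypass", "category:" + category
    if issuer and any(s in issuer for s in policy.bypass_issuer):
        return "bypass", "issuer"
    if subject and any(s in subject for s in policy.bypass_subject):
        return "bypass", "subject"
    return "intercept", "default"
```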
Deployment Mode
Reference Network Topologies (Network A, Network B, Network C, Network D)
[Diagram: in each topology a Secure Decrypt Zone sits between the internal network and the Internet]
• SSL Insight in Layer-2 mode with Layer-2 inline security device
  Supported deployments:
  • IP-less deployment (bump in the wire)
  • Single & dual device / dual partition
  • Supports both inline and passive security devices
  • Supports transparent proxy as well as ICAP devices
• SSL Insight in Layer-2 mode with Layer-3 inline security device
  Supported deployments:
  • Single & dual device / dual partition
  • Supports both L3/NATed inline and passive security devices
  • Supports transparent proxy as well as ICAP devices
Reference Network Topologies (Network A, Network B, Network C, Network D), continued
[Diagram: in each topology a Secure Decrypt Zone sits between the internal network and the Internet]
• SSL Insight in Layer-3 mode with Layer-2 inline security device
  Supported deployments:
  • Single & dual device / dual partition
  • Supports both inline and passive security devices
  • Supports transparent proxy as well as ICAP devices
  • Supports firewall load balancing
• SSL Insight in Layer-3 mode with Layer-3 inline security device
  Supported deployments:
  • Single & dual device / dual partition
  • Supports both inline and passive security devices
  • Supports transparent proxy as well as ICAP devices
  • Supports firewall load balancing
IP-less SSL Insight with vWire Support
• Fully transparent, bump-in-the-wire SSL Insight
• Allows for "drop-in" deployments with no dependency on the customer's VLANs or IP addressing
• Supports static and LACP trunks (using vWire binding between trunks)
• Can be used with both inbound and outbound SSL/TLS decryption
[Diagram: the SSL Insight appliance with interfaces e1, e2, e3, e4 bound into vWire 1 and vWire 2, the Secure Decrypt Zone on one side and the Internet on the other]
High Availability: Layer 2 – with AFO
[Diagram: Internet – Active Fail Open switch – SSL Insight; the security device might have AFO as well]
• L2 inline deployment with a third-party bypass switch / AFO
• An AFO (Active Fail Open) switch uses network traffic as a heartbeat. If the network heartbeat fails, the traffic is switched to bypass mode, with network interruptions
• Qualified with the InterfaceMasters Niagara switch and IXIA iBypass AFO
Wizard

Thunder SSLi Appliance Family
Entry-Level
• Thunder 1040-11: 1.5 Gbps
• vThunder: 0.2-8 Gbps
Mid-Range
• Thunder 3350S: 5.5 Gbps
• Thunder 3350E: 3 Gbps
For the complete list of the product family, see the datasheet: HTTPS://www.a10networks.com/wp-content/uploads/A10-DS-15113-EN.pdf
Case Study

Design Case Study

Customer A
Functional requirements
• Provide encryption/decryption for Server Farm services (outside-to-inside)
• Provide encryption/decryption for User Area traffic (inside-to-outside)
• Preserve the customer's existing architecture
• Provide URL filtering
• Phased traffic onboarding mechanism
[Diagram: Internet – BR – A10 SSLi 0 (outside) – IPS – NGFW – WP; Server Farm side: A10 SSLi 1 (inside), L3 SW, Services; User Area side: A10 SSLi 2 (inside), L3 SW, Services, Clients]
Customer A, continued
[Diagram: the same topology with traffic flows labelled A-1, A-2, A-3 through A10 SSLi A (outside/inside, Server Farm) and B-1, B-2, B-3 through A10 SSLi B (outside/inside, User Area); Internet – BR – IPS – NGFW – WP – L3 SW – Services / Clients]
Customer B
Functional requirements
• Provide encryption/decryption for DMZ services (outside-to-inside)
• Provide encryption/decryption for Internet access (inside-to-outside)
• Do not change the customer's existing architecture
• Integrate DLP (ICAP) / TAP
• Phased traffic onboarding mechanism
[Diagram: Internet – Switch – A10 SSLi A-2, A-3, A-4 and B-2, B-3, B-4 – PA-1 / PA-2 (L3, HA) – DLP – A10 SSLi A-1 / B-1 – TAP SW – Core switches – FW-1 / FW-2 (HA) – OA and DMZ]
Customer B, continued
[Diagram: the same topology with traffic flows labelled A-1 to A-4 through A10 SSLi A and B-1 to B-4 through A10 SSLi B; Internet – Switch – PA-1 / PA-2 (L3, HA) – DLP – TAP SW – Core switches – FW-1 / FW-2 (HA) – OA and DMZ]
Thank You
