Network traffic encryption levels continue to steadily increase. In the last year, the percentage of pages loaded over HTTPS as reported by Google has increased from 82% to 87% on the Windows platform. It’s even higher on Macs at 93%. At this rate, we are not far away from a 100% TLS encrypted Internet.
In this second article in a series on making the most of the great new features in XG Firewall v18, we're going to focus specifically on the resources available to help you and your customers make the most of the new Xstream TLS 1.3 inspection solution in XG Firewall v18.
Xstream TLS Inspection
In our last article, we covered the Xstream Architecture and the new Xstream DPI engine in XG Firewall v18. The new TLS Inspection solution is a key component of the new architecture and provides decryption for TLS/SSL encrypted traffic with native support for the latest TLS 1.3 standard.
With most traffic flows transiting the firewall now encrypted, TLS inspection is absolutely critical to opening up this enormous blind spot so the firewall can do its job and inspect content coming into the network. As we will discuss in the next article in this series, the DPI engine can be extremely effective at identifying new zero-day variants of ransomware and other threats, but only if it is able to inspect the traffic unencrypted.
How it Works
Encrypted traffic flows destined to be examined by the new DPI engine are passed to the TLS inspection engine for decryption before being inspected. After inspection, the flow is re-encrypted and sent on to its destination. If you're interested in learning more about how TLS encryption and inspection work, and why they are important, I suggest reviewing these two great assets on the topic:
The new Xstream TLS Inspection engine in XG Firewall v18 offers a number of compelling benefits that make it the ideal solution for today’s modern encrypted internet:
- High performance – with high connection capacity
- Unmatched visibility into encrypted traffic flows and surfacing errors
- Easy tools to deal with errors and handle exceptions with just a few clicks
- Support for TLS 1.3 without downgrading
- Support for all modern cipher suites with robust certificate validation
- Inspection of all traffic, being application and port agnostic
- Powerful and flexible policy tools enabling the perfect balance of performance, privacy, and protection
Getting Started with TLS Inspection
As we mentioned in the last article, taking advantage of the new TLS inspection engine in XG Firewall v18 is super easy. It essentially requires checking one box in the firewall to activate it and then creating a rule on the new SSL/TLS Inspection Rules tab as shown below.
For a quick 5-minute overview of how to create SSL/TLS inspection rules, watch this short how-to video:
For a detailed explanation and step-by-step guide to creating SSL/TLS inspection rules and decryption profiles, check out the online documentation:
- SSL/TLS Inspection Rules
- Decryption Profiles
- SSL/TLS Inspection Settings
- Deploying the SSL CA certificate
It is recommended that customers start gradually with TLS inspection, on a limited sub-estate of their network or a few test systems. This will allow them to build expertise with the new TLS inspection solution and explore the new rules, logging, reporting, and error-handling options.
Not all applications and servers fully and properly support TLS inspection, so we advise administrators to monitor the Control Center for errors and take advantage of the convenient built-in tools to exclude problematic sites or services. XG Firewall comes with two pre-packaged TLS inspection rules out of the box that make exclusions easy. By default, they exclude trusted domains known to be incompatible with TLS decryption, such as iCloud, some Microsoft domains, and others. Administrators can easily customize these rules directly through the widget on the Control Center as issues arise, or by updating those exclusion rules directly.
The new widget on the Control Center provides at-a-glance insights into your encrypted traffic flows and any issues.
Drill down to identify the cause of issues and fix them with just a few clicks.
Once you and your customers are comfortable with the DPI engine and TLS inspection, we recommend applying it more broadly across their networks. When you’re ready for broader TLS inspection and wish to push the CA certificate out to more systems, we recommend using the wizard built into the Microsoft Active Directory Group Policy Management tools to make this task quick and easy.
As you roll out TLS inspection more broadly, carefully monitor the firewall system performance metrics to ensure the hardware is not becoming a bottleneck. While the Xstream Architecture in XG Firewall v18 offers tremendous performance gains for TLS inspection, going from inspecting 0% of encrypted traffic to 80-90% of your TLS traffic may have an impact on performance depending on your firewall's normal load. If the firewall could benefit from some extra headroom, consider a hardware refresh to a current higher-capacity model. It's definitely not worth taking the risk to NOT inspect TLS traffic given the rate at which hackers and attackers are utilizing this enormous blind spot to their advantage.
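The rollout steps above (deploy the CA certificate to endpoints, then watch for sites that break under inspection and exclude them) can be checked from a Windows endpoint with a short script. The following is an added example written for this article, not Sophos code and not part of the original post. It performs the same import the Group Policy wizard does on each machine, then completes a TLS handshake to a few hosts and reports whether the certificate the client sees was re-signed by the firewall's inspection CA (the observable effect of the decrypt-inspect-re-encrypt flow described under "How it Works"), was passed through untouched (an excluded domain, such as iCloud), or failed outright (a candidate for an exclusion rule). The CA file path, the `*XG Firewall*` subject match and the host list are assumptions; adjust them to your deployment.

```powershell
# Added example (not Sophos code): verify the inspection CA on a Windows endpoint
# and probe a few hosts to see whether their TLS sessions are being inspected.

# Assumption: path to the CA certificate exported from the firewall (placeholder).
$CaPath = 'C:\Deploy\xg-inspection-ca.cer'

# What Group Policy does on each machine: import the CA into the machine's
# Trusted Root store. Needs an elevated session; skipped if the file is absent.
if (Test-Path $CaPath) {
    Import-Certificate -FilePath $CaPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# Locate the installed inspection CA. Assumption: its subject contains "XG Firewall";
# change the pattern to match the CA you actually exported.
$InspectionCa = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Subject -like '*XG Firewall*' } |
    Select-Object -First 1
if (-not $InspectionCa) {
    Write-Warning 'Inspection CA not found in the Trusted Root store; certificate push may not have applied.'
}

function Get-TlsIssuer {
    param([string]$HostName, [int]$Port = 443)
    # Complete a TLS handshake and report the issuer of the presented certificate.
    # The validation callback accepts any chain so the issuer is visible even when
    # Windows would reject it; this is a diagnostic, not a trust decision.
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Host = $HostName; Issuer = $cert.Issuer; Protocol = $ssl.SslProtocol; Error = $null }
    } catch {
        # Handshake failures here are what show up as errors on the Control Center widget.
        [pscustomobject]@{ Host = $HostName; Issuer = $null; Protocol = $null; Error = $_.Exception.Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}

# Sample hosts (constructed for this example): one expected to be inspected,
# one the default exclusion rules leave untouched.
$Hosts = @('www.example.com', 'www.icloud.com')

foreach ($h in $Hosts) {
    $r = Get-TlsIssuer -HostName $h
    if ($r.Error) {
        $status = 'HANDSHAKE FAILED - consider an exclusion rule'
    } elseif ($InspectionCa -and $r.Issuer -eq $InspectionCa.Subject) {
        # The leaf certificate was re-signed by the firewall: this flow is inspected.
        $status = "INSPECTED ($($r.Protocol))"
    } else {
        # Original server certificate seen: excluded or not matched by an inspection rule.
        $status = "NOT INSPECTED ($($r.Protocol)) issuer: $($r.Issuer)"
    }
    '{0,-20} {1}' -f $h, $status
}
```

Run it from an elevated PowerShell session on a pilot machine after the Group Policy push; a host reported as "INSPECTED" from a machine that was not meant to be in scope, or a "HANDSHAKE FAILED" line for an application your users depend on, is the signal to adjust the inspection or exclusion rules before widening the rollout.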
Here’s a summary of the resources available to help make the most of the new features in XG Firewall v18 including Xstream TLS Inspection:
- XG Firewall getting started guide
- Full online XG Firewall documentation
- How-to videos on what’s new in v18
- In-depth FAQ on HTTPS decryption
- A full list of recommended community articles on v18
Selling XG Firewall
On the Sophos partner portal, we provide you with a wealth of sales assets. You may filter the list of assets by selecting a category to narrow down the results. And don’t forget to check whether there is a sales promotion available for your region. It’s worth checking back from time to time to make sure you’re not missing out on a great opportunity!