How can you check if the web server has been compromised? Learn what is SSL inspection and how does it work?
What Is SSL Inspection and How Does It Work?
SSL Inspection is used by companies to protect their network against attacks. SSL inspection is a mechanism that allows an organization to inspect the encrypted SSL traffic. Then decrypt and inspect it before allowing it to pass to the intended destination.
It is similar to deep packet inspection (DPI) but differs in a way that SSL Inspection is used at the proxy/firewall level. This is while DPI is used at the application or end-host level. SSL inspection is used during internal investigations, employee monitoring, compliance, and regulatory issues.
This is when law enforcement agencies need to monitor encrypted traffic. Thus, it can be used for preventing malware attacks on the network.
Traffic Re-encryption
The packets received by a proxy are first decrypted by the SSL inspection module. So, the decrypted traffic is then subject to various tests like lookup of cookies, URL filtering, anti-virus scanning, etc. If required, the decrypted traffic can be re-encrypted and sent to its destination. In a nutshell:
1. SSL traffic is received by an organization’s proxy server, which decrypts it and forwards it to an SSL inspection engine for further processing.
2. The SSL inspection engine checks for malware or viruses and URL filtering before passing it further on to the intended destination server or client.
3. The encrypted data is re-encrypted with a new key or identity before being sent out of the network to maintain the confidentiality of communication between endpoints.
The main benefits of using SSL inspection are:
SSL Inspection enables organizations to decrypt encrypted data and inspect it before sending it out of their network. Thereby, ensuring that no sensitive information leaks outside of their perimeter. It protects organizations from malware attacks as well as prevents unauthorized users from accessing sensitive data.
This is on their networks without proper authorization and permission. Also, SSL inspection enables organizations to comply with various regulatory and compliance requirements.
Traffic Inspection and Decryption
Since the security of the encryption is maintained, organizations can use SSL inspection services to monitor their employees’ online usage. So, the SSL inspection module is usually deployed at the firewall or proxy server. Also, the packet is decrypted by the SSL Inspection engine and then sent to the intended destination.
If any malware or virus is identified in the packet, it is dropped. So, if URL filtering is required, it is applied before sending the packet further on to its destination. For example, if an organization wants to block its employees from accessing social networking sites during working hours, it can configure its proxy server to do so.
Thus, when an employee tries to access Facebook from his corporate laptop, the SSL Inspection engine will block it. Then it displays a message saying that access to this URL has been blocked. On the other hand, if there are no restrictions on accessing Facebook during working hours, then it will be allowed for viewing.
When traffic inspection and decryption are performed at a proxy server level. This ensures that all traffic passing through it is inspected and decrypted before being sent back out. Thus, making sure that malware cannot escape detection and flow freely into the internet.