SCENARIO
Decryption is an important capability that many enterprises have deployed or intend to deploy in the near future. However, any organization that is currently using SSL or Transport Layer Security (TLS) for passive SSL decryption will need to change their architecture or lose the ability for DPI, threat hunting, data loss prevention (DLP), and the use of intrusion detection systems (IDS).
Adoption of TLS 1.3 will introduce significant changes for many IT teams. Here are four common architecture changes necessary to implement TLS1.3 successfully:
• The use of ephemeral keys • Adoption of a man-in-the-middle (MITM) architecture
• Elimination of passive SSL decryption
• Reconfiguration of equipment for different key exchange mechanisms and a reduced cipher list
IXIA SOLUTIONS
Ixia offers two types of functionality to solve these issues. The first is the ability to perform SSL/TLS decryption natively within a packet broker.
The Vision ONE NPB with the SecureStack application offers full support for SSL and TLS 1.3 decryption. This allows the NPB to perform these functions:
• Offload SSL decryption from security appliances – this increases efficiency and reduces cost
• Perform passive and active SSL/TLS encryption – this applies to inline and out-ofband architectures
• Generate internal reporting – real-time onscreen analytics that includes details on throughput, sessions and crypto data
• Support all leading ciphers for TLS 1.1, 1.2 and 1.3 and built-in policy management