The National Security Agency (NSA) is warning network security administrators this week of the inherent dangers of Transport Layer Security Inspection, or TLSI.
In an advisory pushed out on Monday, the NSA broke down some of the risks of TLS break-and-inspect in enterprises and provided guidance and mitigations for security administrators who oversee TLS inspection.
TLSI is a mechanism for decrypting, then inspecting, encrypted traffic within a network. The TLSI device, typically a forward proxy, terminates the client's TLS session, hands the plaintext to firewalls, intrusion detection and prevention systems and similar tools so they can sniff out indicators of compromise, and then re-encrypts the traffic before it either enters or departs the network.
In its advisory, “Managing Risk From Transport Layer Security Inspection,” (PDF) the NSA is reminding admins that in order to minimize risk when it comes to inspecting TLS traffic, it should only be done once and within the enterprise network.
In its advisory, the agency stresses that organizations using TLSI products should ensure they are validated to properly implement data flow, TLS, and CA functions. Because many products "cut corners," in the words of the NSA, admins would be well served to ensure their products conform to criteria outlined by the National Information Assurance Partnership (NIAP), a government initiative managed by the NSA that oversees evaluations of commercial IT products.
Inspecting traffic multiple times can also complicate diagnosing network issues with TLS traffic later down the line. Redundant TLSI, in which client-server traffic is decrypted, inspected, and re-encrypted by one forward proxy and then forwarded to another forward proxy that does the same, should be avoided as well, according to the NSA.
"Redundant TLSI increases the risk surface, provides additional opportunities for adversaries to gain unauthorized access to decrypted traffic, and offers no additional benefits," the NSA writes.
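One practical way to enforce the "inspect only once" rule from the proxy side follows. This is an added example, not code from the NSA advisory or from any TLSI product. It covers both the break-and-inspect mechanism described above and the redundant-TLSI warning: when a TLSI proxy opens its own TLS session toward the destination, the certificate it receives tells it who minted that certificate. If the issuer is one of the enterprise's own inspection CAs, another proxy in the path has already broken this session, and breaking it again is redundant TLSI. The issuer names, the `Example Corp` CA entries and the sample certificates are all constructed for the example; the code works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
"""Detect a second TLS-inspection hop from the server-facing side of a
TLSI forward proxy.

Added example, not from the NSA advisory or any vendor. It classifies the
certificate the *upstream* presented (in ssl.SSLSocket.getpeercert() form)
as either issued by one of our own inspection CAs, meaning a downstream
proxy already broke this session, or issued by some outside CA.
"""
import socket
import ssl

# Assumption: the enterprise's own TLSI issuing CAs, identified by the
# organizationName/commonName pairs they place in the issuer DN of every
# forged leaf certificate. A production check should pin these CAs by
# SPKI fingerprint instead of by name: anyone who can forge a chain can
# also copy a DN string.
ENTERPRISE_TLSI_ISSUERS = {
    frozenset({("organizationName", "Example Corp"),
               ("commonName", "Example Corp TLSI CA 1")}),
    frozenset({("organizationName", "Example Corp"),
               ("commonName", "Example Corp TLSI CA 2")}),
}
PINNED_ATTRS = {"organizationName", "commonName"}


def issuer_of(peercert: dict) -> tuple:
    """Flatten getpeercert()['issuer'], a tuple of RDN tuples of
    (type, value) pairs, into one order-preserving tuple of pairs."""
    return tuple(pair for rdn in peercert.get("issuer", ()) for pair in rdn)


def decide_upstream(peercert: dict) -> str:
    """Return the action a TLSI proxy should take for an upstream session.

    'pass-through': the certificate was issued by one of our own inspection
                    CAs, so another proxy already decrypted and inspected
                    this session; breaking it again is redundant TLSI.
    'inspect':      issued by any other CA (or no certificate was returned),
                    so this proxy is the single inspection hop.
    """
    pinned_pairs = frozenset(p for p in issuer_of(peercert)
                             if p[0] in PINNED_ATTRS)
    if pinned_pairs in ENTERPRISE_TLSI_ISSUERS:
        return "pass-through"
    return "inspect"


def probe_upstream(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live variant: open a verified TLS session to the upstream, fetch the
    certificate it presents and classify it. Needs network access, so it
    is not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return decide_upstream(tls.getpeercert())


# Constructed sample certificates in getpeercert() shape; not real certs.
CERT_FROM_PUBLIC_CA = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Public Trust Ltd"),),
               (("commonName", "Public Trust TLS CA"),)),
}
CERT_FROM_OUR_TLSI_CA = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Corp TLSI CA 1"),),
               (("organizationName", "Example Corp"),)),
}
# Same organization, but an ordinary internal issuing CA, not a TLSI CA.
CERT_FROM_OUR_OTHER_CA = {
    "subject": ((("commonName", "intranet.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Issuing CA"),)),
}

if __name__ == "__main__":
    for label, cert in (("public CA", CERT_FROM_PUBLIC_CA),
                        ("our TLSI CA", CERT_FROM_OUR_TLSI_CA),
                        ("our other CA", CERT_FROM_OUR_OTHER_CA)):
        print(f"{label}: {decide_upstream(cert)}")
```

The comparison deliberately ignores RDN order and any attributes beyond the pinned ones, so a CA that writes `CN` before `O` still matches; a certificate from the same organization's ordinary issuing CA does not, because only the inspection CAs are listed. A proxy that returns `pass-through` should forward the already-inspected session unchanged and log the event, since a second interceptor in the path that is not one of the enterprise's own is exactly the unauthorized access to decrypted traffic the advisory warns about.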
As the agency notes, there are plenty of risks tied to breaking and inspecting TLS traffic.
If a forward proxy carries out TLSI, one of those risks is improper control and external processing of the decrypted traffic: if the plaintext is misrouted, it could be exposed to an unauthorized or poorly protected network.
In other instances, a TLSI deployment can open the door to an insider threat. The scenario the NSA warns about here is one in which the security administrators who manage TLSI abuse their access to surreptitiously grab passwords or other data from the decrypted traffic. Organizations should "apply the principles of least privilege and separation of duties" so that only authorized admins can access the data while other admins are prevented, the NSA stresses. "Use a separate auditor role to detect modification of the TLSI policy and other potential administrator privilege abuse."