SSL Inspection & Security Services - Best Practice for Firewalls

The article provides a step-by-step guide on configuring SSL Inspection on Zyxel firewalls [USG FLEX, ATP Series], ensuring SSL traffic is decrypted, scanned, and re-encrypted, followed by SSL Inspection best practices. These practices include enabling SSL Inspection, determining exception criteria, identifying critical websites, and regularly updating the list of trusted sites.

Table of Content

1) Configure SSL Inspection

2) SSL Inspection Best Practices

3) SSL Inspection Website Exception List Recommendations

Introduction

SSL Inspection, also known as SSL/TLS decryption or SSL decryption, is a security technique employed to monitor encrypted network traffic for potential threats. With the widespread adoption of HTTPS, encrypted traffic has become the norm, which poses a challenge for traditional security measures to detect and mitigate threats. SSL Inspection overcomes this limitation by decrypting SSL-encrypted data, inspecting it for malicious content, and re-encrypting it for secure delivery.

Zyxel offers SSL Inspection and a range of security services, including IP reputation filtering, to enhance network security and protect against evolving cyber threats. By properly configuring these services and creating an exception list for certain sites, you can strike the right balance between efficiency and safety in your network environment.

1) Configure SSL Inspection

SSL Inspection allows you to check SSL-encrypted packages in order to let several other UTM Profiles work properly with HTTPS traffic. This video will guide you through a generic configuration setup!

In Zyxel firewalls, you can exclude Content filter Categories from the SSL Inspection.

This can be done by scrolling to the bottom of the "Exclude List" and clicking on "Advanced".

Walkthrough Steps:

1. Access your device by entering its IP address in the browser address line and login by using the device’s credential
2. Navigate to Configuration > Object > Certificate
3. Edit the default self-signed certificate and export it
4. On windows, you need to run certmgr.msc and import the certificate into Trusted Root Certificate Authorities > Certificates
5. On the USG, navigate to Configuration > UTM Profile > SSL Inspection
6. Add a new profile and select the profile which you have exported before
7. Select the action which should be applied to the SSL traffic
8. Navigate to Configuration > Security Policy > Policy Control
9. Add a new rule with SSL Inspection ticked
10. If for example using Application Patrol, you can then set the rule from LAN to WAN and select the Application Patrol Profile you want to use

Any outgoing SSL traffic from LAN to WAN will then first be decrypted, scanned and either dropped or encrypted again.

Here You chose the Categories to exclude and click on "apply":

2) SSL Inspection Best Practices

1. Enabling SSL Inspection: Before creating an exception list, ensure that SSL Inspection is correctly enabled on your Zyxel security appliance. This step may involve generating and installing SSL certificates to avoid security warnings on client devices (see this article).

2. Determining Exception Criteria: Define clear criteria for adding websites to the exception list. Typically, these criteria should include a thorough assessment of the site's reputation, purpose, and level of trustworthiness. Only trusted websites should be considered for exceptions.

3. Critical Websites and Services: Identify critical websites and services that must remain exempt from SSL Inspection to ensure uninterrupted functionality. These may include essential business applications, financial portals, or online payment gateways.

4. Updating Trusted Sites Regularly: Cyber threats are constantly evolving, and websites that are safe today might become compromised tomorrow. Continuously review and update the list of trusted sites to ensure the security of your network environment.

5. Whitelisting and Blacklisting: Utilize both whitelisting and blacklisting approaches for IP reputation filtering. Whitelist reputable sites to bypass SSL Inspection, and blacklist known malicious sites to enhance security measures.

6. Internal Resources: Exclude internal network resources, such as intranet sites and trusted servers, from SSL Inspection to prevent unnecessary decryption and re-encryption overhead.

7. Exemption for Sensitive Data: Sites handling sensitive data, such as medical records or personal information, should be considered for exemption to protect user privacy and comply with data protection regulations.

8. Collaboration with Users: Involve key stakeholders and end-users when creating the exception list. Gathering feedback and insights from employees can help identify essential websites and improve the overall efficiency of the network.

9. Periodic Reviews: Conduct regular reviews of the exception list to ensure its relevance and efficacy. Remove unnecessary entries and add new trusted sites as required.

10. Logging and Monitoring: Enable detailed logging and monitoring of SSL Inspection and security services to detect any potential anomalies or unauthorized access attempts.

3) SSL Inspection Website Exception List Recommendations

Because a list of trusted websites must be constantly monitored and reviewed for security reasons, we can suggest some categories of websites that are commonly considered for exceptions in SSL inspection:

1. Financial Institutions: Websites of banks, credit unions, and other financial institutions that handle sensitive financial transactions and personal data.

2. Government and Official Websites: Government websites, official portals, and public services that require secure communication.

3. Healthcare Providers: Websites of hospitals, clinics, and healthcare providers handling confidential medical information.

4. Educational Institutions: Websites of schools, universities, and educational platforms where students access learning materials and resources.

5. Internal Network Resources: Intranet sites, internal servers, and other trusted resources used solely by the organization.

6. Collaboration and Communication Tools: Trusted communication tools, like video conferencing platforms or company-wide messaging systems.

7. Legal and Law Enforcement Websites: Websites of law firms, legal services, and law enforcement agencies that handle sensitive information.

8. Reputable News and Media Outlets: Well-known and established news websites and media outlets.

9. Software and System Update Servers: Websites providing software updates and patches from official sources.

10. Software-as-a-Service (SaaS) Providers: Trusted cloud-based services that are critical for business operations.

Remember that the list of trusted websites will vary depending on your organization's specific needs and requirements. Always involve key stakeholders, such as IT administrators, department heads, and end-users, in the process of creating and maintaining the exception list. Regularly review and update the list to ensure its relevance and effectiveness in providing a balance between network efficiency and security.