
Simplifying Decryption With Cisco's Secure Firewall 7.7

Jun 19, 2025, Hi-network.com

Decryption is a fundamental pillar in combating modern cyber threats, empowering organizations to scrutinize encrypted web traffic and reveal concealed risks. In an era where virtually all online communications are encrypted, including those exploited by cybercriminals, robust decryption policies are essential for spotting and blocking malware, identifying command and control networks, and preventing web application attacks. However, configuring decryption policies can be complex and challenging due to several factors.

Challenges in Configuring Decryption Policies

Decryption rules need to strike a balance between granularity and simplicity. Highly granular rules can provide precise control over which traffic is decrypted, but they can also become complex and difficult to manage. Simplicity aids in easier management and reduces the risk of misconfiguration. The order in which decryption rules are evaluated is critical. Rules are typically processed from top to bottom, and the first matching rule is applied. This means more specific rules should be placed higher to ensure they are applied before more general rules.
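The ordering point above is easy to get wrong in a long rule base, so here is an added example (not Cisco's code, and not the firewall's rule model) that evaluates a small decryption policy top to bottom with first-match semantics and flags rules that can never fire because a more general rule sits above them. Rule names, networks, URL categories and the three-field match model are constructed assumptions for illustration; a real rule has many more match criteria.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple

# Constructed policy model for this example; the rule names, networks and
# categories are made up and the matching fields are a subset of a real rule's.


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "decrypt", "do-not-decrypt" or "block"
    dst_net: str = "0.0.0.0/0"                    # default matches every destination
    categories: FrozenSet[str] = frozenset()      # empty = any URL category
    ports: FrozenSet[int] = frozenset()           # empty = any destination port

    def matches(self, conn: Dict) -> bool:
        if ip_address(conn["dst"]) not in ip_network(self.dst_net):
            return False
        if self.categories and conn["category"] not in self.categories:
            return False
        if self.ports and conn["port"] not in self.ports:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True when every connection `other` can match also matches self,
        i.e. self is at least as general on every field."""
        if not ip_network(other.dst_net).subnet_of(ip_network(self.dst_net)):
            return False
        if self.categories and not (other.categories and other.categories <= self.categories):
            return False
        if self.ports and not (other.ports and other.ports <= self.ports):
            return False
        return True


def first_match(rules: List[Rule], conn: Dict) -> str:
    """Top-to-bottom evaluation: the first matching rule decides; 'default' if none match."""
    for rule in rules:
        if rule.matches(conn):
            return rule.name
    return "default"


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed rule, earlier rule) pairs: rules that can never fire because an
    earlier, more general rule already catches everything they would match."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                found.append((rule.name, earlier.name))
                break
    return found


# A general bypass placed above a narrower decrypt rule: the narrow rule is dead.
BAD_ORDER = [
    Rule("bypass-finance-health", "do-not-decrypt", categories=frozenset({"finance", "health"})),
    Rule("decrypt-outbound", "decrypt", ports=frozenset({443})),
    Rule("decrypt-flagged-finance", "decrypt", dst_net="203.0.113.0/24",
         categories=frozenset({"finance"}), ports=frozenset({443})),
]

# Same rules with the most specific one first.
GOOD_ORDER = [BAD_ORDER[2], BAD_ORDER[0], BAD_ORDER[1]]

FLAGGED_CONN = {"dst": "203.0.113.5", "category": "finance", "port": 443}
BANK_CONN = {"dst": "198.51.100.7", "category": "finance", "port": 443}

if __name__ == "__main__":
    print("shadowed in BAD_ORDER:", shadowed_rules(BAD_ORDER))
    print("BAD_ORDER decides:", first_match(BAD_ORDER, FLAGGED_CONN))
    print("GOOD_ORDER decides:", first_match(GOOD_ORDER, FLAGGED_CONN))
```

Running `shadowed_rules` over a policy before deploying it catches the classic mistake the text describes: in `BAD_ORDER` the broad finance bypass silently swallows the narrower decrypt rule, while `GOOD_ORDER` lets the specific rule fire and still bypasses ordinary finance traffic.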

Networks are dynamic, with frequent changes in applications, services, and user behaviors. Decryption rules must be regularly updated to adapt to these changes and remain effective in addressing new threats and traffic patterns. Decryption rules often interact with other policies, such as access control and intrusion prevention. It is important to consider these interdependencies to ensure that changes in decryption rules do not inadvertently impact other security measures. Misconfigured decryption rules can lead to false positives, where legitimate traffic is incorrectly decrypted or blocked, and false negatives, where malicious traffic passes through without inspection. Accurate matching criteria are essential to minimize these issues.

Each decryption rule that is applied to traffic consumes system resources. Overloading the system with too many complex rules can degrade performance, so it is important to optimize rule configurations to balance security needs with available resources.

Decryption rules must be configured to handle a variety of encryption protocols and cipher suites. Ensuring compatibility with the latest standards, such as TLS 1.3, is crucial to maintaining security and functionality. Decrypting traffic to personal, financial, or healthcare sites can raise privacy concerns, so policies must be configured carefully to bypass such traffic.

Despite these challenges, Cisco's Secure Firewall 7.7 offers Intelligent Decryption Bypass as part of an enhanced Decryption Wizard. Together they simplify policy creation and optimize resource utilization, making decryption more manageable and effective while preserving the security visibility that decryption exists to provide.

Decryption Policy Wizard: Key Features and Capabilities

Cisco Secure Firewall 7.7 addresses these challenges with advanced decryption capabilities, particularly through enhancements to the Decryption Policy Wizard. These features make it easier to create effective policies while maintaining security, performance, and privacy.

Intelligent Decryption Bypass

The Intelligent Decryption Bypass feature utilizes Cisco's Encrypted Visibility Engine (EVE) to analyze encrypted traffic and determine risk levels without the need for decryption. EVE leverages metadata extracted from TLS Client Hello packets, such as the TLS version, cipher suites, and TLS extensions. This information helps identify the application even though the payload is encrypted.

By using advanced machine learning algorithms, EVE can detect anomalies and classify traffic. These algorithms learn from known patterns of both legitimate and malicious traffic, enabling the identification of potential threats. EVE creates fingerprints based on known traffic patterns of specific applications or services. These fingerprints allow EVE to recognize traffic types and assess whether they are typical or anomalous. By assessing the risk level associated with various traffic types, it determines which connections can safely bypass decryption.

Based on EVE's risk assessment, the firewall can then:

  • Bypass Decryption: For low-risk connections, especially those going to trusted websites (determined by the URL Category Reputation of the destination).
  • Apply Decryption Policies: Use a "client threat" condition, based on EVE's assessment, to selectively decrypt higher-risk traffic.

By bypassing decryption for low-risk connections, the feature conserves system resources, preventing unnecessary processing load on devices by earlier termination of the TLS handshake for bypassed traffic. This optimization enhances overall performance and ensures that resources are allocated to decrypting high-risk traffic where security gains are most substantial. Bypassing decryption for non-threatening traffic reduces the computational overhead, allowing the system to focus on critical areas where threats are more likely to occur.

Enhanced Decryption Wizard

The enhanced wizard provides a streamlined interface with single-click options for configuring decryption policies. This simplicity reduces the complexity typically associated with manual policy tuning.

  • Sensitive URL Bypassing: The wizard offers straightforward options to bypass decryption for URLs associated with sensitive data, such as finance and healthcare sites, ensuring privacy is maintained.
  • Handling Undecryptable Applications: It allows easy configuration to bypass applications that are undecryptable due to protocol limitations or privacy concerns, simplifying policy management.

The wizard's intuitive design makes it accessible for administrators of all experience levels, reducing the time and effort required to set up effective decryption policies.

By automating the process of identifying sensitive URLs and undecryptable applications, the wizard minimizes the need for ongoing manual adjustments. This efficiency ensures that policies remain effective and up to date without constant administrative input.

The tool ensures security policies do not compromise user privacy by simplifying the process of excluding sensitive communications from decryption.

Blocking Older TLS Versions

The wizard allows administrators to block traffic using older, less secure versions of TLS and SSL. This includes SSL 3.0, TLS 1.0 and TLS 1.1, which have known vulnerabilities and are susceptible to several types of attacks. By blocking outdated TLS versions, the firewall prevents potential exploits that target vulnerabilities inherent in these older protocols, such as the POODLE attack on SSL 3.0.

Many security standards and regulations require the use of up-to-date encryption protocols. Blocking older versions helps organizations comply with these requirements, ensuring that only secure connections are allowed.

Limiting traffic to modern TLS versions reduces the attack surface, minimizing the risk of various malicious attacks such as interception attacks, downgrade attacks, replay attacks, and exploits targeting vulnerabilities in outdated protocols or weak encryption mechanisms, thereby preventing the interception or manipulation of encrypted communications.
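The Intelligent Decryption Bypass section says EVE works from the unencrypted Client Hello (versions, cipher suites, extensions), and this section says the wizard blocks clients on outdated protocol versions. Both decisions read the same handshake fields, so here is one added example (not Cisco's or EVE's code) that parses a ClientHello record, derives a JA3-style fingerprint of its shape, and maps the result plus a URL reputation and client threat score to block, do-not-decrypt or decrypt. The sample handshakes, the reputation labels, the threat-score threshold and the `decryption_action` logic are constructed assumptions; only the TLS code points are real IANA values.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

# TLS code points below are the IANA-registered values; the sample handshakes
# and the risk thresholds are constructed for this example, not Cisco's.
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B


def sni_ext(host: str) -> bytes:
    """server_name extension body: list length, name type 0, name length, name."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return struct.pack("!H", len(entry)) + entry


def versions_ext(versions: List[int]) -> bytes:
    """supported_versions extension body (client form): 1-byte length + 2-byte versions."""
    return bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)


def build_client_hello(legacy_version: int, ciphers: List[int],
                       extensions: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a minimal ClientHello record so the parser has realistic input to work on."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = struct.pack("!H", legacy_version)
    body += b"\x11" * 32                                  # client random (fixed, constructed)
    body += b"\x00"                                       # empty legacy session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                   # one compression method: null
    body += struct.pack("!H", len(ext_body)) + ext_body
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> Dict:
    """Pull out the unencrypted handshake fields a classifier sees: versions, ciphers, extensions, SNI."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                               # 5-byte record header + 4-byte handshake header
    legacy_version = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + 32                                         # version, then skip the 32-byte random
    pos += 1 + record[pos]                                # session id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + record[pos]                                # compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end, ext_order, ext_data = pos + ext_len, [], {}
    while pos < end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        ext_order.append(etype)
        ext_data[etype] = record[pos:pos + elen]
        pos += elen
    versions = [legacy_version]
    if EXT_SUPPORTED_VERSIONS in ext_data:                # TLS 1.3 clients advertise versions here
        sv = ext_data[EXT_SUPPORTED_VERSIONS]
        versions = [struct.unpack("!H", sv[i:i + 2])[0] for i in range(1, 1 + sv[0], 2)]
    sni = None
    if EXT_SERVER_NAME in ext_data:
        sn = ext_data[EXT_SERVER_NAME]
        sni = sn[5:5 + struct.unpack("!H", sn[3:5])[0]].decode()
    return {"versions": versions, "ciphers": ciphers, "extensions": ext_order, "sni": sni}


def fingerprint(hello: Dict) -> str:
    """JA3-style digest of the handshake shape (simplified; not the JA3 algorithm itself)."""
    parts = ["-".join(f"{v:04x}" for v in hello["versions"]),
             "-".join(f"{c:04x}" for c in hello["ciphers"]),
             "-".join(f"{e:04x}" for e in hello["extensions"])]
    return hashlib.sha256(",".join(parts).encode()).hexdigest()[:16]


def decryption_action(hello: Dict, url_reputation: str, client_threat_score: int,
                      min_version: int = TLS12) -> str:
    """Map handshake metadata plus reputation to the three outcomes the wizard configures.
    The threshold and labels are assumptions for this example."""
    if max(hello["versions"]) < min_version:
        return "block"                                    # client can only speak an outdated protocol
    if url_reputation == "trusted" and client_threat_score < 20:
        return "do-not-decrypt"                           # very low risk: bypass, stop tracking the handshake
    return "decrypt"


MODERN_HELLO = build_client_hello(TLS12, [0x1301, 0x1302, 0xC02F],
                                  [(EXT_SERVER_NAME, sni_ext("bank.example")),
                                   (EXT_SUPPORTED_VERSIONS, versions_ext([TLS13, TLS12]))])
LEGACY_HELLO = build_client_hello(TLS10, [0x0005], [])   # TLS 1.0 only, RC4-SHA only

if __name__ == "__main__":
    for label, rec in (("modern", MODERN_HELLO), ("legacy", LEGACY_HELLO)):
        h = parse_client_hello(rec)
        print(label, h, fingerprint(h), decryption_action(h, "trusted", 5))
```

Two details matter for the version check: a TLS 1.3 client keeps `legacy_version` at 0x0303 and lists its real offers in `supported_versions`, so the parser prefers that extension when present; and the block decision looks at the highest offered version, since a client that also lists older versions will still negotiate the newest one the server supports.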

Certificate Status Management

The wizard includes options to block traffic based on the status of digital certificates. This involves checking for expired, not-yet-valid, and invalid-signature certificates used in establishing secure connections.

Invalid or compromised certificates can be exploited in attacks where an adversary intercepts and manipulates communications. By blocking these, the firewall helps prevent such security breaches. Ensuring that only valid certificates are accepted reinforces trust in the integrity of the encrypted sessions and prevents unauthorized entities from impersonating legitimate servers.

Automatically managing certificate status through the wizard simplifies the enforcement of security policies, reducing administrative overhead and ensuring consistent protection across the network.

Overall Impact

These features collectively enhance the ability of Cisco Secure Firewall to manage encrypted traffic efficiently. By utilizing EVE and simplifying policy creation, the system maintains robust security, optimizes resource utilization, and respects user privacy, ensuring that decryption policies are both effective and sustainable in dynamic network environments.

Decryption Policy Wizard Enhancements in Cisco Secure Firewall 7.6 and 7.7

The Decryption Policy Wizard, introduced in Release 7.4, has been significantly enhanced in Cisco Secure Firewall 7.6 and 7.7. These updates streamline the setup process by automatically adding bypass rules, known as Do Not Decrypt (DnD) rules or decryption exclusions, for specified outbound traffic, making policy configuration more efficient.

In Release 7.6, the wizard can automatically bypass decryption for sensitive URL categories, undecryptable distinguished names, and undecryptable applications.

Release 7.7 further extends this capability to very low-risk connections, offering a more comprehensive and user-friendly approach to managing encrypted traffic, called Intelligent Decryption or Selective Decryption. Additionally, the wizard allows administrators to block outdated TLS versions and manage invalid certificate statuses, enhancing security by preventing vulnerabilities associated with older protocols and ensuring trust in secure connections.

[Table: decryption exclusion options available in the Decryption Policy Wizard view; the table image is not reproduced here.]

The Decryption Policy Wizard creates policies that adhere to security best practices by:

  • Blocking insecure TLS versions and certificate statuses.
  • Bypassing decryption for trusted, sensitive, and un-decryptable traffic.
  • Implementing both inbound and outbound decryption rules.

Conclusion

Cisco Secure Firewall 7.7 offers advanced decryption capabilities designed to address the challenges of pervasive encryption. With features like Intelligent Decryption Bypass, it intelligently identifies and bypasses very low-risk connections by leveraging EVE and URL reputation, utilizing both client and server insights. This ensures highly accurate decision-making and elevated security awareness, setting it apart from many other vendors. These capabilities empower organizations to maintain strong security visibility and effectiveness in an increasingly encrypted world.


