How next-gen DPI addresses the shortcomings of SSL/TLS inspection

by Sebastian Müller
published on: 27.03.2023

With terabytes of data moving through enterprise LAN, WAN and mobile networks, encryption provides a proven means of safeguarding data privacy, confidentiality and security. Encryption encodes data using cipher suites or special keys, converting plaintext into ciphertext and making the packet payload invisible to third parties. Encryption is not new and has evolved over time in tandem with changes in application types, privacy needs and security risks. Today, encryption features advanced protocols such as TLS 1.3, DNS-over-HTTPS, DNS-over-TLS and IPsec tunneling. These protocols use rigorous and hard-to-break techniques to conceal packet information as packets are transported far and wide.

The encryption paradox

Application providers and managers benefit tremendously from encryption. Banking, CRM, ERP, m-commerce, government and e-wallet applications, for example, operate on the premise that critical information remains sealed until it reaches the intended recipients. At the outset, this seems to be a panacea for safeguarding networks from security attacks such as eavesdropping and man-in-the-middle. However, with the passage of time, network administrators came to realize the paradox of encryption: the very method that safeguards data also opens it up to various vulnerabilities due to the growing gaps in network visibility. Loss of visibility caused by encryption impedes crucial traffic insights needed for routing and controlling traffic and for implementing network rules. In addition, threat actors benefit from encryption as they can easily use it to disguise malware and malicious activity.

Decryption vs. encryption

With more packet information rendered unreadable, traditional methods for analyzing applications and traffic flows were quickly losing their relevance. This saw network administrators turning to decryption, the obvious answer to encryption, where packets are opened, read and sealed back up. It involves the use of specific tools known as SSL/TLS inspection, also referred to as middleboxes, MiTM, SSL/TLS proxy servers and HTTPS interception.

Decryption using SSL/TLS inspection is admittedly the simplest method to address the loss of traffic visibility due to encryption. Deciphering the payload information using in-line inspection boxes provides all the prerequisite information at the packet level – from the application type to the presence of malware, allowing network administrators to manage and secure traffic flows effectively and efficiently.

Information leakage

However, SSL/TLS inspection has some notable downsides. According to our latest research report released in March 2023, 61.8% of leading networking vendors find that, ironically, SSL/TLS inspection increases their security vulnerabilities. In fact, security is named as the biggest concern for SSL/TLS inspection. The report ‘Deep packet inspection and encrypted traffic visibility for IP networks’ outlines the potential exposure of sensitive data and network encryption keys as traffic is routed through a forward proxy. Malicious parties can tap into these servers using legitimate lines of communications and subtly siphon out the information.

Data privacy concerns

Another pressing concern for administrators who deploy SSL/TLS inspection is the growing regulatory pressure. The report cited this as the second biggest issue for SSL/TLS inspection. Regulatory guidelines, such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), mandate that personally identifiable information (PII) be managed confidentially at all times. Exposing this data to middleboxes contravenes most regulations on data privacy and confidentiality, especially across critical sectors such as healthcare and banking.

Unnecessary overheads

Despite its simplicity, SSL/TLS inspection involves extensive configuration. From setting up a forward proxy and authenticating certificates to negotiating cipher suites, establishing SSL/TLS inspection for an unlimited number of user sessions can be time-consuming, complicated and involve a high degree of manual intervention. Half of the networking vendors surveyed find configuration complexity a major hindrance to the use of SSL/TLS inspection, according to the report.

Additionally, decryption involves decoding and re-encoding, which requires additional computing resources and can have negative implications on network speeds and latencies. For networks dealing with latency-sensitive applications, processing bottlenecks can lead to poor application performance.

Limited functionalities

Based on the report, a lack of support for new encryption protocols is also a significant issue for SSL/TLS inspection. Passive-mode devices, for example, rely on older protocols or keys, such as RSA, that are deprecated in TLS 1.3. TLS proxy servers configured to the latest standards thus become incompatible with such clients, leaving scores of RSA-dependent applications, such as e-commerce and email suites, unmonitored.

SSL/TLS inspection tools can be configured to bypass certain applications, specifically those handling sensitive information. This feature can somewhat mitigate concerns relating to PII. Unfortunately, the introduction of newer protocols that encrypt the SNI and the certificate SAN has suppressed previously visible packet information, such as destination addresses, which is typically used as a bypass condition. Under these circumstances, SSL/TLS inspection tools, such as MiTM boxes, end up decrypting every single packet, resulting in massive inefficiencies.
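To make the bypass mechanism concrete, the following added example (not code from the original article or from any inspection product) parses the server_name (SNI) extension out of a TLS ClientHello and applies a bypass rule for a constructed allowlist of sensitive hostnames. The ClientHello bytes are built in the script itself, the hostnames are placeholders, and the `decrypt-blind` outcome is this example's own label for the case the text describes: with no SNI visible, the device has nothing to match a bypass condition against and falls through to decrypting the flow.

```python
import struct

# Constructed placeholder names for the demonstration; they are not real hosts.
SENSITIVE_NAMES = {"portal.example-hospital.test", "online.example-bank.test"}


def build_client_hello(server_name=None):
    """Construct a minimal TLS ClientHello record (constructed test input, not a capture).

    With server_name=None the SNI extension is omitted, which is what an in-line
    inspection device effectively sees once the name is carried encrypted (ECH).
    """
    cipher_suites = struct.pack("!HH", 0x1301, 0x1302)  # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list  # extension server_name(0)
    versions = b"\x02\x03\x04"                                              # supported_versions: TLS 1.3
    extensions += struct.pack("!HH", 43, len(versions)) + versions
    body = (b"\x03\x03" + bytes(32)                     # legacy_version, random (zeroed for the demo)
            + b"\x00"                                   # empty legacy_session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                               # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip legacy_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # skip legacy_session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # skip legacy_compression_methods
    if len(body) < pos + 2:
        return None                                # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000 or len(data) < 5:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= min(list_end, len(data)):
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", "replace")
            p += 3 + name_len
    return None


def inspection_decision(record, bypass_names=SENSITIVE_NAMES):
    """Decide whether a middlebox should bypass or decrypt the flow this ClientHello opens."""
    sni = extract_sni(record)
    if sni is None:
        return "decrypt-blind"   # no bypass condition visible: the tool falls through to full decryption
    if any(sni == n or sni.endswith("." + n) for n in bypass_names):
        return "bypass"
    return "decrypt"


if __name__ == "__main__":
    for name in ("portal.example-hospital.test", "www.example-shop.test", None):
        print(name, "->", inspection_decision(build_client_hello(name)))
```

The parser deliberately bounds every read by the declared lengths and returns `None` rather than raising on truncated or non-handshake records, since a policy engine in the data path must not be knocked over by malformed input. Note that the same allowlist logic fails closed into decryption, not into bypass, when the name is missing, which is exactly the inefficiency the text attributes to encrypted SNI.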

Another concern afflicting a considerable number of networking vendors is the rejection of SSL/TLS-inspected traffic by certain applications, clouds or networks. Applications such as Apple OS, for example, automatically decline connection upon detecting packets that have undergone SSL/TLS inspection.

Non-intrusive techniques to taming encrypted traffic

With increasing security, regulatory and practical constraints, SSL/TLS inspection and other decryption-based methods are making way for non-intrusive, highly advanced alternatives. Leading the way are next-gen deep packet inspection (DPI) tools such as the R&S®PACE 2 and R&S®vPACE product lines by ipoque. The ipoque DPI technology features encrypted traffic intelligence (ETI), which taps into advanced behavioral/statistical and heuristic analysis. ETI merges these analysis methods with cutting-edge AI-based techniques such as machine learning (ML), deep learning (DL) and high-dimensional data analysis, as well as advanced caching methods, to deliver unparalleled insights into traffic flows.

Behavioral/statistical analysis and heuristics study the physical attributes and movement patterns of packets to identify the underlying protocols, applications and services. Static information (e.g. packet size and packets per flow) is correlated with dynamic data (e.g. arrival intervals) to produce various statistical outputs, such as the mean and variance. These results are then compared with the matching parameters of known applications.

ipoque also uses a highly optimized combination of ML and DL techniques such as k-nearest neighbors (k-NN), decision tree learning models, convolutional neural networks (CNN), recurrent neural networks (RNN) and long short-term memory (LSTM) networks. These techniques employ thousands of features including statistical, time-series and packet-level features. ML and DL present a cutting-edge approach to analyzing encrypted traffic, enabling R&S®PACE 2 and R&S®vPACE engines to detect any protocol, application and service type with one of the highest classification accuracy rates in the industry.
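The two preceding paragraphs describe the pipeline in the abstract: reduce a flow to statistics over static and dynamic packet attributes, then match those against the parameters of known applications with a learned model. The following added example (my own illustration, not ipoque's engine and not how R&S®PACE 2 derives its features) carries that through end to end with five features and a k-nearest-neighbors classifier, one of the ML methods the text names. The three application kinds, the feature set and the synthetic flows generated by `synth_flow` are all constructed for the demonstration; no payload is ever inspected, only timestamps and sizes.

```python
from collections import Counter
from math import sqrt
from statistics import mean, pstdev, pvariance

# Feature set assumed for this illustration; production engines use far more.
FEATURES = ("pkts", "size_mean", "size_var", "gap_mean", "gap_var")


def flow_features(packets):
    """Derive statistical features from a flow given as (timestamp_s, payload_bytes) pairs.

    Static attributes (size, packets per flow) and dynamic ones (inter-arrival gaps)
    are reduced to mean and variance, the kind of summary the text describes.
    """
    sizes = [size for _, size in packets]
    gaps = [t2 - t1 for (t1, _), (t2, _) in zip(packets, packets[1:])]
    return {
        "pkts": len(packets),
        "size_mean": mean(sizes),
        "size_var": pvariance(sizes),
        "gap_mean": mean(gaps) if gaps else 0.0,
        "gap_var": pvariance(gaps) if gaps else 0.0,
    }


def synth_flow(kind, seed, scale=1.0):
    """Constructed synthetic flow of the given kind (not captured traffic).

    seed shifts the deterministic variation pattern; scale stretches packet sizes
    so that query flows differ from the training flows.
    """
    profiles = {                    # n, base size, size spread, base gap, gap spread
        "voip":            (50, 160, 6, 0.020, 0.001),
        "video_streaming": (80, 1400, 40, 0.004, 0.003),
        "web_browsing":    (20, 700, 600, 0.120, 0.100),
    }
    n, base, spread, gap, jitter = profiles[kind]
    packets, t = [], 0.0
    for i in range(n):
        wobble = ((i * 7 + seed) % 11) - 5          # deterministic pseudo-variation in [-5, 5]
        packets.append((t, int(base * scale) + spread * wobble // 5))
        t += gap + jitter * wobble / 5
    return packets


class FlowClassifier:
    """k-nearest-neighbors over z-scored flow features (one of the ML methods the text lists)."""

    def __init__(self, labelled_flows, k=3):
        self.k = k
        self.samples = [(flow_features(p), label) for p, label in labelled_flows]
        # Per-feature mean/std so byte counts and sub-second gaps weigh equally in the distance.
        self.norm = {}
        for f in FEATURES:
            column = [s[f] for s, _ in self.samples]
            sd = pstdev(column)
            self.norm[f] = (mean(column), sd if sd > 0 else 1.0)

    def _vector(self, feats):
        return [(feats[f] - m) / sd for f, (m, sd) in self.norm.items()]

    def classify(self, packets):
        """Return the majority label among the k closest known flows."""
        q = self._vector(flow_features(packets))
        ranked = sorted(
            (sqrt(sum((a - b) ** 2 for a, b in zip(q, self._vector(s)))), label)
            for s, label in self.samples
        )
        return Counter(label for _, label in ranked[: self.k]).most_common(1)[0][0]


def build_demo_classifier():
    """Train on constructed flows: five variants of each application kind."""
    training = [(synth_flow(kind, seed), kind)
                for kind in ("voip", "video_streaming", "web_browsing")
                for seed in range(5)]
    return FlowClassifier(training, k=3)


if __name__ == "__main__":
    clf = build_demo_classifier()
    for kind, scale in (("voip", 1.1), ("video_streaming", 0.95), ("web_browsing", 1.0)):
        print(kind, "->", clf.classify(synth_flow(kind, 9, scale)))
```

The z-scoring step is the part practitioners most often get wrong: without it, packet sizes in the hundreds of bytes dominate inter-arrival gaps measured in milliseconds and the timing features contribute nothing to the distance. The query flows are generated with a different variation phase and scaled sizes, so the classifier is matching on the statistical profile rather than on byte-identical inputs.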

Putting ETI to the test

ETI addresses many of the challenges associated with SSL/TLS inspection. As it no longer involves analyzing payload information, ETI circumvents the security and regulatory concerns relating to sensitive data. Built into highly optimized next-gen DPI solutions, ETI comes with high performance, linear scalability and low memory consumption. This leaves network latency unaffected and minimizes inspection overheads. Next-gen DPI with ETI is also free from backward compatibility issues. More importantly, it caters for existing as well as emerging encryption protocols, delivering visibility not just for today, but also far into the future.

Would you like to learn more about next-gen DPI and encrypted traffic visibility? Download our new whitepaper!

Sebastian Müller

Sebastian is a passionate DPI thought leader guiding a cross-functional team to build the networks of the future with leading traffic analytics capabilities. He has over ten years of dedicated experience in the telecom and cybersecurity domain, giving him a deep understanding of market requirements and customer needs. When he's not at work, you can find him either on his road bike or hiking in the mountains.