Traditional Intrusion Detection Systems (IDSs) rely on deep packet inspection (DPI) to scan the content of network traffic for signs of malicious behavior. End-to-end encryption defeats this process, because it hides the traffic's content from every device between the source and the destination.
To work around this problem, many organizations have adopted "man in the middle" (MITM) techniques, typically in the form of SSL appliances. These techniques restore some visibility to DPI-based tools, but they introduce problems of their own.
What is a “man in the middle”?
End-to-end encryption is used to guarantee the privacy of the network traffic exchanged by two communicating endpoints. It’s important to make sure that sensitive data (such as financial information) is transmitted using strong encryption – this ensures that only the sender and the designated recipient can see it. End-to-end encryption prevents a would-be attacker that has access to network traffic in transit (the “man in the middle”) from seeing the sensitive data.
SSL appliances work by tricking both the sender on the local network and the recipient on the Internet:
This trick lets the SSL appliance, which sits between the sender and the recipient, see both sides of every conversation in the clear; so can any other appliance to which the decrypted traffic is then routed.
This approach restores visibility to DPI tools and would seem to be a win for security. However, it is a tradeoff. Because SSL appliances have visibility into unencrypted network traffic, they are a valuable target for a real attacker: an attacker who compromises the SSL appliance no longer has to compromise each endpoint individually.
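As an added illustration (not code from the original post), the following Python model shows the trust decision that determines whether an SSL appliance's interception succeeds. Certificates are reduced to subject, issuer and public-key records, and every name, key and hostname is constructed for this example. A client whose trust store contains the appliance's CA accepts the forged certificate; a client that only trusts public roots, or an application that pins the real server key, rejects it, which is how interception becomes visible from the endpoint side.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Simplified certificate: only the fields the trust decision needs.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: str  # stands in for the SubjectPublicKeyInfo bytes

def chain_trusted(leaf: Cert, intermediates: Dict[str, Cert], roots: Set[str]) -> bool:
    """Walk issuer links from the leaf until a trusted root name is reached."""
    cert = leaf
    seen: Set[str] = set()
    while cert.issuer not in roots:
        if cert.issuer in seen or cert.issuer not in intermediates:
            return False  # loop or dangling issuer: no path to a trusted root
        seen.add(cert.issuer)
        cert = intermediates[cert.issuer]
    return True

def client_decision(leaf: Cert, roots: Set[str], pinned_key: Optional[str] = None) -> str:
    """Emulate a client's accept/reject decision for a presented leaf cert."""
    if not chain_trusted(leaf, {}, roots):
        return "reject: untrusted issuer"
    if pinned_key is not None and leaf.public_key != pinned_key:
        return "reject: key does not match pin (interception suspected)"
    return "accept"

# Constructed data: the real server certificate and the one an inspection
# appliance forges for the same hostname, signed by the corporate CA.
REAL_LEAF = Cert("bank.example", "Public CA Root", "pk-real-bank")
FORGED_LEAF = Cert("bank.example", "Corp Inspection CA", "pk-appliance-bank")
PUBLIC_ROOTS = {"Public CA Root"}
CORP_ROOTS = PUBLIC_ROOTS | {"Corp Inspection CA"}  # managed devices trust the appliance CA

if __name__ == "__main__":
    print("unmanaged client, forged cert:", client_decision(FORGED_LEAF, PUBLIC_ROOTS))
    print("managed client, forged cert:  ", client_decision(FORGED_LEAF, CORP_ROOTS))
    print("pinning app, forged cert:     ",
          client_decision(FORGED_LEAF, CORP_ROOTS, pinned_key="pk-real-bank"))
    print("managed client, real cert:    ", client_decision(REAL_LEAF, CORP_ROOTS))
```

The pinned case is worth noting operationally: applications that pin the server key will fail behind an inspection appliance, so a deployment plan has to account for them.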
Using MITM has other downsides:
Avoiding the man in the middle
One of the main goals of using encryption is to protect against snooping by a hostile man in the middle. Undermining that goal by design in your own network should be avoided if possible.
As we mentioned in a previous blog post, endpoint modeling is a safer and more cost-effective way to monitor network traffic while it stays encrypted. Endpoint modeling requires neither third-party technology nor the installation of agents that decrypt traffic. Instead, it collects metadata from switches that describes the network communication of devices on the network, both with the outside world and with other local devices. It analyzes that metadata in real time for suspicious events, using a model of normal behavior for each individual device that is built dynamically from the device's own network metadata. Changes in behavior are reported immediately, so you can discover malicious activity and act before an attack has done damage.
Getting better visibility into your network and improving your security couldn't be easier. Sign up for a free, no-risk trial of Observable's Endpoint Modeling solution, and change the way you see security.
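To make the endpoint-modeling idea concrete, here is an added Python example (not Observable's code) that works purely on flow metadata of the kind a switch can export: source, destination, destination port and byte count. It builds a per-device model of normal behavior from a learning window, then scores new flows against that model and reports deviations. All flow records, addresses (documentation range 203.0.113.0/24 and private 10.0.0.0/8) and the volume threshold are constructed for this example; the point is that nothing here needs the payload, so the traffic can stay encrypted.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since epoch (constructed)
    src: str         # local device
    dst: str         # peer
    dport: int       # destination port
    bytes_out: int   # bytes sent by src

@dataclass
class DeviceModel:
    ports: Set[int] = field(default_factory=set)   # destination ports seen
    peers: Set[str] = field(default_factory=set)   # peers seen
    max_bytes: int = 0                             # largest single flow seen

def build_models(flows: List[Flow]) -> Dict[str, DeviceModel]:
    """Learn a baseline of normal behavior per source device from metadata only."""
    models: Dict[str, DeviceModel] = {}
    for f in flows:
        m = models.setdefault(f.src, DeviceModel())
        m.ports.add(f.dport)
        m.peers.add(f.dst)
        m.max_bytes = max(m.max_bytes, f.bytes_out)
    return models

def score_flow(models: Dict[str, DeviceModel], f: Flow, volume_factor: int = 5) -> List[str]:
    """Return the reasons a flow deviates from its device's model (empty = normal)."""
    m = models.get(f.src)
    if m is None:
        return ["unknown device"]
    reasons = []
    if f.dport not in m.ports:
        reasons.append(f"new destination port {f.dport}")
    if f.dst not in m.peers:
        reasons.append(f"new peer {f.dst}")
    if f.bytes_out > volume_factor * m.max_bytes:
        reasons.append(f"outbound volume {f.bytes_out}B exceeds "
                       f"{volume_factor}x baseline max {m.max_bytes}B")
    return reasons

def detect(models: Dict[str, DeviceModel], flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """Score a batch of flows; normal flows extend the model, deviant ones are reported."""
    alerts = []
    for f in flows:
        reasons = score_flow(models, f)
        if reasons:
            alerts.extend((f.src, f.dst, f.dport, r) for r in reasons)
        else:
            # Dynamic model: behavior that is still normal refines the baseline.
            m = models[f.src]
            m.max_bytes = max(m.max_bytes, f.bytes_out)
    return alerts

# Constructed learning window: a printer (10.0.0.20) that only talks to the print
# server and DNS, and a workstation (10.0.0.31) that also browses an external site.
BASELINE = [
    Flow(1000, "10.0.0.20", "10.0.0.5", 9100, 1200),
    Flow(1060, "10.0.0.20", "10.0.0.5", 9100, 3100),
    Flow(1120, "10.0.0.20", "10.0.0.2", 53, 90),
    Flow(1180, "10.0.0.20", "10.0.0.5", 9100, 800),
    Flow(1240, "10.0.0.20", "10.0.0.2", 53, 110),
    Flow(1300, "10.0.0.31", "10.0.0.2", 53, 120),
    Flow(1360, "10.0.0.31", "203.0.113.10", 443, 40000),
    Flow(1420, "10.0.0.31", "203.0.113.10", 443, 25000),
]

# Constructed new flows: the printer suddenly pushes a large HTTPS upload to an
# external host, the workstation keeps browsing, and an unknown device appears.
NEW_FLOWS = [
    Flow(2000, "10.0.0.20", "203.0.113.10", 443, 50000),
    Flow(2060, "10.0.0.31", "203.0.113.10", 443, 30000),
    Flow(2120, "10.0.0.99", "10.0.0.2", 53, 100),
]

if __name__ == "__main__":
    models = build_models(BASELINE)
    for alert in detect(models, NEW_FLOWS):
        print(alert)
```

The printer's upload is flagged three times over (new port, new peer, volume far above its own baseline) even though the traffic itself is TLS, while the workstation's equally encrypted HTTPS session is normal for that device and passes. The model is per device, so the same destination is suspicious for one endpoint and routine for another.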