Man in the Middle: Smart Security Decision or Vulnerable Approach?

Should you exert more effort to monitor your network after investing in technology to monitor your network?

Traditional Intrusion Detection Systems (IDSs) make use of deep packet inspection (DPI) in order to scan the content of network traffic for signs of malicious behavior. However, end-to-end encryption interferes with this process by obscuring the traffic to all devices in between the source and the destination.

To work around this problem, many organizations have employed “man in the middle” (MITM) techniques by using SSL appliances. These techniques restore some visibility to DPI-based tools, but introduce problems of their own.

What is a “man in the middle”?

End-to-end encryption is used to guarantee the privacy of the network traffic exchanged by two communicating endpoints. It’s important to make sure that sensitive data (such as financial information) is transmitted using strong encryption – this ensures that only the sender and the designated recipient can see it. End-to-end encryption prevents a would-be attacker that has access to network traffic in transit (the “man in the middle”) from seeing the sensitive data.

SSL appliances work by tricking both the sender on the local network and the recipient on the Internet:

  • The sender’s machine is configured to trust the SSL appliance as if it were the designated recipient (by installing a certificate on the machine).
  • The SSL appliance then intercepts traffic from the sender, decrypts it for inspection, and re-encrypts it before sending it to the recipient. The recipient doesn’t know that the SSL appliance isn’t the original sender.
  • Responses from the recipient are also intercepted, decrypted, and re-encrypted. The original sender trusts the response because the certificate essentially impersonates the original recipient.

This trick lets the SSL appliance, which sits in the middle between the sender and recipient, and any other appliances to which the decrypted data is then routed, see both sides of every conversation.
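The three bullets above are easiest to see from the endpoint's side. An appliance copies the server's name into the certificate it re-signs, so the client's hostname check passes; the only visible trace of the interception is the issuer (the private root that was installed on the machine) or a leaf fingerprint that differs from one recorded on a connection made outside the monitored network. The following check is an added example written for this page, not code from the original post or from any vendor; the certificates, DER bytes and CA names are constructed stand-ins in the nested-tuple layout that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import hashlib

# Constructed sample peer certificates (getpeercert()-style tuples).
# APPLIANCE_CERT is what an endpoint sees when an SSL appliance re-signs the
# server certificate with the private root that was installed on the machine.
APPLIANCE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Example Corp"),),
        (("commonName", "Example Corp TLS Inspection CA"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
# DIRECT_CERT is what the same endpoint sees on an end-to-end connection:
# identical subject and SANs, but issued by a public CA.
DIRECT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Example Public CA Ltd"),),
        (("commonName", "Example Public CA R3"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Constructed stand-ins for the DER encoding of each leaf; only the hash matters here.
APPLIANCE_DER = b"constructed-der-bytes-for-appliance-leaf"
DIRECT_DER = b"constructed-der-bytes-for-public-ca-leaf"

# Assumed names of the private roots the organisation pushed to its endpoints.
PRIVATE_ROOT_CNS = {"Example Corp TLS Inspection CA"}


def rdn_to_dict(rdn_sequence):
    """Flatten the ((('key', 'value'),), ...) layout of getpeercert() into a dict."""
    return {key: value for rdn in rdn_sequence for key, value in rdn}


def san_matches(cert, hostname):
    """True when the requested hostname appears among the certificate's DNS SANs."""
    return any(kind == "DNS" and value == hostname
               for kind, value in cert.get("subjectAltName", ()))


def sha256_fingerprint(der_bytes):
    """Hex SHA-256 over the DER bytes, the usual form of a certificate pin."""
    return hashlib.sha256(der_bytes).hexdigest()


def classify(cert, der_bytes, hostname, private_root_cns, pinned_fingerprint=None):
    """Classify a presented leaf as 'direct', 'private-root', 'pin-mismatch' or 'name-mismatch'.

    The hostname check alone cannot reveal an appliance, because the appliance
    copies the SANs. Interception shows up either as an issuer that is one of
    the locally installed private roots, or as a fingerprint that differs from
    a pin recorded on a connection made from outside the monitored network
    (a pin mismatch can also mean the server rotated its certificate, so treat
    it as a prompt to look, not as proof).
    """
    if not san_matches(cert, hostname):
        return "name-mismatch"
    issuer_cn = rdn_to_dict(cert["issuer"]).get("commonName", "")
    if issuer_cn in private_root_cns:
        return "private-root"
    if pinned_fingerprint and sha256_fingerprint(der_bytes) != pinned_fingerprint:
        return "pin-mismatch"
    return "direct"


if __name__ == "__main__":
    for label, cert, der in (("appliance", APPLIANCE_CERT, APPLIANCE_DER),
                             ("direct", DIRECT_CERT, DIRECT_DER)):
        print(label, "->", classify(cert, der, "www.example.com", PRIVATE_ROOT_CNS))
```

On a live socket the `cert` argument would come from `sock.getpeercert()` and `der_bytes` from `sock.getpeercert(binary_form=True)`; the private-root list is whatever your endpoint management pushed to the trust store, and the pin is a fingerprint you recorded yourself from a network you know is not intercepted.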

This approach restores visibility to DPI tools and would seem to be a win for security. However, it represents a tradeoff. Because SSL appliances have visibility into unencrypted network traffic, they are a valuable target for a real attacker. If the attacker can compromise the SSL appliance, they don’t have to compromise each endpoint individually.

Using MITM has other downsides:

  • Added investment: With the increasing cost of protecting networks, you can ill afford to invest in additional technology that doesn’t inspire confidence.
  • People and training: Remember, the cost of the technology isn’t your only investment. It’s one thing to invest in the technology, it’s another to train and certify personnel in the management of that technology and dedicate them to maintaining these solutions for the long term. And because of the risks associated with man in the middle configurations, your staff will need to monitor network traffic to ensure protection during any period of decryption.
    Think of it this way: Should you really be exerting more effort in monitoring your network after investing in technology to monitor your network?
  • Unwanted complexity: Adding third-party layers to your security profile inevitably introduces complexity and reliability implications that you’d rather avoid. It means more exposed outlets that are not always within your control, and more opportunities for attacks you may not even be aware of.
  • Compliance: Industry regulations require encryption, yet if organizations decrypt that traffic in transit in order to keep using DPI, they may be exposed to more compliance risk than they realize. This is especially critical in financial services, retail, and healthcare – industries most responsible for safeguarding confidential information.

Avoiding the man in the middle

One of the main goals of using encryption is to protect against snooping by a hostile man in the middle. Undermining that goal by design in your own network should be avoided if possible.

As we mentioned in a previous blog post, endpoint modeling is a safer and more cost-effective way to monitor network traffic while leaving it encrypted. Endpoint modeling does not require third-party technology or the installation of agents that decrypt traffic. Instead, endpoint modeling collects metadata from switches that describes the network communication of each device, both with the Internet and with other local devices. It analyzes that data for suspicious events in real time against a model of normal for each individual device, which is built dynamically from the device’s own network metadata. Altered behavior is reported immediately, allowing you to discover malicious activity and act before an attack has taken place.
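To make the paragraph above concrete, here is an added example (written for this page, not Observable’s product code) of the idea in its simplest form: a per-device model of normal is built from flow metadata only, with no payload and no decryption, and each new flow is scored by how it departs from that model. The flow records, device names, addresses and the volume threshold are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Flow:
    """One flow record of the kind a switch exports (constructed, not real data)."""
    device: str      # local endpoint the model is built for
    peer: str        # remote address it talked to
    dport: int       # destination port
    bytes_out: int   # bytes the device sent in this flow


# Constructed baseline: a workstation that uses DNS, a web proxy and a file
# server, and a printer that only does DNS and accepts print jobs.
BASELINE = [
    Flow("ws-17", "10.0.0.53", 53, 120), Flow("ws-17", "10.0.0.53", 53, 98),
    Flow("ws-17", "10.0.0.8", 443, 4_200), Flow("ws-17", "10.0.0.8", 443, 3_900),
    Flow("ws-17", "10.0.0.8", 443, 5_100),
    Flow("ws-17", "10.0.0.20", 445, 80_000), Flow("ws-17", "10.0.0.20", 445, 65_000),
    Flow("printer-2", "10.0.0.53", 53, 60), Flow("printer-2", "10.0.0.99", 9100, 300),
]


def build_models(flows):
    """Build a model of normal per device: known peers, known ports, mean bytes per port."""
    raw = defaultdict(lambda: {"peers": set(), "ports": set(), "bytes": defaultdict(list)})
    for f in flows:
        m = raw[f.device]
        m["peers"].add(f.peer)
        m["ports"].add(f.dport)
        m["bytes"][f.dport].append(f.bytes_out)
    return {
        device: {
            "peers": m["peers"],
            "ports": m["ports"],
            "mean_bytes": {port: mean(sizes) for port, sizes in m["bytes"].items()},
        }
        for device, m in raw.items()
    }


def score_flow(models, flow, volume_factor=5.0):
    """Return the list of ways a flow departs from its device's model (empty = normal).

    volume_factor is an assumed threshold: a flow is flagged when it sends more
    than that multiple of the device's mean for the same port.
    """
    m = models.get(flow.device)
    if m is None:
        return ["unknown-device"]
    reasons = []
    if flow.peer not in m["peers"]:
        reasons.append("new-peer")
    if flow.dport not in m["ports"]:
        reasons.append("new-port")
    baseline = m["mean_bytes"].get(flow.dport)
    if baseline is not None and flow.bytes_out > volume_factor * baseline:
        reasons.append("volume-spike")
    return reasons


def scan(models, flows):
    """Score a batch of flows and return only the ones that deviate, with reasons."""
    return [(f, r) for f in flows if (r := score_flow(models, f))]


if __name__ == "__main__":
    models = build_models(BASELINE)
    new_flows = [
        Flow("ws-17", "10.0.0.8", 443, 4_000),           # ordinary browsing
        Flow("ws-17", "10.0.0.8", 443, 50_000),          # ten times the usual upload
        Flow("printer-2", "203.0.113.7", 443, 10_000),   # a printer talking to the Internet
    ]
    for flow, reasons in scan(models, new_flows):
        print(flow.device, flow.peer, flow.dport, "->", ", ".join(reasons))
```

The point of the design is what it does not need: no certificate on the endpoint, no decryption, and no reading of payloads. The model only knows who each device talks to, on which ports, and how much, which is enough to notice a printer opening a session to the Internet or a workstation suddenly uploading ten times its usual volume.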

Experience Dynamic Endpoint Modeling on Your Own Network or Your AWS Implementation

Getting better visibility into your network and improving your security couldn’t be easier. Sign up for a free, no-risk trial of Observable’s Endpoint Modeling solution, and change the way you see security.

Detect Threats Faster – Start Your Free, No-Risk Trial