- The U.S. National Security Agency (NSA) has released an advisory about the dangers of transport layer security inspection.
- The advisory also provides mitigation measures for organizations using TLSI.
What is Transport Layer Security Inspection?
Transport Layer Security Inspection (TLSI), or TLS break and inspect, is a security measure that involves decrypting traffic, inspecting the decrypted content, and re-encrypting the traffic before it enters or leaves the network.
This process involves proxy devices, firewalls, and intrusion detection or prevention systems (IDS/IPS).
Risks involved with TLSI
Although TLSI is useful for monitoring potential threats, it also brings with it multiple risk factors.
- The primary risk involved is the exploitation of a certification authority to issue unauthorized certificates. This can allow the deployment of malicious services or allow malicious code to bypass intrusion detection or prevention systems.
- Bad actors may focus their efforts on targeting the specific device where traffic they need is decrypted.
- TLSI increases insider threat risk, especially from the employees who directly manage the TLSI implementation.
Apart from this, certain countries have laws governing TLSI capabilities in enterprises. Before implementing TLSI, organizations must be aware of the legal and compliance requirements that apply to them.
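The unauthorized-certificate risk above is something an endpoint can watch for: every TLS session behind a TLSI proxy presents a leaf certificate minted by the proxy's CA, so a connection re-signed by any other issuer is a candidate rogue CA. The following added example (not from the NSA advisory or this article) classifies certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the sanctioned proxy CA name, the public CA list, the 30-day lifetime policy and the sample certificates are all constructed assumptions.

```python
import ssl

# Assumption: the enterprise's single sanctioned TLSI proxy CA, as its
# issuer DN would appear in getpeercert(). Hypothetical name.
SANCTIONED_TLSI_ISSUER = {"organizationName": "Example Corp",
                          "commonName": "Example Corp TLSI Proxy CA"}
# Constructed, non-exhaustive set of public CA organisations expected when
# a connection is NOT being inspected.
PUBLIC_CA_ORGS = {"Let's Encrypt", "DigiCert Inc", "GlobalSign nv-sa"}
# Policy assumption: proxy-minted certificates must be short-lived.
MAX_PROXY_CERT_LIFETIME_S = 30 * 24 * 3600

def dn_to_dict(rdns):
    """Flatten getpeercert()'s ((('k', 'v'),), ...) DN into a plain dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def classify_peer_cert(cert):
    """Return 'not_inspected', 'inspected_sanctioned', 'inspected_overlong'
    or 'unexpected_issuer' for one observed leaf certificate."""
    issuer = dn_to_dict(cert["issuer"])
    if all(issuer.get(k) == v for k, v in SANCTIONED_TLSI_ISSUER.items()):
        lifetime = (ssl.cert_time_to_seconds(cert["notAfter"])
                    - ssl.cert_time_to_seconds(cert["notBefore"]))
        return ("inspected_sanctioned" if lifetime <= MAX_PROXY_CERT_LIFETIME_S
                else "inspected_overlong")
    if issuer.get("organizationName") in PUBLIC_CA_ORGS:
        return "not_inspected"
    # Any other issuer re-signing traffic is a candidate unauthorized CA.
    return "unexpected_issuer"

def audit(observations):
    """observations: list of (hostname, cert); returns (host, verdict) alerts."""
    alerts = []
    for host, cert in observations:
        verdict = classify_peer_cert(cert)
        if verdict in ("unexpected_issuer", "inspected_overlong"):
            alerts.append((host, verdict))
    return alerts

# Constructed sample observations (not real certificates).
SAMPLE = [
    ("intranet.example.test", {"issuer": ((("organizationName", "Example Corp"),),
      (("commonName", "Example Corp TLSI Proxy CA"),)),
      "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan 15 00:00:00 2024 GMT"}),
    ("bank.example.test", {"issuer": ((("organizationName", "DigiCert Inc"),),),
      "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan  1 00:00:00 2025 GMT"}),
    ("mail.example.test", {"issuer": ((("organizationName", "Unknown Proxy Ltd"),),),
      "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan  2 00:00:00 2024 GMT"}),
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE):
        print(f"ALERT {host}: {verdict}")
```

On a real endpoint the `SAMPLE` list would be replaced by certificates collected from live sessions, and an `unexpected_issuer` alert is the signal that something other than the sanctioned proxy is breaking TLS.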
What does the advisory say?
The advisory begins by explaining what TLSI is and goes on to describe the risks associated with it. It then provides mitigation measures enterprises can take to reduce those risks.
“To minimize the risks described above, breaking and inspecting TLS traffic should only be conducted once within the enterprise network. Redundant TLSI, wherein a client-server traffic flow is decrypted, inspected, and re-encrypted by one forward proxy and is then forwarded to a second forward proxy for more of the same, should not be performed,” reads the advisory.