Here's the page we think you wanted. See search results instead:

Inline TLS Decryption and Encryption

TLS/SSL active SSL

Secure your network with complete visibility into all your encrypted traffic

Already own this product? Visit Technical Support

Keysight's Inline Decryption

As most traffic becomes encrypted and with ephemeral key on its way to becoming the dominant technology, organizations need a way to retain the benefits of Transport Layer Security (TLS) 1.3, while being able to inspect traffic for threats and malware to protect their networks and users.

Keysight's Inline Decryption capability, an addition to the SecureStack feature set, enables organizations to see inside traffic that uses ephemeral key cryptography through its visibility platform. Keysight's Inline Decryption can be used for both inline and out-of-band tools, for outbound and inbound traffic, and it can be used simultaneously with NetStack, PacketStack and AppStack capabilities. The Inline Decryption capability is available via separate high-performance application modules that are compatible with Vision ONE™ and Vision X, both turnkey network packet brokers that provide high-performance, lossless visibility. With a dedicated cryptographic processor, Inline Decryption provides the best throughput integrated with a visibility solution. Moreover, it includes built-in policy management, Uniform Resource Locator (URL) categorization, support for all leading ciphers, and reporting.

Active-SSL

A Security Dilemma

SSL Statistics

Organizations encrypt internet exchanges to protect themselves and their users — in particular, to protect sensitive information such as credit card numbers, social security numbers, etc. As of 2017, both Firefox and Google have shown that over 75% of sites visited via their browsers encrypt traffic. This encryption helps prevent identity theft, security breaches, and data leaks. However, much like a Trojan horse, encryption can also be the way malware and other threats are inserted into networks. Gartner predicts that by 2020, more than 60% of organizations will fail to decrypt Hypertext Transfer Protocol Secure (HTTPS) efficiently, "missing most targeted web malware". Moreover, hackers are becoming more clever and some forms of encryption are becoming more vulnerable.

The solution to this dilemma is two-fold:

  • Use encryption technology that is harder to compromise
  • Inspect all encrypted traffic for threats as part organizations' security and monitoring policies

Why Ephemeral Key

Secure Sockets Layer (SSL) and Transport Layer Security (TLS), both of which are commonly referred to as "SSL", are technologies in which data is scrambled or "encoded" to protect communications over a computer network. As pictured to the right, the technology basically works by exchanging information that is coded via a public key (provided by the server) and sent over the internet. The receiving party (server) is able to decode the data because it has the other half of the equation, the private key.

The dominant encryption technology had been Rivest-Shamir-Adleman (RSA), which uses static keys. This means that a server has a given key for its communications. Now, if this key is somehow compromised, any communication from that server is exposed. To address this concern, many organizations and regulatory bodies are shifting to using and mandating ephemeral key encryption, most commonly Elliptic curve Diffie–Hellman ephemeral (ECDHE), in which a new key is generated for each exchange.

Basic SSL

Perfect Forward Secrecy and TLS 1.3

perfect forward secrecy

Let us consider static keys to be like physical keys — if one is stolen or copied, the person with the key can access all communications locked by that key. In contrast, ephemeral key is like a number generated by a mobile app for a specific exchange. If the number is stolen, it can only be used to unlock that one exchange. All other exchanges are still protected. This perfect forward secrecy is what makes ephemeral key compelling.

Tech industry leaders including Google, Facebook, Mozilla, and more are announcing their shift to using ephemeral key for encryption in order to provide greater security for users. TLS 1.3, the latest TLS protocol standard by the Internet Engineering Task Force (IETF), favors ephemeral key exchange.

Keysight's Inline Decryption

Offload TLS Decryption

Decrypt network traffic once and inspect many times to scale your security and monitoring infrastructure. TLS decryption can take up to 60-80% of a tool's capacity, meaning the majority of time is spent decrypting versus the more critical inspecting of traffic. Moreover, some tools aren't even able to decrypt TLS traffic.

By offloading the TLS decryption, you achieve the following:

  • Better ROI for security and monitoring tool investment
  • Improved performance of security and monitoring tools
  • Ability to scale security and monitoring infrastructure
  • Complete visibility into encrypted traffic, even traffic encrypted with ephemeral key
Decrypt Once and Scale

Inline And Out-of-Band (OOB)

Inline Decryption can be used for both inline and out-of-band tool deployments.

  • Inline: traffic that is coming into or leaving the network can be inspected enroute. With Inline Decryption, data that comes into a network packet broker is decrypted and then sent to security and monitoring tools. After inspection, tools send the data back to the network packet broker where it is re-encrypted with the Inline Decryption capability. By default, the same cipher is used, but you can apply any policy required. Data is then routed back to the network. For optimal security, this is done with a Bypass switch in an active-active resilient architecture. Re-encrypting the data with an ephemeral key ensures network security, while allowing inspection, the best of both worlds!
  • Out-of-band: traffic comes into the network packet broker and is decrypted, copied and sent to out-of-band security and monitoring tools. These tools use the decrypted traffic to generate alerts.
  • Simultaneous deployment: With Keysight's Vision ONE and Vision X, both inline and out-of-band modes can be used at the same time. So security and monitoring tools appropriate for each mode can be used in the same deployment.
Inline and Out of Band

Limitless Visibility

Use Inline Decryption with Keysight's NetStack, PacketStack and AppStack capabilities for flexibility and limitless visibility.

With Keysight, traffic can be decrypted and then packets trimmed, headers stripped and more, before sending to out-of-band security tools. This increases tool efficiency and operating life. Application Identification can be used to send – or exclude – certain applications to those tools, with or without Data Masking Plus to protect personally identifiable information (PII). Geography, browser type, and application type, and even custom apps can be used to select which traffic to forward to out-of-band tools.

For inline deployments, Inline Decryption is fully transparent, requiring no manual proxy configuration on the clients. The built-in load balancing features and heartbeat detection of failed inline devices can be used to maintain a high-performance, highly resilient security deployment with the Vision ONE or Vision X maintaining the service chain and offloading tasks such as TLS decryption and rich Netflow generation.

Using many features concurrently ensures optimized security policy enforcement while allowing tools to operate efficiently. Improving the life of security and monitoring tools. Adding Keysight's Bypass switches and ThreatARMOR yield an optimal best-practices security deployment with ultimate reliability and efficiency.

Limitless

Easy Management

The Inline Decryption capability is easy to configure and manage as part of your Vision ONE or Vision X network packet broker setup and deployment.

Vision ONE and Vision X include flexible policy configuration for maximum security and support of multiple concurrent contexts.

Upgrades to higher throughput are easy with a simple license modification. Active The Vision ONE is offered with 1G, 2G, 4G or 10G licenses. No additional hardware or massive upgrades that require configuration changes are needed to move among licenses. The Vision X offers one license per CPU at up to 25G.

easy management

Real-Time Insight

Keysight's Inline Decryption comes with real-time onscreen analytics that includes details on throughput, sessions and crypto data. With the ability to mouse-over and drill down, it ensures you can keep track of all your data. Inline Decryption also includes error and exception logging and the ability to access historical data.

real-time insight

Supports Leading Ciphers

Inline Decryption already supports many leading ciphers indicated in TLS 1.3 and additional ciphers are continuously being added.

SUPPORTED CIPHERS   KX AU ENC MAC
TLS13-AES-256-GCM-SHA384 TLSv1.3 - - AES-128-GCM AEAD
TLS13-CHACHA20-POLY1305-SHA256 TLSv1.3 - - AES-128-GCM AEAD
TLS13-AES-128-GCM-SHA256 TLSv1.3 - - CHACHA20-POLY1305 AEAD
TLS13-AES-128-CCM-8-SHA256 TLSv1.3 - - AES-128-CCM AEAD
TLS13-AES-128-CCM-SHA256 TLSv1.3 - - AES-128-CCM-8 AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH RSA AESGCM(128) AEAD
ECDHE-ECDSA-AES128-SHA SSLv3 ECDH ECDSA AES(128) SHA1
ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH RSA AES(256) SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 ECDH ECDSA AES(256) SHA384
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 ECDH ECDSA AESGCM(128) AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH RSA AESGCM(128) AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 ECDH ECDSA AESGCM(128) AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH RSA AESGCM(128) AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH RSA AESGCM(128) AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH RSA AES(128) SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 ECDH ECDSA AES(128) SHA256
ECDHE-RSA-AES128-SHA SSLv3 ECDH RSA AES(128) SHA1
DHE-RSA-AES256-SHA SSLv3 DH RSA AES(256) SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 ECDH RSA 3DES(168) SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 ECDH ECDSA 3DES(168) SHA1
AES128-GCM-SHA256 TLSv1.2 RSA RSA AESGCM(128) AEAD
AES256-GCM-SHA384 TLSv1.2 RSA RSA AESGCM(256) AEAD
AES128-SHA256 TLSv1.2 RSA RSA AESGCM(128) SHA256
AES256-SHA256 TLSv1.2 RSA RSA AES(256) SHA256
AES128-SHA SSLv3 RSA RSA AES(128) SHA1
AES256-SHA SSLv3 RSA RSA AES(256) SHA1
ECDHE-RSA-AES256-SHA SSLv3 ECDH RSA AES(256) SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 ECDH ECDSA AES(256) SHA1
DHE-RSA-AES128-SHA256 TLSv1.2 DH RSA AES(128) SHA256
DHE-RSA-AES128-SHA SSLv3 DH RSA AES(128) SHA1
DHE-RSA-AES256-SHA256 TLSv1.2 DH RSA AES(256) SHA256
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 ECDH ECDSA CHACHA20/POLY1305(256) AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 ECDH RSA CHACHA20/POLY1305(256) AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 DH RSA CHACHA20/POLY1305(256) AEAD
CAMELLIA128-SHA256 TLSv1.2 RSA RSA CAMELLIA(128) SHA256
CAMELLIA256-SHA256 TLSv1.2 RSA RSA CAMELLIA(256) SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 DH RSA CAMELLIA(128) SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 DH RSA CAMELLIA(256) SHA256
  • Customer Quote Icon

    “With the TLS 1.3 standard implementing ephemeral keys, organizations will find decrypting and inspecting encrypted traffic to be more complex and resource intensive. Solutions like Inline Decryption will enable organizations to gain visibility into their current network traffic efficiently, with less disruption to their networks, as well as their monitoring tools and security devices.”

    DAN CONDE, ANALYST, ESG

Inline Security with Inline Decryption

Inline Decryption seamlessly integrates into Keysight's fail-safe security architecture for inline deployments. Combined with Keysight's Inline Decryption creates an even more robust inline architecture that can block bad Internet Protocols (IPs), handle encrypted traffic, and protect your network with active-active high availability configurations that ensure continuous traffic inspection and near-instant recovery.

THREATARMOR

Related Information

Data Sheets 2024.03.05

Vision ONE (Model: Vision ONE) Network Packet Broker

Vision ONE (Model: Vision ONE) Network Packet Broker

Amplify your security without changing a cable. Keysight Vision ONE provides IT Operations the ability to deploy resources where they are needed most and secure any traffic in their network. Keysight Vision ONE acts as the first step to security, providing reliable inline connectivity for security tools such as intrusion prevention systems (IPS), data loss prevention (DLP), and Web firewalls. It simultaneously connects out-of-band monitoring tools like intrusion detection systems (IDS) and data recorders. Integrated intelligence features enable you to access encrypted traffic using inline or out-of-band decryption, reduce analysis traffic using advanced packet processing, and precisely select traffic by application type, and geography. Keysight Vision ONE forwards selected traffic in a variety of formats to interoperate with any security tool.

2024.03.05

Data Sheets 2024.04.24

Vision X (Model: Vision X) Network Packet Broker

Vision X (Model: Vision X) Network Packet Broker

Keysight’s Vision X is the next-generation network visibility solution. It delivers expandability and flexibility that meets the ever-evolving needs of the data center. Vision X is a high-density, modular chassis comprised of customizable front modules and multi-speed port choices. It also supports a rear, advanced packet processing module, extending the total packet processing capacity of the chassis. With a small data center footprint, Vision X conserves both power and rack space. Its footprint, along with its upgradable chassis, will improve your overall ROI now and in the future.

2024.04.24

Solution Briefs 2022.01.04

Offload SSL Decryption to Improve Security Tool Performance

Offload SSL Decryption to Improve Security Tool Performance

While many security tools include the ability to decrypt traffic so that incoming data can be analyzed for security purposes, this comes at the expense of CPU performance - which can dramatically slow a security appliance's processing capability. Learn how you can use a network packet broker (NPB) to offload SSL decrypt functionality and increase the performance of your security tools.

2022.01.04

Solution Briefs 2022.01.19

Offload SSL Decryption to Extend Firewall Life

Offload SSL Decryption to Extend Firewall Life

Read this solution brief to see how you can use a network packet broker (NPB) to direct SSL-based traffic to a purpose-built decryption device to eliminate the issue.

2022.01.19

Solution Briefs 2022.01.20

Offload SSL Decryption to Extend Monitoring Tool Life and Value

Offload SSL Decryption to Extend Monitoring Tool Life and Value

Learn how you can implement a cost-effective solution by deploying a network packet broker (NPB) with integrated SSL decryption capability.

2022.01.20

Solution Briefs 2022.01.21

How to Get Ready for TLS 1.3: Keysight’s 10-Point Checklist

How to Get Ready for TLS 1.3: Keysight’s 10-Point Checklist

Adopting the IETF’s newly approved Transport Layer Security (TLS) 1.3 standards for securing encrypted data has far-reaching implications—and powerful benefits—for security and monitoring infrastructures. Download Keysight’s 10-Point Checklist to help your IT team prepare.

2022.01.21

White Papers 2023.03.14

Best Practices For Monitoring Encrypted Data

Best Practices For Monitoring Encrypted Data

Once used to increase the security of Internet traffic, encryption has actually made the work more difficult. Many firewalls and other security tools do not understand encrypted traffic and many organizations have chosen to pass encrypted traffic into their networks without security inspection, just to keep communications flowing. Unfortunately this creates blind spots in network visibility – areas where the organization is unaware of the traffic moving inside and exiting the network.

2023.03.14

Want help or have questions?

Contact Us