TLS Decryption for NGFW + IPS

Nubeva SKI Enables Inline Inspection To Solve Decryption Gaps


PROBLEM: To support deep packet inspection, firewalls and other inline security devices employ multiple TLS decryption engines depending on the application. While forward-proxy (MITM) and reverse-proxy (termination) methods are broadly accepted, they are not ideal: they carry a growing list of capability limitations and serious performance costs. DPI issues facing these inspection tools include:

  • Pinned certificate traffic

  • Client certificates/MTLS traffic

  • Latency sensitive traffic

  • Price-performance

  • Server cert/key pairs, CA pushes, and PKI

  • Bypass and exception administration

BUSINESS IMPLICATIONS: The standard answer is to architect and implement around these issues.

To the end user, this means growing gaps and rising CAPEX and OPEX costs for full deep packet inspection on their growing traffic volumes. The outcome is to employ DPI less, and where it is required, to carry an endless burden of bypass management for “lower risk” or “problematic” traffic. Ultimately, this reduces the overall security protection offered by the product and increases risk, complexity, and TCO.

For manufacturers and service providers, this means that existing offerings are missing required functionality. And while the industry accepts this as the status quo, sales teams must sell around the technical shortcomings rather than face them head-on, and are forced to push a false sense of security to justify the need to bypass traffic that cannot be inspected. This results in higher sales friction, increased pre- and post-sales engineering and support, and, ultimately, a reduced market opportunity around high-value DPI services.

Fact: Proxy-based inspection products experience significant performance reduction with modern TLS

Nubeva SKI for Inline Inspection Systems

Nubeva SKI is a simple and complete approach to TLS decryption that unlocks traffic other techniques cannot decrypt. SKI offers significant growth potential, with relatively low effort, for NGFW, IPS, DPS, APT, and any other inline system, with simple integration options. The solution enables line-rate, low-latency, low-cost decryption of TLS traffic with virtually no administrative burden. SKI can be applied to any traffic (inbound, outbound, east-west, containers, and more) in physical, virtual, and hybrid scenarios.

SKI is delivered as a suite of modular software components that can be easily integrated into any system and that operate with very small resource (CPU and memory) requirements on commodity hardware. Add SKI to your product as a new engine that increases capability and simplifies operations, for expanded product value, increased market velocity, and reduced support load.

Inspect More Traffic

Fill Decryption Gaps

Technical Advantage 

Decrypt Any Traffic

No need to bypass traffic. Decrypt pinned-certificate and client-certificate traffic, unlocking applications such as MS365, G-Suite, iCloud, Dropbox, DocuSign, etc., as well as mTLS/client-side certificate-based sessions.

High Throughput Low Latency

SKI decryption operates at wire speed and does not create or participate in TLS session creation and handshakes, allowing DPI on latency-sensitive applications.

Reduce Operational Overhead

SKI decryption does not require CA installs, server keys, or PKI integration. SKI can also dramatically decrease the operational overhead required to maintain bypass configurations.

Deliver More Value to Your Customers

Business Advantages

Increase Product Value

Expand DPI capabilities to improve visibility, provide a stronger security posture to customers and expand mission-critical functionality for today and into the future.

Expand Market Opportunity 

Break the status quo and rise above the competition by offering elevated deep packet inspection functionality and reduced operational complexity. 

Sales Acceleration

By eliminating product barriers, the selling process is simplified, win rates and deal sizes grow, and customer adoption and value realized dramatically improve.


Add Nubeva SKI Support into Your Product Suite

Adding Nubeva SKI to your products can be fast and easy, allowing you to get to market quickly with low entry hurdles. As an incremental capability, SKI is not meant to "rip and replace" existing decryption engines, but rather to be another option for addressing the visibility gaps inline systems are experiencing. SKI can work on top of existing decryption systems through a range of integration options, or can be implemented as the primary decryption capability as needed.

The core concept of SKI is to capture session keys from endpoints, from either TLS servers or TLS clients, and forward them to the inspection system for use in real-time decryption. SKI can deliver keys before the TLS handshake is complete and before the first application packet arrives. With session keys available, you can bypass the proxy/MITM decryption engine and simply match traffic with keys using the session's client random value, then decrypt, inspect, and process the traffic accordingly. If sensors are not deployed and no session keys are available, the existing decryption engines are used.
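The matching step described above, as an added example that is not Nubeva's code and not the SKI wire format: it assumes keys arrive in the NSS SSLKEYLOGFILE text format (one line per secret, keyed by the session's client random), parses the client random out of a captured TLS ClientHello record, and decides per session whether keys are available (SKI path) or the flow must fall back to the existing proxy engine. The client random, the secrets and the ClientHello builder are constructed sample data; the function names are this example's own.

```python
"""Match a captured TLS ClientHello to out-of-band session keys.

Added example: keys from an endpoint sensor are indexed by client random;
the inspection path looks the random up and falls back to the proxy engine
when no key is known. Key-log syntax assumed here is the NSS SSLKEYLOGFILE
format, not SKI's own transport (which the page does not specify).
"""
import struct
from typing import Dict, Optional, Tuple

# Labels defined by the NSS key log format (TLS 1.2 and TLS 1.3)
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}

KeyTable = Dict[str, Dict[str, bytes]]  # client_random hex -> {label: secret}


def parse_keylog(text: str) -> KeyTable:
    """Index key-log lines by client random; malformed lines are skipped."""
    table: KeyTable = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue
        label, rnd_hex, secret_hex = parts
        if label != TLS12_LABEL and label not in TLS13_LABELS:
            continue
        try:
            if len(bytes.fromhex(rnd_hex)) != 32:
                continue
            secret = bytes.fromhex(secret_hex)
        except ValueError:
            continue
        table.setdefault(rnd_hex.lower(), {})[label] = secret
    return table


def client_random_from_record(record: bytes) -> Optional[str]:
    """Return the 32-byte Random (hex) from a TLS ClientHello record,
    or None if the bytes are not a well-formed ClientHello."""
    if len(record) < 5 + 4 + 2 + 32:
        return None
    # TLSPlaintext header: content type(1) version(2) length(2); 0x16 = handshake
    ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or rec_len > len(record) - 5:
        return None
    body = record[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); ClientHello is msg_type 1
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 2 + 32:
        return None
    return hs[2:34].hex()  # skip legacy_version(2), then the 32-byte Random


def select_engine(record: bytes, keys: KeyTable) -> Tuple[str, Optional[Dict[str, bytes]]]:
    """Choose the SKI path (keys known) or fall back to the proxy engine."""
    rnd = client_random_from_record(record)
    if rnd is not None and rnd in keys:
        return "ski", keys[rnd]
    return "proxy", None


def build_client_hello(client_random: bytes) -> bytes:
    """Construct a minimal ClientHello record for testing (sample data only)."""
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    hs_body = b"\x03\x03" + client_random   # legacy_version + Random
    hs_body += b"\x00"                      # empty legacy_session_id
    hs_body += b"\x00\x02\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
    hs_body += b"\x01\x00"                  # compression_methods: null only
    hs_body += b"\x00\x00"                  # no extensions
    handshake = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample values: not real randoms or secrets
KNOWN_RANDOM = bytes(range(32))
UNKNOWN_RANDOM = bytes(range(32, 64))
SAMPLE_KEYLOG = (
    "# constructed sample key log\n"
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {KNOWN_RANDOM.hex()} {'aa' * 32}\n"
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {KNOWN_RANDOM.hex()} {'bb' * 32}\n"
    f"CLIENT_TRAFFIC_SECRET_0 {KNOWN_RANDOM.hex()} {'cc' * 32}\n"
    f"SERVER_TRAFFIC_SECRET_0 {KNOWN_RANDOM.hex()} {'dd' * 32}\n"
    "BOGUS_LABEL 00 11\n"   # unknown label, ignored by the parser
)

if __name__ == "__main__":
    keys = parse_keylog(SAMPLE_KEYLOG)
    for rnd in (KNOWN_RANDOM, UNKNOWN_RANDOM):
        engine, _ = select_engine(build_client_hello(rnd), keys)
        print(f"client_random={rnd.hex()[:16]}... -> {engine}")
```

The lookup only needs the first record of a session, which is why keys delivered before the handshake completes can be applied without the inspection device ever joining the handshake; a record that is not a ClientHello, or one whose random has no entry, simply takes the proxy path.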


Inline Decryption


Nubeva provides software to obtain keys and to decrypt using them. Our comprehensive suite of software components, available in source or binary form, enables fast and flexible SKI decryption implementation in most product sets. While there are many implementation models and options for inline inspection systems, here are the basics.

Get Session Keys

Nubeva has perfected learning and exporting keys from applications by inspecting process memory during the TLS handshake. Simply deploy our session key learning sensor software on any VM, node, or endpoint. A sensor is only required on one side of the connection; when deployed on server environments, sensors can therefore capture keys for all client connections.

Key learning software is delivered as a C library or as turnkey agents and containers, in binary or source code form. Key extraction is 100% reliable. This read-only micro-process is ultra-secure, transparent, and non-disruptive: it does not modify application code, does not impact applications, and operates with minute memory and CPU requirements. Get keys from:

  • Any TLS version: 1.3, 1.2, and legacy.

  • Any session, north-south or east-west, including pinned-certificate and client-certificate sessions.

  • Traffic to internet, cloud, and other 3rd party servers and services

  • Bare metal, VMs, and container hosts in the datacenter or cloud, and/or client endpoints.

  • OS and commercial applications, as well as malware communications.


Get Started: 

Have an agent? - Add the ability to get session keys simply and easily using the SKI Sensor C Library

No agent? - Add to your portfolio with Nubeva's off-the-shelf SKI Sensor Agents and Containers 

Don't want to have an agent? - Resell Nubeva labeled sensors. Or, simply add the ability to receive and decrypt using session keys to your system and let your customers provide the keys from a growing list of systems with Nubeva SKI Sensor Technology or any other key source.

Decrypt with Session Keys

Nubeva complements session key discovery with a suite of decryption support options, enabling NGFW, IPS, and other inline systems to receive session keys and decrypt with them. We offer a multitude of implementation options to meet virtually any architectural model and go-to-market packaging scenario. Inspection systems need only minor modifications to receive keys and to decrypt using them. Decrypt using keys:

  • Enhance existing datapath or add new datapath

  • Any traffic and any session

  • Leverage crypto instruction set acceleration in standard CPUs

  • Achieve ultra-high throughputs of over 25 Gb/s per core

  • Minuscule CPU and memory resource requirements


Get Started: 

There are myriad implementation options spanning key acquisition, key transport and handling, and decryption. With simple modifications, existing decryption engines can be given the ability to receive keys. Nubeva offers component software, including the SKI Decrypt TLS C library, KeyServers, and reference code, to facilitate rapid adoption.



Nubeva works with our customers to develop the ideal architecture and craft highly customized licensing programs and support services to enable customer success.

Let's discuss how SKI can work with your systems.


Resources

  • Tech Brownbag - Nubeva's Key Discovery is Evolving. First TLS. Now, Ransomware. Nubeva develops and licenses enterprise-class software for decryption to enable world-class application monitoring and n...

  • In this comprehensive paper entitled A Definitive Guide to Modern Network Decryption: A Case for Nubeva SKI in a TLS 1.3 World and Beyond we cover the following: Part 1: The State of the Visibility o...

  • Nubeva SKI Decryptors are turnkey container solutions that receive encrypted mirrored traffic and output decrypted traffic on a standard network interface. SKI Decryptors decrypt TLS records with T...