PROBLEM: To support deep packet inspection, firewalls and other inline security devices employ multiple TLS decryption engines depending on the application. While forward proxy/MITM and reverse proxy/termination methods are broadly accepted, they are not ideal. These methods have multiple growing limitations on capability and serious performance considerations. DPI issues facing these inspection tools include:
Pinned certificate traffic
Client certificate/mTLS traffic
Latency sensitive traffic
Server cert/key pairs, CA pushes, and PKI
Bypass and exception administration
BUSINESS IMPLICATIONS: The standard answer is to architect and implement around these issues.
To the end-user, this means growing gaps and rising CAPEX and OPEX costs for full deep packet inspection on their growing traffic volumes. The outcome is to employ DPI less, and when and where required, there is an endless burden of bypass management of “lower risk” or “problematic” traffic. Ultimately, this reduces the overall security protection offered by the product, increases risk, complexity, and TCO.
For manufacturers and service providers, this means that existing offerings are missing required functionality. And while the industry accepts it as the status quo, sales teams must sell around the technical shortcomings rather than face them head-on and are forced to push a false sense of security to justify the need to bypass traffic that cannot be inspected. This results in higher sales friction, increased pre- and post-sales engineering and support, and, ultimately, a reduced market opportunity around high-value DPI services.
Nubeva SKI is a simple and complete approach to TLS decryption that unlocks traffic other techniques cannot decrypt. SKI offers significant growth potential, with relatively low effort for NGFW, IPS, DPS, APT, and any other inline systems with simple integration options. The solution enables line-rate performance, low latency, low-cost decryption of TLS traffic with virtually no administrative burden. SKI can be applied to any traffic - inbound, outbound, east-west, containers, and more - in physical, virtual, and hybrid scenarios.
SKI is delivered as a suite of modular software components that can be easily integrated into any system and that operate with very small resource (CPU and Memory) requirements with commodity hardware. Add SKI to your product as a new engine that can increase capability and simplify operations for expanded product value, increase market velocity and reduce support.
Fill Decryption Gaps
No need to bypass traffic. Decrypt pinned and client certificate traffic, unlocking applications such as MS365, G-Suite, iCloud, Dropbox, DocuSign, etc., as well as mTLS/client-side cert-based sessions.
SKI decryption operates at wire speed and does not create or participate in TLS session creation and handshakes, allowing DPI on latency-sensitive applications.
SKI decryption does not require CA installs, server keys, or PKI integration. SKI can also dramatically decrease the operational overhead required to maintain bypass configurations.
Deliver More Value to Your Customers
Expand DPI capabilities to improve visibility, provide a stronger security posture to customers and expand mission-critical functionality for today and into the future.
Break the status quo and rise above the competition by offering elevated deep packet inspection functionality and reduced operational complexity.
By eliminating product barriers, the selling process is simplified, win rates and deal sizes grow, and customer adoption and value realized dramatically improve.
Adding Nubeva SKI into your products can be fast and easy, allowing you to get to market quickly with low entry hurdles. As an incremental capability, SKI is not meant to "rip-and-replace" existing decryption engines, but rather as another option to address visibility gaps inline systems are experiencing. SKI can work on top of existing decryption systems through a range of integration options or can be implemented as a primary decryption capability pending need.
The core concept of SKI is to capture session keys from endpoints, from either TLS servers or TLS clients, and forward them to the inspection system for use in decryption in real time. SKI can deliver keys before TLS handshakes are complete and before the first packet arrives. With session keys available, you can bypass the proxy/MITM decryption engine and simply match traffic with keys using the session's client random value, decrypt, inspect, and process traffic accordingly. If sensors are not deployed and no session keys are available, existing decryption engines are utilized.
Nubeva provides software to get keys and to decrypt using keys. Our comprehensive suite of software components, available in source or binary forms, enables fast and flexible SKI decryption implementation into most product sets. While there are many implementation models and options for inline inspection systems, here are the basics.
Nubeva has perfected learning and exporting keys from applications by inspecting process memory during the TLS handshake. Simply deploy our session key learning sensor software on any VM, node, or endpoint. A sensor is only required on one side of the connection; therefore, when deployed on server environments, sensors can capture keys from all client connections.
Key learning software is delivered as a C library or turnkey agents and containers in binary or source code form. Key extraction is 100% reliable. This read-only micro-process is ultra-secure, transparent, and non-disruptive to application code, does not impact applications, and operates with minute memory and CPU requirements. Get Keys from:
Any TLS version: 1.3, 1.2, and legacy.
Any session, north-south or east-west, including pinned and client certificate sessions.
Traffic to internet, cloud, and other 3rd party servers and services
Bare metal, VMs, container hosts in datacenter or cloud, and/or client endpoints.
OS and commercial applications as well as malware communications
Have an agent? - Add the ability to get session keys simply and easily using the SKI Sensor C Library
No agent? - Add to your portfolio with Nubeva's off-the-shelf SKI Sensor Agents and Containers
Don't want to have an agent? - Resell Nubeva labeled sensors. Or, simply add the ability to receive and decrypt using session keys to your system and let your customers provide the keys from a growing list of systems with Nubeva SKI Sensor Technology or any other key source.
Nubeva complements session key discovery with a suite of decryption support options enabling NGFW, IPS, and other inline systems to add the ability to receive session keys and decrypt. We offer a multitude of implementation options to meet virtually any architectural model and go-to-market packaging scenario. Inspection systems need only minor modifications to receive keys and to decrypt using them. Decrypt using keys:
Enhance existing datapath or add new datapath
Any traffic and any session
Leverage crypto instruction set acceleration in standard CPUs
Achieve ultra-high throughput of over 25 Gb/s per core
Minuscule CPU and memory resource requirements
There is a myriad of implementation options spanning key acquisition, key transport and handling, and decryption. With simple modifications, add the ability to receive keys to existing decryption engines. Nubeva offers component software including the SKI Decrypt TLS C library, KeyServers, and reference code to facilitate rapid adoption.
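The matching step described above (keys indexed by the session's client random, with fallback to the existing proxy engine when no key is known) and the "receive keys and decrypt" integration in this section can be illustrated on the inspection side. The following is an added example written for this page, not Nubeva's code. It assumes that session keys arrive in the NSS key-log line format (`LABEL <client_random hex> <secret hex>`) that Wireshark and most TLS libraries understand; the page does not specify SKI's own transport format, so that is an assumption. The key-log lines and the ClientHello bytes are constructed for the demo. It also shows the TLS 1.3 caveat a practitioner runs into: a 1.3 session logs one secret per direction and phase, so a flow becomes fully decryptable only once both application traffic secrets have arrived, whereas TLS 1.2 needs a single master secret. The AEAD record decryption itself is not shown.

```python
import struct

# NSS key-log labels. TLS 1.2 logs one master secret per session; TLS 1.3 logs
# one secret per direction and phase, so keys for a flow may arrive in stages.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
TLS13_APP_DATA_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}


class KeyStore:
    """Keys received from sensors, indexed by the 32-byte TLS client random."""

    def __init__(self):
        self._by_random = {}  # client_random bytes -> {label: secret bytes}

    def ingest_line(self, line):
        """Store one key-log line; return False (and drop it) if malformed."""
        parts = line.split()
        if len(parts) != 3:
            return False
        label, rand_hex, secret_hex = parts
        if label != TLS12_LABEL and label not in TLS13_LABELS:
            return False
        try:
            client_random, secret = bytes.fromhex(rand_hex), bytes.fromhex(secret_hex)
        except ValueError:
            return False
        if len(client_random) != 32 or not secret:
            return False
        self._by_random.setdefault(client_random, {})[label] = secret
        return True

    def lookup(self, client_random):
        return self._by_random.get(client_random)

    def can_decrypt_app_data(self, client_random):
        """True once enough secrets exist to decrypt application data both ways."""
        secrets = self._by_random.get(client_random)
        if not secrets:
            return False
        return TLS12_LABEL in secrets or TLS13_APP_DATA_LABELS.issubset(secrets)


def client_random_from_record(data):
    """Return the client random from a TLS record carrying a ClientHello, else None.

    Layout: 5-byte record header (type 0x16 = handshake, version, length),
    4-byte handshake header (type 0x01 = ClientHello, 3-byte length),
    then a 2-byte legacy_version followed by the 32-byte random.
    """
    if len(data) < 5 or data[0] != 0x16:
        return None
    (rec_len,) = struct.unpack("!H", data[3:5])
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    return hello[2:34] if len(hello) >= 34 else None


def choose_engine(store, first_record):
    """Pick the decryption path for a new flow from its first record:
    'ski' if a sensor already delivered keys for this client random,
    'proxy' to fall back to the existing MITM engine, 'unknown' otherwise."""
    client_random = client_random_from_record(first_record)
    if client_random is None:
        return "unknown"
    return "ski" if store.lookup(client_random) else "proxy"


def build_client_hello(client_random):
    """Build a minimal, constructed TLS 1.3 ClientHello record for the demo."""
    hello = (b"\x03\x03" + client_random   # legacy_version + random
             + b"\x00"                     # empty session id
             + b"\x00\x02\x13\x01"         # one suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                 # compression: null
             + b"\x00\x00")                # no extensions (enough for parsing)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    store = KeyStore()
    known = bytes.fromhex("11" * 32)
    # Constructed sample lines, as a sensor might forward them for one TLS 1.3 flow.
    for line in (f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {known.hex()} {'aa' * 32}",
                 f"SERVER_HANDSHAKE_TRAFFIC_SECRET {known.hex()} {'bb' * 32}",
                 f"CLIENT_TRAFFIC_SECRET_0 {known.hex()} {'cc' * 32}",
                 f"SERVER_TRAFFIC_SECRET_0 {known.hex()} {'dd' * 32}"):
        store.ingest_line(line)
    print(choose_engine(store, build_client_hello(known)))      # ski
    print(choose_engine(store, build_client_hello(bytes(32))))  # proxy
    print(store.can_decrypt_app_data(known))                    # True
```

The store holds live session secrets, so in a real deployment it is as sensitive as the traffic it unlocks: keys should move from sensor to inspection system over an authenticated, encrypted channel and be discarded when the flow closes, and the `ingest_line` rejection path is the place to count and alert on malformed or unexpected key material.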