author photo
By Bruce Sussman
Tue | Nov 19, 2019 | 1:30 PM PST

Remember those Spy vs. Spy cartoons from Mad Magazine?

Well, you could say Transport Layer Security Inspection (TLSI) is a little like that.

What is Transport Layer Security Inspection?

TLSI is about encryption vs. encryption. The National Security Agency simplifies it like this:

"To protect enterprise data and intellectual property, network security administrators enforce encryption policies to secure traffic to and from their networks.

However, adversaries also use encryption, often using it to hide their activities.

Normally, these activities—like command and control, loading malware into a network, and exfiltration of sensitive data—would be detected by traffic inspection devices, but those devices typically cannot inspect encrypted traffic."

A way around this challenge is TLS break and inspect, where security teams decrypt traffic, inspect the decrypted content for threats, and then re-encrypt the traffic before it enters or leaves the network. 

How can you mitigate the risks of TLSI?

And while this method helps with the original problem, it introduces new risks. Risks that the NSA wants to help organizations tackle.

Cybercriminals may target the decryption point specifically, for example.

The NSA issued a new Cyber Advisory on mitigating Transport Layer Security Inspection risk, and here are three key takeaways:

  • Breaking and inspecting TLS traffic should only be conducted once within the enterprise network.
  • Redundant TLSI, wherein a client-server traffic flow is decrypted, inspected, and re-encrypted by one forward proxy and is then forwarded to a second forward proxy for more of the same, should not be performed.
  • Inspecting multiple times can greatly complicate diagnosing network issues with TLS traffic. Also, multi-inspection further obscures
    certificates when trying to ascertain whether a server should be trusted.
  • In this case, the "outermost" proxy makes the decisions on what server certificates or CAs should be trusted and is the only location where certificate pinning can be performed.
  • Finally, a single TLSI implementation is sufficient for detecting encrypted traffic threats; additional TLSI will have access to the same traffic. If the first TLSI implementation detected a threat, killed the session, and dropped the traffic, then additional TLSI implementations would be rendered useless since they would not even receive the dropped traffic for further inspection.
  • Redundant TLSI increases the risk surface, provides additional opportunities for adversaries to gain unauthorized access to decrypted traffic, and offers no additional benefits.

See the complete NSA Cyber Advisory on Transport Layer Security Inspection.