Laying Down the Hammer on TLS 1.3


August 15, 2019

Laying Down the Hammer on TLS 1.3

For this week’s Black Hat USA 2019 and DEF CON, Valtix CTO Vijay Chander wrote an E-book titled “TLS Ramifications for Legacy Next-Gen Firewalls” that examines security implications about NGFW firewall deployment and reveals TLS best practices from Valtix for outside-in traffic in Public Cloud. You can download the E-Book today. 

Why it Matters

  • Most of the traffic inspected by firewalls in public cloud is encrypted via TLS
  • Public Cloud is the New Data Center
  • Data center security should work on strong TLS ciphers

Transport Layer Security (TLS) is in the process of embracing newer version of TLS, called TLS 1.3. One of the critical enhancements in TLS 1.3 is removing support for older broken forms of cryptography. One of them specifically is removing support for RSA key during TLS handshake. This CipherSuite does not provide perfect forward secrecy (PFS). Instead, TLS 1.3 prefers ciphers that use ECDHE. This critical feature is also becoming popular in widely adopted TLS 1.2 protocol. Lot of enterprises are now mandating support of TLS 1.2 protocol with cipher-suites that only support PFS.

Perfect Forward Secrecy (PFS)

One can refer to the CloudFlare’s blog at to understand why there is a big move to TLS handshake protocols that only support PFS.

PFS guarantees that a fresh public key is created for every single connection. That means that an adversary would need to break the key for each connection individually to read the communication. And the keys are ephemeral: the server forgets them when connections are done. This is unlike RSA CipherSuite wherein if a server’s private keys are leaked, if someone had recorded TLS connections: with the private key they could all be decrypted.

We are not going in-depth on what TLS 1.3 spec or Diffie Hellman Exchange as there are plenty of other blogs and IETF publishing coverage on this topic.

However, legacy network security solutions such as Firewalls and Intrusion Prevention Systems (IPS) rely on network traffic inspection to implement network security policies. When traffic is encrypted with TLS, typical network security solutions address this problem by becoming a man-in-the-middle (MITM) for the TLS session. 

One side affect of enterprises adopting TLS 1.3 (or TLS 1.2 with PFS CipherSuites) is that firewalls now need to do full TLS proxy before they can inspect the traffic. Doing a full TLS proxy means that firewalls need to participate in TLS handshake which can be quiet CPU intensive. Since legacy firewalls have challenges scaling to cloud scale, the recommended public cloud for outside-in traffic security practice is to prescribe load balancer sandwich that increases complexity and load balancer OPEX as TLS traffic increases.

Above is a basic and common PCI compliant design for AWS cloud workloads. The security impacts from the decrypted clear-text traffic (red zone) between frontend and backend load balancers certainly breaks Encryption Everywhere mandate for cloud migration and security optimization. In the red zone above, clear traffic hits the wire and hypervisor which violates Encryption Everywhere mandate.

Valtix takes a new approach to operationalize network security in Public Cloud with the controller-based Valtix Network Security Platform. The Valtix Cloud Firewall offers native decryption/re-encryption of TLS with Perfect Forward Secrecy (PFS) and full proxy capabilities that greatly simplify your deployment architectures, reduce OPEX expenses and most importantly ensuring the best security practices.

Valtix Security Platform eliminates the need for redundant network components required for TLS decryption/encryption; instead, it support native TLS with the ability to perform: 

  • Vertical scaling from basic to advanced parallel instances accelerating TLS, and 
  • Horizontal scaling (managed fully by Valtix Cloud Controller) by adding more instances in a single cluster to address increased TLS processing requirements. 

This gives security, DevOps and IT teams a complete and secure solution for advanced inspection, monitoring and compliance in their public cloud workloads.

Next Steps

  • Watch Valtix’s CTO Vijay Chander and CPO Brian Lazear on YouTube on TLS security implications and in-depth solution discussion. 
  1. To schedule a meeting at Black Hat USA 2019, schedule your meetup here. 

References: 

https://www.ietf.org/blog/tls13/
https://tools.ietf.org/id/draft-camwinget-tls-use-cases-03.html
https://www.darkreading.com/application-security/tls-13-wont-break-everything/a/d-id/1332767
https://www.techrepublic.com/article/tls-1-3-is-approved-heres-how-it-could-make-the-entire-internet-safer/
https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/
https://blog.cloudflare.com/introducing-tls-1-3/
https://blog.cloudflare.com/staying-on-top-of-tls-attacks/