PROBLEM: There is a growing amount of traffic that cannot be decrypted by forward-proxy/man-in-the-middle methods, including traffic authenticated with pinned certificates, mutual TLS, or client certificates, as well as an increasing number of latency-sensitive applications and protocols. As a result, inspection systems such as secure web gateways (SWG), secure access service edge (SASE), and other systems that rely on the forward-proxy method, including next-gen firewalls (NGFW) and intrusion prevention systems (IPS), are losing inspection and protection capabilities. Additionally, the increasing administrative and support burden placed on the end-user customer for management and configuration adds to the overall impact on user experience and on the enterprise's overall security.
BUSINESS IMPLICATIONS: These technical realities lead to business implications for providers of inline inspection tools. With reduced product efficacy, products provide reduced value and increased overhead to customers. Long, complicated demos, evaluations, and POCs, compounded by growing selling obstacles, slowing sales velocity, and higher volumes of more complex support tickets, increase the overall cost to the business. In short, TLS decryption is hard and getting harder, and has a growing negative impact on business performance for providers.
Nubeva delivers a breakthrough solution to modern TLS decryption for the SWG/SASE industry. SKI is a software-based TLS decryption technology that can be easily added to any system as an optional, incremental engine to decrypt pinned-certificate and mutual TLS/client-certificate-based traffic, as well as all other TLS traffic as needed. SKI operates with insignificant latency, allowing support for latency-sensitive applications as well as improving user experience on any other TLS traffic desired.
SKI fills the growing gaps left behind by man-in-the-middle engines, allowing solution providers to dramatically increase product effectiveness and value and reduce administrative overhead for customers, and in doing so increase sales velocity and reduce support costs.
Add Incremental Value to Your Product
Decrypt pinned-certificate and client-certificate traffic, unlocking applications such as MS365, G-Suite, iCloud, Dropbox, DocuSign, and other pinned traffic as well as mutual TLS/client-side certificate-based sessions.
SKI-based decryption does not proxy handshakes or connections, nor does it modify production packets, enabling DPI on latency-sensitive applications.
SKI decryption does not require CA installs, server keys, or PKI integration. SKI can dramatically decrease the operational overhead of bypassing difficult traffic.
Deliver More Value to Your Customers
With expanded DPI capabilities, provide an expanded solution option to customers and remove the need for inline decryption projects and budgets.
With increased functionality and reduced complexity, the selling process is simplified, win rates and deal sizes grow, and customer adoption and value realized dramatically improve.
SKI reduces pre and post-sales engineering requirements and support ticket quantity and complexity leading to reduced cost of sales and support.
Adding Nubeva SKI to your products can be fast and easy, allowing you to get to market quickly with low entry hurdles. SKI can be added as an optional engine on top of existing decryption, or as the primary engine for ease-of-use and performance improvements on all TLS, falling back to man-in-the-middle as needed.
The core concept of SKI is to capture session keys from TLS servers and clients and forward them to the SWG/SASE system for use in real-time decryption. SKI can deliver keys before TLS handshakes complete and before the first packet arrives. With session keys available, simple, high-speed, and low-cost bulk decryption is available for any traffic in real time. Simply match traffic with keys using the session's client random, decrypt, inspect, and process the traffic accordingly. The same keys can be used to re-encrypt traffic in the event it needs to be modified. If no session key is provided, simply continue using the existing decryption engine.
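The matching step described above, as an added illustration that is not Nubeva's code and does not use the SKI library: session secrets arrive keyed by the 32-byte client random (the NSS key log format written by SSLKEYLOGFILE-aware TLS stacks is assumed here as the transport format), so an inspection engine indexes them by client random, pulls the client random out of the first ClientHello record of each flow, and looks it up. A miss is the signal to fall back to the existing decryption engine. The ClientHello and key log lines below are constructed test fixtures, not captured traffic.

```python
import struct
from typing import Dict, Optional

# Labels used by the NSS key log format; CLIENT_RANDOM carries a TLS 1.2
# master secret, the others carry TLS 1.3 traffic secrets.
KEYLOG_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}


def parse_keylog(text: str) -> Dict[bytes, Dict[str, bytes]]:
    """Index key log lines as {client_random: {label: secret}}.

    Comments, blank lines, unknown labels, malformed hex and randoms that are
    not exactly 32 bytes are skipped rather than trusted.
    """
    index: Dict[bytes, Dict[str, bytes]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KEYLOG_LABELS:
            continue
        label, random_hex, secret_hex = parts
        try:
            client_random = bytes.fromhex(random_hex)
            secret = bytes.fromhex(secret_hex)
        except ValueError:
            continue
        if len(client_random) != 32:
            continue
        index.setdefault(client_random, {})[label] = secret
    return index


def extract_client_random(record: bytes) -> Optional[bytes]:
    """Return the 32-byte random from a TLS record carrying a ClientHello, else None."""
    if len(record) < 5 + 4 + 2 + 32:
        return None
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:  # not a handshake record
        return None
    body = record[5:5 + rec_len]
    if len(body) < 4 + 2 + 32 or body[0] != 0x01:  # not a ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len > len(body) - 4:  # truncated handshake message
        return None
    # handshake header (4) + client_version (2), then the 32-byte random
    return body[6:38]


def lookup_secrets(record: bytes, index: Dict[bytes, Dict[str, bytes]]) -> Optional[Dict[str, bytes]]:
    """Match a flow's first record to delivered secrets; None means 'use the fallback engine'."""
    client_random = extract_client_random(record)
    if client_random is None:
        return None
    return index.get(client_random)


def build_client_hello(client_random: bytes, sni: str = "example.test") -> bytes:
    """Construct a minimal but well-formed ClientHello record (test fixture only)."""
    name = sni.encode()
    server_name = b"\x00" + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = struct.pack("!H", 2) + b"\x13\x01"  # TLS_AES_128_GCM_SHA256
    body = (b"\x03\x03" + client_random + b"\x00"      # version, random, empty session id
            + cipher_suites + b"\x01\x00" + extensions)  # suites, null compression, extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample: one TLS 1.3 session with all four traffic secrets, one
# unrelated TLS 1.2 session, plus a comment and a junk line that must be ignored.
SAMPLE_CLIENT_RANDOM = bytes(range(32))
SAMPLE_KEYLOG = (
    "# constructed sample in NSS key log format\n"
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {SAMPLE_CLIENT_RANDOM.hex()} {'11' * 32}\n"
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {SAMPLE_CLIENT_RANDOM.hex()} {'22' * 32}\n"
    f"CLIENT_TRAFFIC_SECRET_0 {SAMPLE_CLIENT_RANDOM.hex()} {'33' * 32}\n"
    f"SERVER_TRAFFIC_SECRET_0 {SAMPLE_CLIENT_RANDOM.hex()} {'44' * 32}\n"
    f"CLIENT_RANDOM {'ab' * 32} {'cd' * 48}\n"
    "this line is not a key log entry and is skipped\n"
)


def demo() -> Optional[Dict[str, bytes]]:
    """Index the sample secrets and match the constructed ClientHello against them."""
    index = parse_keylog(SAMPLE_KEYLOG)
    return lookup_secrets(build_client_hello(SAMPLE_CLIENT_RANDOM), index)


if __name__ == "__main__":
    for label, secret in (demo() or {}).items():
        print(f"{label}: {secret.hex()}")
```

The returned secrets are what a record-layer decryptor consumes next: the TLS 1.3 traffic secrets (or the TLS 1.2 master secret) are expanded into the AEAD keys and IVs for each direction, after which the flow can be decrypted and, as the page notes, re-encrypted with the same material if it is modified. Indexing before the handshake completes is what lets keys delivered early be used as soon as the first record arrives.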
Nubeva provides software to get keys and to decrypt using keys. Our comprehensive suite of software components, available in source or binary forms, enables fast and flexible SKI decryption implementation into most product sets. While there are many implementation models and options for inline inspection systems, here are the basics.
Nubeva has perfected learning and exporting keys from application and TLS process memory as they are created during the TLS handshake. Simply deploy our session key learning software on any VM, node, or endpoint.
Key learning software is delivered as a C library or as turnkey agents and containers, in binary or source code form. Key extraction is 100% reliable. This read-only micro-process is ultra-secure, transparent, and non-disruptive to application code; it does not impact applications and operates with minute memory and CPU requirements. Get keys for:
Any TLS 1.3, 1.2, and legacy versions.
Any session, north-south or east-west, including pinned-certificate and client-certificate sessions.
Traffic to internet, cloud, and other third-party servers and services.
Bare metal, VMs, and container hosts in the datacenter or cloud, and/or client endpoints.
OS and commercial applications as well as malware communications.
Get Started:
Have an agent? - Add the ability to get session keys simply and easily using the SKI Sensor C Library
No agent? - Add to your portfolio with Nubeva's off-the-shelf SKI Sensor Agents and Containers
Don't want to have an agent? - Resell Nubeva-labeled sensors. Or, simply add the ability to receive and decrypt using session keys to your system, and let your customers provide the keys from a growing list of systems with Nubeva SKI Sensor Technology or any other key source.
Nubeva complements session key discovery with a suite of decryption support options, enabling IDS, NDR, and other passive vendors to add the ability to receive session keys and decrypt. We offer a multitude of implementation options to meet virtually any architectural model and go-to-market packaging scenario. Inspection systems need only minor modifications to receive keys and to decrypt using them. Decrypt using keys:
Enhance an existing datapath or add a net-new one.
Any traffic and any session.
Leverage crypto instruction set acceleration in standard CPUs.
Achieve ultra-high throughputs over 25Gb/s per core.
Minuscule CPU and memory resource requirements.
Get Started:
Already have decryption? - Add the ability to receive keys and decrypt by modifying your existing engine or utilizing Nubeva's SKI Decrypt TLS C library and reference code.
Don't have decryption? - Nubeva's Decryptor Containers and Keyserver Container provide a fast and easy implementation to receive keys and decrypt traffic onboard.
There is a myriad of implementation options spanning key acquisition, key transport and handling, and decryption.