Has encryption made your current firewall irrelevant?

Five SSL inspection capabilities you need in your next firewall.

The rapid increase in encrypted network traffic, coupled with the inability of most next-gen firewalls to inspect this traffic, has created a perfect security storm – one with dire consequences.

Over 80% of traffic on most networks is encrypted and it passes through the average firewall completely unfiltered. This is not due to a lack of desire to inspect it. Rather, it’s because most firewalls simply aren’t up to the task. And even when a firewall can inspect encrypted traffic, its TLS inspection is all too often poorly implemented, breaking many websites and delivering a poor user experience.

Unsurprisingly, hackers are catching on to this enormous blind spot in organizational security. They are starting to take advantage of this weakness to get threats onto networks and keep them there.

Read this paper to learn about how encryption has made most next-gen firewalls irrelevant, the challenges with TLS inspection, and the five SSL inspection capabilities you need to close this security gap.

Encryption Provides Privacy Not Security

People often believe that encrypted internet connections are “secure.” But “secure” from what, exactly?

Transport Layer Security, or TLS, is the encryption standard used on the internet today. The terms SSL and TLS are often used interchangeably. In fact, SSL is an old standard that has since been eclipsed by TLS. However, SSL remains the more common term. Just know that most people mean TLS when they say SSL.

TLS is designed to provide confidentiality and authenticity by encrypting the communication between two parties and verifying that the server is who it claims to be, based on its certificate and who issued it.


The lock symbol in your browser indicates the connection is encrypted – for privacy.


What TLS encryption does NOT do is secure, or provide assurance of, the content of the web page. A site hosting malware payloads can have a perfectly valid encrypted and ‘secure’ connection.

When someone claims their connection to a web server is secure, they really just mean it’s secure from eavesdropping (although even that may not be the case). This is why it’s so important to inspect encrypted traffic.

TLS Inspection is Not Easy

The challenge with TLS inspection is that TLS is a very complex protocol. Different certificates must be exchanged and the cipher suites to be used need to be negotiated in order to determine how the connection should be encrypted. Compounding matters further, there are several TLS versions, and many applications and web services do things differently.

As a result, it’s very possible, despite having rigorous standards, for things to be incompatible. This presents enormous challenges for any security solution that attempts to inject itself into the process in order to inspect and secure the content that is exchanged.

The Importance of TLS 1.3 and Dispelling Some Myths

The good news is that the latest TLS standard, TLS 1.3, offers a number of advantages over its predecessors in the area of performance, privacy, and addressing vulnerabilities.

TLS 1.3 adoption on servers is still in the early days, but all major browsers now support this standard. However, due to the complexities and R&D effort required to implement it, many firewalls with TLS inspection on the market today don’t fully support 1.3. Instead, they force a downgrade to TLS 1.2. This opens those connections up for exploitation and attack due to legacy vulnerabilities.

As with many new technologies, there are a number of myths or common misunderstandings around inspecting TLS 1.3. These include claims that flat-out declare that TLS 1.3 cannot be inspected. This is false. While it’s true that passive TLS inspection, which was done on the side-lines, is no longer possible, with the participation of a cooperating endpoint – as you have on a corporate network – inspection is still entirely possible.

Another claim is that by inspecting encrypted traffic flows, you’re somehow making them less secure. This is true if you downgrade a TLS 1.3 connection to TLS 1.2, as many SSL inspection solutions do today. The vulnerabilities in TLS 1.2 open the door to possible exploitation by a malicious man-in-the-middle (MITM) attack. TLS 1.3 has been designed to address these vulnerabilities, so inspecting this traffic without downgrading the connection does not introduce risk.

And lastly, some will claim that certificate pinning makes TLS inspection impossible. While this is true for some applications with hard-coded certificates, most applications use a certificate pinning approach that respects the resigning certificate and will continue to work with SSL inspection solutions.

The Importance of Certificate Validation

Certificate validation is a fundamental component of TLS, as it enables the client (or an inspection device like your firewall) to verify the identity of the server it is communicating with.

However, for certificate validation to work, it needs to be implemented properly. If not, firewalls, and the endpoints they are connected to, can be fooled into thinking they are talking to a server they are not, opening the door for a malicious MITM attack.

Balancing Performance, Privacy, and Protection

In addition to all the technical complexities with TLS encrypted traffic flows, there are policy and regulatory constraints that need to be considered and respected as well. Plus, trusted corporate application traffic and streaming media can make up a good portion of SSL encrypted traffic that may justify inspection.

The bottom line is that not all SSL traffic can or should be treated the same. It’s a balancing act: you have to balance privacy, security, compliance, and performance. Some jurisdictions may dictate the balance, while in others, you’re left to your own devices to come up with a suitable balance for your organization.

Unfortunately, the limitations in SSL inspection solutions in most firewalls on the market today force organizations to adopt a very unbalanced approach: security and compliance needs are sacrificed in the struggle to provide essential performance and interoperability.

Encrypted Traffic Volume is Approaching 100%

Most internet connections are now fully encrypted. In fact, on most platforms, over 80% of web sessions are now encrypted according to the Google Transparency Report, a dramatic increase from about 60% just two years ago.


The volume of encrypted traffic is up dramatically in the last two years and trending towards 100%.

Has Encryption Rendered Your Firewall Irrelevant?

This dramatic growth in encrypted traffic has created an enormous security blind spot for most organizations. Their current firewalls are simply not up to the task of inspecting this volume of encrypted sessions. In effect, TLS encryption has made most firewalls irrelevant as they no longer have insight into the majority of traffic passing through the network.

The Real Danger is the Threats Hiding in Encrypted Traffic

With the explosive growth in TLS encryption in recent years, it’s probably no surprise that hackers are catching onto this trend and leveraging it to help get malware on your network undetected – and keep it there. In fact, according to SophosLabs, around one-third of malware and unwanted applications enter the network through TLS encrypted flows.


The percentage of malware and unwanted applications that enters the network through TLS encrypted flows. Source: SophosLabs, 2019


Once a threat gets on the network, it will use every trick in the book to remain undetected. Increasingly, this includes employing TLS encryption to communicate.

Many Trojans, like the notorious TrickBot, IcedID, or Dridex, are designed to harvest and steal sensitive information and credentials. They increasingly rely on encryption to transmit data out of the organization.

Using TLS allows commands sent to the client from control servers to remain undetected while also hiding the information collected from the network as well as any further payloads downloaded to the compromised host.




Hackers are also starting to host malicious content on legitimate sharing services like Pastebin that utilize TLS encryption to ensure the privacy of the content. This provides perfect obfuscation for malware, enabling threats to get into most networks undetected.

It’s not just threats that are utilizing encryption to remain undetected; potentially unwanted applications like spyware, adware, and browser toolbars, as well as peer-to-peer file sharing clients and proxy avoidance tools also use encryption to evade firewall detection.

Most Organizations Are Powerless to Act

As we’ve seen, TLS inspection is complex and resource intensive. As a result, enabling firewalls to properly inspect TLS encrypted traffic in an efficient and effective manner requires very significant R&D investment.

The reality is that most firewalls today lack proper TLS inspection capabilities. They are unable to inspect encrypted traffic without causing an unacceptable impact on network performance.

Furthermore, poor inspection implementations that don’t support the latest standards result in downgraded security, which in turn opens organizations up to vulnerabilities while also creating a very poor user experience.

Five Things to Look for in Your Next Firewall

To minimize the risk from encrypted network traffic, ensure that your next firewall includes these top five TLS Inspection capabilities:

1. The latest TLS 1.3 and cipher suite support. While adoption of TLS 1.3 is still in the early days, it would be unwise to buy a firewall without TLS 1.3 support.

2. A streaming engine solution that enables inspection of all TLS traffic across all ports/protocols and is faster using fewer connections than a traditional web proxy-based solution.

3. Robust certificate validation able to handle invalid, self-signed, revoked, or untrusted certificates to avoid potential malicious Man-in-the-Middle (MITM) attacks.

4. Powerful and flexible policy tools that provide granular control over what to decrypt and inspect, enabling you to build the right balance of privacy, protection, and performance for your organization.

5. High performance, with sufficient connection handling, efficient decryption, hardware acceleration, and overall power to handle your encrypted traffic volumes efficiently.
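As an added illustration of the certificate validation requirement (item 3 above and the earlier section on certificate validation), and not code from this paper or from XG Firewall: a Python check over a server certificate in the dict form Python's ssl.getpeercert() returns, with constructed sample certificates. It assumes chain trust and revocation are handled by the TLS library, and shows the rule an inspecting device must follow: only a clean upstream certificate may be re-signed with the trusted resigning CA.

```python
import ssl
import time

def _hostname_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname

def check_upstream_cert(cert, hostname, now=None):
    """Return the problems found in a server cert given in getpeercert() dict form.
    Chain trust and revocation (OCSP/CRL) are left to the TLS library; this covers
    the validity window, self-signed issuers and the SAN hostname binding."""
    problems = []
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed")
    # Browsers ignore the CN today, so only subjectAltName DNS entries count.
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not any(_hostname_matches(n, hostname) for n in names):
        problems.append("hostname mismatch")
    return problems

def may_resign(cert, hostname, now=None):
    """The inspecting firewall may re-sign a flow with its own trusted CA only when
    the upstream cert is clean; otherwise the client must see the error or a block
    page, never a freshly minted 'valid' cert that launders the broken one."""
    return not check_upstream_cert(cert, hostname, now)

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns (not real certs).
FIXED_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "notBefore": "Jan 15 00:00:00 2025 GMT",
    "notAfter": "Jan 15 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
SELF_SIGNED = dict(GOOD_CERT, issuer=GOOD_CERT["subject"])   # issuer == subject
EXPIRED = dict(GOOD_CERT, notAfter="Jun 1 00:00:00 2025 GMT")  # lapsed before FIXED_NOW
```

Untrusted issuers and revoked certificates are the two cases this check cannot see on its own; they need the chain verification and OCSP/CRL lookups the firewall's TLS stack performs.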

Sophos XG Firewall – Designed for the Modern Encrypted Internet

The Xstream architecture in XG Firewall offers a ground-up solution for eliminating the network traffic blind spot without impacting performance. It delivers:

  • High performance – a lightweight streaming engine with high connection capacity

  • Unmatched visibility into your encrypted traffic flows and any errors

  • Top security, supporting TLS 1.3 and all modern cipher suites with robust certificate validation

  • Inspection of all traffic, being application and port agnostic

  • A great user experience with extensive interoperability to avoid breaking the internet

  • Powerful policy tools, offering the perfect balance of performance, privacy, and protection

The new Xstream architecture in XG Firewall provides the ultimate solution to the biggest challenge in network security today.
