Recommendation

Deep Discovery Inspector (DDI) now has the capability to decrypt and inspect outbound TLS traffic. If your appliance supports inline deployment and you want to inspect TLS traffic, you can configure DDI to do so.

When DDI is deployed inline:

  • DDI acts as a layer 2 bridge between network devices and is transparent on the network.
  • Only traffic flowing through the inline ports is inspected.
  • DDI does not have the ability to block traffic. It can only inspect traffic.
 
Inline deployment can be supported in DDI by adding an Inline (LAN Bypass) network interface card. For detailed steps, refer to the Inline (LAN-bypass) Network Interface Card Installation Guide.
 

Configuration

Configuration for TLS inspection mainly consists of three parts: the Decryption Policy, Certificate Management, and Domain Tunneling. You also need to know about Traffic Bypass mode and how to test the TLS inspection feature.

The illustration below shows the objects that make up the Decryption Policy matching logic. For DDI to identify the TLS traffic that needs to be decrypted, configure these objects accordingly.

DecryptionPolicy

 

  1. Configure client IP addresses
    1. Log on to the DDI web console and go to Administration > Monitoring/Scanning > TLS Traffic Inspection > Decryption Policy > Client IP Addresses.

      ClientIP

    2. Click Add or Import to specify the client IP addresses to decrypt in the Decrypt section.
    3. Click Add or Import to specify the client IP addresses to exclude from decryption in the Exceptions section.
  2. Configure Server Ports for decryption in the Server Ports section.

    ServerPorts

  3. Configure Domain Categories and Domain Objects to decrypt in the Server Domains section.

    ServerDomains

  4. Click Save after configuring all the necessary parts.

DDI acts as a proxy on behalf of the client and verifies the server certificate when inspecting TLS traffic. For DDI to verify the server, the CA that issued the destination server's certificate must be present as a Trusted CA Certificate. DDI imports the Mozilla CA certificate bundle by default, so only CA certificates outside that bundle need to be added.

  1. Import any additional CA certificate that is needed.
    1. Go to Administration > Monitoring/Scanning > TLS Traffic Inspection > Certificate Management > Trusted CA Certificates tab. Click Add.

      CertificateManagement

    2. Click Select, choose the new certificate, and click Add.

      AddtrustedCA

    3. Check that the new certificate is added with a “Valid” status.
  2. When TLS traffic inspection is enabled, the client connects to the destination server through DDI. For the client to trust DDI, you must import a Signing Certificate on the client.

You can do one of the following to configure the Signing Certificate:

Method 1: Deploy DDI’s self-signed certificate to clients.

  1. To download DDI’s certificate, go to Administration > Monitoring/Scanning > TLS Traffic Inspection > Certificate Management > Signing Certificate tab. Click Download Certificate.

    DownloadCertificate

  2. Install the downloaded certificate on the clients. For example, on Windows 10 you can import the certificate in the Certificate Manager console (press Windows key+R to open the Run dialog, type certmgr.msc, and press Enter). Alternatively, the user can open the certificate file and click Install Certificate….

    InstallCertificate

Method 2: Import a certificate signed by the company CA into DDI, and deploy the company CA certificate to clients.

  1. To generate and download a CSR, go to Administration > Monitoring/Scanning > TLS Traffic Inspection > Certificate Management > Signing Certificate tab. Click Generate CSR.

    SigningCertificate

  2. Sign the CSR using the company CA's private key and certificate to generate a Signing Certificate.

    For reference, here are the steps to issue the certificate using Microsoft Active Directory Certificate Services.

    Steps:

    1. Log in to Microsoft Active Directory Certificate Services and select Request a certificate.
    2. Select the option to submit an advanced certificate request.
    3. Paste in the data from your CSR.
    4. Set Certificate Template to Subordinate Certification Authority and click Submit.
    5. To download your certificate, select DER encoded and click Download certificate.
  3. Click Import and Replace Certificate to import the certificate signed in the previous step into DDI.

    ImportReplaceCert

  4. On the client, import the company CA certificate that signed the CSR.
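As an added example (not part of Trend Micro's procedure), the following script performs the same Subordinate Certification Authority signing step with OpenSSL, for environments whose company CA is not AD CS. It assumes the company CA key and certificate are files named company-ca.key and company-ca.pem; the locally generated root CA and the stand-in CSR are constructed here only so the script runs offline, whereas in practice ddi.csr is the CSR downloaded from the DDI console.

```shell
#!/bin/sh
# Added example, not Trend Micro's own procedure: sign DDI's CSR as a
# subordinate CA with OpenSSL (equivalent of the AD CS "Subordinate
# Certification Authority" template), output DER, and verify the result.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed company root CA (assumption: in production you already have
# company-ca.key and company-ca.pem and skip this function).
make_company_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Company Root CA" \
    -keyout "$WORK/company-ca.key" -out "$WORK/company-ca.pem" 2>/dev/null
}

# Stand-in for the CSR downloaded from the DDI console via Generate CSR.
make_stand_in_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=DDI TLS Inspection" \
    -keyout "$WORK/ddi.key" -out "$WORK/ddi.csr" 2>/dev/null
}

# The signing certificate re-issues server certificates to clients, so it
# must itself be a CA certificate (CA:TRUE, keyCertSign); pathlen:0 stops it
# from issuing further CAs. DER output matches the "DER encoded" download.
sign_ddi_csr() {
  cat > "$WORK/subca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
  openssl x509 -req -in "$WORK/ddi.csr" -CA "$WORK/company-ca.pem" \
    -CAkey "$WORK/company-ca.key" -CAcreateserial -days 730 \
    -extfile "$WORK/subca.ext" -out "$WORK/ddi-signing.pem" 2>/dev/null
  openssl x509 -in "$WORK/ddi-signing.pem" -outform DER \
    -out "$WORK/ddi-signing.der"
}

# A client that trusts only the company CA must accept the signing
# certificate, and the certificate must really carry CA:TRUE. Prints OK/FAIL.
verify_signing_cert() {
  if openssl verify -CAfile "$WORK/company-ca.pem" "$WORK/ddi-signing.pem" >/dev/null 2>&1 &&
     openssl x509 -in "$WORK/ddi-signing.pem" -noout -text | grep -q 'CA:TRUE'; then
    echo OK
  else
    echo FAIL; return 1
  fi
}
```

Import ddi-signing.der into DDI with Import and Replace Certificate, and deploy company-ca.pem to the clients as in step 4.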

  1. Enable TLS traffic inspection.
    1. Go to Administration > Monitoring/Scanning > TLS Traffic Inspection > Inspection Settings and toggle Enable TLS traffic inspection.

      EnableTLS

  2. DDI lists TLS connections that it was unable to inspect in the tunneled domain list in the web console. When the Domain Tunneling feature is enabled, DDI does not inspect new connections between a client-domain pair in the tunneled domain list for the next 24 hours.
    1. To manage Domain Tunneling, go to Administration > Monitoring/Scanning > TLS Traffic Inspection > Inspection Settings.
    2. Enable or disable this feature with the toggle button.
    3. You can also view the list of tunneled domains by clicking Configure tunneled domains.

      DomainTunneling

    4. If inspection of a TLS connection to a domain or URL fails and the domain is trusted, configure it as an exception in the Domain Objects section of the Decryption Policy screen. To stop decrypting TLS traffic for a domain, click Move to Domain Exceptions.

      DomainExceptions

    5. To delete a domain from the Tunneled domains list, first move it to the Domain Exceptions, then remove it in the Administration > Monitoring/Scanning > TLS Traffic Inspection > Decryption Policy > Domain Objects section.

      DomainObjects

When DDI is deployed as an inline appliance and configured to decrypt TLS traffic, an event such as a system crash, power outage, or other unexpected condition may affect network accessibility. DDI uses traffic bypass to cross-connect the two physical network ports, so that DDI does not become a single point of failure in the network.

DDI can automatically enable traffic bypass, or you can manually enable traffic bypass.

Automatic traffic bypass

DDI performs self-health checks. If an issue is detected, DDI automatically enters traffic bypass mode to prevent the potential impact on the network. When this occurs, a global notification appears in the management console, and if configured, DDI can send an email notification or an SNMP trap.

DDIbypassissue

 

Manual traffic bypass

You can manually enable traffic bypass mode. To do so, go to Administration > System Settings > Network Interface and toggle Enable manual traffic bypass.

Inlineinterface

 

You can also enable traffic bypass mode in the pre-configuration console. For more details, see the Installation and Deployment Guide.

 
Issues such as a power outage, system hang, or kernel panic can prevent DDI from sending email notifications and SNMP traps. Trend Micro recommends using tools such as an NMS or system monitoring to identify these issues.
 

It is important to check that TLS traffic is actually inspected by DDI after the feature is enabled. You can check this using the eicar.org website.

  1. Prepare a Windows client. The IP address of this client should be in the Decrypt field of the Administration > Monitoring/Scanning > TLS Traffic Inspection > Decryption Policy > Client IP Addresses section.

    ClientIPaddress

  2. Import a certificate to this client. It should be the one you decided to use as the signing certificate in the 9.2.2: Configure Certificate section.
  3. If “secure.eicar.org” is not included as a TLS inspection target in the Administration > Monitoring/Scanning > TLS Traffic Inspection > Decryption Policy > Server Domains section, add it either as a domain category (General > Computers/Internet) or as a domain object (secure.eicar.org).

    ServerDomain

    Domainobject

  4. In the browser on the client, open “https://secure.eicar.org/eicar.com”. The file should be downloaded.
  5. Check the DDI log: go to Detections > All Detections. In the Detection Details report you can see that DDI detected the file inside the TLS connection.

    DDIDetection

    Protocolinformation