SSLSplitter

SSLSplitter is the software product for interpretation of SSL traffic created in partnership of Microolap Technologies and ArtX companies.

Principle of work

SSLSplitter is established "in a gap" networks on perimeter of the organization, proxying all network traffic. Finding the beginning of a SSL session in network connections, SSLSplitter for all such connections executes substitution of certificates (Man-in-the-Middle), being represented to the client of connection by the server, and to the server by the client. Thus, SSLSplitter sees all data of SSL connections in not encoded type. For finding of the beginning of SSL connection in a session the signature is used that allows to decrypt traffic regardless of network port of the server of connection. All not encoded connections are missed without changes.

Work SSLSplitter is result of one or more copies of the decrypted network traffic, sent to Mirror-interfaces to which systems for the analysis of the decrypted network connections are connected.

For substitution of certificates SSLSplitter can use both the self-signed certificate and issued in certification center. Anyway, on devices of users which traffic decrypts SSLSplitter in the entrusted root certificate authorities either the certificate of SSLSplitter, or the certificate of certification center used for release of the certificate of SSLSplitter should be set.

SSLSplitter supports work in two modes:

• The transparent mode (Bridge) - in this SSLSplitter mode functions at the L2 level of a network model of OSI, being invisible to a customer network.
• The mode of the gateway (Router) - in this SSLSplitter mode functions at the L3 level of a network model of OSI, being the gateway for a customer network, i.e. it is obviously specified in network settings of users as a network gateway.

In SSLSplitter the mechanism of exceptions allowing to pass without changes and interpretation of connection to Internet services which are not required to be controlled is developed. Thus the following problems are solved:

• Exception of users whose traffic is not required to be decrypted;
• The exception of web services which traffic is not necessary or cannot be decrypted, such as:
  • Internet clients of banks;
  • web interfaces of the different systems including using enciphering with the help a token keys;
  • Internet services which clients use the certificate of the server (certificate pinning) which is strictly registered in the application.

Exceptions register both to the IP addresses of clients and servers, and by Internet domains. Also for simplification of work with exceptions are maintained wildcard-syntax, for example, of "*.domain.com".

In SSLSplitter there is also a setup of autoexceptions (auto-bypass) – an opportunity to bring automatically in temporary exceptions of connection which could not be established a certain number of times for the set period. Autoexceptions are stored time set in settings for which the administrator can or transfer them to constants, or announce developers a problem with the requirement of its solution. This functionality considerably simplifies process of integration of SSLSplitter due to risk minimization of failure of business applications.

Features of the solution

• Interpretation of any protocols using SSL/TLS enciphering;
• Determination of SSL/TLS enciphering on signatures, but not on port number;
• Lack of the imposed functionality, only the solution of a problem of interpretation SSL/TLS traffic;
• Support of environments of virtualization;
• Support of all modern encryption algorithms, including GOST;
• Scalability and fault tolerance;
• Work in the L2 (bridge) and L3 (router) modes;
• Microolap Technologies performs direct technical support of users and partners in the Russian and English languages.

Scopes of application

The problem of opening of SSL/TLS connections naturally arises in many IT spheres where traffic observation or its change in real time is required.

Microolap SSLSplitter has no tough dependence on an ecosystem of any software maker (including other products Microolap) or a hardware platform – there is no vendor-lock. Therefore Microolap SSLSplitter can be used with any adjacent systems to which the solution of a problem of opening SSL/TLS connections is required.

Further two examples from real practice.

DLP solutions

At integration with DLP- solutions to services cybersecurity control over the ciphered traffic which in corporate environment is by different estimates from 50% to 75% returns. For example, control messengers (Skype [[Google Hangouts Mail.Ru Agent ICQ and so forth), control of web mail, social networks, cloud services (OneDrive Google Drive iCloud Yandex Disk and so forth), services of file sharing (FTPS servers, file hosting services and so forth), detection of use of the proxying solutions, control of unauthorized channels of personal e-mail (IMAP4S, SMTPS, POP3S, MAPI, NRPC protocols).

DPI solutions

At integration into DPI solutions allows cellular operators to solve problems of prioritization of SSL/TLS traffic and also to use caching and data modification in SSL connections (it will be available in the new version, the release is appointed to the beginning of 2018).