The value of network monitoring in an encrypted world

The rise of encryption

The last decade has seen encryption applied to a vast portion of internet traffic. Services offered by Google, Meta and Microsoft are all encrypted; indeed, around 80% of all web traffic now uses TLS encryption (the padlock in your browser next to the website address), compared with just 58% five years ago and 26% in 2014 (1). There are at least two drivers behind this change. Firstly, revelations about the monitoring performed by governments raised public awareness of how easily otherwise private activity could be intercepted. Secondly, the processing power required to encrypt on a universal basis has become readily available, helped by instructions built into processors (AES acceleration, for example) that vastly improve the efficiency with which encryption can be performed.

Historically, network monitoring could provide insight into users' online activity by analysing the data they sent across the internet. Much of that data can no longer be read. So what value, if any, remains in monitoring online traffic for legitimate purposes such as law enforcement?

Parts remain unencrypted

Some key parts of the way the internet works still aren’t encrypted!

DNS

The Domain Name System (DNS) is how a computer takes a web address and translates it into an Internet Protocol (IP) address it can use to connect to the correct destination. Monitoring DNS makes it possible to record which websites a computer has looked up and roughly when. There are limitations. DNS answers are cached by the computer that requested them, for as long as the time-to-live (TTL) in the answer allows, so repeat visits within that window generate no further queries and the number of times the destination was visited cannot be inferred. And although it is highly likely, looking up the IP address of a destination does not by itself prove that the address was visited; further monitoring of the connection would be required to confirm it.

Encrypted options for this service exist (DNS over TLS, RFC 7858, and DNS over HTTPS, RFC 8484) but they aren't generally used, and to a degree this is likely to remain the case for a while to come. Control of DNS allows network providers to implement lawful restrictions on websites, as governments can require of them; examples would be restricting access to websites selling illicit items or sharing unlawful images. There are still mechanisms to circumvent this method of control, but it raises the degree of technical knowledge required to do so. Another reason for the slow introduction of DNS encryption is technical compatibility: each of the various proposals to encrypt DNS would need to be implemented both by the networks and in every user device that uses them, something that takes time and money to achieve.
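As an added example (not code from the original post or from NetVision), the following Python parses a raw DNS response from the wire into the passive-DNS records a monitor would keep, and reports the caching window described above: the shortest TTL in the answer chain bounds how long the requester can revisit the name without another query appearing on the network. The response bytes are constructed inline for www.example.com with documentation-range addresses; the label decoder follows RFC 1035 compression pointers, which real answers use heavily.

```python
"""Passive DNS extraction from a raw DNS response (RFC 1035 wire format).
Added illustration; the sample response and addresses are constructed."""
import struct
from dataclasses import dataclass


@dataclass
class DnsRecord:
    name: str
    rtype: int      # 1 = A, 5 = CNAME, 28 = AAAA
    ttl: int        # seconds the requester may cache this answer
    rdata: str


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) domain name starting at offset.
    Returns the dotted name and the offset just past the name in the original
    byte stream (pointers are followed for content but do not advance it)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # two-byte compression pointer
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:                   # guard against pointer loops in malformed data
                raise ValueError("compression pointer loop")
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg: bytes) -> dict:
    """Return the question(s) and answer records of a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    questions = []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:       # A record: dotted quad
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == 5:                    # CNAME: another (compressible) name
            rdata, _ = read_name(msg, off)
        else:
            rdata = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append(DnsRecord(name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def cache_blind_window(answers: list[DnsRecord]) -> int:
    """Seconds during which the requester can revisit the name without a new
    query being visible on the wire: bounded by the shortest TTL in the chain."""
    return min(r.ttl for r in answers) if answers else 0


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


# Constructed sample: answer to "www.example.com A" via a CNAME chain.
# 0xC00C points back to offset 12 (the question name); 0xC010 to offset 16,
# the "example.com" suffix inside it.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 300, 2) + b"\xC0\x10"
    + b"\xC0\x10" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
)


def passive_dns_log(ts: str, client: str, msg: bytes) -> list[str]:
    """One log line per answer: the record a monitor would keep."""
    parsed = parse_response(msg)
    window = cache_blind_window(parsed["answers"])
    return [f"{ts} {client} {r.name} type={r.rtype} ttl={r.ttl} -> {r.rdata} "
            f"(no repeat query expected for up to {window}s)"
            for r in parsed["answers"]]


if __name__ == "__main__":
    for line in passive_dns_log("2024-01-01T12:00:00Z", "192.0.2.10", SAMPLE_RESPONSE):
        print(line)
```

The blind window is taken over the whole chain because a stub resolver that cached the CNAME for 300 seconds will re-query once it expires even though the A record is still good for an hour; the conservative figure is the one a monitor should log.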

TLS Handshake

Valuable information can be derived from the mechanism of encryption itself. Establishing an encrypted link begins with a process called a handshake, in which both ends of the link introduce themselves to each other. The first message is the Client Hello. In it the client will usually indicate the name of the service it wishes to connect to (the Server Name Indication, or SNI, extension) and whether it is trying to resume a session using encryption parameters it negotiated previously, by offering a session identifier, a session ticket or, in TLS 1.3, a pre-shared key; in other words, the handshake can suggest whether this is a first visit or not. When the server responds to a full (non-resumed) handshake it presents a certificate to prove its authenticity. In TLS 1.2 and earlier this certificate is sent in the clear and generally includes the name of the service being accessed; TLS 1.3 encrypts it, and where the newer Encrypted Client Hello extension is deployed the SNI is hidden too. Further value can be derived from monitoring this handshake from a network security perspective: fingerprinting the handshake between the client and the server (website), for instance from the cipher suites and extensions each side offers, can reveal an endpoint that is not the software it claims to be (2).
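An added example, not part of the original post or NetVision's own code, showing what a sensor can read from the Client Hello without decrypting anything: the SNI, the resumption hints (session ID, session ticket, TLS 1.3 pre-shared key) and a JA3-style fingerprint built from the cipher suites and extensions the client offers, which is the kind of fingerprinting referred to in (2). The Client Hello record is constructed inline for www.example.com; the random, session ID and session ticket contents are dummy bytes, and the fingerprint string layout (version, ciphers, extensions, groups, point formats, with GREASE values dropped) follows the public JA3 definition.

```python
"""Inspect a TLS ClientHello: SNI, resumption hints and a JA3-style fingerprint.
Added illustration; the ClientHello bytes are constructed, not captured."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClientHello:
    version: int                          # legacy_version field, 0x0303 for TLS 1.2/1.3
    session_id: bytes
    cipher_suites: list[int]
    extensions: list[tuple[int, bytes]]   # (type, data) in the order sent


def parse_client_hello(record: bytes) -> ClientHello:
    """Parse a TLS record carrying a ClientHello handshake message."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    off = 9                                              # record(5) + handshake(4) headers
    version = struct.unpack_from("!H", record, off)[0]
    off += 2 + 32                                        # version + random
    sid_len = record[off]
    session_id = record[off + 1: off + 1 + sid_len]
    off += 1 + sid_len
    cs_len = struct.unpack_from("!H", record, off)[0]
    off += 2
    suites = [struct.unpack_from("!H", record, off + i)[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + record[off]                               # compression methods
    ext_len = struct.unpack_from("!H", record, off)[0]
    off += 2
    end = off + ext_len
    extensions = []
    while off + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, off)
        extensions.append((etype, record[off + 4: off + 4 + elen]))
        off += 4 + elen
    return ClientHello(version, session_id, suites, extensions)


def server_name(hello: ClientHello) -> Optional[str]:
    """Host name from the server_name (SNI) extension, type 0."""
    for etype, data in hello.extensions:
        if etype == 0 and len(data) >= 5 and data[2] == 0:   # name_type 0 = host_name
            name_len = struct.unpack_from("!H", data, 3)[0]
            return data[5:5 + name_len].decode("ascii")
    return None


def resumption_signals(hello: ClientHello) -> list[str]:
    """Hints that the client wants to reuse earlier parameters. A session_id on
    its own is weak evidence: TLS 1.3 clients send a random one for compatibility."""
    ext = dict(hello.extensions)
    signals = []
    if hello.session_id:
        signals.append("session_id")
    if ext.get(0x0023):                     # session_ticket extension carrying a ticket
        signals.append("session_ticket")
    if 0x0029 in ext:                       # TLS 1.3 pre_shared_key
        signals.append("pre_shared_key")
    return signals


def is_grease(value: int) -> bool:
    """GREASE values (0x0A0A, 0x1A1A, ... 0xFAFA) are deliberate noise; exclude them."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3(hello: ClientHello) -> tuple[str, str]:
    """Return the JA3 string and its MD5 hex digest."""
    ext = dict(hello.extensions)
    groups = []
    if 0x000A in ext:                       # supported_groups: u16 list length, then u16 ids
        n = struct.unpack_from("!H", ext[0x000A], 0)[0]
        groups = [struct.unpack_from("!H", ext[0x000A], 2 + i)[0] for i in range(0, n, 2)]
    points = list(ext[0x000B][1:1 + ext[0x000B][0]]) if 0x000B in ext else []
    text = ",".join([
        str(hello.version),
        "-".join(str(c) for c in hello.cipher_suites if not is_grease(c)),
        "-".join(str(t) for t, _ in hello.extensions if not is_grease(t)),
        "-".join(str(g) for g in groups if not is_grease(g)),
        "-".join(str(p) for p in points),
    ])
    return text, hashlib.md5(text.encode()).hexdigest()


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _ext(etype: int, data: bytes) -> bytes:
    return _u16(etype) + _u16(len(data)) + data


def build_sample_client_hello() -> bytes:
    """Constructed TLS 1.2-style ClientHello for www.example.com offering a
    session ID and a session ticket (a resumption attempt) plus GREASE values."""
    name = b"www.example.com"
    exts = (_ext(0x0000, _u16(len(name) + 3) + b"\x00" + _u16(len(name)) + name)
            + _ext(0x000A, _u16(6) + _u16(0x001D) + _u16(0x0017) + _u16(0x0018))
            + _ext(0x000B, b"\x01\x00")
            + _ext(0x0023, b"\xAB" * 16)
            + _ext(0x1A1A, b""))
    suites = b"".join(_u16(s) for s in (0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F, 0x002F))
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x20" + b"\x22" * 32
            + _u16(len(suites)) + suites + b"\x01\x00" + _u16(len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


if __name__ == "__main__":
    hello = parse_client_hello(build_sample_client_hello())
    print("SNI:", server_name(hello))
    print("resumption hints:", resumption_signals(hello))
    print("JA3:", *ja3(hello))
```

The fingerprint is useful precisely because it describes the TLS library rather than the application: a process whose HTTP User-Agent says "Chrome" but whose fingerprint matches a Python or Go TLS stack is the mismatch the text refers to.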

Traffic Analysis

The insights described so far all come from direct observation of unencrypted data, but in the more general case the questions of 'when' and 'where' can be answered from encrypted traffic too. The fact that two points communicated with each other, the time at which that happened and the amount of data transferred in each direction can be used to infer the probable action. Obfuscation techniques such as Tor or VPNs can frustrate this type of inference, but again they raise the technical bar to hiding online.
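As an added illustration of the 'who', 'when' and 'how much' that survive encryption (not code from the original post or from NetVision), this Python groups packet metadata into bidirectional flow records, starts a new record after an idle gap, and infers a crude action class from the byte ratio alone without ever looking at a payload. The packets are constructed inline with documentation addresses; treating the source of the first packet seen as the client is a simplification a real session tracker would replace with SYN direction.

```python
"""Bidirectional flow records from packet metadata: who talked to whom, when,
and how much in each direction. Added illustration; packets are constructed."""
from dataclasses import dataclass

IDLE_TIMEOUT = 60.0   # seconds of silence after which a new flow record starts


@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int


@dataclass
class Flow:
    client: str          # source of the first packet seen defines the client side
    sport: int
    server: str
    dport: int
    proto: str
    first_ts: float
    last_ts: float
    bytes_out: int = 0   # client -> server
    bytes_in: int = 0    # server -> client
    pkts_out: int = 0
    pkts_in: int = 0

    @property
    def duration(self) -> float:
        return self.last_ts - self.first_ts


def build_flows(packets: list[Packet], idle_timeout: float = IDLE_TIMEOUT) -> list[Flow]:
    """Group packets into bidirectional flows keyed on the 5-tuple regardless of
    direction, closing a flow after idle_timeout seconds of silence."""
    active: dict[tuple, Flow] = {}
    finished: list[Flow] = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        key = (p.proto, *sorted([(p.src, p.sport), (p.dst, p.dport)]))
        flow = active.get(key)
        if flow is not None and p.ts - flow.last_ts > idle_timeout:
            finished.append(active.pop(key))
            flow = None
        if flow is None:
            flow = Flow(p.src, p.sport, p.dst, p.dport, p.proto, p.ts, p.ts)
            active[key] = flow
        if (p.src, p.sport) == (flow.client, flow.sport):
            flow.bytes_out += p.length
            flow.pkts_out += 1
        else:
            flow.bytes_in += p.length
            flow.pkts_in += 1
        flow.last_ts = p.ts
    finished.extend(active.values())
    return sorted(finished, key=lambda f: f.first_ts)


def classify(flow: Flow) -> str:
    """Crude inference of the probable action from the byte ratio alone."""
    ratio = flow.bytes_in / max(flow.bytes_out, 1)
    if ratio >= 3:
        return "download-heavy"
    if ratio <= 1 / 3:
        return "upload-heavy"
    return "balanced"


CLIENT, SERVER, RESOLVER = "192.0.2.10", "203.0.113.10", "203.0.113.53"

# Constructed capture: a DNS lookup, a TLS connection that pulls down a page,
# a 100-second pause, then a second connection on the same ports that uploads.
SAMPLE_PACKETS = [
    Packet(99.90, CLIENT, 53001, RESOLVER, 53, "udp", 60),
    Packet(99.95, RESOLVER, 53, CLIENT, 53001, "udp", 120),
    Packet(100.00, CLIENT, 51000, SERVER, 443, "tcp", 517),
    Packet(100.05, SERVER, 443, CLIENT, 51000, "tcp", 1400),
    Packet(100.10, CLIENT, 51000, SERVER, 443, "tcp", 250),
    Packet(100.20, SERVER, 443, CLIENT, 51000, "tcp", 1400),
    Packet(100.21, SERVER, 443, CLIENT, 51000, "tcp", 1400),
    Packet(100.22, SERVER, 443, CLIENT, 51000, "tcp", 900),
    Packet(200.00, CLIENT, 51000, SERVER, 443, "tcp", 517),
    Packet(200.05, SERVER, 443, CLIENT, 51000, "tcp", 100),
    Packet(200.10, CLIENT, 51000, SERVER, 443, "tcp", 1400),
    Packet(200.11, CLIENT, 51000, SERVER, 443, "tcp", 1400),
    Packet(200.12, CLIENT, 51000, SERVER, 443, "tcp", 1400),
]


def flow_report(packets: list[Packet]) -> list[str]:
    return [f"{f.first_ts:.2f} {f.client}:{f.sport} -> {f.server}:{f.dport}/{f.proto} "
            f"{f.duration:.2f}s out={f.bytes_out} in={f.bytes_in} {classify(f)}"
            for f in build_flows(packets)]


if __name__ == "__main__":
    print("\n".join(flow_report(SAMPLE_PACKETS)))
```

Even this crude report separates a page fetch from an upload and puts a time on each; a tracker like this is the basis for the timing and volume correlation the paragraph describes, and it is exactly what Tor's fixed-size cells and padding are designed to blunt.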

NetVision

NetVision is an ideal platform for implementing novel ideas such as this type of inferencing: the algorithms can be implemented using the most appropriate technology from its range of programmable chips, and its core processing components, such as configurable protocol stack processing and session tracking, can be reused to form the basis of new ideas. Combined with its management interface, updates (and roll-back) of deployed configurations can be managed across a suite of deployed sensors at the click of a button.
