Frequently Asked Question

What is network traffic decryption?
Last Updated 2 years ago

Most modern web traffic is encrypted with TLS (still commonly called SSL), which creates an encrypted connection between your computer and the website you are trying to reach so that nothing in between can read or alter what is exchanged.

Network traffic decryption deliberately introduces an intermediary into that connection: the core firewall, which can then "see" the contents of encrypted network traffic being routed through it.

The primary motivation for implementing network traffic decryption is security. With visibility into otherwise encrypted traffic, the core firewall can identify threats such as malware downloads, phishing pages and command-and-control connections, and block them at the network level before they ever reach the user's computer, which reduces the risk to users.

Decryption works by routing all outbound traffic through the core firewall. For sessions that are to be decrypted, the core firewall terminates the user's TLS connection itself: it presents the browser with a certificate for the destination site that it generates on the fly and signs with the SD59 root certificate, decrypts and inspects the request, then opens its own TLS connection to the intended destination and forwards the request on the user's behalf. The traffic is therefore still encrypted both between the user and the firewall and between the firewall and the internet; the only place it is visible in the clear is inside the firewall.
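The certificate handling described above is what makes the root-certificate installation further down necessary. The following Go program is an added illustration, not code from this page, from SD59 or from Palo Alto Networks: it builds a stand-in root CA (the name "SD59 Root CA" and the host www.example.org are placeholders), mints a site certificate for that host the way a decrypting firewall does, and then runs the same trust check a browser runs, once without the root in the trust store and once with it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair. A real firewall keeps its root key in
// protected storage; here it only lives in memory for the demonstration.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// MakeRoot builds a self-signed CA certificate standing in for the district
// root certificate (the common name is an assumed placeholder).
func MakeRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// MintLeaf does per site what the decrypting firewall does: it issues, on the
// fly, a certificate for the destination host signed by its own root instead of
// a public CA. Because the firewall holds the matching private key, it can
// terminate the browser's TLS session and read the plaintext.
func MintLeaf(host string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TrustDecision is the check a browser performs on the certificate it is shown:
// does it chain to a root in the trust store, and is it for the requested host?
func TrustDecision(leaf *x509.Certificate, host string, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	var unknown x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknown):
		return "untrusted: unknown authority"
	case errors.As(err, &hostErr):
		return "untrusted: hostname mismatch"
	default:
		return "untrusted: " + err.Error()
	}
}

func main() {
	root, rootKey, err := MakeRoot("SD59 Root CA")
	if err != nil {
		panic(err)
	}
	leaf, err := MintLeaf("www.example.org", root, rootKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer shown for www.example.org:", leaf.Issuer.CommonName)
	fmt.Println("browser without the root:", TrustDecision(leaf, "www.example.org", x509.NewCertPool()))
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	fmt.Println("browser with the root installed:", TrustDecision(leaf, "www.example.org", trusted))
}
```

The issuer on the minted certificate is the district root rather than a public CA, which is also how you can tell from a browser's certificate viewer that a given site is being decrypted. Without that root in the trust store the browser reports an unknown authority and shows a certificate warning; with it installed the same certificate verifies cleanly, and the hostname check still fails if the certificate is presented for a different site.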

The following diagram illustrates the traffic flow in a simplified view:

[Diagram: simplified traffic flow from the user through the core firewall to the destination website]

We understand that some communications are sensitive and should not be decrypted. Deciding which traffic is decrypted is driven largely by the URL categories assigned by Palo Alto Networks. We have identified the following categories as risky, and traffic categorized as such will be decrypted or blocked:

  • Command and Control
  • Dynamic DNS
  • Grayware
  • Insufficient Content
  • Malware
  • Newly Registered Domain
  • Not Resolved
  • Parked
  • Phishing
  • Private IP Addresses
  • Proxy Avoidance and Anonymizers
  • Unknown

The SD59 root certificate must be installed on any computer and/or browser that accesses the internet through the SD59 network for transparent operation; without it, the browser will not trust the certificates the core firewall generates for decrypted sites and will show certificate warnings. Most District-managed devices already have this certificate installed through management mechanisms. If you are using an unmanaged or unsupported device, the certificate will need to be installed manually.

It is expected that a small percentage of websites and applications will not work properly with this method, typically those that only accept the exact certificate they expect from the site (certificate pinning). Exceptions can be made on an as-needed basis. If you are having issues with a particular website, please reach out to the tech support team.
