topic Re: How can firewalls inspect the payload of a packet with HTTPs? in Network Security

How can firewalls inspect the payload of a packet with HTTPs?

Mitrixsen — Fri, 21 Feb 2025 11:51:24 GMT

Hello, everyone.

A lot of resources say that firewalls can read more than just the traditional L3/L4 headers. They mention that they can read the L7 data and the payload itself. My question is, how exactly is this accomplished if the protocol that's being used is HTTPs? This means that the payload and the L7 data are encrypted, so the firewall shouldn't be able to decrypt it, or is there a workaround to this?

Thank you.

David

Re: How can firewalls inspect the payload of a packet with HTTPs?

Mark Elsen — Fri, 21 Feb 2025 11:58:17 GMT

- FYI : https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-ssl-decryption.html

Re: How can firewalls inspect the payload of a packet with HTTPs?

Kasun Bandara — Fri, 21 Feb 2025 12:07:00 GMT

@Mitrixsen hi,

there is many methods used by different vendors.

cisco have ETA - https://community.cisco.com/t5/security-knowledge-base/cisco-eta-feature-encrypted-traffic-analysis-at-glance/ta-p/4783197

generally all firewalls which support SSL inspection, do decrypt and re-encrypt the packet to inspect content flowing through the firewalls.

Re: How can firewalls inspect the payload of a packet with HTTPs?

Rob Ingram — Fri, 21 Feb 2025 12:28:26 GMT

@Mitrixsen aside from the SSL decryption that has already been mentioned. The FTD software image (not ASA) supports EVE (Encrypted Visibility Engine), which works by fingerprinting the Client Hello packet in the TLS handshake and does not need to implement full main-in-the-middle (MITM) decryption. EVE uses the fingerprints to identify thousands of applicationts and even known malicious processes and can also be used to identify and stop malware.

https://secure.cisco.com/secure-firewall/v7.2/docs/encrypted-visibility-engine

Re: How can firewalls inspect the payload of a packet with HTTPs?

M02@rt37 — Fri, 21 Feb 2025 12:51:07 GMT

David,

Modern firewalls can inspect L7 data, even in encrypted HTTPS traffic, through methods like SSL/TLS interception (Man in the Middle), which allows them to decrypt and inspect encrypted payloads. This process involves the firewall acting as a "man in the midle" between the client and server. It installs a trusted root certificate on the client, enabling it to decrypt traffic from the client, inspect the content, and then re-encrypt the traffic before forwarding it to the server. This way, the firewall can analyze the application layer data, detect threats, and apply policies based on the content of the encrypted traffic.

Another technique is SNI inspection, which allows firewalls to inspect the hostname in the TLS handshake without fully decrypting the payload. This is useful for making decisions based on destination URLs or blocking specific sites, even in encrypted sessions. While SSL/TLS interception is the most comprehensive method, it requires careful management of certificates and can introduce privacy concerns since the firewall can decrypt all traffic unless protections like perfect forward secrecy are in place...