Date Published: January 30, 2024
Comments Due:
Email Comments to:
Author(s)
Murugiah Souppaya (NIST), William Barker (Dakota Consulting), Karen Scarfone (Scarfone Cybersecurity), John Kent (MITRE), David Wells (Mira Security), Johann Tonsing (Mira Security), Sean Turner (sn3rd), Erik Freeland (Nubeva), Russ Housley (Vigil Security), Murali Palamisamy (AppViewX), Dung Lam (F5), Paul Barrett (NETSCOUT), Ray Jones (NETSCOUT), Patrick Kelsey (Not for Radio)
Announcement
The Addressing Visibility Challenges with TLS 1.3 project builds on the NCCoE's earlier work, TLS Server Certificate Management, which showed organizations how to centrally monitor and manage their TLS certificates. We are now focusing on protocol enhancements such as TLS 1.3 which have helped organizations boost performance and address security concerns. These same enhancements have also reduced enterprise visibility into internal traffic flows within the organizations' environment. This project aims to change that—and has two main objectives:
- Provide security and IT professionals with practical approaches and tools to help them gain more visibility into the information being exchanged on their organizations’ servers.
- Help users fully adopt TLS 1.3 in their private data centers and in hybrid cloud environments—while maintaining regulatory compliance, security, and operations.
This project will result in a publicly available NIST Cybersecurity Practice Guide in the Special Publication 1800 series, which contains practical steps and guidance to implement our cybersecurity reference designs.
Volumes A (2nd preliminary draft) and B (initial preliminary draft) are now available for review and comment. The public comment period is open through April 1, 2024.
The Transport Layer Security (TLS) protocol is widely deployed to secure network traffic. The latest version, TLS 1.3, has been strengthened so that even if a TLS-enabled server is compromised, the contents of its previous TLS communications are still protected—better known as forward secrecy. The approach used to achieve forward secrecy interferes with passive decryption techniques that are widely used by enterprises to achieve visibility into their own TLS 1.2 traffic. Many enterprises depend on that visibility to permit their authorized network security staff to implement controls needed to conform to cybersecurity, operational, and regulatory requirements. This forces enterprises to choose between using the old TLS 1.2 protocol or adopting TLS 1.3 with some alternative method for internal traffic visibility. The NCCoE has, in collaboration with technology providers and enterprise customers, initiated a project demonstrating options for maintaining visibility within the TLS 1.3 protocol within an enterprise to overcome these impediments. The project demonstrates several standards-compliant architectural options for use within enterprises to provide both real-time and post-facto systems monitoring and analytics capabilities. This publication describes the approach, architecture, and security characteristics for the demonstrated proofs of concept.
The Transport Layer Security (TLS) protocol is widely deployed to secure network traffic. The latest version, TLS 1.3, has been strengthened so that even if a TLS-enabled server is compromised, the contents of its previous TLS communications are still protected—better known as forward secrecy. The...
See full abstract
The Transport Layer Security (TLS) protocol is widely deployed to secure network traffic. The latest version, TLS 1.3, has been strengthened so that even if a TLS-enabled server is compromised, the contents of its previous TLS communications are still protected—better known as forward secrecy. The approach used to achieve forward secrecy interferes with passive decryption techniques that are widely used by enterprises to achieve visibility into their own TLS 1.2 traffic. Many enterprises depend on that visibility to permit their authorized network security staff to implement controls needed to conform to cybersecurity, operational, and regulatory requirements. This forces enterprises to choose between using the old TLS 1.2 protocol or adopting TLS 1.3 with some alternative method for internal traffic visibility. The NCCoE has, in collaboration with technology providers and enterprise customers, initiated a project demonstrating options for maintaining visibility within the TLS 1.3 protocol within an enterprise to overcome these impediments. The project demonstrates several standards-compliant architectural options for use within enterprises to provide both real-time and post-facto systems monitoring and analytics capabilities. This publication describes the approach, architecture, and security characteristics for the demonstrated proofs of concept.
Hide full abstract
Keywords
bounded lifetime; break and inspect; ephemeral; key management; middlebox; passive inspection; Transport Layer Security (TLS); visibility; protocol
Control Families
Access Control; System and Communications Protection; System and Information Integrity
