Encrypted Traffic Inspection (also known as SSL/TLS inspection) is a feature available on your school firewall, which enables it to decrypt HTTPS traffic (encrypted internet traffic) and then apply firewall permissions or policies to either block or allow that decrypted traffic through. It is beneficial because decryption allows much better visibility and detection of harmful or malicious links that could otherwise get through undetected.
As over 80% of internet sites use HTTPS these days, implementing Encrypted Traffic Inspection helps provide a good level of protection for your network and users.
Set up
Setting up Encrypted Traffic Inspection involves a couple of tasks.
- Identifying the user groups and devices you want Encrypted Traffic Inspection applied to, and configuring them in the firewall. For some schools this will be all users and devices; for others it may be school-owned devices such as staff laptops and school-owned Chromebooks, but not student-owned BYOD devices.
- Installing the TLS certificate on each user device. This is a critical technical requirement: it is what allows Encrypted Traffic Inspection to function properly and the user to browse successfully. Completing this step is much quicker and simpler if your school has an MDM (Mobile Device Management) system in place; however, it is still possible to download and install the certificate on each device manually. Without the TLS certificate on their device, the user will be blocked from accessing any HTTPS website.
- Refining the firewall rules to ensure the right traffic is being blocked and allowed. This takes a bit of time and requires analysis of the firewall logs to see what is being blocked or allowed by your firewall rules and filtering settings. Because a higher volume of network traffic is being scrutinised under Encrypted Traffic Inspection, it is likely some tweaks will be needed to ensure only the undesirable traffic is blocked. N4L can work with your ICT provider through this refinement process.
Important things you should know
Encrypted Traffic Inspection involves additional setup, but also ongoing management by your school IT Lead or ICT provider. Here are a few things you should be aware of.
- Any new staff or students joining your school will need their TLS certificate set up. As mentioned, this can be automated if you have MDM in place; otherwise someone needs to manually install the TLS certificate on the new device before it can browse the internet successfully.
- N4L TLS certificates have been given extended expiry dates. However, N4L reserves the right to update the TLS certificates should a technical or security reason require it. In the event N4L needs to update the TLS certificates, we will provide ample advance warning and as much support as needed to complete this in a timely and streamlined manner.
Exempted traffic - privacy
In line with industry practice, certain categories of website are excluded from decryption and inspection, due to privacy. This includes the following website categories:
Exempted traffic - custom domains
Some websites and applications do not support decryption and will not work properly if Encrypted Traffic Inspection is active. These websites and/or web applications need to be whitelisted on the firewall to ensure they are exempted from Encrypted Traffic Inspection. Where it is diagnosed that a legitimate application or site is being impacted by Encrypted Traffic Inspection, N4L will work with your IT Lead to ensure it is excluded.
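When refining firewall rules and confirming exemptions, it helps to check from a device whether a given HTTPS session was actually decrypted: an inspected session presents a certificate issued by the firewall's inspection CA, while an exempted site presents one from a public CA, and a device missing the CA fails verification altogether. The following is an added example (not N4L's or the firewall vendor's code) using only the Python standard library; the CA common name and the sample certificates are constructed placeholders.

```python
import ssl
import socket

# Placeholder: replace with the CN of the inspection CA your school installed.
INSPECTION_CA_CN = "Example School Inspection CA"


def _cn(name):
    """Return the commonName from a getpeercert()-style name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def inspection_ca_trusted(ca_cn=INSPECTION_CA_CN, ca_certs=None):
    """True if a CA with this CN is in the trust store Python sees.
    ca_certs (getpeercert()-style dicts) may be supplied for testing;
    note get_ca_certs() only lists capath CAs once they have been used."""
    if ca_certs is None:
        ca_certs = ssl.create_default_context().get_ca_certs()
    return any(_cn(c.get("subject", ())) == ca_cn for c in ca_certs)


def classify_peer_cert(cert, ca_cn=INSPECTION_CA_CN):
    """'inspected' if the leaf was issued by the inspection CA (the firewall
    decrypted the session), otherwise 'bypassed' (exempt site or out of scope)."""
    return "inspected" if _cn(cert.get("issuer", ())) == ca_cn else "bypassed"


def probe(host, port=443, timeout=5):
    """Connect to host and report inspected / bypassed / untrusted.
    'untrusted' is the failure a device without the CA certificate sees."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify_peer_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return "untrusted"


# Constructed samples in getpeercert() format, not real captures.
SAMPLE_INSPECTED = {"subject": ((("commonName", "www.example.org"),),),
                    "issuer": ((("commonName", INSPECTION_CA_CN),),)}
SAMPLE_BYPASSED = {"subject": ((("commonName", "bank.example"),),),
                   "issuer": ((("commonName", "Public Root CA X1"),),)}

if __name__ == "__main__":
    print(classify_peer_cert(SAMPLE_INSPECTED), classify_peer_cert(SAMPLE_BYPASSED))
```

Running `probe("www.example.org")` on an in-scope device should return "inspected"; the same call against a site on the custom exemption list should return "bypassed".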