Encrypted Traffic Orchestration


Detect. Decrypt. Deter.

Encrypted traffic has become ubiquitous in networks today, delivering privacy and protecting users’ data. However, encrypting data also creates a new set of security issues for enterprises, as existing security mechanisms are “blind” to any threats carried by encrypted connections. The Mira ETO software enables an enterprise to remove this “blind spot” by providing visibility into the unencrypted connection for the full range of security and analytic tools being used.

Encryption Orchestration without Compromise

Mira Encrypted Traffic Orchestration (ETO) software provides safe and secure visibility into encrypted traffic, allowing the tools used by enterprise security teams to function effectively, even when all the important traffic is encrypted. Enabling the enterprise security stack to detect and mitigate threats while providing features to enable privacy and ensure compliance requirements can be met is central to Mira ETO software.

- Automatically detect all SSL/TLS and SSH traffic in the network, no matter what ports are being used
- Capable of decrypting SSL v3, TLS 1.0, 1.1, 1.2 and 1.3, as well as SSHv2
- Transparent to the higher-level protocols being carried on top of the encrypted layer, providing decrypted flows to security tools for any existing or future protocols
- Seamless integration with existing security tools protects existing security investments
- Policy control over which encrypted traffic is made visible allows compliance with industry requirements and enterprise policies on data privacy
- Policy control over which encryption mechanisms are allowed in the enterprise network to prevent weak or obsolete methods from being used
- Comprehensive logging enables the enterprise to analyse encrypted traffic within the network and derive actionable changes to operational policy
- Scaling from sub 1G for branch offices and micro edge locations to nearly 100G allows for growth and supports the collapsing of data centers

[Figure: Configure whether to allow or deny traffic based on the SSL/TLS version or certificate status.]

MiraSecurity.com
info@mirasecurity.com

Mira ETO automatically detects SSL, TLS and SSH traffic and can decrypt this traffic in order to send the unencrypted data to one or more security tools. Port numbers are not used during detection of encrypted traffic, so all traffic will be discovered irrespective of the port number being used. Decrypted data is sent to security tools with the same packet header details as the original encrypted flow. Optionally, the decrypted flow can be marked, allowing the tool to determine that the flow was originally encrypted.

Flexible policy control features of Mira ETO allow enterprises to enforce policy on what encryption mechanisms are allowed in order to ensure a secure environment. For example, policy can be used to prevent any traffic from using obsolete encryption versions such as SSLv3, TLS 1.0 and TLS 1.1. For encrypted traffic that is allowed, there are fine-grained policies that allow control over which encrypted flows are decrypted and made visible to security tools. Policy controls can optionally make use of the Mira category database and/or a locally created category database to determine which types of traffic are decrypted. Enterprises need to balance the security risks of not decrypting traffic with the privacy implications of doing so, and Mira ETO provides the flexible policy controls to ensure that balance is achieved.

Increasing network traffic is causing a shift from 10 Gbps links to 40 Gbps and 100 Gbps links in enterprise networks, with essentially all traffic being encrypted. This means that scalable solutions to provide visibility into traffic are required. Mira ETO software is designed for high-performance decryption and can work with link speeds of 1, 10, 25, 40 and soon 100 Gbps, providing decryption for anywhere from 1 Gbps of encrypted traffic up to 100 Gbps. In addition to industry-leading decryption capacity, Mira ETO software supports high rates of new TLS handshakes per second, ensuring that there is no performance impact when deployed in an enterprise network. The software is architected to allow the use of external hardware PKI engines if these are available, allowing both decryption performance and new handshake performance to be scaled even higher, if required.

[Figure: Configure whether and how to decrypt traffic using match/action rules.]

Mira ETO software decrypts traffic and feeds it to one or more security tools that actually detect and mitigate any threats that may be present. No special interfaces or software changes are required to the security tools; they simply receive traffic from Mira ETO as if it was traffic directly from the network. This means the existing security stacks can regain their effectiveness, diminished by the increase in encrypted traffic, simply by deploying Mira ETO to feed them.

Multiple decryption mechanisms are supported by Mira ETO software and the system allows for the appropriate mechanism to be used on a per-flow basis. The three primary mechanisms are:

- Known server key mode. This can be used for TLS and SSH traffic and requires that the server private key is available to the Mira ETO software. This is used by enterprises to inspect encrypted traffic to servers under their control.
- Certificate re-sign mode. This can be used for TLS traffic and relies on the Mira ETO software acting as a Certificate Authority that enterprise clients trust.
- Self-signed mode. This can be used for TLS traffic to servers that have a self-signed certificate.

Depending on the decryption mechanisms being used, the Mira ETO software needs to be located either inline as a “bump in the wire” or attached to a network tap, so that it receives copies of packets. Deployments where Mira ETO is attached to a network tap can only be used to provide visibility into traffic when known server key mode is being used and when the TLS handshake is using RSA key exchange. TLS 1.3 does not support the use of RSA key exchange, so this mode cannot be used for TLS 1.3 traffic. This passive-passive deployment is used by a limited number of enterprises.
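The following Python example is added to this transcription and is not Mira's software. It illustrates two points from the text above: recognising a TLS handshake from the payload bytes alone, with no reliance on the port number, and, once the ServerHello is parsed, applying the obsolete-version policy and checking whether the negotiated key exchange is RSA, which the text says is the only case a passive tap deployment in known server key mode can decrypt (so never TLS 1.3, which dropped RSA key exchange). The cipher-suite subset, the denied-version set and the build_server_hello() helper that constructs sample handshakes are assumptions for illustration, not Mira's configuration or format.

```python
import struct

# Added example, not Mira ETO code. Decides, from a ServerHello alone, whether a
# flow is blocked by version policy and whether a passive (tap) known-server-key
# deployment could decrypt it; the port number plays no part in the detection.

TLS_VERSIONS = {
    0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
# Small subset of IANA cipher suites, grouped by key-exchange method (assumption).
RSA_KX_SUITES = {0x002F, 0x0035, 0x009C, 0x009D}          # TLS_RSA_WITH_*
FORWARD_SECRET_SUITES = {0xC02F, 0xC030, 0xC02B, 0xC02C}  # TLS_ECDHE_*
TLS13_SUITES = {0x1301, 0x1302, 0x1303}                   # TLS 1.3 AEAD suites
# Versions an enterprise policy might deny outright (the datasheet's own example).
DENIED_VERSIONS = {0x0300, 0x0301, 0x0302}


def parse_server_hello(payload):
    """Return {"version", "cipher_suite"} if payload starts with a TLS ServerHello, else None."""
    if len(payload) < 5 or payload[0] != 0x16:            # 0x16 = Handshake record type
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    body = payload[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:                  # 0x02 = ServerHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 2 + 32 + 1 + 2 + 1:
        return None
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                                          # skip server random
    pos += 1 + hs[pos]                                    # skip session_id
    cipher_suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 1                                          # suite + compression method
    # TLS 1.3 keeps legacy_version 0x0303 and signals 1.3 in supported_versions (0x002B).
    if pos + 2 <= len(hs):
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(hs)):
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x002B and elen == 2:
                version = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += elen
    return {"version": version, "cipher_suite": cipher_suite}


def decide(info):
    """Apply the version policy and report which deployment could make the flow visible."""
    v, suite = info["version"], info["cipher_suite"]
    name = TLS_VERSIONS.get(v, "unknown 0x%04x" % v)
    if v in DENIED_VERSIONS:
        return {"version": name, "action": "deny", "passive_known_key_ok": False}
    # Passive tap decryption needs RSA key exchange, which only exists up to TLS 1.2.
    passive_ok = v <= 0x0303 and suite in RSA_KX_SUITES
    return {"version": name, "action": "decrypt", "passive_known_key_ok": passive_ok,
            "deployment": "tap or inline" if passive_ok else "inline only"}


def build_server_hello(version, cipher_suite, tls13=False):
    """Build a minimal, constructed ServerHello for testing (not captured traffic)."""
    ext = b""
    if tls13:
        ext = struct.pack("!HHH", 0x002B, 2, 0x0304)     # supported_versions = TLS 1.3
        version = 0x0303                                  # legacy_version field
    hs_body = (struct.pack("!H", version) + bytes(32) + b"\x00"
               + struct.pack("!H", cipher_suite) + b"\x00"
               + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def classify_flow(payload):
    """None for non-TLS payloads, otherwise the policy/deployment decision."""
    info = parse_server_hello(payload)
    return None if info is None else decide(info)


if __name__ == "__main__":
    samples = {                                            # constructed inputs
        "TLS 1.2, RSA key exchange (any port)": build_server_hello(0x0303, 0x002F),
        "TLS 1.2, ECDHE": build_server_hello(0x0303, 0xC02F),
        "TLS 1.3": build_server_hello(0x0303, 0x1301, tls13=True),
        "TLS 1.0": build_server_hello(0x0301, 0x002F),
        "plain HTTP": b"GET / HTTP/1.1\r\n",
    }
    for label, data in samples.items():
        print(label, "->", classify_flow(data))
```

Only the TLS 1.2 flow negotiated with a TLS_RSA_* suite comes back as decryptable from a tap; ECDHE suites and TLS 1.3 are reported as needing an inline deployment, and SSLv3/TLS 1.0/1.1 are denied before any decryption decision is made.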

[Figure: Typical Deployments. Inline-Inline Deployment: Mira ETO placed in line with the firewall, feeding certificate, IPS/malware and APM/NPM tools. Passive-Passive Deployment: Mira ETO attached to a network tap in front of the enterprise server.]

The majority of deployments rely on in-line deployment modes that allow for all decryption mechanisms to be used and TLS 1.3 traffic to be handled.

Mira ETO software is managed by a web user interface and implements role-based access controls (RBAC), allowing enterprises to ensure that network and security team staff have appropriate access. A REST API is supported, allowing programmatic access to all of the features that are accessible via the web UI. Details of encrypted sessions are captured in a session log capable of holding 300M entries. Session log details can be sent to remote syslog servers, allowing analysis and monitoring using existing enterprise tools, such as Splunk. Mira ETO can be used to prevent the use of QUIC, thus forcing the use of TLS.

The Mira ETO software operates transparently at Layer 2, so there is no requirement to assign IP addresses to interfaces and no need to re-engineer the enterprise network addressing. Decrypted traffic sent to attached security tools retains the original packet header information, allowing these to be used as part of the threat detection and mitigation mechanisms used by the tool. Encrypted traffic within tunnels, such as GRE or VXLAN, can be detected and decrypted.

Software Subscription License

Mira ETO software is licensed as a subscription model. Subscriptions can be for 12 months or 36 months and can be upgraded during the subscription period. The license purchased determines the amount of encrypted traffic that can be decrypted to provide visibility for security tools.

ETO Software Subscription Options

| ETO License SKU | Licensed Decrypt GB/s |
|-----------------|-----------------------|
| ETO-DL-0.5      | 0.5                   |
| ETO-DL-2.5      | 2.5                   |
| ETO-DL-5        | 5                     |
| ETO-DL-10       | 10                    |
| ETO-DL-15       | 15                    |
| ETO-DL-20       | 20                    |
| ETO-DL-30       | 30                    |
| ETO-DL-40       | 40                    |
| ETO-DL-50       | 50                    |

Max Full TLS Sessions/s (RSA): 35,000 / 38,000 / 50,000 (remaining values in this row are not legible in the source)

License Compatibility

A license can be used on either a virtual appliance or on one of the hardware appliances available from Mira Security. The following matrix shows which licenses can be used on specific appliance models:

Appliance Model Capabilities

| Appliance Model SKU | Interfaces / Speeds   | Max Segments | Max SSL Flows/Segment | Max SSL Flows | Max Session Log Entries | Licensed Capacity Options |
|---------------------|-----------------------|--------------|-----------------------|---------------|-------------------------|---------------------------|
| Virtual Appliance   | 6 / 1, 10 Gbps        | 1            | 250K                  | 250K          | 10M                     | 0.5                       |
| HN-3-0610           | 6 / 1, 10 Gbps        | 1            | 4M                    | 4M            | 300M                    | 2.5, 5, 10, 15            |
| HN-5-1025           | 10 / 1, 10, 25 Gbps   | 2            | 5M                    | 10M           | 300M                    | 5, 10, 15, 20, 30         |
| HN-7-1225*          | 12 / 1, 10, 25 Gbps*  | 3*           | TBD*                  | TBD*          | TBD*                    | TBD*                      |
| HN-7-0640           | 6 / 40 Gbps           | 1            | 20M                   | 20M           | 300M                    | 15, 20, 30, 40, 50        |

* Planned for future release

Virtual Appliance Details
- Support for KVM and ESXi
- Licensed capacity defines requirements for the virtual appliance in terms of memory and CPU cores

Physical Appliance Details

| Model Family                    | 3xxx                                                           | 5xxx                                                       | 7xxx                                                        |
|---------------------------------|----------------------------------------------------------------|------------------------------------------------------------|-------------------------------------------------------------|
| Dimensions                      | 1U rack mount (WxHxD) 17.25 x 1.72 x 25.58 in. (438.4 x 43.6 x 649.9 mm) | 1U rack mount (WxHxD) 17.2 x 1.7 x 29 in. (437 x 43 x 737 mm) | 2U rack mount (WxHxD) 17.2 x 3.5 x 28.5 in. (437 x 89 x 723 mm) |
| Power Supplies                  | 2 x 500W redundant, 100V to 240V auto sense, 50 to 60 Hz       | 2 x 1000W redundant, 100V to 240V auto sense, 50 to 60 Hz  | 2 x 1600W redundant, 100V to 240V auto sense, 50 to 60 Hz   |
| Operating Temp.                 | 5º to 35º C (41º to 95º F)                                     | 10º to 35º C (50º to 95º F)                                | 10º to 35º C (50º to 95º F)                                 |
| Non-operating Temp.             | -40º to 60º C (-40º to 140º F)                                 | -40º to 70º C (-40º to 158º F)                             | -40º to 60º C (-40º to 140º F)                              |
| Operating Relative Humidity     | 8% to 90% (non-condensing)                                     | 8% to 90% (non-condensing)                                 | 8% to 90% (non-condensing)                                  |
| Non-operating Relative Humidity | 5% to 95% (non-condensing)                                     | 5% to 95% (non-condensing)                                 | 5% to 95% (non-condensing)                                  |

Regulatory Compliance
- Electromagnetic Emissions (3xxx and 5xxx): FCC Class A, EN 55032 Class A, EN 61000-3-2/3-3, CISPR 32 Class A
- Electromagnetic Emissions (7xxx): FCC Class A, EN 55032 Class A, EN 61000-3-2/3-3, CISPR 22 Class A
- Electromagnetic Immunity (all families): EN 55024/CISPR 24 (EN 61000-4-2, EN 61000-4-3, EN 61000-4-4, EN 61000-4-5, EN 61000-4-6, EN 61000-4-8, EN 61000-4-11)
- Safety (all families): CSA/EN/IEC/UL 60950-1 Compliant, UL or CSA Listed (USA and Canada), CE Marking (Europe)
- Other: VCCI-CISPR 32 and AS/NZS CISPR 32
- Environmental: Directive 2011/65/EU and Directive 2012/19/EU; Directive 2011/65/EU and Delegated Directive (EU) 2015/863 and Directive 2012/19/EU

MiraSecurity.com

Mira Security
3159 Unionville Road, Suite 100
Cranberry Township, PA 16066
Phone: 1 (412) 533-7830
Email: rity.com

© 2021 Mira Security. All rights reserved. Mira Security, the Mira Security logo and “Detect. Decrypt. Deter.” are trademarks or registered trademarks of Mira Security, Inc. All other trademarks mentioned are registered trademarks or trademarks of their respective owners in the United States and other countries.
MIRA-SW-5/21

