July 14, 2017
Catalyst 9000s Increase Security with Encrypted Traffic Analytics
A new feature in Cisco’s switches may be a game changer for securing network traffic.
With Cisco’s recent launch of the Catalyst 9000 series of switches, there are many new and interesting features that come along with it. The Catalyst 9000 switches were designed by Pininfarina from the ground up with usability, airflow, noise, ease of maintenance and energy efficiency in mind.
They are also announcing “intent-based” networking, which would help automate network configuration by continuously monitoring and changing the network so that policy adapts and moves with the user. Along with these new switches, Cisco announced a few other technologies to support them, including DNA Center, Software Defined Access, Network Analytics Platform and Encrypted Traffic Analytics.
Digging Out Malware from Encrypted Traffic
Of the long list of new features and improvements, that last one caught my attention and had me guessing. With Encrypted Traffic Analytics (ETA), Cisco claims the analytics engine that is included with the 9000 series will allow companies to identify malware in encrypted traffic flows without having to do transport layer security (TLS) decryption. This is both interesting and important, because currently it is estimated that encrypted traffic grows about 90 percent year over year, with over 40 percent of websites encrypting traffic in 2016 versus just 21 percent in 2015. It is estimated by Gigamon that by 2019, 80 percent of all web traffic will be encrypted.
Currently, the only way to get visibility into encrypted traffic flows is to decrypt them to see what is inside. As you probably already know, TLS decryption is not easy and, unfortunately, is very resource intensive and difficult to scale.
How It Works
Encrypted Traffic Analytics is not a stand-alone solution on the network gear, but is an enhancement to NetFlow and works together with Cisco’s Stealthwatch and Cognitive Analytics solutions to provide enhanced visibility and protection. Encrypted Traffic Analytics extracts and adds four main data elements:
- The sequence of packet lengths and times
- The byte distribution
- TLS-specific features
- The initial data packet
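To make those four elements concrete, the following is an added illustration written for this post, not Cisco's ETA code or its NetFlow export format. It takes a constructed TLS flow (a hand-built ClientHello followed by seeded pseudo-random bytes standing in for ciphertext), derives the sequence of packet lengths and times and the byte distribution from packet metadata and payload bytes alone, and parses the unencrypted ClientHello in the initial data packet for TLS-specific features (versions, cipher suites, extensions, SNI) using the standard TLS record layout. No decryption is involved at any step, which is the point the section makes.

```python
import math
import random

# Constructed sample data for this example: a hand-built TLS 1.2-style ClientHello
# and seeded pseudo-random bytes standing in for encrypted application data.
def build_client_hello(cipher_suites, sni):
    """Assemble a minimal, well-formed ClientHello record (constructed sample)."""
    suites = b"".join(cs.to_bytes(2, "big") for cs in cipher_suites)
    host = sni.encode("ascii")
    server_name = b"\x00" + len(host).to_bytes(2, "big") + host          # name_type 0 = host_name
    sni_list = len(server_name).to_bytes(2, "big") + server_name
    extensions = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # ext type 0 = server_name
    body = (b"\x03\x03" + bytes(range(32))                            # client_version, random
            + b"\x00"                                                 # empty session_id
            + len(suites).to_bytes(2, "big") + suites
            + b"\x01\x00"                                             # one compression method: null
            + len(extensions).to_bytes(2, "big") + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # record type 22

CLIENT_HELLO = build_client_hello([0x1301, 0x1302, 0xC02F], "example.com")
RND = random.Random(7).randbytes(3600)  # stand-in for ciphertext; fixed seed so runs repeat

# Constructed flow: (seconds since flow start, direction +1 client->server / -1 server->client, payload)
FLOW = [
    (0.000, +1, CLIENT_HELLO),
    (0.038, -1, RND[:1400]),
    (0.040, -1, RND[1400:2000]),
    (0.041, +1, RND[2000:2100]),
    (0.095, +1, RND[2100:2400]),
    (0.140, -1, RND[2400:3600]),
]

def splt(flow):
    """Sequence of packet lengths and times: (direction-signed length, ms since previous packet)."""
    out, prev = [], flow[0][0]
    for t, direction, payload in flow:
        out.append((direction * len(payload), round((t - prev) * 1000)))
        prev = t
    return out

def byte_distribution(flow):
    """Normalised 256-bin histogram over every payload byte in the flow."""
    counts = [0] * 256
    for _, _, payload in flow:
        for b in payload:
            counts[b] += 1
    total = sum(counts)
    return [c / total for c in counts] if total else counts

def entropy(dist):
    """Shannon entropy in bits: close to 8 for ciphertext, lower for structured plaintext."""
    return -sum(p * math.log2(p) for p in dist if p > 0)

def tls_features(first_packet):
    """Parse the cleartext ClientHello in the initial data packet; return {} if it is not one."""
    if len(first_packet) < 44 or first_packet[0] != 0x16 or first_packet[5] != 0x01:
        return {}
    p = 43                                         # past record hdr(5) + hs hdr(4) + version(2) + random(32)
    p += 1 + first_packet[p]                       # skip session_id
    cs_len = int.from_bytes(first_packet[p:p + 2], "big"); p += 2
    suites = [int.from_bytes(first_packet[i:i + 2], "big") for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + first_packet[p]                       # skip compression methods
    ext_end = p + 2 + int.from_bytes(first_packet[p:p + 2], "big"); p += 2
    ext_types, sni = [], None
    while p + 4 <= ext_end:
        etype = int.from_bytes(first_packet[p:p + 2], "big")
        elen = int.from_bytes(first_packet[p + 2:p + 4], "big")
        data = first_packet[p + 4:p + 4 + elen]
        ext_types.append(etype)
        if etype == 0 and len(data) >= 5:          # server_name: list_len(2) type(1) name_len(2) name
            name_len = int.from_bytes(data[3:5], "big")
            sni = data[5:5 + name_len].decode("ascii", "replace")
        p += 4 + elen
    return {
        "record_version": f"{first_packet[1]}.{first_packet[2]}",
        "client_version": f"{first_packet[9]}.{first_packet[10]}",
        "cipher_suites": suites,
        "extensions": ext_types,
        "sni": sni,
    }

if __name__ == "__main__":
    print("SPLT:", splt(FLOW))
    print("entropy, whole flow: %.2f bits" % entropy(byte_distribution(FLOW)))
    print("entropy, ClientHello only: %.2f bits" % entropy(byte_distribution(FLOW[:1])))
    print("TLS features:", tls_features(FLOW[0][2]))
```

Each of the four outputs is a feature vector a classifier could consume per flow; the contrast between the ClientHello's entropy and that of the ciphertext packets shows why the byte distribution carries signal even when the bytes themselves are unreadable. The parser returns an empty dictionary for a first packet that is not a ClientHello, which is the case a real pipeline has to handle for every non-TLS flow it sees.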
Cisco claims that in experiments based on real-world data, it was able to achieve over 99 percent accuracy with 0.01 percent false positives (only one false positive for every 10,000 TLS connections). Not surprisingly, this does not appear to be a “set it and forget it” solution but will require some tuning on what types of encrypted traffic you are expecting to see within your network. I am hoping it will be a valuable tool that can be used to protect and provide a better picture of what is happening with each and every flow without impacting network performance or usability.
Using ETA Today
Encrypted Traffic Analytics capability is stated to work with the following equipment and versions:
- Compatible Cisco equipment supporting enhanced NetFlow with Encrypted Traffic Analytics:
  - Switches: Cisco Catalyst 9300 Series (starting with the Cisco IOS XE 16.6 release) and the 9400 Series and 9500 Series (starting with the Cisco IOS XE 16.8.1 release)
  - Routers: ASR 1001-X, ASR 1002-X, ASR 1001-HX, ASR 1002-HX, ASR 1004, ASR 1006-X, ASR 1009-X, 4221 ISR, 4321 ISR, 4331 ISR, 4351 ISR, 4431 ISR, 4451-X ISR, Integrated Services Virtual Router (ISRv) including the 5400 Enterprise Network Compute System, Cloud Services Router (CSR) 1000V (starting with the Cisco IOS XE 16.7 release)
- Stealthwatch gains additional machine learning and statistical modeling capabilities (in release 6.9.2) to analyze enhanced NetFlow with Encrypted Traffic Analytics.
- Stealthwatch Learning Network License (v2.0) on routers gains the ability to build behavioral profiles of the encrypted traffic, enabling it to flag anomalies detected in encrypted traffic.
I am excited to get some first-hand experience with these and start testing ETA along with all the other new security and automation features announced.
Learn more about how CDW’s partnership with Cisco can help make your network more agile and secure.