Nubeva TLS Decrypt

Welcome to Nubeva’s TLS, a complete cloud traffic visibility solution for AWS, Azure and GCP.

Traffic visibility is a crucial component in securing the business and keeping systems operational. However, network monitoring has been blinded in the cloud. Not only is the infrastructure used for monitoring unaccessible in the cloud, more than 70% of cloud traffic is encrypted. Traditional encryption services cannot adapt and cannot support the ephemeral nature of cloud workloads, and the newer encryption standards which enforce perfect forward secrecy and preclude ‘man in the middle’ encryption techniques. Therefore, IT teams are no longer able to acquire, process and distribute decrypted packet-level cloud traffic to their selected tools. Consequently, the move to the cloud creates significant blind-spots and loss of ROI on vital tools that are powerless without access to packet-level cloud data.

Nubeva TLS Decrypt is a Software as a Service (SaaS) offering that provides complete packet visibility into any public cloud including breakthrough TLS decryption capabilities that have been designed specifically for the cloud. Nubeva TLS Decrypt extracts TLS/SSL session keys, mirrors encrypted packets within a cloud instance and forwards them to decryption agents running on security and analysis tool instances. Nubeva TLS Decrypt has a SaaS architecture comprised of central control: TLS Cloud Console and Key Agents. The control plane is split between the TLS Cloud Console which controls Key Agents and Decryptor Agents (or Decryptors). The architecture is secure, elastic, and achieves decrypted traffic visibility without sending decrypted packets accross the network.


Figure 1: TLS Decrypt services architecture

Figure 1 depicts a sample deployment in an AWS could. Dotted lines represent control messages, dashed line represent session keys, and solid lines represent mirrored traffic. Decryptor Agents retrieve session keys from the secure storage, based on the session identifiers in the packet flows they receive, and produce both encrypted and decrypted traffic flows on an interface which a security tool running on the same cloud instance can access.


Decryptor Agents handle the synchronization of keys with packet flows, assuring that all the traffic received is matched with keys, and is fully decrypted.

When any instance containing a Key Agent or a Decryptor Agent launches, the agent will automatically connect to the TLS Cloud Console and register itself, obtain configuration updates and automatically install software updates when upgrades are available. Prism Cloud Agents use HTTPS to make REST API calls to the Cloud Console. Control traffic always originates at the agent. Data plane traffic (mirrored filtered traffic) is routed based on the users’ network configurations. Mirrored packets are never sent to the Cloud Console. The control plane does not directly modify, nor does it require the user to modify networks or security setting, save for allowing outbound HTTPS (TCP port 443) from subnets containing Cloud Agents.

The following URLs and IP addresses should be accessible for the agents to connect: