Network


1.0 Introduction

This article provides an overview of the Fortanix Key Insight on-premises network scanning infrastructure, which ingests and analyzes network logs produced by network security monitoring frameworks (for example, Zeek) on Linux systems. It enables passive monitoring of mirrored network traffic to detect cryptographic metadata such as TLS versions, cipher suites, certificates, and key exchange parameters.

This capability extends Fortanix Key Insight visibility beyond file systems to include cryptographic activity observed in network telemetry.

It also describes:

  • Network log scanning architecture

  • Scanning network logs using the File System and Network Scanner Agent on Linux systems

  • Supported cryptographic formats

  • Network log scanning benefits

2.0 Terminology References

For on-premises connection concepts and supported features, refer to On-premises Connection Concepts.

3.0 Architecture

The following diagram illustrates how network logs are scanned using network security monitoring framework sensors (for example, Zeek) integrated with the File System and Network Scanner Agent:

NOTE

Network scanning is implemented as an extension of the File System and Network Scanner Agent. The agent does not directly inspect network traffic. Instead, it processes logs generated by a network security monitoring framework, which passively monitors traffic mirrored to it through a SPAN port or a network TAP.

Figure 1: Network log scanning architecture

3.1 Components

The architecture consists of two main components:

  • File System and Network Scanner Agent: Installed on Linux servers to perform scanning. When network scanning is enabled, the agent processes logs from configured file system paths to identify cryptographic activity observed in network traffic.

  • Fortanix On-premises Scanner: Installed once per organization. It receives metadata from multiple File System and Network Scanner Agents over HTTPS and forwards the aggregated information to Fortanix Key Insight.

3.2 Workflow

This section outlines the network log scanning workflow:

  • Multiple File System and Network Scanner Agents are deployed across Linux servers. Each agent scans its local network logs to detect network-derived cryptographic telemetry (for example, TLS sessions, certificates, and cipher suites).

    For more information, refer to Section 3.2.1: Scan Network Telemetry.

    NOTE

    No cryptographic material leaves the server. The File System and Network Scanner Agent transmits only metadata, such as file paths, cryptographic asset types, algorithms, and key sizes.

  • The Fortanix On-premises Scanner aggregates this information and establishes an outbound connection to the Fortanix Key Insight SaaS for analysis, reporting, and visualization.

    For more information, refer to Section 3.2.2: Transfer Metadata to Fortanix On-premises Scanner.

3.2.1 Scan Network Telemetry

The File System and Network Scanner Agent is the primary component responsible for scanning and extracting metadata from network logs. When network scanning is enabled, the agent also processes the log files generated by the network security monitoring framework to extract cryptographic metadata observed in network traffic, providing visibility across both local and network-derived sources.

It is available for the following platforms:

  • Linux: Provided as .deb and .rpm packages.

  • Windows: Provided as an .exe executable.

NOTE

Network log scanning is supported only on Linux platforms.

For detailed information on network logs scanning, configuration, and execution using the File System and Network Scanner Agent, refer to the following:

3.2.2 Transfer Metadata to Fortanix On-premises Scanner

The metadata extracted by the File System and Network Scanner Agent is securely transferred to the Fortanix On-premises Scanner, which serves as the integration point with Fortanix Key Insight.

The Fortanix On-premises Scanner is available for the following platforms:

  • Linux: Provided as .deb and .rpm packages.

  • Windows: Provided as an .exe executable.

For detailed information on file system scanning using the Fortanix On-premises Scanner, refer to the following:

4.0 Properties

The following are the key properties of the File System and Network Scanner Agent for network log scanning:

  • Extracts only metadata and does not access or transfer raw cryptographic material (for example, private keys).

  • Runs as a lightweight process without requiring long-running services or external dependencies (for example, OpenSSL).

  • Provides passive network log monitoring only (no inline traffic interception).

  • Extracts only cryptographic metadata from network logs derived from session handshakes.

5.0 Supported Cryptographic Formats

NOTE

  • Network scanning does not extract or access raw keys or files. It analyzes generated logs (JSON format only) to derive cryptographic metadata from observed network sessions.

  • Detection of cryptographic keys, certificates, and related materials is performed through content-based analysis and is independent of file extensions or file naming conventions, as explained in Section 5.1: File-Type Independent Scanning and Data Parsing.

The network log scanning capability supports detection of cryptographic metadata observed in network traffic, including the following:

  • Metadata for TLS Sessions Monitored by a Network Security Monitoring Framework (for example, Zeek)

    • Cipher suites observed in logs

    • TLS protocol versions

    • Elliptic curves used in the handshake

    • Key exchange algorithms

    • Encryption algorithms

    • Hash algorithms associated with cipher suites

  • X.509 Certificate Metadata for Network Traffic

    • Certificate metadata (includes fingerprint, Distinguished Name (DN), certificate validity)

    • Cryptographic algorithm used for certificates

  • DNS Traffic Metadata

    • Source and destination IP addresses and ports

    • Queried domains

    • Transport protocols used

  • HTTP Traffic Metadata

    • Source and destination IP addresses and ports

    • HTTP methods used

    • Requested domains

  • Cryptographic Details (Algorithms and Curves)

    • Key Exchange

      • ECDHE

      • RSA

    • Authentication

      • RSA

      • ECDSA

    • Encryption

      • AES-128-GCM

      • AES-256-GCM

      • ChaCha20-Poly1305

      • AES-128-CBC

      • AES-256-CBC

      • 3DES

    • Hash / MAC

      • SHA-256

      • SHA-384

      • SHA-1

    • TLS 1.3 Cipher Suites

      • AES-128-GCM-SHA256

      • AES-256-GCM-SHA384

      • ChaCha20-Poly1305-SHA256

    • TLS 1.2 and Earlier Components

      • ECDHE-RSA

      • ECDHE-ECDSA

      • RSA-AES-CBC

      • RSA-3DES
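The metadata listed above is what a scanner derives from a Zeek-style JSON ssl.log entry. The following is an added example, not the agent's own code, showing how a cipher-suite name and protocol version decompose into the key exchange, authentication, encryption and hash components of Section 5.0, and how a posture review would flag legacy sessions. The log lines are constructed, and the field names (version, cipher, curve, server_name, id.orig_h, id.resp_h, id.resp_p) are assumed to follow Zeek's ssl.log schema.

```python
import json
# Constructed sample of Zeek-style JSON ssl.log lines; field names assumed to
# follow Zeek's ssl.log schema (version, cipher, curve, server_name, id.*).
SAMPLE_SSL_LOG = """\
{"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","id.resp_p":443,"version":"TLSv13","cipher":"TLS_AES_256_GCM_SHA384","curve":"x25519","server_name":"app.example.internal"}
{"uid":"C2","id.orig_h":"10.0.0.6","id.resp_h":"10.0.0.10","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","curve":"secp256r1","server_name":"legacy.example.internal"}
{"uid":"C3","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.11","id.resp_p":443,"version":"TLSv10","cipher":"TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
{"uid":"C4","id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.12","id.resp_p":443,"version":"TLSv12"}
"""
HASH_NAMES = {"SHA": "SHA-1", "SHA256": "SHA-256", "SHA384": "SHA-384", "MD5": "MD5"}
ENC_NAMES = {"3DES_EDE_CBC": "3DES", "CHACHA20_POLY1305": "ChaCha20-Poly1305"}
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}

def decompose_cipher(name):
    """Split an IANA cipher-suite name into the components listed in Section 5.0."""
    body = name[4:] if name.startswith("TLS_") else name
    if "_WITH_" in body:   # TLS 1.2 and earlier: <kx>[_<auth>]_WITH_<enc>_<hash>
        kx_auth, enc_hash = body.split("_WITH_", 1)
        parts = kx_auth.split("_")
        kex, auth = parts[0], parts[-1]       # TLS_RSA_WITH_... uses RSA for both
    else:                  # TLS 1.3: (EC)DHE key share; auth comes from the certificate
        kex, auth, enc_hash = "ECDHE", "certificate", body
    enc_tokens, hash_token = enc_hash.rsplit("_", 1)
    return {"kex": kex, "auth": auth, "hash": HASH_NAMES.get(hash_token, hash_token),
            "enc": ENC_NAMES.get(enc_tokens, enc_tokens.replace("_", "-"))}

def parse_ssl_log(text):
    """Turn JSON-lines ssl.log entries into metadata records (no payload, no keys)."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        entry = json.loads(line)
        if "cipher" not in entry:  # handshake never completed: nothing to classify
            continue
        rec = {"uid": entry.get("uid"), "client": entry.get("id.orig_h"),
               "server": f'{entry.get("id.resp_h")}:{entry.get("id.resp_p")}',
               "sni": entry.get("server_name"), "version": entry.get("version"),
               "curve": entry.get("curve"), "cipher": entry["cipher"]}
        rec.update(decompose_cipher(entry["cipher"]))
        records.append(rec)
    return records

def weak_reasons(rec):
    """List why a session would be flagged in a posture review (empty if fine)."""
    checks = [(rec["version"] in WEAK_VERSIONS, "legacy protocol " + rec["version"]),
              (rec["kex"] == "RSA", "RSA key exchange (no forward secrecy)"),
              (rec["enc"] == "3DES" or rec["enc"].endswith("CBC"), "legacy cipher " + rec["enc"]),
              (rec["hash"] in ("SHA-1", "MD5"), "weak MAC " + rec["hash"])]
    return [label for hit, label in checks if hit]
```

Running `weak_reasons` over `parse_ssl_log(SAMPLE_SSL_LOG)` reports the TLS 1.0 / 3DES session with four findings, the CBC / SHA-1 session with two, and the TLS 1.3 session with none; the entry without a cipher is skipped because no handshake completed.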

5.1 File-Type Independent Scanning and Data Parsing

To maximize the accuracy of metadata detection, file extensions are not used to determine file type or scanning eligibility.

All files up to 4 GiB in size are scanned, regardless of their extension. The File System and Network Scanner Agent processes file contents directly at the binary level to extract metadata wherever possible.

If a file contains multiple PEM blocks, each block is evaluated individually for metadata in formats that support PEM encapsulation. File names are not considered: as long as a file is readable, its contents are processed and analyzed for compatible metadata.

6.0 Network Scanning Benefits

Network log scanning provides the following benefits:

  • Detects unknown or unmanaged cryptographic usage observed in network traffic.

  • Enhances compliance visibility.

  • Complements file system scanning to provide a comprehensive cryptographic posture.

  • Improves visibility of cryptographic assets to support compliance, auditing, and governance.
