The Current State of Insecurity: Strategies for Inspecting SSL Traffic

Friday, April 17, 2015

Kasey Cross


Encrypted traffic accounts for a large and growing percentage of all network traffic. While the adoption of SSL and its successor, Transport Layer Security (TLS), should be cause for celebration – since encryption improves confidentiality and message integrity – it also puts organizations at risk. This is because hackers can leverage encryption to conceal their exploits from security devices that do not inspect SSL traffic. Attackers are wising up and taking advantage of this gap in corporate defenses.

Organizations that do not inspect SSL communications leave an open door for attackers to infiltrate defenses undetected and steal data. To prevent cyber-attacks and catch advanced threats, enterprises need to inspect all traffic, and encrypted traffic in particular.

SSL traffic is growing and it will continue to increase in the foreseeable future due to concerns about privacy and government snooping. Many leading websites today, including Google, Facebook, Twitter and LinkedIn, encrypt application traffic. But it’s not just the web giants that are encrypting communications; 48 percent more of the million most popular websites used SSL in 2014 than a year earlier, according to Netcraft's January 2014 Web Server Survey.

To mitigate these risks, organizations are increasingly deploying dedicated SSL inspection platforms. But if they acquire these platforms in haste, they might be blindsided later by escalating SSL bandwidth requirements, deployment demands or regulatory implications. Therefore, organizations must carefully evaluate the features and performance of SSL inspection platforms before selecting a solution.

If your organization is looking at SSL inspection platforms, you should consider the following five criteria before selecting a solution.

Performance

Performance is perhaps the most important evaluation criterion for SSL inspection platforms. Organizations that thoroughly evaluate performance benchmarks should be able to avoid surprises in their production environments. They must assess their current Internet bandwidth requirements and ensure that their SSL inspection platform can handle future SSL throughput requirements. Testing SSL decryption speeds without considering the impact of deep packet inspection (DPI), URL classification or other features will not provide a clear picture of real-world performance.

Compliance

While IT security teams have deployed a wide array of products to detect attacks, data leaks and malware – and rightfully so – they must walk a thin line between protecting employees and intellectual property, and violating employees’ privacy rights. Privacy and regulatory concerns have emerged as one of the top hurdles preventing organizations from inspecting SSL traffic. To address regulatory requirements such as HIPAA, Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX), an SSL inspection platform should be able to bypass sensitive traffic, such as traffic to banking and healthcare sites. By bypassing sensitive traffic, IT security teams can rest easy knowing that confidential banking or healthcare records will not be sent to security devices or stored in log management systems.
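The bypass behaviour described above, as an added illustration that is not part of the original article: a per-connection decrypt-or-bypass decision keyed on the TLS Server Name Indication (SNI), with a constructed category database and a constructed list of regulated categories. The hostnames, categories and policy are assumptions for the example; real platforms take these from their own URL classification feeds.

```python
# Added example (not from the article or any vendor): a minimal decrypt-or-bypass
# policy of the kind an SSL inspection platform applies per connection.
# Category database, hostnames and the sensitive-category list are constructed.
from enum import Enum
from typing import Optional


class Action(Enum):
    INSPECT = "inspect"  # decrypt and hand plaintext to the security devices
    BYPASS = "bypass"    # forward still encrypted; nothing decrypted or logged


# Constructed category database keyed by hostname suffix (label-aligned).
CATEGORY_DB = {
    "examplebank.test": "financial",
    "clinicportal.test": "healthcare",
    "updates.example.test": "software",
}

# Constructed policy: categories whose traffic must not be decrypted.
SENSITIVE_CATEGORIES = {"financial", "healthcare"}


def categorize(sni: str) -> Optional[str]:
    """Longest label-aligned suffix match of the SNI hostname against CATEGORY_DB.

    Matching on whole labels means 'notexamplebank.test' does not inherit the
    category of 'examplebank.test', which a naive endswith() check would allow.
    """
    labels = sni.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return None


def decide(sni: Optional[str]) -> Action:
    """Bypass only destinations positively known to be in a sensitive category.

    A missing SNI or an uncategorized host cannot be shown to be sensitive, so
    the default is INSPECT; the bypass list therefore needs active maintenance.
    """
    if not sni:
        return Action.INSPECT
    category = categorize(sni)
    if category in SENSITIVE_CATEGORIES:
        return Action.BYPASS
    return Action.INSPECT
```

Extending the policy table to honour an explicit per-host bypass list (for a site the category feed misclassifies) is the usual next step when the platform is put in front of real users.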

Support for Complex Networks

Organizations must contend with security threats not only from external actors but also from disgruntled employees. To safeguard their digital assets, organizations have deployed an ever-increasing number of security products to stop intrusions, attacks, data loss, malware and more.

Some of these security products are deployed inline, while others are deployed out of band as passive network monitors. Some analyze all network traffic, whereas others focus on specific applications, such as web or email protocols.

Many organizations wish to deploy best-of-breed security products from multiple vendors; they do not want to get locked into a single vendor solution. The security landscape constantly evolves to combat emerging threats. In one or two years, organizations may want to provision new security products and they need to make sure that their SSL inspection platform will interoperate with these products.

As a result, SSL inspection platforms should interoperate with a diverse set of security products from multiple vendors. They should support transparent deployment and be able to route traffic from one security device to another with traffic steering.

By selecting an SSL inspection platform that supports flexible deployment, traffic steering and granular traffic controls, organizations will be able to provision their choice of security solutions in the future.

Maximize Capacity and “Uptime”

Organizations depend on their security infrastructure to block cyber-attacks and prevent data exfiltration. If their security infrastructure fails, threats may go undetected and users may be unable to perform business-critical tasks, resulting in loss of revenue and brand damage.

While firewalls have increased their capacity over time, they often cannot keep up with network demand, especially when multiple security features such as IPS, URL filtering and virus inspection are enabled.

Therefore, SSL inspection platforms should not just offload SSL processing from security devices. They should also maximize the uptime and performance of those devices, and raise the overall capacity of the security infrastructure through load balancing and integrated high availability. Only then can organizations unlock the full potential of their SSL inspection platforms.

Securely Manage Certificates and Keys

Whether providing visibility into outbound or inbound SSL traffic, SSL inspection devices must securely manage SSL certificates and keys. When SSL inspection devices are deployed in front of corporate applications to inspect inbound traffic, they may need to manage tens, hundreds or even thousands of certificates. As the number of SSL key and certificate pairs grows, certificate management becomes more challenging.

Organizations constantly add, remove or redeploy servers to meet business needs. This fluid and dynamic environment makes it difficult for organizations to account for all SSL certificates at any given time and ensure that certificates have not expired.

SSL certificates and keys form the basis of trust for encrypted communications. If they are compromised, attackers can use them to impersonate legitimate sites and steal data.

Conclusion

IT security teams face their own set of challenges as they tackle threats such as cyber-attacks and malware – threats that can use encryption to bypass corporate defenses.

Privacy concerns are propelling SSL usage higher; businesses face increased pressure to encrypt application traffic and keep data safe from hackers and foreign governments. In addition, because search engines such as Google rank HTTPS websites better than standard websites, application owners are clamoring to encrypt traffic.

With SSL accounting for nearly a third of enterprise traffic and with more applications supporting 2048-bit and 4096-bit SSL keys, organizations can no longer avoid the cryptographic elephant in the room. If they wish to prevent devastating data breaches, they must gain insight into SSL traffic. And to accomplish this goal, they need a dedicated SSL inspection platform.

About the Author: Kasey Cross is a senior product marketing manager for A10 Networks, a provider of application networking technologies.
