Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 











Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Mohammed Al-Moneer, A10 Networks: SSL Inspection – Uncovering Cyber Threats in SSL Traffic

January 2017 by Marc Jacob

Encrypted traffic accounts for a large and growing percentage of all network traffic. While the adoption of SSL, and its successor, Transport Layer Security (TLS), should be cause for celebration – as encryption improves confidentiality and message integrity – it also puts organizations at risk. This is because hackers can leverage encryption to conceal their exploits from security devices that do not inspect SSL traffic. How serious is the threat?

The Current State of Insecurity

According to a recent Gartner survey, “less than 20% of organizations with a firewall, an intrusion prevention system (IPS) or a unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic.” This means that hackers can evade over 80% of companies’ network defenses simply by tunneling attacks in encrypted traffic. To stop cyber attacks, organizations must gain insight into encrypted data, and to do this, they need a dedicated security platform that can decrypt inbound and outbound SSL traffic.

The Importance of Being Earnest…When Evaluating SSL Inspection Platforms

To eliminate the SSL blind spot in corporate defenses, organizations should provision solutions that can decrypt SSL traffic – both inbound traffic to corporate servers and outbound traffic from internal users to the Internet – and allow all security products that analyze network traffic to inspect encrypted data. Organizations must carefully evaluate the features and performance of SSL inspection platforms before selecting a solution. If IT security teams deploy SSL inspection platforms in haste, they might be blindsided later by escalating SSL bandwidth requirements, deployment demands or regulatory implications.

Because SSL inspection potentially touches so many different security products – from firewalls and intrusion prevent systems (IPS) to data loss prevention (DLP), forensics, advanced threat prevention and more – organizations must develop a list of criteria and evaluate SSL inspection platforms against these criteria before selecting a solution. SSL inspection platforms should:

Meet Current and Future SSL Performance Demands

Performance is perhaps the most important evaluation criteria for SSL inspection platforms. Organizations must assess their current Internet bandwidth requirements and ensure that their SSL inspection platform can handle future SSL throughput requirements. When evaluating SSL inspection performance, IT security teams should:

Test SSL inspection speeds with 2048-bit and 4096-bit SSL keys.
Evaluate a mix of traffic with Diffie-Hellman and elliptic curve ciphers.
Ensure that the SSL inspection platform can handle throughput requirements, with extra headroom for traffic peaks.
Analyze appliance performance with essential security and networking features enabled. Testing SSL decryption speeds without considering
Those organizations that thoroughly evaluate performance benchmarks should be able to avoid surprises in their production environments.

Satisfy Compliance Requirements

Privacy and regulatory concerns have emerged as one of the top hurdles preventing organizations from inspecting SSL traffic. While IT security teams have deployed a wide array of products to detect attacks, data leaks and malware – and rightfully so – they must walk a thin line between protecting employees and intellectual property, and violating employees’ privacy rights. To address regulatory requirements like HIPAA, Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX), an SSL inspection platform should be able to bypass sensitive traffic, like traffic to banking and healthcare sites. By bypassing sensitive traffic, IT security teams can rest easy knowing that confidential banking or healthcare records will not be sent to security devices or stored in log management systems.

Support Heterogeneous Networks with Diverse Deployment and Security Requirements

Organizations must contend with a wide array of security threats from external actors and from disgruntled employees. To safeguard their digital assets, organizations have deployed an ever increasing number of security products to stop intrusions, attacks, data loss, malware and more.

Some of these security products are deployed inline, while others are deployed non-inline as passive network monitors. Some analyze all network traffic, whereas others focus on specific applications, like web or email protocols. However, virtually all of these products need to examine traffic in clear text in order to pinpoint illicit activity.

As a result, SSL inspection platforms should interoperate with a diverse set of security products from multiple vendors. They should support transparent deployment and be able to route traffic from one security device to another with traffic steering.

Maximize the Uptime and the Overall Capacity of Security Infrastructure

Organizations depend on their security infrastructure to block cyber attacks and prevent data exfiltration. If their security infrastructure fails, threats may go undetected and users may be unable to perform business-critical tasks, resulting in loss of revenue and brand damage. Most firewalls today can granularly control access to applications and detect intrusions and malware. Unfortunately, analyzing network traffic for network-borne threats is a resource-intensive task. While firewalls have increased their capacity over time, they often cannot keep up with network demand, especially when multiple security features like IPS, URL filtering and virus inspection are enabled. Therefore, SSL inspection platforms should not just offload SSL processing from security devices. They should also maximize the uptime and performance of these devices.

Securely Manage SSL Certificates and Keys

Whether providing visibility to outbound or inbound SSL traffic, SSL inspection devices must securely manage SSL certificates and keys. SSL certificates and keys form the basis of trust for encrypted communications. If they are compromised, attackers can use them to impersonate legitimate sites and steal data.

When SSL inspection devices are deployed in front of corporate applications to inspect inbound traffic, they may need to manage tens, hundreds or even thousands of certificates. As the number of SSL key and certificate pairs grows, certificate management becomes more challenging. Organizations constantly add, remove or redeploy servers to meet business needs. This fluid and dynamic environment makes it difficult for organizations to account for all SSL certificates at any given time and ensure that certificates have not expired.

In conclusion, privacy concerns are propelling SSL usage higher. Businesses face increased pressure to encrypt application traffic and keep data safe from hackers and foreign governments. In addition, because search engines such as Google rank HTTPS websites better than standard websites, application owners are clamouring to encrypt traffic. But IT security teams face their own set of challenges as they tackle threats like cyber attacks and malware – threats that can use encryption to bypass corporate defenses. If they wish to prevent devastating data breaches, they must gain insight into SSL traffic. And to accomplish this goal, they need a dedicated SSL inspection platform.


See previous articles

    

See next articles












Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts