SSL inspection – Uncovering cyber threats in SSL traffic

SSL inspection – Uncovering cyber threats in SSL traffic

Encrypted traffic accounts for a large and growing percentage of all network traffic. While the adoption of SSL, and its successor, Transport Layer Security (TLS), should be cause for celebration – as encryption improves confidentiality and message integrity – it also puts organisations at risk. This is because hackers can leverage encryption to conceal their exploits from security devices that do not inspect SSL traffic, writes Mohammed Al-Moneer, Regional Director, MENA, A10 Networks. 

How serious is the threat?

According to a recent Gartner survey, “less than 20% of organisations with a firewall, an intrusion prevention system (IPS) or a unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic.” This means that hackers can evade over 80% of companies’ network defences simply by tunnelling attacks in encrypted traffic. To stop cyber attacks, organisations must gain insight into encrypted data, and to do this, they need a dedicated security platform that can decrypt inbound and outbound SSL traffic.

The importance of being earnest…When evaluating SSL inspection platforms

To eliminate the SSL blind spot in corporate defences, organisations should provision solutions that can decrypt SSL traffic – both inbound traffic to corporate servers and outbound traffic from internal users to the Internet – and allow all security products that analyse network traffic to inspect encrypted data. Organisations must carefully evaluate the features and performance of SSL inspection platforms before selecting a solution. If IT security teams deploy SSL inspection platforms in haste, they might be blindsided later by escalating SSL bandwidth requirements, deployment demands or regulatory implications.

Because SSL inspection potentially touches so many different security products – from firewalls and intrusion prevent systems (IPS) to data loss prevention (DLP), forensics, advanced threat prevention and more – organisations must develop a list of criteria and evaluate SSL inspection platforms against these criteria before selecting a solution. SSL inspection platforms should:

Meet current and future SSL performance demands

Performance is perhaps the most important evaluation criteria for SSL inspection platforms. Organisations must assess their current Internet bandwidth requirements and ensure that their SSL inspection platform can handle future SSL throughput requirements. When evaluating SSL inspection performance, IT security teams should:

  • Test SSL inspection speeds with 2048-bit and 4096-bit SSL keys.
  • Evaluate a mix of traffic with Diffie-Hellman and elliptic curve ciphers.
  • Ensure that the SSL inspection platform can handle throughput requirements, with extra headroom for traffic peaks.
  • Analyze appliance performance with essential security and networking features enabled. Testing SSL decryption speeds without considering

Those organisations that thoroughly evaluate performance benchmarks should be able to avoid surprises in their production environments.

Satisfy compliance requirements

Privacy and regulatory concerns have emerged as one of the top hurdles preventing organisations from inspecting SSL traffic. While IT security teams have deployed a wide array of products to detect attacks, data leaks and malware – and rightfully so – they must walk a thin line between protecting employees and intellectual property, and violating employees’ privacy rights. To address regulatory requirements like HIPAA, Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX), an SSL inspection platform should be able to bypass sensitive traffic, like traffic to banking and healthcare sites. By bypassing sensitive traffic, IT security teams can rest easy knowing that confidential banking or healthcare records will not be sent to security devices or stored in log management systems.

Support heterogeneous networks with diverse deployment and security requirements

Organisations must contend with a wide array of security threats from external actors and from disgruntled employees. To safeguard their digital assets, organisations have deployed an ever increasing number of security products to stop intrusions, attacks, data loss, malware and more.

Some of these security products are deployed inline, while others are deployed non-inline as passive network monitors. Some analyze all network traffic, whereas others focus on specific applications, like web or email protocols. However, virtually all of these products need to examine traffic in clear text in order to pinpoint illicit activity.

As a result, SSL inspection platforms should interoperate with a diverse set of security products from multiple vendors. They should support transparent deployment and be able to route traffic from one security device to another with traffic steering.

Maximise the uptime and the overall capacity of security infrastructure

Organisations depend on their security infrastructure to block cyber attacks and prevent data exfiltration. If their security infrastructure fails, threats may go undetected and users may be unable to perform business-critical tasks, resulting in loss of revenue and brand damage. Most firewalls today can granularly control access to applications and detect intrusions and malware. Unfortunately, analysing network traffic for network-borne threats is a resource-intensive task. While firewalls have increased their capacity over time, they often cannot keep up with network demand, especially when multiple security features like IPS, URL filtering and virus inspection are enabled. Therefore, SSL inspection platforms should not just offload SSL processing from security devices. They should also maximise the uptime and performance of these devices.

Securely manage SSL certificates and keys

Whether providing visibility to outbound or inbound SSL traffic, SSL inspection devices must securely manage SSL certificates and keys. SSL certificates and keys form the basis of trust for encrypted communications. If they are compromised, attackers can use them to impersonate legitimate sites and steal data.

When SSL inspection devices are deployed in front of corporate applications to inspect inbound traffic, they may need to manage tens, hundreds or even thousands of certificates. As the number of SSL key and certificate pairs grows, certificate management becomes more challenging. Organizations constantly add, remove or redeploy servers to meet business needs. This fluid and dynamic environment makes it difficult for organizations to account for all SSL certificates at any given time and ensure that certificates have not expired.

In conclusion, privacy concerns are propelling SSL usage higher. Businesses face increased pressure to encrypt application traffic and keep data safe from hackers and foreign governments. In addition, because search engines such as Google rank HTTPS websites better than standard websites, application owners are clamouring to encrypt traffic. But IT security teams face their own set of challenges as they tackle threats like cyber attacks and malware – threats that can use encryption to bypass corporate defences. If they wish to prevent devastating data breaches, they must gain insight into SSL traffic. And to accomplish this goal, they need a dedicated SSL inspection platform.

Browse our latest issue

Intelligent CISO

View Magazine Archive