SSL Decryption
Shawn Reilly
AVP Enterprise Sales - A10 Networks | Driving Strategic Growth, Capturing New Business, and Exceeding Revenue Targets Across Enterprise Markets
Did you know that, on average, about 25% of the traffic on corporate IT networks today is encrypted? Think about it. All social media, instant messaging, personal mail, SaaS-based applications like Salesforce, EMR apps and CRM apps are encrypted. Google is now prioritizing SSL sites in search results. And I heard the other day that Wikipedia just encrypted its entire back end, so all of your browsing and updating of Wikipedia is encrypted. So what does this mean? Well, one thing is that this is only going to get more and more prevalent because of Mr. Snowden, and if typical firewalls are designed to leave HTTPS (port 443, 4433, or whatever ports you are using for SSL) open, then how can we see this traffic? And why do we need to see this traffic?
More and more threat actors are getting smarter and are embedding or delivering malware over encrypted connections. This alone is forcing our hand: we have to be able to see inside encrypted traffic. And if we want to restrict or control content being used on our corporate network, we need to identify it first in order to implement a policy. The only way to do this is to decrypt it, scan it to identify it, and then apply the policy. CryptoLocker and Zeus bot, to name a few, are malware families that use encryption in different ways. Even if a company has the most up-to-date antivirus on the planet, it will not stop something like CryptoLocker from entering the network, because most of it is delivered over an encrypted connection and cannot be seen. Furthermore, the outbound connections it makes to the command and control servers to steal info are also encrypted.
What is the answer? There is no silver bullet to combat these issues, or our ever-growing threat landscape in general. Not one solution will solve world hunger. LOL! However, a layered solution will help you lower risk as much as possible, and we need to be decrypting traffic and inspecting it. The days of turning our heads on SSL traffic and assuming it's secure are OVER. Without inspecting it we are letting 25% of the traffic fly by the firewall. Things to consider when approaching this topic:
- Performance is key: SSL decryption and scanning throughput will be much lower than normal deep packet inspection throughput. Be cognizant of this when choosing a vendor.
- The ability to restrict certain versions of SSL or TLS is huge, because some of those versions are inherently insecure.
- You will want to exclude some things from being decrypted and scanned.
- Is the decryption on box, or is another appliance or server needed to offload the performance? If so, this may become cumbersome and increase management time.
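The second and third points above (restricting old SSL/TLS versions and excluding some hosts from decryption) are decisions a decryption policy makes from the ClientHello before any key exchange happens. As an added example, not code from this post or from any vendor's product, here is a small Python pre-check that parses a TLS ClientHello, pulls out the SNI and the offered protocol versions, and returns bypass / block / inspect. The minimum version, the bypass list and the ClientHello builder used to construct sample input are all assumptions for the demo.

```python
import struct

MIN_VERSION = 0x0303                                  # TLS 1.2; assumed policy floor
BYPASS = ("bank.example", "health.example")           # constructed do-not-decrypt list

def parse_client_hello(record: bytes) -> dict:
    """Pull the offered protocol version(s) and SNI out of a raw ClientHello record."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 22 or hs[0] != 1:
        raise ValueError("not a TLS ClientHello")
    ver = struct.unpack("!H", hs[4:6])[0]             # legacy_version
    pos = 6 + 32                                      # skip client random
    pos += 1 + hs[pos]                                # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hs[pos]                                # compression methods
    sni, versions = "", []
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos < end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0:                                # server_name extension
            nlen = struct.unpack("!H", body[3:5])[0]
            sni = body[5:5 + nlen].decode("ascii")
        elif etype == 43:                             # supported_versions (TLS 1.3 clients)
            versions = [struct.unpack("!H", body[i:i + 2])[0] for i in range(1, 1 + body[0], 2)]
    return {"sni": sni, "versions": versions or [ver]}

def decrypt_decision(record: bytes) -> str:
    """'bypass' for excluded hosts, 'block' for versions below the floor, else 'inspect'."""
    info = parse_client_hello(record)
    if any(info["sni"] == d or info["sni"].endswith("." + d) for d in BYPASS):
        return "bypass"
    if max(info["versions"]) < MIN_VERSION:
        return "block"
    return "inspect"

def build_client_hello(version: int, sni: str, supported=()) -> bytes:
    """Constructed minimal ClientHello for the demo; not a real client capture."""
    exts = b""
    if sni:
        name = sni.encode("ascii")
        body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts += struct.pack("!HH", 0, len(body)) + body
    if supported:
        body = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        exts += struct.pack("!HH", 43, len(body)) + body
    hs_body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, no session id
               + b"\x00\x02\x13\x01" + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs
```

A TLS 1.3 client still sends legacy_version 0x0303, so the supported_versions extension, not the legacy field, decides whether the floor is met.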
Shawn
CEO, Data-Tech
9 years
Great post Rob. I agree with Shawn: "What is the answer? There is no silver bullet to combat these issues or our ever growing threat landscape in general. Not one solution will solve world hunger. LOL! However a layered approach solution will help you lower risk as much as possible and we need to be decrypting traffic and inspecting it. The days of turning our heads on SSL traffic and assuming it's secure are OVER. Without inspecting it we are letting 25% of the traffic fly by the firewall."