IT Brief Australia - Technology news for CIOs & IT decision-makers
Using ADCs to uncover hidden threats in encrypted traffic
Mon, 9th Nov 2015

More and more cybercriminals are tunnelling attacks inside SSL-encrypted sessions to evade detection by firewalls and other security products. SSL represents not just a chink in enterprises' armour, but an enormous crater that malicious actors can exploit.

SSL (and its successor TLS; the name SSL is still used loosely for both) is the standard technology for establishing an encrypted link between a server and a client, typically a web server and a browser, or a mail server and a mail client.

To prevent attacks, intrusions and malware, enterprises need to inspect incoming and outgoing traffic for threats. Today SSL accounts for 25% to 35% of all internet traffic, according to an NSS Labs report. But increasingly, attackers are turning to encryption to evade detection.

Cybercriminals use SSL to exploit a blind spot in corporate defences. Organisations rely on a dizzying array of security products to inspect traffic, block intrusions, stop malware and control which applications users can access. To keep users safe, these products must inspect all communications, not just clear-text traffic.

Unfortunately, many firewalls, intrusion prevention and threat prevention products can't keep pace with growing SSL encryption demands.

The transition from 1024- to 2048-bit RSA keys, spurred on by NIST Special Publication 800-131A's deprecation of 1024-bit RSA, has burdened security devices: the RSA private-key operation performed in each full handshake costs approximately 6.3 times more processing power with a 2048-bit key than with a 1024-bit key. The extra cost sits in the handshake, not in "decrypting the certificate"; the symmetric bulk decryption of the session afterwards is unaffected by key length.

With certificate key lengths continuing to increase, and 4096-bit keys accounting for 20% of all certificates for one certificate authority according to a Netcraft SSL survey, many security devices are collapsing under the increased handshake load. Each further doubling of the key length multiplies the per-handshake cost again by a similar factor.

In its report, SSL Performance Problems, NSS Labs found that eight leading next-generation firewall vendors experienced significant performance degradation when decrypting 2048-bit encrypted traffic. NSS asserted that it had ‘concerns for the viability of SSL inspection in enterprise networks without the use of dedicated SSL decryption devices’.
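The 6.3x figure above can be sanity-checked against the asymptotics of the RSA private-key operation: a full-size exponent with a modulus twice as long needs twice as many squarings, each on operands four times as costly with schoolbook multiplication, so roughly 8x in theory, with real implementations (CRT, assembly, hardware) landing somewhat lower. The following is an added microbenchmark, not code from the article or from A10 Networks; it uses a random odd modulus as a stand-in for an RSA modulus (only operand size matters for the timing) and reports the ratio for your own machine. Absolute numbers will differ from a production TLS stack; the ratio is the point.

```python
import secrets
import time
from typing import Tuple


def _odd_modulus(bits: int) -> int:
    # Random odd integer with the top bit set: stands in for an RSA modulus of
    # this size. We only care about operand size, not that it is p*q.
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def private_op_cost(bits: int, iters: int = 20, repeats: int = 5) -> float:
    """Seconds taken by `iters` modular exponentiations m^d mod n where n and d
    are `bits` bits long: the shape of the RSA private-key operation a server
    (or an inspecting proxy) performs once per full handshake.
    The best of `repeats` runs is returned to damp scheduler noise."""
    n = _odd_modulus(bits)
    d = secrets.randbits(bits) | 1        # full-size private exponent
    m = secrets.randbits(bits - 8)        # message smaller than n
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        for _ in range(iters):
            pow(m, d, n)
        best = min(best, time.perf_counter() - start)
    return best


def cost_ratio(small_bits: int = 1024, large_bits: int = 2048,
               iters: int = 20) -> Tuple[float, float, float]:
    """Return (seconds for small key, seconds for large key, large/small ratio)."""
    t_small = private_op_cost(small_bits, iters)
    t_large = private_op_cost(large_bits, iters)
    return t_small, t_large, t_large / t_small


if __name__ == "__main__":
    iters = 20
    s, l, r = cost_ratio(iters=iters)
    print(f"{1024}-bit: {1000 * s / iters:.2f} ms/op  "
          f"{2048}-bit: {1000 * l / iters:.2f} ms/op  ratio {r:.1f}x")
```

Run it on the box that will be doing the decryption; if the 2048-bit figure times the expected new-connections-per-second exceeds one core, the handshake load has to be offloaded or spread, which is the case the article makes for a dedicated decryption device.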

As organisations move key applications like email, CRM, business intelligence and file storage to the cloud, they need to monitor and protect these applications just as they would internally hosted applications. Many of these cloud-based applications use SSL, exposing gaping holes in organisations' defences.

For end-to-end security, organisations need to inspect outbound SSL traffic originating from internal users, as well as inbound SSL traffic originating from external users to corporate-owned application servers, in order to eliminate the blind spot in corporate defences.

ADCs to the rescue

Advanced application delivery controllers (ADCs) not only load balance traffic, but can also eliminate the blind spot imposed by SSL encryption. ADCs can offload CPU-intensive SSL decryption functions and enable security devices to inspect all traffic – not just clear text. Such ADCs decrypt SSL-encrypted traffic and forward it to a third-party security device like a firewall for deep packet inspection (DPI). Once the traffic has been analysed and scrubbed, the ADC re-encrypts it and forwards it to the intended destination.

While dedicated security devices provide in-depth inspection and analysis of network traffic, they are rarely designed to decrypt and re-encrypt SSL traffic at high speeds. Some cannot decrypt SSL traffic at all. SSL inspection technology, included as standard with certain ADCs, offloads CPU-intensive encryption and decryption tasks from dedicated security devices, boosting application performance.

The ADC functions as an explicit SSL forward proxy or as a transparent proxy to intercept SSL traffic. For outbound inspection this means the ADC terminates the user's session and presents a substitute certificate for the destination, signed by an internal CA, so that CA must be trusted by every managed endpoint; applications that pin their server's certificate will refuse the substitute and must be added to the bypass policy. For inbound inspection the ADC simply holds the organisation's own server certificates and keys.

In addition to inline deployment, organisations can deploy security devices, such as intrusion detection systems and forensics tools, in passive mode, where the ADC sends them a decrypted copy of the traffic. In passive mode, such a security device can easily be integrated into a production environment without requiring network changes or introducing a single point of failure in the network. Non-inline deployment is ideal for security devices that inspect, alert and report on events rather than actively block attacks.

With an ADC, organisations can achieve high performance with SSL acceleration hardware, scale security with load balancing, reduce load on security infrastructure by controlling which types of traffic to decrypt, and apply policy per connection based on destination, category or port. An ADC can also selectively bypass sensitive web applications, like banking and healthcare sites. Because the URL is not visible until the session is decrypted, that bypass decision has to be made from what is visible before decryption, principally the server name the client sends in the ClientHello (SNI) and the certificate the server presents.
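The selective-bypass decision described above, as an added example that is not code from the article or from any ADC vendor: it parses the SNI extension out of a TLS ClientHello record, looks the name up in a category map, and returns decrypt or bypass. The category map, the bypass list and the `build_client_hello` helper that produces a synthetic ClientHello (a constructed sample, not a capture) are all assumptions for illustration; a real ADC would take categories from a URL-classification feed. A ClientHello with no SNI cannot be classified, so the policy falls through to a configurable default, which is the edge case an operator has to decide on.

```python
import struct
from typing import Optional, Tuple

# Hypothetical category feed; an ADC would normally get this from a classification service.
CATEGORIES = {
    "mybank.example": "finance",
    "patient-portal.example": "healthcare",
    "mail.example.net": "webmail",
}
BYPASS_CATEGORIES = {"finance", "healthcare"}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record, optionally carrying SNI."""
    ext = struct.pack("!HH", 0x000B, 2) + b"\x01\x00"     # ec_point_formats, to be skipped
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        ext += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                       # client_version, random
            + b"\x00"                                      # session_id length 0
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"   # two cipher suites
            + b"\x01\x00"                                  # compression: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                              # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:             # truncated or not ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                       # skip version and random
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos + 2 > len(body):                            # no extensions block
            return None
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            lpos = 2
            while lpos + 3 <= 2 + list_len:
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0:
                    return edata[lpos:lpos + nlen].decode("ascii")
                lpos += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def decrypt_decision(record: bytes, no_sni_default: str = "decrypt") -> Tuple[str, str]:
    """Return ("decrypt" | "bypass", reason) for one connection's ClientHello."""
    sni = extract_sni(record)
    if sni is None:
        return no_sni_default, "no SNI present: cannot classify, applying default"
    category = CATEGORIES.get(sni.lower(), "uncategorised")
    action = "bypass" if category in BYPASS_CATEGORIES else "decrypt"
    return action, f"{sni} is {category}"


if __name__ == "__main__":
    for host in ("mybank.example", "www.example.org", None):
        print(host, decrypt_decision(build_client_hello(host)))
```

The default for the no-SNI case is deliberately a parameter: defaulting to decrypt keeps the blind spot closed but will break legacy clients that pin certificates; defaulting to bypass is the safer availability choice but should be logged and reviewed.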

Single point for decryption and analysis

Organisations often deploy multiple security solutions to analyse and filter application traffic. An ADC offers a centralised point to decrypt SSL traffic and send it in clear text to a myriad of devices, eliminating the need to decrypt traffic multiple times. An ADC can also interoperate with firewalls, intrusion prevention systems (IPS), data loss prevention (DLP) products, threat prevention platforms, and other security tools, providing visibility to a wide range of network security devices.

Many security devices are not designed for inline deployment or for high-speed SSL decryption. An ADC can enable these devices to inspect SSL-encrypted data without burdening the devices with computationally intensive SSL processing.

Features to consider for SSL inspection

To streamline and automate management, choose an ADC that includes an industry standard CLI, a web user interface, and a RESTful API which can integrate with third party or custom management consoles. For larger deployments, a centralised management system will ensure that routine tasks can be performed at scale across multiple appliances, regardless of physical location.

Since not all ADCs are equal, it is essential to select one that will eliminate the blind spot in corporate defences by decrypting SSL traffic at high speeds; prevent costly data breaches and loss of intellectual property by detecting advanced threats; maximise uptime by load-balancing multiple third-party security appliances; and scale performance and throughput to counter cyber attacks.

By Greg Barnes, A10 Networks ANZ managing director