How to uncover the hidden threats in encrypted traffic

More and more cyber-criminals are tunnelling attacks inside SSL-encrypted sessions to evade detection by firewalls and other security products. SSL represents not just a chink in enterprises’ armour, but an enormous crater that malicious actors can exploit.

SSL (today, more precisely, its successor TLS) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server and a browser, or a mail server and a mail client.

To prevent attacks, intrusions and malware, enterprises need to inspect incoming and outgoing traffic for threats. Today SSL accounts for 25 to 35 percent of all Internet traffic. But increasingly, attackers are turning to encryption to evade detection.

Cyber-criminals use SSL to exploit a blind spot in corporate defences. Organisations rely on a dizzying array of security products to inspect traffic, block intrusions, stop malware and control which applications users can access. To keep users safe, these products must inspect all communications, not just clear-text traffic.

Unfortunately, many firewalls, intrusion prevention and threat prevention products can’t keep pace with growing SSL encryption demands. The transition from 1024- to 2048-bit SSL keys, spurred on by NIST Special Publication 800-131A, has burdened security devices because handshakes with 2048-bit RSA keys require approximately 6.3 times the processing power of handshakes with 1024-bit keys. The extra cost sits in the RSA private-key operation that an inspecting device must perform for every new session it terminates; the bulk symmetric decryption of the session data itself does not depend on the RSA key size.

With SSL certificate key lengths continuing to increase (4096-bit keys already account for 20 per cent of all certificates issued by one certificate authority), many security devices are collapsing under the increased decryption demands.

In its report, SSL Performance Problems, NSS Labs found that eight leading next-generation firewall vendors experienced significant performance degradation when decrypting 2048-bit encrypted traffic. NSS asserted that it had “concerns for the viability of SSL inspection in enterprise networks without the use of dedicated SSL decryption devices.”
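To see where the extra handshake cost described above comes from, here is an added micro-benchmark (not from the article, A10 or NSS Labs) that times a modular exponentiation with a full-size exponent, which is the shape of the RSA private-key operation an inspecting device performs once per session it terminates. It uses random odd moduli and exponents rather than real RSA keys (constructed input; only the operand size drives the cost), so the absolute times are illustrative, but the ratio between 1024- and 2048-bit operands shows the scaling.

```python
import random
import time


def _constructed_operands(bits: int, seed: int):
    """Return (message, exponent, modulus) of the given size.

    These are NOT real RSA keys: the modulus is just a random odd number
    with its top bit set. For timing purposes only the operand size matters,
    so this avoids prime generation while keeping the cost realistic."""
    rng = random.Random(seed)
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    d = rng.getrandbits(bits) | 1          # full-size "private" exponent
    m = rng.getrandbits(bits - 1)          # message smaller than the modulus
    return m, d, n


def private_op_cost(bits: int, iterations: int = 5, seed: int = 1) -> float:
    """Best-of-N wall-clock seconds for one modexp with a `bits`-bit modulus
    and a `bits`-bit exponent, i.e. one RSA private-key operation's worth of
    arithmetic (without CRT) as performed per TLS handshake."""
    m, d, n = _constructed_operands(bits, seed)
    best = float("inf")
    for _ in range(iterations):
        start = time.perf_counter()
        pow(m, d, n)
        best = min(best, time.perf_counter() - start)
    return best


def cost_ratio(bits_a: int = 1024, bits_b: int = 2048) -> float:
    """How many times more expensive the private-key operation is at bits_b
    than at bits_a. Schoolbook modexp is cubic in the operand size, so the
    1024 -> 2048 step lands in the same region as the 6.3x quoted above."""
    return private_op_cost(bits_b) / private_op_cost(bits_a)


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        print(f"{bits}-bit private-key op: {private_op_cost(bits) * 1e3:.2f} ms")
    print(f"2048/1024 cost ratio: {cost_ratio():.1f}x")
    print(f"4096/2048 cost ratio: {cost_ratio(2048, 4096):.1f}x")
```

Real stacks use the CRT optimisation, which roughly quarters the private-key cost at every size, and hardware accelerators change the constants, but the per-doubling growth is what makes 2048- and 4096-bit keys hurt inspection devices that were sized for 1024-bit handshakes.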

As organisations move key applications like email, CRM, business intelligence and file storage to the cloud, they need to monitor and protect these applications just as they would internally-hosted applications. Many of these cloud-based applications use SSL, exposing gaping holes in organisations’ defences.

For end-to-end security, organisations need to inspect outbound SSL traffic originating from internal users, as well as inbound SSL traffic originating from external users to corporate-owned application servers, in order to eliminate the blind spot in corporate defences.

ADCs to the rescue

Advanced Application Delivery Controllers (ADCs) not only load balance traffic, but they can also eliminate the blind spot imposed by SSL encryption. ADCs can offload CPU-intensive SSL decryption functions and enable security devices to inspect all traffic – not just clear text. Such ADCs decrypt SSL-encrypted traffic and forward it to a third-party security device like a firewall for deep packet inspection (DPI). Once the traffic has been analysed and scrubbed, the ADC re-encrypts it and forwards it to the intended destination.

While dedicated security devices provide in-depth inspection and analysis of network traffic, they are rarely designed to decrypt SSL traffic at high speeds. Some cannot decrypt SSL traffic at all. SSL inspection technology, included standard with certain ADCs, offloads CPU-intensive encryption and decryption tasks from dedicated security devices, boosting application performance.

The ADC functions as an SSL forward proxy or as a transparent proxy to intercept SSL traffic. For outbound sessions this means the ADC terminates the user’s connection and presents a certificate it has signed with an enterprise CA, so that CA must be trusted by every managed client, and applications that pin certificates will break unless they are bypassed; for inbound sessions the ADC must hold the private keys of the corporate servers it fronts, which makes it a high-value asset to protect. With those prerequisites in place, organisations can deploy appropriate ADC appliances to safeguard their communications efficiently.

In addition to inline deployment, organisations can deploy security devices, such as intrusion detection systems and forensics tools, in passive mode.  In passive mode, such a security device can easily be integrated into a production environment without requiring network changes or introducing a single point of failure in the network. Non-inline deployment is ideal for security devices that inspect, alert and report on events rather than actively block attacks.

With an ADC, organisations can achieve high performance with SSL acceleration hardware, scale security with load balancing, reduce load on security infrastructure by controlling which types of traffic to decrypt, and granularly control traffic. An ADC can also selectively bypass decryption for sensitive web applications, such as banking and healthcare sites, where privacy or regulatory obligations rule out inspection; the bypass decision is made on the destination before any decryption takes place.

Single point for decryption and analysis

Organisations often deploy multiple security solutions to analyse and filter application traffic. An ADC offers a centralised point to decrypt SSL traffic and send it in clear text to a myriad of devices, eliminating the need to decrypt traffic multiple times. An ADC can also interoperate with firewalls, intrusion prevention systems (IPS), data loss prevention (DLP) products, threat prevention platforms, and other security tools, providing visibility to a wide range of network security devices.


Many security devices are not designed for inline deployment or for high-speed SSL decryption. An ADC enables these devices to inspect SSL-encrypted data without burdening them with computationally intensive SSL processing.

Features to consider for SSL inspection

To streamline and automate management, choose an ADC that includes an industry standard CLI, a web user interface, and a RESTful API which can integrate with third party or custom management consoles. For larger deployments, a centralised management system will ensure that routine tasks can be performed at scale across multiple appliances, regardless of physical location.

Since not all ADCs are equal, it is essential to select one that will eliminate the blind spot in corporate defences by decrypting SSL traffic at high speeds; prevent costly data breaches and loss of intellectual property by detecting advanced threats; maximise uptime by load-balancing multiple third-party security appliances; and scale performance and throughput to counter cyber attacks.


Greg Barnes is the ANZ Managing Director, A10 Networks  
