How to integrate SSL inspection with cloud services monitoring

Author: Ian Teague, Country Manager ANZ at Gigamon

Along with an Opex-leaning cost model, cloud computing’s appeal has included dynamic capacity provisioning where compute and storage resources can be added, moved and removed almost instantaneously.

While this helps companies to scale resource consumption easily, the bad news is that monitoring user experience, cloud service performance and security has become tougher.

Enterprise migration to cloud services, especially external clouds, is driving the use of HTTPS (HTTP over SSL/TLS) and other protocols that run on top of the Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), to support web applications and search services. The term "SSL" is used throughout this article as shorthand for both. The problem is that the same encryption severely limits visibility for both cloud service performance and security monitoring tools.

NSS Labs estimates that SSL traffic now accounts for an average of 25 to 35 per cent of a typical enterprise's network traffic, and that proportion continues to grow.

The lack of visibility into uninspected SSL sessions coursing through public and private cloud networks, together with the shift to larger key sizes, is a cause for concern. Larger keys increase the decryption load on the monitoring tools that do handle SSL traffic, and uninspected sessions let malware hide inside encrypted channels.

The urgency for on-the-fly SSL traffic decryption and scanning has never been greater. Security officers can manage only what they can see, and highly available cloud services demand exactly that visibility.

Multi-tier SSL decryption approach

Hardware-accelerated SSL decryption will be required to tackle the growing use of HTTPS for web server sessions, the encryption of internal network traffic and, in particular, the criminal use of encrypted channels to evade detection products.

The public key cryptography that underpins SSL uses the server's public key to encrypt and its private key to decrypt. With an RSA key exchange the client encrypts the session's premaster secret under the server's public key, so only the cloud or web server that holds the matching private key (or a monitoring system entrusted with a copy of it) can recover the session keys.

Monitoring tools that also decrypt SSL traffic bear a tremendous processing burden. They have to cover traffic across tiers: the data centre and high-speed LAN, remote access, virtualised application resources in the cloud, and the perimeter. Hence the performance and cost of monitoring are key considerations.

A multi-tiered security solution could decrypt SSL traffic from the cloud and remote sites and monitor it. Once the SSL sessions are decrypted, the secure services running in the cloud can be told apart and monitored individually.

Data centre administrators can then begin to remove the blind spots created by SSL-encrypted application traffic.

Traffic intelligence solution


What's needed is a traffic intelligence application that offloads SSL decryption from the monitoring tools and provides visibility into SSL sessions to help expose hidden threats.

That means delivering SSL decryption as a common service to the connected monitoring and security tools. This frees the tools to spend their cycles on packet analysis and removes the need to purchase a decryption licence for each tool.

One such solution is a visibility fabric that is built on a cluster of visibility nodes running smart traffic intelligence applications. One of these applications is SSL decryption.

A visibility fabric sees both directions of the traffic, so it can observe the handshake at the start of each session, in which the server presents its certificate and the session keys are negotiated. The administrator loads the servers' private keys and stores them securely on the system, which makes the visibility node itself a high-value key store that must be protected accordingly. The smart high-performance compute engines are then ready to decrypt the SSL traffic and forward it to performance and security tools for analysis. One caveat a practitioner should check before relying on this: passive decryption from a copy of the private key only works for cipher suites that use RSA key exchange. With ephemeral Diffie-Hellman suites (DHE and ECDHE, and every TLS 1.3 session) the private key only signs the handshake and never decrypts anything, so those sessions can be inspected only by an inline proxy that terminates the connection.
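Because the passive approach above depends on the negotiated key exchange, the first thing a visibility node has to decide per session is whether the loaded private key can recover the session keys at all. The following Python is an added illustration, not Gigamon's or any product's code: it parses a TLS ServerHello record off the wire, reads the negotiated cipher suite (and the supported_versions extension that TLS 1.3 uses to signal its real version) and reports whether passive decryption with the server's RSA private key is possible. The ServerHello records are constructed inline for the example (minimal ones, with none of the other extensions a real server would send), and the cipher-suite table is a hand-picked subset of the IANA registry, not a complete one.

```python
"""Decide whether a TLS session can be decrypted passively with the server's
RSA private key, by parsing the ServerHello a visibility node sees on the wire."""
import struct

# Key-exchange family of a handful of IANA cipher-suite codes.  Assumption:
# this is a partial table built for the example, not the full registry.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS1.3"),
    0x1303: ("TLS_CHACHA20_POLY1305_SHA256", "TLS1.3"),
}

EXT_SUPPORTED_VERSIONS = 43


def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello and return its fields.

    Record layout: type(1) version(2) length(2) | handshake type(1) length(3) |
    server_version(2) random(32) session_id(1+n) cipher_suite(2)
    compression(1) [extensions_length(2) extensions...]
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                   # skip the server random
    sid_len = hello[pos]
    pos += 1 + sid_len
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                                       # cipher suite + compression
    extensions = {}
    if pos + 2 <= len(hello):                      # extensions are optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            extensions[etype] = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    # A TLS 1.3 server keeps legacy_version at 0x0303 and signals 0x0304 here.
    sv = extensions.get(EXT_SUPPORTED_VERSIONS)
    if sv is not None and len(sv) == 2:
        version = struct.unpack("!H", sv)[0]
    return {"version": version, "cipher_suite": suite, "extensions": extensions}


def passive_decryptable(info):
    """Return (decryptable, suite_name).  Only RSA key exchange below TLS 1.3
    lets a copy of the server's private key recover the session keys."""
    name, kx = CIPHER_SUITES.get(info["cipher_suite"], ("unknown", "unknown"))
    if info["version"] >= 0x0304:                  # TLS 1.3: always (EC)DHE
        return False, name
    return kx == "RSA", name


def build_server_hello(suite, tls13=False):
    """Constructed minimal ServerHello record for the example (not a capture)."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    if tls13:
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + b"\x03\x04"
        hello += struct.pack("!H", len(ext)) + ext
    else:
        hello += struct.pack("!H", 0)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for suite, tls13 in ((0x002F, False), (0xC02F, False), (0x1301, True)):
        info = parse_server_hello(build_server_hello(suite, tls13))
        ok, name = passive_decryptable(info)
        print(f"{name:45s} TLS 0x{info['version']:04x}  "
              f"{'passive decrypt OK' if ok else 'needs inline proxy'}")
```

In a deployment the same check, run on the ClientHello instead, tells you which of the client's offered suites a monitored server must be configured to prefer if the key-loading approach is to keep working; a server that prefers ECDHE will silently defeat it.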


SSL decryption can be carried out on traffic received on any network port in the cluster of visibility nodes, and the decrypted traffic can be sent to any tool port in the cluster.

Multiple smart applications, such as header stripping and adaptive packet filtering, can be applied before the traffic is forwarded to the tools. For example, traffic can be sent selectively to inline security tools based on the specific applications of interest.

The bottom line is that inspecting SSL sessions has become an essential component of enterprise security.

Because SSL is at the heart of today's enterprise infrastructure, endpoints and DMZ servers are exposed to attacks that ride inside encrypted sessions unless the monitoring tools have the right level of traffic visibility.

Decrypting and inspecting SSL sessions lets tools detect malware and intrusions, prevent data loss and carry out network forensics. Put simply, organisations can integrate SSL inspection into a multi-tiered security solution with decryption applied only once for all tools.
