​Epic Internet failure looms in SSL blind spots

Author: Greg Barnes, ANZ Managing Director, A10 Networks

Two-thirds of Internet traffic will be encrypted by 2016, according to a survey by intelligent network policy control solutions vendor Sandvine1. Popular websites, as well as email, instant messaging, and FTP leverage encryption to keep data secure and private. But when organisations start encrypting application traffic, they often encounter obstacles such as performance degradation on their application servers.

Encryption has more serious ramifications - it makes network security tools blind to application traffic. Security solutions that include next-generation firewalls, intrusion prevention, and advanced threat protection platforms are unable to inspect packets and mitigate threats when traffic is encrypted.

To resolve this issue, organisations can deploy SSL inspection platforms to decrypt SSL traffic and forward it to third-party security devices for analysis. For outbound traffic, organisations own the end points, but not the SSL certificates and keys. Because they own the end points, they can configure the end points to trust the SSL inspection platform. This allows the SSL inspection platform to decrypt outbound traffic transparently.

Protecting corporate servers
Decrypting inbound traffic destined to internal application servers differs from decrypting outbound traffic because organisations own the SSL keys. Two main ways to decrypt inbound SSL traffic sent to internal servers are

  • Reverse proxy mode: SSL traffic is terminated on the SSL inspection devices and sent in clear text to inline or non-inline security devices. This mode is also referred to as “SSL offload.”
  • Passive non-inline or inline mode: SSL traffic is decrypted using a copy of the server SSL keys. SSL traffic is not modified by the SSL inspection platform except—potentially—to block attacks.

In reverse proxy mode, the SSL inspection platform can potentially also accelerate SSL performance and load balance servers.

In passive non-inline mode, the SSL inspection platform can be installed transparently without needing to update network settings. However, in passive non-inline mode, organisations cannot easily block attacks. Although organisations may be able to send TCP resets from non-inline devices, this is a best-effort approach and will not effectively block all attacks, including single-packet attacks.

The biggest flaw with passive mode is its lack of support for strong encryption methods like Perfect Forward Secrecy (PFS) because the SSL inspection platform does not participate actively in the SSL key negotiation.

Many organisations are transitioning to PFS for the following reasons:

Read more: ​Encrypted email firm ProtonMail stiffed after paying DDoS ransom
  • PFS ensures that if an SSL key is compromised in the future, criminals or government organisations cannot decrypt the data. Each session has its own unique key, so each individual session must be cracked—which is a nearly impossible task.
  • PFS mitigates many types of SSL vulnerabilities. For example, with the notorious Heartbleed bug, if an SSL private key is compromised, hackers cannot monitor and decrypt communications. This is because each SSL session is encrypted with a unique session key.

Leading SSL proponents like the Electronic Frontier Foundation (EFF) are urging application owners to switch to Perfect Forward Secrecy. And many organisations are heeding their call. Web properties including Dropbox, Facebook, Google, LinkedIn, Microsoft Outlook.com, Twitter, Tumblr, Yahoo and more now use PFS.

Unfortunately, organisations that deploy an SSL inspection platform that supports only passive mode will be hamstrung—unable to implement strong security ciphers like Elliptic Curve Diffie Hellman Exchange (ECDHE) without breaking their SSL decryption architecture. SSL inspection platforms deployed in passive non-inline mode are an epic security fail.

Key features to consider when evaluating an SSL inspection platform include:

  • Eliminate unwelcome production surprises by ensuring that an SSL inspection platform can handle future throughput requirements.
  • Safeguard the company from malware, Trojans and data breaches by intelligently routing traffic, supporting transparent deployment, and integrating with a variety of security solutions.
  • Minimise risk and maximise uptime, performance and overall capacity of security devices with automatic downtime detection and load balancing.

An advanced application delivery controller (ADC) will tick all these boxes, ensuring that organisations choosing the appropriate device will be able to plug SSL decryption blind spots and eliminate nightmares of epic failure.

1 Sandvine Global Internet Phenomena Spotlight, 2015

Join the CSO newsletter!

Error: Please check your email address.

Tags encryptedopinionSSLdata secureCSO Australiainternet traffic

More about ADCDropboxEFFElectronic Frontier FoundationFacebookGoogleMicrosoftTwitterYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Greg Barnes

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts