How to uncover the hidden threats in encrypted traffic

More and more cyber-criminals are tunnelling attacks in SSL encryption to evade detection by firewalls and other security products. SSL represents not just a chink in enterprises’ armour, but an enormous crater that malicious actors can exploit.

SSL is a standard security technology for establishing an encrypted link between a server and a client—typically a web server and a browser, or a mail server and a mail client.

To prevent attacks, intrusions and malware, enterprises need to inspect incoming and
outgoing traffic for threats. Today SSL accounts for 25 to 35 percent of all Internet traffic. But increasingly, attackers are turning to encryption to evade detection.

Cyber-criminals use SSL to expose a blind spot in corporate defences. Organisations rely on a dizzying array of security products to inspect traffic, block intrusions, stop malware and control which applications users can access. To keep users safe, these products must inspect all communications, not just clear-text traffic.

Unfortunately, many firewalls, intrusion prevention and threat prevention products can’t keep pace with growing SSL encryption demands. The transition from 1024- to 2048-bit SSL keys, spurred on by NIST Special Publication 800-131A, has burdened security devices because 2048-bit certificates require approximately 6.3 times more processing power to decrypt than 1024-bit certificates.

With SSL certificate key lengths continuing to increase, and 4096-bit key lengths accounting for 20 per cent of all certificates for one certificate authority – many security devices are collapsing under these increased decryption demands.

In its report, SSL Performance Problems, NSS Labs found that eight leading next-generation firewall vendors experienced significant performance degradation when decrypting 2048-bit encrypted traffic. NSS asserted that it had “concerns for the viability of SSL inspection in enterprise networks without the use of dedicated SSL decryption devices.”

As organisations move key applications like email, CRM, business intelligence and file storage to the cloud, they need to monitor and protect these applications just as they would internally-hosted applications. Many of these cloud-based applications use SSL, exposing gaping holes in organisations’ defences.

For end-to-end security, organisations need to inspect outbound SSL traffic originating from internal users, as well as inbound SSL traffic originating from external users to corporate-owned application servers, in order to eliminate the blind spot in corporate defences.

ADCs to the rescue

Advanced Application Delivery Controllers (ADCs) not only load balance traffic, but they can also eliminate the blind spot imposed by SSL encryption. ADCs can offload CPU-intensive SSL decryption functions and enable security devices to inspect all traffic – not just clear text. Such ADCs decrypt SSL-encrypted traffic and forward it to a third-party security device like a firewall for deep packet inspection (DPI). Once the traffic has been analysed and scrubbed, the ADC re-encrypts it and forwards it to the intended destination.

While dedicated security devices provide in-depth inspection and analysis of network traffic, they are rarely designed to encrypt SSL traffic at high speeds. Some cannot decrypt SSL traffic at all. SSL inspection technology, included standard with certain ADCs, offloads CPU-intensive encryption and decryption tasks from dedicated security devices, boosting application performance.

The ADC functions as an SSL forward or a transparent proxy to intercept SSL traffic. Organisations can simply deploy appropriate ADC appliances to safeguard their communications efficiently.

In addition to inline deployment, organisations can deploy security devices, such as intrusion detection systems and forensics tools, in passive mode.  In passive mode, such a security device can easily be integrated into a production environment without requiring network changes or introducing a single point of failure in the network. Non-inline deployment is ideal for security devices that inspect, alert and report on events rather than actively block attacks.

With an ADC, organisations can achieve high performance with SSL acceleration hardware, scale security with load balancing, reduce load on security infrastructure by controlling which types of traffic to decrypt, and granularly control traffic. An ADC can also selectively bypass sensitive web applications, like banking and healthcare sites

Single point for decryption and analysis

Organisations often deploy multiple security solutions to analyse and filter application traffic. An ADC offers a centralised point to decrypt SSL traffic and send it in clear text to a myriad of devices, eliminating the need to decrypt traffic multiple times. An ADC can also interoperate with firewalls, intrusion prevention systems (IPS), data loss prevention (DLP) products, threat prevention platforms, and other security tools, providing visibility to a wide range of network security devices.

Read more: Microsoft confirms HTTP Strict Transport Security for IE 12

Many security devices are not designed for inline deployment or for high-speed SSL decryption. An ADC can enables these devices to inspect SSL-encrypted data without burdening the devices with computationally intensive SSL processing.

Features to consider for SSL inspection

To streamline and automate management, choose an ADC that includes an industry standard CLI, a web user interface, and a RESTful API which can integrate with third party or custom management consoles. For larger deployments, a centralised management system will ensure that routine tasks can be performed at scale across multiple appliances, regardless of physical location.

Since not all ADCs are equal, it is essential to select one that will eliminate the blind spot in corporate defences by decrypting SSL traffic at high speeds; prevent costly data breaches and loss of intellectual property by detecting advanced threats; maximise uptime by load-balancing multiple third-party security appliances; and scale performance and throughput to counter cyber attacks.

Read more: Comodo hacker claims Dutch SSL attack

Greg Barnes is the ANZ Managing Director, A10 Networks  

Upcoming IT Security Events

March 3rd, March 5th, March 9th 2015

Join CSO for the day@#csoperspectives and hear from @kimzetter @LeviathanSec

3 International Keynote speakers, 36 Key IT Security Industry Speaker, 21 Exhibitors, Security Analysts and many more.. Register today

Dont miss one of the biggest IT Security events in ANZ (registration is free, but seats are limited)

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags cyber-criminalsSSL encryptionintrusion preventionencrypted trafficAdvanced Application Delivery Controllers (ADCs)

More about A10 NetworksADCAdvancedCSODLPDPIIPSIT Security

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Greg Barnes

Latest Videos

More videos

Blog Posts