Six Features to Consider When Evaluating SSL/TLS Inspection Solutions
By Babur Khan, Technical Marketing Engineer, A10 Networks
Encrypted traffic accounts for a large and growing percentage of all internet traffic. While the adoption of Secure Sockets Layer (SSL), and its successor, Transport Layer Security (TLS), should be cause for celebration – as encryption improves confidentiality and message integrity – these protocols also put your organization at risk as they create encrypted blind spots that hackers can use to conceal their exploits from security devices that are unable to inspect SSL/TLS traffic.
The threat of SSL/TLS blind spots is a serious one. According to a Ponemon survey, legacy security infrastructure is not built to take care of these evolved, hidden attacks, and almost two out of three organizations are not able to decrypt and inspect their SSL/TLS traffic.
To stop cyberattacks, you need to gain insight into encrypted data; to gain insight into encrypted data, you need a dedicated security platform that can decrypt SSL/TLS traffic and send it to the security stack for inspection in cleartext. This paper describes six features to consider when evaluating an SSL/TLS inspection platform. With this information, you will be able to easily define evaluation criteria and avoid common deployment pitfalls.
The current state of insecurity
Worldwide spending on information security will exceed a staggering $124 billion in 2019 as organizations stack up security products around their network perimeters. Unfortunately, as SSL traffic increases, our collective $124+ billion investment in security is falling far short of protecting all our digital assets.
Attackers are wising up and taking advantage of this gap in corporate defenses. In fact, as much as 70% of cyberattacks will use encryption as part of their delivery mechanisms by 2019. As a result, companies that do not inspect SSL communications are providing an open door for attackers to infiltrate defenses and steal data.
Cybercriminals can use encryption to hide the delivery of malware as well as the extraction of data, which leaves legacy security devices blind to data breaches. Such breaches can have a disastrous impact on your company’s reputation and brand, and you could be subject to disciplinary action and fines. For instance, over 200,000 computers worldwide were affected by last year’s WannaCry ransomware attack most notably, Britain’s National Health Service (NHS), causing serious disruptions in the delivery of health services across that nation. To prevent cyberattacks, enterprises need to inspect all traffic and encrypted traffic in particular, for advanced threats such as WannaCry.
Existing security solutions can’t hack it
While some security solutions can decrypt SSL/TLS traffic, many are collapsing under growing SSL/TLS bandwidth demands and SSL key lengths. Today, the use of 2048-bit SSL keys has become common, and the impact is startling.
NSS Labs looked at how decryption impacts performance in its 2018 SSL/TLS Performance Tests. They measured product performance with a Next-Generation Firewall (NGFW) with decryption turned on versus turned off and found significant performance degradation and increased latency in the tested products.
- A 92% drop in the average connection rate. Connection degradation ranged from 84% to 99%.5
- An increase in latency in the average application response time of 672%. Latency ranged from 99% to 2,910%.
- A 60% drop in the average throughput. Throughput degradation ranged from 13% to 95%.
The importance of being earnest…when evaluating SSL/TLS inspection platforms
To eliminate the SSL/TLS blind spot in corporate defenses, you should provide a solution that can decrypt SSL/TLS traffic and enable all security products that analyze network traffic to inspect the encrypted data. You must carefully evaluate all the features and performance of your SSL/TLS inspection platform before selecting a solution. If you deploy an SSL/TLS inspection platform in haste, you might be blindsided later by escalating SSL bandwidth requirements, deployment demands or regulatory implications.
SSL traffic is growing, and it will continue to increase in the foreseeable future due to concerns about privacy and government snooping. Many leading websites today, including Google, Facebook, Twitter, and LinkedIn encrypt application traffic. With SSL traffic accounting for a growing percentage of all internet traffic, you should factor in performance needs and future bandwidth usage when evaluating an SSL inspection solution. However, you should also make sure that your proposed architecture will comply with regulatory requirements such as the European Union’s (EU’s) General Data Protection Regulation (GDPR) or healthcare’s Health Insurance Portability and Accountability Act (HIPAA).
Six features to consider when selecting an SSL/TLS inspection platform
Because SSL/TLS inspection potentially touches so many different security products from firewalls and intrusion prevention systems (IPS) to data loss prevention (DLP), forensics, advanced threat prevention (ATP), and more, you should develop a list of criteria and evaluate SSL/TLS inspection platforms against these criteria before selecting a solution. An SSL/TLS inspection platform should:
- Meet current and future SSL/TLS performance demands
Performance is one of the most important evaluation criteria for an SSL/TLS inspection platform. You need to assess current internet bandwidth requirements and ensure the inspection platform can also handle future SSL throughput requirements.
- Satisfy compliance requirements
Privacy and regulatory concerns have emerged as one of the top hurdles preventing some organizations from inspecting SSL traffic. While your security team may have deployed a wide array of products to detect attacks, data leaks, and malware, and rightfully, so you have to walk a thin line between protecting your company’s intellectual property without violating employees’ privacy rights.
Companies that don’t comply with these regulatory rules can be subject to hefty fines and lawsuits. In a study by the Ponemon Institute, 36% of surveyed companies said compliance/regulatory failure was a major factor in justifying the funding of their organizations’ IT security budget. Forrester Research also recently reported that as many as “80% of companies will fail to comply with GDPR”
To address regulatory requirements like GDPR, HIPAA, Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI DSS), and Sarbanes-Oxley (SOX), an SSL/TLS inspection platform should be able to bypass sensitive traffic, such as traffic to banking and healthcare sites. Once sensitive traffic is bypassed, you can rest easy knowing that confidential banking or healthcare records will not be sent to security devices or stored in log management systems.
- Support heterogeneous networks with diverse deployment and security requirements
You have to contend with a wide array of security threats from external actors as well as potential malicious insiders. Therefore, to safeguard digital assets, you need to deploy an ever-increasing number of security products to stop intrusions, attacks, data loss, malware, and more.
Some of these security products are deployed inline, while others are deployed non-inline as passive network monitors. Some analyze all network traffic, while others focus on specific applications, like web or email.
However, virtually all of these products need to examine traffic in clear text in order to pinpoint illicit activity. Recently, though, the rise in SaaS adoption has caused many applications to move to the cloud. Productivity and storage applications like Office 365, Box, Dropbox, G Suite, etc., are commonly used by many companies. However, many of these applications have their own security stacks in the cloud and, in the interest of better user experience, SaaS vendors generally recommend bypassing on-premise security stacks.
You will need the flexibility to deploy best-of-breed security products from multiple vendors to prevent getting locked into a single vendor solution. The security landscape constantly evolves to combat emerging threats, and in one or two years, your company may want to provision new security products; your SSL/TLS inspection platform needs to be able to interoperate with these new products. An inspection platform that supports flexible deployment, traffic steering, and granular traffic controls will be able to provide a wide range of security solutions into the future.
- Maximize the uptime and the overall capacity of your security infrastructure
Security infrastructure blocks cyberattacks and prevents data exfiltration. If your security infrastructure fails, threats may go undetected and your company may be unable to perform business-critical tasks, resulting in loss of revenue and brand damage.
Most firewalls today can granularly control access to applications and detect intrusions and malware. Unfortunately, analyzing network traffic for threats is a resource-intensive task. While firewalls have increased their capacity over time, they often cannot keep up with network demand, especially when multiple security features like IPS, URL filtering, and virus inspection are enabled. Therefore, your SSL/TLS inspection platform should not just offload SSL processing from security devices but should maximize the uptime and performance of these devices.
When evaluating an SSL/TLS inspection platform, look for a platform that can:
- Scale security deployments with load balancing.
- Avoid network downtime by detecting and routing around failed security devices.
- Support advanced health monitoring to rapidly identify network or application errors.
- Provide better value by supporting N+1 redundancy rather than just 1+1 redundancy.
Your SSL/TLS inspection platform should not be another point product and should not introduce risk to your network. Instead, it should lower risk by maximizing the availability and the overall capacity of your security infrastructure. Only then can the full potential of your SSL/TLS inspection platform be unlocked.
- Securely manage SSL certificates and keys
When providing visibility to SSL traffic, your SSL/TLS inspection solution must securely manage SSL certificates and keys. SSL certificates and keys form the basis of trust for encrypted communications. If they are compromised, attackers can use them for snooping on encrypted traffic and stealing data.
To ensure certificates are stored and administered securely, look for an SSL/TLS inspection platform that:
- Provides device-level controls to protect SSL keys and certificates.
- Integrates with third-party SSL certificate management solutions to discover, catalog, track and centrally control certificates.
- Supports FIPS 140-2 Level 2 and Level 3 certified equipment and Hardware Security Modules (HSMs) that can detect physical tampering and safeguard cryptographic keys.
- Simply and easily deploy and manage your enterprise security solution
When investing in either a firewall or a decryption solution, two of the biggest problems are the complexity and the lack of rich usable analytics. A solution that can be easily deployed allows your organization to become operational and prevent hidden threats as soon as possible. Unfortunately, most decryption solutions are too complex to be deployed easily. If your solution is deployed quickly, usually after paying hefty professional services fees, more problems can emerge; are the analytics provided with the solution humanly consumable and useful? Is the solution providing any usable insights?
When managing encrypted traffic, rich analytics with data delivered in an easy-to-consume format is critical in order to free up valuable human analysts to make effective and informed decisions. The real-time analysis provides deep insights into anomalies and threats in encrypted traffic, so adaptive controls and policy updates can be set through behavior analysis. Products from partners like Splunk may be deployed in your security network to capture insights into the traffic flowing through network devices.
Furthermore, as your organization grows and spreads to multiple, geographically-distributed deployments, a ‘single pane of glass’ solution becomes necessary to provide management and analytics available at a single centralized location. Simplicity becomes a must.
When choosing an SSL/TLS inspection solution, look for a platform that:
- It is easy to use and can be deployed in minutes.
- Ensures the application of security best practices, reducing human errors introduced during deployment.
- Provides detailed real-time analytics that will help in advanced troubleshooting.
- Enables troubleshooting of issues that you might have with the platform itself, with ease.
- Provides customizable dashboards that deliver tailored statistics widgets.
- It provides a centralized management option to support your organization as it grows, allowing all your geographically distributed deployments to be managed and analyzed from a central location.
As privacy concerns are propelling SSL/TLS usage, you face increased pressure to encrypt application traffic and keep data safe from hackers and foreign governments. In addition, because search engines such as Google rank HTTPS websites higher than standard websites, application owners are clamoring to encrypt traffic. At the same time, you face threats like cyberattacks and malware that can use encryption to bypass corporate defenses.
With SSL accounting for nearly 85% of enterprise traffic in North America and more applications supporting bigger keys and complex ciphers like ECC for PFS, you can no longer avoid the cryptographic elephant in the room. If you wish to prevent devastating data breaches, you must gain insight into your SSL/TLS traffic. Since legacy firewalls are inefficient at decrypting and inspecting traffic simultaneously, creating bottlenecks in your network, a dedicated SSL/TLS inspection platform that will support your existing security infrastructure is necessary.
Before provisioning an SSL/TLS inspection solution, consider criteria like performance, flexibility, analytics, ease-of-use, and secure key management, which are critical to your organization’s success. Armed with this information, you can make a well-informed decision and avoid the deployment pitfalls that SSL/TLS inspection can potentially expose.
About the Author
Babur Nawaz Khan is a technical marketing engineer at A10 Networks. He primarily focuses on the company’s enterprise security solutions, including Thunder® SSL Insight for TLS inspection and Cloud Access Proxy, which is a SaaS access security and optimization solution. Prior to his current role, he was a member of A10 Networks’ corporate systems engineering team, working on application delivery controllers. Khan holds a master’s degree in computer science from the University of Maryland, Baltimore County. Babur can be reached online at our company website http://www.a10networks.com