Protecting Your Network Against Risky SSL Traffic ABSTRACT

Transcription

1 Protecting Your Network Against Risky SSL Traffic ABSTRACT Every day more and more Web traffic traverses the Internet in a form that is illegible to eavesdroppers. This traffic is encrypted with Secure Socket Layer (SSL), a transport layer encryption protocol that protects data against unauthorised access. In this manner, the financial information submitted during an online banking session is protected as it is sent from the user s client to the bank s server. However, not all of the content that s encrypted with SSL is benign. The content may be illegal, inappropriate or infected with malware and other threats that can harm the organisation s network, and without visibility into SSL-encrypted traffic, how can you protect the network against these threats? The purpose of this white paper is to help you understand the threats associated with SSL traffic and how to protect your network against them using Web content filtering.

2 INTRODUCTION Every day more and more Web traffic traverses the Internet in a form that is illegible to eavesdroppers. This traffic is encrypted with Secure Socket Layer (SSL), a transport layer encryption protocol that protects data against unauthorised access. In this manner, the financial information submitted during an online banking session is protected as it is sent from the user s client to the bank s server. But this is just one example. According to Palo Alto Networks Application Usage and Risk Report, more than 40% of the 1,042 applications that were identified on enterprise networks in the study can use SSL or hop ports 1. In most organisations, traffic flowing through network port 443 the designated port for SSL traffic passes freely in and out of the network. The IT organisation lacks the ability to inspect and control SSL-encrypted traffic. And this is a problem. Not all of the content that s encrypted with SSL is benign. The content may be illegal, inappropriate or infected with malware and other threats that can harm the organisation s network. Without visibility into SSL-encrypted traffic, IT lacks the ability to protect the network against these threats. And while SSL-encrypted traffic is increasing, so are the threats it is transmitting. The purpose of this white paper is to help you understand the threats associated with SSL traffic and how to protect your network against them using Web content filtering. UPTAKE IN SSL TRAFFIC SSL offers a significant benefit to Web users and developers: it is a simple way to authenticate Web sites and Web servers, and protect sensitive data. As a result, SSL has made it safe for Web users to buy merchandise, file tax returns, pay bills, view medical records, order prescriptions, renew a driver s license and more all from the comforts of home or office desk. As we become more aware of the security risks involved in sending sensitive data online, be it intellectual property or personal information, we are becoming increasingly dependent upon SSL to provide protection. Thus, SSL traffic is increasing faster than ever before. Perhaps the most notable contributor to SSL traffic is cloud computing services. Public cloud service providers such as Salesforce.com and Google Apps use SSL to encrypt traffic as it travels to and from their servers in the cloud. Thus, corporate assets are protected as they are sent over the public network to and from these applications. We are not here to discuss the merits of cloud computing, but one thing is certain: its growth and thereby the increase in SSL traffic has no end in sight. More recently, security researchers have discovered that intermittent use of SSL to, for example, encrypt the authentication process when a user logs in to a Web site, but not to encrypt subsequent pages rendered during the user s session, leaves the user and network vulnerable to Web threats. This has led to the rise of Always On SSL and therefore an increase in SSL traffic. The idea behind Always On SSL is that SSL is used across an entire Web site so that users and networks are protected during the entire course of the visit. The Online Trust Alliance 2 has asked security, business and interactive advertising communities to adopt Always On SSL, and many are doing so. Twitter offers Always On SSL, as well as Google and Firefox (through an extension to the Firefox browser). Enterprises themselves are also adding to the amount of SSL traffic traversing the Web. SSL offers an easy way to encrypt traffic leaving the network to provide data security between remote locations, remote workers and mobile devices. Some enterprises use SSL to protect sensitive information even if it is staying on the corporate network. For example, it might be used to protect personally identifiable information sent between human resources and other departments. THREATS ASSOCIATED WITH SSL Ironically, even as we grow more and more dependent on SSL for protection, it is capable of harboring threats that put corporate networks at risk. Just as SSL hides sensitive data from the bad guys, it can also hide bad stuff from the good guys; i.e., your IT organisation. SSL can be used to hide malwareinfected Web pages, inappropriate content (like gambling sites and pornography), and non-business content (like Facebook and Twitter) all of which threaten employee productivity and impact your bottom line. Let s take a closer look at each of these threats. Of the Web sites that are used to spread malware or launch attacks against users, 90% are legitimate 3.

3 That means hackers are taking known and trusted Web sites, like your users favourite e-commerce sites, for example, and exploiting vulnerability within the code to infect the sites with malware. The malware infections are then hidden from security controls on the user s computing device and the corporate network because the Web page is encrypted with SSL. This is low-hanging fruit for hackers. Users already trust these sites because they have a relationship with the bank or retailer, and their data is being transmitted with the protection of SSL. What s not to trust? But the malware poses a significant risk to your users, their endpoint devices, your network and in extreme circumstances the reputation of your organisation. For example, spyware is a class of malware that self-installs on a computer without the user s knowledge. Spyware can infect a system through security holes in a Web browser. Once on the user s computer, it then collects sensitive information, such as the user s browsing habits, logins and passwords. This information is sent back to a hacker s server and can be encrypted with SSL as well so that it passes through the corporate network undetected. Phishing attacks are similar in that they collect the user s sensitive information and send the encrypted data to the hacker s server. However, in this case, users willingly divulge sensitive information. Phishing attacks often come in the form of a legitimate-looking or Web page from an online entity with whom the user does business. For example, it might be an seemingly from an online auction service prompting the user to login and update his/her credit card information. When the user submits the sensitive financial information, it is actually sent to the hacker not the business the message purported to be from. SSL can also be used to hide content that users have no need for in the workplace. Individual social media sites like Facebook and Twitter, for example, offer users the option to select Always On SSL. Web-based services such as Yahoo and Gmail also employ SSL. These Web sites pose a threat to employee productivity. Independent studies show that on average the standard employee wastes more than 2 hours per day browsing non-business related Web sites 4. At the end of a week, your organisation has paid each employee a full day s salary to surf the Web. There are other sites which are not only a misuse of resources for personal purposes, but that are completely inappropriate for the workplace or education establishment. Gambling, pornography, and discriminatory sites have no place and in fact, they can put your business at risk of legal action. This is because you may be liable for the information that enters and resides on your network and many of these sites may use SSL to bypass traditional security controls. Even those sites that don t directly use SSL can be accessed in a manner that allows them to go through network gateways undetected. SSL anonymous proxies allow users to surf the Web for content that is prohibited by your acceptable use policies. SSL proxies such as Ultrasurf and Hotspot Shield (which are free to download) allow users to launch a client that establishes a secure VPN tunnel, thereby allowing users to bypass Web filters. These are similar to the tried-and-true anonymous proxies that users (and in particular students) have been using for years. But now users are browsing the Web over a secure connection where the traffic is being encrypted. THE PROBLEM: PAST SOLUTIONS DON T WORK As previously mentioned, SSL traffic freely passes through network gateways and past security controls. And that s the problem. Intrusion-detection systems, intrusion-prevention systems even traditional Web filters do not decrypt SSL traffic. If the traffic is not decrypted then it cannot be scanned for malware or to determine whether it complies with acceptable use policies. You might consider adding SSL proxies and SSL-encrypted Web sites to a Web filter database. But traditional Web content filters that rely on a database alone simply don t work. They are rendered ineffective due to the sheer size of the Web. Consider the largest Web filtering database available today. The vendor boasts that it has 180 million URLs classified in its database. The last effective count at the time of this writing undertaken by Google puts the number of URLs on the Web as at least 1.3 trillion 5. That Web filtering database contains less than 1% of the web s URLs. It simply can t keep up. Another issue for Web filter databases is the dynamic nature of Web content. You can t rely on content to remain nstant from one point of access to the next. Clearly, it s time to look for a new solution to Web content filtering; one that can not only keep up with the ever growing body of Web content, but one that can also mitigate the threats posed by encrypted traffic.

4 A WEB CONTENT FILTER FOR THE 21ST CENTURY An effective Web filter doesn t depend solely on a URL database to protect users and corporate networks. Today s Web filters use advanced text analysis and classification technology to categorise content in real time before it s allowed or denied. In this manner, the Web filter doesn t have to keep up with every new URL that goes live on the Web. Some Web filters also decrypt SSL traffic so that malware and inappropriate content can be blocked before it hits the network. As you begin evaluating Web content filters, there are several factors to consider. To begin with, look for a solution that offers a multi-tiered approach to Web filtering that includes real-time analysis and categorisation of content. This is the only way to make sure that you know what content is entering the network. At the same time, an optimised URL database of the most frequently accessed URLs can help to enhance the overall performance of the solution. An enterprise grade Anti-malware solution incorporated in the solution is also beneficial, as it will help minimise the volume of endpoint infection. Of course, you also want to look for a Web filter that offers ease-of-management features. These include the ability to allow or deny traffic to groups of users, the ability to delegate administration to other IT personnel, a built-in Web reporting application that displays information in a clear and concise way, and the ability to access detailed logs. This last point is especially important for forensics. Some Web filters are not accurate enough to show what users have attempted to access. Look for a Web filter that logs what content users have attempted to access, what they successfully accessed, the IP address they accessed it from and the date and time of access. All of this detail is necessary to paint an accurate picture of the user s actions. CONCLUSION The same protocol organisations and users trust to protect sensitive and confidential information has been embraced by hackers to get around traditional security controls. Allowing SSL traffic in and out of the network without inspection puts users, the network and your business at risk. And with the advent of cloud computing, Always On SSL and anonymous proxies the amount of encrypted Web traffic grows by the day. Manual categorisation of Web pages is no longer enough to effectively manage the risks these developments pose. Instead, organisations require a solution which can provide genuine real-time categorisation of requested pages, offering IT departments the reassurance they need that their network is secure. 1 Palo Alto Networks, Application Usage and Risk Report (8th Edition, December 2011). 2 Online Alliance Trust, Always On SSL Threats. 3 Symantec, Web Threats 2010: The Risks Ramp Up America Online and Salary.com Survey, 5

5 ABOUT BLOXX Bloxx provides Web and filtering solutions to thousands of organisations around the globe. We have an in-depth understanding of the unique challenges faced by educational establishments. Bloxx uses unique patented Tru-View Technology (TVT) to analyse and accurately categorise webpages being requested in real-time. With unsurpassed flexibility in deployment, Bloxx Web filtering lets you quickly and effectively roll out 1-to-1 learning programmes and easily manage BYOD Web traffic. Available as hardware and virtual appliances, Bloxx filtering easily scales to meet your current and future requirements and our dedicated web reporting appliances ensure you can store years of traffic logs. In addition, our unique approach to licensing lets you decide the most cost-effective approach for your deployment which means you don t end up paying for expensive licenses you don t actually need. To find out more about Bloxx content filtering and security, info@bloxx.com, visit com, or chat to us on Twitter or Linkedin. t. +44 (0) e. info@bloxx.com w. Copyright 2015 Bloxx Ltd. All rights reserved. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Bloxx. Specifications are subject to change without notice.