SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES

Transcription

1 SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES

2 Contents Introduction 3 SSL Encryption Basics 3 The Need for SSL Traffic Inspection 4 How SSL Inspection Works 4 The Upgrade from 1024 to 2048-bit SSL Certificates 4 Is It Time to Move to the Cloud for SSL Inspection? 5 How Zscaler Secures Enterprises 6 How It Works 7 For More Information 8 About Zscaler 8 Zscaler SSL Encryption and Traffic Inspection 2

3 Introduction 2048-bit SSL encryption certificates have finally arrived. The good news is that the Internet will be much more secure. The bad news is that it will require substantially more processing power from your enterprise to manage the larger encryption keys. Hopefully, your organization is already prepared for this advanced level of security. But if you are still relying on an appliance-based proxy solution, you may have found the upgrade experience to be time-consuming, complex, and expensive. Now there s a better way to provide SSL encryption and traffic inspection without the frustrations and expense of doing it on your own. SSL Encryption Basics SSL (Secure Sockets Layer) is the encryption standard used to protect Internet communications in transit. In order to keep sensitive information secure, SSL establishes an encrypted link between a Web server and a browser. When an SSL certificate is used, the information becomes unreadable to everyone except for the server the information was sent to. This protects the information from hackers and other malicious individuals. The use of SSL encryption is rapidly expanding. According to industry analysts, the volume of SSL traffic will grow from approximately 5 exabytes (or 5 billion gigabytes) of data per year today, to nearly 15 exabytes in Ten years ago, SSL certificates were used primarily for banking and other secure transactions. SSL certificates are now being used to provide full coverage across enterprise apps, Webmail, social networking sites, and all of the leading search engines. 45,000 SSL Traffic Growth Data courtesy of Sandvine* Global Internet Phenomena Report - 2H ,000 Exabytes per Year 35,000 30,000 25,000 20,000 15,000 10,000 5, Sandvine GIPR Project Coyote Point Project Zscaler SSL Encryption and Traffic Inspection 3

4 The Need for SSL Traffic Inspection In the early days of the Internet, servers were the primary target of hackers. The attacker s goal was to bypass the company firewall and then compromise key enterprise systems in the datacenter. Attacks on servers are now rare, since datacenters and consolidated servers utilize much more sophisticated security systems. The preferred attack vectors for hackers has now shifted to individuals. Mobile users access their company s resources from the Internet, from a variety of different locations, across a range of different devices. These users and their mobile devices are now the easiest way for hackers to get into the enterprise. Although SSL is a very effective protocol for securing the communication of legitimate traffic, it is important to note that malware can also be delivered over SSL. Since malicious code can hide inside SSL tunnels, enterprises need the ability to inspect all incoming SSL traffic in order to identify botnets, viruses, phishing attacks, and other potentially harmful attacks. In addition to stopping hackers, SSL inspection is also useful when an enterprise wants to know what its employees are intentionally or accidently sending out of the organization. For example, individuals who are using SSL-encrypted Yahoo mail may be exposing company passwords, personal information, or financial data. SSL inspection is also needed for compliance, to ensure that employees are not putting the organization s confidential data at risk. REMOTE HACKER PROTECTED NETWORK REMOTE USER How SSL Inspection Works In order to perform SSL inspection, users connect to the enterprise inspection appliance, where the information is de-encrypted. After the inspection is complete, the data is re-encrypted and sent on to its intended destination. The challenge for enterprises is that SSL traffic inspection requires a significant amount of computational power. Many enterprises have chosen to use Web proxy appliances for SSL inspection. But since the processes are so CPU intensive, they can significantly slow Web traffic for organizations that are unable to scale their infrastructure to meet demand. The Upgrade from 1024 to 2048-bit SSL Certificates In order to strengthen encryption standards, the Certification Authority/Browser (CA/B) Forum and the National Institute of Standards and Technology recently mandated the switch from 1024-bit RSA keys to 2048-bit RSA keys for all SSL traffic. Going from 1024-bit to 2048-bit encryption was great for security, since the longer keys are harder to compromise. But the added security boost came with a significant performance penalty. The 2048-bit security mandate resulted in an 80% drop in performance for Web servers and proxies using SSL. Zscaler SSL Encryption and Traffic Inspection 4

5 Organizations relying on appliance-based proxy solutions were faced with time-consuming and complex hardware and infrastructure upgrades in order to scale capacity for the 2048-bit keys. In addition, upgrading all of the hardware cards and accelerators required many enterprises to cycle down their hardware, taking key systems offline during critical business windows, including holiday seasons for many retailers. So what happens if an enterprise didn t upgrade to 2048-bit encryption? The browser community and OS vendors will no longer support 1024-bit certificates after the switch to 2048-bit certificates after January 1, If an enterprise still uses 1024-bit certificates, its clients and prospects will see a flood of pop ups and warnings that the site s security certificates are no longer valid. It will appear to users that the site may have been compromised, leading to decreased consumer confidence and an increase in customer support issues BIT 80 % PERFORMANCE DROP 2048 BIT ALL EXISTING 1024-BIT CERTIFICATES MUST BE REPLACED WITH 2048-BIT SSL CERTIFICATES BY DECEMBER 31, 2013 Is It Time to Move to the Cloud for SSL Inspection? If the move to 2048-bit encryption was a challenging and expensive process for your organization, take a moment to answer these questions: Can your existing proxy solution effectively secure all of your mobile users sessions, from multiple devices, and from distributed office locations? Are your cloud applications, including Office365, Box, Google Apps, etc., becoming bottlenecked by your appliance-based solution? Are you able to easily scan and inspect all of your incoming and outgoing SSL traffic? Do your appliances have enough processing power to handle the increased SSL interception demands that came with the 2048-bit certificates? Can you upgrade your appliances easily, cost effectively, without incurring any downtime for your business-critical applications? If the answer to any of these questions is no, it s time to check out the Zscaler Direct-to-Cloud Network. Zscaler SSL Encryption and Traffic Inspection 5

6 How Zscaler Secures Enterprises Zscaler s Direct-to-Cloud Network enables enterprises to route all Internet and cloud-bound traffic through a globally deployed cloud infrastructure without having to manage all of the costly hardware and software required by appliance-based proxy solutions. The Zscaler cloud service offers compelling flexibility, economics, and simplicity, without compromising the enterprise s existing security capabilities and requirements. Zscaler designed its global security cloud with ultra-fast proxies, which it makes available to its customers on-demand. In addition, Zscaler has already completed its transparent migration of its worldwide cloud infrastructure to enable 2048-bit SSL traffic inspection, upgrading its SSL processing capacity by over 2,500 percent. Zscaler provides secure access to leading cloud, mobile, and social applications from the cloud. Zscaler SSL Encryption and Traffic Inspection 6

7 How It Works Getting started with the Zscaler Direct-to-Cloud Network is fast and simple. The enterprise s network administrator sets up policy and launches it on the Zscaler cloud through a simple yet comprehensive web interface. The policies are made available instantly across Zscaler s global network. All cloud and Internet-bound traffic is then forwarded to Zscaler s cloud network where the policies are applied. Once the cloud and Internet is accessed, the Zscaler network scans all traffic for threats and protects business networks from malicious intent. All traffic that is determined to be safe goes through quickly to its destination. Any traffic that is denied will return a notice of denial to the user. And finally, the Zscaler Direct-to-Cloud Network provides instant access to executive summaries and drill-down information for detailed investigations and reviews. REGIONAL OFFICE REMOTE OFFICE HOME OFFICE INTERNET ENFORCE POLICE BI-DIRECTIONALLY SAME POLICY FOR MOBILE USERS FORWARD TRAFFIC ADMINISTRATOR REAL-TIME VISIBILITY DEFINE POLICY AT A CENTRAL PORTAL HEADQUARTERS ON-THE-GO USERS Zscaler SSL Encryption and Traffic Inspection 7

8 For More Information Zscaler Direct-to-Cloud Network is the ideal solution for organizations that find themselves challenged by the inadequacy of their appliance-based security solutions and the transition to SSL 2048-bit encryption. For more information on the Zscaler Direct-to-Cloud Network, contact your Zscaler representative for a demonstration, or visit us at About Zscaler Zscaler is transforming enterprise networking and security with the world s largest Direct-to-Cloud Network, which securely enables the productivity benefits of cloud, mobile and social technologies without the cost and complexity of traditional on-premise appliances and software. The Zscaler Direct-to-Cloud Network processes daily more than 12 billion transactions from more than 12 million users in 180 countries across 100 global data centers with near-zero latency. Learn why more than 4,500 global enterprises choose Zscaler CONTACT US Zscaler, Inc. 110 Baytech Drive, Suite 100 San Jose, CA 95134, USA FOLLOW US facebook.com/zscaler linkedin.com/groups/zscaler twitter.com/zscaler youtube.com/zscaler blog.zscaler.com Zscaler, and the Zscaler Logo are trademarks of Zscaler, Inc. in the United States. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners