Uncover Threats in SSL Traffic: The Ultimate Guide to SSL Inspection WHITE PAPER



Similar documents
Load Balancing Security Gateways WHITE PAPER

Healthcare Security and HIPAA Compliance with A10

PCI DSS and the A10 Solution

SSL Insight Certificate Installation Guide

White Paper A10 Thunder and AX Series Load Balancing Security Gateways

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

Setting Up a Kerberos Relay for the Microsoft Exchange 2013 Server DEPLOYMENT GUIDE

A10 ADC Return On Investment

A10 Thunder and AX Series

AAM Kerberos Relay Integration with SharePoint

Leveraging Symantec CIC and A10 Thunder ADC to Simplify Certificate Management

VALIDATING DDoS THREAT PROTECTION

Advanced Core Operating System (ACOS): Experience the Performance

VMware View 5.0 and Horizon View 6.0 DEPLOYMENT GUIDE

APPLICATION ACCESS MANAGEMENT (AAM) Augment, Offload and Consolidate Access Control

A10 Networks LBaaS Driver for Thunder and AX Series Appliances

SSL Performance Problems

Content-ID. Content-ID URLS THREATS DATA

PCI DSS and the A10 Solution

Avoid Microsoft Lync Deployment Pitfalls with A10 Thunder ADC

White Paper A10 Thunder and AX Series Application Delivery Controllers and the A10 Advantage

The Benefits of SSL Content Inspection ABSTRACT

A10 Device Package for Cisco Application Centric Infrastructure (ACI)

Achieve Deeper Network Security and Application Control

Achieve Single Sign-on (SSO) for Microsoft ADFS

A Modern Framework for Network Security in the Federal Government

Executive Brief on Enterprise Next-Generation Firewalls

Websense Web Security Solutions. Websense Web Security Gateway Websense Web Security Websense Web Filter Websense Hosted Web Security

Thunder ADC for Epic Systems

IBM Security Network Protection

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency.

Networking for Caribbean Development

Websense Web Security Solutions. Websense Web Security Gateway Websense Web Security Websense Web Filter Websense Express Websense Hosted Web Security

Defending Against Cyber Attacks with SessionLevel Network Security

How To Sell Security Products To A Network Security Company

SSL ACCELERATION DEPLOYMENT STRATEGIES FOR ENTERPRISE SECURITY

How To Buy Nitro Security

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Deploying Firewalls Throughout Your Organization

Next-Generation Firewalls: Critical to SMB Network Security

The Cisco ASA 5500 as a Superior Firewall Solution

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

IBM Security Intrusion Prevention Solutions

V1.4. Spambrella Continuity SaaS. August 2

Thunder Series for SAP BusinessObjects (BOE)

Microsoft Exchange 2016 DEPLOYMENT GUIDE

Achieve Deeper Network Security

Brocade Network Monitoring Service (NMS) Helps Maximize Network Uptime and Efficiency

Stop advanced targeted attacks, identify high risk users and control Insider Threats

ENABLING FAST RESPONSES THREAT MONITORING

BlackRidge Technology Transport Access Control: Overview

How Traditional Firewalls Fail Today s Networks And Why Next-Generation Firewalls Will Prevail

Whitepaper SSL Decryption: Uncovering The New Infrastructure Blind Spot

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

HTTPS Inspection with Cisco CWS

Enabling Business Beyond the Corporate Network. Secure solutions for mobility, cloud and social media

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

Websense Web Security Solutions

SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES

Netsweeper Whitepaper

Securing the Intelligent Network

Cloud Security Primer MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU OVERLOOKING?

Securing the Borderless Enterprise

How To Protect A Web Application From Attack From A Trusted Environment

How To Control Your Network With A Firewall On A Network With An Internet Security Policy On A Pc Or Ipad (For A Web Browser)

Inspection of Encrypted HTTPS Traffic

Filling the Threat Management Gateway Void with F5

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Evaluation Guide. eprism Messaging Security Suite V8.200

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Solution Brief. Secure and Assured Networking for Financial Services

Comprehensive real-time protection against Advanced Threats and data theft

10 easy steps to secure your retail network

WHITE PAPER. Data Centers in the Crosshairs: Today s Most Dangerous Security Threats

Trend Micro Cloud Security for Citrix CloudPlatform

Lab Testing Summary Report

UTM-Enabled Network Protection

WEBSENSE TRITON SOLUTIONS

Security Overview and Cisco ACE Replacement

Guideline on Firewall

Thunder ADC: 10 Reasons to Select A10 WHITE PAPER

WHAT S NEW IN WEBSENSE TRITON RELEASE 7.8

HOSTING. Managed Security Solutions. Managed Security. ECSC Solutions

TRITON APX. Websense TRITON APX

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Trend Micro InterScan Web Security and Citrix NetScaler SDX Platform Overview

SiteCelerate white paper

Installation and configuration guide

EXTENDING THREAT PROTECTION AND CONTROL TO MOBILE WORKERS

Network Security Forensics

SSL Insight and Cisco FirePOWER Deployment Guide DEPLOYMENT GUIDE

Fight Malware, Malfeasance, and Malingering with F5

Sophistication of attacks will keep improving, especially APT and zero-day exploits

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Next Gen Firewall and UTM Buyers Guide

Features of a comprehensive application security solution

The Application Front End Understanding Next-Generation Load Balancing Appliances

Transcription:

Uncover Threats in SSL Traffic: The Ultimate Guide to SSL Inspection WHITE PAPER

Table of Contents Executive Summary... 3 The Current State of Insecurity... 3 Existing Security Solutions Can t Hack It... 3 The Importance of Being Earnest When Evaluating SSL Inspection Platforms... 3 5 Features to Consider When Selecting an SSL Inspection Platform... 4 Conclusion... 6 Learn More... 6 About A10 Networks... 7 Disclaimer This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided as-is. The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks products and services are subject to A10 Networks standard terms and conditions. 2

Executive Summary Encrypted traffic accounts for a large and growing percentage of all network traffic. While the adoption of SSL, and its successor, Transport Layer Security (TLS), should be cause for celebration as encryption improves confidentiality and message integrity it also puts organizations at risk. This is because hackers can leverage encryption to conceal their exploits from security devices that do not inspect SSL traffic. How serious is the threat? According to a recent Gartner survey, less than 20% of organizations with a firewall, an intrusion prevention system (IPS) or a unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic. 1 This means that hackers can evade over 80% of companies network defenses simply by tunneling attacks in encrypted traffic. Gartner believes that, in 2017, more than half of the network attacks targeting enterprises will use encrypted traffic to bypass controls, up from less than 5%. 4 To stop cyber attacks, organizations must gain insight into encrypted data, and to do this, they need a dedicated security platform that can decrypt inbound and outbound SSL traffic. This paper describes five features that organizations should consider when evaluating SSL inspection platforms, enabling IT security teams to rapidly define evaluation criteria and avoid common deployment pitfalls. The Current State of Insecurity Worldwide spending on information security will reach a staggering $71.1 billion in 2014 2, as organizations stack up firewalls around their network perimeters and inspect incoming and outgoing traffic with an array of security products. Unfortunately, as SSL traffic increases, our collective $70+ billion investment in security is falling far short of protecting digital assets. Attackers are wising up and taking advantage of this gap in corporate defenses. In fact, researchers at Gartner predict that in 2017, more than half of the network attacks targeting enterprises will use encrypted traffic to bypass controls, up from less than 5%. 3 As a result, organizations that do not inspect SSL communications are providing an open door for attackers to infiltrate defenses and steal data. To prevent cyber attacks, enterprises need to inspect all traffic, and in particular encrypted traffic, for advanced threats. Existing Security Solutions Can t Hack It While some security solutions can decrypt SSL traffic, many are collapsing under growing SSL bandwidth demands and SSL key lengths. The transition from 1024- to 2048-bit SSL key lengths was triggered by NIST publication 800-131A, and the impact is startling. Analysis by NSS Labs reveals that decrypting traffic with 2048-bit SSL ciphers caused a mean average of 81% in performance loss 5 for seven leading next-generation firewalls. If organizations wish to repurpose their firewalls for SSL decryption, they must consider the performance impact on those firewalls. The Importance of Being Earnest When Evaluating SSL Inspection Platforms To eliminate the SSL blind spot in corporate defenses, organizations should provision solutions that can decrypt SSL traffic both inbound traffic to corporate servers and outbound traffic from internal users to the Internet and allow all security products that analyze network traffic to inspect encrypted data. Organizations must carefully evaluate the features and performance of SSL inspection platforms before selecting a solution. If IT security teams deploy SSL inspection platforms in haste, they might be blindsided later by escalating SSL bandwidth requirements, deployment demands or regulatory implications. SSL traffic is growing and it will continue to increase in the foreseeable future due to concerns about privacy and government snooping. Many leading websites today, including Google, Facebook, Twitter and LinkedIn, encrypt application traffic. But it s not just the web giants that are encrypting communications; 48% more of the million most popular websites used SSL in 2014 than a year earlier. 7 NSS Labs found that 2048-bit ciphers caused a mean average of 81% in performance loss across seven leading nextgeneration firewalls. 6 1 Gartner, Security Leaders Must Address Threats from Rising SSL Traffic, December 2013 2 Gartner, Forecast: Information Security, Worldwide, 2012-2018, 3Q14 Update 3 Gartner, Security Leaders Must Address Threats from Rising SSL Traffic, December 2013 4 Gartner, Security Leaders Must Address Threats from Rising SSL Traffic, December 2013 5 6 7 Netcraft, January 2014 Web Server Survey 3

With SSL traffic accounting for a growing percentage of all Internet traffic, IT security teams must factor in performance needs and future bandwidth usage when evaluating SSL inspection solutions. They should also make sure that their proposed architecture will comply with regulatory requirements like the Health Insurance Portability and Accountability Act (HIPAA). 5 Features to Consider When Selecting an SSL Inspection Platform Because SSL inspection potentially touches so many different security products from firewalls and intrusion prevent systems (IPS) to data loss prevention (DLP), forensics, advanced threat prevention and more organizations must develop a list of criteria and evaluate SSL inspection platforms against these criteria before selecting a solution. This paper describes five features that all SSL inspection platforms should provide, enabling IT security teams to rapidly define evaluation criteria and avoid common deployment pitfalls. SSL inspection platforms should: 1. Meet Current and Future SSL Performance Demands Performance is perhaps the most important evaluation criteria for SSL inspection platforms. Organizations must assess their current Internet bandwidth requirements and ensure that their SSL inspection platform can handle future SSL throughput requirements. While IP traffic is predicted to grow 21 percent per year between 2013 and 2018, 8 organizations must also factor in SSL traffic growth. SSL traffic currently accounts for between 25 and 35% of all Internet traffic and reaches upwards to 70% for some networks. 9 Moreover, encrypted traffic is increasing faster than overall IP traffic growth, and more and more sites are using computationally intensive 4096-bit SSL keys and Diffie-Hellman ciphers. When evaluating SSL inspection performance, IT security teams should: Test SSL inspection speeds with 2048-bit and 4096-bit SSL keys. Evaluate a mix of traffic with Diffie-Hellman and elliptic curve ciphers. Ensure that the SSL inspection platform can handle throughput requirements, with extra headroom for traffic peaks. Analyze appliance performance with essential security and networking features enabled. Testing SSL decryption speeds without considering the impact of deep packet inspection (DPI), URL classification or other features will not provide a clear picture of real-world performance. Those organizations that thoroughly evaluate performance benchmarks should be able to avoid surprises in their production environments. 2. Satisfy Compliance Requirements Privacy and regulatory concerns have emerged as one of the top hurdles preventing organizations from inspecting SSL traffic. While IT security teams have deployed a wide array of products to detect attacks, data leaks and malware and rightfully so they must walk a thin line between protecting employees and intellectual property, and violating employees privacy rights. To address regulatory requirements like HIPAA, Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX), an SSL inspection platform should be able to bypass sensitive traffic, like traffic to banking and healthcare sites. By bypassing sensitive traffic, IT security teams can rest easy knowing that confidential banking or healthcare records will not be sent to security devices or stored in log management systems. 8 Cisco, The Zettabyte Era: Trends and Analysis 9 4

IT security teams should look for SSL inspection platforms that can: Categorize web traffic using an automated URL classification service. By categorizing web traffic, organizations can bypass communications to banking and healthcare sites and ensure that confidential data remains encrypted. Support manually-defined URL bypass lists with hundreds of thousands of URL entries. Display a customizable message to users the first time they access the Internet informing them that web traffic, and encrypted traffic, may be monitored for cyber threats and unauthorized activity. 3. Support Heterogeneous Networks with Diverse Deployment and Security Requirements Organizations must contend with a wide array of security threats from external actors and from disgruntled employees. To safeguard their digital assets, organizations have deployed an ever increasing number of security products to stop intrusions, attacks, data loss, malware and more. Some of these security products are deployed inline, while others are deployed non-inline as passive network monitors. Some analyze all network traffic, whereas others focus on specific applications, like web or email protocols. However, virtually all of these products need to examine traffic in clear text in order to pinpoint illicit activity. As a result, SSL inspection platforms should interoperate with a diverse set of security products from multiple vendors. They should support transparent deployment and be able to route traffic from one security device to another with traffic steering. Organizations should look for SSL inspection platforms that can: Decrypt outbound traffic to the Internet and inbound traffic to corporate servers with multiple, flexible deployment options. They should support transparent forward proxy configuration, transparently intercepting traffic, as well as an explicit proxy configuration, where browsers are explicitly configured to use a proxy. They should also support reverse proxy deployment to decrypt traffic to corporate servers and allow inline or noninline security devices to inspect the traffic. Intelligently route traffic with traffic steering. The SSL inspection platform should be able to forward traffic to multiple security devices based on source IP address, protocol, file type, URL or other parameters. By supporting advanced traffic steering, an SSL inspection platform can optimize the performance of network security devices and support complex network architectures. Granularly parse and control traffic based on custom-defined policies. By supporting scriptable, programmatic control over Layer 7 traffic, administrators can inspect request headers and payloads and perform any number of actions, including blocking traffic, redirecting traffic or modifying content. Integrate with a variety of security solutions from leading vendors. By validating interoperability, IT security teams can be assured that their SSL inspection platform will work together seamlessly with other security solutions and avoid surprises that could delay deployment. By integrating with a variety of security solutions, organizations can also reduce costs by eliminating the need to deploy multiple point solutions. Organizations want to deploy best-of-breed security products from multiple vendors; they do not want to get locked into a single vendor solution. The security landscape constantly evolves to combat emerging threats. In one or two years, organizations may want to provision new security products and they need to make sure that their SSL inspection platform will interoperate with these products. By selecting an SSL inspection platform that supports flexible deployment, traffic steering and granular traffic controls, they will be able to provision their choice of security solutions in the future. 4. Maximize the Uptime and the Overall Capacity of Security Infrastructure Organizations depend on their security infrastructure to block cyber attacks and prevent data exfiltration. If their security infrastructure fails, threats may go undetected and users may be unable to perform business-critical tasks, resulting in loss of revenue and brand damage. Most firewalls today can granularly control access to applications and detect intrusions and malware. Unfortunately, analyzing network traffic for network-borne threats is a resource-intensive task. While firewalls have increased their capacity over time, they often cannot keep up with network demand, especially when multiple security features like IPS, URL filtering and virus inspection are enabled. 5

Therefore, SSL inspection platforms should not just offload SSL processing from security devices. They should also maximize the uptime and performance of these devices. When evaluating SSL inspection platforms, organizations should look for platforms that can: Scale security deployments with load balancing Avoid network downtime by detecting and routing around failed security devices Support advanced health monitoring to rapidly identify network or application errors Provide better value by supporting N+1 redundancy rather than just 1+1 redundancy SSL inspection platforms should not be another point product and they should not introduce risk to the network. Instead, they should lower risk by maximizing the availability and the overall capacity of security infrastructure. Only then can organizations unlock the full potential of their SSL inspection platforms. 5. Securely Manage SSL Certificates and Keys Whether providing visibility to outbound or inbound SSL traffic, SSL inspection devices must securely manage SSL certificates and keys. SSL certificates and keys form the basis of trust for encrypted communications. If they are compromised, attackers can use them to impersonate legitimate sites and steal data. When SSL inspection devices are deployed in front of corporate applications to inspect inbound traffic, they may need to manage tens, hundreds or even thousands of certificates. As the number of SSL key and certificate pairs grows, certificate management becomes more challenging. Organizations constantly add, remove or redeploy servers to meet business needs. This fluid and dynamic environment makes it difficult for organizations to account for all SSL certificates at any given time and ensure that certificates have not expired. To ensure that certificates are stored and administered securely, organizations should look for SSL inspection platforms that: Provide device-level controls to protect SSL keys and certificates Integrate with third-party SSL certificate management solutions to discover, catalog, track and centrally control certificates Support FIPS 140-2 Level 2 and Level 3 certified equipment and Hardware Security Modules (HSMs) that can detect physical tampering and can safeguard cryptographic keys Conclusion Privacy concerns are propelling SSL usage higher; businesses face increased pressure to encrypt application traffic and keep data safe from hackers and foreign governments. In addition, because search engines such as Google rank HTTPS websites better than standard websites, application owners are clamoring to encrypt traffic. But IT security teams face their own set of challenges as they tackle threats like cyber attacks and malware threats that can use encryption to bypass corporate defenses. With SSL accounting for nearly a third of enterprise traffic 10 and with more applications supporting 2048-bit and 4096-bit SSL keys, organizations can no longer avoid the cryptographic elephant in the room. If they wish to prevent devastating data breaches, they must gain insight into SSL traffic. And to accomplish this goal, they need a dedicated SSL inspection platform. This guide describes criteria that organizations should consider before they provision SSL inspection technologies criteria like performance, availability and SSL key management which will be critical to their success. Armed with this information, organizations can make well-informed decisions and avoid the deployment pitfalls that SSL inspection can potentially expose. Learn More To find out about SSL inspection solutions from A10 Networks, visit http://www.a10networks.com/products/ssl_ insight.php 10 6

About A10 Networks A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and serves customers globally with offices worldwide. For more information, visit: www.a10networks.com Corporate Headquarters A10 Networks, Inc 3 West Plumeria Ave. San Jose, CA 95134 USA Tel: +1 408 325-8668 Fax: +1 408 325-8666 www.a10networks.com Part Number: A10-WP-21116-EN-01 Dec 2014 Worldwide Offices North America sales@a10networks.com Europe emea_sales@a10networks.com South America latam_sales@a10networks.com Japan jinfo@a10networks.com China china_sales@a10networks.com Taiwan taiwan@a10networks.com Korea korea@a10networks.com Hong Kong HongKong@a10networks.com South Asia SouthAsia@a10networks.com Australia/New Zealand anz_sales@a10networks.com 2014 A10 Networks, Inc. All rights reserved. The A10 logo, A10 Lightning, A10 Networks, A10 Thunder, acloud, ACOS, ACOS Policy Engine, ACOS Synergy, Affinity, aflex, aflow, agalaxy, avcs, AX, axapi, IDaccess, IDsentrie, IP-to-ID, SoftAX, SSL Insight, Thunder, Thunder TPS, UASG, VirtualN, and vthunder are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. To learn more about the A10 Thunder Application Service Gateways and how it can enhance your business, contact A10 Networks at: www.a10networks.com/contact or call to talk to an A10 sales representative. 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information