Clearing the SSL Inspection Confusion

At A10 Networks, we take your security very seriously. Because of that, it’s our duty to clear up some confusion put forth in a recent alert by US-CERT (Alert TA17-075A) regarding the use of SSL inspection.

No specific event triggered the alert; rather, US-CERT issued it as a generic warning based on previously published information. The US-CERT alert referenced three sources: The Risks of SSL Inspection (a CERT/CC Blog); The Security Impact of HTTPS Interception, a research paper; and https://badssl.com/, an SSL test website.

Each of those sources mentions vulnerabilities they claim can impact SSL inspection solutions, including A10 Thunder SSLi. The reports feature some inaccurate information that we’d like to take a moment to correct.

Here’s a breakdown of each paper mentioned in the US-CERT alert:

Based on the information contained in those reports, here are A10’s recommended configuration best practices for SSLi that you can follow to ensure the best security:

AppCentric Templates

AppCentric Templates is a wizard-based configuration tool that allows an organization to apply best practices to its SSL Insight solution and secure the deployment with minimal effort. Most of the subsequent points can be easily configured via AppCentric Templates.

Signing CA and Key

TLS Version and Cipher Suites

Origin CA Validation

A10 includes a Mozilla CA bundle in ACOS.

SSL Inspection Policy

Certificate Pinned Websites

To get the best customer experience from our Thunder SSLi product, we highly recommend you use our AppCentric Templates wizard, which has been developed with a focus on A10’s recommended best practices that should be applied by security and network engineers while setting up the SSL Insight solution in a network.

By following the guidelines provided by A10, your organization can rest assured not just that your network is secure, but that leveraging SSL Insight enhances your security.

We welcome any questions you might have regarding the US-CERT alert and the references made in it.

For additional details on A10 Thunder SSLi, download this data sheet

For a best practices guide for SSLi, please contact your A10 representative or A10’s Technical Assistance Center (TAC).



April 26, 2017

About Andrew Hickey

Andrew Hickey serves as A10's editorial director. Andrew has two decades of journalism and content strategy experience, covering everything from crime to cloud computing and all things in between.