Encryption: What You Can’t See Can Hurt You

SSL encryption is a double-edged sword for organizations. It bolsters security by providing confidentiality and message integrity. It enables users to verify the identity of application owners and it allows applications to authenticate users with client certificates. As threats like snooping, phishing, and data theft continue to grow, encryption has become an essential way to protect users and data.

But encryption also puts organizations at risk. Hackers leverage encryption to conceal their exploits from security devices like firewalls, intrusion prevention systems, forensics solutions and more that can’t keep up with increasing SSL decryption demands or that cannot decrypt SSL traffic at all because of their location in the network.

How serious is the threat? According to a recent Gartner survey, “less than 20% of organizations with a firewall, an intrusion prevention system (IPS) or a unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic.”[1] This means that hackers can evade over 80% of companies’ network defenses simply by tunneling attacks in encrypted traffic.

SSL Usage on the Rise
To reduce the risk of snooping and theft, an increasing number of applications encrypt data using SSL or SSL’s successor, Transport Layer Security (TLS). SSL usage has become ubiquitous and many leading websites now encrypt every web request and response. In fact, 48% more of the million most popular websites use SSL in 2014 than a year earlier.[2]

However, the transition from 1024- to 2048-bit SSL key lengths, combined with growing SSL bandwidth demands, has burdened security devices that decrypt SSL traffic. The impact of decryption on security devices is startling. Analysis by NSS Labs reveals that 2048-bit SSL ciphers “caused a mean average of 81% in performance loss”[3] for seven leading next-generation firewalls.

High-Speed SSL Decryption with SSL Insight
To help organizations decrypt and inspect SSL traffic without degrading network performance, A10 has introduced SSL Insight. Included as a feature of the A10 Thunder Application Delivery Controller (ADC), SSL Insight enables third-party security devices to inspect encrypted traffic. With SSL Insight, organizations can eliminate the blind spot imposed by SSL encryption.

URL Classification for SSL Insight to Keep Trusted Data Encrypted
On August 5th, A10 announced several enhancements for SSL Insight. These enhancements, which will be available in ACOS version 4.0 P1, include:

  • Enhancements to URL bypass lists – SSL Insight will support multiple, manually defined bypass lists, enabling different administrators to manage and update bypass lists separately. In addition, bypass lists will be able to scale up to one million Server Name Indication (SNI) values on select Thunder ADC models. Using bypass lists, SSL Insight can be configured to ignore specific types of traffic, such as communications to banking and healthcare applications, for compliance and data privacy.
  • URL Classification service to selectively bypass sensitive applications – With A10's industry-first URL classification service, Thunder ADC can categorize traffic to over 460 million domains, enabling organizations to bypass traffic based on website category. The URL classification service ensures confidential data remains encrypted and helps organizations achieve compliance. A10's URL classification service, powered by Webroot, is available with the purchase of an annual subscription.
  • Decryption of SMTP and XMPP traffic – In addition to HTTPS traffic, SSL Insight will be able to decrypt mail and Extensible Messaging and Presence Protocol (XMPP) instant messaging traffic.
  • Client certificate detection and optional bypass – If SSL Insight detects traffic encrypted with both client and server certificates (sometimes referred to as mutual or two-way authentication), SSL Insight can be configured to block the traffic or allow it through uninspected.
  • Untrusted certificate handling – SSL Insight will be able to redirect clients to an error page, or re-sign encrypted traffic with an untrusted certificate to preserve the browser's default error messages.
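As an added illustration (example code, not A10's implementation or anything from this post), the following Python sketches the bypass decision the list above describes: it pulls the Server Name Indication out of a TLS ClientHello, checks it against separately managed bypass lists (exact and wildcard entries) and then against a category map standing in for a classification feed. The ClientHello builder, the list contents and the categories are constructed for the example; connections without a usable SNI are sent to inspection rather than trusted.

```python
import struct
def build_client_hello(host: str) -> bytes:
    """Constructed sample: a TLS record wrapping a minimal ClientHello whose only extension is SNI."""
    name = host.encode()
    sni = b"\x00" + struct.pack("!H", len(name)) + name             # name_type 0 = host_name
    sni = struct.pack("!H", len(sni)) + sni                          # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni                      # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                     # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                      # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # ContentType handshake

def extract_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None if it is absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                   # not a Handshake/ClientHello
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        p = 4 + 2 + 32                                               # handshake header, version, random
        p += 1 + hs[p]                                               # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]                 # cipher_suites
        p += 1 + hs[p]                                               # compression_methods
        p, end = p + 2, p + 2 + struct.unpack("!H", hs[p:p + 2])[0]  # extensions block
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            if etype == 0:                                           # server_name: list len, type, name len, name
                nlen = struct.unpack("!H", hs[p + 7:p + 9])[0]
                return hs[p + 9:p + 9 + nlen].decode("ascii")
            p += 4 + elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

# Constructed policy data: two separately managed bypass lists and a small category map
# standing in for a classification feed (a real deployment loads these from the device).
BYPASS_LISTS = {"finance": {"online.bank.example", "*.bank.example"}, "healthcare": {"portal.clinic.example"}}
CATEGORIES = {"bank.example": "financial", "clinic.example": "health", "cdn.example": "content"}
BYPASS_CATEGORIES = {"financial", "health"}
def decide(record: bytes) -> str:
    """'bypass' = forward still encrypted and uninspected; 'decrypt' = hand to the inspection chain."""
    host = extract_sni(record)
    if host is None:
        return "decrypt"                                             # no usable SNI: inspect rather than trust
    if any(host == pat or (pat.startswith("*.") and host.endswith(pat[1:]))
           for entries in BYPASS_LISTS.values() for pat in entries):
        return "bypass"
    if CATEGORIES.get(".".join(host.split(".")[-2:])) in BYPASS_CATEGORIES:
        return "bypass"
    return "decrypt"
```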

SSL Insight is included with Thunder ADC at no additional charge. A10’s all-inclusive feature licensing ensures that any Thunder ADC appliance can support any feature, at any given time, for peace of mind and maximum uptime.

To learn more about these new features, see the A10 press release or our joint press release with Webroot.

You can also view our SSL Insight Solution Brief for more information about A10’s SSL Insight technology. And stay tuned for more SSL Insight announcements in the upcoming weeks.

[1] Gartner, Security Leaders Must Address Threats From Rising SSL Traffic, December 2013
[2] Netcraft, January 2014 Web Server Survey
[3] NSS Labs, SSL Performance Problems, June 2013
