Inspecting Encrypted Traffic and Blocking Malware

Take a moment to imagine this scenario: Your company is going about its business, when, by a stroke of “luck”, someone notices signs of malicious activity on the network. However, the security devices you have deployed in your network fail to report any active threats. This leaves you with no idea how to track down what’s going on.

If you can’t inspect encrypted traffic, you are blind to hidden threats. By the time you realize this, it’s too late. Malware has made its way into your infrastructure hidden by encryption. It’s no longer a matter of prevention. It’s a matter of damage control.

For some companies, this hypothetical situation is all too real, and there is usually a combination of problems at play rather than a single culprit. We’ll look at some of the problems that limit traffic inspection, and at the best solutions to them.

Problem 1: Encrypted Internet Traffic

Encryption is now nearly ubiquitous. More than 80 percent of internet traffic is already encrypted, according to Google’s Transparency Report.

Although increased encryption is good news in terms of data privacy, it also introduces a security “blind spot” that your network defenses cannot look into. Unfortunately, hackers wasted no time in learning how to exploit this blind spot, and have started using it to deliver malware and other malicious content.

Many companies rely on their existing security solutions and try to leverage their built-in decryption capabilities, if available. Unfortunately, this comes with its own set of disadvantages. These types of “bolted-on” decryption tools, commonly implemented as mere software extensions, result in a significant amount of performance degradation.

SSL/TLS security and performance test reports carried out by NSS Labs revealed just how much performance suffers once decryption is turned on.

This means that, for example, a security solution that originally offers 10 gigabytes of inspection throughput might be limited to a mere 2 or 3 gigabytes once it starts decrypting. That’s a staggering 70-80 percent performance drop.

We have more details on this topic in “Next Generation Firewalls May Not Stop Malware.”

To prevent such extreme performance degradation, some companies turn to dedicated decryption solutions. While such solutions are certainly the perfect remedy to all their decryption woes, they can sometimes prove to be overly complicated and difficult to deploy. That’s why companies need to seek out dedicated decryption tools that are not only effective at eliminating the blind spot, but also easy to deploy and use.

Problem 2: Scalable SSL Inspection Strategy

With a dedicated decryption solution, a small company can easily gain full visibility into its network traffic, encrypted or not, and can defend against all sorts of attacks. However, this works only while the company operates from a single location, with one local security stack that needs the decrypted traffic.

As your company grows to include multiple branches and offices, it will undoubtedly run into problems as the scope of decryption and overall visibility expands. Without centralized visibility, organizations are unable to see the bigger picture. Instead, they’re stuck with an incomplete view of their data, looking at one branch or office at a time.

For example, a large organization might have its IT department located in its main headquarters. However, the IT team is going to need to take a closer look at all of the organization’s traffic. This includes the traffic flowing through the different branch offices. Only then would they be able to make sense of it all.

To solve this, companies need to employ centralized management, complete with intuitive dashboards and actionable analytics. Then they can manage and control all multi-site deployments, regardless of geographic location.

Centralized policy management can ensure that security policies remain consistent across all deployments. Consistent policies can, in turn, help organizations stay compliant with a variety of privacy and data standards.

Problem 3: Modern Applications Create New Problems

With the rapid adoption of SaaS and the move of traditional productivity tools to the cloud, many organizations can’t even imagine functioning without Google’s G Suite, Dropbox or Microsoft’s Office 365.

However, as companies increasingly adopt SaaS applications, the applications previously hosted on-premises are now accessed in the cloud. This has increased the volume of north-south network traffic between the enterprise and the internet, as opposed to the previous model of east-west network flow, where internal applications. Regardless of the traffic flow, however, users still expect the experience to be as if the applications were being accessed locally.

Legacy security solutions weren’t designed to handle such unprecedented volumes of traffic at the perimeter. They can suffer performance degradation and introduce bottlenecks. Such a slowdown of the network might be acceptable in some cases, but for SaaS applications it can create huge problems because it severely degrades the user experience.

To maintain an acceptable user experience, many SaaS providers recommend that companies allow their application traffic to bypass internal security devices and instead pass it straight through to a trusted cloud service, for example Microsoft’s Office 365. However, doing so creates a huge gap in traffic visibility: you no longer have access to your SaaS traffic or its statistics.

Visibility of SaaS Traffic

The lesson here is that disconnected and localized network visibility isn’t enough on its own, especially with the popularity of SaaS. Companies need to be able to inspect their cloud traffic and deployments. They can accomplish that with a localized, dedicated decryption solution that works hand-in-hand with a centralized management and visibility solution that’s able to log traffic both in the network and the cloud.

Local Decryption and Global Visibility

To recap, you need security solutions that complement your existing deployments and help you overcome scale and performance limitations while providing overall visibility. Between widespread encryption, multiple geographically distributed locations, and a wealth of SaaS apps, maintaining consistent visibility and retaining the ability to manage all deployments can prove to be a challenge.

Here are the key needed features:

  1. A dedicated decryption tool that’s easy to deploy, user-friendly and supports your entire security infrastructure within your enterprise network. This way, one decryption tool can serve your entire security stack, thereby reducing total cost of ownership (TCO).
  2. Centralized policy management so that your organization can have uniform security policies applied across all deployments.
  3. Actionable analytics, and centralized application visibility and control, to give your company application-level visibility and control over both network and SaaS traffic.
  4. Centralized management and visibility, so that your organization can catch traffic abnormalities that would otherwise be lost to isolated analytics at each site.

With dedicated decryption coupled with centralized management and analytics, companies can simplify their IT administration processes, apply uniform security policies and efficiently decrypt and examine all incoming traffic.


December 22, 2018

About Babur Khan

Babur Nawaz Khan is a Technical Marketing Engineer at A10 Networks. He primarily focuses on A10's Enterprise Security and DDoS Protection solutions. Prior to this, he was a member of A10's Corporate Systems Engineering team, focusing on Application Delivery Controllers. Babur holds a master's degree in Computer Science from the University of Maryland, Baltimore County.