Skip to main content Skip to search
Blog

Next Generation Firewalls May Not Stop Malware

Best Defense Against Malicious SSL Encrypted Traffic

41% of attacks evaded security with SSL EncryptionBad actors and malicious insiders are concealing threats in encrypted traffic, like malware, in an attempt to steal sensitive data. In fact, it is predicted that as much as 70% of cyberattacks will use encryption as part of their delivery mechanism by 2019.

Meanwhile, the use of encryption is growing rapidly. The latest data shows  85 percent of the internet in North America is encrypted today, creating a gaping blind spot that’s ripe for malware exploitation.
64 percent of organizations unable to decrypt traffic
You may expect your next generation firewall (NGFW) to protect you from these hidden malware attacks, but almost 2/3’s of organizations are not able to decrypt and inspect their SSL/TLS traffic. In a world that relies increasingly on encrypted traffic, letting traffic pass through firewalls without inspection can expose your business, customers, and partners to danger.

Next Generation Firewalls Do Not Prevent Next Generation Threats

NGFWs can often inspect traffic by analyzing the application layer. However, NGFWs usually rely on deep-packet inspection (DPI) to perform this work, which causes devices to redline because DPI is a CPU-intensive task. A rise in the use of increased key lengths and more complex ciphers means that general purpose CPUs find it significantly harder to keep up with the amplified performance requirements. The result is a quantifiable performance degradation. The average performance loss according to NSS across NGFWs that are trying to perform decryption and re-encryption of SSL/TLS encrypted traffic is 60 percent with a maximum of 95%. This is quite a significant impact to your security infrastructure performance!
45% don't decrypt web traffic
In addition, NGFWs often can’t pass the results of decryption activities to other devices. That’s a problem if you are using a Defense in Depth strategy or using firewalls from multiple vendors. You could end up decrypting and re-encrypting your traffic many times as it moves through your security environment. The performance degradation resulting from these repeated activities ripples throughout your infrastructure – building up to a bad user experience. When you feel this type of impact, you may decide to turn off inspection to preserve the quality of your end user experience. However, you could end up trading a better user experience for bad user security.

Traffic Encryption Rates Today

85% internet traffic protected by encryption

90% of web pages loaded over HTTPS, Chrome

75% of web pages loaded over HTTPS, Mozilla

Expose Your Blind Spots, Not Your Content

What you need is an agnostic security tool that lets you inspect traffic in clear text while also enhancing the performance of your existing security infrastructure – prolonging its life span in the process.
So how do you do this? Your business’s best defense against malicious encrypted traffic is to make sure you have a dedicated SSL/TLS inspection platform in place that meets the following critical criteria.

Six Criteria for Selecting a Dedicated SSL/TLS Inspection Security Platform

Relying on a system that doesn’t meet these six requirements can open your organization up to deployment pitfalls — and incoming threats.

  1. Fulfills your SSL/TLS performance demands
  2. Satisfies your specific compliance mandates (e.g. GDPR, HIPAA etc.)
  3. Supports your security devices (e.g. firewalls, next generation firewalls, secure web gateways, advanced threat protection, forensics and security systems, data loss prevention, etc.)
  4. Maximizes your security infrastructure uptime and capacity
  5. Securely manages your SSL/TLS certificates and keys
  6. Provides you with rich, actionable analytics

Innovative Decryption and Re-Encryption Solution from A10

A10’s Thunder® SSLi® is a purpose-built decryption solution that eliminates the SSL/TLS blind spot, providing full visibility into your encrypted traffic. This increases your security effectiveness at a fraction of the cost by offloading CPU-intensive SSL/TLS operations from your existing security solutions. With dedicated SSL hardware, Thunder SSLi boosts the performance of your existing security infrastructure, decrypting traffic and forwarding it to one or more of your security devices, allowing them to operate at their peak performance. This dramatically reduces any performance degradation or latency introduced by your security infrastructure.

With dedicated SSL acceleration hardware, SSLi delivers high performance with 2048-bit and 4096-bit key sizes while supporting multiple cipher suites including Elliptic-Curve Cryptography (ECC) for perfect forward secrecy (PFS) support.

SSLi also helps to ensure that your security deployments’ compliancy is met with the continually evolving data protection and privacy standards, rules and regulations such as the EU’s General Data Protection Regulation (GDPR) and the healthcare industry’s HIPAA Privacy Rule, avoiding hefty fines.

With SSLi’s step-by-step configuration wizards, troubleshooting wizards and customized dashboards, you can operationalize your SSLi device and gain real-time, actionable insights. For multi-site deployments, A10’s Harmony Controller SSLi app provides a centralized analytics and management console with rich insights into traffic decryption status, user behavior and traffic pattern analysis in an easy-to-consume format.
A10’s Harmony Controller SSLi
A10’s Thunder SSLi provides a compelling and scalable enterprise security solution that will not only arm your existing security infrastructure for today’s cyber threat landscape, but will future-proof your enterprise security infrastructure to defend against the growing cyber threats, without compromising your network’s performance.
Malicious Traffic

View the Infographic
Categories:


Babur Khan
|
September 25, 2018

Babur Nawaz Khan is a Senior Product Marketing Manager at A10 Networks. He is responsible for A10's Enterprise Security and DDoS Protection solutions. Prior to this, he was… Read More