Internet users typically don’t concern themselves with cipher suites. They type in a web address and expect the site to appear. Boom!
But if an SSL decryption device doesn’t understand a new SSL version or cipher suite, traffic is broken and your users can’t make it to the internet.
That’s what happened last year, when Google selected a new default cipher suite for Chrome. A number of SSL decryption devices weren’t able to understand this new cipher suite; thus traffic was broken. In turn, these devices had to be taken off the network, patched, upgraded and reinstalled. That took days. And for those days, organizations weren’t getting the benefit of their SSL decryption devices, meaning they were vulnerable to malware, ransomware and other nefarious traffic cloaked by encryption.
When A10 Networks built Thunder SSLi five years ago, we decided to invest in a full proxy architecture, which helps organizations avoid this problem.
In this video, A10 Director of Product Management Yasir Liaqatullah explains the benefits of a full proxy architecture and A10 Thunder SSLi.
A full proxy architecture means we break the connection from a user to the internet into two segments – we create a segment toward the client and another toward the internet server. Each connection has its own parameters and distinct cipher suite selection.
That means Thunder SSLi can adjust the cipher suite selection for encryption by renegotiating to a different cipher suite of similar strength. This makes Thunder SSLi future-proof against new ciphers or TLS versions that could be introduced to the network without notice, and without compromising your network. Thunder SSLi ensures traffic is encrypted using the most secure ciphers, eliminating the use of compromised ciphers.
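The difference between relaying a handshake and terminating it on each segment can be shown with a small model. This is an added example, not A10 code and not a TLS implementation; the function names, the suite lists and the placeholder NEW_SUITE_X (standing in for a suite the device has not been updated to support) are assumptions made for illustration.

```python
# Simplified model of TLS cipher suite selection; not a TLS implementation.
# NEW_SUITE_X is a placeholder for a suite the device does not implement yet;
# the client, device and server lists are constructed sample data.
NEW = "NEW_SUITE_X"
GCM128 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
GCM256 = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
RC4 = "TLS_RSA_WITH_RC4_128_SHA"

CLIENT_OFFER = [NEW, GCM128, RC4]      # browser prefers the new suite
DEVICE_SUITES = [GCM256, GCM128]       # device allowlist, in preference order
SERVER_SUITES = [NEW, GCM256, GCM128]  # server preference order


def negotiate(offered, responder_prefs):
    """Return the responder's most preferred suite that was offered, or None."""
    offered = set(offered)
    return next((s for s in responder_prefs if s in offered), None)


def mirrored(client_offer, device, server):
    """Device relays the client's offer unchanged: one suite end to end."""
    suite = negotiate(client_offer, server)
    return {"client_leg": suite, "server_leg": suite,
            "inspected": suite is not None and suite in device}


def full_proxy(client_offer, device, server):
    """Device terminates both legs and negotiates each one from its own list."""
    client_leg = negotiate(client_offer, device)   # device acts as the server
    server_leg = negotiate(device, server)         # device acts as the client
    return {"client_leg": client_leg, "server_leg": server_leg,
            "inspected": client_leg is not None and server_leg is not None}


if __name__ == "__main__":
    print("mirrored  :", mirrored(CLIENT_OFFER, DEVICE_SUITES, SERVER_SUITES))
    print("full proxy:", full_proxy(CLIENT_OFFER, DEVICE_SUITES, SERVER_SUITES))
    # A server that only speaks a suite outside the allowlist gets no session.
    print("RC4-only  :", full_proxy(CLIENT_OFFER, DEVICE_SUITES, [RC4]))
```

In the mirrored case the endpoints settle on the suite the device cannot handle, so the session cannot be inspected; in the full-proxy case each leg ends up on a suite from the device's own list, and a server offering only a suite outside that list gets no session at all.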