SSL Decryption, Encryption and Inspection
Threats Can Hide in Encrypted SSL Traffic
To prevent cyber-attacks, enterprises need to inspect incoming and outgoing traffic for threats. Unfortunately, attackers are increasingly turning to encryption to evade detection. With more and more applications encrypting data (in fact, today, SSL traffic accounts for 25% to 35% of all Internet traffic1), organizations that do not inspect SSL communications are providing an open door for attackers to infiltrate defenses and for malicious insiders to steal sensitive data.
The Current State of Insecurity
Worldwide spending on information security will reach a staggering $71.1 billion in 2014,2 as organizations stack up firewalls around their network perimeters and inspect incoming and outgoing traffic with an array of products including secure web gateways, forensic tools, advanced threat prevention platforms, and more.
Unfortunately, as SSL traffic increases, our collective $70+ billion investment in security is falling far short of protecting digital assets. This is because, according to a survey by Gartner, "less than 20% of organizations with a firewall, an intrusion prevention system (IPS) or a unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic."3 This means that for over 80% of organizations, attackers can simply tunnel attacks in SSL traffic to circumvent defenses.
Gain Visibility into Encrypted Traffic with SSL Insight
Thunder SSLi eliminates the SSL blind spot in corporate defenses and enables security devices to inspect encrypted traffic – not just clear text. Thunder SSLi decrypts SSL-encrypted traffic and forwards it to third-party security devices for inspection. Once the traffic has been analyzed and scrubbed, Thunder SSLi encrypts it and forwards it to the intended destination. SSL inspection, also known as SSL forward proxy, is a technology consisting of two SSL termination devices that have separate secured sessions between server and client. The adjacent diagram explains the flow.
- Encrypted traffic from the client is decrypted by the internal, Thunder SSLi appliance.
- Thunder SSLi sends the unencrypted data to a security appliance which inspects the data in clear text.
- The external Thunder SSLi encrypts the data and sends it to the server.
- The server sends an encrypted response to the external Thunder SSLi.
- Thunder SSLi decrypts the response and forwards it to the security device for inspection.
- The internal Thunder SSLi receives traffic from the security device, re-encrypts it and sends it to the client.
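The flow above says the client's session ends at the internal termination point but not how that session is established; in an SSL forward proxy the inspecting device presents a certificate for the destination host signed by an enterprise inspection CA that managed clients trust. The added example below is not A10's code and uses constructed names; it models that per-destination step in Go and the check a client or administrator can run to tell whether a given session is being terminated by the appliance rather than by the origin server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign gives tmpl a 24-hour validity window and issues it under parent/parentKey; with parent == nil it is self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// InspectionCA models the enterprise CA the client-facing termination point signs with (name is a constructed value).
func InspectionCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// MintForHost is the per-destination step: a certificate for host under the inspection CA lets the client's session end at the appliance.
func MintForHost(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	leaf, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return leaf
}

// InspectedBy is the client-side check: was the certificate presented for host issued by the inspection CA?
func InspectedBy(leaf, ca *x509.Certificate, host string) bool {
	return leaf.CheckSignatureFrom(ca) == nil && leaf.VerifyHostname(host) == nil
}
```

A certificate that chains to the inspection CA means the appliance, not the origin server, terminated that session; one that does not was either exempted from decryption or never passed through the appliance.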
Because one Thunder SSLi appliance can also support multiple virtual ADCs using A10’s Application Delivery Partition (ADP) technology, customers can deploy a single Thunder SSLi appliance to perform both the SSL decryption and the SSL encryption functions, and therefore gain visibility into SSL traffic with a single appliance.
Thunder SSLi can also decrypt SSL traffic and send it unencrypted to security devices deployed off of network SPAN ports. By mirroring traffic, Thunder SSLi allows non-inline security devices to inspect all communications for unauthorized activity.
Protect Critical Assets without Degrading Firewall Performance
While dedicated security devices provide in-depth inspection and analysis of network traffic, they are rarely designed to encrypt SSL traffic at high speeds. In fact, some security products cannot decrypt SSL traffic at all. SSL Insight offloads CPU-intensive encryption and decryption tasks from dedicated security devices, boosting application performance.
High performance with SSL Acceleration Hardware
Thunder SSLi, with its powerful SSL security processors, can significantly improve the performance of your critical business applications and services by managing multiple secure connections simultaneously with exceptional SSL CPS rates. With SSL acceleration hardware, Thunder SSLi has near parity performance for the upgrade to 2048-bit key sizes, and has the extreme power needed to handle 4096-bit keys at high performance production levels.
Connections Per Second (CPS) measures the number of new HTTP connections (1 HTTP request per TCP connection, without TCP connection reuse) established within 1 second.
A Better Solution for SSL Visibility
SSL Insight offers organizations a powerful load-balancing, high availability and SSL decryption solution. Using SSL Insight, organizations can:
- Analyze all network data, including encrypted data, for complete threat protection
- Deploy best-of-breed content inspection solutions to fend off cyber attacks
- Maximize the performance, availability and scalability of corporate networks by leveraging A10’s 64-bit ACOS® platform, Flexible Traffic Acceleration (FTA) technology and specialized security processors
1 NSS Labs, "SSL Performance Problems," https://www.nsslabs.com/reports/ssl-performance-problems
2 Gartner, "Forecast: Information Security, Worldwide, 2012-2018, 2Q14 Update"
3 Gartner, "Security Leaders Must Address Threats From Rising SSL Traffic"