3 reasons SSL encryption gives a false sense of security

Major web browsers and many web sites rely on the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), which encrypt confidential information such as credit card numbers before it is sent over the internet. SSL encryption is what keeps e-mail, e-commerce, voice-over-IP, online banking, remote health and countless other services confidential while in transit.

However, last year’s high-profile SSL vulnerabilities, Heartbleed (a bug in the OpenSSL implementation) and Padding Oracle On Downgraded Legacy Encryption (POODLE, a flaw in the SSL 3.0 protocol itself), have exposed weaknesses in the technology.

With Heartbleed, for instance, an attacker sends a malformed heartbeat request and the server answers with up to 64 KB of its own process memory, which can contain session cookies, passwords and even the private key the server uses to prove its identity and, with RSA key exchange, to protect the session keys. Armed with that private key, an attacker can impersonate the affected server or decrypt captured sessions that were negotiated with RSA key exchange, all without leaving any trace in the server's logs.
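To make the flaw concrete, the Python model below (an added example for this article, not code from OpenSSL or from the article's author) shows the single missing bounds check. An RFC 6520 heartbeat message carries a type byte, a two-byte payload_length, the payload and at least 16 bytes of padding; the pre-patch code echoed payload_length bytes starting at the payload without checking that the record actually contained that many. The "memory after the record" is a constructed byte string standing in for whatever happened to follow the record in the heap.

```python
import struct

HEARTBEAT_REQUEST = 1
PADDING = b"\x00" * 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Encode a HeartbeatMessage; claimed_length may lie about the payload size."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + PADDING


def handle_heartbeat_vulnerable(record: bytes, memory_after_record: bytes) -> bytes:
    """Model of the pre-patch handler: trusts payload_length and copies that many
    bytes starting at the payload, running past the record into adjacent memory."""
    _hb_type, payload_length = struct.unpack("!BH", record[:3])
    # Constructed stand-in for the process heap: the record followed by whatever
    # the allocator placed after it.
    heap_view = record[3:] + memory_after_record
    return heap_view[:payload_length]


def handle_heartbeat_fixed(record: bytes, memory_after_record: bytes):
    """Patched behaviour: the record must hold type + length + payload + padding;
    otherwise the message is silently discarded (RFC 6520, section 4)."""
    _hb_type, payload_length = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_length + 16 > len(record):
        return None
    return record[3:3 + payload_length]


if __name__ == "__main__":
    # Constructed 'memory' that happens to sit after the record in the heap.
    adjacent = b"session=9f3a77; -----BEGIN PRIVATE KEY-----"
    honest = build_heartbeat(b"hello", 5)
    print(handle_heartbeat_vulnerable(honest, adjacent))     # b'hello'
    malicious = build_heartbeat(b"hello", 0xFFFF)            # claims 64 KB, sends 5 bytes
    print(handle_heartbeat_vulnerable(malicious, adjacent))  # padding plus the secret
    print(handle_heartbeat_fixed(malicious, adjacent))       # None
```

The honest request is answered identically by both handlers; only the lying length separates them, which is why the bug went unnoticed for two years.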

Bots in SSL clothing

Encryption cuts both ways: the same SSL connection that protects a customer's data can be used to exfiltrate confidential data and files past network controls. Attackers have also succeeded in hiding malware command-and-control traffic, such as that of the Zeus botnet, inside SSL sessions that were once considered safe.

“Hackers and cybercriminals are increasingly using SSL sessions to dodge network security defenses,” says Ananda Rajagopal, vice president of Product Management at Gigamon.

That is the first cause for concern: the growing share of enterprise network traffic that is SSL encrypted. Rajagopal cites an independent study by NSS Labs estimating that 25% to 35% of enterprise traffic is SSL encrypted, and growing; in some verticals the share is higher.

Additionally, “Gartner believes that, in 2017, more than half of the network attacks targeting enterprises will use encrypted traffic to bypass controls, up from less than 5% today,” Rajagopal adds.

Unsafe sessions

The second reason security leaders should not be complacent about SSL encryption is that many security and performance monitoring tools today cannot see inside encrypted sessions at all.

Inline devices such as application delivery controllers and firewalls can terminate and inspect SSL, but out-of-band monitoring and security tools fed from a TAP or SPAN port often cannot. Passive decryption needs a copy of the server's private key, and even then it only works for sessions negotiated with RSA key exchange: cipher suites that use ephemeral Diffie-Hellman (DHE or ECDHE) give forward secrecy, so an observer holding only the server key cannot recover the session keys. Such tools are left to monitor network usage patterns and analyze security and application performance from connection metadata alone.

Because SSL traffic flies under the radar, malware can use SSL sessions to hide its activity, turning unmonitored SSL traffic into a threat vector.
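What an out-of-band tool can still see without decrypting anything is the handshake. The Python below is an added example, not from the article or from Gigamon: it constructs a TLS record carrying a ClientHello, then parses it the way a passive monitor would, pulling out the client's maximum protocol version, the Server Name Indication and the offered cipher suites. It also flags two things a practitioner cares about: an SSL 3.0 offer (the version POODLE exploits) and whether every offered suite uses ephemeral Diffie-Hellman, in which case a passive decryptor holding only the server's private key cannot recover the session keys whatever the server picks. The cipher-suite table is a small subset of the IANA registry; the zeroed random and the host names are constructed sample input.

```python
import struct

# Subset of the IANA TLS cipher suite registry, enough for the demo.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
SSL3, TLS12 = (3, 0), (3, 3)


def build_client_hello(server_name: str, suites: list, version=TLS12) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with one SNI extension.
    Sample input for the parser below; the 32-byte random is zeroed for reproducibility."""
    name = server_name.encode("ascii")
    name_list = struct.pack("!BH", 0, len(name)) + name          # one host_name entry
    sni_ext = struct.pack("!H", len(name_list)) + name_list
    extensions = struct.pack("!HH", 0, len(sni_ext)) + sni_ext   # extension type 0 = server_name
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes(version) + b"\x00" * 32 + b"\x00"               # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract the metadata a passive monitor can read from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # session_id (length-prefixed)
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression_methods (length-prefixed)
    sni = None
    if pos + 2 <= len(body):                       # extensions are optional
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if ext_type == 0 and len(data) >= 5:   # server_name: list len, name type, name len, name
                (name_len,) = struct.unpack("!H", data[3:5])
                sni = data[5:5 + name_len].decode("ascii", "replace")
    names = [CIPHER_SUITES.get(s, "unknown_0x%04X" % s) for s in suites]
    forward_secret = [n.startswith(("TLS_DHE_", "TLS_ECDHE_")) for n in names]
    return {
        "version": version,
        "sni": sni,
        "cipher_suites": names,
        "offers_sslv3": version == SSL3,            # POODLE territory
        # True means a passive decryptor with only the server's private key is useless
        # for this session no matter which of the offered suites the server selects.
        "all_offered_suites_forward_secret": all(forward_secret),
    }


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("bank.example", [0xC02F, 0xC02B])))
    print(parse_client_hello(build_client_hello("legacy.example", [0x002F], version=SSL3)))
```

The SNI and suite list are enough to build an inventory of which internal servers still accept RSA key exchange or SSL 3.0, which is the practical first step before deciding where decryption is even possible and where inline termination is the only option.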

Strained tools

The third reason: even the performance management tools and out-of-band security tools that can decrypt SSL pay a price for it. Users have reported a significant decline in performance once decryption is switched on.

“Security administrators are using larger ciphers for increased security today,” says Rajagopal. “A study by NSS Labs noted a performance degradation of 81% in existing SSL architectures.”

Many inline tools, such as SSL proxies and application load balancers, lack the scalability to handle the traffic volume from multiple TAPs across the network, or to filter and replicate decrypted traffic to multiple monitoring tools. They also offer no visibility or traffic-intelligence features for traffic that was never encrypted in the first place.

SSL decryption offload

For these reasons, dedicated hardware is needed to provide visibility into SSL sessions by decrypting them at high throughput, so that downstream tools can detect threats or performance issues.

To achieve this, Gigamon offloads SSL decryption to its Visibility Fabric platform, where the modular GigaSMART high-performance traffic intelligence engine decrypts SSL traffic and forwards it to tools for analysis. GigaSMART modules can be added to a node or to a cluster in the Visibility Fabric to increase SSL decryption throughput as SSL processing needs increase.

This not only eliminates the need for a separate decryption license on each tool but also delivers decrypted traffic to security and application performance tools, or to any tool port in the cluster.

To prevent loss of sensitive information, decrypted traffic can be sliced to drop irrelevant or private payload data, and fields within the payload can be masked before the traffic reaches the tools. Private keys stored on the platform are encrypted under a dedicated password that is distinct from the system admin password.

“By delivering SSL decryption as a common service to security and performance management tools, the tools can return to full performance,” Rajagopal explains. “Further, because SSL is at the heart of today’s enterprise infrastructure, endpoints and DMZ servers are potentially exposed to attacks without the right level of traffic visibility.”

With a traffic intelligence application that provides visibility into SSL sessions, administrators gain insight into the infrastructure blind spots described above and can better guard endpoints and servers.

This is a QuestexAsia feature commissioned by Gigamon.