
Sunday, May 26th, 2019

Secure Your Cloud

Security-performance balance in combating encrypted threats

A key discovery from F5 Labs’ study of a decade's worth of breach cases is that companies usually know only a small fraction of what went on in the attacks that led to a breach. The causes include failures in several areas: visibility, logging, monitoring and alerting, and communication.

What has been obvious, however, is that applications and identities were the initial targets in 86% of breaches. Breaches that start with application attacks are costly, accounting for 47% of the breach costs, albeit only 22% of the total breached records.

One way of addressing this risk, as the F5 Labs 2018 Application Protection Report highlighted, is to encrypt confidential application data and protect the key that decrypts it. Indeed, privacy and security concerns have led to more than 80% of internet page loads now being encrypted with Secure Sockets Layer (SSL) or Transport Layer Security (TLS), which secure the link between a web server and a browser.

The downside is that SSL/TLS-encrypted channels can also be used by attackers to hide attacks and malware from security devices. Further, many inspection devices, such as next-generation firewalls, IDS/IPS sensors and malware sandboxes, either lack visibility into encrypted SSL/TLS traffic or suffer degraded performance when they decrypt it.

Still, faced with myriad threats such as distributed denial-of-service (DDoS), sidejacking, SSL man-in-the-middle, and renegotiation attacks, IT security teams need to protect their organizations’ entire web presence. 

Low-consumption protection

This calls for app infrastructure protection that defends the systems the applications depend on from attacks on TLS, the Domain Name System (DNS), and the network.

At the TLS tier of an app, attacks could target the keys used to decrypt confidential data and establish authenticity, or use captured or reverse-engineered session IDs to take control of a legitimate user’s web application session while it is still in progress.

To provide full visibility into the data moving in and out of the network, organizations need encryption that, in the interest of performance, does not consume a large amount of resources, particularly CPU time on servers. The F5 BIG-IP platform, for example, offers an array of solutions to drive security without increasing network latency. 

The F5 platform takes advantage of elliptic curve cryptography (ECC), an advanced class of encryption algorithms that reduces CPU overhead while maintaining or improving security with smaller key sizes. IT teams are also moving toward a solution that maintains a single round of encryption for the entire connection, from client to server, while allowing the use of a variety of tools, such as data leak prevention (DLP), pre-access authentication, and load balancing, for secure and efficient application delivery.

With authentication, authorization, and accounting, the BIG-IP device prevents unauthorized users, even attackers masquerading as valid users, from entering or reaching critical systems to attempt exploits. In DDoS scenarios, a high-performance device can redirect attacking connections to a quarantine network so public-facing networks remain available to actual users.

Know your bits

Full visibility into encrypted traffic also requires high-performance decryption and encryption of inbound and outbound SSL/TLS traffic to enable inspection and quicker threat detection. This is where SSL Orchestrator goes beyond mere SSL awareness and offload to provide robust decryption/encryption of SSL/TLS traffic driven by policy-based orchestration capabilities across any network topology, device or application.

Such a unified application delivery architecture can provide optimal security, performance and availability services to each application, wherever and however they are deployed.

While SSL Orchestrator's primary role is to decrypt traffic, send the decrypted traffic to external security devices for inspection and then re-encrypt it, the F5 BIG-IP Local Traffic Manager (LTM) is the application delivery controller function of the BIG-IP product line. It is a traditional full reverse proxy and load-balancing component that also provides SSL decryption and re-encryption.

SSL Orchestrator draws on BIG-IP LTM, among other components from multiple product modules. Based on the F5 full-proxy architecture, security services such as IDS, IPS and NGFW can be load balanced, monitored, skipped if they fail, and reusably "chained" together in logical flows. Individual TCP flows can be steered through different service chains based on various criteria, all within a single set of hardware-accelerated decrypt and re-encrypt operations.
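The steering logic described above (classify a flow, run it through an ordered chain of inspection services, skip a service whose health check fails), as an added illustration that is not F5 code and does not reproduce SSL Orchestrator's implementation. The three inspection functions, the policy table, the malware marker and the sample flows are all constructed; TLS termination itself is out of scope, and the `plaintext` field stands for what the proxy sees after decryption. The `fail_open` flag is an assumption added to show the choice a practitioner has to make when a service in the chain is down.

```python
"""Constructed simulation of policy-based service chaining for decrypted
traffic. Not F5 code: the services, policies and flows are all made up."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# ---- constructed inspection services (stand-ins for IDS, DLP, NGFW) ----
MALWARE_MARKER = b"<constructed-malware-signature>"  # constructed, not a real IoC
CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,16}\b")     # crude card-number pattern


def ids_inspect(payload: bytes) -> bool:
    """Allow unless the constructed malware signature appears."""
    return MALWARE_MARKER not in payload


def dlp_inspect(payload: bytes) -> bool:
    """Allow unless something that looks like a card number would leave."""
    return CARD_RE.search(payload) is None


def ngfw_inspect(payload: bytes) -> bool:
    """Allow unless the decrypted request tries to open a CONNECT tunnel."""
    return not payload.startswith(b"CONNECT ")


@dataclass
class Service:
    name: str
    inspect: Callable[[bytes], bool]
    healthy: bool = True      # set by an out-of-band health monitor
    fail_open: bool = True    # assumption: skip when down (True) or block (False)


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    sni: str
    plaintext: bytes          # payload as seen after TLS decryption


@dataclass
class Policy:
    name: str
    match: Callable[[Flow], bool]
    chain: List[str]          # service names, in inspection order


@dataclass
class Decision:
    policy: str
    ran: List[str] = field(default_factory=list)
    skipped: List[str] = field(default_factory=list)
    blocked_by: str = ""      # empty means the flow may be re-encrypted and forwarded

    @property
    def allowed(self) -> bool:
        return self.blocked_by == ""


SERVICES: Dict[str, Service] = {
    "ids": Service("ids", ids_inspect),
    "dlp": Service("dlp", dlp_inspect),
    "ngfw": Service("ngfw", ngfw_inspect),
}

# First matching policy wins; the last entry is the catch-all chain.
POLICIES: List[Policy] = [
    Policy("guest-wifi", lambda f: f.src_ip.startswith("10.99."), ["ngfw", "ids", "dlp"]),
    Policy("outbound-web", lambda f: f.dst_port == 443, ["ids", "dlp"]),
    Policy("default", lambda f: True, ["ids"]),
]


def select_policy(flow: Flow, policies: List[Policy] = POLICIES) -> Policy:
    return next(p for p in policies if p.match(flow))


def steer(flow: Flow, services: Dict[str, Service] = SERVICES,
          policies: List[Policy] = POLICIES) -> Decision:
    """Run one decrypted flow through the chain its policy selects."""
    policy = select_policy(flow, policies)
    decision = Decision(policy.name)
    for name in policy.chain:
        svc = services[name]
        if not svc.healthy:
            decision.skipped.append(name)
            if svc.fail_open:
                continue          # chain keeps going without this service
            decision.blocked_by = name  # fail-closed: a down service blocks
            break
        decision.ran.append(name)
        if not svc.inspect(flow.plaintext):
            decision.blocked_by = name
            break
    return decision


if __name__ == "__main__":
    sample = Flow("10.99.0.5", 443, "shop.example", b"CONNECT internal:443 HTTP/1.1")
    print(steer(sample))
```

The `fail_open` default mirrors the "skipped if failed" behaviour in the text; the usage note worth keeping is that a skipped service is also a blind spot, so the `skipped` list should reach the SIEM rather than being discarded.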

The F5 SSL Orchestrator and the F5 BIG-IP LTM, along with the F5 Advanced WAF, enable organizations to simplify and accelerate a highly secure infrastructure that inspects encrypted traffic, provides end-to-end encryption, and protects SSL/TLS protocol. 

With support for Hardware Security Modules too, the F5 BIG-IP platform is highly adaptable to an organization’s changing needs – stopping attacks while continuing to provide users the high-performance application experience that they need and expect.

This is a QuestexAsia feature commissioned by F5 Networks Asia Pacific.