The SSL Encrypted Traffic Threat: Common Apps Pose Danger
by
Darrin Coulson,
Senior Director of Business Development
4/5/2010
Encrypted
traffic is growing rapidly because of enterprise-wide use of SSL-based
applications such as SharePoint, Exchange, WebEx, Salesforce.com and Google
Apps. Most web mail services, such as Gmail and Yahoo, and most desktop e-mail
clients also use SSL to encrypt their communications.
Although this
encrypted traffic protects end-user data, it also creates security "blind
spots." The security infrastructure put in place to protect the enterprise
inspects packet payloads, and it cannot inspect a payload it cannot decrypt, so
threats carried inside SSL sessions pass it untouched. Traffic to enterprise SSL
servers might be hiding attacks that bypass the existing security measures, and
SSL gives criminals a convenient vehicle for hiding their activity, as in the
case of several recent well-publicized attacks.
In addition to
the risks of incoming threats hiding within SSL, outbound enterprise SSL traffic
is now a growing problem. This is becoming quite a "hot button" for security
applications that tackle data loss prevention (DLP), compliance reporting, etc.
-- solutions that could, at one time, see what outgoing traffic contained, are
suddenly "in the dark" as applications switch to using SSL.
This article
explores the drivers behind the increase in SSL usage and the challenges that
SSL creates for the network security teams tasked with managing it.
SSL Usage
SSL has become
the ubiquitous choice for securing web-based transactions. As a security layer
that sits above TCP and provides authenticated and encrypted communications,
SSL is used by a wide range of applications in addition to the familiar web
(HTTPS) usage.
Specifically,
for end users, SSL has long been used to secure web-based transactions to enable
e-commerce and online banking. Over time, the simplicity that SSL provides has
made it the perfect vehicle to migrate many applications to a web-based model
for new online services such as viewing medical records, ordering prescriptions,
filing federal, state, and local tax returns and other government uses. In
addition, new cloud based and enterprise applications such as Salesforce.com,
Exchange, SharePoint and most of the web-based email applications on the market
such as Gmail and Yahoo, all use SSL to encrypt traffic.
In the
enterprise, SSL is most often used to encrypt traffic leaving the enterprise to
provide data security between remote locations and across a public network. SSL
is also used inside the enterprise to secure sensitive transmissions, such as
human resource data, between departments or groups and to ensure privacy for
corporate activities, such as business development, mergers and acquisitions.
Growth
SSL encrypted
communications constitute a significant and growing percentage of network
traffic in the enterprise as the mainstream applications start to switch to 100
percent SSL encryption. Surveys have shown that between 25 and 35 percent of
enterprise traffic is SSL-encrypted and can be 70 percent or more in select
market verticals.
Conflicting compliance requirements
It is clear
that there are legitimate needs for encrypted data within the enterprise and
to and from it. IT managers are well aware of this need, yet the privacy
benefits that SSL encryption provides can be overshadowed by the risks that SSL
brings to the enterprise network.
In many
instances there are conflicting requirements to both encrypt and examine the
same data within the enterprise. In typical installations these seemingly
incompatible requirements cannot both be met with acceptable performance. This
SSL conundrum has wreaked havoc for organizations subject to industry and
government compliance mandates (HIPAA, SOX, PCI), which require intrusion
prevention and detection to ensure that only authorized individuals have access
to applications and data. Often these same mandates require organizations with
publicly accessible networks to be able to provide law enforcement agencies
with documentation of network activity, so all traffic, including encrypted
communications, must be logged and tracked, which for encrypted sessions means
it must first be decrypted.
Attacks using SSL sessions
As the level of
SSL traffic in networks increases, enterprises are becoming aware that SSL
traffic is actually increasing the risks to their network. While it may seem
paradoxical that increased use of encryption can increase the threats to an
enterprise it is indeed the case.
To understand
the threat, consider a typical enterprise network running a number of internal
SSL servers which are hosting services for customers and also having internal
users connecting to SSL services on the public Internet. The problem arises
because the current enterprise security system, which prevents incoming attacks
on servers over HTTP, cannot detect or prevent attacks over HTTPS. Devices such
as Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) are
essentially blind to SSL traffic.
At the same
time, any enterprise security systems in place to detect and prevent
unauthorized data leakage, such as DLP and Network Forensics appliances, are
also incapable of performing their function if the data is within an SSL
session; for example Gmail or other common SSL encrypted communication
applications.
In order to
address the increased risk, enterprises require the means to allow the existing
security infrastructure to work when the traffic concerned is SSL. This can be
achieved if a decrypted copy of the SSL flow is made available to the security
appliance.
Transparent SSL Proxies
In order to
reduce the risks from increased use of SSL, an enterprise network can set up a
Transparent SSL Proxy that will make un-encrypted versions of SSL flows
available to the existing security appliances in the network.
Transparent SSL
proxies carry out a number of functions in order to make decrypted SSL traffic
available to the existing security appliance. These functions include:
- finding SSL sessions, as these are not always on port 443;
- providing access to decrypted SSL traffic that is to/from a server in the enterprise;
- providing access to decrypted SSL traffic that is to/from a server on the Internet; and
- enabling management control over which SSL traffic should be decrypted.
Essentially the
transparent SSL proxy terminates the SSL session and re-encrypts it, so that the
client and server each see an SSL session as before, while the proxy hands a
copy of the plaintext to the attached security appliance, which can then inspect
it for threats. In practice this is two sessions joined at the proxy rather than
one end-to-end session: for traffic to the enterprise's own servers the proxy
decrypts with those servers' private keys, and for traffic to servers on the
Internet it must present the client with a certificate issued by a CA the
client trusts, which is why these deployments require an enterprise CA
certificate on the managed endpoints. The plaintext copy given to the appliance
is exactly what the encryption was protecting, so the link between proxy and
appliance needs the same protection as the data it carries. Policy control over
which SSL sessions are sent to the attached security appliance for inspection is
required, as not all SSL traffic in the enterprise should be inspected.
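The first and last functions in the list above, finding SSL sessions by content rather than by port and deciding by policy which sessions to decrypt, come down to recognizing a TLS ClientHello in the first client-to-server bytes of a flow and reading the Server Name Indication (SNI) it carries. The following is an added example written for this article, not Netronome code: it parses a ClientHello, extracts the SNI, and applies a hypothetical bypass list (the `bank.example` and `health.example` suffixes are assumptions) so that sessions which policy says must stay private are passed through undecrypted. The sample flows at the bottom are constructed, not captured traffic, and include TLS on a non-standard port and plain HTTP on port 443 to show that the port plays no part in the decision.

```python
"""Content-based TLS detection, SNI extraction and a decrypt/bypass policy.
Added example (not the article's or Netronome's code)."""
import struct
from typing import Optional

HANDSHAKE = 0x16        # TLS record content type for handshake messages
CLIENT_HELLO = 0x01     # handshake message type
EXT_SERVER_NAME = 0x0000

# Hypothetical bypass list: name suffixes policy says must never be decrypted.
NO_DECRYPT_SUFFIXES = ("bank.example", "health.example")


def parse_client_hello(data: bytes):
    """Return {'version', 'ciphers', 'sni'} if `data` starts with a complete
    TLS ClientHello record, else None (non-TLS or not yet enough bytes)."""
    if len(data) < 5 + 4:
        return None
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", data[:5])
    # Record header: handshake type, version 3.x (SSLv3 .. TLS 1.3), sane length
    if ctype != HANDSHAKE or vmaj != 3 or vmin > 4 or rlen < 4:
        return None
    body = data[5:5 + rlen]
    if len(body) < rlen:                       # record still truncated
        return None
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    if htype != CLIENT_HELLO or hlen > len(body) - 4:
        return None
    hs = body[4:4 + hlen]
    try:
        pos = 0
        cv_maj, cv_min = hs[pos], hs[pos + 1]; pos += 2
        pos += 32                              # client random
        sid_len = hs[pos]; pos += 1 + sid_len  # session id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        ciphers = [struct.unpack("!H", hs[pos + i:pos + i + 2])[0]
                   for i in range(0, cs_len, 2)]
        pos += cs_len
        comp_len = hs[pos]; pos += 1 + comp_len
        sni = None
        if pos + 2 <= len(hs):                 # extensions are optional (older clients)
            ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
                edata = hs[pos:pos + elen]; pos += elen
                if etype == EXT_SERVER_NAME and len(edata) >= 5:
                    # server_name_list: u16 list length, then (u8 type, u16 len, name)
                    name_type = edata[2]
                    name_len = struct.unpack("!H", edata[3:5])[0]
                    if name_type == 0:         # host_name
                        sni = edata[5:5 + name_len].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return {"version": (cv_maj, cv_min), "ciphers": ciphers, "sni": sni}


def decrypt_policy(data: bytes) -> str:
    """'inspect'   -> TLS; hand a decrypted copy to the security appliance
       'bypass'    -> TLS, but policy says pass it through untouched
       'cleartext' -> not TLS; the appliances can already read it"""
    hello = parse_client_hello(data)
    if hello is None:
        return "cleartext"
    sni = hello["sni"] or ""
    if any(sni == s or sni.endswith("." + s) for s in NO_DECRYPT_SUFFIXES):
        return "bypass"
    return "inspect"


def classify_flows(flows):
    """flows: list of (dst_port, first_client_bytes). The port is reported but
    never consulted, so TLS on 8443 is caught and plain HTTP on 443 is left alone."""
    out = []
    for port, data in flows:
        hello = parse_client_hello(data)
        out.append((port, decrypt_policy(data), hello["sni"] if hello else None))
    return out


def build_client_hello(sni: Optional[str], version=(3, 3),
                       ciphers=(0xC02F, 0xC030)) -> bytes:
    """Constructed test input: a minimal but well-formed ClientHello."""
    body = bytes(version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                               # one compression method: null
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


# Constructed sample flows (not captured traffic)
SAMPLE_FLOWS = [
    (443,  build_client_hello("mail.google.com")),
    (8443, build_client_hello("sharepoint.corp.example")),   # TLS off port 443
    (443,  build_client_hello("login.bank.example")),        # policy says bypass
    (443,  b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),     # plain HTTP on 443
    (993,  build_client_hello(None, version=(3, 1))),        # TLS 1.0 IMAP client, no SNI
]

if __name__ == "__main__":
    for port, decision, sni in classify_flows(SAMPLE_FLOWS):
        print(f"port {port:>5}  {decision:<9}  sni={sni}")
```

A session with no SNI (the last sample) still has to be classified; here it defaults to inspection, and a production proxy would fall back to the destination IP or the server certificate it sees on the server side of the connection. Note also that the decision is made on the handshake bytes alone, so a proxy using this logic can act before any application data is exchanged, which is what allows the bypass to be a true pass-through rather than a decrypt-and-discard.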
In order to
provide the ability to inspect all SSL traffic, a transparent SSL proxy needs to
be an in-line device with all network traffic passing through it. As the device
sees all the traffic, not just the SSL traffic, it must be capable of line rate
performance and should not become a bottleneck for either SSL traffic or non-SSL
traffic. An effective transparent SSL proxy solution provides great performance
at both the network and application levels as well as multiple-interface support
for applications to tap into SSL streams. By providing applications with access
to the plaintext in SSL streams, the transparent proxy enables IT managers to
implement policy control and regulate network users--often necessary for
compliance.
Conclusion
With the amount
of SSL-encrypted traffic forecasted to continue to increase significantly,
security managers realize the need to have some level of "visibility" into this
growing component of enterprise traffic for the many different security
appliances in their network. Also, they are realizing that treating this
solution as a "feature" for each and every security appliance will hamper their
network performance and reliability. To date, it has been difficult, if not
impossible, to satisfy the competing requirements for security, performance and
control.
With the
introduction of Transparent SSL Proxies, network administrators can apply a
single solution to their overall SSL policy management and inspection needs
quickly and transparently. A solution of this type meets the growing challenges
that come with SSL encrypted traffic and protects the investments already made
in the security architecture.
About the Author
Darrin Coulson is the Senior
Director of Business Development for the enterprise security products at
Netronome. Darrin has 20+ years of experience in the technology industry,
from networking to business video providers. Prior to Netronome he spent 5
years in the business video space serving as the Chief Operating Officer of
the publicly traded Sonic Foundry, where he oversaw channels, sales, services
and operations. Before that, Darrin spent nearly 10 years
at Fore Systems/Marconi, a networking hardware and services company selling
high speed networks working alongside many of the current Netronome team
members. He held several senior management positions in sales and
operations. As the executive in charge of Global Services for FORE and then
Marconi he built the infrastructure to support some of the "fastest"
progressive networks with leading edge technology around the globe.
About Netronome
Netronome is a
leading developer of highly programmable semiconductor products that are
used for intelligent flow processing in network and communications devices.
Netronome's solutions include network flow processors and acceleration cards
that scale to 100 Gbps. They are used in carrier-grade and enterprise-class
communications products that require deep packet inspection, flow analysis,
content processing, virtualization and security. Netronome's products are
developed in labs in Santa Clara, CA, Boxborough, MA and Pittsburgh, PA. To
learn more about Netronome and its products, please visit
www.netronome.com