Application security

SSL: The handshake that requires scrutiny

Secure Sockets Layer (SSL)-encrypted communications constitute a significant and growing percentage of the traffic in the enterprise LAN and WAN. However, as many IT managers are aware, the privacy benefits provided by SSL can be overshadowed by the vulnerabilities encryption brings to the enterprise network.

While SSL encryption provides privacy and protection to both corporate and individual user information, the lack of visibility into network traffic flows that it brings can also make it difficult for network administrators to enforce corporate acceptable-use policies. Additionally, SSL prevents IT organizations from ensuring that threats such as viruses, spam and malware are stopped before they reach enterprise resources. Regulatory and other compliance requirements, including identifying accidental or intentional leakage of confidential information, are also virtually impossible to meet because of SSL encryption.

This article explores the drivers behind the increase in SSL usage and the methods by which enterprises are dealing with SSL today. It also introduces a new solution that improves upon current SSL deployments by removing the problems that existing methods create.

SSL provides an end-to-end encrypted session between client and server that protects both enterprise and personal user information. The enterprise most often uses encryption for traffic leaving the LAN: between remote locations across a public network, to remote locations via an intranet, and to partner networks via an extranet. Enterprises also require encrypted communications to individual mobile users who depend upon remote access via a VPN. In a growing number of cases, SSL encryption is also being used within the LAN to provide security for sensitive information, such as human resource data, or corporate activities, such as business development, mergers and acquisitions.

Individual users also have similar needs for data security and encryption. They require secure communications for their remote access VPN sessions, as well as data protection for their information, as most firms allow employee personal transactions within their acceptable use policies. These may include secure web communications, online banking, access to external email accounts or processing of human resources and benefits, such as ordering medications from a health care provider. In the personal use cases, the enterprise has no need or desire to inspect the data. And in light of all of the cases, it is clear that there are legitimate needs for encrypted data within, to and from the enterprise.

While SSL-encrypted communications easily and reliably provide data protection and security for sensitive information, they unfortunately have the adverse effect of introducing a new set of problems for network operators. SSL encryption successfully ensures that data is useless to potential interceptors, yet also makes it difficult or impossible for network operators to verify that the encrypted information complies with corporate and government regulatory policies.

Without the ability to examine the contents of SSL communications, network operators leave open the possibility for information to be accidentally or intentionally leaked out of the enterprise. It also provides the opportunity for a wide range of malware to enter. Network operators already deploy a series of network and security appliances to protect their enterprises, enforce internal corporate acceptable use policies and satisfy external government regulation such as Sarbanes-Oxley (SOX), the Communications Assistance for Law Enforcement Act (CALEA), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).

These appliances provide solutions for detecting rogue applications, controlling unrestricted web surfing, firewalls, VPNs, network access control (NAC), intrusion detection (IDS), intrusion prevention (IPS), unified threat management (UTM), virus protection, spam control and many others. They work almost entirely by performing deep packet inspection and flow analysis, looking for known patterns of malicious activity and logging or blocking it. Unfortunately, these network and security appliances are becoming less and less effective as the amount of encrypted SSL communications and traffic continues to grow.

Numerous corporate and government regulations for privacy and compliance exist. Ironically, just as many regulations require encryption to protect electronic communications as there are regulations that require their examination. In this environment, network operators face two extremes: taking a draconian approach and blocking SSL communications entirely, or wholly allowing SSL communications. The latter choice greatly reduces the effectiveness of their network and security appliances due to their inability to examine encrypted flows. Neither of these alternatives is practical within current designs.

Today, most network operators permit encrypted communications, but only through SSL proxies that allow the IT organization to examine the content before it enters or exits the enterprise. SSL proxy appliances provide the opportunity to examine the contents of network traffic, yet still offer encryption prior to leaving the enterprise. Unfortunately, traditional SSL proxies create their own set of problems. First, they are inserted in the network path, becoming increasingly congested bottlenecks as their performance fails to keep pace with the rate of expansion of network capacity and bandwidth. (As network interfaces have moved from hundreds of megabits-per-second to tens of gigabits-per-second, network and security appliances' bandwidth has remained far below a gigabit-per-second.) Second, the designs assume that all SSL traffic is blocked except that which goes through the proxy. This requires network topology and policy configuration, as well as potential application considerations. Third, end-users may still not have full trust that their personal information is secure, since they must trust the enterprise to behave appropriately. Fourth, as an active network element, a proxy requires device IP configuration and likely network topology changes to engineer into the network. Finally, it often requires costly configuration of all clients and each of their SSL-capable applications with the proxy server's information.

A new class of SSL proxy is entering the market that provides many of the benefits of existing ones, but also removes or mitigates the negative impacts currently associated with them. These devices, known as transparent SSL proxies, perform the tasks of legacy devices by providing a unique place in the IP network where encrypted SSL traffic can be inspected as plaintext before it enters or exits the LAN, WAN or datacenter.

Unlike their traditional counterparts, the transparency of this new class is defined by the fact that they are deployed as a "bump-in-the-wire," in which they are not active endpoints in the network. As a result, they do not require any IP address assignment or configuration, thereby removing any complicated configuration requirements or IP network topology changes. They can easily be added to or removed from the network by simply connecting or disconnecting their input and output network connections. The transparency also means that the SSL proxy function is hidden from the end user, removing the need for time-consuming and costly client device and application configuration. These transparent SSL proxies are also built on a new generation of technology that allows for line-rate network performance with SSL encryption and decryption, along with analysis of the plaintext by performing Layer 4-7 classification and DPI in hardware.

Finally, these new devices have been engineered from the ground up to account for legitimate acceptable use cases for personal SSL encryption within the enterprise that the network operator and IT staff should not be permitted to analyze. This is addressed through exception handling and personal "white-listing" for permitted activities.

With the amount of SSL-encrypted traffic forecasted to continue to increase, IT network operators are looking for new solutions that satisfy their need for information security for the enterprise and individual users, as well as the requirement for corporate compliance of acceptable use policies and government regulations for both security and privacy. The solution must also be provided without impact to network performance, because providing compliance at the expense of throughput is no more acceptable than meeting user and application bandwidth requirements while ignoring security. To date, it has been difficult, if not impossible, to satisfy these competing requirements for security, performance and control. Thankfully for enterprise network operators, a next-generation of high-speed, transparent SSL proxies is now poised to deliver it.
