
Get a glimpse into your VPN tunnels

You have built a nice, solid SSL VPN gateway. Your users have no trouble connecting to your online banking system. The endpoints are solid and secure. Nothing to worry about, right? You might want to rethink that analysis. Suppose bad guys connect to your site through the VPN. Perhaps they are using hijacked credentials from a legitimate customer and are spoofing that user. While our interlopers are inside your network, they lay an egg: a nice little bot-type egg.

The result: The bot wanders about in your network happily harvesting credit card numbers and user credentials. The bot sends the harvested data to a command-and-control center somewhere on the internet and before you know it your customers' accounts are being emptied. But you had a solid VPN. How could this have happened?

It happened because a VPN does not authenticate a person to the network. It authenticates a session. While the good news is that the data traveling over the tunnel cannot be intercepted, the bad news is that the data traveling over the tunnel cannot be intercepted. Even by you. All of the botting and harvesting slipped right past you, all neatly concealed by the VPN. What you need is a way to see inside the tunnel without disrupting the security of the tunnel. Ask, and you shall receive.

A new product from Netronome called SSL Inspector is just the ticket for solving this problem. Netronome claims to be the first product of its type that does both in-band and out-of-band analysis. That's very nice for a product that is intended to be part of a data leakage prevention regimen. But, there is a lot more to this product than that.

First, consistent with most of today's security gateway products, SSL Inspector is policy driven. And those policies can be quite granular. Setting the policies up is simply a matter of drag and drop. The SSL Inspector can report on violations of policy or it can enforce them. Your choice.

The appliance supports networks of up to 10Gbps, and it really does not matter whether it is deployed inline or out-of-band. The appliance is fully transparent to the VPN. There are several operational modes – known server key, certificate re-signing and self-signed certificate – but, in general, the device intercepts an SSL-encrypted flow, uses one of several methods to decrypt the flow, reads the data (and feeds it off to a data leakage prevention appliance or an IDS) and then re-encrypts it with the same certificate so that the analysis is transparent to the applications using the VPN.

If the appliance is inline, it can implement its policies, stopping bad data before it can cause damage to the enterprise. When it is in passive mode, it simply processes traffic from a network tap or a span port on a switch. It sends the processed traffic to an application external to the device, such as a data leakage prevention tool, anti-malware or an intrusion detection system (IDS).

One important area of concern in the enterprise is what happens when a failure occurs in an appliance such as the SSL Inspector. The device offers two options: fail-to-appliance and fail-to-network. This allows administrators to select the behavior of the appliance when a failure occurs.

Of course, when traffic is not SSL encrypted, the appliance knows it and passes it on undisturbed. In general, there are three policy groups: traffic diversion, SSL inspection and reset generation. Within these, there are a large number of options that offer the most complete set of policies I've seen.
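As an added illustration, not Netronome's code and not from the review, here is a small Python model of the traffic-diversion and reset-generation stages just described: a flow that does not start with a TLS ClientHello is passed undisturbed, otherwise the server name (SNI) is read from the ClientHello and a policy table decides whether the flow is diverted into the decrypt/analyse path, reset, or passed. The policy entries and the ClientHello builder are constructed for the example; real appliances key policies on far more than SNI.

```python
import struct

TLS_HANDSHAKE, CLIENT_HELLO, EXT_SNI = 0x16, 0x01, 0x0000

def is_tls_client_hello(data):
    """Only a flow whose first record is a TLS ClientHello is treated as SSL/TLS."""
    return len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[5] == CLIENT_HELLO

def extract_sni(data):
    """Return the server_name from a ClientHello, or None if absent or malformed."""
    try:
        pos = 5 + 4 + 2 + 32                                  # record hdr, hs hdr, version, random
        pos += 1 + data[pos]                                  # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]  # cipher suites
        pos += 1 + data[pos]                                  # compression methods
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == EXT_SNI:                              # list len(2), name type(1), name len(2), name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

# Constructed policy table: SNI suffix -> action ("inspect" diverts into decryption, "reset" tears down).
POLICY = [("bank.example", "inspect"), ("blocked.example", "reset")]

def decide(data):
    """Pass non-TLS and unmatched flows, divert matched ones to inspection, or reset them."""
    if not is_tls_client_hello(data):
        return ("pass", None)                                 # not SSL: forwarded undisturbed
    sni = extract_sni(data)
    for suffix, action in POLICY:
        if sni is not None and (sni == suffix or sni.endswith("." + suffix)):
            return (action, sni)
    return ("pass", sni)

def build_client_hello(sni):
    """Constructed minimal ClientHello used as sample input (not a real capture)."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", EXT_SNI, len(sni_data)) + sni_data
    body = (b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"               # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs
```

Run `decide(build_client_hello("www.bank.example"))` to see a flow diverted to inspection, and `decide(b"GET / HTTP/1.1\r\n\r\n")` to see plaintext passed straight through.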

Overall, I liked the SSL Inspector. There is no doubt that it provides important functionality and that it does it very competently. Are there other products that do the same thing? To be sure, but not in the same way. SSL Inspector has the most comprehensive feature set and the best overall performance of any of its few competitors. It is easy to use, appropriately priced and offers full functionality for its product space.

All of this points to a well-thought-out product offering in an application that is of key importance to the enterprise.

Product: SSL Inspector
Company: Netronome
Price: $42,999 for the SI 8000C
What it does: Intercepts and decrypts SSL tunnels so that the contents can be analyzed by an external device, such as an IDS or data leakage prevention tool.
What we liked: This product really fills the bill for adding protection – especially DLP – to an SSL-encrypted tunnel.
What we didn't like: Nothing. This is the best of breed for this type of product.
