WHILE encryption can keep your network traffic safe from hackers and cybercriminals, it can also prevent your security and monitoring tools from seeing inside the packets crossing your network.
Knowing that many organisations pass encrypted traffic into their networks without full inspection, the bad guys use encryption to hide malware and launch attacks, effectively hijacking your network.
To keep defenses strong while limiting the risk of security breaches and data loss, you need to decrypt, examine, and re-encrypt all network traffic.
The burden of decryption
Devices for decryption must be powerful. Encryption algorithms are becoming longer and more complex to withstand hacking.
A test done by NSS Labs several years ago found that moving from 1024- to 2048-bit ciphers caused an average performance drop of 81% on eight leading firewalls . However, SSL decryption does not need to be performed on a firewall.
New strategies are available to offload decryption and send plain text to tools, enabling them to work efficiently and process more traffic. Here are four strategies to make decryption easier, faster, and cost-effective.
Strategy 1: Remove malicious traffic before decrypting
Many IP addresses used in cyberattacks are reused and known in the security community. Dedicated organisations track and verify known cyber threats on a daily basis, maintaining this information in an intelligence database. By comparing incoming and outgoing packets against this database, you can identify malicious traffic and block it from your network.
Because the comparison is made with packet headers in plain text format, this strategy eliminates the need to decrypt the packets. Eliminating traffic associated with known attackers reduces the number of packets to decrypt. And, eliminating traffic that would otherwise generate a security alert helps security teams improve productivity.
The fastest way to deploy this strategy is to install a special-purpose hardware appliance called a threat intelligence gateway in front of a firewall. This appliance is designed for fast, high-volume blocking, including untrusted countries, and is updated continuously by an integrated threat intelligence feed.
Once the gateway is installed, no further manual intervention is required, and no filters need to be created or maintained. Malicious traffic can be either dropped immediately or sent to a sandbox for further analysis.
Depending on your industry and how often you are targeted, you could see up to an 80% reduction in security alerts.
Alternatively, you can configure custom filters on your firewall to block specified IP addresses. Unfortunately, firewall filters must be manually configured and maintained, and there is a limit to how many filters can be created.
The explosion of connected devices and compromised IP addresses outstrips the capabilities of firewalls. Plus, using the processing cycles on an advanced device like a firewall to make simple comparisons is not a cost-efficient way to block traffic.
Strategy 2: Look for advanced decryption capabilities
Once the encrypted packets traveling from or to malicious sources is removed, a decryption device is needed to process the rest. Many security tools, such as next generation firewalls (NGFW) or intrusion prevention systems (IPS), include an SSL decryption feature.
However, a paper issued by NSS Labs warned that some tools may not have the latest ciphers, may miss SSL communications that occur on non-standard ports, may be unable to decrypt at advertised throughput, and may even fast-path some connections without performing decryption at all.
Cryptography relies on advances to stay one step ahead of the bad guys. Security solutions need to support the latest encryption standards, have access to a wide variety of ciphers and algorithms, and have the power to decrypt traffic using the larger 2048- and 4096-bit keys as well as newer Elliptic Curve keys.
As security technology grows in complexity, solutions must be able to process decryption efficiently and cost-effectively without dropping packets, introducing errors, or failing to complete a full inspection.
As the volume of SSL traffic increases, the quality of a decryption solution is more important to achieving total network visibility. In addition, Defense in Depth is a widely regarded best practice, which often involves multiple best-of-breed security devices (such as a separate firewall and IPS).
It is very inefficient for each of these devices to decrypt and re-encrypt traffic separately, which both increases latency and reduces policy effectiveness and end-to-end visibility.
Strategy 3: Choose tools with operational simplicity
Another key feature is the ease with which administrators can create and manage policies related to decryption. This is important in industries that must comply with the mandates of Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI DSS), Sarbanes- Oxley Act (SOX), and other standards.
The best solutions provide a drag-and-drop interface for creating filters and the ability to selectively forward or mask information based on pattern recognition (such as social security numbers).
They also make it easy to keep a complete record of each SSL cipher used and all exceptions related to dropped sessions, SSL failures, invalid certifications, and sessions not decrypted for policy reasons. These detailed logs are valuable for audits, forensics, and network troubleshooting and capacity planning.
Strategy 4: Plan for cost-effective scalability
As the volume of encrypted traffic increases, decryption will have a greater impact on the performance of your security infrastructure. It pays to plan ahead. While it may seem logical to simply turn on the SSL decryption feature in a firewall or unified threat management (UTM) solution, decryption is a process-intensive function.
As SSL traffic increases and more cycles are required for decryption, performance will begin to suffer, and tools may begin to drop packets.
To increase the flow of traffic through a multifunction device, the only option is to increase overall capacity. Adding capacity is a significant capital expense and some features have an extra cost to ensure the device can handle decryption.
A better option is to use a network visibility solution or network packet broker (NPB) with SSL decryption to offload security tools. Many organisations use NPBs to aggregate traffic from across the network, identify relevant packets, and distribute them at high speed to security tools.
NPBs using hardware acceleration can process traffic at line rate with no packet loss, and can automatically load balance. They also eliminate the requirement for multiple inline devices to each perform independent decryption/re-encryption.
The cost of scaling an NPB is lower than scaling most security appliances, and can provide a quick return on investment.
As more of the Internet shifts toward encrypted traffic, attacks in SSL traffic will become more common. To protect data and networks from hackers and cybercriminals, it is essential to inspect all encrypted network traffic.
An organisation that does not develop a rigorous approach to inspecting encrypted traffic will undermine network security, creating an unacceptable risk of breach and data loss.
Fortunately, new solutions are emerging that improve the efficiency and cost-effectiveness of SSL decryption.
Phil Trainor is head of Security Business at Ixia, Asia Pacific.
Related Stories:Cybersecurity still not a top priority for local enterprisesSophos advises companies to tread carefully with IoTThe smarter way of dealing with cyberattacks
For more technology news and the latest updates, follow usonFacebook,Twitter or LinkedIn.
- What Is Encryption? | Surveillance Self-Defense - December 4th, 2017
- Comodo Disk Encryption Download - softpedia.com - December 1st, 2017
- Encryption - Simple English Wikipedia, the free encyclopedia - November 24th, 2017
- BitLocker Drive Encryption Overview - technet.microsoft.com - November 23rd, 2017
- The Encrypting File System - technet.microsoft.com - November 18th, 2017
- FBI cant break the encryption on Texas shooters smartphone - November 13th, 2017
- DOJ: Strong encryption that we dont have access to is ... - November 13th, 2017
- DOJ Fires Up New War With Apple Over Encryption - November 12th, 2017
- Security Awareness - Encryption | Office of Information ... - October 15th, 2017
- Data Encryption and Decryption (Windows) - October 14th, 2017
- Trumps DOJ tries to rebrand weakened encryption as responsible ... - October 11th, 2017
- How to encrypt (almost) anything | PCWorld - September 22nd, 2017
- Private Internet Access | VPN Encryption - September 21st, 2017
- Encryption Substitutes | Privacy | Encryption - September 21st, 2017
- Data Encryption: Hardware & Software Security: Online ... - September 21st, 2017
- How To Enable BitLocker Drive Encryption In Windows 10? - September 21st, 2017
- PGP Encryption Tool - iGolder - September 21st, 2017
- encryption - How to encrypt String in Java - Stack Overflow - September 21st, 2017
- Encryption Software Market, Size, Trends and Forecast 2020 - September 21st, 2017
- Encryption Definition - Tech Terms - September 20th, 2017
- Why You Should Be Encrypting Your Devices and How to Easily Do It - Gizmodo - September 6th, 2017
- Black Hats, White Hats, and Hard Hats The Need for Encryption in Mining and Resources - Australian Mining - September 6th, 2017
- How can enterprises secure encrypted traffic from cloud applications? - TechTarget - September 6th, 2017
- Encryption Explained - Arizona Daily Wildcat - September 6th, 2017
- News in brief: Call to link encryption to ID; Facebook maps everyone ... - Naked Security - September 2nd, 2017
- 'Independent' gov law reviewer wants users preemptively identified before they're 'allowed' to use encryption - The Register - September 2nd, 2017
- High-Dimensional Quantum Encryption Performed in Real-World ... - Futurism - September 2nd, 2017
- It's Time to Replace Your Encryption-Key Spreadsheet - Data Center Knowledge - September 2nd, 2017
- Legislation to limit smartphone encryption 'may be necessary,' deputy AG Rosenstein says - Washington Times - August 31st, 2017
- Cloud Encryption Market by Component, Service Model, Organization Size, Vertical And Region - Global Forecast to ... - Markets Insider - August 31st, 2017
- Cipher Suites: Ciphers, Algorithms and Negotiating Security Settings - Hashed Out by The SSL Store (registration) (blog) - August 31st, 2017
- Encryption in Office 365 - Office 365 - August 29th, 2017
- Need-to-Know Only: Use Encryption to Make Data Meaningless to ... - Security Intelligence (blog) - August 29th, 2017
- Amber Rudd is wrong - real people do want end-to-end encryption - ITProPortal - August 29th, 2017
- Why encryption is for everyone - IFEX - August 29th, 2017
- 4D quantum encryption successful in first real-world test - New Atlas - New Atlas - August 29th, 2017
- For the First Time Ever, Quantum Communication is Demonstrated in Real-World City Conditions - Futurism - August 26th, 2017
- High-Dimensional Quantum Encryption Takes Place in Real-World ... - Photonics.com - August 26th, 2017
- Hedvig Bakes Encryption into Software-Defined Storage Platform - IT Business Edge (blog) - August 26th, 2017
- Hedvig storage upgrade adds flash tier, encryption options - TechTarget - August 26th, 2017
- How to use EFS encryption to encrypt individual files and folders on Windows 10 - Windows Central - August 26th, 2017
- Cloud Encryption Market Worth 2401.9 Million USD by 2022 - Markets Insider - August 23rd, 2017
- To Protect Genetic Privacy, Encrypt Your DNA - WIRED - August 23rd, 2017
- Data Encryption in OneDrive for Business and SharePoint Online - August 21st, 2017
- Researchers use encryption to keep patients' DNA private - Engadget - August 21st, 2017
- Additional proof that Lancaster County Commissioners should reconsider encrypting police transmissions - LancasterOnline - August 21st, 2017
- iPhone Secure Enclave firmware encryption key leaked - TechTarget - August 21st, 2017
- Encryption, speed push the modern mainframe into the future - TechTarget - August 21st, 2017
- Hardware encryption vs software encryption: the simple guide - Kroll Ontrack UK (press release) (blog) - August 21st, 2017
- Encryption Technology Could Protect the Privacy of Your DNA - Gizmodo - August 21st, 2017
- Beginner's guide to Windows 10 encryption - Windows Central - August 18th, 2017
- Encryption key for iPhone 5s Touch ID exposed, opens door to further research - AppleInsider (press release) (blog) - August 18th, 2017
- How security pros look at encryption backdoors - Help Net Security - August 18th, 2017
- The Laws of Mathematics and the Laws of Nations: The Encryption Debate Revisited - Lawfare (blog) - August 18th, 2017
- 72 percent of security pros say encryption backdoors won't stop terrorism - BetaNews - August 18th, 2017
- Ex-MI5 Boss Evans: Don't Undermine Encryption - Infosecurity Magazine - August 14th, 2017
- Despite end to end encryption, apps like WhatsApp, Messenger are still vulnerable to hacking: Study - Firstpost - August 13th, 2017
- What is Encryption? (with pictures) - wiseGEEK - August 12th, 2017
- Ex-MI5 chief warns against crackdown on encrypted messaging ... - The Guardian - August 12th, 2017
- Former UK security service head says weakening encryption would be too dangerous - 9to5Mac - August 12th, 2017
- News in brief: facial recognition planned for Carnival; spy chief backs encryption; ginger emoji planned - Naked Security - August 12th, 2017
- Avoid getting lost in encryption with these easy steps - We Live Security (blog) - August 12th, 2017
- Here's why IBM Z Mainframe Wants to Encrypt the World - Edgy Labs (blog) - August 10th, 2017
- Symantec Announces Plesk Will Integrate Symantec Encryption Everywhere Security Into Its Website Management ... - Business Wire (press release) - August 10th, 2017
- Australia: Shelve Proposed Law to Weaken Encryption - Human Rights Watch (press release) - August 6th, 2017
- IBM India Helps Create Breakthrough Encryption Technology That's Completely Hacker Proof - Indiatimes.com - August 6th, 2017
- Letter to Prime Minister Turnbull re Encryption and Human Rights - Human Rights Watch (press release) - August 5th, 2017
- Zscaler Finds Hackers Using SSL Encryption in Malware to Hide ... - eWeek - August 5th, 2017
- HBO Hack Highlights Importance of Encryption, Data Governance - eSecurity Planet - August 3rd, 2017
- UK flip-flop on encryption doesn't help anyone - CNET - August 3rd, 2017
- UpVote: Turkish regime jails IT trainers in encryption clampdown - Ars Technica UK - August 3rd, 2017
- Telegram messaging app strikes deal with Indonesia on encryption - Digital Trends - August 2nd, 2017
- Encryption is for 'Real People' - Human Rights Watch - August 2nd, 2017
- We don't want to ban encryption, but our inability to see what terrorists are plotting undermines our security - Telegraph.co.uk - August 2nd, 2017
- Real people don't need encryption - Fudzilla - August 2nd, 2017
- Ex-NSA boss questions encrypted message access laws proposed by Malcolm Turnbull - ABC Online - August 2nd, 2017
- Facebook's Sheryl Sandberg: WhatsApp metadata informs governments about terrorist activity in spite of encryption - CNBC - July 31st, 2017
- Commissioners need to rethink encryption - LancasterOnline - July 31st, 2017
- Ex-NSA chief Chris Inglis backs government's encryption push against Apple, Facebook - The Australian Financial Review - July 31st, 2017
- Oak Ridge licenses its quantum encryption method - FCW.com - July 31st, 2017