You Can’t Stop What You Can’t See
By: Darin Barton CISSP, CISA
By 2017 it is expected that 50-70% of all Internet-based traffic will be encrypted. If that is the case, then we need a serious paradigm shift in our perception of IT security – this is The Encrypted Traffic Dilemma.
It was early in 2015 when I recognized the growing void within IT security enveloping the globe. For many years I’ve been acutely aware of the challenges involved with scanning and detecting malicious SSL/TLS encrypted traffic; but it was the growing number of encrypted sites that caught my attention.
As the number of encrypted sites escalates globally, so does the focus on, and the creativity of, attacks delivered through HTTPS. The interesting thing about encrypted traffic is that both the good guys and the bad guys use it to their advantage. For years, we have felt safer knowing our web traffic was encrypted, but essentially we created a massive black hole within our networks and hoped that our endpoint security functioned at 100%. Now, as more sites and traffic become encrypted, we are faced with the greater challenge of maintaining control over an elusive and complex attack vector.
Without a doubt, as more companies focus their efforts on the Cloud and accept even more encrypted traffic, it offers a potent opportunity for hackers to apply their craft through a vector that woefully lacks security and potentially offers direct line-of-sight into corporate networks.
So, what can you do to protect yourself? Most Unified Threat Management (UTM) firewalls already have SSL inspection capability, and you may be able to capitalize on that. The best aspect of using an existing firewall is that the device is already inline, so activating the inspection feature causes little disruption to production traffic. The biggest concern with SSL inspection on pre-existing gateways is that, unless you actively scoped your appliance to perform that function (in conjunction with the other UTM capabilities), the firewall will face intensive resource issues and may become a bottleneck. If, by chance, you did scope your firewall for this function, then you can feel comfortable giving it a try: monitor it closely, and if resource utilization remains stable, you're good to go. The only other concern to mention is that firewalls typically don't have the ability to copy and forward the decrypted traffic to other security solutions (Sandbox/IPS/DLP) for further scanning – for this you would require a more advanced solution or architecture.
Typically, SSL inspection solutions should be inline and allow for the normal flow of traffic in bypass mode. The Bluecoat SSL Visibility Appliance is a single inline appliance and has the capability to copy/forward decrypted traffic to a specific destination for additional security scanning. The Bluecoat solution is a favorite among many because of its security policy granularity and ability to finely tune traffic that should be bypassed (such as personal banking transactions).
A10 Networks has designed a different solution where they create, what I call, a “DMZ style” decryption zone. This solution requires two devices where any traffic entering the zone is decrypted, scanned by your security appliances (UTM/IPS/DLP/Sandbox), and then re-encrypted when leaving the zone.
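Both architectures above depend on a decrypt-or-bypass policy applied per TLS session, typically keyed on the SNI hostname in the ClientHello. The following is an added example, not code from Bluecoat, A10 or the author, showing how such a policy can be modelled so that a "personal banking" bypass list exempts only the listed domains and their real subdomains; the domain names and categories are constructed samples.

```python
"""Decrypt-or-bypass policy for an SSL inspection point (added example).

Models the policy granularity described above: sessions to listed
sensitive domains (e.g. personal banking) are bypassed, everything
else is decrypted and forwarded for scanning.  Domains are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Decision:
    action: str   # "decrypt" or "bypass"
    reason: str   # bypass category, or why decryption was chosen


# Constructed bypass list: domain -> policy category.
BYPASS_DOMAINS = {
    "examplebank.com": "personal-banking",
    "healthportal.example": "health",
}


def _domain_matches(host: str, domain: str) -> bool:
    """True only for the domain itself or a genuine subdomain of it.

    Matching on label boundaries matters: a plain substring test would
    also exempt names like 'notexamplebank.com' from inspection.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def decide(sni: Optional[str]) -> Decision:
    """Return the inspection decision for one TLS session by its SNI."""
    if not sni:
        # Without SNI no category can be established, so inspect by default.
        return Decision("decrypt", "no-sni")
    for domain, category in BYPASS_DOMAINS.items():
        if _domain_matches(sni, domain):
            return Decision("bypass", category)
    return Decision("decrypt", "default")


if __name__ == "__main__":
    for name in ["www.examplebank.com", "notexamplebank.com", None]:
        print(name, decide(name))
```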
Surprisingly, I am seeing a very low adoption rate of measures to mitigate the gap encrypted traffic presents, and I'm not sure why. Perhaps it's a budgetary situation where organizations have been caught off guard by this dilemma and don't have additional funding; these solutions aren't cheap, but they are manageable. I believe 2016 will see an increase in adoption as concern (and word) spreads to the ears of IT executives.
Whatever your situation, it is clear that you can no longer delay inspecting SSL traffic within your organization. With each passing day, the ROI on your traditional security investments diminishes, and before you know it they may add little overall value to your secure enterprise. In 2016, work with your security partner to properly leverage your IT investments and reduce the security risk encrypted traffic presents.
Darin Barton CISSP, CISA is a senior security professional in Toronto, Canada, with 20+ years of experience in cybersecurity and investigations, and is currently employed with Access 2 Networks Inc. (A2N).