Encrypted Internet traffic is steadily increasing and by 2017 it is
expected that 50% – 70% of all web sites will be HTTPS. Think about
it! With so much traffic being encrypted, and your existing security
appliances unable to inspect that traffic, how will you protect your
business? More importantly – what do you do now?
So, what can you do to protect yourself? Most Unified Threat Management (UTM) Firewalls already have SSL inspection capability and you may be able to capitalize on that. The best aspect of using an existing firewall is that the device in already inline and there will be little disruption to production traffic by activating the inspection features. The biggest concern with SSL Inspection on pre existing gateways is that, unless you actively scoped your appliance to perform that function (in conjunction with the other UTM capabilities) the firewall will face intensive resource issues and may become a bottleneck. If, by chance, you did scope your firewall for this function then you can feel comfortable in giving it a try; monitor it closely and if resource utilization remain stable then you’re good to go. The only other concern to mention is that firewalls typically don’t have the ability to copy & forward the decrypted traffic to other security solutions (Sandbox/IPS/DLP) to conduct further scanning – for this you would require a more advanced solution or architecture.
Typically, SSL Inspection solutions should be inline and allow for the normal flow of traffic in bypass mode. The Bluecoat SSL Visibility Appliance is a single inline appliance and has the capability to copy/forward traffic to a specific destination for additional security scanning. The Bluecoat solution is a favorite among many because of its security policy granularity and ability to finely tune traffic that should be bypassed (such as personal banking transactions).
A10 Networks has designed a different solution where they create, what I call, a traditional “DMZ style” decryption zone. This solution requires two appliances where any traffic entering the zone is decrypted, scanned by your security appliances (UTM/IPS/DLP/Sandbox), and then re-encrypted on leaving the zone.
Call A2N for an immediate review of your architecture and we can help in creating the best solution for you SSL visibility needs.