Decrypting at multiple points in a connection flow introduces several problems:
· Additional investment for TLS decryption and key management on each device.
· Additional performance overhead on each decrypting device.
· Multiple points of failure and increased latency on the connection.
· Increased troubleshooting difficulty and costs.
· Challenges in scaling each service independently.
· Inconsistent support of SSL/TLS protocols and ciphers across the security stack.
Many organizations have responded by creating decryption zones in the DMZ for inspection by multiple devices, but it’s usually a static path where all decrypted traffic is inspected by the same chain of devices. While this strategy does boost performance and lower management overhead, it can introduce scaling problems. It may also limit the environment to less secure crypto by restricting the use of the cipher suites required for forward secrecy. Finally, the process can be inefficient because your security devices are inspecting everything instead of identifying and inspecting only the suspicious traffic. Setting up a decryption zone without added intelligence and traffic orchestration isn’t the ideal solution to the pressing problem of visibility into encrypted traffic. The good news is that there’s a better way.
SECURE ALL TRAFFIC, INBOUND AND OUTBOUND
With the explosion of HTTPS traffic, decryption has become a requirement to enable application-layer traffic management decisions. Organizations frequently leverage an Application Delivery Controller (ADC) such as BIG-IP Local Traffic Manager (LTM) to provide visibility for other systems beyond the application server. A relatively new challenge is the requirement to provide visibility for multiple thirdparty inspection technologies on the same application connection.