Encrypted Packets and Encrypted Traffic Visibility

Know Your Options

SECTION 3

The growth of SSL/TLS traffic has forced organizations to find solutions that enable their network and their applications to respond to the increased demands of widespread encryption. 


DOING NOTHING IS A RECIPE FOR DISASTER

Many organizations are not equipped to detect malware hidden in encrypted traffic using their existing security stack. However, as attackers increasingly conceal their malicious code in traffic that security devices can’t see, the do-nothing option is a recipe for disaster. It also wastes the money spent on inspection tools and the effort spent maintaining them, since those tools cannot see the traffic they were bought to inspect. On the surface, it seems there are several options—but only one of them is truly effective.

01  |  Decrypt Everything?

Before user privacy became a popular topic, many organizations terminated SSL/TLS at their ingress point and let everything flow freely in cleartext within their data centers.

Now that GDPR and other regulations are in effect, and privacy is in the news due to high-profile breaches and abuses, this is no longer a viable option. Depending on the types of data you collect and its corresponding jurisdiction, you may be subject to various privacy laws and regulations.

02  |  Set up a Decryption Zone

Some security teams set up a decryption zone (air gap), where they decrypt inbound and/or outbound traffic before passing it through a daisy chain of security inspection tools and then re-encrypting it.

This solution at least uncovers hidden malware, but it creates routing complexity and makes it harder to change the architecture. Also, catastrophic outages can occur when in-line security devices fail.

03  |  Orchestration

Orchestration is the most effective choice. By applying policy-based decryption and traffic steering to both your inbound and outbound traffic, you can conduct your orchestration of security devices like a maestro. 

A high-performing SSL/TLS orchestration solution improves visibility and protects your apps while increasing the security, efficiency, and resilience of your security stack. Traffic is decrypted once, steered through the inspection devices in cleartext, and re-encrypted once, so the repeated decrypt/re-encrypt latency of the daisy-chain approach is removed.

This process is so critical that the NSA published an advisory titled “Managing Risk from Transport Layer Security Inspection.” The advisory says that to minimize risk, breaking and inspecting TLS traffic should only be conducted once within the enterprise network. The advisory also strongly recommends against redundant TLSI, where a client-server traffic flow is decrypted, inspected, and re-encrypted by one forward proxy and is then forwarded to a second forward proxy for more of the same.
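The policy-based decryption and dynamic service chaining described above, modelled as an added example (not F5's code or the product's configuration): each flow is matched against a first-match policy, privacy-sensitive categories are bypassed, everything else is decrypted exactly once and steered through a service chain, and a flow already inspected upstream is never broken a second time. The flow attributes, categories, and inspector behaviours are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    """One TLS flow; attributes are what a full proxy can see before or at decryption."""
    direction: str        # "inbound" or "outbound"
    sni: str              # server name from the ClientHello (visible without decryption)
    category: str         # host category from a classifier (constructed values below)
    tls_inspected: bool = False  # already broken and inspected by an upstream proxy?

# Policy: first matching rule wins. "bypass" leaves the flow encrypted end to end
# (e.g. regulated privacy categories); "intercept" decrypts once and steers the
# cleartext through the listed service chain before a single re-encryption.
POLICY = [
    {"when": lambda f: f.category in {"finance", "healthcare"}, "action": "bypass", "chain": []},
    {"when": lambda f: f.direction == "inbound", "action": "intercept", "chain": ["waf", "ids"]},
    {"when": lambda f: f.direction == "outbound", "action": "intercept", "chain": ["ids", "dlp", "ngfw"]},
]

# Constructed inspectors standing in for cleartext-only security devices.
SAMPLE_SERVICES = {
    "waf": lambda f: "allow",
    "ids": lambda f: "block" if f.sni.endswith("malware-c2.example") else "allow",
    "dlp": lambda f: "allow",
    "ngfw": lambda f: "allow",
}

def decide(flow):
    """Return (action, chain). A flow already inspected upstream is never broken a
    second time, which is the redundant TLSI the NSA advisory warns against."""
    if flow.tls_inspected:
        return "bypass", []
    for rule in POLICY:
        if rule["when"](flow):
            return rule["action"], list(rule["chain"])
    return "bypass", []   # default: no policy match, keep it encrypted

def orchestrate(flow, services=SAMPLE_SERVICES):
    """Decrypt once, run the chain until a device blocks, re-encrypt once."""
    action, chain = decide(flow)
    if action == "bypass":
        return {"decrypt_ops": 0, "verdict": "allow", "ran": []}
    ran, verdict = [], "allow"
    for name in chain:
        ran.append(name)
        if services[name](flow) == "block":
            verdict = "block"
            break   # stop steering; nothing is re-encrypted onward
    return {"decrypt_ops": 1, "verdict": verdict, "ran": ran}
```

Every intercepted flow reports exactly one decrypt operation regardless of chain length, which is the property that distinguishes orchestration from the daisy chain.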


SEE ENCRYPTED THREATS WITH SSL VISIBILITY

Security inspection tools are increasingly blind to SSL/TLS traffic. While some security solutions include native decryption capabilities, performing decryption and encryption at scale isn’t their core purpose or focus. Without dedicated decryption, encrypted traffic must go through a static daisy chain in which every device in the security stack repeats the same decrypt/inspect/re-encrypt process.

This process consumes precious time and resources, adds latency, and disrupts user experience. Plus, it can easily lead to over-subscription—meaning increased costs for oversized security services.

F5 SSL Orchestrator, with its full proxy architecture and dynamic service chaining, presents a true paradigm shift in the way you can deal with malware in your environment. Protect against encrypted threats with SSL visibility.


READY TO STOP ENCRYPTED MALWARE?

Because SSL Orchestrator functions as a full proxy for both SSL/TLS and HTTP, it can make intelligent decisions to steer inbound and outbound traffic to service chains within the security stack, no matter how complicated your inbound and outbound encryption requirements are.

See how SSL Orchestrator provides visibility into encrypted inbound application traffic—including how it dynamically chains security services and applies context-based traffic steering.