How Can You Defend Against Something You Can't See?
Throughout my career, I have managed security products capable of decrypting and re-encrypting traffic for inspection. Now, as a Technical Solutions Architect at WWT, I spend my time designing secure architectures for Fortune 500 companies, focusing primarily on Application Delivery Controller technologies such as those from F5 Networks.
In my role, I have the opportunity to talk with customers from different verticals across the globe to learn about their business and technical challenges, and a common pain point I hear is a lack of visibility.
Security and visibility considerations
At WWT, one of the ways we address this lack of visibility is by decrypting SSL and TLS traffic. However, it's important to involve the right people in the discussion so that everyone can ask questions and understand the benefits and the impact it will have on their data and on the organization as a whole. This is critical when tackling something like traffic decryption. Everyone needs to understand that the overall goal is a secure environment that protects the confidentiality and integrity of data while preserving the availability of the data that drives business outcomes.
To get a better sense of why it's so important to include all players in these conversations early on, think about this topic and ask yourself: What security-related challenges am I facing today?
Now, put yourself in the following roles and try to answer the same question:
- Security Engineer/Architect
- Cyber Response Team
- GRC Manager
- Network Administrator
- Board Member
- Help Desk
Did you come up with similar answers or are they different? More than likely, they're similar to your original answers because you're answering from your perspective and skillset.
Now, what if you asked the question to individuals in these specific roles within your organization, who have different levels of visibility and experience?
You can't see what you can't see
It doesn't matter if you're troubleshooting or talking about security-related challenges; having a lack of visibility is a thorn in everyone's side. From a troubleshooting perspective, it's challenging and time consuming to troubleshoot encrypted traffic. However, the higher risk to organizations comes from security and cyber teams not being able to detect and defend against malicious activity they can't see due to encryption.
Some reports show that 70 percent or more of internet traffic is now encrypted, and that share will continue to climb.
Given today's evolving threat landscape and advanced persistent threats, decrypting traffic for inspection is no longer optional. It is a must. If 70 percent of your internet traffic is encrypted and your security tools aren't doing any form of decryption, they can only inspect the content of the remaining 30 percent; for the encrypted flows they see metadata such as IP addresses, ports, the TLS server name and the server certificate, but not the payload. A critical component of incident response and investigation is having all the data you can get, so that you can stitch together the timeline of a sophisticated cyber attack. This is yet another example of how organizations are challenged by a lack of visibility.
By enabling decryption on individual security products, you will notice:
- Increased visibility;
- Greater ROI;
- Increased security efficacy; and
- Reduced risk.
However, keep in mind that decrypting separately on every product doesn't scale well and may also impact:
- Hardware Performance;
- Application performance; and
- User experience.
This leaves customers with a couple of options:
Option 1: No decryption. Accept the risk of not having visibility into traffic going in/out of your organization
Option 2: Daisy Chain and oversize appliances, or compute resources, for solutions that are capable of decrypting traffic for inspection.
As a former security engineer, I believe Option 2 is the best, but we need to consider the cost involved with oversizing by up to 10 times. We have seen security appliances consume nearly 90 percent of resources after turning on decryption services.
An easier, more efficient way
If this approach sounds like a costly and time-consuming endeavor, well, it is. However, there is a simpler way to decrypt traffic for inspection, which brings us to:
Option 3: Use SSL Orchestration. Forward traffic to a purpose-built appliance that determines whether the traffic should be decrypted and forwards it to the proper security appliances in the security service chain.
While many of the products on the market today can decrypt, inspect and re-encrypt traffic, as we've discussed, they can't do it at scale or without creating bottlenecks in your traffic flow. That is at odds with the technology initiatives driving most organizations today, for which performance is a critical requirement of every solution.
Decrypt once, inspect many times
F5's SSL Orchestrator is a purpose-built security appliance that can route traffic through, or around, specific security appliances based on dynamic policies and security service chains -- providing service insertion, resiliency, monitoring and load balancing. With F5's solution, you can decrypt once and inspect many times, which offers full visibility when and where you need it.
Some of the key functions include:
- SSL visibility
- Policy-based service chaining of security devices
- Load balancing and monitoring of non-SSL and decrypted SSL traffic flows across security devices
- Centralized and simplified management of certificates and encryption keys
- Selective decrypt/encrypt of specific traffic flows
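To make the policy step of Option 3 and the functions listed above concrete, here is an added example. It is not F5 SSL Orchestrator code or any vendor's API; it is a small, self-contained model of the per-flow decision an orchestration layer makes: bypass decryption for privacy-sensitive categories and certificate-pinned clients, decrypt everything else once into a service chain, and load-balance each chain position across a device pool with flow affinity. The category names, chain names, device pools and sample flows are all constructed assumptions for illustration.

```python
"""Selective TLS interception with policy-based service chaining (illustrative model)."""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    sni: str               # server name from the ClientHello, readable without decrypting
    category: str          # URL category from an assumed external classifier
    pinned: bool = False   # client known to pin its server certificate


@dataclass(frozen=True)
class Decision:
    decrypt: bool
    chain: tuple           # ordered device roles that receive the flow
    devices: tuple         # concrete device chosen from each role's pool
    reason: str


# Hypothetical service chains and device pools (constructed for this example).
SERVICE_CHAINS = {
    "full":   ("ngfw", "ips", "dlp", "av"),
    "web":    ("ngfw", "web_proxy", "dlp"),
    "bypass": ("ngfw",),          # traffic left encrypted: L3/L4 inspection only
}
DEVICE_POOLS = {
    "ngfw": ("ngfw-1", "ngfw-2"),
    "ips": ("ips-1", "ips-2", "ips-3"),
    "dlp": ("dlp-1",),
    "av": ("av-1", "av-2"),
    "web_proxy": ("proxy-1", "proxy-2"),
}
# Categories whose content is never decrypted (privacy / regulatory bypass); assumed.
NO_DECRYPT_CATEGORIES = {"financial", "healthcare"}
TLS_PORTS = {443, 8443}


def pick_device(flow, role):
    """Flow-affine load balancing: hash the sorted endpoint pair plus port so both
    directions of a connection land on the same device, keeping stateful inspection intact."""
    pool = DEVICE_POOLS[role]
    key = "|".join(sorted([flow.src_ip, flow.dst_ip]) + [str(flow.dst_port)])
    return pool[zlib.crc32(key.encode()) % len(pool)]


def decide(flow):
    """Classify one flow: pass plaintext through, bypass decryption, or decrypt into a chain."""
    if flow.dst_port not in TLS_PORTS:
        name, reason, decrypt = "full", "plaintext: no decryption needed", False
    elif flow.category in NO_DECRYPT_CATEGORIES:
        name, reason, decrypt = "bypass", f"category {flow.category!r}: privacy bypass", False
    elif flow.pinned:
        name, reason, decrypt = "bypass", "pinned client: interception would break it", False
    elif flow.category == "uncategorized":
        name, reason, decrypt = "full", "unknown destination: decrypt into full chain", True
    else:
        name, reason, decrypt = "web", f"category {flow.category!r}: decrypt into web chain", True
    chain = SERVICE_CHAINS[name]
    return Decision(decrypt, chain, tuple(pick_device(flow, r) for r in chain), reason)


def decrypt_operations(flows):
    """Count TLS terminations: once per intercepted flow when orchestrated, versus once
    per decrypting device when every appliance in the chain terminates TLS on its own."""
    orchestrated = per_device = 0
    for f in flows:
        d = decide(f)
        if d.decrypt:
            orchestrated += 1
            per_device += len(d.chain)
    return orchestrated, per_device


# Constructed sample flows (not captured data).
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "203.0.113.5", 443, "cdn.example.net", "uncategorized"),
    Flow("10.1.1.11", "203.0.113.6", 443, "bank.example.com", "financial"),
    Flow("10.1.1.12", "203.0.113.7", 443, "mail.example.org", "webmail"),
    Flow("10.1.1.13", "203.0.113.8", 443, "app.example.com", "saas", pinned=True),
    Flow("10.1.1.14", "203.0.113.9", 80, "www.example.com", "news"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        d = decide(f)
        print(f"{f.sni:18} decrypt={d.decrypt!s:5} {d.reason}; -> {' > '.join(d.devices)}")
    print("TLS terminations (orchestrated, per-device):", decrypt_operations(SAMPLE_FLOWS))
```

Two design points matter in practice. The bypass rules run before any decryption, using only what is visible in the ClientHello and the destination, which is what lets a privacy or compliance exception hold without ever exposing that content. And device selection is keyed on the endpoint pair, not on packet order: if the outbound and return halves of a session reached different IPS devices, each would see half a conversation and stateful detection would silently degrade.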
One of the biggest differentiators with F5 is that it supports multiple deployment models simultaneously, including:
- Inline layer 3
- Inline layer 2
- HTTP security services (web proxy)
Common deployment scenarios for SSLO
F5's SSL Orchestrator is making SSL and TLS visibility a reality for customers today. Imagine having the bulk of your security appliances in a "Decrypted Zone" where they have full visibility into the traffic they need to inspect. I would much rather decrypt and inspect traffic inside of a controlled security zone than on my edge firewall appliance. Wouldn't you? Keep in mind that this zone carries plaintext and the keys that produce it, so it needs the same access controls and monitoring as any other high-value segment.
This solution brings a new level of intelligence to the security solutions you're already invested in and integrates well with NGFWs, IPS/IDS, Anti-Virus, DLP and others.
[Figure: SSL air gap use case – Decrypted security zone]
Interested in learning more?
We have created a working demo in our Advanced Technology Center where we've integrated F5's SSL Orchestrator with Palo Alto Next-Generation Firewalls and Cisco FirePOWER. This allows our customers to get hands-on experience with the products and shows them what a new level of visibility looks like in the products they're using today.
To schedule a demonstration or request more information, reach out to our F5 team at email@example.com.