In-Depth
SSL in the Enterprise: Challenges and Implications
Secure Sockets Layer encryption presents a tradeoff between keeping data private and allowing for network monitoring and the detection of intruders. The solution: transparent SSL proxies.
by Jarrod Siket
At the RSA 2007 conference, security expert Bruce Schneier spoke of the tradeoffs effective security policies require. Even if one is not conscious of it, Schneier said, tradeoffs are integral to the process of security and occur because as long as new methods of securing networks are developed and deployed, new methods of security disarmament will also unfold. Adaptation on both sides of this issue is inevitable and has created an arms race between organizations and people, and between code and devices of malicious intent. (See note 1)
Initially incorporated into communications technology to protect users and networks, Secure Sockets Layer (SSL) encryption presents a tradeoff between encrypting (to keep data private) and not encrypting (to allow for network monitoring and the detection of intruders). Each option presents a win-lose situation. By encrypting data, users are protected from identity theft. Unfortunately, viruses and hackers can enter unseen, and confidential company information can exit the network covertly. By not encrypting data, the viruses and hackers can be stopped, but identity thieves and unauthorized eyes can easily prey on unprotected information. In addition to the security issues arising from SSL, its use impairs policy management, since necessary information is encrypted.
This SSL conundrum has wreaked havoc for organizations subject to industry and government compliance mandates, such as HIPAA and Sarbanes-Oxley, which require intrusion protection and detection to ensure that only authorized individuals can access hardware and software within the network. Other compliance mandates, such as CALEA, require all organizations with publicly accessible networks to be able to provide law enforcement agencies with documentation of network activity, thus requiring that all traffic be unencrypted. While IT managers have implemented many security tools (including firewalls, vulnerability scanners, IDS/IPS, and network access control systems), not one of them is able to deal adequately and comprehensively with the SSL challenge.
SSL Proxies
Often, an organization will deploy SSL by severely limiting its use, reducing the benefits of SSL and compromising security. Increasingly, the method of choice for solving the SSL challenge has been to deploy SSL proxies that enable the inspection of encrypted flow content. While this allows administrators to monitor who and what enter and leave the network, these proxies often create performance bottlenecks, slowing network traffic to a crawl and impeding other functionality—a tradeoff of the security benefits.
As the rate and complexity of traffic increase, and more networks employ a multitude of specific-use appliances and IP-based applications and services, interest in the use of SSL proxies has surged again. Despite this and the existence of many SSL products in the market, few solutions provide a high level of security with little or no effect upon management and performance.
Performing through Encryption
In addition to incorporation of encryption into more applications, the increased prevalence of time-sensitive applications, such as VoIP and streaming video, demands that networks maintain line-rate performance. Although important, ensuring that SSL proxies support the analysis of as many traffic flows as quickly as possible is not the only approach to enhancing performance.
A new breed of high-speed, transparent SSL proxies pushes non-SSL traffic through at speeds that eliminate unnecessary delays, allowing the proxy to deal with only the traffic of concern: encrypted traffic. This new class establishes the proxy as a “bump in the wire,” making it completely transparent to server- and client-side systems, as well as every networking element in between, thereby eliminating the need for network configuration, IP addressing changes, or client-IP and Web-browser configuration.
An effective transparent SSL proxy solution provides great performance at the network level and at the application level. Multiple-interface support for applications to tap into SSL streams makes the proxy available to network and security applications, like firewalls, IDS/IPS and virus scanners, so they can analyze unencrypted flows and perform their duties uninhibited. By allowing applications access to the plain text in SSL streams, the proxy also enables IT managers to implement policy control and regulate network users—often necessary for compliance. Ideally, a proxy will even allow the integration of SSL inspection into new applications as well as its own integration into OEM solutions, achieving perhaps the most important feature of any security tool—interoperability.
Compliant at Last
Transparent SSL proxies should integrate seamlessly into the network by communicating with every machine and application in the system. The proxy should not exist as another appliance in the network. Instead, it should help translate and centralize feedback from all network and security applications and appliances. Complete integration ensures compliance and enables organizations to confidently protect their users, their networks and their reputations.
Tradeoffs to Come
The success of SSL encryption goes well beyond its cryptographic abilities. SSL has been the cause of many security shortcomings because of poor implementation. However, properly deployed, an application-accessible transparent SSL proxy that maintains network performance is an ideal solution to the current SSL security dilemma: traffic can be easily monitored for intruders and confidential data leakages while protecting users, allowing an organization’s policy management to remain operative.
As transparent SSL proxies become ubiquitous in the data center, more applications will be built around them and SSL will become even more widely (and well) used. Unseen transparent SSL proxy security tradeoffs may exist in the near future as networks increase in complexity. Just as the nature of networks is expected to evolve, so, too, is the nature of security.
Note 1—Source: http://www.schneier.com/news-027.html
- - -
Jarrod Siket is vice president of marketing for Netronome Systems. You can reach the author at jarrod.siket@netronome.com