
9/6/2018

Seeing Inside Encrypted Traffic: Blocking Threats and Enforcing Policy While Preserving Security, Compliance and Performance

© 2018 Monterey Technology Group Inc.

Preview of Key Points
o Why decrypt
o How
  • Explicit proxy
  • Inline transparent
o Challenges
  • Performance
  • Integration
  • Logistics
  • Security
  • Privacy

Why Decrypt
o More/most traffic is SSL encrypted today
  • Applications
  • Websites
[Diagram labels: Clear, Encrypted]

Why Decrypt
o More of your critical traffic and data is on the Internet
o Reliance on cloud
[Chart: Cloud usage over Time]

Why Decrypt
o If you can’t see into the payload of a packet, all you know is
  • Source and destination IP and ports
  • Cadence, flow and volume
[Diagram labels: IP, TCP, SSL, Application Data]

Why Decrypt
o What you can’t know
  • Malformed content
  • Malware
  • Data exfiltration
  • Company data
  • Inappropriate content
  • Inappropriate communications/posts
o No visibility into C&C traffic
o Attacks
  • XSS
  • Malicious JavaScript
  • Et al.

How
o Products like SSL Insight function as a dynamic CA
o Creates a certificate on the fly as different servers are accessed
o Functions as a benevolent man-in-the-middle

[Diagram: Normal SSL behavior (www)]

[Diagram: SSL behavior with decryption (www, Enterprise CA)]

Challenges
o Performance
o Integration
o Logistics
o Security
o Privacy

Performance
o SSL Performance Problems
  • NSS Labs found that eight leading next generation firewall vendors experienced significant performance degradation when decrypting 2048-bit encrypted traffic. This led NSS Labs to assert that it had “concerns for the viability of SSL inspection in enterprise networks without the use of dedicated SSL decryption devices.”
o Performance
  • Decrypting and re-encrypting all the SSL traffic flowing between your organization and the Internet
  • CPU intensive
  • Multiple decrypt/re-encrypt
  • Growing key lengths
  • Traffic that doesn’t need decryption

Performance
o Scaling options
  • Do the decryption once
  • Do it with dedicated hardware
  • Have the option to separate SSL de/encryption from security technologies

Integration
o If you want to bring any security technology or product to bear upon your traffic, there are a lot of integration scenarios
o First, what kind of proxy?
  • Inline transparent
  • Explicit

Integration
o Explicit proxy

Integration
o Inline transparent proxy

Integration
o Next, what kind of integration scenarios?
o Inline transparent proxy or explicit proxy deployment with
  • passive, non-inline third-party devices
  • active, inline third-party devices
  • ICAP-connected devices
  • third-party transparent and explicit proxy devices using proxy chaining

Integration + Performance + Cost
[Diagram: Decrypt (once), Enforce Security, Re-encrypt (once)]

Logistics
o Nonstandard ports
o Certificate pinning
o Not just https
  • HTTPS, STARTTLS, SMTP, XMPP, POP3, SSH, SCP, sFTP
o High availability

Challenges
o Certificate pinning
  • Certain desktop or mobile applications use hard certificate pinning
  • Impossible for transparent or explicit proxies to decrypt
  • Decryption should be bypassed for applications required for your business operation
    - positively confirmed that their certificates are pinned
  • Need a list of known websites and web applications that use hard certificate pinning

Security
o Flexibility in terms of security technology and products brought to bear
o Safety of signing certificate’s private key
  • HSM?
o Flow analysis and logging

Privacy
o Bypass trusted communications and avoid compliance incidents
  • Banking sites
  • Healthcare applications
o Requires tight integration with URL classification
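
The bypass rules from the certificate-pinning and Privacy slides, as an added example that is not from the original slides or from any product: a per-connection decrypt/bypass decision keyed on the TLS SNI hostname. The hostnames, category feed and function names are constructed assumptions; matching is on whole DNS labels so that a look-alike domain cannot ride a bypass entry.

```python
from dataclasses import dataclass

# Constructed sample data (assumptions, not a vendor feed).
# Apps positively confirmed to use hard certificate pinning:
PINNED = {"api.mobile-bank.example", "updates.pinned-app.example"}
# URL classification: registered domain -> category.
URL_CATEGORIES = {
    "mybank.example": "banking",
    "patient-portal.example": "healthcare",
    "fileshare.example": "file-sharing",
}
# Categories bypassed for privacy/compliance reasons.
PRIVACY_BYPASS = {"banking", "healthcare"}


@dataclass(frozen=True)
class Decision:
    action: str  # "decrypt" or "bypass"
    reason: str  # logged with the flow record


def _parents(host):
    """Yield host and each parent domain on label boundaries."""
    labels = host.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def classify(host):
    """Look up the most specific category known for host."""
    for name in _parents(host):
        if name in URL_CATEGORIES:
            return URL_CATEGORIES[name]
    return "uncategorized"


def decide(sni):
    """Return the decrypt/bypass decision for one TLS connection."""
    host = (sni or "").strip().rstrip(".").lower()
    if not host:
        # No hostname to match a bypass rule against: inspect by default.
        return Decision("decrypt", "no-sni")
    if any(name in PINNED for name in _parents(host)):
        return Decision("bypass", "pinned")
    category = classify(host)
    if category in PRIVACY_BYPASS:
        return Decision("bypass", "privacy:" + category)
    return Decision("decrypt", "category:" + category)
```

Recording the returned reason with each flow keeps bypassed connections visible in logging even though their payload is never inspected.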

See an example in action
o Parth Jagirdar will demonstrate
  • A10’s unique SSL decryption technology
  • how it provides performance and compliance
  • allows you to leverage any security technology you need

SSL Insight
Comprehensive SSL Visibility

Parth Jagirdar
Product Marketing Manager

Reliable Security Always™ CONFIDENTIAL | DO NOT DISTRIBUTE

Cyber Crimes are on the Rise

o 1.5 M phishing sites introduced each month
o 6 in 10 malware were ransomware
o 19X growth in risks due to malvertising
o WannaCry: 150 countries - FedEx, Hitachi, UK NHS, PetroChina

Impact of Data Breaches – Stolen Records

o Investigation and notification costs
o Brand damage
o Lost revenue
o Regulatory fines
  • e.g. GDPR Violations
o Lawsuits

Source - As of May 2018 - www.informationisbeautiful.net

SSL Visibility Challenge

Problems with Existing Solutions

Inefficient, Expensive and Complex

o Inferior Performance: Not Purpose Built
o Inflexible: Costly and Inefficient
o Difficult Operationalization: Complex Configuration, Inspection and Dashboards

Performance hit at every appliance . . . or NO inspection?

[Diagram labels: AV / DLP, Secure Web Gateway, APT, IPS, NGFW, Internet]

A10’s SSL Visibility Solution

Visibility, Versatility with Performance

o Dedicated Decryption Hardware: Blazing Fast Performance
o Interoperable and Flexible: Efficiency and Scalability
o Simple and Easy to Use: Analytics, Dashboards and Wizards

Decrypt Once, Inspect Many Times

[Diagram labels: A10 SSL Insight, Secure Web Gateway, APT, IPS, NGFW, A10 SSL Insight, ICAP, AV / DLP, Internet]

Thunder SSLi Solution Overview

The A10 Advantage

SSL INSPECTION

Dedicated Decryption Hardware
o Purpose built for complete SSL visibility
o Up to 25 Gbps throughput on single rack unit with 2k keys
o Decrypt Across any port and protocol
o FIPS 140-2 Level 3 compliance

Flexible and Secure
o Many validated solution and ICAP Support
o URL filtering with Bypass & Threat Intelligence
o Authentication & App Signatures
o Threat Investigator

EASE OF USE

Simplified and Centralized
o Local Wizard based configuration & troubleshooting using ACT
o Centralized management and analytics using Harmony Controller

Secure Decrypt Zone

o Decrypt once, inspect many times
  • Fast and Efficient - Decrypt once, inspect multiple times
o ICAP support
  • Decrypted traffic can be inspected using ICAP enabled security devices
o Interoperable with many security solutions
  • Extensive list of validated solutions
  • Supports devices that modify data

[Diagram labels: Secure Decrypt Zone; IDS/ATP; DLP/AV; Non-Inline security device; ICAP device; FW/IPS/SWG; Inline security devices; SSL/TLS, SSH; Internet]

What Goes Inside a Decrypt Zone? – Validated Solutions

[Diagram labels: Secure Decrypt Zone; Non-Inline, Inline and ICAP devices; SSL/TLS, SSH; Thunder SSLi; Internet; … and more!]

SaaS Use Case

Key Benefits
o Reduce burden on security stack
o Improve network performance
o Improve user experience
o Microsoft recommends this!

[Diagram labels: Secure Decrypt Zone; DLP/AV; ATP; Secure Web Gateway; IPS; NGFW; Thunder SSLi; Internet. Legend: SaaS Traffic, Encrypted Internet Traffic, Decrypted Internet Traffic]
Quick Recap

o Summary - Thunder SSLi can provide full SSL visibility and dramatically improve performance of your existing security stack at a fraction of the cost

o Key Differentiators
  • Complete SSL visibility
  • Excellent performance
  • Wizard based configuration and troubleshooting
  • Centralized management and analytics
  • Office 365/SaaS use case
  • Preventive security

Next Steps – Learn More!

o A10 Networks Website – https://www.a10networks.com/
o Product Page – https://www.a10networks.com/products/ssl-inspection
o Datasheet – Available on product page; Detailed features and models
o YouTube Channel – https://www.youtube.com/user/a10networks
o For Questions – Parth Jagirdar
  • pjagirdar@a10networks.com
o For Demo – Tim Balistreri
  • tbalistreri@a10networks.com
  • T: 1-888-A10-6363 (USA and Canada)
  • T: 1-408-325-8616 (International)

Demo