Ixia-SV-WP-Role of Active SSL Decryption In Network Monitoring
WHITE PAPER
NEW MONITORING CHALLENGES RESULT FROM DATA ENCRYPTION
Secure Sockets Layer (SSL) technology significantly impacts the way IT departments monitor their networks. As of the end of 2016, Sandvine Research estimates that almost 70% of Internet traffic is now encrypted.[1] Data that could once be captured and sent to security and monitoring tools for analysis is now completely unreadable by those tools. This creates a major source of blind spots within your network that include hidden sources of security threats operating without your knowledge.

While decryption of the data would be the most obvious answer, most IT organizations struggle with the following problems:
• They have multiple, often more than three, tools that need to see decrypted (clear-text) traffic, which causes a significant burden
• Decryption (and re-encryption) has a high CPU resource tax, making it inefficient to run this SSL function on multiple security tools
• The serial chaining of multiple security tools together while properly handling and protecting clear-text traffic is difficult
• Maintaining the isolation of clear-text traffic for regulatory compliance is often difficult
Technology, like a network packet broker (NPB) with SSL decryption capability,
can be used to correct these problems by decrypting network data, aggregating
and filtering the data, data masking as needed, and then distributing it to the
proper security and monitoring tools for analysis. The data is then re-encrypted
by the NPB without impacting tool performance or causing compliance issues.
[1] “2016 Global Internet Phenomena Report,” Sandvine Inc., 2016.
26601 W. Agoura Road | Calabasas, CA 91302 USA | Tel + 1-818-871-1800 | www.ixiacom.com Page 1
915-8183-01-7071 Rev A
HTTPS - THE SOLUTION FOR ONLINE PRIVACY
HTTPS, which includes both the original SSL standard and its updated successor, the Transport Layer Security (TLS) standard, is intended to secure Internet-based communications. While SSL was developed in 1994 for encrypting Internet data, it did not go mainstream until Facebook adopted it in 2013 and Google started penalizing business website rankings in 2014 if the protocol wasn’t used. In addition, web applications, Office 365, and cloud-based traffic have also accelerated the adoption of SSL encryption.

Other huge drivers include regulatory and compliance initiatives. One example is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which mandates the use of TLS 1.0 or higher. The Payment Card Industry has also mandated the use of TLS in their PCI-DSS standard. In fact, PCI mandates the migration to a more secure version of TLS (TLS 1.1 or higher) by June 30, 2018.

For security and troubleshooting purposes, organizations must examine the traffic on their networks. Unfortunately, firewalls, intrusion prevention systems (IPS), monitoring tools, and other equipment do not understand encrypted traffic.
Improvements to SSL technology like the use of ephemeral keys, where new
encryption keys are exchanged between the server and clients for each session,
have increased the security and effectiveness of data encryption and are also
increasing adoption of the technology. In fact, all of these factors have increased
the proliferation of SSL for security of online browsing and data storage. However,
as we shall see, the use of encryption is not without its perils.
[2] “Uncovering Hidden Threats Within Encrypted Traffic,” Ponemon Institute, 2016.
[3] “SSL Encryption: Keep Your Head in the Game.”
[4] “Rising SSL traffic to degrade firewall performance.”
OVERCOMING THE SSL SECURITY THREAT
To overcome the encryption security threat, businesses need to decrypt the traffic crossing their network and analyze it. There are two popular methods to achieve this: active decryption and passive decryption. Here is a review of both approaches.

As shown in Figure 1, passive decryption is for inbound-only traffic monitoring scenarios (i.e. out-of-band monitoring solutions) and does not allow for the encryption/re-encryption of outbound communications.
Figure 1: Passive Decryption. Traffic path: Sender (plaintext), Encryption, Firewall, Network Switch, Network Tap, Recipient (plaintext), Decryption. The network tap feeds decrypted monitoring traffic out-of-band to a Forensic Tool, IDS and DLP.
ACTIVE SSL DECRYPTION
Active SSL decryption is a “man in the middle” approach where the off-network server communicates directly with the decryption device to exchange encryption keys. In this scenario, IT personnel do not have to get involved to manually load decryption keys, as ephemeral keys can be supported.

Once the clear-text data is analyzed for security threats, the good data can be re-encrypted and sent on to its destination within the business’ network. In this instance, the SSL decryption device digitally signs the keys and negotiates the decryption keys with the endpoint device on the network for decryption at the endpoint; the process is transparent to the recipient.

When using this scenario, decryption/encryption can be supported in both directions, i.e. for inbound and outbound network traffic. This means that both inline and out-of-band security and encryption tools can be used to analyze the network traffic.
Figure 2: Active Decryption. The NPB holds the private key, performs the ephemeral key negotiation with the endpoints, decrypts the encrypted traffic, forwards the decrypted traffic to the Forensic Tool, IPS and DLP, and re-encrypts it before forwarding.
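Which of the two approaches can read a given session depends on the key exchange the server negotiates: a passive tap holding a copy of the server's private key can only decrypt static RSA key exchange, while the ephemeral (DHE/ECDHE and all TLS 1.3) suites require the active, inline approach described above. The following Python is an added example, not code from the paper or from Ixia: it parses a ServerHello, reads the negotiated cipher suite and reports which monitoring mode can see the session. The cipher-suite table is a small constructed subset, and the ServerHello bytes are constructed sample input rather than captured traffic.

```python
import struct

# Small subset of IANA cipher-suite codes (constructed for this example, not exhaustive)
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",            # TLS 1.3
}

def parse_server_hello(record):
    """Parse a TLS record carrying a ServerHello and return the negotiated suite."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    # ServerHello layout: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
    off = 35 + hs[34]                    # skip version, random and the session_id vector
    suite = struct.unpack("!H", hs[off:off + 2])[0]
    return {"suite": suite, "name": CIPHER_SUITES.get(suite, "unknown")}

def decryption_mode(suite, name):
    """Which monitoring approach can read a session that negotiated this suite."""
    if 0x1301 <= suite <= 0x1305 or "_DHE_" in name or "_ECDHE_" in name:
        return "active"     # ephemeral keys: a passive tap holding the server key sees nothing
    if name.startswith("TLS_RSA_"):
        return "passive"    # static RSA key exchange: out-of-band decryption with the server key works
    return "unknown"

def build_server_hello(suite):
    """Construct a minimal ServerHello record as sample input (not captured traffic)."""
    hs_body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def classify(record):
    info = parse_server_hello(record)
    return decryption_mode(info["suite"], info["name"])

if __name__ == "__main__":
    for code in (0x009C, 0xC02F, 0x1301):
        print(hex(code), CIPHER_SUITES[code], "->", classify(build_server_hello(code)))
```

Run over the ServerHello records of a passive tap's feed, a steadily rising share of "active" results is the measurable form of the blind spot the paper describes.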
PURPOSE-BUILT DECRYPTION DEVICE
The first type of solution includes the category of purpose-built decryption devices. This type of solution excels in high-volume transaction scenarios at high speeds. Typically, these solutions come with a high price tag to match the high performance. Since these devices are purpose-built, once they are added to the network architecture they can create complexities when it comes to forwarding the decrypted data to multiple, sequential inspection tools (firewall, IPS, DLP, etc.), then redirecting the data back to the decryption device for re-encryption, and then reintroducing that data back into the network. These solutions typically have fairly basic capabilities to complement their SSL engines.
DECRYPTION INTEGRATED INTO SECURITY TOOLS
In contrast to the purpose-built device, some security tools, like firewalls and IPS systems, can be upgraded to include integrated SSL decryption capability. Unfortunately, studies have shown that there can be a significant performance impact (up to an 81% drop in CPU processing capability) for devices that have this decryption feature turned on.[5]

This creates a significant network performance impact that will result in the costly purchase of additional security tools, i.e. additional firewalls in this case, to process the same amount of network traffic. As a result, an IDC survey found that only 25% of the companies surveyed actually use SSL decryption to inspect inbound and outbound communications for potential threats. Also, the decryption capability was not applied to all traffic, just some of it.[6]
For enterprises who have adopted the industry best practice of “defense in depth,” relying on SSL decryption built into multiple security devices has additional penalties. Forcing multiple inline devices to each decrypt and re-encrypt data has obvious performance and latency impacts.
[5] NSS Labs Analyst Brief “SSL Performance Problems,” Pirc, John W., 2013.
[6] “The Blind State of Rising SSL/TLS Traffic: Are Your Cyber Threats Visible?,” IDC, Robert Westervelt, July 2016.
With this decryption scenario, the NPB offers a cost-effective alternative to both the purpose-built and the security-plus-decryption tool scenarios discussed previously. While performance at large scale can be less than in the purpose-built scenario, the NPB's filtering, masking, and distribution capabilities are far superior to those of purpose-built solutions. In addition, the network traffic delays caused by introducing multiple, serially connected devices for SSL decryption are eliminated. These multi-component delays can add up and create noticeable delays for real-time traffic like voice and video. Thus, the integrated NPB approach provides excellent value across all decryption performance ranges.
Once you know these answers, you can select one of the three decryption methods
above that gives you the right solution at the right price for your network.
SUMMARY
Most enterprise applications are now encrypted and the use of SSL encryption is here to stay. While SSL provides some protection of network data and improves security and compliance initiatives, it does have its drawbacks. Encryption itself can introduce hidden security risks. For instance, the use of encryption to hide malware is growing rapidly. In addition, encryption makes the analysis of troubleshooting and performance monitoring data much more difficult.
• Isolation of clear-text traffic can be maintained by the NPB
• The NPB solution delivers highly resilient security processing with
load-balancing of tools and fail-open behavior
One of the dangers with SSL decryption is that it makes sensitive data available
to anyone with access to network monitoring tools. This is a common problem
for monitoring data stored in DLPs, logs, and other databases, as it often violates
regulatory compliance mandates. Network packet brokers can be used to mask
data that doesn’t need to be exposed, to ensure regulatory compliance at all times.
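The masking step the paper describes can be illustrated with an added example that is not the paper's or Ixia's code: before decrypted payloads are forwarded to inspection tools or retained in DLP logs, card numbers are located, confirmed with a Luhn check so that order ids and timestamps are left alone, and reduced to their last four digits. The request lines are constructed samples, and the regular expression and masking format are assumptions of this example, not an NPB feature description.

```python
import re

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum; filters out order ids and timestamps that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pans(payload):
    """Return (masked_payload, count): every Luhn-valid PAN keeps only its last four digits."""
    count = 0
    def repl(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)            # not a card number: leave the field untouched
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, payload), count

# Constructed sample of decrypted request lines, as they would look before forwarding to tools
SAMPLE = [
    "POST /checkout card=4111111111111111 order=1234567890123456 exp=1225",
    "GET /status?ref=20170131-0042",
    "POST /pay pan=4111 1111 1111 1111 name=test",
]

if __name__ == "__main__":
    for line in SAMPLE:
        masked, n = mask_pans(line)
        print(n, masked)
```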
The combination of these feature sets allows the NPB to deliver a broad set of
value-added features at a very cost effective price point.
915-8183-01-7071 Rev A | © Keysight Technologies, 2017