Four reasons why SSL/TLS is blinding your security devices

Over the last three years, the amount of encrypted web traffic has increased sharply—a recent NSS survey forecasts that 75% of web traffic will be encrypted by 2019. This is great news for most organizations, but it presents a real challenge for others.

While SSL/TLS enables the encryption of communication channels from untrusted networks, it also masks threats from being detected by traditional security devices. Identifying and decrypting SSL/TLS connections and application traffic across networks is critical for identifying potential threats that would effectively blind your security controls.

Fortunately, there are SSL/TLS decryption devices that allow for packet inspection. These devices intercept SSL/TLS traffic, decode, inspect and re-encrypt untrusted SSL traffic before it enters the network. But while these devices do provide visibility, threats can still bypass them, which may lead to breaches or data loss.

The primary reasons why even these security devices are still blind when it comes to SSL/TLS are:

  • Multiple cipher suites are not supported by security device vendors – Security is constantly evolving, and newer cipher suites keep being introduced. An older device may never receive the update that the latest model gets, and traffic negotiated with a suite the device does not support cannot be decrypted.
  • SSL/TLS communications are occurring over non-standard ports – The standard port for SSL/TLS is 443. If other ports are used, the traffic on them is overlooked and threats simply pass into the network.
  • Devices are unable to decrypt traffic at their advertised SSL/TLS-based throughputs – As keys, ciphers and hashes become more expensive to process, the throughput of security devices starts to decrease. Some devices may reach only 50% of their advertised rates, because those rates are ‘marketing’ numbers measured under ideal conditions.
  • Devices are fast-pathing connections without decryption at high rates – As throughput drops, a device may fall back to forwarding traffic without inspection. This ‘fast-pathing’ keeps performance up, but at the expense of letting potential threats through.
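The first two reasons above can be checked from captured traffic rather than taken on trust. The following added example (not part of the NSS post, and not any vendor's code) parses a TLS ClientHello from the first bytes of a flow, recovers the offered cipher suites and SNI, and then flags flows that carry TLS on a port other than 443 and flows whose offered cipher suites an inspection device cannot decrypt. The device's supported-suite list, the sample flows and the ClientHello bytes are all constructed for the example; the cipher-suite identifiers are real IANA values.

```python
"""Audit captured flows for TLS that an inspection device may miss.

Constructed example: parses a TLS ClientHello to recover the offered
cipher suites and SNI, then flags (a) TLS on ports other than 443 and
(b) handshakes whose offered suites the inspection device cannot decrypt.
Standard library only; no packet-capture dependency.
"""
import struct

# Real IANA cipher-suite identifiers, used for the constructed samples.
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_AES_128_GCM_SHA256 = 0x1301            # TLS 1.3
TLS_CHACHA20_POLY1305_SHA256 = 0x1303      # TLS 1.3


def build_client_hello(suites, sni):
    """Build a minimal, well-formed TLS ClientHello record (test input only)."""
    host = sni.encode()
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host      # host_name type, length, name
    sni_body = struct.pack("!H", len(name_entry)) + name_entry
    ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body       # extension type 0 = server_name
    body = (
        b"\x03\x03" + bytes(32)                                      # legacy version, random (zeros: constructed)
        + b"\x00"                                                    # empty session id
        + struct.pack("!H", 2 * len(suites))
        + b"".join(struct.pack("!H", s) for s in suites)
        + b"\x01\x00"                                                # one compression method: null
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def is_tls_client_hello(payload):
    """Content-based check: a handshake record carrying a ClientHello, whatever the port."""
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01


def parse_client_hello(payload):
    """Return {'version', 'cipher_suites', 'sni'} parsed from a ClientHello record."""
    pos = 5 + 4                                   # skip record header (5) and handshake header (4)
    version = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2 + 32                                 # version + random
    pos += 1 + payload[pos]                       # session id
    n = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", payload[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + payload[pos]                       # compression methods
    sni = None
    if pos + 2 <= len(payload):
        ext_len = struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                   # server_name: list len(2), type(1), name len(2), name
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                sni = payload[pos + 5:pos + 5 + name_len].decode()
            pos += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}


def audit_flows(flows, device_suites):
    """Flag TLS flows the inspection device would overlook or could not decrypt."""
    findings = []
    for src, dst, dport, payload in flows:
        if not is_tls_client_hello(payload):
            continue                              # not TLS (or not the first record); nothing to flag
        hello = parse_client_hello(payload)
        if dport != 443:
            findings.append(("tls-on-nonstandard-port", src, dst, dport, hello["sni"]))
        if not set(hello["cipher_suites"]) & device_suites:
            findings.append(("no-decryptable-cipher", src, dst, dport, hello["sni"]))
    return findings


# Constructed sample flows: (src, dst, dst_port, first payload bytes). Addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443,
     build_client_hello([TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA], "www.example.com")),
    ("10.0.0.6", "203.0.113.11", 8443,
     build_client_hello([TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256], "admin.example.com")),
    ("10.0.0.7", "203.0.113.12", 443,
     build_client_hello([TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256], "api.example.com")),
    ("10.0.0.8", "203.0.113.13", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

# Suites the hypothetical inspection device can decrypt: an older, TLS 1.2-era list without TLS 1.3 suites.
DEVICE_SUITES = {TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
                 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS, DEVICE_SUITES):
        print(*finding)
```

Run against the constructed flows, the audit reports the 8443 connection as TLS on a non-standard port and the flow offering only TLS 1.3 suites as undecryptable by the device; the plain HTTP flow and the 443 flow with a supported suite produce no finding. The point of the content-based check in `is_tls_client_hello` is that it does not consult the port at all, which is exactly what a port-based inspection policy fails to do. The third and fourth reasons (throughput shortfall and fast-pathing) are not visible in the flows themselves; they have to be read from the device's own decrypted-versus-bypassed session counters under load.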

As you can see, even with SSL/TLS devices, networks can be ‘blind’ to encrypted traffic. And depending on how the device is designed, the impact can be worse. Devices that are “retrofitted” for SSL/TLS will degrade rapidly in decryption performance, latency, and maximum connection rates. Only through careful analysis of these parameters can you make an informed decision about the solution and make the correct capacity planning decisions.

JOIN US IN OUR NEXT SSL/TLS TEST:

NSS Labs is conducting a group test to determine leading security products’ encryption and decryption capabilities. The test will be based on NSS’ SSL/TLS Performance Test Methodology and will create the industry’s first-ever rating criteria for network-based SSL/TLS security products. NSS will also be publishing a series of Technical Briefs on encryption.

If you are a vendor and wish to participate in this free test, or if you are an enterprise IT organization and want to see how a particular SSL/TLS device performs, please drop us a note at vendors@nsslabs.com. Our upcoming test will include leading SSL/TLS vendors and the vendors most requested by enterprises.

Follow us on Twitter (@NSSLabs) to keep informed as new research is released.
