Over the last three years, the amount of encrypted web traffic has increased sharply—a recent NSS survey forecasts that 75% of web traffic will be encrypted by 2019. This is great news for most organizations, but it presents a real challenge for others.
While SSL/TLS enables the encryption of communication channels across untrusted networks, it also hides threats from traditional security devices. Identifying and decrypting SSL/TLS connections and application traffic across networks is critical for detecting potential threats to which your security controls would otherwise be effectively blind.
Fortunately, there are SSL/TLS-based decryption devices that allow for packet inspection. These devices intercept untrusted SSL/TLS traffic, then decode, inspect and re-encrypt it before it enters the network. But while these devices do provide visibility, threats are still able to bypass security, which may lead to breaches or data loss.
The primary reasons why even these security devices are still blind when it comes to SSL/TLS are:
As you can see, even with SSL/TLS devices, networks can be ‘blind’ to encrypted traffic. And depending on how the device is designed, the impact can be worse. Devices that are “retrofitted” for SSL/TLS will degrade rapidly in decryption performance, latency, and maximum connection rates. Only through careful analysis of these parameters can you make an informed decision about the solution and make the correct capacity planning decisions.
JOIN US IN OUR NEXT SSL/TLS TEST:
NSS Labs is conducting a group test to determine leading security products’ encryption and decryption capabilities. The test will be based off of NSS’ SSL/TLS Performance Test Methodology and will create the industry’s first-ever rating criteria for network-based SSL/TLS security products. NSS will also be publishing a series of Technical Briefs on encryption.
If you are a vendor and wish to participate in this free test, or if you are an enterprise IT organization and want to see how a particular SSL/TLS device performs, please drop us a note at firstname.lastname@example.org. Our upcoming test will include leading SSL/TLS vendors and the vendors most requested by enterprises.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.