Active SSL solves the ephemeral key encryption issue
Encryption is the critical enabling technology on the internet. Whether we know it or not, we use it every day, for everything from conducting business, to shopping, to sending and receiving emails. It's the fundamental building block of online data protection. And of course, as with any such security tool, the standards underpinning it have to be regularly updated to proactively address weaknesses, close security gaps and stay one step ahead of cybercriminals. Transport Layer Security (TLS) is one such standard now being updated: the latest version, TLS 1.3, is still a working draft but is due to come into force soon.
TLS 1.3 mandates the use of what are known as 'ephemeral keys', which in practice means that every individual encrypted session negotiates a brand-new set of encryption keys that are discarded when the session ends (the property known as forward secrecy). The upshot for cybercriminals is that if they manage to break into a single encrypted session, they can't then use that information to compromise earlier or later sessions.
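The per-session behaviour described above can be seen in a small ephemeral Diffie-Hellman handshake. The following is an added illustration, not code from the original post or from Ixia: it uses a toy group (`P`, `G`) chosen for readability rather than a real TLS group, and the `run_handshake` and `sessions_use_distinct_keys` helpers are constructed for this example. Each session draws fresh private values, derives one shared session key, and throws the private values away, so nothing captured from one session helps with the next.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only.
# Real TLS 1.3 uses named groups such as x25519 or secp256r1; this small
# Mersenne prime keeps the arithmetic readable and is NOT secure.
P = 2**127 - 1
G = 5
FIELD_BYTES = 16  # every value mod P fits in 16 bytes


def generate_ephemeral_keypair():
    """Fresh private exponent and public value for exactly one session."""
    priv = secrets.randbelow(P - 2) + 1          # 1 <= priv <= P-2
    pub = pow(G, priv, P)
    return priv, pub


def derive_session_key(priv: int, peer_pub: int, transcript: bytes) -> bytes:
    """HKDF-style extract-then-expand over the DH shared secret.

    The transcript hash binds the key to both public values, mirroring how
    TLS 1.3 mixes the handshake transcript into its key schedule.
    """
    shared = pow(peer_pub, priv, P)
    ikm = shared.to_bytes(FIELD_BYTES, "big")
    prk = hmac.new(transcript, ikm, hashlib.sha256).digest()            # extract
    return hmac.new(prk, b"session key\x01", hashlib.sha256).digest()  # expand


def run_handshake(session_id: bytes) -> bytes:
    """Simulate one client/server session and return its session key.

    Both ephemeral private exponents are local variables: once the function
    returns they are gone, which is what makes the key 'ephemeral'.
    """
    client_priv, client_pub = generate_ephemeral_keypair()
    server_priv, server_pub = generate_ephemeral_keypair()

    transcript = hashlib.sha256(
        session_id
        + client_pub.to_bytes(FIELD_BYTES, "big")
        + server_pub.to_bytes(FIELD_BYTES, "big")
    ).digest()

    client_key = derive_session_key(client_priv, server_pub, transcript)
    server_key = derive_session_key(server_priv, client_pub, transcript)
    if client_key != server_key:
        raise RuntimeError("key agreement failed")  # cannot happen for honest peers
    return client_key


def sessions_use_distinct_keys(count: int) -> bool:
    """Run `count` sessions with the same session_id and check that no key repeats."""
    keys = {run_handshake(b"constructed-session") for _ in range(count)}
    return len(keys) == count


if __name__ == "__main__":
    k1 = run_handshake(b"session-1")
    k2 = run_handshake(b"session-2")
    print("session 1 key:", k1.hex())
    print("session 2 key:", k2.hex())
    print("keys independent across 10 sessions:", sessions_use_distinct_keys(10))
```

The point for monitoring is the last helper: because every session key is the output of a fresh exchange, a passive tap holding only a server's long-term private key cannot reconstruct these keys, which is exactly why inline (active) decryption is needed once ephemeral key exchange is mandatory.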
Hidden from cybercriminals – and cyber security
While this represents a great improvement in online security, and is likely to be adopted everywhere on the Web, it also creates challenges. The biggest issue is that the more data is encrypted by default, the more common it is for blind spots to be generated within corporate networks. After all, data that could once be captured and sent to security and monitoring tools for analysis suddenly becomes unreadable by those tools. In turn, malicious content such as malware downloads arrives already encrypted, hidden within the stream of normal encrypted traffic.
Decryption, so that traffic can then be inspected, sounds like the obvious answer, but this is not a straightforward process. Your organization is likely to have multiple tools that need to see clear-text traffic, and this creates a hefty processing burden. Decryption (and re-encryption) also carries a high CPU cost, making it inefficient to run this SSL function separately on each security tool. Then there are difficulties around serially chaining multiple security tools together while properly handling and protecting clear-text traffic, and maintaining the isolation of clear-text traffic for regulatory compliance.
Active SSL is the answer
There is a solution – and it centers around network packet brokers (NPBs). By building SSL decryption capability into your NPBs, it's possible to address the above challenges. Integrating SSL decryption capabilities within an NPB is simpler and easier than any other alternative, and it carries no performance impact for decryption and re-encryption.
What's more, the NPB easily connects dozens of security tools to the traffic they need to inspect, which means the NPB can become a central hub for visibility into network traffic. The NPB can also maintain the isolation of clear-text traffic, and it delivers highly resilient security processing with load-balancing of tools and fail-open behavior.
Decrypted traffic can potentially be seen by anyone with access to network monitoring tools, and this is particularly problematic for monitoring data stored in DLPs, logs, and other databases, as it often violates regulatory compliance mandates. Once again, NPBs can help, by masking data that doesn't need to be exposed. In short, SSL-enabled NPBs can decrypt network data, aggregate it and filter it, apply data masking as needed and only then distribute it to the proper security and monitoring tools for analysis.
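The decrypt, filter, mask and distribute workflow described above, as an added example that is not part of the original post and is not Ixia's or Vision ONE's code. The decryption step is assumed to have already happened (the input is constructed clear-text records), the `TOOLS` table and its `may_see_clear_text` flag are assumptions for this illustration, and the masking rules are deliberately simple regular expressions for card numbers and e-mail addresses.

```python
import re
from typing import Dict, List

# Constructed sample of already-decrypted request records, as an NPB would
# hand them on after SSL decryption.
DECRYPTED_RECORDS = [
    "POST /checkout card=4111111111111111 email=alice@example.com",
    "GET /static/logo.png",
    "POST /login user=bob@example.com",
]

# Assumed tool inventory: only the DLP engine is allowed to see clear-text
# identifiers; the SIEM and IDS receive masked copies so that nothing stored
# in their databases carries the sensitive values.
TOOLS = {
    "dlp": {"may_see_clear_text": True},
    "siem": {"may_see_clear_text": False},
    "ids": {"may_see_clear_text": False},
}

PAN_RE = re.compile(r"\b\d{13,16}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_relevant(record: str) -> bool:
    """Filter step: drop static-asset fetches that no security tool needs."""
    return "/static/" not in record


def _mask_pan(match: re.Match) -> str:
    digits = match.group(0)
    return "*" * (len(digits) - 4) + digits[-4:]  # keep last four for correlation


def mask_record(record: str) -> str:
    """Masking step: hide card numbers and e-mail addresses."""
    record = PAN_RE.sub(_mask_pan, record)
    return EMAIL_RE.sub("<email-masked>", record)


def distribute(records: List[str], tools: Dict[str, dict]) -> Dict[str, List[str]]:
    """Aggregate, filter, mask as needed, then fan out one copy per tool."""
    relevant = [r for r in records if is_relevant(r)]
    masked = [mask_record(r) for r in relevant]
    return {
        name: (relevant if cfg["may_see_clear_text"] else masked)
        for name, cfg in tools.items()
    }


if __name__ == "__main__":
    for tool, feed in distribute(DECRYPTED_RECORDS, TOOLS).items():
        print(tool)
        for line in feed:
            print("   ", line)
```

Running it shows the SIEM and IDS copies with `card=************1111` and `<email-masked>`, while the DLP feed keeps the original values; the static asset request appears in no feed at all.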
At Ixia, we have introduced Active SSL capability to our flagship Vision ONE NPB. This new feature turns Vision ONE into a single hub on the network for complete visibility into all traffic. Active SSL provides visibility into traffic encrypted with ephemeral keys, offloads the SSL burden from security tools, and improves network security.
TLS 1.3 is another positive step in developing encryption standards and protocols, and keeping organizations one step ahead of cybercriminals. But enterprises cannot just sit back and watch these new standards come into force – they also have a responsibility to ensure the technology on their own networks can keep pace. Active SSL helps them to do that. To find out more, why not download our white paper on active SSL decryption, or contact us for a demo.