As most traffic becomes encrypted, and with ephemeral key exchange on its way to becoming the dominant technology, organizations need a way to retain the benefits of Transport Layer Security (TLS) 1.3 while still being able to inspect traffic for threats and malware to protect their networks and users.
Ixia's Active Secure Sockets Layer (SSL) capability, an addition to its SecureStack feature set, enables organizations to see inside traffic that uses ephemeral key cryptography through its visibility platform. Ixia's Active SSL can be used both inline and out-of-band, for outbound and inbound traffic and it can be used simultaneously with NetStack, PacketStack and AppStack capabilities. The Active SSL capability will be available via a high-performance application module that is compatible with Vision ONE™, a turnkey network packet broker that provides high-performance, lossless visibility. With a dedicated cryptographic processor, Active SSL provides the best throughput integrated with a visibility solution. Moreover, it includes built-in policy management, Uniform Resource Locator (URL) categorization, support for all leading ciphers and reporting.
A Security Dilemma
Organizations encrypt internet exchanges to protect themselves and their users — in particular, to protect sensitive information such as credit card numbers, social security numbers, etc. As of 2016, both Firefox and Google have shown that over 50% of sites visited via their browsers encrypt traffic. This encryption helps prevent identity theft, security breaches, and data leaks. However, much like a Trojan horse, encryption can also be the way malware and other threats are inserted into networks. According to Gartner, by 2020 more than 60% of organizations will fail to decrypt Hypertext Transfer Protocol Secure (HTTPS) efficiently, missing most targeted web malware. Moreover, hackers are becoming more clever and some forms of encryption are becoming more vulnerable.
The solution to this dilemma is two-fold:
- Use encryption technology that is harder to compromise
- Inspect all encrypted traffic for threats as part of organizations' security and monitoring policies
Why Ephemeral Key
Secure Sockets Layer (SSL) and Transport Layer Security (TLS), both of which are commonly referred to as "SSL," are technologies in which data is scrambled or "coded" to protect communications over a computer network. As shown to the right, the technology basically works by encrypting information with a public key (provided by the server) before sending it over the internet. The receiving party (the server) is able to decrypt the data because it holds the other half of the equation, the private key.
The dominant key exchange technology had been Rivest-Shamir-Adleman (RSA), which uses static keys. This means that a server has one given key for its communications, so if this key is somehow compromised, any communication from that server is exposed. To address this concern, many organizations and regulatory bodies are shifting to using and mandating ephemeral key encryption, most commonly Elliptic Curve Diffie–Hellman Ephemeral (ECDHE), in which a new key is generated for each exchange.
Perfect Forward Secrecy and TLS 1.3
Let us consider static keys to be like physical keys — if one is stolen or copied, the person with the key can access all communications locked by that key. In contrast, an ephemeral key is like a one-time number generated by a mobile app for a specific exchange. If the number is stolen, it can only be used to unlock that one exchange; all other exchanges are still protected. This perfect forward secrecy is what makes ephemeral key exchange compelling.
Tech industry leaders including Google, Facebook, Mozilla, and more are announcing their shift to ephemeral key exchange to provide greater security for users. The upcoming TLS 1.3, the latest TLS protocol standard, expected to be published in 2017 by the Internet Engineering Task Force (IETF), will increasingly favor ephemeral key exchange.
Ixia's Active SSL
- Offload SSL Decryption
- Inline & OOB
- Outbound & Inbound
- Limitless Visibility
- Easy Management
- Real-time Insight
Decrypt network traffic once and inspect many times to scale your security and monitoring infrastructure. SSL decryption can take up to 60-80% of a tool's capacity, meaning the majority of time is spent decrypting versus the more critical inspecting of traffic. Moreover, some tools aren't even able to decrypt SSL traffic.
By offloading the SSL decryption, you achieve the following:
- Better ROI for security and monitoring tool investment
- Improved performance of security and monitoring tools
- Ability to scale security and monitoring infrastructure
- Complete visibility into encrypted traffic, even traffic encrypted with ephemeral key
Active SSL can be used for both inline and out-of-band deployments.
- Inline: traffic that is coming into or leaving the network can be inspected en route. With Active SSL, data that comes into a network packet broker is decrypted and then sent to security and monitoring tools. After inspection, tools send the data back to the network packet broker, where it is re-encrypted by the Active SSL capability. By default, the same cipher is used, but you can apply any policy required. Data is then routed back to the network. For optimal security, this is done with a bypass switch in an active-active resilient architecture. Re-encrypting the data with an ephemeral key ensures network security while allowing inspection, the best of both worlds!
- Out-of-band: traffic comes into the network packet broker and is decrypted, copied and sent to out-of-band security and monitoring tools. These tools use the decrypted traffic to generate alerts.
- Simultaneous deployment: With Ixia's Vision ONE, both inline and out-of-band modes can be used at the same time. So security and monitoring tools appropriate for each mode can be used in the same deployment.
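The forward-secrecy argument above and the inline versus out-of-band distinction can be seen in a few lines of code. The following Go program is an added illustration, not Ixia code: it runs ECDHE (X25519) handshakes with fresh key pairs per session, and models an inline inspection point that completes its own exchange with each side. The function names and the SHA-256 key derivation are assumptions for the example; TLS 1.3 uses HKDF over the same shared secret.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// derive turns the raw X25519 shared secret into a fixed-size session key
// (stand-in for the TLS 1.3 key schedule; constructed for this example).
func derive(priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey) [32]byte {
	secret, err := priv.ECDH(peerPub)
	if err != nil {
		panic(err) // only fails on a malformed public share
	}
	return sha256.Sum256(secret)
}

// gen makes a fresh ephemeral key pair; in TLS 1.3 each side does this per handshake.
func gen() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Handshake runs one ECDHE exchange. Only the two public shares cross the wire;
// the private shares are dropped on return, so a passive tap that recorded the
// traffic holds nothing that will ever recover the key (forward secrecy).
func Handshake() (clientKey, serverKey [32]byte) {
	client, server := gen(), gen()
	return derive(client, server.PublicKey()), derive(server, client.PublicKey())
}

// InlineInspect models an inline decryption point. It completes the client's
// exchange with its own ephemeral share and opens a second, independent
// exchange to the server, so it holds a key for each leg and can decrypt,
// inspect and re-encrypt, which an out-of-band tap on ECDHE traffic cannot.
func InlineInspect() (clientLeg, serverLeg [32]byte, legsAgree bool) {
	client, server := gen(), gen()
	toClient, toServer := gen(), gen()
	clientLeg = derive(toClient, client.PublicKey())
	serverLeg = derive(toServer, server.PublicKey())
	// each endpoint derives the same key for its own leg as the inspector did
	legsAgree = derive(client, toClient.PublicKey()) == clientLeg &&
		derive(server, toServer.PublicKey()) == serverLeg
	return
}
```

Two calls to Handshake never yield the same key, which is exactly why a stored server private key (the RSA case) no longer lets an out-of-band tool decrypt traffic, and why an inline device must take part in each exchange.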
Active SSL can be used for both outbound and inbound network traffic.
- Outbound: Users from within a network – such as a university, corporate, carrier, etc. – can download or access data from anywhere on the Internet. With Active SSL, downloads can be decrypted and inspected inline before they are sent to the user. This helps organizations prevent malware, ransomware and other threats from penetrating their networks.
- Inbound: Inbound traffic from the Internet (users initiating contact to an organization's server) can be decrypted and inspected both inline and out-of-band. This can be used to detect an attack over an encrypted connection. An example would be an SQL injection attack against a web server.
With Ixia, traffic can be decrypted and then packets trimmed, headers stripped and more, before sending to out-of-band security tools. This increases tool efficiency and operating life.
For inline deployments, decryption and filtering can happen in any order. Using Application Identification, packets can be selectively filtered based on application, browser, OS or more and then decrypted for inspection. Using application identification helps minimize impact by only decrypting relevant traffic, so security and monitoring tools only get relevant traffic. Traffic can also be decrypted and then personally identifiable information (PII) can be masked with Data Masking Plus to protect users and organizations.
Using many features concurrently ensures optimized security policy enforcement while allowing tools to operate efficiently, improving the life of security and monitoring tools.
As Ixia is known for, the Active SSL capability is easy to configure and manage as part of your Vision ONE network packet broker setup and deployment.
Vision ONE includes flexible policy configuration for maximum security and support of multiple concurrent contexts.
Upgrades to higher throughput are easy with a simple license modification. Active SSL is offered with 1G, 2G, 4G or 10G licenses. No additional hardware or massive upgrades requiring configuration changes are needed to move among licenses.
Ixia's Active SSL comes with real-time onscreen analytics that include details on throughput, sessions and crypto data. With the ability to mouse over and drill down, it ensures you can keep track of all your data. Active SSL also includes error and exception logging and the ability to access historical data.
Supports Leading Ciphers
Active SSL supports all leading ciphers that are indicated in the TLS 1.3 draft. As the draft evolves and is released, Ixia will continue to add support for leading ciphers.
"With the TLS 1.3 standard implementing ephemeral keys, organizations will find decrypting and inspecting encrypted traffic to be more complex and resource intensive. Solutions like Ixia’s Active SSL will enable organizations to gain visibility into their current network traffic efficiently, with less disruption to their networks, as well as their monitoring tools and security devices."
Security Resilience with Active SSL
Active SSL seamlessly integrates into Ixia's fail-safe security architecture for inline deployments. Combined with Ixia's threat intelligence gateway, ThreatARMOR™, Active SSL creates an even more robust inline architecture that can block bad Internet Protocol (IP) addresses, handle encrypted traffic, and protect your network with active-active high availability configurations that ensure continuous traffic inspection and near-instant recovery.