Page 1: Is Your Security Blind to SSL/TLS?
November 17, 2016

Page 2: Presenters
• Jerry Daugherty, Practice Manager, NSS Labs, [email protected]
• Michael Lynge, Sr. Product Marketing Manager, NSS Labs, [email protected]
• Bhaarath Venkateswaran, Director of Product Management, NSS Labs, [email protected]

Page 3: Who is NSS Labs?
Research & Advisory
• Solution trends
• Best practice solution architecture guidance
• Analyst inquiries
• Security advisory days
• Webinars/education
Objective Purchase Insight
• Product modeling
• RFP templates
• TCO modeling kits
Security Vendor Testing
• Security efficacy
• Solution performance
• Cost of ownership
Cyber Advanced Warning System™
• Continuous exploit visibility
• Continuous target asset identification
• Continuous security measurement
• Product comparatives
• SaaS or API

Page 4: SSL/TLS Overview
• Secure Socket Layer / Transport Layer Security (SSL/TLS)
  o 1994 SSL 1.0 (Netscape – never released)
  o 1995 SSL 2.0 (Netscape – security flaws)
  o 1996 SSL 3.0 (Netscape – rewrite)
  o 1999 TLS 1.0 (IETF – became RFC)
  o 2006 TLS 1.1 (IETF – cipher-block chaining)
  o 2008 TLS 1.2 (IETF – multiple enhancements)
  o 2016 TLS 1.3 (IETF – current working draft)
• HTTP over TLS (HTTPS)
  o Entire HTTP protocol is encrypted
Handshake diagram (client on the left, server on the right):
  Client → Server: Client hello
  Server → Client: Server hello, Certificate, Server key exchange, Certificate request, Server hello done
  Client: Verify certificate
  Client → Server: Client key exchange, Certificate verify, Change cipher spec, Client finished
  Server: Verify certificate
  Server → Client: Change cipher spec, Server finished
  Client ↔ Server: Application data (encrypted)

Page 5: Business vs. Technology Impact
• 40.5% of the Internet's 140,132 most popular websites have HTTPS by default
• Encryption technologies implemented in enterprises today:
  o Data in motion (e.g., virtual private networks, web communications between browser and web servers)
  o Data at rest (e.g., databases, whole disk encryption for servers, desktops, mobile devices)
  o Encrypted web communication (utilizing HTTPS)

Page 6: Business vs. Technology Impact
Business drivers and impact:
• Control access to, and maintain the integrity of, intellectual property
• Maintain confidentiality of financial transactions (PCI-DSS), personally identifiable information (PII), etc.
• Improve ranking for Google search engine results
• Reduce exposure to protocol-specific attacks (e.g., Heartbleed)
• Reduce risk from increased wireless access points
• Enterprise employees consume encrypted content for personal reasons (Gmail, banking, etc.)
• Enterprise content is hosted internally

Page 7: Business vs. Technology Impact
Technology impact:
• Enterprise's ability to scale and implement SSL
• Technology supporting SSL relies on server certs, protocol support, key exchange, cipher strength
• Understanding SSL impact with traditional layers of defense
• Encryption/decryption/hybrid – a constant challenge
• Performance impact – SSL securely exchanges all data over a network (e.g., file transfers, VPN connections, instant messaging, content transactions, VoIP)
• Balancing SSL security and legacy application support (backward compatibility)

Page 8: Current Challenges
• SSL performance for appliances is typically lower than network appliance performance
• Evaluating appliance-based network performance is easier than evaluating SSL performance
• NSS research indicates the majority of threats using SSL as a transport fall into the targeted persistent attack (TPA) category
• Certification authorities (CAs) – weakest link
• Privacy and confidentiality vs. visibility against threats/data exfiltration
• Security flaws with SSL/TLS protocols
• Enterprise compliance, segmentation, zoning-based implementation/deployment challenges

Page 9: SSL/TLS Vendor Landscape Overview
• Hardware-based security appliance vendors
  o On-box inspection vendors (perimeter, internal enterprise networks)
  o Offloading – primarily decryption – vendors (server-side/data center infrastructure)
  o VPN-based vendors (only VPN support)
• Software-based SSL security vendors are not in scope for this version

Page 10: SSL/TLS Vendor Landscape Overview (vendor landscape figure)

Page 11: The Need for SSL Testing
• Enterprise-based breaches over SSL are on the rise
• Enterprise visibility: identifying and decrypting SSL/TLS connections and application traffic across the network is critical (threats and data loss)
• SSL/TLS-based security appliances are proving to be ineffective
  o Multiple cipher suites are not supported by the security appliance vendors
  o SSL/TLS communications occurring over non-standard ports – not visible
  o Unable to decrypt traffic even at 50% of their advertised SSL/TLS-based throughput (due to processor, computational algorithm metrics)
  o Fast-pathing connections at high rates without decryption
• Understanding and rating SSL/TLS network-based security appliances on decryption performance, latency, maximum connection rates becomes extremely important
• NSS Labs' first foray into testing SSL/TLS for enterprises

Page 12: NSS Labs Methodology
• Use of SSL and its newer iteration, TLS, has been on the rise with the ever-increasing need for privacy online
• Modern cyber campaigns frequently focus on attacking users through the most common web protocols and applications
• NSS continues to receive inquiries from enterprise customers during their assessments of vendors that provide SSL/TLS decryption and protection technologies
• NSS has developed a methodology to test capabilities and performance of devices providing SSL/TLS protection

Page 13: Deployment Scenarios
• Our test methodology is intended to support and test various deployment methods, including:
  o Man-in-the-middle
  o Forward proxy
  o Reverse proxy
  o Pure decryption offload

Page 14: Methodology Overview
• NSS Test Methodologies are designed to address challenges faced by enterprise security/IT professionals in selecting and managing security products
• Scope of this particular methodology includes:
  o Verification of SSL/TLS capability
  o SSL/TLS performance
• Based on needs identified in NSS' research, the following capabilities are considered essential in SSL/TLS-capable devices:
  o Ability to perform SSL inspection
  o Ability to negotiate to all modern ciphers and key sizes
  o Support for common TLS extensions and TLS profile enforcement
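The handshake on page 4 opens with a ClientHello that an inspection device sees in clear text, and page 14 names cipher negotiation and TLS profile enforcement as essential capabilities. The Python below is an added example, not NSS Labs' test tooling: it recognizes a ClientHello record regardless of the port it arrives on, extracts the offered cipher suites and SNI, and lists what a TLS-1.2-minimum, no-RC4/3DES profile would flag. The sample record, the host name intranet.example and the weak-suite table are constructed for illustration.

```python
import struct

def build_sample_client_hello(suites, sni):
    """Assemble a constructed TLS 1.2 ClientHello record (test input, not a capture)."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                    # version, random, empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)           # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type 22 = handshake

def parse_client_hello(data):
    """Return version, offered cipher suites and SNI of a ClientHello record; None if it is not one."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None
    rec_len, hs_len = struct.unpack("!H", data[3:5])[0], int.from_bytes(data[6:9], "big")
    if rec_len != hs_len + 4 or len(data) < 5 + rec_len:
        return None                  # truncated or inconsistent lengths: do not trust it
    p = 9
    version = (data[p], data[p + 1])
    p += 2 + 32                      # skip client_version and random
    p += 1 + data[p]                 # skip session id
    n = struct.unpack("!H", data[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", data[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + data[p]                 # skip compression methods
    sni = None
    if p + 2 <= len(data):
        end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            p += 4
            if etype == 0 and elen >= 5:   # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
                sni = data[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    return {"client_version": version, "cipher_suites": suites, "sni": sni}

# Suites an enforcement profile might refuse (RC4, 3DES); IANA names, not NSS Labs' test list.
WEAK_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}

def profile_violations(hello, min_version=(3, 3)):
    issues = ["client version below TLS 1.2"] if hello["client_version"] < min_version else []
    return issues + [WEAK_SUITES[s] for s in hello["cipher_suites"] if s in WEAK_SUITES]

SAMPLE_CLIENT_HELLO = build_sample_client_hello([0xC02F, 0xC030, 0x002F, 0x0005, 0x000A], "intranet.example")
```

Fed the first bytes of a flow on any port, the parser either returns the negotiable parameters a device must handle or returns None for non-TLS or truncated data, which is the distinction behind the "non-standard ports – not visible" finding on page 11.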

Page 15: SSL Methodology: Overall Focus
• Decryption performance
• Encryption/inspection validation
• Cipher negotiation
• SSL functionality validation
• Connection rate
• Response times

Page 16: SSL Methodology: Performance Focus
Performance:
• Application response time
• Max SSL/TLS handshakes
• Max decryption performance
• Max connections supported

Page 17: SSL Methodology: Functionality Focus
• TLS profile enforcement
• Cipher negotiation and support
• Session reuse
• Popular cipher suites

Page 18: Our Objective
• SSL encryption has increased over the years, and many products have come to the fore to protect that traffic.
• Until now, no comprehensive, methodical test has been performed to validate performance and functionality across multiple technologies and manufacturers.
• The NSS Labs SSL/TLS test is designed to be a well-thought-out, data-driven approach to give enterprises the information they need to protect their networks in the encryption age.

Page 19: Test Details
• Cipher suites and key sizes
  o Over 75 tests that cover this range of cipher suites and keys
• Manufacturer and enterprise feedback
• Testing gear and tools

Page 20: Test Deliverables
• Individual Test Reports for each vendor
• Performance results for each cipher suite selected
  o Results provided in both tables and graphs
• Matrix of supported cipher suites based on testing
• Results of functionality testing

Page 21: Q&A