Transcript of: Your Security Devices’ SSL Blind Spot (and how to remove it)
Your Security Devices’ SSL Blind Spot (and how to remove it)
Yaron Azerual, ADC Product Marketing Manager
Agenda:
1. The World of Internet Encryption is Changing!
2. Enterprise Perimeter Security Must Adopt
3. Customer Case & Summary

Part 1: The World of Internet Encryption is Changing!
What percentage of your internet traffic is encrypted?
First the facts: as of 2016, over 50% of internet traffic is already encrypted
– It took 16 years to reach 40% encryption, and 1 more year to reach 50%!
– The adoption rate is accelerating
Drivers and Market Trends
As of mid-2016, most devices used encryption for more than 50% of their communication
https://www.google.com/transparencyreport/https/metrics/?hl=en
• More concerns around privacy, mainly in social media
• Adoption of HTTP/2
• Google encrypts all of its services (including YouTube)
• Netflix encrypts most of its streaming services
• The Cloud trend requires encrypted communication
Why Is the Internet Growing Darker?
(Chart: CPU power required vs. encryption strength for RSA 128-bit, 256-bit, 512-bit, 1024-bit, 2048-bit and 4096-bit keys, and for Elliptic Curve Cryptography (ECC))
The Datacenter’s Challenge of Elliptic Curve Cryptography
TLS 1.3 dropped support for RSA!
• Elliptic Curve (ECC) is a new cryptography protocol adopted by the TLS 1.3 standard
– It provides stronger encryption with smaller keys
– Lighter in CPU resources
– Mobile devices are the first to adopt it (saving battery)
• None of the existing SSL acceleration devices were designed to support ECC
– They provide very poor performance when processing SSL with ECC
• This will require the industry to refresh their ADC devices to support ECC
– And to provide the growing SSL processing capacity required
Radware’s Alteon ADC – Leader in SSL Price-Performance
• Radware has teamed up with Intel to deliver the most cost-effective SSL acceleration solutions
• Using Intel’s SSL libraries and Intel’s latest acceleration cards in the Alteon D-line
– Optimized the SSL processing code to double Intel’s capacity
• Available throughout the Alteon D-line appliances
• Available with all Alteon D-line virtual appliances
• Available in the Cloud
(Chart: SSL price-performance of the Alteon D-5208 and Alteon D-8820)
Part 2: Enterprise Perimeter Security Must Adopt
Why Does Perimeter Security Avoid Inspecting Encrypted Traffic?
(Diagram: perimeter security devices – DLP, NGFW, Anti-Malware, IPS, DDoS Protection)
• Some devices don’t support SSL decryption
• Device capacity drops by up to 70%
• Encrypted traffic processing adds delay per device
• Increases solution complexity
• SSL processing can double the solution’s cost
• Over 50% of traffic in enterprises is encrypted
• By 2017, 50% of attacks will be encrypted (Source: Gartner SSL report)
• 80% of organizations don’t inspect SSL traffic (Source: Gartner SSL report)
Use Cases where SSL Support is Critical
(Diagram: Enterprise Perimeter Security, Applications, Datacenter, DDoS Protection and Cloud, with DLP, NGFW, Anti-Malware and IPS devices)
1. Inbound SSL Inspection
2. Outbound SSL Inspection
Introducing Radware’s SSL Inspection Solution with Firewall Load Balancing
(Diagram: WAN – Perimeter – LAN; server-facing SSL handshake, client-facing SSL handshake, Servers)
• Intercept target data flows to:
– Offload SSL processing from the firewall
– With optimized price-performance hardware and software
• Re-encrypt traffic to maintain privacy
• Load balance firewalls (ingress)
– Enable cost-effective capacity upgrades
– More cost-effective redundancy
• Load balance firewalls (egress)
– Session persistency for stateful firewalls
– Offloads SSL processing in the egress direction as well
• Activating SSL processing in firewalls results in a performance drop of 80%
– Not cost effective
– Requires a forklift upgrade to larger and much more expensive models
– Non-scalable
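Session persistency for stateful firewalls, as an added example that is not Radware’s code or the Alteon’s own algorithm: a symmetric flow key so that a session and its reply direction land on the same firewall, and rendezvous hashing so that adding a firewall for capacity moves only the sessions that go to the new unit. Firewall names and flow addresses are constructed.

```python
import hashlib
import ipaddress
from typing import List, Sequence, Tuple

# A flow is (src_ip, src_port, dst_ip, dst_port, protocol); addresses below are constructed.
Flow = Tuple[str, int, str, int, str]

def canonical_key(flow: Flow) -> str:
    """Order the endpoints so a session and its reply direction hash identically.

    A stateful firewall drops return packets of a session whose first packet it
    never saw, so ingress and egress of one session must reach the same unit.
    """
    src_ip, src_port, dst_ip, dst_port, proto = flow
    a = (int(ipaddress.ip_address(src_ip)), src_port)
    b = (int(ipaddress.ip_address(dst_ip)), dst_port)
    lo, hi = sorted([a, b])
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"

def pick_firewall(flow: Flow, firewalls: Sequence[str]) -> str:
    """Rendezvous (highest-random-weight) hashing over the firewall pool.

    A session goes to the firewall with the highest score for its key, so adding
    a unit only moves the sessions that score highest on the new unit.
    """
    key = canonical_key(flow)

    def score(fw: str) -> int:
        return int.from_bytes(hashlib.sha256(f"{key}|{fw}".encode()).digest()[:8], "big")

    return max(firewalls, key=score)

def reassigned_fraction(flows: Sequence[Flow], before: Sequence[str], after: Sequence[str]) -> float:
    """Share of sessions whose firewall changes when the pool grows from before to after."""
    moved = sum(1 for f in flows if pick_firewall(f, before) != pick_firewall(f, after))
    return moved / len(flows)

def sample_flows(n: int) -> List[Flow]:
    """Constructed outbound sessions from LAN users to one internet server."""
    return [(f"10.0.{i // 256}.{i % 256}", 40000 + i, "203.0.113.10", 443, "tcp") for i in range(n)]

if __name__ == "__main__":
    pool = ["fw-1", "fw-2", "fw-3"]
    out = ("10.0.0.5", 51000, "203.0.113.10", 443, "tcp")   # LAN user -> server
    back = ("203.0.113.10", 443, "10.0.0.5", 51000, "tcp")  # server -> LAN user (reply)
    print("same firewall both ways:", pick_firewall(out, pool) == pick_firewall(back, pool))
    print("moved by adding fw-4:", reassigned_fraction(sample_flows(2000), pool, pool + ["fw-4"]))
```

With three firewalls, adding a fourth reassigns about a quarter of the sessions, all of them to the new unit; a plain modulo hash would reshuffle most sessions across all units and break their firewall state.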
Inbound SSL Inspection – Alternative Architecture
(Diagram: WAN – Perimeter – LAN; server-facing SSL handshake, client-facing SSL handshake, Servers; IPS and Anti-Malware devices)
Another possible architecture for inbound SSL offloading:
– More cost effective: requires only 1/2 Alteon devices (instead of 2/4)
– Allows simpler SSL offloading for multiple device types
– The only solution that also allows load balancing per security VAS
Remove Blind Spots for Outbound Traffic
(Diagram: User – Alteon SSL Inspect – Server, with NGFW, Anti-Malware and DLP devices; Perimeter and Cloud)
• Client-facing SSL handshake (server emulation)
• Server-facing SSL handshake (client emulation)
• Reduce latency:
– Decrypt and re-encrypt only once for all security devices
– Provide much better end-user quality of experience
• Increase efficiency:
– Offload SSL processing from all security devices
– Only forward relevant traffic to the relevant security VAS
√ Remove blind spots √ Minimize latency √ Optimize your security devices’ utilization √ Optimize solution cost
Removing the SSL Blind Spot While Maintaining Employees’ Privacy
(Diagram: LAN – User – Alteon SSL Inspect – Server, with IPS, Anti-Malware, DLP and NGFW devices)
Automated URL classification ensures employees’ privacy while maximizing the organization’s data security
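The outbound policy described on the last two slides, as an added example that is not Radware’s code: decide from the TLS SNI and a URL category whether to bypass decryption for privacy, then steer each decrypted session only to the VAS relevant to it, decrypting once and re-encrypting once for the whole chain. The category names, device names, chain order and classification table are assumptions.

```python
from typing import Callable, Dict, List, Tuple

# Assumed privacy categories: sessions to these pass through still encrypted, so the
# inspection point never sees the employee's content.
PRIVACY_BYPASS = {"banking", "healthcare", "government"}
# Assumed steering rules: which security VAS is relevant to which decrypted traffic.
# Each device receives only the sessions it can act on, preserving its capacity.
VAS_RULES: Dict[str, Callable[[str], bool]] = {
    "ngfw": lambda direction: True,                         # every inspected session
    "anti-malware": lambda direction: direction == "download",
    "dlp": lambda direction: direction == "upload",
}
VAS_ORDER = ["ngfw", "anti-malware", "dlp"]  # assumed chain order
# Stand-in for the automated URL classification feed (constructed table).
CATEGORY_TABLE = {"mybank.example": "banking", "clinic.example": "healthcare"}

def classify(sni: str) -> str:
    """Category of the destination, keyed on the TLS SNI (readable before decryption)."""
    return CATEGORY_TABLE.get(sni, "general")

def should_decrypt(sni: str) -> Tuple[bool, str]:
    """Pre-handshake decision: bypass privacy-sensitive categories, decrypt the rest."""
    category = classify(sni)
    return category not in PRIVACY_BYPASS, category

def vas_chain(direction: str) -> List[str]:
    """Devices that see this session's cleartext, in chain order."""
    return [dev for dev in VAS_ORDER if VAS_RULES[dev](direction)]

def handle_session(sni: str, direction: str) -> Dict[str, object]:
    """Model the inspection point: decrypt once, traverse the relevant chain, re-encrypt once.

    `direction` (upload/download) is only known from the decrypted request, so it
    never influences the bypass decision. Crypto work is counted per session rather
    than per device, which is the latency and capacity saving of central inspection.
    """
    decrypt, category = should_decrypt(sni)
    if not decrypt:
        return {"sni": sni, "category": category, "bypassed": True, "chain": [],
                "crypto_ops": 0, "audit": f"bypass {sni} ({category}): privacy policy"}
    chain = vas_chain(direction)
    return {"sni": sni, "category": category, "bypassed": False, "chain": chain,
            "crypto_ops": 2,  # one decrypt on entry, one re-encrypt on exit
            "audit": f"inspect {sni} ({category}, {direction}) via {' -> '.join(chain)}"}

if __name__ == "__main__":
    for sni, direction in [("mybank.example", "upload"), ("files.example", "download"),
                           ("news.example", "upload")]:
        print(handle_session(sni, direction)["audit"])
```

The audit string is the record a defender wants for every bypass decision, since a bypassed category is exactly the traffic the security devices will never see.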
The Business Case of SSL Offloading for Firewalls
An enterprise with 4Gbps connectivity to the internet would normally use a Checkpoint 4600 firewall, MSRP: $15K
When the HTTPS traffic is above 20% (in this case 3Gbps):
– Requires upgrading the firewall to a much larger model
– Requires a complete forklift upgrade
Project CAPEX: Checkpoint 13500, MSRP $79K
Customer challenges: high budget and a complex project
– What will happen when the organization needs increased SSL capacity?
– Won’t address other devices’ need to inspect encrypted traffic
With a project cost of $79K, what is the ROI vs. the alternatives?
The Alternative with Radware’s SSL Inspect Solution
Project CAPEX: Alteon D-5208 Secure 12G, list price $38K
Advantages for the customer:
– Doesn’t require a forklift upgrade
– SSL capacity upgradeable through a simple license key
– Simpler HA and scalability of the entire solution
– Enables seamless firewall scalability with the same benefits
– Better ROI
CAPEX saving: $79K – $38K = $41K
OPEX: 15–20% of the $41K difference, $8K–$15K annual saving on support
Part 3: Customer Case & Summary
UPS – Security with SSL Visibility
Company overview: one of the largest courier companies in the world
Business challenges: provide visibility of SSL traffic to their DLP, Web Security Gateway and NGFW; avoid the heavy-lifting project of upgrading all their security devices
Competition: F5 and A10
Radware solution: 10 x Alteon 6024S with Security package, URL Sec subscription
Business drivers: keep the organization secure from SSL-based attacks; fast and cost-effective deployment
Why Radware? Best SSL price-performance; solution flexibility – able to support all types of security devices (L2, L3)
Summary
• The encryption standard for internet communication is evolving
– Supporting the new encryption ciphers and protocols requires specific attention
– Any future solution must support larger capacities and the latest standard
• Perimeter security devices can no longer ignore SSL traffic
– SSL decryption/encryption must be part of your perimeter security solution
– It’s not realistic to add it per device; it must be centralized