December 6, 2019
In this video, A10 Networks Technical Product Manager Mubeen Alam explains what privacy and compliance concerns users have when it comes to decryption of their network traffic and how those concerns can be addressed with a decryption solution like A10's SSL Insight.
Transcript
As you know, TLS/SSL decryption and inspection is more relevant today as more than 80% of the traffic is encrypted in SSL. Without TLS/SSL decryption, all of these security devices that you see here, such as the IDS, next-gen firewall, DLP, or antivirus appliance, will be blindsided to any malware or threats hiding in the encrypted traffic. But oftentimes, security admins have apprehensions about decrypting traffic.
For instance, they are often worried whether they are violating any user privacy or any other laws that are applicable to their country by decrypting traffic.
So, today I will try to address all of these concerns and I will try to explain how we can alleviate all of these with a good TLS/SSL decryption solution.
So, the first and foremost of these concerns is compliance. People often think that when they start decrypting traffic, they may be able to see users' financial and banking traffic or healthcare traffic and clear-text traffic. And therefore they may be violating SOX or HIPAA compliance.
And even if these laws are not applicable to their country, they may be violating users' privacy because now they can see users' credit card numbers or passwords in clear-text traffic as well. So privacy is also a big concern in these scenarios. Apart from this, oftentimes, you may not want to decrypt traffic coming from your executive suite, such as your CEO, CFO, etc.
So you do not want to touch this traffic. So how do you handle that?
So beyond these, now there are just a lot of custom apps which are available on your mobile phones that you can access through your mobile devices. These apps often come embedded with a copy of the server certificate. So, if a device tries to decrypt this traffic, the connection most often fails.
So how do you address these custom apps? How do you make sure that users continue to use these?
Now along with TLS/SSL decryption, there is also a huge growth in SaaS apps today. And a good example of this is Office 365 traffic, because Office 365 traffic allows users to collaborate in real-time. So it’s very sensitive to any kind of delays introduced by your network.
And also it relies on many smaller connections. So, how do you handle this traffic if you start decrypting traffic and introduce another device in your network security stack?
Next are reliability issues. So, now that you're decrypting traffic, how reliable is your solution? Would it really be able to identify the bad traffic? Or would it really be able to basically validate a remote server certificate, for instance, whether the certificate really matches a domain that you want to bypass or that you want to inspect? So, reliability is a big factor while deciding this. And then lastly there's the user satisfaction issue.
It all boils down to how your users will perceive your final security solution. Does it really slow down or introduce a new bottleneck to your network?
Do your users often complain about not being able to access any resources? So, how do you make sure that your user satisfaction is not impacted by any such solution?
So this is where a good TLS/SSL decryption solution such as A10 Networks SSL Insight can really help you.
With A10 SSL Insight, we give you full control over compliance standards, such as SOX or HIPAA and all other compliance standards, by our powerful web categorization feature.
With web categorization we can categorize more than 80 domains in real time and also with the cloud lookups. And using this web categorization, you can not only bypass health and finance traffic, you can also bypass or block any traffic that does not conform to your policies.
We can also address the issue of privacy by masking sensitive information, such as credit cards and user passwords.
We can also give you control over how your executive traffic is handled by integrating with the Active Directory server.
This is where you can integrate all the user IDs and group IDs and apply that, route that to your decryption policy. For custom apps, we can provide you with a list of apps that are commonly used that are known to have certificate pinning issues and you can bypass such traffic.
So that is the only solution that is available for such applications.
Now for SaaS applications such as Office 365, A10 Networks SSL Insight gives you a very good control over all the domains and class domains and IP addresses that come from Microsoft, and those domains and IP addresses are updated regularly.
And with that updated list, you can bypass reliably any of the Office 365 traffic or any other SaaS application traffic for that matter.
In terms of reliability, SSL Insight can validate your server certificate against your client SNI and you can make sure that the remote server certificate that you are bypassing or decrypting is indeed the server certificate belonging to that server and it's not spoofed by anybody.
Lastly, for user satisfaction, SSL Insight offers some of the highest performing devices in the industry.
Our highest performing device can give you decryption for up to 25 gigs on a single device and we can also offer a scale out architecture.
Not only that, you can also deploy SSL Insight in a staged manner, meaning that you can start off with a small subset of your users.
You can pass them through the SSL Insight solution and once that traffic is decrypted, and once it has stabilized, you can slowly introduce more of your users and have a streamlined approach where not all of your users are impacted all of a sudden. We can also automatically bypass any traffic that fails to negotiate with the remote server.
For instance, if there is a new cipher that we do not support, we can automatically bypass that for you and we can give you a log.
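The transcript's point about checking the server certificate against the client's SNI before honoring a bypass can be sketched as follows. This is an added example, not A10's code and not part of the original video; the bypass list, hostnames and certificate names are constructed, and it assumes the proxy has already validated the certificate chain on its own connection to the server.

```python
from typing import List, Optional

# Hypothetical bypass policy (constructed sample data, e.g. finance and health sites).
BYPASS_DOMAINS = ["*.bank.example", "health.example"]


def matches(pattern: str, host: str) -> bool:
    """RFC 6125-style name match: '*' may stand for the leftmost label only."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def decide(sni: Optional[str], cert_sans: List[str]) -> str:
    """Return 'bypass', 'inspect' or 'mismatch' for one TLS connection.

    sni       -- server name taken from the client's ClientHello
    cert_sans -- DNS names from the certificate the server presented to the proxy
    """
    if not sni:
        return "inspect"  # no SNI, so nothing to anchor a bypass decision to
    if not any(matches(d, sni) for d in BYPASS_DOMAINS):
        return "inspect"  # name is not covered by the bypass policy
    # The SNI is client-controlled. Honor the bypass only when the certificate
    # the server actually presented is valid for that same name.
    if any(matches(san, sni) for san in cert_sans):
        return "bypass"
    return "mismatch"  # SNI claims a bypassed site but the certificate disagrees


if __name__ == "__main__":
    # Constructed connections: (SNI, names in the server certificate)
    samples = [
        ("online.bank.example", ["*.bank.example", "bank.example"]),
        ("online.bank.example", ["files.other.example"]),
        ("news.example", ["news.example"]),
    ]
    for sni, sans in samples:
        print(sni, sans, "->", decide(sni, sans))
```

A `mismatch` result is the case worth logging and alerting on, since it means a connection tried to ride the privacy bypass with a name the server could not prove.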