How to integrate SSL inspection with cloud services monitoring

Author: Ian Teague, Country Manager ANZ at Gigamon

Along with an Opex-leaning cost model, cloud computing’s appeal has included dynamic capacity provisioning where compute and storage resources can be added, moved and removed almost instantaneously.

While this helps companies to scale resource consumption easily, the bad news is that monitoring user experience, cloud service performance and security has become tougher.

Enterprise migration to cloud services, especially external clouds, will drive the use of HTTPS (encrypted HTTP) and other protocols running on top of the Secure Sockets Layer (SSL) to support web applications and search engines. However, SSL severely limits visibility for both cloud service performance and security monitoring tools.

Yet, NSS Labs estimates that SSL traffic now accounts for an average of 25 to 35 per cent of a typical enterprise’s network traffic and that proportion continues to grow.

The lack of visibility into uninspected SSL sessions coursing through public and private cloud networks and the use of larger ciphers are causes of concern. They not only degrade the performance of existing monitoring tools that handle SSL traffic but allow malware to be hidden within encrypted channels.

The urgency for on-the-fly SSL traffic decryption and scanning has never been greater. Security officers can manage only what they can see to fulfil the demands for highly available cloud services.

Multi-tier security SSL decryption approach

And hardware-accelerated SSL decryption will be required to tackle the growing use of HTTPS for web server sessions, network encryption on internal traffic, and particularly, the criminal use of encrypted channels to evade detection products.

The public key infrastructure encryption for SSL essentially uses the public key to encrypt, and the private key to decrypt. Only the cloud or web server that has access to the private key can decrypt data encrypted by the public key.

Monitoring tools that also decrypt SSL traffic have to bear a tremendous processing burden. They have to monitor traffic across tiers – from the data-centre, high-speed LAN to remote access and virtualised application resources in the cloud, as well as the perimeter. Hence, performance and cost of monitoring are key considerations.

A multi-tiered security solution could decrypt SSL traffic from the cloud and remote sites and monitor them. When the SSL sessions are decrypted, secure services running in the cloud can be differentiated and monitored.

Then, data centre administrators can begin to alleviate blind spots created by SSL encrypted application traffic.

Traffic intelligence solution

What’s needed is a traffic intelligence application that offloads SSL decryption and provides visibility into SSL sessions to help expose hidden threats.

That means delivering SSL decryption as a common service to connected monitoring and security tools. This frees the tools for packet analysis and eliminates the need to purchase a decryption licence for each tool.

One such solution is a visibility fabric that is built on a cluster of visibility nodes running smart traffic intelligence applications. One of these applications is SSL decryption.

A visibility fabric has access to bidirectional traffic so it can observe the exchange of public keys at the start of the transaction. The administrator loads the private keys and stores them securely on the system. The smart high-performance compute engines are then ready to decrypt the SSL traffic and forward it to performance and security tools for analysis.

Read more: App Security- the great unspoken

SSL decryption can be carried out on any traffic received on any network port in the cluster of visibility nodes. And decrypted traffic can be sent to any tool ports in the cluster.

Multiple smart applications such as header stripping, and adaptive packet filtering could be applied before the traffic is forwarded to the tools. For example, traffic can be selectively sent to inline security tools based on specific applications of interest.

The bottom line is that SSL sessions have become an essential component of enterprise security.

Because SSL is at the heart of today's enterprise infrastructure, endpoints and DMZ servers are potentially exposed to attacks without the right level of traffic visibility.

Read more: Synology cloud sync bug exposes Macs to full takeover

Decrypting and inspecting SSL sessions will enable tools to detect malware and intrusion, prevent data loss and carry out network forensics. Put simply, organisations can integrate SSL inspection into a multi-tiered security solution with decryption applied only once for all tools.

Feeling social? Follow us on Twitter and LinkedIn Now!

Tags malwaremonitoringSSLweb applicationsnetwork encryptionSSL inspectionSSL decryptionencrypted HTTP

Show Comments