Encryption protects network traffic from hackers and cyber criminals, but it also prevents security and monitoring tools from seeing inside the packets passing through the network. Many organizations allow encrypted traffic to flow through their networks without fully inspecting it, and hackers often use encryption to hide malware and to launch attacks that hijack user networks. To maintain a strong defense and reduce the risk of security breaches and data loss, all network traffic must be decrypted, inspected, and re-encrypted.

The burden of decryption

Decryption devices must be powerful. To resist attacks on the data, key lengths and algorithms keep growing longer and more complex. Years ago, NSS Labs conducted tests that showed an average performance drop of 81% for eight leading firewalls when the key size went from 1024 bits to 2048 bits. SSL decryption, however, does not need to be done at the firewall. New strategies have emerged to offload the decryption work and send plain text to the tool, allowing it to work efficiently and handle more traffic. The following four strategies can make decryption easier, faster and more cost-effective.
Strategy 1: Remove malicious traffic before decryption

Many IP addresses that have been used in cyber attacks are reused and published within the security community. Specialized organizations track and identify known cyber threats every day and store this information in threat intelligence databases. By comparing incoming and outgoing packets against such a database, malicious traffic can be identified and blocked from the network. Because the comparison is done on the plaintext packet header, this strategy does not require decrypting the packet. Filtering out traffic associated with known attackers in advance reduces the number of packets that need to be decrypted. Since this is also the traffic that would trigger security alerts, eliminating it helps security teams work more efficiently.

The quickest way to deploy this strategy is to install a dedicated hardware appliance, called a threat intelligence gateway, in front of your firewall. This appliance is designed to block malicious traffic quickly and at scale, including traffic from untrusted countries, and it continuously updates itself from a comprehensive threat intelligence feed. Once installed, the gateway requires no human intervention, and no filters need to be created or maintained. Malicious traffic is either dropped immediately or sent to a sandbox for further analysis. Depending on your industry and the frequency of malicious attacks, you can reduce security alerts by up to 80%.

Alternatively, you can configure custom filters on the firewall to block specific IP addresses. Unfortunately, firewall filters must be manually configured and maintained, and there are limits on the number of filters that can be created. The explosive growth of connected devices and of attacking IP addresses has stretched firewall capabilities. In addition, tying up an advanced device such as a firewall just to perform a simple lookup is not a cost-effective way to block traffic.
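The pre-decryption triage described above, as an added example that is not part of the original article or of any vendor's product: flows are classified using only plaintext header fields (source and destination IP), so threat-intel matches are dropped and policy exemptions are bypassed before anything reaches the decryption engine. The feed, the bypass list and the sample flows are constructed from documentation address ranges, not real indicators.

```python
import ipaddress
from collections import Counter

# Constructed threat-intelligence feed (documentation ranges, not real indicators).
THREAT_FEED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]

# Constructed policy exemption: destinations that are forwarded without decryption
# for policy reasons (the "exceptions" a decryption log should record).
POLICY_BYPASS = [ipaddress.ip_network("192.0.2.128/25")]


def classify_flow(src: str, dst: str) -> str:
    """Decide what happens to a TLS flow using only its plaintext IP header."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in net or d in net for net in THREAT_FEED):
        return "drop"       # known-bad peer: never consumes decryption cycles
    if any(d in net for net in POLICY_BYPASS):
        return "bypass"     # forwarded encrypted, logged as a policy exception
    return "decrypt"        # handed to the decryption engine, plaintext goes to tools


def triage(flows):
    """Classify every (src, dst) pair; return per-action counts and an exception log."""
    decisions = Counter()
    exceptions = []
    for src, dst in flows:
        action = classify_flow(src, dst)
        decisions[action] += 1
        if action != "decrypt":
            exceptions.append(f"{src}->{dst} {action}")
    return decisions, exceptions


def decryption_reduction(flows) -> float:
    """Share of flows that the header-only prefilter keeps away from the decryptor."""
    decisions, _ = triage(flows)
    return (decisions["drop"] + decisions["bypass"]) / len(flows)


# Constructed sample of TLS flows seen at the network edge.
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.22"),   # destination in the threat feed
    ("203.0.113.7", "10.0.0.9"),     # inbound from a listed source
    ("10.0.0.5", "192.0.2.200"),     # policy-exempt destination
    ("10.0.0.6", "192.0.2.10"),      # ordinary flow, decrypt and inspect
    ("10.0.0.7", "192.0.2.55"),      # ordinary flow, decrypt and inspect
]

if __name__ == "__main__":
    counts, log = triage(SAMPLE_FLOWS)
    print(dict(counts), log, f"{decryption_reduction(SAMPLE_FLOWS):.0%} kept off the decryptor")
```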
Strategy 2: Seek advanced decryption capabilities

After removing encrypted packets to and from malicious sources, the remaining data still has to be processed by a decryption device. Many security tools, such as next-generation firewalls (NGFW) and intrusion prevention systems (IPS), have SSL decryption capabilities. However, an article published by NSS Labs warns that some security tools may lack support for the latest ciphers and key sizes, may miss SSL sessions on non-standard ports, may not decrypt at their advertised throughput, or may even let some connections through without decrypting them at all.

Cryptography relies on staying one step ahead. Security solutions must support the latest encryption standards, accommodate a wide variety of keys and algorithms, and be able to decrypt traffic that uses larger 2048-bit and 4096-bit keys and newer elliptic-curve keys. As security technology grows in complexity, solutions must handle decryption efficiently and cost-effectively, without dropping packets, introducing errors, or failing to complete full inspection. As the volume of SSL traffic increases, the quality of the decryption solution becomes ever more important for achieving complete network visibility.

In addition, "defense in depth" has become a recognized best practice, and it usually calls for multiple best-of-breed security devices (such as independent firewalls and IPS). Having each of these devices decrypt and re-encrypt the traffic on its own makes the security tools inefficient, increases network latency, and reduces policy effectiveness and end-to-end visibility.

Strategy 3: Choose tools that are easy to use

Another key feature is that administrators can create and manage decryption-related policies through simple operations.
The best solutions offer a drag-and-drop user interface for building filters, with the ability to selectively forward or mask data based on content such as national ID or bank card numbers. These solutions can also easily keep complete records of every SSL key used and of every exception raised during the session (such as lost sessions, SSL failures, invalid certificates, and sessions that were not decrypted for policy reasons). These detailed logs are very valuable for auditing, forensics, network troubleshooting, and capacity planning.

Strategy 4: Plan for cost-effective scalability

As the amount of encrypted traffic increases, decryption will have a greater impact on the performance of your security infrastructure, so planning ahead is essential. While it may seem reasonable to simply "turn on" SSL decryption in a firewall or unified threat management (UTM) solution, decryption is a processing-intensive function. With the increase in SSL traffic and the additional cycles required for decryption, overall performance will suffer and tools may also experience packet loss. The only way to push more traffic through a multi-function device is to increase its overall capacity. Adding capacity incurs a large capital expenditure, and certain features carry additional costs to ensure that the device can handle decryption.

A better option is to offload SSL processing from the security tools by performing SSL decryption in a network visibility solution or network packet broker (NPB) that has SSL decryption capabilities. Many organizations use NPBs to aggregate network traffic, identify the relevant packets, and distribute them to security tools at high speed. NPBs that use hardware acceleration can process traffic at line rate with zero packet loss and automate load balancing. In addition, they eliminate the need for multiple cascaded devices to perform their own independent decryption and re-encryption. The cost of scaling NPBs is lower than the cost of scaling most security appliances and can provide a quick return on investment.

Conclusion

As more of the Internet moves to encrypted traffic, attacks within SSL traffic will become more common. To protect data and networks from hackers and cyber criminals, it is imperative to inspect all encrypted network traffic. Enterprises that have not yet implemented strict inspection of encrypted traffic greatly weaken their network security and expose themselves to unacceptable risk from breaches and data loss. Fortunately, new solutions are emerging to improve the efficiency and cost-effectiveness of SSL decryption.