FULL TRANSPARENCY THROUGH ENCRYPTED TRAFFIC MANAGEMENT
PATRICK K. KUTTRUFF CISM CYBERDEFENSE STRATEGIST DACH/EE
Copyright © 2015 Blue Coat Systems Inc. All Rights Reserved. 3
THE CHALLENGE
• In books about firewalls and perimeter security, high walls and gates were used for illustration
• Our networks are much more complex now
• The attacker needs to trick us, the users, to get into our network (many more entry points)
• The attacker can choose the weapon and can try as often as he likes. We have to detect him every time!
SSL/TLS TRAFFIC IS PERVASIVE AND INTRODUCES RISK
[Chart: “… of all malware will use SSL by 2017*”; years 2013, 2015, 2017; values 35%, 50%, 73%]
• SSL is estimated at 35 - 50% of network traffic and growing 20% annually*
  • >70% in some industries (e.g. healthcare)
• Advanced Persistent Threats (APTs) increasingly use SSL as a transport
  • C&C traffic over SSL is the new normal (sslbl.abuse.ch)
  • SANS Analyst Whitepaper, Nov. 2013: “Beating the IPS”
*Source: Gartner
A LOOK INTO THE FUTURE
30.3.2012 (heise.de): “Google switches on SSL for searches worldwide”
9.11.2014 (heise.de): “BND wants to eavesdrop on SSL-protected connections”
15.11.2014 (heise.de): “At the 91st IETF meeting, the Internet Architecture Board called for data transmissions on the Internet to be encrypted as a matter of principle.”
19.11.2014 (golem.de): “Let’s Encrypt. A new non-profit certificate authority is meant to promote the spread of HTTPS connections. Besides Mozilla and the EFF, large companies such as Akamai and Cisco are involved.”
2.5.2015 (heise.de): “Mozilla wants to retire HTTP”
SECURITY INDUSTRY CONFIRMATION
“Less than 20% of organizations with a firewall, an intrusion prevention system (IPS) or a unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic.”
https://salesportal.bluecoat.com/#workspaces/UG9ydGFs/directories/05850000000CsmTAAS/files/06850000001W8mMAAS
SSL Inspection is a Security Best Practice
“Implement a Secure Sockets Layer (SSL) inspection capability to inspect both ingress and egress encrypted network traffic for potential malicious activity”.
—Alert TA14-353A: Targeted Destructive Malware (Dec 2014)
https://www.us-cert.gov/ncas/alerts/TA14-353A
PRIVACY AND COMPLIANCE ISSUES STALL DECRYPTION PROJECTS
[Diagram: DATA PRIVACY CONCERNS and RISK OF ADVANCED THREATS lead to requirements]
1) Manage what type of information is decrypted
2) Assure custody and integrity of encrypted data
EXISTING SECURITY INFRASTRUCTURE IS INSUFFICIENT
[Diagram: Intrusion Prevention, Next Gen Firewall, DLP, Anti-Malware, Network Forensics]
• Most security solutions are “blind” to SSL
  • DLP, IDS, Sandbox & Network Forensics
• “Tool by tool” SSL decryption doesn’t work
  • Costly upgrades: NGFW and IPS solutions suffer up to 80% performance degradation*
  • Port gnostic
  • Numerous, evolving cryptographic suites
  • Certificate and key management complexities
  • Additional complexity – arduous scripting
*Sources: NSS Labs, Gartner
STRATEGIES
Three Apes
• Ignoring the problem
• Reasons like acceptable use policy, legal concerns
• Accepting the risk created by the SSL blind spot
• CISO is responsible
Million Dollar Man
• Solving the problem with money
• Buying NGFW, IPS … (and LBs) as needed to intercept SSL
• Configuring and maintaining SSL interception on each device
• Hiring new admins
Encrypted Traffic Management (ETM) with one Solution
• Intercept SSL traffic once and feed many appliances
• Leverage the existing security devices
• Avoiding administrative overhead
• Respecting the privacy of users
EFFECTIVE DECRYPTION STRATEGY REQUIRES A PURPOSE BUILT INFRASTRUCTURE
Eliminate the SSL “Blind Spot”
• Automatic and complete SSL / TLS discovery:
  • Any port – any application
  • No complex scripting
Assure High Security Encryption
• Timely and complete standards support:
  • 70+ cipher suites and key exchanges
  • No “downgrading” of cryptography levels
Preserve Data Privacy and Compliance
• Selective decryption based on policy
  • Utilizing the Global Intelligence Network (GIN)
• Ensure data integrity and auditing
  • No modification of decrypted traffic, with “loopback” verification and logging
Cost Effectively Enhance the Existing Security Infrastructure
• Decrypt, re-encrypt, inbound and outbound traffic in a single appliance
• Feed active and passive devices simultaneously
• 2x – 3x h/w capacity upgrade avoidance – lowering CapEx
ENCRYPTED TRAFFIC MANAGEMENT: A SECURE, DEDICATED SOLUTION
• Eliminate the encrypted traffic blind spot
• Assure high security encryption
• Cost-effectively enhance the existing security infrastructure
• Preserve privacy and compliance while enabling comprehensive security
ELIMINATE THE ENCRYPTED TRAFFIC BLIND SPOT
• Automatically discover all SSL/TLS traffic, regardless of port or application
  • Complex scripting not required
  • Faster ‘time-to-productivity’
  • Expose potential hidden threats*
• High-performance inspection
  • 4 Gbps SSL throughput
  • 40 Gbps overall throughput
  • 400K connections / second (CPS)
  • Software and hardware acceleration
  • Support for multiple network segments simultaneously
* TCP ports used by the Dyre Trojan for hidden Command & Control – Blue Coat Labs
ASSURE THE HIGHEST LEVEL OF ENCRYPTED SECURITY
• Support for the latest cryptographic standards
  • Timely and complete coverage: 70+ cipher suites and key exchanges supported
  • e.g. AES-GCM, ChaCha, Camellia
• Maintain security posture
  • Do not modify the existing infrastructure security posture
  • No “downgrading” of cryptography – utilize what’s established
  • No “replay vulnerable” RSA forced for key exchange
• Ensure compliance
  • No exposure or vulnerability of decrypted data
COST-EFFECTIVELY ENHANCE THE EXISTING SECURITY INFRASTRUCTURE
• Efficient, ‘Decrypt Once – Feed Many’ design for active and passive security devices
• Avoid increased hardware capacity costs
• Ensure data integrity and active device response/verification
• Deliver a more comprehensive threat defense system
[Diagram: SSL Visibility Appliance with Certificate & Key Management and the Global Intelligence Network feeding NGFW, Security Analytics, Anti-Malware, IDS / IPS and DLP]
PRESERVE PRIVACY AND COMPLIANCE WHILE ENABLING SECURITY
Selective Decryption enables ‘Blacklist’ and ‘Whitelist’ Policies
• Policy based on Lists, IP, Port, Domain, Cipher Suites, Certificates, DiffServ, Web Categories
• Host Categorization Service
• Easily customizable per regional and organizational needs
Policy Examples
• Block or decrypt traffic from suspicious sites and known malnets
• Bypass / Do not decrypt financial and banking-related traffic
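Added example, not Blue Coat code and not the appliance's own policy language: a first-match policy evaluator in Python over the attribute kinds the slide lists (category, domain, port, cipher suite, certificate), carrying the two policy examples above. The Flow and Rule types, the category labels and the rule contents are constructed assumptions; the point it shows is that rule order decides whether a privacy bypass can re-open the blind spot.

```python
# Added example, not Blue Coat's code: a first-match selective-decryption policy
# evaluator over the attribute kinds the slide lists (category, domain, port,
# cipher suite, certificate). All names and rule contents are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Flow:
    server_name: str          # SNI / domain from the ClientHello
    dst_port: int
    category: str             # label from a host categorization service (assumed)
    cipher_suite: str         # IANA-style suite name
    cert_valid: bool = True   # server certificate chains to a trusted root

@dataclass
class Rule:
    action: str               # "decrypt" | "bypass" | "block"
    categories: set = field(default_factory=set)
    domains: set = field(default_factory=set)   # exact or parent-domain match
    ports: set = field(default_factory=set)
    cipher_prefixes: tuple = ()
    cert_valid: Optional[bool] = None           # None = don't care

    def matches(self, f: Flow) -> bool:
        """Every populated attribute must match (AND); empty ones are wildcards."""
        domain_ok = not self.domains or any(
            f.server_name == d or f.server_name.endswith("." + d) for d in self.domains)
        return (domain_ok
                and (not self.categories or f.category in self.categories)
                and (not self.ports or f.dst_port in self.ports)
                and (not self.cipher_prefixes or f.cipher_suite.startswith(self.cipher_prefixes))
                and (self.cert_valid is None or f.cert_valid == self.cert_valid))

# Order matters: threat rules first, privacy bypasses second, default last. A bypass
# placed above the malnet rule would re-open the blind spot for any malnet host
# that also carries a "banking" category.
POLICY = [
    Rule("block", categories={"malnet"}),                               # known-bad hosts
    Rule("block", cipher_prefixes=("TLS_NULL_", "TLS_RSA_WITH_RC4_")),  # weak suites
    Rule("decrypt", categories={"suspicious"}),                         # inspect, don't trust
    Rule("decrypt", cert_valid=False),                                  # untrusted cert: inspect
    Rule("bypass", categories={"financial", "banking"}),                # privacy: never decrypt
    Rule("bypass", domains={"hr-portal.example.com"}, ports={443}),     # constructed whitelist
]

def evaluate(flow: Flow, policy=POLICY) -> str:  # first match wins; default is decrypt
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "decrypt"
```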
SSL VISIBILITY APPLIANCE FAMILY

Function                                 SV800-250M   SV800-500M   SV1800     SV2800             SV3800
Total Packet Processing                  8 Gbps       8 Gbps       8 Gbps     20 Gbps            40 Gbps
SSL Visibility Throughput                250 Mbps     500 Mbps     1.5 Gbps   2.5 Gbps           4 Gbps
Concurrent SSL Flow States               20,000       20,000       100,000    200,000            400,000
New Full Handshake SSL Sessions (CPS), i.e. setups / tear-downs:
  1024-bit keys                          1,000        2,000        7,500      10,500             12,500
  2048-bit keys                          1,000        2,000        3,000      3,000              6,000
Configurations                           Fixed        Fixed        Fixed      Modular, 3 slots   Modular, 7 slots

Input / Output
• SV800-250M, SV800-500M: 8x 10/100/1000 Copper (fixed)
• SV1800: 8x 10/100/1000 Copper or Fiber (fixed)
• SV2800, SV3800: 2x10G Fiber, 4x1G Copper, 4x1G Fiber Network Mods
Resiliency: Fail-to-Wire (FTW) / Fail-to-Appliance (FTA) on all models
Network Modules / Net Mods (USD)
• 4 port copper 1G: NTMD-SV-4x1G-C – $2,000
• 4 port fiber 1G: NTMD-SV-4x1G-F – $4,000
• 2 port fiber 10G SR: NTMD-SV-2x10G-SR – $5,000
• 2 port fiber 10G LR: NTMD-SV-2x10G-LR – $7,000
SSL VISIBILITY APPLIANCE COMMON USE CASE
1. Identify all inbound and outbound SSL / TLS traffic
2. Utilize the Global Intelligence Network
3. Establish category-based policies to selectively decrypt SSL traffic and maintain compliance
4. Feed existing security solutions to expose potential threats
   • Avoid high capacity upgrade costs
   • Extend security infrastructure investment
   • Assures data integrity of traffic – auditable “loopback”
[Diagram: Client and Corporate Servers behind a Gateway / Firewall; the SSL Visibility Appliance sits between them and the Internet Server, consults the Global Intelligence Network, and feeds decrypted traffic to NG IPS, Sandbox and Security Analytics; steps ❶ to ❹ are marked; legend: encrypted traffic / decrypted traffic]
TOPOLOGY
[Diagram, two panels. Inbound SSL Inspection: Internet, Firewall, SSL Visibility Appliance, Client Assets (Servers). Outbound SSL Inspection: Client, Firewall, SSL Visibility Appliance, Internet. In both panels the appliance feeds IDS, IPS / Malware, Security Analytics Platform and other tools, consults the Global Intelligence Network, and relays TCP RESET from active tools. Last Updated: July 31.2014]
ENCRYPTED TRAFFIC MANAGEMENT PARTNER INTEGRATION
[Diagram: SSL Visibility Appliances with Certified Partners and Additional Proven, Compatible Solutions in the categories HSM, Key Mgmt, DLP, NGFW / IPS, APM / NPM, Sandbox, Forensics]
SSL VISIBILITY APPLIANCE DEPLOYMENT MODELS
Model is per-segment (not per-appliance)
• Passive-Tap
  • Inbound only
• Passive-Inline
  • Inbound and Outbound
  • Max 2 passive tools
• Active-Inline
  • Inbound and Outbound
  • Active tool(s)
  • Max 2 passive tools
RESILIENCY
SSL-VA redundancy is handled with a LAG group on switches on either side of the device or via a fiber bypass switch
Appliance Redundancy: [Diagram: Fiber Bypass Switch, Security Device]
Security Device Behavior in SSLV Failure
• “Fail-to-Wire” bypasses the Security Device on failure
• “Fail-to-Appliance” bypasses the SSL-VA and continues to send traffic to the security device
To handle failed links for devices attached to or from an SSLV, different configurations are possible
KEY MANAGEMENT OUTBOUND
Support for Hardware Security Module (HSM)
• 3rd party devices that securely store cryptographic keys and certificates
  • SafeNet Luna SP supported
• Used for certificate re-sign when inspecting outbound SSL traffic
• Appropriate for large or complex network security environments
  • Financial Services, Banking, Manufacturing
• V3.8 s/w supports all SSL Visibility Appliance models
[Diagram: SafeNet Luna SP HSM (secure storage and management of certs & keys) connected to the SSL Visibility Appliance over mutually authenticated HTTPS; outbound traffic to the Internet]
KEY MANAGEMENT INBOUND
• Security policy is set within Venafi TrustAuthority, including key length, encryption algorithm, and expiration date.
• Venafi TrustForce securely delivers a digital certificate and encryption key to the SSL Server.
• The Venafi Platform ensures encryption keys and digital certificates stored in the SSL Visibility Appliance are current, valid, and conform to applicable security policy.
• Any changes in keys and certificates are automatically updated by Venafi TrustForce in the SSL Visibility appliance.
RAMIFICATIONS OF SSL / TLS GROWTH
• Ignoring encrypted traffic
  • Increases data security and governance risk
    • Inbound infestation
    • Outbound data exfiltration
• Inspecting encrypted traffic
  • Invokes regulatory compliance
    • Numerous regulations per industry
  • Adds complexity and CapEx / OpEx costs
  • Decreases ROI of the infrastructure
ENCRYPTED TRAFFIC MANAGEMENT: A SECURITY NECESSITY
• Advanced threats increasingly use encryption to hide
• Most existing security solutions are “blind” to SSL
• Blue Coat Encrypted Traffic Management solutions
  • Eliminate the encrypted traffic blind spot
  • Assure high security encryption
  • Cost-effectively enhance the existing security infrastructure
  • Preserve privacy and compliance while enabling comprehensive security
ENCRYPTED TRAFFIC MANAGEMENT: FOR MORE INFORMATION
• Understanding the Impact of SSL/TLS Encryption and Mitigation Options
  • Blue Coat “The Visibility Void”
  • Gartner report “Security Leaders Must Address Threats from Rising SSL Traffic”
  • SANS white paper “Finding Hidden Threats by Decrypting SSL”
  • ETM for Dummies book
• Balancing Data Privacy with Security
  • Securosis white paper “Security and Privacy on the Encrypted Network”
• SSL/TLS Performance Analyses
  • NSS Labs report “SSL Performance Problems”
www.bluecoat.com/uncoverssl