
FULL TRANSPARENCY THROUGH ENCRYPTED TRAFFIC MANAGEMENT

PATRICK K. KUTTRUFF CISM CYBERDEFENSE STRATEGIST DACH/EE

Copyright © 2015 Blue Coat Systems Inc. All Rights Reserved. 3

THE CHALLENGE

• In books about firewalls and perimeter security, high walls and gates were used for illustration

• Our networks are much more complex now

• The attacker needs to trick us, the users, to get into our network (many more entry points)

• The attacker can choose the weapon and can try as often as he likes. We have to detect him every time!


SSL/TLS TRAFFIC IS PERVASIVE AND INTRODUCES RISK

[Chart (source: Gartner): years 2013, 2015, 2017; values 35%, 50%, 73%; caption: "… of all malware will use SSL by 2017*"]

• SSL is estimated at 35 - 50% of network traffic and growing 20% annually*

  • >70% in some industries (e.g. healthcare)

• Advanced Persistent Threats (APTs) increasingly use SSL as a transport

  • C&C traffic over SSL is the new normal (sslbl.abuse.ch)

  • SANS Analyst Whitepaper, Nov. 2013: “Beating the IPS”

*Source: Gartner


A LOOK INTO THE FUTURE

• 30.3.2012 (heise.de): “Google turns on SSL for searches worldwide”

• 9.11.2014 (heise.de): “BND wants to eavesdrop on SSL-protected connections”

• 15.11.2014 (heise.de): “At the 91st IETF meeting, the Internet Architecture Board called for data transfers on the Internet to be encrypted as a matter of principle.”

• 19.11.2014 (golem.de): “Let’s Encrypt. A new non-profit certificate authority is intended to promote the spread of HTTPS connections. Besides Mozilla and the EFF, large companies such as Akamai and Cisco are involved.”

• 2.5.2015 (heise.de): “Mozilla wants to retire HTTP”


SECURITY INDUSTRY CONFIRMATION

“Less than 20% of organizations with a firewall, an intrusion prevention system (IPS) or a unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic.”

https://salesportal.bluecoat.com/#workspaces/UG9ydGFs/directories/05850000000CsmTAAS/files/06850000001W8mMAAS

SSL Inspection is a Security Best Practice: “Implement a Secure Sockets Layer (SSL) inspection capability to inspect both ingress and egress encrypted network traffic for potential malicious activity.”

— Alert TA14-353A: Targeted Destructive Malware (Dec 2014)

https://www.us-cert.gov/ncas/alerts/TA14-353A


PRIVACY AND COMPLIANCE ISSUES STALL DECRYPTION PROJECTS

DATA PRIVACY CONCERNS and the RISK OF ADVANCED THREATS LEAD TO REQUIREMENTS:

1) Manage what type of information is decrypted

2) Assure custody and integrity of encrypted data


EXISTING SECURITY INFRASTRUCTURE IS INSUFFICIENT

[Diagram of the existing tool set: Intrusion Prevention, Next Gen Firewall, DLP, Anti-Malware, Network Forensics]

• Most security solutions are “blind” to SSL

  • DLP, IDS, Sandbox & Network Forensics

• “Tool by tool” SSL decryption doesn’t work

  • Costly upgrades: NGFW and IPS solutions suffer up to 80% performance degradation*

  • Port gnostic

  • Numerous, evolving cryptographic suites

  • Certificate and key management complexities

  • Additional complexity – arduous scripting

*Sources: NSS Labs, Gartner


STRATEGIES

Three Apes

• Ignoring the problem

• Reasons like acceptable use policy, legal concerns

• Accepting the risk created by the SSL blind spot

• CISO is responsible

Million Dollar Man

• Solving the problem with money

• Buying NGFW, IPS … (and LBs) as needed to intercept SSL

• Configuring and maintaining SSL interception on each device

• Hiring new admins

Encrypted Traffic Management (ETM) with one Solution

• Intercept SSL traffic once and feed many appliances

• Leverage the existing security devices

• Avoid administrative overhead

• Respect the privacy of users


EFFECTIVE DECRYPTION STRATEGY REQUIRES A PURPOSE BUILT INFRASTRUCTURE

Eliminate the SSL “Blind Spot”

• Automatic and complete SSL / TLS discovery:

  • Any port – any application

  • No complex scripting

Assure High Security Encryption

• Timely and complete standards support:

  • 70+ cipher suites and key exchanges

  • No “downgrading” of cryptography levels

Preserve Data Privacy and Compliance

• Selective decryption based on policy

  • Utilizing the Global Intelligence Network (GIN)

• Ensure data integrity and auditing

  • No modification of decrypted traffic, with “loopback” verification and logging

Cost Effectively Enhance the Existing Security Infrastructure

• Decrypt, re-encrypt, inbound and outbound traffic in a single appliance

• Feed active and passive devices simultaneously

  • 2x – 3x h/w capacity upgrade avoidance – lowering CapEx

ENCRYPTED TRAFFIC MANAGEMENT (ETM) WITH SSL-VA


ENCRYPTED TRAFFIC MANAGEMENT: A SECURE, DEDICATED SOLUTION

• Eliminate the encrypted traffic blind spot

• Assure high security encryption

• Cost-effectively enhance the existing security infrastructure

• Preserve privacy and compliance while enabling comprehensive security


ELIMINATE THE ENCRYPTED TRAFFIC BLIND SPOT

• Automatically discover all SSL/TLS traffic, regardless of port or application

  • Complex scripting not required

  • Faster ‘time-to-productivity’

  • Expose potential hidden threats*

• High-performance inspection

  • 4 Gbps SSL throughput

  • 40 Gbps overall throughput

  • 400K connections / second (CPS)

  • Software and hardware acceleration

  • Support for multiple network segments simultaneously

* TCP ports used by the Dyre Trojan for hidden Command & Control – Blue Coat Labs


ASSURE THE HIGHEST LEVEL OF ENCRYPTED SECURITY

• Support for the latest cryptographic standards

  • Timely and complete coverage: 70+ cipher suites and key exchanges supported

  • e.g. AES-GCM, ChaCha, Camellia

• Maintain security posture

  • Do not modify the existing infrastructure security posture

  • No “downgrading” of cryptography – utilize what’s established

  • No “replay vulnerable” RSA forced for key exchange

• Ensure compliance

  • No exposure or vulnerability of decrypted data


COST-EFFECTIVELY ENHANCE THE EXISTING SECURITY INFRASTRUCTURE

• Efficient, ‘Decrypt Once – Feed Many’ design for active and passive security devices

• Avoid increased hardware capacity costs

• Ensure data integrity and active device response/verification

• Deliver a more comprehensive threat defense system

[Diagram of devices fed by the appliance: NGFW, Security Analytics, Anti-Malware, IDS / IPS, DLP; supporting services: Certificate & Key Management, Global Intelligence Network]


PRESERVE PRIVACY AND COMPLIANCE WHILE ENABLING SECURITY

Selective Decryption enables ‘Blacklist’ and ‘Whitelist’ Policies

• Policy based on Lists, IP, Port, Domain, Cipher Suites, Certificates, DiffServ, Web Categories

• Host Categorization Service

  • Easily customizable per regional and organizational needs

Policy Examples

• Block or decrypt traffic from suspicious sites and known malnets

• Bypass / Do not decrypt financial and banking-related traffic
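Added example, not code from the slides or from Blue Coat's product: it recognises a TLS ClientHello from its bytes alone (so a flow on any TCP port qualifies, as the “any port – any application” bullet describes), extracts the SNI, and applies an ordered bypass/block/decrypt rule table in the blacklist/whitelist style of the policy examples above. The category lookup, rule table and domain names are constructed stand-ins for the Host Categorization Service, and the ClientHello builder only produces test input.

```python
import fnmatch
import struct

def parse_client_hello(data):
    """Return (sni, cipher_suites) if `data` is a TLS record carrying a ClientHello, else None."""
    try:                                                   # any IndexError/struct.error means malformed
        if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
            return None                                    # not a handshake record holding a ClientHello
        body = data[9:9 + int.from_bytes(data[6:9], "big")]
        pos, sni = 35 + body[34], None                     # skip version(2), random(32), session id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        suites = list(struct.unpack("!%dH" % (cs_len // 2), body[pos + 2:pos + 2 + cs_len]))
        pos += 2 + cs_len
        pos += 1 + body[pos]                               # skip compression methods
        if pos + 2 <= len(body):                           # extensions block is optional
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if etype == 0:                             # server_name: list_len(2) type(1) len(2) name
                    nlen = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                    sni = body[pos + 5:pos + 5 + nlen].decode("ascii")
                pos += elen
        return sni, suites
    except (IndexError, struct.error):
        return None                                        # truncated or malformed record

# Constructed category lookup (stand-in for a host categorization service) and ordered rule table; first match wins.
CATEGORY = {"bank.example": "financial", "c2.example": "malnet", "odd.example": "suspicious"}
RULES = [("category", "financial", "bypass"), ("category", "malnet", "block"),
         ("category", "suspicious", "decrypt"), ("domain", "*.corp.example", "bypass")]

def decide(sni):
    """Policy action for a flow: 'decrypt', 'bypass' or 'block'."""
    cat = CATEGORY.get(sni, "uncategorized")
    for field, pattern, action in RULES:
        hit = cat == pattern if field == "category" else (sni and fnmatch.fnmatchcase(sni, pattern))
        if hit:
            return action
    return "decrypt"                                       # default: inspect uncategorized traffic

def build_client_hello(sni, suites=(0xC02F, 0x009C)):
    """Constructed minimal TLS 1.2 ClientHello carrying a server_name extension (test input)."""
    name = sni.encode("ascii")
    sni_ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(suites)) + b"".join(
        struct.pack("!H", s) for s in suites) + b"\x01\x00" + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A flow whose first client bytes do not parse as a ClientHello is simply not TLS and is passed to the normal (non-SSL) policy; a truncated or malformed record is treated the same way rather than guessed at.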


SSL VISIBILITY APPLIANCE FAMILY

Function | SV800-250M | SV800-500M | SV1800 | SV2800 | SV3800

Total Packet Processing | 8 Gbps | 8 Gbps | 8 Gbps | 20 Gbps | 40 Gbps

SSL Visibility Throughput | 250 Mbps | 500 Mbps | 1.5 Gbps | 2.5 Gbps | 4 Gbps

Concurrent SSL Flow States (CPS) | 20,000 | 20,000 | 100,000 | 200,000 | 400,000

New Full Handshake SSL sessions (CPS) (i.e. setups / tear-downs), 1024-bit keys | 1,000 | 2,000 | 7,500 | 10,500 | 12,500

New Full Handshake SSL sessions (CPS) (i.e. setups / tear-downs), 2048-bit keys | 1,000 | 2,000 | 3,000 | 3,000 | 6,000

Configurations | Fixed | Fixed | Fixed | Modular, 3 slots | Modular, 7 slots

Input / Output | 8x 10/100/1000 Copper (fixed) | 8x 10/100/1000 Copper (fixed) | 8x 10/100/1000 Copper or Fiber (fixed) | 2x10G Fiber, 4x1G Copper, 4x1G Fiber Network Mods | 2x10G Fiber, 4x1G Copper, 4x1G Fiber Network Mods

Resiliency | Fail-to-Wire (FTW) / Fail-to-Appliance (FTA) | FTW / FTA | FTW / FTA | FTW / FTA | FTW / FTA

Network Modules / Net Mods (USD):

• 4 port copper 1G: NTMD-SV-4x1G-C - $2,000

• 4 port fiber 1G: NTMD-SV-4x1G-F - $4,000

• 2 port fiber 10G SR: NTMD-SV-2x10G-SR - $5,000

• 2 port fiber 10G LR: NTMD-SV-2x10G-LR - $7,000


SSL VISIBILITY APPLIANCE COMMON USE CASE

1. Identify all inbound and outbound SSL / TLS traffic

2. Utilize the Global Intelligence Network

3. Establish category-based policies to selectively decrypt SSL traffic and maintain compliance

4. Feed existing security solutions to expose potential threats

  • Avoid high capacity upgrade costs

  • Extend security infrastructure investment

  • Assures data integrity of traffic – auditable “loopback”

[Diagram labels: Client, Gateway / Firewall, SSL Visibility Appliance, Corporate Servers, Internet Server, Global Intelligence Network, NG IPS, Sandbox, Security Analytics; legend: encrypted traffic / decrypted traffic; step markers ❸ ❹]


TOPOLOGY

[Diagram (last updated July 31, 2014) with two segments. Inbound SSL inspection: Internet, Firewall, SSL Visibility Appliance, Client Assets (Servers), with IDS, IPS / Malware, Security Analytics Platform and other tools attached. Outbound SSL inspection: Client, SSL Visibility Appliance, Firewall, Internet, with the same tool set. Both appliances connect to the Global Intelligence Network; a “TCP RESET” label appears on the diagram.]


ENCRYPTED TRAFFIC MANAGEMENT PARTNER INTEGRATION

Certified Partners: HSM, Key Mgmt, DLP, NGFW / IPS, APM / NPM, Sandbox, Forensics

Additional Proven, Compatible Solutions

SSL VISIBILITY APPLIANCES: DEPLOYMENT AND RESILIENCY


SSL VISIBILITY APPLIANCE DEPLOYMENT MODELS

Model is per-segment (not per-appliance)

• Passive-Tap

  • Inbound only

• Passive-Inline

  • Inbound and Outbound

  • Max 2 passive tools

• Active-Inline

  • Inbound and Outbound

  • Active tool(s)

  • Max 2 passive tools

[Diagram: Active-Inline, Passive-Tap and Passive-Inline wiring]


RESILIENCY

SSL-VA redundancy is handled with a LAG group on switches on either side of the device or via a fiber bypass switch.

Security Device Behavior in SSLV Failure

• “Fail-to-Wire” bypasses the Security Device on failure

• “Fail-to-Appliance” bypasses the SSL-VA and continues to send traffic to the Security Device

To handle failed links for devices attached to or from an SSLV, different configurations are possible.

[Diagram panels: Security Device, Fiber Bypass Switch, Appliance Redundancy]


KEY MANAGEMENT OUTBOUND

Support for Hardware Security Module (HSM)

• 3rd party devices that securely store cryptographic keys and certificates

  • SafeNet Luna SP supported

• Used for certificate re-sign when inspecting outbound SSL traffic

• Appropriate for large or complex network security environments

  • Financial Services, Banking, Manufacturing

• V3.8 s/w supports all SSL Visibility Appliance models

[Diagram labels: SafeNet Luna SP HSM (secure storage and management of certs & keys), SSL Visibility Appliance, Mutually Authenticated HTTPS, Outbound, Internet]


KEY MANAGEMENT INBOUND

• Security policy is set within Venafi TrustAuthority, including key length, encryption algorithm, and expiration date.

• Venafi TrustForce securely delivers a digital certificate and encryption key to the SSL Server.

• The Venafi Platform ensures encryption keys and digital certificates stored in the SSL Visibility Appliance are current, valid, and conform to applicable security policy.

• Any changes in keys and certificates are automatically updated by Venafi TrustForce in the SSL Visibility Appliance.

ETM IN SUMMARY


RAMIFICATIONS OF SSL / TLS GROWTH

• Ignoring encrypted traffic

  • Increases data security and governance risk

  • Inbound infestation

  • Outbound data exfiltration

• Inspecting encrypted traffic

  • Invokes regulatory compliance

  • Numerous regulations per industry

  • Adds complexity and CapEx / OpEx costs

  • Decreases ROI of the infrastructure


ENCRYPTED TRAFFIC MANAGEMENT: A SECURITY NECESSITY

• Advanced threats increasingly use encryption to hide

• Most existing security solutions are “blind” to SSL

• Blue Coat Encrypted Traffic Management solutions

  • Eliminate the encrypted traffic blind spot

  • Assure high security encryption

  • Cost-effectively enhance the existing security infrastructure

  • Preserve privacy and compliance while enabling comprehensive security


ENCRYPTED TRAFFIC MANAGEMENT: FOR MORE INFORMATION

• Understanding the Impact of SSL/TLS Encryption and Mitigation Options

  • Blue Coat “The Visibility Void”

  • Gartner report “Security Leaders Must Address Threats from Rising SSL Traffic”

  • SANS white paper “Finding Hidden Threats by Decrypting SSL”

  • ETM for Dummies book

• Balancing Data Privacy with Security

  • Securosis white paper “Security and Privacy on the Encrypted Network”

• SSL/TLS Performance Analyses

  • NSS Labs report “SSL Performance Problems”

www.bluecoat.com/uncoverssl

GOT SSL? WWW.BLUECOAT.COM/UNCOVERSSL