This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.
While encryption can keep your network traffic safe from hackers and cybercriminals, it can also prevent your security and monitoring tools from seeing inside the packets crossing your network. Knowing that many organizations pass encrypted traffic into their networks without full inspection, the bad guys use encryption to hide malware and launch attacks, effectively hijacking your network. To keep defenses strong while limiting the risk of security breaches and data loss, you need to decrypt, examine, and re-encrypt all network traffic.
The burden of decryption
Devices for decryption must be powerful. Encryption algorithms are becoming longer and more complex to withstand hacking. A test done by NSS Labs several years ago found that moving from 1024- to 2048-bit ciphers caused an average performance drop of 81 percent on eight leading firewalls. However, SSL decryption does not need to be performed on a firewall. New strategies are available to offload decryption and send plain text to tools, enabling them to work efficiently and process more traffic. Here are four strategies to make decryption easier, faster, and cost-effective.
Strategy 1: Remove malicious traffic before decrypting
Many IP addresses used in cyberattacks are reused and known in the security community. Dedicated organizations track and verify known cyber threats on a daily basis, maintaining this information in an intelligence database. By comparing incoming and outgoing packets against this database, you can identify malicious traffic and block it from your network. Because the comparison is made with packet headers in plain text format, this strategy eliminates the need to decrypt the packets. Eliminating traffic associated with known attackers reduces the number of packets to decrypt. And, eliminating traffic that would otherwise generate a security alert helps security teams improve productivity.
The fastest way to deploy this strategy is to install a special-purpose hardware appliance called a threat intelligence gateway in front of a firewall. This appliance is designed for fast, high-volume blocking, including untrusted countries, and is updated continuously by an integrated threat intelligence feed. Once the gateway is installed, no further manual intervention is required, and no filters need to be created or maintained. Malicious traffic can be either dropped immediately or sent to a sandbox for further analysis. Depending on your industry and how often you are targeted, you could see up to an 80 percent reduction in security alerts.
Alternatively, you can configure custom filters on your firewall to block specified IP addresses. Unfortunately, firewall filters must be manually configured and maintained, and there is a limit to how many filters can be created. The explosion of connected devices and compromised IP addresses outstrips the capabilities of firewalls. Plus, using the processing cycles on an advanced device like a firewall to make simple comparisons is not a cost-efficient way to block traffic.
Sign up for Computerworld eNewsletters.