Strategy 2: Look for advanced decryption capabilities
Once the encrypted packets traveling from or to malicious sources is removed, a decryption device is needed to process the rest. Many security tools, such as next generation firewalls (NGFW) or intrusion prevention systems (IPS), include an SSL decryption feature. However, a paper issued by NSS Labs warned that some tools may not have the latest ciphers, may miss SSL communications that occur on non-standard ports, may be unable to decrypt at advertised throughput, and may even fast-path some connections without performing decryption at all.
Cryptography relies on advances to stay one step ahead of the bad guys. Security solutions need to support the latest encryption standards, have access to a wide variety of ciphers and algorithms, and have the power to decrypt traffic using the larger 2048- and 4096-bit keys as well as newer Elliptic Curve keys. As security technology grows in complexity, solutions must be able to process decryption efficiently and cost-effectively-without dropping packets, introducing errors, or failing to complete a full inspection.
As the volume of SSL traffic increases, the quality of a decryption solution is more important to achieving total network visibility. In addition, Defense in Depth is a widely regarded best practice, which often involves multiple best-of-breed security devices (such as a separate firewall and IPS). It is very inefficient for each of these devices to decrypt and re-encrypt traffic separately, which both increases latency and reduces policy effectiveness and end-to-end visibility.
Strategy 3: Choose tools with operational simplicity
Another key feature is the ease with which administrators can create and manage policies related to decryption. This is important in industries that must comply with the mandates of Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI DSS), Sarbanes- Oxley Act (SOX), and other standards. The best solutions provide a drag-and-drop interface for creating filters and the ability to selectively forward or mask information based on pattern recognition (such as social security numbers). They also make it easy to keep a complete record of each SSL cipher used and all exceptions related to dropped sessions, SSL failures, invalid certifications, and sessions not decrypted for policy reasons. These detailed logs are valuable for audits, forensics, and network troubleshooting and capacity planning.
Strategy 4: Plan for cost-effective scalability
As the volume of encrypted traffic increases, decryption will have a greater impact on the performance of your security infrastructure. It pays to plan ahead. While it may seem logical to simply "turn on" the SSL decryption feature in a firewall or unified threat management (UTM) solution, decryption is a process-intensive function. As SSL traffic increases and more cycles are required for decryption, performance will begin to suffer, and tools may begin to drop packets.
Sign up for Computerworld eNewsletters.