
Addressing Encryption with TLS Inspection: 5 Key Areas to Look Out For

Image Credit: Spirent

The Fast Mode spoke to Sashi Jeyaretnam, Sr. Director, Product Management for Spirent Security Solutions on new encryption technologies and their impact on today's networks. Sashi joins us in a series of discussions with leading vendors in the traffic management, service assurance, traffic monitoring, analytics, policy control and network security space, assessing various attributes of encryption, its benefits as well as the challenges it poses, specifically loss of visibility that makes networking increasingly complex.

Tara: How does encryption affect network security?

Sashi: Encryption is a standard attribute of any digital service driven by the need to ensure data privacy and integrity during transmission, as well as to verify the identity of the communicating entities through authentication. It's clear strong encryption is critical to protecting sensitive business and personal data, and this is achieved with the use of transport layer security (TLS) - the commonly accepted standard for securing data in transit. Google estimates that nearly 95% of its internet traffic uses encryption, and most industry experts conclude that between 80-90% of network traffic is encrypted today.

As organizations increasingly adopt TLS encryption to protect themselves and their users, it also limits the organization’s visibility of what’s traversing the network, which is being exploited by cybercriminals to launch their attack campaigns in stealth and cover up their tracks. This leads to the need for TLS inspection as the only option to overcome the issues of detecting the presence of bad actors, preventing the injection of malicious content into assets, blocking unintended or intended data leakage of sensitive information, and ensuring users and applications adhere to corporate policies.

However, for many organizations enabling TLS inspection is not that trivial, as it has a huge impact on performance, which introduces latency and will slow down the data transit, impacting the user and application quality of experience (QoE). Also, with the advent of TLS 1.3, the use of HTTP/2/3, which mandates TLS, and DNS over HTTPS (DoH), many of the passive inspection solutions will no longer be effective.

To enable active TLS inspection, organizations can either use a dedicated inline decryption solution that will decrypt network traffic once and inspect it many times to scale your security across FW, IPS, and DLP solutions, or opt for an all-in-one solution and enable TLS inspection on the NGFWs in their network.

Tara: What are some of the ways enterprises can address visibility issues related to encryption?

Sashi: Given the rise of encryption for both legitimate and malicious network traffic, TLS inspection must be a key part of an enterprise security strategy. However, TLS inspection is computationally intensive and thus has a considerable impact on network performance and end-user experience.

There are many security vendors who offer TLS inspection solutions; however, enterprise security leaders need to be mindful of the following factors as they look to right-size their TLS inspection investments for their growing network needs.

Performance - The performance of network infrastructure elements and content-aware solutions is impacted by a number of factors, such as the TLS protocol versions, ciphers and key sizes utilized, and also the application traffic mix and average transaction sizes. Therefore, it is critical to assess the performance (throughput, sessions/connections per second and concurrent sessions) of TLS inspection infrastructure with the configuration options that an organization is planning to deploy. Organizations should also characterize, via testing, the latency and delay in the network for handling encrypted application transactions, to understand the impact on user experience. This measured approach will ensure that organizations can right-size their TLS infrastructure and maintain business continuity and user experience.

Scalability - It is expected that organizations typically will see anywhere from 25-50% organic annual growth in internet traffic. Regardless of whether a traditional hardware-based or cloud-enabled TLS security solution is chosen, you need to ensure the TLS inspection solution can easily scale with your business growth without a dramatic performance degradation.

Policy impact - TLS inspection involves decrypting, inspecting, and re-encrypting traffic as it passes through the TLS inspection solution. Once decrypted, security and application policies will be applied to traffic in transit. When assessing the performance, it is highly recommended to use a mix of application and malicious traffic so that you can validate the effectiveness of the policies in taking the correct actions, as well as model the impact of policies on the overall latency and performance.

Privacy controls - Also, with decryption, organizations need to be careful they are still compliant with their organization’s, industry’s, and country’s legal requirements around personal privacy. Therefore, TLS inspection solutions need to be able to waive inspection for specific banking or health care sites but intercept others; that level of granular control will be important for enterprise-wide coverage.

Robust / resilient - TLS interception requires a certain level of trust in the robustness and security of the “man in the middle” solution between client and destination. To establish that trust, organizations need to validate the security efficacy and compliance (FIPS and FedRAMP) of the supporting PKI (public key infrastructure) platform that would be issuing the certificates, and check certificate strengths, supported cipher suites, key length, secure key storage and certificate lifecycle management.

This interview is a part of The Fast Mode's Real-time Visibility for Encrypted Traffic segment, featuring 34 leading IP networking solution providers and their views on the impact of encryption on traffic visibility. A research report on this topic will be published in February 2023.

Author

Sashi Jeyaretnam is the Senior Director of Product Management for Spirent, where she leads the Security Solutions group. With over 20 years of experience in networking and cybersecurity technologies, she has been instrumental in driving and introducing market-leading application performance and cybersecurity test solutions for on-premise, cloud and hybrid networks. Sashi regularly speaks at security events and webinars on the importance of taking a proactive and measured approach in mitigating cybersecurity risks. Prior to Spirent, Sashi led Product Management at Keysight Technologies.
