Security Empowers Business

SOLUTION BRIEF

The use of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption for Internet and enterprise traffic is growing steadily. Modern applications that use SSL communications by default – such as SharePoint, Exchange, WebEx, Salesforce.com and Google Apps – are commonplace and rapidly growing. Even hosted and mobile email applications such as Gmail, Yahoo and Zimbra utilize SSL encryption by default in today’s workplace environments.

It’s clear that enterprises now need complete visibility into the encrypted SSL-based traffic running in their organizations. An encrypted traffic management strategy that considers the various business needs, the corporate policies established and the regulatory compliance mandates for its industry is essential for all enterprises. Blue Coat has solutions today to manage this growing encrypted traffic dilemma.

The Impact and Risks Associated with SSL-based Encrypted Communications

For end users, SSL has long been a means to secure web-based transactions that enable e-commerce and online banking. Over time, the simplicity of SSL has made it the perfect vehicle for migrating new online services to web-based models, including applications for secure viewing of medical records, ordering prescriptions and filing tax returns.

Industry research indicates that over 50 percent of enterprise applications now use SSL and that many social networking and consumer applications such as Facebook and Gmail default to full-time use of SSL by their end users. The use of SSL in enterprise traffic and across the Internet has grown steadily, with a 52 percent CAGR in SSL-based WAN traffic. It’s clear that there are legitimate needs for encrypted data within, to, and from the enterprise. But as many IT managers are aware, its privacy benefits can be overshadowed by its risks.

While encrypting web sessions protects end-user data from being viewed in transit over the Internet, it creates a blind spot for IT administrators; they typically have no visibility into SSL-encrypted traffic. For that reason SSL has unfortunately become one of the most popular ways to mask malicious code, such as Trojan horses and viruses. Incoming and outgoing threats can hide in SSL to bypass security architectures and spread freely throughout and between organizations. Sadly, market research confirms this fact, indicating that over 80% of defense-in-depth security solutions do not recognize or prevent threats within encrypted traffic. This issue is becoming a “hot button” for security applications that tackle data loss prevention (DLP), compliance reporting and lawful decryption – solutions that could, at one time, see what was outgoing, but are suddenly in the dark because of the growth of SSL traffic.

This lack of visibility into SSL can make it difficult or impossible for network administrators to enforce acceptable corporate use policies and to ensure that threats like viruses, spam and malware are stopped before they reach individual users. The inability to examine the content of SSL communications also makes it possible for information to be accidentally leaked out of the enterprise – or worse, stolen. This was apparent in the highly-publicized and costly data exfiltration and security breaches at several global banks and retailers in the fall and winter of 2013.

Regulatory compliance requirements, including the identification of accidental or intentional leakage of confidential information, are also virtually impossible to meet because of SSL encryption. In many instances, enterprises face conflicting requirements to encrypt and examine data. In typical installations, these seemingly incompatible requirements cannot be met with acceptable performance. This SSL conundrum has wreaked havoc on organizations subject to industry and government compliance mandates, such as HIPAA and Sarbanes-Oxley (SOX), which require that only authorized individuals have access to hardware and software resources within the network infrastructure. Other compliance mandates require organizations with publicly accessible networks to be able to provide law enforcement agencies with documentation of network activity – which requires that all traffic be unencrypted.

MANAGING ENCRYPTED TRAFFIC WITH BLUE COAT SOLUTIONS

SSL Encrypted Traffic Management Options

Network operators already deploy an array of network and security appliances to protect their enterprises, enforce internal acceptable-use policies, and satisfy government regulations. These devices provide solutions for detecting rogue applications, controlling unrestricted web surfing, firewalling traffic, providing VPNs and network access control (NAC), intrusion detection (IDS), intrusion prevention (IPS), unified threat management (UTM), regulatory compliance, virus protection, spam control, and other security measures. These appliances work almost entirely by providing deep packet inspection and flow analysis, looking for known patterns of mischievous activity and blocking or recording it. Unfortunately, these network and security appliances, in many instances, can only inspect plaintext traffic and are unable to inspect SSL-encrypted communications for attack signatures. They are therefore becoming less and less effective as the volume of encrypted SSL traffic continues to grow.

Network operators have had to choose between two extremes in confronting these issues. They can take a draconian approach by blocking SSL communications entirely, or allow SSL communications transparently, without inspection, by leaving TCP port 443 open within their security infrastructure. The former approach is impractical and risky due to the growing number of enterprise cloud and mobile applications that rely on encrypted communications like SSL. The latter approach is also insufficient as it greatly reduces the effectiveness of network security appliances to examine encrypted flows. Neither of these choices is a viable option for enterprise networks.

Other approaches provide limited inspection of SSL-encrypted flows, enabling the dropping of content that doesn’t meet acceptable-use policies or the logging of suspected attacks to a management station. Just as importantly, they identify and permit SSL in legitimate use cases. In many instances these methods are successful at examining encrypted SSL, but they typically suffer other major problems that limit their effectiveness.

Blue Coat Encrypted Traffic Management Solutions

Blue Coat can assist organizations in their quest for an appropriate encrypted traffic management strategy and supporting architecture. Blue Coat provides comprehensive, policy-based visibility into encrypted traffic through its SSL Visibility Appliance and ProxySG with Encrypted Tap solutions. Whether exposing previously hidden advanced persistent threats (APTs), or offloading the performance burden on existing security appliances and enabling them with visibility into formerly encrypted traffic, or simply protecting corporate data from loss and exfiltration, Blue Coat solutions can help organizations of all sizes with managing encrypted communications. The SSL Visibility Appliance provides scalability, high performance and multiple streams of decrypted content for use in IDS, IPS, next generation firewall (NGFW), compliance, logging, threat analysis and other measures across all network ports. For organizations considering the use of SSL proxy and inspection in their ProxySG deployment, the Encrypted Tap option offers complete visibility of encrypted web traffic for use in logging, forensics, and analysis.

Blue Coat SSL Visibility Appliance

The Blue Coat SSL Visibility Appliance

The SSL Visibility Appliance provides decrypted content of SSL flows to existing security appliances used for NGFW, IDS, IPS, forensics, compliance and DLP. This enables these supporting security appliances and applications with the necessary visibility into both SSL and non-SSL network traffic. Enterprises can easily add SSL inspection capabilities to their network security architectures immediately to close the security visibility loophole that SSL creates.

Features and Benefits

The unique capabilities of the SSL Visibility Appliance help organizations remove risks arising from lack of visibility into SSL traffic – while increasing the performance of security and network appliances. With market reports highlighting that merely enabling SSL decryption and encryption within these common security appliances results in a dramatic decrease in performance of up to 80%, simply enabling encrypted traffic management as an add-on feature is not sufficient. A complementary approach that maintains the performance of the installed network security infrastructure is needed – especially to extend the life and return on investment (ROI) of these appliances throughout the organization.

For more information on the technical aspects of SSL, download the Blue Coat SSL Technical Primer.

The SSL Visibility Appliance offers line-rate, high-performance throughput, and allows for non-SSL flows to be sent directly to the attached security appliances in less than 40 microseconds, minimizing delay for applications such as voice over IP (VoIP). The appliance is available in three performance-level models. The high-end system, the SV3800, supports decryption of up to 4 Gbps of SSL traffic in a WAN link of up to 40 Gbps (20 Gbps in each direction) for a variety of SSL versions and cipher suites.

The SSL Visibility Appliance can support the simultaneous analysis of up to 6,000,000 TCP flows for SSL content. It handles up to 400,000 concurrently active SSL sessions that are being inspected. The setup and teardown rate of up to 11,500 SSL sessions per second is more than 10 times higher than competitive solutions.

Deploying the SSL Visibility Appliance is transparent to end systems and to intermediate network elements. It doesn’t require network reconfiguration, IP addressing or topology changes, or modification to client and web browser configurations. The appliance can be deployed inline or through the use of SPAN/TAP or a mirror port to handle inbound and outbound SSL traffic. Deployments that provide decrypted data to active security appliances such as IPS and NGFW solutions enable policy and enforcement actions on SSL traffic. Likewise, deployments that feed passive security appliances such as IDS, malware analysis and Security Information and Event Management (SIEM) solutions are better suited for logging and reporting requirements.

The inspected content from the SSL Visibility Appliance is designed for application preservation. Decrypted plaintext is delivered to security appliances as a generated TCP stream that contains the packet headers as they were received. This allows applications and appliances used for IDS, IPS, NGFW, malware analysis, forensics, DLP, and other measures to expand their scope to SSL-encrypted traffic.

The SSL Visibility Appliance also supports input aggregation and output mirroring. Input aggregation allows aggregation of traffic from multiple network taps onto a single passive-tap segment for inspection. Output mirroring allows the appliance to feed traffic to one or two attached passive security appliances in addition to the primary active security appliance.

SSL Visibility Appliances are designed for high availability with integrated fail-to-open hardware and configurable link state monitoring and mirroring for guaranteed network availability and network security.

Lastly, the SSL Visibility Appliance allows organizations to establish, enforce and manage policies for encrypted traffic throughout their networked infrastructure. Using the Host Categorization subscription-based service, the SSL Visibility Appliance can block, permit and forward SSL encrypted traffic based on numerous, familiar policies, such as whether the traffic contains personal banking or healthcare data. This is accomplished in a similar manner as that used in the Blue Coat ProxySG, PacketShaper and other proven solutions, utilizing the comprehensive Global Intelligence Network for real-time threat updates and response across the globe.
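The block, permit and forward decision described above, driven by host category, together with the port-independent detection of SSL that the comparison table at the end of this brief lists, as an added example (not Blue Coat's code, and not how the appliance is implemented): a minimal TLS ClientHello parser pulls the SNI host name from the first bytes of any TCP stream, and a constructed category table (placeholder hostnames and categories, not real feed data) drives the policy.

```python
import struct
TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0

def parse_client_hello(data: bytes):
    """Return {'version': (major, minor), 'sni': host or None} when `data` (first bytes
    of a TCP stream, on whatever port) starts with a TLS ClientHello, otherwise None."""
    if len(data) < 9 or data[0] != TLS_HANDSHAKE or data[1] != 3:
        return None
    rec_len = struct.unpack('!H', data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], 'big')
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len or hs_len < 35:
        return None
    version = (hello[0], hello[1])
    pos = 34 + 1 + hello[34]                                 # client_version, random, session_id
    if pos + 2 > len(hello):
        return None
    pos += 2 + struct.unpack('!H', hello[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(hello):
        return None
    pos += 1 + hello[pos]                                    # compression_methods
    sni = None
    if pos + 2 <= len(hello):                                # extensions are optional
        end = min(pos + 2 + struct.unpack('!H', hello[pos:pos + 2])[0], len(hello))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack('!HH', hello[pos:pos + 4])
            ext = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == EXT_SERVER_NAME and len(ext) >= 5 and ext[2] == 0:
                name_len = struct.unpack('!H', ext[3:5])[0]  # list_len(2) type(1) len(2) name
                sni = ext[5:5 + name_len].decode('ascii', 'replace')
    return {'version': version, 'sni': sni}

# Constructed stand-in for a host categorization feed (placeholder names, not real data).
HOST_CATEGORIES = {
    'mail.example.com': 'webmail',
    'bank.example.com': 'financial',
    'clinic.example.com': 'healthcare',
    'c2.example.org': 'malware',
}
BYPASS_CATEGORIES = {'financial', 'healthcare'}   # permitted without decryption
BLOCK_CATEGORIES = {'malware'}                    # blocked outright

def classify(dst_port: int, payload: bytes) -> dict:
    """Apply the block / permit / inspect decision to one flow. The port is recorded
    but never consulted: TLS is recognised from the payload alone."""
    hello = parse_client_hello(payload)
    if hello is None:
        return {'port': dst_port, 'sni': None, 'category': None, 'action': 'not-tls'}
    sni = hello['sni']
    category = HOST_CATEGORIES.get(sni, 'uncategorized') if sni else 'no-sni'
    if category in BLOCK_CATEGORIES:
        action = 'block'
    elif category in BYPASS_CATEGORIES:
        action = 'permit'          # forward encrypted, no decrypted copy produced
    else:
        action = 'inspect'         # decrypt and forward a copy to the security appliances
    return {'port': dst_port, 'sni': sni, 'category': category, 'action': action}

def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying `host` as SNI (sample input)."""
    name = host.encode()
    sni_ext = struct.pack('!HBH', len(name) + 3, 0, len(name)) + name
    exts = struct.pack('!HH', EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    hello = (b'\x03\x03' + bytes(32) + b'\x00'           # version, random, empty session id
             + struct.pack('!H', 2) + b'\xc0\x2f'        # one cipher suite
             + b'\x01\x00'                               # null compression only
             + struct.pack('!H', len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, 'big') + hello
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack('!H', len(handshake)) + handshake

if __name__ == '__main__':
    for port, host in ((443, 'mail.example.com'), (8443, 'bank.example.com'), (443, 'c2.example.org')):
        print(classify(port, build_client_hello(host)))
    print(classify(443, b'GET / HTTP/1.1\r\n'))
```

The same ClientHello is classified identically on port 443 and on port 8443, which is the point of detecting SSL from the stream contents rather than from the port number.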

For those deployments where security certification is a requirement, Blue Coat’s SSL Visibility Appliances are in the process of receiving FIPS 140-2 Level 2 certification.

[Figure: SSL Visibility Appliance deployment. Encrypted traffic flows from Corporate Assets through the Secure Web Gateway and Firewall; on the internal side the certificate presented is CN: Gmail, CA: Secure Web Gateway Cert, while on the external side it is CN: Gmail, CA: Verisign. Decrypted traffic is delivered to the Security Solution (IDS/IPS, NGFW, Malware, Forensics, etc.) and to Anti-Virus, Content Analysis, DLP, etc.]

The ProxySG Appliance with Encrypted Tap

Blue Coat Encrypted Tap is an optional feature for ProxySG appliances that works with the SSL proxy to provide complete visibility into SSL traffic. Encrypted Tap sends a stream of decrypted traffic to third-party logging systems for analysis, archiving and forensics. By providing this SSL visibility and control, Blue Coat now offers a complete SSL web security solution with its ProxySG family of secure web gateway appliances.

Blue Coat ProxySG Appliance

Features and Benefits

SSL inspection and filtering are not new to the ProxySG. SSL Proxy has been an integral feature for well over six years. Through policy the ProxySG can selectively inspect attachments for malware and content for data leakage prevention. It also enables third-party integration of anti-malware and DLP offerings over ICAP (Internet Content Adaptation Protocol). SSL Proxy terminates and re-establishes SSL connections and allows the ProxySG to securely send attachments and content for inspection services. Encrypted Tap builds on the SSL Proxy and allows all or selected SSL-encrypted web traffic to be decrypted and its content streamed to a third-party system for additional analysis, archiving, and forensics.

Encrypted Tap is available for the SG600, SG900, SG9000, S400 and S500 series ProxySG appliances. These appliances already include SSL hardware assist and SSL licenses, and need only the additional Encrypted Tap license to deliver comprehensive SSL visibility.

The ProxySG with the SSL Proxy and Encrypted Tap options can stop rogue applications from using SSL to subvert enterprise controls and security measures, and can scan SSL-encrypted traffic to block viruses, worms, and Trojans at the gateway.

The solution can also help prevent spyware from installing or communicating over SSL; halt secured phishing and pharming attacks that use SSL to hide from IT controls or to increase the appearance of authenticity; and accelerate approved and safe SSL-encrypted traffic.

ProxySG also allows administrators to take a granular approach to proxying SSL for applications of different trust levels and privacy concerns – pass-through, check/verify then pass-through, or proxy with full visibility and control.

The policy capabilities of the ProxySG allow for the display of splash screens reminding users of acceptable use, and warning them that monitoring extends to SSL.

Encrypted Tap on the ProxySG allows for visibility of both internal and external SSL traffic. It does more than enhance security – it also provides a better user experience. The Blue Coat solution actually improves overall session performance up to 1,000 percent by leveraging Blue Coat MACH5 acceleration technologies (caching, compression, and bandwidth prioritization policies). All ProxySG appliances are powered by a purpose-built operating system, and can be centrally managed as part of an enterprise-wide solution deployment.

Conclusion

Encrypted traffic is pervasive in today’s enterprises and market research indicates continued rapid growth over the next several years. IT network operators are looking for new solutions that satisfy the need for information security for the enterprise and for individual users, as well as requirements for corporate compliance, acceptable-use policies and government regulations for security and privacy. The resulting solution must not require re-architecting the security infrastructure, nor impact network performance, because compliance at the expense of throughput is no more acceptable than meeting user and application bandwidth requirements while ignoring security. Historically it has been difficult, if not impossible, to satisfy these competing requirements for comprehensive security, high performance and effective, policy-based control. Blue Coat offers a choice of encrypted traffic management solutions that meet these requirements, and give any organization complete visibility and control of SSL communications and the potential threats therein.

© 2014 Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue Coat logos, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter, CacheEOS, CachePulse, Crossbeam, K9, the K9 logo, DRTR, Mach5, Packetwise, Policycenter, ProxyAV, ProxyClient, SGOs, WebPulse, Solera Networks, the Solera Networks logos, DeepSee, “See Everything. Know Everything.”, “Security Empowers Business”, and BlueTouch are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. Blue Coat makes no warranties, express, implied, or statutory, as to the information in this document. Blue Coat products, technical services, and any other technical data referenced in this document are subject to U.S. export control and sanctions laws, regulations and requirements, and may be subject to export or import regulations in other countries. You agree to comply strictly with these laws, regulations and requirements, and acknowledge that you have the responsibility to obtain any licenses, permits or other approvals that may be required in order to export, re-export, transfer in country or import after delivery to you. v.SB-SSL-VISIBILITY-EN-v2d-0514

Blue Coat Systems Inc. www.bluecoat.com

Corporate Headquarters Sunnyvale, CA

+1.408.220.2200

EMEA Headquarters Hampshire, UK

+44.1252.554600

APAC Headquarters Singapore

+65.6826.7000

Choosing the right solution

SSL VISIBILITY APPLIANCE

• Supports multiple, simultaneous streams (i.e. feeds up to three attached security devices simultaneously with decrypted traffic)
• Copy of decrypted traffic can be sent to:
  - Inline deployment with policy enforcement options for active appliances
  - Inline with passive appliances
  - SPAN/Tap/Mirror deployment with passive appliances
• High performance (multi-gigabit/sec SSL visibility throughput)
• Policy capability based on web host categories, IP addresses, CA status, destination TCP port and other network parameters
• Host Categorization-based policies utilize and sync with the Blue Coat Global Intelligence Network for real-time updates and protection against advanced malware and threats
• Detection of all SSL traffic, irrespective of destination port value (application), using deep packet inspection techniques
• Provides the clear text of any SSL flow, including HTTPS, SPDY, POP3, IMAP, SMTP, FTP and other protocols that use SSL/TLS
• Standalone, dedicated appliance: SV1800, SV2800 or SV3800
• Requires OS v3.7 or later for support of Host Categorization-based policies
• Requires an Enterprise Activation license
• Requires the ‘Host Categorization’ subscription-based license for creating policies based on web host categories

ENCRYPTED TAP FOR PROXYSG

• Supports a single output stream of decrypted traffic
• Copy of decrypted traffic can be sent to a single Tap port connected to a passive appliance
• All ProxySG deployment methodologies supported (see Secure Web Gateway Deployment Methodologies white paper)
• Performance based on ProxySG performance
• Full policy (CPL) integration
• SSL visibility of web traffic only (i.e. HTTPS)
• Requires existing or new ProxySG appliance: SG600, SG900, SG9000, S400 or S500
• Requires SGOS release v6.5 or later
• Requires the SSL license
• Requires the Encrypted Tap license
• A collection system, configured to receive tapped data, is needed for effective operation

About Blue Coat

Security technology can focus on prevention and prohibition – and instill a culture of fear – or it can center on possibilities and help you unleash your full business potential.

Blue Coat offers more than the industry’s most advanced and sophisticated security technology and services. We offer a whole new outlook on how security technology provides business value. This Business Assurance Technology is delivered by our Solution Centers, a comprehensive array of technologies, products, services, and capabilities that give you total protection – and help you see and exploit new opportunities. Blue Coat offers two options for SSL visibility, a key component in our Security and Policy Solution Center that offers the intelligence you need to effectively manage encrypted traffic throughout your organization.

Learn more about our Business Solution Centers at www.bluecoat.com/business-assurance-technology