SSL: Your network blind spot

You can't defend against what you can't see.

Let's say you are the police commissioner in a city with a large prison. A dangerous criminal just escaped and is fleeing the city by vehicle. You quickly respond by setting up roadblocks and checkpoints, inspecting every vehicle that leaves the city. You have expertly trained and experienced officers conducting the inspections, and not a single vehicle gets out of the city without passing through your checkpoints and being inspected inside and out. You would be certain to catch him, right?

Now imagine that the officers at the checkpoints lack the authority to stop and inspect the inside of the vehicles. They can peer inside the windows, but about a third of the vehicles passing through have compartments that you can't see from outside. Maybe some are utility vans with no windows in the back, or have tinted windows, or are semi trucks with large trailers. Would you be confident that you will catch the bad guy if you are only inspecting one-third of the vehicles passing through your checkpoints?

Life inside the enterprise network

Life inside the enterprise network is kind of like this. Encrypted traffic is like a car with tinted windows - your network-based checkpoints (firewall, IPS, etc.) can't peer inside the cryptographically obscured data.

Just how big of a deal is this? How much traffic on the network is actually encrypted? Consider the following:

  1. A 2013 report from NSS Labs states that 25% to 35% of traffic on enterprise networks is SSL-encrypted.
  2. Palo Alto Networks' Application and Usage Risk Report, 7th Edition, corroborates this, stating that their analysis shows 36% of all traffic on enterprise networks is encrypted.
  3. A growing number of websites are enforcing SSL by default.
  4. Google recently announced that it will begin favoring SSL-enabled websites in search rankings.

What can be done?

So what's the solution? There are no easy answers, but here are a few things to consider:

  1. Robust endpoint security. Endpoint security solutions inspect traffic after (or before, depending on your perspective) it is decrypted by the workstation.
  2. Content filtering. Even though the traffic may be encrypted, some security tools can still filter content using information contained in the SSL certificate. An allow/deny decision is based on a reputation database. This isn't a flawless approach, but it is better than nothing.
  3. SSL decryption. Both traffic initiated inbound to your organization's servers and traffic initiated by clients on your corporate network to the internet can be decrypted by network-based security tools and inspected by your entire suite of network security gear. For a comprehensive look at how this works, take a look at What's Lurking in your Network?
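The second option above rests on the fact that even an encrypted session leaks some cleartext metadata a checkpoint can read. As an added example (not part of the original article), the Python below parses the Server Name Indication out of a TLS ClientHello, which is the client-side counterpart of the certificate information the article mentions, and uses it to estimate the encrypted share of a set of flows, answering the "how much of my traffic is encrypted?" question the article raises. The ClientHello builder and the sample flows are constructed for the example and are not real captures.

```python
import struct

def client_hello_sni(record: bytes):
    """Return the SNI host from a cleartext TLS ClientHello record, or None if
    the bytes are not a ClientHello (e.g. plain HTTP or SMTP)."""
    # Record header: type(1)=0x16 handshake, version(2), length(2);
    # handshake header: type(1)=0x01 ClientHello, length(3).
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9
    pos += 2 + 32                                  # client_version + client_random
    pos += 1 + record[pos]                         # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                         # compression_methods
    sni = None
    if pos + 2 <= len(record):                     # extensions are optional
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:                      # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                sni = record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    return sni

def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI (sample input only)."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni                  # extension type 0
    body = (b"\x03\x03" + bytes(32) + b"\x00"                    # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                  # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed first-packet payloads from a few client flows (not real captures).
SAMPLE_FLOWS = [
    b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    build_client_hello("mail.example.com"),
    build_client_hello("updates.example.net"),
    b"EHLO workstation\r\n",
    build_client_hello("cdn.example.org"),
]

def encrypted_share(flows):
    """Fraction of flows that open with a TLS handshake, and the SNIs a checkpoint can read."""
    hellos = [client_hello_sni(f) for f in flows]
    return sum(h is not None for h in hellos) / len(flows), [h for h in hellos if h]
```

The SNI and the server certificate are what a reputation-based filter has to work with; the request path, headers and body behind them remain invisible without decryption.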

Why does it matter? What does it mean for the enterprise?

Considering how much traffic is already encrypted on corporate networks, combined with the fact that the compute power required on web servers to implement SSL is getting cheaper by the day, it isn't hard to envision a day when all traffic on your network will be encrypted. And because bad guys like to hide their bad guy activities, it is only going to get easier for them to slip past your checkpoints undetected.

Do you know how much traffic on your network is encrypted today? Does your current security plan account for encrypted traffic? Do your organization's decision makers understand that your network-based security tools are useless on a substantial portion of traffic flowing in your network? Do you have a plan in place for dealing with an increasing percentage of encrypted traffic on the network?

If you can't answer all of these in the affirmative, you need to get to work.


Copyright © 2015 IDG Communications, Inc.
