Protecting encrypted data from attacks


Amir Peles
05.02.2006


You may think of encryption as a way to secure your client data. Hackers see encryption as the express carpool lane, allowing them to bypass your entire security infrastructure.

When your customers are talking about security, they have two concerns in mind. The first is to protect their transactions, making sure that their applications are always accessible, responsive and coherent. The second concern is ensuring the privacy of their transaction details being transported over the public Internet. Quite often the solutions to these concerns are conflicting, and innovative technologies are arising to provide a complete solution to both problems.

Encryption techniques have existed for centuries and developed through time as mathematics and computer electronics evolved. The open standards that exist today are able to authenticate each user and encrypt the transaction data all the way from the protected server to the client computer or secure network. When used to their full extent, they can guarantee privacy for days or even centuries.

Two main standards are used today. The IPsec standard developed in 1995 allows for the creation of a secure symmetric tunnel from one end point to another and requires an installation of software/hardware on both sides of the tunnel. The SSL standard developed in 1994 uses a client-server model to dynamically create secure tunnels per user access request. This SSL standard was integrated into all Internet browsers and is today the de facto encryption standard of any application running on the network.

The fact that every browser supports this standard allows the application provider to focus on an SSL service infrastructure close to the application side without interference on the client side. Most Web sites offer SSL access today, and the next generation of streaming media (voice, video, conferencing, and remote file access) will also be protected by SSL.

The darker side of the privacy conflict is that the same encryption that protects users' legitimate data from people probing the Internet also shields illegitimate users from the entire security infrastructure that is put in place on the network. All the firewalls, intrusion detectors, antivirus software, parental control systems and other security devices are completely blinded by the encryption. This is why you need to deploy a smart solution in order to guarantee transaction privacy without compromising the protection of your users and applications.

There are two main points of encryption weakness that require security expert attention. The first is the need for protection at your users' access point to the Internet, where a combination of a firewall, antivirus software and intrusion prevention appliances may be used. This is meant to protect your users from accessing malicious content on the Internet and infecting the enterprise LAN. But what will be the value of this infrastructure once a user opens an encrypted connection to a site on the Internet? None of your security gateways will be able to protect your network unless it can inspect the actual transaction data.

[IMAGE]
While most of your colleagues will choose to ignore this security hole, you can consider an innovative alternative for your enterprise as shown in the above diagram. Use your own trusted SSL termination gateway in the DMZ that will intercept all the outgoing SSL transactions from your internal users. This gateway behaves like the end server and provides the user with a certificate of the end server. The gateway also acts as a certificate authority for the internal users so it can authenticate itself.

Once the SSL tunnel is terminated, you can apply any security inspection mechanism to that traffic and make sure that your network and users enjoy the highest level of protection. Obviously, you should also guarantee the privacy of the transaction, and use the same SSL gateway to now communicate with the target server through a new SSL tunnel for the transaction. With that simple addition to your network you completely support the privacy of your users without any compromise.

The second place for protection is certainly at your application premises, where you apply various security mechanisms such as intrusion detection, intrusion prevention, application firewalls and other tools. If encryption reaches directly to the servers, hackers using encryption will enjoy automatic immunity from inspection as their "private" data will be hidden from the security tools.

There are two solutions to this problem. The first solution would be to terminate all the incoming encrypted sessions in front of the server farm. There are clear benefits to this approach in terms of offloading the servers and using hardware-based appliances to handle the encryption at very low latency.

[IMAGE]
However, a second solution is very simple to use without any modification to the network. Security managers who already use IDS/IPS technology may complete the intrusion coverage for encrypted transactions by using an additional device that can listen to encrypted traffic, decrypt it and pass it unencrypted to IDS inspection. Such a passive encryption termination device has to be equipped with the private encryption certificates of the servers, and thus it can regenerate the encryption variables of each encryption sequence.
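Added example (not from the original article): the passive device described above can regenerate session keys from the server's private key only when the handshake uses static RSA key exchange; with ephemeral Diffie-Hellman suites, and with every TLS 1.3 suite, the private key alone is not enough. The code goes beyond the text by classifying cipher-suite names so you can see which of a server's suites the IDS tap would still be blind to. The sample list and the function names are constructed for illustration.

```python
import re

# Constructed sample: suites a server might offer, in OpenSSL and IANA naming.
SAMPLE_SUITES = [
    "AES128-SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_AES_128_GCM_SHA256",
    "PSK-AES128-CBC-SHA",
]

# Ephemeral key exchange: the session secret is never sent under the server key.
_EPHEMERAL = {"ECDHE", "DHE", "EDH", "EECDH"}
_BULK_CIPHER = re.compile(r"^(AES|DES|CAMELLIA|ARIA|SEED|IDEA|RC4|NULL)")


def key_exchange(suite: str) -> str:
    """Classify a cipher-suite name as 'rsa', 'ephemeral' or 'other'."""
    name = suite.strip().upper()
    if name.startswith("TLS_"):
        if "_WITH_" not in name:
            # TLS 1.3 names carry no key exchange field; it is always (EC)DHE.
            return "ephemeral"
        kx = name[4:name.index("_WITH_")].split("_")
        if kx == ["RSA"]:
            return "rsa"
        return "ephemeral" if kx[0] in _EPHEMERAL else "other"
    first = name.split("-")[0]
    if first in _EPHEMERAL:
        return "ephemeral"
    # OpenSSL omits the key-exchange prefix for static RSA: the name
    # starts directly with the bulk cipher.
    return "rsa" if _BULK_CIPHER.match(first) else "other"


def ids_blind_spots(suites):
    """Suites a passive tap cannot decrypt with the server's RSA key alone."""
    return [s for s in suites if key_exchange(s) != "rsa"]


if __name__ == "__main__":
    for s in SAMPLE_SUITES:
        print(f"{s:36} {key_exchange(s)}")
    print("not covered by passive decryption:", ids_blind_spots(SAMPLE_SUITES))
```

Traffic negotiated with any suite in the blind-spot list needs the in-line termination approach instead if the IDS is to see it.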

The above solutions will help ensure that your encryption tools not only secure your client data, but also shut down the express lane hackers use to bypass your entire security infrastructure.

-----------------------------------
About the author: Amir Peles is chief technical officer at Radware.
