APPLICATION SECURITY STRATEGIES

Protecting encrypted data from attacks


Amir Peles
05.02.2006
You may think of encryption as a way to secure your client data. Hackers see encryption as the express carpool lane, allowing them to bypass your entire security infrastructure.

When your customers talk about security, they have two concerns in mind. The first is to protect their transactions, making sure that their applications are always accessible, responsive and coherent. The second is ensuring the privacy of their transaction details as they are transported over the public Internet. Quite often the solutions to these two concerns conflict, and innovative technologies are arising to address both problems together.

Encryption techniques have existed for centuries and have evolved as mathematics and computer electronics advanced. The open standards that exist today can authenticate each user and encrypt the transaction data all the way from the protected server to the client computer or secure network. When used to their full extent, they can guarantee privacy for days or even centuries.

Two main standards are used today. The IPsec standard, developed in 1995, creates a secure symmetric tunnel from one endpoint to another and requires the installation of software or hardware on both sides of the tunnel. The SSL standard, developed in 1994, uses a client-server model to dynamically create secure tunnels per user access request. SSL has been integrated into all Internet browsers and is today the de facto encryption standard for any application running on the network.

The fact that every browser supports this standard allows the application provider to focus on an SSL service infrastructure close to the application side without interference on the client side. Most Web sites offer SSL access today, and the next generation of streaming media (voice, video, conferencing, and remote file access) will also be protected by SSL.

The darker side of the privacy conflict is that, just as users need to protect the legitimate data from people probing the Internet, the privacy also protects illegitimate users from the entire security infrastructure that is put in place on the network. All the firewalls, intrusion detectors, antivirus software, parental control systems and other security devices are completely blinded by the encryption. This is why you need to deploy a smart solution in order to guarantee transaction privacy without compromising the protection of your users and applications.

There are two main points of encryption weakness that require a security expert's attention. The first is the need for protection at your users' access point to the Internet, where a combination of a firewall, antivirus software and intrusion prevention appliances may be used. This infrastructure is meant to protect your users from accessing malicious content on the Internet and infecting the enterprise LAN. But what is it worth once a user opens an encrypted connection to a site on the Internet? None of your security gateways can protect your network unless it can inspect the actual transaction data.

While most of your colleagues will choose to ignore this security hole, you can consider an innovative alternative for your enterprise, as shown in the above diagram. Use your own trusted SSL termination gateway in the DMZ to intercept all outgoing SSL transactions from your internal users. Toward the user, this gateway behaves like the end server and presents a certificate for the end server. The gateway also acts as a certificate authority trusted by the internal users, so it can authenticate itself to them with the certificates it issues.

Once the SSL tunnel is terminated, you can apply any security inspection mechanism to that traffic and make sure that your network and users enjoy the highest level of protection. Obviously, you should also guarantee the privacy of the transaction, so the same SSL gateway then opens a new SSL tunnel to the target server and forwards the transaction through it. With that simple addition to your network you fully preserve the privacy of your users without any compromise.

The second place for protection is certainly at your application premises, where you apply various security mechanisms such as intrusion detection, intrusion prevention, application firewalls and other tools. If encrypted traffic reaches the servers directly, hackers using encryption will enjoy automatic immunity from inspection, as their "private" data will be hidden from the security tools.

There are two solutions to this problem. The first solution would be to terminate all the incoming encrypted sessions in front of the server farm. There are clear benefits to this approach in terms of offloading the servers and using hardware-based appliances to handle the encryption at very low latency.

A second solution, however, is very simple to deploy without any modification to the network. Security managers who already use IDS/IPS technology can extend intrusion coverage to encrypted transactions by adding a device that listens to the encrypted traffic, decrypts it and passes it unencrypted to the IDS for inspection. Such a passive decryption device has to be equipped with the servers' private keys and certificates, so that it can regenerate the session keys of each encrypted session.
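As an added example (not part of the article and not a Radware product), the check a practitioner wants before relying on the passive approach: it only works when the session's premaster secret was encrypted to the server's RSA key. With ephemeral (EC)DHE key exchange, and with all of TLS 1.3, the server's private key only signs the handshake, so a passive device cannot regenerate the session keys and only an inline terminating gateway (the first solution) can inspect that traffic. The cipher-suite table is a small subset of the registered suites, and the ServerHello records are constructed, not captured.

```python
"""Classify a TLS ServerHello by whether a passive device holding only the
server's private key could derive the session keys. Added example with
constructed records; cipher-suite IDs are from the IANA TLS registry."""
import struct

# Premaster secret is RSA-encrypted to the server key: passively decryptable.
RSA_KEY_TRANSPORT = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                     0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
                     0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
                     0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384"}
# Ephemeral (EC)DHE and TLS 1.3 suites: the private key only signs.
EPHEMERAL = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             0x1301: "TLS_AES_128_GCM_SHA256 (TLS 1.3)"}

def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ServerHello; return version and suite."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    version = struct.unpack("!H", hs[4:6])[0]
    sid_len = hs[38]  # 4-byte handshake header + 2 version + 32 random
    suite = struct.unpack("!H", hs[39 + sid_len:41 + sid_len])[0]
    return {"version": version, "cipher_suite": suite}

def passive_decryptable(suite: int) -> bool:
    """True only for RSA key transport; unknown suites are treated as not decryptable."""
    return suite in RSA_KEY_TRANSPORT

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed ServerHello: TLS 1.2 framing, zeroed random, no extensions."""
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def classify(record: bytes) -> str:
    """Human-readable verdict for one captured ServerHello record."""
    suite = parse_server_hello(record)["cipher_suite"]
    name = RSA_KEY_TRANSPORT.get(suite) or EPHEMERAL.get(suite) or f"0x{suite:04X}"
    verdict = "passively decryptable" if passive_decryptable(suite) else "needs inline termination"
    return f"{name}: {verdict}"

if __name__ == "__main__":
    for s in (0x002F, 0xC02F, 0x1301):
        print(classify(build_server_hello(s, session_id=b"\x01\x02")))
```

Run against real ServerHello records from a span port, the same classification tells you which share of your server traffic the passive device can actually see.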

The above solutions will help ensure that your encryption tools not only secure your client data, but also will shut down the express lane hackers use to bypass your entire security infrastructure.

-----------------------------------
About the author: Amir Peles is chief technical officer at Radware.

Copyright 2006 - 2008, TechTarget