When your customers talk about security, they have two concerns in mind. The first is protecting their transactions: making sure that their applications are always accessible, responsive and consistent. The second is ensuring the privacy of their transaction details as they travel over the public Internet. Quite often the solutions to these two concerns conflict, and innovative technologies are emerging to address both problems at once.
Encryption techniques have existed for centuries and have developed over time as mathematics and computer electronics evolved. The open standards that exist today can authenticate each user and encrypt the transaction data all the way from the protected server to the client computer or secure network. When used to their full extent, they can guarantee privacy for days or even centuries.
Two main standards are used today. The IPsec standard, developed in 1995, creates a secure symmetric tunnel between one endpoint and another and requires software or hardware to be installed at both ends of the tunnel. The SSL standard, developed in 1994, uses a client-server model to dynamically create a secure tunnel for each user access request. SSL was integrated into all Internet browsers and is today the de facto encryption standard for any application running on the network.
Because every browser supports this standard, the application provider can focus on an SSL service infrastructure close to the application side without any changes on the client side. Most Web sites offer SSL access today, and the next generation of streaming media (voice, video, conferencing and remote file access) will also be protected by SSL.
The darker side of the privacy conflict is that, just as users need to protect legitimate data from people probing the Internet, the same privacy protects illegitimate users from the entire security infrastructure put in place on the network. Firewalls, intrusion detectors, antivirus software, parental control systems and other security devices are all completely blinded by the encryption. This is why you need to deploy a smart solution that guarantees transaction privacy without compromising the protection of your users and applications.
There are two main places where encryption weakens your defenses and requires a security expert's attention. The first is your users' access point to the Internet, where a combination of a firewall, antivirus software and intrusion prevention appliances may be deployed. This infrastructure is meant to stop your users from reaching malicious content on the Internet and infecting the enterprise LAN. But what is it worth once a user opens an encrypted connection to a site on the Internet? None of your security gateways can protect your network unless they can inspect the actual transaction data.
The second place is your application premises, where you apply various security mechanisms such as intrusion detection, intrusion prevention, application firewalls and other tools. If the encrypted session terminates directly on the servers, hackers using encryption enjoy automatic immunity from inspection, because their "private" data is hidden from the security tools.
There are two solutions to this problem. The first is to terminate all incoming encrypted sessions in front of the server farm. This approach has clear benefits: it offloads the servers, and hardware-based appliances can handle the encryption at very low latency.
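The following Go program is an added illustration of the termination-in-front-of-the-servers idea from this paragraph and of the inspection problem described in the two paragraphs before it; it is not code from the article or from Radware. It terminates TLS at a gateway, inspects the now-plaintext request, and only then forwards it over HTTP to the backend. The backend address, the certificate and key file paths, and the `blockedPatterns` rule list are assumptions made for the example, not real signatures or deployment values.

```go
package main

import (
	"bytes"
	"io"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// blockedPatterns is a constructed, deliberately tiny rule set standing in for
// whatever the inline gateway's inspection engine would really match on.
var blockedPatterns = []string{"<script", "../../"}

// Inspect returns the first pattern found in a plaintext payload, or "" if the
// payload is clean. Run on ciphertext it would see nothing, which is exactly
// the blindness the article describes.
func Inspect(payload []byte) string {
	lower := bytes.ToLower(payload)
	for _, p := range blockedPatterns {
		if bytes.Contains(lower, []byte(p)) {
			return p
		}
	}
	return ""
}

// InspectingHandler wraps a backend handler. TLS has already been terminated by
// whoever serves this handler, so the request seen here is plaintext: the body
// and query string can be checked before anything reaches the server farm.
func InspectingHandler(backend http.Handler, maxBody int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
		if err != nil {
			http.Error(w, "request body too large or unreadable", http.StatusRequestEntityTooLarge)
			return
		}
		for _, part := range [][]byte{body, []byte(r.URL.RawQuery)} {
			if hit := Inspect(part); hit != "" {
				log.Printf("blocked %s %s from %s: matched %q", r.Method, r.URL.Path, r.RemoteAddr, hit)
				http.Error(w, "request rejected by inspection", http.StatusForbidden)
				return
			}
		}
		// The body was consumed for inspection; restore it for the backend.
		r.Body = io.NopCloser(bytes.NewReader(body))
		backend.ServeHTTP(w, r)
	})
}

// NewTerminatingProxy builds the gateway handler: inspection in front of a
// reverse proxy that talks plain HTTP to the (assumed) internal backend.
func NewTerminatingProxy(backendURL string, maxBody int64) (http.Handler, error) {
	target, err := url.Parse(backendURL)
	if err != nil {
		return nil, err
	}
	return InspectingHandler(httputil.NewSingleHostReverseProxy(target), maxBody), nil
}

func main() {
	// Assumed backend address and placeholder certificate paths for the gateway.
	h, err := NewTerminatingProxy("http://127.0.0.1:8080", 1<<20)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", h))
}
```

The point to take from the design is where the decryption happens: the client still gets an end-to-end encrypted session to the gateway, but from the gateway inward the security tools work on plaintext. Anything you would want an application firewall or IDS to check has to sit on the inside of that termination point, not in front of it.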
The above solutions will help ensure that your encryption tools not only secure your clients' data, but also shut down the express lane that hackers use to bypass your entire security infrastructure.
About the author: Amir Peles is chief technical officer at Radware.
This was first published in May 2006