Web encryption is indispensable for today's businesses, but organizations with an open port 443 (HTTPS tunnel) on their firewall are left with a major security hole wide open in their network. Traditional firewalls and gateway anti-virus solutions are unable to scan encrypted traffic, and therefore can provide no control over what content is sent in and out of organizations' networks via HTTPS. This presents risks to organizations that may not realize they cannot rely on their HTTP filters to protect HTTPS encrypted traffic. Risk also exists with regulatory compliance. Can an organization be compliant if they allow open SSL tunnels which could contain the very confidential information the regulations seek to control?
Moreover, hackers and malicious employees alike know that the traffic that goes through HTTPS tunnels under the cloak of encryption is wide open and unprotected, and therefore they use and will continue to exploit the HTTPS protocol to bypass content control mechanisms to circulate potentially malicious content. This white paper discusses how HTTPS filtering (SSL scanning) provides companies with the means to counter these threats by fully extending their existing Internet usage policies to HTTPS traffic, and thereby proactively closing that last known major network security hole.
Introduction
The production version of SSL was released by Netscape in 1996 and was designed to maintain the integrity of transmissions through encryption, authentication, and message authentication codes. The protocol's ability to maintain the integrity of information and to establish a secure pipeline between two endpoint entities was arguably a key factor in the rapid adoption of e-commerce in the late 1990s. Initially SSL was deployed as a means to protect the integrity of transactions and posed a performance challenge to the Web servers, as the termination and decryption of 128-bit encrypted traffic required more powerful hardware. Over the years less expensive SSL acceleration and termination cards helped the expansion of HTTPS to Web services as well as more traditional Web content.
Today, the proportion of encrypted content to standard HTTP traffic is already too large for enterprises to ignore and is increasing every day. The continued growth in encrypted content in relation to encrypted transactions is, and will continue to be, a major security challenge for corporate networks. Based on analysis of various companies' gateway logs [1], it becomes clear that a significant portion of incoming traffic is encrypted - ranging anywhere between 10% and 50%. This means that potentially up to half of all traffic going through the corporate gateway is not sufficiently scanned for viruses and cannot be checked for security-policy compliance.
Rising popularity of SSL
The majority of the increase in SSL traffic is represented in the large-scale de facto adoption of Internet shopping for day-to-day shopping needs, as well as a transition from call centers to customer Web portals. Gone are the times when auto insurance businesses or popular banks didn't offer online banking or online customer service portals, and customers had no other options but to go to the counter or call in - unthinkable in today's world. But SSL isn't limited to business-to-consumer transactions. For example, state and federal governmental institutions have widely adopted the offering of their services via the Internet, and of course it all must be encrypted. The same is true for the IRS's popular 'e-file' tax service, which grew to 60 million US individual tax returns in 2006.
Popular content-driven applications include end-to-end encrypted Web-mail services like Hotmail or Gmail, an increasing number of online publications, encrypted Web hosting, and SSL-protected newsgroups. Even full-fledged business-to-business offerings such as salesforce.com [II] or Web conferencing tools contribute to the rising popularity of SSL.
Threat assessment - Viruses and malware can hide in encrypted traffic
Administrators will readily admit that they like to know and control what is going on in their networks, which is why it is increasingly rare to find a company of any size that hasn't deployed some sort of Web content filtering solution. Spurred by the worldwide spread of Nimda, Code Red, Slammer, Zotob, and the like, companies have come to view Web security solutions as mandatory for the day-to-day security of their business. But most companies are less protected than they think, and there is an alarming amount of Web activity that still evades administrators' control.