Is Your Security Blind to SSL/TSL?
2 likes276 views
The document discusses SSL/TLS and its implications for security, detailing the evolution of secure protocols and their business and technology impacts. It highlights current challenges, the need for SSL testing, and NSS Labs' methodology for testing SSL/TLS capabilities and performance. The objective is to provide a data-driven approach for enterprises to enhance their network protection in an increasingly encrypted environment.
Is Your Security Blind to SSL/TSL?
- 3. 3 Who is NSS Labs? Research & Advisory • Solu2on trends • Best prac2ce solu2on architecture guidance • Analyst inquiries • Security advisory days • Webinars/educa2on Objec@ve Purchase Insight • Product modeling • RFP templates • TCO modeling kits Security Vendor Tes@ng • Security efficacy • Solu2on performance • Cost of ownership Cyber Advanced Warning System™ • Con2nuous exploit visibility • Con2nuous target asset iden2fica2on • Con2nuous security measurement • Product compara2ves • SaaS or API
- 4. 4 SSL/TLS Overview • Secure Socket Layer/Transport Layer Security (SSL/TLS) o 1994 SSL 1.0 (Netscape – Never released) o 1995 SSL 2.0 (Netscape – Security flaws) o 1996 SSL 3.0 (Netscape – Rewrite) o 1999 TLS 1.0 (IETF – Became RFC) o 2006 TLS 1.1 (IETF – Cipher-block chaining) o 2008 TLS 1.2 (IETF – Mul2ple enhancements) o 2016 TLS 1.3 (IETF – Current working draa) • HTTP over TLS (HTTPS) o En2re HTTP protocol is encrypted Client Server Client hello Server hello Client key exchange Change cipher spec Client finished Change cipher spec Server finished Cer2ficate ServerKeyExchange ServerHelloDone Cer2ficateRequest Verify cer2ficate Cer2ficateVerify Verify cer2ficate Applica2on data Applica2on data Encrypted
- 5. 5 Business vs. Technology Impact • 40.5% of the Internet’s 140,132 most popular websites have HTTPS by default • Encryp2on technologies implemented in enterprises today: o Data in mo&on (e.g., virtual private networks, web communica2ons between browser and webservers) o Data at rest (e.g., databases, whole disk encryp2on for servers, desktops, mobile devices) o Encrypted web communica2on (u2lizing HTTPS)
- 6. 6 Business vs. Technology Impact Business drivers and impact: • Control access to—and maintain the integrity of—intellectual property • Maintain confiden2ality of financial transac2ons (PCI-DSS), personally iden2fiable informa2on (PII), etc. • Improve ranking for Google search engine results • Reduce exposure to protocol-specific ajacks (e.g., Heartbleed) • Reduce risk from increased wireless access points • Enterprise employees consume encrypted content for personal reasons (Gmail, banking, etc..) • Enterprise content is hosted internally
- 7. 7 Business vs. Technology Impact Technology impact: • Enterprise’s ability to scale and implement SSL • Technology suppor2ng SSL relies on server certs, protocol support, key exchange, cipher strength • Understanding SSL impact with tradi2onal layers of defense • Encryp2on / decryp2on / hybrid – a constant challenge • Performance impact – SSL securely exchanges all data over a network (e.g., file transfers, VPN connec2ons, instant messaging, content transac2ons, VoIP) • Balancing SSL security and legacy applica2on support (backward compa2bility)
- 8. 8 Current Challenges • SSL performance for appliances is typically lower than network appliance performance • Evalua2ng appliance-based network performance is easier than evalua2ng SSL performance • NSS research indicates majority of threats using SSL as a transport fall into targeted persistent ajack (TPA) category • Cer2fica2on authori2es (CAs) – weakest link • Privacy and confiden2ality vs. visibility against threats/data exfiltra2on • Security flaws with SSL-TLS protocols • Enterprise compliance, segmenta2on, zoning-based implementa2on/ deployment challenges
- 9. 9 SSL/TLS Vendor Landscape Overview • Hardware-based security appliance vendors o On-BOX inspec2on vendors (perimeter, internal enterprise networks) o Offloading–primarily decryp2on—vendors (server-side/data center infrastructure) o VPN-based vendors (only VPN support) • Soaware-based SSL security vendors are not in scope for this version
- 11. 11 The Need for SSL Testing • Enterprise-based breaches over SSL are on the rise • Enterprise visibility: Iden2fying and decryp2ng SSL/TLS connec2ons and applica2on traffic across the network is cri2cal (threats and data loss) • SSL/TLS-based security appliances are proving to be ineffec2ve o Mul2ple cipher suites are not supported by the security appliance vendors o SSL/TLS communica2ons occurring over non-standard ports – not visible o Unable to decrypt traffic even at 50% of their adver2sed SSL/TLS-based throughput (due to processor, computa2onal algorithm metrics) o Fast-pathing connec2ons at high rates without decryp2on • Understanding and ra2ng SSL/TLS network-based security appliances on decryp2on performance, latency, maximum connec2on rates becomes extremely important • NSS Labs’ first foray into tes2ng SSL/TLS for enterprises
- 12. 12 NSS Labs Methodology • Use of SSL and its newer itera2on, TLS, has been on the rise with ever- increasing need for privacy online • Modern cyber campaigns frequently focus on ajacking users through most common web protocols and applica2ons • NSS con2nues to receive inquiries from enterprise customers during their assessments of vendors that provide SSL/TLS decryp2on and protec2on technologies • NSS has developed a methodology to test capabili2es and performance of devices providing SSL/TLS protec2on
- 13. 13 Deployment Scenarios • Our test methodology is intended to support and test various deployment methods, including: o Man-in-the-middle o Forward proxy o Reverse proxy o Pure decryp2on offload
- 14. 14 Methodology Overview • NSS Test Methodologies are designed to address challenges faced by enterprise security/IT professionals in selec2ng and managing security products • Scope of this par2cular methodology includes: o Verifica2on of SSL/TLS capability o SSL/TLS performance • Based on needs iden2fied in NSS’ research, the following capabili2es are considered essen2al in SSL/TLS-capable devices: o Ability to perform SSL inspec2on o Ability to nego2ate to all modern ciphers and key sizes o Support for common TLS extensions and TLS profile enforcement
- 18. 18 Our Objective • SSL encryp2on has increased over the years, and many products have come to the fore to protect that traffic. • Un2l now, no comprehensive, methodical test has been performed to validate performance and func2onality across mul2ple technologies and manufacturers. • The NSS Labs SSL/TLS test is designed to be a well-thought out, data-driven approach to give enterprises the informa2on they need to protect their networks in the encryp2on age.
- 19. 19 Test Details • Cipher suites and key sizes o Over 75 tests that cover this range of cipher suites and keys • Manufacturer and enterprise feedback • Tes2ng gear and tools
- 20. 20 Test Deliverables • Individual Test Reports for each vendor • Performance results for each cipher suite selected o Results provided in both tables and graphs • Matrix of supported cipher suites based on tes2ng • Results of func2onality tes2ng
- 21. 21 Q&A