Are you looking for my non-technical blog?

This is now my technical-only blog, my non-technical blog is here.

02 June 2008

Evil Encryption Dilemma

SSL is everywhere nowadays, it's not only used by Web Servers, but also Telecommuters and Remote Employees access their Enterprises using SSL VPN Tunnels. P2P and IM's are also encrypting their traffic.

Ok, it's good to encrypt your traffic, so that no one can see or alter your confidential data, but on the other hand, how will the Network-Based IPS's, Firewalls/UTM's, and WAN Optimizers operate successfully in such Confidential World!?

By encrypting your traffic you are hiding the malicious traffic patterns from the IPS's along with your confidential data. You are also hiding the repeated patterns from the WAN Optimizers, and sure they won't be able to optimize traffic they can't see.

I know there are some workarounds out there and special deployment scenarios that can somehow help in solving such issue. But I'd like you first to tell me what do you think is the optimum solution for this Evil Encryption Dilemma.

Tags: , ,

5 comments:

  1. It has been, and will always be Security vs Quality, speed, optimization, accessibility, Usability ...etc!
    Security vs anything, Security wins! It's that simple!
    Security is more important than people's attempts to "snoop" around my business to "optimize" it or to steal it, violate my privacy ..etc!

    The solution is end point security where the content are reevaluated at the client/server/peer.

    Going into the content of the higher network layers is really not the business of the network devices. Although, it's been the life long dream of Cisco to thrust into these upper layers, but just about everyone else in the world is pushing them down and "letting them" have the lower layers. Higher layers are controlled and dominated by Microsoft, Google, Verisign, IBM, Sun and the rest of the services and content providers.
    Which is making Cisco go nuts because they can't (and will never) be able to compete up there
    So they start crying about how SSL is inefficient, how RPC over HTTP is wasteful, and how the new direct-connect/SOAP/Communication foundation/Rosetta are not network optimized (and I agree) but no one is listening! People want security, people want seamless communications and it's just the way it's going to be

    ReplyDelete
  2. The problem here that it's more like Security vs Security instead of Security vs Quality.

    I agree that End-Point security can be more effective sometimes, but in some cases this can't be always the case. How a bout an organization that want to block people from running P2P applications!? How about a mobile operator who wants to block Fring/Skype traffic!? How about attacks that target the OS Kernel or Device Drivers, the Security Applications running on top of such Vulnerable OS for sure won't be able to do anything.

    At the end of the day, security has do be done in layers, and that's why we still need to find another methods in order to help the Network Based Security devices deal with the Encrypted Traffic.

    ReplyDelete
  3. See, protecting against vulnerabilities in the OS is a completely end point job. Mitigated by keeping the systems up to date and patched at all times.
    As for blocking encrypted services which is unethical except in the way the telco companies seem to justify thier control over a specific market. That's a whole other story.
    If it was a corporation, they can also apply it through group policy which will deny the user from installing anything on thier machines. But again, these are all unjustifiable reasons to block legitimate traffic through. There are certain things that the users "REALLY" don't want anyone to snoop into.

    ReplyDelete
  4. Well, end point security is one way to go, and will give you a idea of what is running on that endpoint. It will also make you able to put it on the network yes or no.

    But then again, what if this end point security device only looks at layer 4. you will be blind like hell...

    So the solution would be, a application/client on the endpoint that integrates:

    - end point security
    - WAN ACC
    - SSL enc
    - ETC

    AND => Layer 7 visability, this to see if this is real http of that port 80.

    So a layer 7 detection that doesn't look at ports, BUT at application level regardless of port number.

    ReplyDelete
  5. The point is that Software/Client that run on the End Point are at the end of the day depending on the OS, they use the same libraries and DLL's included in that OS. So any vulnerability in such OS can affect that End-Point Security software. They also as Frac said, can be blind to some layers due to their presence on the End-Point on top of the OS there.

    That's why I believe there must be a combination of both End Point as well as Network Based security solution. Which sometimes is called Layered Security Approach.

    ReplyDelete