SSL encryption is the cornerstone technology that makes the Internet secure. Email, e-commerce, VoIP, online banking, remote health, and countless other services are kept secure with SSL, but unfortunately the encrypted traffic traverses the network un-inspected. Many security and performance monitoring tools lack the ability to see inside encrypted sessions. Monitoring application performance and network usage patterns becomes impossible if you cannot determine which applications are running over the network.

Even worse, malware can create SSL sessions to hide its activity confident that security tools will neither inspect nor block the traffic. Some examples include:

  -> Gameover trojan – read full article on how this trojan hides activity in encrypted SSL connections here.

  -> Android Malware uses SSL for evasionread full article by Trend Micro.

The very technology that makes the web secure can also be a threat vector. Even with all the usual enterprise security practices in place, monitoring tools can only see the destinations and, in some cases, the host name within the un-encrypted portion of the SSL handshake. They can’t see the full path, content type or content itself. That can be a problem when the command and control channels or the ex-filtration of sensitive data are hidden by encryption.

Encrypted traffic is growing fast and becoming mainstream. According to Gartner, SSL traffic comprises 15-25% of the total web traffic, making it a significant percentage.

It’s a very real problem that enterprises are facing. Figures from Gartner indicate that less than 20% of organisations using firewalls, IPS or UTM decrypt SSL traffic, meaning malware hidden within SSL traffic would bypass those security platforms. Gartner also claims that:

By 2017, over 50% of network attacks that target enterprises will use SSL to bypass security

 Hiding Malicious Actions and Messages

Bad actors can and do use SSL to mask malicious actions and data exfiltration in the following ways (among others):

  • Sending an encrypted stream of protected, sensitive and other critical data outbound through your firewall over “normal” ports, such as 443 or 80, which the firewall is tuned to accept because they are approved ports.
  • Obfuscating malware communications when a worm, virus or botnet “phones home” to send stolen data to a master computer or download instructions or more malicious code.
  • Making phishing threats look even more legitimate, as even informed recipients would think the SSL usage makes it secure. Clicking the link, however, takes them to an SSL server loaded with malware that infects the client because the malware traffic is encrypted and not recognized by an IPS.

Solution

Gigamon, Blue Coat, and FireEye offer a combined solution that can tackle those SSL visibility challenges – inline. This solution can scale as the protected network infrastructure grows with the addition of network links. As the network grows, Gigamon provides inline tool groups for the Blue Coat SSL Visibility Appliance (SSLVA) and FireEye appliances to provide Security Service Assurance (SSA) for inline SSL decryption and advanced malware protection. The SSLVA and FireEye inline tool groups by Gigamon ensure that the combined inline security service remains available regardless of appliance maintenance or failure.

Let me just briefly explain each of those parts of solution and why it is needed:

  1. Gigamon: provides secure data access for BlueCoat and FireEye by using bypass switch technology on inline links, which protects the link of different types of failures. In addition, it can also filter the specific traffic to reduce the load of BlueCoat/FireEye and load-balance the traffic to improve performance.
  2. Blue Coat: provides visibility into SSL traffic by using powerful SSL decryption appliance
  3. FireEye: crucial part of solution, provides inline security and blocks the threats found in decrypted traffic. You can read more at the end of article.

Architecture

The solution described on diagram above is based on a standard deployment of an active inline network and tools where two or more Blue Coat SSL visibility appliances and FireEye Network Threat Prevention Platform (NX Series) appliances are directly cabled to one GigaVUE-HC2 chassis.

Upon full deployment, the GigaVUE-HC2 first sends traffic to the SSL VA inline tool group that decrypts SSL traffic based upon a user defined policy, and then sends decrypted traffic along with all other traffic to the GigaVUE-HC2. The GigaVUE-HC2 then forwards only traffic of interest to the FireEye inline tool group for malware inspection.

This solution involves a complex traffic path where the same data is entering and exiting a Gigamon GigaVUE-HC2 node several times before and after each inline security tool. This path is shown in image below. The figure shows the two GigaVUE-HC2 interface modules necessary for bypass protection of one gigabit copper network links and the second for inline security tools.

So, this is how it works:

  1. When client (Side A) sends a request for a server resource on the Internet (Side B) the request enters the GigaVUE-HC2 on an inline network port.
  2. The live traffic is then sent to the Blue Coat SSLVA 3800 for decryption of SSL traffic as necessary.
  3. SSLVA 3800 decrypts traffic based on a user defined policy and sends copy of the decrypted traffic along with all other traffic to the GigaVUE-HC2.
  4. The GigaVUE-HC2 in turn distributes the traffic to the NX 2400 inline tool group for inspection.
  5. If the request is not blocked, the request is returned through Side B of NX 2400 to the GigaVUE-HC2.
  6. The GigaVUE-HC2 sends the request back to the decrypted Side B of the SSLVA 3800.
  7. SSLVA 3800 then completes its task for the outbound direction of that TCP session based on the NX2400 inspection by either sending a reset or allow the encrypted traffic out to Side B of its encrypted link to GigaVUE-HC2.
  8. Finally, the GigaVUE-HC2 sends the request out Side B of the inline network port on its way to the server resource requested. The return path of the server response is handled in the same way but in the reverse direction.

P.S. you can as well use FireEye SSL Intercept appliance for decryption of traffic.

This combined solution using the Gigamon-GigaVUE-HC2 chassis for inline tool high availability and traffic distribution achieves the following objectives:

  • High availability of both Blue Coat SSL decryption and FireEye malware protection because each inline security solution can be put into a Gigamon inline tool group with tool failover actions. The inline tool group can be optimized for each security need, regardless of whether the tool goes off-line due to an outage or planned maintenance.
  • Seamless scalability for an increasing network infrastructure as well as the inline security tools to accommodate the additional traffic.
  • Ultimate flexibility of adding new types of inline security tools without physical change control because all new tools are physically added to the GigaVUE-HC2 and logically added to the path through traffic flow maps.

Take a short look at all the features enabled by Gigamon GigaSMART technology. (some of them as shown on photo above are very interesting like De-Duplication, Packet Slicing, Adaptive Packet Filtering, etc.)