As Encryption Use Rises, Impact on Security Designs Rises Too

Application Networking

As Encryption Use Rises, Impact on Security Designs Rises Too

By Frank Yue, Director of Application Delivery Solutions  |  April 04, 2016

Increasing amounts of traffic on the intranet and Internet are being encrypted. Individuals are concerned about their privacy and utilizing encrypted services more. Companies are protecting and securing the communications to their applications. Finally, HTTP/2 was introduced last year and most web clients encrypt HTTP/2 traffic by default. Sandvine (News - Alert) predicts that more than 70 percent of Internet traffic will be encrypted by the end of 2016.

Security solutions that do content and application-based inspection need to view unencrypted traffic to analyze and make decisions. Network security architectures utilize several different security devices including next generation firewalls, intrusion prevention systems, data loss prevention, and web application firewalls to name a few.

Why wash, rinse, and repeat?

These components have different management interfaces, policies, and internal architectures. If an organization wants to use these solutions when the traffic is encrypted, the traffic must be decrypted at each security checkpoint, inspected, and then re-encrypted. This introduces significant latency and the duplication of a task that requires significant compute resources, the decryption and re-encryption of the data. In addition, encryption keys must be installed on all of the devices that need to perform this function for all of the applications that the business wants the security devices to inspect.

We can leverage application delivery controller technologies to simplify and streamline this process. ADCs inherently sit in front of the application servers as a reverse-proxy. Since ADCs often do content-based traffic-steering, they often have the hardware necessary to do high performance decryption and re-encryption.

If the ADC (News - Alert) is decrypting the content to make a traffic steering decision, it can have the ability to use service chaining to steer the decrypted traffic to a series of security devices to ensure that all appropriate security policies are enforced. The ADC can leverage service chaining policies to steer the decrypted content only to the security services that are applicable to the content in question.

The ADC is the gateway for internal application services and is an appropriate location to position the encryption termination point in the network architecture for inbound connections.  Consolidating the decryption and re-encryption services lowers the performance impact on security services, reduces the latency of the traffic, and simplifies the security operations through a centralized security access model.

Just when you thought it was safe to go back in the water...

The Internet is the source of many security threats attacking the network. It is also the source of dangerous content that users can inadvertently or maliciously access while within a corporate network. Much of the encrypted outbound traffic may be social media, video streaming, cloud-based application services, or general Internet surfing. For this encrypted content, it is possible that the existing security services will not identify the threat and expose the corporate network to unknown threats.

Even if the company has NGFW, IPS, and VPN services installed, there is limited to no visibility for the threat profile of outbound encrypted traffic. Not only is there the potential for the corporate network to be compromised, but it is also possible for unscrupulous employees to send confidential data and restricted intellectual property through these encrypted communication channels. 

The solution to this problem is to utilize an ADC or similar technology to do the decryption and re-encryption of the outbound traffic so the security services can properly inspect the traffic in a fashion similar to our inbound security model. Service chaining based on company-defined policies can be implemented based on the classification of the external site and application used.

The main difference for the outbound model is that the company does not have access to the site certificates and encryption keys for all of the sites on the Internet that may be accessed. It is essential to implement a solution that acts either as an explicit forward proxy that can substitute its own certificates for the client or a transparent forward proxy which can act on behalf of the client to establish a secure, but security validated connection.

Increased encryption means increased encrypted attacks.

For performance and security reasons, it makes sense to utilize the ADC, which is already acting as an application proxy to manage the encrypted traffic. Traffic steering technologies and encryption hardware enable the ADC to excel while performing this task. As the majority of traffic on the Internet becomes encrypted, expect the majority of threats to be encrypted as well.

Frank Yue (News - Alert) is director of application delivery solutions at Radware (

Frank Yue is the Director Application Delivery Solutions for Radware (News - Alert). In this role, Yue is responsible for evangelizing technologies and trends around Radware�s ADC solutions and products. He writes blogs, produces solution architectures, and speaks at conferences and events around the world about application networking technologies. Prior to joining Radware, Yue was at F5 Networks (News - Alert), delivering their global messaging for service providers. Yue has also covered deep packet inspection, high performance networking, and security technologies. Yue is a scuba diving instructor and background actor when he is not discussing technology.

Edited by Stefania Viscusi