Is Your Firewall Scanning SSL-Encrypted Traffic

If your firewall isn’t scanning SSL-encrypted traffic, then your network isn’t as safe as you think.

Some reports indicate that by the end of 2016 two-thirds of all traffic on the internet will be encrypted. In fact, the 2015 SonicWall Security Annual Threat Report found a 109% increase between January 2014 and January 2015. Are you prepared? Most network administrators may not even realize that a majority of the traffic moving in and out of their network is encrypted, and that this traffic can be a channel for malware to enter the network or, even worse, for known intrusions to be exploited.

As we’ve seen this year, more sites serve advertisements that are not hosted or controlled locally, and these ads are increasingly being used to spread malware, which allows attackers to exploit vulnerable endpoint systems. With more websites and search engines leveraging encryption, users who visit legitimate websites or perform legitimate searches may be more exposed to these types of attacks, because the edge security device cannot decrypt the traffic, scan it, and determine whether something harmful is embedded in the encrypted payload.

As the Internet landscape continues to evolve, so too do the security requirements. If you’re using an older Stateful Packet Inspection or UTM appliance that cannot decrypt SSL-encrypted traffic, it could leave your network and users exposed.

Here are some things network administrators should consider when choosing a product that will support SSL decryption to be included as part of their overall security feature set.

  • Does my current firewall have the ability to decrypt and scan SSL-encrypted traffic?
  • What is the performance penalty if I enable this on my current firewall solution?
  • Is the SSL decryption required for outgoing connections from endpoints only?
  • Are there requirements for server-side SSL decryption?
  • How flexible is the control over which sites (e.g. banking) are not subject to SSL decryption?
  • Do I have a way to distribute the certificates easily for all device and OS types?

If SSL decryption is not something you have included as part of your overall security strategy, it should be. With more and more encrypted data moving in and out of your network, the possibility that you will be exposed is growing. As part of the overall SonicWall security strategy, DPI-SSL is a feature available on all next-generation firewall products including the powerful and scalable SonicWall NSA Series appliances.

To learn more about the robust security offering from SonicWall, review the eBook “Achieve deeper network security and application control”.

SonicWall Staff