“Is it secret? Is it safe?”
For those who’ve never seen the 1976 film Marathon Man, that’s what the fugitive Nazi war criminal played by Sir Laurence Olivier asks Dustin Hoffman while he’s sticking a pointy dental probe into Hoffman’s exposed cavity. Ouch. Excellent movie, though.
Cinema trivia notwithstanding, these are pertinent questions federal agencies need to ask when it comes to information under their control. Is it secret? There are many levels of classified information. Is it safe? We hope that, classified or not, information about the workings of our government and about us is safe from cyber attack.
Secrecy and safety should go together, and it would seem that “secret” and “safe” together should add up to “secure.” But there’s one situation in which, unfortunately, that’s not the case.
When the website you’re visiting shows a URL starting with “https://”, that site is using encryption to add security, specifically the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol.
OMB Memorandum M-15-13, “A Policy to Require Secure Connections across Federal Websites and Web Services” (June 2015) requires that “all publicly accessible Federal websites and web services only provide service through a secure connection. The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS).”
Encrypting HTTP does add latency, and agencies need to take this into account in planning their network infrastructure. But you’d think that the performance hit is well worth the increase in security (safety, secrecy) SSL and TLS provide. However, here’s where that assumption starts to fall apart:
More and more cyber attacks use SSL itself as a means of injecting malicious code and as a gateway into places the attackers have no business being. SonicWall Security’s 2016 Annual Threat Report, just released, goes into great detail on the global increase in SSL traffic. The encrypted sessions themselves are being used as attack vectors.
Preventing this requires that agencies inspect all packets, even encrypted ones, that enter their networks. As you’d expect, SSL inspection can add yet another performance/latency hit, unless you implement a solution specifically architected to minimize that impact.
Fortunately, SonicWall has that solution. Our SuperMassive 9000 Series Next-Generation Firewalls (NGFWs) provide SSL decryption, inspection and protection with no added latency, through Reassembly-Free Deep Packet Inspection (RFDPI), patented by SonicWall. The SonicWall SuperMassive next-gen firewall series, deployed in a SonicWall firewall sandwich architecture, allows up to 16 SonicWall SuperMassive devices to perform deep packet inspection in parallel, supporting up to 160Gbps of DPI and 80Gbps of SSL-DPI. Our Firewall Sandwich can be deployed in several different configurations depending on your agency’s existing network design, helping you scale firewall services with more resiliency and availability. The SuperMassive and NSA Series NGFWs are now certified under the Department of Defense’s Unified Capabilities Approved Products List (UC APL), which is essential for DoD and a significant plus for civilian agencies looking for the best, most cost-effective network security solutions they can find.
In the Federal Computer Week Digital Dialogue, “Speed and Security Aren’t Mutually Exclusive,” Angelo Rodriguez, director of security engineering at SonicWall Security Solutions Group, goes into greater detail on the firewall sandwich and the technology behind our NGFWs.
The Dialogue is a summary of December’s Government Computer News webcast, “Enabling Network Security at the Speed of Mission,” in which Angelo discusses the concept of a scale-out firewall architecture, a network-based model for scaling a next-generation firewall (NGFW) beyond 100Gbps, and deep packet inspection.