Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Encryption IT

SSL Optimization Over WAN Needs Scrutiny 70

coondoggie writes with word of the expansion of WAN optimization appliances to handle SSL traffic and the security concerns this brings up. From the article: "With more and more WAN optimization vendors extending their capabilities to include encrypted traffic, corporate IT executives have a decision to make: Should they trust the security these devices provide? Rather than passing through SSL sessions between clients and servers located in remote data centers, some WAN optimization gear can terminate the SSL sessions, shrink the traffic, and re-encrypt it for the next leg of the trip. These chains of encrypted sessions introduce potential vulnerabilities that different vendors address in different ways. SSL traffic represents a growing percentage of total traffic on WAN links, according to Forrester Research. So SSL support in WAN optimization appliances will become more important to businesses that want to keep traffic secure while minimizing the size of their WAN links."
This discussion has been archived. No new comments can be posted.

SSL Optimization Over WAN Needs Scrutiny

Comments Filter:
  • The cited analyst is confusing proxying conducted by someone the site designates vs. yourself. One doesn't let anyone do anything they can't already. The other means you have all your confidential information sitting on a device that is not engineered for efficency.
  • What about Akamai? (Score:1, Interesting)

    by Anonymous Coward
    What about Akamai's SSL encryption? http://www.akamai.com [akamai.com]?
    • by pipacs ( 179230 )
      From TFA:

      The fact that SSL sessions are being proxied shouldnt scare anyone away, says Joe Skorupa, an analyst with Gartner. Akamai, for instance, proxies SSL transactions - some of them involving e-commerce - for its customers, he says. Theres precedent for doing it and doing it where significant amounts of money are at risk
      Let's just hope they are all good guys.
  • Microsoft ISA Server (Score:1, Informative)

    by Anonymous Coward
    Microsoft's ISA (Internet Security and Acceleration) Server has been providing functionality to accomplish just this (reverse proxy publishing of web servers, acting as the SSL endpoint, passing on unencrypted or re-ssl'd traffic to the webserver post-inspection of the http traffic) for quite some time.

    Not only does it work very well for microsoft and non-microsoft webservers (and perform application-layer inspection of a number of other protocols), but neither ISA 2004 nor ISA 2006 has had a single exploit
    • Re: (Score:2, Informative)

      by Anonymous Coward
      Nu vulnerabilities in ISA 2004 ?
      One quick google and http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7027 [nist.gov]
    • by jafiwam ( 310805 )
      Yeah, except if you try to authenticate through it, it rebroadcasts the session and screws up a WebDav login.

      Only solution, put in a complete bypass. Bypass so you can login. Great security that.
    • It'll also publish multiple sites (say, your /sharepoint, your /cacti, your /owa, and your /intranet sites) using path rules on the same IP address - one point of entry (or multiple points, with an array of ISA boxes), with a collection of disparate apps in your WAN / DMZ behind it

      In other words, something Apache has done for more than half a decade?

      • by beuges ( 613130 )
        Apache is a web server, ISA is a gateway server. The proper comparison would be apache to IIS, which has also done this for half a decade, if not longer.
  • by ewhac ( 5844 ) on Saturday March 10, 2007 @06:31PM (#18303060) Homepage Journal

    ...some WAN optimization gear can terminate the SSL sessions, shrink the traffic, and re-encrypt it for the next leg of the trip.

    Um... Isn't that the very definition of a man-in-the-middle attack?

    Er, no. Thank you very much for your kind offer, but I would prefer my encrypted data were not "optimized" in this way.

    Schwab

    • by Professor_UNIX ( 867045 ) on Saturday March 10, 2007 @06:38PM (#18303112)

      Er, no. Thank you very much for your kind offer, but I would prefer my encrypted data were not "optimized" in this way.
      Thanks to Enron, many people don't have a choice in the matter anymore. Allowing encrypted connections out of your LAN without scanning the data included could open you up to law suits or criminal prosecution now. Expect that SSL termination will be a growing trend in the years to come as more and more companies come on board.
      • Thanks to Enron ... Expect that SSL termination will be a growing trend in the years to come as more and more companies come on board.

        Which, like most 'security' measures, is a great way to keep honest people honest.
        But then, I guess, it's not about stopping the bad behaviour, it's about being able to deflect lawsuits by being able to prove that you put measure in place, however ineffective, to try to stop it.
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Um... Isn't that the very definition of a man-in-the-middle attack?

      Er, no. Thank you very much for your kind offer, but I would prefer my encrypted data were not "optimized" in this way.

      If you manage your network infrastructure devices and servers properly, this is no more risky than simply adding more webservers to your DMZ.

      In fact, it probably makes your infrastructure as a whole more resilient, since your webservers are no longer directly receiving traffic from clients, and data can be sanity ch

    • by Melkman ( 82959 ) on Saturday March 10, 2007 @07:30PM (#18303532)
      If you are a network admin SSL traffic is a bitch. Normal web traffic can be scanned for malicious content with ICAP. With SSL traffic you're out of luck. Also a lot of remote access programs tunnel their traffic in an SSL connection over port 443 (cool service LogMeIn, NOT). That means if you allow encrypted web traffic you also allow people on the network to give control over their PC's to external people. I've dealed with both. Some moron downloaded an infected program of an https site, which was luckily caught by the local virus scanner. And some nitwit called the helpdesk of an ASP which took over teir desktop while he was having sensitive data on his screen. After these events we enabled SSL termination on the proxies and feed all SSL traffic to the ICAP scanner and disallow any traffic that doesn't strictly follow HTTP. If someone has traffic that must bypass these rules the can request an exception, usually this concerns shitty java applications.
      that was about a year ago. We were already using Bluecoat proxies, formerly known as CacheFlow.
      • by Sloppy ( 14984 )

        Some moron downloaded an infected program of an https site, which was luckily caught by the local virus scanner.
        Which just goes to show that the approach of attempting to detect malware (as opposed to preventing it from being run, or running it harmlessly in a sandbox, etc) is a fundamentally wrong approach to malware. I'm glad that you saw the local scanner's success as "lucky" because luck is exactly what it is.
    • Re: (Score:1, Informative)

      by Anonymous Coward
      It is a MITM. But I hate burst your bubble, but the majority of large ecommerce presences terminate SSL at hardware level appliances(SSL offloaders) and usually don't reencrypt it to the server.
    • Um... Isn't that the very definition of a man-in-the-middle attack?

      Good point.

      It's not an attack but it is definitely man-in-the-middle. A server proxy could make good architectural sense, for example when the SSL proxy is a load balancer in front of a server farm. As the client, you can validate that the load balancer is what its certificate claims it to be, say www.foo.com.

      What is privately architected beyond that, you don't know, and really shouldn't care. Just think of the whole thing as one big

      • Note that the proxy can only succeed at representing itself as having the expected identity because it has been configured with the private key corresponding to that certificate and its identity. In other words, no random person can set up this man-in-the-middle.

        Mostly true. Be aware that in a corporate environment, the IT department can install its own SSL CA certificates into the web browsers (and other applications). Once this is done, corporate proxy can masquerade as any entity the IT department chooses - up to and including auto-generation of SSL certificates, signed, of course, with the IT department's CA certificate.

        This, of course, is no surprize.

        Also, I assume that applications, including web browsers, could be configured to use a central CA certific

        • Once this is done, corporate proxy can masquerade as any entity the IT department chooses

          We have to be careful when talking about certificate identity. It's not the case that a proxy can ever "masquerade" as something else. By being configured with a given certificate and -- critically -- its corresponding private key, that proxy in identity terms becomes that other entity. As you say, this should be no surprise, but this is not familiar territory for many people, and it bears emphasis.

          Often people m

  • "some WAN optimization gear can terminate the SSL sessions, shrink the traffic and re-encrypt it for the next leg of the trip."

    Doesn't this completely defeat the point of SSL? An encrypted link from client to server? If you got to an SSL website through this WAN link, it's not going to be encrypted anymore unless you trust the keys from the WAN access point. So, unless each WAN has it's own trusted key through a signature authority this isn't going to work. Seems pretty stupid to me. Isn't SSL traffic alrea
    • Re:huh? (Score:4, Interesting)

      by flyingfsck ( 986395 ) on Saturday March 10, 2007 @08:06PM (#18303864)
      It only works if your user name is Administrator and your password is 123... ;) This kind of proxy equipment needs the end points to co-operate. It cannot be done on just any ssh or stunnel connection. I don't really see the use for it. If your SSL connection is slow, then you have to adjust the cypher or something.
    • by rviana ( 216474 )
      Imagine that you have 4000 branches all around the world. And imagine that the average latency across these links range from 10ms when its close, to over 400ms when its far. If you've ever tried to load a website with 30+ images/javascript/css with IE's measly 2 http simultaneous connections. ONLY then, will you realize how necessary this is. Because its either WAN optimization (more for latency reduction...not so much for bandwidth reduction), or local servers in 4000 branches.

      Now throw in a little CIF
  • Its a good thing that these devices can offer SSL, but it should only be talked about as "additional" security measures. There seems to be a trend in the IT world where one "new" security tool comes along and renders some "other" (other, not older) security tool/method discarded. These lessons have been learned, and shouldnt be repeated: Defense in Depth.
  • by Animats ( 122034 ) on Saturday March 10, 2007 @07:38PM (#18303616) Homepage

    Any administrator who puts in a security hole like that to get a minor reduction in bandwidth is grossly irresponsible. No device in the middle of the network should have the end to end decryption keys. Ever.

    If you have too much traffic to your secure servers, take a look at what they're sending. Maybe the canned images can be moved to a non-secure server, where they can be cached locally. You're probably not actually sending huge volumes of secure data to a browser.

    Or maybe you just need to find out who's downloading videos and stop them.

    • by hab136 ( 30884 )
      SSL is used for more than just browsers. Many business data feeds are XML over HTTP over SSL (I've seen this in growing use at financial institutions). Many oddball applications took their standard protocol and wrapped it in SSL because their clients demanded it.
    • If you have too much traffic to your secure servers, take a look at what they're sending. Maybe the canned images can be moved to a non-secure server

      In theory, this sounds good, however, many browsers put up a warning when a web page contains mixed "secure" and "unsecure" content. (I just checked this with FireFox 2.0.0.2 with a page on my internal server; I got such a warning.)

      I hope such warnings will continue to be the default. As such, the work around is either reduce the number and size of images in your web page, and/or use SSL/TSL acceleration.

    • by VENONA ( 902751 )
      Not sure what you meant by, "the middle of the network." A decent network design will likely have all of this happening on the DMZ. One positive thing about doing things this way (in addition to optimizing WAN traffic) would be that endpointing before the host allows you to place a network intrusion sensor on the wire.

      If you have to comply with policies that require NIDS & retention of their logs, you don't have any other good option that won't load the host. That load will be disk I/O and it's associat
  • Legality (Score:3, Interesting)

    by digitalgimpus ( 468277 ) on Saturday March 10, 2007 @08:52PM (#18304250) Homepage
    As I recall it's criminal to intercept financial communications without permission from the institution.

    That means, if an employee at a company that uses a BlueCoat device were to say login to a bank... the sysadmin would technically be violating the law.... unless the bank gave explicit permission (most likely would need to be in writing).

    Even if you were to ban online banking in the workplace, that wouldn't change the impact on the sysadmin's libility if a user broke the rules. Go ahead, fire the employee... they just let the bank know about the security breach, and who the "hacker" was.

    Seems to me like the laws may need some adjusting.

    And that's why I don't login to a bank from work. I know sysadmins in many companies steal SSN's, credit card #'s, etc. by using Timbuktu, VNC, etc. as well as sniffing packets. It's just what it is. Why should I put my identity at risk? I don't see a good reason. I wait until I'm home for that. It's one thing to read an email, it's another to jack by SSN.
  • I don't understand why this is being portrayed as something "new" to IT. I work for a medium sized company, and we have been doing this for nearly 5 years. There are a slew of vendors in this space including F5 Networks [f5.com], Citrix, Sun, and Microsoft. The technology works be installing the SSL certificate onto the appliance rather than the server. If designed correctly, this is no less secure than the conventional model, and can save significant processing load on web servers.
  • by _hAZE_ ( 20054 ) on Sunday March 11, 2007 @01:03AM (#18305762)
    I've actually been around SSL Accelerators for a few years now, working in the web hosting industry. The idea is pretty much the same; your customers connect to your website using https, except they're actually talking to an SSL Accelerator/load balancer device, not the actual web server. The SSL Accelerator holds the SSL certificate, decrypts the traffic, and sends it to the web server in plain text. The web server replies back in plain text, the SSL Accelerator encrypts it, and send it back to the customer's web browser. Being a device made specifically to handle this type of traffic, the SSL Accelerator can encrypt/decrypt a lot faster than the web server, leaving the web server to do it's task of serving up content without all the overhead involved with SSL.

    Normally, the SSL Accelerators are in very close proximity to the web servers (both network and physical distance-wise). The thought of doing something similar with enterprise WAN traffic over long distances, however, is a bit more frightening. I guess like many other things out there, it all depends on who your vendors are and how you implement the solution. Just be careful.. the Internet can be a nasty place.
  • If your SSL connection is slow, you better always adjust your password.

    to keep your connection security.

  • Areas of concern that SSL addresses: 1. Unauthorised access to cached data at each access point Problems that SSL poses: 1. Slower throughput due to encryption process

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...