The Growing Need for SSL Inspection

June 18, 2012 - By Tim Chiu

Enterprises face mounting challenges as the use of secure web based content and applications grow, many of them mission critical and confidential. Both internal applications and many public cloud-delivered applications use an encrypted transport mechanism (commonly known as SSL or HTTPs) to secure applications ranging from database, ERP, and finance to collaboration software, such as SharePoint and Webex. This traffic is generally not visible to a secure web gateway and therefore uncontrollable to network administrators, but requires significant WAN bandwidth and remains latency sensitive. In addition, harmful or malicious code can be masked by this encryption.

SSL Inspection is the solution to this challenge.  It is quickly becoming a requirement as common external web pages move to all-encrypted sessions.  Facebook and Gmail are two popular examples of websites offering users the ability to have their entire sessions encrypted.  For organizations that currently do not inspect SSL, all encrypted Facebook and Gmail traffic pass through bypassing policy controls and threat protection measures on the gateway.  In addition if you run any type of DLP on your web gateway, without SSL inspection, all encrypted traffic also bypasses the DLP protection that has been implemented.

For many administrators, SSL inspection poses a challenge to a few areas.  The first is with regard to performance of the secure web gateway.  It's true the SSL inspection does require more CPU power and it's important to size accordingly before turning on SSL inspection.  There are ways to reduce the impact of SSL inspection on your web gateway.  One method is through policy.  SSL inspection can be enabled for specific groups or users first to determine the actual impact to the gateway using a small subset of users.  In addition it's important to make sure your device has hardware-based assist for encryption and decryption (for example all of the currently shipping Blue Coat appliances include a hardware-assist SSL card) to help offload the system's main processor.

The second challenge is generally around privacy and legality of inspecting a user's encrypted session.  The legal issues vary by country and locale, so it's important to check with your legal department first and make sure there's no issues with intercepting SSL for your end-users.  Once again, policy is the solution to any restrictions that local rules and regulations may require.  For example, it's possible to bypass scanning for specific categories, like financial websites where privacy may be an issue, and specifically for user groups or specific users located where regulations prohibit SSL inspection.

To help you get control over your SSL traffic, Blue Coat appliances can intelligently detect, inspect, optimize and accelerate all secure web traffic, including traffic from external servers not under your own control – reducing latency, increasing WAN throughput, and returning control, visibility, and security to network administrators. This not only accelerates internal applications over SSL, but optimizes securely delivered public cloud applications as well.