Can Your Firewall Detect Encrypted Threats?
The use of encryption to protect sensitive data is now a standard security measure. More than half of all businesses globally report that they use the technology to safeguard network communications. In fact, encryption is now mandated by a host of data privacy laws.
Of course, every defensive measure is also an opportunity for motivated cybercriminals.
Malicious actors are regularly leveraging encryption to slip past network defenses in order to distribute malware, launch ransomware attacks and exfiltrate data. Analysis indicates that more than 80 percent of network threats are now delivered over encrypted channels.
It’s an ingenious approach, really. Hackers understand that while encryption offers protection for your legitimate traffic, it also allows their attacks to go undetected. The best way to detect these threats is to decrypt and inspect encrypted data packets, but that’s a significant challenge for most organizations.
According to one recent study, only about 20 percent of organizations have mechanisms for decrypting and scanning encrypted traffic, largely because it is a compute-intensive process that most firewalls weren’t built to handle. Tests from NSS Labs found that the process of decrypting and re-encrypting traffic can degrade firewall performance by up to 95 percent, creating intolerable performance bottlenecks. As a result, it has become common practice to configure firewalls to let encrypted traffic pass through without inspection.
The latest next-generation firewalls (NGFWs) are addressing this blind spot with increased processing power and support for the latest encryption standards. Many of today’s NGFWs achieve tremendous performance gains through the use of application-specific integrated circuits (ASICs) and system-on-a-chip (SoC) processors that consolidate networking- and security-specific processors onto the same piece of silicon with a quad-core CPU. These dedicated processors deliver network security at near-line-rate speeds, allowing the firewall to handle many encryption/decryption tasks.
Additionally, best-in-class NGFWs support the latest version of Transport Layer Security (TLS), the successor to the Secure Sockets Layer (SSL) protocol for encrypting data in transit. TLS 1.3 sets up sessions faster than its predecessors by shortening the handshake and by dropping the legacy key-exchange and cipher options that earlier versions still carried. Because an inspecting firewall performs a handshake on each side of every connection it decrypts, a cheaper handshake also lowers its per-connection cost. One caveat matters for inspection: TLS 1.3 permits only ephemeral (forward-secret) key exchange, so a firewall can no longer decrypt traffic passively with a copy of the server's private key. To inspect TLS 1.3, the firewall must act as an inline TLS proxy, terminating the client's session with a certificate issued by a CA that the endpoints trust and opening a second session to the real server.
TLS requires a handshake when two endpoints begin communicating. They exchange messages to agree on a protocol version and cryptographic algorithms, the client verifies the server's identity (and the server may verify the client's), and both sides derive the session keys. A full TLS 1.2 handshake takes two round trips before application data can flow, on top of the TCP handshake, which adds noticeable latency. TLS 1.3 cuts that to one round trip, and a resumed session can carry data in the very first flight (0-RTT), improving the speed and responsiveness of connection setup.
Older versions of the protocol also offered dozens of cipher suites, each bundling a key-exchange method, an authentication method, a bulk cipher and a hash, and many of those combinations (static RSA key transport, RC4, CBC-mode ciphers with SHA-1) are now considered weak. TLS 1.3 defines just five cipher suites, all using authenticated (AEAD) encryption. A TLS 1.3 suite names only the AEAD cipher and the hash; key exchange and signature algorithms are negotiated separately, which keeps negotiation simple and removes the weak options from the table entirely.
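Even before a firewall decrypts anything, the first message of every TLS session, the ClientHello, is sent in the clear and already tells an inspecting device which protocol versions and cipher suites the client offers and (unless Encrypted Client Hello is in use) which hostname it wants. The following is an added example, not code from the page's author or from any firewall vendor: it builds constructed ClientHello records for a TLS 1.3 client and a legacy client, parses the cleartext fields, and reduces them to the facts a policy engine would act on. The cipher-suite and extension code points are the real IANA values; the message layout follows RFC 8446 section 4.1.2, and the hostnames and the choice of which suites count as legacy are the example's own assumptions.

```python
import os
import struct

# Real IANA code points; the classification of 0x002F and 0x0005 as legacy is
# this example's assumption (no forward secrecy and/or a broken cipher).
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",                 # TLS 1.3
    0x1302: "TLS_AES_256_GCM_SHA384",                 # TLS 1.3
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",           # TLS 1.3
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # TLS 1.2, forward secret
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",           # RSA key transport, CBC, SHA-1
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",               # RC4
}
LEGACY_SUITES = {0x002F, 0x0005}
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43


def build_client_hello(sni, suites, versions=None, legacy_version=0x0303, client_random=None):
    """Construct a minimal ClientHello record as test input (not a real client's).

    versions: list for the supported_versions extension (TLS 1.3 clients send it),
    or None to omit it the way a pre-1.3 client would.
    """
    host = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type = host_name
    sni_body = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    if versions is not None:
        vb = b"".join(struct.pack("!H", v) for v in versions)
        sv_body = bytes([len(vb)]) + vb
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_body)) + sv_body
    sb = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", legacy_version)
            + (client_random or os.urandom(32))
            + b"\x00"                                    # empty legacy_session_id
            + struct.pack("!H", len(sb)) + sb
            + b"\x01\x00"                                # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def parse_client_hello(record):
    """Extract the cleartext fields an inspecting device can read from a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                            # client random
    pos += 1 + body[pos]                                 # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                 # compression methods
    info = {"legacy_version": legacy_version, "cipher_suites": suites,
            "sni": None, "supported_versions": []}
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME:
                q = 2                                    # skip ServerNameList length
                while q + 3 <= len(data):
                    ntype = data[q]
                    nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                    if ntype == 0:
                        info["sni"] = data[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            elif etype == EXT_SUPPORTED_VERSIONS:
                n = data[0]
                info["supported_versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0]
                                              for i in range(0, n, 2)]
    return info


def summarize(info):
    """Reduce a parsed ClientHello to what a policy engine acts on before decryption."""
    # A TLS 1.3 client sets legacy_version to 0x0303 (TLS 1.2) and carries its real
    # offer in supported_versions; pre-1.3 clients have no such extension.
    offered = info["supported_versions"] or [info["legacy_version"]]
    best = max(offered)
    return {
        "sni": info["sni"],
        "version": VERSION_NAMES.get(best, hex(best)),
        "legacy_suites": [SUITE_NAMES[s] for s in info["cipher_suites"] if s in LEGACY_SUITES],
    }


if __name__ == "__main__":
    modern = build_client_hello("example.com", [0x1301, 0x1302, 0x1303, 0xC02F],
                                versions=[0x0304, 0x0303])
    legacy = build_client_hello("old.example", [0x002F, 0x0005], legacy_version=0x0301)
    for rec in (modern, legacy):
        print(summarize(parse_client_hello(rec)))
```

The point of the summary is that version and cipher-suite policy (for instance, refusing clients that offer nothing above TLS 1.1, or flagging RC4) costs nothing in decryption. What the ClientHello does not reveal is the content of the session, and for TLS 1.3 there is no static server key that would let the firewall recover it after the fact: anything beyond this summary requires the firewall to sit inline as a TLS proxy.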
Even with a robust NGFW, firewall management and the traffic inspection process can consume significant time and resources for most companies. SageNet’s managed firewall service can relieve your organization of that overhead. From traffic decryption and inspection to log monitoring and patch management, our team of security professionals works to ensure your firewall is delivering the highest levels of protection. Learn more in this video, or call us at 866.480.2263 to set up a consultation.