|
Web applications and their derivatives-IM, P2P, web services-continue
to comprise the overwhelming majority of new applications being deployed across
today's distributed enterprises. Much of the new growth in Web application
development is focused on business-critical applications. Many of these
applications and related components are hosted by third parties or accessed over
public infrastructure. Not surprisingly, the criticality and confidentiality of
Internet-accessible applications have caused organizations to rely heavily on
SSL (secure sockets layer) encryption.
Merits and Demerits
SSL encryption was designed to create a trusted class of Web traffic. However,
encryption, the very thing that keeps prying eyes away from SSL traffic, also
makes it nearly impossible to see, understand, or manage that traffic.
Most SSL traffic is, of course, benign and provides no threat to
organizations. Much of it is key business traffic to business partners and
outsourced application providers. On the other hand, users can use SSL
technology to circumvent the usual policy controls. They can use SSL encrypted
Web e-mail services to send confidential information. They can also set up a SSL
tunnel between the organization and their own home PC to transfer information,
and users have been known to use SSL to surf for inappropriate content on the
Web.
Newer types of spyware are now using SSL to get around spyware
controls both for entering organizations and for sending out their information
to the spyware control points. And, of course, often the worst attacks for
individual users is phishing attacks where the user is fooled into entering
their private information onto a bogus site. These are very often secured by SSL
as it helps the user feel confident that this is a legitimate banking or finance
site.
Making it Work
If an organization wants to adopt a solution to address security threat, it
needs to understand native SSL traffic flowing to external applications, be
operationally affordable, not impede business in terms of performance and
privacy, and be extensible and adaptable.
Unfortunately, most technology efforts to resolve these issues
for unencrypted traffic have proved inadequate-none can see the encrypted
traffic. While SSL offload or SSL VPN technologies can help organizations manage
SSL traffic for applications that they control, there has not been a practical
solution for 'inside-out SSL.' In other words, traditional security and
networking solutions cannot effectively protect users inside the corporate
network from safely accessing applications and information outside the corporate
network.
IT organizations can overcome these limitations with intelligent
proxy appliances that allow inbound and outbound encrypted traffic to be
terminated, thereby enabling unprecedented visibility and context of the
encrypted content. From there, proxy appliances can reinitiate the sessions
according to the policies set by IT. Termination by a proxy is the only way to
gain visibility and control of SSL communications. It provides a critical
control point for protection (against viruses, worms, spyware, and phishing),
policy and performance (cache, compress, and prioritize traffic).
PK Lim
maildqindia@cybermedia.co.in
The author is managing director–Asean & ANZ, Blue Coat Systems Page(s) 1
| 
Print
Comment
Email
Digg
Del.icio.us
Reddit
Twitter
