SSL Optimization Over WAN Needs Scrutiny
coondoggie writes with word of the expansion of WAN optimization appliances to handle SSL traffic and the security concerns this brings up. From the article: "With more and more WAN optimization vendors extending their capabilities to include encrypted traffic, corporate IT executives have a decision to make: Should they trust the security these devices provide? Rather than passing through SSL sessions between clients and servers located in remote data centers, some WAN optimization gear can terminate the SSL sessions, shrink the traffic, and re-encrypt it for the next leg of the trip. These chains of encrypted sessions introduce potential vulnerabilities that different vendors address in different ways. SSL traffic represents a growing percentage of total traffic on WAN links, according to Forrester Research. So SSL support in WAN optimization appliances will become more important to businesses that want to keep traffic secure while minimizing the size of their WAN links."
the general public complain about options that backhaul ISP providers use to help reduce their expenses, increase performance and keep costs down as much as possible. Backhaul of circuits in remote sites with Sat bandwidth is enormously expensive. With new bandwidth intensive applications coming out all of the time, an ISP can either optimize their traffic to support the new apps, or pass the increase of their upgrades on to their users and then listen to the users whine about the new cost. The internet was never and should never be considered a replacement for a private WAN if data security is of the utmost importance for your business. Does it work - yes. Is it a replacement - no. ISPs are not in business to provide non-profit service to corporations who choose to use a cheaper method of transporting their private data and then listen to the complaints about such matters. If you consider your ISP to be doing something disreputable with your encrypted traffic - find another ISP or switch to a private WAN circuit.
It's a good thing that these devices can offer SSL, but it should only be talked about as "additional" security measures. There seems to be a trend in the IT world where one "new" security tool comes along and renders some "other" (other, not older) security tool/method discarded. These lessons have been learned, and shouldn't be repeated: Defense in Depth.
20th century Marxism is not progress...
Any administrator who puts in a security hole like that to get a minor reduction in bandwidth is grossly irresponsible. No device in the middle of the network should have the end-to-end decryption keys. Ever.
If you have too much traffic to your secure servers, take a look at what they're sending. Maybe the canned images can be moved to a non-secure server, where they can be cached locally. You're probably not actually sending huge volumes of secure data to a browser.
Or maybe you just need to find out who's downloading videos and stop them.
Yes, but that cooperation may not be the result of informed consent. It's painfully easy for an untrusted application to stick a new root CA into IE's list, after which it can sign its own certificates and use them to intercept SSL. MarketScore, reportedly, did this.
The whole point of these devices is that they *don't* need to forge the bank's SSL certificate - they're breaking the end-to-end nature of SSL and inserting a proxy in between that allows the admins to get at the banking data in plaintext.
You have no way of verifying it because the ability to verify the SSL certificate is taken away from you (every site returns the certificate of the proxy).
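A defender-side check for the situation described in the two comments above, as an added example (not code from the thread or from any vendor): it works on the dict and DER forms that Python's ssl.SSLSocket.getpeercert() returns, so it can be fed either a live connection or the constructed samples below; the host names, issuer names and pin values are hypothetical.

```python
import hashlib

def leaf_fingerprint(der_bytes):
    """SHA-256 of the DER leaf, i.e. the bytes getpeercert(binary_form=True) returns."""
    return hashlib.sha256(der_bytes).hexdigest()

def rdn_to_dict(rdn_seq):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into {field: value}."""
    return {k: v for rdn in rdn_seq for (k, v) in rdn}

def interception_indicators(observations, pins):
    """observations: {host: (cert_dict, der_bytes)} gathered from several
    unrelated sites; pins: {host: expected leaf SHA-256} recorded out of band.
    Returns {host: [reason, ...]}; an empty dict means nothing fired."""
    findings, issuers = {}, {}
    for host, (cert, der) in observations.items():
        issuers[host] = rdn_to_dict(cert.get("issuer", ())).get("commonName")
        # 1. A terminating proxy signs its own leaf for each site, so the
        #    presented leaf cannot match a fingerprint pinned out of band.
        if host in pins and leaf_fingerprint(der) != pins[host]:
            findings[host] = ["leaf certificate does not match pin"]
    # 2. Every unrelated site chains to the same issuer: the thread's "every
    #    site returns the certificate of the proxy". Weak on its own (public
    #    CAs are shared too), so treat it as corroboration for indicator 1.
    if len(observations) > 1 and len(set(issuers.values())) == 1:
        for host in observations:
            findings.setdefault(host, []).append(
                "all observed sites share issuer %r" % issuers[host])
    return findings

if __name__ == "__main__":
    # Constructed sample: what a client behind a re-signing proxy might see.
    proxied = {
        "bank.example": ({"issuer": ((("commonName", "WAN Optimizer CA"),),)},
                         b"constructed proxy leaf 1"),
        "mail.example": ({"issuer": ((("commonName", "WAN Optimizer CA"),),)},
                         b"constructed proxy leaf 2"),
    }
    pins = {"bank.example": "0" * 64, "mail.example": "1" * 64}  # placeholders
    for host, reasons in interception_indicators(proxied, pins).items():
        print(host, "->", "; ".join(reasons))
```

The pins must be recorded from a path that does not traverse the optimizer; a pin captured from behind the proxy would simply memorize the proxy's own certificate.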
Yes, reading such data would be actionable - as would reading most emails without explicit written consent. Hasn't stopped them in the past and won't stop them in the future. If you *really* trust those admins then go ahead and use SSL sites at work, otherwise don't bother because it's not secure anymore.