SSL Optimization Over WAN Needs Scrutiny

← Back to Stories (view on slashdot.org)

SSL Optimization Over WAN Needs Scrutiny

Posted by kdawson on Saturday March 10, 2007 @10:57AM from the trusting-the-box dept.

coondoggie writes with word of the expansion of WAN optimization appliances to handle SSL traffic and the security concerns this brings up. From the article: "With more and more WAN optimization vendors extending their capabilities to include encrypted traffic, corporate IT executives have a decision to make: Should they trust the security these devices provide? Rather than passing through SSL sessions between clients and servers located in remote data centers, some WAN optimization gear can terminate the SSL sessions, shrink the traffic, and re-encrypt it for the next leg of the trip. These chains of encrypted sessions introduce potential vulnerabilities that different vendors address in different ways. SSL traffic represents a growing percentage of total traffic on WAN links, according to Forrester Research. So SSL support in WAN optimization appliances will become more important to businesses that want to keep traffic secure while minimizing the size of their WAN links."

2 of 70 comments (clear)

Min score:

Reason:

Sort:

Whiskey Tango Foxtrot? by ewhac · 2007-03-10 11:31 · Score: 4, Interesting

...some WAN optimization gear can terminate the SSL sessions, shrink the traffic, and re-encrypt it for the next leg of the trip.

Um... Isn't that the very definition of a man-in-the-middle attack?
Er, no. Thank you very much for your kind offer, but I would prefer my encrypted data were not "optimized" in this way.
Schwab

--
Editor, A1-AAA AmeriCaptions
1. Re:Whiskey Tango Foxtrot? by Melkman · 2007-03-10 12:30 · Score: 5, Interesting
  
  If you are a network admin SSL traffic is a bitch. Normal web traffic can be scanned for malicious content with ICAP. With SSL traffic you're out of luck. Also a lot of remote access programs tunnel their traffic in an SSL connection over port 443 (cool service LogMeIn, NOT). That means if you allow encrypted web traffic you also allow people on the network to give control over their PC's to external people. I've dealed with both. Some moron downloaded an infected program of an https site, which was luckily caught by the local virus scanner. And some nitwit called the helpdesk of an ASP which took over teir desktop while he was having sensitive data on his screen. After these events we enabled SSL termination on the proxies and feed all SSL traffic to the ICAP scanner and disallow any traffic that doesn't strictly follow HTTP. If someone has traffic that must bypass these rules the can request an exception, usually this concerns shitty java applications.
  that was about a year ago. We were already using Bluecoat proxies, formerly known as CacheFlow.