SSL Inspection: Requirements and Solutions

By: Yoram Ehrlich, December 11, 2018

Introduction – The SSL Inspection Imperative

Security, defined as the combination of confidentiality, integrity, and availability, is vital for protecting web-based transactions. Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are the ubiquitous choice for securing e-commerce; as is common in the industry, this article uses "SSL" to cover both. SSL is most commonly encountered as HTTP carried over an encrypted connection (HTTPS). This secure link ensures that data passed between the web server and the browser is encrypted in transit and therefore confidential.

As Internet use has exploded and become more pervasive, its users have also become more knowledgeable. Privacy is at the top of their minds, so SSL now protects not only financial transactions but also news, social media, search results, and everyday web browsing.

As a result, the share of web traffic that is encrypted continues to increase dramatically, and with it the baseline level of security. Encryption has, however, also made it harder for network inspection devices to identify and block malware and other attacks hidden inside encrypted sessions.

Cybersecurity experts agree that protecting enterprise data and networks from hackers and cybercriminals requires inspecting SSL-encrypted traffic. Corporate employees use SSL-encrypted applications for social media and entertainment, for approved and unapproved collaboration tools, and for a wide variety of private and corporate e-commerce and business applications. All of these provide routes into the corporate network for malware and malicious traffic, and all of them can carry protected personal data and confidential corporate information out of it. The stakes will only get higher: industry analysts estimate that through 2019 more than 75% of enterprise web traffic will be encrypted and more than 60% of organizations will fail to decrypt HTTPS efficiently, missing most targeted web malware.

SSL Inspection Balancing Act - Performance vs. Security

As network bandwidths multiply and applications and attacks grow more complex, networks are employing a multitude of network and security appliances and IP-based applications and services. Accordingly, interest has surged in SSL proxies that let IT organizations examine SSL-encrypted content before it enters or leaves the enterprise. These proxies expose the contents of network traffic to inspection while still re-encrypting it before it leaves the enterprise.

The ideal solution for safeguarding SSL traffic balances performance, control and security. Solutions exist that meet each goal on its own, but meeting them concurrently is difficult, and one or more of these requirements usually goes unmet. Increasing security to the detriment of network performance or compliance is no more satisfactory than meeting bandwidth and compliance requirements while ignoring security. To date it has been difficult, if not impossible, to satisfy all three objectives; many SSL products on the market cannot provide a high level of security without hurting manageability and performance.

SSL Inspection Proxies

To address the SSL visibility challenge, some network appliances, such as firewalls, IDS, IPS and NPMD tools, have integrated built-in SSL inspection. The disadvantage of this approach is that enabling SSL inspection severely degrades the appliance's performance: it must devote significant resources to SSL decryption (and re-encryption) instead of to its core function of detecting and blocking malicious traffic, which is already complex and resource-intensive on its own.

Alternatively, other vendors offer dedicated SSL inspection appliances that connect to inline or out-of-band network tools. These dedicated tools typically come with a limited mix of feeds and speeds. They add another appliance to the network, complicating deployment, maintenance and OpEx. More importantly, they offer little room for performance upgrades short of a forklift replacement of the entire solution.

An effective SSL inspection solution should support a wide set of cipher suites and the various TLS versions, including the recent TLS 1.3. In addition to supporting inline and out-of-band deployments, it should see all network traffic, SSL and otherwise, which requires line-rate performance and the ability to cut through non-SSL flows without processing them. An effective SSL proxy provides high performance at both the network and application levels, and multiple interfaces through which applications can tap into SSL streams. It should also provide a rich set of policies so the user can specify which traffic is decrypted and forwarded to which network tools, and which flows (for example, those carrying regulated personal data that privacy rules forbid inspecting) are passed through untouched. By giving applications access to the plaintext of SSL streams, the SSL proxy lets IT managers implement policy control, including for user access.

SSL Inspection Proxy Deployment Modes

Although the network security appliance market is complex and constantly changing, transparent SSL proxy devices share a few common deployment modes. They are either active devices installed inline in the traffic path, which filter traffic and can block attacks, or passive devices deployed on a mirrored interface, SPAN port or tap port, which only monitor a copy of the traffic to identify attacks or record it.

In-line Mode
In inline mode the transparent SSL proxy operates as a "bump in the wire": it receives all inbound and outbound traffic to and from the computing resources behind it and forwards that traffic to the egress network port. With the SSL proxy inline, either inline or out-of-band network tools can be connected to it.

Figure 1: SSL inspection in in-line mode

Figure 1 depicts a scenario in which traffic flows into the SSL proxy, is decrypted, and is sent to the inline network appliance (such as a firewall or IPS). The output of the inline appliance is sent back to the SSL proxy and re-encrypted before being sent out the egress network port.

Passive Mode
In passive mode, the transparent SSL proxy is deployed off a SPAN port, tap or mirrored interface, so that it and the adjacent network appliance receive a copy of all network traffic for analysis and detection, as shown in Figure 2. In a passive configuration no data is ever forwarded back toward the network; the SSL proxy and the adjacent security appliance only capture traffic for analysis. Note that passive mode limits which cipher suites and TLS versions can be decrypted. A passive device can recover session keys only when it holds the server's private key and the session uses static RSA key exchange. Cipher suites with ephemeral (EC)DHE key exchange provide forward secrecy precisely so that an observer holding the server's key cannot decrypt, and TLS 1.3 permits only ephemeral key exchange; such sessions can be decrypted only by an inline proxy that terminates the connection, or by a tool that obtains the session keys from one of the endpoints.

Figure 2: SSL inspection in passive mode
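The decisions described in the SSL Inspection Proxies section and in the passive-mode caveat above (is this flow SSL at all, or can it be cut through; does policy say to leave it alone; could a passive tap ever decrypt it) all hinge on a handful of fields in the first handshake records of a connection. The following Python is an added example written for this page, not code from the original article or from Niagara Networks. It parses constructed ClientHello and ServerHello records (sample data, not captured traffic), applies a hypothetical bypass suffix list, and uses a small illustrative subset of cipher-suite identifiers.

```python
"""Classify a TCP flow for an SSL/TLS inspection policy (added example, not
code from the article or any vendor). Parses just enough of a TLS ClientHello
and ServerHello to decide: not TLS -> cut through; SNI on a bypass list -> leave
alone; otherwise, whether a passive tap holding only the server's RSA private
key could recover the session keys. Suite tables are an illustrative subset."""
import struct

RSA_KX_SUITES = {0x002F, 0x0035, 0x009C, 0x009D}  # static RSA key exchange: passively decryptable with server key
ECDHE_SUITES = {0xC02B, 0xC02F, 0xC030}           # forward secrecy: server key only signs, never unlocks
TLS13_SUITES = {0x1301, 0x1302, 0x1303}           # TLS 1.3: key exchange is always ephemeral
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B

def _u16(buf, off):
    return struct.unpack("!H", buf[off:off + 2])[0]

def _parse_extensions(buf):
    """{ext_type: ext_data} from a length-prefixed TLS extensions block."""
    exts, pos, end = {}, 2, 2 + (_u16(buf, 0) if len(buf) >= 2 else 0)
    while pos + 4 <= end:
        etype, elen = _u16(buf, pos), _u16(buf, pos + 2)
        exts[etype] = buf[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def parse_hello(data):
    """Parse a ClientHello/ServerHello record; None means 'not TLS, cut through'."""
    if len(data) < 9 or data[0] != 0x16 or data[1] != 0x03:   # handshake record, TLS major version 3
        return None
    hs = data[5:5 + _u16(data, 3)]
    if len(hs) < 4:
        return None
    hs_type, body = hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if hs_type not in (1, 2) or len(body) < 35:
        return None
    info = {"type": "ClientHello" if hs_type == 1 else "ServerHello",
            "version": _u16(body, 0), "sni": None}
    pos = 35 + body[34]                                        # skip version(2), random(32), session_id
    if hs_type == 1:
        cs_len, pos = _u16(body, pos), pos + 2
        info["cipher_suites"] = [_u16(body, i) for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                                   # compression_methods
    else:
        info["cipher_suites"] = [_u16(body, pos)]
        pos += 3                                               # cipher_suite(2) + compression_method(1)
    exts = _parse_extensions(body[pos:])
    if EXT_SERVER_NAME in exts:                                # list_len(2) type(1) name_len(2) name
        sn = exts[EXT_SERVER_NAME]
        info["sni"] = sn[5:5 + _u16(sn, 3)].decode("ascii", "replace")
    if EXT_SUPPORTED_VERSIONS in exts:                         # TLS 1.3 hides behind legacy version 0x0303
        sv = exts[EXT_SUPPORTED_VERSIONS]
        info["version"] = _u16(sv, 0) if hs_type == 2 else max(_u16(sv, i) for i in range(1, 1 + sv[0], 2))
    return info

def passive_decryptable(server_hello):
    """True only if a tap with the server's RSA private key could derive the session keys."""
    suite = server_hello["cipher_suites"][0]
    if server_hello["version"] >= 0x0304 or suite in TLS13_SUITES or suite in ECDHE_SUITES:
        return False
    return suite in RSA_KX_SUITES

def inspection_decision(client_bytes, server_bytes, bypass_suffixes=(".bank.example",)):
    """Policy verdict for one flow from the first bytes seen in each direction."""
    ch, sh = parse_hello(client_bytes), parse_hello(server_bytes)
    if ch is None or sh is None:
        return "cut-through (not TLS)"
    if any((ch["sni"] or "").endswith(s) for s in bypass_suffixes):
        return "bypass (privacy policy: %s)" % ch["sni"]
    return "decrypt-passive-ok" if passive_decryptable(sh) else "decrypt-inline-only"

# --- constructed sample hellos (hypothetical, not captured traffic) --------------------------
def _ext(etype, data):
    return struct.pack("!HH", etype, len(data)) + data

def _record(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def build_client_hello(sni, suites, versions=(0x0303,)):
    name = sni.encode()
    exts = _ext(EXT_SERVER_NAME, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    exts += _ext(EXT_SUPPORTED_VERSIONS, bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions))
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                  # legacy version, random, empty session_id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)  # null compression, extensions
    return _record(1, body)

def build_server_hello(suite, version=0x0303):
    exts = _ext(EXT_SUPPORTED_VERSIONS, struct.pack("!H", version)) if version >= 0x0304 else b""
    body = (b"\x03\x03" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    return _record(2, body)

if __name__ == "__main__":
    ch = build_client_hello("www.example.com", [0x1301, 0xC02F, 0x002F], (0x0304, 0x0303))
    for sh in (build_server_hello(0x002F), build_server_hello(0xC02F), build_server_hello(0x1301, 0x0304)):
        print(parse_hello(sh)["cipher_suites"], inspection_decision(ch, sh))
    print(inspection_decision(b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"))
```

In a real deployment the verdict would drive the packet broker's forwarding policy. The point the example makes concrete is that the server's choice decides everything: once it selects an ECDHE or TLS 1.3 suite, no amount of server key material helps a passive tap, and only the inline proxy can hand plaintext to the tools.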

SSL Proxy Deployment Tradeoffs

Encrypting data with SSL ensures that it can be read only by its intended recipient and not by anyone intercepting it in transit. The protocol is computationally intensive, though. Establishing an SSL session relies on public-key cryptography, which is extremely CPU-intensive, so the time and CPU cycles needed to complete the handshake and then encrypt and decrypt the data are far higher than for symmetric encryption alone, let alone for an unencrypted TCP connection. An inline inspection proxy pays this cost twice, once on the client-facing session and once on the server-facing one.

Accordingly, inline SSL decryption is a potential bottleneck for network performance. Many SSL proxy devices operate at only hundreds of Mbps. Since they are almost exclusively deployed inline on Gigabit Ethernet interfaces, many devices operating in parallel are needed to keep up with network speeds, not to mention the additional hardware required to load-balance flows across a large number of SSL proxies.


With the amount of SSL-encrypted traffic forecast to keep increasing, IT network operators are looking for new solutions that satisfy their need for information security for the enterprise and individual users, as well as the requirements of corporate compliance, acceptable-use policies and government regulations for both security and privacy. The solution must not degrade network performance, because providing compliance at the expense of throughput is no more acceptable than meeting user and application bandwidth requirements while ignoring security. Fortunately for enterprise network operators, a new generation of high-speed Network Packet Brokers (NPBs) with embedded transparent SSL proxy functionality meets these challenges.

NPBs collect data from multiple sources, decrypt it on the NPB itself, and propagate the plaintext to the appropriate security and monitoring tools for analysis. Data can be decrypted at line rate and, if need be, filtered and load-balanced across tools. Because decryption on the NPB places no overhead on the security and monitoring tools, those tools continue to run at full capacity. If decryption is no longer wanted, the feature is simply deactivated; no network downtime or rerouting is required. For inline monitoring, the NPB re-encrypts the analyzed traffic and returns it to the network for onward transmission.
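Load-balancing decrypted or to-be-decrypted flows across proxies or tools, as mentioned above and in the performance discussion, has a trap that is easy to miss: a decrypting proxy (or an IDS) needs both directions of a TCP connection, so the hash that picks a destination must send a packet and its reply to the same slot. The following Python is an added example, not code from the article or from any vendor; the flows are constructed sample data and the slot counts are arbitrary.

```python
"""Direction-symmetric flow hashing for load-balancing across SSL proxies or tools.

Added example (not from the original article). naive_slot hashes the 4-tuple in
packet order, so the reply direction of a connection may land on a different
tool; symmetric_slot sorts the two endpoints first so both directions agree.
The sample flows below are constructed, not captured."""
import hashlib
import ipaddress

def _endpoint(ip, port):
    """Canonical bytes for one endpoint: packed IPv4/IPv6 address + 16-bit port."""
    return ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")

def _slot(key, n_tools):
    # SHA-256 instead of Python's hash(): deterministic across processes and restarts.
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n_tools

def naive_slot(src_ip, src_port, dst_ip, dst_port, n_tools):
    """Order-dependent: client->server and server->client may pick different slots."""
    return _slot(_endpoint(src_ip, src_port) + _endpoint(dst_ip, dst_port), n_tools)

def symmetric_slot(src_ip, src_port, dst_ip, dst_port, n_tools):
    """Order-independent: both directions of a connection share one slot."""
    lo, hi = sorted([_endpoint(src_ip, src_port), _endpoint(dst_ip, dst_port)])
    return _slot(lo + hi, n_tools)

def split_flows(slot_fn, flows, n_tools):
    """Fraction of flows whose two directions slot_fn would send to different tools."""
    mismatched = 0
    for src_ip, src_port, dst_ip, dst_port in flows:
        fwd = slot_fn(src_ip, src_port, dst_ip, dst_port, n_tools)
        rev = slot_fn(dst_ip, dst_port, src_ip, src_port, n_tools)
        mismatched += fwd != rev
    return mismatched / len(flows)

# Constructed sample: 200 clients talking to seven HTTPS servers (hypothetical addresses).
SAMPLE_FLOWS = [("10.0.0.%d" % (i % 250), 40000 + i, "203.0.113.%d" % (i % 7), 443)
                for i in range(200)]

if __name__ == "__main__":
    print("naive hash, flows split across tools:    %.2f" % split_flows(naive_slot, SAMPLE_FLOWS, 8))
    print("symmetric hash, flows split across tools: %.2f" % split_flows(symmetric_slot, SAMPLE_FLOWS, 8))
```

With eight slots, roughly seven of every eight connections hashed naively end up with their two halves on different tools, which for a decrypting proxy means no session can be reconstructed at all; the symmetric hash keeps every connection whole, at the cost of a sort of two short byte strings per packet.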

If your enterprise values data privacy and security, take the first step toward protecting your network by optimizing your SSL inspection deployment. Schedule a consultation with a Niagara Networks visibility expert today.
