Don’t Let Attacks Pass You By: Strategies for Inspecting SSL Traffic

By Kasey Cross, Security Evangelist, A10 Networks

Two-thirds of North American Internet traffic will be encrypted in 2016, according to Sandvine.[1] While many financial institutions deploy a myriad of security solutions, these solutions will fall far short of protecting digital assets if they cannot inspect encrypted traffic.

Attackers are wising up and taking advantage of the blind spot in corporate defenses created by encryption. As a result, organizations that do not inspect SSL communications are providing an open door for attackers to infiltrate defenses and steal data. To prevent cyber attacks, financial institutions need to inspect all traffic, and in particular encrypted traffic, for advanced threats.

Financial institutions can deploy dedicated SSL inspection platforms to mitigate these risks. But they should consider future network traffic and SSL bandwidth demands—especially as SSL traffic continues to account for a growing portion of all traffic. They should also consider networking and high availability requirements. The right SSL inspection solution should do more than simply decrypt traffic; it should also improve network performance and uptime. The following criteria can help financial institutions find a solution that meets their needs, today and tomorrow.

Performance and Scalability

Performance and scalability are two factors to consider when architecting a network for SSL decryption. Organizations must assess their Internet bandwidth requirements and ensure that SSL inspection platforms can handle future SSL throughput requirements. To get real-world performance benchmarks, consider the impact of deep packet inspection, URL classification, and other features.

Privacy Concerns

Financial institutions must balance employee and data protection against the possible violation of privacy rights. Regulatory requirements including the Federal Information Security Management Act (FISMA), the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX) add to the burden. An SSL inspection platform should be able to bypass sensitive traffic to ensure that confidential financial records aren’t sent to security devices or stored in log management systems.
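As an added illustration (not code from the article or from any A10 product), the following Python sketch shows the decision an inspection platform makes before it decrypts a flow: it reads the server name from the cleartext TLS ClientHello and bypasses decryption for hosts in a sensitive category. The category list, host names and the `build_client_hello` helper are constructed placeholders.

```python
import struct

# Constructed category list; a real platform would use a URL/domain classification feed.
CATEGORY_DB = {"bank.example": "financial", "clinic.example": "healthcare", "cdn.example": "general"}
BYPASS_CATEGORIES = {"financial", "healthcare"}  # never decrypt these (PCI DSS / privacy)

def build_client_hello(host):  # minimal TLS ClientHello handshake message, no record header
    body = b"\x03\x03" + bytes(32) + b"\x00"    # version, random, empty session id
    body += b"\x00\x02\x13\x01" + b"\x01\x00"   # one cipher suite, null compression
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0, len(sni_ext)) + sni_ext     # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body

def extract_sni(msg):
    """Return the host_name from a ClientHello's server_name extension, or None."""
    try:
        if msg[0] != 0x01:                                   # handshake type client_hello
            return None
        pos = 4 + 2 + 32                                     # skip header, version, random
        pos += 1 + msg[pos]                                  # session id
        pos += 2 + struct.unpack("!H", msg[pos:pos + 2])[0]  # cipher suites
        pos += 1 + msg[pos]                                  # compression methods
        end = pos + 2 + struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", msg[pos:pos + 4])
            pos += 4
            if ext_type == 0 and msg[pos + 2] == 0:          # server_name, host_name entry
                name_len = struct.unpack("!H", msg[pos + 3:pos + 5])[0]
                return msg[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                          # truncated or malformed hello
    return None

def classify(host):
    labels = host.lower().rstrip(".").split(".")
    candidates = (".".join(labels[i:]) for i in range(len(labels)))  # host, then each parent domain
    return next((CATEGORY_DB[c] for c in candidates if c in CATEGORY_DB), "uncategorized")

def decide(msg):
    sni = extract_sni(msg)
    if sni is None:            # policy choice: a flow that cannot be classified is inspected
        return "inspect"
    return "bypass" if classify(sni) in BYPASS_CATEGORIES else "inspect"
```

Because the SNI is a client-supplied cleartext hint, a bypass decision based on it should be confirmed against the server certificate once the handshake completes; here a flow with no SNI is sent for inspection rather than bypassed.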

Traffic Steering to Support Multiple Security Devices

Security best practices have long recommended the use of a variety of security products from different vendors. SSL inspection platforms must interoperate with these devices as network defenses change. By selecting an SSL inspection platform that supports flexible deployment, traffic steering and granular traffic controls, organizations ensure their ability to provision varied security solutions in the future.

SSL Offload and Load Balancing

Firewalls strain to keep pace with increasing network loads, especially if they also perform URL filtering, signature-based intrusion prevention or virus inspection. SSL inspection platforms should not just offload SSL processing from other security devices but should maximize the overall capacity of security infrastructure by load balancing traffic and routing around failed security devices.

Secure Management of SSL Keys

SSL certificates and keys are the basis of trust for encrypted communications and, if compromised, can enable attackers to impersonate legitimate sites and steal data. SSL inspection devices must securely manage these certificates and keys.

Driven by privacy concerns, SSL traffic has grown to nearly a third of enterprise traffic. Existing security defenses, already stretched to keep up, are challenged to support 2048- and 4096-bit SSL encryption. At the same time, more and more cyber attacks and malware are leveraging encryption to evade corporate defenses. Financial institutions must find a way to gain insight into SSL traffic to prevent devastating data breaches. And to accomplish this goal, they need a dedicated and high-performance SSL inspection platform.

[1] Global Internet Phenomena Spotlight, Sandvine, April 30, 2015




A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure.

A10 Thunder appliances are Application Delivery Controllers (ADCs) that provide Unified Application Service Gateway functionality by consolidating premium solution modules for intelligent Cloud services in the most efficient form factors. A10 Networks is based in San Jose, Calif., and serves customers globally with offices worldwide.
