Skyport Systems 2018 Predictions: Keep Your Eyes on Opaque Encryption in 2018

VMblog Predictions 2018

Industry executives and experts share their predictions for 2018.  Read them in this 10th annual series exclusive.

Contributed by Will Eatherton, Co-Founder and Vice President of Engineering at Skyport Systems

Keep Your Eyes on Opaque Encryption in 2018

During my time at Cisco and Juniper (1999-2013), we were largely focused on building products and features around the concept of the "Intelligent Network" - delivering much-desired visibility into deep packet data. During that time, a multi-billion-dollar industry was born, with a plethora of products such as next-generation firewalls, IPS/IDS, UTM, web proxies, data loss prevention, anti-virus, and secure web gateways, providing insight into and control of enterprise traffic.

And then, I wondered "what if?" What if the day eventually came when the data flowing through user devices was encrypted? What if most of those features we worked so hard to develop to help secure and protect enterprises eventually became irrelevant?

Here we are.

As we look ahead to 2018, IT departments are faced with a stark reality: the rise of new encryption protocols will cause visibility into enterprise traffic to go dark. The result is opaque encryption: most traffic will bypass man-in-the-middle (MITM) monitoring and pass through uninspected from the standpoint of IT and security administrators.

There are several developments leading to opaque encryption that make it hard to leverage enterprises' existing technologies. These include:

  • A trend towards the use of Perfect Forward Secrecy (PFS), which deliberately prevents after-the-fact decryption of captured traffic and so defeats passive MITM technologies.
  • Increased use of non-SSL/TLS encryption protocols with no accompanying MITM infrastructure. For example, Google's QUIC is an alternative to TLS that inspection vendors lag behind and currently cannot support.
  • The use of multiple paths to improve performance. Multi-path makes decryption difficult because a single MITM box sees only a portion of the needed state.
  • Compressed header state and fewer clear text headers, which make it difficult to determine what traffic to decrypt. TLS 1.3 does provide a clear text extension (SNI) to communicate a target server's host name. While it seems useful for deciding what to decrypt, it is a client-supplied value and can be easily spoofed.
  • Increased use of certificate and public key pinning, which are hard blocks to traditional transparent MITM.
  • TCP connection re-use (enabled through HTTP/2 and TLS 1.3), which complicates the state machines of MITM devices.
  • Technologies that cross the enterprise perimeter but were never designed for transparent insertion of network security in the middle, such as IPsec-based tunnels.
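The SNI point above is worth seeing in bytes. As an added example (my own code, not the author's or Skyport's), the following Python builds a constructed TLS ClientHello record carrying a server_name extension and then parses the host name back out of it, which is exactly what a passive network device can still read before the rest of the handshake goes opaque. Because the name is a string the client writes into the packet, the parser returns whatever the client chose to put there; that is the spoofing caveat. Constants follow the TLS record and handshake layout (RFC 5246 / RFC 8446); the sample bytes are constructed, not captured, and `build_client_hello` and `extract_sni` are names I chose for this illustration.

```python
import struct

# TLS record / handshake constants (RFC 5246, RFC 8446)
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_NAME_TYPE_HOST = 0x00


def build_client_hello(host_name, include_sni=True, random_bytes=b"\x11" * 32):
    """Build a minimal ClientHello record (constructed sample, not a real capture).

    With include_sni=False the extensions block is omitted entirely.
    """
    extensions = b""
    if include_sni:
        name = host_name.encode("ascii")
        # ServerNameList { name_type, name_len, name }
        sni_entry = struct.pack("!BH", SNI_NAME_TYPE_HOST, len(name)) + name
        sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
        extension = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
        extensions = struct.pack("!H", len(extension)) + extension

    # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    cipher_suites = b"\x13\x01\x13\x02"
    body = (
        b"\x03\x03"                                   # legacy_version (TLS 1.2)
        + random_bytes                                # 32-byte client random
        + b"\x00"                                     # empty legacy_session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                 # one compression method: null
        + extensions
    )
    handshake = struct.pack("!B", HANDSHAKE_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None.

    None means: not a handshake record, not a ClientHello, no SNI present, or
    the record is truncated. Every length field is bounds-checked before use.
    """
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None  # truncated handshake message
    try:
        pos = 2 + 32                          # skip legacy_version and random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = body[pos]
        pos += 1 + cm_len
        if pos >= len(body):
            return None                       # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != EXT_SERVER_NAME:
                continue
            if len(ext_data) < ext_size:
                return None
            list_len = struct.unpack("!H", ext_data[0:2])[0]
            entries = ext_data[2:2 + list_len]
            epos = 0
            while epos + 3 <= len(entries):
                name_type, name_len = struct.unpack("!BH", entries[epos:epos + 3])
                epos += 3
                name = entries[epos:epos + name_len]
                epos += name_len
                if name_type == SNI_NAME_TYPE_HOST and len(name) == name_len:
                    # This is simply what the client wrote; nothing here proves
                    # the connection is really going to that host.
                    return name.decode("ascii", errors="replace")
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    for host in ("mail.example.com", "anything-the-client-likes.example"):
        print(host, "->", extract_sni(build_client_hello(host)))
    print("no SNI ->", extract_sni(build_client_hello("x", include_sni=False)))
```

A policy that keys on the SNI value alone is keying on a client-asserted string; a defender who uses it to decide what to decrypt or allow should corroborate it with the destination address or DNS resolution rather than trusting it on its own, and should expect traffic with no SNI at all.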

A Look Ahead

While it seems reasonable that many of the above developments could be countered to some degree by network security vendors, as a sum total the level of disruption in such a short time is staggering.

The transition to opaque crypto will start in earnest in 2018, but will take years to manifest. For most enterprises, simple-to-deploy central policy visibility and enforcement will go away and companies will adapt.

There may be a rise of non-transparent proxies for client endpoints in the enterprise. However, these are known to be relatively difficult to maintain, so it is unclear whether they will gain widespread adoption. Enterprises may instead increasingly treat client endpoints as lost causes and set a goal of heavily segmenting them from business applications. To deal with rogue clients, automated rebuild/replace of client devices should become more common.

For applications running on server endpoints in enterprise data centers, there will be an ongoing trend towards applying policy to the application instead of the network. Policy (for example, what entities this application can talk to or receive communication from), will increasingly be a part of a developer's definition of an application - similar to software dependencies, data models, and API definitions.

What we know: the trend towards opaque encryption will produce a stronger model for secure communication. But while the networking industry resets, vendors and enterprises will struggle to find the new normal.

For a more in-depth technical analysis of this trend, I have a detailed technical writeup here:
About the Author

Will Eatherton

Will is a co-founder and Vice President of Engineering at Skyport. Previously he has served in management and individual contributor roles, including VP of Engineering and Distinguished Engineer, between Cisco and Juniper.

Published Wednesday, November 22, 2017 5:21 AM by David Marshall