Industry executives and experts share their predictions for 2018. Read them in this 10th annual VMblog.com series exclusive.
Contributed by Will Eatherton, Co-Founder and Vice President of Engineering at Skyport Systems
Keep Your Eyes on Opaque Encryption in 2018
During my time at Cisco and Juniper (1999-2013), we were largely focused on building products and features around the concept of the "Intelligent Network" - delivering much-desired visibility into deep packet data. During that time, a multi-billion-dollar industry was born, with a plethora of products such as next-generation firewalls, IPS/IDS, UTM, web proxies, data loss prevention, anti-virus, and secure web gateways, providing insight into and control of enterprise traffic.
And then, I wondered "what if?" What if the day eventually came when the data flowing through user devices was encrypted? What if most of those features we worked so hard to develop to help secure and protect enterprises eventually became irrelevant?
Here we are.
As we look ahead to 2018, IT departments are faced with a stark reality: the rise of new encryption protocols will cause visibility into enterprise traffic to go dark. The result is opaque encryption, in which most traffic bypasses man-in-the-middle (MITM) monitoring and escapes inspection by IT and security administrators.
There are several developments leading to opaque encryption that make it hard to leverage enterprises' existing technologies. These include:
- A trend towards the use of Perfect Forward Secrecy (PFS), which deliberately prevents after-the-fact decryption and defeats passive MITM technologies.
- Increased use of non-SSL/TLS encryption protocols with no accompanying MITM infrastructure. For example, Google's QUIC is an alternative to TLS that security vendors are lagging behind and currently cannot support.
- Multi-path to improve performance. Multi-path makes decryption difficult because a single MITM box only sees a portion of the needed state.
- Compressed header state and fewer clear text headers, which make it difficult to determine what traffic to decrypt. TLS 1.3 does provide a clear text extension (SNI) to communicate a target server's host name. While it seems useful for deciding what to decrypt, the value is supplied by the client and can be easily spoofed.
- Increased use of certificate and public key pinning, which are hard blocks to traditional transparent MITM.
- TCP connection re-use (enabled through HTTP/2 and TLS 1.3), which complicates state machines for MITM devices.
- Technologies crossing the enterprise perimeter that were never designed for transparent insertion of network security in the middle, such as IPsec-based tunnels.
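The SNI caveat in the list above, as an added example that is not from the article: a constructed minimal ClientHello shows that the host_name is whatever the client chooses to put there, a small parser extracts it the way a transparent MITM device would, and a defender-side check compares the asserted SNI against the names on the certificate the server actually presented (the certificate names are hypothetical inputs supplied by the caller).

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS ClientHello record carrying only a server_name extension."""
    host = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # NameType host_name(0) + name
    ext_body = struct.pack("!H", len(entry)) + entry                 # ServerNameList
    exts = struct.pack("!HH", 0x0000, len(ext_body)) + ext_body      # ExtensionType server_name(0)
    body = (b"\x03\x03" + b"\x11" * 32                               # legacy_version, fixed random
            + b"\x00"                                                # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"       # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Pull host_name out of a ClientHello as a passive MITM device would; None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                  # not a handshake / ClientHello
            return None
        p = 9 + 2 + 32                                               # skip headers, version, random
        p += 1 + record[p]                                           # legacy_session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]             # cipher_suites
        p += 1 + record[p]                                           # legacy_compression_methods
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0x0000:                                      # server_name extension
                q = p + 2                                            # skip ServerNameList length
                while q + 3 <= p + elen:
                    nlen = struct.unpack("!H", record[q + 1:q + 3])[0]
                    if record[q] == 0:                               # NameType host_name
                        return record[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):           # truncated or malformed record
        return None
    return None

def sni_matches_certificate(sni: str, cert_names) -> bool:
    """Defender check: SNI is an unauthenticated client hint, so compare it with the server's certificate names."""
    host = sni.lower().rstrip(".")
    for name in (n.lower() for n in cert_names):
        if host == name:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False
```

A mismatch between the SNI a client asserts and the names on the certificate the server returns is a useful signal to log, since a policy that keys decryption or allow-listing decisions on SNI alone is trusting a field the client fully controls.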
A Look Ahead
While it seems reasonable that many of the above developments could be countered to some degree by network security vendors, taken together the level of disruption in such a short time is staggering.
The transition to opaque crypto will start in earnest in 2018, but will take years to manifest. For most enterprises, simple-to-deploy central policy visibility and enforcement will go away, and companies will adapt.
There may be a rise of non-transparent proxies for client endpoints in the enterprise. However, these are known to be relatively difficult to maintain, so it is unclear whether they will gain widespread adoption. Enterprises may increasingly consider client endpoints to be lost causes and set a goal of heavily segmenting them from business applications. To deal with rogue clients, automated rebuild/replace of client devices should become more common.
For applications running on server endpoints in enterprise data centers, there will be an ongoing trend towards applying policy to the application instead of the network. Policy (for example, what entities this application can talk to or receive communication from) will increasingly be part of a developer's definition of an application - similar to software dependencies, data models, and API definitions.
What we know: the trend towards opaque encryption will produce a stronger model for secure communication. But while the networking industry resets, vendors and enterprises will struggle to find the new normal.
For a more in-depth technical analysis of this trend, I have a detailed technical writeup here: https://www.skyportsystems.net/blog/opaque-crypto-happens-enterprise-network-goes-dark/
About the Author
Will is a co-founder and Vice President of Engineering at Skyport. Previously he has served in management and individual contributor roles, including VP of Engineering and Distinguished Engineer, between Cisco and Juniper.