
Teneo's Brett Ayres Discusses Encryption's Impact on Networking and SD-WAN and Ways to Address It

Image Credit: Teneo

The Fast Mode spoke to Brett Ayres, VP of Product at Teneo, on new encryption technologies and their impact on today's networks. Brett joins us in a series of discussions with leading vendors in the traffic management, service assurance, traffic monitoring, analytics, policy control and network security space, assessing various attributes of encryption, its benefits as well as the challenges it poses, specifically the loss of visibility that makes networking increasingly complex.

Tara: How does encrypted traffic impact networking functions such as routing, switching, load balancing, network slicing, etc?

Brett: Encrypted traffic can make it more difficult for networking devices such as routers, switches, and security devices to perform their functions because the contents of the traffic are not visible. In short, encryption can make it harder for network devices to determine the source and destination of the traffic, which can make it harder to perform routing, switching, load balancing and so on. This can, in turn, create a delay while traffic is decrypted and re-encrypted, thus impacting user experience.

However, it is worth noting that this does not mean that encryption prevents these networking functions from working altogether - it may just make them harder to perform or require additional measures to be taken. In addition, well-designed networks should be able to minimise this impact and deliver a good experience for the user.

Today, many organisations are adopting SD-WAN to perform network and security functions across hybrid environments. Good SD-WAN solutions will have the option to encrypt the traffic as a part of the overlay service it provides. By having encryption as part of a unified service, the challenges encryption can bring are minimised.

Nevertheless, SD-WAN networking can bring its own performance overheads. SD-WAN sends encrypted traffic using IPsec tunnels to transport traffic, and there is a small but noticeable performance implication when the traffic is encapsulated in IPsec tunnels. This is common with legacy SD-WANs, as they use IPsec IKE encapsulation, which carries a performance overhead, whereas modern SD-WANs will give you the option to run IPsec over UDP (i.e. IKE-less), where the performance hit is negligible.

Lastly, it is worth noting that SD-WAN differs from traditional MPLS networks. SD-WAN completely removes the routing between the Provider CPE. MPLS providers have to maintain and manage customer routing tables in separate VRFs. By removing the customer’s subnets/routes from the Provider networks (i.e. moving to SD-WAN), this gives the customer full control of their own routing and provides an enhanced level of security over and above traditional encryption.

Tara: What are some of the ways enterprises can address visibility issues related to encryption?

Brett: There are several ways that enterprises can address visibility issues related to encryption:

  1. Decryption: One way to address visibility issues is to decrypt the traffic before it reaches networking devices such as routers, switches, and security devices. This can be done using a decryption proxy or a VPN gateway that can decrypt the traffic before it reaches the other devices.
  2. Network packet brokers (NPBs): NPBs can be used to provide visibility into encrypted traffic by copying the traffic and forwarding it to security and monitoring tools for analysis.
  3. Next-generation firewalls (NGFWs): NGFWs can be configured to perform SSL/TLS decryption and inspection, providing visibility into encrypted traffic. Some, or all of the data, can then be exported to your visibility tool set for further analysis.
  4. Cloud-based security solutions: Cloud-based security solutions can also provide visibility into encrypted traffic by inspecting the traffic as it enters and exits the cloud environment. It is worth noting here that you need a high degree of trust in your cloud provider to have unencrypted data in flight or at rest in the cloud.
  5. Network segmentation: Network segmentation and micro-segmentation can also help to address visibility issues by separating sensitive data and applications into separate, more secure segments of the network. This removes the need for visibility tools to identify the traffic, as we know that only a specific type of traffic is on that segment. However, it does limit the extent of insights we can gain from observing this traffic.
  6. Use of Network Function Virtualization (NFV) and Software Defined Networking (SDN) technologies: These technologies can provide the ability to add virtualized security functions that can inspect encrypted traffic. By combining the encryption to a unified platform, you can ensure traffic is both encrypted and highly visible.

It's worth noting that when decrypting the traffic, organizations must consider the security and compliance implications, as well as the possible impact on the network performance.

This interview is a part of The Fast Mode's Real-time Visibility for Encrypted Traffic segment, featuring 34 leading IP networking solution providers and their views on the impact of encryption on traffic visibility. A research report on this topic will be published in February 2023 - for more information, visit here.

Author

Brett Ayres is VP of Product for Teneo. He has over 16 years of experience working with customers on network and security transformation projects, balancing technical, operational, and commercial requirements to deliver secure, optimised, and highly visible networks. Brett has held a range of commercial and technical roles during his time with Teneo. Recently he has enhanced Teneo’s offerings by adding next-generation security solutions to the portfolio, designed to secure remote workforces accessing hybrid networks within a Zero Trust architecture.
