KEMP Security Series – Part 2: SSL/TLS Security
The Trustwave Global Security Report is an annual snapshot of the threats faced by web-based applications and services. The 2016 report, which is based on data collected in 2015, highlights and discusses many such threats. In a previous article in this series, we looked at application security. In this post we will focus on how enforcing organization-wide standards for the use of SSL/TLS encryption can help secure your Internet-facing services.
Encryption of data within SSL/TLS-based systems is an important part of all network and application protection schemes. Attacks against such security systems were the most common in the latest report, with 4 of the top 5 network vulnerabilities detected being SSL- or TLS-related. The Trustwave report shows that attacks against SSL/TLS systems that are out of date or poorly configured are also increasing, making it vital that these systems are deployed correctly and kept up to date. However, correctly configuring these network security systems, and keeping them up to date, is time-consuming and often tricky.
KEMP LoadMaster, when deployed with the KEMP Web Application Firewall (WAF), can help protect your web applications against the common vulnerabilities highlighted in the Trustwave Global Security Report. It combines Layer 7 Web Application Firewall protection with other application delivery services such as intelligent load balancing, intrusion detection & prevention, edge security, and authentication. It also includes ModSecurity, the world’s most widely deployed web application firewall engine, and is augmented by threat intelligence from Trustwave.
LoadMaster can also be the central hub of your network for handling SSL/TLS encryption. Handling SSL/TLS encryption for network packets is a resource-intensive task. Doing this on the web servers and application servers that are there to serve client requests puts an additional overhead on servers that should be optimized for content delivery. A LoadMaster application delivery controller can be configured as an SSL Accelerator. When performing this role, the LoadMaster is optimized to quickly perform SSL and TLS decryption and encryption for incoming and outgoing network traffic.
In addition to removing the burden of the SSL/TLS encryption from back-end servers, LoadMaster also helps reduce the burden of correctly configuring SSL/TLS for network administrators. The LoadMaster Web User Interface (WUI) makes it easy to configure SSL and TLS settings correctly (as shown in the image below).
Beyond this help with SSL/TLS configuration, a WAF subscription provides updates that help protect against new and emerging threats. This will help your network administration and security staff stay ahead of the curve with respect to vulnerabilities. The LoadMaster SSL/TLS implementation is also kept up to date with current industry best practice and tested against sites such as Qualys SSL Labs. Moving SSL/TLS handling to LoadMaster also allows legacy applications that may not support up-to-date SSL/TLS versions to be protected behind a modern, secure load balancer.
The Trustwave report shows that proper SSL/TLS implementation, configuration, and management are important. Vulnerabilities in this part of an Internet-facing infrastructure are increasingly the target for malicious third parties. KEMP Technologies can help you guard against threats in this area via our KEMP 360 service, our Professional Services consulting staff, and our award-winning KEMP LoadMaster Application Delivery Controllers. Contact us for help with all your application delivery needs.