The Challenges of Inspecting Encrypted Network Traffic

By Nirav Shah | August 04, 2020

Encryption has become an essential component of today’s digital businesses, especially as more customers, workers, and applications connect to corporate resources across the public internet. In fact, according to FortiGuard Labs, the total percentage of encrypted web traffic is now around 85%, up from just 55% in 2017. This traffic is a larger and larger slice of a steadily increasing pie. 

This technology has had a massive impact on both privacy and cybersecurity, but unfortunately, the rise of encrypted traffic is not entirely positive. Malicious actors are increasingly using encryption to avoid detection and carry out massive cyberattacks, and organizations need new security capabilities to protect themselves.

What is Encryption?

Encryption is a data security practice that converts normal, readable information into an unintelligible cipher. Once traffic is encrypted, it can only be read by authorized users who hold the key, or by advanced decryption practices that can recover the plaintext from the ciphertext. This allows organizations to safely move sensitive and confidential information around without exposing financial data, PII, or IP to prying eyes.

This type of network traffic is very difficult to monitor and inspect, as organizations often don’t have decryption capabilities to gain full visibility into internal encrypted traffic. This means malicious actors may use encrypted traffic to secretly carry unsanctioned applications and malware.

Encrypted Network Traffic Has a Dark Side

Cybercriminals are actively using encryption to get around security detection, knowing most organizations will not thoroughly inspect their traffic. They use encryption to obscure their presence and evade detection, whether delivering malware or exfiltrating stolen sensitive data, to bypass traditional security tools—which is why most CIOs indicate they have experienced a network attack using secure sockets layer (SSL) encryption.

Gartner predicted that more than 70% of malware campaigns in 2020 would use some type of encryption to conceal malware specifically because encrypting attacks and malware makes security defenses less effective. For example, hackers use SSL encryption to hide an initial attack by encrypting their malware and sending it through an approved port. Many forms of malware also rely on encryption to hide command and control communications. And cybercriminals leverage encryption to protect stolen network information and user credentials, such as passwords, bank accounts, and other sensitive information, for the same reasons that businesses encrypt that same data. 

The Challenge of Monitoring and Inspecting Encrypted Traffic

Of course, inspecting encrypted traffic is the answer, but that’s easier said than done. The first problem is the time it takes to decrypt and re-encrypt data in order to inspect it. And for businesses, time is money. The demands of the digital marketplace require data to be immediately accessible, and the technologies that handle the time and overhead of accessing encrypted information must improve if encryption is to be inspected more readily. Unfortunately, few security tools can inspect encrypted traffic at the speeds that today's digital businesses require.

Generally speaking, examining encrypted traffic puts an enormous strain on a security device. Using ciphers to decrypt and inspect SSL/TLS traffic correctly is exceptionally CPU-intensive. As a result, nearly every firewall – especially those that rely on off-the-shelf processors for their computing power – sees its performance drop dramatically when it comes to inspecting encrypted traffic.

On average, according to NSS Labs, the performance hit for deep packet inspection after SSL decryption is 67%. In fact, performance numbers are so low that many firewall vendors refuse to publish them. Even more concerning, not all security products deployed to inspect encrypted traffic support the top 30 cipher suites or support TLS 1.3, which means that some traffic that appears to be analyzed isn't being processed by some security devices at all. That's because the default setting on most firewalls is simply to let uninspected encrypted traffic pass through. Of course, given the percentage of encrypted traffic now in use, this renders most traditional security devices in today's high-performance networks nearly useless.
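A check a defender can run to find out whether encrypted flows are actually being decrypted or silently passed through, as an added example that is not Fortinet's code or part of the original post: it records the certificate issuer and TLS version each client session really negotiated and classifies the session. The inspection CA name, the set of versions the device can decrypt, and the sample hosts are assumed placeholders.

```python
import socket
import ssl
from collections import Counter
from dataclasses import dataclass

# Assumed values: the CN of the CA the inspection device re-signs server
# certificates with, and the TLS versions the device is known to decrypt.
INSPECTION_CA_CN = "Corp TLS Inspection CA"
DECRYPTABLE_VERSIONS = {"TLSv1.2"}


@dataclass
class TlsObservation:
    host: str
    version: str      # e.g. "TLSv1.2", "TLSv1.3"
    cipher: str       # e.g. "TLS_AES_256_GCM_SHA384"
    issuer_cn: str    # CN of the certificate issuer the client actually saw


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Open a TLS session and record what the client really negotiated.
    Assumes the inspection CA is in the system trust store (it must be for
    inspection to work at all), so default verification succeeds."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
            return TlsObservation(host, tls.version(), tls.cipher()[0],
                                  issuer.get("commonName", ""))


def classify(obs: TlsObservation) -> str:
    """Was the session inspected or passed through, and if so, why?"""
    if obs.issuer_cn == INSPECTION_CA_CN:
        return "inspected"   # re-signed by the middlebox: it decrypted this flow
    if obs.version not in DECRYPTABLE_VERSIONS:
        return "bypassed-unsupported-version"   # e.g. TLS 1.3 the device can't decrypt
    return "bypassed-policy"   # decryptable, but exempted or simply not inspected


def summarize(observations: list) -> dict:
    """Count outcomes so the share of silently uninspected traffic is visible."""
    return dict(Counter(classify(o) for o in observations))


# Constructed sample observations standing in for the output of probe():
SAMPLE = [
    TlsObservation("intranet.example", "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", INSPECTION_CA_CN),
    TlsObservation("cdn.example", "TLSv1.3", "TLS_AES_256_GCM_SHA384", "Public Root CA"),
    TlsObservation("bank.example", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "Public Root CA"),
]
```

Replace SAMPLE with `[probe(h) for h in hosts]` on a client behind the inspection point; a large "bypassed-unsupported-version" share is the gap the paragraph describes.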

Security Vendors Need to Re-Engineer Their Security Offerings

What's needed is a security solution designed to more efficiently handle this sort of traffic analysis, given the need for performance and scalability in today’s marketplace. Of course, custom processors are not news. Companies like Google, Microsoft, Amazon, and Apple have all developed specialized chips for high-performance devices and environments. Sadly, it’s mostly security that is lagging behind. And this is a critical oversight that has enormous ramifications. 

To highlight the difference that purpose-built processors can provide, Fortinet developed the Security Compute Rating benchmark, which compares the performance of ASIC-based Next-Generation Firewall appliances to NGFW and SD-WAN solutions that use generic processors and network acceleration components for their networking and security functions. Custom processors explicitly designed to accelerate security and network functions such as encrypted traffic inspection demonstrate performance increases of between 15X and 40X.

In today’s increasingly dynamic and continuously expanding networks, security that can function hand-in-glove with core networking functionality and perform crucial functions like inspecting encrypted traffic without compromising on performance is essential. The failure on the part of the majority of today’s largest security vendors to step up and fill this gap is nothing short of irresponsible. It’s time for security vendors to deliver the next generation of high-performance, highly scalable security solutions that today’s organizations require.

Learn more about how the FortiGate Next-Generation Firewall delivers industry-leading SSL traffic inspection to protect against attacks that hide in encrypted traffic.