Getting ahead of the trend towards SSL and HTTPS. Recent vulnerabilities in SSL are related to the use of OpenSSL by many server and dedicated SSL vendors. Array Networks Dedicated SSL solutions that use a proprietary SSL implementation were immune to the recent Heartbleed and MITM vulnerabilities.
3. SSL trends
• Cloud, SaaS and data center consolidation
• Heartbleed is a serious vulnerability in OpenSSL cryptographic software
• Google to reward secure websites with better search ranking
• Starting in 2014 CAs will no longer support 1024-bit SSL certificates
4. Impact on banking and finance
• Large data center or private cloud
• Business critical B2B or B2C banking or finance applications
• SSL encryption for compliance and consumer protection
Current and future risk associated with performance, scalability, cost and security.
5. Performance, scalability and cost
Key Size | 64-bit Server | Dedicated SSL Solution
1024 1,500 TPS 7 Servers 25,000 TPS 200,000 TPS
2048 300 TPS 35 Servers 5,000 TPS 40,000 TPS
Implication
• Where servers once sufficed for handling SSL, a dedicated SSL solution may be required
• More robust dedicated SSL solutions may be required to meet increasing demands
Increasing adoption of SSL, data center consolidation and the more compute-intensive 2048-bit standard create a dynamic that impacts both costs and performance (user experience).
6. Security
| | Server | Dedicated SSL Solution | Proprietary Dedicated SSL |
|---|---|---|---|
| Vulnerability | OpenSSL | OpenSSL | Proprietary SSL |
| Performance | Software SSL | Hardware SSL | Optimized HW SSL |
| Remediation | Many OpenSSL versions result in complex remediation | Multiple OpenSSL versions increase remediation burden | Single proprietary SSL simplifies remediation (if needed) |

Recent vulnerabilities in SSL are related to the use of OpenSSL by many server and dedicated SSL vendors.
Dedicated SSL solutions that use a proprietary SSL implementation were immune to the recent Heartbleed and MITM vulnerabilities.
7. Strategies for success
Scalability
Solid performance on entry-level, mid-range and high-end solutions ensures seamless upgrades if and when needed.
Performance
If you require SSL, use a dedicated appliance, even in environments where many other elements are virtualized.
Cost
Speeds, feeds and price vary by vendor and provider; normalize metrics and offers to $/SSL TPS to make accurate comparisons.
Security
Seek solutions that use proprietary SSL to mitigate OpenSSL-related issues such as Heartbleed and MITM vulnerabilities.
• If you are purchasing equipment, carefully evaluate vendors
• If you are deploying in the cloud, carefully evaluate IaaS providers
• Measure costs in $/SSL TPS
• SSL is becoming ubiquitous; consider your future needs
8. Additional BFSI considerations
Scaling certificate management
Client certificate authentication and certificate revocation list (CRL) management are potential bottlenecks.
Solutions that perform these functions at a system level (as opposed to solutions based on OpenSSL) will ensure maximum performance.
More stringent certificate management and security
The BFSI industry is trending towards greater use of certificates to authenticate and authorize sessions.
Look for solutions capable of:
• Operating in bridge mode as an SSL server and/or client
• Requesting certificate re-verification on demand “in-flight”
• Supporting multi-level authentication (open, credentials, certificate)
• Supporting 2-way certificates
Google recently announced that SSL-encrypted pages will receive higher search rankings. This will drive broader adoption of SSL as the Google algorithm increasingly favors encrypted pages.
As of 2014, NIST, CAB and CAs no longer support or issue 1024-bit certificates. New 2048-bit certificates are more secure; however, they consume five times more compute horsepower. In data centers where SSL connections are aggregated, this has forced a choice between increased costs or diminished performance.
Recent vulnerabilities such as Heartbleed and man-in-the-middle (MITM) have raised the question of whether SSL is sufficiently secure, and have caused many to worry over when and where the next vulnerability will occur.
With the rise of cloud and Web-based SaaS applications, businesses are consolidating their operations into a small number of more scalable data centers. Without proper planning, supporting cloud-scale SSL has the potential to impact the performance of applications and servers.