Encryption for privacy could pose security risks

5th September 2014 By: Schalk Burger - Creamer Media Senior Deputy Editor


DAVID HOLMES: Computationally onerous encryption systems remain vulnerable to denial-of-service attacks on companies

Users expect all data transmissions to be encrypted to ensure privacy, but these same privacy measures, which typically mask Internet communications, also enable malware to infiltrate organisations and networks, says integrated network management company F5 Networks security solutions expert David Holmes.

The exposure and leaking of surveillance information and methods of national crime-fighting organisations have raised the level of awareness of online privacy and have led to demands for all network traffic to be securely encrypted, typically through encryption protocols such as Secure Sockets Layer (SSL).

The threat of surveillance has led to the development of perfect forward secrecy protocols, which ensure that previously recorded data cannot be decrypted, even in the future, should a main long-term encryption key, such as one on a lost or disused machine, be exposed.
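To make concrete what "cannot be decrypted, even in the future" means, the following is an added illustration, not code from the article or from F5 Networks. It contrasts a handshake that reuses the server's long-term Diffie-Hellman key with one that uses a fresh ephemeral key per session (the idea behind the DHE/ECDHE suites that give SSL/TLS forward secrecy), and shows what an eavesdropper who recorded the handshake can compute once the long-term key leaks. The group parameters are a constructed toy and are far too small for real use; the real handshake's signature over the ephemeral value is omitted.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: a 127-bit
# Mersenne prime is nowhere near a safe size (TLS uses 2048-bit+ groups or
# elliptic curves), but the algebra is the same.
P = 2**127 - 1
G = 3


def keypair() -> tuple[int, int]:
    """Return (private exponent, public value g^priv mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(shared_secret: int) -> bytes:
    """Derive a symmetric session key from the DH shared secret."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def static_dh_session(server_priv: int, server_pub: int) -> tuple[bytes, dict]:
    """No forward secrecy: the server reuses its long-term DH key every session.
    Returns the session key and what a passive eavesdropper records."""
    c_priv, c_pub = keypair()
    key = session_key(pow(server_pub, c_priv, P))
    assert key == session_key(pow(c_pub, server_priv, P))  # both sides agree
    return key, {"client_pub": c_pub, "server_pub": server_pub}


def ephemeral_dh_session() -> tuple[bytes, dict]:
    """Forward secrecy: a fresh server key per session. In real TLS the
    long-term key only signs e_pub; it never enters the key derivation."""
    c_priv, c_pub = keypair()
    e_priv, e_pub = keypair()
    key = session_key(pow(e_pub, c_priv, P))
    assert key == session_key(pow(c_pub, e_priv, P))
    return key, {"client_pub": c_pub, "server_pub": e_pub}


def recover_from_leak(transcript: dict, leaked_priv: int) -> bytes:
    """What an attacker holding a recorded handshake plus the server's
    leaked long-term private key can derive from it."""
    return session_key(pow(transcript["client_pub"], leaked_priv, P))


def demo() -> tuple[bool, bool]:
    """Return (static session broken?, ephemeral session broken?) after a leak."""
    s_priv, s_pub = keypair()  # server's long-term key, assumed leaked later
    static_key, static_log = static_dh_session(s_priv, s_pub)
    pfs_key, pfs_log = ephemeral_dh_session()
    return (recover_from_leak(static_log, s_priv) == static_key,
            recover_from_leak(pfs_log, s_priv) == pfs_key)
```

Running `demo()` returns `(True, False)`: the leaked key retroactively decrypts the static-key session but gives the attacker nothing usable against the ephemeral one, which is the property the article refers to.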

However, achieving ubiquitous and secure encryption will introduce significant additional computational requirements for data centres and servers and can also enable malware to infiltrate an organisation’s network through infected personal devices that cannot be scanned, owing to privacy measures.

Meanwhile, privacy must be balanced against the ability to detect and neutralise cybercrime attacks, and many companies’ security strategies aim to make Internet connections visible to inspection and actively block malware.

Further, many network optimisation systems, which typically monitor the availability and use of applications or network components, cannot function effectively in an environment where all traffic is encrypted, and it is inefficient to decrypt all the information in a stream to extract the data relevant to their function.

“SSL encryption adds significant computational requirements, while Diffie-Hellman key exchange systems, for perfect forward secrecy, add even more. In addition, these systems can be even more vulnerable to denial of service attacks on companies, which typically flood the cryptographic processors with streams of data to analyse and process, effectively shutting them down,” says Holmes.

The dichotomy presented by the requirements for privacy of private citizens and the requirement to be able to monitor threats posed by cyber criminals, who use the same methods to screen their activities, makes the two concepts difficult to reconcile in practice.

“There is a need for monitoring to detect criminal elements, including cybercrime, to improve policing and security. However, agencies can also use that same monitoring apparatus to gather broad-spectrum surveillance information about citizens at large. It is a complex problem.”

Companies must design a strategy around these topics, as most workers expect to bring their own devices into their environments, yet retain privacy for their personal communications.

Encrypted personal-device connections may be blocked or users may be required to use their own connections without having access to the corporate network, while different levels of encryption can be used for different levels of employees to secure company information without adding significant computational requirements.

These competing and complex networking requirements have led to intelligent networking and security components moving closer to the edge of companies’ networks to protect them from risks, while the components inside the network then pass the data streams through without inspecting them.

“While F5 Networks can provide advice, we prefer to develop systems to meet companies’ strategic requirements and objectives. This is done to ensure that business efficiency and cost effectiveness are maintained, including the unconstrained, integrated and smart use of applications in organisations through network optimisation, which is a core capability of ours,” concludes Holmes.