Cipher suite update? No issue with Proxy-based Architecture

Internet users typically don’t concern themselves with cipher suites. They type in a web address, want to shop for the holidays and expect the site to appear. They may not be able to afford the holiday gifts they’re buying, just as you, as a business, can’t afford for them to lose access to the Internet.

But if a TLS/SSL decryption and inspection device doesn’t understand a new cipher suite or TLS version, traffic breaks and your users can’t reach the Internet to buy that special teapot for the holiday white elephant gift exchange.

What’s a cipher vs a cipher suite?

A cipher is an algorithm used in cryptography to encrypt or decrypt information. It consists of a series of steps that must be followed in order to complete the encryption or decryption process.

A cipher suite is a combination of ciphers that each fulfill a different encryption purpose, like key generation and authorization.

 

That happened in 2016, when Google selected a new default cipher suite for Chrome. A number of SSL decryption devices weren’t able to understand this new cipher suite, so traffic was broken.

In turn, these devices had to be taken off the network so users could access the Internet again. While the devices were offline being patched, upgraded and reinstalled, which took days, organizations weren’t getting the benefit of their SSL decryption devices. This means they were vulnerable to malware, ransomware and other nefarious traffic cloaked by encryption.

Full proxy-based architecture

When A10 Networks built Thunder® SSL Insight (SSLi®), we decided to invest in a full proxy-based architecture, which helps organizations avoid this problem.

When we were developing the technology used in Thunder SSLi back in 2011, we made a conscious decision to use a full proxy-based architecture rather than the architecture prevalent at the time. We believe we’re reaping the benefits of that choice today and we have a much stronger advantage than our competitors. And of course, our customers benefit the most.

“What is full proxy-based architecture?”, you ask

A full proxy-based architecture means we break the connection from a user to the internet into two segments – we create a full view or full segment towards the client and another view or full segment towards the internet server. Each connection has its own parameters and distinct cipher suite selection.
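The two-segment negotiation described above, as an added Python sketch (not A10's code and not part of the original post). It is a simplified model that assumes server-preference selection and ignores TLS versions and extensions; the suite names are real IANA identifiers, but the offer lists and function names are constructed for illustration and do not reproduce the 2016 incident.

```python
# Added illustration: a simplified negotiation model, not a TLS implementation.
# Every list below is constructed sample data.
CHACHA = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
AES128 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
AES256 = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
RC4 = "TLS_RSA_WITH_RC4_128_SHA"


def negotiate(offered, server_prefs):
    """Server-preference selection: the first suite the server ranks that the
    client also offered. None models a handshake_failure alert."""
    return next((s for s in server_prefs if s in offered), None)


def pass_through(client_offer, origin_prefs, device_known):
    """One end-to-end handshake. The device lets the endpoints' choice stand
    and can only decrypt the session if it implements the agreed suite."""
    suite = negotiate(client_offer, origin_prefs)
    if suite is None:
        return ("handshake_failure", None)
    return ("inspected" if suite in device_known else "broken", suite)


def full_proxy(client_offer, origin_prefs, device_allowed):
    """Two independent handshakes. The device is the server on the client
    segment and the client on the origin segment, so each segment settles on
    a suite from the device's own allow-list (ordered by preference)."""
    client_leg = negotiate(client_offer, device_allowed)
    origin_leg = negotiate(device_allowed, origin_prefs)
    ok = client_leg is not None and origin_leg is not None
    return ("inspected" if ok else "handshake_failure", client_leg, origin_leg)


BROWSER = [CHACHA, AES128, AES256]  # browser offers a suite the device lacks
ORIGIN = [CHACHA, AES128]           # origin prefers that newer suite
LEGACY_ORIGIN = [RC4]               # origin that only speaks a deprecated suite
DEVICE = [AES256, AES128]           # device predates CHACHA and excludes RC4

if __name__ == "__main__":
    print(pass_through(BROWSER, ORIGIN, DEVICE))      # endpoints pick CHACHA
    print(full_proxy(BROWSER, ORIGIN, DEVICE))        # each segment picks its own
    print(full_proxy(BROWSER, LEGACY_ORIGIN, DEVICE)) # origin segment refused
```

In the second case the browser sees one suite while the origin segment runs another, so the device's allow-list, not the browser's, sets the strength of the connection to the server. The third case fails the handshake rather than falling back to a suite outside that list.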

What are the benefits of a full proxy-based architecture?

Thunder SSLi can adjust the cipher suite selection for SSL encryption by renegotiating to a different cipher suite of similar strength. This makes Thunder SSLi future-proof against a new cipher or TLS version that could be introduced to the network without notice, and without compromising your network. Thunder SSLi ensures traffic is encrypted using the most secure ciphers, eliminating the use of compromised ciphers.

Cipher Suites: TLS 1.2 and TLS 1.3

“Cipher suites for TLS 1.2 and 1.3” by Halub3 is licensed under CC BY-SA 4.0

*** This is a Security Bloggers Network syndicated blog from A10 Networks Blog: Cyber Security authored by A10 Networks. Read the original post at: https://www.a10networks.com/blog/cipher-suite-update-no-issue-with-proxy-based-architecture/