Network technologies and trends

Jan 27 2017   2:39PM GMT

Are Next Generation Firewalls capable of supporting SSL/TLS interception?

Yasir Irfan


These days most of the traffic that passes through networks is SSL/TLS. People used to believe that by using SSL encryption they were free from attacks and could protect their organisations from callbacks, malware, etc. However, trends are changing, as attackers are capable of sending malware inside the encrypted SSL tunnel. Unless one decrypts the SSL/TLS traffic, one can't detect what is in the packet.

Looking at these challenges, most Next Generation Firewalls started offering SSL interception for both incoming and outgoing traffic from the enterprise network. This is one added value anyone can get from a Next Generation Firewall, as it can intercept both incoming and outgoing SSL traffic. Does this mean they are capable of handling all the SSL traffic that passes through them?

If the intercepted SSL/TLS traffic is of low volume (a few megabytes), then to a certain extent yes, Next Generation Firewalls are capable. However, this no longer holds when the volume of intercepted traffic increases. They often tend to underperform, consume all the hardware resources, and finally stop working.

The better alternative is to have dedicated SSL decryptors. Leading companies like A10, Blue Coat and F5 offer dedicated SSL appliances which are capable of decrypting and re-encrypting large volumes of SSL/TLS traffic. One can rely on dedicated SSL appliances, as they are capable of supporting huge throughput and can intercept huge volumes of SSL/TLS traffic without any performance degradation.
