Scale SSL/TLS Visibility
Decrypting SSL/TLS traffic on large high-speed links has been considered unachievable. Historically the most common strategy to scale network security has been vertical scaling of devices, i.e. buying ever larger devices. For SSL/TLS traffic visibility this approach doesn’t work as even the largest security devices face an unacceptable performance degradation when trying to decrypt SSL traffic in order to inspect it.
As a result, most organizations simply leave encrypted traffic uninspected. However encrypted traffic now represents the majority of traffic on any link, and the expectation is that in the near future close to 100% of network traffic will be encrypted.
As Enterprises step up their use of encryption to protect themselves, advanced persistent threats and malicious content being delivered over SSL/TLS is increasing rapidly. Leaving encrypted traffic uninspected is no longer a viable option and decryption and inspection should be a component of every Enterprise network security operation.
Corsa is a proud Symantec Technology Integration Partner (TIPP)
Symantec’s SSL/TLS Visibility Appliance (SSLVA) products seamlessly expand to 10G/40G/100G of visibility with Corsa network security scaling technology.
With its patented SmartWire technology, Corsa NSE7200 used as a load balancer provides a simple way to scale SSL/TLS decryption infrastructure horizontally, i.e. by splitting work between more devices, so you can inspect 100% of your traffic. This is really the only feasible approach, since SSL/TLS decryption is processed more efficiently with a greater number of decryption processors sharing the load, rather than with a single larger device.
Symmetry is the Key
In order to perform SSL decryption, both directions of any flow always need to pass through the same decryption device. Corsa’s load balancing technology with member synchronization ensures that this happens, including automatic re-balancing if a link failure is detected.
As devices are added and removed, each side of the conversation is always directed to the same physical or virtual appliance. By design, synchronization between two load balance groups on each side of the SSL decryption appliance is guaranteed.
Advanced wire abstraction model (Corsa SmartWire)
Symmetrical load balancing of bidirectional traffic between up to 128 instances of in-line appliances
Flow symmetry to ensure both directions of the flow always go to the same appliance
SSL/TLS Scale When and Where Needed
NSE7200 supports 10G, multiple-10G and 100G interfaces in our SmartWire technology with all ports and the full bandwidth of the appliance available for use right from the time of purchase.
You can start building out your SSL/TLS visibility infrastructure on one or two North-South 10G links. As your network traffic grows, you can add more 10G links between the upstream and downstream routers, without having to change topology and without needing to purchase more bandwidth or more ports on the NSE7200.
Independently of the North-South path upgrades, you can keep adding more SSL/TLS Visibility appliances as needed to scale the inspection capabilities.
And when it makes sense, you can even upgrade to 100G interfaces on your routers, without having to fork lift your SSL/TLS Visibility infrastructure.
Enable horizontal scaling of SSL decryption appliances on 10G, multiple-10G and 100G links
Full bandwidth and all ports available right from time of purchase
Seamlessly add decryption appliances into the same topology when needed
Path to Virtualized Infrastructure
Even with horizontal scalability SSL/TLS decryption still requires purpose built hardware appliances to be able to handle traffic volumes in modern networks. However, with the growing advantages of virtualized infrastructure and the cloud, customers are increasingly looking at ways to move network security into virtual appliances.
Corsa NSE7200 provides a simple way to add virtual appliances running on general purpose server hardware into the same network path as physical appliances. You can add logical sub-interfaces corresponding to each virtual appliance to the same load balance groups that already contain physical interfaces. Everything continues to behave the same way with flow symmetry guaranteed in both directions.
Scale out to virtual and/or physical decryption and inspection appliances
Deploy into existing network without having to add VLANs, IP addresses or making routing changes
Simple 5 step configuration in under 10 minutes