New Version of SSLV Appliance Sets Enterprise Standard for Decryption

Among the ongoing trends is the growth in data traffic over enterprise networks. The “new normal” of vast numbers of people working remotely have made them increasingly dependent on the internet and cloud applications to remain productive. This is fostering a boom in cloud-delivered security solutions, but it’s also increasing the demand for high performance, data center tools for companies that prefer a hybrid infrastructure.

The importance of performance for both on cloud and edge alike is compounded by the ever-increasing pervasiveness and complexity of encryption. With an increasing amount of SSL/TLS traffic going through data centers, it is imperative that on-prem security devices keep up. A proven way to provide scale for SSL/TLS inspection is with a purpose-built device that sits between the client and server which decrypts traffic, feeds all inspection tools, and re-encrypts it at the same strength.

Today, I’m happy to share that Symantec, as a division of Broadcom, is releasing a new version of our industry-leading SSL Visibility Appliance to supply the powerful network information security tool needed to provide this enhanced level of encrypted communications.

In conjunction with the announcement, I recently sat down with Kevin Hohenbrink, product manager for the Symantec SSL Visibility Appliance. We spoke about the newest model and how it benefits our customers and enterprises everywhere. Here are some excerpts from our conversation:

TM: I saw that there was some exciting news about the SSL Visibility Appliance coming out with a new model. But before we get into that, what does the SSL Visibility Appliance - or what we call “SSLV” - do for our customers?

KH: That’s a great question! The SSL Visibility appliance portfolio is a very comprehensive, extensible solution for ensuring very high-security encryption communications. While other vendors only support a handful of cipher standards, the SSL Visibility Appliance portfolio provides timely and complete standards support, with up to 100 Cipher Suites, including RSA, Diffe-Hellman (DHE), Elliptic Curve (ECDHE), and more, as well as all the official internet standards for high security encrypted communications from TLS 1.1 to the most recent protocol, TLS 1.3, which SSLV was the first to support without downgrading.

TM: The SSL Visibility Appliance has been managing encrypted traffic for years and has really led the pack. I just happened to look at the latest Data Sheet that you guys posted and there’s a new version. So, tell us about that and why is it significant?

KH: We’re introducing a new platform, the SV-S550-20. Its performance has effectively doubled for Inspected Throughput of up to 20-Plus Gbps along with dramatic improvements in our 4K key sizes up to 24,000 handshakes. What drove the introduction is the market continuing to see growth in the volume of encrypted traffic and our customers upgrading their network infrastructure to accommodate this with faster network pipes beyond 10 Gbps. They have upgraded to 40-to-100 Gbps network infrastructure. In addition, the market is also moving to larger key sizes like RSA 4K certificates which require greater performance.

We’ve increased the port density and the network connectivity to address customers upgrading to larger network sizes with up to 20-by-10 Gb network interface cards, up to 10-by-40 Gb ports, and 2-by-100 NIC option cards for the Appliance. We’ve also increased the Concurrent SSL Flows with a custom QAT, which is Intel’s Quick Assist Technology. QAT is a hardware assist to help with increasing the Concurrent SSL Flows. We could support up to 2.5 million Concurrent Flows, which is about a 2-1/2 times increase over the previous platforms.

TM: I heard you mention 20 Gbps and that is just a massive amount of throughput. So, this addition to the SSLV portfolio is not for your typical donut shop- but instead for a bigger customer. So, tell us who are the types of customers who would be looking for this extensive capability?

KH: Large financial institutions; federal, local, and state governments; and healthcare customers are common customers for SSLV. They have a need for an on-prem solution that delivers on higher performance as they’ve seen significant growth in TLS and SSL traffic as well as a need for greater port density as they continue adding security tools to their traffic management and their forensics infrastructure.

TM: SSLV has always supported non-Symantec products as well, which I always thought was compelling. Does the new model continue to support non-Symantec network security tools?

KH: Yes, we continue to support 3rd party as well as Symantec products. We recognize that customers have multiple devices. The new solution, just like the existing portfolio, feeds active and passive devices simultaneously and complements the existing security solutions, such as DLP, IPS, NextGen FireWalls, and sandboxing, as well as our own proxy.

TM: That’s great! Another thing I noticed on the data sheet – among the big numbers you’re throwing out there -- is the amount of SSL decryption it can do on behalf of a proxy or “off-loaded” from a proxy, and the throughput is different for a standard scenario. Can you explain why that is?

KH: For proxy segments, the SSL Visibility Appliance needs to handle effectively two sessions: one for each side (client vs. server) of the proxy versus a classic segment that only handles a single session for a client-to-server connection. So, think in terms of the 20-Gb number we talked about earlier. It’s cut in half because you’re handling two sessions, one for each side of the proxy. That’s why the performance is different in a proxy off-load.

TM: It’s great that we can do that for the proxy. I know a lot of customers appreciate that flexibility. It’s not just any proxy, right? Does this work for non-Symantec proxies?

KH: Because of the signaling we use, it does not. We have a proprietary protocol that informs the proxy that an upstream TLS decryption is being performed. This ensures that the proxy will not initiate outbound requests assuming decrypted destinations. It ensures that cookies and alike are not sent out in the clear for operations like cache refresh and proxy prefetch operations.

TM: Right. So, one more question. The new model is running our 5.x series of software. Can existing customers who don’t have that hardware upgrade to the 5.x or are they stuck on 4.x still?

KH: The 5.2x software version introduced with the new SSL S550-20 only runs on the new S-Series hardware. We will continue to maintain the 4.5 branch of software that runs on the SV800, SV1800B, SV2800B, SV3800B and SV3800B-20 models. At some point in the future, when we have replacement models, we’ll have solutions for those models.

TM: Great!

In closing, I’d like to point out that at Symantec we see a growing number of our customers accelerating their move to the cloud. Despite this, the overwhelming majority of our largest enterprises -- nearly all, in fact -- have a strong on-premises infrastructure presence.

For this reason, it’s vitally important to look at the new SSLV platform. For those customers who find that their existing platform is fast reaching capacity, especially if SSL/TLS traffic is growing, it’s important to consider migrating. The good news is that the new platform is already data-tested and ready for release. It offers you the same value that has made the SSLV portfolio the gold standard in encryption technology. It assures you of the highest security encryption without any downgrading. That’s the value you will only find with the Symantec SSL Visibility Appliance.