Over the holidays the SSL Visibility team released software version 4.2.2 enabling new features, keeping pace with customer demand. There are several enhancements, but here are a few that stood out:
A Hardware Security Module (HSM) provides additional security for storing cryptographic keys and certificates. The SSL Visibility Appliance (SSLV) can use a network-attached HSM appliance to store resigning CA keys, and to perform digital signature operations. The SSL Visibility Appliance interacts with an HSM on its management interface. SSLV exchanges signing requests and responses with the attached HSM appliance, over HTTPS.
Once mutually authenticated with the HSM, SSLV can send certificate digests to the HSM so that the HSM can sign these using the Intermediate CA private key that is stored in the HSM. The digitally signed digest is then returned to SSLV for inclusion in the re-signed server certificate that is sent to the client. SSLV can be configured to access multiple HSM devices for resiliency and an individual HSM device may be accessed by multiple SSLV appliances and if needed by ProxySG devices as well.
Asymmetric Traffic enables where the packets for both directions of a network flow are seen on different network interfaces on the SSL Visibility Appliance. Asymmetric routing is the normal use case for asymmetric segments. This is where the network for management reasons decides to route traffic so that inbound and outbound packets are sent over different paths. Using an asymmetric segment to support situations where a customer is using Link Aggregation to bond two links together to provide higher bandwidth.
SSLV now supports the creation of a ProxySG Segment that enables customers to extend an additional active appliance on either side of a proxy within a single segment. This new segment allows a device such an IPS (Intrusion Prevention System) to be used in conjunction with a proxy without the need for decryption and re-encryption on each inter-device hop.
This is significant as it is often desirable to process network traffic through multiple different security appliances amortizing the cost of SSL decryption service across multiple heterogeneous devices. As new value-added services require tighter, and in cases, custom integration with each device, supporting dedicated physical interfaces to each device becomes the next architectural step.
Last release (4.2.1) gave us TLS 1.3 support for draft 18-21. Now with the new features in 4.2.2, you may want to update your software today. If you have any questions, please contact your Symantec account team.