The Security vs. Usability Tradeoff

There is a tradeoff in any network between making it super secure and making it easy and accessible for users. With the push to Bring Your Own Device (BYOD) to work, IT departments have taken a step forward to show that they care about their users' experience, but the tradeoff mentioned earlier forces them a step backwards in security, because it's hard to control people and what they do once you give them access.

The DPI Solution

Firewalls that have Deep Packet Inspection (DPI) technology give network admins a nice little security blanket to help cover any security holes that were missed, such as crazy users doing crazy things. They've been around for a while on most decent firewalls (no, I'm not talking about the built-in firewall in your home or small business router; if you spent less than $400 on your firewall, it likely does not have DPI).

DPI Explained and Its Limitations

To put it simply, a firewall with DPI can watch packets of information flowing back and forth, open them up and check for virus signatures. If it thinks something is a virus, it just throws the packet out into the internet ether, protecting whatever its destination (or source) was from further damage. The hitch is, DPI will typically only work for traffic that the firewall can see. Encrypted traffic is designed so that no device in between the two endpoints can see it. That's why encryption was invented - to add protection - but ironically, it limits the firewall from doing its job!

Now, with your father's internet this hasn't been a big deal, as SSL-encrypted sites were usually reserved for just login pages and the rest of the site was not encrypted. Nowadays (times they are always a changing), all sites are in a mad rush to encrypt all traffic to help ensure the prolific perusing eyes are not able to watch. This of course was catalyzed by leaked NSA documents and the subsequent push by Google for more security and to rank sites higher that have a secure website.

What Next?

I've seen this trend for a while now and I think we're at a crossroads where we really have to push for DPI over SSL/TLS in order to head off the next rounds of major security breaches. So what's a network admin to do?

Well, for one, DPI over SSL/TLS technology already exists, but it's only available in the really high-end firewalls, which are out of the price range of most Small Business (SMB) customers.
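
To make the limitation described above concrete, here is an added example (not from the original post and not any vendor's code): a toy signature check that drops a plaintext download, reports the same bytes as opaque once they sit inside a TLS record, and catches them again when the firewall can decrypt. The signature, key and traffic are constructed, and `toy_cipher` is a labelled stand-in for real TLS encryption; "holding the session key" is a simplification of how DPI over SSL/TLS sits in the middle of the connection.

```python
import hashlib
import struct

# Constructed byte pattern standing in for one entry in a firewall's signature set.
SIGNATURES = [b"CONSTRUCTED-TEST-VIRUS-SIGNATURE"]
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a plausible TLS record header."""
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4 and length > 0


def inspect(payload: bytes) -> str:
    """'drop' on a signature hit, 'opaque' for TLS the firewall cannot read, else 'pass'."""
    if any(sig in payload for sig in SIGNATURES):
        return "drop"
    return "opaque" if looks_like_tls(payload) else "pass"


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for TLS record encryption: SHA-256 keystream XOR (symmetric, NOT real TLS)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def tls_record(ciphertext: bytes) -> bytes:
    """Prefix an application_data (type 23) record header with version bytes 3,3."""
    return struct.pack("!BBBH", 23, 3, 3, len(ciphertext)) + ciphertext


def inspect_intercepted(record: bytes, session_key: bytes) -> str:
    """Model of DPI over SSL/TLS: the firewall holds the session key, so it decrypts first."""
    return inspect(toy_cipher(session_key, record[5:]))


# Constructed sample traffic.
SESSION_KEY = b"constructed-session-key"
DOWNLOAD = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + SIGNATURES[0]
ENCRYPTED = tls_record(toy_cipher(SESSION_KEY, DOWNLOAD))

if __name__ == "__main__":
    print(inspect(DOWNLOAD), inspect(ENCRYPTED), inspect_intercepted(ENCRYPTED, SESSION_KEY))
```

Counting the "opaque" verdicts on a real link is a quick way to see how much traffic a non-decrypting firewall is waving through uninspected.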

The Solution

For the past several months I've been wondering about how to solve this for clients in the years to come, and I read today that SonicWALL is making this technology available in their mid-grade firewalls, which are much more affordable for small businesses. I must say a huge bravo to SonicWALL for clearly making the right move to help them protect their SMB networks.

Now I finally have a solution to offer, and if you own a SonicWALL, you may want to make plans this year to upgrade to a device that supports DPI over SSL and make sure your network admin configures it (unfortunately, the configuration is NOT a click-once type of setup). Be sure to check out SonicWALL's special upgrade prices, which are a great deal and very easy to do.

Nerd is the New Jock

