Traditional WAN Acceleration Increases Attack Surface
Publish date: 7/6/2020
Edit 8/17/21: Many of our customers run NitroAccelerator over their existing WAN Acceleration & Monitoring solutions. We discovered the potential vulnerability in the article below about 6-8 months before it was widely publicized. We are not in the business of publicly publishing security vulnerabilities found within traditional WAN Acceleration solutions, but we do notify existing customers of issues that we find within them. We take security seriously and do not recommend solutions that require additional hardware or proxies. We value transparency in action above our internal sales processes. If your network has been compromised, we have a solution that will only allow NitroAccelerated connections access to specific endpoints. If you are not a Nitrosphere customer, but you are experiencing a Priority 1: Critical breach, please email [email protected] and we will get back to you immediately with an extended free trial of our solution.
As WAN Acceleration options continue to expand, many of the newer solutions appear to sacrifice security for speed. Traditional WAN Acceleration often requires additional hardware that stores sensitive data on a separate drive. If a hacker gets control of these devices, they will have access to all the corporate data that they contain. If the WAN Acceleration hardware is exploited, one would not need to hack file servers to get access to the certificates required to decrypt and monitor network transfers. This makes it a prime target for hackers and drastically increases the attack surface of traditional WAN acceleration.
If one were to show your IT department a diagram of a traditional WAN Hardware Accelerator, the issue would quickly become apparent. Where is sensitive data stored on the network?
Many traditional solutions claim that there is ‘no good way to optimize, compress or cache information from encrypted connections’, and their solutions have been built around the belief that acceleration must be separated from the security of the network in order to work.
Nitrosphere has disproved this common belief by inserting its acceleration and encryption processes directly on the clients and servers without requiring additional proxies or complex network configuration. NitroAccelerator does not rely on pushing sensitive data out across the entire network or into a central repository for hackers before accelerating.
How Nitrosphere Accelerates Without Increasing Attack Surface
NitroAccelerator only stores the data being queried by the specific client, as a kernel cache in memory. Sensitive data is never stored on the actual disk or on external hardware. The result is a lightweight and secure starting point for its acceleration and encryption processes to operate. This solution allows NitroAccelerator to work with local security instead of undermining it through insecure distribution.
In the second figure, we can see that NitroAccelerator is improving network performance without increasing the attack surface by not relying on unnecessary proxy configurations or additional hardware.
Below is a quick breakdown of shared benefits and areas of concern in security that NitroAccelerator directly addresses: