18. A Functional Overview: SSL Security Service Orchestration
[Diagram: SSL Decryption (Intercept/Bypass) -> Classification -> SSL Encryption, with the SSL Security Service Engine sitting between the client-side and server-side legs and the Application at the far end]
Classification inputs:
• IP Reputation
• Source IP
• Destination IP
• IP Geolocation
• Destination Port
• Domain Name/SNI
• URL Filtering Category
• Protocol
Cipher Diversity: The proxy architecture allows for independent control of client-side and server-side ciphers and protocols, and is impervious to mismatch conditions.
SSL Flow: Ingress (inbound) and egress (outbound) flow. SSL decryption occurs based on the classification service chain assigned; the action is either to intercept (decrypt) or to bypass.
19. A Functional Overview: SSL Security Service Orchestration
[Diagram: SSL Decryption (Intercept/Bypass) -> Classification -> Web Gateway, DLP/ICAP, IDS/TAP, IPS/NGFW -> Application]
Dynamic Device Support:
• Inline HTTP (Web Proxy)
• Inline Layer 3
• Inline Layer 2
• DLP/ICAP
• TAP Security Devices
20. A Functional Overview: SSL Security Service Orchestration
[Diagram: SSL Decryption (Intercept/Bypass) -> Classification -> Dynamic Service Chain -> SSL Encryption -> Application. Three chains are drawn:
• Other: Decryption [Intercept] -> IDS/TAP, IPS/NGFW -> Re-Encryption
• HTTPS: Decryption [Intercept] -> Web Gateway, DLP/ICAP, IDS/TAP, IPS/NGFW -> Re-Encryption
• Finance: Decryption [BYPASS] -> IPS/NGFW]
Dynamic Service Chaining: Context-based classification policies allow different types of traffic to flow through different chains of reusable security services.
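The classification inputs on slide 18 and the three chains on slide 20 are easiest to reason about as an ordered rule table: each rule tests flow attributes (SNI, destination port, URL category, IP reputation, source subnet) and yields an intercept/bypass decision plus a named chain of reusable services. The following is an added example written for this page, not F5 SSL Orchestrator code; the flow attribute names, rule names, chain names and the 10.99.0.0/16 test subnet are constructed assumptions.

```python
"""Constructed model of context-based classification feeding a dynamic service chain.

Added example, not F5 SSL Orchestrator code. Flow attribute names, rule
names, chain names and the test subnet are illustrative assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Reusable security services grouped into named chains (layout of slides 20 and 24).
SERVICE_CHAINS = {
    "https_full":     ["Web Gateway", "DLP/ICAP", "IDS/TAP", "IPS/NGFW"],
    "other_tcp":      ["IDS/TAP", "IPS/NGFW"],
    "finance_bypass": ["IPS/NGFW"],   # stays encrypted; only an L3/L4-capable service sees it
    "test_chain":     ["DLP/ICAP", "Web Gateway", "IDS/TAP", "IPS/NGFW"],
}


@dataclass
class Flow:
    """The classification inputs listed on slide 18, as known at the ClientHello."""
    src_ip: str
    dst_ip: str
    dst_port: int
    sni: str = ""
    protocol: str = "tcp"
    url_category: str = "uncategorized"
    ip_reputation: str = "clean"      # constructed values: clean | suspicious | malicious
    geo: str = "US"


@dataclass
class Rule:
    name: str
    match: Callable[[Flow], bool]
    action: str                       # "intercept" (decrypt) or "bypass"
    chain: Optional[str]              # key into SERVICE_CHAINS, or None for no services


def _in_net(ip: str, cidr: str) -> bool:
    return ip_address(ip) in ip_network(cidr)


# Evaluated top to bottom; first match wins, so the ordering is itself policy.
RULES: List[Rule] = [
    # Regulated or privacy-sensitive categories are never decrypted, but still pass the IPS.
    Rule("finance-bypass", lambda f: f.url_category in ("finance", "healthcare"),
         "bypass", "finance_bypass"),
    # Known-bad peers get the heaviest chain regardless of port or protocol.
    Rule("bad-reputation", lambda f: f.ip_reputation == "malicious",
         "intercept", "https_full"),
    # Assumed test subnet: exercise a candidate chain before production traffic uses it.
    Rule("test-traffic", lambda f: _in_net(f.src_ip, "10.99.0.0/16"),
         "intercept", "test_chain"),
    # HTTPS on 443 with an SNI: full web chain.
    Rule("https", lambda f: f.dst_port == 443 and f.sni != "",
         "intercept", "https_full"),
    # Any other TLS over TCP (e.g. SMTPS, IMAPS): lighter chain without the web-only services.
    Rule("other-tls", lambda f: f.protocol == "tcp",
         "intercept", "other_tcp"),
]


def classify(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str, Optional[str]]:
    """Return (rule_name, action, chain) for the first matching rule.
    An unmatched flow falls through to bypass with no services, i.e. it is
    forwarded uninspected; the default is named in the result so it can be
    counted and alerted on rather than silently accepted."""
    for r in rules:
        if r.match(flow):
            return r.name, r.action, r.chain
    return "default-bypass", "bypass", None


def service_path(flow: Flow) -> Tuple[str, List[str]]:
    """Expand the decision into the ordered hop list the slide diagrams draw."""
    name, action, chain = classify(flow)
    hops = ["Decryption [Intercept]" if action == "intercept" else "Decryption [BYPASS]"]
    hops.extend(SERVICE_CHAINS.get(chain, []))
    if action == "intercept":
        hops.append("Re-Encryption")   # the proxy re-encrypts with its own server-side cipher choice
    return name, hops


if __name__ == "__main__":
    for f in (Flow("10.1.2.3", "203.0.113.10", 443, sni="bank.example", url_category="finance"),
              Flow("10.1.2.3", "203.0.113.20", 443, sni="www.example"),
              Flow("10.1.2.3", "203.0.113.30", 8443),
              Flow("10.99.5.5", "203.0.113.20", 443, sni="www.example")):
        print(f.sni or f.dst_ip, "->", service_path(f))
```

Two design points carry over to a real deployment: the bypass rule for regulated categories must sit above the generic HTTPS rule or it never fires, and the fall-through default should be visible in logs, because every flow that lands there is traffic no service ever saw.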
21. and 22. (Repeat of slide 20's diagram and Dynamic Service Chaining callout.)
23. A Functional Overview: SSL Security Service Orchestration
[Diagram: the Other, HTTPS and Finance chains from slide 20, with a yellow % marker on a scaled group of security devices]
Dynamic Scaling: A full proxy architecture provides for robust load balancing, monitoring and independent scaling of any number of security devices.
24. A Functional Overview: SSL Security Service Orchestration
[Diagram: four chains:
• Other: Decryption [Intercept] -> IDS/TAP, IPS/NGFW -> Re-Encryption
• HTTPS: Decryption [Intercept] -> Web Gateway, IDS/TAP, IPS/NGFW -> Re-Encryption
• Finance: Decryption [BYPASS] -> IPS/NGFW
• Test Traffic: Decryption [Intercept] -> DLP/ICAP, Web Gateway, IDS/TAP, IPS/NGFW -> Re-Encryption]
Dynamic Evaluation: The ability to dynamically introduce and evaluate new services and service chains with test traffic before altering production designs.
Note: this presentation presumes that the Account Manager or Systems Engineer has already introduced the SSL Visibility challenges or highlighted the benefits and impacts of encryption on security.
This is intended to be an animated, graphical representation of the key challenges in SSL Visibility and the solution set that SSL Orchestrator offers.
Privacy and security concerns are driving encrypted traffic growth, which is expected to represent 70 percent of all Internet traffic this year. As more traffic is encrypted with SSL, the security tools that you trust and rely upon become less effective due to the increasing SSL blind spot.
Source:
https://www.sandvine.com/downloads/general/global-internet-phenomena/2015/encrypted-internet-traffic.pdf
Using TLS To Hide Malware
Google reports that 93% of web traffic it encounters uses encryption. That’s great – it means that network packets, which can hold any info you send or receive over the internet, from private communications to your credit card number, are very likely to be shielded from interception en route.
Various types of malware have been coded to use TLS as a shield of their own, however. In 2016, Cisco reported some 12% of malware taking advantage of TLS protocol. One year later, Cyren claimed that 37% of malware was using HTTPS; while Zscaler saw closer to a 60% average. (Of course, these companies do have cybersecurity products to sell.)
With more and more information being encrypted, customers are having a difficult time detecting and assessing threats in encrypted traffic. Organizations are effectively blind to potential threats; existing security architectures and security solutions are inadequate. This ultimately forces administrators to make a choice: let the traffic go uninspected, or suffer extreme application performance losses.
And those inspection devices are already doing a hard job.
[Red X] Impacts of outages in daisy chain
[Yellow %] Impact of performance limits, capacity, usage or oversubscription
Note: Caution, this demonstrates an “extreme” use case; most customers may just have 2 or 3 daisy-chained systems. Customers may also use routing designs to fully bypass on failure (not ideal for security or compliance reasons), but this is implemented in certain customer use cases.
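The outage (red X) and capacity (yellow %) markers above describe two failure modes of a serial daisy chain that a load-balanced, independently scaled pool per service is meant to remove. The following is an added example written for this page, not F5 code: it models chain availability for both designs, works out how many pool members a target availability needs, and shows the difference between failing open (skip the unhealthy service, which is the bypass-on-failure the note calls not ideal) and failing closed. Device availabilities, pool sizes and the fail-open set are constructed assumptions.

```python
"""Constructed model of chain availability and per-service failure handling.

Added example, not F5 code. Device availabilities, pool sizes and the
fail-open set are illustrative assumptions.
"""
from typing import Dict, Iterable, List, Set, Tuple


def daisy_chain_availability(device_availabilities: Iterable[float]) -> float:
    """Serially daisy-chained devices: the chain is up only if every device is up,
    so per-device availabilities multiply and each hop added lowers the total."""
    a = 1.0
    for p in device_availabilities:
        a *= p
    return a


def pool_availability(member_availability: float, members: int) -> float:
    """A load-balanced pool of identical, independently failing members is down
    only when all of its members are down."""
    return 1.0 - (1.0 - member_availability) ** members


def chain_of_pools_availability(pools: Dict[str, Tuple[float, int]]) -> float:
    """Full-proxy design: the chain is still serial over services, but each service is
    a monitored pool, so each hop contributes pool_availability, not one device."""
    a = 1.0
    for member_availability, members in pools.values():
        a *= pool_availability(member_availability, members)
    return a


def members_for_target(member_availability: float, target: float, limit: int = 16) -> int:
    """Smallest pool size whose availability reaches `target` (the scaling decision
    behind the yellow % marker); returns limit + 1 if it cannot be reached."""
    for n in range(1, limit + 1):
        if pool_availability(member_availability, n) >= target:
            return n
    return limit + 1


def route(chain: List[str], healthy: Dict[str, int],
          fail_open: Set[str]) -> Tuple[bool, List[str], List[str]]:
    """Decide whether a flow may traverse `chain` given health-monitor results.
    healthy maps service -> number of members currently passing their monitor.
    A service with no healthy member is skipped if it is in fail_open (the flow
    continues, uninspected by that service, which should be logged); otherwise the
    chain fails closed and the flow is not forwarded.
    Returns (forwarded, services_traversed, services_skipped)."""
    traversed: List[str] = []
    skipped: List[str] = []
    for svc in chain:
        if healthy.get(svc, 0) > 0:
            traversed.append(svc)
        elif svc in fail_open:
            skipped.append(svc)
        else:
            return False, traversed, skipped
    return True, traversed, skipped


if __name__ == "__main__":
    five = [0.999] * 5
    print("daisy chain of 5 devices at 99.9%%: %.5f" % daisy_chain_availability(five))
    pools = {s: (0.999, 2) for s in ("Web Gateway", "DLP/ICAP", "IDS/TAP", "IPS/NGFW", "Other")}
    print("same five services as 2-member pools: %.7f" % chain_of_pools_availability(pools))
    print("members needed for 99.9%% from 99%% devices:", members_for_target(0.99, 0.999))
    print(route(["Web Gateway", "DLP/ICAP", "IDS/TAP", "IPS/NGFW"],
                {"Web Gateway": 1, "DLP/ICAP": 0, "IDS/TAP": 2, "IPS/NGFW": 1},
                fail_open={"DLP/ICAP"}))
```

The model treats member failures as independent, which a shared upstream (power, switch, or the orchestrator itself) breaks; treat the pool numbers as an upper bound. The `fail_open` set is the policy knob the note is warning about: keeping it empty for the chains that carry regulated traffic is the fail-closed posture, and anything skipped should surface in monitoring rather than only in this function's return value.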
In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurance that session keys will not be compromised even if the server's private key is compromised. In practice this means a passive device holding a copy of the server's private key cannot decrypt sessions negotiated with ephemeral keys; inspecting them requires an inline proxy that terminates the TLS session itself.
So one of F5's key differentiators and value-add with regard to security is the fact that we provide it on a full proxy architecture.
And the value of a full proxy architecture for those who are not familiar can be analogous to the role that an escrow agent or an escrow officer might play in a real estate transaction. The reason for the escrow officer is to protect the buyer from the seller and the seller from the buyer by acting as an independent third party or a neutral third party to protect the buyer and the seller. And the role of this officer is also to inspect all elements of the transaction before allowing the transaction to be completed, safely and securely.
And in much the same way, F5's full proxy security looks at and examines all elements within the OSI stack. Because we are located at strategic points in the network and are by nature inspecting that traffic, it allows us to understand what's happening and take action on that traffic from an application perspective, from a session perspective and from a network session perspective, all throughout the stack.
{NOTE TO SPEAKER: F5 Mitigation Technologies:
Application: BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
Session: BIG-IP LTM and GTM: high scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
Network: BIG-IP LTM: SynCheck, default-deny posture, high-capacity connection table, full proxy traffic visibility, rate-limiting, strict TCP forwarding.
Network layer bullets:
L4 Stateful firewall – including TCP checksum checks, fragmentation and reassembly
DDoS mitigation
Session layer:
SSL inspection
SSL DDoS attacks
Application Layer:
OWASP top 10
Application content scrubbing (S -> C)}
Starting point
First pass – shows what's happening without SSL visibility
Highlight Classification capabilities
Highlight Cipher diversity and mismatch control
Highlight Inbound/Outbound Decryption
Highlight Device support
Highlight Service Chaining: Shown HTTP Flow
Highlight Service Chaining: Shown Other protocol flow with reduced service chain
Highlight Service Chaining: Shown Bypass flow on URL Category Finance
[Down Arrow] Talk about monitoring and bypass options
[Red X] Talk about system outage and scaling resources.
[Green Circle & Arrow] Talk about upgrading scaled group without impact
[Yellow %] Talk about scaling resources to address performance or bandwidth limits
Talk about leveraging service chains and traffic classification to dynamically evaluate new or upgraded security technologies.