Decrypting and Selectively Inspecting Modern Traffic
•
0 likes•113 views
Some Security equipment vendors claim that modern Perfect Forward Secrecy (PFS)-encrypted traffic cannot be decrypted inline. Alternative techniques must be used to locate malware hiding in such encrypted traffic, such as using Artificial Intelligence to guess if a security threat is present.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Decrypting and Selectively Inspecting Modern Traffic
Similar to Decrypting and Selectively Inspecting Modern Traffic (20)
Recently uploaded
Recently uploaded (20)
Decrypting and Selectively Inspecting Modern Traffic
- 1. | ©2018 F5 NETWORKS1
- 2. | ©2018 F5 NETWORKS2 1994 1995 1999 2006 2008 2009 2009 2011 2013 2014 2015 2016 SSL1 and SSL2 Netscape project that contained significant flaws SSL3 Netscape addresses SSL2 flaws TLS 1.0 Standardized SSL3 with almost no changes RFC2246 TLS 1.1 Security fixes and TLS extensions RFC4346 TLS 1.2 Added support for authenticated encryption (AES- GDM, CCM modes) and removed hard- coded primitives RFC5246 Insecure Renegotiation Beast Crime RC4 Time Lucky 13 Heart- bleed Poodle Dire Freak LogJam Zero-day Vulnerabilities 2013 23 - 2014 24 +4% 2015 54 +125% Symantec 2015 Internet Security Threat Report S N OW D E N M a n n i n g / A s s a n g e
- 3. | ©2018 F5 NETWORKS3 1994 1995 1999 2006 2008 2009 2009 2011 2013 2014 2015 2016 SSL1 and SSL2 Netscape project that contained significant flaws SSL3 Netscape addresses SSL2 flaws TLS 1.0 Standardized SSL3 with almost no changes RFC2246 TLS 1.1 Security fixes and TLS extensions RFC4346 TLS 1.2 Added support for authenticated encryption (AES- GDM, CCM modes) and removed hard- coded primitives RFC5246 Insecure Renegotiation Beast Crime RC4 Time Lucky 13 Heart- bleed Poodle Dire Freak LogJam Zero-day Vulnerabilities 2013 23 - 2014 24 +4% 2015 54 +125% Symantec 2015 Internet Security Threat Report S N OW D E N M a n n i n g / A s s a n g e 100% by 2020 Expected growth of TLS
- 4. | ©2018 F5 NETWORKS4 Encryption Creates a Blind Spot in Your Network MAKING THE SECURITY TOOLS YOU TRUST AND RELY ON LESS EFFECTIVE DLP Fire- walls Anti Virus APTIDS/ IPS
- 5. | ©2018 F5 NETWORKS5 Untrusted Networks | ©2018 F5 NETWORKS5 SSL traffic encryption is growing and that presents a challenge for our customers Most security architectures are not built for SSL encryption. Enabling SSL on NG security products impacts performance (80% degradation). 70% Cyber criminals are growing more sophisticated and evasive in their attacks Traditional network architectures are built for little or no encryption. Attackers are utilizing SSL-encrypted channels to evade network monitoring. Without security tools to inspect SSL traffic, attacker actions can go undetected. ResourcesSecurity Services SSL BLIND SPOT IPS DLP SWG Any Security Un-Encrypted Threat Encrypted Threat Apps Apps
- 6. | ©2018 F5 NETWORKS6 Public Key Cryptography RSA, most common Key exchange Diffie-Hellman (Ephemeral) Key agreement
- 7. | ©2018 F5 NETWORKS7 TLS 1.2 Handshake vs. TLS 1.3 Handshake 1 Client Hello 1 Client Hello Supported Cipher Suites Guesses Key Agreement Protocol Key Share 2 Server Hello Key Agreement Protocol Key Share Server Finished 3 Checks Certificate Generates Keys Client Finished Step Client Direction Message Direction Server 5 Server Hello Done 6 Client Key Exchange 7 Change Cipher Spec 8 Finished 9 Change Cipher Spec 10 Finished 3 Certificate 4 Server Key Exchange 2 Server Hello Step Client Direction Message Direction Server 88% of hosts prefer forward secrecy
- 8. | ©2018 F5 NETWORKS8 Issue with handling SSL Traffic on Security Devices Complexity in deployment and troubleshooting Multiple points of failure Increased network latency Multiple SSL/TLS Intercept points Users / Devices User Firewall Web Gateway DLP Anti-Malware IPS Firewall Internet Decrypt, Inspect, Re-encrypt Decrypt, Inspect, Re-encrypt Decrypt, Inspect, Re-encrypt Decrypt, Inspect, Re-encrypt
- 9. | ©2018 F5 NETWORKS9 Nobody Does SSL Better Worldwide ADC Market Share 1Q 2016* 45.4% Trusted by 48 of the fortune 50 All 15 Executive Departments of the US Cabinet 30 of the Top 30 US Commercial Banks Purpose Built Scale Performance Technology Secure F5 develops its own native SSL stack 240K SSL TPS and 80 Gbps of SSL Highest rating for performance- oriented SSL features Only SSL mirroring and hybrid crypto offload “A Grade” SSL rating out-of-the-box #1 Leader in SSL Offload Since 2001 *Source IDC
- 10. | ©2018 F5 NETWORKS10 SSL Visibility PROVIDE DECRYPTION AND ENCRYPTION OF SSL/TLS TRAFFIC, ENABLING TRAFFIC INSPECTION Next-Gen Firewall DLPMalware Protection Secure Web Gateway Next-Gen IPS UX Monitoring Eliminate the security blind spot User F5 SSL Orchestrator Apps
- 11. | ©2018 F5 NETWORKS11 Introducing F5 SSL Orchestrator • Purpose built, all-in-one SSL appliance • Provides security solutions with visibility into SSL/TLS encrypted traffic Key Features • SSL decrypt/encrypt at high performance • Selective decrypt / encrypt of specific traffic flows • Policy based inspection hand-off of decrypted traffic • Dynamic service chaining of security solutions • Load balancing of SSL traffic flows across security devices • Centralized and simplified management of certificates, encryption keys • Flexibility deployment for seamless fit into networks • Proxy architecture allows correct support for SSL ciphers and protocols, including Forward Secrecy Users / Devices User Firewall Internet F5 SSL Orchestrator Decrypt and steer (based on policy, bypass options, URL categorization Re-encrypt Firewall Web Gateway (Pool) AV (Pool) NGFW (Pool) IPS (Pool) DLP (Pool)
- 12. | ©2018 F5 NETWORKS12 Firewall Internet / Apps Firewall NGFW (Pool) IPS (Pool) Anti-Malware (Pool) DLP (Pool) Inline Insertion (L3 Mode) Inline Insertion (L2 Mode) Topology and Device Support ICAP SIEM Passive Decrypt and Steer Re-Encrypt SSL Orchestrator Users
- 13. | ©2018 F5 NETWORKS13 • Allows determination of decryption OR selection of services based on connection context • Policy based, dynamic Policy Based Dynamic Service Chaining Classification Engine • Source IP • Destination IP • IP intelligence • IP geolocation • Domain name • URL filtering category • Destination port • Protocol “We field over 12 different security services, and we struggle with using all of them effectively.” “We [currently] chain the security services statically leading to over provisioning and investment overruns.” “We want to pre-filter traffic going to [our Firewall] so we make more effective use of them.” Firewall Firewall Firewall IDS IPS IPS WAF WAF WAF DLP DLP Forensics 1 2 3
- 14. | ©2018 F5 NETWORKS14 SSL Orchestrator Ecosystem SSL Visibility Users SSL Orchestrator Internet / Apps
- 15. | ©2018 F5 NETWORKS15 Ecosystem and Partnerships F5 BIG-IP and Symantec DLP F5 BIG-IP and Palo Alto Networks NGFW F5 BIG-IP and FireEye NX
- 16. | ©2018 F5 NETWORKS16 F5 Labs Reports
- 17. | ©2018 F5 NETWORKS17 A Tale of SSL Certificates
- 18. | ©2018 F5 NETWORKS18 Why SSL Orchestrator is needed Gain visibility into SSL traffic with centralized SSL decryption across multiple security tools. Prevent attacks at stages of the attack including exploitation, callback, and data exfiltration. Flexible deployment options provides ease of integration with unique network topologies Protect existing investments in security infrastructure with better availability and utilization Dynamically chain services based on context- based policy to efficiently deploy security. Automatically insert security services with the appropriate configurations and policies
- 19. | ©2018 F5 NETWORKS19