| ©2018 F5 NETWORKS1
Timeline, 1994 to 2016: SSL/TLS versions and notable attacks

Protocol versions (year from the timeline axis):
- SSL1 and SSL2 (1994): Netscape project that contained significant flaws
- SSL3 (1995): Netscape addresses SSL2 flaws
- TLS 1.0 (1999): standardized SSL3 with almost no changes (RFC 2246)
- TLS 1.1 (2006): security fixes and TLS extensions (RFC 4346)
- TLS 1.2 (2008): added support for authenticated encryption (AES-GCM, CCM modes) and removed hard-coded primitives (RFC 5246)

Attacks on the timeline (2009 to 2016, in the order drawn): Insecure Renegotiation, BEAST, CRIME, RC4, TIME, Lucky 13, Heartbleed, POODLE, Dire, FREAK, Logjam

Zero-day vulnerabilities (Symantec 2015 Internet Security Threat Report):
  Year   Count   Change
  2013   23      -
  2014   24      +4%
  2015   54      +125%

Events marked on the timeline: Snowden; Manning / Assange
Expected growth of TLS: 100% by 2020
Encryption Creates a Blind Spot in Your Network
MAKING THE SECURITY TOOLS YOU TRUST AND RELY ON LESS EFFECTIVE
Tools affected: DLP, firewalls, anti-virus, APT detection, IDS/IPS
Untrusted Networks

SSL traffic encryption is growing and that presents a challenge for our customers. Most security architectures are not built for SSL encryption. Enabling SSL on NG security products impacts performance (80% degradation).

[Figure statistic shown on the slide: 70%]

Cyber criminals are growing more sophisticated and evasive in their attacks. Traditional network architectures are built for little or no encryption. Attackers are utilizing SSL-encrypted channels to evade network monitoring. Without security tools to inspect SSL traffic, attacker actions can go undetected.

Figure: SSL BLIND SPOT. Resources / Security Services (IPS, DLP, SWG, any security) sit between users and apps; the diagram contrasts an un-encrypted threat, which those services can see, with an encrypted threat that reaches the apps inside the SSL blind spot.
Public Key Cryptography
- RSA (most common): key exchange. The client encrypts the premaster secret under the server's long-term public key, so anyone who later obtains that private key can decrypt recorded sessions.
- Diffie-Hellman (ephemeral): key agreement. Each side contributes a fresh value per handshake and the shared secret never crosses the wire, which gives forward secrecy.
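The key agreement side of that slide, as an added example that is not F5 code: an ephemeral Diffie-Hellman exchange in which each party sends only its public value, both derive the same traffic key, and the private values are discarded after the handshake. The group parameters (the Mersenne prime 2**127 - 1 with generator 3) and the SHA-256 key derivation are assumptions chosen to keep the example self-contained; production code uses an RFC 7919 group or X25519, but the mechanics are identical.

```python
import hashlib
import secrets

# Added example, not F5 code. Toy parameters are an assumption for illustration:
# P is the Mersenne prime 2**127 - 1 and G = 3. Production code uses an RFC 7919
# finite-field group or X25519; the mechanics shown here are the same.
P = (1 << 127) - 1
G = 3


def dh_keypair():
    """Fresh private/public pair. 'Ephemeral' means one of these per handshake."""
    priv = secrets.randbelow(P - 3) + 2          # uniform in 2 .. P-2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Derive the shared group element; reject degenerate peer values first."""
    if not 2 <= peer_pub <= P - 2:               # 0, 1 and P-1 force a trivial secret
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def session_key(shared):
    """Hash the shared element down to a 256-bit traffic key (simplified KDF)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def ephemeral_handshake():
    """One DHE key agreement; returns (client_key, server_key) for comparison."""
    c_priv, c_pub = dh_keypair()                 # client's key share (ClientHello)
    s_priv, s_pub = dh_keypair()                 # server's key share (ServerHello)
    client_key = session_key(dh_shared(c_priv, s_pub))
    server_key = session_key(dh_shared(s_priv, c_pub))
    # Only c_pub and s_pub crossed the wire. Once the private values are gone,
    # a recording of the exchange cannot be turned back into the session key,
    # even by someone holding the server's long-term certificate key.
    del c_priv, s_priv
    return client_key, server_key


if __name__ == "__main__":
    first = ephemeral_handshake()
    second = ephemeral_handshake()
    print("both sides agree:", first[0] == first[1])
    print("fresh key per session:", first[0] != second[0])
```

This is why an inspection device cannot simply be handed the server's private key when forward-secret suites are negotiated: nothing it could learn from that key reveals the shared element, so it must terminate the client's TLS session itself and open a separate one to the server.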
TLS 1.2 Handshake vs. TLS 1.3 Handshake

TLS 1.2 (full handshake):
  Step  Message              Direction
  1     Client Hello         Client -> Server
  2     Server Hello         Server -> Client
  3     Certificate          Server -> Client
  4     Server Key Exchange  Server -> Client
  5     Server Hello Done    Server -> Client
  6     Client Key Exchange  Client -> Server
  7     Change Cipher Spec   Client -> Server
  8     Finished             Client -> Server
  9     Change Cipher Spec   Server -> Client
  10    Finished             Server -> Client

TLS 1.3:
  Step  Message / Action
  1     Client Hello (Client -> Server): supported cipher suites, guesses key agreement protocol, key share
  2     Server Hello (Server -> Client): key agreement protocol, key share, followed by Server Finished
  3     Client checks certificate, generates keys, sends Client Finished (Client -> Server)

88% of hosts prefer forward secrecy.
Issues with handling SSL traffic on security devices
- Complexity in deployment and troubleshooting
- Multiple points of failure
- Increased network latency
- Multiple SSL/TLS intercept points

Figure: Users / Devices -> Firewall -> Web Gateway -> DLP -> Anti-Malware -> IPS -> Firewall -> Internet, where each of the four inline inspection devices performs its own decrypt, inspect, re-encrypt.
Nobody Does SSL Better
- #1 worldwide ADC market share, 1Q 2016: 45.4% (*Source: IDC)
- Trusted by 48 of the Fortune 50, all 15 Executive Departments of the US Cabinet, and 30 of the top 30 US commercial banks
- Purpose built: F5 develops its own native SSL stack
- Scale: 240K SSL TPS and 80 Gbps of SSL
- Performance: highest rating for performance-oriented SSL features
- Technology: only SSL mirroring and hybrid crypto offload
- Secure: "A Grade" SSL rating out-of-the-box
- Leader in SSL offload since 2001
SSL Visibility
PROVIDE DECRYPTION AND ENCRYPTION OF SSL/TLS TRAFFIC, ENABLING TRAFFIC INSPECTION

Figure: User -> F5 SSL Orchestrator -> Apps, with the Orchestrator feeding decrypted traffic to Next-Gen Firewall, DLP, Malware Protection, Secure Web Gateway, Next-Gen IPS and UX Monitoring. Eliminate the security blind spot.
Introducing F5 SSL Orchestrator
• Purpose built, all-in-one SSL appliance
• Provides security solutions with visibility into SSL/TLS encrypted traffic

Key Features
• SSL decrypt/encrypt at high performance
• Selective decrypt / encrypt of specific traffic flows
• Policy based inspection hand-off of decrypted traffic
• Dynamic service chaining of security solutions
• Load balancing of SSL traffic flows across security devices
• Centralized and simplified management of certificates and encryption keys
• Flexible deployment for seamless fit into networks
• Proxy architecture (the Orchestrator terminates the client's TLS session and opens a separate one to the server) allows correct support for SSL ciphers and protocols, including Forward Secrecy, which passive decryption with a copy of the server key cannot handle

Figure: Users / Devices -> Firewall -> F5 SSL Orchestrator (decrypt and steer based on policy, bypass options and URL categorization; re-encrypt) -> Firewall -> Internet, with decrypted flows steered through Web Gateway (Pool), AV (Pool), NGFW (Pool), IPS (Pool) and DLP (Pool).
Topology and Device Support

Figure: Users -> Firewall -> SSL Orchestrator (decrypt and steer; re-encrypt) -> Firewall -> Internet / Apps. Inspection devices, deployed as NGFW (Pool), IPS (Pool), Anti-Malware (Pool) and DLP (Pool), are attached as inline insertion (L3 mode), inline insertion (L2 mode), ICAP, or passive (receive-only, e.g. SIEM).
Policy Based Dynamic Service Chaining
• Allows determination of decryption OR selection of services based on connection context
• Policy based, dynamic

Classification Engine inputs:
• Source IP
• Destination IP
• IP intelligence
• IP geolocation
• Domain name
• URL filtering category
• Destination port
• Protocol

Customer quotes:
"We field over 12 different security services, and we struggle with using all of them effectively."
"We [currently] chain the security services statically, leading to over-provisioning and investment overruns."
"We want to pre-filter traffic going to [our Firewall] so we make more effective use of them."

Figure: three service chains as drawn. Chain 1: Firewall, IDS, WAF, DLP, Forensics. Chain 2: Firewall, IPS, WAF, DLP. Chain 3: Firewall, IPS, WAF.
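What a classification engine over those inputs looks like in practice, as an added example that is not F5 code and does not reproduce SSL Orchestrator's own policy language: each flow is described by the slide's attributes (source and destination IP, IP intelligence, geolocation, domain name, URL category, port, protocol) and the policy decides whether to decrypt, bypass, or reset, and which service chain the decrypted flow is steered through. The flow records, category names, pool names and the rule set are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not F5 code. The attributes mirror the slide's classification
# inputs; the categories, pool names and rules below are assumptions.


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str                          # "tcp" or "udp"
    sni: Optional[str] = None              # domain name from the ClientHello
    category: Optional[str] = None         # URL filtering category, if known
    geo: Optional[str] = None              # destination country from IP geolocation
    ip_reputation: Optional[str] = None    # IP intelligence verdict, e.g. "malicious"


@dataclass
class Decision:
    action: str                            # "decrypt", "bypass" or "reset"
    service_chain: List[str] = field(default_factory=list)
    reason: str = ""


INTERNAL = ipaddress.ip_network("10.0.0.0/8")                  # assumed user subnet
PRIVACY_CATEGORIES = {"financial", "health", "government"}    # assumed: never decrypted
PINNED_HOSTS = {"updates.example-vendor.invalid"}              # assumed: pinned client
HOME_REGIONS = ("US", "CA")                                    # assumed: in-region destinations


def classify(flow: Flow) -> Decision:
    """Map connection context to a decrypt/bypass decision and a service chain."""
    src = ipaddress.ip_address(flow.src_ip)
    # 1. Known-bad destinations get no path at all, decrypted or otherwise.
    if flow.ip_reputation == "malicious":
        return Decision("reset", [], "IP intelligence: malicious destination")
    # 2. Only TLS on the expected ports is a candidate for interception.
    if flow.protocol != "tcp" or flow.dst_port not in (443, 8443):
        return Decision("bypass", ["firewall"], "not a TLS port")
    # 3. Privacy and compliance bypass keyed on URL category.
    if flow.category in PRIVACY_CATEGORIES:
        return Decision("bypass", ["firewall"], f"category {flow.category} exempt from decryption")
    # 4. Certificate-pinning clients would simply fail; bypass rather than break them.
    if flow.sni in PINNED_HOSTS:
        return Decision("bypass", ["firewall"], "certificate-pinned host")
    # 5. Everything else is decrypted; the chain is built from context.
    chain = ["firewall", "ips"]
    if src in INTERNAL:
        chain.append("dlp")                 # outbound data from users: exfiltration check
    if flow.category in (None, "uncategorized") or flow.geo not in HOME_REGIONS + (None,):
        chain.append("anti_malware")        # unknown or out-of-region destinations get detonated
    return Decision("decrypt", chain, "default decrypt policy")


if __name__ == "__main__":
    # Constructed sample flows (documentation address ranges, not real traffic).
    for f in (Flow("10.1.2.3", "203.0.113.10", 443, "tcp", sni="bank.example", category="financial"),
              Flow("10.1.2.3", "203.0.113.20", 443, "tcp", sni="files.example", category="uncategorized", geo="US"),
              Flow("10.1.2.3", "198.51.100.7", 443, "tcp", ip_reputation="malicious")):
        d = classify(f)
        print(f.sni or f.dst_ip, d.action, d.service_chain, "-", d.reason)
```

Ordering matters: reputation and protocol checks come first because they need no decryption, and the privacy bypass sits before any rule that would put a DLP device on the path, so regulated content never reaches a device that logs payloads.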
SSL Orchestrator Ecosystem
Figure: SSL Visibility. Users -> SSL Orchestrator -> Internet / Apps.

Ecosystem and Partnerships
- F5 BIG-IP and Symantec DLP
- F5 BIG-IP and Palo Alto Networks NGFW
- F5 BIG-IP and FireEye NX
F5 Labs Reports

A Tale of SSL Certificates
Why SSL Orchestrator is needed
• Gain visibility into SSL traffic with centralized SSL decryption across multiple security tools.
• Prevent attacks at stages of the attack including exploitation, callback, and data exfiltration.
• Flexible deployment options provide ease of integration with unique network topologies.
• Protect existing investments in security infrastructure with better availability and utilization.
• Dynamically chain services based on context-based policy to efficiently deploy security.
• Automatically insert security services with the appropriate configurations and policies.

Decrypting and Selectively Inspecting Modern Traffic
