Achieving Visibility/Control

Encryption Challenges: SSL/TLS Trends
TLS 1.2 vs. SSL 3.0, 2015 to 2017 (chart values as extracted; the two series are assigned in the order the values appear):

  Year   TLS 1.2   SSL 3.0
  2015     60%       34%
  2016     61%       25%
  2017     89%       11%

80% of sampled page loads use SSL/TLS.
SSL/TLS Encryption Business Drivers
- Heavy adoption of Microsoft Office 365
- Google Search results rankings
- Increased focus on user privacy
- Continuing growth and use of social networks
- Google Chrome browser warnings
- GDPR compliance
Even governments recognise the potential security issues.
- Complexity burdens IT with inefficiencies.
- Performance can degrade when decrypting at scale.
- Visibility is reduced due to the growth of SSL usage.
You can't secure what you can't see
- 70% of all Internet traffic is encrypted.
- 80% of page loads are now encrypted with SSL/TLS.
Source: TLS Telemetry Report, F5 Labs, April 2018
SSL/TLS Blind Spot
Diagram: traffic from Untrusted Networks passes through the Security Services stack. Encryption creates a blind spot in your network m
Inside that blind spot sit all three stages of an intrusion: Exploitation, Command & Control (C&C), and Data Exfiltration (Data).
Key exchange vs. key agreement
- RSA (most common): key exchange. The client chooses the premaster secret and sends it encrypted to the server's certificate key, so whoever holds that key can unwrap it.
- Diffie-Hellman (Ephemeral): key agreement. Both sides contribute a fresh public share and derive the secret locally; nothing that unwraps the secret ever crosses the wire.
Ephemeral key agreement: one round trip (the handshake shape TLS 1.3 standardised)

  Step  Client                                           Server
  1     Client Hello: supported cipher suites,
        guessed key agreement protocol, key share   -->
  2                                                 <--  Server Hello: chosen key agreement
                                                         protocol, key share; Server Finished
  3     Checks certificate, generates keys,
        Client Finished                             -->

RSA key exchange: full TLS 1.2 handshake, two round trips

  Step  Message               Direction
  1     Client Hello          Client -> Server
  2     Server Hello          Server -> Client
  3     Certificate           Server -> Client
  4     Server Key Exchange   Server -> Client
  5     Server Hello Done     Server -> Client
  6     Client Key Exchange   Client -> Server
  7     Change Cipher Spec    Client -> Server
  8     Finished              Client -> Server
  9     Change Cipher Spec    Server -> Client
  10    Finished              Server -> Client

Note: Server Key Exchange (step 4) is only sent for (EC)DHE suites, where it carries the server's signed ephemeral share. With plain RSA key exchange it is omitted, and the client's premaster secret travels, encrypted to the certificate key, in Client Key Exchange (step 6).

88% of hosts prefer forward secrecy.
Ephemeral Keys / Perfect Forward Secrecy
Each connection negotiates its own fresh key pair, which is discarded once the session key has been derived. A compromised session key therefore exposes only that connection's data, and a later compromise of the server's long-term private key does not allow previously recorded sessions to be decrypted.
  Cipher suite                   Key size   Components (key exchange / encryption / MAC or PRF hash)
  ECDHE-RSA-AES128-GCM-SHA256    128 bit    ECDH (ephemeral), AES-GCM (AEAD), SHA256 as PRF hash
  ECDHE-RSA-AES128-SHA           128 bit    ECDH (ephemeral), AES-CBC, HMAC-SHA1
  ECDHE-RSA-AES256-SHA           256 bit    ECDH (ephemeral), AES-CBC, HMAC-SHA1
  ECDHE-RSA-3DES-EDE-SHA         168 bit    ECDH (ephemeral), 3DES, HMAC-SHA1
  ECDHE-RSA-RC4128-SHA           128 bit    ECDH (ephemeral), RC4, HMAC-SHA1

All five suites give each connection a unique key through ephemeral ECDH; the "RSA" in each name is the certificate signature algorithm used to authenticate the server's share, not the key exchange. They are not equally safe: only the first is an AEAD suite; the RC4 suite is prohibited for TLS by RFC 7465; and 3DES provides only 112-bit effective strength for its nominal 168-bit key and is deprecated. In the GCM suite, SHA256 is the PRF hash, not a record MAC.
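A small parser for suite names of the kind in the table, added here as an illustration (it is not F5 code or BIG-IP configuration): it splits a name into key exchange, authentication, cipher and hash, flags the components a proxy-level cipher policy should refuse, and orders what remains. It keys on the tokens as the slide spells them (ECDHE-RSA-3DES-EDE-SHA and ECDHE-RSA-RC4128-SHA are not OpenSSL's exact spellings), and it goes one step beyond the table by also handling OpenSSL's prefix-less static-RSA names such as AES128-GCM-SHA256, which the slide does not list.

```python
"""Classify TLS 1.2 cipher-suite names by component and apply a proxy-level
cipher policy: refuse suites without forward secrecy or with a broken cipher,
prefer AEAD, then larger keys. Added example; the weak-suite rules encode
RFC 7465 (RC4) and the 112-bit effective strength of 3DES."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Key-exchange token -> provides forward secrecy?
KEY_EXCHANGE: Dict[str, bool] = {"ECDHE": True, "DHE": True, "ECDH": False, "DH": False, "RSA": False}
AUTH_TOKENS = ("RSA", "ECDSA", "DSS", "PSK")
# Cipher token -> (cipher, nominal key bits, reason to reject or "")
CIPHERS: Dict[str, Tuple[str, int, str]] = {
    "AES128": ("AES", 128, ""),
    "AES256": ("AES", 256, ""),
    "3DES": ("3DES", 168, "3DES: 112-bit effective strength, deprecated"),
    "DES": ("DES", 56, "single DES: 56-bit key"),
    "RC4128": ("RC4", 128, "RC4 is prohibited for TLS by RFC 7465"),
    "RC4": ("RC4", 128, "RC4 is prohibited for TLS by RFC 7465"),
}
HASHES = {"SHA": "SHA1", "SHA1": "SHA1", "SHA256": "SHA256", "SHA384": "SHA384"}


@dataclass
class Suite:
    name: str
    key_exchange: str
    forward_secrecy: bool
    auth: str
    cipher: str
    key_bits: int
    aead: bool
    hash_alg: str                 # HMAC algorithm for CBC suites, PRF hash for AEAD suites
    problems: List[Tuple[str, str]] = field(default_factory=list)  # (severity, reason)


def parse_suite(name: str) -> Suite:
    tokens = name.upper().split("-")
    if tokens[0] in KEY_EXCHANGE:
        kx = tokens.pop(0)
        # "RSA" after ECDHE is the certificate signature algorithm, not the key exchange.
        auth = tokens.pop(0) if tokens[0] in AUTH_TOKENS else kx
    else:
        kx = auth = "RSA"          # OpenSSL drops the prefix for static RSA key transport
    hash_tok = tokens.pop()        # trailing SHA / SHA256 / SHA384
    aead = "GCM" in tokens or "CCM" in tokens
    # OpenSSL spells triple DES as DES-CBC3; the slide spells it 3DES-EDE.
    cipher_tok = "3DES" if tokens[0] == "DES" and "CBC3" in tokens else tokens[0]
    cipher, bits, reject_reason = CIPHERS.get(cipher_tok, (cipher_tok, 0, "unrecognised cipher token"))
    suite = Suite(name, kx, KEY_EXCHANGE[kx], auth, cipher, bits, aead, HASHES.get(hash_tok, hash_tok))
    if not suite.forward_secrecy:
        suite.problems.append(("reject", "no forward secrecy: a recorded session is decryptable with the server key"))
    if reject_reason:
        suite.problems.append(("reject", reject_reason))
    if not aead:
        suite.problems.append(("warn", f"non-AEAD record protection (HMAC-{suite.hash_alg}); prefer GCM"))
    return suite


def proxy_cipher_policy(names: List[str]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (ordered allow list, {rejected name: reasons}). AEAD suites rank
    first, then larger keys, so the proxy offers the strongest acceptable suite."""
    allowed, rejected = [], {}
    for n in names:
        s = parse_suite(n)
        hard = [why for sev, why in s.problems if sev == "reject"]
        if hard:
            rejected[n] = hard
        else:
            allowed.append(s)
    allowed.sort(key=lambda s: (s.aead, s.key_bits), reverse=True)
    return [s.name for s in allowed], rejected


# The five suites from the table above, in the order the slide lists them.
SLIDE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-3DES-EDE-SHA", "ECDHE-RSA-RC4128-SHA",
]

if __name__ == "__main__":
    keep, drop = proxy_cipher_policy(SLIDE_SUITES + ["AES128-GCM-SHA256"])
    print("offer:", keep)
    for suite_name, reasons in drop.items():
        print("refuse:", suite_name, "->", "; ".join(reasons))
```

Run against the slide's five suites plus the static-RSA AES128-GCM-SHA256, the policy keeps the three ECDHE/AES suites with the GCM suite first and refuses the 3DES and RC4 suites on cipher grounds and the static-RSA suite for lacking forward secrecy, even though its record protection is AEAD.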
Diagram: Untrusted Networks -> Edge Firewall -> Switch -> Apps, with a Network Tap feeding a passive decryptor.
PFS removes the ability to do passive inspection of inbound traffic: a tap holding a copy of the server's private key can unwrap RSA-transported session secrets, but it cannot recover the per-connection ephemeral (EC)DHE secrets. Inspection therefore has to move inline, into a proxy that terminates the TLS session itself.
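The difference between the two handshakes is easiest to see from the tap's side. The following toy model is an added example, not F5 code and not a real TLS implementation: textbook RSA over two fixed Mersenne primes stands in for the certificate key, the RFC 2409 group 2 prime for the DH group, and a SHA-256 counter keystream for the record cipher; the message names follow the handshake tables above. The observer holds a copy of the server's long-term private key plus a complete capture of each session, which is exactly the position of a passive decryptor behind a network tap.

```python
"""Passive decryption against RSA key transport vs. ephemeral Diffie-Hellman.
Toy model for illustration only: textbook RSA (fixed Mersenne primes), the
RFC 2409 group 2 MODP prime, SHA-256 as KDF and as a counter keystream."""
import hashlib
import secrets

# RFC 2409 ("Oakley") group 2: 1024-bit MODP prime, generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
        "FFFFFFFFFFFFFFFF", 16)
G = 2


def rsa_keygen():
    """Server's long-term key: textbook RSA over 2^127-1 and 2^89-1 (toy size)."""
    p, q = 2**127 - 1, 2**89 - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def derive_key(shared_secret: int, transcript: bytes) -> bytes:
    """Session key = SHA-256(shared secret || handshake transcript)."""
    s = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(s + transcript).digest()


def record_xor(key: bytes, data: bytes) -> bytes:
    """Toy record layer: XOR with a SHA-256 counter keystream (its own inverse)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def rsa_session(server_pub, plaintext: bytes) -> dict:
    """RSA key exchange (the ten-step handshake): the client picks the premaster
    secret and sends it wrapped under the server's certificate key in Client
    Key Exchange. Returns everything a tap on the wire sees."""
    n, e = server_pub
    premaster = secrets.randbits(192)                       # < n, so RSA round-trips
    cke = pow(premaster, e, n)
    transcript = b"ClientHello|ServerHello|Certificate|" + cke.to_bytes(32, "big")
    key = derive_key(premaster, transcript)                 # the server derives the same key
    return {"kex": "rsa", "client_key_exchange": cke, "transcript": transcript,
            "record": record_xor(key, plaintext)}


def dhe_session(server_pub, server_priv, plaintext: bytes) -> dict:
    """Ephemeral DH (the one-round-trip handshake): each side sends g^x for a
    fresh x; the server's RSA key only signs its share. The exponents a and b
    die with this function, so nothing persistent can reproduce g^ab."""
    n, e = server_pub
    _, d = server_priv
    a, b = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    ya, yb = pow(G, a, P), pow(G, b, P)
    h = int.from_bytes(hashlib.sha256(yb.to_bytes(128, "big")).digest(), "big") % n
    signature = pow(h, d, n)
    if pow(signature, e, n) != h:                           # the client authenticates the share
        raise ValueError("bad server signature on key share")
    transcript = (b"ClientHello+share|ServerHello+share|"
                  + ya.to_bytes(128, "big") + yb.to_bytes(128, "big"))
    key = derive_key(pow(yb, a, P), transcript)             # equals derive_key(pow(ya, b, P), ...)
    return {"kex": "dhe", "client_share": ya, "server_share": yb,
            "server_signature": signature, "transcript": transcript,
            "record": record_xor(key, plaintext)}


def passive_decrypt(server_priv, capture: dict):
    """A tap holding the server's long-term private key tries to read a capture."""
    n, d = server_priv
    if capture["kex"] == "rsa":
        premaster = pow(capture["client_key_exchange"], d, n)   # unwrap the transported secret
        return record_xor(derive_key(premaster, capture["transcript"]), capture["record"])
    # DHE: the capture holds g^a, g^b and a signature. The private key is only a
    # signing key, and turning g^a and g^b into g^ab is the discrete-log problem.
    # Neither exponent was ever on the wire or retained after the handshake.
    return None


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    msg = b"GET /account HTTP/1.1\r\nHost: bank.example\r\n\r\n"
    print("RSA capture ->", passive_decrypt(priv, rsa_session(pub, msg)))
    print("DHE capture ->", passive_decrypt(priv, dhe_session(pub, priv, msg)))
```

The RSA capture decrypts to the request; the DHE capture yields nothing, and no later disclosure of the server's key changes that. This is the property the slide calls "unique key to each connection", and it is why passive key-sharing with a tap stops working once servers prefer forward secrecy.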
Firewall performance tests conducted by NSS Labs (cited here for the cost of decrypting at scale):
- Response time increased by 672%.
- 60% drop in the average throughput.
Diagram: Users -> Next-Gen Firewall -> Web Gateway -> DLP -> Anti-Malware -> IPS -> Next-Gen Firewall -> Internet / Apps, with every device in the chain performing its own Decrypt, Inspect, Re-Encrypt.

Security inspection devices are not the right tool for decryption:
- Privacy
- Performance
- End-user experience
Purpose-built solution for orchestration of inbound/outbound SSL/TLS traffic
Diagram: Users <-> SSL Orchestrator <-> Internet / Apps, with the orchestrator handling decryption once and feeding the security stack: Next-Gen Firewall, Next-Gen IPS, Malware Protection, Secure Web Gateway, Data Loss Prevention, Other.
Visibility is not enough
Visibility alone still requires manual "daisy-chaining" or tedious configurations across the security stack.

SSL Orchestration: more than visibility
- Broad topology and device support
- Dynamic service chaining
- Policy-based traffic steering
- Advanced monitoring, load balancing, and scaling
- Centralised and simplified management of certificates and keys
- Proxy-level control over ciphers and protocols
- Dynamic grouping of security devices
- Topology independent
- Maximised security investments
- Service insertion, monitoring, scaling
Example service chains
1. Firewall, IDS, WAF
2. Firewall, IPS, WAF, DLP
3. Firewall, IPS, WAF, DLP, Forensics
Contextual classification engine
Traffic selectors: Source Addr., Dest. Addr., Dest. Port, IP Geo, Domain Name, IPI (IP intelligence) Cat., URL Cat., Protocol.
Incoming Traffic -> Traffic Classifier Engine -> Service Chain: a rich set of traffic selectors is evaluated, and the flow is decrypted and steered to a service chain based on the policy match.
Example classes: Banks, Healthcare (Bypass); HTTP/HTTPS; Everything else. Available actions: bypass, block, inspect.
Policy-Based Traffic Steering (inbound)
Diagram: Users -> SSL Orchestrator (SSL/TLS Termination and Inspection) -> Apps.
Steering criteria, evaluated in and out: Source IP, Destination IP, IP intelligence category, URL filtering category, IP geolocation, Host and domain name, Destination port, Protocol.
Dynamic Service Chaining outcomes: chainX, chainY, bypass, reject.
Inspection services on the inbound side: Web Application Firewall, IDS/IPS, Customer Experience Solutions.
Policy-Based Traffic Steering (outbound)
Diagram: Users -> SSL Orchestrator (SSL/TLS Termination and Inspection) -> Internet, using the same steering criteria (Source IP, Destination IP, IP intelligence category, URL filtering category, IP geolocation, Host and domain name, Destination port, Protocol) and the same Dynamic Service Chaining outcomes (chainX, chainY, bypass, reject).
Inspection services on the outbound side: IDS/IPS, Malware Sandbox, Secure Web Gateway, Next-Gen Firewall, Data Loss Prevention.
Diagram: Users <-(PFS)-> SSL Orchestrator (SSL/TLS Termination and Inspection) <-(RSA)-> Apps, with a Tap and Switch on the application side. The orchestrator terminates the forward-secret session facing users and re-encrypts towards the apps with an RSA key exchange, which is what lets a passive tap on that segment still decrypt.
SSL Visibility: deployment options
Diagram: Users -> SSL Orchestrator -> Firewall -> Internet / Apps. The orchestrator decrypts and steers, then re-encrypts.
Security devices attach as independently scaled pools: NGFW (Pool), IPS (Pool), Anti-Malware (Pool), DLP (Pool).
Insertion modes: Inline Insertion (L3 Mode), Inline Insertion (L2 Mode), ICAP, Passive (for example a SIEM).
Diagram: Users -> SSL Orchestrator -> services.

Create services (one per inspection device and its insertion mode): Inline Layer 2, Receive Only, Inline Layer 3, Inline Layer 3, ICAP, ICAP.

Chain services (traffic class -> ordered chain, as laid out on the slide):
- Suspect IP dest.: Receive Only -> Inline Layer 3 -> Inline Layer 2 -> Inline Layer 3
- Partner domains: Inline Layer 3 -> Inline Layer 2 -> Inline Layer 3
- Requires PCI data privacy: Receive Only
- Risky web sites: Receive Only -> Inline Layer 3 -> Inline Layer 2 -> Inline Layer 3 -> ICAP -> ICAP
Security inspection devices can be grouped, monitored, scaled, and load balanced independently.
Policy-based traffic steering directs traffic through the appropriate service chain based on risk and context.
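The classifier, steering and service-chain slides above describe one mechanism: an ordered policy over flow attributes decides bypass, reject or intercept, and intercepted flows are assigned a service chain whose members each have an insertion mode. The following model is an added example, not SSL Orchestrator code or configuration; the rule names, categories, chain names, service labels and sample flows are all constructed. Two things it makes concrete: rule order settles conflicts (a known-bad destination is rejected even when its URL category would otherwise earn a privacy bypass), and every selector used is available before decryption, which is what makes a bypass decision possible at all.

```python
"""Policy-based traffic steering: ordered rules over flow selectors decide
bypass / reject / intercept; intercepted flows get a named service chain.
Added example; rules, categories, chains and flows are all constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str             # "tcp" or "udp"
    host: str = ""            # SNI host name from the cleartext ClientHello
    geo: str = ""             # destination country, assumed to come from a geo lookup
    url_category: str = ""    # assumed URL-filtering category for the host
    ipi_category: str = ""    # assumed IP-intelligence category for dst_ip


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "bypass", "reject" or "intercept"
    chain: Optional[str] = None          # service chain used when action == "intercept"
    src_nets: Tuple[str, ...] = ()
    dst_nets: Tuple[str, ...] = ()
    dst_ports: Tuple[int, ...] = ()
    protocols: Tuple[str, ...] = ()
    domains: Tuple[str, ...] = ()        # exact host or parent-domain match on the SNI
    geos: Tuple[str, ...] = ()
    url_categories: Tuple[str, ...] = ()
    ipi_categories: Tuple[str, ...] = ()

    def matches(self, f: Flow) -> bool:
        """Every selector the rule sets must match; unset selectors are wildcards."""
        if self.src_nets and not any(ip_address(f.src_ip) in ip_network(n) for n in self.src_nets):
            return False
        if self.dst_nets and not any(ip_address(f.dst_ip) in ip_network(n) for n in self.dst_nets):
            return False
        if self.dst_ports and f.dst_port not in self.dst_ports:
            return False
        if self.protocols and f.protocol not in self.protocols:
            return False
        if self.domains and not any(f.host == d or f.host.endswith("." + d) for d in self.domains):
            return False
        if self.geos and f.geo not in self.geos:
            return False
        if self.url_categories and f.url_category not in self.url_categories:
            return False
        if self.ipi_categories and f.ipi_category not in self.ipi_categories:
            return False
        return True


# Service chains: ordered "device:insertion-mode" entries, using the modes named on
# the slides (receive-only, inline-l2, inline-l3, icap).
SERVICE_CHAINS: Dict[str, List[str]] = {
    "chainX": ["ids:receive-only", "ngfw:inline-l3", "ips:inline-l2", "dlp:inline-l3"],
    "chainY": ["ngfw:inline-l3", "ips:inline-l2", "dlp:inline-l3"],
    "chainZ": ["ids:receive-only", "ngfw:inline-l3", "ips:inline-l2", "dlp:inline-l3",
               "antivirus:icap", "sandbox:icap"],
    "default": ["ngfw:inline-l3", "ips:inline-l2"],
}

# First match wins: block rules precede privacy bypasses, bypasses precede inspection.
POLICY: List[Rule] = [
    Rule("known-bad-destination", "reject", ipi_categories=("botnet", "malware")),
    Rule("regulated-privacy-bypass", "bypass", url_categories=("Financial Services", "Health")),
    Rule("pci-zone-bypass", "bypass", dst_nets=("10.20.0.0/16",), dst_ports=(443,)),
    Rule("suspect-ip-destination", "intercept", chain="chainX", ipi_categories=("suspicious",)),
    Rule("partner-domains", "intercept", chain="chainY", domains=("partner.example",)),
    Rule("risky-web-sites", "intercept", chain="chainZ", url_categories=("Uncategorized", "File Sharing")),
    Rule("everything-else", "intercept", chain="default"),
]


def steer(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str, Optional[str]]:
    """Return (rule name, action, chain) of the first matching rule, failing closed."""
    for rule in policy:
        if rule.matches(flow):
            return rule.name, rule.action, rule.chain
    return "implicit-deny", "reject", None


def services_for(flow: Flow) -> List[str]:
    """Ordered list of services the flow traverses; empty for bypass and reject."""
    _, action, chain = steer(flow)
    return list(SERVICE_CHAINS[chain]) if action == "intercept" else []


if __name__ == "__main__":
    for f in [
        Flow("10.1.1.5", "203.0.113.10", 443, "tcp", host="online.bank.example", url_category="Financial Services"),
        Flow("10.1.1.5", "198.51.100.7", 443, "tcp", host="cdn.example", url_category="Health", ipi_category="botnet"),
        Flow("10.1.1.6", "192.0.2.20", 443, "tcp", host="api.partner.example"),
        Flow("10.1.1.6", "192.0.2.21", 443, "tcp", host="partner.example.evil"),
    ]:
        print(f.host, "->", steer(f), services_for(f))
```

The domain selector matches the host itself or a subdomain, so partner.example.evil does not inherit the partner chain; and an empty policy falls through to an implicit reject rather than to an uninspected pass, since a flow the orchestrator cannot classify should not become a new blind spot.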
Enterprise Key Management
- Secure Vault: software-based encrypted storage system for securing cryptographic keys with the highest performance.
- Internal HSM: physical hardware designed to generate, store, and protect keys with high performance.
- Network HSM: integration with leading network-based hardware for use with all appliances, chassis, and virtual editions.
- Cloud HSM: integration for high-assurance encryption services fit for the cloud.
HSM = Hardware Security Module
Diagram: Untrusted Networks -> Security Services, with the interception point in question.
Source: Technical Alert 17-318A (HTTPS Interception Weakens TLS Security), National Cybersecurity and Communications Integration Center (NCCIC), November 2017
Full proxy
Diagram: Untrusted Networks -> SSL Orchestrator (full proxy) -> IDS/IPS, Malware Sandbox, Secure Web Gateway, Next-Gen Firewall, Data Loss Prevention, with the threats that were hidden in the encrypted traffic now exposed to the inspection stack.
SSL Orchestrator Key Use Cases
- SSL/TLS visibility and orchestration
- Maximised security investments
- Risk management and privacy

Reference integrations: F5 BIG-IP and Symantec DLP; F5 BIG-IP and Palo Alto Networks NGFW; F5 BIG-IP and FireEye NX.

Deploy into any environment: ease of integration with unique network topologies and security inspection devices.
Go beyond visibility: centralised decryption and policy-based traffic steering across multiple security tools.
Dynamically chain services: remove the limitations of daisy-chaining and manual configuration.
How to Gain Visibility into Encrypted Threats

More Related Content

What's hot

O365 quick with fast user experience
O365 quick with fast user experienceO365 quick with fast user experience
O365 quick with fast user experienceZscaler
 
Infographic: Stop Attacks Hiding Under the Cover of SSL Encryption
Infographic: Stop Attacks Hiding Under the Cover of SSL EncryptionInfographic: Stop Attacks Hiding Under the Cover of SSL Encryption
Infographic: Stop Attacks Hiding Under the Cover of SSL EncryptionBlue Coat
 
Azure Information Protection
Azure Information ProtectionAzure Information Protection
Azure Information ProtectionMicrosoft
 
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)Robb Boyd
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionAlert Logic
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack SurfaceAlert Logic
 
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...Cisco Security
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
Reality Check: Security in the Cloud
Reality Check: Security in the CloudReality Check: Security in the Cloud
Reality Check: Security in the CloudAlert Logic
 
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config GuideCisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config GuideAlberto Rivai
 
DEVNET-1180 Security from the Cloud
DEVNET-1180	Security from the CloudDEVNET-1180	Security from the Cloud
DEVNET-1180 Security from the CloudCisco DevNet
 
Migration to microsoft_azure_with_zscaler
Migration to microsoft_azure_with_zscalerMigration to microsoft_azure_with_zscaler
Migration to microsoft_azure_with_zscalerZscaler
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Priyanka Aash
 
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN ControllerHACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN ControllerPriyanka Aash
 
How sdp delivers_zero_trust
How sdp delivers_zero_trustHow sdp delivers_zero_trust
How sdp delivers_zero_trustZscaler
 
Ma story then_now_webcast_10_17_18
Ma story then_now_webcast_10_17_18Ma story then_now_webcast_10_17_18
Ma story then_now_webcast_10_17_18Zscaler
 
Cerdant Security State of the Union
Cerdant Security State of the UnionCerdant Security State of the Union
Cerdant Security State of the UnionDavid Perkins
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryPriyanka Aash
 

What's hot (20)

O365 quick with fast user experience
O365 quick with fast user experienceO365 quick with fast user experience
O365 quick with fast user experience
 
Infographic: Stop Attacks Hiding Under the Cover of SSL Encryption
Infographic: Stop Attacks Hiding Under the Cover of SSL EncryptionInfographic: Stop Attacks Hiding Under the Cover of SSL Encryption
Infographic: Stop Attacks Hiding Under the Cover of SSL Encryption
 
Check point response to Cisco NGFW competitive
Check point response to Cisco NGFW competitiveCheck point response to Cisco NGFW competitive
Check point response to Cisco NGFW competitive
 
Azure Information Protection
Azure Information ProtectionAzure Information Protection
Azure Information Protection
 
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
TechWiseTV Workshop: Cisco ISE 2.1 (Identity Services Engine)
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack Surface
 
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Reality Check: Security in the Cloud
Reality Check: Security in the CloudReality Check: Security in the Cloud
Reality Check: Security in the Cloud
 
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config GuideCisco Wireless LAN Controller Palo Alto Networks Config Guide
Cisco Wireless LAN Controller Palo Alto Networks Config Guide
 
DEVNET-1180 Security from the Cloud
DEVNET-1180	Security from the CloudDEVNET-1180	Security from the Cloud
DEVNET-1180 Security from the Cloud
 
Migration to microsoft_azure_with_zscaler
Migration to microsoft_azure_with_zscalerMigration to microsoft_azure_with_zscaler
Migration to microsoft_azure_with_zscaler
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”
 
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN ControllerHACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
 
How sdp delivers_zero_trust
How sdp delivers_zero_trustHow sdp delivers_zero_trust
How sdp delivers_zero_trust
 
Ma story then_now_webcast_10_17_18
Ma story then_now_webcast_10_17_18Ma story then_now_webcast_10_17_18
Ma story then_now_webcast_10_17_18
 
Cerdant Security State of the Union
Cerdant Security State of the UnionCerdant Security State of the Union
Cerdant Security State of the Union
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
 

Similar to How to Gain Visibility into Encrypted Threats

Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Rishabh Dangwal
 
8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...
8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...
8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...BGA Cyber Security
 
TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics Robb Boyd
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficShain Singh
 
Next Dimension and Cisco | Solutions for PIPEDA Compliance
Next Dimension and Cisco | Solutions for PIPEDA ComplianceNext Dimension and Cisco | Solutions for PIPEDA Compliance
Next Dimension and Cisco | Solutions for PIPEDA ComplianceNext Dimension Inc.
 
Comodo my dlp_techpresentation_060615_v3
Comodo my dlp_techpresentation_060615_v3Comodo my dlp_techpresentation_060615_v3
Comodo my dlp_techpresentation_060615_v3Truong Minh Yen
 
[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive
[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive
[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_diveNur Shiqim Chok
 
Start Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best PraticesStart Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best PraticesAmazon Web Services
 
Security Delivery Platform: Best practices
Security Delivery Platform: Best practicesSecurity Delivery Platform: Best practices
Security Delivery Platform: Best practicesMihajlo Prerad
 
wireless lan security.ppt
wireless lan security.pptwireless lan security.ppt
wireless lan security.pptSagarBedarkar3
 
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...SBWebinars
 
McAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEMMcAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEMIftikhar Ali Iqbal
 
Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)Jorgen Thelin
 
Secrity project keyvan
Secrity project   keyvanSecrity project   keyvan
Secrity project keyvanitrraincity
 
bcs_sb_TechPartner_SSLVisibility_Lastline_EN_v1c
bcs_sb_TechPartner_SSLVisibility_Lastline_EN_v1cbcs_sb_TechPartner_SSLVisibility_Lastline_EN_v1c
bcs_sb_TechPartner_SSLVisibility_Lastline_EN_v1cSam Kumarsamy
 
Endüstriyel Router Çözümleri
Endüstriyel Router ÇözümleriEndüstriyel Router Çözümleri
Endüstriyel Router ÇözümleriElmarkPlusTurkiye
 

Similar to How to Gain Visibility into Encrypted Threats (20)

Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...
 
8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...
8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...
8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applica...
 
TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics TechWiseTV Workshop: Encrypted Traffic Analytics
TechWiseTV Workshop: Encrypted Traffic Analytics
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern Traffic
 
Next Dimension and Cisco | Solutions for PIPEDA Compliance
Next Dimension and Cisco | Solutions for PIPEDA ComplianceNext Dimension and Cisco | Solutions for PIPEDA Compliance
Next Dimension and Cisco | Solutions for PIPEDA Compliance
 
Comodo my dlp_techpresentation_060615_v3
Comodo my dlp_techpresentation_060615_v3Comodo my dlp_techpresentation_060615_v3
Comodo my dlp_techpresentation_060615_v3
 
[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive
[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive
[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive
 
Start Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best PraticesStart Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best Pratices
 
Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5
 
Security Delivery Platform: Best practices
Security Delivery Platform: Best practicesSecurity Delivery Platform: Best practices
Security Delivery Platform: Best practices
 
wireless lan security.ppt
wireless lan security.pptwireless lan security.ppt
wireless lan security.ppt
 
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...
 
Unit 6
Unit 6Unit 6
Unit 6
 
McAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEMMcAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEM
 
Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)
 
Secrity project keyvan
Secrity project   keyvanSecrity project   keyvan
Secrity project keyvan
 
bcs_sb_TechPartner_SSLVisibility_Lastline_EN_v1c
bcs_sb_TechPartner_SSLVisibility_Lastline_EN_v1cbcs_sb_TechPartner_SSLVisibility_Lastline_EN_v1c
bcs_sb_TechPartner_SSLVisibility_Lastline_EN_v1c
 
Operations: Security
Operations: SecurityOperations: Security
Operations: Security
 
Endüstriyel Router Çözümleri
Endüstriyel Router ÇözümleriEndüstriyel Router Çözümleri
Endüstriyel Router Çözümleri
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 

Recently uploaded

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Recently uploaded (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx

How to Gain Visibility into Encrypted Threats

  • 3. SSL/TLS trends: TLS 1.2 vs. SSL 3.0, 2015 to 2017 (chart values as extracted)
        Year    TLS 1.2    SSL 3.0
        2015    60%        34%
        2016    61%        25%
        2017    89%        11%
      80% of sampled page loads use SSL/TLS
  • 4. SSL/TLS encryption business drivers:
        - Heavy adoption of Microsoft Office 365
        - Google Search results rankings
        - Increased focus on user privacy
        - Continuing growth and use of social networks
        - Google Chrome browser warnings
        - GDPR compliance
  • 6. Encryption challenges:
        - Complexity burdens IT with inefficiencies
        - Performance can degrade when decrypting at scale
        - Visibility is reduced due to the growth of SSL usage
  • 7. You can't secure what you can't see: 70% of all Internet traffic is encrypted, and 80% of page loads are now encrypted with SSL/TLS. Source: TLS Telemetry Report, F5 Labs, April 2018
  • 8. SSL/TLS blind spot: encryption creates a blind spot in your network between untrusted networks and your security services, which cannot inspect what they cannot decrypt.
  • 9. Every phase of an attack can ride inside that blind spot: exploitation (encrypted delivery), command and control (encrypted C&C channels) and data exfiltration (encrypted outbound data).
  • 10. Two ways to establish the session key:
        - RSA key exchange (most common historically): the client encrypts the premaster secret to the server's long-term public key.
        - Diffie-Hellman key agreement with ephemeral keys (DHE/ECDHE): both sides contribute a fresh secret; the server's long-term key only signs its share.
  • 11. TLS 1.2 full handshake vs. a one-round-trip handshake

      TLS 1.2 (two round trips before application data):
        Step  Client                 Direction  Server
         1    Client Hello              -->
         2                              <--      Server Hello
         3                              <--      Certificate
         4                              <--      Server Key Exchange (sent for DHE/ECDHE; absent with RSA key exchange)
         5                              <--      Server Hello Done
         6    Client Key Exchange       -->
         7    Change Cipher Spec        -->
         8    Finished                  -->
         9                              <--      Change Cipher Spec
        10                              <--      Finished

      One round trip (the TLS 1.3 handshake):
        Step  Client                                                  Direction  Server
         1    Client Hello: supported cipher suites, guessed key        -->
              agreement protocol, key share
         2                                                              <--      Server Hello: chosen key agreement protocol,
                                                                                 key share, Certificate, Server Finished
         3    Checks certificate, generates keys, Client Finished       -->

      88% of hosts prefer forward secrecy
  • 12. Ephemeral keys and Perfect Forward Secrecy (PFS): with (EC)DHE the key agreement is redone with fresh, automatically generated values for every connection (a unique key for each connection). Compromise of the latest session key, or even of the server's long-term private key, therefore exposes at most that one session; previously recorded traffic stays protected, because the long-term key never encrypts the session secret, it only signs the ephemeral share.

      Cipher suite                   Key size   Key exchange / cipher / MAC
      ECDHE-RSA-AES128-GCM-SHA256    128 bit    ECDHE, encryption: AES-GCM (AEAD; SHA256 is the PRF hash, not a MAC)
      ECDHE-RSA-AES128-SHA           128 bit    ECDHE, encryption: AES-CBC, MAC: HMAC-SHA1
      ECDHE-RSA-AES256-SHA           256 bit    ECDHE, encryption: AES-CBC, MAC: HMAC-SHA1
      ECDHE-RSA-3DES-EDE-SHA         168 bit    ECDHE, encryption: 3DES (112-bit effective), MAC: HMAC-SHA1
      ECDHE-RSA-RC4128-SHA           128 bit    ECDHE, encryption: RC4, MAC: HMAC-SHA1

      Caveat: forward secrecy comes from the ECDHE key exchange, not from the cipher. The last two suites are forward secret yet obsolete: RC4 is prohibited in TLS by RFC 7465, and 3DES has a 64-bit block that is birthday-bound (Sweet32).
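The table above reads a lot of information out of a cipher suite name. The following parser, added here as an illustration and not part of the original deck or of any F5 product, classifies OpenSSL-style suite names the same way: which part gives forward secrecy, which part is the bulk cipher, and which suites should be disabled regardless of PFS. The verdict labels ("preferred", "acceptable", "disable") are this example's own convention; the two suites outside the page's table are added sample input.

```python
"""Classify OpenSSL-style TLS 1.2 cipher suite names (added example, not F5 code)."""

KEY_EXCHANGE = {"ECDHE", "DHE", "ECDH", "DH"}   # no prefix means static RSA key transport
AUTH = {"RSA", "ECDSA", "DSS"}
# Nominal key sizes; 3DES is 168 nominal but only 112 effective
KEY_BITS = {"AES128": 128, "AES256": 256, "CHACHA20": 256, "RC4128": 128, "RC4": 128, "3DES": 168, "DES": 56}


def parse_suite(name):
    """Split 'ECDHE-RSA-AES128-GCM-SHA256' into key exchange, auth, cipher, MAC."""
    toks = name.split("-")
    kx, auth, i = "RSA", "RSA", 0
    if toks[0] in KEY_EXCHANGE:
        kx, i = toks[0], 1
        if toks[i] in AUTH:
            auth, i = toks[i], i + 1
    mac = toks[-1] if toks[-1].startswith("SHA") or toks[-1] == "MD5" else None
    cipher_toks = toks[i:-1] if mac else toks[i:]
    aead = any(t in ("GCM", "CCM", "POLY1305") for t in cipher_toks)
    base = cipher_toks[0]
    if base == "DES" and "CBC3" in cipher_toks:      # OpenSSL also spells 3DES as DES-CBC3
        base = "3DES"
    return {
        "name": name, "kx": kx, "auth": auth, "cipher": "-".join(cipher_toks),
        "aead": aead,
        # In AEAD suites the trailing SHAxxx token names the PRF hash, not a MAC
        "mac": None if aead else mac,
        "pfs": kx in ("ECDHE", "DHE"),             # ephemeral exchange => forward secrecy
        "key_bits": KEY_BITS.get(base),
    }


def assess(name):
    """Return (verdict, [(severity, reason), ...], parsed suite)."""
    s = parse_suite(name)
    problems = []
    if not s["pfs"]:
        problems.append(("disable", "static key exchange: no forward secrecy, passively decryptable with the server key"))
    if s["cipher"].startswith("RC4"):
        problems.append(("disable", "RC4 is prohibited in TLS (RFC 7465)"))
    if s["key_bits"] == 168:
        problems.append(("disable", "3DES: 64-bit block, 112-bit effective strength (Sweet32)"))
    if s["mac"] == "MD5":
        problems.append(("disable", "MD5-based MAC"))
    if not s["aead"]:
        mac = "SHA-1" if s["mac"] == "SHA" else s["mac"]   # bare 'SHA' means HMAC-SHA1 in OpenSSL names
        problems.append(("warn", "CBC/stream cipher with MAC-then-encrypt (HMAC-%s)" % mac))
    if any(sev == "disable" for sev, _ in problems):
        verdict = "disable"
    elif problems:
        verdict = "acceptable"
    else:
        verdict = "preferred"
    return verdict, problems, s


def audit(names):
    """Map each suite name to its verdict."""
    return {n: assess(n)[0] for n in names}


# The five suites from the table above, plus two added samples for contrast
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-3DES-EDE-SHA", "ECDHE-RSA-RC4128-SHA",
    "AES128-SHA",                        # added: static RSA, no forward secrecy
    "ECDHE-ECDSA-CHACHA20-POLY1305",     # added: PFS + AEAD
]

if __name__ == "__main__":
    for suite, verdict in audit(SAMPLE_SUITES).items():
        print("%-32s %s" % (suite, verdict))
```

The parser handles TLS 1.2 OpenSSL names only; TLS 1.3 suites (TLS_AES_128_GCM_SHA256 and friends) carry no key exchange in the name because every TLS 1.3 handshake is ephemeral.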
  • 13. PFS removes the ability to do passive inspection of inbound traffic. A network tap between the edge firewall and the switch in front of the apps could decrypt RSA-key-exchange sessions offline using a copy of the server's private key; with (EC)DHE the private key never encrypts the session secret, so a receive-only tap holding it recovers nothing. Decryption must then be done inline by a device that terminates the TLS session itself.
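To make the point on this slide concrete, here is an added example (not code from the deck or from F5) that plays both handshakes with deliberately tiny, constructed parameters and then asks what a passive tap holding the server's private key can recover. The textbook RSA key and the finite-field group are toy-sized stand-ins for RSA-2048 and an RFC 7919 group; the key derivation and the unpadded signature are simplifications of the TLS PRF and of RSA signing.

```python
"""Static RSA key transport vs. ephemeral Diffie-Hellman, as seen by a passive tap.
Added example with constructed toy parameters; not F5 code and not secure sizes."""
import hashlib
import secrets

# Constructed toy parameters (never reuse): RSA-2048+ and an RFC 7919 group in practice
RSA_P, RSA_Q, RSA_E = 1000003, 1000033, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # server's long-term private key
DH_P = 2**127 - 1   # a prime (M127), toy-sized
DH_G = 3


def kdf(secret_int):
    """Stand-in for the TLS PRF/HKDF: session key from the shared secret."""
    raw = secret_int.to_bytes((secret_int.bit_length() + 7) // 8, "big")
    return hashlib.sha256(b"session-key|" + raw).hexdigest()


def sign_share(value, d=RSA_D):
    """Toy RSA signature over a hash of the server's DH share (no padding)."""
    h = int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % RSA_N
    return pow(h, d, RSA_N)


def verify_share(value, sig):
    h = int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % RSA_N
    return pow(sig, RSA_E, RSA_N) == h


def rsa_key_transport():
    """TLS 1.2 RSA key exchange: the client picks the premaster secret and encrypts it
    to the server's long-term public key (ClientKeyExchange). Returns the session key
    both sides derive and what a tap captures from the wire."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    client_key_exchange = pow(premaster, RSA_E, RSA_N)          # on the wire
    assert pow(client_key_exchange, RSA_D, RSA_N) == premaster  # server decrypts it
    return kdf(premaster), {"kx": "RSA", "client_key_exchange": client_key_exchange}


def ephemeral_dh():
    """(EC)DHE: each side picks a fresh exponent; the server signs its share with the
    long-term key, which never touches the session secret."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    client_share, server_share = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)   # on the wire
    shared = pow(client_share, b, DH_P)
    assert shared == pow(server_share, a, DH_P)
    capture = {"kx": "DHE", "client_share": client_share, "server_share": server_share,
               "signature": sign_share(server_share)}
    return kdf(shared), capture


def passive_inspector(capture, server_private_d=RSA_D):
    """A receive-only tap with a copy of the server's private key: returns the
    session key if it can be recovered from the capture alone, else None."""
    if capture["kx"] == "RSA":
        # The same private key the server uses to open ClientKeyExchange
        premaster = pow(capture["client_key_exchange"], server_private_d, RSA_N)
        return kdf(premaster)
    # DHE: the long-term key only lets the tap confirm the server signed its share.
    assert verify_share(capture["server_share"], capture["signature"])
    # Recovering g^ab from g^a and g^b is the Diffie-Hellman problem; the exponents
    # were never on the wire. Only an inline proxy that terminates the session
    # (and so owns one of the exponents) can decrypt.
    return None


if __name__ == "__main__":
    key, cap = rsa_key_transport()
    print("RSA key transport, tap recovers session key:", passive_inspector(cap) == key)
    key, cap = ephemeral_dh()
    print("Ephemeral DH, tap recovers session key:", passive_inspector(cap) == key)
```

The asymmetry is the whole argument for inline decryption: the inspector is not missing a key, it is missing a role in the handshake.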
  • 14. Firewall performance tests conducted by NSS Labs: with decryption enabled, response time increased by 672% and average throughput dropped by 60%. In a daisy chain, each device between users and Internet/apps (next-gen firewall, web gateway, DLP, anti-malware, IPS) repeats its own decrypt, inspect, re-encrypt cycle.
  • 15. Security inspection devices are not the right tool for decryption: privacy, performance and end-user experience all suffer.
  • 16. A purpose-built solution for orchestration of inbound/outbound SSL/TLS traffic: the SSL Orchestrator sits between users and Internet/apps and feeds decrypted traffic to the next-gen firewall, next-gen IPS, malware protection, secure web gateway, data loss prevention and other devices.
  • 17. Visibility is not enough: it still requires manual "daisy-chaining" or tedious configurations across the security stack.
  • 18. SSL orchestration, more than visibility:
        - Broad topology and device support
        - Dynamic service chaining
        - Policy-based traffic steering
        - Advanced monitoring, load balancing, and scaling
        - Centralised and simplified management of certificates and keys
        - Proxy-level control over ciphers and protocols
  • 19. Dynamic grouping of security devices: topology independent, maximised security investments, service insertion, monitoring and scaling. Example chains:
        1. Firewall, IDS, WAF
        2. Firewall, IPS, WAF, DLP
        3. Firewall, IPS, WAF, DLP, Forensics
  • 20. Contextual classification engine: incoming traffic passes through a traffic classifier engine and is decrypted and steered to a service chain based on the policy match. Traffic selectors: source address, destination address, destination port, IP geolocation, domain name, IP intelligence category, URL category, protocol. Actions: bypass, block, inspect. Example policy rows from the slide: banks and healthcare (bypass), HTTP/HTTPS, everything else.
  • 21. Inbound: users reach the apps through the SSL Orchestrator, which performs SSL/TLS termination and inspection and policy-based traffic steering (source IP, destination IP, IP intelligence category, URL filtering category, IP geolocation, host and domain name, destination port, protocol) into dynamic service chains (chainX, chainY, bypass, reject) of web application firewall, IDS/IPS and customer experience solutions.
  • 22. Outbound: the same steering criteria and chains (chainX, chainY, bypass, reject) direct user traffic to the Internet through IDS/IPS, malware sandbox, secure web gateway, next-gen firewall and data loss prevention.
  • 25. Service insertion modes between users and Internet/apps, with the SSL Orchestrator decrypting, steering and re-encrypting behind the firewalls:
        - Inline insertion, L3 mode: NGFW (pool), IPS (pool)
        - Inline insertion, L2 mode: anti-malware (pool)
        - ICAP: DLP (pool)
        - Passive (receive only): SIEM
  • 26. Create services, then chain them by context (chains as laid out on the slide):
        Services: inline layer 2, receive only, inline layer 3, ICAP
        Suspect IP destination:     receive only, inline layer 3, inline layer 2, inline layer 3
        Partner domains:            inline layer 3, inline layer 2, inline layer 3
        Requires PCI data privacy:  receive only
        Risky web sites:            receive only, inline layer 3, inline layer 2, inline layer 3, ICAP, ICAP
      Security inspection devices can be grouped, monitored, scaled, and load balanced independently. Policy-based traffic steering directs traffic through the appropriate service chain based on risk and context.
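Slides 20 to 26 describe a first-match policy engine feeding ordered chains of independently monitored service pools. The model below is an added illustration of that design, not SSL Orchestrator code: the flow attributes, rule names, chain contents, pool members and sample flows are all constructed, and the fail-open/fail-closed handling of a dead pool is this example's own choice rather than any documented product behaviour.

```python
"""Policy-based steering into dynamic service chains (added example, constructed data)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """Cleartext attributes available before any decryption."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str       # "http", "https", ...
    sni: str            # server name from the ClientHello
    url_category: str   # URL filtering feed verdict
    ip_category: str    # IP intelligence feed verdict
    geo: str            # destination geolocation


class ServicePool:
    """One security service as an independently monitored, load-balanced pool."""
    def __init__(self, label: str, members: List[str], fail_open: bool = False):
        self.label, self.members, self.fail_open = label, list(members), fail_open
        self.healthy = set(members)     # maintained by health monitoring (simulated here)
        self._rr = 0

    def pick(self):
        """Round-robin over healthy members; None if the pool is down."""
        live = [m for m in self.members if m in self.healthy]
        if not live:
            return None
        m = live[self._rr % len(live)]
        self._rr += 1
        return m


POOLS: Dict[str, ServicePool] = {
    "tap":  ServicePool("receive-only tap", ["tap-1"], fail_open=True),   # passive: must never stop traffic
    "ngfw": ServicePool("inline L3 NGFW", ["ngfw-1", "ngfw-2"]),
    "ips":  ServicePool("inline L2 IPS", ["ips-1", "ips-2"]),
    "dlp":  ServicePool("inline L3 DLP", ["dlp-1"]),
    "icap": ServicePool("ICAP sandbox", ["sandbox-1"]),
}
CHAINS: Dict[str, Tuple[str, ...]] = {       # ordered, reusable across rules
    "suspect": ("tap", "ngfw", "ips", "dlp", "icap"),
    "partner": ("ngfw", "ips", "dlp"),
    "risky":   ("tap", "ngfw", "ips", "dlp", "icap"),
    "default": ("ngfw", "ips"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Flow], bool]
    action: str                     # "bypass" | "block" | "inspect"
    chain: Tuple[str, ...] = ()     # a bypass may still pass a passive tap for metadata


POLICY: List[Rule] = [   # first match wins: block before privacy bypass, bypass before inspect, catch-all last
    Rule("block-c2",        lambda f: f.ip_category == "c2", "block"),
    Rule("pci-privacy",     lambda f: f.url_category in {"finance", "healthcare"}, "bypass", ("tap",)),
    Rule("suspect-dest",    lambda f: f.ip_category in {"malware", "botnet"}, "inspect", CHAINS["suspect"]),
    Rule("partner-domains", lambda f: f.sni.endswith(".partner.example"), "inspect", CHAINS["partner"]),
    Rule("risky-web",       lambda f: f.url_category in {"uncategorized", "newly-registered"}, "inspect", CHAINS["risky"]),
    Rule("default-web",     lambda f: f.protocol in {"http", "https"}, "inspect", CHAINS["default"]),
    Rule("catch-all",       lambda f: True, "bypass"),
]


def steer(flow: Flow, policy: List[Rule] = POLICY):
    """Return (rule name, action, decrypted?, device instances traversed in order)."""
    rule = next(r for r in policy if r.match(flow))
    if rule.action == "block":
        return rule.name, "block", False, []
    path = []
    for svc in rule.chain:
        member = POOLS[svc].pick()
        if member is None:
            if POOLS[svc].fail_open:
                continue                            # dead passive tap: skip it
            return rule.name, "block", rule.action == "inspect", path   # dead inline service: fail closed
        path.append(member)
    return rule.name, rule.action, rule.action == "inspect", path


# Constructed sample flows (documentation address ranges)
SAMPLE_FLOWS = {
    "bank":    Flow("10.0.0.5", "198.51.100.10", 443, "https", "online.bank.example", "finance", "clean", "GB"),
    "suspect": Flow("10.0.0.7", "203.0.113.9", 443, "https", "cdn-update.example", "uncategorized", "malware", "RU"),
    "partner": Flow("10.0.0.8", "192.0.2.20", 443, "https", "api.acme.partner.example", "business", "clean", "US"),
    "c2-bank": Flow("10.0.0.9", "203.0.113.66", 443, "https", "secure.bank.example", "finance", "c2", "US"),
}

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        print(label, "->", steer(flow))
```

Rule order carries the security policy: the C2 block sits above the PCI privacy bypass so that a "bank" site resolving to a known C2 address is still stopped, and the bypass sits above every inspect rule so that regulated traffic is never decrypted by accident. Whether a dead inline pool fails open or closed is a deliberate per-service decision; here only the passive tap fails open.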
  • 27. Enterprise key management options (HSM = Hardware Security Module):
        - Secure Vault: software-based encrypted storage system for securing cryptographic keys with the highest performance
        - Internal HSM: physical hardware designed to generate, store, and protect keys with high performance
        - Network HSM: integration with leading network-based hardware for use with all appliances, chassis, and virtual editions
        - Cloud HSM: integration for high-assurance encryption services fit for the cloud
  • 28. Interception itself can become the weak point between untrusted networks and your security services. Source: Technical Alert TA17-318A ("HTTPS Interception Weakens TLS Security"), National Cybersecurity and Communications Integration Center (NCCIC), November 2017. The alert's concern is that an intercepting device that validates certificates poorly or negotiates weaker ciphers than the client would leaves the client unable to see that weakness.
  • 29. Full proxy: the SSL Orchestrator terminates the session from untrusted networks itself, so it is the component responsible for certificate validation and cipher selection on both sides, and the IDS/IPS, malware sandbox, secure web gateway, next-gen firewall and data loss prevention devices behind it see cleartext without touching the TLS handshake.
  • 30. SSL Orchestrator key use cases: SSL/TLS visibility and orchestration; maximised security investments; risk management and privacy.
  • 31. Validated integrations: F5 BIG-IP and Symantec DLP; F5 BIG-IP and Palo Alto Networks NGFW; F5 BIG-IP and FireEye NX.
  • 33. Summary:
        - Deploy into any environment: ease of integration with unique network topologies and security inspection devices
        - Go beyond visibility: centralised decryption and policy-based traffic steering across multiple security tools
        - Dynamically chain services: remove the limitations of daisy-chaining and manual configuration