Encrypting data in transit with SSL/TLS is standard practice among organisations today. Important security initiatives, such as built-in web browser warnings and stronger legislation such as GDPR, have significantly improved privacy awareness and helped to prevent data breaches. However, cybercriminals commonly hide threats within encrypted payloads and use encrypted channels to propagate malware and exfiltrate data, knowing they can bypass traditional security inspection solutions that do not look inside encrypted traffic.
4. SSL/TLS encryption business drivers
   - Heavy adoption of Microsoft Office 365
   - Google Search results rankings
   - Increased focus on user privacy
   - Continuing growth and use of social networks
   - Google Chrome browser warnings
   - GDPR compliance
7. You can’t secure what you can’t see
   - 70% of all Internet traffic is encrypted
   - 80% of page loads are now encrypted with SSL/TLS
   Source: TLS Telemetry Report, F5 Labs, April 2018
11. TLS 1.3 handshake vs. TLS 1.2 handshake

   TLS 1.3 (one round trip):
   Step  Client                                   Direction  Server
   1     Client Hello: supported cipher suites,      ->
         guessed key agreement protocol, key share
   2                                                <-        Server Hello: key agreement protocol,
                                                              key share; Server Finished
   3     Checks certificate, generates keys,         ->
         Client Finished

   TLS 1.2 (two round trips):
   Step  Client               Direction  Server
   1     Client Hello            ->
   2                             <-       Server Hello
   3                             <-       Certificate
   4                             <-       Server Key Exchange
   5                             <-       Server Hello Done
   6     Client Key Exchange     ->
   7     Change Cipher Spec      ->
   8     Finished                ->
   9                             <-       Change Cipher Spec
   10                            <-       Finished
12. Ephemeral keys: Perfect Forward Secrecy
   88% of hosts prefer forward secrecy.
   Perfect Forward Secrecy automatically and frequently changes the keys used to encrypt and decrypt information, exposing only a small portion of sensitive user data if the latest key is compromised. A unique key is used for each connection.

   Cipher suite                  Encryption key size  Key exchange mechanism
   ECDHE-RSA-AES128-GCM-SHA256   128 bit              ECDH, encryption: AES, MAC: SHA256
   ECDHE-RSA-AES128-SHA          128 bit              ECDH, encryption: AES, MAC: SHA1
   ECDHE-RSA-AES256-SHA          256 bit              ECDH, encryption: AES, MAC: SHA1
   ECDHE-RSA-3DES-EDE-SHA        168 bit              ECDH, encryption: 3DES, MAC: SHA1
   ECDHE-RSA-RC4128-SHA          128 bit              ECDH, encryption: RC4, MAC: SHA1
14. Firewall performance tests conducted by NSS Labs
   - Response time increased by 672%
   - 60% drop in the average throughput
   [Diagram: Users -> Next-Gen Firewall, Web Gateway, DLP, Anti-Malware, IPS, Next-Gen Firewall -> Internet / Apps; each device in the chain must decrypt, inspect and re-encrypt the traffic]
16. Purpose-built solution for orchestration of inbound/outbound SSL/TLS traffic
   [Diagram: Users <-> SSL Orchestrator <-> Internet / Apps, with the inspection devices attached to the SSL Orchestrator: Next-Gen Firewall, Next-Gen IPS, Malware Protection, Secure Web Gateway, Data Loss Prevention, Other]
17. Visibility is not enough
   Still requires manual “daisy-chaining” or tedious configurations across the security stack.
18. SSL Orchestration: more than visibility
   - Broad topology and device support
   - Dynamic service chaining
   - Policy-based traffic steering
   - Advanced monitoring, load balancing, and scaling
   - Centralised and simplified management of certificates and keys
   - Proxy-level control over ciphers and protocols
20. Traffic classifier engine
   [Diagram: Incoming Traffic -> Traffic Classifier Engine (contextual classification engine) -> Service Chain]
   Rich set of traffic selectors: Source Addr., Dest. Addr., Dest. Port, IP Geo, Domain Name, IPI Cat., URL Cat., Protocol
   Decrypt and steer to service chain based on policy match; bypass, block and inspect actions.
   Example classifications: Banks, Healthcare -> Bypass; HTTP/HTTPS; Everything else
21. SSL Orchestrator (inbound: Users -> Apps)
   - Policy-Based Traffic Steering on: Source IP, Destination IP, IP intelligence category, URL filtering category, IP geolocation, Host and domain name, Destination port, Protocol
   - SSL/TLS Termination and Inspection (In / Out)
   - Dynamic Service Chaining: chainX, chainY, bypass, reject
   - Inspection services: Web Application Firewall, IDS/IPS, Customer Experience Solutions
22. SSL Orchestrator (outbound: Users -> Internet)
   - Policy-Based Traffic Steering on: Source IP, Destination IP, IP intelligence category, URL filtering category, IP geolocation, Host and domain name, Destination port, Protocol
   - SSL/TLS Termination and Inspection (In / Out)
   - Dynamic Service Chaining: chainX, chainY, bypass, reject
   - Inspection services: IDS/IPS, Malware Sandbox, Secure Web Gateway, Next-Gen Firewall, Data Loss Prevention
26. Create services, then chain services
   Services by insertion mode: Inline Layer 2, Receive Only, Inline Layer 3, Inline Layer 3, ICAP, ICAP
   Service chains by traffic class:
   - Suspect IP dest.: Receive Only -> Inline Layer 3 -> Inline Layer 2 -> Inline Layer 3
   - Partner domains: Inline Layer 3 -> Inline Layer 2 -> Inline Layer 3
   - Requires PCI data privacy: Receive Only
   - Risky web sites: Receive Only -> Inline Layer 3 -> Inline Layer 2 -> Inline Layer 3 -> ICAP -> ICAP
   Security inspection devices can be grouped, monitored, scaled, and load balanced independently.
   Policy-based traffic steering directs traffic through the appropriate service chain based on risk and context.
27. Enterprise Key Management
   - Secure Vault: software-based encrypted storage system for securing cryptographic keys with the highest performance
   - Internal HSM: physical hardware designed to generate, store, and protect keys with high performance
   - Network HSM: integration with leading network-based hardware for use with all appliances, chassis, and virtual editions
   - Cloud HSM: integration for high-assurance encryption services fit for the cloud
   HSM = Hardware Security Module
28. Untrusted networks and security services
   [Diagram: untrusted networks and security services; further detail not recoverable]
   Source: Technical Alert 17-318A, National Cybersecurity and Communications Integration Center (NCCIC), November 2017
30. SSL Orchestrator key use cases
   - SSL/TLS visibility and orchestration
   - Maximised security investments
   - Risk management and privacy
31. Integrations
   - F5 BIG-IP and Symantec DLP
   - F5 BIG-IP and Palo Alto Networks NGFW
   - F5 BIG-IP and FireEye NX
33. Summary
   - Deploy into any environment: offer ease of integration with unique network topologies and security inspection devices
   - Go beyond visibility: provide centralised decryption and policy-based traffic steering across multiple security tools
   - Dynamically chain services: remove limitations of daisy-chaining and manual configuration