The document discusses the challenges posed by network security blind spots, particularly due to increasing SSL usage, which can hinder threat detection and reduce the performance of security appliances. It outlines best practices for mitigating these risks, including the integration of Thales nShield HSM with F5 BIG-IP for enhanced key management and security. The results aim to optimize security stack performance, improve traffic visibility, and ensure compliance with regulatory standards.

1. www.thales-esecurity.com
Protecting Application
Delivery without Network
Security Blind Spots
Juan Asenjo, Thales e-Security
Don Laursen, F5 Networks

2. 2
▌ Juan Asenjo, Sr. Partner Manager, Thales e-Security
Juan has worked in the information security field for over 20 years. He has degrees in
engineering and business, he is a Certified Information System Security Professional, and is
currently working on a post-graduate degree. His experience includes over 10 years within the
Department of Defense as an engineer and as a civilian INFOSEC liaison with the U.S. Army-
Europe.
▌ Don Laursen, Sr. Product Manager, F5 Networks
Don has been in the technology industry for over 20 years. He is a member of IEEE, ACM, and
International Privacy Professional Association. He holds an MS in computer systems, is a
CISSP certified professional, and Certified Information Privacy Professional (CIPP/US and
CIPP/Europe). Prior to joining the private sector Don spent 10 years serving as a U.S. Naval
Cryptologist in an active-duty role and as a reservist.
Our Speakers

3. 3
Objectives
▌Describe how network security blind spots occur
▌Outline threat that they represent to organization
▌Define the best practices to protect against them
▌Explain how to configure a trusted secure system

4. 4
Introduction
SSL is growing and that
presents a challenge for
our customers

5. 5
Network Security Blind Spots
▌Hinders work of network security tools
Network health monitoring
DLP, IDS, IPS
Malware detection
▌ Requires visibility into network traffic
Security Dashboard (SIEMS)
Policy and Privacy Enforcement
Troubleshooting
ENCRYPTED

6. 6
Typical Security Stack
Users / Devices
User
InternetFirewall F5 BIG-IP Firewall
IPS
(Pool)
DLP
(Pool)
Web
Gateway
(Pool)
Anti-Malware
(Pool)
Decrypt and
Steer (based on
policy, bypass
options)
Re-
encrypt
ICAP
Inline Insertion
(L2 Mode)
1-Armed /
2-Armed
NGFW
(Pool)
Inline Insertion
(L3 Mode)

7. 7
Significant Performance Impact on Existing Security Stack
Visibility
is reduced due to the
growth of SSL usage
Malware
uses encrypted channels
to evade detection
Blind Spotsfor decryption is a
significant undertaking
Next-Gen Firewall
Performance Impact
%
79
Next-Gen IPS
Performance Impact
%
75
Threat Defense
No SSL Support
%
100
Enabling SSL on a firewall, SWG or an IPS
will reduce the overall performance of the
appliance, often by more than 80%
Performance

8. 8
Threat
▌Threat to your organization
ENCRYPTED

9. 9
Best Practices
▌Protecting against encryption blind spots with BIG-IP
Optimizes security stack through SSL offload
Centralized decrypt/encrypt capability
Support for latest ciphers and suites providing network traffic visibility
Flexible deployment to support diverse environments
▌SSL/TLS and encrypt/decrypt feature use crypto keys
Keys maintained in software can be exposed to threats
Increasing number of crypto keys are harder to manage
Customers require certified key protection for compliance

10. 10
F5 BIG-IP Solution
But critical keys can exist in
multiple places and are
vulnerable to physical and
software attacks
Connection
Origination

11. 11
F5 BIG-IP Solution with Thales nShield HSM
Connection
Origination Critical keys are protected and
managed in certified confined of
HSM and not exposed to physical
and software attacks

12. 12
Protecting and Managing the Keys
▌External nShield HSM enables enhanced security
Protects and manages critical SSL keys used by BIG-IP and
encrypt/decrypt feature
Isolate cryptography and keys in secure FIPS 140-2 Level 3 and
Common Criteria EAL 4+ boundary
Deliver lifecycle hardware key management, mitigates risks, and
facilitates regulatory compliance

13. 13
Value of HSM Integration
F5 BIG-IP
• Optimizes SSL traffic, response times, and customer experience
• Provide traffic visibility and prevent security blind spots
THALES
•Enhances security protecting crypto keys in dedicated hardware
•Provide dual controls facilitating auditing/regulatory compliance
INTEGRATION
• Delivers a proven solution with a strong and certified root of trust

14. 14
HSMs and Problems they Address
▌ What are HSMs?
Hardware Security Module
Hardened, tamper-resistant devices
isolated from host environment
Alternative to software crypto libraries
▌ What do HSMs do?
Secure cryptographic operations
Protect critical cryptographic keys
Segregate administration and
security domains and enforce policy
over the use of keys
nShield HSMs are FIPS
140-2 Level 3 and Common
Criteria EAL4+ certified

15. 15
Enhanced Security for Application Delivery Controllers
▌ Software-only system
▌ Numerous copies of keys
across system and backups
▌ Hardened security system
▌ Keys are segregated within isolated
security environment
Hardware
Security
Module
Software
environment
Application
Hardware platform
Hypervisor
Operating System
CPU
Memory Storage
Back-ups
Hardware
Security
Module
Software
environment
Application
Hardware platform
Hypervisor
Operating System
CPU
Memory Storage
Back-ups

16. 16
Root of Trust
▌Provides FIPS 140-2 and Common Criteria certified security
▌Isolates crypto keys and processes from host environment
▌Enforces dual controls and protects from rogue super users
▌Enhances security and ensures availability of critical keys
▌Facilitates security compliance, auditing, and reporting

17. 17
▌ Experience ‒ Leading global provider of data protection solutions for 40+ years
▌ Leadership ‒ HSMs help secure more than 80% of the world’s payment transactions
and most valuable corporate and government information
▌ Market focus ‒ Provides the best data protection solutions possible
▌ Independently certified ‒ Products certified to FIPS standards
▌ Expert advice ‒ Provides training and deployment assistance
Why Thales e-Security?
Banking Government Utilities High Tech Mobile

18. 18
Why F5?
▌ Experience ‒ 7+ Years providing SSL offload and transformation
▌ Leadership ‒ Gartner ADC Magic Quadrant Leader
▌ Market focus ‒ Application Availability, Security and Performance
▌ Certified ‒ Products certified for US Government and Global Markets
▌ Partnerships ‒ Marketing leading partnerships and ecosystem

19. 19
In Summary…
▌Preventing network security blind spots should be priority
▌ADCs increasingly taking on task/enabling traffic visibility
▌Solution delivers better performance and robust root of trust

20. 20
Time for Questions…
Thank you !
Juan Asenjo
+1.954.888.6202 / juan.asenjo@thalesesec.com
Don Laursen
+1.205.272.6860 / d.laursen@f5.com
@pgalvin63@asenjoJuan
@pgalvin63d.laursen@f5.com