Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
PRESENTED BY:
SSL Technologies Update
1994 1995 1999 2006 2008 2018
SSL1 and SSL2
Netscape project that contained
significant flaws
SSL3Netscape addresses SSL2 flaws
TLS 1.0Standardized SSL3 with almost no changes RFC2246
TLS 1.1Security fixes and TLS extensions RFC4346
TLS 1.2Added support for authenticated encryption (AES-GCM, CCM modes) and removed hard-coded primitives RFC5246
TLS 1.3Signficiant overhaul, requiring PFS, removing weak ciphers. Allows 0-RTT and 1-RTT handshakes.RFC Draft
History
History
2009 2011 2013 2014 2015 2016
InsecureRenegotiation
BeastCrime
RC4Time
Lucky 13
Heartbleed PoodleDire
FreakLogJam
Drown
2017
Robot
2018
?
Revelations of privacy
2009 2011 2013 2014 2015 2016
InsecureRenegotiation
BeastCrime
RC4Time
Lucky 13
Heartbleed PoodleDire
FreakLogJam
Drown
2017
Robot
2018
?
Snowden
Motivation
2009 2011 2013 2014 2015 2016
InsecureRenegotiation
BeastCrime
RC4Time
Lucky 13
Heartbleed PoodleDire
FreakLogJam
Drown
2017
Robot
2018
?
Snowden Page rankIncentives
Must use TLSv1.2Must support ephemeral key exchange >= 2048b
Technology advances
2009 2011 2013 2014 2015 2016
InsecureRenegotiation
BeastCrime
RC4Time
Lucky 13
Heartbleed PoodleDire
FreakLogJam
Drown
2017
Robot
2018
?
Snowden Page rankIncentives
Emergingtechnologies
Regulatory compliance
2009 2011 2013 2014 2015 2016
InsecureRenegotiation
BeastCrime
RC4Time
Lucky 13
Heartbleed PoodleDire
FreakLogJam
Drown
2017
Robot
2018
?
Snowden Page rankincentives
Emergingtechnologies
Regulatoryrequirements
Lower barrier to entry
2009 2011 2013 2014 2015 2016
InsecureRenegotiation
BeastCrime
RC4Time
Lucky 13
Heartbleed PoodleDire
FreakLogJam
Drown
2017
Robot
2018
?
Snowden Page rankIncentives
Emergingtechnologies
Regulatoryrequirements Accessibility
2009 2011 2013 2014 2015 2016
InsecureRenegotiation
BeastCrime
RC4Time
Lucky 13
Heartbleed PoodleDire
FreakLogJam
Drown
2017
Robot
2018
?
Quantifiable security
Snowden Page rankIncentives
Emergingtechnologies
Regulatoryrequirements Accessibility Qualified
grading
60% 75%
37 71
TLS is still growing (Google report)
70%
Nobody does SSL better
F5 develops its own native SSL stack
“A Grade” SSL rating out-of-the-box
SSL mirroring and hybrid crypto offload
Highest rated performance-oriented SSL features
240K SSL TPS and 80 Gbps of SSL#1
Worldwide ADC Market Share 1Q 2016*
45.4%
* Source IDC
SSL strategy and roadmap
• TLS 1.3 tolerance
• F5 cipher suite builder
• Dynamic CA bundle update
• External crypto offload
• SSL visibility
• SSL connection mirroring
• OCSP stapling
• C3D – phase one
• TLS 1.3 – phase one
• Curve25519
• TLS 1.3 – phase two
• DH 2048
• ChaCha20-Poly1305
• 0-RTT
• C3D – phase two
BIG-IP 14.0 BIG-IP 14.1
TLS 1.3 support
Library Used By 18 19 20 21 22 23 24 25 26 27 28
F5 TMM BIG-IP x xNSS Firefox x xmiTLS Microsoft xBoringSSL Google/Chrome xWireshark Wireshark x x x x x x x x x x xpicotls H2O Server x x x xSecure Transport Apple (Mac) xsChannel Windows (Edge+)OpenSSL Most Servers / Tools x x xwolfSSL MySQL x x x x xGnuTLS Synology x??? Opera xtlslite-ng Python Lib xSwiftTLS Apple x x
Client Certificate Constrained Delegation
Model 1: Local Delegate Model 2: Remote Delegate
FIPS and key management
FIPS and key management
F5 FIPS and key management
20
OrganizationManagement
DomainManagement
User Account Creation
Certificate Management
Order Submission
Order StatusMonitoring
User API Authentication Key Creation
CA Server
Certificate Validation
Certificate Manager from CA or third-party solutions
Stages BIG-IP/BIG-IQ are interested in
Certificate Installation
Renew/Update/Revoke
12
43 5 6
78
Symantec (now DigiCert) Comodo
F5 FIPS and key management
1. Vendor agnostic - simply install per vendor instructions
2. Point BIG-IP to use the new vendor PKCS#11 library
3. On-box test of basic PKCS#11 APIs per library
4. Advanced configuration - HSM partition/slot by name/label
5. Concurrent access to multiple HSM partitions/slots• Multi-tenancy support (cloud use-case)• Per-App HSM partition/slot allocation
6. Easy integration with new PKCS#11 HSMs• Ability to link any new vendor PKCS#11 library without code changes• A basic test utility to test and validate basic PKCS#11 APIs calls• Robust set of regression tests run with each F5 release
Performance
Visibilitydon’t
do
Users / Devices
User
InternetFirewall
🛑🛑Multiple SSL/TLS intercept points
🛑🛑
🛑🛑
🛑🛑
The daisy chain of security servicesdecrypt encrypt
inspect
encryptdecryptinspect
encryptdecryptinspect
decrypt encryptinspect
IPSDLPWeb Gateway Anti-Malware
Users / Devices
User
InternetFirewall
✅Single SSL/TLS intercept point
✅
✅
✅
High performance decryption and encryption of SSL traffic
IPSDLPWeb Gateway Anti-Malware
Policy-based dynamic service chaining
What’s new in 4.0