© 2016 F5 Networks
Nobody Does SSL Better

Worldwide ADC market share, 1Q 2016*: 45.4%

Trusted by: 30 of the top 30 US commercial banks • All 15 executive departments of the US Cabinet • 48 of the Fortune 50

Scale • Performance • Purpose Built • Secure
• F5 develops its own native SSL stack
• "A Grade" SSL rating out-of-the-box
• Technology: only SSL mirroring and hybrid crypto offload
• Highest rating for performance-oriented SSL features
• 240K SSL TPS and 80 Gbps of SSL

#1 Leader in SSL Offload Since 2001

* Source: IDC
Top SSL Features Supported on One Platform
Source: https://istlsfastyet.com/

| Server      | Session identifiers | Session tickets | OCSP stapling | Dynamic record sizing | ALPN | Forward secrecy | HTTP/2 |
|-------------|---------------------|-----------------|---------------|-----------------------|------|-----------------|--------|
| Apache      | Yes | Yes | Yes      | Yes           | Yes | Yes | Yes |
| ATS         | Yes | Yes | Yes      | Yes           | Yes | Yes | Yes |
| bud         | No  | Yes | Yes      | Static        | Yes | Yes | No  |
| Brocade vTM | Yes | No  | Yes      | No            | Yes | Yes | Yes |
| F5 BIG-IP   | Yes | Yes | Yes      | Yes           | Yes | Yes | Yes |
| H2O         | Yes | Yes | Yes      | Static (1.4k) | Yes | Yes | Yes |
| HAProxy     | Yes | Yes | Yes      | Dynamic       | Yes | Yes | No  |
| Hitch       | Yes | Yes | Yes      | No            | No  | Yes | No  |
| IIS         | Yes | Yes | Yes      | No            | Yes | Yes | Yes |
| NetScaler   | Yes | No  | No       | No            | Yes | Yes | Yes |
| NGINX       | Yes | Yes | Yes      | Static (16k)  | Yes | Yes | Yes |
| node.js     | Yes | Yes | Optional | Optional      | Yes | Yes | Yes |
| Go          | Yes | Yes | Optional | No            | Yes | Yes | Yes |
| nghttpx     | Yes | Yes | Yes      | Dynamic       | Yes | Yes | Yes |
How to Check if You Got It Right…

[SSL Labs report: Summary, overall rating A+. Certificate 100; Protocol Support 95; Key Exchange 100; Cipher Strength 90]

Documentation: SSL/TLS Deployment Best Practices, SSL Server Rating Guide, and OpenSSL Cookbook.
This server is not vulnerable to the Heartbleed attack. (Experimental.)
This server supports HTTP Strict Transport Security with long duration. Grade set to A+.
F5: A Proven and Trusted Leader in SSL
Offering a complete range of enterprise-class features

• Hybrid Crypto Offload
• Cipher Diversity
• Data Protection
• Visibility and Control
• Key Protection
• SSL Attack Prevention
• Key Lifecycle Management
• Hybrid Environments
• Hardware Security Modules
• SSL Intercept
• Virtual Patching
• Key and Certificate Management

Platforms: Virtual Edition • Chassis • Appliance
Use Case 1: SSL Offload

Specifics: Terminate SSL @ F5; unencrypted traffic to servers
Benefits: Security outside/performance inside • Faster server response • Reduced overhead • Reduced bandwidth • Support any IDS/IPS

[Diagram: clients reach the enterprise servers over SSL from the Internet; BIG-IP (with HSM) performs SSL offloading and leakage prevention, and traffic to the servers is unencrypted so an IDS/IPS can inspect it]
Use Case 2: SSL Offload (Transformation)

Specifics: Terminate SSL @ F5; re-encrypt traffic to servers
Benefits: Manage, adapt, optimize • Support any IDS/IPS • Reduce overhead

[Diagram: clients use strong SSL across the Internet to BIG-IP (with HSM), which performs SSL offloading and leakage prevention and re-encrypts toward the enterprise servers with weaker server-side SSL, with an IDS/IPS inspecting in between]
SSL is growing and that presents a challenge for our customers.

Most network architectures are obsolete. They are not built for SSL encryption. Enabling SSL on NG security products impacts performance (80% degradation).

Cyber criminals are growing more sophisticated and evasive in their attacks.

Traditional network architectures are built for little or no encryption. Attackers are planting SSL-encrypted malware on compromised servers to evade network monitoring. Without security tools to inspect SSL traffic, attacker actions can go undetected.

[Diagram: unencrypted and encrypted threats from untrusted networks pass through security services (IPS, DLP, SWG, any security) toward apps and resources; the encrypted path is the SSL blind spot, shown at 70%]
Encryption Creates a Blind Spot in Your Network
Making the security tools you trust and rely on less effective

[Diagram: traffic transitioning from unencrypted to 100% SSL; as more flows become SSL, the SSL blind spot grows]

How much risk are you willing to accept?
Significant Performance Loss with SSL Across Vendors

• Visibility is reduced due to the growth of SSL usage
• Malware uses encrypted channels to evade detection
• … for decryption is a significant undertaking

[Charts: Next-Gen IPS Performance Impact (Threat Defense, No SSL Support) and Next-Gen Firewall Performance Impact; performance bars labelled 100%, 79% and 75%. Source: NSS Labs and vendor data]

Enabling SSL on a firewall, SWG, or an IPS will reduce the overall performance of the appliance, often by more than 80%.
F5 SSL Orchestrator
Provides decryption and encryption of SSL traffic, enabling traffic inspection

[Diagram: users and apps on either side of F5 SSL Orchestrator, which feeds decrypted traffic to: Next-Gen Firewall • Next-Gen IPS • Malware Protection • Secure Web Gateway • UX Monitoring • Other…]

Eliminate the security blind spot
The SSL Visibility Vision

Customer scenarios: A: Internet data center (inbound) • B: Corporate Internet access (outbound)

Corporate Internet Access, SSL Inspection, HSM, SSL Offload, NG-IPS, and Passive Monitoring

SSL Visibility • Cipher Diversity • Secure Architecture • Performance • Key Protection
Scale-Out for Growth • Defense-in-Depth • Strategic Point of Control

[Diagram: remote users and the Internet reach a network firewall; a DMZ with an SSL appliance fronts the web/application servers and website (scenario A) and the corporate network with its employees (scenario B); security services (IPS, SWG, DLP, any security) sit behind the SSL appliance, alongside NG-IPS, Web Application Firewall, Passive Monitor, Web Filtering, External SSL Offload and HSM elements]
The First SSL Intercept Implementation: Version 1.0 (iApp)

• HTTP header signaling from ingress to egress
• Limited security service support in the iApp
• Static "service chaining"
• Simple to modify
• Basis for current customer solutions

[Diagram: Two-box SSL Intercept (client, ingress BIG-IP, inspection zone with L3 services, egress BIG-IP, out) and One-box SSL Intercept (client, BIG-IP with an inspection zone for L3 and L2 services, egress, out)]
The First SSL Intercept Implementation: Version 1.0 derivatives

• SSL Intercept is typically deployed as a single or HA pair of devices.
• It can also be deployed as separate devices, in which case the egress point is physically separated from ingress, providing an additional (physical) inspection zone and doubled SSL/TLS throughput.

[Diagram: client to ingress BIG-IP (decryption, SSL forward proxy handshakes) through a service chain to egress BIG-IP (re-encryption) and out; services shown: ICAP DLP devices, passive tap devices, reporting services, advanced firewall, secure web gateway, BlueCoat and FireEye appliances; route or proxy chaining with failure bypass at each service point]
Hybrid Crypto Services (SSL Virtual Offload)

Problem: SSL and virtual edition scalability • Legacy hardware support • Hybrid (DC + cloud)
Main benefits: Leverage all SSL hardware acceleration resources regardless of location or type • Virtual editions (12.0) • ECC support (13.0) • Legacy BIG-IP devices (13.1)

VE per application: • Per-app deployment • Software flexibility • Multi-tenant
SSL resource pool: • Offload SSL • Hardware acceleration • Pool resources

[Diagram: user to BIG-IP platform (VE); SSL external crypto offload to the SSL resource pool]
Hybrid Crypto Offload Services

[Chart: SSL performance, VE standalone vs. SSL crypto offload. VE standalone: 100% vCPU utilization, 1,500 TPS. SSL crypto offload: 34% vCPU utilization, 5,700 TPS, 66% more capacity]

Hybrid deployments can do more L4–7 application service workloads than standalone VEs.
A single 10200V should be able to serve 5 VEs at this rate.
Scaling Crypto Capacity

[Diagram: a BIG-IP (VE or physical) with a VIP and pool acts as a remote crypto client; many remote crypto clients are served by a set of remote crypto servers]
SSL Session (11.6) and Connection Mirroring (12.0)

Problem: Applications that require long-lived connections will break in the event of a failover. Recovery can be complicated by the computationally intense SSL handshake re-negotiation, making it difficult to ramp back up. Transactions will fail, impacting revenue.
Use case: HTTP/2.0 will drive more SSL adoption. Customers that require extended HA support for SSL connections: • ATMs • Streaming video • Gaming • IoT
Solution: SSL Session and Connection Mirroring

[Diagram: SSL mirroring between an active traffic group and a standby (passive) traffic group; each side runs TCP proxy, SSL and TCP layers, and proxy connect, SSL handshake and ip_input state is mirrored from active to standby]
Industry Best Practices with Flexibility
Strategic Point of Control for Policy Enforcement

From: • 1k keys • No SSL • HTTP 1.1
To: • ECC • PFS • HSTS • HTTP 2.0 • 2k/4k keys

Recommendations:
• Use trusted Certificate Authority (CA)
• Use only TLS 1.1 or 1.2
• Use SHA-2 algorithm or look to migrate
• Set cipher suites excluding weak ciphers
• Set Perfect Forward Secrecy (PFS)
• Disable client initiated renegotiation
• Encrypt 100% of the site
• Deploy HTTP Strict Transport Security (HSTS)

Regulatory compliance:
• PCI DSS 4.1: Requires use of cryptography over public networks
• PCI DSS 3.5.2: Keys must be stored securely within an HSM
• Global organizations: EU Safe Harbor
• Public companies: Sarbanes-Oxley
• EU Data Protection Directive
• EU General Data Protection Regulation

[Diagram: remote users connect through the ADC platform to apps]
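The recommendations above can be turned into a mechanical check. The following is an added example, not F5 code or anything from the deck: a Python audit of a server profile (protocols, cipher suites, certificate signature, renegotiation setting, HTTPS coverage and HSTS header) against each recommendation; the 180-day HSTS threshold and the two sample profiles are constructed assumptions.

```python
import re

# Minimum HSTS max-age treated as "long duration": 180 days. This threshold is an
# assumption borrowed from SSL Labs' A+ rule; the slide itself gives no number.
HSTS_MIN_MAX_AGE = 180 * 24 * 3600
# Substrings of OpenSSL-style suite names that mark a cipher suite as weak.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def audit_tls_profile(profile):
    """Check one server profile (a dict shaped like the samples below) against the
    deck's recommendations and return the list of findings (empty = compliant)."""
    findings = []
    bad = sorted(set(profile["protocols"]) - {"TLSv1.1", "TLSv1.2"})
    if bad:
        findings.append("protocols outside TLS 1.1/1.2 enabled: " + ", ".join(bad))
    if not re.search(r"sha(2|256|384|512)", profile["cert_signature"], re.I):
        findings.append("certificate not signed with SHA-2: " + profile["cert_signature"])
    ciphers = [c.upper() for c in profile["ciphers"]]
    weak = [c for c in ciphers if any(w in c for w in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    # PFS requires an ephemeral (ECDHE or DHE) key exchange in every enabled suite.
    no_pfs = [c for c in ciphers if not c.startswith(("ECDHE", "DHE"))]
    if no_pfs:
        findings.append("suites without forward secrecy: " + ", ".join(no_pfs))
    if profile["client_renegotiation"]:
        findings.append("client-initiated renegotiation is enabled")
    if not profile["all_https"]:
        findings.append("site is not served 100% over HTTPS")
    m = re.search(r"max-age=(\d+)", profile["hsts"] or "", re.I)
    if not m:
        findings.append("HSTS header not deployed")
    elif int(m.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append(f"HSTS max-age {m.group(1)} is below {HSTS_MIN_MAX_AGE}s")
    return findings


# Constructed sample profiles, not measurements of any real server.
LEGACY_PROFILE = {
    "protocols": ["SSLv3", "TLSv1", "TLSv1.2"], "cert_signature": "sha1WithRSAEncryption",
    "ciphers": ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    "client_renegotiation": True, "all_https": False, "hsts": None,
}
HARDENED_PROFILE = {
    "protocols": ["TLSv1.2"], "cert_signature": "sha256WithRSAEncryption",
    "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305"],
    "client_renegotiation": False, "all_https": True,
    "hsts": "max-age=31536000; includeSubDomains",
}
```

Running `audit_tls_profile(LEGACY_PROFILE)` returns one finding per violated recommendation, while the hardened profile returns an empty list.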
F5 Security Certifications and Compliance
https://f5.com/about-us/compliance-and-certifications

• (NIST) FIPS 140-2
• NIST SP 800-53r4
• DNSSEC
• USGv6 (IPv6)
• NIAP CC EAL2+ & EAL4+
• JTIC PKE Certification
• DISA UC-APL (TN#1312201): IA Tool
• US Army's IA-APL
• ICSA Certifications: WAF, Network Firewall, IPSEC, SSL-TLS VPN
• C&A (RMF) Current ATO
• F5 Device STIG/SRG
• DISA • NMCI • JWICS • SOCOM and CENTCOM • ARMY • USMC • NAVY • AF
Comprehensive SSL Lifecycle Management Throughout Physical, Virtual, and Cloud Environments

• Internal HSM: Physical hardware designed to generate, store, and protect keys with high performance
• Network HSM: Integration with leading network-based hardware for use with all appliances, chassis, and virtual editions
• Secure Vault: Software-based encrypted storage system for securing cryptographic keys with the highest performance
• Cloud HSM: Integration for high-assurance encryption services fit for the cloud
• Enterprise Key and Certificate Management: Open APIs to automate management for the digital certificate and encryption key technologies used by today's enterprises
Key Protection and Lifecycle Management

FIPS 140-2 Level 2/3 for all platforms with Network HSM

[Diagram: ADC platform fronting apps and DNS over HTTPS; the server certificate and its key are held in a network HSM, with certificate management handled through EKCM]
F5 SSL Orchestrator Solution Highlights

• Gain visibility into SSL traffic: with centralized SSL decryption across multiple security tools
• Dynamically chain services: based on context-based policy to efficiently deploy security
• Flexible deployment options: provides ease of integration with unique network topologies

• Protect existing investments in security infrastructure with better availability and utilization
• Automatically insert security services with the appropriate configurations and policies
• Prevent attacks at stages of the attack including exploitation, callback, and data exfiltration
Policy-Based Dynamic Service Chaining

"We field over 12 different security services, and we struggle with using all of them effectively."
"We (currently) chain the security services statically leading to over provisioning and investment overruns."
"We want to pre-filter traffic going to (our firewall) so we make more effective use of them."

[Diagram: (1) a classification engine evaluates each connection and (2, 3) steers it into one of three service chains: FIREWALL → IDS → WAF; FIREWALL → IPS → WAF → DLP; FIREWALL → IPS → WAF → DLP → FORENSICS]

Classification engine inputs: • Domain name • URL filtering category • Destination port • Protocol • Source IP • Destination IP • IP intelligence • IP geolocation
• Allows determination of decryption, OR selection of services based on connection context
• Policy based, dynamic
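As an added illustration, not F5 code or part of the deck, the following Python sketch shows how a classification engine could map the connection-context inputs listed above to a decrypt-or-bypass decision and one of the three service chains drawn on the slide; the categories, networks, reputation list, placeholder geolocation code and sample flows are all constructed assumptions.

```python
import ipaddress

# The three service chains drawn on the slide, in increasing depth of inspection.
CHAIN_LIGHT = ["FIREWALL", "IDS", "WAF"]
CHAIN_STANDARD = ["FIREWALL", "IPS", "WAF", "DLP"]
CHAIN_FULL = ["FIREWALL", "IPS", "WAF", "DLP", "FORENSICS"]

# Constructed policy data. In a deployment these come from the URL filtering,
# IP intelligence and geolocation feeds the slide lists as classification inputs.
BYPASS_CATEGORIES = {"financial", "health"}   # privacy-sensitive: do not decrypt
RISKY_CATEGORIES = {"uncategorized", "file-sharing"}
HIGH_RISK_GEO = {"XX"}                        # placeholder country code
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BAD_REPUTATION = {ipaddress.ip_address("203.0.113.7")}  # TEST-NET-3 sample address


def classify(ctx):
    """Map one connection context to a policy decision:
    {"decrypt": bool, "chain": [services...]}. Only TLS flows can be decrypted."""
    src = ipaddress.ip_address(ctx["src_ip"])
    dst = ipaddress.ip_address(ctx["dst_ip"])
    is_tls = ctx["protocol"] == "https" or ctx["dst_port"] == 443
    outbound = any(src in net for net in CORPORATE_NETS)
    if is_tls and ctx["category"] in BYPASS_CATEGORIES:
        # Regulated content stays encrypted end to end but still passes the firewall.
        return {"decrypt": False, "chain": ["FIREWALL"]}
    threat = (src in BAD_REPUTATION or dst in BAD_REPUTATION
              or ctx["geo"] in HIGH_RISK_GEO)
    if threat:
        chain = CHAIN_FULL       # preserve evidence: add forensics capture
    elif not outbound or ctx["category"] in RISKY_CATEGORIES:
        chain = CHAIN_STANDARD   # inbound to the data center, or risky outbound
    else:
        chain = CHAIN_LIGHT      # trusted outbound browsing
    return {"decrypt": is_tls, "chain": chain}


SAMPLE_FLOWS = {  # constructed connection contexts, not captured traffic
    "banking": {"src_ip": "10.1.2.3", "dst_ip": "198.51.100.10", "dst_port": 443,
                "protocol": "https", "category": "financial", "geo": "US"},
    "bad_dest": {"src_ip": "10.1.2.3", "dst_ip": "203.0.113.7", "dst_port": 443,
                 "protocol": "https", "category": "uncategorized", "geo": "US"},
    "inbound": {"src_ip": "192.0.2.55", "dst_ip": "10.20.0.5", "dst_port": 443,
                "protocol": "https", "category": "business", "geo": "DE"},
    "plain": {"src_ip": "10.1.2.3", "dst_ip": "198.51.100.20", "dst_port": 80,
              "protocol": "http", "category": "news", "geo": "US"},
}

if __name__ == "__main__":
    for name, ctx in SAMPLE_FLOWS.items():
        print(name, classify(ctx))
```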
Service Configuration

• Receive only (IDS, forensics)
• Layer 2: inline (IPS, Sandbox, NGFW)
Troubleshooting Decryption

• Decryption by site
• Decryption traffic per security service