
SSL Visibility with Advanced Threat Protection
Danny Luedke, Product Marketing

© 2016 F5 Networks

Nobody Does SSL Better


Worldwide ADC Market Share 1Q 2016*: 45.4%

Trusted by: 30 of the top 30 US commercial banks; all 15 executive departments of the US Cabinet; 48 of the Fortune 50

Scale • Performance • Purpose Built • Secure

• F5 develops its own native SSL stack
• “A Grade” SSL rating out-of-the-box
• Only technology with SSL mirroring and hybrid crypto offload
• Highest rating for performance-oriented SSL features
• 240K SSL TPS and 80 Gbps of SSL

* Source: IDC

#1 Leader in SSL Offload Since 2001

Top SSL Features Supported on One Platform

Source: https://istlsfastyet.com/

| Server      | Session identifiers | Session tickets | OCSP stapling | Dynamic record sizing | ALPN | Forward secrecy | HTTP/2 |
|-------------|---------------------|-----------------|---------------|-----------------------|------|-----------------|--------|
| Apache      | Yes | Yes | Yes      | Yes           | Yes | Yes | Yes |
| ATS         | Yes | Yes | Yes      | Yes           | Yes | Yes | Yes |
| bud         | No  | Yes | Yes      | Static        | Yes | Yes | No  |
| Brocade vTM | Yes | No  | Yes      | No            | Yes | Yes | Yes |
| F5 BIG-IP   | Yes | Yes | Yes      | Yes           | Yes | Yes | Yes |
| H2O         | Yes | Yes | Yes      | Static (1.4k) | Yes | Yes | Yes |
| HAProxy     | Yes | Yes | Yes      | Dynamic       | Yes | Yes | No  |
| Hitch       | Yes | Yes | Yes      | No            | No  | Yes | No  |
| IIS         | Yes | Yes | Yes      | No            | Yes | Yes | Yes |
| NetScaler   | Yes | No  | No       | No            | Yes | Yes | Yes |
| NGINX       | Yes | Yes | Yes      | Static (16k)  | Yes | Yes | Yes |
| node.js     | Yes | Yes | Optional | Optional      | Yes | Yes | Yes |
| Go          | Yes | Yes | Optional | No            | Yes | Yes | Yes |
| nghttpx     | Yes | Yes | Yes      | Dynamic       | Yes | Yes | Yes |

How to Check if You Got It Right…

SSL Labs report (figure): overall rating A+, with component scores on a 0–100 scale: Certificate 100, Protocol Support 95, Key Exchange 100, Cipher Strength 90.

Documentation: SSL/TLS Deployment Best Practices, SSL Server Rating Guide, and OpenSSL Cookbook.

This server is not vulnerable to the Heartbleed attack. (Experimental.)

This server supports HTTP Strict Transport Security with long duration. Grade set to A+.

Full-Proxy Security

F5: A Proven and Trusted Leader in SSL
Offering a complete range of enterprise-class features

• Hybrid Crypto Offload
• Cipher Diversity
• Data Protection
• Visibility and Control
• Key Protection
• SSL Attack Prevention
• Key Lifecycle Management

Hybrid Environments • Hardware Security Modules • SSL Intercept • Virtual Patching • Key and Certificate Management

Platforms: Virtual Edition, Chassis, Appliance

Use Case 1: SSL Offload

Specifics: Terminate SSL at F5; unencrypted traffic to servers

Benefits: Security outside / performance inside • Faster server response • Reduced overhead • Reduced bandwidth • Support any IDS/IPS

Diagram labels: Clients, Internet, SSL Offloading, Leakage Prevention, HSM, Unencrypted, IDS/IPS, Enterprise Servers

Use Case 2: SSL Offload (Transformation)

Specifics: Terminate SSL at F5; re-encrypt traffic to servers

Benefits: Manage, adapt, optimize • Support any IDS/IPS • Reduce overhead

Diagram labels: Clients, Internet, Strong SSL (client side), SSL Offloading, Leakage Prevention, HSM, Weak SSL (server side), IDS/IPS, Enterprise Servers

SSL Visibility


SSL is growing and that presents a challenge for our customers.

Most network architectures are obsolete. They are not built for SSL encryption. Enabling SSL on NG security products impacts performance (80% degradation).

Cyber criminals are growing more sophisticated and evasive in their attacks.

Traditional network architectures are built for little or no encryption. Attackers are planting SSL-encrypted malware on compromised servers to evade network monitoring. Without security tools to inspect SSL traffic, attacker actions can go undetected.

Diagram labels: Unencrypted Threat, Encrypted Threat, Untrusted Networks, Security Services (IPS, DLP, SWG, Any Security), Apps / Resources, SSL BLIND SPOT, 70%

Encryption Creates a Blind Spot in Your Network
Making the security tools you trust and rely on less effective

Diagram: traffic transitioning from unencrypted to 100% SSL, with the encrypted share labelled “SSL Blind Spot”.

How much risk are you willing to accept?

Significant Performance Loss with SSL Across Vendors

Visibility is reduced due to the growth of SSL usage

Malware uses encrypted channels to evade detection

[…] for decryption is a significant undertaking

Charts: Next-Gen IPS Performance Impact; Next-Gen Firewall Performance Impact; Threat Defense: No SSL Support; values shown 100%, 79%, 75%. Source: NSS Labs and vendor data.

Enabling SSL on a firewall, SWG, or an IPS will reduce the overall performance of the appliance, often by more than 80%.

F5 SSL Orchestrator
Provides decryption and encryption of SSL traffic, enabling traffic inspection

Diagram labels: User, F5 SSL Orchestrator, Apps; attached inspection services: Next-Gen Firewall, Next-Gen IPS, Malware Protection, Secure Web Gateway, UX Monitoring, Other…

Eliminate the security blind spot

The SSL Visibility Vision

Diagram labels: Remote User, Internet, Network Firewall, DMZ, Corporate Network, Employees, User, Web/Application Servers, Website, HSM, SSL Appliance, External SSL Offload; Security Services (IPS, SWG, DLP, Any Security); Scale-Out for Growth; Defense-in-Depth; Strategic Point of Control.

Customer Scenarios: A: Internet data center (inbound); B: Corporate Internet access (outbound)

Scenario services: NG-IPS, Web Application Firewall, Passive Monitor, Web Filtering

SSL Visibility • Cipher Diversity • Secure Architecture • Performance • Key Protection

Corporate Internet Access, SSL Inspection, HSM, SSL Offload, NG-IPS, and Passive Monitoring

The First SSL Intercept Implementation
Version 1.0 (iApp)

• HTTP header signaling from ingress to egress
• Limited security service support in the iApp
• Static “service chaining”
• Simple to modify
• Basis for current customer solutions

Diagram: Two-box SSL Intercept and One-box SSL Intercept; labels: Client, BIG-IP, Ingress, Egress, Inspection Zone, L2 Services, L3 Services, Out

The First SSL Intercept Implementation
Version 1.0 derivatives

Diagram labels: Client, BIG-IP (Ingress), BIG-IP (Egress), Out; Decryption, Re-encryption; SSL forward proxy handshakes + Service Point; Route / Proxy Chaining; Failure bypass; Passive Tap Devices; ICAP DLP Devices; Reporting Services; Advanced Firewall; Secure Web Gateway; BlueCoat; FireEye

• SSL Intercept is typically deployed as a single or HA pair of devices.

• It can also be deployed as separate devices, in which case the egress point is physically separated from ingress, providing an additional (physical) inspection zone and doubled SSL/TLS throughput.

Hybrid Crypto Services

Hybrid Crypto Services (SSL Virtual Offload)

Problem: • SSL and virtual edition scalability • Legacy hardware support • Hybrid (DC + cloud)

Main Benefits: Leverage all SSL hardware acceleration resources regardless of location or type • Virtual editions (12.0) • ECC support (13.0) • Legacy BIG-IP devices (13.1)

Diagram: VE Per Application (• Per App Deployment • Software Flexibility • Multi-tenant) and SSL Resource Pool (• Offload SSL • Hardware Acceleration • Pool Resources); labels: User, BIG-IP Platform, SSL External Crypto Offload

Hybrid Crypto Offload Services

Chart (SSL Performance vs. vCPU Utilization): VE Standalone: 1,500 TPS at 100% vCPU utilization; SSL Crypto Offload: 5,700 TPS at 34% vCPU utilization, 66% capacity remaining (“More”).

Hybrid deployments can do more L4–7 application service workloads than standalone VEs.

A single 10200V should be able to serve 5 VEs at this rate.

Scaling Crypto Capacity

Diagram: multiple BIG-IP (VE or Physical) Remote Crypto Clients send SSL operations through a VIP to a Pool of Remote Crypto Servers.

SSL Session and Connection Mirroring

SSL Session (11.6) and Connection Mirroring (12.0)

Diagram (SSL Mirroring): Active Traffic Group and Standby Traffic Group, each with a TCP Proxy and SSL/TCP stacks on both sides; mirrored events labelled Proxy Connect, SSL Handshake, Ip_input.

Problem: Applications that require long-lived connections will break in the event of a failover. Recovery can be complicated by the computationally intense SSL handshake re-negotiation, making it difficult to ramp back up. Transactions will fail, impacting revenue.

Use Case: HTTP/2.0 will drive more SSL adoption. Customers that require extended HA support for SSL connections: • ATMs • Streaming Video • Gaming • IoT

Solution: SSL Session and Connection Mirroring

Encryption Policy Enforcement Gateway

Industry Best Practices with Flexibility
Strategic Point of Control for Policy Enforcement

Two profiles shown: • 1k Keys • No SSL • HTTP 1.1 versus • ECC • PFS • HSTS • HTTP 2.0 • 2k/4k Keys

Recommendations
• Use trusted Certificate Authority (CA)
• Use only TLS 1.1 or 1.2
• Use SHA-2 algorithm or look to migrate
• Set cipher suites excluding weak ciphers
• Set Perfect Forward Secrecy (PFS)
• Disable client initiated renegotiation
• Encrypt 100% of the site
• Deploy HTTP Strict Transport Security (HSTS)
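The recommendations above can be checked mechanically. The following is an added example (not F5's code or tooling): it audits a scanner-style summary of an endpoint against each item in the list, including parsing the HSTS header for a long max-age. The endpoint dicts are constructed, and the 180-day threshold for "long duration" is an assumption.

```python
# Added example, not F5 code: audit a constructed scanner-style endpoint summary
# against the deck's recommendations. ASSUMPTION: "long duration" HSTS = 180 days.
import re

WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "ANON")
LONG_HSTS = 180 * 24 * 3600
def parse_hsts(header):
    """Return the HSTS max-age in seconds, or None if header is missing or invalid."""
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age" and value.isdigit():
            return int(value)
    return None

def audit(ep):
    """Return the recommendations the endpoint violates (empty list = compliant)."""
    findings = []
    if not ep["issuer_trusted"]:
        findings.append("certificate not issued by a trusted CA")
    if set(ep["protocols"]) - {"TLSv1.1", "TLSv1.2"}:
        findings.append("protocols other than TLS 1.1/1.2 enabled")
    if not re.search(r"sha(256|384|512)", ep["signature_algorithm"], re.I):
        findings.append("certificate not signed with SHA-2")
    for suite in ep["ciphers"]:  # OpenSSL-style cipher suite names
        if any(m in suite.upper() for m in WEAK_MARKERS):
            findings.append("weak cipher enabled: " + suite)
        elif not suite.startswith(("ECDHE-", "DHE-")):
            findings.append("no forward secrecy: " + suite)
    if ep["client_renegotiation"]:
        findings.append("client-initiated renegotiation allowed")
    if not ep["http_redirects_to_https"]:
        findings.append("plain HTTP still served (site not 100% encrypted)")
    max_age = parse_hsts(ep["hsts_header"])
    if max_age is None:
        findings.append("HSTS not deployed")
    elif max_age < LONG_HSTS:
        findings.append("HSTS max-age shorter than 180 days")
    return findings

# Constructed summaries: the same site before and after hardening.
LEGACY = {"issuer_trusted": True, "protocols": ["SSLv3", "TLSv1", "TLSv1.2"],
          "signature_algorithm": "sha1WithRSAEncryption", "client_renegotiation": True,
          "ciphers": ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
          "http_redirects_to_https": False, "hsts_header": "max-age=300"}
HARDENED = {"issuer_trusted": True, "protocols": ["TLSv1.2"],
            "signature_algorithm": "sha256WithRSAEncryption", "client_renegotiation": False,
            "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384"],
            "http_redirects_to_https": True, "hsts_header": "max-age=31536000; includeSubDomains"}
```

`audit(LEGACY)` returns seven findings, one per violated recommendation, while `audit(HARDENED)` returns an empty list.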

Diagram labels: Remote Users, ADC Platform, Apps

Regulatory compliance: • PCI DSS 4.1: Requires use of cryptography over public networks • PCI DSS 3.5.2: Keys must be stored securely within an HSM • Global organizations: EU Safe Harbor • Public companies: Sarbanes-Oxley • EU Data Protection Directive • EU General Data Protection Regulation

Certifications and Compliance

F5 Security Certifications and Compliance
https://f5.com/about-us/compliance-and-certifications

• (NIST) FIPS 140-2
• NIST SP 800-53r4
• DNSSEC
• USGv6 (IPv6)
• NIAP CC EAL2+ & EAL4+
• JITC PKE Certification
• DISA UC-APL (TN#1312201): IA Tool
• US Army’s IA-APL
• ICSA Certifications: WAF, Network Firewall, IPSEC, SSL-TLS VPN
• C&A (RMF) Current ATO
• F5 Device STIG/SRG
• DISA • NMCI • JWICS • SOCOM and CENTCOM • ARMY • USMC • NAVY • AF

Hardware Security Modules and FIPS 140-2

Comprehensive SSL Lifecycle Management Throughout Physical, Virtual, and Cloud Environments

• Internal HSM: Physical hardware designed to generate, store, and protect keys with high performance
• Network HSM: Integration with leading network-based hardware for use with all appliances, chassis, and virtual editions
• Secure Vault: Software-based encrypted storage system for securing cryptographic keys with the highest performance
• Cloud HSM: Integration for high-assurance encryption services fit for the cloud
• Enterprise Key and Certificate Management: Open APIs to automate management for the digital certificate and encryption key technologies used by today’s enterprises

Key Protection and Lifecycle Management

Diagram labels: Network HSM, EKCM, Server Cert, Cert Mgmt, HTTPS, ADC Platform, Apps, DNS. FIPS 140-2 Level 2/3 for all platforms with Network HSM.

SSL Orchestrator Sneak Peek

F5 SSL Orchestrator Solution Highlights

Dynamically chain services: based on context-based policy to efficiently deploy security; automatically insert security services with the appropriate configurations and policies.

Flexible deployment options: provides ease of integration with unique network topologies; protect existing investments in security infrastructure with better availability and utilization.

Gain visibility into SSL traffic: with centralized SSL decryption across multiple security tools; prevent attacks at stages of the attack including exploitation, callback, and data exfiltration.


Policy-Based Dynamic Service Chaining

“We field over 12 different security services, and we struggle with using all of them effectively.”

“We (currently) chain the security services statically leading to over provisioning and investment overruns.”

“We want to pre-filter traffic going to (our firewall) so we make more effective use of them.”

Diagram: three example service chains: 1) FIREWALL, IDS, WAF; 2) FIREWALL, IPS, WAF, DLP; 3) FIREWALL, IPS, WAF, DLP, FORENSICS.

Classification Engine inputs: • Domain name • URL filtering category • Destination port • Protocol • Source IP • Destination IP • IP intelligence • IP geolocation

• Allows determination of decryption, OR selection of services based on connection context
• Policy based, dynamic
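As an added example (not F5's product or code), the following first-match policy engine shows how the classification inputs listed above can drive both the decrypt decision and the choice of service chain. Chain names follow the slide; the rules (evaluated in order, first match wins), categories, networks and addresses are constructed, and the firewall-only "bypass" chain for undecrypted flows is an assumption.

```python
# Added example, not F5 code: first-match policy engine mapping the slide's
# classification inputs to a decrypt decision and a service chain. Chain names
# follow the slide; rules, categories, networks and addresses are constructed.
import ipaddress

CHAINS = {"chain1": ["FIREWALL", "IDS", "WAF"],
          "chain2": ["FIREWALL", "IPS", "WAF", "DLP"],
          "chain3": ["FIREWALL", "IPS", "WAF", "DLP", "FORENSICS"],
          "bypass": ["FIREWALL"]}  # ASSUMPTION: undecrypted flows still pass the firewall

POLICY = [  # ordered; every condition listed in a rule must hold
    {"name": "known-bad", "ip_intel": {"malicious", "c2"},
     "decrypt": True, "chain": "chain3"},
    {"name": "privacy-bypass", "category": {"Financial", "Health"},
     "decrypt": False, "chain": "bypass"},
    {"name": "guest-wifi", "src_net": "10.50.0.0/16",
     "decrypt": True, "chain": "chain2"},
    {"name": "inbound-apps", "domain_suffix": ".example.com", "dst_port": {443},
     "decrypt": True, "chain": "chain2"},
    {"name": "default", "decrypt": True, "chain": "chain1"},
]

def matches(rule, ctx):
    """True when every condition present in the rule holds for the connection."""
    checks = (
        ("category", lambda v: ctx["category"] in v),
        ("dst_port", lambda v: ctx["dst_port"] in v),
        ("protocol", lambda v: ctx["protocol"] in v),
        ("domain_suffix", lambda v: ctx["domain"].endswith(v)),
        ("src_net", lambda v: ipaddress.ip_address(ctx["src_ip"]) in ipaddress.ip_network(v)),
        ("geo", lambda v: ctx["geo"] in v),
        ("ip_intel", lambda v: bool(set(ctx["ip_intel"]) & v)),
    )
    return all(test(rule[key]) for key, test in checks if key in rule)

def classify(ctx, policy=POLICY):
    """Return (rule name, decrypt?, ordered services) from the first matching rule."""
    for rule in policy:
        if matches(rule, ctx):
            return rule["name"], rule["decrypt"], CHAINS[rule["chain"]]
    raise LookupError("policy has no catch-all rule")

def base_ctx(**overrides):
    """Constructed connection context; overrides vary individual fields."""
    ctx = {"domain": "news.example.net", "category": "News", "dst_port": 443,
           "protocol": "https", "src_ip": "10.20.3.4", "dst_ip": "203.0.113.10",
           "geo": "US", "ip_intel": []}
    ctx.update(overrides)
    return ctx
```

Because rules are evaluated in order, a flow to a known-bad destination is decrypted and sent to the forensics chain even when its category would otherwise qualify it for the privacy bypass.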

Service Configuration
• Receive Only (IDS, forensics)
• Layer 2: Inline (IPS, Sandbox, NGFW)

Service Chaining

Dashboards

Cipher Analysis

Troubleshooting Decryption
• Decryption by site
• Decryption traffic per security service