SlideShare uma empresa Scribd logo

F5 TLS & SSL Practices

Brian A. McHenry
Brian A. McHenry

Best practices and trends around SSL and TLS encryption.

Tecnologia
1 de 34
Baixar para ler offline
SSL/TLS Trends, Practices, and Futures Brian A. McHenry, Security Solutions Architect bam@f5.com @bamchenry
© F5 Networks, Inc. 2 1. Global SSL Encryption Trends and Drivers 2. A Few “Best” Practices 3. Solutions 4. What’s Next? Agenda
© F5 Networks, Inc. 3 • Worldwide spending on information security will reach $71.1 billion in 2014 • Data loss prevention segment recording the fastest growth at 18.9 percent, • By 2015, roughly 10% of overall IT security enterprise product capabilities will be delivered in the cloud • Regulatory pressure will increase in Western Europe and Asia/Pacific from 2014 Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014
© F5 Networks, Inc. 4 IoEE-Commerce Privacy Mobility S n o w d e n Trajectory and Growth of Encryption Customer Trends: • PFS/ECC Demanded • SSL Labs Application Scoring Emerging Standards: • TLS 1.3, HTTP 2.0/SPDY • RSA -> ECC Thought Leaders and Influence: • Google: SHA2, SPDY, Search Ranking by Encryption • Microsoft: PFS Mandated MARKET AMPLIFIERS SSL growing ~30% annually. Entering the Fifth wave of transition (IoE) 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 1998 2002 2006 2010 2014 Source: Netcraft MillionsofCertificates(CA) Years
© F5 Networks, Inc. 5 Timeline of SSL Vulnerabilities & Attacks February 2010 September 2011 February 2013 March 2013 March 2013 … April 2014 RC4 Attacks Weakness in CBC cipher making plaintext guessing possible BEAST & CRIME Client-sideor MITB attacks leveraging a chosen-plaintext flaw in TLS 1.0 and TLS compression flaws RFC 5746 TLS extension for secure renegotiation quickly mainstreamed Lucky 13 Another timing attack. August 2009 August 2009 Insecure renegotiation vulnerability exposes all SSL stacks to DoS attack TIME A refinement and variation of CRIME Heartbleed The end of the Internet as we know it!
© F5 Networks, Inc. 6 And the Hits Just Keep on Coming…
© F5 Networks, Inc. 7 SSL  Intelligence  and   Visibility  (Full  Proxy) Enterprise  key  &  Certificate   Management   Advance  HSM  Support: • Highest  Performing   HSM   options • Virtualized   low-­‐bandwidth   options • Market  Leading  HSM   Vendor   Support   Market  Leading  Encryption:   • Optimized   SSL  in  Hardware   and  Software • Cipher  Diversity  (RSA,  ECC,   DSA) • SSL  Visibility:   Proxy  SSL  &   Forward  Proxy • SSL  Traffic  Intelligence: • HSTS,  HTTP  2.0/SPDY,   OCSP  Stapling,   TLS     Server  Session  Ticket Fully  Automated   Key  and   Certificate  Management:     • For  all  BIG-­‐IP  platforms • For  all  vendor   platforms • 3rd Party  Integration  for  best-­‐ in-­‐class  key  encryption:   Venafi,   Symantec/  VeriSign • PKI  Supported   Environments The Three Pillars of SSL Everywhere Hardware  Security  Modules  
© F5 Networks, Inc. 8 Data Protection:Microsoft and Google Expands Encryption
© F5 Networks, Inc. 9 Not all curves are considered equal Different Authorities: • US NIST (US National Institute of Standards) with 186-2 (recently superseded in 2009 by the new186-3) • US ANSI (American National Standard Institute) with X9.62 • US NSA (National Security Agency) Suite-B Cryptography for TOP SECRET information exchange • International SACG (Standards for efficient cryptography group) with Recommended Elliptic Curve Domain Parameters • German ECC Brainpool withECC Brainpool with their Strict Security Requirements • ECC Interoperability Forum composed by Certicom, Microsoft, Redhat, Sun, NSA If You Thought Encryption was confusing… ECC, PFS and Curves
© F5 Networks, Inc. 10 Not all curves are considered equal Different Names: • Secp256r1, Prime256v1, NIST P-256 • Secp384r1, NIST-P384 Different Kinds of Curves: • ECC over Prime Field (Elliptic Curve) • ECC over Binary Field (Koblitz Curve) Other Curves: • Curve25519 (Google) • Mumford (Microsoft) • Brainpool • DUAL_EC_RBNG If You Thought Encryption was confusing… ECC, PFS and Curves
Some SSL Best Practices
© F5 Networks, Inc. 12 • Google has begun adjusting page rank based on SSL implementations • F5 customers have third-party/B2B requirements for strong encryption • SSL Labs’ Pulse tool has made testing easy • Users and businesses are choosing services based on Pulse grades SSL: Not Just for Security
© F5 Networks, Inc. 13 • Set the option for Secure Renegotiation to “Require” • Disable SSLv2 and SSLv3 (DEFAULT in 11.5+) • Use an explicit, strong cipher string, such as: • !SSLv2:!EXPORT:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES- GCM:DHE+AES:DHE+3DES:RSA+AES-GCM:RSA+AES:RSA+3DES:-MD5:-SSLv3:-RC4 • Prefer Perfect Forward Secrecy (PFS) • Done via prioritizing Ephemeral (DHE, ECDHE) ciphers in the string above • Enable TLS_FALLBACK_SCSV extension • Enable HTTP Strict Transport Security (HSTS) • iRule prior to TMOS version 12.0 • Integrated into HTTP profile in next release Achieving A+ Grades on SSLLabs.com
© F5 Networks, Inc. 14 HTTP Strict Transport Security iRule when HTTP_RESPONSE { HTTP::header insert Strict-Transport-Security "max- age=[expr {$static::expires - [clock seconds]}]; includeSubDomains” }
© F5 Networks, Inc. 15 • RFC 6797 • HSTS is enabled by the “Strict-Transport-Security” HTTP header e.g.: Strict-Transport-Security: max-age=10886400; includeSubDomains; preload • When received, browsers will: • Automatically convert HTTP references to HTTPS references • Disallow certificate exemptions (self-signed, etc.) • Cache HSTS information and reuse stored values for new sessions New Feature: HTTP Strict Transport Security AVAILABLE IN 12.0
© F5 Networks, Inc. 16 HTTP Strict Transport Security Configuration HTTP Profile Screen
© F5 Networks, Inc. 17
© F5 Networks, Inc. 18 If I sound smart about crypto…
© F5 Networks, Inc. 19 SSL Feature Availability Feature TMOS TLS 1.2 10.2.3 ECC 11.4.0 PFS 11.4.0 SHA256 (SHA2) 10.2.3 SPDY 11.2.0 HTTP 2.0* 11.6.0 HSTS iRules/12.0 Feature TMOS Secure Renegotiation (RFC 5746) 10.2.3 TLS_FALLBACK_SCSV 11.5.0 Network HSM 11.2.1 Onboard HSM Y SNI 11.1.0 Hybrid Certificates (ECC & RSA)* 11.5.0
A Peek Under the Hood
© F5 Networks, Inc. 21 Network Session Application Web  application Physical Client  /  Server L4  Firewall:  Full  stateful  policy  enforcement  and  TCP  DDoS  mitigation SSL  inspection   and  SSL  DDoS  mitigation HTTP  proxy,  HTTP  DDoS  and  application  security Application   health  monitoring  and  performance  anomaly  detection Network Session Application Web  application Physical Client  /  Server Full Proxy Security Proxy  SSL  (Visibility) ASM SSL  Forward  Proxy   (Visibility) SWG
© F5 Networks, Inc. 22 Proxy Chain HUD chains are a series of filters which implement the configuration. The HUD chain is divided into two halves, client and server side. Filters on HUD chains usually are arranged as client/server pairs. The two halves are joined by the “proxy”. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • App “point of delivery & definition” • App Intelligence - layer 3- 7 visibility • Distinct client / server control • Unified services / context • Interoperability and gateway functions Intelligent Full Proxy Benefits BIG-IP Architecture – Proxy Chain
© F5 Networks, Inc. 23 Proxy Chain Each SSL filter handles connection to device on their side of the proxy. Normally, the two SSL filters operate completely independently. Between the two filters, all data is available unencrypted. To fully offload the backend server, remove the server side SSL filter. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • App “point of delivery & definition” • App Intelligence - layer 3- 7 visibility • Distinct client / server control • Unified services / context • Interoperability and gateway functions Intelligent Full Proxy Benefits BIG-IP Architecture – SSL Termination
© F5 Networks, Inc. 24 Data Center Proxy Chain Proxy SSL allows the client certificate to be presented to the server. Intermediary filters are disabled. SSL filters operate in monitor mode during the handshake. Post-handshake, SSL enables decryption and other filters. BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • Allows server to perform client cert auth • L7 content inspection after handshake • Certificate transparent to end user Intelligent Full Proxy Benefits BIG-IP Architecture – Proxy SSL
© F5 Networks, Inc. 25 Proxy Chain Forward SSL is used in Forward Proxy deployments. “Just in time” certificate creation is used to decrypt SSL connections. Enables policy based inspection of secure content. Requires the ability to create trusted certificates to work. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • Inspect secure traffic at network edge • Transparent to the end user • Policy based bypass by: • Source IP Address • Destination IP Address • Host Name (SAN,CN,SNI) Forward SSL Proxy Benefits BIG-IP Architecture – Forward SSL
What’s Next?
© F5 Networks, Inc. 27 A Quick Primer on Certificate Revocation • If a SSL certificate is stolen or compromised, sites need a way to revoke the certificate so it will no longer be trusted. Revocation is handled by either CRL or OCSP. • CRL: Certificate Revocation List • The browser retrieves the list of all revoked certificates from the CA. • The browser then parses the whole list looking for the certificate in question. • OCSP: Online Certificate Status Protocol • The browser sends the certificate to the CA for validation. • The CA responds that the certificate is good, revoked, or unknown. • OCSP is more efficient than CRL, but there’s room for improvement! New Feature: OCSP Stapling AVAILABLE IN 11.6
© F5 Networks, Inc. 28 • OCSP and CRL checks add significant overhead: •DNS (1334ms) •TCP handshake (240ms) •SSL handshake (376ms) •Follow certificate chain (1011ms) •DNS to CA (300ms) •TCP to CA (407ms) •OCSP to CA #1 (598ms) •TCP to CA #2 (317ms) •OCSP to CA #2 (444ms) •Finish SSL handshake (1270ms) < T O TA L : 6 . 3 S e c o n d s > • Add up the time for each step and you'll see that over 30% of the SSL overhead comes from checking whether the certificate has been revoked. • These checks are serial and block downloads. OCSP & CRL Checks Hurt Performance This portion is revocation check overhead.
© F5 Networks, Inc. 29 • OCSP Stapling allows the server to attach CA signed information regarding the certificates validity. • Processing with OCSP enabled: •DNS (1334ms) •TCP handshake (240ms) •SSL handshake (376ms) •Follow certificate chain (1011ms) •Process OCSP Data (10ms) •Finish SSL handshake (1270ms) < T O TA L : 4 . 2 S e c o n d s > O C S P S t a p l i n g a l s o e l i m i n a t e s c o m m u n i c a t i o n w i t h a t h i r d p a r t y d u r i n g c e r t i f i c a t e v a l i d a t i o n . T h i s m a y b e c o n s i d e r e d b e t t e r s e c u r i t y s i n c e i t p r e v e n t s i n f o r m a t i o n l e a k a g e . OCSP Stapling to the Rescue
© F5 Networks, Inc. 30 OCSP Stapling Configuration Changes to ‘Proxy Pool’ when ‘Use Proxy Server’ is enabled
© F5 Networks, Inc. 31 OCSP Stapling Configuration Profile Location Assignment to Client SSL Profile
© F5 Networks, Inc. 32 • SSL termination and inspection from BIG-IP® Local Traffic Manager™ (LTM) • Hybrid cipher support for ECC and RSA ciphers • SSL crypto-offload for additional SSL capacity • Integration with network HSMs from SafeNet and Thales for key management SSL Everywhere RA – Bringing it all Together
© F5 Networks, Inc. 33 SSL Everywhere
F5 TLS & SSL Practices

Recomendados

F5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsF5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsDenis Kolegov
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanLior Rotkovitch
 
F5 DDoS Protection
F5 DDoS ProtectionF5 DDoS Protection
F5 DDoS ProtectionMarketingArrowECS_CZ
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices Lior Rotkovitch
 
BIG IP F5 GTM Presentation
BIG IP F5 GTM PresentationBIG IP F5 GTM Presentation
BIG IP F5 GTM PresentationPCCW GLOBAL
 
F5 Solutions for Service Providers
F5 Solutions for Service ProvidersF5 Solutions for Service Providers
F5 Solutions for Service ProvidersBAKOTECH
 
LTM essentials
LTM essentialsLTM essentials
LTM essentialsbharadwajv
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityMarketingArrowECS_CZ
 

Recomendados

F5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsF5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsDenis Kolegov
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanLior Rotkovitch
 
F5 DDoS Protection
F5 DDoS ProtectionF5 DDoS Protection
F5 DDoS ProtectionMarketingArrowECS_CZ
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices Lior Rotkovitch
 
BIG IP F5 GTM Presentation
BIG IP F5 GTM PresentationBIG IP F5 GTM Presentation
BIG IP F5 GTM PresentationPCCW GLOBAL
 
F5 Solutions for Service Providers
F5 Solutions for Service ProvidersF5 Solutions for Service Providers
F5 Solutions for Service ProvidersBAKOTECH
 
LTM essentials
LTM essentialsLTM essentials
LTM essentialsbharadwajv
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityMarketingArrowECS_CZ
 
Presentation f5 – beyond load balancer
Presentation f5 – beyond load balancerPresentation f5 – beyond load balancer
Presentation f5 – beyond load balancerxKinAnx
 
Presentacion Palo Alto Networks
Presentacion Palo Alto NetworksPresentacion Palo Alto Networks
Presentacion Palo Alto NetworksLaurent Daudré-Vignier
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application SecurityMarketingArrowECS_CZ
 
Bug bounty
Bug bountyBug bounty
Bug bountyn|u - The Open Security Community
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering conceptMostafa El Lathy
 
CNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationSam Bowne
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleHimani Singh
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection Lior Rotkovitch
 
14 palo alto quality of service(qos) concept
14 palo alto quality of service(qos) concept14 palo alto quality of service(qos) concept
14 palo alto quality of service(qos) conceptMostafa El Lathy
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing ReportAman Srivastava
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
11 palo alto user-id concepts
11 palo alto user-id concepts11 palo alto user-id concepts
11 palo alto user-id conceptsMostafa El Lathy
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLFn|u - The Open Security Community
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
Big ip f5 ltm load balancing methods
Big ip f5 ltm load balancing methodsBig ip f5 ltm load balancing methods
Big ip f5 ltm load balancing methodsUtpal Sinha
 
F5's IP Intelligence Service
F5's IP Intelligence ServiceF5's IP Intelligence Service
F5's IP Intelligence ServiceF5 Networks
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXCisco Canada
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficShain Singh
 

Mais conteúdo relacionado

Mais procurados

Presentation f5 – beyond load balancer
Presentation f5 – beyond load balancerPresentation f5 – beyond load balancer
Presentation f5 – beyond load balancerxKinAnx
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering conceptMostafa El Lathy
 
CNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationSam Bowne
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleHimani Singh
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection Lior Rotkovitch
 
14 palo alto quality of service(qos) concept
14 palo alto quality of service(qos) concept14 palo alto quality of service(qos) concept
14 palo alto quality of service(qos) conceptMostafa El Lathy
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing ReportAman Srivastava
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
11 palo alto user-id concepts
11 palo alto user-id concepts11 palo alto user-id concepts
11 palo alto user-id conceptsMostafa El Lathy
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
Big ip f5 ltm load balancing methods
Big ip f5 ltm load balancing methodsBig ip f5 ltm load balancing methods
Big ip f5 ltm load balancing methodsUtpal Sinha
 
F5's IP Intelligence Service
F5's IP Intelligence ServiceF5's IP Intelligence Service
F5's IP Intelligence ServiceF5 Networks
 

Mais procurados (20)

Presentation f5 – beyond load balancer
Presentation f5 – beyond load balancerPresentation f5 – beyond load balancer
Presentation f5 – beyond load balancer
 
Presentacion Palo Alto Networks
Presentacion Palo Alto NetworksPresentacion Palo Alto Networks
Presentacion Palo Alto Networks
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application Security
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering concept
 
CNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking Authentication
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection
 
14 palo alto quality of service(qos) concept
14 palo alto quality of service(qos) concept14 palo alto quality of service(qos) concept
14 palo alto quality of service(qos) concept
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
11 palo alto user-id concepts
11 palo alto user-id concepts11 palo alto user-id concepts
11 palo alto user-id concepts
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
 
Big ip f5 ltm load balancing methods
Big ip f5 ltm load balancing methodsBig ip f5 ltm load balancing methods
Big ip f5 ltm load balancing methods
 
F5's IP Intelligence Service
F5's IP Intelligence ServiceF5's IP Intelligence Service
F5's IP Intelligence Service
 

Semelhante a F5 TLS & SSL Practices

Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXCisco Canada
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficShain Singh
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitToni de la Fuente
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebCASCouncil
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Arnaud Le Hors
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL ProcessRocket Software
 
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastrukturyPlnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastrukturyPROIDEA
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...OnBoard Security, Inc. - a Qualcomm Company
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentKurtis Kemple
 
F5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 RoadshowF5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 Roadshowpatmisasi
 
Cisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna centerCisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna centerCisco Canada
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & ComplianceAmazon Web Services
 
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Meghan Weinreich
 
F5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric SecurityF5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric SecurityTzoori Tamam
 
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini SummitF5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summitkimw001
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsHoneywell
 
Mastering the move
Mastering the moveMastering the move
Mastering the moveTrivadis
 
Purpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White PaperPurpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White Paper Array Networks
 

Semelhante a F5 TLS & SSL Practices (20)

Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern Traffic
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
NetScaler 11 Update
NetScaler 11 UpdateNetScaler 11 Update
NetScaler 11 Update
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL Process
 
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastrukturyPlnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your Environment
 
F5 TMOS v13.0
F5 TMOS v13.0F5 TMOS v13.0
F5 TMOS v13.0
 
F5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 RoadshowF5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 Roadshow
 
Cisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna centerCisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna center
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
 
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
 
F5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric SecurityF5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric Security
 
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini SummitF5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
 
Mastering the move
Mastering the moveMastering the move
Mastering the move
 
Purpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White PaperPurpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White Paper
 

Último

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 

Último (20)

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

F5 TLS & SSL Practices

  • 1. SSL/TLS Trends, Practices, and Futures Brian A. McHenry, Security Solutions Architect bam@f5.com @bamchenry
  • 2. © F5 Networks, Inc. 2 1. Global SSL Encryption Trends and Drivers 2. A Few “Best” Practices 3. Solutions 4. What’s Next? Agenda
  • 3. © F5 Networks, Inc. 3 • Worldwide spending on information security will reach $71.1 billion in 2014 • Data loss prevention segment recording the fastest growth at 18.9 percent, • By 2015, roughly 10% of overall IT security enterprise product capabilities will be delivered in the cloud • Regulatory pressure will increase in Western Europe and Asia/Pacific from 2014 Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014
  • 4. © F5 Networks, Inc. 4 IoEE-Commerce Privacy Mobility S n o w d e n Trajectory and Growth of Encryption Customer Trends: • PFS/ECC Demanded • SSL Labs Application Scoring Emerging Standards: • TLS 1.3, HTTP 2.0/SPDY • RSA -> ECC Thought Leaders and Influence: • Google: SHA2, SPDY, Search Ranking by Encryption • Microsoft: PFS Mandated MARKET AMPLIFIERS SSL growing ~30% annually. Entering the Fifth wave of transition (IoE) 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 1998 2002 2006 2010 2014 Source: Netcraft MillionsofCertificates(CA) Years
  • 5. © F5 Networks, Inc. 5 Timeline of SSL Vulnerabilities & Attacks February 2010 September 2011 February 2013 March 2013 March 2013 … April 2014 RC4 Attacks Weakness in CBC cipher making plaintext guessing possible BEAST & CRIME Client-sideor MITB attacks leveraging a chosen-plaintext flaw in TLS 1.0 and TLS compression flaws RFC 5746 TLS extension for secure renegotiation quickly mainstreamed Lucky 13 Another timing attack. August 2009 August 2009 Insecure renegotiation vulnerability exposes all SSL stacks to DoS attack TIME A refinement and variation of CRIME Heartbleed The end of the Internet as we know it!
  • 6. © F5 Networks, Inc. 6 And the Hits Just Keep on Coming…
  • 7. © F5 Networks, Inc. 7 SSL  Intelligence  and   Visibility  (Full  Proxy) Enterprise  key  &  Certificate   Management   Advance  HSM  Support: • Highest  Performing   HSM   options • Virtualized   low-­‐bandwidth   options • Market  Leading  HSM   Vendor   Support   Market  Leading  Encryption:   • Optimized   SSL  in  Hardware   and  Software • Cipher  Diversity  (RSA,  ECC,   DSA) • SSL  Visibility:   Proxy  SSL  &   Forward  Proxy • SSL  Traffic  Intelligence: • HSTS,  HTTP  2.0/SPDY,   OCSP  Stapling,   TLS     Server  Session  Ticket Fully  Automated   Key  and   Certificate  Management:     • For  all  BIG-­‐IP  platforms • For  all  vendor   platforms • 3rd Party  Integration  for  best-­‐ in-­‐class  key  encryption:   Venafi,   Symantec/  VeriSign • PKI  Supported   Environments The Three Pillars of SSL Everywhere Hardware  Security  Modules  
  • 8. © F5 Networks, Inc. 8 Data Protection:Microsoft and Google Expands Encryption
  • 9. © F5 Networks, Inc. 9 Not all curves are considered equal Different Authorities: • US NIST (US National Institute of Standards) with 186-2 (recently superseded in 2009 by the new186-3) • US ANSI (American National Standard Institute) with X9.62 • US NSA (National Security Agency) Suite-B Cryptography for TOP SECRET information exchange • International SACG (Standards for efficient cryptography group) with Recommended Elliptic Curve Domain Parameters • German ECC Brainpool withECC Brainpool with their Strict Security Requirements • ECC Interoperability Forum composed by Certicom, Microsoft, Redhat, Sun, NSA If You Thought Encryption was confusing… ECC, PFS and Curves
  • 10. © F5 Networks, Inc. 10 Not all curves are considered equal Different Names: • Secp256r1, Prime256v1, NIST P-256 • Secp384r1, NIST-P384 Different Kinds of Curves: • ECC over Prime Field (Elliptic Curve) • ECC over Binary Field (Koblitz Curve) Other Curves: • Curve25519 (Google) • Mumford (Microsoft) • Brainpool • DUAL_EC_RBNG If You Thought Encryption was confusing… ECC, PFS and Curves
  • 11. Some SSL Best Practices
  • 12. © F5 Networks, Inc. 12 • Google has begun adjusting page rank based on SSL implementations • F5 customers have third-party/B2B requirements for strong encryption • SSL Labs’ Pulse tool has made testing easy • Users and businesses are choosing services based on Pulse grades SSL: Not Just for Security
  • 13. © F5 Networks, Inc. 13 • Set the option for Secure Renegotiation to “Require” • Disable SSLv2 and SSLv3 (DEFAULT in 11.5+) • Use an explicit, strong cipher string, such as: • !SSLv2:!EXPORT:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES- GCM:DHE+AES:DHE+3DES:RSA+AES-GCM:RSA+AES:RSA+3DES:-MD5:-SSLv3:-RC4 • Prefer Perfect Forward Secrecy (PFS) • Done via prioritizing Ephemeral (DHE, ECDHE) ciphers in the string above • Enable TLS_FALLBACK_SCSV extension • Enable HTTP Strict Transport Security (HSTS) • iRule prior to TMOS version 12.0 • Integrated into HTTP profile in next release Achieving A+ Grades on SSLLabs.com
  • 14. © F5 Networks, Inc. 14 HTTP Strict Transport Security iRule when HTTP_RESPONSE { HTTP::header insert Strict-Transport-Security "max- age=[expr {$static::expires - [clock seconds]}]; includeSubDomains” }
  • 15. © F5 Networks, Inc. 15 • RFC 6797 • HSTS is enabled by the “Strict-Transport-Security” HTTP header e.g.: Strict-Transport-Security: max-age=10886400; includeSubDomains; preload • When received, browsers will: • Automatically convert HTTP references to HTTPS references • Disallow certificate exemptions (self-signed, etc.) • Cache HSTS information and reuse stored values for new sessions New Feature: HTTP Strict Transport Security AVAILABLE IN 12.0
  • 16. © F5 Networks, Inc. 16 HTTP Strict Transport Security Configuration HTTP Profile Screen
  • 17. © F5 Networks, Inc. 17
  • 18. © F5 Networks, Inc. 18 If I sound smart about crypto…
  • 19. © F5 Networks, Inc. 19 SSL Feature Availability Feature TMOS TLS 1.2 10.2.3 ECC 11.4.0 PFS 11.4.0 SHA256 (SHA2) 10.2.3 SPDY 11.2.0 HTTP 2.0* 11.6.0 HSTS iRules/12.0 Feature TMOS Secure Renegotiation (RFC 5746) 10.2.3 TLS_FALLBACK_SCSV 11.5.0 Network HSM 11.2.1 Onboard HSM Y SNI 11.1.0 Hybrid Certificates (ECC & RSA)* 11.5.0
  • 20. A Peek Under the Hood
  • 21. © F5 Networks, Inc. 21 Network Session Application Web  application Physical Client  /  Server L4  Firewall:  Full  stateful  policy  enforcement  and  TCP  DDoS  mitigation SSL  inspection   and  SSL  DDoS  mitigation HTTP  proxy,  HTTP  DDoS  and  application  security Application   health  monitoring  and  performance  anomaly  detection Network Session Application Web  application Physical Client  /  Server Full Proxy Security Proxy  SSL  (Visibility) ASM SSL  Forward  Proxy   (Visibility) SWG
  • 22. © F5 Networks, Inc. 22 Proxy Chain HUD chains are a series of filters which implement the configuration. The HUD chain is divided into two halves, client and server side. Filters on HUD chains usually are arranged as client/server pairs. The two halves are joined by the “proxy”. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • App “point of delivery & definition” • App Intelligence - layer 3- 7 visibility • Distinct client / server control • Unified services / context • Interoperability and gateway functions Intelligent Full Proxy Benefits BIG-IP Architecture – Proxy Chain
  • 23. © F5 Networks, Inc. 23 Proxy Chain Each SSL filter handles connection to device on their side of the proxy. Normally, the two SSL filters operate completely independently. Between the two filters, all data is available unencrypted. To fully offload the backend server, remove the server side SSL filter. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • App “point of delivery & definition” • App Intelligence - layer 3- 7 visibility • Distinct client / server control • Unified services / context • Interoperability and gateway functions Intelligent Full Proxy Benefits BIG-IP Architecture – SSL Termination
  • 24. © F5 Networks, Inc. 24 Data Center Proxy Chain Proxy SSL allows the client certificate to be presented to the server. Intermediary filters are disabled. SSL filters operate in monitor mode during the handshake. Post-handshake, SSL enables decryption and other filters. BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • Allows server to perform client cert auth • L7 content inspection after handshake • Certificate transparent to end user Intelligent Full Proxy Benefits BIG-IP Architecture – Proxy SSL
  • 25. © F5 Networks, Inc. 25 Proxy Chain Forward SSL is used in Forward Proxy deployments. “Just in time” certificate creation is used to decrypt SSL connections. Enables policy based inspection of secure content. Requires the ability to create trusted certificates to work. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • Inspect secure traffic at network edge • Transparent to the end user • Policy based bypass by: • Source IP Address • Destination IP Address • Host Name (SAN,CN,SNI) Forward SSL Proxy Benefits BIG-IP Architecture – Forward SSL
  • 27. © F5 Networks, Inc. 27 A Quick Primer on Certificate Revocation • If a SSL certificate is stolen or compromised, sites need a way to revoke the certificate so it will no longer be trusted. Revocation is handled by either CRL or OCSP. • CRL: Certificate Revocation List • The browser retrieves the list of all revoked certificates from the CA. • The browser then parses the whole list looking for the certificate in question. • OCSP: Online Certificate Status Protocol • The browser sends the certificate to the CA for validation. • The CA responds that the certificate is good, revoked, or unknown. • OCSP is more efficient than CRL, but there’s room for improvement! New Feature: OCSP Stapling AVAILABLE IN 11.6
  • 28. © F5 Networks, Inc. 28 • OCSP and CRL checks add significant overhead: •DNS (1334ms) •TCP handshake (240ms) •SSL handshake (376ms) •Follow certificate chain (1011ms) •DNS to CA (300ms) •TCP to CA (407ms) •OCSP to CA #1 (598ms) •TCP to CA #2 (317ms) •OCSP to CA #2 (444ms) •Finish SSL handshake (1270ms) < T O TA L : 6 . 3 S e c o n d s > • Add up the time for each step and you'll see that over 30% of the SSL overhead comes from checking whether the certificate has been revoked. • These checks are serial and block downloads. OCSP & CRL Checks Hurt Performance This portion is revocation check overhead.
  • 29. © F5 Networks, Inc. 29 • OCSP Stapling allows the server to attach CA signed information regarding the certificates validity. • Processing with OCSP enabled: •DNS (1334ms) •TCP handshake (240ms) •SSL handshake (376ms) •Follow certificate chain (1011ms) •Process OCSP Data (10ms) •Finish SSL handshake (1270ms) < T O TA L : 4 . 2 S e c o n d s > O C S P S t a p l i n g a l s o e l i m i n a t e s c o m m u n i c a t i o n w i t h a t h i r d p a r t y d u r i n g c e r t i f i c a t e v a l i d a t i o n . T h i s m a y b e c o n s i d e r e d b e t t e r s e c u r i t y s i n c e i t p r e v e n t s i n f o r m a t i o n l e a k a g e . OCSP Stapling to the Rescue
  • 30. © F5 Networks, Inc. 30 OCSP Stapling Configuration Changes to ‘Proxy Pool’ when ‘Use Proxy Server’ is enabled
  • 31. © F5 Networks, Inc. 31 OCSP Stapling Configuration Profile Location Assignment to Client SSL Profile
  • 32. © F5 Networks, Inc. 32 • SSL termination and inspection from BIG-IP® Local Traffic Manager™ (LTM) • Hybrid cipher support for ECC and RSA ciphers • SSL crypto-offload for additional SSL capacity • Integration with network HSMs from SafeNet and Thales for key management SSL Everywhere RA – Bringing it all Together
  • 33. © F5 Networks, Inc. 33 SSL Everywhere