Protection and Visibitlity of Encrypted Traffic by F5
•Download as PPTX, PDF•
0 likes•616 views
Protection and Visibitlity of Encrypted Traffic by F5
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Protection and Visibitlity of Encrypted Traffic by F5
Similar to Protection and Visibitlity of Encrypted Traffic by F5 (20)
More from Bangladesh Network Operators Group
More from Bangladesh Network Operators Group (20)
Recently uploaded
Recently uploaded (20)
Protection and Visibitlity of Encrypted Traffic by F5
- 1. 1 Protection and Visibility of Encrypted Traffic Mashiur Rahman Systems Engineer (F5 Networks) April 29, 2019
- 2. 2 70% Source: Sandvine, Global Internet Phenomena Spotlight, 2016
- 3. 3 SSL - Privacy is NOT Security
- 4. 4 SSL - Privacy is NOT Security
- 5. 5 So what’s the problem?
- 7. 7
- 8. 8 DLP Fire- walls Anti Virus APTIDS/ IPS Your security tools are now ineffective
- 9. 9
- 10. 10 “But my inspection devices can decrypt SSL”
- 11. 11 But wait, there’s more!
- 12. 12 Traditional SSL Daisy-Chain Network Design SSL Visibility Web Gateway DLP/ICAP IDS/TAP IPS/NGFW decrypt encrypt decrypt encrypt decrypt encrypt decrypt encrypt inspect inspect inspect inspect % • Multiple Intercept Points • Multiple Points of Failure • Increased Latency • Increased Complexity • Complicated troubleshooting • Performance Impacts Challenges & Realities of Daisy-Chaining • Impacts “Perfect” Forward Secrecy • Reduced Security ROI • Must go through every service • Over-subscribing services • Complicated Mesh HA Designs • Bypass on failure (added Hardware) Application Server
- 13. 13
- 14. 14 So How Does SSL Security Service Help for Encrypted Traffic?
- 16. 16 Full Proxy Security PHYSICAL CLIENT/SERVER NETWORK SESSION APPLICATION WEB APPLICATION NETWORK SESSION APPLICATION WEB APPLICATION PHYSICAL CLIENT/SERVER L4Firewall:FullstatefulpolicyenforcementandTCPDDoS mitigation SSLinspectionandSSLDDoS mitigation HTTPproxy,HTTPDDoS andapplicationsecurity Applicationhealthmonitoringandperformanceanomalydetection
- 17. 17 SSL Security Service Engine User Internet DMZ Firewall IDS/TAPDLP/ICAP IPS/NGFWWeb Gateway Users/Devices SSL Security Service Orchestration Server Firewall Application Server
- 18. 18 A Functional Overview SSL Security Service Orchestration • IP Reputation • Source IP • Destination IP • IP Geolocation • Destination Port • Domain Name/SNI • URL Filtering Category • Protocol SSLDecryption [Intercept/Bypass] Classification SSLEncrpytion The proxy architecture allows for independent control of client-side and server-side ciphers and protocols, and is impervious to mismatch conditions. Cipher Diversity SSL Security Service Engine client-side server-side Ingress (inbound) & Egress (outbound) flow. SSLFlow SSL Decryption occurs based on classification Service Chain assigned. Action is either to Intercept (decrypt) or Bypass. Application
- 19. 19 Classification A Functional Overview SSL Security Service Orchestration SSLDecryption [Intercept/Bypass] Web Gateway IDS/TAP DLP/ICAP IPS/NGFW • Inline HTTP (Web Proxy) • Inline Layer 3 • Inline Layer 2 • DLP/ICAP • TAP Security Devices. Dynamic Device Support Application
- 20. 20 Classification A Functional Overview SSL Security Service Orchestration SSLDecryption [Intercept/Bypass] SSLEncrpytion Web Gateway IDS/TAP DLP/ICAP IPS/NGFW IDS/TAP IPS/NGFWOther Decryption [Intercept] Re-Encryption Web Gateway DLP/ICAP IDS/TAP IPS/NGFWHTTPS Decryption [Intercept] Re-Encryption IPS/NGFWFinance Decryption [BYPASS] Classification Context-based classification policies allow different types of traffic to flow through different chains of reusable security services Dynamic Service Chaining Dynamic Service Chain Application
- 21. 21 Classification A Functional Overview SSL Security Service Orchestration SSLDecryption [Intercept/Bypass] SSLEncrpytion Web Gateway IDS/TAP DLP/ICAP IPS/NGFW IDS/TAP IPS/NGFW Re-Encryption Web Gateway DLP/ICAP IDS/TAP IPS/NGFWHTTPS Decryption [Intercept] Re-Encryption IPS/NGFWFinance Decryption [BYPASS] Classification Other Decryption [Intercept] Context-based classification policies allow different types of traffic to flow through different chains of reusable security services Dynamic Service Chaining Dynamic Service Chain Application
- 22. 22 Classification A Functional Overview SSL Security Service Orchestration SSLDecryption [Intercept/Bypass] SSLEncrpytion Web Gateway IDS/TAP DLP/ICAP IPS/NGFW IDS/TAP IPS/NGFW Re-Encryption Web Gateway DLP/ICAP IDS/TAP IPS/NGFWHTTPS Decryption [Intercept] Re-Encryption IPS/NGFWFinance Decryption [BYPASS] Classification Other Decryption [Intercept] Context-based classification policies allow different types of traffic to flow through different chains of reusable security services Dynamic Service Chaining Dynamic Service Chain Application
- 23. 23 Classification A Functional Overview SSL Security Service Orchestration SSLEncrpytion IDS/TAP IPS/NGFWOther Decryption [Intercept] Re-Encryption Web Gateway DLP/ICAP IDS/TAP IPS/NGFWHTTPS Decryption [Intercept] Re-Encryption IPS/NGFWFinance Decryption [BYPASS] Classification A full proxy architecture provides for robust load balancing, monitoring and independent scaling of any number of security devices. Dynamic Scaling Dynamic Service Chain SSLDecryption [Intercept/Bypass] Web Gateway IDS/TAP DLP/ICAP IPS/NGFW % Application
- 24. 24 Classification A Functional Overview SSL Security Service Orchestration SSLDecryption [Intercept/Bypass] SSLEncrpytion Web Gateway IDS/TAP DLP/ICAP IPS/NGFW IDS/TAP IPS/NGFWOther Decryption [Intercept] Re-Encryption Web Gateway IDS/TAP IPS/NGFWHTTPS Decryption [Intercept] Re-Encryption IPS/NGFWFinance Decryption [BYPASS] Classification The ability to dynamically introduce and evaluate new services and service chains with test traffic before altering production designs. Dynamic Evaluation Dynamic Service Chains DLP/ICAPTest Traffic Decryption [Intercept] Re-EncryptionWeb Gateway IDS/TAP IPS/NGFW Application
- 25. 25
- 26. 26
Editor's Notes
- Note this presentation presumes Account Manager or Systems Engineer has already introduced SSL Visibility Challenges or highlighted the benefits and impacts of encryption to security. This is intended to be an animated, graphical representation of the key challenges in SSL Visibility and the solution set that SSL Orchestrator offers.
- Privacy and security concerns are driving encrypted traffic growth, which is expected to represent 70 percent of all Internet traffic this year. As more traffic is encrypted with SSL, the security tools that you trust and rely upon become less effective due to the increasing SSL blind spot. Source: https://www.sandvine.com/downloads/general/global-internet-phenomena/2015/encrypted-internet-traffic.pdf
- Using TLS To Hide Malware Google reports that 93% of web traffic it encounters uses encryption. That’s great – it means that network packets, which can hold any info you send or receive over the internet, from private communications to your credit card number, are very likely to be shielded from interception en route. Various types of malware have been coded to use TLS as a shield of their own, however. In 2016, Cisco reported some 12% of malware taking advantage of TLS protocol. One year later, Cyren claimed that 37% of malware was using HTTPS; while Zscaler saw closer to a 60% average. (Of course, these companies do have cybersecurity products to sell.)
- Using TLS To Hide Malware Google reports that 93% of web traffic it encounters uses encryption. That’s great – it means that network packets, which can hold any info you send or receive over the internet, from private communications to your credit card number, are very likely to be shielded from interception en route. Various types of malware have been coded to use TLS as a shield of their own, however. In 2016, Cisco reported some 12% of malware taking advantage of TLS protocol. One year later, Cyren claimed that 37% of malware was using HTTPS; while Zscaler saw closer to a 60% average. (Of course, these companies do have cybersecurity products to sell.)
- With more and more information being encrypted, customers are having a difficult time detecting and assessing threats in encrypted traffic. Organizations are effectively blind to potential threats; existing security architectures and security solutions are inadequate. This ultimately forces administrators to make a choice: let the traffic go uninspected, or suffer extreme application performance losses
- And those inspection devices are already doing a hard job.
- With more and more information being encrypted, customers are having a difficult time detecting and assessing threats in encrypted traffic. Organizations are effectively blind to potential threats; existing security architectures and security solutions are inadequate. This ultimately forces administrators to make a choice: let the traffic go uninspected, or suffer extreme application performance losses.
- [Red X] Impacts of outages in daisy chain [Yellow %] Impact of performance limits, capacity, usage or oversubscription Note: Caution, this demonstrates and “extreme” use case and most customers may just have 2 or 3 daisy chained systems. Customers may also use routing designs to fully bypass on failure (not ideal for security reasons or compliance reasons) but implemented in certain customer use cases. In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances your session keys will not be compromised even if the private key of the server is compromised.
- So one of F5's key differentiators and value-add with regard to security is the fact that we provide it on a full proxy architecture. And the value of a full proxy architecture for those who are not familiar can be analogous to the role that an escrow agent or an escrow officer might play in a real estate transaction. The reason for the escrow officer is to protect the buyer from the seller and the seller from the buyer by acting as an independent third party or a neutral third party to protect the buyer and the seller. And the role of this officer is also to inspect all elements of the transaction before allowing the transaction to be completed, safely and securely. And much in the same way F5's full proxy security looks and examines all elements within the OSI stack, because we are located at strategic points in the network and we are by nature inspecting that traffic, it allows us to understand what's happening and take action on that traffic, from an application perspective, from a session perspective and from a network session perspective, all throughout the stack. {NOTE TO SPEAKER: F5 Mitigation Technologies: Application: BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection Session: BIG-IP LTM and GTM: high scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation Network: BIG-IP LTM: SynCheck, default-deny posture, high-capacity connection table, full proxy traffic visibility, rate-limiting, strict TCP forwarding. Network layer bullets: L4 Stateful firewall – including TCP checksum checks, fragmentation and reassembly DDoS mitigation Session layer: SSL inspection SSL DDoS attacks Application Layer: OWASP top 10 Application content scrubbing (S -> C)}
- Starting point
- First pass – shows what's happening without SSL visibility Highlight Classification capabilities Highlight Cipher diversity and mismatch control Highlight Inbound/Outbound Decryption
- Highlight Device support
- Highlight Service Chaining: Shown HTTP Flow
- Highlight Service Chaining: Shown Other protocol flow with reduced service chain
- Highlight Service Chaining: Shown Bypass flow on URL Category Finance
- [Down Arrow] Talk about monitoring and bypass options [Red X ] Talk about system outage and scaling resources. [Green Circle & Arrow] Talk about upgrading scaled group without impact [Yellow %] Talk about scaling resources to address performance or bandwidth limits
- Talk about leveraging service chains and traffic classification to Dynamically evaluate new or upgraded security technologies
- SSLO labs