Protection and Visibility of Encrypted Traffic by F5

Published in: Internet

  1. Protection and Visibility of Encrypted Traffic. Mashiur Rahman, Systems Engineer (F5 Networks), April 29, 2019
  2. 70% (share of Internet traffic that is encrypted; source: Sandvine, Global Internet Phenomena Spotlight, 2016)
  3. SSL: Privacy is NOT Security
  5. So what's the problem?
  6. What you intended: DLP, firewalls, anti-virus, APT detection and IDS/IPS all inspecting the traffic
  8. DLP, firewalls, anti-virus, APT detection, IDS/IPS: once the traffic is encrypted, your security tools are now ineffective, because none of them can see the payload
  10. "But my inspection devices can decrypt SSL"
  11. But wait, there's more!
  12. Traditional SSL daisy-chain network design: SSL Visibility → Web Gateway → DLP/ICAP → IDS/TAP → IPS/NGFW → Application Server, with every device doing its own decrypt → inspect → encrypt. Challenges and realities of daisy-chaining:
     • Multiple intercept points
     • Multiple points of failure
     • Increased latency
     • Increased complexity
     • Complicated troubleshooting
     • Performance impacts
     • Impacts "Perfect" Forward Secrecy (with ephemeral key exchange no device can decrypt passively from a copy of the server's private key, so every inspection point has to terminate TLS itself)
     • Reduced security ROI
     • Traffic must go through every service
     • Over-subscribing services
     • Complicated mesh HA designs
     • Bypass on failure (added hardware)
  14. So how does an SSL security service help with encrypted traffic?
  15. SSL Security Service Orchestration: introduction
  16. Full proxy security. The proxy terminates both sides of the connection, so the client side and the server side each have their own Physical, Client/Server Network, Session, Application and Web Application layers, and each control lives at its layer:
     • L4 firewall: full stateful policy enforcement and TCP DDoS mitigation
     • SSL inspection and SSL DDoS mitigation
     • HTTP proxy, HTTP DDoS mitigation and application security
     • Application health monitoring and performance anomaly detection
  17. SSL Security Service Engine topology: Users/Devices → Internet → DMZ Firewall → SSL Security Service Orchestration (with Web Gateway, DLP/ICAP, IDS/TAP and IPS/NGFW attached as services) → Server Firewall → Application Server
  18. A functional overview of SSL Security Service Orchestration: Classification → SSL Decryption [Intercept/Bypass] → security services → SSL Encryption → Application. Classification inputs:
     • IP reputation
     • Source IP
     • Destination IP
     • IP geolocation
     • Destination port
     • Domain name / SNI
     • URL filtering category
     • Protocol
     SSL flow: both ingress (inbound) and egress (outbound) traffic. SSL decryption occurs based on the classification and the service chain it assigns; the action is either Intercept (decrypt) or Bypass. Cipher diversity: the proxy architecture allows independent control of client-side and server-side ciphers and protocols, and is impervious to mismatch conditions (a client and a server that share no cipher suite can still be connected, since each side negotiates only with the proxy).
  19. Dynamic device support: security devices are inserted as inline HTTP (web proxy), inline Layer 3, inline Layer 2, DLP/ICAP or TAP.
  20. Dynamic service chaining: context-based classification policies allow different types of traffic to flow through different chains of reusable security services, for example:
     • Other: Decryption [Intercept] → IDS/TAP → IPS/NGFW → Re-encryption
     • HTTPS: Decryption [Intercept] → Web Gateway → DLP/ICAP → IDS/TAP → IPS/NGFW → Re-encryption
     • Finance: Decryption [BYPASS] → IPS/NGFW (the IPS/NGFW sees the still-encrypted stream)
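The classification step of slides 18 and 20, as an added worked example that is not F5's code: it pulls the SNI out of a TLS ClientHello and assigns the flow to one of the three chains drawn on slide 20. The match rules (which URL categories and SNI suffixes earn the Finance bypass, that a flagged destination is inspected before any bypass is considered, that SNI-less or non-443 TLS goes to the IDS/IPS-only chain), the reputation and category lookup results, and the sample addresses are all assumptions. Note that SNI is only a usable key while the ClientHello is sent in the clear; Encrypted ClientHello hides it, leaving destination IP, port and reputation as the classification inputs.

```python
import struct
from dataclasses import dataclass


def _u16(b, i):
    """Big-endian uint16 at offset i; ValueError if the buffer is too short."""
    if i + 2 > len(b):
        raise ValueError("truncated")
    return struct.unpack("!H", b[i:i + 2])[0]


def extract_sni(record):
    """server_name from a TLS ClientHello record (RFC 5246 framing, RFC 6066
    extension), or None if the bytes are not a ClientHello or carry no SNI."""
    try:
        if record[0] != 0x16:                       # not a Handshake record
            return None
        body = record[5:5 + _u16(record, 3)]
        if body[0] != 0x01:                         # not a ClientHello
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                # client_version + random
        pos += 1 + hello[pos]                       # session_id
        pos += 2 + _u16(hello, pos)                 # cipher_suites
        pos += 1 + hello[pos]                       # compression_methods
        if pos >= len(hello):                       # no extensions block
            return None
        end = pos + 2 + _u16(hello, pos)
        pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(hello, pos), _u16(hello, pos + 2)
            data = hello[pos + 4:pos + 4 + elen]
            if etype == 0 and data[2] == 0:         # server_name, name_type=host_name
                return data[5:5 + _u16(data, 3)].decode("ascii")
            pos += 4 + elen
    except (IndexError, ValueError, UnicodeDecodeError):
        pass
    return None


def build_client_hello(server_name):
    """Constructed ClientHello for offline use: TLS 1.2 record framing, one cipher
    suite, a supported_versions extension and, if given, an SNI extension."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # host_name entry
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(lst)) + lst            # extension type 0
    exts += struct.pack("!HH", 43, 3) + b"\x02\x03\x04"          # supported_versions
    hello = (b"\x03\x03" + bytes(32) + b"\x00"                   # version, random, no session id
             + struct.pack("!H", 2) + b"\x13\x01"                # TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                                       # null compression
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    client_hello: bytes
    url_category: str = "uncategorized"   # assumed: URL-filtering lookup on the SNI
    dst_reputation: str = "clean"         # assumed: IP-reputation lookup on dst_ip


@dataclass
class Decision:
    chain: str
    action: str        # "intercept" (decrypt, inspect, re-encrypt) or "bypass"
    services: list
    reason: str


# The three chains drawn on slide 20; which flows land where is the (assumed) policy below.
SERVICE_CHAINS = {
    "HTTPS":   ("intercept", ["Web Gateway", "DLP/ICAP", "IDS/TAP", "IPS/NGFW"]),
    "Other":   ("intercept", ["IDS/TAP", "IPS/NGFW"]),
    "Finance": ("bypass",    ["IPS/NGFW"]),
}
BYPASS_CATEGORIES = {"finance", "banking", "healthcare"}   # assumed privacy-sensitive categories
BYPASS_SNI_SUFFIXES = (".bank.example",)                   # assumed explicit SNI bypass list


def _decide(chain, reason):
    action, services = SERVICE_CHAINS[chain]
    return Decision(chain, action, list(services), reason)


def classify(flow):
    sni = extract_sni(flow.client_hello)
    # Reputation is checked before any privacy bypass, so a flagged destination
    # is decrypted and inspected even if it would otherwise qualify for Finance.
    if flow.dst_reputation == "malicious":
        return _decide("HTTPS", f"destination {flow.dst_ip} flagged by IP reputation")
    if flow.url_category in BYPASS_CATEGORIES or (sni and sni.endswith(BYPASS_SNI_SUFFIXES)):
        return _decide("Finance", f"privacy bypass for {sni or flow.dst_ip} ({flow.url_category})")
    if flow.dst_port == 443 and sni is not None:
        return _decide("HTTPS", f"HTTPS to {sni}")
    # SNI-less TLS or a non-web port (SMTPS, IMAPS, ...): the HTTP-only services
    # (web gateway, ICAP) cannot consume it, so only IDS and IPS are chained.
    return _decide("Other", f"non-HTTP or SNI-less TLS to {flow.dst_ip}:{flow.dst_port}")
```

Usage: `classify(Flow("10.1.2.3", "203.0.113.20", 443, build_client_hello("online.bank.example")))` returns the Finance bypass, while the same flow with `dst_reputation="malicious"` is pushed through the full HTTPS chain; a ClientHello to port 993 without SNI lands in the Other chain. The ordering of the rules is the security-relevant part: a bypass list evaluated before reputation would let a compromised "finance" host ride the privacy exemption.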
  23. Dynamic scaling: a full proxy architecture provides robust load balancing, health monitoring and independent scaling of any number of security devices at each position in a chain (several IPS/NGFW units can sit behind one chain position, for example).
  24. Dynamic evaluation: new services and service chains can be introduced and evaluated with test traffic before altering production designs. On the slide, DLP/ICAP is the service under evaluation: the production HTTPS chain runs Decryption [Intercept] → Web Gateway → IDS/TAP → IPS/NGFW → Re-encryption, while the test-traffic chain runs Decryption [Intercept] → Web Gateway → DLP/ICAP → IDS/TAP → IPS/NGFW → Re-encryption alongside it.
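The dynamic scaling of slide 23, as an added illustration that is not F5's implementation: each chain position is a pool of devices that is health-monitored and load-balanced on its own, and a per-service fail-open/fail-closed choice takes the place of the daisy-chain's "bypass on failure" hardware from slide 12. Pool sizes, device names, the probe callable standing in for a real health monitor, and the fail policies (passive IDS/TAP and DLP/ICAP fail open, inline IPS/NGFW and the web gateway fail closed) are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    healthy: bool = True


@dataclass
class ServicePool:
    """One security service (one position in a chain) scaled across N devices.
    fail_open=True: if no member is healthy, skip the service and keep forwarding
    (sensible for a passive IDS/TAP). fail_open=False: drop the flow instead
    (sensible for an inline enforcement point such as IPS/NGFW)."""
    service: str
    members: list
    fail_open: bool = False
    _next: int = 0

    def pick(self):
        """Round-robin over healthy members only; None when none is healthy."""
        up = [m for m in self.members if m.healthy]
        if not up:
            return None
        dev = up[self._next % len(up)]
        self._next += 1
        return dev

    def add(self, name):
        """Scale the service out while traffic flows; the chain itself is unchanged."""
        self.members.append(Device(name))


def monitor(pool, probe):
    """Refresh member health from a probe callable (a constructed stand-in for a
    TCP/HTTP/ICMP health monitor). Returns the number of healthy members."""
    for m in pool.members:
        m.healthy = bool(probe(m))
    return sum(1 for m in pool.members if m.healthy)


def route(chain):
    """Push one decrypted flow through a chain of pools. Returns (forwarded, hops);
    each hop is 'service=device', 'service=SKIPPED' or 'service=DROPPED'."""
    hops = []
    for pool in chain:
        dev = pool.pick()
        if dev is not None:
            hops.append(f"{pool.service}={dev.name}")
        elif pool.fail_open:
            hops.append(f"{pool.service}=SKIPPED")
        else:
            hops.append(f"{pool.service}=DROPPED")
            return False, hops
    return True, hops


def build_https_chain():
    """The HTTPS chain of slide 20 with scaled-out IDS and IPS pools (sizes assumed)."""
    return [
        ServicePool("Web Gateway", [Device("wg-1")]),
        ServicePool("DLP/ICAP", [Device("icap-1")], fail_open=True),
        ServicePool("IDS/TAP", [Device("ids-1"), Device("ids-2")], fail_open=True),
        ServicePool("IPS/NGFW", [Device("ips-1"), Device("ips-2"), Device("ips-3")]),
    ]


if __name__ == "__main__":
    chain = build_https_chain()
    for _ in range(3):
        print(route(chain))                            # IPS rotates ips-1, ips-2, ips-3
    monitor(chain[3], lambda d: d.name != "ips-2")     # ips-2 fails its health check
    print(route(chain))                                # ips-2 is no longer chosen
    monitor(chain[3], lambda d: False)                 # whole IPS pool down: fail closed
    print(route(chain))                                # (False, [..., 'IPS/NGFW=DROPPED'])
```

The fail policy is the decision to get right before scaling anything: a passive TAP that is down costs visibility, but an inline IPS that is down and silently skipped turns the orchestrator into the very bypass that slide 12 lists as a weakness of daisy-chaining.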