
SSL traffic visibility in the network – integrating F5 with a Next Generation FW
Mariusz Sawczuk - Specialist SE North & East EMEA


Post on 12-Nov-2018


What we know about SSL/TLS

[Chart: Encrypted Web Traffic, 2016 (50%) vs 2019 (75%)]

Source: “TLS/SSL: Where Are We Today?”, NSS Labs, October 2016

• According to an October 2016 NSS Labs survey, enterprises today see 40% – 50% of all web traffic as encrypted

• NSS Labs forecasts that number to increase to 75% by 2019

• In a June 2016 NSS Labs research study, 97% of surveyed enterprises reported seeing an increase in encrypted web traffic

Encrypted Traffic Is Increasing Rapidly


What we know about SSL/TLS

[Slide: drivers of encryption growth: events (Snowden, Manning/Assange), accessibility, vulnerabilities, initiatives]

All malware will begin to cross encrypted channels by 2017 as cyber criminals grow more sophisticated and evasive in their attacks.


What we know about SSL/TLS

SSL is a Significant Performance Hit on Security

[Chart: SSL performance impact on Next-Gen IPS and Next-Gen Firewall (figures shown: 100%, 79%, 75%); Sandbox/Anti-Malware: no SSL support]

• Additional performance loss when multiple security devices each decrypt, inspect and re-encrypt

• But it’s not just performance: latest cipher support is often missing from security devices

Security architectures are not built for SSL encryption. Not handling SSL traffic creates blind spots, and enabling SSL on next-gen security products impacts their performance, sometimes by over 80%!


What we know about SSL/TLS

[Diagram: Client → IPS, DLP, Web Gateway, Anti-Malware, NGFW → Internet]

“Our FireEye has gone from effective to irrelevant because of its blindness to SSL traffic.”

“We have significant challenges with the growth in encrypted connections we’re seeing lately.”

“We field over 12 different security services, and we struggle with using all of them effectively.”


F5 SSL Intercept Solution

[Diagram: Client → BIG-IP (SSLi/o) Orchestrator → Internet. The BIG-IP decrypts, steers the cleartext through IPS, DLP, Web Gateway, Anti-Malware and NGFW, then re-encrypts. Service attachment modes: L2 mode, L3 mode, ICAP; 1-armed or 2-armed]


F5 SSL Intercept Solution: Topologies

Single-box deployment

[Diagram: Clients → BIG-IP Ingress → Inspection Zone (Inline L3 Services, Inline L2 Services, DLP/ICAP Services, Receive Only Services, each with In/Out) → Out]

• Simplified Configuration

• Robust service chaining

• Internal signaling

Two-box deployment

[Diagram: Clients → BIG-IP Ingress → Inspection Zone (Inline L3 Services, Inline L2 Services, DLP/ICAP Services, Receive Only Services) → Cleartext Zone (L3 Services, Additional Security Services) → BIG-IP Egress → Out]

• Robust service chaining

• Recapitalize throughput

• Policy-driven separation

• Internal and external signaling


F5 SSL Intercept Solution: Dynamic Service Chaining

[Diagram: traffic classes (HTTP/HTTPS, Everything else, Banks, Healthcare) mapped to service chains or to SSL Bypass]

• Virtual grouping of security devices

• Policy match defines which chain handles selected traffic

• Device can be reused in multiple chains

• Topology independent
  ▪ Not tied to an interface, port or VLAN

• Allows efficient use of security devices

• Allows load balancing pools

• Allows simple service insertion


F5 SSL Intercept Solution: Dynamic Service Chaining

[Diagram: workflow in three steps]

Create Services: Inline Layer 2, ICAP, Inline Layer 3, Receive Only

Create Service Chains: ordered combinations of those services (for example chains built from Inline Layer 3, Inline Layer 2, Receive Only and DLP ICAP in different orders)

Select Service Chain: the Traffic Classifier Engine matches each packet on Source Addr., Dest. Addr., IP Geo, Domain Name, IPI Cat., URL Cat., Dest. Port and Protocol, and steers it into the selected chain

F5 SSL Intercept Solution: Creating Services (screenshot)

F5 SSL Intercept Solution: Creating Service Chains (screenshot)

F5 SSL Intercept Solution: Selecting Service Chain (screenshots)

F5 SSL Intercept Solution: Bypassing Service Chains (screenshot)

Demo: F5 SSLi with CheckPoint & PAN

[Diagram: Client on INSIDE 10.1.20.0/24 (.3, .100) → BIG-IP (SSLi/o) → OUTSIDE 10.1.10.0/24 → Internet. Inspection-zone networks 198.19.0.0/25 (.1-2, .3, .2) and 198.19.0.128/25 (.61, .161, .244-5) attach CheckPoint SG (L3) and PaloAlto (L2), with L2_INGRESS / L2_EGRESS for the L2 service]

Demo policy cases (same topology):

• https://youtube.com, URL cat: Social Web, Send to: CheckPoint

• https://secure.eicar.org, URL cat: Computer Security, Send to: PaloAlto

• https://www.eximb.com, URL cat: Finance, Send to: Bypass SSL decrypt

• Other SSL traffic, Send to: All
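The policy logic behind the demo cases and the service-chain selection described earlier, as an added, constructed model (not F5 code or configuration): a first-match rule list that maps a flow's URL category, destination port and protocol to a service chain or to a decrypt bypass. The URL-category lookup, chain names and rule names are assumptions standing in for the classifier's category database and the real configuration.

```python
"""Constructed model of SSL Orchestrator-style policy matching (not F5 code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the classifier's URL category database.
URL_CATEGORY = {
    "youtube.com": "Social Web",
    "secure.eicar.org": "Computer Security",
    "www.eximb.com": "Finance",
}

# Service chains from the demo: each is an ordered list of inspection devices.
CHAINS = {
    "chain_checkpoint": ["CheckPoint SG (L3)"],
    "chain_paloalto": ["PaloAlto (L2)"],
    "chain_all": ["CheckPoint SG (L3)", "PaloAlto (L2)"],
}

@dataclass
class Rule:
    """One policy rule; the first rule whose conditions all match wins."""
    name: str
    chain: Optional[str]            # None means: bypass SSL decryption
    url_cat: Optional[str] = None
    dest_port: Optional[int] = None
    protocol: Optional[str] = None

# Constructed rule set reproducing the demo policy, most specific first.
# Bypass rules for regulated categories must precede the catch-all rule,
# otherwise banking/healthcare sessions would be decrypted by "Send to: All".
POLICY = [
    Rule("finance_bypass", None, url_cat="Finance"),
    Rule("healthcare_bypass", None, url_cat="Healthcare"),
    Rule("social_to_checkpoint", "chain_checkpoint", url_cat="Social Web"),
    Rule("security_to_paloalto", "chain_paloalto", url_cat="Computer Security"),
    Rule("other_ssl_to_all", "chain_all", dest_port=443, protocol="tcp"),
]

def classify(domain: str, dest_port: int = 443, protocol: str = "tcp"):
    """Return (matched rule name, decrypt?, device list) for one flow."""
    cat = URL_CATEGORY.get(domain)          # unknown domains have no category
    for r in POLICY:
        if r.url_cat is not None and r.url_cat != cat:
            continue
        if r.dest_port is not None and r.dest_port != dest_port:
            continue
        if r.protocol is not None and r.protocol != protocol:
            continue
        devices = CHAINS[r.chain] if r.chain else []
        return r.name, r.chain is not None, devices
    return "no_match", False, []            # no rule: passed through uninspected
```

Note that the "no_match" outcome is itself a blind spot worth alerting on: any flow that reaches it is neither decrypted nor steered to a device.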


THANK YOU
