Visibility and management of outbound SSL traffic using F5 solutions, Part 2

F5 offers a complete solution for managing TLS/SSL encrypted traffic (so-called Encrypted Traffic Management (ETM), covering traffic to publicly available and exposed web services (inbound) and outbound traffic generated by internal users in the organization’s network.

Internal users represent the greatest risk, especially when responding to unverified emails or accessing the Internet. Targeted phishing attacks can lead a user to accidentally enable malware access to the network via a SSL connection. There are numerous solutions capable of detecting malware which are have been proved ineffective when dealing with transparent decryption of SSL connections or system scaling.

Added problem is the security architecture which starts with a firewall in most environments, but includes a number of other inspection tools used for checking content entering the organization. In order to tackle specific security challenges, security administrators have to link various solutions into a single chain. Typical security architecture can include components such as Data Loss Prevention Scanners, Web Application Firewalls, IPS Devices, Anti-Malware Devices, etc.

Insight into outbound SSL traffic

However, as previously mentioned, the main problem is that most of these devices have no insight into encrypted traffic. Even if some devices have SSL intercept capabilities, the problem lies with significant growth of encrypted web traffic, as well as increasing complexity of cryptographic algorithms, which causes rapid exhaustion of hardware resources offered by these solutions.

How does F5 solve this problem?

This deployment method is often referred to as SSL Intercept or SSL Air-Gap, and is used to provide such devices with insight into SSL traffic. The solution usually consists of multiple F5 devices positioned on separate parts of the security chain. The F5 device closest to users decrypts outbound traffic and sends decrypted traffic to the next device in the chain. After analyzing traffic throughout the entire chain, processed data is than sent to the next F5 device that encrypts traffic before finally sending it from the data center to the Internet. Likewise, only one F5 device can be used for the same functionality.

How to inspect outbound SSL traffic using F5 technology?

F5 products are based on a full-proxy architecture enabling them to create a decrypted, clear-text zone between the client and a web server/Internet, providing analysis and insight into SSL/TLS traffic. F5 technology offers insight into outbound SSL traffic using two methods:

  • F5 Herculon SSL Orchestrator
  • F5 LTM + SSL Forward Proxy license

Oba rješenja pružaju iste funkcionalnosti, uz razliku da je Herculon posebna F5 platforma, dok u drugom slučaju uz LTM produkt, potrebno je imati i SSL Forward Proxy licencu te iskoristiti iApp predložak kako bi se dobile funkcionalnosti kao u prvoj opciji. Ovdje je potrebno istaknuti da je drugu opciju potrebno ostvariti na BIG-IP iSeries platformama uz to da verzija softvera mora biti minimalno TMOS v12.1.

Both solutions provide the same functionality, with the difference being that Herculon is a proprietary F5 platform, while the LTM product requires having an SSL Forward Proxy license and using the iApp template to achieve the same functionality provided by the first option. We should note that the second option is required on BIG-IP iSeries platforms, using at least TMOS v12.1 or later.

F5 Herculon SSL Orchestrator

F5 SSL Orchestrator decrypts and encrypts high performance traffic, ensuring traffic analysis for the purpose of detecting and eliminating potential threats. Using the F5 URL filtering base and F5 capabilities in the SSL communications segment, SSL Orchestrator ensures that the selected traffic can be decrypted, analyzed by third-party devices, and then encrypted while gaining advanced insight into all potential threats entering the network.

F5 Herculon SSL Orchestrator has the option of dynamically linking various services which enables simple and intelligent traffic orchestration and access policy management. Traffic decrypted by F5 devices in a clear-text zone is delivered to various security solutions that can detect advanced threats and malicious programs – ransomware – entering the system, as well as during the C&C stage. Traffic inspection information are sent to the F5 Herculon SSL Orchestrator which applies certain access rules and prevents hidden threats. F5 SSL Orchestrator supports integration with various systems such as IDS/IPS, anti-virus/malware systems, DLP, and Next-Gen Firewalls. It is also possible to use different implementation methods such as TAP, ICAP, L2, and L3 connectivity. All this creates an extremely flexible system, while protecting investments in existing solutions.

F5 Herculon SSL Orchestrator establishes two separate SSL connections: one to the client and the other to the web server. When the client initiates a HTTPS connection to the web server, F5 Herculon SSL Orchestrator intercepts and decrypts the connection. Decrypted traffic is then sent to the next security device in the chain for further analysis, after which it is re-encrypted and forwarded to the web server. Response by the web server is also intercepted, checked and then forwarded to the client.

F5 Herculon SSL Orchestrator has the ability of using different security device chains based on a specific context, such as the following:

  • Source IP address/network or destination IP address/network
  • IP geolocation information
  • URL filtering category based on name and type of service
  • Destination port/protocol.

Of course, specific regulations and organization’s privacy protection policies preclude the analysis of all SSL traffic generated by users, especially various online banking services. F5 offers several methods for defining a list of web applications whose SSL traffic must not be decrypted:

  • Using F5 URL Categorization
  • Manually defining web applications whose traffic must not be decrypted nor sent for further analysis

F5 products offering this feature include Herculon i10800, i5800 and i2800 SSL Orchestrator devices. It is also possible to use other F5 devices with appropriate LTM and SSL Forward Proxy licenses, provided that they use at least TMOS v13 software or later.

SSL Orchestrator provides a central point for decrypting SSL traffic and insight into SSL traffic using a variety of security devices. This creates a highly efficient and consolidated system consisting of multiple devices operating as a single scalable platform. SSL Orchestrator increases the operational efficiency of existing security devices and raises the overall security level of the organization, applications and users.

Feel free to contact us for more information, advice or to schedule a demonstration.


Share on LinkedInShare on FacebookShare on Google+Tweet about this on Twitter
Need a quote or help in designing the solution that best fits your needs? Wondering what partner to choose for implementation?
Contact us!