Presentation Title Placeholder · SSL Orchestrator overview (slide transcript)
Topologies and general functions

Single-box deployment
[Diagram: Clients -> BIG-IP Ingress -> Inspection Zone (In/Out through Inline L3 Services, Inline L2 Services, DLP/ICAP Services, Receive Only Services) -> Out]
• Simplified Configuration
• Robust service chaining
• Internal signaling
Two-box deployment
[Diagram: Clients -> BIG-IP Ingress -> Inspection Zone (Inline L3 Services, Inline L2 Services, DLP/ICAP Services, Receive Only Services) -> Cleartext Zone (L3 Services, Additional Security Services) -> BIG-IP Egress -> Out]
• Robust service chaining
• Recapitalize throughput
• Policy-driven separation
• Internal and external signaling
Legend: Transparent ingress proxy / Explicit ingress proxy / Signaling
SSL Orchestrator overview
[Diagram repeated from the two-box deployment; successive build slides add the labels below]
• Device-Agnostic Design
• Scalable Services Architecture
• Service Chaining: chainX, chainY, bypass, reject
• Classification Engine: Source IP, Destination IP, IP geolocation, Host and domain name, IP intelligence category, URL filtering category, Destination port, Protocol
• Ingress modes: Transparent Proxy, Explicit Proxy
• Example traffic classifications: SSL Bypass (Banks, Healthcare), HTTP/HTTPS, Everything else
What it supports (examples)
• Inline layer 2 security devices
• Inline layer 3 security devices
• Receive-only (passive) security devices
• DLP (via ICAP) security devices
• Security service chaining
Create services: Inline Layer 2, Inline Layer 3, Receive Only, DLP ICAP
Chain services (example chains):
• Inline Layer 3 -> Inline Layer 2 -> Receive Only -> DLP ICAP
• Inline Layer 3 -> Inline Layer 2 -> Receive Only
• Inline Layer 3 -> DLP ICAP -> Receive Only
Select services: the Traffic Classifier Engine matches each flow on Source Addr, Dest Addr, IP Geo, Host Name, IPI Cat, URLF Cat, Dest Port and Proto, and steers it into a packet chain
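The classifier-to-chain step on this slide (match a flow on its attributes, then send it to chainX, chainY, bypass or reject) is modelled below as an added example. It is not F5 code: the attribute names, the first-match rule syntax, the sample policy and the service lists attached to chainX and chainY are all assumptions made for illustration.

```python
"""Policy-driven traffic classification and service-chain selection (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str                 # "tcp" or "udp"
    host: str = ""                # SNI or HTTP Host, if the flow carries one
    geo: str = ""                 # destination IP geolocation (country code)
    url_category: str = ""        # URL-filtering category, if known
    ipi_category: str = ""        # IP-intelligence category, if known


def _in_nets(ip: str, nets: Tuple[str, ...]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


@dataclass(frozen=True)
class Rule:
    """One policy rule; an empty tuple means 'any' for that attribute."""
    name: str
    action: str                   # "chainX", "chainY", "bypass" or "reject"
    src_nets: Tuple[str, ...] = ()
    dst_nets: Tuple[str, ...] = ()
    dst_ports: Tuple[int, ...] = ()
    protocols: Tuple[str, ...] = ()
    host_suffixes: Tuple[str, ...] = ()
    geos: Tuple[str, ...] = ()
    url_categories: Tuple[str, ...] = ()
    ipi_categories: Tuple[str, ...] = ()

    def matches(self, f: Flow) -> bool:
        if self.src_nets and not _in_nets(f.src_ip, self.src_nets):
            return False
        if self.dst_nets and not _in_nets(f.dst_ip, self.dst_nets):
            return False
        if self.dst_ports and f.dst_port not in self.dst_ports:
            return False
        if self.protocols and f.protocol not in self.protocols:
            return False
        if self.host_suffixes and not any(
                f.host == s or f.host.endswith("." + s) for s in self.host_suffixes):
            return False
        if self.geos and f.geo not in self.geos:
            return False
        if self.url_categories and f.url_category not in self.url_categories:
            return False
        if self.ipi_categories and f.ipi_category not in self.ipi_categories:
            return False
        return True


# Assumed chain definitions: the ordered services a decrypted flow traverses.
SERVICE_CHAINS = {
    "chainX": ("inline-l3", "inline-l2", "dlp-icap", "receive-only"),
    "chainY": ("inline-l2", "receive-only"),
}

# Constructed sample policy; first matching rule wins, so the reject rule sits first.
POLICY = (
    Rule("block-known-bad", "reject", ipi_categories=("botnets", "malware")),
    Rule("privacy-bypass", "bypass", url_categories=("financial", "healthcare")),
    Rule("internal-dest", "bypass", dst_nets=("10.0.0.0/8",)),
    Rule("https-full-inspect", "chainX", dst_ports=(443,), protocols=("tcp",)),
    Rule("http-light-inspect", "chainY", dst_ports=(80,), protocols=("tcp",)),
)
DEFAULT_ACTION = "chainY"         # "everything else"


def classify(flow: Flow, policy=POLICY) -> Tuple[str, str]:
    """Return (action, rule name) for the first rule that matches the flow."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


def plan(flow: Flow, policy=POLICY) -> dict:
    """Expand the classification into the concrete decision and service list."""
    action, rule = classify(flow, policy)
    if action in SERVICE_CHAINS:
        return {"rule": rule, "decision": "inspect", "chain": action,
                "services": list(SERVICE_CHAINS[action])}
    return {"rule": rule, "decision": action, "chain": None, "services": []}


if __name__ == "__main__":
    f = Flow("10.1.1.5", "198.51.100.7", 443, "tcp", host="cdn.example")
    print(plan(f))
```

Rule order is the policy: the reject rule is evaluated before the bypass rules so that a known-bad destination is never exempted from inspection just because it also carries a "financial" category.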
SSL Orchestrator technical overview
[Diagram: Clients -> SSLO Ingress (Transparent Proxy / Explicit Proxy) -> Inspection Zone (Inline L3 Services, Inline L2 Services, Receive Only Services, DLP/ICAP Services) -> Cleartext Zone (L3 Services, Additional Services) -> SSLO Egress (optional) -> Out. Example traffic classifications: SSL Bypass (Banks / Healthcare), HTTP/HTTPS, Other supported protocols]
How SSL Forward Proxy works: initial connection
[Diagram (SSLFWD): client connection parked; server cert validation; server cert forged and cached; decrypted data passed to the inspection zone. Technical-overview diagram repeated.]
How SSL Forward Proxy works: subsequent connections
[Diagram (SSLFWD): forged cert exists; decrypted data. Technical-overview diagram repeated.]
How SSL Forward Proxy works in an SSL visibility solution
[Diagram: SSLFWD Ingress (parked; server cert validation; server cert forged and cached; detach from TLS flow) -> decrypted data with signaling through the Security Services -> SSLFWD Egress (SNI re-injection). Technical-overview diagram repeated.]
How traffic flows through SSL Orchestrator
[Diagram: Client -> F5 SSLO Ingress (Decrypt) -> Inline Security Services (steps 1-4), with Clone pools feeding the Passive Security Service and DLP ICAP -> F5 SSLO Egress (Re-encrypt, steps 5-6) -> Remote Servers; LB Monitor on the service pools]
SSLFWD server side TLS handshakes and SSL bypass*
[Technical-overview diagram repeated]
Signaling: SNI injection
How does the client’s SNI get to the other side?
In a single-box SSLO configuration...
• TCP packets are tracked by source+destination:address+port in table memory.
• The signal contains SNI, destination port and other data.
[Diagram: SSLFWD Ingress (parked; server cert validation; server cert forged and cached; detach from TLS flow) -> decrypted data with signaling -> SSLFWD Egress (SNI re-injection); Signal. Technical-overview diagram repeated.]
In a two-box SSLO configuration...
• TCP packets are tracked by source+destination:address+port in table memory on the ingress box.
• A separate out-of-band TCP HSL bi-directional signal is used to carry the signal from ingress to egress.
[Signaling diagram repeated]
What doesn’t work
• HTTP headers
• TCP::options injection
• QoS bit injection
• Raw leading packet injection
• Out-of-band UDP HSL
[Signaling diagram repeated]
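The signaling mechanism described across the single-box and two-box slides (track the flow by source+destination address+port, carry the SNI and destination port in a signal, re-inject the SNI on the egress side) is modelled below as an added example. It is not F5 code: the `Ingress`/`Egress` classes, the JSON-line signal format standing in for the out-of-band TCP HSL channel, and the minimal ClientHello builder are assumptions made for illustration; the SNI parser follows the TLS ClientHello layout.

```python
"""Out-of-band SNI signaling between an SSLFWD ingress and egress (added example)."""
import json
import struct
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


def build_client_hello(sni: Optional[str]) -> bytes:
    """Minimal TLS 1.2 ClientHello record; adds an SNI extension when sni is set."""
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"      # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00")                             # one compression method (null)
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name            # host_name entry
        ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                    # not a TLS handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                    # not a ClientHello
    try:
        p = 4 + 2 + 32                                 # handshake header, version, random
        p += 1 + hs[p]                                 # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher suites
        p += 1 + hs[p]                                 # compression methods
        if p + 2 > len(hs):
            return None                                # no extensions block at all
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                             # server_name extension
                q = p + 2                              # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype, nlen = hs[q], struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:                     # host_name
                        return hs[q:q + nlen].decode("ascii", "replace")
                    q += nlen
            p += elen
    except (IndexError, struct.error):
        return None                                    # truncated or malformed hello
    return None


class Ingress:
    """Client-facing SSLFWD side: records flow state and emits the signal."""
    def __init__(self, table: Optional[Dict[FlowKey, dict]] = None):
        self.table = {} if table is None else table    # "table memory", keyed by 4-tuple

    def on_client_hello(self, key: FlowKey, record: bytes) -> bytes:
        signal = {"key": list(key), "sni": extract_sni(record), "dst_port": key[3]}
        self.table[key] = signal
        # Two-box: the signal is serialised for the separate out-of-band TCP channel.
        return (json.dumps(signal) + "\n").encode()


class Egress:
    """Server-facing SSLFWD side: re-injects the signalled SNI toward the real server."""
    def __init__(self, table: Optional[Dict[FlowKey, dict]] = None):
        self.table = {} if table is None else table

    def on_signal(self, wire: bytes) -> None:
        for line in wire.decode().splitlines():
            s = json.loads(line)
            self.table[tuple(s["key"])] = s

    def server_side_client_hello(self, key: FlowKey) -> bytes:
        s = self.table.get(key)
        return build_client_hello(s["sni"] if s else None)


def single_box_roundtrip(key: FlowKey, client_hello: bytes) -> Optional[str]:
    """Internal signaling: ingress and egress share one table, no wire message."""
    shared: Dict[FlowKey, dict] = {}
    ingress, egress = Ingress(shared), Egress(shared)
    ingress.on_client_hello(key, client_hello)
    return extract_sni(egress.server_side_client_hello(key))


def two_box_roundtrip(key: FlowKey, client_hello: bytes) -> Optional[str]:
    """External signaling: the signal crosses a separate channel to the egress box."""
    ingress, egress = Ingress(), Egress()
    egress.on_signal(ingress.on_client_hello(key, client_hello))
    return extract_sni(egress.server_side_client_hello(key))


if __name__ == "__main__":
    k = ("10.1.1.5", 51234, "203.0.113.10", 443)      # constructed flow key
    print(two_box_roundtrip(k, build_client_hello("www.example.com")))
```

The flow key is the same 4-tuple on both sides, which is what lets the egress box pair a decrypted flow arriving from the inspection zone with the signal it received out of band; a flow with no signal entry, or a ClientHello without SNI, produces a server-side handshake with no SNI extension rather than a failure.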