SSL Visibility: The Ultimate Inline Inspection Architecture

Captions
Hello, I'm David Holmes from F5 Networks. I'm here to talk about SSL visibility. I think it's probably the number one issue I see with customers around the world today; it has been for a little bit, but other parts of the world are just getting around to solving it. So imagine the situation we're trying to solve here. All right, here's a user, a happy web browsing user, coming in to read web pages at your servers, maybe your applications, right? So you're serving up applications, maybe it's banking or retail; it doesn't necessarily matter what it is. All right, perhaps they're connecting to a SharePoint. The problem is, right, they send malware into the system, or perhaps they're trying to hack the system. So there are all these really sophisticated tools, and I'm gonna draw them each here as kind of a pair, that look for malware and hacking. So let's isolate three of the common ones you might see: a next-generation firewall, right, Palo Alto is the poster boy for that; IDS/IPS, Sourcefire might be the poster boy for that one; and then a sandbox, all right, you might be thinking FireEye for those. Okay, all fantastic tools, they're great at what they do, not good at decryption. And even if they were good at decryption there is a problem, which I'll talk about in a moment. But the larger issue is, I checked earlier this summer, 61% of all page requests are now encrypted, and almost everywhere I go nobody has these devices doing decryption, because, as I said, they're not very good at it and everyone's got other stuff to do. So how do you fix this problem?

So you can make an inspection zone out of a couple of F5s on either side. Now, you might already have an F5; typically you might be here, right, load-balancing to your applications and doing all of its intelligent traffic steering, but it's also super good at decryption; we've been doing that since forever. So how about when the user comes in here we decrypt his traffic, and now we're gonna send the decrypted traffic through all these devices, next-generation firewall, the IDS/IPS, sandbox, to the other F5 device, which will then re-encrypt it as it load balances out here. All right, so now it's re-encrypted. Now this creates an obvious kind of red zone where everything's decrypted in here, which is one of the things I want to talk to people about: this area, which might be your DMZ, needs to be as secure as possible. If you're going to do this sort of decrypted red zone, it needs to be as secure as possible. You have to have really tight security controls around who can access these, which ideally you would have anyway, but you need to double check; maybe it's a different subnet. But all of this is in line, right, and if you were trying to do this out of band, or in a passive monitoring way, you would see our other reference architecture, which we also have a lightboard video for. But if you're doing this all in line, this is what you're trying to build, something like this.

Now there are some nuances around each of these devices that I wanted to talk about specifically, so let's go through them. So with the next-generation firewalls, people typically think, hey, my firewalls are on the other side of wherever my private keys aren't, right? For example, you might think of your private keys being out here at the security perimeter, and that's what you would typically have: that device on the other side. But the next-generation firewall contains so many other cool notifications, and it keeps track of which users are doing what, that it really does need, these days, to be able to see all the decrypted traffic. So you can solve that particular part of the problem by having what we call a network HSM, which is basically like a secure keysmith back here, and so the keys don't live there anymore, they live over here. So we can still decrypt the traffic but keep the keys behind the next-generation firewall and pass the traffic through the next-generation firewall. Now you would think, hey, can I just treat these as a pool, can I just load balance to these things, right? So then I wouldn't necessarily have to have redundant high availability pairs. And as a load balancer vendor we would of course love for you to do that, because we love to load balance stuff, and if one went down we'd just send traffic to the other one and everything would be great. But in my experience most people don't want to do that; they want to keep these as a high availability pair, probably for reporting and like 50 other reasons that aren't necessarily related to just simple load balancing or traffic management, so I totally get it. Now that particular setup can be a tad complicated. The most common fix, and I almost hesitate to say this, is many people put a switch in between these two devices, and that actually solves a lot of weird failover problems: failover is much faster, sub-second; if one of these goes down the other one can pick up and everything is still decrypted and moving through. I know that sounds like kind of a low-tech solution, but I'm just telling you real-world stuff here.

All right, so let me talk about the sandboxing next. Again, we would love to just load balance to these things, to the load balancer, because I think the sandbox is perhaps the most complicated of all of the devices. All right, think about it: it's a hypervisor running like 50 different guest operating systems, and not only that, it's exploding malware inside every operating system. So I would say perhaps not the most brittle, but the most complicated, the most perhaps likely to suffer some kind of failure that it may take a while to recover from. So we would like to be able to load balance to those, and I highly recommend, if you can do that, do that. So we could simply treat these as a pool, and if that one went down we'd send traffic to the other one, and then if they both went down we have something called priority activation VLAN hairpin failover, which is like five or six words, Google that, such that if it did go down we'd just wrap traffic around it until the time period where they come back up, right? So if they're just rebooting really quickly, traffic keeps flowing. Now you might say, hey David, that's not cool, you're making it fail open again; security devices should fail closed. Totally get it, totally get that. The issue is, when everything's in line like this, if one of these devices goes down it could cause, say, DNS to stop working. DNS stops working, everything stops working, email stops working, all your executives are like, why can't I get on the internet, I want someone's head on a plate in front of me. This would stop your head from appearing on a plate. Now ideally in the future these things will have a great mean time between failures and we wouldn't have to do this, and that's completely fine. You could even set it up and monitor it every month and say, you know what, last month we had zero failures, take out the hairpin; that's great.

So the last thing I wanted to talk about is a specific case with the IDS/IPS and Sourcefire. So if you remember, Sourcefire were the darling, and perhaps still are, of the IDS/IPS world. We had considered them one of the best and we were actually gonna buy them back in the day, so we were like dating for a while, F5 and Sourcefire, and while we were dating we were trying to figure out how do we make our devices work better together. And of course we do all the decryption in front of them so that they don't have to chew up cycles on decrypting things and they can spend all their time looking for malware and all the things that IDSs do. Here's the part that we made cool: the IDS/IPS, if it sees something it doesn't like, let's say this is me, this is David, and I'm just trying to send some malware and printer patches through to the network, it can say, you know what, I don't like the traffic David is sending, and it could signal over to the F5 and say, hey, block David for the next ten minutes. And so we would just block David at layer three, so we don't even decrypt David's traffic anymore for like the next ten minutes, or the next hour, or whatever. Now this used to just be a virtual server listening on the inside for a POST coming from here, but this can now be a REST API, and that's actually super cool if you think about it: a security inspection device in the zone could signal to the perimeter to tell it to temporarily program the perimeter to respond to different threats. That's actually hugely powerful if you think about it, and in some way I think that's how all of this stuff should work. In a passive system that is kind of how that works, but in an in-line system almost nobody does this, and I would really like to see more of this happen.

Now I promised that I would talk about why we can't just have each of these devices, you know, have a copy of the key and then decrypt. I know it looks like a gun, I'm terrible at drawing a key, right? Why can't we just do that? Besides the fact that it is slow and you might have to pay more, well, there's this: the new version of TLS, TLS 1.3, is coming out and it contains only forward secret ciphers. So a forward secret cipher is a cipher that guarantees that only the two endpoints in an encrypted conversation can decrypt the traffic. So in that case it might be David and the application, right? Nobody else who has a copy of this key can see the traffic, so that includes this, this, this; that would include the F5 at that point too, right, only the application server. Now the browser people love this, because they think they're making the world like a safer place by delivering malware all the way to your application servers. Fine, whatever. In the real world, what everyone's going to do is you're just going to decrypt it as usual (I'm sorry, I forgot we can't erase), you're just going to decrypt it as usual here at the F5, using TLS with forward secrecy, or perfect forward secrecy as they call it sometimes, and then we'll turn around and just send that decrypted traffic through back to the other F5 on the other side of the perimeter, or your zone, and then we can re-encrypt with PFS if you want, right? I don't necessarily know that I would; I might just go RSA here. We have many customers who just go clear text all the way back because they've done the work they need to do to secure here, right? So I said when TLS 1.3 does come out, more and more people are gonna have to adopt this kind of solution. So I'm trying to go around and socialize the idea: hey, you could provide inspection for all of these kinds of really sophisticated inspection devices without necessarily changing the architecture of your network and be able to support forward secrecy in TLS 1.3, but also get back closer to 100 percent visibility on all of the traffic that you have. All right, thanks for watching.
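The "block David for the next ten minutes" signal from the IDS/IPS to the perimeter, as an added example that is not F5's code and not from the video. It models the pattern the talk describes: an inspection-zone device sends a small message, the perimeter installs a layer-3 block with an expiry, and connections from that source are dropped before any TLS termination happens, so they never enter the decrypted zone. The JSON signal format, the trusted-sender allow-list, the TTL limits and all names are assumptions made for illustration; F5's actual REST API is not modelled.

```python
# Added example (not F5's code, not from the video): a time-bounded layer-3
# block list driven by a signal from an inspection-zone device. The JSON
# signal format, the sender allow-list and the limits are assumptions.
import ipaddress
import json
import time

DEFAULT_TTL = 600   # ten minutes, as in the video
MAX_TTL = 3600      # refuse to program a block longer than an hour from one signal


class PerimeterBlocklist:
    """Layer-3 block entries with expiry, consulted before TLS termination."""

    def __init__(self, trusted_signalers):
        # Only devices inside the inspection zone may program the perimeter.
        self._trusted = {ipaddress.ip_address(a) for a in trusted_signalers}
        self._entries = {}  # ip_address -> (expires_at, reason)

    def apply_signal(self, sender, raw_json, now=None):
        """Validate one signal and install/extend a block. Returns (ip, expires_at).

        Raises ValueError for an untrusted sender, malformed JSON, a bad address
        or an out-of-range TTL, so one bad message cannot poison the list.
        """
        if ipaddress.ip_address(sender) not in self._trusted:
            raise ValueError(f"signal from untrusted sender {sender}")
        try:
            msg = json.loads(raw_json)
        except json.JSONDecodeError as exc:
            raise ValueError(f"malformed signal: {exc}") from None
        if not isinstance(msg, dict) or "source" not in msg:
            raise ValueError("signal missing 'source'")
        ip = ipaddress.ip_address(msg["source"])  # rejects anything that is not an IP
        ttl = int(msg.get("ttl_seconds", DEFAULT_TTL))
        if not 1 <= ttl <= MAX_TTL:
            raise ValueError(f"ttl_seconds {ttl} outside 1..{MAX_TTL}")
        reason = str(msg.get("reason", ""))[:200]
        now = time.time() if now is None else now
        expires_at = now + ttl
        current = self._entries.get(ip)
        # A later signal may extend a block but never shortens one already in place.
        if current is None or current[0] < expires_at:
            self._entries[ip] = (expires_at, reason)
        return ip, self._entries[ip][0]

    def should_drop(self, source, now=None):
        """Perimeter decision for a new connection: True while a block is live.

        Dropped here, the connection is never decrypted or forwarded into the zone.
        """
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(source)
        entry = self._entries.get(ip)
        if entry is None:
            return False
        if entry[0] <= now:
            del self._entries[ip]  # expired: back to normal handling
            return False
        return True

    def active(self, now=None):
        """Live blocks as (ip, seconds_remaining, reason) for reporting."""
        now = time.time() if now is None else now
        return [(str(ip), int(exp - now), reason)
                for ip, (exp, reason) in sorted(self._entries.items(), key=lambda kv: str(kv[0]))
                if exp > now]


# Constructed sample signals (sender address, JSON body), not captured traffic.
SIGNALS = [
    ("10.20.0.5", '{"source": "203.0.113.77", "ttl_seconds": 600, "reason": "malware upload"}'),
    ("10.20.0.5", '{"source": "203.0.113.77", "ttl_seconds": 60, "reason": "duplicate alert"}'),
    ("10.20.0.6", '{"source": "not-an-ip", "ttl_seconds": 600}'),
    ("192.0.2.9", '{"source": "198.51.100.4", "ttl_seconds": 600}'),
    ("10.20.0.5", '{"source": "198.51.100.4", "ttl_seconds": 999999}'),
]


def demo(now=1_000_000.0):
    """Feed the sample signals in and report the perimeter's decisions over time."""
    bl = PerimeterBlocklist(trusted_signalers=["10.20.0.5", "10.20.0.6"])
    rejected = []
    for sender, raw in SIGNALS:
        try:
            bl.apply_signal(sender, raw, now=now)
        except ValueError as exc:
            rejected.append(str(exc))
    return {
        "rejected": rejected,
        "drop_now": bl.should_drop("203.0.113.77", now=now + 1),
        "drop_after_9min": bl.should_drop("203.0.113.77", now=now + 540),
        "drop_after_11min": bl.should_drop("203.0.113.77", now=now + 660),
        "never_blocked": bl.should_drop("198.51.100.4", now=now + 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three rejected signals (unparseable address, untrusted sender, TTL out of range) are the checks a perimeter needs before it lets a device in the zone reprogram it: the signal path is itself an attack surface inside the red zone the talk says must be locked down, so restrict who may send, bound how long a block can last, and keep the block at layer 3 so the decryption path never sees the traffic.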
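The forward-secrecy argument at the end of the talk, as an added example that is not F5's code and not from the video. It uses a toy finite-field Diffie-Hellman model to show the two situations the talk contrasts: in a key-transport style handshake, anyone holding a copy of the server's long-term private key recovers the session key from the wire; in a forward-secret handshake (the only kind TLS 1.3 allows) the long-term key merely authenticates a fresh per-session share, so a passive inspector with a key copy can confirm the share is genuine but cannot compute the session key. The last function shows the talk's conclusion: the inspection point gets visibility by being the TLS endpoint itself. The modulus is RFC 3526 group 14 as transcribed here (the demonstrated property does not depend on that constant), static DH stands in for RSA key exchange, a MAC under the long-term key stands in for a signature, and the key schedule is a toy; all of these are assumptions for illustration.

```python
# Added example (not F5's code, not from the video): toy DH model of why a
# copy of the server's long-term key stops helping a passive inspector once
# the handshake is forward secret. All names and constants are assumptions.
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP) modulus as transcribed here; generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
NBYTES = 256  # every group element fits in 2048 bits


def new_secret() -> int:
    """Fresh private exponent in [2, P-2]."""
    return secrets.randbelow(P - 3) + 2


def enc(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")


def kdf(shared: int, transcript: bytes) -> bytes:
    """Toy key schedule: session key = HMAC(shared secret, handshake transcript)."""
    return hmac.new(enc(shared), transcript, hashlib.sha256).digest()


def static_key_handshake(server_long_term: int, inspector_copy: int):
    """Key-transport style: the session secret is locked to the long-term key.

    Static DH stands in for RSA key exchange; in both, whoever holds the
    long-term private key (here the inspector's copy) recovers the session key.
    Returns (client_key, server_key, inspector_key).
    """
    server_pub = pow(G, server_long_term, P)
    c = new_secret()
    client_share = pow(G, c, P)
    transcript = enc(client_share) + enc(server_pub)
    client_key = kdf(pow(server_pub, c, P), transcript)
    server_key = kdf(pow(client_share, server_long_term, P), transcript)
    inspector_key = kdf(pow(client_share, inspector_copy, P), transcript)
    return client_key, server_key, inspector_key


def ephemeral_handshake(server_long_term: int, inspector_copy: int):
    """Forward-secret style: the long-term key only authenticates a one-time share.

    A MAC under the long-term key stands in for a signature.
    Returns (client_key, server_key, inspector_best_guess, tag_verified_by_inspector).
    """
    c = new_secret()
    e = new_secret()  # server's one-time exponent, discarded after the handshake
    client_share = pow(G, c, P)
    server_share = pow(G, e, P)
    tag = hmac.new(enc(server_long_term), enc(server_share), hashlib.sha256).digest()
    transcript = enc(client_share) + enc(server_share)
    client_key = kdf(pow(server_share, c, P), transcript)
    server_key = kdf(pow(client_share, e, P), transcript)
    # The inspector can confirm the server's share is authentic...
    expected = hmac.new(enc(inspector_copy), enc(server_share), hashlib.sha256).digest()
    tag_ok = hmac.compare_digest(tag, expected)
    # ...but without c or e, the best it can do with the static key is wrong.
    inspector_guess = kdf(pow(client_share, inspector_copy, P), transcript)
    return client_key, server_key, inspector_guess, tag_ok


def terminate_at_perimeter(server_long_term: int):
    """The talk's answer: the inspection point is itself the TLS endpoint, runs the
    forward-secret handshake as the server, and so holds the session key legitimately.
    Returns (client_key, proxy_key).
    """
    client_key, proxy_key, _, _ = ephemeral_handshake(server_long_term, server_long_term)
    return client_key, proxy_key


def demo() -> dict:
    """Run the three cases with one long-term key and report what each party ends up with."""
    k = new_secret()
    s_client, s_server, s_insp = static_key_handshake(k, k)
    e_client, e_server, e_guess, tag_ok = ephemeral_handshake(k, k)
    t_client, t_proxy = terminate_at_perimeter(k)
    return {
        "static: inspector with key copy recovers session key": s_client == s_server == s_insp,
        "pfs: endpoints agree": e_client == e_server,
        "pfs: inspector can verify authenticity": tag_ok,
        "pfs: inspector with key copy recovers session key": e_guess == e_client,
        "terminating proxy holds session key": t_client == t_proxy,
    }


if __name__ == "__main__":
    for claim, result in demo().items():
        print(f"{claim}: {result}")
```

Read alongside the talk: handing each inspection device "a copy of the key" is the static case, and it is exactly what forward secrecy removes; the remaining way to see the plaintext inline is to be an endpoint, which is why the architecture terminates TLS at the perimeter device and then chooses how to re-encrypt on the far side.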
Info
Channel: F5 DevCentral
Views: 12,230
Rating: 4.9444447 out of 5
Keywords: f5, devcentral, lightboard, ssl, ssl visibility, forward secrecy, pfs, tls
Id: ennae0LqK_I
Length: 11min 45sec (705 seconds)
Published: Wed Nov 15 2017