SSL Visibility: The Ultimate Passive Inspection Architecture

Captions
Hello everyone, I'm David Holmes, I'm with the F5 network, so we're gonna do a lightboard video today about SSL visibility. What we want to build is the ultimate passive inspection architecture, specifically around decryption. So I'm gonna build you a story and show you what we have built and tested for one of the world's big retailers. This is about as advanced as it gets, but I'm gonna try to simplify it for all of us.

All right, so I'll just kind of start with how we got here. Here's a user right there out on the internet, and they come into the data center, right? And so I'll draw kind of the old way everything worked. Pardon this little jag here, this will be explained in a moment. But they would come down into the data center and they'd all go out to some applications, so maybe we call it app one, app two, app three, and maybe these are even different subdomains, right? So that's app1.com, app2.com, app3.com, right? So this is how things worked in the very old days when it was just HTTP: you're going to your browser, coming in, you read a web page, it's not encrypted at all. That's how it worked in the old days.

Now at some point people started getting malware and all kinds of malicious traffic, and they thought, we need to be able to inspect that traffic. And they also needed to do analytics to see which pages are better than other pages. So what they would do is take a copy of this traffic, send it over to a switch, and there would be a tap here, let's draw a little tap, right, and then a packet broker. I'll have the arrows going the other way just for effect: packet broker. And then this would send the traffic out to, say, your intrusion detection system, your analytics, maybe it's Tealeaf analytics, and then like a packet capture. All right, but you could hang any number of devices off of here. All right, and this is your passive inspection zone, let's make it a zone, okay, cool. Now, this particular retailer we've built this for has very, very strict controls around this area here: who can get in, who can see what. But getting back to our story.

All right, so this was the state of the world for a while, and then everybody got all this, we came to understand we need to encrypt, we need to at least encrypt the traffic between the user and the data center, right? Because we can't have people's credit cards being seen, or their usernames or passwords for banks. So they would of course use SSL or TLS to encrypt everything. This has caused some issues, because right, everybody has to have a, each of these applications has to have a key associated with it. This isn't anything new. Of course all my keys are terrible, I'm sorry. But then all of this stopped working, right? Because all this traffic was encrypted, right? So this was RSA, I'm not sure where I'll put, I don't know, the RSA certificates. One property of RSA though is you can share these keys to any other devices that need to be able to decrypt the traffic and be able to look at it. So these guys would each get a copy of the key, and now they can decrypt the traffic. Traffic is encrypted all the way through here, there's no unencrypted traffic on the network, everybody's happy, everyone's able to see: the IDS, the analytics, all that stuff is working just fine, right? Okay.

Now fast-forward till about 2013. People have figured out that encrypted traffic can be recorded and saved, and then later, forward in time, if somebody gets a copy of the key they could come back and decrypt it, right? That is a property of RSA that people are trying to solve with something called forward secrecy. Forward secrecy is a solution to what happens if somebody gets a copy of my key later on, either through Heartbleed, or they send a spy, or maybe you accidentally leak keys. That happens, no shame if you accidentally do that, although try not to do that. The integrity of the data that you've been encrypting this whole time could be recovered if somebody gets the key for it in time. So they've been solving this problem with forward secrecy, which basically adds another handshake on top of RSA. So we'll write these as PFS, right, and it creates ephemeral keys such that if anybody retrieves this key they can't decrypt the traffic. Only our smiley face user and the other endpoint can decrypt the traffic, right? Everything sound cool? What's the problem?

So what's the problem? Well, if only the two endpoints can decrypt the traffic, how's the IDS supposed to work? How's the analytics supposed to work? How's the packet capture supposed to work? All of that stops working, which is perhaps an unintended side effect of forward secrecy. Now the reason this is going to become so topical is there's a new version of TLS coming out, TLS 1.3, which has only forward secret ciphers. All right, I'm just gonna write forward secrecy here, perfect forward secrecy, I hope you can read my scrawls, looks good from back here though. All right, so TLS 1.3 only has forward secret ciphers, so none of this is going to work, right? The financial community actually brought that to the attention of the IETF committee. The IETF committee decided, for their reasons, not to allow, say, RSA or existing ciphers that can support this kind of architecture from working.

So what's the solution? How do you fix this, David? All right, you can fix it of course with an F5, because we have been doing decryption for years and years and years and we're quite good at it. So now the solution to this is you have your F5, see, you know, understand why this is here, right, because this is now an F5 box. We will decrypt it here, basically stripping off the forward secrecy. We can then send it over this way toward the switch, or actually, here's kind of the magic part here: we're using route domains to send it to ourselves, right? So this is route domain 20, we're just targeting ourselves on route domain 10, okay? So it leaves the device, goes out to the switch, comes back to us encrypted with RSA, right? The tap is here, so the tap can take that traffic, send it over to all of these guys, and they can all decrypt it because they have the RSA key, right? So basically we have taken forward secrecy, stepped it down to RSA, and that enables all of this stuff to work.

And then for this particular customer they wanted us to re-encrypt with forward secrecy here, which is why I'm calling this the ultimate passive inspection architecture, because this is about as much encryption as you could possibly handle. And as a matter of fact it's only possible because if you have an F5 VIPRION, right, that's one of our chassis devices, the new blades, the 4450s, support elliptic curve in hardware, and elliptic curve is the elliptic curve DH, ECDH is the number one forward secret cipher. All right, so all of this works and there's still no unencrypted traffic on the Internet. You can still use TLS 1.3 to talk to the users, right, and to the outside world it appears you're TLS 1.3 compliant. Plus if anybody's recording the traffic in between here, they won't be able to decrypt it even if they get a copy of the key.

And there's another benefit, speaking of keys. For example, if all of these three were different subdomains they might all have different keys, okay? So you might have, like, each of these are different keys, and then each of these devices would have different keys. So there would be a count of 3, right, because I've got 3 applications. And you might say, well, 3 applications, who cares, I've got to copy 3 keys to these other three things. What if you had a hundred applications? Or what if you're a hosting provider or an MSSP and you have 10,000 applications on behalf of a thousand customers? That's keys you would have to have on each of these devices. With this solution, since we're doing all of that stuff and managing all those keys, we use one single RSA key here, and so all of these guys don't have to do all that. Every time you add an application you don't have to add a new key, you're just using the key that the F5 is using, right? So it becomes, it's sort of proxying all those keys down to one.

All right, so now you might think to yourself, all right David, I don't necessarily know if I need the forward secrecy all the way back here. And in fact we have several customers who want us to do this kind of thing and just send it right through here. And in that case all of this is basically the same, except there's no decrypt here, right, and then there's no re-encrypt in there. But that all still works and there's no unencrypted traffic on the network. So now that is the ultimate passive inspection monitoring architecture, or SSL visibility. Thank you.
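As an added example (not F5's code and not material from the video), here is a constructed Python model of the step-down described above: a passive device holding the one shared RSA private key can recover an RSA-key-exchange session from a capture, while the ephemeral DH session between the user and the F5 can only be read by its two endpoints, so the F5 decrypts it and re-encrypts it to its own RSA key before the tap. Textbook RSA with toy Mersenne primes, finite-field DH and a SHA-256 XOR keystream are assumed stand-ins for TLS.

```python
"""Constructed toy model of the step-down in the video: textbook RSA, finite-field
DH and a SHA-256 XOR stream stand in for TLS. Not F5 code and not real TLS."""
import hashlib
import secrets

P, Q = 2**61 - 1, 2**89 - 1        # toy RSA primes (Mersenne primes)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # the single RSA private key the inspection zone holds
DH_P, DH_G = 2**127 - 1, 3          # toy DH group (Mersenne prime, generator 3)

def session_key(secret):
    """Stand-in for the TLS key schedule: one key from the shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()

def crypt(key, data):
    """Toy record layer: XOR with a SHA-256 keystream; decrypts itself."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def dhe_session():
    """User <-> F5 with ephemeral DH. A tap sees g^a and g^b, but the key is
    g^ab, and the long-term RSA private key plays no part in it."""
    a, b = secrets.randbelow(DH_P - 2) + 1, secrets.randbelow(DH_P - 2) + 1
    ga, gb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    return (ga, gb), session_key(pow(gb, a, DH_P))

def rsa_session():
    """RSA key exchange: the premaster is encrypted to the public key, so the
    ciphertext a tap captures is enough for anyone holding D."""
    premaster = secrets.randbelow(N)
    return pow(premaster, E, N), session_key(premaster)

def passive_decrypt(captured_premaster, record):
    """IDS / analytics / packet-capture box with a copy of the RSA private key."""
    return crypt(session_key(pow(captured_premaster, D, N)), record)

def f5_step_down(dhe_key, dhe_record):
    """The F5 is an endpoint of the DHE session, so it has the key: decrypt, then
    re-encrypt to itself (route domain 20 -> 10 in the video) under RSA."""
    plaintext = crypt(dhe_key, dhe_record)
    captured, rsa_key = rsa_session()
    return captured, crypt(rsa_key, plaintext)

def inspect_request(plaintext):
    """End to end: user sends under DHE, F5 steps down, the inspection zone reads it."""
    _public_values, dhe_key = dhe_session()
    on_the_wire = crypt(dhe_key, plaintext)   # a tap in front of the F5 sees only this
    captured, rsa_record = f5_step_down(dhe_key, on_the_wire)
    return passive_decrypt(captured, rsa_record)
```

The inspection zone never needs the DHE secret and never needs a per-application key: every session it sees was re-keyed under the one RSA key `D`, which is the "proxying all those keys down to one" point in the video.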
Info
Channel: F5 DevCentral
Views: 6,997
Rating: 4.8490567 out of 5
Keywords: f5, devcentral, lightboard, ssl, ssl visibility, forward secrecy, tls1.3, pfs
Id: 2RgPzCdFWiw
Length: 10min 54sec (654 seconds)
Published: Wed Nov 08 2017