SSL Technologies Update - F5 Networks
PRESENTED BY:
SSL Technologies Update
History

| Year | Version | Notes | Reference |
|------|---------|-------|-----------|
| 1994 | SSL1 and SSL2 | Netscape project that contained significant flaws | |
| 1995 | SSL3 | Netscape addresses SSL2 flaws | |
| 1999 | TLS 1.0 | Standardized SSL3 with almost no changes | RFC 2246 |
| 2006 | TLS 1.1 | Security fixes and TLS extensions | RFC 4346 |
| 2008 | TLS 1.2 | Added support for authenticated encryption (AES-GCM, CCM modes) and removed hard-coded primitives | RFC 5246 |
| 2018 | TLS 1.3 | Significant overhaul, requiring PFS, removing weak ciphers. Allows 0-RTT and 1-RTT handshakes. | RFC Draft |
History: SSL/TLS attacks by year

| Year | Attacks |
|------|---------|
| 2009 | Insecure Renegotiation |
| 2011 | BEAST, CRIME |
| 2013 | RC4, TIME, Lucky 13 |
| 2014 | Heartbleed, POODLE, Dire |
| 2015 | FREAK, Logjam |
| 2016 | DROWN |
| 2017 | ROBOT |
| 2018 | ? |
Motivation (each of these slides adds one driver beneath the attack timeline above)

- Revelations of privacy: Snowden
- Incentives: page rank
- Technology advances: emerging technologies. Must use TLSv1.2; must support ephemeral key exchange >= 2048b
- Regulatory compliance: regulatory requirements
- Lower barrier to entry: accessibility
- Quantifiable security: qualified grading
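The deck's baseline (TLS 1.2 or newer, ephemeral key exchange of at least 2048 bits, the AEAD modes TLS 1.2 introduced, and none of the legacy ciphers behind the RC4 and other attacks on the timeline) can be checked mechanically. The following Python audit is an added example for this page, not F5's grading logic or any BIG-IP configuration format; the profile dictionary layout, the thresholds and the sample profiles are assumptions constructed for the illustration. It accepts both OpenSSL-style and IANA-style cipher suite names.

```python
"""Audit a TLS server profile against the baseline described above:
TLS 1.2 or newer, forward-secret key exchange with DH >= 2048 bits,
AEAD ciphers, and no legacy ciphers such as RC4, 3DES or MD5-based suites.

Added example; the profile format and thresholds are assumptions made for
this illustration, not F5's grading code or a BIG-IP configuration schema."""
import re

MIN_VERSION = (1, 2)   # TLS 1.2 ("Must use TLSv1.2")
MIN_DH_BITS = 2048     # "ephemeral key exchange >= 2048b"

# Tokens that mark a suite as legacy or broken (NULL, export, RC4, DES/3DES, MD5, anonymous).
WEAK_TOKENS = {"NULL", "EXP", "EXPORT", "RC4", "DES", "3DES", "MD5", "ANON", "ADH", "AECDH"}
# Tokens that identify an AEAD construction (AES-GCM, AES-CCM, ChaCha20-Poly1305).
AEAD_TOKENS = {"GCM", "CCM", "CCM8", "POLY1305"}

_VERSION_RE = re.compile(r"^(SSL|TLS)\s*v?(\d)(?:\.(\d))?$", re.IGNORECASE)


def parse_version(name):
    """'SSLv3' -> (0, 3), 'TLSv1' -> (1, 0), 'TLS 1.3' -> (1, 3); tuples compare chronologically."""
    m = _VERSION_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised protocol name: {name!r}")
    family, major, minor = m.group(1).upper(), int(m.group(2)), m.group(3)
    if family == "SSL":
        return (0, major)
    return (major, int(minor) if minor else 0)


def _tokens(suite):
    # Normalise OpenSSL ("ECDHE-RSA-AES128-GCM-SHA256") and IANA
    # ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") spellings to one token list.
    return suite.upper().replace("_", "-").split("-")


def is_tls13_suite(suite):
    t = _tokens(suite)
    return t[0] == "TLS" and "WITH" not in t   # TLS_AES_..., TLS_CHACHA20_...


def is_weak(suite):
    return bool(WEAK_TOKENS & set(_tokens(suite)))


def is_ephemeral(suite):
    """Forward secrecy: ECDHE or DHE (OpenSSL also spells DHE as EDH); every TLS 1.3 suite qualifies."""
    return is_tls13_suite(suite) or bool(set(_tokens(suite)) & {"ECDHE", "DHE", "EDH"})


def uses_finite_field_dh(suite):
    # Only finite-field DHE depends on the server's DH parameter size.
    return bool(set(_tokens(suite)) & {"DHE", "EDH"})


def is_aead(suite):
    return bool(AEAD_TOKENS & set(_tokens(suite)))


def audit_profile(profile):
    """Return human-readable findings; an empty list means the profile meets the baseline."""
    findings = []
    for name in profile.get("versions", []):
        if parse_version(name) < MIN_VERSION:
            findings.append(f"legacy protocol enabled: {name}")
    ciphers = profile.get("ciphers", [])
    for suite in ciphers:
        if is_weak(suite):
            findings.append(f"weak cipher suite enabled: {suite}")
        elif not is_ephemeral(suite):
            findings.append(f"no forward secrecy (static key exchange): {suite}")
        elif not is_aead(suite):
            findings.append(f"non-AEAD suite, prefer GCM/CCM/ChaCha20-Poly1305: {suite}")
    if any(uses_finite_field_dh(s) for s in ciphers):
        bits = profile.get("dh_bits")
        if bits is None or bits < MIN_DH_BITS:
            findings.append(f"DHE parameters too small or unknown: {bits} bits < {MIN_DH_BITS}")
    return findings


# Constructed sample profiles for the illustration (not captured from any real device).
LEGACY_PROFILE = {
    "versions": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["RC4-MD5", "AES128-SHA", "DHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    "dh_bits": 1024,
}
HARDENED_PROFILE = {
    "versions": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "TLS_AES_256_GCM_SHA384"],
}

if __name__ == "__main__":
    for label, prof in (("legacy", LEGACY_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_profile(prof) or "OK")
```

Running it reports six findings for the legacy profile (two old protocol versions, the RC4 suite, a static-RSA suite with no forward secrecy, a CBC suite without AEAD, and 1024-bit DH parameters) and none for the hardened one. The token-based matching is deliberately conservative: a suite is only judged forward-secret when its name carries an ephemeral key-exchange token or is a TLS 1.3 suite, so an unfamiliar name fails closed.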
TLS is still growing (Google report) [chart; figures as extracted: 60%, 75%, 70%, 37, 71]
Nobody does SSL better

- F5 develops its own native SSL stack
- "A Grade" SSL rating out-of-the-box
- SSL mirroring and hybrid crypto offload
- Highest rated performance-oriented SSL features
- 240K SSL TPS and 80 Gbps of SSL
- #1 Worldwide ADC Market Share 1Q 2016*: 45.4%

* Source IDC
SSL strategy and roadmap (BIG-IP 14.0 and BIG-IP 14.1)
• TLS 1.3 tolerance
• F5 cipher suite builder
• Dynamic CA bundle update
• External crypto offload
• SSL visibility
• SSL connection mirroring
• OCSP stapling
• C3D – phase one
• TLS 1.3 – phase one
• Curve25519
• TLS 1.3 – phase two
• DH 2048
• ChaCha20-Poly1305
• 0-RTT
• C3D – phase two
TLS 1.3 support (by draft version 18 to 28; the marks below are as extracted, their column positions were lost)

| Library | Used by | Draft support marks |
|---------|---------|---------------------|
| F5 TMM | BIG-IP | x x |
| NSS | Firefox | x x |
| miTLS | Microsoft | x |
| BoringSSL | Google/Chrome | x |
| Wireshark | Wireshark | x x x x x x x x x x x |
| picotls | H2O Server | x x x x |
| Secure Transport | Apple (Mac) | x |
| sChannel | Windows (Edge+) | |
| OpenSSL | Most Servers / Tools | x x x |
| wolfSSL | MySQL | x x x x x |
| GnuTLS | Synology | x |
| ??? | Opera | x |
| tlslite-ng | Python Lib | x |
| SwiftTLS | Apple | x x |
Client Certificate Constrained Delegation
Model 1: Local Delegate / Model 2: Remote Delegate
FIPS and key management
F5 FIPS and key management: certificate lifecycle (diagram; stage numbers 1 to 8 were lost in extraction)

- Organization management
- Domain management
- User account creation
- User API authentication key creation
- Certificate management
- Order submission
- Order status monitoring
- Certificate validation
- Certificate installation
- Renew/Update/Revoke

Actors: CA server; Certificate Manager from CA or third-party solutions, e.g. Symantec (now DigiCert), Comodo. Stages BIG-IP/BIG-IQ are interested in are highlighted on the diagram.
F5 FIPS and key management
1. Vendor agnostic - simply install per vendor instructions
2. Point BIG-IP to use the new vendor PKCS#11 library
3. On-box test of basic PKCS#11 APIs per library
4. Advanced configuration - HSM partition/slot by name/label
5. Concurrent access to multiple HSM partitions/slots
   • Multi-tenancy support (cloud use-case)
   • Per-App HSM partition/slot allocation
6. Easy integration with new PKCS#11 HSMs
   • Ability to link any new vendor PKCS#11 library without code changes
   • A basic test utility to test and validate basic PKCS#11 API calls
   • Robust set of regression tests run with each F5 release
Performance / Visibility (slide labels as extracted: don't, do)
Multiple SSL/TLS intercept points (diagram): Users / Devices -> Internet -> Firewall, then the daisy chain of security services. Each service (IPS, DLP, Web Gateway, Anti-Malware) independently performs decrypt -> inspect -> encrypt before passing traffic to the next.
Single SSL/TLS intercept point (diagram): Users / Devices -> Internet -> Firewall, with one high-performance decryption and encryption point for SSL traffic feeding the security services (IPS, DLP, Web Gateway, Anti-Malware) in the clear.
Policy-based dynamic service chaining
What’s new in 4.0