TRANSCRIPT
SSL traffic visibility in the network: integrating F5 with a Next Generation FW
Mariusz Sawczuk - Specialist SE North & East EMEA
Slide 2: What we know about SSL/TLS
Encrypted Traffic Is Increasing Rapidly
[Chart: share of encrypted web traffic, 2016 (50%) vs. 2019 (75%); y-axis 0% to 80%]
Source: “TLS/SSL: Where Are We Today?”, NSS Labs, October 2016
• According to an October 2016 NSS Labs survey, enterprises today see 40% – 50% of all web traffic as encrypted
• NSS Labs forecasts that number to increase to 75% by 2019
• In a June 2016 NSS Labs research study, 97% of surveyed enterprises reported seeing an increase in encrypted web traffic
Slide 3: What we know about SSL/TLS
[Timeline graphic with four tracks: Events (Snowden, Manning/Assange), Accessibility, Vulnerabilities, Initiatives]
All malware will begin to cross encrypted channels by 2017 as cyber criminals grow more sophisticated and evasive in their attacks.
Slide 4: What we know about SSL/TLS
SSL is a Significant Performance Hit on Security
[Chart: SSL performance impact on Next-Gen IPS and Next-Gen Firewall (79% and 75%); Sandbox/Anti-Malware: no SSL support (100%)]
• Additional performance loss when multiple security devices each decrypt, inspect and re-encrypt
• But it’s not just performance: latest cipher support is often missing from security devices
Security architectures are not built for SSL encryption. Not handling SSL traffic creates blind spots, and enabling SSL on next-gen security products impacts their performance, sometimes by over 80%!
Slide 5: What we know about SSL/TLS
[Diagram: Client to Internet path passing through IPS, DLP, Web Gateway, Anti-Malware and NGFW]
“Our FireEye has gone from effective to irrelevant because of its blindness to SSL traffic.”
“We have significant challenges with the growth in encrypted connections we’re seeing lately.”
“We field over 12 different security services, and we struggle with using all of them effectively.”
Slide 6: F5 SSL Intercept Solution
[Diagram: Client to Internet via the BIG-IP (SSLi/o) Orchestrator, which decrypts the traffic, steers the cleartext through the security services (IPS, DLP, Web Gateway, Anti-Malware, NGFW) and re-encrypts it; services attach in L2 mode, L3 mode or via ICAP, in 1-armed or 2-armed configurations]
Slide 7: F5 SSL Intercept Solution: Topologies
Single-box deployment
[Diagram: Clients enter the BIG-IP ingress; the inspection zone holds Inline L3 services, Inline L2 services, DLP/ICAP services and Receive Only services, each with In/Out legs back to the BIG-IP, which then sends the traffic out]
• Simplified configuration
• Robust service chaining
• Internal signaling
Two-box deployment
[Diagram: Clients enter the BIG-IP ingress; the inspection zone holds Inline L3, Inline L2, DLP/ICAP and Receive Only services; a cleartext zone between the BIG-IP ingress and the BIG-IP egress box carries L3 services and additional security services before the egress box re-encrypts and sends the traffic out]
• Robust service chaining
• Recapitalize throughput
• Policy-driven separation
• Internal and external signaling
Slide 8: F5 SSL Intercept Solution: Dynamic Service Chaining
[Diagram: traffic classes HTTP/HTTPS and Everything else are steered to different service chains; Banks and Healthcare traffic goes to SSL Bypass]
• Virtual grouping of security devices
• Policy match defines which chain handles selected traffic
• Device can be reused in multiple chains
• Topology independent
  ▪ Not tied to an interface, port or VLAN
• Allows efficient use of security devices
• Allows load balancing pools
• Allows simple service insertion
Slide 9: F5 SSL Intercept Solution: Dynamic Service Chaining
[Diagram: the Traffic Classifier Engine matches on Source Addr., Dest. Addr., IP Geo, Domain Name, IPI Cat., URL Cat., Dest. Port and Protocol to select a service chain, which defines the packet chain]
Create Services: Inline Layer 2, ICAP, Inline Layer 3, Receive Only, ICAP, Inline Layer 3
Create Service Chains (as drawn on the slide):
• Inline Layer 3 → Inline Layer 2 → Receive Only → DLP ICAP
• Inline Layer 3 → Inline Layer 2 → Receive Only
• Inline Layer 3 → DLP ICAP → Receive Only
• Inline Layer 3 → ICAP → Inline Layer 3 → Inline Layer 3
Slide 15: Demo F5 SSLi With CheckPoint & PAN
[Diagram: Client on INSIDE 10.1.20.0/24 → BIG-IP (SSLi/o) → OUTSIDE 10.1.10.0/24 → Internet; CheckPoint SG (L3) attached on 198.19.0.0/25; PaloAlto (L2) attached between L2_INGRESS and L2_EGRESS on 198.19.0.128/25; host addresses shown on the slide: .3, .100, .1-2, .3, .2, .61, .161, .244-5]
Slide 16: Demo F5 SSLi With CheckPoint & PAN
[Diagram: Client → BIG-IP (SSLi/o) → Internet, with CheckPoint SG (L3) and PaloAlto (L2) as attached services]
https://youtube.com (URL cat: Social Web) → Send to: CheckPoint
Slide 17: Demo F5 SSLi With CheckPoint & PAN
[Diagram: same demo topology]
https://secure.eicar.org (URL cat: Computer Security) → Send to: PaloAlto
Slide 18: Demo F5 SSLi With CheckPoint & PAN
[Diagram: same demo topology]
https://www.eximb.com (URL cat: Finance) → Send to: Bypass SSL decrypt
Slide 19: Demo F5 SSLi With CheckPoint & PAN
[Diagram: same demo topology]
Other SSL traffic → Send to: All
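The following is an added example, not part of the deck and not F5 configuration: a small first-match policy engine in Python that models the traffic classifier behind the dynamic service chaining (slides 8 and 9) and reproduces the decisions shown in the demo slides 16 to 19. The Flow, Rule and Decision types, the rule names, the ordering of the rules and the sample flows are all constructed for illustration; the device names are the two services from the demo, and the client address is taken from the demo's INSIDE subnet with documentation-range destinations.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """Attributes the classifier sees for one connection (constructed model)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str                        # "tcp" or "udp"
    sni: Optional[str] = None            # TLS server name from the ClientHello, if present
    url_category: Optional[str] = None   # category from a URL classification feed, if known


@dataclass(frozen=True)
class Decision:
    rule: str                 # name of the policy rule that matched
    decrypt: bool             # False = SSL bypass: forwarded without interception
    chain: Tuple[str, ...]    # ordered services the (decrypted) flow is steered through


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Flow], bool]
    decrypt: bool
    chain: Tuple[str, ...]


# Devices are grouped virtually into chains; the same device may appear in several chains.
CHECKPOINT = "CheckPoint SG (L3)"
PALOALTO = "PaloAlto (L2)"
CHAIN_ALL = (CHECKPOINT, PALOALTO)


def is_tls(flow: Flow) -> bool:
    """Treat TCP/443 or any flow carrying a ClientHello SNI as TLS (assumption)."""
    return flow.protocol == "tcp" and (flow.dst_port == 443 or flow.sni is not None)


def url_category(*cats: str) -> Callable[[Flow], bool]:
    return lambda f: f.url_category in cats


# First match wins, so the privacy bypass for regulated categories sits above the
# inspection rules, and a TLS flow whose category is unknown is still inspected.
POLICY: List[Rule] = [
    Rule("bypass-regulated", url_category("Finance", "Healthcare"), decrypt=False, chain=()),
    Rule("social-to-checkpoint", url_category("Social Web"), decrypt=True, chain=(CHECKPOINT,)),
    Rule("security-to-paloalto", url_category("Computer Security"), decrypt=True, chain=(PALOALTO,)),
    Rule("all-other-tls", is_tls, decrypt=True, chain=CHAIN_ALL),
    # Non-TLS traffic has nothing to decrypt but still passes through every device.
    Rule("everything-else", lambda f: True, decrypt=False, chain=CHAIN_ALL),
]


def select_chain(flow: Flow, policy: List[Rule] = POLICY) -> Decision:
    """Return the decision of the first rule whose match function accepts the flow."""
    for rule in policy:
        if rule.match(flow):
            return Decision(rule.name, rule.decrypt, rule.chain)
    raise RuntimeError("policy has no catch-all rule")


# Constructed flows mirroring the demo slides (destinations use documentation ranges).
DEMO_FLOWS: Dict[str, Flow] = {
    "youtube": Flow("10.1.20.100", "203.0.113.10", 443, "tcp", "youtube.com", "Social Web"),
    "eicar": Flow("10.1.20.100", "203.0.113.20", 443, "tcp", "secure.eicar.org", "Computer Security"),
    "eximb": Flow("10.1.20.100", "203.0.113.30", 443, "tcp", "www.eximb.com", "Finance"),
    "unknown_tls": Flow("10.1.20.100", "203.0.113.40", 443, "tcp", "example.net", None),
    "plain_http": Flow("10.1.20.100", "203.0.113.50", 80, "tcp", None, None),
}


def run_demo() -> Dict[str, Decision]:
    """Classify every constructed demo flow and return the decisions by name."""
    return {name: select_chain(flow) for name, flow in DEMO_FLOWS.items()}


if __name__ == "__main__":
    for name, d in run_demo().items():
        action = "decrypt" if d.decrypt else "bypass"
        print(f"{name:12s} {d.rule:22s} {action:8s} chain={' -> '.join(d.chain) or 'none'}")
```

Two design points matter for a deployment of this kind. The bypass rule is deliberately placed first so that regulated traffic (the Banks and Healthcare classes on slide 8) is never decrypted, whichever device chain would otherwise apply; and the catch-all for TLS sends traffic with no known category through the full chain, so a gap in the categorisation feed degrades to more inspection rather than to an unintended bypass.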