Data moving between clients (computers, tablets, phones, and so on) and servers is predominantly encrypted with Secure Sockets Layer (SSL) or the more modern, more secure Transport Layer Security (TLS). (For reference, see the 2019 TLS Telemetry Report Summary from F5 Labs). Today’s pervasive encryption means threats are hidden and invisible to security inspection unless traffic is decrypted.
The decryption and encryption of data by different devices which are performing security functions, such as Cisco Web Security Appliance (WSA), potentially increases overhead and latency. Added to the SSL visibility challenges and the fragmented nature of the security stack, enterprises are finding it challenging to design a comprehensive security strategy with any longevity.
This system reference architecture covers the different ways of structuring the SSL Orchestrator and Cisco WSA products across network topologies; it addresses visibility, privacy, and regulatory compliance challenges.
F5 SSL Orchestrator sits between the IT infrastructure and the Internet, creating a decryption zone which you can use for inspection. Within the decryption zone, Security devices like Cisco FTD can access the data to detect and mitigate hidden threats like malware.
F5’s advanced SSL/TLS decryption technology, strong cipher support, and flexible architectures help you optimize the use of resources, remove latency, and add resilience to your security inspection infrastructure. Because all communication is funneled through SSL Orchestrator, it also serves as a strategic point of control where policies addressing operational risk (performance, availability, and security) are enforced.
SSL Orchestrator provides high-performance decryption of both inbound (from Internet users to web applications) and outbound (from corporate users to the Internet) SSL/TLS traffic. As shown in Figure 1, outbound traffic is decrypted and sent to the Cisco WSA system for inspection and detection.
Figure 1: Outbound traffic is being decrypted and sent to Cisco WSA.
Different environments call for different architectures. SSL Orchestrator is offered in various form factors and sizes to address diverse architectural requirements.
F5 SSL Orchestrator iSeries platform
High-performance SSL Orchestrator iSeries hardware is optimized to provide 1 GB, 5 GB, 10 GB, and 20 GB decryption throughputs and is ideal for regional and central enterprise sites.
F5® BIG-IP® Virtual Edition
High-performance SSL Orchestrator virtual edition can be used to augment the SSL decryption architecture to include smaller office sites.
F5® VIPRION® platform (chassis)
High-end VIPRION platform delivers decryption throughputs greater than 100 GB, providing the ability to aggregate and to manage an ever-increasing volume of network traffic. Modular design and clustering capabilities allow the VIPRION to easily scale as network needs evolve.
A typical security stack often consists of multiple systems such as a next-gen firewall (NGFW), intrusion detection or prevention systems (IDS/IPS), data loss prevention, and malware analysis tools. All these systems require access to decrypted data for inspection.
SSL Orchestrator easily integrates with existing security architectures and centralizes SSL/TLS decryption across multiple inspection devices in the security stack. This “decrypt once and steer to many inspecting devices” design addresses latency, complexity, and risk issues that can occur if every single security device performs decryption. You can also create multiple service chains for different traffic flows using the context engine.
Figure 2: Decrypt once and steer to many inspecting devices design, using dynamic service chaining.
A service in the SSL Orchestrator system is defined as a pool of identical security devices. For example, a Cisco WSA service would include one or more WSA devices. By default, SSL Orchestrator will load balance the traffic to all the devices in a service.
SSL Orchestrator provides various health monitors to check the health of the security devices in a service and handles any device failures instantly. For example, in a Cisco WSA service, should a device fail, the SSL Orchestrator will automatically shift the load to the active WSA devices. Should all the devices in the service fail, SSL Orchestrator will bypass the service to maintain network continuity and maximize uptime.
SSL Orchestrator’s context engine provides the ability to intelligently steer traffic based on policy decisions made using classification criteria, URL category, IP reputation, and flow information. You can also use the context engine to bypass decryption to applications and websites like financials, government services, health care, and others like them for legal or privacy purposes.
Figure 3: Context engine delivering service chaining and policy-based traffic steering.
SSL Orchestrator supports an active-standby HA architecture: one system actively processes traffic while the other remains in standby mode until needed. The goal is to decrease any downtime and to eliminate single points of failure. The systems automatically synchronize configuration and user connection information.
SSL Orchestrator can be integrated with a bypass switch to give fail-to-wire protection. If the SSL Orchestrator system loses power, the traffic will be bypassed without endangering network performance.
F5 SSL Orchestrator is deployed inline either in Layer 2 or Layer 3 mode and can be configured as an explicit forward proxy or transparent forward proxy. And Cisco WSA can be deployed as an explicit forward proxy or transparent forward proxy inside the SSL Orchestrator service chain; it can also be deployed as an upstream proxy to SSL Orchestrator in either mode to receive the decrypted traffic for inspection.
When both SSL Orchestrator and Cisco WSA are configured as transparent forward proxy, user authentication can be performed on Cisco WSA using a captive portal via SSL Orchestrator.
When Cisco WSA is configured as an explicit forward proxy, user authentication should be performed by SSL Orchestrator. The same is true when Cisco WSA is deployed as upstream proxy to SSL Orchestrator.
Figure 4: Cisco WSA deployment topologies that are supported by F5 SSL Orchestrator.
Figure 5 shows how SSL Orchestrator integrates into an enterprise architecture to centralize the decryption of outbound traffic across the inspection infrastructure.
Figure 5: F5 SSL orchestration integration into enterprise network architecture.
As shown in Figure 6 below, SSL Orchestrator supports link aggregation using IEEE 802.1q VLAN tagging protocol to provide link redundancy for increased fault tolerance.
Figure 6: link aggregation for port redundancy.
SSL and its successor TLS are becoming more prevalent to secure IP communications on the Internet. This can be good or bad. Good, because all communications are scrambled from prying eyes. But potentially bad, because attackers can hide malware inside encrypted traffic. If encrypted traffic is simply passed through, security systems are can’t intercept it. And that defeats the entire defense-in-depth strategy of layering security functions.
F5 SSL Orchestrator, with an advanced threat protection system like Cisco WSA can solve these SSL/TSL challenges by centralizing the SSL/TLS decryption within the enterprise boundaries. It can orchestrate the decrypted traffic through the entire security stack for inspection to identify and block zero-day exploits. As a result, this solution lets you maximize existing security services investments for malware protection and next-generation firewalls.
F5 (NASDAQ: FFIV) gives the world’s largest businesses, service providers, governments, and consumer brands the freedom to securely deliver every app, anywhere—with confidence. F5 delivers cloud and security application services that enable organizations to embrace the infrastructure they choose without sacrificing speed and control. For more information, go to f5.com. You can also follow @f5networks on Twitter or visit us on LinkedIn and Facebook for more information about F5, its partners, and technologies.