SSL/TLS: Visibility Isn’t Enough, You Need Orchestration

Published July 25, 2018

The release of version 4.0 of F5 Networks’ SSL Orchestrator solves one of the most vexing security problems of the last five years: visibility into encrypted user traffic. Security budgets have invested billions in high-falutin’ security controls that are amazing at sandboxing, deep-packet inspection, and artificial intelligence, but blind when it comes to encryption. The situation is critical, because the percentage of encrypted user traffic has more than doubled since 2014, exceeding 80 percent, according to F5 Labs' 2017 TLS Telemetry report. So, of course, now there are SSL visibility solutions that provide decryption services allowing those security controls to see what they’re doing.

But visibility, by itself, isn’t enough. Security teams and network operations have found that setting up decryption zones is not easy. Not easy at all. Security teams often have to resort to manual daisy-chaining or tedious configuration to manage decryption/encryption across the entire security stack. And then they find that exceptions abound. Basically, it’s been a pain in the *checks notes* neck.

Enter version 4.0 of F5’s SSL Orchestrator, which sure enough delivers visibility but differentiates itself from the pack with orchestration. Orchestration provides policy-based traffic steering to a service chain based on risk and dynamic network conditions.

By virtue of being a full proxy for both SSL/TLS and HTTP, SSL Orchestrator can make intelligent decisions about steering inbound and outbound traffic to service chains within the security stack. No other solution can do that.

The key takeaway, should you neglect to read after the fold, is that no matter how complicated your inbound and outbound encryption requirements are, the SSL Orchestrator can bring visibility back to your millions of dollars of inspection hardware.

Figure 1 – Diagrams Help Make Blog Posts Visually Interesting

More Dynamic Service Chaining

F5 introduced the concept of security service chaining in the earlier versions of the SSL Orchestrator. Different kinds of network traffic should get different kinds of inspection, amirite? For example, outbound traffic from admin workstations should receive the most scrutiny and pass through all existing security controls unencrypted. But VDI sessions from the business units’ contractors can skip the sandbox and the IPS on their way out.

Version 4.0 improves its security control insertion chaining, load balancing, and monitoring methods in notable ways, such as those described below.
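To make the steering idea concrete, here is a small rule engine added to this post as an illustration (it is not SSL Orchestrator code; the zone names, service names, rule names and flow attributes are constructed). The first matching rule picks the chain, an unmatched flow falls back to full inspection rather than a silent bypass, a high-risk destination always picks up the sandbox, and each service is marked fail-open or fail-closed for the moment its health monitor reports it down.

```python
"""Policy-based steering of decrypted flows to inspection service chains.

Illustrative code added to this post; it is not F5's SSL Orchestrator code.
Zone names, service names, rule names and the Flow attributes are constructed
for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class ServiceUnavailable(Exception):
    """Raised when a required inspection service is down and the policy fails closed."""


@dataclass(frozen=True)
class Flow:
    src_zone: str            # where the client sits, e.g. "admin_workstations"
    dst_port: int
    sni: str = ""            # TLS server_name from the ClientHello, if any
    risk: str = "medium"     # "low" | "medium" | "high" (from reputation/category feeds)


@dataclass
class Rule:
    name: str
    match: Dict[str, object]          # attribute name -> required value
    chain: Optional[List[str]]        # ordered services; None = bypass (leave encrypted)

    def matches(self, flow: Flow) -> bool:
        return all(getattr(flow, attr) == want for attr, want in self.match.items())


@dataclass
class SteeringPolicy:
    rules: List[Rule]
    default_chain: List[str]                          # used when no rule matches
    fail_open: Set[str] = field(default_factory=set)  # services that may be skipped when down

    def decide(self, flow: Flow, available: Set[str]) -> Tuple[str, Optional[List[str]]]:
        """Return (rule_name, effective_chain); a chain of None means the flow is bypassed."""
        name, chain = self._first_match(flow)
        if chain is None:
            return name, None
        # Risk escalation: a high-risk destination is always sandboxed, whatever the rule said.
        if flow.risk == "high" and "sandbox" not in chain:
            chain = chain + ["sandbox"]
        effective: List[str] = []
        for svc in chain:
            if svc in available:
                effective.append(svc)
            elif svc in self.fail_open:
                continue                       # unhealthy but non-critical: skip it, keep flowing
            else:
                raise ServiceUnavailable(svc)  # critical service down: fail closed
        return name, effective

    def _first_match(self, flow: Flow) -> Tuple[str, Optional[List[str]]]:
        for rule in self.rules:
            if rule.matches(flow):
                return rule.name, (None if rule.chain is None else list(rule.chain))
        return "default", list(self.default_chain)


# Constructed policy mirroring the text: admin workstations get every control,
# contractor VDI sessions skip the sandbox and the IPS, and one pinned
# destination is left encrypted (the kind of exception that "abounds").
FULL_CHAIN = ["dlp", "ips", "av_icap", "sandbox"]
POLICY = SteeringPolicy(
    rules=[
        Rule("pinned_banking", {"sni": "bank.example"}, None),
        Rule("admin_full", {"src_zone": "admin_workstations"}, FULL_CHAIN),
        Rule("vdi_contractors", {"src_zone": "vdi_contractors"}, ["dlp", "av_icap"]),
    ],
    default_chain=FULL_CHAIN,
    fail_open={"sandbox"},
)


def steer(flow: Flow, available=frozenset(FULL_CHAIN)) -> Tuple[str, Optional[List[str]]]:
    """Apply POLICY to one flow given the set of services currently reported healthy."""
    return POLICY.decide(flow, set(available))


if __name__ == "__main__":
    print(steer(Flow("admin_workstations", 443, "cdn.example")))
    print(steer(Flow("vdi_contractors", 443, "cdn.example", risk="high")))
    print(steer(Flow("admin_workstations", 443), {"dlp", "ips", "av_icap"}))  # sandbox down
```

The two health-monitor branches are the design choice worth copying: a sandbox that is down just gets skipped and logged, while a down IPS on an admin chain stops the flow, because silently forwarding decrypted admin traffic around a missing control is exactly the blind spot the rest of the stack was bought to close.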

Visibility Gets (More) Visual!

If you’re thinking that sounds complicated or confusing, stay with us through the mid-sentence anxiety, because the SSL Orchestrator makes service chaining easy! As it happens, the Orchestrator’s Visual Policy Editor (VPE) lets you drag-and-drop chains into your architecture so you can actually see the way traffic visibility is enabled.

Visibility: Not Just for HTTPS Anymore

Sure, the majority of your traffic is HTTPS, but if you’re a larger organization and you have all kinds of protocols flowing through your kit, you might also be handling some FTP(S), IMAP, POP3, and ICAP. And, because of the recent focus on opportunistic encryption, many applications are using STARTTLS for those services. You’re probably thinking “that’s WAY too advanced for F5 to handle.” Well, you’re wrong, Kenny, because SSL Orchestrator can now detect and correctly decrypt opportunistic encryption like STARTTLS within FTP, IMAP, POP3, and ICAP.
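What "detect opportunistic encryption" means in practice is parsing the cleartext protocol until the client asks for TLS and the server agrees; only then does the TLS handshake begin, and a refusal means the session simply carries on in cleartext (and stays inspectable as such). The state machine below is an added example, not F5 code; it covers IMAP, POP3 and FTP as named in the text and SMTP as the same pattern, and every sample exchange in it is constructed.

```python
"""Locating the point where a plaintext session upgrades to TLS.

Added example for this post, not SSL Orchestrator code. A decrypting proxy
must follow the cleartext protocol until the client's upgrade request is
accepted by the server; the next client bytes are then a TLS record
(handshake, ClientHello). All exchanges below are constructed.
"""
import re
from typing import List, Optional, Tuple

# Client-side upgrade request per protocol. IMAP commands carry a tag that the
# server's answer must repeat; the other three are untagged.
UPGRADE_REQUEST = {
    "imap": re.compile(r"^(?P<tag>\S+) STARTTLS$", re.I),
    "pop3": re.compile(r"^STLS$", re.I),
    "ftp":  re.compile(r"^AUTH (?:TLS|SSL|TLS-C|TLS-P)$", re.I),
    "smtp": re.compile(r"^STARTTLS$", re.I),
}
TLS_HANDSHAKE_PREFIX = b"\x16\x03"   # record type 22 (handshake), major version 3


class UpgradeError(Exception):
    """The server accepted the upgrade but the client did not start a TLS handshake."""


def _line(data: bytes) -> str:
    return data.decode("ascii", "replace").rstrip("\r\n")


def _accepted(protocol: str, tag: Optional[str], reply: str) -> Optional[bool]:
    """True = server agreed, False = server refused, None = not the answer yet."""
    if protocol == "imap":
        m = re.match(r"^(\S+) (OK|NO|BAD)\b", reply, re.I)
        if not m or m.group(1) != tag:
            return None                     # untagged data; wait for the tagged response
        return m.group(2).upper() == "OK"
    if protocol == "pop3":
        if reply.startswith("+OK"):
            return True
        if reply.startswith("-ERR"):
            return False
        return None
    if protocol in ("ftp", "smtp"):
        m = re.match(r"^(\d{3})([ -])", reply)
        if not m or m.group(2) == "-":
            return None                     # "NNN-" continues a multi-line reply
        return m.group(1) == ("234" if protocol == "ftp" else "220")
    raise ValueError(protocol)


def find_tls_upgrade(protocol: str, exchange: List[Tuple[str, bytes]]) -> Optional[int]:
    """Return the index in `exchange` where TLS begins, or None if it stays cleartext.

    `exchange` is a list of (side, data) with side "C" (client) or "S" (server).
    """
    pattern = UPGRADE_REQUEST[protocol]
    state, tag = "plain", None
    for i, (side, data) in enumerate(exchange):
        if state == "plain" and side == "C":
            m = pattern.match(_line(data))
            if m:
                tag, state = m.groupdict().get("tag"), "requested"
        elif state == "requested" and side == "S":
            verdict = _accepted(protocol, tag, _line(data))
            if verdict is True:
                state = "accepted"
            elif verdict is False:
                state = "plain"             # refused: session continues unencrypted
        elif state == "accepted" and side == "C":
            if data.startswith(TLS_HANDSHAKE_PREFIX):
                return i                    # handshake starts here; hand off to the TLS proxy
            raise UpgradeError("expected TLS ClientHello after accepted upgrade")
    return None


# Constructed sample exchanges.
IMAP_UPGRADE = [
    ("S", b"* OK IMAP4rev1 service ready\r\n"),
    ("C", b"a001 CAPABILITY\r\n"),
    ("S", b"* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n"),
    ("S", b"a001 OK CAPABILITY completed\r\n"),
    ("C", b"a002 STARTTLS\r\n"),
    ("S", b"a002 OK Begin TLS negotiation now\r\n"),
    ("C", b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),   # TLS record, ClientHello
]
POP3_REFUSED = [
    ("S", b"+OK POP3 server ready\r\n"),
    ("C", b"STLS\r\n"),
    ("S", b"-ERR TLS not available\r\n"),
    ("C", b"USER alice\r\n"),
]
FTP_UPGRADE = [
    ("S", b"220 FTP service ready\r\n"),
    ("C", b"AUTH TLS\r\n"),
    ("S", b"234-Proceed with negotiation\r\n"),
    ("S", b"234 Proceed with negotiation\r\n"),
    ("C", b"\x16\x03\x03\x00\xd0\x01\x00\x00\xcc\x03\x03"),
]

if __name__ == "__main__":
    for name, proto, ex in (("imap", "imap", IMAP_UPGRADE), ("pop3", "pop3", POP3_REFUSED),
                            ("ftp", "ftp", FTP_UPGRADE)):
        print(name, find_tls_upgrade(proto, ex))
```

Two details matter for a proxy doing this for real: an untagged IMAP line or an FTP `234-` continuation must not be mistaken for the acceptance, and for FTP the `AUTH TLS` exchange only protects the control channel; the data connection becomes TLS only after a later `PROT P`, so that command has to be tracked as well.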

Optimizing ICAP

The majority of the ICAP services we integrate with are anti-virus (AV). AV can add significant latency (obviously), so SSL Orchestrator has added some tweaks. You can now create policies that send only certain types of requests/responses over ICAP. One common example is to scan only POST requests and bypass the rest of the payloads. We’re not saying that’s the recommended way to do it, but that’s what the people want, so we gave it to them.
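The POST-only shortcut is just a policy predicate sitting in front of the ICAP client. The snippet below is an added example (not SSL Orchestrator code; the service URL, hostnames and the sample HTTP request are constructed) that shows that predicate beside a stricter "anything with a body" variant, and builds the RFC 3507 REQMOD message whose Encapsulated header tells the AV service where the HTTP headers end and the chunked body begins.

```python
"""Selective ICAP REQMOD: only hand the AV service what policy says needs scanning.

Added example for this post, not F5 code. Builds an RFC 3507 REQMOD request
with a correct Encapsulated header. The ICAP service URL, host names and the
sample HTTP request are constructed.
"""
from typing import Optional, Tuple

ICAP_SERVICE = "icap://av.example.internal:1344/reqmod"   # constructed service URL
ICAP_HOST = "av.example.internal"


def should_scan(method: str, body: bytes, mode: str) -> bool:
    """Policy predicate deciding whether a request is sent to the AV service.

    "all":       every request (full scanning, highest latency)
    "post_only": only POST requests (the shortcut described in the text)
    "any_body":  every request carrying a body, whatever the method
    """
    if mode == "all":
        return True
    if mode == "post_only":
        return method.upper() == "POST"
    if mode == "any_body":
        return len(body) > 0
    raise ValueError(f"unknown scan mode {mode!r}")


def build_reqmod(http_head: bytes, body: bytes) -> bytes:
    """Wrap an HTTP request (head + body) in an ICAP REQMOD message.

    Encapsulated offsets are byte positions from the start of the encapsulated
    section. A bodiless request is signalled with null-body; a body is always
    transferred with chunked encoding (RFC 3507 section 4.5).
    """
    if not http_head.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP head must end with CRLFCRLF")
    head_len = len(http_head)
    if body:
        encapsulated = f"req-hdr=0, req-body={head_len}"
        payload = http_head + f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    else:
        encapsulated = f"req-hdr=0, null-body={head_len}"
        payload = http_head
    icap_head = (
        f"REQMOD {ICAP_SERVICE} ICAP/1.0\r\n"
        f"Host: {ICAP_HOST}\r\n"
        "Allow: 204\r\n"          # permit "204 No modifications" for clean content
        f"Encapsulated: {encapsulated}\r\n\r\n"
    ).encode()
    return icap_head + payload


def parse_encapsulated(msg: bytes) -> dict:
    """Read back the Encapsulated header so the offsets can be checked against the bytes."""
    head, _, _ = msg.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"encapsulated:"):
            parts = line.split(b":", 1)[1].decode().split(",")
            return {k.strip(): int(v) for k, v in (p.split("=") for p in parts)}
    raise ValueError("no Encapsulated header")


def handle_request(http_head: bytes, body: bytes, mode: str) -> Tuple[str, Optional[bytes]]:
    """Return ("icap", message) when the request must be scanned, else ("forward", None)."""
    method = http_head.split(b" ", 1)[0].decode("ascii")
    if should_scan(method, body, mode):
        return "icap", build_reqmod(http_head, body)
    return "forward", None


# Constructed sample request: an 11-byte form POST.
SAMPLE_HEAD = (b"POST /upload HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 11\r\n\r\n")
SAMPLE_BODY = b"hello=world"

if __name__ == "__main__":
    verdict, msg = handle_request(SAMPLE_HEAD, SAMPLE_BODY, "post_only")
    print(verdict, parse_encapsulated(msg))
    print(handle_request(b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", b"", "post_only"))
```

The gap in the POST-only shortcut is visible in the predicate: a PUT or PATCH upload, or a GET that carries a body, never reaches the AV service. The "any_body" mode closes that hole while still skipping the bodiless GETs that make up most of the traffic, which is usually where the latency budget actually goes.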

All That and a Bag of Chips

If you want to know more about the chewy goodness that’s inside version 4.0 of the SSL Orchestrator, here’s a splash of bullet points (and links to more information further below).

What’s New in Version 4.0

  • Updated setup utility with resource provisioning capabilities
  • Inspection of all traffic for malware and data exfiltration
  • Flexible deployment modes to integrate across your entire security infrastructure
  • Analytics and enhanced logging settings and categories
  • L7 application settings for specific traffic (IMAP, SMTPS, POP3, FTP, HTTP)
  • High availability with best-in-class load balancing, health monitoring, and SSL offload capabilities

And lastly, remember this: You need to scan your inbound and outbound traffic for tomorrow’s threats, and SSL Orchestrator is the tool that lets your security controls keep your organization’s name out of the (figurative) papers and away from those pesky GDPR fines.

Additional Resources