USE CASE

nCipher Comprehensive SSL Ecosystem to Support Ubiquitous Encryption


THE CHALLENGE

  • The majority of today’s web traffic is encrypted.
  • Encrypting and decrypting traffic to inspect it for malicious content is resource intensive: it requires a lot of processing power.
  • Organizations must ensure that encryption doesn’t impact the performance of their web servers, which could, in turn, impact operational performance.

KEY BENEFITS

  • F5 BIG-IP and nShield Connect work together to deliver high performance while also securing valuable cryptographic material.
  • nShield Connect creates carefully designed cryptographic boundaries that make sure keys are accessed and used properly.
  • nShield Connect provides FIPS 140-2 Level 3 and Common Criteria EAL 4+ certified protection.
  • nShield Connect is auditable and can help ensure regulatory compliance.
  • nShield Connect can be deployed on-premises or as a service.
     

We’re well past the point where the majority of internet traffic—from simple web browsing to email, web applications, and cloud-based services—is encrypted. That happened back in 2017. Today, encrypted traffic makes up about 80% of all web traffic.

While encryption is good for privacy and security, it comes at a cost. Fast, scalable security requires a lot of computing power because traffic (including IDs, passwords, and account numbers) is encrypted and transported using SSL.

Given this reality, it’s critical for organizations to ensure that the ever-growing number of SSL connections doesn’t impact web server performance, which could in turn impact operational performance. 

F5 and nCipher joint SSL ecosystem

Together, F5 and nCipher create a complete SSL ecosystem, purpose-built to deliver resource-heavy encryption capabilities that remove friction and delays for end users. This ecosystem starts with F5 BIG-IP application delivery controllers (ADCs), which efficiently manage SSL traffic in a dedicated appliance. And because more SSL traffic means more keys and certificates, nCipher’s hardware security module (HSM) is deployed on premises or as a service alongside BIG-IP to protect and manage these components.


Figure: nCipher nShield Connect HSMs integrate with BIG-IP to protect SSL encryption/decryption keys and certificates in a high-security environment.

How it works

While BIG-IP operators can terminate SSL connections in a BIG-IP appliance, keys handled inside the cryptographic boundary of a certified HSM like nShield Connect are even less vulnerable to attack.

BIG-IP provides load balancing, performance acceleration, and security for hardware platforms or virtual instances to ensure applications are fast, secure, and available. SSL management and orchestration are among the many services enabled by BIG-IP.

F5 SSL Orchestrator makes sure encrypted traffic can be decrypted, inspected by security controls, then re-encrypted. This process delivers enhanced visibility so organizations can mitigate threats traversing their networks, strengthen next-generation firewalls (NGFW), and protect against malware, data loss, ransomware, and other inbound and outbound threats like exploitation, callback, and data exfiltration.

The nShield Connect HSM from nCipher works with BIG-IP systems to provide Federal Information Processing Standards (FIPS) and Common Criteria certified protection of SSL certificates and associated encryption/decryption keys. The nShield architecture includes a Remote File System (RFS) that stores and manages encrypted key files to support BIG-IP platforms. As a result, nCipher not only reduces the workload on BIG-IP systems but also increases overall security because keys handled inside the cryptographic boundary of a certified HSM are less vulnerable to attack.

Summary

Together, F5 and nCipher provide a complete SSL ecosystem that’s purpose-built to deliver resource-heavy encryption capabilities that remove friction for end users. Our joint solution increases overall security and improves regulatory compliance.

F5 and nCipher features

  • Together, BIG-IP and nShield Connect deliver high performance while securing valuable cryptographic material and supporting even the most demanding transaction rates.
  • nShield Connect secures keys and certificates in a dedicated, hardened device that creates carefully designed cryptographic boundaries ensuring:
    • Keys are only used for their authorized purpose.
    • Keys are always accessible when needed.
  • nShield Connect provides FIPS 140-2 Level 3 and Common Criteria EAL 4+ certified protection, which enables organizations to deliver a high security environment and comply with industry best practices.
  • nShield Connect is auditable and can help ensure regulatory compliance.
  • nCipher nShield can be deployed on premises or as a service.

For more information about the F5 and nCipher partnership and solution integration, visit F5 SSL Orchestrator.

Learn more:

nCipher Solution briefs & data sheets

F5 SSL Orchestrator
