Lightboard Lessons: The Problem Of TLS Visibility

Almost 90% of Internet traffic today is encrypted. Our F5 Labs team wrote a TLS Telemetry Report last year that outlines several Internet-related encryption statistics, and Google publishes a page with near-real-time statistics on encrypted traffic across the Internet. Both show a staggering amount of encryption in use today.

While encryption is a great benefit to securing web traffic, it also presents a problem for inspecting that traffic. Many organizations send traffic through security devices and services (firewalls, IPS, malware analysis and the like) to ensure they are not allowing malicious traffic into their network. Those devices can only inspect what they can read, so the traffic has to be decrypted before they see it. For inbound traffic that means the inspecting device needs the server's private key; for outbound traffic it has to sit in the middle and re-sign connections with a CA certificate the clients trust. Every device in the chain that decrypts and re-encrypts the stream spends CPU on the TLS work and adds latency. So on top of the inspection itself, organizations end up organizing and managing encryption keys across many devices while the user experience slows down. In this video, John outlines these issues and explains why they are a problem. Stay tuned for more follow-up content showing how F5 can help solve this problem. Enjoy!
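As an added example (not part of the original post and not F5 code), the script below shows concretely what an inline device can and cannot see when it does not hold the keys. The ClientHello is constructed inline as sample input rather than captured from a real client, and the "encrypted" application_data record is a fixed byte string standing in for ciphertext.

```python
"""Added example: what a security device learns from TLS without the keys.
The handshake is sent in the clear, so a ClientHello exposes the SNI hostname
and the offered cipher suites; the application_data records that carry the
actual HTTP request are opaque.  All input here is constructed for the demo."""

import struct

# TLS record content types and handshake type (RFC 5246; RFC 6066 for SNI)
CT_HANDSHAKE = 0x16
CT_APPLICATION_DATA = 0x17
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname, cipher_suites=(0xC02F, 0xC030, 0x1301)):
    """Build a minimal TLS 1.2 ClientHello record with a server_name extension.
    Fixed 'random' bytes keep the sample deterministic (constructed input)."""
    host = hostname.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(ext)) + ext
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + bytes(range(32))                           # random (constructed, fixed)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                # one compression method: null
        + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CT_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def encrypted_application_record(ciphertext=bytes.fromhex("9f1e4c72a8d30b55e61f")):
    """An application_data record as a tap sees it: only ciphertext (constructed)."""
    return bytes([CT_APPLICATION_DATA, 3, 3]) + struct.pack("!H", len(ciphertext)) + ciphertext


def parse_sni(edata):
    """Return the host_name from a server_name extension body, or None."""
    list_len = struct.unpack("!H", edata[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type, name_len = struct.unpack("!BH", edata[pos:pos + 3])
        pos += 3
        name = edata[pos:pos + name_len]
        pos += name_len
        if name_type == 0:
            return name.decode("ascii")
    return None


def inspect_record(record):
    """Parse one TLS record the way a passive device can: metadata only.
    A ClientHello yields SNI and cipher suites; anything else (in particular
    encrypted application_data) yields only content type and length."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("record length does not match payload")
    info = {"content_type": ctype, "record_version": (major, minor), "length": length,
            "plaintext_visible": False, "sni": None, "cipher_suites": []}
    if ctype != CT_HANDSHAKE or not payload or payload[0] != HS_CLIENT_HELLO:
        return info                        # without session keys there is nothing more to see
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    info["plaintext_visible"] = True
    pos = 2 + 32                           # skip client_version and random
    pos += 1 + body[pos]                   # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0]
                             for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                   # compression_methods
    if pos + 2 <= len(body):               # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SERVER_NAME:
                info["sni"] = parse_sni(body[pos:pos + elen])
            pos += elen
    return info


if __name__ == "__main__":
    print(inspect_record(build_client_hello("www.example.com")))
    print(inspect_record(encrypted_application_record()))
```

Run it and the first line shows the SNI and cipher suites recovered from the cleartext handshake, while the second shows that an application_data record gives up nothing but a content type and a length. Everything a security device actually wants (the URL, headers, body, a malware payload) requires terminating TLS: for inbound traffic the device needs the server's private key, for outbound it has to re-sign with a CA the clients trust, which is exactly the key-management burden described above. Note also that TLS 1.3 encrypts the server certificate and Encrypted Client Hello hides the SNI, so even this handshake metadata is shrinking over time.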

Published Nov 28, 2018
Version 1.0


5 Comments

  • Hi John,

    Nice introduction! You mentioned that another Lightboard Lesson is on the way. Not too hard to figure out it will be about SSLO :-)

    If I may ask you to include some info about these topics:

    1. Is it mandatory to use two separate physical interfaces for each L2 service?
    2. Is there a way to easily add AWAF/DDoS L7 policies if Inbound SSLO is configured?
    3. Is there a way to add APM pre-authentication in case of Inbound SSLO?
    4. What is the best practice to modify already configured Service Chains?
    5. When does it make sense to include any service in the Non Intercept Chain? As far as I understand the idea, traffic processed by this chain is not decrypted, so it does not seem to make sense to include any service here.

    Piotr


  • @Piotr...great questions! I'll be sure to address them. By the way, what version of SSLO are you running? I can talk through these with recent versions, but if you have an older version, maybe I can take that into account as well. Thanks!


  • Hi,

    Just played around with v4. I think v5 is not out yet? Heard that there are plenty of changes in how v5 is configured (more wizards).

    Piotr


  • @Piotr, I recorded the SSLO video, but time constraints didn't allow me to dig into all the details you asked about. That said, I wanted to post answers here so you would have them (and others could see as well).

    1. Is it mandatory to use two separate physical interfaces for each L2 service?
      • No, it's not necessary. It needs to be a different L2 network, though.
    2. Is there a way to easily add AWAF/DDoS L7 policies if Inbound SSLO is configured?
      • No, not currently within the SSLO managed UI interface.
    3. Is there a way to add APM pre-authentication in case of Inbound SSLO?
      • You cannot do that in any of the releases prior to 5.1 from the SSLO UI. In 5.0 you would have 2 options: First, deploy normally and then disable the “Protected/Unprotected” lock; then modify the policy per your use in Access -> Per Request Policy. Second, you can define the policy outside first and then use that as a security policy.
    4. What is the best practice to modify already configured Service Chains?
      • In 5.0 you just have to modify the definition of the service chain. Go to service chain, select the service chain that you want to edit and follow the hyperlink (name).
    5. When does it make sense to include any service in the Non Intercept Chain? As far as I understand the idea, traffic processed by this chain is not decrypted, so it does not seem to make sense to include any service here.
      • It could be just to record the traffic.

  • Hi John,

    Thanks a lot for the answers. Will check the SSLO video as well. Just one question, what do you mean by this:

    "Is it mandatory to use two separate physical interfaces for each L2 service? No, it's not necessary. It needs to be a different L2 network, though."

    How can I have a different L2 network using the same physical interfaces on BIG-IP?

    Piotr