F5 TLS & SSL Practices
Brian A. McHenry
Best practices and trends around SSL and TLS encryption.
1. SSL/TLS Trends, Practices, and Futures
Brian A. McHenry, Security Solutions Architect, bam@f5.com, @bamchenry
2. Agenda
© F5 Networks, Inc.
1. Global SSL Encryption Trends and Drivers
2. A Few "Best" Practices
3. Solutions
4. What's Next?
3. Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014
• Worldwide spending on information security will reach $71.1 billion in 2014
• Data loss prevention is the fastest-growing segment, at 18.9 percent
• By 2015, roughly 10% of overall IT security enterprise product capabilities will be delivered in the cloud
• Regulatory pressure will increase in Western Europe and Asia/Pacific from 2014
4. Trajectory and Growth of Encryption
Market amplifiers: IoE, e-commerce, privacy, mobility, Snowden
SSL growing ~30% annually. Entering the fifth wave of transition (IoE).
Customer trends:
• PFS/ECC demanded
• SSL Labs application scoring
Emerging standards:
• TLS 1.3, HTTP 2.0/SPDY
• RSA -> ECC
Thought leaders and influence:
• Google: SHA2, SPDY, search ranking by encryption
• Microsoft: PFS mandated
[Chart: millions of CA-issued certificates per year, 1998 to 2014. Source: Netcraft]
5. Timeline of SSL Vulnerabilities & Attacks
• August 2009: Insecure renegotiation vulnerability exposes all SSL stacks to man-in-the-middle plaintext injection (renegotiation was later also abused for CPU-exhaustion DoS)
• February 2010: RFC 5746, the TLS extension for secure renegotiation, quickly mainstreamed
• September 2011: BEAST & CRIME, client-side or man-in-the-browser attacks leveraging a chosen-plaintext flaw in TLS 1.0 CBC mode and a TLS compression flaw, respectively
• February 2013: Lucky 13, another timing attack on CBC padding
• March 2013: RC4 attacks, statistical biases in the RC4 keystream making plaintext recovery possible
• March 2013: TIME, a refinement and variation of CRIME
• April 2014: Heartbleed, the end of the Internet as we know it!
6. And the Hits Just Keep on Coming…
7. The Three Pillars of SSL Everywhere
SSL Intelligence and Visibility (Full Proxy), market-leading encryption:
• Optimized SSL in hardware and software
• Cipher diversity (RSA, ECC, DSA)
• SSL visibility: Proxy SSL & Forward Proxy
• SSL traffic intelligence: HSTS, HTTP 2.0/SPDY, OCSP Stapling, TLS Server Session Ticket
Hardware Security Modules, advanced HSM support:
• Highest-performing HSM options
• Virtualized low-bandwidth options
• Market-leading HSM vendor support
Enterprise Key & Certificate Management, fully automated:
• For all BIG-IP platforms
• For all vendor platforms
• 3rd-party integration for best-in-class key encryption: Venafi, Symantec/VeriSign
• PKI-supported environments
8. Data Protection: Microsoft and Google Expand Encryption
9. If You Thought Encryption Was Confusing… ECC, PFS and Curves
Not all curves are considered equal. Different authorities:
• US NIST (National Institute of Standards and Technology) with FIPS 186-2 (superseded in 2009 by FIPS 186-3)
• US ANSI (American National Standards Institute) with X9.62
• US NSA (National Security Agency) Suite B Cryptography for TOP SECRET information exchange
• International SECG (Standards for Efficient Cryptography Group) with Recommended Elliptic Curve Domain Parameters (SEC 2)
• German ECC Brainpool, with their strict security requirements
• ECC Interoperability Forum, composed of Certicom, Microsoft, Red Hat, Sun, NSA
10. If You Thought Encryption Was Confusing… ECC, PFS and Curves
Not all curves are considered equal. Different names for the same curve:
• secp256r1, prime256v1, NIST P-256
• secp384r1, NIST P-384
Different kinds of curves:
• ECC over a prime field (e.g. the NIST P curves)
• ECC over a binary field (e.g. Koblitz curves)
Other curves:
• Curve25519 (designed by Daniel J. Bernstein; adopted by Google, among others)
• Mumford (Microsoft)
• Brainpool
• Dual_EC_DRBG (an EC-based random number generator rather than a curve; NIST advised against its use in 2014)
11. Some SSL Best Practices
12. SSL: Not Just for Security
• Google has begun adjusting page rank based on SSL implementations
• F5 customers have third-party/B2B requirements for strong encryption
• SSL Labs' Pulse tool has made testing easy
• Users and businesses are choosing services based on Pulse grades
13. Achieving A+ Grades on SSLLabs.com
• Set the option for Secure Renegotiation to "Require"
• Disable SSLv2 and SSLv3 (DEFAULT in 11.5+)
• Use an explicit, strong cipher string, such as:
  !SSLv2:!EXPORT:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AES-GCM:RSA+AES:RSA+3DES:-MD5:-SSLv3:-RC4
  (The 3DES entries were a fallback for old clients when this deck was written; since the 2016 SWEET32 results, 64-bit block ciphers cost Labs points, so drop them where no such client remains.)
• Prefer Perfect Forward Secrecy (PFS), done by prioritizing ephemeral (DHE, ECDHE) ciphers in the string above
• Enable the TLS_FALLBACK_SCSV extension
• Enable HTTP Strict Transport Security (HSTS): via iRule prior to TMOS version 12.0, integrated into the HTTP profile from 12.0
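The slide gives the cipher string but not a way to verify what a server actually offers. The following is an added example (not F5 code) that takes an ordered suite list as a scanner reports it and checks the three things the slide asks for: no weak suites, ephemeral key exchange ranked first, and static RSA only as a fallback. It goes one step beyond the slide by also checking the preference order, and it can expand the recommended string through the local OpenSSL, which needs the assumed BIG-IP-to-OpenSSL translation in to_openssl (AES-GCM becomes AESGCM, protocol keywords move to the context's version floor). The function names and SAMPLE_SCAN are this example's own constructions.

```python
"""Audit a cipher preference list for the properties slide 13 asks for.

Added example, not F5 code. The BIG-IP cipher string is copied from the slide;
the OpenSSL translation and the SAMPLE_SCAN list are this example's own
assumptions.
"""
import ssl

# Cipher string exactly as recommended on the slide (BIG-IP syntax).
F5_RECOMMENDED = (
    "!SSLv2:!EXPORT:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES-GCM:DHE+AES:"
    "DHE+3DES:RSA+AES-GCM:RSA+AES:RSA+3DES:-MD5:-SSLv3:-RC4"
)

# BIG-IP treats these keywords as protocol-version selectors; OpenSSL's cipher
# grammar does not, so they are stripped and the floor is set on the context.
PROTOCOL_KEYWORDS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"}

# Substrings of OpenSSL suite names that SSL Labs (and this deck) treat as weak.
WEAK_MARKERS = {
    "RC4": "RC4 keystream biases (2013 attacks)",
    "MD5": "MD5-based MAC",
    "NULL": "no encryption or no authentication",
    "EXP": "export-grade key length",
    "ADH": "anonymous DH, no server authentication",
    "AECDH": "anonymous ECDH, no server authentication",
    "DES-CBC3": "3DES, 64-bit block (SWEET32, 2016)",
}


def to_openssl(f5_string: str) -> str:
    """Rewrite the BIG-IP string in OpenSSL cipher-list grammar (assumed mapping)."""
    out = []
    for token in f5_string.split(":"):
        if token.lstrip("!-") in PROTOCOL_KEYWORDS:
            continue                                   # version floor enforced separately
        out.append(token.replace("AES-GCM", "AESGCM"))  # OpenSSL keyword is AESGCM
    return ":".join(out)


def expand_with_local_openssl(openssl_string: str) -> list:
    """Let the local OpenSSL expand the string into the ordered suite list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv2/SSLv3 (nor TLS 1.0/1.1)
    ctx.set_ciphers(openssl_string)
    return [c["name"] for c in ctx.get_ciphers()]


def is_forward_secret(name: str) -> bool:
    # (EC)DHE suites in OpenSSL naming; every TLS 1.3 suite (TLS_...) is ephemeral.
    return name.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_"))


def audit(names: list) -> dict:
    """Check an ordered suite list: weak suites, PFS preference, static key exchange."""
    last_pfs = max((i for i, n in enumerate(names) if is_forward_secret(n)), default=-1)
    weak, out_of_order = [], []
    for i, n in enumerate(names):
        for marker, why in WEAK_MARKERS.items():
            if marker in n:
                weak.append(f"{n}: {why}")
        if not is_forward_secret(n) and i < last_pfs:
            out_of_order.append(n)        # a non-PFS suite ranked above a PFS one
    return {
        "weak": weak,
        "out_of_order": out_of_order,
        "has_pfs": last_pfs >= 0,
        # static-RSA suites belong only at the tail as fallbacks; TLS 1.3 removed them
        "static_kx": [n for n in names if not is_forward_secret(n)],
    }


# Constructed sample: the server-preferred order a scanner might report for a
# host that never cleaned up its defaults.
SAMPLE_SCAN = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "AES128-SHA",                  # static RSA ranked ahead of a PFS suite
    "DHE-RSA-AES256-GCM-SHA384",
    "DES-CBC3-SHA",
    "RC4-SHA",
]

if __name__ == "__main__":
    report = audit(SAMPLE_SCAN)
    for line in report["weak"] + [f"{n}: ranked above a PFS suite" for n in report["out_of_order"]]:
        print(line)
    print(audit(expand_with_local_openssl(to_openssl(F5_RECOMMENDED))))
```

Run it against the order a scanner reports for a virtual server; an empty "weak" list, an empty "out_of_order" list and a short "static_kx" tail are what the A+ configuration on the slide looks like.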
14. HTTP Strict Transport Security iRule
when RULE_INIT {
    # Fixed expiry date the max-age counts down to. The deck does not show this
    # block; the date is an illustrative assumption. Once it passes, max-age goes
    # negative, browsers ignore the header, and the date must be moved forward.
    set static::expires [clock scan 20200101]
}
when HTTP_RESPONSE {
    # max-age is the number of seconds remaining until the fixed expiry
    HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]; includeSubDomains"
}
15. New Feature: HTTP Strict Transport Security (AVAILABLE IN 12.0)
• RFC 6797
• HSTS is enabled by the "Strict-Transport-Security" HTTP header, e.g.:
  Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
• When received over HTTPS (the header is ignored over plain HTTP), browsers will:
  • Automatically convert HTTP references to HTTPS references
  • Disallow certificate exemptions (self-signed, etc.)
  • Cache HSTS information and reuse stored values for new sessions
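To see how a browser treats the header on this slide and the one the iRule emits, here is an added example (not F5 code) that parses a Strict-Transport-Security value under the RFC 6797 section 6.1 rules (case-insensitive directive names, quoted or bare max-age, duplicate directives invalidate the header, unknown directives are ignored, the header is ignored over plain HTTP) and then applies the checks an operator wants before submitting to the preload list. The one-year preload threshold is the hstspreload.org submission rule, an assumption about current policy rather than something the slide states; the 10886400 seconds (18 weeks) in the slide's example was the original minimum. parse_hsts and evaluate are this example's own names.

```python
"""Parse and evaluate a Strict-Transport-Security header as a browser would.

Added example following RFC 6797 section 6.1; not F5 code. PRELOAD_MIN_MAX_AGE
is the hstspreload.org submission rule (assumption), not part of the RFC.
"""
import re

PRELOAD_MIN_MAX_AGE = 31536000      # one year, hstspreload.org requirement (assumed)

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# directive-name [ "=" ( token / quoted-string ) ]
_DIRECTIVE = re.compile(rf'^\s*({_TOKEN})\s*(?:=\s*(?:"([^"]*)"|({_TOKEN})))?\s*$')


def parse_hsts(header_value: str, over_tls: bool = True):
    """Return {'max_age', 'include_subdomains', 'preload'} or None when the header
    must be ignored: bad syntax, duplicate directive, missing max-age, or received
    over plain HTTP (RFC 6797 section 8.1)."""
    if not over_tls:
        return None
    seen = set()
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        if raw.strip() == "":
            continue                                  # ABNF allows empty directives
        m = _DIRECTIVE.match(raw)
        if m is None:
            return None                               # syntax error: ignore whole header
        name = m.group(1).lower()                     # directive names are case-insensitive
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            return None                               # a directive MUST NOT appear twice
        seen.add(name)
        if name == "max-age":
            if value is None or re.fullmatch(r"[0-9]+", value) is None:
                return None                           # delta-seconds required
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is ignored, not fatal
    if policy["max_age"] is None:
        return None
    return policy


def evaluate(policy) -> list:
    """Operator checks on a parsed policy; returns a list of findings."""
    if policy is None:
        return ["header ignored by browsers"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 removes any cached policy")
    if policy["preload"]:
        if not policy["include_subdomains"]:
            findings.append("preload requires includeSubDomains")
        if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
            findings.append("preload requires max-age of at least one year")
    return findings


if __name__ == "__main__":
    # The header value from the slide, as a constructed input.
    for value in ("max-age=10886400; includeSubDomains; preload", "max-age=100; max-age=200"):
        policy = parse_hsts(value)
        print(value, "->", policy, evaluate(policy))
```

The second sample shows the failure mode that matters operationally: if a backend already sends its own HSTS header and the iRule inserts a second one, browsers see two Strict-Transport-Security fields and process only the first, so check the origin's response headers before enabling the iRule or the profile option.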
16. HTTP Strict Transport Security Configuration (HTTP Profile screen)
18. If I sound smart about crypto…
19. SSL Feature Availability
Feature                              TMOS
TLS 1.2                              10.2.3
ECC                                  11.4.0
PFS                                  11.4.0
SHA256 (SHA2)                        10.2.3
SPDY                                 11.2.0
HTTP 2.0*                            11.6.0
HSTS                                 iRules / 12.0
Secure Renegotiation (RFC 5746)      10.2.3
TLS_FALLBACK_SCSV                    11.5.0
Network HSM                          11.2.1
Onboard HSM                          Y
SNI                                  11.1.0
Hybrid Certificates (ECC & RSA)*     11.5.0
20. A Peek Under the Hood
21. Full Proxy Security
[Diagram: client-side and server-side stacks (Physical / Network / Session / Application / Web application) joined by the BIG-IP full proxy]
• L4 firewall: full stateful policy enforcement and TCP DDoS mitigation
• SSL inspection and SSL DDoS mitigation (Proxy SSL and SSL Forward Proxy for visibility)
• HTTP proxy, HTTP DDoS and application security (ASM, SWG)
• Application health monitoring and performance anomaly detection
22. BIG-IP Architecture – Proxy Chain
HUD chains are a series of filters which implement the configuration. The HUD chain is divided into two halves, client side and server side. Filters on HUD chains are usually arranged as client/server pairs. The two halves are joined by the "proxy".
[Diagram: Clients – TCP | SSL | HTTP | PROXY | HTTP | SSL | TCP – Data Center, on the BIG-IP platform]
Intelligent full proxy benefits:
• App "point of delivery & definition"
• App intelligence: layer 3-7 visibility
• Distinct client/server control
• Unified services/context
• Interoperability and gateway functions
23. BIG-IP Architecture – SSL Termination
Each SSL filter handles the connection to the device on its side of the proxy. Normally, the two SSL filters operate completely independently. Between the two filters, all data is available unencrypted. To fully offload the backend server, remove the server-side SSL filter.
[Diagram: the same proxy chain, Clients – TCP | SSL | HTTP | PROXY | HTTP | SSL | TCP – Data Center]
24. BIG-IP Architecture – Proxy SSL
Proxy SSL allows the client certificate to be presented to the server. Intermediary filters are disabled. SSL filters operate in monitor mode during the handshake. Post-handshake, SSL enables decryption and the other filters. Because the BIG-IP derives the session keys passively using the server's private key, this mode only works with static RSA key exchange, which is at odds with the PFS preference on slide 13.
[Diagram: the same proxy chain, Clients – TCP | SSL | HTTP | PROXY | HTTP | SSL | TCP – Data Center]
Proxy SSL benefits:
• Allows the server to perform client certificate authentication
• L7 content inspection after the handshake
• Certificate transparent to the end user
25. BIG-IP Architecture – Forward SSL
Forward SSL is used in forward proxy deployments. "Just in time" certificate creation is used to decrypt SSL connections. Enables policy-based inspection of secure content. Requires the ability to create certificates the clients trust (a subordinate CA whose issuer is installed in the client trust stores).
[Diagram: the same proxy chain, Clients – TCP | SSL | HTTP | PROXY | HTTP | SSL | TCP – Data Center]
Forward SSL Proxy benefits:
• Inspect secure traffic at the network edge
• Transparent to the end user
• Policy-based bypass by:
  • Source IP address
  • Destination IP address
  • Host name (SAN, CN, SNI)
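The bypass criteria on this slide are worth working through, because one of them is weaker than the others: SNI is chosen by the client and is not authenticated, while the certificate's SAN/CN are only known once the server has answered. The following is an added example (not F5 code; BypassPolicy, its rule format and the precedence order are this example's own design) of a decision function that applies source network, destination network and host-name rules in that order, grants an SNI-only bypass provisionally, and intercepts when the certificate the server presents does not match the name that earned the bypass.

```python
"""Policy-based SSL forward proxy bypass decision, as an added example.

Not F5 code: the rule syntax, precedence and the SNI-versus-certificate check
are this example's own design.
"""
import ipaddress


def _host_matches(pattern: str, host: str) -> bool:
    """'*.bank.example' matches bank.example and any name under it; otherwise exact."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


class BypassPolicy:
    def __init__(self, src_nets=(), dst_nets=(), host_patterns=()):
        self.src_nets = [ipaddress.ip_network(n) for n in src_nets]
        self.dst_nets = [ipaddress.ip_network(n) for n in dst_nets]
        self.host_patterns = list(host_patterns)

    def _host_listed(self, name: str) -> bool:
        return any(_host_matches(p, name) for p in self.host_patterns)

    def decide(self, src_ip, dst_ip, sni=None, cert_names=None):
        """Return (action, reason). cert_names=None means the server certificate
        has not been seen yet, i.e. the decision is taken on the ClientHello alone."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if any(src in n for n in self.src_nets):
            return "bypass", "source network"
        if any(dst in n for n in self.dst_nets):
            return "bypass", "destination network"
        sni_ok = sni is not None and self._host_listed(sni)
        if cert_names is None:
            # SNI is client-chosen and unauthenticated: a bypass granted here
            # must be re-checked once the certificate arrives.
            if sni_ok:
                return "bypass", "SNI, pending certificate check"
            return "intercept", "default"
        cert_ok = any(self._host_listed(n) for n in cert_names)
        if sni_ok and not cert_ok:
            return "intercept", "SNI on bypass list but certificate names are not"
        if cert_ok:
            return "bypass", "certificate SAN/CN"
        return "intercept", "default"


# Constructed policy: a management subnet, a partner range, and two categories of
# sites whose traffic must not be decrypted.
EXAMPLE_POLICY = BypassPolicy(
    src_nets=["10.0.0.0/8"],
    dst_nets=["192.0.2.0/24"],
    host_patterns=["*.bank.example", "health.example"],
)

if __name__ == "__main__":
    flows = [
        ("10.1.2.3", "203.0.113.5", None, None),
        ("172.16.0.5", "203.0.113.5", "login.bank.example", None),
        ("172.16.0.5", "203.0.113.5", "login.bank.example", ["attacker.example"]),
        ("172.16.0.5", "203.0.113.5", "www.example.org", ["www.example.org"]),
    ]
    for src, dst, sni, names in flows:
        print(src, dst, sni, names, "->", EXAMPLE_POLICY.decide(src, dst, sni, names))
```

The third flow is the case to test in any deployment: a client that puts a bypassed bank name in SNI but connects to a host presenting some other certificate should end up intercepted, not waved through on the strength of the SNI alone.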
26. What's Next?
27. New Feature: OCSP Stapling (AVAILABLE IN 11.6)
A quick primer on certificate revocation:
• If an SSL certificate is stolen or compromised, sites need a way to revoke the certificate so it will no longer be trusted. Revocation is handled by either CRL or OCSP.
• CRL: Certificate Revocation List
  • The browser retrieves the list of all revoked certificates from the CA.
  • The browser then parses the whole list looking for the certificate in question.
• OCSP: Online Certificate Status Protocol
  • The browser sends the certificate's identifier (issuer hashes and serial number) to the CA's responder for validation.
  • The responder answers that the certificate is good, revoked, or unknown.
• OCSP is more efficient than CRL, but there's room for improvement!
28. OCSP & CRL Checks Hurt Performance
• OCSP and CRL checks add significant overhead. Time per step for one page load:
  • DNS (1334 ms)
  • TCP handshake (240 ms)
  • SSL handshake (376 ms)
  • Follow certificate chain (1011 ms)
  • DNS to CA (300 ms) [revocation check overhead]
  • TCP to CA (407 ms) [revocation check overhead]
  • OCSP to CA #1 (598 ms) [revocation check overhead]
  • TCP to CA #2 (317 ms) [revocation check overhead]
  • OCSP to CA #2 (444 ms) [revocation check overhead]
  • Finish SSL handshake (1270 ms)
  Total: 6.3 seconds
• Add up the time for each step and you'll see that over 30% of the SSL overhead (the five CA round trips, about 2.1 of the 6.3 seconds) comes from checking whether the certificate has been revoked.
• These checks are serial and block downloads.
29. OCSP Stapling to the Rescue
• OCSP Stapling allows the server to attach the CA-signed OCSP response about its own certificate's validity to the TLS handshake. The response carries the CA's signature and a validity window, so the server must refresh it before it expires.
• Processing with OCSP stapling enabled:
  • DNS (1334 ms)
  • TCP handshake (240 ms)
  • SSL handshake (376 ms)
  • Follow certificate chain (1011 ms)
  • Process OCSP data (10 ms)
  • Finish SSL handshake (1270 ms)
  Total: 4.2 seconds
• OCSP Stapling also eliminates communication with a third party during certificate validation. This may be considered better security since it prevents information leakage: the CA no longer learns which clients visit which sites.
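What "attach the OCSP response to the handshake" looks like on the wire is defined by RFC 6066 section 8, and knowing the framing is how you confirm in a capture that a BIG-IP with this feature enabled is actually stapling. The following is an added example (not F5 code) that builds the client's status_request extension, detects it in a ClientHello's extension block, builds the server's CertificateStatus handshake message, and parses one back with the length checks a scanner or middlebox needs. The function names are this example's own; SAMPLE_OCSP_DER is a constructed five-byte placeholder (an OCSPResponse with status successful and no responseBytes), not a real CA-signed response.

```python
"""TLS framing for OCSP stapling (RFC 6066 section 8), as an added example.

Not F5 code. SAMPLE_OCSP_DER is a constructed placeholder, not a real staple.
"""
import struct

EXT_STATUS_REQUEST = 0x0005          # ClientHello extension type
STATUS_TYPE_OCSP = 1
HANDSHAKE_CERTIFICATE_STATUS = 22    # handshake message type carrying the staple


def build_status_request_extension() -> bytes:
    """Client side: status_request with empty responder_id_list and extensions."""
    body = bytes([STATUS_TYPE_OCSP]) + struct.pack("!HH", 0, 0)
    return struct.pack("!HH", EXT_STATUS_REQUEST, len(body)) + body


def parse_extensions(blob: bytes) -> dict:
    """Split a ClientHello extensions block (without its own length prefix)."""
    exts, i = {}, 0
    while i + 4 <= len(blob):
        etype, elen = struct.unpack("!HH", blob[i:i + 4])
        i += 4
        if i + elen > len(blob):
            raise ValueError("truncated extension")
        exts[etype] = blob[i:i + elen]
        i += elen
    if i != len(blob):
        raise ValueError("trailing bytes after extensions")
    return exts


def client_requests_ocsp(extensions_blob: bytes) -> bool:
    """True when the ClientHello asked for a stapled OCSP response."""
    data = parse_extensions(extensions_blob).get(EXT_STATUS_REQUEST)
    return data is not None and len(data) >= 5 and data[0] == STATUS_TYPE_OCSP


def build_certificate_status(ocsp_response_der: bytes) -> bytes:
    """Server side: CertificateStatus handshake message wrapping the DER response.
    A server without a fresh response must omit the message, never send an empty one."""
    if not ocsp_response_der:
        raise ValueError("OCSPResponse must be non-empty")
    body = bytes([STATUS_TYPE_OCSP]) + len(ocsp_response_der).to_bytes(3, "big") + ocsp_response_der
    return bytes([HANDSHAKE_CERTIFICATE_STATUS]) + len(body).to_bytes(3, "big") + body


def parse_certificate_status(msg: bytes) -> bytes:
    """Return the stapled DER OCSPResponse, rejecting malformed framing."""
    if len(msg) < 8 or msg[0] != HANDSHAKE_CERTIFICATE_STATUS:
        raise ValueError("not a CertificateStatus message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len or len(msg) != 4 + body_len:
        raise ValueError("handshake length mismatch")
    if body[0] != STATUS_TYPE_OCSP:
        raise ValueError("unsupported status type")
    resp_len = int.from_bytes(body[1:4], "big")
    resp = body[4:4 + resp_len]
    if resp_len == 0 or len(resp) != resp_len or len(body) != 4 + resp_len:
        raise ValueError("OCSPResponse length mismatch")
    return resp


# Constructed placeholder: DER for OCSPResponse { responseStatus successful(0) }
# with no responseBytes. A real staple is several hundred bytes and CA-signed.
SAMPLE_OCSP_DER = bytes.fromhex("30030a0100")

if __name__ == "__main__":
    hello_ext = build_status_request_extension()
    print("client status_request extension:", hello_ext.hex())
    if client_requests_ocsp(hello_ext):
        staple = build_certificate_status(SAMPLE_OCSP_DER)
        print("server CertificateStatus:", staple.hex())
        print("stapled DER:", parse_certificate_status(staple).hex())
```

The extension bytes 00 05 00 05 01 00 00 00 00 are what every modern browser sends, so their absence in a capture means the client never asked; a server that received them and still sends no CertificateStatus message is where the BIG-IP configuration on the next two slides comes in.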
30. OCSP Stapling Configuration: changes to "Proxy Pool" when "Use Proxy Server" is enabled (screenshot)
31. OCSP Stapling Configuration: profile location and assignment to the Client SSL profile (screenshot)
32. SSL Everywhere RA – Bringing It All Together
• SSL termination and inspection from BIG-IP® Local Traffic Manager™ (LTM)
• Hybrid cipher support for ECC and RSA ciphers
• SSL crypto-offload for additional SSL capacity
• Integration with network HSMs from SafeNet and Thales for key management
33. SSL Everywhere