SlideShare una empresa de Scribd logo

F5 TLS & SSL Practices

Brian A. McHenry
Brian A. McHenry

Best practices and trends around SSL and TLS encryption.

Tecnología
1 de 34
Descargar para leer sin conexión
SSL/TLS Trends, Practices, and Futures Brian A. McHenry, Security Solutions Architect bam@f5.com @bamchenry
© F5 Networks, Inc. 2 1. Global SSL Encryption Trends and Drivers 2. A Few “Best” Practices 3. Solutions 4. What’s Next? Agenda
© F5 Networks, Inc. 3 • Worldwide spending on information security will reach $71.1 billion in 2014 • Data loss prevention segment recording the fastest growth at 18.9 percent, • By 2015, roughly 10% of overall IT security enterprise product capabilities will be delivered in the cloud • Regulatory pressure will increase in Western Europe and Asia/Pacific from 2014 Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014
© F5 Networks, Inc. 4 IoEE-Commerce Privacy Mobility S n o w d e n Trajectory and Growth of Encryption Customer Trends: • PFS/ECC Demanded • SSL Labs Application Scoring Emerging Standards: • TLS 1.3, HTTP 2.0/SPDY • RSA -> ECC Thought Leaders and Influence: • Google: SHA2, SPDY, Search Ranking by Encryption • Microsoft: PFS Mandated MARKET AMPLIFIERS SSL growing ~30% annually. Entering the Fifth wave of transition (IoE) 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 1998 2002 2006 2010 2014 Source: Netcraft MillionsofCertificates(CA) Years
© F5 Networks, Inc. 5 Timeline of SSL Vulnerabilities & Attacks February 2010 September 2011 February 2013 March 2013 March 2013 … April 2014 RC4 Attacks Weakness in CBC cipher making plaintext guessing possible BEAST & CRIME Client-sideor MITB attacks leveraging a chosen-plaintext flaw in TLS 1.0 and TLS compression flaws RFC 5746 TLS extension for secure renegotiation quickly mainstreamed Lucky 13 Another timing attack. August 2009 August 2009 Insecure renegotiation vulnerability exposes all SSL stacks to DoS attack TIME A refinement and variation of CRIME Heartbleed The end of the Internet as we know it!
© F5 Networks, Inc. 6 And the Hits Just Keep on Coming…
© F5 Networks, Inc. 7 SSL  Intelligence  and   Visibility  (Full  Proxy) Enterprise  key  &  Certificate   Management   Advance  HSM  Support: • Highest  Performing   HSM   options • Virtualized   low-­‐bandwidth   options • Market  Leading  HSM   Vendor   Support   Market  Leading  Encryption:   • Optimized   SSL  in  Hardware   and  Software • Cipher  Diversity  (RSA,  ECC,   DSA) • SSL  Visibility:   Proxy  SSL  &   Forward  Proxy • SSL  Traffic  Intelligence: • HSTS,  HTTP  2.0/SPDY,   OCSP  Stapling,   TLS     Server  Session  Ticket Fully  Automated   Key  and   Certificate  Management:     • For  all  BIG-­‐IP  platforms • For  all  vendor   platforms • 3rd Party  Integration  for  best-­‐ in-­‐class  key  encryption:   Venafi,   Symantec/  VeriSign • PKI  Supported   Environments The Three Pillars of SSL Everywhere Hardware  Security  Modules  
© F5 Networks, Inc. 8 Data Protection:Microsoft and Google Expands Encryption
© F5 Networks, Inc. 9 Not all curves are considered equal Different Authorities: • US NIST (US National Institute of Standards) with 186-2 (recently superseded in 2009 by the new186-3) • US ANSI (American National Standard Institute) with X9.62 • US NSA (National Security Agency) Suite-B Cryptography for TOP SECRET information exchange • International SACG (Standards for efficient cryptography group) with Recommended Elliptic Curve Domain Parameters • German ECC Brainpool withECC Brainpool with their Strict Security Requirements • ECC Interoperability Forum composed by Certicom, Microsoft, Redhat, Sun, NSA If You Thought Encryption was confusing… ECC, PFS and Curves
© F5 Networks, Inc. 10 Not all curves are considered equal Different Names: • Secp256r1, Prime256v1, NIST P-256 • Secp384r1, NIST-P384 Different Kinds of Curves: • ECC over Prime Field (Elliptic Curve) • ECC over Binary Field (Koblitz Curve) Other Curves: • Curve25519 (Google) • Mumford (Microsoft) • Brainpool • DUAL_EC_RBNG If You Thought Encryption was confusing… ECC, PFS and Curves
Some SSL Best Practices
© F5 Networks, Inc. 12 • Google has begun adjusting page rank based on SSL implementations • F5 customers have third-party/B2B requirements for strong encryption • SSL Labs’ Pulse tool has made testing easy • Users and businesses are choosing services based on Pulse grades SSL: Not Just for Security
© F5 Networks, Inc. 13 • Set the option for Secure Renegotiation to “Require” • Disable SSLv2 and SSLv3 (DEFAULT in 11.5+) • Use an explicit, strong cipher string, such as: • !SSLv2:!EXPORT:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES- GCM:DHE+AES:DHE+3DES:RSA+AES-GCM:RSA+AES:RSA+3DES:-MD5:-SSLv3:-RC4 • Prefer Perfect Forward Secrecy (PFS) • Done via prioritizing Ephemeral (DHE, ECDHE) ciphers in the string above • Enable TLS_FALLBACK_SCSV extension • Enable HTTP Strict Transport Security (HSTS) • iRule prior to TMOS version 12.0 • Integrated into HTTP profile in next release Achieving A+ Grades on SSLLabs.com
© F5 Networks, Inc. 14 HTTP Strict Transport Security iRule when HTTP_RESPONSE { HTTP::header insert Strict-Transport-Security "max- age=[expr {$static::expires - [clock seconds]}]; includeSubDomains” }
© F5 Networks, Inc. 15 • RFC 6797 • HSTS is enabled by the “Strict-Transport-Security” HTTP header e.g.: Strict-Transport-Security: max-age=10886400; includeSubDomains; preload • When received, browsers will: • Automatically convert HTTP references to HTTPS references • Disallow certificate exemptions (self-signed, etc.) • Cache HSTS information and reuse stored values for new sessions New Feature: HTTP Strict Transport Security AVAILABLE IN 12.0
© F5 Networks, Inc. 16 HTTP Strict Transport Security Configuration HTTP Profile Screen
© F5 Networks, Inc. 17
© F5 Networks, Inc. 18 If I sound smart about crypto…
© F5 Networks, Inc. 19 SSL Feature Availability Feature TMOS TLS 1.2 10.2.3 ECC 11.4.0 PFS 11.4.0 SHA256 (SHA2) 10.2.3 SPDY 11.2.0 HTTP 2.0* 11.6.0 HSTS iRules/12.0 Feature TMOS Secure Renegotiation (RFC 5746) 10.2.3 TLS_FALLBACK_SCSV 11.5.0 Network HSM 11.2.1 Onboard HSM Y SNI 11.1.0 Hybrid Certificates (ECC & RSA)* 11.5.0
A Peek Under the Hood
© F5 Networks, Inc. 21 Network Session Application Web  application Physical Client  /  Server L4  Firewall:  Full  stateful  policy  enforcement  and  TCP  DDoS  mitigation SSL  inspection   and  SSL  DDoS  mitigation HTTP  proxy,  HTTP  DDoS  and  application  security Application   health  monitoring  and  performance  anomaly  detection Network Session Application Web  application Physical Client  /  Server Full Proxy Security Proxy  SSL  (Visibility) ASM SSL  Forward  Proxy   (Visibility) SWG
© F5 Networks, Inc. 22 Proxy Chain HUD chains are a series of filters which implement the configuration. The HUD chain is divided into two halves, client and server side. Filters on HUD chains usually are arranged as client/server pairs. The two halves are joined by the “proxy”. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • App “point of delivery & definition” • App Intelligence - layer 3- 7 visibility • Distinct client / server control • Unified services / context • Interoperability and gateway functions Intelligent Full Proxy Benefits BIG-IP Architecture – Proxy Chain
© F5 Networks, Inc. 23 Proxy Chain Each SSL filter handles connection to device on their side of the proxy. Normally, the two SSL filters operate completely independently. Between the two filters, all data is available unencrypted. To fully offload the backend server, remove the server side SSL filter. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • App “point of delivery & definition” • App Intelligence - layer 3- 7 visibility • Distinct client / server control • Unified services / context • Interoperability and gateway functions Intelligent Full Proxy Benefits BIG-IP Architecture – SSL Termination
© F5 Networks, Inc. 24 Data Center Proxy Chain Proxy SSL allows the client certificate to be presented to the server. Intermediary filters are disabled. SSL filters operate in monitor mode during the handshake. Post-handshake, SSL enables decryption and other filters. BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • Allows server to perform client cert auth • L7 content inspection after handshake • Certificate transparent to end user Intelligent Full Proxy Benefits BIG-IP Architecture – Proxy SSL
© F5 Networks, Inc. 25 Proxy Chain Forward SSL is used in Forward Proxy deployments. “Just in time” certificate creation is used to decrypt SSL connections. Enables policy based inspection of secure content. Requires the ability to create trusted certificates to work. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • Inspect secure traffic at network edge • Transparent to the end user • Policy based bypass by: • Source IP Address • Destination IP Address • Host Name (SAN,CN,SNI) Forward SSL Proxy Benefits BIG-IP Architecture – Forward SSL
What’s Next?
© F5 Networks, Inc. 27 A Quick Primer on Certificate Revocation • If a SSL certificate is stolen or compromised, sites need a way to revoke the certificate so it will no longer be trusted. Revocation is handled by either CRL or OCSP. • CRL: Certificate Revocation List • The browser retrieves the list of all revoked certificates from the CA. • The browser then parses the whole list looking for the certificate in question. • OCSP: Online Certificate Status Protocol • The browser sends the certificate to the CA for validation. • The CA responds that the certificate is good, revoked, or unknown. • OCSP is more efficient than CRL, but there’s room for improvement! New Feature: OCSP Stapling AVAILABLE IN 11.6
© F5 Networks, Inc. 28 • OCSP and CRL checks add significant overhead: •DNS (1334ms) •TCP handshake (240ms) •SSL handshake (376ms) •Follow certificate chain (1011ms) •DNS to CA (300ms) •TCP to CA (407ms) •OCSP to CA #1 (598ms) •TCP to CA #2 (317ms) •OCSP to CA #2 (444ms) •Finish SSL handshake (1270ms) < T O TA L : 6 . 3 S e c o n d s > • Add up the time for each step and you'll see that over 30% of the SSL overhead comes from checking whether the certificate has been revoked. • These checks are serial and block downloads. OCSP & CRL Checks Hurt Performance This portion is revocation check overhead.
© F5 Networks, Inc. 29 • OCSP Stapling allows the server to attach CA signed information regarding the certificates validity. • Processing with OCSP enabled: •DNS (1334ms) •TCP handshake (240ms) •SSL handshake (376ms) •Follow certificate chain (1011ms) •Process OCSP Data (10ms) •Finish SSL handshake (1270ms) < T O TA L : 4 . 2 S e c o n d s > O C S P S t a p l i n g a l s o e l i m i n a t e s c o m m u n i c a t i o n w i t h a t h i r d p a r t y d u r i n g c e r t i f i c a t e v a l i d a t i o n . T h i s m a y b e c o n s i d e r e d b e t t e r s e c u r i t y s i n c e i t p r e v e n t s i n f o r m a t i o n l e a k a g e . OCSP Stapling to the Rescue
© F5 Networks, Inc. 30 OCSP Stapling Configuration Changes to ‘Proxy Pool’ when ‘Use Proxy Server’ is enabled
© F5 Networks, Inc. 31 OCSP Stapling Configuration Profile Location Assignment to Client SSL Profile
© F5 Networks, Inc. 32 • SSL termination and inspection from BIG-IP® Local Traffic Manager™ (LTM) • Hybrid cipher support for ECC and RSA ciphers • SSL crypto-offload for additional SSL capacity • Integration with network HSMs from SafeNet and Thales for key management SSL Everywhere RA – Bringing it all Together
© F5 Networks, Inc. 33 SSL Everywhere
F5 TLS & SSL Practices

Recomendados

F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introductionJimmy Saigon
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices Lior Rotkovitch
 
F5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsF5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsDenis Kolegov
 
F5 DDoS Protection
F5 DDoS ProtectionF5 DDoS Protection
F5 DDoS ProtectionMarketingArrowECS_CZ
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityMarketingArrowECS_CZ
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanLior Rotkovitch
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection Lior Rotkovitch
 
NEW LAUNCH! AWS Shield—A Managed DDoS Protection Service
NEW LAUNCH! AWS Shield—A Managed DDoS Protection ServiceNEW LAUNCH! AWS Shield—A Managed DDoS Protection Service
NEW LAUNCH! AWS Shield—A Managed DDoS Protection ServiceAmazon Web Services
 

Recomendados

F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introductionJimmy Saigon
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices Lior Rotkovitch
 
F5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsF5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsDenis Kolegov
 
F5 DDoS Protection
F5 DDoS ProtectionF5 DDoS Protection
F5 DDoS ProtectionMarketingArrowECS_CZ
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityMarketingArrowECS_CZ
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanLior Rotkovitch
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection Lior Rotkovitch
 
NEW LAUNCH! AWS Shield—A Managed DDoS Protection Service
NEW LAUNCH! AWS Shield—A Managed DDoS Protection ServiceNEW LAUNCH! AWS Shield—A Managed DDoS Protection Service
NEW LAUNCH! AWS Shield—A Managed DDoS Protection ServiceAmazon Web Services
 
Presentation fortinet securing the cloud
Presentation fortinet securing the cloudPresentation fortinet securing the cloud
Presentation fortinet securing the cloudxKinAnx
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application SecurityMarketingArrowECS_CZ
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets ManagerAmazon Web Services
 
XG Firewall
XG FirewallXG Firewall
XG FirewallDeServ - Tecnologia e Servços
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
The WAF book (Web App Firewall )
The WAF book (Web App Firewall )The WAF book (Web App Firewall )
The WAF book (Web App Firewall )Lior Rotkovitch
 
Automatically Renew Certificated In Your Kubernetes Cluster
Automatically Renew Certificated In Your Kubernetes ClusterAutomatically Renew Certificated In Your Kubernetes Cluster
Automatically Renew Certificated In Your Kubernetes ClusterHungWei Chiu
 
How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...
How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...
How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...Amazon Web Services
 
Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Privileged Access Management - Unsticking Your PAM Program - CIS 2015Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Privileged Access Management - Unsticking Your PAM Program - CIS 2015Lance Peterman
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account securityRaleigh ISSA
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)danb02
 
Practical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSPractical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSAmazon Web Services
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:Anton Chuvakin
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Security
 
Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerAmazon Web Services
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksDeep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksAmazon Web Services
 
Security Best Practices on AWS
Security Best Practices on AWSSecurity Best Practices on AWS
Security Best Practices on AWSAmazon Web Services
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXCisco Canada
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficShain Singh
 

Más contenido relacionado

La actualidad más candente

Presentation fortinet securing the cloud
Presentation fortinet securing the cloudPresentation fortinet securing the cloud
Presentation fortinet securing the cloudxKinAnx
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
The WAF book (Web App Firewall )
The WAF book (Web App Firewall )The WAF book (Web App Firewall )
The WAF book (Web App Firewall )Lior Rotkovitch
 
Automatically Renew Certificated In Your Kubernetes Cluster
Automatically Renew Certificated In Your Kubernetes ClusterAutomatically Renew Certificated In Your Kubernetes Cluster
Automatically Renew Certificated In Your Kubernetes ClusterHungWei Chiu
 
How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...
How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...
How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...Amazon Web Services
 
Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Privileged Access Management - Unsticking Your PAM Program - CIS 2015Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Privileged Access Management - Unsticking Your PAM Program - CIS 2015Lance Peterman
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account securityRaleigh ISSA
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)danb02
 
Practical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSPractical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSAmazon Web Services
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Security
 
Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerAmazon Web Services
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksDeep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksAmazon Web Services
 

La actualidad más candente (20)

Presentation fortinet securing the cloud
Presentation fortinet securing the cloudPresentation fortinet securing the cloud
Presentation fortinet securing the cloud
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application Security
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets Manager
 
XG Firewall
XG FirewallXG Firewall
XG Firewall
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
The WAF book (Web App Firewall )
The WAF book (Web App Firewall )The WAF book (Web App Firewall )
The WAF book (Web App Firewall )
 
Automatically Renew Certificated In Your Kubernetes Cluster
Automatically Renew Certificated In Your Kubernetes ClusterAutomatically Renew Certificated In Your Kubernetes Cluster
Automatically Renew Certificated In Your Kubernetes Cluster
 
How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...
How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...
How to Enable Single Sign On to Multiple AWS Accounts and Business Applicatio...
 
Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Privileged Access Management - Unsticking Your PAM Program - CIS 2015Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Privileged Access Management - Unsticking Your PAM Program - CIS 2015
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account security
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
 
Practical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSPractical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWS
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security Overview
 
Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets Manager
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksDeep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
 
Security Best Practices on AWS
Security Best Practices on AWSSecurity Best Practices on AWS
Security Best Practices on AWS
 

Similar a F5 TLS & SSL Practices

Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXCisco Canada
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficShain Singh
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitToni de la Fuente
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebCASCouncil
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Arnaud Le Hors
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL ProcessRocket Software
 
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastrukturyPlnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastrukturyPROIDEA
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...OnBoard Security, Inc. - a Qualcomm Company
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentKurtis Kemple
 
F5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 RoadshowF5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 Roadshowpatmisasi
 
Cisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna centerCisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna centerCisco Canada
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & ComplianceAmazon Web Services
 
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Meghan Weinreich
 
F5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric SecurityF5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric SecurityTzoori Tamam
 
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini SummitF5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summitkimw001
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsHoneywell
 
Mastering the move
Mastering the moveMastering the move
Mastering the moveTrivadis
 
Purpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White PaperPurpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White Paper Array Networks
 

Similar a F5 TLS & SSL Practices (20)

Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern Traffic
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
NetScaler 11 Update
NetScaler 11 UpdateNetScaler 11 Update
NetScaler 11 Update
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL Process
 
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastrukturyPlnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your Environment
 
F5 TMOS v13.0
F5 TMOS v13.0F5 TMOS v13.0
F5 TMOS v13.0
 
F5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 RoadshowF5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 Roadshow
 
Cisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna centerCisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna center
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
 
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
 
F5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric SecurityF5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric Security
 
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini SummitF5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
 
Mastering the move
Mastering the moveMastering the move
Mastering the move
 
Purpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White PaperPurpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White Paper
 

Último

Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 

Último (20)

Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

F5 TLS & SSL Practices

  • 1. SSL/TLS Trends, Practices, and Futures Brian A. McHenry, Security Solutions Architect bam@f5.com @bamchenry
  • 2. © F5 Networks, Inc. 2 1. Global SSL Encryption Trends and Drivers 2. A Few “Best” Practices 3. Solutions 4. What’s Next? Agenda
  • 3. © F5 Networks, Inc. 3 • Worldwide spending on information security will reach $71.1 billion in 2014 • Data loss prevention segment recording the fastest growth at 18.9 percent, • By 2015, roughly 10% of overall IT security enterprise product capabilities will be delivered in the cloud • Regulatory pressure will increase in Western Europe and Asia/Pacific from 2014 Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014
  • 4. © F5 Networks, Inc. 4 IoEE-Commerce Privacy Mobility S n o w d e n Trajectory and Growth of Encryption Customer Trends: • PFS/ECC Demanded • SSL Labs Application Scoring Emerging Standards: • TLS 1.3, HTTP 2.0/SPDY • RSA -> ECC Thought Leaders and Influence: • Google: SHA2, SPDY, Search Ranking by Encryption • Microsoft: PFS Mandated MARKET AMPLIFIERS SSL growing ~30% annually. Entering the Fifth wave of transition (IoE) 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 1998 2002 2006 2010 2014 Source: Netcraft MillionsofCertificates(CA) Years
  • 5. © F5 Networks, Inc. 5 Timeline of SSL Vulnerabilities & Attacks February 2010 September 2011 February 2013 March 2013 March 2013 … April 2014 RC4 Attacks Weakness in CBC cipher making plaintext guessing possible BEAST & CRIME Client-sideor MITB attacks leveraging a chosen-plaintext flaw in TLS 1.0 and TLS compression flaws RFC 5746 TLS extension for secure renegotiation quickly mainstreamed Lucky 13 Another timing attack. August 2009 August 2009 Insecure renegotiation vulnerability exposes all SSL stacks to DoS attack TIME A refinement and variation of CRIME Heartbleed The end of the Internet as we know it!
  • 6. © F5 Networks, Inc. 6 And the Hits Just Keep on Coming…
  • 7. © F5 Networks, Inc. 7 SSL  Intelligence  and   Visibility  (Full  Proxy) Enterprise  key  &  Certificate   Management   Advance  HSM  Support: • Highest  Performing   HSM   options • Virtualized   low-­‐bandwidth   options • Market  Leading  HSM   Vendor   Support   Market  Leading  Encryption:   • Optimized   SSL  in  Hardware   and  Software • Cipher  Diversity  (RSA,  ECC,   DSA) • SSL  Visibility:   Proxy  SSL  &   Forward  Proxy • SSL  Traffic  Intelligence: • HSTS,  HTTP  2.0/SPDY,   OCSP  Stapling,   TLS     Server  Session  Ticket Fully  Automated   Key  and   Certificate  Management:     • For  all  BIG-­‐IP  platforms • For  all  vendor   platforms • 3rd Party  Integration  for  best-­‐ in-­‐class  key  encryption:   Venafi,   Symantec/  VeriSign • PKI  Supported   Environments The Three Pillars of SSL Everywhere Hardware  Security  Modules  
  • 8. © F5 Networks, Inc. 8 Data Protection:Microsoft and Google Expands Encryption
  • 9. © F5 Networks, Inc. 9 Not all curves are considered equal Different Authorities: • US NIST (US National Institute of Standards) with 186-2 (recently superseded in 2009 by the new186-3) • US ANSI (American National Standard Institute) with X9.62 • US NSA (National Security Agency) Suite-B Cryptography for TOP SECRET information exchange • International SACG (Standards for efficient cryptography group) with Recommended Elliptic Curve Domain Parameters • German ECC Brainpool withECC Brainpool with their Strict Security Requirements • ECC Interoperability Forum composed by Certicom, Microsoft, Redhat, Sun, NSA If You Thought Encryption was confusing… ECC, PFS and Curves
  • 10. © F5 Networks, Inc. 10 Not all curves are considered equal Different Names: • Secp256r1, Prime256v1, NIST P-256 • Secp384r1, NIST-P384 Different Kinds of Curves: • ECC over Prime Field (Elliptic Curve) • ECC over Binary Field (Koblitz Curve) Other Curves: • Curve25519 (Google) • Mumford (Microsoft) • Brainpool • DUAL_EC_RBNG If You Thought Encryption was confusing… ECC, PFS and Curves
  • 11. Some SSL Best Practices
  • 12. © F5 Networks, Inc. 12 • Google has begun adjusting page rank based on SSL implementations • F5 customers have third-party/B2B requirements for strong encryption • SSL Labs’ Pulse tool has made testing easy • Users and businesses are choosing services based on Pulse grades SSL: Not Just for Security
  • 13. © F5 Networks, Inc. 13 • Set the option for Secure Renegotiation to “Require” • Disable SSLv2 and SSLv3 (DEFAULT in 11.5+) • Use an explicit, strong cipher string, such as: • !SSLv2:!EXPORT:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES- GCM:DHE+AES:DHE+3DES:RSA+AES-GCM:RSA+AES:RSA+3DES:-MD5:-SSLv3:-RC4 • Prefer Perfect Forward Secrecy (PFS) • Done via prioritizing Ephemeral (DHE, ECDHE) ciphers in the string above • Enable TLS_FALLBACK_SCSV extension • Enable HTTP Strict Transport Security (HSTS) • iRule prior to TMOS version 12.0 • Integrated into HTTP profile in next release Achieving A+ Grades on SSLLabs.com
  • 14. © F5 Networks, Inc. 14 HTTP Strict Transport Security iRule when HTTP_RESPONSE { HTTP::header insert Strict-Transport-Security "max- age=[expr {$static::expires - [clock seconds]}]; includeSubDomains” }
  • 15. © F5 Networks, Inc. 15 • RFC 6797 • HSTS is enabled by the “Strict-Transport-Security” HTTP header e.g.: Strict-Transport-Security: max-age=10886400; includeSubDomains; preload • When received, browsers will: • Automatically convert HTTP references to HTTPS references • Disallow certificate exemptions (self-signed, etc.) • Cache HSTS information and reuse stored values for new sessions New Feature: HTTP Strict Transport Security AVAILABLE IN 12.0
  • 16. © F5 Networks, Inc. 16 HTTP Strict Transport Security Configuration HTTP Profile Screen
  • 17. © F5 Networks, Inc. 17
  • 18. © F5 Networks, Inc. 18 If I sound smart about crypto…
  • 19. © F5 Networks, Inc. 19 SSL Feature Availability Feature TMOS TLS 1.2 10.2.3 ECC 11.4.0 PFS 11.4.0 SHA256 (SHA2) 10.2.3 SPDY 11.2.0 HTTP 2.0* 11.6.0 HSTS iRules/12.0 Feature TMOS Secure Renegotiation (RFC 5746) 10.2.3 TLS_FALLBACK_SCSV 11.5.0 Network HSM 11.2.1 Onboard HSM Y SNI 11.1.0 Hybrid Certificates (ECC & RSA)* 11.5.0
  • 20. A Peek Under the Hood
  • 21. © F5 Networks, Inc. 21 Network Session Application Web  application Physical Client  /  Server L4  Firewall:  Full  stateful  policy  enforcement  and  TCP  DDoS  mitigation SSL  inspection   and  SSL  DDoS  mitigation HTTP  proxy,  HTTP  DDoS  and  application  security Application   health  monitoring  and  performance  anomaly  detection Network Session Application Web  application Physical Client  /  Server Full Proxy Security Proxy  SSL  (Visibility) ASM SSL  Forward  Proxy   (Visibility) SWG
  • 22. © F5 Networks, Inc. 22 Proxy Chain HUD chains are a series of filters which implement the configuration. The HUD chain is divided into two halves, client and server side. Filters on HUD chains usually are arranged as client/server pairs. The two halves are joined by the “proxy”. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • App “point of delivery & definition” • App Intelligence - layer 3- 7 visibility • Distinct client / server control • Unified services / context • Interoperability and gateway functions Intelligent Full Proxy Benefits BIG-IP Architecture – Proxy Chain
  • 23. © F5 Networks, Inc. 23 Proxy Chain Each SSL filter handles connection to device on their side of the proxy. Normally, the two SSL filters operate completely independently. Between the two filters, all data is available unencrypted. To fully offload the backend server, remove the server side SSL filter. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • App “point of delivery & definition” • App Intelligence - layer 3- 7 visibility • Distinct client / server control • Unified services / context • Interoperability and gateway functions Intelligent Full Proxy Benefits BIG-IP Architecture – SSL Termination
  • 24. © F5 Networks, Inc. 24 Data Center Proxy Chain Proxy SSL allows the client certificate to be presented to the server. Intermediary filters are disabled. SSL filters operate in monitor mode during the handshake. Post-handshake, SSL enables decryption and other filters. BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • Allows server to perform client cert auth • L7 content inspection after handshake • Certificate transparent to end user Intelligent Full Proxy Benefits BIG-IP Architecture – Proxy SSL
  • 25. © F5 Networks, Inc. 25 Proxy Chain Forward SSL is used in Forward Proxy deployments. “Just in time” certificate creation is used to decrypt SSL connections. Enables policy based inspection of secure content. Requires the ability to create trusted certificates to work. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • Inspect secure traffic at network edge • Transparent to the end user • Policy based bypass by: • Source IP Address • Destination IP Address • Host Name (SAN,CN,SNI) Forward SSL Proxy Benefits BIG-IP Architecture – Forward SSL
  • 27. © F5 Networks, Inc. 27 A Quick Primer on Certificate Revocation • If a SSL certificate is stolen or compromised, sites need a way to revoke the certificate so it will no longer be trusted. Revocation is handled by either CRL or OCSP. • CRL: Certificate Revocation List • The browser retrieves the list of all revoked certificates from the CA. • The browser then parses the whole list looking for the certificate in question. • OCSP: Online Certificate Status Protocol • The browser sends the certificate to the CA for validation. • The CA responds that the certificate is good, revoked, or unknown. • OCSP is more efficient than CRL, but there’s room for improvement! New Feature: OCSP Stapling AVAILABLE IN 11.6
  • 28. © F5 Networks, Inc. 28 • OCSP and CRL checks add significant overhead: •DNS (1334ms) •TCP handshake (240ms) •SSL handshake (376ms) •Follow certificate chain (1011ms) •DNS to CA (300ms) •TCP to CA (407ms) •OCSP to CA #1 (598ms) •TCP to CA #2 (317ms) •OCSP to CA #2 (444ms) •Finish SSL handshake (1270ms) < T O TA L : 6 . 3 S e c o n d s > • Add up the time for each step and you'll see that over 30% of the SSL overhead comes from checking whether the certificate has been revoked. • These checks are serial and block downloads. OCSP & CRL Checks Hurt Performance This portion is revocation check overhead.
  • 29. © F5 Networks, Inc. 29 • OCSP Stapling allows the server to attach CA signed information regarding the certificates validity. • Processing with OCSP enabled: •DNS (1334ms) •TCP handshake (240ms) •SSL handshake (376ms) •Follow certificate chain (1011ms) •Process OCSP Data (10ms) •Finish SSL handshake (1270ms) < T O TA L : 4 . 2 S e c o n d s > O C S P S t a p l i n g a l s o e l i m i n a t e s c o m m u n i c a t i o n w i t h a t h i r d p a r t y d u r i n g c e r t i f i c a t e v a l i d a t i o n . T h i s m a y b e c o n s i d e r e d b e t t e r s e c u r i t y s i n c e i t p r e v e n t s i n f o r m a t i o n l e a k a g e . OCSP Stapling to the Rescue
  • 30. © F5 Networks, Inc. 30 OCSP Stapling Configuration Changes to ‘Proxy Pool’ when ‘Use Proxy Server’ is enabled
  • 31. © F5 Networks, Inc. 31 OCSP Stapling Configuration Profile Location Assignment to Client SSL Profile
  • 32. © F5 Networks, Inc. 32 • SSL termination and inspection from BIG-IP® Local Traffic Manager™ (LTM) • Hybrid cipher support for ECC and RSA ciphers • SSL crypto-offload for additional SSL capacity • Integration with network HSMs from SafeNet and Thales for key management SSL Everywhere RA – Bringing it all Together
  • 33. © F5 Networks, Inc. 33 SSL Everywhere