Blind Spots

It is nearly impossible to defend against an attack you cannot see.

Increased adoption of TLS/SSL is helping organizations secure IP communications between users and web services through encryption. But increased use of encryption also creates challenges for devices in the security stack, such as FireEye NX, which cannot inspect encrypted traffic for hidden threats. When encrypted communications cannot be seen as clear text, they are passed through without inspection and become security blind spots. This creates serious risk for businesses, which face the very real concern that attackers could hide malware inside encrypted traffic.

Fortunately, solving this problem is a matter of decrypting SSL traffic and sending the unencrypted data to additional security devices for inspection. Some security devices today do support SSL decryption natively—but at a cost: decryption and re-encryption, especially with 2048-bit keys, demand a lot of computing resources and can severely degrade the performance of these devices.

An integrated solution from F5 Networks and FireEye solves this challenge by centralizing SSL inspection across the security stack. The joint solution uses a dedicated F5 SSL Orchestrator to decrypt and route traffic before inspection by FireEye NX or other security devices, greatly expanding your ability to prevent hidden threats and block zero-day exploits.

F5 Full Proxy Architecture

F5 SSL Orchestrator is the core of F5’s SSL/TLS visibility and orchestration solution. When deployed on the wire between an intranet and the Internet, as shown in the figure below, F5 SSL Orchestrator installs a decrypt/clear-text zone between the client and web server, creating an aggregated visibility point where FireEye NX can inspect the traffic.

Figure: F5 full proxy architecture establishing the inspection zone.

When the client initiates an HTTPS connection to the web server, the F5 SSL Orchestrator intercepts and decrypts the client-encrypted traffic and steers it to a pool of FireEye NX devices for inspection. After inspection, the F5 SSL Orchestrator re-encrypts the same traffic before sending it to the web server. The return HTTPS response from the web server to the client is likewise intercepted and decrypted for inspection before being sent to the client.

Solution Deployment

F5 SSL Orchestrator intercepts both outbound and inbound traffic. Other security services like DLP (using ICAP), IPS, and next-generation firewalls can also be deployed alongside FireEye NX when configured in a service chain within the decrypt zone.

Figure: The F5 SSLO FireEye NX solution with service chain.

I. Bill of Materials

  • F5 SSL Orchestrator 5.1
    • Optional functional add-ons include URL filtering subscription, IP Intelligence subscription, network hardware security module (HSM), F5 Secure Web Gateway (SWG) Services and F5 Access Manager (APM).
  • FireEye NX appliance

II. Pre-requisites

  1. F5 SSL Orchestrator is licensed and set up with internal and external VLANs and Self-IP addresses.
  2. An SSL certificate—preferably a subordinate certificate authority (CA)—and private key are imported into F5 SSL Orchestrator.
  3. The CA certificate chain with root certificate is imported into the client browser.
  4. FireEye NX is set up with physical connectivity to F5 SSL Orchestrator.
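Prerequisites 2 and 3 call for a subordinate CA (key plus certificate) for SSL Orchestrator and a root certificate for the client browsers. The script below is an added example, not from the article or from F5, showing how such a hierarchy can be built with openssl and checked before import; it assumes the openssl CLI is available, and all names, paths and lifetimes are placeholders.

```shell
# Added example (not from the original article). Names, paths and lifetimes
# are assumptions; needs the openssl CLI.
set -eu
WORKDIR="${WORKDIR:-./sslo-ca-demo}"
# Extension profiles: both CAs need CA:TRUE; pathlen:0 on the subordinate
# lets it issue only end-entity (intercepted site) certificates.
write_ext() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
[v3_subca]
basicConstraints = critical, CA:TRUE, pathlen:0
[v3_site]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
}

build_ca_hierarchy() (
  mkdir -p "$WORKDIR" && cd "$WORKDIR" && write_ext ext.cnf
  # Root CA, self-signed and kept offline: only root.crt goes to client browsers.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ext.cnf \
    -subj "/CN=Demo Root CA" -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
    -extfile ext.cnf -extensions v3_ca -out root.crt 2>/dev/null
  # Subordinate CA: subca.key plus subca.crt is the pair imported into SSLO.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ext.cnf \
    -subj "/CN=Demo SSLO Issuing CA" -keyout subca.key -out subca.csr 2>/dev/null
  openssl x509 -req -in subca.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile ext.cnf -extensions v3_subca -out subca.crt 2>/dev/null
)

# What SSLO does for each intercepted HTTPS site: issue a short-lived leaf
# certificate for the requested hostname from the subordinate CA.  $1 = hostname
issue_site_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORKDIR/ext.cnf" \
    -subj "/CN=$1" -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/subca.crt" \
    -CAkey "$WORKDIR/subca.key" -CAcreateserial -days 7 -sha256 \
    -extfile "$WORKDIR/ext.cnf" -extensions v3_site -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Pre-import check: without CA:TRUE the cert cannot sign site certs, so interception fails.
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# Client-side view: does the chain validate against the root the browser trusts?
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }
```

Run `build_ca_hierarchy`, then `is_ca_cert "$WORKDIR/subca.crt"` before importing the subordinate pair; a leaf certificate mistakenly imported in its place fails this check.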

III. Configure FireEye Operation Mode

Log in to the FireEye web user interface, navigate to Settings, and select the Inline operation mode. FireEye supports both Inline and TAP modes of operation.

IV. Deploy F5 SSL Orchestrator using Guided Configuration

SSL Orchestrator version 5.1 introduced Guided Configuration, a workflow-based architecture that provides intuitive, re-entrant configuration steps and presents a completely new and streamlined user experience. To deploy the SSL Orchestrator application, log into the F5 system. On the F5 Web UI Main menu, navigate to SSL Orchestrator > Configuration and follow the guided configuration steps.

Step 1: Topology Properties

SSL Orchestrator creates discrete configurations based on the selected topology. Selecting the explicit forward proxy topology (as shown in the example) will ultimately create an explicit proxy listener.

Step 2: SSL Properties

Select the previously imported subordinate CA certificate (see Prerequisites, above) to sign and issue certificates to the end-host for client-requested HTTPS websites that are intercepted.

Step 3: Create the FireEye Inline Service

The services list section defines the security services that interact with SSL Orchestrator. The guided configuration includes a services catalog that contains common product integrations.

In the service catalog, double-click the FireEye Inline service and configure the service settings: service name, VLAN pair and port remap. The ‘From VLAN’ and ‘To VLAN’ pair (inward and outward VLANs) and the associated interfaces define the network connectivity from SSL Orchestrator to the inline security device.

FireEye NX recognizes the steered traffic as decrypted only when it arrives on a TCP port other than 443, so use the port remap setting to send it on a non-443 TCP port.

Using the service catalog, create additional security services as required, before proceeding to the next step.

Step 4: Service Chains

Create a service chain, which is an arbitrarily ordered list of security devices. The service chain determines which services receive traffic and in what order.

Step 5: Security Policy

SSL Orchestrator’s guided configuration presents an intuitive rule-based, drag-and-drop user interface for the definition of security policies. In the background, SSL Orchestrator maintains these security policies as visual per-request policies. If traffic processing is required that exceeds the capabilities of the rule-based user interface, the underlying per-request policy can be managed directly. Use this section to create custom rules as required.

Step 6: Intercept Rule

Interception rules are based on the selected topology and define the listeners (analogous to BIG-IP Local Traffic Manager virtual servers) that accept and process different types of traffic, such as TCP, UDP, or other. The resulting BIG-IP LTM virtual servers will bind the SSL settings, VLANs, IPs, and security policies created in the topology workflow.

Step 7: Egress Settings

The egress settings section defines topology-specific egress characteristics like NAT and outbound route.

Step 8: Summary

The configuration summary page presents an expandable list of all the workflow-configured objects. Review the settings and click the Deploy button to deploy SSL Orchestrator.

On success, SSL Orchestrator is deployed on the F5 system.

V. Verification

From the client, navigate to http://www.eicar.org/ and download a malware test file via both the HTTP and the HTTPS links.

Log in to the FireEye NX Web UI and navigate to Alerts to view the malware alert.

Conclusion

The joint solution from F5 Networks and FireEye brings together the best of application delivery and advanced content security to help you identify and stop even the most sophisticated attacks, whether in the data center or at the perimeter of your network. Together, we help you accelerate business growth while decreasing the risk of security breaches.

Learn more:

Product page: F5 SSL Orchestrator

White paper: Beyond Advanced Threat Protection