Forum Discussion

3 Replies

  • Just to clarify...so you want to decrypt, send to IPS, then re-encrypt to send to server? Please correct me if I am wrong.

    Also do you want true IPS - as in Protection mode (so inline deployment required), or are you deploying an IPS as an IDS - Detection (so SPAN port will be OK)?

    • Demonio_21719

      Hi, the idea is that the IPS service is in INLINE mode.

      We will continue to be guided by F5/Cisco, because they recommend routing mode.

      Thank you.

      http://wtit.com/wp-content/uploads/2015/07/f5-white-paper-ngips-recommended-practices-f5-big-ip-and-ciscosourcefire-ngips-load-balancing.pdf

  • It depends on which direction you're talking about, but for forward (outbound) proxy, there's an iApp for that.

    https://devcentral.f5.com/codeshare/air-gap-egress-inspection-with-ssl-intercept-iapp-template

    It's called "SSL Intercept" and is a configuration whereby an ingress (device or VIP) decrypts traffic and sends the unencrypted data across an "air gap" to an egress (device or VIP) for re-encryption. Inside that air gap you can deploy any sort of security device inline with the traffic. The iApp is designed for forward proxy and so requires the Forward Proxy SSL license.

    For reverse proxy it's actually quite a bit simpler. Since you own both the PKI and the address/port space, you can create a dedicated VIP on your (outside) ingress device, offload SSL, send that across to the (inside) egress device and optionally re-encrypt. If you're using two separate BIG-IPs, you can either pool to the egress VIP for layer 2 and below inspection devices, or pool to the layer 3 inspection device and have it route to the egress VIP. If you're using a single BIG-IP, the model only changes a little in that layer 2 and below inspection devices require you to set up the egress VIP in a separate route domain. There are of course other ways to get the unencrypted data off of the BIG-IP and then back, but route domains are probably the easiest option.

    There's also the Next Generation IPS reference deployment guide, specifically designed for Sourcefire, but applicable to other IPS platforms:

    https://f5.com/resources/white-papers/ngips-recommended-practices-f5-big-ip-and-ciscosourcefire-ngips-load-balancing
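The single-BIG-IP reverse-proxy variant described above (ingress VIP offloads SSL, a layer-2 inline IPS sits in the air gap, egress VIP in a separate route domain re-encrypts), sketched as a tmsh configuration. This is an added illustration, not the poster's or F5's own config; every address, VLAN, interface and object name is a constructed placeholder.

```tmsh
# --- Route domains and VLANs (constructed example values) ---
# RD 0 holds the client-facing side and the VLAN that feeds the IPS.
# RD 1 holds the VLAN on the far side of the IPS and the backend servers,
# so 10.0.2.x in RD 0 and 10.0.2.x%1 in RD 1 are distinct address spaces
# and the BIG-IP cannot short-circuit the hop internally.
create net vlan vlan_ips_out interfaces add { 1.1 }
create net vlan vlan_ips_in  interfaces add { 1.2 }
create net vlan vlan_servers interfaces add { 1.3 }
create net route-domain rd_inspected id 1 vlans add { vlan_ips_in vlan_servers }

create net self 10.0.2.1/24    address 10.0.2.1/24    vlan vlan_ips_out allow-service none
create net self 10.0.2.2%1/24  address 10.0.2.2%1/24  vlan vlan_ips_in  allow-service none
create net self 10.0.3.1%1/24  address 10.0.3.1%1/24  vlan vlan_servers allow-service none

# --- Ingress: terminate client TLS, send cleartext toward the IPS ---
# The pool member is the egress VIP address as seen from RD 0; the L2 IPS
# bridges vlan_ips_out to vlan_ips_in, where 10.0.2.10%1 answers.
create ltm pool pool_egress_vip members add { 10.0.2.10:80 } monitor tcp
create ltm virtual vs_ingress_decrypt \
    destination 203.0.113.10:443 ip-protocol tcp \
    profiles add { tcp http clientssl { context clientside } } \
    pool pool_egress_vip \
    source-address-translation { type automap }

# --- Egress: receive inspected cleartext in RD 1, re-encrypt to servers ---
create ltm pool pool_app_servers members add { 10.0.3.20%1:443 10.0.3.21%1:443 } monitor https
create ltm virtual vs_egress_reencrypt \
    destination 10.0.2.10%1:80 ip-protocol tcp \
    profiles add { tcp http serverssl { context serverside } } \
    pool pool_app_servers \
    source-address-translation { type automap }

save sys config
```

If the inspection device is layer 3 instead, drop the second route domain and point pool_egress_vip at the IPS's inside address, letting the IPS route to the egress VIP; an IPS that only detects rather than drops still needs the inline placement for the air gap to carry the cleartext past it.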