Forum Discussion
SSL offload in LTM VS web service security in XML profile
- Jun 01, 2016
Hi,
In ASM, you can check compliance, validate schema, inspect attachments, check for attack signatures, mask sensitive data, and encrypt and sign XML content using XML profiles.
SSL offloading is to encrypt the transport channel (headers + body). You can also force the XML body to be encrypted/signed using the "Web Services Security" feature in the XML profile. There is no option to encrypt a JSON body in ASM.
It's up to you: you can rely on HTTPS encryption only, using a client SSL profile, or add encryption of the XML body or part of the body (sensitive data) on top of that to have additional security.
- ghost-rider_124 Jun 01, 2016
Nimbostratus
Thanks. But will the XML body not be in the HTTPS body? Can you please elaborate more?
- Yann_Desmarest_ Jun 01, 2016
Nacreous
Yes, the XML body is in the HTTPS payload. SSL is used to encrypt the session (TCP/IP stack), so you encrypt the full request. When decrypting the full request using SSL profiles, you can view the HTTP request headers and body. XML encryption is application-level encryption, so even if you have decrypted the SSL, using XML enc you can still protect the HTTP body that contains the XML doc.
- ghost-rider_124 Jun 04, 2016
Nimbostratus
Thanks for your reply. But when we are using SSL to encrypt header + body, then what's the point of encrypting the body again using XML encryption?
- Yann_Desmarest_ Jun 04, 2016
Nacreous
Hi, imagine that the XML document contains very important information that should be accessible within your corporate network only. If the client that sends the XML document is outside on the internet, a simple man in the middle allows anybody to read the request but not the XML doc. In that case, your confidential data is safe. If you don't need any extra security measures, you should not use XML encryption. XML signature is still interesting to guarantee that the XML doc has not been altered.
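As an added illustration of the last reply (not code from the thread or from F5): a Python sketch that takes an HTTP body as it appears after SSL offload and reports which element values are readable in cleartext and which remain protected by XML Encryption. The sample document, its element names and the function name `exposure_after_tls_offload` are constructed for this example.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"   # W3C XML Encryption namespace
DSIG = "http://www.w3.org/2000/09/xmldsig#"  # W3C XML Signature namespace

# Constructed sample: the HTTP body as seen once the client SSL profile has
# decrypted TLS. Cipher and signature values are placeholders, not real output.
SAMPLE_BODY = """<order xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <customer>ACME</customer>
  <payment>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </payment>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>U0FNUExF</ds:SignatureValue></ds:Signature>
</order>"""


def exposure_after_tls_offload(body):
    """Report what is readable once TLS is removed and what XML-level protection remains."""
    # Fine for this constructed sample; use a hardened parser such as defusedxml
    # when the body comes from an untrusted client.
    root = ET.fromstring(body)
    report = {"cleartext": {}, "encrypted_under": [], "signed": False}

    def walk(elem, path):
        if elem.tag == f"{{{XENC}}}EncryptedData":
            report["encrypted_under"].append(path)  # content stays ciphertext
            return
        if elem.tag == f"{{{DSIG}}}Signature":
            report["signed"] = True  # presence only; the signature is not verified here
            return
        here = f"{path}/{elem.tag.rsplit('}', 1)[-1]}"
        text = (elem.text or "").strip()
        if text:
            report["cleartext"][here] = text  # visible to anyone holding the decrypted body
        for child in elem:
            walk(child, here)

    walk(root, "")
    return report


if __name__ == "__main__":
    print(exposure_after_tls_offload(SAMPLE_BODY))
```
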