For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ghost-rider_124's avatar
ghost-rider_124
Icon for Nimbostratus rankNimbostratus
Jun 01, 2016
Solved

SSL offload in LTM VS web service security in XML profile

Hello Experts   I am hosting web service on F5 with ASM. To enable encryption between client and F5 for xml web service, I believe if I enable SSL off loading (https) in LTM then all communication...
application delivery
ASM Advanced WAF
BIG-IP
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Jun 01, 2016

    Hi,

     

    In ASM, you can check compliance, Validate schema, inspect attachment, check for attack signatures, mask sensitive data, encrypt and sign XML content using XML profiles.

     

    SSL offloading is to encrypt the transport channel (headers+body). You can also force the xml body to be encrypted/signed using the "Web Services Security" feature in the xml profile. There is no options to encrypt JSON body in ASM.

     

    It's up to you, you can rely on https encryption only using client ssl profile or add xml body or part of body (sensitive data) encryption above to have additional security.

     

Yann_Desmarest_'s avatar
Yann_Desmarest_
Icon for Nacreous rankNacreous
Jun 01, 2016

Hi,

 

In ASM, you can check compliance, Validate schema, inspect attachment, check for attack signatures, mask sensitive data, encrypt and sign XML content using XML profiles.

 

SSL offloading is to encrypt the transport channel (headers+body). You can also force the xml body to be encrypted/signed using the "Web Services Security" feature in the xml profile. There is no options to encrypt JSON body in ASM.

 

It's up to you, you can rely on https encryption only using client ssl profile or add xml body or part of body (sensitive data) encryption above to have additional security.

 

Yann_Desmarest_'s avatar
Yann_Desmarest_
Icon for Nacreous rankNacreous
Jun 01, 2016
Yes xml body is in the https payload. SSL is used to encrypt the session (tcpip stack) so you encrypt the full request. When decrypting the full request using ssl profiles, you can view the http request headers and body. XML encryption is an Application level encryption so even if you decrypted the ssl, using xml enc, you can still protect the http body that contains the xml doc
Related Content