Forum Discussion
SSL offload to IPS
7 Replies
- Michael_Yates
Nimbostratus
You might want to investigate utilizing Clone Pools to see if it will do what you are needing.
SOL8573: Overview of port mirroring and clone pools
http://support.f5.com/kb/en-us/solutions/public/8000/500/sol8573.html?sr=13486642
Clone Pools can be configured to capture one-way or two-way traffic (traffic to the server from the client: Clone Pool (Client); traffic to the client from the server: Clone Pool (Server)). It does this during SSL teardown if the traffic is encrypted.
- Hamish
Cirrocumulus
Agreed. Cloning the traffic is going to be far lighter on the systems than not.
H
- Steve_Brown_882
Historic F5 Account
Another interesting option I have seen tested to solve this issue actually involves using two different route domains on the LTM. Basically there is a front-side route domain and a back-side route domain with the IPS in the middle processing traffic transparently.
Here is an example:

Route Domain 1                                                            Transparent      Route Domain 2
VS (1.2.3.4) clientSSL --> Pool (192.168.100.100 and 192.168.100.101) --> IPS --> VS (forwarding VS) w/ serverSSL

Traffic passes through the VS in RD1 and is decrypted with a client SSL profile and sent to pool members in the clear. In order to reach the pool it has to exit the interface in the 192.168.100.0 (RD1) VLAN, which is directly connected to the IPS. The IPS is then connected to an L2-only VLAN in RD2. This VLAN is set to bridge all traffic to the 192.168.100.0 (RD2) VLAN, which has a forwarding VS with a server SSL profile applied to re-encrypt to the back end.
This is a somewhat simplified version of it and I may not be explaining it perfectly, but it would do the job for sure. Clone pools may be an easier option if they work in your situation.
- Chris_Miller
Altostratus
Easiest way:
1. Virtual Server 1 listens on port 443 and has a clientSSL profile and clone pool but no default pool. It also has an iRule similar to the following:
   when HTTP_REQUEST { virtual virtual2 }
2. Virtual Server 2 (virtual2) listens on port 80 but has a serverSSL profile. It also has a default pool.
- Colin_Walker_12
Historic F5 Account
Nice tip Chris, I like it.
Colin
- hoolio
Cirrostratus
Any idea if route domains are required? It seems like Chris's example with a VS targeting VS would work fine.
Thanks, Aaron
- Jacob_39432
Nimbostratus
The problem with clone pools is that they require the IPS to actually be targeted in some way with an IP and MAC address. Many inline IPS deployments are completely transparent and there's nothing to target at L2/L3. You're doing SSL offload to a ghost. This leads to the config mentioned by Steve, which I have had the unfortunate experience of dealing with at length. It works but is a very complex setup. RDs are required because you're processing the same traffic twice targeting the same L2/L3 address space.
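Chris_Miller's two-virtual-server layout, written out as tmsh configuration so the pieces (clientSSL on the 443 listener, the clone pool, the VS-to-VS iRule, serverSSL on the port-80 listener) can be seen together. This is an added example, not configuration posted in the thread or published by F5. The object names (vs_https_offload, virtual2, clone_ips, pool_web_backend, ips_steer_to_virtual2), the IPS sensor address 192.168.200.10 and the backend addresses are assumptions, and it assumes an IPS that is reachable at an IP/MAC address, which is exactly the condition Jacob's post says a transparent inline sensor does not meet. The clone pool is attached on the server-side context of the first virtual server, where the clientSSL profile has already decrypted the flow and nothing has re-encrypted it yet; re-encryption happens on virtual2.

```tmsh
# Added example: tmsh rendering of the two-VS design from the thread.
# All names and addresses below are assumptions, not values from the thread.

# IPS sensor that receives the cloned copy. Port 0 = any port; cloned
# packets keep the ports of the flow they were copied from.
ltm pool clone_ips {
    members {
        192.168.200.10:0 {
            address 192.168.200.10
        }
    }
}

# Real backend servers; virtual2's serverSSL profile re-encrypts to them on 443.
ltm pool pool_web_backend {
    monitor https
    members {
        10.10.10.11:443 {
            address 10.10.10.11
        }
        10.10.10.12:443 {
            address 10.10.10.12
        }
    }
}

# The iRule from Chris's post: hand the decrypted request to the second VS.
ltm rule ips_steer_to_virtual2 {
when HTTP_REQUEST {
    virtual virtual2
}
}

# VS1: terminates TLS, has no default pool, clones the decrypted flow,
# and relies on the iRule to pick the next hop.
ltm virtual vs_https_offload {
    destination 1.2.3.4:443
    ip-protocol tcp
    mask 255.255.255.255
    source 0.0.0.0/0
    profiles {
        tcp { }
        http { }
        clientssl {
            context clientside
        }
    }
    clone-pools {
        clone_ips {
            context serverside
        }
    }
    rules {
        ips_steer_to_virtual2
    }
}

# VS2 (virtual2): plaintext listener on port 80 with a default pool;
# the serverSSL profile re-encrypts toward the backend.
ltm virtual virtual2 {
    destination 1.2.3.4:80
    ip-protocol tcp
    mask 255.255.255.255
    source 0.0.0.0/0
    pool pool_web_backend
    profiles {
        tcp { }
        http { }
        serverssl {
            context serverside
        }
    }
}
```

This can be pasted into `tmsh load /sys config merge from-terminal`, then checked with `tmsh list ltm virtual vs_https_offload clone-pools` to confirm the clone pool attached in the intended context. Note that virtual2 is a plaintext port-80 listener on the same address only because that is how the post describes it; if that address is reachable from untrusted networks, restrict virtual2's `source` or move it to an internal address so the cleartext hop is not directly exposed.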