Use of SSL Decryption.
Dear All
I hope you all are doing well.
Recently, we have deployed a firewall with SSL decryption features. Previously, we used F5 WAF for SSL decryption.
Should we use SSL decryption for the new firewall or the previous F5 WAF SSL decryption?
Can I use both WAF and Firewall SSL decryption? If so, what benefit will I get from using both devices?
3 Replies
- Ted-Nordvall
Altostratus
Hello RockBD,
Are you talking about forward proxy or reverse proxy in this scenario?
Either way - if you have a physical F5, it will outperform firewalls in almost every case when it comes to SSL decryption/encryption.
And if you, for example, use the F5 with the SSLO (SSL Orchestration) module, you can decrypt outgoing traffic in the F5, send the traffic via ICAP (for example) to the firewall for antivirus scanning and so on. If you pair it with, for example, IP Intelligence, you can also get an outbound reputation-based block for traffic. You can also use the firewall for inspection in the service chain, where it also uses its reputation engine, thus having an in-depth analysis of client traffic along with the protection of both products.
When it comes to using it as a reverse proxy/load balancer for incoming traffic to internal servers and such, I would still keep it in the F5. The F5 is designed for handling incoming web traffic and decryption (SSL offloading) and has all of the features for protecting incoming web traffic.
Is the new firewall a Gen5-firewall with all the bells and whistles?
Br, Ted
- RockBD
Altocumulus
I think it would be better to use SSL decryption in both places. In Firewall 1st, then the WAF.
What do you think?
If your company requires that every hop must be encrypted, then you will need to do that.
If not, SSL decryption in the WAF only is adequate.
A WAF can differentiate inspection profiles based on URL, hostname, etc., but a firewall usually can't.