F5 BIG-IP SSL Orchestrator and Reversing Labs Integration Guide
An integrated F5 and Reversing Labs solution eliminates the blind spots introduced by SSL/TLS encrypted content.
Introduction
F5 BIG-IP SSL Orchestrator centralizes and manages decryption of SSL/TLS traffic. This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies. SSL Orchestrator removes the burden of decrypting content from your security tools, so they perform better and scale further.
Reversing Labs (RL) Spectra Detect provides comprehensive, enterprise-wide visibility into malicious files and objects to identify threats wherever they reside. High-volume, high-speed file inspection and definitive threat classification empower security operations teams with real-time, context-rich intelligence to drive faster, more effective threat detection and response, along with more powerful and precise hunting, so malware can no longer hide and dwell within the organization.
Deployment Prerequisites
This guide was tested with the following software versions:
- F5 BIG-IP version 17.5
- SSL Orchestrator version 12.1.5
- Reversing Labs Spectra Detect version 5.5.1-24
- Reversing Labs Hub version 5.5.1
- Reversing Labs Worker version 5.5.1
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.
Reversing Labs Configuration
The Spectra Detect Manager, Worker and Hub nodes should be deployed and working. The Hub and Worker need to be members of the same Configuration Group. The Dashboard should look like the following:
NOTE: Proceed to the section “Add the ICAP Connector” if the Worker and Hub are already in the same Configuration Group.
If they are not in the same Configuration Group you can resolve this from the Central Configuration screen by clicking Add New Group.
Give it a name, Hub-Group in this example.
Set the Group Type to Hub Group by clicking the down arrow on the right.
Set the Primary Host by clicking the down arrow on the right.
Enter 1 for the Router ID.
Click Add at the bottom.
Click Confirm.
Set the Configuration Group to Hub Group.
Under Appliances, select All, then click Save.
Click Save and Apply.
The Hub and the Worker should now be visible.
Add the ICAP Connector
Go back to the Dashboard
Click on the Hub appliance
On the right select Actions then Connectors
Select ICAP Server on the left and then click Enable Connector
Optionally configure Max File Size and other settings on this page.
Specify the REQMOD Block Page URL.
NOTE: Replace 172.16.60.202 with the IP address of your Spectra Detect Manager.
Disable the Use TLS option for the initial setup. The port should default to 1344, the standard ICAP port.
Click Start Connector
Click Yes
Back on the Dashboard click the green arrow next to Integrations
It should look like the following:
NOTE: you can come back later and configure the ICAP Server TLS option. Do this before production use: with TLS disabled, every decrypted file SSL Orchestrator hands to the Hub crosses the BIG-IP-to-Hub link in cleartext, so until then keep that path on an isolated network. The SSL Orchestrator ICAP service must be updated to match when you enable it.
SSL Orchestrator Configuration
From the SSL Orchestrator Configuration screen select the Services tab then click Add
Select the ICAP tab then double click on the Generic ICAP Service
Give it a name, RL_SpectraDetect in this example
Click the Add button for ICAP Devices
Enter the IP address of your Reversing Labs Hub, 172.16.60.201 in this example
Click Done
Set the Request and Response Modification URI to “spectraconnector”
Scroll down then click Save & Next
From the Services Chain List screen click on the name of your Service Chain, ServiceChain1 in this example
Select the RL_SpectraDetect Service and click the right arrow to move it to the right.
It should look like the following
Click Save
Click OK
Click Save & Next
Click Deploy
Click OK
Afterwards it should look like this:
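Before relying on the end-to-end test in the next section, it helps to confirm directly that the Hub's ICAP connector answers on port 1344 under the spectraconnector path, and to see the shape of what SSL Orchestrator sends it. The following Python is an added example written for this guide, not code from F5 or Reversing Labs. It reuses the Hub address, port and URI from the steps above; the OPTIONS response it parses is constructed for offline use rather than captured from a real Hub, and the HTTP request and response used for the RESPMOD example are likewise made up.

```python
"""Added example: speak ICAP (RFC 3507) to the Spectra Detect connector directly.

Hub address, port and service path are the ones used in this guide. The sample
OPTIONS response at the bottom is constructed for offline use, not captured.
"""
import socket

ICAP_HOST = "172.16.60.201"        # Reversing Labs Hub (from the guide)
ICAP_PORT = 1344                   # plain ICAP, the default the connector starts on
ICAP_SERVICE = "spectraconnector"  # REQMOD/RESPMOD URI set on the SSLO ICAP service


def icap_uri(host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE):
    return f"icap://{host}:{port}/{service}"


def build_options_request(host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE):
    """OPTIONS asks the connector which methods (REQMOD/RESPMOD) it supports."""
    return (
        f"OPTIONS {icap_uri(host, port, service)} ICAP/1.0\r\n"
        f"Host: {host}:{port}\r\n"
        "Encapsulated: null-body=0\r\n\r\n"
    ).encode()


def build_respmod_request(http_request, http_response_headers, body,
                          host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE):
    """Wrap an origin-server HTTP response in a RESPMOD request, as SSLO does.

    Encapsulated lists the byte offset of each part relative to the start of the
    encapsulated payload; the body is HTTP-chunked and ends with a zero chunk.
    """
    if not http_request.endswith(b"\r\n\r\n"):
        raise ValueError("http_request must end with CRLF CRLF")
    if not http_response_headers.endswith(b"\r\n\r\n"):
        raise ValueError("http_response_headers must end with CRLF CRLF")
    req_len = len(http_request)
    res_len = len(http_response_headers)
    encapsulated = f"req-hdr=0, res-hdr={req_len}, res-body={req_len + res_len}"
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    head = (
        f"RESPMOD {icap_uri(host, port, service)} ICAP/1.0\r\n"
        f"Host: {host}:{port}\r\n"
        "Allow: 204\r\n"  # permits the server to answer 204 for clean content
        f"Encapsulated: {encapsulated}\r\n\r\n"
    ).encode()
    return head + http_request + http_response_headers + chunked


def parse_icap_response(raw):
    """Return (status, headers, encapsulated_bytes) from an ICAP response."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP response: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError(f"unexpected status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, rest


def supported_methods(headers):
    return [m.strip() for m in headers.get("methods", "").split(",") if m.strip()]


def verdict(status):
    """Translate an ICAP status code into what SSL Orchestrator does with the traffic."""
    if status == 204:
        return "clean: 204 No Content, original response delivered unchanged"
    if status == 200:
        return "modified: 200 OK, server substituted its own HTTP response (e.g. block page)"
    if status == 100:
        return "continue: server wants the rest of the body"
    return f"error: ICAP status {status}"


# Constructed sample, not captured from a real Hub.
SAMPLE_OPTIONS_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: REQMOD, RESPMOD\r\n"
    b"Service: constructed-sample\r\n"
    b"Encapsulated: null-body=0\r\n\r\n"
)


def probe_options(host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE, timeout=5.0):
    """Connect to the connector over plain TCP and return its parsed OPTIONS reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, port, service))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_icap_response(data)


if __name__ == "__main__":
    status, headers, _ = probe_options()
    print(status, supported_methods(headers))
```

Run it from a host that can reach the Hub on 1344 (the BIG-IP self-IP network, for instance). A 200 OPTIONS reply listing both REQMOD and RESPMOD confirms the connector is up on the expected path; a 204 on a RESPMOD means the file was judged clean and passes unchanged, while a 200 means the Hub replaced the response, which is what produces the block page.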
Test the Solution
Access the internet from a client computer that connects through BIG-IP SSL Orchestrator. Note that the connection to www.f5.com is still reported as secure, but the certificate was issued by the f5labs.com CA (the SSL Orchestrator signing CA in this lab) rather than by Entrust, Inc. This confirms that SSL Orchestrator is decrypting the session and re-encrypting it toward the client.
Next, connect to the eicar.org web site, which hosts the EICAR anti-malware test file (a harmless string that security products deliberately detect as malware), and attempt to download EICAR.TXT.
The test file is blocked by Reversing Labs.
The Analytics Dashboard on the Spectra Detect Manager shows more details about the files processed.
Conclusion
F5 BIG-IP SSL Orchestrator manages encrypted traffic and selectively steers it to one or more security solutions to check for threats. Reversing Labs Spectra Detect works in tandem with SSL Orchestrator to protect enterprise networks from malicious files that would otherwise hide inside encrypted sessions.
Related Content
Introduction to BIG-IP SSL Orchestrator
Integrating Security Solutions with F5 BIG-IP SSL Orchestrator