F5 BIG-IP Zero Trust with BIG-IP SSL Orchestrator

What is Zero Trust?

Zero Trust is an organization's culture, not just a configuration element. F5 BIG-IP SSL Orchestrator provides building blocks that help your organization carry out this strategy. The main Zero Trust principles are:

  • Never Trust
  • Always Verify
  • Continuously Monitor

However, most of the traffic flowing through any network today is encrypted, which leaves the tools meant to verify and monitor that traffic unable to see inside it.

Demo Video

SSL Orchestrator Role

F5 BIG-IP SSL Orchestrator enables dynamic, policy-based decryption and traffic steering to maximize defense-in-depth security and enhance Zero Trust functionality. It gives inspection tools visibility into traffic that would otherwise stay hidden inside TLS, whether that traffic is carrying an infection or is about to launch an attack.

How to Configure?

Let’s see how it works.

BIG-IP SSL Orchestrator is a product module running on top of the F5 BIG-IP platform. It has a guided configuration wizard and supports a wide range of traffic processing paths, called "Topologies".

These include the following:

  • L3 Outbound Transparent Proxy
  • L3 Outbound Explicit Proxy
  • L2 Outbound
  • L3 Inbound
  • L2 Inbound
  • And more

Topology Properties let you define the traffic flow processing path needed. For this demo, we'll select the L3 Outbound mode.

The SSL Configuration defines how TLS is handled for this Topology flow type.

In the L3 Outbound scenario, we define the local CA certificate and key used to forge (re-issue) the remote server's certificate toward the client. Client endpoints must trust this CA, normally by distributing it through device management, or every intercepted site will produce a certificate warning; applications that pin their server certificate cannot be intercepted this way and belong in a bypass rule.
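To make the "local forging" step concrete, here is an added example (not F5 code and not from the demo) that reproduces it with plain openssl: a local CA is created, a server certificate for a hostname is minted under that CA the way the intercepting proxy would, and the result is then verified as two different clients would see it, one that has the local CA in its trust store and one that only trusts an unrelated root. The CA names, the hostname www.example.com and the scratch directory are assumptions for the example.

```shell
#!/bin/sh
# Added example, not F5 code: emulates the "forge the server certificate under a
# local CA" step of an L3 Outbound SSL configuration with plain openssl, then
# checks the forged certificate as a trusting and a non-trusting client would.
# Assumptions (not from the page): the CA names, the hostname, the scratch dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME FILE: create a self-signed CA certificate and key named NAME,
# stored as $WORK/FILE.crt and $WORK/FILE.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}

# forge_server_cert HOST: mint a leaf certificate for HOST signed by the local
# CA, as the intercepting proxy does on the fly after learning the server name.
forge_server_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  # SAN and EKU a TLS client expects; passed via -extfile so it works on
  # OpenSSL 1.1.x as well as 3.x
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$WORK/$host.ext"
  openssl x509 -req -days 1 -in "$WORK/$host.csr" \
    -CA "$WORK/local-ca.crt" -CAkey "$WORK/local-ca.key" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# client_verdict HOST TRUSTFILE: validate $WORK/HOST.crt (chain and hostname)
# against $WORK/TRUSTFILE.crt as the client's only trusted root;
# prints "trusted" or "rejected"
client_verdict() {
  if openssl verify -CAfile "$WORK/$2.crt" -verify_hostname "$1" \
       "$WORK/$1.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# Stand-alone run: a managed endpoint (local CA installed) accepts the forged
# certificate; an unmanaged endpoint that trusts only some other root rejects it.
make_ca "Corp Intercept CA" local-ca
make_ca "Unrelated Public Root" other-ca
forge_server_cert www.example.com
echo "managed endpoint:   $(client_verdict www.example.com local-ca)"
echo "unmanaged endpoint: $(client_verdict www.example.com other-ca)"
```

The second verdict is exactly the certificate error an unmanaged device, or an application with its own pinned trust store, will show when its traffic is decrypted, which is why such traffic belongs in a bypass rule rather than in the intercept path.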

Services are the set of Security Inspection Tools that are injected into the decrypted traffic flow.

SSL Orchestrator supports a wide selection of Security Inspection Tools.

Among these are tools characterized as:

  • Inline Layer 2, including bump-in-the-wire, and sandboxing tools
  • Inline Layer 3, including firewalls and IPS
  • Inline HTTP, including web proxies and secure web gateways
  • ICAP, including DLP
  • TAP, including passive security devices, and IDS

And a special set of F5 integrations, including Advanced WAF and Secure Web Gateway Services.

In the interest of time, we’ll fast forward through the creation of the Security Services.

Service Chains let you define ordered lists of specific Services to be assigned to policy decisions.

For this demo, we’ll create two Service Chains, one containing everything and one containing a subset.

The Security Policy defines the set of traffic-matching characteristics. Let's create a Traffic Rule that matches URL categories likely to carry sensitive personal information. Policy rules match a wide assortment of traffic characteristics; they are additive and support advanced matching logic. We'll select a Category Lookup condition and then enter the URL categories to match on. Each matching traffic rule specifies three actions:

  1. To Allow, Reject, or Abort the flow.
  2. To decrypt (intercept) or bypass decryption.
  3. And to assign the flow to a specific Service Chain of Inspection Services.

So now we have one rule that bypasses TLS inspection for sensitive URL categories, so that the inspection devices never see that data in the clear. Let's also assign a default Service Chain for all other decrypted traffic flows.

Interception rules define additional flow matching characteristics for the chosen Topology.

Egress Settings define how traffic exits the Topology.

Log Settings define granular flow logging properties.

Finally, review the configuration, and then Deploy!

The resulting configuration page allows for the creation and manipulation of individual BIG-IP SSL Orchestrator elements.

Now let’s test with a very basic inline Secure Web Gateway policy that will generate a confirmation page on a matching URL.

Success! F5 SWG in the decrypted Service Chain has applied a simple corporate web policy.

Conclusion

F5 BIG-IP SSL Orchestrator enables dynamic, policy-based decryption and traffic steering to maximize defense-in-depth security and enhance Zero Trust functionality. It gives inspection tools visibility into traffic that would otherwise stay hidden inside TLS, whether that traffic is carrying an infection or is about to launch an attack.

Related Content

Introduction to BIG-IP SSL Orchestrator

Integrating security solutions with F5 BIG-IP SSL Orchestrator

Updated May 20, 2025
Version 2.0