Introduction to BIG-IP SSL Orchestrator

F5 BIG-IP SSL Orchestrator is designed and purpose-built to enhance SSL/TLS infrastructure, provide security solutions with visibility into SSL/TLS encrypted traffic, and optimize and maximize your existing security investments.

Demo Video


What is SSL Orchestrator?

F5 BIG-IP SSL Orchestrator is designed and purpose-built to enhance SSL/TLS infrastructure, provide security solutions with visibility into SSL/TLS encrypted traffic, and optimize and maximize your existing security investments. BIG-IP SSL Orchestrator delivers dynamic service chaining and policy-based traffic steering, applying context-based intelligence to encrypted traffic handling to allow you to intelligently manage the flow of encrypted traffic across your entire security stack, ensuring optimal availability.

Designed to easily integrate with existing architectures and to centrally manage the SSL/TLS decrypt/re-encrypt function, BIG-IP SSL Orchestrator delivers the latest SSL/TLS encryption technologies across your entire security infrastructure. With BIG-IP SSL Orchestrator’s high-performance encryption and decryption capabilities, your organization can quickly discover hidden threats and prevent attacks at multiple stages, leveraging your existing security solutions.

BIG-IP SSL Orchestrator ensures encrypted traffic can be decrypted, inspected by security controls, then re-encrypted—delivering enhanced visibility to mitigate threats traversing the network. As a result, you can maximize your security services investment for malware, data loss prevention (DLP), ransomware, and NGFWs, thereby preventing inbound and outbound threats, including exploitation, callback, and data exfiltration.

Why is this important?

Offload SSL decryption to F5. Let F5 handle all of the decrypt/encrypt work so your security tools don’t have to, which frees up capacity on your existing security solutions. Easily create policy to bypass decryption of sensitive traffic, such as Banking, Finance and Healthcare related websites. Improve high availability by letting SSL Orchestrator distribute load across a group of security devices, such as Next Generation Firewalls.

A comprehensive SSL decryption solution gives you much-needed visibility into encrypted traffic, which enables you to block encrypted threats.

SSL Orchestrator integrates with your existing infrastructure

An SSL Orchestrator “Service” is defined as a device that SSL Orchestrator passes decrypted traffic to.  A Service can be Layer 2 or 3. It can be unidirectional (TAP). It can be an ICAP server. It can be an Explicit or Transparent HTTP proxy.

A Layer 2 device (bridging/bump-in-wire) refers to connectivity without IP Address configuration.  Layer 2 devices pass all traffic from one interface to another interface.

A Layer 3 device (typical NAT) refers to IP Address to IP Address connectivity.  Layer 3 devices must be specifically configured to work on a network.

An Explicit Proxy device also utilizes IP Address to IP Address connectivity.  However, in this case, web applications have to be specifically configured to use an Explicit Proxy.

A Transparent Proxy device also utilizes IP Address to IP Address connectivity.  In this case, web applications DO NOT need to be configured to use a Proxy.

Other types of devices are supported, such as an ICAP server or a TAP device.  An ICAP server is often used for Data Loss Prevention (DLP).  A TAP device is often used for passive visibility, as it receives an exact copy of the decrypted traffic.


Service Chains

Service Chains are user-defined groupings of one or more Services.  Multiple Service Chains are supported by Policy (see next section).  There are no restrictions on the type of Services that can be in a Service Chain.  For example: a Service Chain can consist of one or more Layer 2 devices, and one or more Layer 3 devices, and so on.


Policy

SSL Orchestrator supports a flexible policy editor that is used to determine what type of traffic to send, or not to send, to a Service Chain.  For example: in the case of an Outbound (see next section) configuration, certain content can bypass SSL Decryption based on URL Categories like Banking, Finance and Healthcare.


Topologies

A Topology defines how SSL Orchestrator is inserted into your traffic flow.  It is defined as either Inbound or Outbound (described below).  High-level parameters for how and what to intercept are defined here.

In an Inbound Topology, traffic comes from users on the internet to access an application like mobile banking or shopping.  This may also be referred to as a reverse proxy.

In an Outbound Topology, traffic comes from users on your network to access sites/applications on the internet.  For example: a person who works at Apple HQ who is accessing the internet using the company’s network.  This may also be referred to as a forward proxy.
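The three building blocks described above (Services grouped into ordered Service Chains, a Policy that decides which traffic is decrypted and which chain it takes, and a Topology that fixes the traffic direction) can be sketched as a small model. The Python below is an added illustration written for this article; it is not F5's configuration schema, API, or the product's internal logic. The service names, chain names, URL categories and flows are constructed, and two behaviours are simplifying assumptions of the model rather than documented SSL Orchestrator behaviour: the first matching rule wins, and traffic that matches no rule is intercepted without a chain. The `shadowed_bypass_rules` check at the end is the kind of sanity test a defender wants on such a policy: a bypass rule placed after a broader intercept rule can never fire, so traffic meant to stay encrypted would be silently decrypted.

```python
"""Conceptual model of policy-based steering into service chains.

Added illustration only; not F5's configuration format or API.
Every service, chain, category and flow below is constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class ServiceType(Enum):
    L2 = "layer2"                          # inline bump-in-the-wire, no IP configuration
    L3 = "layer3"                          # inline, IP-to-IP connectivity
    TAP = "tap"                            # receives a copy only, never alters traffic
    ICAP = "icap"                          # content handed to an ICAP server (e.g. DLP)
    EXPLICIT_PROXY = "explicit_proxy"      # clients must be configured to use it
    TRANSPARENT_PROXY = "transparent_proxy"


@dataclass(frozen=True)
class Service:
    name: str
    kind: ServiceType

    @property
    def inline(self) -> bool:
        """Inline services sit in the data path; a TAP only receives a copy."""
        return self.kind is not ServiceType.TAP


@dataclass(frozen=True)
class ServiceChain:
    name: str
    services: Tuple[Service, ...]          # ordered; any mix of service types is allowed


class Topology(Enum):
    INBOUND = "inbound"                    # internet users -> your application (reverse proxy)
    OUTBOUND = "outbound"                  # your users -> the internet (forward proxy)


@dataclass
class Flow:
    topology: Topology
    dest_host: str
    url_category: str                      # constructed label such as "banking"


@dataclass(frozen=True)
class Rule:
    """One policy rule: match on topology and, optionally, on URL category."""
    topology: Topology
    categories: frozenset = frozenset()    # empty means "any category"
    bypass: bool = False                   # True: leave encrypted, send to no chain
    chain: Optional[ServiceChain] = None

    def matches(self, flow: Flow) -> bool:
        if flow.topology is not self.topology:
            return False
        return not self.categories or flow.url_category in self.categories


@dataclass
class Decision:
    decrypt: bool
    inline_path: List[str]                 # inline services traversed, in chain order
    copied_to: List[str]                   # TAP services that receive a decrypted copy
    reason: str


def evaluate(policy: List[Rule], flow: Flow) -> Decision:
    """First matching rule wins (model assumption); no match -> intercept, no chain."""
    for rule in policy:
        if not rule.matches(flow):
            continue
        if rule.bypass:
            return Decision(False, [], [], "bypass rule matched")
        services = rule.chain.services if rule.chain else ()
        reason = f"intercept via chain {rule.chain.name}" if rule.chain else "intercept, no chain"
        return Decision(True,
                        [s.name for s in services if s.inline],
                        [s.name for s in services if not s.inline],
                        reason)
    return Decision(True, [], [], "no rule matched; default intercept (model assumption)")


def shadowed_bypass_rules(policy: List[Rule]) -> List[int]:
    """Indices of bypass rules that an earlier rule on the same topology already
    covers for every category; such a bypass can never fire."""
    shadowed = []
    for i, rule in enumerate(policy):
        if not rule.bypass:
            continue
        for earlier in policy[:i]:
            covers = not earlier.categories or (
                rule.categories and rule.categories <= earlier.categories)
            if earlier.topology is rule.topology and covers:
                shadowed.append(i)
                break
    return shadowed


# Constructed configuration: services, chains and an ordered policy.
NGFW = Service("ngfw", ServiceType.L3)
IDS_TAP = Service("ids-tap", ServiceType.TAP)
DLP = Service("dlp", ServiceType.ICAP)
WEB_PROXY = Service("web-proxy", ServiceType.EXPLICIT_PROXY)
IPS_L2 = Service("ips-l2", ServiceType.L2)

OUTBOUND_CHAIN = ServiceChain("outbound-full", (NGFW, IDS_TAP, DLP, WEB_PROXY))
INBOUND_CHAIN = ServiceChain("inbound-app", (IPS_L2, IDS_TAP))
SENSITIVE = frozenset({"banking", "finance", "healthcare"})

POLICY = [
    Rule(Topology.OUTBOUND, SENSITIVE, bypass=True),   # must precede the catch-all below
    Rule(Topology.OUTBOUND, chain=OUTBOUND_CHAIN),
    Rule(Topology.INBOUND, chain=INBOUND_CHAIN),
]

if __name__ == "__main__":
    for flow in (Flow(Topology.OUTBOUND, "bank.example", "banking"),
                 Flow(Topology.OUTBOUND, "news.example", "news"),
                 Flow(Topology.INBOUND, "shop.example", "shopping")):
        print(flow.dest_host, evaluate(POLICY, flow))
    print("shadowed bypass rules:", shadowed_bypass_rules(POLICY))
```

Running the block shows the banking flow staying encrypted with an empty path, the news flow passing inline through ngfw, dlp and web-proxy while ids-tap receives a copy, and the inbound flow taking the shorter chain. Reversing the first two rules makes `shadowed_bypass_rules` report index 1, which is the misconfiguration the check exists to catch.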

Conclusion

F5 BIG-IP SSL Orchestrator simplifies and accelerates the deployment of SSL visibility and orchestration services. Whether for modern, custom, or classic apps, and regardless of their location—be it on premises, in the cloud, or at the edge—BIG-IP SSL Orchestrator is built to handle today’s dynamic app landscape.

Updated Apr 14, 2025
Version 2.0