Lightboard Lessons: The Problem Of TLS Visibility
Internet traffic today is encrypted at a rate of almost 90%. Our F5 Labs team wrote a TLS Telemetry Report last year that outlines several Internet-related encryption statistics. Also, Google serve...
Published Nov 28, 2018
Version 1.0
Author: ltwagnon, Ret. Employee (joined May 15, 2019)
ltwagnon, Ret. Employee, Dec 11, 2018
@Piotr, I recorded the SSLO video, but time constraints didn't allow me to dig into all the details you asked about. That said, I wanted to post answers here so you would have them (and others could see as well).
Is it mandatory to use two separate physical interfaces for each L2 service?
- No, it's not necessary. It needs to be a different L2 network, though.

Is there a way to easily add AWAF/DDoS L7 policies if Inbound SSLO is configured?
- No, not currently within the SSLO managed UI interface.

Is there a way to add APM pre-authentication in case of Inbound SSLO?
- You cannot do that in any of the releases prior to 5.1 from the SSLO UI. In 5.0 you would have 2 options: First, deploy normally and then disable the "Protected/Unprotected" lock; then modify the policy per your use in Access -> Per Request Policy. Second, you can define the policy outside first and then use that as a security policy.

What is the best practice to modify already configured Service Chains?
- In 5.0 you just have to modify the definition of the service chain. Go to Service Chain, select the service chain that you want to edit, and follow the hyperlink (name).

When does it make sense to include any service in the Non Intercept Chain? As far as I understand the idea, traffic processed by this chain is not decrypted, so it seems to make no sense to include any service here.
- It could be just to record the traffic.