SSL Orchestrator Service Extensions: User Coaching
To err is human. To accidentally send sensitive data to an AI chatbot in the course of innocently troubleshooting an enterprise payroll system issue is...a disaster. The truth is, this sort of thing happens more often than anyone would like to admit, and it's exceedingly easy to do.
One obvious solution might be to simply prohibit access to generative AI tools, like ChatGPT, from within the enterprise. In some places that makes sense. But in other places, where generative AI can be a useful tool in day-to-day operations, a more subtle approach may be needed.
Ultimately, in those places, the problem isn't the tool. The weakest link in any security architecture is (and probably always will be) the user. Sometimes the most appropriate solution is simply to "guide" users in the right direction. That is what User Coaching is all about.
Introduction
Before diving into the topic of User Coaching, it is important first to introduce the Service Extensions concept. In F5 BIG-IP 17.0, SSL Orchestrator delivered a new feature called "Office365 Tenant Restrictions". This feature implements an HTTP header injection function to enable organizations to control their users' access to company-only Office 365 resources, thus closing a significant data exfiltration vector. But more than this, the feature introduced a NEW type of inspection service...not one that sends inspection traffic to external security tools, or to F5 SWG and/or AWAF policies, but to a simple "loopback" VIP and an iRule. This VIP sits close to the original proxy flow, so it incurs almost no additional latency. But the magic here, and why we're calling this a "service extension", is that this new service type delivers an entirely new programmable inspection service object directly inside the service chain, and that presents enormous possibilities for additional security value without additional external tooling. At this point, all you have to do is create an Office 365 Tenant Restrictions service in the SSL Orchestrator UI, insert that into any/all service chains, and replace the built-in tenant restrictions iRule with your own functions. The service type is only triggered on decrypted HTTP, so it can safely be inserted into any service chain.
One such powerful use case for service extensions is User Coaching, which we'll explore next.
User Coaching
Very simply, User Coaching notifies and "coaches" a user when they attempt to access something that may violate local security policy. Some things can be blocked, but it's often useful to coach but then still allow access. For example, enterprise policy may allow access to external generative AI tools, again, like ChatGPT, Copilot, etc., but you want users to be aware that they're treading into potentially dangerous territory. In most cases, when the user sees the coaching page, they'll head back to safer ground knowing that additional scrutiny will be applied if going forward despite the warning.
User Coaching is implemented in an F5 SSL Orchestrator outbound (forward proxy) scenario as a Service Extension: an iRule solution placed directly on the service chain. The solution is fully customizable, including the look/feel and messaging of the coaching and blocking pages, how and what triggers user coaching, and how users/browsers are uniquely identified (without any agent required on the end-user device).
The User Coaching Service Extension can be found in the f5devcentral/sslo-service-extensions repository on GitHub (User Coaching Service Extension), and includes an installer that creates all of the necessary objects:
## From the BIG-IP Shell, fetch the installer and make it executable:
curl -sk https://raw.githubusercontent.com/f5devcentral/sslo-service-extensions/refs/heads/main/user-coaching/user-coaching-installer.sh -o user-coaching-installer.sh
chmod +x user-coaching-installer.sh
## Export the BIG-IP admin username and password for the installer to use:
export BIGUSER='admin:password'
## Launch the installer:
./user-coaching-installer.sh
The installer will create the default coaching and blocking HTML (iFile objects), the user-coaching iRule, and the new User Coaching inspection service. Once this is complete, simply add the new service to your SSL Orchestrator service chain(s), customize the trigger conditions, coaching/blocking messaging, and client identifier type in the iRule static variables, and then let'er rip. With the defaults in place, and an active URLDB subscription on the BIG-IP, attempting to access a generative AI site will generate a coaching warning page. Hitting the Agree button generates a log entry detailing the source (user) and destination (IP and host).
If you want users to enter a justification to continue, set the REQUIRE_JUSTIFICATION static variable to 1, requiring the user to enter some justification text before agreeing, which is then added to the log.
Or if you need to block something, add those URL categories to the BLOCKING_CATEGORIES array to generate a fully-customizable blocking page.
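To make the mechanics concrete, here is an illustrative iRule written for this article that shows how the pieces above fit together on the loopback VIP: category lookup against the URLDB, a coaching page served from an iFile, a cookie that marks a browser as already coached, the REQUIRE_JUSTIFICATION switch, and outright blocking. It is an added example, not the project's own user-coaching iRule; the iFile names (/Common/coach.html, /Common/block.html), the category names, the cookie name, and the assumption that the coaching page's Agree form submits a GET to /__coach_agree with "just" and "next" parameters are all placeholders you would adapt.

```tcl
## Illustrative user-coaching iRule (added example, not the DevCentral project's code).
## Assumed iFiles: /Common/coach.html and /Common/block.html (created by you).
when RULE_INIT {
    ## Category names as returned by CATEGORY::lookup (assumed values)
    set static::COACHING_CATEGORIES [list "/Common/Generative_AI"]
    set static::BLOCKING_CATEGORIES [list "/Common/Malicious_Web_Sites"]
    ## 1 = the Agree button is only honoured when a justification was typed
    set static::REQUIRE_JUSTIFICATION 1
    ## Cookie that marks a browser as already coached for this host
    set static::COACH_COOKIE "sslo_coached"
}
when HTTP_REQUEST {
    set host [HTTP::host]
    set src  [IP::client_addr]
    ## 1. The coaching page's Agree form posts back as GET /__coach_agree?just=...&next=...
    if { [HTTP::path] equals "/__coach_agree" } {
        set just [URI::query [HTTP::uri] "just"]
        set next [URI::query [HTTP::uri] "next"]
        if { $next eq "" } { set next "/" }
        if { $static::REQUIRE_JUSTIFICATION && $just eq "" } {
            ## No justification given: show the coaching page again
            HTTP::respond 200 content [ifile get "/Common/coach.html"] "Content-Type" "text/html"
            return
        }
        log local0. "COACH-AGREE src=$src host=$host justification=\"$just\""
        ## Mark this browser as coached for this host and send it on to the requested page
        HTTP::respond 302 Location "https://$host$next" \
            "Set-Cookie" "$static::COACH_COOKIE=1; Path=/; Secure; HttpOnly"
        return
    }
    ## 2. Already coached for this host: let the request continue down the service chain
    if { [HTTP::cookie exists $static::COACH_COOKIE] } { return }
    ## 3. Classify the full URL with the URLDB (requires an active subscription)
    set cats [CATEGORY::lookup "https://$host[HTTP::uri]" request_default_and_custom]
    ## Blocking wins over coaching if a URL carries both kinds of category
    foreach cat $cats {
        if { [lsearch -exact $static::BLOCKING_CATEGORIES $cat] >= 0 } {
            log local0. "COACH-BLOCK src=$src host=$host category=$cat"
            HTTP::respond 403 content [ifile get "/Common/block.html"] "Content-Type" "text/html"
            return
        }
    }
    foreach cat $cats {
        if { [lsearch -exact $static::COACHING_CATEGORIES $cat] >= 0 } {
            log local0. "COACH-WARN src=$src host=$host category=$cat"
            HTTP::respond 200 content [ifile get "/Common/coach.html"] "Content-Type" "text/html"
            return
        }
    }
}
```

Because the marker cookie is set by a response from the coached host, the browser scopes it to that host, so each new site in a coaching category produces its own warning and its own log line.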
Summary
Service Extensions provide game-changing power and flexibility to your SSL Orchestrator deployment. The catalog of utilities is small, for now, but will definitely grow over time as new ideas emerge. And User Coaching should prove to be an effective measure in your security architecture, without binding users to overly restrictive policies.
If you think of any interesting use cases for Service Extensions, please let us know!