The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), have been widely adopted by organizations to secure IP communications, and their use is growing rapidly. While TLS/SSL provides data privacy and secure communications, it also creates challenges to inspection devices in the security stack when inspecting the encrypted traffic. In short, the encrypted communications cannot be seen as clear text and are passed through without inspection, becoming security blind spots. This creates serious risks for businesses: What if attackers are hiding malware inside the encrypted traffic?

However, performing decryption of TLS/TLS traffic on the security inspection devices, with native decryption support, can tremendously degrade the performance of those devices. This performance concern becomes even more challenging given the demands of stronger, 2048-bit certificates.

An integrated F5 and Cisco solution solves these two SSL/TLS challenges. F5 SSL Orchestrator centralizes TLS/SSL inspection across complex security architectures, enabling flexible deployment options for decrypting and re-encrypting user traffic. It also provides intelligent traffic orchestration using dynamic service chaining and policy-based management. The decrypted traffic is then inspected by one or more Cisco FTD systems, which can prevent previously hidden threats and block zero-day exploits. The Cisco Firepower Threat defense may be delivered using several combinations of Cisco Firepower and ASA platforms and software images. This solution eliminates the blind spots introduced by TLS/SSL and closes any opportunity for adversaries.

Solution Deployment

The F5 and Cisco integrated solution enables organizations to intelligently manage SSL/TLS Traffic while providing visibility into a key threat vector that attackers often use to exploit vulnerabilities, establish command and control channels, and steal data. Without SSL visibility, it is impossible to identify and prevent such threats at scale. F5 SSL Orchestrator intercepts both outbound and inbound traffic. Other security services like DLP (using ICAP), IPS, and HTTP(s) Proxies  can also be deployed alongside Cisco FTD when configured in a service chain within the decrypt zone. Cisco FTD supports both Inline (Layer 2 and Layer 3) and TAP mode of operation. In this example solution, Cisco FTD is configured as Layer 3 / routed hop.

I. Bill of Materials

• F5 SSL Orchestrator 5.1
  • Optional functional add-ons include URL filtering subscription, IP Intelligence subscription, network hardware security module (HSM), F5 Secure Web Gateway (SWG) Services and F5 Access Manager (APM).
• Cisco FTD

II. Pre-requisites

1. F5 SSL Orchestrator is licensed and set up with internal and external VLANs and Self-IP addresses.
2. An SSL certificate—preferably a subordinate certificate authority (CA)—and private key are imported into F5 SSL Orchestrator.
3. The CA certificate chain with root certificate is imported into the client browser.
4. Cisco FTD is setup with physical connectivity to F5 SSL Orchestrator.
5. This Cisco FTD system is managed by Cisco Firepower Device Manager (FDM).

III. IP Addressing

When a Cisco FTD is deployed as an Layer 3/ routed hop, we recommend configuring its IP addresses for interface in the inside zone and interface in the outside zone, from default fixed addressing subnets, provided by SSL Orchestrator, that are derived from a RFC2544 CIDR block of 192.19.0.0. This minimizes the likelihood of address collisions.

In this example,  the Cisco FTD is configured with IP address 198.19.64.61/25 on the interface in the inside zone (connected to SSL Orchestrator ‘To Service’ VLAN)  and 198.19.64.161/25 on the interface in the outside zone (connected to SSL Orchestrator ‘From Service’ VLAN). You will also need to configure static routes to the internal networks with 198.19.64.7 as the next hop and a default route to the Internet with 198.19.64.245 as the gateway. The table below explains the IP addresses that you need to configure when deploying multiple FTDs in the service pool.

IV. Configure Cisco FTD

Configure the interfaces with IP addresses and assign them to Inside and Outside zones.

Configure the static route to internal network (192.168.16.0/24) with next hop as the IP address on the ‘To Service’ VLAN of the SSL Orchestrator (198.19.64.7).

Also, configure the default route to internet with IP address on the ‘To Service’ VLAN of the SSL Orchestrator (198.19.64.245) as the gateway.

V. Deploy F5 SSL Orchestrator using Guided Configuration

SSL Orchestrator version 5.1 introduced Guided Configuration, a workflow-based architecture that provides intuitive, re-entrant configuration steps and presents a completely new and streamlined user experience.  To deploy the SSL Orchestrator application, log into the F5 system. On the F5 Web UI Main menu, navigate to SSL Orchestrator > Configuration and follow the guided configuration steps.

Step 1: Topology Properties

SSL Orchestrator creates discreet configurations based on the selected topology. Selecting explicit forward proxy topology (as shown in the example) will ultimately create an explicit proxy listener.

Step 2: SSL Properties

Select the previously imported subordinate CA certificate (see Prerequisites, above) to sign and issue certificates to the end-host for client-requested HTTPS websites that are intercepted.

Step 3: Create the Cisco Inline L3 Service

The services list section defines the security services that interact with SSL Orchestrator. The guided configuration includes a services catalog that contains common product integrations.

In the service catalog, double click on the  Inline L3 service and configure the service settings: service name, VLAN pair and port remap.

The ‘To VLAN’  and the associated interface define the network connectivity from SSL Orchestrator to the interface in the inside zone on the Cisco FTD.

The ‘From VLAN’  and the associated interface define the network connectivity from SSL Orchestrator to the interface in the outside zone on the Cisco FTD.

For the Cisco FTD to recognize that the steered traffic has been decrypted, it needs to be sent on a non-443 TCP port.

Using the service catalog, create additional security services as required, before proceeding to the next step.

Step 4: Service Chains

Create a service chain, which is an arbitrarily ordered lists of security devices. The service chain determines which services receive traffic.

Step 5: Security Policy

SSL Orchestrator’s guided configuration presents an intuitive rule-based, drag-and-drop user interface for the definition of security policies. In the background, SSL Orchestrator maintains these security policies as visual per-request policies. If traffic processing is required that exceeds the capabilities of the rule-based user interface, the underlying per-request policy can be managed directly. Use this section to create custom rules as required.

Step 6: Intercept Rule

Interception rules are based on the selected topology and define the listeners (analogous to BIG-IP Local Traffic Manager virtual servers) that accept and process different types of traffic, such as TCP, UDP, or other. The resulting BIG-IP LTM virtual servers will bind the SSL settings, VLANs, IPs, and security policies created in the topology workflow.

Step 7: Egress Settings

The egress settings section defines topology-specific egress characteristics like NAT and outbound route.

Step 8: Summary

The configuration summary page presents an expandable list of all the workflow-configured objects. Review the setting and click the Deploy button to deploy SSL Orchestrator.

SSL Orchestrator will be successfully deployed on the F5 system.

VI. Verification

Navigate to http://www.eicar.org/ and download a malware test file via HTTP and HTTPS links from the client.

Login to Cisco FDM Web UI and navigate to Analysis > Intrusions > Alerts to view the malware alert.

Conclusion

The joint solution from F5 Networks and Cisco brings together the best of application delivery and advanced malware protection to help you identify and stop even the most sophisticated attacks, whether in the data center or at the perimeter of your network. Together, we help you accelerate business growth while decreasing the risk of security breaches.

Learn more:

Product page: F5 SSL Orchestrator