on 23-Feb-2021 10:07
Data transiting between clients (e.g., PCs, tablets, phones, etc.) and servers are predominantly encrypted with Secure Socket Layer (SSL) or the newer Transport Layer Security (TLS) (For reference, see the 2019 TLS Telemetry Report Summary from F5 Labs) Pervasive encryption results in threats being hidden and invisible to security inspection unless traffic is decrypted. The decryption and encryption of data by different devices that are performing security functions, such as Cisco Web Security Appliance (WSA), potentially increases overhead and latency. Added to the visibility difficulties and the fragmented nature of the security stack, enterprises are finding it challenging to design a comprehensive and lasting security strategy. F5® SSL Orchestrator™ and Cisco WSA integrate to deliver centralized visibility, orchestration, security, and control of web traffic, optimizing protection from web-based threats against any device.
Optional functional add-ons include URL filtering subscription, IP Intelligence subscription, network hardware security module (HSM), and F5 Access Manager (APM).
In this example deployment setup, the SSL Orchestrator is configured to send decrypted traffic to an inline Cisco WSA. SSL Orchestrator handles both decryption and re-encryption of HTTPS traffic, with an inspection zone installed between the ingress and egress. Decrypted traffic is steered to a service pool of Cisco WSA devices. You can also deploy the F5 system as a device sync/failover device group (including an HA pair) with a floating IP address for high availability.
How traffic flows in this deployment:
Please refer to the appropriate Cisco WSA documentation for more detailed information on configuring WSA. The following are the minimal settings required for integration with SSL Orchestrator. Configuration of the web proxy will be performed from the WSA UI. The Cisco WSA can be configured as either a transparent or explicit web proxy.
The SSL Orchestrator guided configuration presents a completely new and streamlined user experience. This workflow-based architecture provides guided configuration steps tailored to a selected topology.
SSL Orchestrator creates discreet configurations based on the selected topology. Select L3 Outbound (transparent proxy) or L3 Explicit Proxy to support decrypted forward proxy traffic flows through the Cisco WSA.
Select the previously imported subordinate CA certificate (see Prerequisites, above) for signing and issuing certificates to the end-host for client-requested HTTPS websites that are intercepted by SSL Orchestrator.
The services list section defines the security services that interact with SSL Orchestrator. The guided configuration includes a services catalog that contains common product integrations.
In the service catalog, double click the 'Cisco WSA HTTP Proxy' service and configure the service settings: Cisco WSA IP address, port, and connected VLANs.
Create these routes to route from the Cisco WSA appliance back to SSL Orchestrator.
Using the SSL Orchestrator service catalog, create additional security services as required before proceeding to the next step.
Create a service chain, which is an ordered list of security devices. The service chain determines which services receive decrypted traffic.
SSL Orchestrator’s guided configuration presents an intuitive rule-based, drag-and-drop user interface for the definition of security policies. In the background, SSL Orchestrator maintains these security policies as visual per-request policies. If traffic processing is required that exceeds the capabilities of the rule-based user interface; the underlying per-request policy can be managed directly. Use this section to create custom rules as required.
Interception rules are based on the selected topology and define the listeners (analogous to BIG-IP Local Traffic Manager virtual servers) that accept and process different types of traffic, such as TCP, UDP, or other. The resulting listeners will bind the SSL settings, VLANs, IPs, and security policies created in the topology workflow.
The egress settings section defines topology-specific egress characteristics like NAT and outbound route.
Review the setting and click deploy SSL Orchestrator.
Use one of the following ways to observe the decrypted traffic
To test an explicit forward proxy topology, configure a client’s browser proxy settings to point this listening IP and port. Ensure that the client trusts the local issuing CA certificate. Open a browser from the client and attempt to access an external HTTPS resource. Once the page is loaded, observe the server certificate of that site and take note of the certificate issuer, which should be the local issuing CA. If you have access to the client’s command-line shell and the cURL or wget utilities, you can simulate browser access using one of the following commands:
curl -vk --proxy [proxy IP:port] https://www.example.com
wget --no-check-certificate -e use_proxy=yes -e https_proxy=[proxy IP:port] -dO – https://www.example.com
Both of these commands will display both the HTML server response and the issuer of the server’s certificate.
Decrypted traffic analysis on the SSL Orchestrator
Perform a tcpdump on the SSL Orchestrator to observe the decrypted clear text traffic. This confirms the SSL interception by the F5 system.
tcpdump –lnni [interface or VLAN name] -Xs0
The security service VLANs and their corresponding application services are all visible from the SSL Orchestrator GUI: Network -> VLANs.
From the web UI, navigate to Help and Support > Packet Capture. Edit the packet capture settings, such as the network interface on which the packet capture runs. Use one of the predefined filters, or create a custom filter and Click Start Capture to begin. Click Stop Capture to end the capture.
Download the packet capture and analyze the tcpdump to observe the decrypted clear text traffic.
Learn more about SSL Orchestrator on f5.com
Recommended best practices guide: SSL Orchestrator and Cisco WSA Solution