on - edited on by
LiefZimmerman
Introduction
The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are being widely adopted by organizations to secure IP communications. While SSL/TLS provides data privacy and secure communications, it also creates challenges to inspection devices in the security stack. What if attackers are hiding malware inside the encrypted traffic?
An integrated F5 and Cisco WSA solution solves the SSL/TLS challenges. F5 BIG-IP SSL Orchestrator centralizes SSL/TLS inspection. The decrypted traffic is then inspected by one or more Cisco WSA VMs, which can block previously hidden threats. This solution eliminates the blind spots introduced by SSL/TLS.
Prerequisites
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.
- F5 BIG-IP version 17.1
- F5 SSL Orchestrator version 11.0
- 2x Cisco S100V Virtual Appliances
- Cisco WSA version 12.5.5
- Deployed on VMWare ESXi version 6.7
- Cisco WSA will be configured as an Explicit Proxy
Additional Help
- If setting up SSL Orchestrator for the first time refer to the Deployment Guide available HERE
- For information on SSL Certificate considerations and trust, click HERE
Cisco WSA Virtual Edition Configuration
ESX Virtual Hardware Configuration
The Network Adapters should be configured like the following:
- Network Adapter 1 is used for Management and corresponds to the M1 interface on the WSA.
- Network Adapter 2 is used for Explicit Proxy connections and corresponds to the P1 interface on the WSA.
Create a Port Group for BIG-IP to connect to the P1 interfaces (Network Adapter 2) of the WSA VMs. The ESX vSwitch topology should be configured as follows:
Cisco WSA Configuration
Select Network > Interfaces
Configure the Interfaces as follows:
Note: make sure to select the option to Restrict M1 port to appliance management services only
BIG-IP SSL Orchestrator VMWare ESXi Configuration
Configure the Virtual Machine Network Adapters as follows:
- Network Adapter 1 is used for Management and corresponds to the management interface on the BIG-IP.
- Network Adapter 2 is used for Explicit Proxy connections to/from the WSAs.
- Network Adapter 3 is used for network connectivity from the BIG-IP to the North.
- Network Adapter 4 is used for network connectivity from the BIG-IP to the South.
BIG-IP SSL Orchestrator Network Configuration
The BIG-IP VLAN settings should look like the following:
- TO_WSA is the interfaces used for Explicit Proxy connections to the WSAs.
- Network_South is used for network connectivity from the BIG-IP to the South.
- Network_North is used for network connectivity from the BIG-IP to the North.
The BIG-IP Self IPs setting should look like the following:
- 10.0.0.1 will be used for Explicit Proxy connections to the WSAs.
Note: in this example SSL Orchestrator is deployed with an L3 Inbound Topology. That’s what the other two Self IPs are for. Your configuration will look different if using an L2 Topology.
BIG-IP SSL Orchestrator Configuration
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.
Navigate to SSL Orchestrator > Configuration.
Create the Cisco WSA Service
Under Services, click Add.
In the Service Catalog select the Inline HTTP tab then double click on Cisco WSA HTTP Proxy.
Give it a name, CISCO_WSA in this example.
Under Service Definition unselect the option to Auto Manage Addresses.
For the To Service VLAN select 10.0.0.1 (VLAN TO_WSA).
Click Add for HTTP Proxy Devices.
Enter the WSA IP address, 10.0.0.25 in this example.
Click Done.
Click Add to add the IP address of the 2nd Cisco WSA, 10.0.0.30 in this example.
It should look like the following:
For the From Service VLAN select 10.0.0.1 (VLAN TO_WSA).
Click Save & Next at the bottom.
Click the name of the Service Chain.
Select the CISCO_WSA Service from the left and click the arrow to move it to the right. Click Save.
Click OK
Click Save & Next at the bottom.
Click Deploy
Click OK to the Success message.
When done it should look like the following:
From the Services screen if you expand the Pool Member Status you should see both Cisco WSA VMs.
Testing the Configuration
In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site:
Test this connection now and it should look like the following:
In this example Cisco WSA is configured with a Custom Category to block connections to http://192.168.0.99. When attempting to connect to this site with a web browser you should see a block page like the following:
Note: in the block page you can see Cisco WSA has identified this site as HTTP and not HTTPS. This is because SSL Orchestrator has decrypted the HTTPS and sent the content to Cisco WSA as HTTP.
Check the Dashboard on the Cisco WSA and you should see something like the following:
Here you can see the allowed (Clean) and denied (Suspect) connections.
Conclusion
This completes configuration of BIG-IP SSL Orchestrator with Cisco WSA Virtual Edition. At this point traffic that flows through SSL orchestrator will be decrypted and sent to the Cisco WSA Service and inspected for malicious payloads or policy violations.
