Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Lightboard Lessons: SSL Outbound Visibility

JRahm
Community Manager
Community Manager

on ‎06-Jul-2016 05:42

You’ve been having trouble sleeping because of the SSL visibility problem with all the fancy security tools that don’t do decryption. Put down that ambien, because this Lightboard Lesson solves it. In episode, David Holmes diagrams the Right Way (tm) to decrypt and orchestrate outbound SSL traffic, improving SSL visibility, decreasing failures and improving network performance.

Labels:
Comments
DavisLi
F5 Employee
F5 Employee
‎07-Jul-2016 00:44
Easy to understand explanation! Always loves how F5 explains technology. So, my question is, an LTM module on a powerful enough hardware plus a PEM to service chain will do it? Thanks!
0 Kudos
JRahm
Community Manager
Community Manager
‎07-Jul-2016 08:35
Hi Recontuer! Glad to hear such great feedback. The solutions depicted in this particular lightboard would lean heavily on the forward proxy functionality in the SWG module.
0 Kudos
DavisLi
F5 Employee
F5 Employee
‎07-Jul-2016 20:52

Thanks! Do we still need an LTM module as the SSL Offloader? Assuming we do not have an SSL offload device currently?

 

0 Kudos
JRahm
Community Manager
Community Manager
‎08-Jul-2016 06:54

i believe the LTM+SWG licensing combo would be required, yes, but an SE could confirm for you.

 

0 Kudos
karlkearney_514
Nimbostratus
Nimbostratus
‎14-Jul-2016 10:30

Great vid. Very digestible way of explaining it. Is there a with paper on this kind of set up? Or could you recommend reading material?

 

0 Kudos
JRahm
Community Manager
Community Manager
‎14-Jul-2016 10:34

there will be details coming, and I can't share exactly why, but my licensing information above is probably inaccurate. Hate to be cryptic, but can't give the goods just yet.

 

0 Kudos
karlkearney_514
Nimbostratus
Nimbostratus
‎14-Jul-2016 10:43

No problem at all. In fact, mystery answer is probably more fun than actual answer...so well played.

 

0 Kudos
mharris30_17770
Nimbostratus
Nimbostratus
‎14-Jul-2016 17:09

Great discussion on outbound SSL visibility. You forgot one important option; forwarding of traffic to a cloud-based filter that does everything the devices you mentioned does, in a single pass, and decrypts SSL once to do it. F5 LTM can simply build a GRE tunnel to that cloud service, and without the cost, complexity, and performance hit of distributing across multiple security appliances, or the addition of the SWG module, you have a.) SSL Visibility (even for DLP), b.) Resiliency of the cloud, and c.) Scalability of a cloud security platform that can grow in SSL performance for a reasonable recurring cost, much like you pay on all those security devices sitting in your data center that you backhaul all the traffic to in order to achieve this centralized processing of outbound SSL traffic. Nothing like combining the leader in inbound traffic management and security, with the leader in outbound traffic security in the cloud.

 

Michael_Leonha1
Nimbostratus
Nimbostratus
‎30-Aug-2016 08:04

So it is 1 month later. Post Agility. Any update on the licensing information discussed above?

 

0 Kudos
Findus
Altostratus
Altostratus
‎30-Sep-2016 00:06

From my knowledge you will need the SSL forward proxy license, which is not included in the SWG license as far as i know. You can integrate SWG into the solution, but this is an option. The SSLi solution can also be run without SWG.

 

0 Kudos
Version history
Last update:
‎06-Jul-2016 05:42
Updated by:
Community Manager
Contributors
Copyright © 2023 Khoros, LLC