Even before the advent of HTTPS Everywhere, we struggled to ensure that every inspection tool got a look at traffic as it left the data center. With over 60% of Internet traffic encrypted and rising, that challenge is only growing. At the same time, HTTPS traffic is negotiated with stronger cipher suites, designed to defeat most man-in-the-middle solutions. Specifically, Perfect Forward Secrecy (PFS) cipher suites are creating blind spots for security and inspection solutions that rely on passive decryption architectures such as span ports: with an ephemeral key exchange, holding the server's private key is no longer enough to recover the session keys from a captured copy of the traffic.
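To make the blind spot concrete, the following added example (not F5 code, and not from the original article) simulates the two key-exchange styles with deliberately tiny textbook RSA and Diffie-Hellman parameters. A simulated span-port decryptor holding the server's static private key recovers the premaster secret when the suite uses RSA key exchange, but finds nothing it can decrypt when the static key only signs an ephemeral Diffie-Hellman share. A small `passive_coverage` helper then estimates, from a constructed list of negotiated IANA cipher-suite names, what share of sessions a static-key decryptor could read. The parameter values and the `Capture` structure are assumptions chosen for readability; the toy group is trivially brute-forceable and stands in for 2048-bit keys only to show the structure.

```python
"""Toy simulation: why forward-secret key exchange blinds passive TLS decryption.

Added illustration, not F5 or BIG-IP code. Parameters are textbook-sized so the
arithmetic is readable; they are trivially breakable and only model the structure.
"""
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Toy long-term server RSA key (textbook values p=61, q=53; assumption, not real).
RSA_N, RSA_E, RSA_D = 3233, 17, 2753   # modulus, public exponent, private exponent

# Toy finite-field Diffie-Hellman group (p=23, g=5; assumption, not a real group).
DH_P, DH_G = 23, 5


@dataclass
class Capture:
    """What a span port sees: handshake contents only, never either party's private state."""
    kx: str                        # "RSA" or "DHE"
    client_kx_msg: int             # ClientKeyExchange payload
    server_kx_msg: Optional[int]   # ServerKeyExchange payload (DHE only)
    signature: Optional[int]       # server's RSA signature over its DH share (DHE only)


def rsa_key_exchange() -> Tuple[int, Capture]:
    """TLS_RSA_*: the client encrypts the premaster secret to the server's static key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    encrypted = pow(premaster, RSA_E, RSA_N)        # ClientKeyExchange on the wire
    return premaster, Capture("RSA", encrypted, None, None)


def dhe_key_exchange() -> Tuple[int, Capture]:
    """TLS_DHE_RSA_*: the static key only signs an ephemeral share; the secret comes from DH."""
    server_priv = secrets.randbelow(DH_P - 2) + 1
    server_pub = pow(DH_G, server_priv, DH_P)       # ServerKeyExchange on the wire
    signature = pow(server_pub, RSA_D, RSA_N)       # toy RSA signature over the share
    client_priv = secrets.randbelow(DH_P - 2) + 1
    client_pub = pow(DH_G, client_priv, DH_P)       # ClientKeyExchange on the wire
    shared = pow(client_pub, server_priv, DH_P)     # both sides derive the same value
    assert shared == pow(server_pub, client_priv, DH_P)
    return shared, Capture("DHE", client_pub, server_pub, signature)


def passive_decryptor(cap: Capture, rsa_d: int) -> Optional[int]:
    """A span-port decryptor that holds the server's static private exponent.

    Returns the premaster secret it can recover from the capture, or None when
    nothing in the capture was encrypted to the static key.
    """
    if cap.kx == "RSA":
        return pow(cap.client_kx_msg, rsa_d, RSA_N)
    # DHE: the static key's only role was signing. Verifying the signature with the
    # public exponent succeeds, but the capture holds g^a and g^b, never a or b.
    assert pow(cap.signature, RSA_E, RSA_N) == cap.server_kx_msg
    return None


def passive_coverage(negotiated_suites: List[str]) -> float:
    """Fraction of sessions readable by a static-key decryptor, from IANA suite names.

    Only TLS_RSA_* suites (static RSA key exchange) are readable; every ECDHE/DHE
    suite and every TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*) is forward secret.
    """
    readable = sum(1 for s in negotiated_suites if s.startswith("TLS_RSA_"))
    return readable / len(negotiated_suites)


if __name__ == "__main__":
    secret, cap = rsa_key_exchange()
    print("RSA kx: decryptor recovered secret ->", passive_decryptor(cap, RSA_D) == secret)
    secret, cap = dhe_key_exchange()
    print("DHE kx: decryptor recovered ->", passive_decryptor(cap, RSA_D))
    # Constructed sample of negotiated suites, as might be pulled from access logs.
    sample = [
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    ]
    print("passive decryption coverage:", passive_coverage(sample))
```

Run against a real list of negotiated suites, `passive_coverage` gives a quick estimate of how much traffic a span-port decryptor is already missing; the simulation above is the reason for the gap, since forward secrecy is a property of the key exchange, not of the cipher that encrypts the application data.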
F5 administrators have long relied on BIG-IP for the secure and flexible termination of HTTPS traffic. Over the past few years, the proprietary SSL/TLS stack on BIG-IP has served as a layer of protection for vulnerable OpenSSL stacks and a transformation gateway for legacy client browsers and/or servers. The drivers for SSL termination on BIG-IP now have more to do with centralized management and enforcement of encryption policies than true offload. In point of fact, you’ll find many articles here on DevCentral about improving your SSL Labs grade.
Since version 11.3 of BIG-IP, F5 has also offered SSL Forward Proxy capability, which lets F5 administrators insert BIG-IP into outbound traffic paths and decrypt traffic headed to the Internet. In subsequent releases, F5 continued to enhance the flexibility of this outbound decryption solution and has been maintaining a specialized SSL Intercept iApp template for configuring more advanced service-insertion and service-chaining features.
Today, F5 announces the evolution of the SSL Intercept iApp with the new F5 SSL Orchestrator solution. The SSL Orchestrator simplifies and enhances the flexibility of creating dynamic service chains in an air-gap architecture. The goal is to enable the most flexible service insertion for any system requiring decrypted traffic. Unlike many other solutions, the F5 SSL Orchestrator can provide multiple service-insertion methods simultaneously: L2, L3, ICAP, and even F5’s unique passive clone pools. Additionally, the SSL Orchestrator is able to selectively re-encrypt traffic without Forward Secrecy ciphers, enabling you to preserve existing architectures and investments in third-party technologies. Last but not least, it wouldn’t be an F5 solution without high availability, and the SSL Orchestrator enables security solutions such as IPS, NGFW, and anti-malware to be monitored and load-balanced to ensure availability.