SlideShare a Scribd company logo

F5 TLS & SSL Practices

Brian A. McHenry
Brian A. McHenry

The document discusses SSL/TLS trends, practices, and futures. It covers global SSL encryption trends and drivers like increased spending on security and regulatory pressure. It discusses SSL best practices like enabling TLS 1.2, disabling weak protocols, using strong cipher strings, and enabling HTTP Strict Transport Security. The document also looks at solutions from F5 like hardware security modules, advanced key and certificate management, and market leading encryption support. It explores emerging standards like TLS 1.3 and topics like elliptic curve cryptography. Finally, it discusses what's next such as OCSP stapling and F5's SSL everywhere architecture.

1 of 34
Downloaded 945 times
SSL/TLS Trends, Practices, and Futures Brian A. McHenry, Security Solutions Architect bam@f5.com @bamchenry
© F5 Networks, Inc. 2 1. Global SSL Encryption Trends and Drivers 2. A Few “Best” Practices 3. Solutions 4. What’s Next? Agenda
© F5 Networks, Inc. 3 • Worldwide spending on information security will reach $71.1 billion in 2014 • Data loss prevention segment recording the fastest growth at 18.9 percent, • By 2015, roughly 10% of overall IT security enterprise product capabilities will be delivered in the cloud • Regulatory pressure will increase in Western Europe and Asia/Pacific from 2014 Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014
© F5 Networks, Inc. 4 IoEE-Commerce Privacy Mobility S n o w d e n Trajectory and Growth of Encryption Customer Trends: • PFS/ECC Demanded • SSL Labs Application Scoring Emerging Standards: • TLS 1.3, HTTP 2.0/SPDY • RSA -> ECC Thought Leaders and Influence: • Google: SHA2, SPDY, Search Ranking by Encryption • Microsoft: PFS Mandated MARKET AMPLIFIERS SSL growing ~30% annually. Entering the Fifth wave of transition (IoE) 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 1998 2002 2006 2010 2014 Source: Netcraft MillionsofCertificates(CA) Years
© F5 Networks, Inc. 5 Timeline of SSL Vulnerabilities & Attacks February 2010 September 2011 February 2013 March 2013 March 2013 … April 2014 RC4 Attacks Weakness in CBC cipher making plaintext guessing possible BEAST & CRIME Client-sideor MITB attacks leveraging a chosen-plaintext flaw in TLS 1.0 and TLS compression flaws RFC 5746 TLS extension for secure renegotiation quickly mainstreamed Lucky 13 Another timing attack. August 2009 August 2009 Insecure renegotiation vulnerability exposes all SSL stacks to DoS attack TIME A refinement and variation of CRIME Heartbleed The end of the Internet as we know it!
© F5 Networks, Inc. 6 And the Hits Just Keep on Coming…
© F5 Networks, Inc. 7 SSL  Intelligence  and   Visibility  (Full  Proxy) Enterprise  key  &  Certificate   Management   Advance  HSM  Support: • Highest  Performing   HSM   options • Virtualized   low-­‐bandwidth   options • Market  Leading  HSM   Vendor   Support   Market  Leading  Encryption:   • Optimized   SSL  in  Hardware   and  Software • Cipher  Diversity  (RSA,  ECC,   DSA) • SSL  Visibility:   Proxy  SSL  &   Forward  Proxy • SSL  Traffic  Intelligence: • HSTS,  HTTP  2.0/SPDY,   OCSP  Stapling,   TLS     Server  Session  Ticket Fully  Automated   Key  and   Certificate  Management:     • For  all  BIG-­‐IP  platforms • For  all  vendor   platforms • 3rd Party  Integration  for  best-­‐ in-­‐class  key  encryption:   Venafi,   Symantec/  VeriSign • PKI  Supported   Environments The Three Pillars of SSL Everywhere Hardware  Security  Modules  
© F5 Networks, Inc. 8 Data Protection:Microsoft and Google Expands Encryption
© F5 Networks, Inc. 9 Not all curves are considered equal Different Authorities: • US NIST (US National Institute of Standards) with 186-2 (recently superseded in 2009 by the new186-3) • US ANSI (American National Standard Institute) with X9.62 • US NSA (National Security Agency) Suite-B Cryptography for TOP SECRET information exchange • International SACG (Standards for efficient cryptography group) with Recommended Elliptic Curve Domain Parameters • German ECC Brainpool withECC Brainpool with their Strict Security Requirements • ECC Interoperability Forum composed by Certicom, Microsoft, Redhat, Sun, NSA If You Thought Encryption was confusing… ECC, PFS and Curves
© F5 Networks, Inc. 10 Not all curves are considered equal Different Names: • Secp256r1, Prime256v1, NIST P-256 • Secp384r1, NIST-P384 Different Kinds of Curves: • ECC over Prime Field (Elliptic Curve) • ECC over Binary Field (Koblitz Curve) Other Curves: • Curve25519 (Google) • Mumford (Microsoft) • Brainpool • DUAL_EC_RBNG If You Thought Encryption was confusing… ECC, PFS and Curves
Some SSL Best Practices
© F5 Networks, Inc. 12 • Google has begun adjusting page rank based on SSL implementations • F5 customers have third-party/B2B requirements for strong encryption • SSL Labs’ Pulse tool has made testing easy • Users and businesses are choosing services based on Pulse grades SSL: Not Just for Security
© F5 Networks, Inc. 13 • Set the option for Secure Renegotiation to “Require” • Disable SSLv2 and SSLv3 (DEFAULT in 11.5+) • Use an explicit, strong cipher string, such as: • !SSLv2:!EXPORT:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES- GCM:DHE+AES:DHE+3DES:RSA+AES-GCM:RSA+AES:RSA+3DES:-MD5:-SSLv3:-RC4 • Prefer Perfect Forward Secrecy (PFS) • Done via prioritizing Ephemeral (DHE, ECDHE) ciphers in the string above • Enable TLS_FALLBACK_SCSV extension • Enable HTTP Strict Transport Security (HSTS) • iRule prior to TMOS version 12.0 • Integrated into HTTP profile in next release Achieving A+ Grades on SSLLabs.com
© F5 Networks, Inc. 14 HTTP Strict Transport Security iRule when HTTP_RESPONSE { HTTP::header insert Strict-Transport-Security "max- age=[expr {$static::expires - [clock seconds]}]; includeSubDomains” }
© F5 Networks, Inc. 15 • RFC 6797 • HSTS is enabled by the “Strict-Transport-Security” HTTP header e.g.: Strict-Transport-Security: max-age=10886400; includeSubDomains; preload • When received, browsers will: • Automatically convert HTTP references to HTTPS references • Disallow certificate exemptions (self-signed, etc.) • Cache HSTS information and reuse stored values for new sessions New Feature: HTTP Strict Transport Security AVAILABLE IN 12.0
© F5 Networks, Inc. 16 HTTP Strict Transport Security Configuration HTTP Profile Screen
© F5 Networks, Inc. 17
© F5 Networks, Inc. 18 If I sound smart about crypto…
© F5 Networks, Inc. 19 SSL Feature Availability Feature TMOS TLS 1.2 10.2.3 ECC 11.4.0 PFS 11.4.0 SHA256 (SHA2) 10.2.3 SPDY 11.2.0 HTTP 2.0* 11.6.0 HSTS iRules/12.0 Feature TMOS Secure Renegotiation (RFC 5746) 10.2.3 TLS_FALLBACK_SCSV 11.5.0 Network HSM 11.2.1 Onboard HSM Y SNI 11.1.0 Hybrid Certificates (ECC & RSA)* 11.5.0
A Peek Under the Hood
© F5 Networks, Inc. 21 Network Session Application Web  application Physical Client  /  Server L4  Firewall:  Full  stateful  policy  enforcement  and  TCP  DDoS  mitigation SSL  inspection   and  SSL  DDoS  mitigation HTTP  proxy,  HTTP  DDoS  and  application  security Application   health  monitoring  and  performance  anomaly  detection Network Session Application Web  application Physical Client  /  Server Full Proxy Security Proxy  SSL  (Visibility) ASM SSL  Forward  Proxy   (Visibility) SWG
© F5 Networks, Inc. 22 Proxy Chain HUD chains are a series of filters which implement the configuration. The HUD chain is divided into two halves, client and server side. Filters on HUD chains usually are arranged as client/server pairs. The two halves are joined by the “proxy”. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • App “point of delivery & definition” • App Intelligence - layer 3- 7 visibility • Distinct client / server control • Unified services / context • Interoperability and gateway functions Intelligent Full Proxy Benefits BIG-IP Architecture – Proxy Chain
© F5 Networks, Inc. 23 Proxy Chain Each SSL filter handles connection to device on their side of the proxy. Normally, the two SSL filters operate completely independently. Between the two filters, all data is available unencrypted. To fully offload the backend server, remove the server side SSL filter. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • App “point of delivery & definition” • App Intelligence - layer 3- 7 visibility • Distinct client / server control • Unified services / context • Interoperability and gateway functions Intelligent Full Proxy Benefits BIG-IP Architecture – SSL Termination
© F5 Networks, Inc. 24 Data Center Proxy Chain Proxy SSL allows the client certificate to be presented to the server. Intermediary filters are disabled. SSL filters operate in monitor mode during the handshake. Post-handshake, SSL enables decryption and other filters. BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • Allows server to perform client cert auth • L7 content inspection after handshake • Certificate transparent to end user Intelligent Full Proxy Benefits BIG-IP Architecture – Proxy SSL
© F5 Networks, Inc. 25 Proxy Chain Forward SSL is used in Forward Proxy deployments. “Just in time” certificate creation is used to decrypt SSL connections. Enables policy based inspection of secure content. Requires the ability to create trusted certificates to work. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • Inspect secure traffic at network edge • Transparent to the end user • Policy based bypass by: • Source IP Address • Destination IP Address • Host Name (SAN,CN,SNI) Forward SSL Proxy Benefits BIG-IP Architecture – Forward SSL
What’s Next?
© F5 Networks, Inc. 27 A Quick Primer on Certificate Revocation • If a SSL certificate is stolen or compromised, sites need a way to revoke the certificate so it will no longer be trusted. Revocation is handled by either CRL or OCSP. • CRL: Certificate Revocation List • The browser retrieves the list of all revoked certificates from the CA. • The browser then parses the whole list looking for the certificate in question. • OCSP: Online Certificate Status Protocol • The browser sends the certificate to the CA for validation. • The CA responds that the certificate is good, revoked, or unknown. • OCSP is more efficient than CRL, but there’s room for improvement! New Feature: OCSP Stapling AVAILABLE IN 11.6
© F5 Networks, Inc. 28 • OCSP and CRL checks add significant overhead: •DNS (1334ms) •TCP handshake (240ms) •SSL handshake (376ms) •Follow certificate chain (1011ms) •DNS to CA (300ms) •TCP to CA (407ms) •OCSP to CA #1 (598ms) •TCP to CA #2 (317ms) •OCSP to CA #2 (444ms) •Finish SSL handshake (1270ms) < T O TA L : 6 . 3 S e c o n d s > • Add up the time for each step and you'll see that over 30% of the SSL overhead comes from checking whether the certificate has been revoked. • These checks are serial and block downloads. OCSP & CRL Checks Hurt Performance This portion is revocation check overhead.
© F5 Networks, Inc. 29 • OCSP Stapling allows the server to attach CA signed information regarding the certificates validity. • Processing with OCSP enabled: •DNS (1334ms) •TCP handshake (240ms) •SSL handshake (376ms) •Follow certificate chain (1011ms) •Process OCSP Data (10ms) •Finish SSL handshake (1270ms) < T O TA L : 4 . 2 S e c o n d s > O C S P S t a p l i n g a l s o e l i m i n a t e s c o m m u n i c a t i o n w i t h a t h i r d p a r t y d u r i n g c e r t i f i c a t e v a l i d a t i o n . T h i s m a y b e c o n s i d e r e d b e t t e r s e c u r i t y s i n c e i t p r e v e n t s i n f o r m a t i o n l e a k a g e . OCSP Stapling to the Rescue
© F5 Networks, Inc. 30 OCSP Stapling Configuration Changes to ‘Proxy Pool’ when ‘Use Proxy Server’ is enabled
© F5 Networks, Inc. 31 OCSP Stapling Configuration Profile Location Assignment to Client SSL Profile
© F5 Networks, Inc. 32 • SSL termination and inspection from BIG-IP® Local Traffic Manager™ (LTM) • Hybrid cipher support for ECC and RSA ciphers • SSL crypto-offload for additional SSL capacity • Integration with network HSMs from SafeNet and Thales for key management SSL Everywhere RA – Bringing it all Together
© F5 Networks, Inc. 33 SSL Everywhere
F5 TLS & SSL Practices
Ad

Recommended

F5 BigIP LTM Initial, Build, Install and Licensing.
F5 BigIP LTM Initial, Build, Install and Licensing.F5 BigIP LTM Initial, Build, Install and Licensing.
F5 BigIP LTM Initial, Build, Install and Licensing.
Kapil Sabharwal
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
Lior Rotkovitch
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
Jimmy Saigon
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection
Lior Rotkovitch
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices
Lior Rotkovitch
 
F5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsF5 BIG-IP Misconfigurations
F5 BIG-IP Misconfigurations
Denis Kolegov
 
BIG IP F5 GTM Presentation
BIG IP F5 GTM PresentationBIG IP F5 GTM Presentation
BIG IP F5 GTM Presentation
PCCW GLOBAL
 
Cisco Ironport WSA- Introduction and Guide in Short
Cisco Ironport WSA- Introduction and Guide in ShortCisco Ironport WSA- Introduction and Guide in Short
Cisco Ironport WSA- Introduction and Guide in Short
Priyank Sharma
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
BAKOTECH
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Asm bot mitigations v3 final- lior rotkovitch
Asm bot mitigations v3 final- lior rotkovitchAsm bot mitigations v3 final- lior rotkovitch
Asm bot mitigations v3 final- lior rotkovitch
Lior Rotkovitch
 
F5 Networks: architecture and risk management
F5 Networks: architecture and risk managementF5 Networks: architecture and risk management
F5 Networks: architecture and risk management
AEC Networks
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
davidjohnrace
 
The WAF book (Web App Firewall )
The WAF book (Web App Firewall )The WAF book (Web App Firewall )
The WAF book (Web App Firewall )
Lior Rotkovitch
 
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior rotkovitch ASM WAF unified learning – building policy with asm v12Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior Rotkovitch
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
AEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser CachingAEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser Caching
Andrew Khoury
 
Presentation f5 – beyond load balancer
Presentation f5 – beyond load balancerPresentation f5 – beyond load balancer
Presentation f5 – beyond load balancer
xKinAnx
 
15 intro to ssl certificate &amp; pki concept
15 intro to ssl certificate &amp; pki concept15 intro to ssl certificate &amp; pki concept
15 intro to ssl certificate &amp; pki concept
Mostafa El Lathy
 
What's Coming in CloudStack 4.19
What's Coming in CloudStack 4.19What's Coming in CloudStack 4.19
What's Coming in CloudStack 4.19
ShapeBlue
 
Hashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseHashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs Enterprise
Stenio Ferreira
 
[Gaming on AWS] 넥슨 - AWS를 활용한 모바일 게임 서버 개발: 퍼즐 주주의 사례
[Gaming on AWS] 넥슨 - AWS를 활용한 모바일 게임 서버 개발: 퍼즐 주주의 사례[Gaming on AWS] 넥슨 - AWS를 활용한 모바일 게임 서버 개발: 퍼즐 주주의 사례
[Gaming on AWS] 넥슨 - AWS를 활용한 모바일 게임 서버 개발: 퍼즐 주주의 사례
Amazon Web Services Korea
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Virtualization with KVM (Kernel-based Virtual Machine)
Virtualization with KVM (Kernel-based Virtual Machine)Virtualization with KVM (Kernel-based Virtual Machine)
Virtualization with KVM (Kernel-based Virtual Machine)
Novell
 
Web API authentication and authorization
Web API authentication and authorization Web API authentication and authorization
Web API authentication and authorization
Chalermpon Areepong
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application Security
MarketingArrowECS_CZ
 
Red Hat Openshift Fundamentals.pptx
Red Hat Openshift Fundamentals.pptxRed Hat Openshift Fundamentals.pptx
Red Hat Openshift Fundamentals.pptx
ssuser18b1c6
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
Cisco Canada
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern Traffic
Shain Singh
 
Ad

More Related Content

What's hot (20)

End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
BAKOTECH
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Asm bot mitigations v3 final- lior rotkovitch
Asm bot mitigations v3 final- lior rotkovitchAsm bot mitigations v3 final- lior rotkovitch
Asm bot mitigations v3 final- lior rotkovitch
Lior Rotkovitch
 
F5 Networks: architecture and risk management
F5 Networks: architecture and risk managementF5 Networks: architecture and risk management
F5 Networks: architecture and risk management
AEC Networks
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
davidjohnrace
 
The WAF book (Web App Firewall )
The WAF book (Web App Firewall )The WAF book (Web App Firewall )
The WAF book (Web App Firewall )
Lior Rotkovitch
 
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior rotkovitch ASM WAF unified learning – building policy with asm v12Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior Rotkovitch
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
AEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser CachingAEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser Caching
Andrew Khoury
 
Presentation f5 – beyond load balancer
Presentation f5 – beyond load balancerPresentation f5 – beyond load balancer
Presentation f5 – beyond load balancer
xKinAnx
 
15 intro to ssl certificate &amp; pki concept
15 intro to ssl certificate &amp; pki concept15 intro to ssl certificate &amp; pki concept
15 intro to ssl certificate &amp; pki concept
Mostafa El Lathy
 
What's Coming in CloudStack 4.19
What's Coming in CloudStack 4.19What's Coming in CloudStack 4.19
What's Coming in CloudStack 4.19
ShapeBlue
 
Hashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseHashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs Enterprise
Stenio Ferreira
 
[Gaming on AWS] 넥슨 - AWS를 활용한 모바일 게임 서버 개발: 퍼즐 주주의 사례
[Gaming on AWS] 넥슨 - AWS를 활용한 모바일 게임 서버 개발: 퍼즐 주주의 사례[Gaming on AWS] 넥슨 - AWS를 활용한 모바일 게임 서버 개발: 퍼즐 주주의 사례
[Gaming on AWS] 넥슨 - AWS를 활용한 모바일 게임 서버 개발: 퍼즐 주주의 사례
Amazon Web Services Korea
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Virtualization with KVM (Kernel-based Virtual Machine)
Virtualization with KVM (Kernel-based Virtual Machine)Virtualization with KVM (Kernel-based Virtual Machine)
Virtualization with KVM (Kernel-based Virtual Machine)
Novell
 
Web API authentication and authorization
Web API authentication and authorization Web API authentication and authorization
Web API authentication and authorization
Chalermpon Areepong
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application Security
MarketingArrowECS_CZ
 
Red Hat Openshift Fundamentals.pptx
Red Hat Openshift Fundamentals.pptxRed Hat Openshift Fundamentals.pptx
Red Hat Openshift Fundamentals.pptx
ssuser18b1c6
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
BAKOTECH
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Asm bot mitigations v3 final- lior rotkovitch
Asm bot mitigations v3 final- lior rotkovitchAsm bot mitigations v3 final- lior rotkovitch
Asm bot mitigations v3 final- lior rotkovitch
Lior Rotkovitch
 
F5 Networks: architecture and risk management
F5 Networks: architecture and risk managementF5 Networks: architecture and risk management
F5 Networks: architecture and risk management
AEC Networks
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
davidjohnrace
 
The WAF book (Web App Firewall )
The WAF book (Web App Firewall )The WAF book (Web App Firewall )
The WAF book (Web App Firewall )
Lior Rotkovitch
 
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior rotkovitch ASM WAF unified learning – building policy with asm v12Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior Rotkovitch
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
AEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser CachingAEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser Caching
Andrew Khoury
 
Presentation f5 – beyond load balancer
Presentation f5 – beyond load balancerPresentation f5 – beyond load balancer
Presentation f5 – beyond load balancer
xKinAnx
 
15 intro to ssl certificate &amp; pki concept
15 intro to ssl certificate &amp; pki concept15 intro to ssl certificate &amp; pki concept
15 intro to ssl certificate &amp; pki concept
Mostafa El Lathy
 
What's Coming in CloudStack 4.19
What's Coming in CloudStack 4.19What's Coming in CloudStack 4.19
What's Coming in CloudStack 4.19
ShapeBlue
 
Hashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs EnterpriseHashicorp Vault Open Source vs Enterprise
Hashicorp Vault Open Source vs Enterprise
Stenio Ferreira
 
[Gaming on AWS] 넥슨 - AWS를 활용한 모바일 게임 서버 개발: 퍼즐 주주의 사례
[Gaming on AWS] 넥슨 - AWS를 활용한 모바일 게임 서버 개발: 퍼즐 주주의 사례[Gaming on AWS] 넥슨 - AWS를 활용한 모바일 게임 서버 개발: 퍼즐 주주의 사례
[Gaming on AWS] 넥슨 - AWS를 활용한 모바일 게임 서버 개발: 퍼즐 주주의 사례
Amazon Web Services Korea
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Virtualization with KVM (Kernel-based Virtual Machine)
Virtualization with KVM (Kernel-based Virtual Machine)Virtualization with KVM (Kernel-based Virtual Machine)
Virtualization with KVM (Kernel-based Virtual Machine)
Novell
 
Web API authentication and authorization
Web API authentication and authorization Web API authentication and authorization
Web API authentication and authorization
Chalermpon Areepong
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application Security
MarketingArrowECS_CZ
 
Red Hat Openshift Fundamentals.pptx
Red Hat Openshift Fundamentals.pptxRed Hat Openshift Fundamentals.pptx
Red Hat Openshift Fundamentals.pptx
ssuser18b1c6
 

Similar to F5 TLS & SSL Practices (20)

Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
Cisco Canada
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern Traffic
Shain Singh
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
Toni de la Fuente
 
NetScaler 11 Update
NetScaler 11 UpdateNetScaler 11 Update
NetScaler 11 Update
MarketingArrowECS_CZ
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
CASCouncil
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Arnaud Le Hors
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL Process
Rocket Software
 
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastrukturyPlnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
PROIDEA
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
OnBoard Security, Inc. - a Qualcomm Company
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your Environment
Kurtis Kemple
 
F5 TMOS v13.0
F5 TMOS v13.0F5 TMOS v13.0
F5 TMOS v13.0
MarketingArrowECS_CZ
 
F5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 RoadshowF5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 Roadshow
patmisasi
 
Cisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna centerCisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna center
Cisco Canada
 
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Meghan Weinreich
 
F5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric SecurityF5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric Security
Tzoori Tamam
 
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini SummitF5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
kimw001
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Honeywell
 
Mastering the move
Mastering the moveMastering the move
Mastering the move
Trivadis
 
Purpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White PaperPurpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White Paper
Array Networks
 
Thinking about SDN and whether it is the right approach for your organization?
Thinking about SDN and whether it is the right approach for your organization?Thinking about SDN and whether it is the right approach for your organization?
Thinking about SDN and whether it is the right approach for your organization?
Cisco Canada
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
Cisco Canada
 
Decrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern TrafficDecrypting and Selectively Inspecting Modern Traffic
Decrypting and Selectively Inspecting Modern Traffic
Shain Singh
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
Toni de la Fuente
 
NetScaler 11 Update
NetScaler 11 UpdateNetScaler 11 Update
NetScaler 11 Update
MarketingArrowECS_CZ
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
CASCouncil
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Arnaud Le Hors
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL Process
Rocket Software
 
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastrukturyPlnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
PROIDEA
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
OnBoard Security, Inc. - a Qualcomm Company
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your Environment
Kurtis Kemple
 
F5 TMOS v13.0
F5 TMOS v13.0F5 TMOS v13.0
F5 TMOS v13.0
MarketingArrowECS_CZ
 
F5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 RoadshowF5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 Roadshow
patmisasi
 
Cisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna centerCisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna center
Cisco Canada
 
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Meghan Weinreich
 
F5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric SecurityF5 Infosec Israel 2013 Application Centric Security
F5 Infosec Israel 2013 Application Centric Security
Tzoori Tamam
 
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini SummitF5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
kimw001
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Honeywell
 
Mastering the move
Mastering the moveMastering the move
Mastering the move
Trivadis
 
Purpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White PaperPurpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White Paper
Array Networks
 
Thinking about SDN and whether it is the right approach for your organization?
Thinking about SDN and whether it is the right approach for your organization?Thinking about SDN and whether it is the right approach for your organization?
Thinking about SDN and whether it is the right approach for your organization?
Cisco Canada
 
Ad

Recently uploaded (20)

Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz
 
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
James Anderson
 
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptxTop 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
mkubeusa
 
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à GenèveUiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPathCommunity
 
Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...
Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...
Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...
Raffi Khatchadourian
 
Artificial_Intelligence_in_Everyday_Life.pptx
Artificial_Intelligence_in_Everyday_Life.pptxArtificial_Intelligence_in_Everyday_Life.pptx
Artificial_Intelligence_in_Everyday_Life.pptx
03ANMOLCHAURASIYA
 
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier VroomAI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
UXPA Boston
 
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
Lorenzo Miniero
 
fennec fox optimization algorithm for optimal solution
fennec fox optimization algorithm for optimal solutionfennec fox optimization algorithm for optimal solution
fennec fox optimization algorithm for optimal solution
shallal2
 
Design pattern talk by Kaya Weers - 2025 (v2)
Design pattern talk by Kaya Weers - 2025 (v2)Design pattern talk by Kaya Weers - 2025 (v2)
Design pattern talk by Kaya Weers - 2025 (v2)
Kaya Weers
 
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
SOFTTECHHUB
 
Agentic Automation - Delhi UiPath Community Meetup
Agentic Automation - Delhi UiPath Community MeetupAgentic Automation - Delhi UiPath Community Meetup
Agentic Automation - Delhi UiPath Community Meetup
Manoj Batra (1600 + Connections)
 
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Markus Eisele
 
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Mike Mingos
 
machines-for-woodworking-shops-en-compressed.pdf
machines-for-woodworking-shops-en-compressed.pdfmachines-for-woodworking-shops-en-compressed.pdf
machines-for-woodworking-shops-en-compressed.pdf
AmirStern2
 
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptxReimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
John Moore
 
Config 2025 presentation recap covering both days
Config 2025 presentation recap covering both daysConfig 2025 presentation recap covering both days
Config 2025 presentation recap covering both days
TrishAntoni1
 
Building the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdfBuilding the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdf
Cheryl Hung
 
AI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of DocumentsAI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of Documents
UiPathCommunity
 
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Maarten Verwaest
 
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz
 
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
James Anderson
 
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptxTop 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
Top 5 Benefits of Using Molybdenum Rods in Industrial Applications.pptx
mkubeusa
 
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à GenèveUiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPathCommunity
 
Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...
Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...
Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...
Raffi Khatchadourian
 
Artificial_Intelligence_in_Everyday_Life.pptx
Artificial_Intelligence_in_Everyday_Life.pptxArtificial_Intelligence_in_Everyday_Life.pptx
Artificial_Intelligence_in_Everyday_Life.pptx
03ANMOLCHAURASIYA
 
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier VroomAI x Accessibility UXPA by Stew Smith and Olivier Vroom
AI x Accessibility UXPA by Stew Smith and Olivier Vroom
UXPA Boston
 
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
Lorenzo Miniero
 
fennec fox optimization algorithm for optimal solution
fennec fox optimization algorithm for optimal solutionfennec fox optimization algorithm for optimal solution
fennec fox optimization algorithm for optimal solution
shallal2
 
Design pattern talk by Kaya Weers - 2025 (v2)
Design pattern talk by Kaya Weers - 2025 (v2)Design pattern talk by Kaya Weers - 2025 (v2)
Design pattern talk by Kaya Weers - 2025 (v2)
Kaya Weers
 
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
The No-Code Way to Build a Marketing Team with One AI Agent (Download the n8n...
SOFTTECHHUB
 
Agentic Automation - Delhi UiPath Community Meetup
Agentic Automation - Delhi UiPath Community MeetupAgentic Automation - Delhi UiPath Community Meetup
Agentic Automation - Delhi UiPath Community Meetup
Manoj Batra (1600 + Connections)
 
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Enterprise Integration Is Dead! Long Live AI-Driven Integration with Apache C...
Markus Eisele
 
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Optima Cyber - Maritime Cyber Security - MSSP Services - Manolis Sfakianakis ...
Mike Mingos
 
machines-for-woodworking-shops-en-compressed.pdf
machines-for-woodworking-shops-en-compressed.pdfmachines-for-woodworking-shops-en-compressed.pdf
machines-for-woodworking-shops-en-compressed.pdf
AmirStern2
 
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptxReimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
John Moore
 
Config 2025 presentation recap covering both days
Config 2025 presentation recap covering both daysConfig 2025 presentation recap covering both days
Config 2025 presentation recap covering both days
TrishAntoni1
 
Building the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdfBuilding the Customer Identity Community, Together.pdf
Building the Customer Identity Community, Together.pdf
Cheryl Hung
 
AI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of DocumentsAI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of Documents
UiPathCommunity
 
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Limecraft Webinar - 2025.3 release, featuring Content Delivery, Graphic Conte...
Maarten Verwaest
 
Ad

F5 TLS & SSL Practices

  • 1. SSL/TLS Trends, Practices, and Futures Brian A. McHenry, Security Solutions Architect bam@f5.com @bamchenry
  • 2. © F5 Networks, Inc. 2 1. Global SSL Encryption Trends and Drivers 2. A Few “Best” Practices 3. Solutions 4. What’s Next? Agenda
  • 3. © F5 Networks, Inc. 3 • Worldwide spending on information security will reach $71.1 billion in 2014 • Data loss prevention segment recording the fastest growth at 18.9 percent, • By 2015, roughly 10% of overall IT security enterprise product capabilities will be delivered in the cloud • Regulatory pressure will increase in Western Europe and Asia/Pacific from 2014 Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014
  • 4. © F5 Networks, Inc. 4 IoEE-Commerce Privacy Mobility S n o w d e n Trajectory and Growth of Encryption Customer Trends: • PFS/ECC Demanded • SSL Labs Application Scoring Emerging Standards: • TLS 1.3, HTTP 2.0/SPDY • RSA -> ECC Thought Leaders and Influence: • Google: SHA2, SPDY, Search Ranking by Encryption • Microsoft: PFS Mandated MARKET AMPLIFIERS SSL growing ~30% annually. Entering the Fifth wave of transition (IoE) 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 1998 2002 2006 2010 2014 Source: Netcraft MillionsofCertificates(CA) Years
  • 5. © F5 Networks, Inc. 5 Timeline of SSL Vulnerabilities & Attacks February 2010 September 2011 February 2013 March 2013 March 2013 … April 2014 RC4 Attacks Weakness in CBC cipher making plaintext guessing possible BEAST & CRIME Client-sideor MITB attacks leveraging a chosen-plaintext flaw in TLS 1.0 and TLS compression flaws RFC 5746 TLS extension for secure renegotiation quickly mainstreamed Lucky 13 Another timing attack. August 2009 August 2009 Insecure renegotiation vulnerability exposes all SSL stacks to DoS attack TIME A refinement and variation of CRIME Heartbleed The end of the Internet as we know it!
  • 6. © F5 Networks, Inc. 6 And the Hits Just Keep on Coming…
  • 7. © F5 Networks, Inc. 7 SSL  Intelligence  and   Visibility  (Full  Proxy) Enterprise  key  &  Certificate   Management   Advance  HSM  Support: • Highest  Performing   HSM   options • Virtualized   low-­‐bandwidth   options • Market  Leading  HSM   Vendor   Support   Market  Leading  Encryption:   • Optimized   SSL  in  Hardware   and  Software • Cipher  Diversity  (RSA,  ECC,   DSA) • SSL  Visibility:   Proxy  SSL  &   Forward  Proxy • SSL  Traffic  Intelligence: • HSTS,  HTTP  2.0/SPDY,   OCSP  Stapling,   TLS     Server  Session  Ticket Fully  Automated   Key  and   Certificate  Management:     • For  all  BIG-­‐IP  platforms • For  all  vendor   platforms • 3rd Party  Integration  for  best-­‐ in-­‐class  key  encryption:   Venafi,   Symantec/  VeriSign • PKI  Supported   Environments The Three Pillars of SSL Everywhere Hardware  Security  Modules  
  • 8. © F5 Networks, Inc. 8 Data Protection:Microsoft and Google Expands Encryption
  • 9. © F5 Networks, Inc. 9 Not all curves are considered equal Different Authorities: • US NIST (US National Institute of Standards) with 186-2 (recently superseded in 2009 by the new186-3) • US ANSI (American National Standard Institute) with X9.62 • US NSA (National Security Agency) Suite-B Cryptography for TOP SECRET information exchange • International SACG (Standards for efficient cryptography group) with Recommended Elliptic Curve Domain Parameters • German ECC Brainpool withECC Brainpool with their Strict Security Requirements • ECC Interoperability Forum composed by Certicom, Microsoft, Redhat, Sun, NSA If You Thought Encryption was confusing… ECC, PFS and Curves
  • 10. © F5 Networks, Inc. 10 Not all curves are considered equal Different Names: • Secp256r1, Prime256v1, NIST P-256 • Secp384r1, NIST-P384 Different Kinds of Curves: • ECC over Prime Field (Elliptic Curve) • ECC over Binary Field (Koblitz Curve) Other Curves: • Curve25519 (Google) • Mumford (Microsoft) • Brainpool • DUAL_EC_RBNG If You Thought Encryption was confusing… ECC, PFS and Curves
  • 11. Some SSL Best Practices
  • 12. © F5 Networks, Inc. 12 • Google has begun adjusting page rank based on SSL implementations • F5 customers have third-party/B2B requirements for strong encryption • SSL Labs’ Pulse tool has made testing easy • Users and businesses are choosing services based on Pulse grades SSL: Not Just for Security
  • 13. © F5 Networks, Inc. 13 • Set the option for Secure Renegotiation to “Require” • Disable SSLv2 and SSLv3 (DEFAULT in 11.5+) • Use an explicit, strong cipher string, such as: • !SSLv2:!EXPORT:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES- GCM:DHE+AES:DHE+3DES:RSA+AES-GCM:RSA+AES:RSA+3DES:-MD5:-SSLv3:-RC4 • Prefer Perfect Forward Secrecy (PFS) • Done via prioritizing Ephemeral (DHE, ECDHE) ciphers in the string above • Enable TLS_FALLBACK_SCSV extension • Enable HTTP Strict Transport Security (HSTS) • iRule prior to TMOS version 12.0 • Integrated into HTTP profile in next release Achieving A+ Grades on SSLLabs.com
  • 14. © F5 Networks, Inc. 14 HTTP Strict Transport Security iRule when HTTP_RESPONSE { HTTP::header insert Strict-Transport-Security "max- age=[expr {$static::expires - [clock seconds]}]; includeSubDomains” }
  • 15. © F5 Networks, Inc. 15 • RFC 6797 • HSTS is enabled by the “Strict-Transport-Security” HTTP header e.g.: Strict-Transport-Security: max-age=10886400; includeSubDomains; preload • When received, browsers will: • Automatically convert HTTP references to HTTPS references • Disallow certificate exemptions (self-signed, etc.) • Cache HSTS information and reuse stored values for new sessions New Feature: HTTP Strict Transport Security AVAILABLE IN 12.0
  • 16. © F5 Networks, Inc. 16 HTTP Strict Transport Security Configuration HTTP Profile Screen
  • 17. © F5 Networks, Inc. 17
  • 18. © F5 Networks, Inc. 18 If I sound smart about crypto…
  • 19. © F5 Networks, Inc. 19 SSL Feature Availability Feature TMOS TLS 1.2 10.2.3 ECC 11.4.0 PFS 11.4.0 SHA256 (SHA2) 10.2.3 SPDY 11.2.0 HTTP 2.0* 11.6.0 HSTS iRules/12.0 Feature TMOS Secure Renegotiation (RFC 5746) 10.2.3 TLS_FALLBACK_SCSV 11.5.0 Network HSM 11.2.1 Onboard HSM Y SNI 11.1.0 Hybrid Certificates (ECC & RSA)* 11.5.0
  • 20. A Peek Under the Hood
  • 21. © F5 Networks, Inc. 21 Network Session Application Web  application Physical Client  /  Server L4  Firewall:  Full  stateful  policy  enforcement  and  TCP  DDoS  mitigation SSL  inspection   and  SSL  DDoS  mitigation HTTP  proxy,  HTTP  DDoS  and  application  security Application   health  monitoring  and  performance  anomaly  detection Network Session Application Web  application Physical Client  /  Server Full Proxy Security Proxy  SSL  (Visibility) ASM SSL  Forward  Proxy   (Visibility) SWG
  • 22. © F5 Networks, Inc. 22 Proxy Chain HUD chains are a series of filters which implement the configuration. The HUD chain is divided into two halves, client and server side. Filters on HUD chains usually are arranged as client/server pairs. The two halves are joined by the “proxy”. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • App “point of delivery & definition” • App Intelligence - layer 3- 7 visibility • Distinct client / server control • Unified services / context • Interoperability and gateway functions Intelligent Full Proxy Benefits BIG-IP Architecture – Proxy Chain
  • 23. © F5 Networks, Inc. 23 Proxy Chain Each SSL filter handles connection to device on their side of the proxy. Normally, the two SSL filters operate completely independently. Between the two filters, all data is available unencrypted. To fully offload the backend server, remove the server side SSL filter. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • App “point of delivery & definition” • App Intelligence - layer 3- 7 visibility • Distinct client / server control • Unified services / context • Interoperability and gateway functions Intelligent Full Proxy Benefits BIG-IP Architecture – SSL Termination
  • 24. © F5 Networks, Inc. 24 Data Center Proxy Chain Proxy SSL allows the client certificate to be presented to the server. Intermediary filters are disabled. SSL filters operate in monitor mode during the handshake. Post-handshake, SSL enables decryption and other filters. BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • Allows server to perform client cert auth • L7 content inspection after handshake • Certificate transparent to end user Intelligent Full Proxy Benefits BIG-IP Architecture – Proxy SSL
  • 25. © F5 Networks, Inc. 25 Proxy Chain Forward SSL is used in Forward Proxy deployments. “Just in time” certificate creation is used to decrypt SSL connections. Enables policy based inspection of secure content. Requires the ability to create trusted certificates to work. Data Center BIG-IP Platform Clients T C P S S L H T T P P R O X Y H T T P S S L T C P • Inspect secure traffic at network edge • Transparent to the end user • Policy based bypass by: • Source IP Address • Destination IP Address • Host Name (SAN,CN,SNI) Forward SSL Proxy Benefits BIG-IP Architecture – Forward SSL
  • 27. © F5 Networks, Inc. 27 A Quick Primer on Certificate Revocation • If a SSL certificate is stolen or compromised, sites need a way to revoke the certificate so it will no longer be trusted. Revocation is handled by either CRL or OCSP. • CRL: Certificate Revocation List • The browser retrieves the list of all revoked certificates from the CA. • The browser then parses the whole list looking for the certificate in question. • OCSP: Online Certificate Status Protocol • The browser sends the certificate to the CA for validation. • The CA responds that the certificate is good, revoked, or unknown. • OCSP is more efficient than CRL, but there’s room for improvement! New Feature: OCSP Stapling AVAILABLE IN 11.6
  • 28. © F5 Networks, Inc. 28 • OCSP and CRL checks add significant overhead: •DNS (1334ms) •TCP handshake (240ms) •SSL handshake (376ms) •Follow certificate chain (1011ms) •DNS to CA (300ms) •TCP to CA (407ms) •OCSP to CA #1 (598ms) •TCP to CA #2 (317ms) •OCSP to CA #2 (444ms) •Finish SSL handshake (1270ms) < T O TA L : 6 . 3 S e c o n d s > • Add up the time for each step and you'll see that over 30% of the SSL overhead comes from checking whether the certificate has been revoked. • These checks are serial and block downloads. OCSP & CRL Checks Hurt Performance This portion is revocation check overhead.
  • 29. © F5 Networks, Inc. 29 • OCSP Stapling allows the server to attach CA signed information regarding the certificates validity. • Processing with OCSP enabled: •DNS (1334ms) •TCP handshake (240ms) •SSL handshake (376ms) •Follow certificate chain (1011ms) •Process OCSP Data (10ms) •Finish SSL handshake (1270ms) < T O TA L : 4 . 2 S e c o n d s > O C S P S t a p l i n g a l s o e l i m i n a t e s c o m m u n i c a t i o n w i t h a t h i r d p a r t y d u r i n g c e r t i f i c a t e v a l i d a t i o n . T h i s m a y b e c o n s i d e r e d b e t t e r s e c u r i t y s i n c e i t p r e v e n t s i n f o r m a t i o n l e a k a g e . OCSP Stapling to the Rescue
  • 30. © F5 Networks, Inc. 30 OCSP Stapling Configuration Changes to ‘Proxy Pool’ when ‘Use Proxy Server’ is enabled
  • 31. © F5 Networks, Inc. 31 OCSP Stapling Configuration Profile Location Assignment to Client SSL Profile
  • 32. © F5 Networks, Inc. 32 • SSL termination and inspection from BIG-IP® Local Traffic Manager™ (LTM) • Hybrid cipher support for ECC and RSA ciphers • SSL crypto-offload for additional SSL capacity • Integration with network HSMs from SafeNet and Thales for key management SSL Everywhere RA – Bringing it all Together
  • 33. © F5 Networks, Inc. 33 SSL Everywhere
  翻译: