The Expectation of SSL Everywhere


White Paper

SSL is the last line of defense for communication and commerce for people around the globe. It is time for organizations to properly embrace a higher security posture to protect SSL.

Introduction

The security of data in transit has traditionally been the purview of nation states. Now the global adoption of the World Wide Web is bringing cryptography to the common man. But the pressure of malicious actors and eavesdroppers is moving nearly all significant speech and commerce onto a single family of cryptographic protocols: SSL (and its successor, TLS; this paper uses "SSL" for both). SSL is the set of cryptographic protocols that secure data in transit. Today SSL is often the only tool standing between an eavesdropper and a target, or a thief and a merchant. The stakes around SSL could hardly be higher. Whether or not it is convenient to admit, it is time for organizations to raise their overall security posture to protect this last line of defense.

Bringing Cryptography to the Common Man

Long before the digital age, those in power used cryptography to defend their interests or to inflict damage on their enemies. The Roman ruler Julius Caesar was known to use ciphers to protect messages of military significance. In the Common Era, embedded ambassadors used ciphers to protect their communications with their sovereigns at home. Mary, Queen of Scots, was implicated in a regicide plot through the cryptanalysis of her enciphered letters. From Victorian England through the World Wars, cryptography remained in the hands of the agencies that used it in the same way it had always been used: for intelligence purposes, toward the protection of the Church or the State.

Then a strange thing happened with the global adoption of the World Wide Web. Suddenly, people around the world gained the ability to communicate freely with each other. At first, discussions centered on technical concepts related to the building of the infrastructure itself, and then around images of kittens. Now, wherever civic dialogue is taking place, people are using social media to communicate. But the public nature of social media allows interested agencies to monitor those communications. Right-to-privacy advocates looked to cryptography to solve this problem.
For the first time in history, cryptography in the form of SSL is being used to protect not just the interests of the powerful but the communications of the common man as well. The common man is starting to expect the use of SSL everywhere, not only to protect privacy but also to prevent common larceny via cyber theft. To meet these expectations, global organizations must embrace a broader, higher security posture to protect SSL, the last line of defense for communication and commerce.

Figure 1: The F5 SSL Everywhere solution.

Elevating Security Posture

The proper deployment of SSL can be daunting even for seasoned administrators. The good news is that there are groups that provide guidelines (beyond those recommended in this paper) to assist in the deployment and evaluation of a proper SSL security posture. The Open Web Application Security Project (OWASP) maintains a best-practices cheat sheet for transport layer protection. The SSL Labs project provides a comprehensive online test that lets administrators evaluate a site's posture: protocol versions, cipher suites, certificate chain, and known weaknesses. Among the practices recommended are methods for futureproofing ciphertext (forward secrecy), achieving optimal key storage, and refactoring for a resilient security architecture.

Counter Passive Surveillance with Forward Secrecy

In 2013, allegations were raised that state intelligence agencies may have been performing broad-spectrum data collection against citizens in the United States, Europe, and indeed throughout the world. The target data was alleged to include metadata about mobile phone calls, the text of SMS messages, and even the encrypted data (ciphertext) of email and other conversations.
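To make the posture evaluation above concrete, here is an added example (not F5's code and not part of the original paper) that audits a TLS server configuration the way an SSL Labs style report would, using only Python's standard ssl module on an OpenSSL backend. It puts a legacy configuration that still offers static RSA key exchange next to a hardened one that offers only ephemeral (forward-secret) key exchange, and reports the suites that would break forward secrecy. The cipher strings are illustrative settings chosen for this example; the kx-* labels are the values CPython's get_ciphers() reports for the key-exchange algorithm.

```python
import ssl

# Key-exchange algorithms reported by SSLContext.get_ciphers() that give
# forward secrecy: ephemeral (EC)DH variants, and "kx-any", which is how
# CPython labels the TLS 1.3 suites (TLS 1.3 key exchange is always ephemeral).
FORWARD_SECRET_KX = ("kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any")


def non_forward_secret(ctx: ssl.SSLContext) -> list:
    """Names of the cipher suites the context would offer that lack forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers() if c["kea"] not in FORWARD_SECRET_KX]


def legacy_context() -> ssl.SSLContext:
    """The 'before' posture: a static RSA key-exchange suite left enabled next to ECDHE.
    Illustrative legacy setting for this example, not a recommendation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")
    return ctx


def forward_secret_context() -> ssl.SSLContext:
    """The 'after' posture: only ephemeral key exchange, with TLS 1.2 as the floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Order matters: OpenSSL prefers earlier entries when the server chooses.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise the posture: does every offered suite give forward secrecy?"""
    offenders = non_forward_secret(ctx)
    return {
        "forward_secrecy": not offenders,
        "non_fs_suites": offenders,
        "min_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", forward_secret_context())):
        print(label, audit(ctx))
```

The same check can be run against a context built from a production cipher string before it is deployed; anything listed under non_fs_suites is a suite whose recorded sessions become readable the day the server's private key leaks.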

Even if an organization lies outside the jurisdiction of a state agency, that agency may be able to tap and record the organization's ciphertext and metadata for years. In the future, the agency may gain access to the key material that enables it to finally decrypt the millions of messages it has saved. This problem of long-term key compromise means that messages which are safe today may not remain so in the future.

SSL has a countermeasure against this kind of passive surveillance: perfect forward secrecy (PFS). With the classic RSA key exchange, the client encrypts the session secret to the server's long-term public key, so anyone who records the handshake and later obtains the server's private key can recover every session key. With forward secrecy, the two sides instead run an ephemeral Diffie-Hellman exchange (DHE, or more commonly the elliptic-curve variant ECDHE) inside the handshake: each connection derives its session key from fresh key pairs that are discarded once the handshake completes, and the server's long-term key only signs the exchange. When PFS is enabled, an attacker or eavesdropper cannot simply recover a single key to decrypt millions of previously recorded conversations. Because PFS can be achieved by enabling the ECDHE or DHE cipher suites that are already built into the SSL termination device, social media providers and other privacy-concerned organizations are quickly adopting it around the world. Note that forward secrecy protects recorded traffic against a future key compromise; it does not protect a session from an attacker who already holds the server's key at handshake time and can impersonate the server.

Protect Key Material with Advanced Storage Architecture

In the spring of 2014, the world was horrified to learn that a pernicious software error (since named Heartbleed, CVE-2014-0160) in the popular OpenSSL library had been available to exploit in millions of websites for more than two years. Heartbleed, so named because the bug lies in the library's implementation of the TLS heartbeat extension, had a devastating effect: a single malformed heartbeat request would quietly return up to 64 KB of the server process's memory to the attacker, and the request could be repeated indefinitely. If anyone had known about Heartbleed before it was publicly disclosed in 2014, they could have been probing much of the Internet, collecting the most high-profile assets (such as private keys, session cookies, and server administrator passwords) without activating alerts or leaving traces in any instrumentation. Heartbleed will likely be recorded as one of the most severe Internet vulnerabilities of all time.
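The record-now-decrypt-later problem and the forward secrecy countermeasure described above, modelled in Python as an added example (not F5's code and not part of the original paper). An eavesdropper records two sessions, one keyed to the server's long-term Diffie-Hellman share and one keyed by an ephemeral exchange, and years later obtains the server's long-term private key. It uses finite-field Diffie-Hellman over the 1024-bit MODP group from RFC 2409 and a toy HMAC-based authenticated cipher so that it runs offline with the standard library alone. The group size, the cipher, and the omitted signature over the server's ephemeral share are simplifications for this example; a real deployment uses ECDHE (or the RFC 7919 groups) with AEAD suites.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 (IKE group 2), generator 2.
# Demonstration parameters only; production uses ECDHE or RFC 7919 groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
SAMPLE_MSG = b"PAN 4111-1111-1111-1111 exp 12/29"  # constructed sample plaintext


def dh_keypair():
    """Random private exponent and the matching public share g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(shared: int) -> bytes:
    """KDF: hash the DH shared secret down to a 32-byte symmetric key."""
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (example only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || keystream-XOR ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(x ^ y for x, y in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    return bytes(x ^ y for x, y in zip(ct, _keystream(key, nonce, len(ct))))


def handshake_static(server_pub: int, msg: bytes) -> dict:
    """No forward secrecy: the client keys the session to the server's long-term
    share. The eavesdropper records the client share and the ciphertext."""
    a, A = dh_keypair()
    key = session_key(pow(server_pub, a, P))  # server gets the same via A^s
    return {"client_share": A, "server_share": server_pub, "blob": seal(key, msg)}


def handshake_ephemeral(server_pub: int, msg: bytes) -> dict:
    """Forward secrecy: both sides use fresh exponents. In TLS the long-term key
    only signs the ephemeral share B (signature omitted in this example)."""
    a, A = dh_keypair()
    b, B = dh_keypair()  # the server discards b after the handshake
    key = session_key(pow(B, a, P))
    assert key == session_key(pow(A, b, P))  # both sides agree on g^(ab)
    return {"client_share": A, "server_share": B, "blob": seal(key, msg)}


def decrypt_later(recording: dict, leaked_server_priv: int):
    """Attacker, years later, with the recording and the server's long-term key.
    All the key lets it compute is client_share^priv, i.e. g^(a*s)."""
    guess = session_key(pow(recording["client_share"], leaked_server_priv, P))
    return unseal(guess, recording["blob"])


def demo() -> dict:
    server_priv, server_pub = dh_keypair()
    rec_static = handshake_static(server_pub, SAMPLE_MSG)
    rec_ephemeral = handshake_ephemeral(server_pub, SAMPLE_MSG)
    return {
        "static": decrypt_later(rec_static, server_priv),
        "ephemeral": decrypt_later(rec_ephemeral, server_priv),
    }


if __name__ == "__main__":
    result = demo()
    print("static key exchange, key leaked later   :", result["static"])
    print("ephemeral key exchange, key leaked later:", result["ephemeral"])
```

In the static case the leaked long-term key reproduces the session key exactly, so the recorded ciphertext opens; in the ephemeral case the session key depends on an exponent the server threw away, so the leaked key yields a wrong key and the tag check fails. That difference is the whole of what "enable the ECDHE cipher suites" buys.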
In the Heartbleed incident, one class of SSL users could be confident that their private keys had not been exposed: users of FIPS 140-2 hardware security modules (HSMs). An HSM is a separate hardware and software security boundary around a cryptographic core and key store. Keys are typically generated inside the store and never leave it; the host asks the HSM to perform the private-key operation and receives only the result. Because the keys are never transferred into the memory of the network host, they could not be leaked by Heartbleed. The host's own memory was still exposed if it ran a vulnerable OpenSSL, so session contents and credentials held by the server process remained at risk: the HSM protects the key, not the process. HSM devices follow the strict FIPS 140-2 cryptographic design guidelines, and they can be costly. Financial and federal institutions have been using them for years and have found ways to increase their value in terms of both management and cost efficiency. Organizations are using HSM devices as centralized key stores (for example, one pair per data center), meaning that the amount of interface training and operational overhead is centralized as well. The centralized HSMs are accessible over the internal network to services that need private-key operations (decryption or signing), so the organization saves on capital and operational costs as well.

Figure 2: Advanced key storage is enabling cloud security.

Network-attached HSMs (netHSMs) are appearing within remote data centers and private clouds. They make it possible for enterprise operations in one data center to request private-key operations from a remote data center. NetHSMs are even appearing in public clouds. Organizations pair these public netHSM (so-called CloudHSM) devices with sister devices within the enterprise data center and then use centralized security controls, such as Application Delivery Controllers, to meter requests between them. HSM devices (in private, network-attached, or cloud configuration), along with forward secrecy, are becoming part of the fabric of the new SSL security posture.

Protect Everything with Always-On SSL Everywhere

Forrester Research security analyst John Kindervag writes of an approach to security called the Zero Trust Model (ZTM). The premise of ZTM is that an architecture is much more robust with regard to security if every component in the network distrusts every other component and treats all inter-device traffic as if it had already bypassed other security measures. The model is being adopted in many network architectures, especially those where security boundaries are particularly porous, such as enterprise-to-cloud and business-to-business-to-cloud. Embracing a model in which sources are always untrustworthy means protecting data in transit even within the organization itself.

The Forrester model centers on a network segmentation gateway that provides security and availability services over multiple high-speed links into each network zone. Such a device needs much deeper insight into packet data, including the application layer. In order to operate on application-layer data, the device must decrypt it first and then, to adhere to the tenets of ZTM, re-encrypt it before forwarding. For years, re-encryption of SSL data after security analysis was a practice found only in the financial sector, driven by organizations' internal security policies, but it is now gaining wider adoption.

Figure 3: The Zero Trust Model may require re-encryption within the enterprise data center.

The re-encryption of data within the organization aligns exactly with ZTM, as it protects data from hosts within the network that may be compromised by attackers or surveillance agencies. However, it may also hide data from security analysis devices such as intrusion detection systems, flow monitors, and web application firewalls, which then see only ciphertext unless they sit where the traffic is decrypted or are fed a decrypted copy.

Conclusion

Whether the world wants to admit it or not, the stakes around Internet security have been raised into the same spheres as human rights, freedom of speech, and free commerce. Yet IT directors may look at PFS, HSMs, and ZTM and grumble that these are non-trivial investments that do not appear to add value to the bottom line of a commercial organization. And, if done improperly, wrapping data within SSL sessions throughout the network may protect the data from prying eyes at the cost of creating blind spots for the organization. The good news is that these concerns are not insurmountable. There are organizations that are solving these security challenges today with innovative architecture that meets the new security posture required by the perilous world we now live in.

F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com
Americas info@f5.com Asia-Pacific apacinfo@f5.com Europe/Middle-East/Africa emeainfo@f5.com Japan f5j-info@f5.com
2015 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. WP-SEC-26052 0113