Protecting Application Delivery without Network Security Blind Spots
Juan Asenjo, Thales e-Security
Don Laursen, F5 Networks
www.thales-esecurity.com
Apr 16, 2017
Our Speakers
▌Juan Asenjo, Sr. Partner Manager, Thales e-Security
Juan has worked in the information security field for over 20 years. He has degrees in engineering and business, he is a Certified Information Systems Security Professional, and he is currently working on a post-graduate degree. His experience includes over 10 years within the Department of Defense as an engineer and as a civilian INFOSEC liaison with the U.S. Army-Europe.
▌Don Laursen, Sr. Product Manager, F5 Networks
Don has been in the technology industry for over 20 years. He is a member of the IEEE, the ACM, and the International Association of Privacy Professionals. He holds an MS in computer systems, is a CISSP, and is a Certified Information Privacy Professional (CIPP/US and CIPP/Europe). Prior to joining the private sector, Don spent 10 years serving as a U.S. Naval Cryptologist on active duty and as a reservist.
Objectives
▌Describe how network security blind spots occur
▌Outline the threat they represent to the organization
▌Define best practices to protect against them
▌Explain how to configure a trusted, secure system
Introduction
SSL is growing, and that presents a challenge for our customers
Most network architectures are obsolete: they were not built for SSL encryption. Enabling SSL inspection on next-generation security products carries a heavy performance cost (around 80% degradation).
Cyber criminals are growing more sophisticated and evasive in their attacks
Traditional network architectures were built for little or no encryption. Attackers plant SSL-encrypted malware on compromised servers to evade network monitoring; without security tools that can inspect SSL traffic, attacker actions go undetected.
[Figure: an unencrypted threat and an encrypted threat crossing from untrusted networks through the security services (IPS, DLP, SWG, any security) to the application resources; the encrypted path passes the services uninspected, which is the SSL blind spot]
Network Security Blind Spots
▌Hinder the work of network security tools
Network health monitoring, DLP, IDS, IPS, malware detection
▌These tools require visibility into network traffic
Security dashboards (SIEMs), policy and privacy enforcement, troubleshooting
[Figure: encrypted traffic]
Typical Security Stack
[Figure: traffic path from users/devices to the Internet, through a firewall, the F5 BIG-IP, a second firewall and on to the applications. The BIG-IP decrypts and steers traffic based on policy (with bypass options) and re-encrypts it after inspection. Security service pools (IPS, DLP, web gateway, anti-malware) are inserted via ICAP or inline in L2 mode, one-armed or two-armed; the NGFW pool is inserted inline in L3 mode]
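Added example, not F5 code or BIG-IP configuration: a small Python policy evaluator that models the per-flow decision the "decrypt and steer (based on policy, bypass options)" box makes, so the bypass logic that deliberately reopens part of the blind spot is explicit and countable. The host lists, category names, pinned-host list and service chains are assumptions constructed for the illustration.

```python
"""Per-flow decrypt-and-steer policy (added illustration, not vendor code).

Models the decision an SSL-visibility device makes for each TLS flow:
bypass decryption where policy or technical reality forbids interception,
otherwise terminate TLS, steer the cleartext through a chain of security
services and re-encrypt toward the origin. All tables are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatchcase


class Action(Enum):
    DECRYPT = "decrypt-and-steer"   # terminate TLS, inspect, re-encrypt to origin
    BYPASS = "bypass"               # leave TLS end-to-end: an accepted blind spot
    BLOCK = "block"


@dataclass(frozen=True)
class Flow:
    sni: str          # server name from the ClientHello ("" when absent)
    direction: str    # "outbound" (users to internet) or "inbound" (internet to apps)


@dataclass(frozen=True)
class Decision:
    action: Action
    chain: tuple = ()   # ordered security services the cleartext is steered through
    reason: str = ""


# Constructed policy tables (assumptions for the example, not a real deployment).
BLOCK_HOSTS = ("*.known-bad.example",)
PINNED_HOSTS = ("update.os.example",)   # client pins its certificate; interception would fail
PRIVACY_BYPASS = {                      # categories policy forbids decrypting
    "financial": ("*.bank.example",),
    "healthcare": ("*.health.example",),
}
OUTBOUND_CHAIN = ("ips", "dlp", "swg", "anti-malware")   # ICAP / inline L2 pools
INBOUND_CHAIN = ("ips", "ngfw")                         # inline L3 pool


def _matches(host, patterns):
    """Case-insensitive wildcard match on the SNI, ignoring a trailing dot."""
    host = host.rstrip(".").lower()
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def evaluate(flow):
    """Return the steering decision for one flow; the first matching rule wins."""
    default_chain = OUTBOUND_CHAIN if flow.direction == "outbound" else INBOUND_CHAIN
    if not flow.sni:
        # No SNI means no category: inspect rather than silently reopen the blind spot.
        return Decision(Action.DECRYPT, default_chain, "no SNI, default to inspection")
    if _matches(flow.sni, BLOCK_HOSTS):
        return Decision(Action.BLOCK, (), "destination on block list")
    if _matches(flow.sni, PINNED_HOSTS):
        return Decision(Action.BYPASS, (), "certificate pinning, interception would fail")
    for category, patterns in PRIVACY_BYPASS.items():
        if _matches(flow.sni, patterns):
            return Decision(Action.BYPASS, (), "privacy bypass: " + category)
    return Decision(Action.DECRYPT, default_chain, "policy default: inspect")


def summarize(flows):
    """Count decisions per action; the bypass count is the residual blind spot to review."""
    counts = {a.value: 0 for a in Action}
    for f in flows:
        counts[evaluate(f).action.value] += 1
    return counts


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("www.bank.example", "outbound"),
    Flow("portal.health.example", "outbound"),
    Flow("update.os.example", "outbound"),
    Flow("cdn.vendor.example", "outbound"),
    Flow("evil.known-bad.example", "outbound"),
    Flow("app.corp.example", "inbound"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        d = evaluate(f)
        print(f"{f.direction:8} {f.sni or '<no SNI>':26} {d.action.value:18} {d.chain} {d.reason}")
    print(summarize(SAMPLE_FLOWS))
```

The bypass rules are the only place where encrypted traffic still crosses the stack uninspected, so the summary reports them separately: a privacy bypass is a policy choice to review periodically, and a pinned host is bypassed because interception would simply break the connection rather than produce visibility.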
Significant Performance Impact on Existing Security Stack
Visibility is reduced due to the growth of SSL usage
Malware uses encrypted channels to evade detection
Blind spots: ... for decryption is a significant undertaking
Next-Gen Firewall performance impact: 79%
Next-Gen IPS performance impact: 75%
Threat defense: no SSL support (100%)
Enabling SSL on a firewall, SWG or IPS will reduce the overall performance of the appliance, often by more than 80%
Threat
▌Threat to your organization
[Figure: encrypted traffic]
Best Practices
▌Protecting against encryption blind spots with BIG-IP
Optimizes the security stack through SSL offload
Centralized decrypt/encrypt capability
Support for the latest ciphers and suites, providing network traffic visibility
Flexible deployment to support diverse environments
▌The SSL/TLS and encrypt/decrypt features depend on crypto keys
Keys maintained in software can be exposed to threats
A growing number of crypto keys is harder to manage
Customers require certified key protection for compliance
F5 BIG-IP Solution
[Figure: connection origination through BIG-IP with keys held in software]
But critical keys can exist in multiple places and are vulnerable to physical and software attacks
F5 BIG-IP Solution with Thales nShield HSM
[Figure: connection origination through BIG-IP with keys held in the HSM]
Critical keys are protected and managed within the certified confines of the HSM and are not exposed to physical and software attacks
Protecting and Managing the Keys
▌External nShield HSM enables enhanced security
Protects and manages the critical SSL keys used by BIG-IP and its encrypt/decrypt feature
Isolates cryptography and keys within a FIPS 140-2 Level 3 and Common Criteria EAL4+ certified boundary
Delivers lifecycle hardware key management, mitigates risk, and facilitates regulatory compliance
Value of HSM Integration
F5 BIG-IP
• Optimizes SSL traffic, response times, and customer experience
• Provides traffic visibility and prevents security blind spots
THALES
• Enhances security by protecting crypto keys in dedicated hardware
• Provides dual controls, facilitating auditing and regulatory compliance
INTEGRATION
• Delivers a proven solution with a strong and certified root of trust
HSMs and Problems they Address
▌ What are HSMs?
Hardware Security Modules
Hardened, tamper-resistant devices isolated from the host environment
An alternative to software crypto libraries
▌ What do HSMs do?
Secure cryptographic operations
Protect critical cryptographic keys
Segregate administration and security domains and enforce policy over the use of keys
nShield HSMs are FIPS 140-2 Level 3 and Common Criteria EAL4+ certified
Enhanced Security for Application Delivery Controllers
▌ Software-only system: numerous copies of keys across the system and its backups
▌ Hardened security system: keys are segregated within an isolated security environment
[Figure: two stacks, each showing the application, the software environment (operating system, hypervisor), the hardware platform (CPU, memory, storage) and back-ups. In the software-only stack the key is copied across these layers and the backups; in the hardened stack the key lives only inside the Hardware Security Module]
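Added example, not Thales or F5 code: a scanner for the exposure the software-only column describes. It searches configuration backups, operator exports and a process memory image for PEM private-key headers, flags which copies are unencrypted, and shows that the HSM-backed deployment's backup carries only a key label with nothing to find. Every artifact below is constructed for the example; the configuration lines are not BIG-IP syntax and the PEM bodies are filler, not real key material.

```python
"""Scan backups and memory images for exported private keys (added illustration).

Shows the exposure of a software-only system (key copies across the system and
its backups) versus an HSM-backed one whose backup holds only a key label.
All artifacts are constructed; PEM bodies are filler, not real keys.
"""
import re
from dataclasses import dataclass

# PEM headers for unencrypted and encrypted private keys (PKCS#1, SEC1, PKCS#8).
PEM_HEADER = re.compile(rb"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY)-----")


@dataclass(frozen=True)
class Finding:
    source: str
    offset: int
    kind: str
    encrypted: bool


def find_private_keys(source, data):
    """Return one Finding per PEM private-key header found in the byte blob."""
    findings = []
    for m in PEM_HEADER.finditer(data):
        kind = m.group(1).decode()
        # PKCS#8 marks encryption in the header itself; legacy PEM marks it with
        # a DEK-Info line immediately after the BEGIN line.
        tail = data[m.end(): m.end() + 200]
        encrypted = kind.startswith("ENCRYPTED") or b"DEK-Info:" in tail
        findings.append(Finding(source, m.start(), kind, encrypted))
    return findings


def audit(artifacts):
    """Map artifact name -> findings for every blob in the dict."""
    return {name: find_private_keys(name, blob) for name, blob in artifacts.items()}


def summary(artifacts):
    """Artifact name -> (total findings, how many of them are unencrypted)."""
    return {name: (len(f), sum(1 for x in f if not x.encrypted))
            for name, f in audit(artifacts).items()}


FILLER = b"AAAA" * 16  # stands in for base64 key bytes (constructed, not a key)

# Constructed artifacts for two deployments of the same application delivery controller.
ARTIFACTS = {
    # Software-only: the key file was exported in clear and the nightly backup copied it.
    "software-only/config-backup.tar": (
        b"ssl-key web-01 {\n  file /config/ssl/web-01.key\n}\n"
        + b"-----BEGIN RSA PRIVATE KEY-----\n" + FILLER + b"\n-----END RSA PRIVATE KEY-----\n"
        + b"-----BEGIN PRIVATE KEY-----\n" + FILLER + b"\n-----END PRIVATE KEY-----\n"
    ),
    # Software-only: the process memory image holds the key it was using.
    "software-only/core.dump": (
        b"\x00" * 32
        + b"-----BEGIN EC PRIVATE KEY-----\n" + FILLER + b"\n-----END EC PRIVATE KEY-----\n"
    ),
    # Software-only: an operator's passphrase-protected export (still worth finding).
    "software-only/key-export.pem": (
        b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        + b"DEK-Info: AES-256-CBC,0011223344556677\n\n"
        + FILLER + b"\n-----END RSA PRIVATE KEY-----\n"
    ),
    # HSM-backed: the backup carries only a key label; the key never leaves the HSM.
    "hsm-backed/config-backup.tar": b"ssl-key web-01 {\n  hsm-label bigip-web-01\n}\n",
}

if __name__ == "__main__":
    for name, findings in audit(ARTIFACTS).items():
        status = "clean" if not findings else [
            (f.kind, f.offset, "encrypted" if f.encrypted else "CLEAR") for f in findings]
        print(name, status)
```

Run the scanner over real backup archives, configuration exports and crash dumps of a software-only ADC and every hit is a copy of the key that an attacker with read access to that artifact can use; for the HSM-backed deployment the same artifacts reference the key only by label, so the scan has nothing to report.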
Root of Trust
▌Provides FIPS 140-2 and Common Criteria certified security
▌Isolates crypto keys and processes from host environment
▌Enforces dual controls and protects from rogue super users
▌Enhances security and ensures availability of critical keys
▌Facilitates security compliance, auditing, and reporting
Why Thales e-Security?
▌ Experience ‒ Leading global provider of data protection solutions for 40+ years
▌ Leadership ‒ HSMs help secure more than 80% of the world’s payment transactions and the most valuable corporate and government information
▌ Market focus ‒ Provides the best data protection solutions possible
▌ Independently certified ‒ Products certified to FIPS standards
▌ Expert advice ‒ Provides training and deployment assistance
Sectors served: Banking, Government, Utilities, High Tech, Mobile
Why F5?
▌Experience ‒ 7+ years providing SSL offload and transformation
▌Leadership ‒ Gartner ADC Magic Quadrant Leader
▌Market focus ‒ Application availability, security and performance
▌Certified ‒ Products certified for US Government and global markets
▌Partnerships ‒ Market-leading partnerships and ecosystem
In Summary…
▌Preventing network security blind spots should be a priority
▌ADCs are increasingly taking on the task of enabling traffic visibility
▌The combined solution delivers better performance and a robust root of trust
Time for Questions…
Thank you!
Juan Asenjo: +1.954.888.6202 / [email protected] / @asenjoJuan
Don Laursen: +1.205.272.6860 / [email protected]
@pgalvin63