
Protecting application delivery without network security blind spots

Apr 16, 2017

Transcript
Page 1: Protecting application delivery without network security blind spots

www.thales-esecurity.com

Protecting Application Delivery without Network Security Blind Spots

Juan Asenjo, Thales e-Security

Don Laursen, F5 Networks

Page 2: Our Speakers

▌Juan Asenjo, Sr. Partner Manager, Thales e-Security

Juan has worked in the information security field for over 20 years. He has degrees in engineering and business, he is a Certified Information Systems Security Professional (CISSP), and he is currently working on a post-graduate degree. His experience includes over 10 years within the Department of Defense as an engineer and as a civilian INFOSEC liaison with the U.S. Army-Europe.

▌Don Laursen, Sr. Product Manager, F5 Networks

Don has been in the technology industry for over 20 years. He is a member of IEEE, ACM, and the International Privacy Professional Association. He holds an MS in computer systems, is a CISSP certified professional, and is a Certified Information Privacy Professional (CIPP/US and CIPP/Europe). Prior to joining the private sector Don spent 10 years serving as a U.S. Naval Cryptologist, on active duty and as a reservist.

Page 3: Objectives

▌Describe how network security blind spots occur

▌Outline the threat they represent to the organization

▌Define the best practices to protect against them

▌Explain how to configure a trusted secure system

Page 4: Introduction

SSL/TLS use is growing, and that presents a challenge for our customers

Most existing network architectures were not built for SSL-encrypted traffic. Enabling SSL inspection on next-generation security products has a severe performance impact (around 80% degradation).

Cyber criminals are growing more sophisticated and evasive in their attacks

Traditional network architectures were built for little or no encryption. Attackers plant SSL-encrypted malware on compromised servers to evade network monitoring. Without security tools that can inspect SSL traffic, attacker actions go undetected.

[Diagram: an un-encrypted threat is caught by the security services (IPS, DLP, SWG, any security) that sit between untrusted networks and the application resources; the same threat inside an encrypted session passes those services uninspected, the "SSL blind spot".]

Page 5: Network Security Blind Spots

▌Encrypted traffic hinders the work of network security tools

Network health monitoring, DLP, IDS, IPS, malware detection

▌These tools require visibility into network traffic

Security dashboards (SIEMs), policy and privacy enforcement, troubleshooting

[Diagram: traffic labelled ENCRYPTED passing the tools uninspected]

Page 6: Typical Security Stack

[Diagram of the inspection topology: Users / Devices → Internet → Firewall → F5 BIG-IP → Firewall → resources. The BIG-IP decrypts and steers traffic (based on policy, with bypass options) through service pools of IPS, DLP, Web Gateway, Anti-Malware and NGFW, then re-encrypts it. Services are attached by ICAP, by inline insertion in L2 mode (1-armed / 2-armed), or by inline insertion in L3 mode.]
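The "decrypt and steer (based on policy, bypass options)" step in the diagram above is where the blind spot is closed or deliberately left open, and that decision has to be made before the session is decrypted: the only plaintext the intercept point has at that moment is the client's ClientHello. The block below is an added example, not F5 or Thales code. It parses a TLS ClientHello for the server_name (SNI) and supported_versions extensions and applies a constructed bypass/intercept policy with a service chain. The policy rules, the category names (`*.bank.example`, `*.health.example`), the chain labels (ips, dlp, swg, anti-malware) and the `build_client_hello` generator used to produce test input are assumptions for illustration, not BIG-IP configuration.

```python
"""Decrypt-or-bypass steering decided on the TLS ClientHello.

Added example, not F5 or Thales code. The only plaintext an intercept point has
before it terminates a session is the ClientHello, so the bypass decision is
made on the SNI host name. Policy rules, categories and service-chain names
below are constructed assumptions.
"""
import fnmatch
import struct
from typing import Optional

TLS_HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
EXT_SNI, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B   # RFC 6066, RFC 8446


def build_client_hello(sni: Optional[str], versions=(0x0304, 0x0303)) -> bytes:
    """Constructed minimal ClientHello record (one suite, two extensions)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SNI, len(sni_list)) + sni_list
    vers = b"".join(struct.pack("!H", v) for v in versions)
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers) + 1) + bytes([len(vers)]) + vers
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # legacy_version, random, session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"            # TLS_AES_128_GCM_SHA256; null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': str|None, 'versions': [...]}; raise ValueError if malformed."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or rec_len < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:]
    if len(body) != int.from_bytes(hs[1:4], "big") or len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 34                                        # legacy_version + random
    pos += 1 + body[pos]                            # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                            # compression_methods
    result = {"sni": None, "versions": []}
    if pos == len(body):
        return result                               # legacy client, no extensions
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if ext_end != len(body):
        raise ValueError("extensions length mismatch")
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == EXT_SNI:
            p = 2                                   # skip ServerNameList length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    result["sni"] = data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        elif etype == EXT_SUPPORTED_VERSIONS:
            result["versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0]
                                  for i in range(0, data[0], 2)]
    return result


# Constructed steering policy, first match wins. "bypass" leaves the session
# end-to-end encrypted (no inspection); "intercept" decrypts, runs the plaintext
# through the listed service pools in order, then re-encrypts toward the server.
POLICY = [
    {"match": "*.bank.example", "action": "bypass", "chain": [],
     "reason": "financial category: regulatory bypass"},
    {"match": "*.health.example", "action": "bypass", "chain": [],
     "reason": "health category: privacy bypass"},
    {"match": "*", "action": "intercept", "chain": ["ips", "dlp", "swg", "anti-malware"],
     "reason": "default: full service chain"},
]


def steer(record: bytes, policy=POLICY) -> dict:
    """Decide what the intercept point does with the flow that sent `record`."""
    try:
        hello = parse_client_hello(record)
    except (ValueError, IndexError, struct.error) as exc:
        return {"sni": None, "action": "block", "chain": [],
                "reason": f"malformed ClientHello: {exc}"}
    sni = hello["sni"]
    if sni is None:
        # Nothing to classify on, so the flow cannot be bypassed safely:
        # intercept it with the default chain instead of guessing a category.
        return {"sni": None, "action": "intercept", "chain": list(policy[-1]["chain"]),
                "reason": "no SNI: cannot classify, intercept"}
    for rule in policy:
        if fnmatch.fnmatchcase(sni.lower(), rule["match"]):
            return {"sni": sni, "action": rule["action"],
                    "chain": list(rule["chain"]), "reason": rule["reason"]}
    return {"sni": sni, "action": "block", "chain": [], "reason": "no matching rule"}


if __name__ == "__main__":
    for host in ("www.bank.example", "updates.vendor.example", None):
        print(host, "->", steer(build_client_hello(host)))
```

Two checks a practitioner wants are built in: a flow with no SNI cannot be classified, so it is intercepted rather than bypassed; and a malformed or truncated ClientHello is blocked and reported rather than parsed optimistically. Bypass rules match on the client-supplied SNI only, which the client controls, so a bypass category should be as narrow as the compliance requirement allows.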

Page 7: Significant Performance Impact on Existing Security Stack

Visibility is reduced due to the growth of SSL usage. Malware uses encrypted channels to evade detection. Blind spots: … for decryption is a significant undertaking.

Next-Gen Firewall performance impact: 79%

Next-Gen IPS performance impact: 75%

Threat Defense: no SSL support (100%)

Enabling SSL on a firewall, SWG or an IPS will reduce the overall performance of the appliance, often by more than 80%.

Page 8: Threat

▌Threat to your organization

[Diagram: traffic labelled ENCRYPTED reaching the organization uninspected]

Page 9: Best Practices

▌Protecting against encryption blind spots with BIG-IP

Optimizes the security stack through SSL offload

Centralized decrypt/encrypt capability

Support for the latest ciphers and suites, providing network traffic visibility

Flexible deployment to support diverse environments

▌SSL/TLS and the encrypt/decrypt feature use crypto keys

Keys maintained in software can be exposed to threats

A growing number of crypto keys is harder to manage

Customers require certified key protection for compliance

Page 10: F5 BIG-IP Solution

[Diagram: connection origination at the BIG-IP with the SSL keys held in software]

But critical keys can exist in multiple places and are vulnerable to physical and software attacks.

Page 11: F5 BIG-IP Solution with Thales nShield HSM

[Diagram: connection origination at the BIG-IP with the SSL keys held in the nShield HSM]

Critical keys are protected and managed within the certified confines of the HSM and are not exposed to physical and software attacks.

Page 12: Protecting and Managing the Keys

▌External nShield HSM enables enhanced security

Protects and manages the critical SSL keys used by BIG-IP and its encrypt/decrypt feature

Isolates cryptography and keys inside a FIPS 140-2 Level 3 and Common Criteria EAL4+ certified boundary

Delivers lifecycle hardware key management, mitigates risk, and facilitates regulatory compliance

Page 13: Value of HSM Integration

F5 BIG-IP

• Optimizes SSL traffic, response times, and customer experience

• Provides traffic visibility and prevents security blind spots

THALES

• Enhances security by protecting crypto keys in dedicated hardware

• Provides dual controls, facilitating auditing and regulatory compliance

INTEGRATION

• Delivers a proven solution with a strong and certified root of trust

Page 14: HSMs and Problems they Address

▌What are HSMs?

Hardware Security Modules

Hardened, tamper-resistant devices isolated from the host environment

An alternative to software crypto libraries

▌What do HSMs do?

Secure cryptographic operations

Protect critical cryptographic keys

Segregate administration and security domains and enforce policy over the use of keys

nShield HSMs are FIPS 140-2 Level 3 and Common Criteria EAL4+ certified

Page 15: Enhanced Security for Application Delivery Controllers

▌Software-only system

▌Numerous copies of keys across the system and backups

▌Hardened security system

▌Keys are segregated within an isolated security environment

[Diagram: two stacks side by side. Left, the software-only system: application, software environment (operating system, hypervisor), hardware platform (CPU, memory, storage) and back-ups, with key copies spread across the layers. Right, the same stack with a Hardware Security Module attached, holding the keys outside the host environment.]
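Slide 9 and the slide above make the same point from two sides: keys held in software get copied, into configuration backups, operator scratch files, core dumps and backup media, and a growing key estate is harder to manage. Before those keys can be moved behind an HSM they have to be found. The block below is an added example, not F5 or Thales tooling: it scans a set of locations for PEM private-key blocks, fingerprints each key by the SHA-256 of its decoded DER bytes so that copies can be correlated, and reports plaintext copies first. The `sample_estate` paths are constructed, and the PEM bodies are placeholder bytes rather than real keys.

```python
"""Private-key sprawl inventory for a software-only SSL deployment.

Added example, not F5 or Thales code. Scans arbitrary byte blobs for PEM
private-key blocks, fingerprints each key and reports where its copies live.
The estate below is an in-memory, constructed stand-in for a filesystem and
the PEM bodies are placeholder bytes, not real keys.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.DOTALL)


def fingerprint(der: bytes) -> str:
    """Stable identifier for a key: SHA-256 of the decoded (DER) bytes."""
    return hashlib.sha256(der).hexdigest()[:16]


def _split_pem_body(raw: bytes):
    """Separate legacy PEM headers (Proc-Type, DEK-Info) from the base64 body."""
    headers, b64 = {}, []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        if b":" in line and not b64:
            k, _, v = line.partition(b":")
            headers[k.strip()] = v.strip()
        else:
            b64.append(line)
    return headers, b"".join(b64)


def find_private_keys(blob: bytes):
    """Yield (kind, fingerprint, encrypted) for every PEM private key in blob.

    Works on arbitrary bytes, so it also finds keys embedded in core dumps or
    in backup archives that were extracted to disk.
    """
    for m in PEM_RE.finditer(blob):
        kind = m.group(1).decode()
        headers, b64 = _split_pem_body(m.group(2))
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            continue                      # corrupt block: not a usable copy
        encrypted = kind == "ENCRYPTED PRIVATE KEY" or b"DEK-Info" in headers
        yield kind, fingerprint(der), encrypted


def inventory(estate: dict) -> dict:
    """Map fingerprint -> {'kind', 'encrypted', 'locations'} over the estate."""
    found = {}
    for path, blob in sorted(estate.items()):
        for kind, fp, enc in find_private_keys(blob):
            entry = found.setdefault(fp, {"kind": kind, "encrypted": enc, "locations": []})
            entry["locations"].append(path)
    return found


def report(inv: dict) -> list:
    """Report lines, most-copied plaintext keys first."""
    rows = sorted(inv.items(), key=lambda kv: (kv[1]["encrypted"], -len(kv[1]["locations"])))
    return [f"{fp}  {v['kind']:<22} {'enc' if v['encrypted'] else 'PLAIN':<5} "
            f"{len(v['locations'])} copies: {', '.join(v['locations'])}"
            for fp, v in rows]


def pem(kind: str, der: bytes, headers: str = "") -> bytes:
    """Constructed PEM block (placeholder bytes, not a real key)."""
    return (f"-----BEGIN {kind}-----\n{headers}".encode()
            + base64.encodebytes(der) + f"-----END {kind}-----\n".encode())


def sample_estate() -> dict:
    """Constructed locations a key typically leaks into on a software-only ADC."""
    key_a = pem("RSA PRIVATE KEY", bytes(range(64)))
    key_b = pem("PRIVATE KEY", bytes(range(64, 128)))
    key_a_enc = pem("ENCRYPTED PRIVATE KEY", bytes(range(128, 192)))     # passphrase-wrapped export
    key_c = pem("RSA PRIVATE KEY", bytes(range(192, 256)),
                "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n")
    return {
        "/config/ssl/app.key": key_a,
        "/config/ssl/app.key.bak": key_a,
        "/backups/2017-04-01/ssl/app.key": key_a,
        "/home/admin/scratch/key.pem": key_b,
        "/var/crash/core.1234": b"\x00" * 96 + key_a + b"\xff" * 32,   # key paged into a core dump
        "/vault-export/app.enc.key": key_a_enc,
        "/home/admin/old/legacy.key": key_c,
    }


if __name__ == "__main__":
    for line in report(inventory(sample_estate())):
        print(line)
```

An encrypted copy (a PKCS#8 `ENCRYPTED PRIVATE KEY` block, or a legacy block with `DEK-Info` headers) decodes to different bytes from its plaintext original, so it cannot be correlated by fingerprint without the passphrase; the report flags such copies as encrypted and lists them after the plaintext ones rather than silently counting them as unrelated keys.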

Page 16: Root of Trust

Root of Trust

▌Provides FIPS 140-2 and Common Criteria certified security

▌Isolates crypto keys and processes from host environment

▌Enforces dual controls and protects from rogue super users

▌Enhances security and ensures availability of critical keys

▌Facilitates security compliance, auditing, and reporting
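Slide 14 says the HSM enforces policy over the use of keys, and the slide above says it enforces dual controls and protects against rogue super-users. The deck does not describe the mechanism. The block below is an added illustration, not Thales code and not a description of nShield internals: it shows the principle behind dual control as a k-of-n custodian quorum built on Shamir secret sharing, where a wrapped key is released only when k distinct custodians present their shares, and any smaller group, a single administrator included, learns nothing about the secret. The prime field, the verification tag and the XOR wrap are illustrative choices for this example.

```python
"""k-of-n custodian quorum for releasing a protected key (dual control).

Added example, not Thales code and not nShield internals. A key-encryption
secret is split with Shamir secret sharing so that any k of n custodians can
reconstruct it while any k-1 learn nothing. Field size, tag construction and
the XOR wrap are illustrative choices.
"""
import hashlib
import secrets

P = 2**127 - 1          # prime field for the shares (example parameter)
SECRET_BYTES = 16       # secrets are < P, so they fit in 16 bytes


def _poly(coeffs, x):
    """Evaluate the polynomial at x (Horner), coefficients low to high."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, k: int, n: int) -> list:
    """n shares of `secret`; any k of them reconstruct it (degree k-1 polynomial)."""
    if not (0 < k <= n < P and 0 <= secret < P):
        raise ValueError("bad quorum parameters")
    # Non-constant coefficients are drawn from [1, P-1] so the degree is exactly k-1.
    coeffs = [secret] + [secrets.randbelow(P - 1) + 1 for _ in range(k - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0. With fewer than k distinct shares the
    result is independent of the secret, not a partial leak of it."""
    shares = list(dict(shares).items())          # drop duplicate x values
    acc = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        acc = (acc + yi * num * pow(den, P - 2, P)) % P
    return acc


def _tag(secret: int) -> bytes:
    """Commitment to the secret, so a wrong reconstruction is detected."""
    return hashlib.sha256(b"quorum-tag|" + secret.to_bytes(SECRET_BYTES, "big")).digest()[:8]


def _pad(secret: int) -> bytes:
    """Key-wrapping pad derived from the secret (used once per provisioning)."""
    return hashlib.sha256(b"quorum-kek|" + secret.to_bytes(SECRET_BYTES, "big")).digest()


def provision(key: bytes, k: int, n: int):
    """Wrap a 32-byte key under a fresh quorum secret; return (wrapped, tag, shares)."""
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    secret = secrets.randbelow(P)
    wrapped = bytes(a ^ b for a, b in zip(key, _pad(secret)))
    return wrapped, _tag(secret), split_secret(secret, k, n)


def release_key(wrapped: bytes, tag: bytes, presented) -> bytes:
    """Unwrap the key only if the presented shares reconstruct the secret."""
    candidate = recover_secret(presented)
    if _tag(candidate) != tag:
        raise PermissionError(f"quorum not met with {len(dict(presented))} distinct share(s)")
    return bytes(a ^ b for a, b in zip(wrapped, _pad(candidate)))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    wrapped, tag, shares = provision(key, k=2, n=3)     # dual control: 2 of 3 custodians
    print("two custodians:", release_key(wrapped, tag, shares[:2]) == key)
    try:
        release_key(wrapped, tag, shares[:1])
    except PermissionError as exc:
        print("one custodian:", exc)
```

The check that matters for the "rogue super-user" case is in `recover_secret`: duplicate shares are collapsed before interpolation, so one custodian presenting the same card twice still counts as one, and the reconstruction with fewer than k shares is a value unrelated to the secret rather than an approximation of it. In a real HSM the quorum is enforced inside the tamper-resistant boundary; here it is enforced by the mathematics alone, which is the property the hardware protects.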

Page 17: Why Thales e-Security?

▌Experience ‒ Leading global provider of data protection solutions for 40+ years

▌Leadership ‒ HSMs help secure more than 80% of the world's payment transactions and the most valuable corporate and government information

▌Market focus ‒ Provides the best data protection solutions possible

▌Independently certified ‒ Products certified to FIPS standards

▌Expert advice ‒ Provides training and deployment assistance

Banking, Government, Utilities, High Tech, Mobile

Page 18: Why F5?

Why F5?

▌Experience ‒ 7+ Years providing SSL offload and transformation

▌Leadership ‒ Gartner ADC Magic Quadrant Leader

▌Market focus ‒ Application Availability, Security and Performance

▌Certified ‒ Products certified for US Government and Global Markets

▌Partnerships ‒ Market-leading partnerships and ecosystem

Page 19: In Summary…

▌Preventing network security blind spots should be a priority

▌ADCs are increasingly taking on the task of enabling traffic visibility

▌Solution delivers better performance and robust root of trust

Page 20: Time for Questions…

Thank you!

Juan Asenjo
+1.954.888.6202 / [email protected]

Don Laursen
+1.205.272.6860 / [email protected]

@pgalvin63 @asenjoJuan

@pgalvin63 [email protected]