SSL/TLS is extensively used to protect web traffic, but the technology can also be exploited to create security blind spots. SSL/TLS encrypted tunnels can be used to hide malicious code and other threats from network security and performance monitoring tools. Preventing malware from propagating across networks therefore requires decrypt/encrypt capabilities that enable careful traffic monitoring and inspection.
Don Laursen, Sr. Product Manager at F5, and Juan Asenjo, Sr. Partner Manager at Thales e-Security, explain how a security architecture using application delivery controllers (ADCs) and hardware security modules (HSMs) lets you optimize web services with traffic inspection while safeguarding and managing the critical cryptographic keys that underpin security.
Or why not listen to the webcast: https://www.thales-esecurity.com/knowledge-base/webcasts/protecting-application-delivery-without-network-security-blind-spots
Our Speakers

▌ Juan Asenjo, Sr. Partner Manager, Thales e-Security
Juan has worked in the information security field for over 20 years. He holds degrees in engineering and business, is a Certified Information Systems Security Professional, and is currently working on a post-graduate degree. His experience includes over 10 years within the Department of Defense as an engineer and as a civilian INFOSEC liaison with the U.S. Army-Europe.

▌ Don Laursen, Sr. Product Manager, F5 Networks
Don has been in the technology industry for over 20 years. He is a member of IEEE, ACM, and the International Privacy Professional Association. He holds an MS in computer systems, is a CISSP certified professional, and is a Certified Information Privacy Professional (CIPP/US and CIPP/Europe). Prior to joining the private sector, Don spent 10 years serving as a U.S. Naval Cryptologist in an active-duty role and as a reservist.

Objectives
▌ Describe how network security blind spots occur
▌ Outline the threat they represent to organizations
▌ Define the best practices to protect against them
▌ Explain how to configure a trusted secure system

Significant Performance Impact on Existing Security Stack
▌ Visibility is reduced due to the growth of SSL usage
▌ Malware uses encrypted channels to evade detection
▌ Blind Spots: decryption is a significant undertaking
Performance impact of enabling SSL on existing security devices:
Next-Gen Firewall: 79% performance impact
Next-Gen IPS: 75% performance impact
Threat Defense: no SSL support, 100%
Enabling SSL on a firewall, SWG or an IPS will reduce the overall performance of the appliance, often by more than 80%.

Best Practices
▌ Protecting against encryption blind spots with BIG-IP
  Optimizes the security stack through SSL offload
  Centralized decrypt/encrypt capability
  Support for the latest ciphers and suites, providing network traffic visibility
  Flexible deployment to support diverse environments
▌ SSL/TLS and the encrypt/decrypt feature use crypto keys
  Keys maintained in software can be exposed to threats
  An increasing number of crypto keys is harder to manage
  Customers require certified key protection for compliance

F5 BIG-IP Solution
(Diagram: connection origination through BIG-IP.) But critical keys can exist in multiple places and are vulnerable to physical and software attacks.

F5 BIG-IP Solution with Thales nShield HSM
(Diagram: connection origination through BIG-IP with an attached nShield HSM.) Critical keys are protected and managed within the certified confines of the HSM and are not exposed to physical and software attacks.

Protecting and Managing the Keys
▌ External nShield HSM enables enhanced security
  Protects and manages the critical SSL keys used by BIG-IP and its encrypt/decrypt feature
  Isolates cryptography and keys within a FIPS 140-2 Level 3 and Common Criteria EAL 4+ certified boundary
  Delivers lifecycle hardware key management, mitigates risks, and facilitates regulatory compliance

Value of HSM Integration
F5 BIG-IP
• Optimizes SSL traffic, response times, and customer experience
• Provides traffic visibility and prevents security blind spots
THALES
• Enhances security by protecting crypto keys in dedicated hardware
• Provides dual controls, facilitating auditing and regulatory compliance
INTEGRATION
• Delivers a proven solution with a strong and certified root of trust

HSMs and Problems they Address
▌ What are HSMs?
  Hardware Security Modules: hardened, tamper-resistant devices isolated from the host environment
  An alternative to software crypto libraries
▌ What do HSMs do?
  Secure cryptographic operations
  Protect critical cryptographic keys
  Segregate administration and security domains and enforce policy over the use of keys
nShield HSMs are FIPS 140-2 Level 3 and Common Criteria EAL4+ certified.

Enhanced Security for Application Delivery Controllers
▌ Software-only system: numerous copies of keys across the system and backups
▌ Hardened security system: keys are segregated within an isolated security environment
(Diagram: the same stack, application, operating system, hypervisor, hardware platform with CPU, memory and storage, and back-ups, shown twice: once software-only, with key copies spread across the stack, and once with a Hardware Security Module holding the keys.)

Root of Trust
▌ Provides FIPS 140-2 and Common Criteria certified security
▌ Isolates crypto keys and processes from the host environment
▌ Enforces dual controls and protects from rogue super users
▌ Enhances security and ensures availability of critical keys
▌ Facilitates security compliance, auditing, and reporting
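The two preceding slides make one point from two sides: in a software-only deployment the private key is ordinary data that gets copied across memory, storage and backups, whereas an HSM keeps it inside a boundary that exports only cryptographic operations and enforces dual control on privileged actions. The following Python is an added, constructed demonstration of that boundary written for this page; it is not F5 or Thales code. The class names, the key-handle scheme, the two-approval quorum and the toy textbook RSA (no padding, standard library only) are all assumptions made for the example and stand in for the certified primitives and interface of a real HSM.

```python
"""Constructed demo (not F5/Thales code): where the private key lives.
Toy textbook RSA (no padding, 1024-bit modulus) so it runs on the stdlib alone;
a real HSM runs certified primitives inside tamper-resistant hardware."""
import hashlib
import secrets

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test, adequate for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def _generate_rsa(bits=1024):
    """Return (n, e, d); d is the private exponent that must stay secret."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def verify(public_key, data, signature):
    """Needs only the public key, as a TLS client verifying the server does."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)

class SoftwareKeyStore:
    """Software-only system: the private exponent is ordinary process data."""
    def __init__(self):
        self.n, self.e, self.d = _generate_rsa()
    def sign(self, data):
        return pow(_digest_int(data), self.d, self.n)
    def serialize(self):
        # What lands in config files, memory dumps and backups: each copy is a usable key.
        return {"n": self.n, "e": self.e, "d": self.d}

class HsmBoundary:
    """Hardened system: the key never leaves the boundary; callers hold a handle,
    only the crypto operation is exported, dual control guards the privileged export."""
    QUORUM = 2  # constructed policy: two distinct operator approvals
    def __init__(self):
        n, e, d = _generate_rsa()
        self.__d = d  # modelling device only; real isolation is the hardware
        self._n, self._e = n, e
        self.handle = "key-" + secrets.token_hex(4)
    def public_key(self):
        return (self._n, self._e)
    def sign(self, handle, data):
        if handle != self.handle:
            raise PermissionError("unknown key handle")
        return pow(_digest_int(data), self.__d, self._n)
    def export_private(self, approvals):
        """Export only under dual control, and only as a wrapped blob."""
        if len(set(approvals)) < self.QUORUM:
            raise PermissionError("dual control: %d of %d approvals" % (len(set(approvals)), self.QUORUM))
        # Stand-in for an HSM-wrapped key blob; the raw exponent is never returned.
        return hashlib.sha256(b"wrapped:" + str(self.__d).encode()).hexdigest()
    def serialize(self):
        # A backup of the ADC host carries the handle and public key only.
        return {"handle": self.handle, "public": self.public_key()}

def adc_sign_handshake(hsm, transcript):
    """The ADC's private-key step in a handshake: sign through the handle without
    ever touching the exponent; bulk decrypt/inspect/re-encrypt then uses session keys."""
    return hsm.sign(hsm.handle, transcript)

def denied(fn, *args):
    """True if the boundary refuses the operation; used by the checks below."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

Compare `SoftwareKeyStore.serialize()` with `HsmBoundary.serialize()`: the first is a complete key every time it is written anywhere, the second is a reference that is useless without the module. The `export_private` check is where the slide's "dual controls" and "protects from rogue super users" live: one administrator, even one supplying their own name twice, cannot get key material out.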

Why Thales e-Security?
▌ Experience ‒ Leading global provider of data protection solutions for 40+ years
▌ Leadership ‒ HSMs help secure more than 80% of the world’s payment transactions and most valuable corporate and government information
▌ Market focus ‒ Provides the best data protection solutions possible
▌ Independently certified ‒ Products certified to FIPS standards
▌ Expert advice ‒ Provides training and deployment assistance
Sectors served: Banking, Government, Utilities, High Tech, Mobile

Why F5?
▌ Experience ‒ 7+ years providing SSL offload and transformation
▌ Leadership ‒ Gartner ADC Magic Quadrant Leader
▌ Market focus ‒ Application availability, security and performance
▌ Certified ‒ Products certified for US Government and global markets
▌ Partnerships ‒ Market-leading partnerships and ecosystem

In Summary…
▌ Preventing network security blind spots should be a priority
▌ ADCs are increasingly taking on the task of enabling traffic visibility
▌ The solution delivers better performance and a robust root of trust

Time for Questions…
Thank you!
Juan Asenjo
+1.954.888.6202 / juan.asenjo@thalesesec.com / @asenjoJuan
Don Laursen
+1.205.272.6860 / d.laursen@f5.com