How To Inspect Secure Traffic

  • Published 9 Sep 2024
  • Over 80% of all Internet traffic is encrypted, and some companies choose to not inspect that encrypted traffic at all. Attackers routinely send malware via encrypted traffic, so it's important to inspect the encrypted traffic to be able to defend against malicious activity. But, how do you inspect encrypted traffic? And, what is the best approach for doing this? Watch the video to learn more!

COMMENTS • 28

  • @ahhu. 3 years ago +12

    I was hoping to see actually how the inspection is being handled as the title says "How To Inspect Secure Traffic" otherwise, title should say "Buy Our SSL Inspection Product"!

  • @user-cw9jm9lm1d 3 years ago +1

    If I get this right, you basically send all the traffic you want to decrypt to the SSLO, decrypt the traffic, send the decrypted traffic to the NGFW for security profiling, send the decrypted traffic back to the SSLO, encrypt the traffic and then send it to the destination? The first thing that pops into mind is - latency

    • @JasonRahm 3 years ago +1

      Everything in tech is a series of choices. The product is all about orchestration, sending traffic to any number of services for inspection, correction, etc. The idea is that offloading the encryption once instead of at every step in the service chain should save overall from the hopping back and forth. Not only that, but centralizing the orchestration prevents points of failure in any one service.

    • @user-cw9jm9lm1d 3 years ago

      @JasonRahm thanks!

  • @HughJass-jv2lt 3 years ago +1

    ha!
    I always wondered what the SSL Orchestrator was....
    Now I know :]

  • @NeonNotch 3 years ago +1

    How does the decryption/re-encryption process not get detected? Do security warnings get thrown for every site or is this “undetectable”?

    • @devcentral 3 years ago +1

      Great question! In this case, the device doing the decryption (SSL Orchestrator) is the same one that is sending it to the detection devices (IDS, IPS, Sandbox, DLP, etc). As for the client, they would connect to the F5 SSL Orchestrator and, from their perspective, it is the server, so no security warnings would be given.

  • @PetterBruland 3 years ago +2

    Please tell me that the shirt is actually reversed so that it shows up on this reversed video :-)

    • @devcentral 3 years ago +4

      You got it! Yes, we had specially made shirts with the logos reversed so when we 'flipped' the video in post, it would be accurate. Good eyes & thanks for the comment!! So, we're not all left handed. :-)

  • @ic0ns12345 5 years ago +1

    How about don't

  • @moati123 5 years ago +1

    What happens if the SSLO is down?

    • @devcentral 5 years ago +3

      Great question, ahmed! We always recommend deploying the SSLO in High Availability (HA) configuration. If one SSLO went down, traffic would be interrupted momentarily as sessions would need to be re-established on the new active device. Another possibility is to set up mirroring, but that's a big cost to resources. Because most of the traffic would be stateless HTTP, impact would be minimal. I hope this helps!

    • @moati123 5 years ago +1

      @devcentral it helps
      IMHO, it's a business case to see whether it makes sense to deploy a HA SSLO or not
      Thanks a lot for your videos, great effort, keep it up

  • @robertagilar3920 4 years ago +1

    Gr8

  • @ShopperPlug 3 years ago

    Do you have a course that teaches developers to roll their own security scheme for their development web app project?

    • @devcentral 3 years ago +1

      Hi and thanks for the comment(s)! We do have some free training courses: www.f5.com/services/training/free-training-courses
      But, most are focused on F5 solutions. This one might be of value - Getting Started with Programmability: www.f5.com/services/training/free-training-courses/getting-started-with-programmability
      This course discusses Programmability within the context of BIG-IP and specifically the new technology, iControl REST. You will be introduced to foundational technologies, JSON and REST, and then experience a series of increasingly more complex examples that allow you to explore how iControl REST is used to program BIG-IP.

  • @thoughtslibrary 5 years ago

    Where is the person writing? Is this on a glass? How does this annotation work? Can anyone explain it to me?

    • @youngpoy 4 years ago +1

      It's a physical board, like a chalk board. Except his is made of a special material that can be used on camera. So he is writing on a real board with a special marker.

    • @devcentral 3 years ago

      This is how: ua-cam.com/video/U7E_L4wCPTc/v-deo.html

  • @zingy_zippy_bouncy8460 4 years ago +1

    If we have NGFW in place, why would we need a separate solution for WAF/IPS/IDS?
    NGFW can handle that stuff.

    • @devcentral 4 years ago +1

      Great question and point! It's true that NGFW can handle much more than the traditional network firewalls of the past. However, it's still true that other security devices are probably in place for an organization (other than just the NGFW). With that, it's important to have one device that can decrypt the traffic and send it to all the security devices in the architecture. Otherwise, you would have to decrypt/encrypt each time you send it to another device. Hope this helps!

    • @zingy_zippy_bouncy8460 4 years ago

      @devcentral In case of NGFW, traffic comes in gets decrypted (didn't get encrypt/decrypt every time)
      Also, I believe NGFW is primarily a firewall and may possess such capabilities but might not perform that well with decryption along with other stuff.

  • @karangopani1642 3 years ago

    Waste if you are trying to implement an in-line architecture

  • @brentturner6565 7 months ago

    This comment saved me time. Thank you

  • @abhaypratap5311 5 years ago +4

    Decrypting user data violating user privacy.

    • @devcentral 5 years ago +3

      Hi Abhay, the SSL Orchestrator allows you to set up policies where you can bypass the decryption for certain websites (URLs, etc). So, for banking or healthcare or government sites (governed by privacy laws, regulations, etc), you can simply bypass all the inspection services and not decrypt the traffic at all. In this case, the SSL Orchestrator simply acts as a proxy device and passes the traffic on to the destination without ever decrypting it.

    • @ic0ns12345 5 years ago

      This also usually weakens the TLS ecosystem at the same time. @devcentral