Summary

In the Advanced Technology Center (ATC), we were asked to help one of our strategic partners F5 test out some integration with their SSL Orchestrator (SSLO).  We designed and built a Proof of Concept (POC) at the ATC which integrated F5 SSL Orchestrator with Cisco FirePower, Palo Alto, FireEye, and Blue Coat security devices. The SSLO was deployed with a layer-2 architecture. Part of the testing process involved Ixia traffic generation which contained a target traffic range of 10-20Gbps throughput.

F5 SSL Orchestrator

ATC Insight

The Need

F5 specifically needed to test out, demonstrate, and showcase SSL Orchestrator with other Vendors integrated into a configured service-chain.  In order to meet their needs quickly, F5 utilized the help of the ATC Lab Services team in the Advanced Technology Center (ATC) to integrate several vendor solutions which included Palo Alto, Blue Coat, FireEye, and Cisco Firepower.  Contained in the documentation section of this ATC Insight is a demo video (15 minutes) from our Proof of Concept (POC) environment that shows how F5 SSLO specifically works to remove and add objects in the service-chain in the event there is a loss of connectivity that is detected.

What does F5 SSLO do?

WWT's Advanced Technology Center (ATC) has a strong partnership with F5. The content contained within this ATC Insight will cover how F5 is affecting the market with dynamically orchestrating security infrastructure. Dynamically orchestrating security infrastructure is needed when an organization needs to 'seamlessly move traffic from one active security solution to another, and then change or update the first security solution. This process is performed without interrupting traffic flow or allowing encrypted traffic to bypass without a security check. When swapping out a security solution there may be a need to bypass that solution entirely. When updating a security solution, customers may only want to bypass the solution temporarily without interrupting the traffic flow, traffic decryption, and inspection for the rest of the solutions in your security stack. Customers may want to direct traffic streams to new security solutions in a dynamic service chain to try them out.

F5's SSL orchestrater simplifies many security solution changes while reducing time, cost, and impact. It also alleviates potential traffic bypass and potential exploitation. By orchestrating the security stack, customers can streamline and minimize the often time-consuming and inefficient security change-management process, reducing the risk of time-consuming negative consequences.

Security Changes at the Speed of Business: (Solution Brief Link)

  • Orchestrates the security stack:
    • Shortens time-consuming security change management processes, simplifying equipment changes and mitigating any detrimental impacts.
  • Routes traffic based on context and policy
    • Contextual classification engine increases administrative efficacy by utilizing security resources more efficiently
  • Scales security services
    • Scaling existing or new security services with high-availability and failover protection, achieving enhanced utilization and service availability, even during security stack changes
  • Dynamic service chaining
    • Creates dynamic, logical security service chains based on the type of incoming traffic leveraging existing security solutions.
  • Intelligent traffic bypass
    • Efficiently addresses layer 2 and layer 3 security service insertions

Demo Information

The Demo of the Dynamically Orchestrating Security Infrastructure was conducted by Sandeep Kalidini, a Network Engineer working in WWT's Infrastructure Services organization. 

Timestamps and Video Screen captures

  • 0:11- Changes in security stack
    • Any and all changes in security stack are costly.
Changes in security stack
  • 0:24-How F5 can help simplify security stack change management
    • efficiently uses existing resources
    • speeds up deployment time
    • mitigates unintentional traffic
    • transfers traffic from one solution to the other without interruption
Simplifying security stack change management
  • 0:44
    • SSLO Architecture is configured
    • multiple security servers
    • Cisco N3K for routing and switching
    • multiple security solutions deployed
      • Advanced WAF and AFM
      • Third Party: Fireeye, Palo Alto, WSA(for proxies), Firepower
SSLO Architecture is Configured
  • 1:15
    • VMWare: Windows Servers, Centos, Ixia Client
      • used to support and test the connectivity and production of the design
    • SSLO Details
      • SSLO 1 and 2 are standalone devices (recorded as not SSLOs)
      • SSLO 3 and 4 are active-standby devices
VMWare Support, Connectivity and Production Test
  • 1:38 Select Topology
Select Topology
  • 1:48 Configuration menu
Configuration Menu
  • 1:52 Topology Properties and SSL Orchestrator
Topology Properties

 

SSL Orchestrator
  • 2:34 Service List
Service List
  • 3:02 Initial Service Chain
Service Chain List
  • 3:31 Security Policy
Security Policy
  • 4:18 Interception Rule and Ingress Network Setting
    • specify source and destination addresses
    • specify VLAN and configure VLAN
Interception Rule
  • 4:47 Log Settings
    • Log settings were not used within this demo
Log Settings
  • 5:21 Service Chain Properties
    • alter service chain to not let traffic flow through Palo Alto
Services Chain Properties
  • 7:06 Palo Alto removed
Palo Alto Removed
  • 9:52 Palo Alto reconfigured to be added back in the Service Chain as a Service
Palo Alto configured to be added back in the Service Chain as a Service
  • 12:00 Sample test result to see traffic running
Sample test result to see traffic running
  • 13:49 F5 Dashboard Showcase of traffic and connections
F5 Dashboard Showcase of traffic and connections
  • 15:02 Palo Alto Traffic is flowing properly
Palo Alto Traffic is flowing properly
  • 15:15 Ixia Server View of data traffic
    • traffic is flowing from Palo Alto and SSLO
    • Palo Alto is blocking traffic to the client end due to IP reaching out to other IPs being blocked
Ixia Server View of data traffic

 

Final Impressions and Summary

Connectivity was established successfully between the client and the server. The traffic flowed properly through the Palo Alto firewalls and the SSLO. Based on this demo and the findings from our integrated testing in the ATC, F5's solution made the network more secure. The demo findings were a great benchmark to demonstrate how F5's solution can perform in a production environment. 

Documentation

F5 SSLO-Demo

F5 SSLO-Change at the Speed of Business with Palo Alto

F5 SSLO-Change at the Speed of Business with Cisco Firepower

F5 SSLO-Change at the Speed of Business with F5 Advanced WAF and AFM

Resources:

  • To learn more about Dynamic Orchestration of Security Services
    • F5 SSL Orchestrator Homepage (Link)
    • Solution Brief (Link)
    • Technical Overview and Configuration Articles (Link)
  • To learn more about Guided configuration of SSL Orchestrator on F5 BIG-IP.
    • Guided Configuration (Link)
  • To Learn more about configuration of F5 security services with SSL Orchestrator
    • F5 Advanced Firewall Manager (Link)
    • F5 Advanced Web application Firewall (Link)
  • To Learn more about configuration of 3rd party security services with SSL Orchestrator
  • If you want to bring automation to your SSLO environment, here is  a tool in your toolbelt to be able to leverage.

 

Technologies