ATC Tests F5 SSLO in the Lab
In this ATC Insight
Summary
In the Advanced Technology Center (ATC), we were asked to help one of our strategic partners F5 test out some integration with their SSL Orchestrator (SSLO). We designed and built a Proof of Concept (POC) at the ATC which integrated F5 SSL Orchestrator with Cisco FirePower, Palo Alto, FireEye, and Blue Coat security devices. The SSLO was deployed with a layer-2 architecture. Part of the testing process involved Ixia traffic generation which contained a target traffic range of 10-20Gbps throughput.
ATC Insight
The Need
F5 specifically needed to test out, demonstrate, and showcase SSL Orchestrator with other Vendors integrated into a configured service-chain. In order to meet their needs quickly, F5 utilized the help of the ATC Lab Services team in the Advanced Technology Center (ATC) to integrate several vendor solutions which included Palo Alto, Blue Coat, FireEye, and Cisco Firepower. Contained in the documentation section of this ATC Insight is a demo video (15 minutes) from our Proof of Concept (POC) environment that shows how F5 SSLO specifically works to remove and add objects in the service-chain in the event there is a loss of connectivity that is detected.
What does F5 SSLO do?
WWT's Advanced Technology Center (ATC) has a strong partnership with F5. This ATC Insight covers how F5 is affecting the market with dynamic orchestration of security infrastructure. Dynamic orchestration is needed when an organization has to seamlessly move traffic from one active security solution to another and then change or update the first solution. This is done without interrupting traffic flow and without letting encrypted traffic bypass inspection. When swapping out a security solution there may be a need to bypass that solution entirely. When updating a security solution, customers may want to bypass it only temporarily, without interrupting traffic flow, decryption, and inspection for the rest of the solutions in their security stack. Customers may also want to direct traffic streams to new security solutions in a dynamic service chain to try them out.
F5's SSL Orchestrator simplifies many security solution changes while reducing time, cost, and impact. It also reduces the risk of traffic bypassing inspection and of the exploitation that could follow. By orchestrating the security stack, customers can streamline the often time-consuming and inefficient security change-management process and reduce the risk of costly negative consequences.
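The behaviour described above, an inspection chain that keeps forwarding and inspecting traffic while one device is pulled for maintenance, and that never silently skips inspection when nothing is left to inspect with, is modelled in the following added example. It is illustrative code written for this Insight, not F5 SSL Orchestrator code and not the configuration used in the ATC demo; the device names (ngfw, ids, proxy), the blocked address, the signature marker and the sample flows are all constructed.

```python
"""Toy model of a dynamically orchestrated inspection service chain.

Added example, not F5 code. It shows two invariants the text describes:
removing one device from the chain leaves the remaining devices inspecting
traffic, and an empty chain fails closed unless an operator explicitly
chooses fail-open.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Flow = Dict[str, str]  # decrypted flow summary: src, dst, payload (constructed fields)

# Constructed sample policy data; not taken from the demo.
BLOCKED_DST = {"198.51.100.23"}   # the firewall denies flows to this address
SIGNATURE = "EICAR-TEST-STRING"   # the IDS denies payloads carrying this marker


@dataclass
class Service:
    name: str
    inspect: Callable[[Flow], bool]  # True means the device allows the flow
    healthy: bool = True             # driven by health monitoring
    admin_bypass: bool = False       # operator took it out for maintenance


@dataclass
class Decision:
    verdict: str                                   # allow | block | fail-closed | allow-uninspected
    path: List[str] = field(default_factory=list)  # devices that actually saw the flow


class ServiceChain:
    """Ordered inspection chain rebuilt from live device state for every flow."""

    def __init__(self, services: List[Service], fail_open: bool = False):
        self.services = {s.name: s for s in services}
        self.order = [s.name for s in services]
        self.fail_open = fail_open

    def mark_health(self, name: str, healthy: bool) -> None:
        # In a real deployment a monitor (ICMP/TCP/HTTP probe) would set this.
        self.services[name].healthy = healthy

    def set_bypass(self, name: str, bypass: bool) -> None:
        self.services[name].admin_bypass = bypass

    def active_path(self) -> List[str]:
        return [n for n in self.order
                if self.services[n].healthy and not self.services[n].admin_bypass]

    def process(self, flow: Flow) -> Decision:
        path = self.active_path()
        if not path:
            # Nothing is left to inspect with. Forwarding here would be the silent
            # bypass orchestration is meant to prevent, so fail closed by default;
            # fail-open has to be an explicit operator choice.
            return Decision("allow-uninspected" if self.fail_open else "fail-closed", path)
        for name in path:
            if not self.services[name].inspect(flow):
                return Decision("block", path)
        return Decision("allow", path)


def build_chain(fail_open: bool = False) -> ServiceChain:
    firewall = Service("ngfw", lambda f: f["dst"] not in BLOCKED_DST)
    ids = Service("ids", lambda f: SIGNATURE not in f["payload"])
    proxy = Service("proxy", lambda f: True)  # stand-in device that allows everything
    return ServiceChain([firewall, ids, proxy], fail_open)


def run_scenarios() -> Dict[str, Decision]:
    clean = {"src": "10.0.0.5", "dst": "203.0.113.10", "payload": "GET /index.html"}
    to_blocked = {"src": "10.0.0.5", "dst": "198.51.100.23", "payload": "GET /"}
    flagged = {"src": "10.0.0.5", "dst": "203.0.113.10", "payload": "X5O!" + SIGNATURE}

    chain = build_chain()
    results = {
        "clean_full_chain": chain.process(clean),
        "blocked_dst_full_chain": chain.process(to_blocked),
    }
    # Operator pulls the firewall for an upgrade: traffic keeps flowing and the
    # remaining devices still inspect it (the firewall's own policy is not enforced
    # meanwhile, which is the trade-off the operator accepts).
    chain.set_bypass("ngfw", True)
    results["blocked_dst_ngfw_bypassed"] = chain.process(to_blocked)
    results["flagged_ngfw_bypassed"] = chain.process(flagged)
    chain.set_bypass("ngfw", False)
    # Health monitoring reports every device down.
    for n in chain.order:
        chain.mark_health(n, False)
    results["all_down_default"] = chain.process(clean)
    open_chain = build_chain(fail_open=True)
    for n in open_chain.order:
        open_chain.mark_health(n, False)
    results["all_down_fail_open"] = open_chain.process(clean)
    return results


if __name__ == "__main__":
    for scenario, decision in run_scenarios().items():
        print(f"{scenario:28s} {decision.verdict:18s} via {decision.path}")
```

The `path` recorded on each decision is the audit trail a defender wants from a chain like this: when a device is bypassed or unhealthy, the log shows exactly which devices did see the flow, so an "allow" reached without the firewall in the path is visible rather than silent.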
Security Changes at the Speed of Business: (Solution Brief Link)
- Orchestrates the security stack:
- Shortens time-consuming security change management processes, simplifying equipment changes and mitigating any detrimental impacts.
- Routes traffic based on context and policy
- Contextual classification engine increases administrative efficacy by utilizing security resources more efficiently
- Scales security services
- Scaling existing or new security services with high-availability and failover protection, achieving enhanced utilization and service availability, even during security stack changes
- Dynamic service chaining
- Creates dynamic, logical security service chains based on the type of incoming traffic leveraging existing security solutions.
- Intelligent traffic bypass
- Efficiently addresses layer 2 and layer 3 security service insertions
Demo Information
The Demo of the Dynamically Orchestrating Security Infrastructure was conducted by Sandeep Kalidini, a Network Engineer working in WWT's Infrastructure Services organization.
Timestamps and Video Screen captures
- 0:11 Changes in security stack
- Any and all changes in security stack are costly.
- 0:24 How F5 can help simplify security stack change management
- efficiently uses existing resources
- speeds up deployment time
- mitigates unintentional traffic
- transfers traffic from one solution to the other without interruption
- 0:44
- SSLO Architecture is configured
- multiple security servers
- Cisco N3K for routing and switching
- multiple security solutions deployed
- Advanced WAF and AFM
- Third Party: FireEye, Palo Alto, WSA (for proxies), Firepower
- 1:15
- VMware: Windows Servers, CentOS, Ixia Client
- used to support and test the connectivity and production of the design
- SSLO Details
- SSLO 1 and 2 are standalone devices (recorded as not SSLOs)
- SSLO 3 and 4 are active-standby devices
- 1:38 Select Topology
- 1:48 Configuration menu
- 1:52 Topology Properties and SSL Orchestrator
- 2:34 Service List
- 3:02 Initial Service Chain
- 3:31 Security Policy
- 4:18 Interception Rule and Ingress Network Setting
- specify source and destination addresses
- specify VLAN and configure VLAN
- 4:47 Log Settings
- Log settings were not used within this demo
- 5:21 Service Chain Properties
- alter service chain to not let traffic flow through Palo Alto
- 7:06 Palo Alto removed
- 9:52 Palo Alto reconfigured to be added back in the Service Chain as a Service
- 12:00 Sample test result to see traffic running
- 13:49 F5 Dashboard Showcase of traffic and connections
- 15:02 Palo Alto Traffic is flowing properly
- 15:15 Ixia Server View of data traffic
- traffic is flowing from Palo Alto and SSLO
- Palo Alto is blocking traffic to the client end because the client IP is reaching out to other IPs that are blocked by policy
Final Impressions and Summary
Connectivity was established successfully between the client and the server. The traffic flowed properly through the Palo Alto firewalls and the SSLO. Based on this demo and the findings from our integrated testing in the ATC, F5's solution made the network more secure. The demo findings were a great benchmark to demonstrate how F5's solution can perform in a production environment.
Documentation
F5 SSLO-Demo
F5 SSLO-Change at the Speed of Business with Palo Alto
F5 SSLO-Change at the Speed of Business with Cisco Firepower
F5 SSLO-Change at the Speed of Business with F5 Advanced WAF and AFM
Resources:
- To learn more about Dynamic Orchestration of Security Services
- To learn more about Guided configuration of SSL Orchestrator on F5 BIG-IP.
- Guided Configuration (Link)
- To Learn more about configuration of F5 security services with SSL Orchestrator
- To Learn more about configuration of 3rd party security services with SSL Orchestrator
- If you want to bring automation to your SSLO environment, here is a tool in your toolbelt to be able to leverage.