F5 SSL Everywhere
3ztjr
3ztjr
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
David Holmes<br />
Principal Technical Marketing Manager<br />
Marty Scholes<br />
Marketing Solutions Architect
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
Contents<br />
Introduction 3<br />
About the acronyms <strong>SSL</strong> vs. TLS 4<br />
Deployment Scenarios 4<br />
Deployment scenario: Inbound enterprise applications 5<br />
Deployment scenario: Inbound retail data center 5<br />
Deployment scenario: Inbound <strong>SSL</strong> pass-through 6<br />
Deployment scenario: Outbound <strong>SSL</strong> visibility 6<br />
A recommended security posture 6<br />
Fine-Tuning Data Protection 8<br />
A primer on <strong>SSL</strong> cipher strings 8<br />
Transformational services 13<br />
Client certificates 19<br />
<strong>SSL</strong> failover options 22<br />
Cipher agility 25<br />
Key Management 28<br />
Certificate expiration notification 29<br />
Use the certificate manager role 30<br />
Key protection 31<br />
Revocation verification 34<br />
Visibility and Control 42<br />
<strong>SSL</strong> and the OWASP Top Ten 42<br />
<strong>SSL</strong> outbound visibility 43<br />
Mitigating brute force attacks 47<br />
Instrumentation: The <strong>SSL</strong> statistics panel 50<br />
Conclusion 52<br />
2
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
Introduction<br />
The cryptographic protocol historically known as the Secure Sockets Layer (<strong>SSL</strong>) and now<br />
known as Transport Layer Security (TLS) is quickly becoming the de facto protocol for all<br />
important, and even casual, electronic communication today. Only a decade ago, <strong>SSL</strong> was<br />
reserved only for financial institutions and the login pages of the security conscious. Today<br />
<strong>SSL</strong> is ubiquitous. Even the world’s most popular video sites use <strong>SSL</strong> for streaming.<br />
Although <strong>SSL</strong> can be an everywhere, all-the-time security protocol, it is not always easy<br />
to deploy correctly, or without challenges, into an architecture. For example, <strong>SSL</strong> offers<br />
protection for data in transit, not at rest. It offers forward secrecy, but usually at the cost<br />
of monitoring or diagnostic utilities. <strong>SSL</strong> also faces numerous attacks, despite being<br />
constantly improved and monitored by the Internet Engineering Task Force (IETF). Finally,<br />
implementation issues such as the Open<strong>SSL</strong> group’s Heartbleed incident remind the world<br />
that cryptography is difficult—even for cryptographers.<br />
The <strong>F5</strong> ® <strong>SSL</strong> <strong>Everywhere</strong> reference architecture aggregates the set of common solutions<br />
for securing data in transit from users to applications, between enterprise services, and<br />
from corporate users to the Internet. The key to the reference architecture is the custombuilt<br />
<strong>SSL</strong> software stack that is part of every <strong>F5</strong> BIG-IP ® Local Traffic Manager (LTM)<br />
deployment.<br />
This recommended practices document, which is based on the <strong>SSL</strong> <strong>Everywhere</strong> reference<br />
architecture, can guide architects and administrators through strategic deployments of <strong>SSL</strong><br />
and serve later as a quick reference for specific concerns. It includes:<br />
• Common deployment scenarios.<br />
• Advanced key management recommendations.<br />
• Tips for fine-tuning data protection.<br />
• Suggestions for enhancing visibility and control.<br />
• Dozens of technical tips and recommended practices for maximizing security<br />
posture (and value). These may include example <strong>F5</strong> TMOS ® shell (TMSH) commands<br />
such as:<br />
(tmos)# modify ltm profile http2 http2-ni enforce-tls-requirements disabled<br />
Basic familiarity with <strong>SSL</strong>, server administration, and BIG-IP platform administration is<br />
assumed. The recommended practices apply to the BIG-IP family of products, with<br />
version 12.0.0 of the BIG-IP platform providing the baseline for referenced features and<br />
configurations unless otherwise noted.<br />
3
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
About the acronyms <strong>SSL</strong> vs. TLS<br />
Vagueness is anathema to engineers. As a result, many engineers refer to modern web<br />
encryption as TLS and consider the acronym <strong>SSL</strong> obsolete. But the fact is that <strong>SSL</strong> has<br />
become shorthand for “a secure connection” even in casual conversation between security<br />
professionals and the same security engineers who dislike seeing <strong>SSL</strong> in print. So for the<br />
purposes of brevity and search engine optimization, this document uses the acronym <strong>SSL</strong><br />
to refer to the collection of encryption protocols that encompass <strong>SSL</strong>v2, <strong>SSL</strong>v3, TLSv1,<br />
TLSv1.1, and TLSv1.2, except where it is important to specify a particular version. When <strong>SSL</strong><br />
is used as an adjective (for example, <strong>SSL</strong> VPN), it should be understood that the subject<br />
encompasses the current, accepted protocols for transport layer security.<br />
<strong>SSL</strong>v3 is rapidly being phased out, with <strong>SSL</strong>v2 long dead. Even TLSv1.0 is discouraged<br />
today, and only TLSv1.1/1.2 should be used whenever possible. Perhaps, in time, the<br />
language will catch up to reality and TLS will be used in the same way <strong>SSL</strong> is commonly<br />
used today.<br />
Deployment Scenarios<br />
For many organizations today, the main use case for <strong>SSL</strong> is securing data from customers<br />
and employees on the Internet to data center applications through an Application Delivery<br />
Controller (ADC). While the data center deployment is among the most mature of encrypted<br />
data center technologies, it’s not without innovation (and renovation). The deployment<br />
scenarios that follow include advanced <strong>SSL</strong> strategies such as HTTP Strict Transport<br />
Security (HSTS) and Online Certificate Status Protocol (OCSP) stapling. The recommended<br />
practices introduce how these technologies can be leveraged in inbound data center<br />
deployments for outbound visibility.<br />
4
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
REFERENCE ARCHITECTURE: <strong>SSL</strong> <strong>Everywhere</strong><br />
CONTENT TYPE: Product Map<br />
AUDIENCE: Security Architect<br />
CUSTOMER SCENARIO: <strong>SSL</strong> <strong>Everywhere</strong> (Inbound)<br />
DMZ<br />
Web Application Firewall<br />
NG-IPS<br />
Passive Monitor, IDS,<br />
Customer Experience Solutions<br />
Remote Users<br />
User<br />
Internet<br />
Network<br />
Firewall<br />
<strong>SSL</strong> Termination and Inspection<br />
+ Cipher Agility + <strong>SSL</strong> Transformation<br />
+ Intelligent Traffic Management<br />
+ <strong>SSL</strong> Re-Encryption<br />
Network<br />
Firewall<br />
Web/Application<br />
Servers<br />
BIG-IP Platform<br />
Customer Scenarios<br />
Data Protection<br />
Visibility and Control<br />
Key Management<br />
HSM<br />
<strong>SSL</strong> Crypto-Offload<br />
+ <strong>SSL</strong> Termination and Inspection<br />
+ <strong>SSL</strong> Re-Encryption<br />
+ <strong>SSL</strong> Transformation<br />
BIG-IP Local Traffic Manager<br />
Simplified Business Models<br />
GOOD BETTER BEST<br />
BIG-IP Platform<br />
Figure 1: Common deployment scenarios for <strong>SSL</strong><br />
Deployment scenario: Inbound enterprise applications<br />
One of the primary deployment scenarios for <strong>SSL</strong> is to protect a suite of enterprise<br />
applications, from Microsoft Sharepoint and Exchange to a LAMP-based CGI application.<br />
A typical administrator for this deployment scenario is likely a network operations team<br />
member. In a larger organization there will be a security team, a security architect, an<br />
auditor, and sometimes even a separate certificate management team. Enterprise<br />
administrators will use an ADC to perform <strong>SSL</strong> bridging, which is the act of decrypting<br />
incoming connections, performing an action (such as a load-balancing pick or persistence),<br />
and then re-encrypting the connection to a server within the enterprise. Flexibility,<br />
extensibility, security, and visibility take precedence over availability for many of these<br />
administrators.<br />
Deployment scenario: Inbound retail data center<br />
One of the most demanding scenarios for an ADC is the retail website. Even more<br />
demanding can be deployment for a hosting company dealing with multiple retail sites.<br />
5
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
A hosting company that sports many very popular websites can have millions of connections<br />
flowing through the ADC at any minute, and hundreds to thousands of new <strong>SSL</strong> connections<br />
per second. For these customers, availability and compatibility are the most important<br />
characteristics of their deployments. They are also concerned with compliance to standards<br />
such as the Payment Card Industry Data Security Standard (PCI DSS). For retail customers,<br />
the ADC is often performing <strong>SSL</strong> termination, meaning that it is decrypting incoming<br />
connections and transitioning (proxying) the payloads to servers further into the data center.<br />
Deployment scenario: Inbound <strong>SSL</strong> pass-through<br />
The majority of <strong>F5</strong> customers use BIG-IP devices for application delivery services that<br />
include <strong>SSL</strong>. A significant number of customers use the BIG-IP platform for L4 load<br />
balancing and traffic steering. These customers include service providers running tens of<br />
millions of connections through single tiers of <strong>F5</strong> ADC devices. These devices will be aware<br />
of <strong>SSL</strong> connections but won’t be actually terminating or even inspecting those connections.<br />
They can still provide a measure of control over the <strong>SSL</strong> flows. The term for this kind of flow<br />
control is called <strong>SSL</strong> pass-through—the <strong>SSL</strong> traffic is passing through the ADC instead of<br />
being terminated or bridged at the ADC.<br />
Deployment scenario: Outbound <strong>SSL</strong> visibility<br />
One of the most significant new applications of <strong>SSL</strong> decryption is used in a scenario that<br />
has various names, such as <strong>SSL</strong> “air gap” or <strong>SSL</strong> interception. The problem it solves is<br />
simple in concept: Users inside a corporate headquarters are one of the most high-profile<br />
risks when they react to unsolicited email or browse the Internet. A targeted “spear phishing”<br />
campaign can snare a user into clicking a link that will pull malware from the Internet<br />
through an <strong>SSL</strong> connection. There are security solutions that scan for malware, but many of<br />
them are unable to scale to automatically and transparently decrypt <strong>SSL</strong> connections. The<br />
outbound <strong>SSL</strong> visibility scenario supports these security solutions. <strong>F5</strong> devices sandwich<br />
these security solution devices to provide decryption and re-encryption services.<br />
A recommended security posture<br />
The definitive resource for evaluating a web site’s <strong>SSL</strong> security posture (and comparing it<br />
to others) is the Qualys <strong>SSL</strong> Labs report. An administrator can connect to the test site and<br />
enter his web address, and the report will provide an elementary alphabetical grade. While<br />
some think that a single letter is oversimplifying many complicated ideas, the <strong>SSL</strong> Labs<br />
scanner grade is, at least, an objective, and there is no denying that <strong>SSL</strong> Labs is the most<br />
visible project grading <strong>SSL</strong> deployments and rating <strong>SSL</strong> security postures today.<br />
6
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
To check a web address against the <strong>SSL</strong> Labs report, visit this address and enter the site’s<br />
URL.<br />
Figure 2: A simple <strong>SSL</strong> Labs security posture report<br />
Achieving an A+ grade is a non-trivial task; however, it can be done in an afternoon (even in<br />
less than an hour) when starting from the right point. Currently, to achieve an A+ rating with<br />
<strong>SSL</strong> labs, a user must follow these recommendations; otherwise the site would receive the<br />
following grade in brackets.<br />
• Disable <strong>SSL</strong>v3 [B] & RC4 [B/C]<br />
• Replace any SHA1 Certs [A] and sub-2k Certs [C]<br />
• Enable TLS_FALLBACK_SCSV [A]<br />
• Enable HTTP Strict Transport [A]<br />
• Enable and Prefer Perfect Forward Secrecy Compatible Ciphers [A-]<br />
Do not use DHE ciphers (only ECDHE). DHE ciphers will cap the grade at [B] on<br />
BIG-IP.<br />
• Enable TLS1.2 [C]<br />
• Enable Secure Renegotiation [A-]<br />
The DEFAULT cipher string included in BIG-IP version 12.0 will yield a B grade but offers full<br />
hardware acceleration. To get that coveted A+ grade, an administrator would need to have<br />
7
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
a fairly restrictive cipher list. For example “!<strong>SSL</strong>v3:!DHE:ECDHE:RSA+HIGH” will get an<br />
A grade on <strong>SSL</strong> labs but would require every user to have a very recent browser.<br />
Note that the rating requirements change over time; see the Qualys <strong>SSL</strong> Labs Rating<br />
Guide for the latest.<br />
Fine-Tuning Data Protection<br />
The primary goal of <strong>SSL</strong> is to secure data in transit. A BIG-IP device that is performing <strong>SSL</strong><br />
termination or <strong>SSL</strong> bridging has dozens of settings, many of them very powerful, that can<br />
be fine-tuned for a specific security environment.<br />
A primer on <strong>SSL</strong> cipher strings<br />
The configuration knob that controls the negotiation of key-exchange, encryption, and<br />
authentication protocols is the cipher string setting of the <strong>F5</strong> clientssl and serverssl profiles.<br />
Creating a cipher string that projects only strong cryptographic ciphers while maintaining<br />
broad compatibility among browsers can be a black art. Consider this actual,<br />
recommended cipher string for advanced BIG-IP administrators:<br />
ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AES-<br />
GCM:RSA+AES:RSA+3DES:-MD5:-<strong>SSL</strong>v3:-RC4<br />
The BIG-IP device cipher string system is based on the one used by the open source<br />
project Open<strong>SSL</strong>, though it does not follow it exactly. Find the full reference for Open<strong>SSL</strong><br />
cipher strings, and a few extra tips, here.<br />
An administrator can use the tmm command from the TMOS bash shell to see which<br />
ciphers are included in any given cipher string for any BIG-IP version:<br />
config # tmm --clientciphers ‘DEFAULT’<br />
The tmm command should only be run on standby devices, because running the command<br />
incorrectly can interfere with application delivery. The cipher string is usually enclosed<br />
in single quotes otherwise any ‘!’ characters in the cipher string confuse the shell. By<br />
convention, UPPERCASE is always used for cipher strings.<br />
Also note that this command is one of the few in this document that is not a native TMOS<br />
shell command. An administrator must have access to the bash shell to run it, and can get<br />
to the bash shell by running this command from the TMOS shell:<br />
8
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
(tmos)# run util bash<br />
The ciphers represented by the cipher string are shown in the order in which they will be<br />
preferred by the BIG-IP device. In the DEFAULT example above, the first three preferred<br />
ciphers are:<br />
1 DHE-RSA-AES256-GCM-SHA384<br />
2 DHE-RSA-AES128-GCM-SHA256<br />
3 DHE-RSA-AES256-SHA256<br />
Unlike many server systems, when negotiating the <strong>SSL</strong> cipher with the client, the BIG-IP<br />
system will choose the preferred cipher according to the cipher string designated by the<br />
BIG-IP administrator rather than choosing the one preferred by the browser. Browser<br />
vendors consider this rude, but BIG-IP administrators prefer the control.<br />
Building a cipher string<br />
There are four components of a cipher: key exchange, authentication, encryption, and hash.<br />
A cipher may describe any subset or combination of these components.<br />
• Common key exchange ciphers: RSA, DHE, ECDHE, ECDHE_ECDSA, ECDH_<br />
ECDSA, DHE and DHE_DSS.<br />
• Common authentication ciphers: RSA<br />
• Common encryption ciphers: AES, RC4, DES, 3DES<br />
• Common message hash ciphers: SHA, SHA256, MD5<br />
The hyphen character “-“ combines the elements into a single specific cipher. For example,<br />
the cipher string “DHE-RSA-AES256-SHA” specifies exactly one cipher.<br />
Operators<br />
Besides the hyphen, four other character operators are used to build cipher strings.<br />
• Colon (:)<br />
The colon character “:” is the delimiter between two cipher string phrases. When<br />
used as part of a list, it is simply the additive operator. For example the cipher string<br />
“RSA:AES” means “all RSA-based ciphers plus all AES-based ciphers” and would<br />
include over 100 ciphers!<br />
• Plus (+)<br />
9
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
The plus sign operator “+” has two uses. When used between two cipher names,<br />
the + operator doesn’t mean add, it means “the intersection of.” The cipher string<br />
“RSA+AES” means specifically just 11 ciphers that have RSA as the key exchange<br />
and AES as the encryption cipher.<br />
• Leading plus (:+)<br />
When used in front of a cipher name (that is, after a colon), the plus sign means<br />
“move these ciphers to the end of the list.” For example, RSA:RC4 and RSA:+RC4<br />
will provide the same list of ciphers, but the latter will order RC4-based ciphers at<br />
the end of the list as least preferred.<br />
• Minus (-)<br />
The minus operator “-“ deletes the ciphers from the list of supported ciphers while<br />
making sure that some or all of the ciphers can be added again with later options.<br />
The “!” operator is used more commonly than the minus. For example, “RSA:-<br />
SHA:DHE+SHA” means “all RSA-based ciphers except those that use SHA” plus “all<br />
DHE-based ciphers that include SHA”. Do not confuse the minus with the hyphen<br />
character “-“.<br />
• Not (!)<br />
The not operator “!” permanently deletes ciphers from the list of supported ciphers.<br />
The ciphers deleted can never reappear in the list even if they are explicitly stated.<br />
For example, “RSA:!MD5:MD5” is effectively the same as “RSA”.<br />
• At (@)<br />
The at operator “@” specifies that the following word will designate whether the<br />
cipher string is to order the list by cryptographic strength (@STRENGTH) or<br />
cryptographic performance (@SPEED).<br />
• No symbol<br />
If none of the above symbols appears in the string, the string is interpreted as a list<br />
of ciphers to be appended to the current preference list. If the list includes any<br />
ciphers already present, they will be ignored.<br />
Special keywords<br />
The cipher string format includes a series of special keywords that can be used to group<br />
ciphers together:<br />
• DEFAULT<br />
10
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
This is the ordered list of preferred ciphers as determined by the <strong>F5</strong> security<br />
engineering team. It is different from the Open<strong>SSL</strong> DEFAULT keyword. <strong>F5</strong> optimizes<br />
DEFAULT to be a reasonable compromise between high security and high<br />
performance.<br />
The <strong>F5</strong> engineering team agonizes over the list of ciphers that make up DEFAULT in<br />
each release. The main drawback to using DEFAULT is that when it changes (as new<br />
ciphers are developed or old ones fall out of favor), administrators that use DEFAULT<br />
may be surprised when they upgrade versions.<br />
In version 12.0 of the BIG-IP system, the following unsafe ciphers are excluded from<br />
DEFAULT and are unlikely to come back: EXPORT, <strong>SSL</strong>3, and NULL.<br />
Solution 13156 lists the ciphers included with the DEFAULT keyword for different<br />
versions of the BIG-IP system.<br />
• NATIVE<br />
The NATIVE keyword specifies the set of ciphers that are specially accelerated either<br />
in hardware or software in the <strong>F5</strong> <strong>SSL</strong> software stack. The performance and support<br />
of NATIVE ciphers are much higher than non-NATIVE ciphers. The NATIVE cipher list<br />
includes ciphers that have since been shown to be inappropriately weak for modern<br />
use (such as RC4, MD5, and DES), so it should not be used without modification.<br />
• COMPAT<br />
The COMPAT cipher invokes a special mode for a handful of ciphers where the<br />
implementation is borrowed directly from the open source Open<strong>SSL</strong> project to<br />
support legacy systems that could not be upgraded. Today, COMPAT should only<br />
be used very rarely, under specific guidance, when there is no other alternative.<br />
• ALL<br />
The ALL string includes all ciphers except the eNULL ciphers, which need to be<br />
explicitly enabled. The ALL ciphers are reasonably ordered by default. Use of ALL<br />
is highly discouraged for production systems, as it will allow many unsafe ciphers.<br />
• HIGH, MEDIUM, and LOW<br />
These keywords are largely maintained only for the purposes of compatibility. The<br />
HIGH string includes ciphers with 128-bit keys or larger, but in reality, HIGH is less<br />
secure than DEFAULT. Note that HIGH includes anonymous Diffie-Helman ciphers,<br />
which should not be used by production systems.<br />
11
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
The MEDIUM string includes medium-strength encryption ciphers, and the LOW<br />
string includes ciphers that use 64- or 56-bit encryption algorithms but excludes<br />
ciphers in the EXPORT string.<br />
• EXPORT<br />
The EXPORT keyword includes export encryption algorithms, including 40- and<br />
56-bit algorithms. These ciphers were defined to comply with U.S. export rules that<br />
have since been lifted. The EXPORT keyword is most useful when preceded by the<br />
Not (!) operator.<br />
Cipher string examples<br />
Several examples of cipher strings an administrator could use for a clientssl profile:<br />
ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AES-<br />
GCM:RSA+AES:RSA+3DES:-MD5:-<strong>SSL</strong>v3:-RC4<br />
This cipher string prioritizes elliptic-curve ciphers (EC). EC ciphers are thought to be easier<br />
on mobile devices. The Ephemeral Diffie-Helman (DHE) cipher invokes forward secrecy. By<br />
specifying DHE+AES, some <strong>SSL</strong>v3 ciphers get brought back in. The final “-<strong>SSL</strong>v3:-RC4”<br />
removes them.<br />
‘ECDHE:HIGH:+DHE:!ADH’<br />
This string commands: Prefer elliptic curve key exchanges (ECDHE). Allow ciphers with key<br />
sizes of 128-bits or larger (HIGH). Put ephemeral Diffie-Helman ciphers (DHE) at the end of<br />
the list. Disallow any anonymous Diffie-Helman ciphers (!ADH).<br />
‘HIGH:!ADH:!<strong>SSL</strong>v3:!TLSv1@SPEED’<br />
This string says: Allow ciphers with key sizes of 128-bits or larger (HIGH). Disallow any<br />
anonymous Diffie-Helman ciphers (!ADH). Effectively allow only TLSv1.2 and TLSv1.1<br />
(!<strong>SSL</strong>v3 and !TLSv1). Order the remaining ciphers by speed.<br />
<strong>F5</strong> recommended practices for building cipher strings:<br />
• Disable anonymous ciphers such as ADH using the !ADH phrase.<br />
• Disable export ciphers using the !EXPORT phrase.<br />
• Use the keyword HIGH, but be sure to disable anonymous ciphers.<br />
• Disable <strong>SSL</strong>v3 when possible. This is an unsecure protocol version.<br />
12
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
Transformational services<br />
BIG-IP devices serve as a full proxy for TCP, HTTP, and <strong>SSL</strong>, which means they create one<br />
connection to the client (browser) and a separate connection to the server.<br />
The transformational nature of an <strong>SSL</strong> proxy allows a site to provide <strong>SSL</strong> features that are<br />
decoupled from the capabilities of the application servers. An architect can therefore use<br />
the ADC to transform the interface to the web servers into any protocol the ADC supports,<br />
regardless of the back-end transport options.<br />
For example, an administrator can define that every application has 2K RSA keys on the<br />
ADC even if the application servers support only 1K RSA keys. Or the architect can support<br />
HTTP/2.0 for every application on the ADC even when none of the back-end servers<br />
support it. In other words, transformational services provide the ability to maintain<br />
compliance with an Internet-facing <strong>SSL</strong> policy without the need to enforce that policy on<br />
individual servers.<br />
This full-proxy capability allows BIG-IP devices to transform any combination of the client<br />
and server connections below.<br />
Client Connection<br />
2K RSA<br />
Elliptic Curve<br />
Forward Secrecy (ECDHE, DHE)<br />
Client Certificate Authentication<br />
Server Connection<br />
HTTP/1.1<br />
1K RSA<br />
Multiplexed TCP<br />
2K RSA<br />
SPDY<br />
HTTP/2.0<br />
Forward secrecy<br />
The Edward Snowden U.S. National Security Agency (NSA) disclosures revealed that nation<br />
states might be collecting data for later use via broad-spectrum mass surveillance. The<br />
data includes encrypted data that the NSA could not decrypt, presumably collected in the<br />
hope that future technology could produce the private key used to encrypt the data. One<br />
lesson from these events is that data encrypted in motion can be archived for later analysis<br />
and that once a private key has been compromised, all traffic encrypted with that private<br />
key becomes visible. Put another way, all traffic encrypted with a private key is subject to<br />
potential future decryption.<br />
13
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
To counter this vulnerability, forward secrecy was proposed. Forward secrecy extends the<br />
key exchange protocol to generate a second, ephemeral key before generating the session<br />
key. In previous <strong>SSL</strong> key exchanges, the RSA keys are used to generate a session key,<br />
which in turn is used to encrypt the traffic. With forward secrecy, the RSA keys are used<br />
to facilitate generating a Diffie-Helman ephemeral key pair, which is used to generate the<br />
session key. This approach ensures that compromising the RSA private key will only provide<br />
access to encrypted traffic. Each individual <strong>SSL</strong> session is protected by the Diffie-Helman<br />
key pair generated on a per-session basis. Forward secrecy ensures that compromising a<br />
private key will not expose all traffic encrypted with that private key.<br />
BIG-IP version 12 prefers forward secrecy ciphers in the DEFAULT cipher. The<br />
tmm – clientciphers command shows the specific forward secrecy ciphers:<br />
[davidh@murky:Active:Standalone] ~ # tmm --clientciphers DHE:ECDHE<br />
ID SUITE<br />
BITS PROT<br />
0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2<br />
2: 57 DHE-RSA-AES256-SHA 256 TLS1<br />
3: 57 DHE-RSA-AES256-SHA 256 TLS1.1<br />
...<br />
23: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2<br />
24: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1<br />
25: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1<br />
Applications that use the DEFAULT cipher need not make any changes to take advantage<br />
of forward secrecy. There is one scenario where forward secrecy can create problems:<br />
key sharing, such as may be used by monitoring or other security systems. Shared-key<br />
monitoring will fail when forward secrecy is enabled, so in such cases, forward secrecy is<br />
not appropriate.<br />
In cases where the <strong>SSL</strong> keys are being shared with other security services such as IDS/IPS,<br />
the options are either to eschew forward secrecy, risking future exposure of the traffic, or to<br />
terminate the <strong>SSL</strong> with the BIG-IP device. Terminating the <strong>SSL</strong> enables the use of forward<br />
secrecy while also allowing monitoring by other devices.<br />
<strong>F5</strong> recommended practices for forward secrecy:<br />
• Before enabling forward secrecy, ensure that the <strong>SSL</strong> private key is not being shared<br />
with any monitoring systems or with other security devices.<br />
• Understand that diagnostic tools such as ssldump will fail to work when forward<br />
secrecy is enabled.<br />
14
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
Multiplexing TCP and <strong>SSL</strong><br />
The <strong>F5</strong> OneConnect feature of the BIG-IP system can increase network throughput by<br />
efficiently managing connections created between the BIG-IP system and back-end pool<br />
members. OneConnect works with HTTP keep-alives, enabling the BIG-IP system to<br />
minimize the number of server-side TCP connections by making existing connections<br />
available for reuse by other clients.<br />
For example, when a client makes a new connection to a BIG-IP virtual server configured<br />
with a OneConnect profile, the BIG-IP system parses the HTTP request, selects a server<br />
using the load-balancing method defined in the pool, and creates a connection to that<br />
server. When the client’s initial HTTP request is complete, the BIG-IP system temporarily<br />
holds the connection open and makes the idle TCP connection to the pool member<br />
available for reuse.<br />
<strong>F5</strong> recommended practices for multiplexing TCP and <strong>SSL</strong>:<br />
• Do not configure OneConnect for a virtual server doing <strong>SSL</strong> pass-through.<br />
• See the <strong>F5</strong> DevCentral article “Persisting <strong>SSL</strong> Connections” for more information.<br />
HTTP Strict Transport Security<br />
Many websites operate over HTTPS but offer the ability to downgrade to unencrypted<br />
HTTP when necessary. Other sites operate primarily on HTTPS but download some<br />
content—such as video or images—over unencrypted HTTP. A site that allows unencrypted<br />
traffic creates an attack surface for cookie hijacking or man-in-the-middle attacks. RFC<br />
6797 provides HTTP Strict Transport Security (HSTS), a standard for directing web clients<br />
to connect only using secure and trusted connections.<br />
HSTS inserts a header into HTTPS traffic that directs the client only to use trusted and<br />
encrypted connections to retrieve objects. This restriction includes refusing to display<br />
pages with self-signed certificates. Clients will continue to enforce the restriction for the<br />
period of time specified in the header. All major browsers now support HSTS, making its<br />
use a good way to ensure that all traffic stays encrypted. With the BIG-IP system, the<br />
administrator can ensure that all pages for a domain have the HSTS header.<br />
Enabling HSTS is one of the easiest and most powerful ways to improve an application’s<br />
security posture. BIG-IP devices have three parameters for setting HSTS located within the<br />
HTTP profile.<br />
15
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
Figure 3: Enabling HSTS in the HTTP profile<br />
Select the Mode check box to enable HSTS. Use the Maximum Age field to specify for how<br />
many seconds the client should enforce HSTS after last seeing the header. The default<br />
value specifies that HSTS should be enforced for 186 days after the header was last seen,<br />
which is consistent with <strong>SSL</strong> Labs’ recommendation that the maximum age be at least 180<br />
days. Select the Include Subdomains check box to indicate that subdomains should also<br />
enforce HSTS. Most administrators will want to select this option, forcing all subdomains<br />
to use HSTS. If there is an application on a subdomain that cannot use HSTS, such as an<br />
application that requires a self-signed certificate, then the administrator should clear this<br />
check box.<br />
HSTS provides a layer of protection for users against several common attack vectors,<br />
including cookie hijacking, man-in-the-middle, and downgrade attacks, that depend on<br />
unencrypted traffic. By selecting a single check box, administrators can ensure that all<br />
traffic will require encryption after only one encrypted connection.<br />
<strong>F5</strong> product users running a version of TMOS prior to 12.0 can use a simple <strong>F5</strong> iRules ® script<br />
to turn on HSTS. For versions 11.6.0 and earlier, see Jason Rahm’s DevCentral article called<br />
“Implementing HTTP Strict Transport Security.”<br />
when HTTP_RESPONSE {<br />
HTTP::header insert Strict-Transport-Security “max-age=31536000 ;<br />
includeSubDomains”<br />
}<br />
The includeSubdomains keyword instructs the browser to use encryption for object<br />
requests within the subdomains of the site. For example, if the site is example.com, the<br />
includeSubdomains keyword will instruct the browser to use HSTS for chat.example.com<br />
as well. An administrator must ensure that all subdomains are compatible with <strong>SSL</strong> before<br />
enabling includeSubdomains.<br />
<strong>F5</strong> recommended practices for HSTS:<br />
• Enable HSTS for applications.<br />
16
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
• Use the includeSubdomains keyword, but only after ensuring all subdomains will<br />
continue to function.<br />
• Enable a 302 redirect on the virtual server at port 80. Solution 14996 describes how<br />
to configure redirects from HTTP to HTTPS.<br />
HTTP/2<br />
HTTP/2 is poised to replace HTTP/1.1 by reducing latency in typical web traffic. HTTP/2<br />
reduces latency by compressing the headers, multiplexing client requests, and enabling<br />
servers to push data to the client before the client requests it. Since the major browsers<br />
now support HTTP/2 at the client level, a web application can provide a more pleasant user<br />
experience by implementing HTTP/2. The BIG-IP platform provides the ability to produce an<br />
Internet-facing HTTP/2 presence without the need for any changes to the back-end web<br />
servers.<br />
Since the dominant version of HTTP in use today is 1.1, most administrators would prefer<br />
to support HTTP/1.1 while making HTTP/2 available. BIG-IP devices support this scenario.<br />
Keeping all of the traffic on a single virtual server simplifies deployment and maintenance.<br />
The default behavior of the BIG-IP system is to support all versions, including HTTP/0.9<br />
through HTTP/2, when an HTTP/2 profile is included. The HTTP/2 profiles can be added<br />
to a virtual server from the Acceleration section of the virtual server configuration.<br />
The BIG-IP platform permits <strong>SSL</strong> settings on the server side as well as the client side.<br />
These settings are independent, enabling the administrator to provide an HTTP/2 presence<br />
without making any changes to the web server infrastructure. All internally developed and<br />
externally licensed software can be exposed to the Internet as HTTP/2, regardless of the<br />
capabilities of the internal servers. In addition, the internal traffic can be encrypted between<br />
the BIG-IP device and the internal servers. Encrypting all traffic increases the level of<br />
security both in terms of encryption and by eliminating a possible man-in-the-middle attack<br />
by a rogue system on the corporate LAN. The level of encryption exposed to external web<br />
clients is independent of the level of encryption used by internal servers so the latest<br />
algorithms can be used to face the Internet with older algorithms being used internally,<br />
where <strong>SSL</strong> traffic is less exposed.<br />
In response to several attacks based on <strong>SSL</strong> renegotiation, the HTTP/2 specification<br />
requires that <strong>SSL</strong> renegotiation be disabled, but the default clientssl profile allows<br />
renegotiation. The implication is that the default HTTP/2 settings and the default clientssl<br />
settings are incompatible. The administrator must decide whether to disable renegotiations<br />
(in support of HTTP/2 compatibility) or to allow renegotiations. In order to use HTTP/2, the<br />
administrator must change the default settings of either the clientssl profile or the HTTP/2<br />
profile.<br />
17
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
First, the administrator must determine whether or not renegotiations are needed. Actual<br />
<strong>SSL</strong> renegotiations are uncommon. One of the few use cases for renegotiation is for<br />
dynamically changing client authentication requirements based on content and then<br />
requesting a certificate from the client. Unless an administrator’s site uses this technique,<br />
it should be safe to leave renegotiation disabled.<br />
For cases where the administrator wants to remain compliant with HTTP/2 requirements<br />
and does not need renegotiation, disable renegotiation at the clientssl profile associated<br />
with the virtual server.<br />
Figure 4: Disabling renegotiation in a clientssl profile<br />
<strong>F5</strong> recommended practices for HTTP/2:<br />
• Leave the default setting, which disallows <strong>SSL</strong> renegotiation with HTTP/2. This<br />
restriction can be relaxed with the following TMSH command if needed.<br />
(tmos)# modify ltm profile http2 http2-ni enforce-tls-requirements disabled<br />
• Attach an HTTP/2 profile to every externally facing virtual server. There is no<br />
downside.<br />
• HTTP/2 is not yet supported for BIG-IP server-side connections. If an application<br />
requires HTTP/2 from the client all the way to the server, use the BIG-IP device for<br />
layer 4 load-balancing to a pool of HTTP/2 servers.<br />
Persistence and <strong>SSL</strong><br />
Connection persistence is a technique to consistently pair the same client to the same<br />
server over time. For example, suppose that a server farm has 300 servers for an<br />
application. A user, Marty, comes in and is directed by the ADC to server 287 because it<br />
has the lowest load. Server 287 establishes an HTTP session with Marty and loads his<br />
profile information from the middle-tier database systems into its memory.<br />
As Marty uses the website, his browser opens new connections to the ADC. The ADC<br />
recognizes Marty and sends these new connections to, say, server 287, which already has<br />
Marty’s profile information loaded. This works because Marty’s connections information<br />
18
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
has persisted on the ADC. Computer scientists call the property of matching requestors<br />
to data “locality of reference.” <strong>F5</strong> holds the original patent for ADC persistence via HTTP<br />
cookies.<br />
There are many ways to accomplish persistence. Some early, crude models include<br />
persisting by client source address or layer 4 tuples.<br />
An administrator may notice that there is a persistence method that relies on <strong>SSL</strong> session<br />
ID. In actuality, this persistence method is rarely used for the following reasons:<br />
• It is not uncommon for a client and server to have multiple open sessions.<br />
• Sessions are ephemeral and can be invalidated at any time.<br />
• Many implementations of computation session identifiers are not deterministic,<br />
meaning that if Marty’s browser switched sessions mid-session (as it were), a<br />
persistence method based on <strong>SSL</strong> session ID could send his new session to the<br />
wrong server.<br />
The only time <strong>SSL</strong> session ID should be used as a persistence method is for the <strong>SSL</strong><br />
pass-through case, where the BIG-IP device is not decrypting <strong>SSL</strong> and is simply passing<br />
it through to servers that will decrypt the <strong>SSL</strong> later.<br />
<strong>F5</strong> recommended practices for <strong>SSL</strong> persistence:<br />
• Use normal cookie-based persistence when <strong>SSL</strong> traffic is terminated or bridged<br />
on the BIG-IP device in full-proxy mode and the underlying protocol is HTTP.<br />
• For clientssl profiles where the underlying protocol is not HTTP, use layer 4<br />
persistence.<br />
• For <strong>SSL</strong> pass-through configurations, use <strong>SSL</strong> session ID persistence.<br />
Client certificates<br />
The vast majority of <strong>SSL</strong> sessions across the Internet use only one-way <strong>SSL</strong> authentication—<br />
the client authenticates the server by examining the server’s certificate data, public key, and<br />
associated signatures. If the server wants to identify the user, it typically asks for a<br />
username and password after the <strong>SSL</strong> session is established.<br />
But there are some applications that use <strong>SSL</strong> client certificate authentication as well as<br />
<strong>SSL</strong> server authentication. This is called mutual authentication, but since the server<br />
authentication is nearly always done anyway, people simply think of it as “client<br />
authentication with client certificates.”<br />
19
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
How all the clients got their certificates is a management problem all in itself. Typically all<br />
the clients are members of a well-funded organization (like a branch of the military) or Wall<br />
Street traders, for instance. And often the certificates reside on smart cards or other<br />
devices where they are accessed over public key cryptography standard (PKCS) protocol<br />
#11.<br />
Part 8 of the DevCentral series on <strong>SSL</strong> profiles provides a detailed breakdown of exactly<br />
how client certificate authentication works within the TLS handshake.<br />
Historically, the most common intersection of client certificate authentication and the <strong>F5</strong><br />
platform occurs in <strong>SSL</strong> termination and <strong>SSL</strong> bridging modes: the BIG-IP device is acting<br />
as the <strong>SSL</strong> server to a client on the Internet and authenticating that client’s certificate. The<br />
back-end servers, which trust the BIG-IP system, need to get information about the client<br />
certificate. There are three ways to forward that client certificate information to the servers:<br />
• X509 extraction<br />
The oldest trick (and still one of the easiest) is to extract and insert fields from the<br />
client certificate’s X509 directory information into the underlying HTTP stream as<br />
headers. A typical iRules script might include gathering the issuer of the client<br />
certificate and then inserting it into the HTTP request to the server as “<strong>F5</strong>_CLIENT_<br />
ISSUER=[X509::issuer [<strong>SSL</strong>::cert 0]]”. See this DevCentral post for a more complete<br />
example.<br />
• X509 whole certificate extraction<br />
A similar method is to extract and insert the entire certificate itself into the HTTP<br />
stream as a multi-line PEM-encoded header. Obviously, the server-side code will<br />
have to reassemble the certificate. The server can do the reassembly using a code<br />
library or by executing the openssl x509 command. The iRules script to do this on<br />
the BIG-IP device would look as simple as:<br />
when HTTP_REQUEST {<br />
if { [<strong>SSL</strong>::cert count] > 0 } {<br />
HTTP::header insert “<strong>F5</strong>CC” [X509::whole [<strong>SSL</strong>::cert 0]]<br />
}<br />
}<br />
• Proxy<strong>SSL</strong> mode<br />
There is a way to forward client certificates directly to the back-end server with a<br />
special <strong>F5</strong> <strong>SSL</strong> setting called proxy<strong>SSL</strong> mode. With proxy<strong>SSL</strong>, the BIG-IP device<br />
must use the same certificate and key as the back-end server. Clients can then<br />
connect all the way through to the server and authenticate with their certificates.<br />
20
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
The BIG-IP device can provide passive monitoring of the session. Proxy<strong>SSL</strong> should<br />
only be used when there is a requirement for client certificate authentication directly<br />
to the back-end servers. See <strong>SSL</strong> and the OWASP Top Ten later in this document<br />
for more information about proxy<strong>SSL</strong>.<br />
<strong>F5</strong> recommended practices for client certificates:<br />
• The <strong>SSL</strong> profile has a three-way setting for client certificate authentication: none,<br />
request, and require. When require is used and the client authentication fails for<br />
some reason (such as an expired certificate or OCSP failure), the user gets an ugly<br />
browser message. Some administrators use the request setting instead, which<br />
allows them to receive the certificate but passes the connection through even if<br />
authentication fails. When using the request setting, also use an iRules script that<br />
checks the certificate verification result and presents a more aesthetic error<br />
message or an HTTP 302 redirect.<br />
• Configure at least one revocation method—whichever one is best supported by the<br />
certificate authority—for client certificates. Certification revocation lists (CRLs) can be<br />
supported directly in the <strong>SSL</strong> profile. The other methods (OCSP and CRL distribution<br />
point or CRLDP) must be done via iRules. See the revocation section of this<br />
document for more information.<br />
• The TLS protocol includes a way to force a new handshake but without breaking the<br />
TCP connection. This is called a renegotiation and can be used to transition a client<br />
from one authenticated state (none) to another (client certificate authentication).<br />
However, the IETF frequently threatens to remove renegotiation, so consider it<br />
abandoned, and use it accordingly.<br />
• <strong>SSL</strong> forward proxy is a special mode that intercepts outbound <strong>SSL</strong> requests from<br />
a client on the inside of the BIG-IP platform boundary (inside the data center). This<br />
mode is used with the <strong>SSL</strong> outbound visibility deployment scenario. The BIG-IP<br />
device may try to intercept connections that are using client certificate authentication,<br />
but it will very likely not know what to do with the resulting connection. Whitelist any<br />
allowed, known hosts into a bypass list so that the BIG-IP device will not interfere.<br />
• There is a setting called “retain certificate” in clientssl profiles. This setting will<br />
improve the user experience by caching the client certificate across multiple<br />
connections (thereby avoiding extra popups in the browser). Enable this setting<br />
unless using a rare high-bandwidth, low-memory configuration where the extra few<br />
kilobytes associated with each connection could impact overall system performance.<br />
21
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
<strong>SSL</strong> failover options<br />
Full <strong>SSL</strong> handshakes are computationally expensive. This is one reason enterprises<br />
continue to rely on ADCs stuffed with cryptographic acceleration hardware for <strong>SSL</strong><br />
decryption.<br />
Sites that have significant amounts of <strong>SSL</strong> traffic need to be aware of this particular<br />
problem: What happens if the primary ADC stops receiving traffic and the secondary has<br />
to pick up all those active connections?<br />
Administrators may say they’d like the secondary device to resume each session exactly<br />
where the primary left off. In practicality, a seamless “<strong>SSL</strong> failover” like this is a very difficult<br />
problem to solve. In fact, the industry hasn’t yet standardized a solution. <strong>F5</strong> customers have<br />
three options to choose from for <strong>SSL</strong> failover. Two have very similar names: <strong>SSL</strong> session<br />
mirroring and <strong>SSL</strong> connection mirroring. The third, <strong>SSL</strong> session tickets, is relatively new.<br />
<strong>SSL</strong> session mirroring<br />
Recall that an <strong>SSL</strong> session is the set of state information that describes an individual <strong>SSL</strong><br />
connection between a client and a server. This state information can be mirrored between<br />
BIG-IP devices in a traffic group. When session information is mirrored, a client can connect<br />
to any device in the group and resume the <strong>SSL</strong> session, avoiding the expensive and<br />
higher-latency full <strong>SSL</strong> handshake.<br />
Figure 5: <strong>SSL</strong> session mirroring enables resumption of an <strong>SSL</strong> session on any device in the group<br />
<strong>SSL</strong> session mirroring is relatively straightforward and controlled by two knobs. The first<br />
control is to toggle a system variable named statemirror.secure. Through the command<br />
line interface, an administrator can issue the following command:<br />
(tmos)# modify sys db statemirror.secure value enable<br />
22
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
This must be done prior to creating <strong>SSL</strong> profiles that include the new <strong>SSL</strong> session mirroring<br />
attribute, and on all units in the cluster. It will cause the mirroring channel to drop and<br />
reestablish.<br />
The second control is to enable the <strong>SSL</strong> mirroring attribute in the clientssl profile associated<br />
with the application’s virtual server.<br />
Figure 6: Enabling the <strong>SSL</strong> session mirroring attribute in the clientssl profile<br />
The attribute can also be set with this command:<br />
(tmos)# modify ltm profile client-ssl test1 session-mirroring enabled<br />
Both the check box and the TMSH command will warn if the statemirror.secure variable<br />
discussed above has not been set.<br />
<strong>SSL</strong> connection mirroring<br />
The second and more sophisticated approach to mirroring is <strong>SSL</strong> connection mirroring—a<br />
method administrators often think they want. Connection mirroring takes session mirroring<br />
one step further: Connections to a virtual server that has connection mirroring enabled can,<br />
in theory, be continued without interruption or restarted by any device in the device group.<br />
In reality, ADC administrators have found that connection mirroring (<strong>SSL</strong> or otherwise) is<br />
largely unnecessary due to the stateless and temporal nature of HTTP. The performance<br />
cost and additional latency added by full connection mirroring is rarely worth the benefit of<br />
fully mirrored connections for HTTP. This means that the number of valid applications for<br />
connection mirroring is a very small number indeed, and most <strong>F5</strong> customers use it only for<br />
specific applications, such as long-term VPN tunnels.<br />
<strong>SSL</strong> connection mirroring has the following restrictions:<br />
• <strong>SSL</strong> connection mirroring is not compatible with the HTTP profile.<br />
• Server side <strong>SSL</strong> connection mirroring is not supported.<br />
• DTLS connection mirroring is not supported.<br />
23
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
• <strong>SSL</strong> connection mirroring is incompatible COMPAT ciphers.<br />
• Multiple failover is not supported.<br />
• Failback is not supported.<br />
• iRules should not be applied to a virtual server using <strong>SSL</strong> connection mirroring.<br />
• The database variable statemirror.secure must be enabled.<br />
<strong>F5</strong> recommended practices for <strong>SSL</strong> connection mirroring<br />
• Only enable <strong>SSL</strong> connection mirroring for long-lived, non-HTTP sessions.<br />
• Under high connection rates, viewing tmctl ha_stat may show “overflows”<br />
incrementing. To mitigate this problem, change the database variable<br />
statemirror.queuelen to 256M.<br />
• If connections are occasionally lost on reset, enable the database variable<br />
statemirror.verify, which will take an extra step to verify the successful mirroring<br />
of each packet during normal transactions.<br />
<strong>SSL</strong> session tickets<br />
The final option for mirroring is the use of a feature that’s relatively new to the world of <strong>SSL</strong>:<br />
called session tickets, it is defined by RFC 5077. <strong>SSL</strong> session tickets work like TCP syncookies.<br />
The server (the BIG-IP device in the cases of <strong>SSL</strong> bridging or <strong>SSL</strong> termination)<br />
can take the state information associated with the client connection, encrypt it, give it to<br />
the client (as a ticket), and then forget it.<br />
When returning with a new connection, the client can present the encrypted session ticket<br />
to the BIG-IP device, which will decrypt it and—voila!—the BIG-IP device has the needed<br />
session information and can resume that session without remembering everything.<br />
<strong>SSL</strong> session tickets make the session stateless for the ADC. This has three benefits:<br />
• The session can be resumed by a different BIG-IP device.<br />
• Sessions take less memory per connection.<br />
• The BIG-IP devices become more resilient against session-based denial-of-service<br />
(DoS) attacks.<br />
Not all browsers and clients support TLS session tickets yet. Currently, a virtual server, if it<br />
wants broad reach, must implement both session caching and <strong>SSL</strong> session tickets. For<br />
administrators, having to manage both negates some of the benefit of <strong>SSL</strong> session tickets.<br />
24
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
The good news is that browsers and other TLS clients are upgrading quickly and becoming<br />
compatible with session tickets.<br />
<strong>F5</strong> recommended practices for all <strong>SSL</strong> mirroring:<br />
• Use both <strong>SSL</strong> session mirroring and <strong>SSL</strong> session tickets for inbound data center<br />
and enterprise applications.<br />
• A smaller number of organizations may want to use <strong>SSL</strong> connection mirroring, but<br />
only for applications with exclusively low-bandwidth, long-lived, non-HTTP<br />
connections.<br />
• Applications that are under extreme memory strain due to circumstances such as<br />
<strong>SSL</strong> connection floods should use session tickets exclusively.<br />
Cipher agility<br />
Handshake ciphers: RSA vs. DSA vs. ECC<br />
Since the beginning of the <strong>SSL</strong> protocol, RSA has been the main choice for key exchange.<br />
Over time, as brute force attacks became more feasible, RSA key lengths had to become<br />
longer. Today the RSA keys are so large that the key exchange is a very computationally<br />
expensive operation. Elliptic curve cryptography (ECC), a newer variant of asymmetric<br />
cryptography, promises to provide equivalent security with much shorter keys and a<br />
correspondingly lower demand for computing resources for key exchange.<br />
Figure 7: The relative key lengths of RSA (factoring modulus) and ECC<br />
Source: www.keylength.com<br />
25
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
The digital signature algorithm (DSA) standard was proposed by the National Institute of<br />
Standards in 1991 and has become a U.S. government standard. A site that interacts with<br />
federal agencies may have a need for DSA. DSA key length is the same as for RSA.<br />
RSA is ubiquitous, DSA is used by sites interacting with federal agencies, and ECC is poised<br />
to become the standard in the future. Which type of certificate should a site support?<br />
The BIG-IP platform can support all three simultaneously on a single virtual server. Every<br />
BIG-IP virtual server must have at least an RSA certificate, but can also have a DSA<br />
certificate and an ECC certificate (called ECSDA).<br />
<strong>F5</strong> recommended practices for handshake cipher selection:<br />
• Configure new virtual servers for both RSA and ECC handshakes. Administrators will<br />
likely know if they already have a DSA requirement.<br />
• To support multiple certificates:<br />
1. First, upload the certificates to the BIG-IP device. In the client <strong>SSL</strong> profile, select<br />
the new files from the Certificate, Key, and Chain drop-down lists as appropriate.<br />
Figure 8a: Adding an ECDSA key to the client <strong>SSL</strong> profile<br />
2. Next, click Add to add the certificate and key to the Certificate Key Chain.<br />
Figure 8b: Adding the certificate and key to the key chain<br />
26
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
3. Under Ciphers, place a colon after DEFAULT and then list which ECC ciphers to<br />
support.<br />
Figure 8c: Indicating support for ECDHE-RSA-AES128-GCM-SHA256<br />
4. Use the following cipher string names to enable the following groups of ciphers:<br />
ECDHE, ECDHE_ECDSA, ECDH_ECDSA, DHE and DHE_DSS<br />
5. Save the configuration by clicking Update.<br />
At this point the BIG-IP device will provide both RSA and ECDSA certificates to any<br />
connecting client.<br />
Disabling <strong>SSL</strong>v3<br />
<strong>SSL</strong>v3 is no longer secure, as demonstrated by the POODLE attack in 2014. Google has<br />
removed fallback support in Chrome, and RFC 7568 deprecates its use. <strong>SSL</strong>v3 should no<br />
longer be used by client software. Applications that comply with the PCI DSS specification<br />
must discontinue use of <strong>SSL</strong>v3 and TLSv1 when PCI 3.0 takes effect in mid-2016. New<br />
PCI DSS deployments must already be disabling <strong>SSL</strong>v3 and TLSv1.<br />
In version 12.0 of the BIG-IP system, <strong>F5</strong> has removed the <strong>SSL</strong>v3 protocol from the DEFAULT<br />
cipher string. That is, any virtual server using a clientssl profile with the cipher string<br />
DEFAULT will not accept client connections with <strong>SSL</strong>v3. Some administrators use a custom<br />
cipher string for each clientssl profile, preserving the cipher list from version to version. For<br />
example, an administrator running version 11.6 might have defined a cipher string like this:<br />
‘TLSv1_2+AES256:SHA256:TLSv1_1:TLSv1:-RC4:<strong>SSL</strong>v3+RC4:!DES:!EXPORT’<br />
Obviously, the way to remove <strong>SSL</strong>v3 from this cipher string would be to delete the<br />
‘:<strong>SSL</strong>v3+RC4’ phrase. Before removing <strong>SSL</strong>v3, the administrator may want to know if the<br />
site is processing a significant amount of <strong>SSL</strong>v3 traffic. An administrator can determine the<br />
percentage of version 3 <strong>SSL</strong> connections by querying the clientssl profile statistics on the<br />
device. The statistics aren’t attached to the application’s virtual server; they are collated at<br />
the associated clientssl profile.<br />
27
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
Suppose that an administrator has a created a clientssl profile named ssl-exchange-2.<br />
Query the protocol counters via the following TMSH command:<br />
(tmos)# show ltm profile client-ssl ssl-exchange-2<br />
<strong>F5</strong> recommended practices for <strong>SSL</strong>v3<br />
• Prepare to disable <strong>SSL</strong>v3 and TLSv1.<br />
• Use this nmap script to locate any servers on the network that are still negotiating<br />
<strong>SSL</strong>v3.<br />
More information on tracking <strong>SSL</strong>v3 use on <strong>F5</strong> devices can be found on DevCentral.<br />
Figure 9: Support for <strong>SSL</strong>v3 after the POODLE attack (blue = Internet, red = <strong>F5</strong> devices)<br />
Key Management<br />
G.K Chesterson once opined, “An adventure is only an inconvenience rightly considered.<br />
An inconvenience is only an adventure wrongly considered.” So it is with the oft-maligned<br />
art of certificate management. Some may consider it an inconvenience, but….<br />
Who are we kidding? There is no way to make key management sexy. With some patience,<br />
however, a veteran system administrator can take some of the adventure out of a task that<br />
is fraught with operational and security pitfalls.<br />
28
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
Certificate expiration notification<br />
Certificate expiration notification may seem like an arcane tidbit not worthy of the first<br />
position in a certificate management discussion. Over a decade, however, the solution to<br />
certificate expiration has been requested from <strong>F5</strong> far more often than any other vexing little<br />
problem.<br />
This issue comes out of this scenario: BIG-IP LTM is delivering hundreds of websites and<br />
applications for an enterprise. Some subset of those, still in the hundreds, is <strong>SSL</strong>-enabled.<br />
Each of these has its own certificate, and each certificate has its own expiration date. On<br />
any given week, one or more certificates may expire, which will cause the associated<br />
website or application to become unavailable.<br />
So how does an administrator stay on top of this whack-a-mole game of expiring<br />
certificates?<br />
There are a couple of recommended ways to monitor expiring certificates on the BIG-IP<br />
platform. However, most administrators of medium to large organizations prefer an external<br />
certificate management system because the organization has keys and certificates in many<br />
locations, not only on the BIG-IP system. In particular, <strong>F5</strong> customers have had success with<br />
two external solutions: Venafi and Symantec.<br />
The following tmsh sys crypto check-cert command was designed specifically to check<br />
for expiring certificates.<br />
(tmos)# run sys crypto check-cert<br />
CN=www.sconats.com,OU=Domain Validated,OU=Thawte <strong>SSL</strong>123 certificate, in file /<br />
Common/sconats_rsa.crt expired on Mar 12 23:59:59 2015 GMT<br />
CN=192.168.2.55,OU=Marketing,O=<strong>F5</strong> Networks,L=Loveland,ST=Colorado,C=US in file /<br />
Common/3bd_rsa_1k.crt expired on Apr 30 23:57:36 2015 GMT<br />
The check-cert command will scan through all of the known certificate objects on the<br />
system. By default, check-cert will log expired or expiring certificate subject names to the<br />
/var/log/ltm file and print them to standard output. Users with the administrator, system<br />
manager, or certificate administrator role can run the check-cert command.<br />
<strong>F5</strong> recommended practices for certificate expiration notice:<br />
• To manage certificates across an enterprise, explore external certificate management<br />
systems from Venafi and Symantec.<br />
• Audit not just for expiring certificates, but also certificates with weak signatures (MD5<br />
or SHA1) and weak keys (1024-bit).<br />
29
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
• Use the check-cert command to monitor for expiration. For a full description of<br />
check-cert, run the ‘help’ command:<br />
(tmos)# help sys crypto check-cert<br />
• The check-cert command is automatically run once a week on the BIG-IP system.<br />
When check-cert finds expiring or expired certificates, it will write the messages to<br />
/var/log/ltm. The administrator can then create a custom SNMP trap to have the<br />
BIG-IP system email any results. Solution 3667 has instructions on creating custom<br />
SNMP traps.<br />
• Read more information about certificate expiration monitoring in Solution 14318:<br />
Monitoring <strong>SSL</strong> Certificate Expiration on the BIG-IP System.<br />
The certificate manager role<br />
Large enterprise organizations with 10,000 or more employees usually have dedicated<br />
security teams, and often they will have a person or persons whose primary job is<br />
certificate management. Typically these individuals are not on the network operations team,<br />
are not necessarily privy to the details of network architecture, and are not empowered to<br />
change the configuration on network-critical devices such as load balancers or ADCs.<br />
It is for these individuals that the certificate manager role was developed. These users can<br />
be assigned to the certificate manager role when they authenticate to the BIG-IP system.<br />
The role has management access only to objects related to certificates and key<br />
management systems.<br />
Figure 10: Assigning the certificate manager role<br />
A user with certificate manager role can:<br />
• Generate and import <strong>SSL</strong> keys and certificates.<br />
30
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
• Delete <strong>SSL</strong> keys and certificates.<br />
• Manage on-board hardware security module (HSM) subsystems.<br />
• Configure expiration notifications for certificates.<br />
• Manage device certificates.<br />
• Manage the <strong>F5</strong> Secure Vault key protection feature.<br />
The certificate manager cannot make network changes or modify any aspect of<br />
applications managed by the BIG-IP platform.<br />
Key protection<br />
<strong>SSL</strong> keys are among an IT organization’s most prized assets. An attacker who gained<br />
possession of a target’s <strong>SSL</strong> key could impersonate the target’s applications and create<br />
the ultimate phishing portal.<br />
Because of this, organizations treat their <strong>SSL</strong> private keys very, very seriously. Many<br />
security architectures are designed to keep <strong>SSL</strong> private keys deep inside the data center,<br />
away from the perimeter, to minimize possible threat exposure.<br />
BIG-IP devices handle a large portion of data center <strong>SSL</strong> traffic and often retain dozens of<br />
high-value <strong>SSL</strong> keys. Certificate managers and administrators need ways to deploy <strong>SSL</strong><br />
keys onto the BIG-IP devices while minimizing their exposure.<br />
BIG-IP devices use three methods to minimize exposure of plaintext <strong>SSL</strong> keys. Two of<br />
these involve the FIPS 140-2 standard.<br />
FIPS 140-2 standard<br />
FIPS 140-2 is a United States federal standard defining requirements for advanced key<br />
protection in software and hardware systems. FIPS 140-2 consists of four security levels:<br />
Level Security Description<br />
1 Basic At least one of the approved algorithm; rare<br />
2 Tamper-evident Typically a software implementation and a sticker<br />
3 Tamper-resistant Physical key protection and user authentication<br />
4 Tamper-resistant II Very sensitive physical protection<br />
Some organizations with an interest in FIPS 140-2 will find that the second level meets their<br />
requirements. Other organizations with more sensitive data may require the physical key<br />
31
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
protection provided by level 3 devices, which are called hardware security modules (HSMs).<br />
Often level 3 devices are operated in level 2 mode to absolve the HSM user (often called<br />
the security officer) from having to log in to the device after every reboot.<br />
Integrated FIPS 140-2 HSM<br />
The HSM is a clever piece of technology. Integrated HSM devices are hardware boards<br />
designed for insertion into an appliance. <strong>SSL</strong> keys are generated within, or imported to, the<br />
HSM. Ever after, the keys cannot be exported from the HSM. The controlling software (for<br />
instance, the BIG-IP system) uses the HSM as an <strong>SSL</strong> accelerator, offloading to it<br />
decryption requests.<br />
Each HSM component has a rigorous design, testing, and certification schedule. As a<br />
result, the performance of all HSM units is typically not equal to that of non-HSM <strong>SSL</strong><br />
accelerators.<br />
Specific <strong>F5</strong> hardware platforms have the HSM integrated directly onboard the system; find<br />
more information in the BIG-IP Platform FIPS Administration Guide. Organizations interested<br />
in the integrated HSM option must procure one of these specific platforms; the HSM option<br />
cannot be added to an existing non-HSM appliance.<br />
Platform<br />
<strong>SSL</strong> TPS<br />
10200v 9000<br />
7200v 9000<br />
5250v 5000<br />
Platforms based on the <strong>F5</strong> VIPRION ® ADC do not have an HSM option. The <strong>F5</strong> Virtual<br />
Clustered Multiprocessing technology (vCMP) is not compatible with integrated FIPS<br />
HSMs.<br />
Network HSM key protection<br />
The FIPS 140-2 level 3 HSMs have evolved to become standalone devices called network<br />
HSM or netHSM devices. These devices reside on a network and service requests from<br />
other appliances on or across the network. Many organizations are moving to architectures<br />
that consolidate key management into a single cluster of network HSM devices.<br />
<strong>F5</strong> supports integration with, and provides integration guides for, two brands of network<br />
HSM devices: Thales and Safenet.<br />
32
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
<strong>F5</strong> recommended practices for FIPS 140-2:<br />
• In high-security environments, use FIPS 140-2 options that include either an onboard<br />
HSM or a network-based HSM solution such as those from Thales and SafeNet.<br />
• Plan for HSM failure contingencies. With integrated HSM devices, the situation can<br />
be recovered with the security officer password. Take care to keep and secure this<br />
password.<br />
• Create a contingency plan for the failure of both HSMs in a two-device cluster.<br />
Typically this plan will call for additional HSM units to function as backups.<br />
• Generate <strong>SSL</strong> private keys within the HSM for maximum security. However, some<br />
administrators choose to generate the keys on a separate device. That key<br />
generation device should have a hardware random number generator and should<br />
be in a safe location in the network.<br />
• The FIPS 140-2 specification requires the use of specific ciphers. Use following<br />
cipher string to ensure that these ciphers get preference:<br />
NATIVE:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:!<strong>SSL</strong>v3:!TLSv1:!EXPORT:!DH:!ADH:!LOW:!MD5:!RC4:<br />
RSA+AES:RSA+3DES:@STRENGTH<br />
• Monitor the number of transactions per second (TPS) of a BIG-IP device using<br />
SNMP. There is no direct SNMP OID to monitor FIPS 140-2 TPS, but we can<br />
calculate the FIPS TPS using several OID. In addition, if all clientssl profile on the<br />
BIG-IP system are using keys of the security type FIPS, then the following OID can<br />
be used, since it represents the TPS for the entire system: <strong>F5</strong>-BIGIP-SYSTEM-MIB::sy<br />
sClientsslStatTotNativeConns<br />
• Query the TPS for any individual clientssl profile via an OID named for the profile<br />
itself:<br />
<strong>F5</strong>-BIGIP-LOCAL-MIB::ltmClientSslStatTotNativeConns.”/Common/yourprofile1”<br />
Software key protection<br />
All non-FIPS <strong>F5</strong> appliances can protect passphrase-encrypted keys by storing only the<br />
encrypted key on disk. The key that protects the encrypted passphrases is stored in a<br />
chip within the BIG-IP device.<br />
On the disk, a passphrase-encrypted key will have a header that includes the encryption<br />
method:<br />
33
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
-----BEGIN RSA PRIVATE KEY-----<br />
Proc-Type: 4,ENCRYPTED<br />
DEK-Info: AES-128-CBC,3D566DD5B6DCAD115F9969835<strong>F5</strong>3D942<br />
0FbIpHrdPj2ypaVqViLunmNGAn8bOayuoEPALDYOzwzqUSNXUAwwlPgmoqsWAmwL<br />
6Fxhgy7m0w70Whhfm8z6dvT063qWBcBgsT4e5yz8L6sfx/zR2pBcYOjTGJ+YzKGs<br />
UMFXfe/GG9RmDSPNHCsTuSbhJlOC7HrPTHvL/YVTvOa8K7Kqp5aRLE3N4nk5Tobg<br />
…<br />
The passphrases used to decrypt the individual keys are themselves encrypted by an <strong>F5</strong><br />
feature called Secure Vault. The Secure Vault stores its own key in a hardware chip in the<br />
physical appliance.<br />
Secure Vault should not be thought of as “software FIPS.” It is designed merely to ensure<br />
that the <strong>SSL</strong> keys are not stored in plaintext in the configuration. This is especially important<br />
considering that many administrators will periodically store device configuration archives on<br />
backup systems in lower-security zones (such as in the cloud).<br />
<strong>F5</strong> recommended practices for software key protection:<br />
• If FIPS 140-2 is not being used, certificate managers should use passphraseencrypted<br />
<strong>SSL</strong> keys protected by the Secure Vault feature. Passphrase-encrypted<br />
<strong>SSL</strong> keys can be imported to the BIG-IP system directly when included in PKCS 12<br />
file archives. More information can be found by viewing the help for the sys crypto<br />
pkcs12 command:<br />
(tmos)# help sys crypto pkcs12<br />
• Set a specific passphrase to unlock the master key when using the Secure Vault<br />
feature. A specific passphrase enables the manager to later recover all the keys from<br />
a backup file, even if the original hardware key is unavailable. More information about<br />
setting a specific passphrase for Secure Vault can found by viewing the help for the<br />
sys crypto master-key command.<br />
(tmos)# help sys crypto master-key<br />
Revocation verification<br />
The Achilles heel of the public key infrastructure (PKI) has always been defining the process<br />
for handling compromised private keys. The trust system of PKI resides in the chains of<br />
signed public keys. However, when one of the associated private keys is compromised,<br />
there is no easy way to inform the participants of the PKI system. Neither is there an easy<br />
way to revoke a certificate and then distribute the revocation information to all who need it.<br />
34
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
The PKI community has, over time, developed five mechanisms for distributing revocation<br />
information:<br />
1. Do nothing.<br />
2. CRL files.<br />
3. CRL distribution points.<br />
4. OCSP servers.<br />
5. OCSP stapling.<br />
Use Case<br />
Consumer website<br />
Large member website<br />
Large enterprise<br />
Federal<br />
SMB<br />
Revocation Mechanism<br />
OCSP stapling or do nothing<br />
OCSP stapling<br />
CRL distribution points<br />
OCSP servers<br />
CRL files<br />
Each certificate has a serial number designated by the issuing certificate authority (CA).<br />
When a CA is informed that a customer’s private key has been stolen or otherwise<br />
compromised, the CA adds the associated certificate’s serial number to a giant signed list<br />
of compromised certificate serial numbers. The list of all bad (untrustworthy) certificates<br />
is signed by the CA itself and periodically published. The BIG-IP platform supports the<br />
certificate revocation list distribution methods described below.<br />
When to use certificate revocation<br />
Certificate revocation is a necessary part of PKI, but that doesn’t mean an <strong>F5</strong> administrator<br />
needs to configure it. For an <strong>F5</strong> administrator, certificate revocation matters most when<br />
verifying a client or server certificate.<br />
In a typical HTTPS session, the client verifies the server’s certificate but not vice versa.<br />
Because the BIG-IP device is usually acting as the HTTPS server, there is usually no need<br />
to configure certificate revocation on it.<br />
The only times certificate verification needs to be configured on a BIG-IP device are:<br />
• When the BIG-IP device is acting as an <strong>SSL</strong> client over an untrusted network. The<br />
paranoid security administrator will, of course, assert that all networks should be<br />
35
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
considered untrusted, but many organizations do maintain different levels of network<br />
trust.<br />
• When the BIG-IP device is acting as an <strong>SSL</strong> server but is also authenticating clients<br />
via <strong>SSL</strong> certificate authentication.<br />
• When the BIG-IP device is acting as an HTTPS server and wants to provide its<br />
revocation status to connecting clients via OCSP stapling.<br />
<strong>F5</strong> recommends practices for each revocation method use case shown in Figure 13.<br />
Method 1: Certificate revocation lists<br />
The oldest mechanism for the distribution of compromised certificate serial numbers is<br />
simply a serial file called a certificate revocation list (CRL, sometimes pronounced “krill”).<br />
The file is signed by the associated CA and made available on an FTP or web server.<br />
Interested parties can download the file and make it available offline to their web server<br />
or ADC.<br />
Using straight-up CRL files is the most architecturally straightforward revocation distribution<br />
method, but it is also most error prone. Common errors include:<br />
• Difficulty retrieving the CRL file (for example, due to network errors).<br />
• Growth in CRL file size, consuming resources.<br />
• Corrupt CRL files, which happens more often than you might think.<br />
• Bad or unverifiable CA signatures on CRL files, which are also disturbingly frequent.<br />
In addition, BIG-IP devices have limitations on the maximum size of CRL files. The following<br />
table shows the maximum size supported by each version of the BIG-IP system.<br />
BIG-IP System Version<br />
Max CRL File Size<br />
12.0 64 MB<br />
11.4.0 – 11.6.0 64 MB<br />
11.0.0 – 11.3.0 32 MB<br />
10.0.0 – 10.2.4 4 MB<br />
For all of these reasons, straight-up CRL files are not a popular distribution mechanism.<br />
But there can be times when CRL files make sense.<br />
36
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
<strong>F5</strong> recommended practices for CRL file use:<br />
• Use only for private certificate authorities such as an internal IT CA or test CA.<br />
• Use only for small sets (less than 100,000) of revoked certificates.<br />
• Automate the process of retrieving the CRL file from the certificate authority.<br />
• Ensure that the CRL file is properly verified, not 0 length, includes a proper signature,<br />
and hasn’t expired.<br />
• Convert the file, if necessary, to the required PEM format.<br />
• Finally, copy the validated and converted CRL file to the BIG-IP device and instruct<br />
the device how to use it.<br />
Historically, administrators that rely on CRL files have found it better to develop an<br />
automated process on an external device (not the BIG-IP device itself) for CRL file updates.<br />
The reason for the external device is that many BIG-IP devices are never assigned a DNS<br />
server (so they can never be susceptible to frequent DNS failures). It is not uncommon for<br />
a CA to change the IP addresses of their CRL servers, which becomes problematic for the<br />
BIG-IP device because it cannot resolve the CRL server name.<br />
Certificate administrators who want the BIG-IP device to download and verify the CRL file<br />
can use a single command:<br />
(tmos)# modify sys file ssl-crl gdcrl source-path http://godaddy.com/repository/<br />
gd.crl<br />
Use the <strong>F5</strong> iCall ® technology subsystem to schedule the update periodically. (Special<br />
thanks are due to Matthieu Dierick for the iCall script.)<br />
create sys icall script CRL<br />
sys icall script CRL {<br />
app-service none<br />
definition {<br />
tmsh::modify sys file ssl-crl gdcrl source-path \<br />
https://godaddy.com/repository/gd.crl<br />
puts “loading CRL”<br />
}<br />
description none<br />
events none<br />
}<br />
create sys icall handler periodic START first-occurrence 2013-12-06:16:15:00<br />
interval 30 script CRL<br />
37
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
While the iCall feature is an excellent solution when run on a BIG-IP device, many<br />
administrators use a dedicated device (such as a standard Linux server) with a bash script<br />
to update many CRLs at once. The DevCentral Codeshare includes an example of such a<br />
script.<br />
Method 2: OCSP<br />
The PKI community developed a protocol that would provide the same information given by<br />
a CRL file but in a simple request-response fashion. The OCSP is designed so that a client<br />
can request the status of any particular certificate via its serial number and get a response<br />
from an agent of the CA. Typically these agents are separate servers (called OCSP servers<br />
or OCSP responders).<br />
A modern CA will publish the URL to its associated OCSP server within its own CA<br />
certificate. For example, Digicert lists its OCSP server as ocsp.digicert.com.<br />
Figure 11: An example of OCSP information for a CA<br />
38
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
While OCSP was originally seen as a giant step forward from dealing with clunky CRL files,<br />
administrators have since realized that OCSP is imperfect for different reasons:<br />
• Querying a separate OCSP server for each connection increases latency and leads<br />
to a degraded browsing experience.<br />
• OCSP servers are not typically provisioned for high availability situations. This is<br />
noticeable in that the servers are not reachable 100 percent of the time. Therefore<br />
browsers have learned to “fail open” with OCSP—meaning that if they cannot<br />
successfully connect to an OCSP server, they will proceed with the connection<br />
anyway.<br />
• Attackers have found interesting, trivial ways to defeat OCSP. A simple DoS attack<br />
against the OCSP server will work. So will sending the number 3 during a man-inthe-middle<br />
attack.<br />
For these reasons (and particularly the first), modern browsers are starting to ignore OCSP<br />
servers and aggregating the various CA CRL databases.<br />
With all that said, there are still valid use cases for OCSP. For example, military networks<br />
have trusted subnets and requirements to use OCSP servers. In these cases, where<br />
attackers theoretically cannot perform a simple DoS of the OCSP nor man-in-the-middle<br />
its traffic. For these cases, <strong>F5</strong> has the following recommendations for configuring OCSP.<br />
<strong>F5</strong> recommended practices for OCSP servers:<br />
• Instead of using a single OCSP server, use an OCSP responder pool to maximize<br />
availability.<br />
• Use an OCSP monitor to monitor the health of your OCSP servers.<br />
• Consider OCSP with a CRL fallback for those times when OCSP servers are down.<br />
(Note that this achieves maximum operational complexity.)<br />
Method 3A: OCSP stapling for clients<br />
A much faster and more interesting mechanism derived from OCSP is called stapling. When<br />
a PKI client sends an OCSP request about a particular certificate, what the client is looking<br />
for is a response that says, “The certificate is good” or “The certificate is revoked.” This<br />
response must be signed by the OCSP server. Because the OCSP server asymmetrically<br />
signs the message, it doesn’t really matter which device delivers the signed message!<br />
Therefore the message can simply be blended into the <strong>SSL</strong> handshake by the ADC.<br />
39
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
Figure 12: OCSP stapling, in which the client doesn’t have to communicate with the OCSP responder<br />
RFC 4366 defines a TLS extension whereby the TLS server itself can fetch that signed<br />
message and then present it along with its certificate to the client. In this fashion, the client<br />
receives the certificate and the status message saying that the certificate is valid without<br />
having to connect to a separate server. The OCSP status message includes a recent time<br />
stamp so the client has some assurance that the status is fresh. The status response from<br />
the OCSP server is cached by the server and then “stapled” into each connection from the<br />
client. For the HTTPS client, the HTTPS server, and the OCSP responder, OCSP stapling is<br />
the best of all worlds.<br />
OCSP stapling is different from the other verification methods because the act of stapling<br />
assists the party trying to verify the certificate used by the BIG-IP device. Consider it a<br />
courtesy to clients connecting to the application or service.<br />
<strong>F5</strong> recommended practices for OCSP stapling for clients:<br />
• Enable OCSP stapling on the BIG-IP device by defining the appropriate objects in<br />
the <strong>SSL</strong> profile configuration.<br />
• Use the <strong>SSL</strong> Labs tool to test that OCSP stapling is working.<br />
• Build a script that uses the openssl s_client –status command to check the status,<br />
then add the script to an automated process to ensure it works over time.<br />
40
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
• OCSP stapling implementations may vary depending on the registrar, and<br />
organizations often use more than one registrar. Validate your OCSP stapling<br />
configuration for each registrar you use.<br />
Method 3B: OCSP stapling for servers<br />
An administrator can be forgiven for assuming that the BIG-IP device will simply check for<br />
OCSP stapling when using server-side <strong>SSL</strong> profiles. It does not. There’s actually a reason<br />
for that: Traditionally, IT administrators use only IP addresses for server pool members to<br />
avoid outages on DNS errors. This means that, strictly speaking, the BIG-IP device cannot<br />
perform real server certificate verification because it cannot match the IP address to the<br />
certificate’s DNS name. Typically those administrators will trade the security of a verified<br />
serverssl connection in favor of high availability by implicitly trusting that portion of the<br />
network. While that might not be the most secure strategy, it is a common one.<br />
Even where strict certificate verification is unavailable, it is still possible to check for OCSP<br />
revocation via stapling. Using what is called an external monitor, an administrator can check<br />
the revocation status of <strong>SSL</strong> server pool members and then mark them down if they get<br />
revoked. For organizations that use only IP addresses at their ADC, this may be the<br />
preferred approach.<br />
<strong>F5</strong> recommended practices for OCSP stapling for servers:<br />
• Use a BIG-IP device “external monitor” to examine OCSP responses stapled into<br />
serverssl connections. External monitors are defined in the Local Traffic section of<br />
the configuration.<br />
• This DevCentral Codeshare script is an example of an external monitor that can be<br />
used to mark a node down when its certificate status is revoked.<br />
• Note that it is better to look for the specific revoked status, and, if absent, mark<br />
the node as up. This is because there are many reasons a node may be unable to<br />
respond, commonly including being down for maintenance. The TCP monitor can<br />
mark that node as down.<br />
Method 4: CRL distribution points<br />
The fourth and final method of checking for certificate revocation is CRLDP, a way of using<br />
existing corporate directories as revocation checkpoints. The technology is fairly mature,<br />
especially when used in an Active Directory environment. CRLDP is typically used for client<br />
certificate authentication in enterprise environments with BIG-IP ® Access Policy Manager ® .<br />
41
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
CRLDP can also be sometimes be found in the inbound retail deployment scenario. For<br />
example, the certificate authorities GoDaddy and Entrust issue certificates with CRLDP<br />
information embedded in their X509 data.<br />
<strong>F5</strong> recommended practices for CRLDP:<br />
• Verify that your BIG-IP device is configured to use DNS and not simply IP addresses.<br />
• A BIG-IP device using CRLDP must, of course, have a route to the CRLDP servers.<br />
If the CRLDP servers are on the Internet, the BIG-IP device must have an outbound<br />
Internet route.<br />
• Check the size of the CRLs to confirm that they are not too large for the BIG-IP<br />
system. (See the table on p. 36.)<br />
Visibility and Control<br />
Security management depends partly on visibility into traffic—or the ability to provide that<br />
visibility to security devices such as web application firewalls (WAFs)— so that it may be<br />
screened for known threats. Of course, <strong>SSL</strong> by definition obscures data. So how does an<br />
administrator gain the visibility to make the best use of his or her security investments?<br />
Several approaches maintain security while effectively revealing malicious traffic.<br />
<strong>SSL</strong> and the OWASP Top Ten<br />
The Open Web Application Security Project (OWASP) categorizes and rates classes of<br />
application vulnerabilities every year into its OWASP Top 10 list. One of the highest priority<br />
classes of vulnerabilities is “insufficient transport security,” by which the OWASP group<br />
means not enough <strong>SSL</strong>.<br />
One use case for providing transport security to an application is via <strong>SSL</strong> termination and<br />
then sending the decrypted traffic through a WAF. a device specifically engineered to foil<br />
application attacks such as those found in the OWASP Top Ten. One effect of <strong>SSL</strong> bridging<br />
mode, where the ADC decrypts incoming traffic and then re-encrypts the traffic before it<br />
leaves the ADC, is that the ADC becomes the singular place where an application firewall<br />
can be deployed.<br />
While <strong>SSL</strong> termination and bridging are the primary technologies used to provide visibility<br />
into <strong>SSL</strong> for application security solutions like a WAF, there is a third way. The BIG-IP device<br />
can be configured to eavesdrop on an encrypted session between an incoming connection<br />
and a back-end server. This functionality is referred to as proxy<strong>SSL</strong>. One of the only<br />
cases where proxy<strong>SSL</strong> is preferred is when a back-end server requires client certificate<br />
42
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
authentication, since client certificate authentication to the back-end server is incompatible<br />
with <strong>SSL</strong> termination and bridging at the BIG-IP device.<br />
With proxy<strong>SSL</strong>, the BIG-IP device shares the same key and certificate as the back-end<br />
server, and the browser completes the handshake (including client certificate authentication)<br />
with the back-end server. The BIG-IP device can then decrypt the session key (because it<br />
shares the same key and certificate as the server). The ADC uses the session key to decrypt<br />
the rest of the session and forwards the decrypted payloads to a security device like a WAF.<br />
The security device can then inspect and report on the content.<br />
The use of proxy<strong>SSL</strong> should be restricted to this specific case. Because proxy<strong>SSL</strong> requires<br />
a shared-key environment, it is ultimately incompatible with the likely security roadmap of<br />
the TLS protocol: Forward secrecy was designed to foil systems exactly like this and is<br />
already preferred by over 60 percent of Internet web sites.<br />
<strong>F5</strong> recommended practices for application security visibility:<br />
• Use <strong>SSL</strong> termination or <strong>SSL</strong> bridging to provide inbound visibility to an application<br />
security device like a WAF.<br />
• If proxy<strong>SSL</strong> is required to maintain client certificate authentication to the back-end<br />
web server, configure the server to use only RSA-based ciphers. Avoid forward<br />
secrecy because it breaks shared-key systems like proxy<strong>SSL</strong>.<br />
• When proxy<strong>SSL</strong> is used with a WAF, the WAF can find malicious traffic and then<br />
signal the ADC to block those connections. The only way to block at this point is to<br />
send a reset (RST) packet to the client to kill its connection.<br />
• Ensure that local logging is not used for production systems. High-speed logging to<br />
remote logging servers or SIEMs is preferred.<br />
<strong>SSL</strong> outbound visibility<br />
The outbound <strong>SSL</strong> deployment scenario for the ADC is a relatively new, but rapidly growing,<br />
phenomenon. This deployment scenario has been driven by enterprises with a need to<br />
monitor and sanitize their outbound web traffic in attempts to mitigate advanced persistent<br />
threats (APTs). A typical APT will start with a spear phishing campaign to introduce malware<br />
tailored specifically to invade a single organization. Some of the most damaging penetrations<br />
of the last five years have been as a result of APT activity, including the infamous 2011 breach<br />
of the world’s premiere security brand, RSA. (Search for Anatomy of an Attack on the RSA<br />
blog).<br />
43
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
These spear phishing campaigns begin with a series of emails injecting infected PDF, Word,<br />
or Excel files or simply enticing links that result in a malware download. The initial malware<br />
drop may be very quiet, performing only a few simple tasks such as keystroke logging or<br />
email address book collection.<br />
The attackers can then build on their received intelligence to patiently infiltrate further into<br />
the target over months or even years.<br />
Figure 13: The APT life-cycle<br />
Source: Creative commons license, Dell SecureWorks<br />
Detecting the subtle activity of spear phishing and malware activity is among the top<br />
priorities of security administrators today. High-profile technologies such as sandboxing<br />
and next-generation firewalls (NGFW), which have been developed to assist administrators<br />
in detecting these threats, are being rapidly adopted. Administrators deploy the security<br />
devices in a chain so they can complement each other (known as defense-in-depth).<br />
The next problem to solve is the fact that these new technologies are often blind to<br />
encrypted traffic. Malware and spear phishing authors know this and are very quickly<br />
moving to encrypt all communication between their malware and the outside world.<br />
Security analysts estimate that by 2017, 100 percent of new malware will use <strong>SSL</strong> to hide<br />
its tracks.<br />
44
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
A deployment scenario sometimes called an <strong>SSL</strong> air gap or <strong>SSL</strong> intercept is emerging to<br />
address the APT problem and assist the chain of outbound visibility devices (such as<br />
sandboxes). The <strong>SSL</strong> air gap solution typically consists of an ADC on either side of the<br />
visibility chain. The ADC closest to the users decrypts their outbound traffic and sends the<br />
decrypted plaintext through the chain. The chain, which can now see the content, applies<br />
policy and controls to the plaintext, detecting and sanitizing spear phishing and malware. At<br />
the other end of the chain, another ADC re-encrypts the traffic as it leaves the data center.<br />
In some cases, instead of going through a second ADC, the traffic can be looped back to<br />
be re-encrypted by the first ADC.<br />
Internal<br />
Clients<br />
Encrypted<br />
LTM<br />
AFM<br />
Unencrypted<br />
Inspection Air Gap<br />
Unencrypted<br />
LTM<br />
Encrypted<br />
<strong>SSL</strong>/TLS<br />
Internal<br />
BIG-IP LTM<br />
(ingress)<br />
Security Device(s)<br />
External<br />
BIG-IP LTM<br />
(egress)<br />
<strong>SSL</strong>/TLS<br />
Internet/Public<br />
Protected sites<br />
Figure 14: The <strong>SSL</strong> air gap use case<br />
The <strong>F5</strong> solution for <strong>SSL</strong> outbound visibility is an <strong>F5</strong> iApps ® template for the <strong>SSL</strong> air gap.<br />
The template, with its detailed deployment guide, helps an administrator set up the<br />
necessary configuration items to decrypt and then re-encrypt the outbound traffic.<br />
This air gap iApp template will work with BIG-IP versions 11.4.0 through 12.0 and above,<br />
and customers are already using the <strong>F5</strong> air gap iApps template with several partner<br />
technologies. A partial list of those partner solutions includes:<br />
• The <strong>F5</strong> and SourceFire Reference Architecture.<br />
• The <strong>F5</strong> and FireEye Recommended Practices and Deployment Guide.<br />
• The <strong>F5</strong> and WebSense Deployment Guide.<br />
However, there are some nuances that warrant additional discussion. One of these topics<br />
is the issue of what traffic not to inspect, and the other is provisioning hardware resources<br />
within the vCMP subsystem.<br />
Which sites should bypass <strong>SSL</strong> inspection<br />
There are times when an administrator will not want to inspect traffic between a corporate<br />
user and a web site for liability reasons. Chief among these is when a corporate user<br />
visits his or her online banking site. If the enterprise administrator snoops on the user’s<br />
connection and somehow money is incorrectly depleted from the user’s account, the<br />
45
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
administrator could be seen as complicit or liable. Therefore, to reduce this complication,<br />
administrators have learned to whitelist the financial websites. Financial firms have<br />
experienced security teams and entire fraud departments, so their websites are vastly<br />
cleaner than a typical website.<br />
There are a couple of ways to implement such a whitelist for <strong>SSL</strong> bypass.<br />
• Using <strong>F5</strong> URL categorization<br />
Several organizations maintain databases categorizing millions (or even billions) of URLs<br />
and provide this information as a product or service. <strong>F5</strong> provides access to a URL<br />
categorization database through the <strong>F5</strong> Secure Web Gateway Services. Secure Web<br />
Gateway Services users can simply leverage the URL categorization database to instruct<br />
the air gap iApp template not to inspect at financial websites.<br />
• Manually maintaining a whitelist bypass data group<br />
This is the more labor-intensive way to maintain a bypass list. When configuring the iApp<br />
template, enter the name of a data group that contains the list of IP addresses to bypass.<br />
As more addresses that should not be inspected are found over time, they can be manually<br />
added to this list. For smaller, low-touch deployments, this may be a workable option.<br />
<strong>F5</strong> recommended practices for <strong>SSL</strong> air gap egress inspection:<br />
• Use the <strong>F5</strong> URL categorization service to automatically populate the bypass list.<br />
• Use transparent mode instead of explicit mode for the <strong>SSL</strong> air gap inspection.<br />
Explicit proxy mode works better for legitimate clients but ignores malware, making<br />
the transparent mode a requirement.<br />
• The <strong>F5</strong> air gap iApp template offers a choice for dealing with Internet sites with<br />
expired certificates: drop or ignore. There are more expired certificates on the<br />
Internet than you might suspect, so <strong>F5</strong> recommends dropping them, even though<br />
this may increase the number of inaccessible websites. When “ignore” is specified,<br />
expired certificates on the Internet may temporarily become valid when the air gap<br />
rewrites the certificate.<br />
Provisioning <strong>SSL</strong> hardware resources to vCMP<br />
Another intricacy of the air gap solution is resource provisioning. <strong>F5</strong> vCMP is a unique<br />
virtualization-in-a-box platform delivered on higher-end appliances. All VIPRION chassis<br />
systems can be configured with vCMP. In the vCMP system, one of the host processors<br />
runs a special version of TMOS that contains an <strong>F5</strong> hypervisor. The vCMP hypervisor<br />
allows multiple virtual guest operating systems (which must be individual versions of TMOS).<br />
46
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
In this way, a VIPRION system may be shared among different IT units such as networking,<br />
security, and DNS.<br />
Beginning with BIG-IP version 12.0, an administrator can now control if and how <strong>SSL</strong><br />
resources are dedicated within the various guests inside the hypervisor. The following<br />
options are supported:<br />
• Dedicated: The guest will be assigned dedicated <strong>SSL</strong> cores.<br />
• Shared (default): Guests share from a pool of <strong>SSL</strong> cores.<br />
• None: The guest will have no access to <strong>SSL</strong> hardware (for example, BIG-IP DNS).<br />
Figure 15: <strong>SSL</strong> resource dedication options in BIG-IP version 12.0 on the VIPRION chassis.<br />
This functionality is available on the 5000, 7000, 10000, and 12000 platforms, as well as<br />
the B2250 blade.<br />
Mitigating brute force attacks<br />
The complex nature of <strong>SSL</strong> continues to allow it to be an attack vector for distributed<br />
denial-of-service (DDoS) attacks. In addition to complexity, <strong>SSL</strong> by design blinds network<br />
equipment to network traffic. The combination of complexity and blindness of <strong>SSL</strong> makes<br />
47
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
it a target for DDoS attacks. As the volume of legitimate <strong>SSL</strong> traffic continues to increase,<br />
malevolent DDoS traffic becomes more onerous to discern. As a result, good DDoS<br />
defense measures have emerged as climacteric for sites, and <strong>F5</strong> recommendations<br />
address how to best mitigate specific classes of DDoS attacks.<br />
<strong>SSL</strong> renegotiation attacks<br />
<strong>SSL</strong> renegotiation is a feature that allows a client to restart an <strong>SSL</strong> connection. Since the<br />
legitimate uses for <strong>SSL</strong> renegotiation are few and there are several attacks based on <strong>SSL</strong><br />
renegotiation, newer protocols such as HTTP/2 require disabling <strong>SSL</strong> renegotiation.<br />
A single client can perform a DoS attack on a server. The premise of the attack is simple:<br />
An <strong>SSL</strong>/TLS handshake requires at least 10 times more processing power on the server<br />
than on the client. If a client machine and server machine were equal in RSA processing<br />
power, the client could overwhelm the server by sending ten times as many <strong>SSL</strong> handshake<br />
requests as the server could service. This vulnerability exists for all <strong>SSL</strong> negotiations; the<br />
only mitigation is the ratio between the two participants, which is why <strong>SSL</strong> acceleration is<br />
so critical.<br />
<strong>F5</strong> recommended practices to mitigate <strong>SSL</strong> renegotiation attacks:<br />
• If renegotiation is not needed for an application, disable <strong>SSL</strong> renegotiation in the<br />
clientssl profile associated with the virtual server.<br />
• If renegotiation is needed, use the many renegotiation options associated with the<br />
profile, including secure renegotiation, maximum renegotiation counts, and intervals.<br />
See the <strong>SSL</strong> Administration guide for the full list of renegotiation options.<br />
No-crypto brute force attacks<br />
There is a new class of <strong>SSL</strong> attacks tools that could be called no-crypto attack tools. These<br />
new attack tools boost the computational asymmetry between the client and the server by<br />
orders of magnitude through a pronounced reduction in client workload. Basically, the new<br />
attack clients do not perform any crypto at all—they just send pre-canned packets that look<br />
like an <strong>SSL</strong> handshake but are not.<br />
In his excellent analysis of handshake attacks, Vincent Bernat writes about these efficient<br />
attack tools:<br />
“With such a tool and a 2048 bit RSA certificate, a server is using 100 times more<br />
processing power than the client. Unfortunately, this means that most solutions,<br />
except rate limiting, exposed [in his analysis] may just be ineffective.”<br />
48
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
So far, these attacks have not been seen in the wild, but discussed in the academic and<br />
IETF community.<br />
<strong>F5</strong> recommended practices for mitigating no-crypto brute force attacks:<br />
• The ssl_hx_rlimit iRules script limits the number of connections from a single IP.<br />
Note that this iRules script could inadvertently block legitimate users originating from<br />
a so-called mega-proxy.<br />
• The sslsqueeze_rx iRules script will match and block the exact sslsqueeze<br />
signature. If an attacker ever changes the payload of the sslsqueeze tool, this iRules<br />
script will need to be modified to match the new payload.<br />
• Find more information in the DevCentral article called Mitigating No-Crypto Brute<br />
Force <strong>SSL</strong> Handshake Attacks.<br />
<strong>SSL</strong> floods<br />
Unlike the no-crypto attacks, DDoS attacks as a flood of open <strong>SSL</strong> connections have been<br />
seen in the wild. These attacks can be a challenge to mitigate for the <strong>SSL</strong> pass-through<br />
deployment scenario because many devices on the network are blind to the attack.<br />
The high-capacity <strong>SSL</strong> connection tables are largely resistant to <strong>SSL</strong> floods. A typical <strong>SSL</strong><br />
flood may involve only a few thousand to tens of thousands of empty <strong>SSL</strong> connections.<br />
However, even the smallest <strong>F5</strong> platform can absorb 500,000 <strong>SSL</strong> connections or more.<br />
<strong>F5</strong> recommended practices for mitigating <strong>SSL</strong> floods:<br />
• Using <strong>SSL</strong> session tickets can enable legitimate clients to benefit from the session<br />
cache during an <strong>SSL</strong> connection flood. See the previous section on <strong>SSL</strong> failover<br />
options.<br />
• In the unlikely event that the BIG-IP device’s connection table does become full,<br />
connections will be reaped according to the adaptive reaping low-water and highwater<br />
settings. These can be adjusted downward from the default values of 85 and<br />
95 to more quickly begin mitigating a “spiky” DDoS, thus reducing the initial attack<br />
window. Solution 15740 provides more detail on the workings of the adaptive reaper.<br />
(tmos)# modify ltm global-settings connection adaptive-reaper-lowater 75<br />
• If the connection flood consists primarily of empty connections, instruct the BIG-IP<br />
device to be more aggressive about reaping connections by modifying the TCP<br />
profile associated with the virtual server. During a heavy attack, use smaller and<br />
smaller values.<br />
49
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
(tmos)# create ltm profile tcp tcp_ddos { reset-on-timeout disabled idle-timeout<br />
15 }<br />
• The hardware-syn-cookie and zero-window-timeout values of the TCP profile may<br />
also be adjusted.<br />
Instrumentation: The <strong>SSL</strong> statistics panel<br />
The BIG-IP platform’s <strong>SSL</strong> statistics panel is a powerful tool that collates useful counters<br />
for protocol handshake types, key exchange types, and connection failures. To view it,<br />
click Statistics on the left pane, select Module Statistics, and then click Local Traffic. Under<br />
Statistics Type, select Profiles Summary and then Client <strong>SSL</strong>.<br />
Figure 16: The <strong>SSL</strong> statistics panel<br />
In the BIG-IP system version 12.0, the information collected and displayed for <strong>SSL</strong> includes<br />
all the fields from the following table:<br />
50
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
Statistic Category<br />
Certificates / Handshakes<br />
<strong>SSL</strong> Protocols<br />
Associated Counters<br />
Valid vs. invalid vs. no certificates<br />
Mid-connection handshakes. Secure vs. insecure<br />
handshakes.<br />
Insecure renegotiations rejected, SNI mismatches.<br />
<strong>SSL</strong>v2, <strong>SSL</strong>v3, TLSv1.0, TLSv1.1, TLSv1.2, DTLS<br />
Key Exchange Methods Anonymous Diffie-Helman (ADH), Diffie-Helman (DH) +<br />
RSA certificate, RSA certificate, elliptic curve Diffie-<br />
Helman (ECDH) with RSA certificate, ECDH with<br />
ECDSA certificate, DH + DSS certificate<br />
Ciphers<br />
Digest Methods<br />
<strong>SSL</strong> Hardware Acceleration<br />
Session Cache<br />
<strong>SSL</strong> Records<br />
Failures<br />
Session Tickets<br />
<strong>SSL</strong> Forward Proxy<br />
OCSP Stapling<br />
AES, AES-GCM, DES, RC2, RC4, no encryption<br />
MD5, SHA, none<br />
Full, partial, none (software)<br />
Size, hits, lookups, overflows, invalidations<br />
In, out, bad<br />
Premature disconnects, handshake failures,<br />
renegotiations rejected, fatal alerts<br />
Reused, reuse failures<br />
Connections, cached certificates, destination IP<br />
bypasses, source IP bypasses, hostname bypasses<br />
Connections, response status errors, response<br />
validation errors, certificate status errors, OCSP<br />
connection HTTP errors, OCSP connection timeouts,<br />
OCP connection failures<br />
The statistics panel can provide useful information about the aggregate statistics of all<br />
clientssl or serverssl connections. It can enable an administrator to see configuration issues<br />
by noticing a spike in connection errors or connections that shouldn’t have been made.<br />
Accessing <strong>SSL</strong> debugging information<br />
To debug individual connection errors, an administrator or certificate manager may need<br />
something more surgical than the instrument panel. The TMOS platform allows the<br />
administrator to turn on verbose instrumentation specifically for <strong>SSL</strong> connections. Select<br />
the System menu on the left panel, select Logs, and then select Configuration. Tune the<br />
<strong>SSL</strong> control to get more verbose log messages. The maximum setting is Debug, which will<br />
51
RECOMMENDED PRACTICES<br />
<strong>F5</strong> <strong>SSL</strong> <strong>Everywhere</strong><br />
log all messages associated with <strong>SSL</strong> connections, even those that are purely informational.<br />
Typically log message are sent to the file /var/log/ltm unless otherwise configured.<br />
Figure 17: Tuning the <strong>SSL</strong> logging level<br />
<strong>F5</strong> recommended practices for <strong>SSL</strong> instrumentation:<br />
• Use the <strong>SSL</strong> statistics panel to see a holistic and aggregate statistical view.<br />
• Change the <strong>SSL</strong> debug log setting to suit your needs. But note that <strong>SSL</strong> debug<br />
mode may have significant performance impacts. Endeavor not to enable it on<br />
production systems.<br />
• Give the certificate manager role access to logs.<br />
• Use remote logging when debugging production systems. This is critical.<br />
Conclusion<br />
<strong>SSL</strong> has been the standard for encrypting transactions for the past two decades. Like all<br />
technology, <strong>SSL</strong> has experienced significant changes throughout its life, and the pace<br />
of change is expected to continue. These changes to <strong>SSL</strong> covers vast areas, while their<br />
impact ranges from the annoying to the critical. Changes to ciphers alone include:<br />
• New ciphers.<br />
• New classes of ciphers, such as ECC.<br />
• New approaches to ciphers, such as forward secrecy.<br />
52
RECOMMENDED PRACTICES<br />
Advanced Threat Protection with FireEye and <strong>F5</strong><br />
<strong>SSL</strong> has become an attack surface that is particularly vulnerable to DDoS attacks taking<br />
advantage of the relatively large machine costs associated with hosting <strong>SSL</strong> server traffic.<br />
Administrators who wish to stay in front of changes, choosing proactive strategies instead<br />
of reactive tactics, need to remain aware of the most current options and trends.<br />
Those proactive administrators can follow <strong>F5</strong> recommended practices to not only stay in<br />
front of existing trends but be prepared for hitherto unforeseen changes and fundamental<br />
shifts. These recommendations enable an organization to be favorably aligned to the<br />
existing <strong>SSL</strong> landscape while gaining the nimbleness to meet new challenges. Following the<br />
recommended practices optimally positions the organization for future security, scalability,<br />
and reliability.<br />
<strong>F5</strong> Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 f5.com<br />
Americas<br />
info@f5.com<br />
Asia-Pacific<br />
apacinfo@f5.com<br />
Europe/Middle-East/Africa<br />
emeainfo@f5.com<br />
Japan K.K.<br />
f5j-info@f5.com<br />
©2015 <strong>F5</strong> Networks, Inc. All rights reserved. <strong>F5</strong>, <strong>F5</strong> Networks, and the <strong>F5</strong> logo are trademarks of <strong>F5</strong> Networks, Inc. in the U.S. and in certain other countries. Other <strong>F5</strong> trademarks are identified at f5.com.<br />
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by <strong>F5</strong>. 1015 RECP-SEC-66014525-ssl