F5 SSL Everywhere

Recommendations

Info

RECOMMENDED PRACTICES F5 SSL Everywhere Contents Introduction 3 About the acronyms SSL vs. TLS 4 Deployment Scenarios 4 Deployment scenario: Inbound enterprise applications 5 Deployment scenario: Inbound retail data center 5 Deployment scenario: Inbound SSL pass-through 6 Deployment scenario: Outbound SSL visibility 6 A recommended security posture 6 Fine-Tuning Data Protection 8 A primer on SSL cipher strings 8 Transformational services 13 Client certificates 19 SSL failover options 22 Cipher agility 25 Key Management 28 Certificate expiration notification 29 Use the certificate manager role 30 Key protection 31 Revocation verification 34 Visibility and Control 42 SSL and the OWASP Top Ten 42 SSL outbound visibility 43 Mitigating brute force attacks 47 Instrumentation: The SSL statistics panel 50 Conclusion 52 2
RECOMMENDED PRACTICES F5 SSL Everywhere Introduction The cryptographic protocol historically known as the Secure Sockets Layer (SSL) and now known as Transport Layer Security (TLS) is quickly becoming the de facto protocol for all important, and even casual, electronic communication today. Only a decade ago, SSL was reserved only for financial institutions and the login pages of the security conscious. Today SSL is ubiquitous. Even the world’s most popular video sites use SSL for streaming. Although SSL can be an everywhere, all-the-time security protocol, it is not always easy to deploy correctly, or without challenges, into an architecture. For example, SSL offers protection for data in transit, not at rest. It offers forward secrecy, but usually at the cost of monitoring or diagnostic utilities. SSL also faces numerous attacks, despite being constantly improved and monitored by the Internet Engineering Task Force (IETF). Finally, implementation issues such as the OpenSSL group’s Heartbleed incident remind the world that cryptography is difficult—even for cryptographers. The F5 ® SSL Everywhere reference architecture aggregates the set of common solutions for securing data in transit from users to applications, between enterprise services, and from corporate users to the Internet. The key to the reference architecture is the custombuilt SSL software stack that is part of every F5 BIG-IP ® Local Traffic Manager (LTM) deployment. This recommended practices document, which is based on the SSL Everywhere reference architecture, can guide architects and administrators through strategic deployments of SSL and serve later as a quick reference for specific concerns. It includes: • Common deployment scenarios. • Advanced key management recommendations. • Tips for fine-tuning data protection. • Suggestions for enhancing visibility and control. • Dozens of technical tips and recommended practices for maximizing security posture (and value). These may include example F5 TMOS ® shell (TMSH) commands such as: (tmos)# modify ltm profile http2 http2-ni enforce-tls-requirements disabled Basic familiarity with SSL, server administration, and BIG-IP platform administration is assumed. The recommended practices apply to the BIG-IP family of products, with version 12.0.0 of the BIG-IP platform providing the baseline for referenced features and configurations unless otherwise noted. 3
Page 1: RECOMMENDED PRACTICES F5 SSL Everyw
Page 5 and 6: RECOMMENDED PRACTICES F5 SSL Everyw
Page 53:
RECOMMENDED PRACTICES Advanced Thre
show all

F5 SSL Everywhere

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?