F5 SSL Everywhere

Recommendations

Info

RECOMMENDED PRACTICES F5 SSL Everywhere About the acronyms SSL vs. TLS Vagueness is anathema to engineers. As a result, many engineers refer to modern web encryption as TLS and consider the acronym SSL obsolete. But the fact is that SSL has become shorthand for “a secure connection” even in casual conversation between security professionals and the same security engineers who dislike seeing SSL in print. So for the purposes of brevity and search engine optimization, this document uses the acronym SSL to refer to the collection of encryption protocols that encompass SSLv2, SSLv3, TLSv1, TLSv1.1, and TLSv1.2, except where it is important to specify a particular version. When SSL is used as an adjective (for example, SSL VPN), it should be understood that the subject encompasses the current, accepted protocols for transport layer security. SSLv3 is rapidly being phased out, with SSLv2 long dead. Even TLSv1.0 is discouraged today, and only TLSv1.1/1.2 should be used whenever possible. Perhaps, in time, the language will catch up to reality and TLS will be used in the same way SSL is commonly used today. Deployment Scenarios For many organizations today, the main use case for SSL is securing data from customers and employees on the Internet to data center applications through an Application Delivery Controller (ADC). While the data center deployment is among the most mature of encrypted data center technologies, it’s not without innovation (and renovation). The deployment scenarios that follow include advanced SSL strategies such as HTTP Strict Transport Security (HSTS) and Online Certificate Status Protocol (OCSP) stapling. The recommended practices introduce how these technologies can be leveraged in inbound data center deployments for outbound visibility. 4
RECOMMENDED PRACTICES F5 SSL Everywhere REFERENCE ARCHITECTURE: SSL Everywhere CONTENT TYPE: Product Map AUDIENCE: Security Architect CUSTOMER SCENARIO: SSL Everywhere (Inbound) DMZ Web Application Firewall NG-IPS Passive Monitor, IDS, Customer Experience Solutions Remote Users User Internet Network Firewall SSL Termination and Inspection + Cipher Agility + SSL Transformation + Intelligent Traffic Management + SSL Re-Encryption Network Firewall Web/Application Servers BIG-IP Platform Customer Scenarios Data Protection Visibility and Control Key Management HSM SSL Crypto-Offload + SSL Termination and Inspection + SSL Re-Encryption + SSL Transformation BIG-IP Local Traffic Manager Simplified Business Models GOOD BETTER BEST BIG-IP Platform Figure 1: Common deployment scenarios for SSL Deployment scenario: Inbound enterprise applications One of the primary deployment scenarios for SSL is to protect a suite of enterprise applications, from Microsoft Sharepoint and Exchange to a LAMP-based CGI application. A typical administrator for this deployment scenario is likely a network operations team member. In a larger organization there will be a security team, a security architect, an auditor, and sometimes even a separate certificate management team. Enterprise administrators will use an ADC to perform SSL bridging, which is the act of decrypting incoming connections, performing an action (such as a load-balancing pick or persistence), and then re-encrypting the connection to a server within the enterprise. Flexibility, extensibility, security, and visibility take precedence over availability for many of these administrators. Deployment scenario: Inbound retail data center One of the most demanding scenarios for an ADC is the retail website. Even more demanding can be deployment for a hosting company dealing with multiple retail sites. 5
Page 1 and 2: RECOMMENDED PRACTICES F5 SSL Everyw
Page 3: RECOMMENDED PRACTICES F5 SSL Everyw
Page 53: RECOMMENDED PRACTICES Advanced Thre

F5 SSL Everywhere

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?