
ATC Lab Services Tests F5 SSLO in ATC

In the Advanced Technology Center (ATC), we were asked to help one of our strategic partners, F5, test integration with their SSL Orchestrator (SSLO). We designed and built a Proof of Concept (POC) at the ATC that integrated F5 SSL Orchestrator with Cisco Firepower, Palo Alto, FireEye, and Blue Coat security devices. The SSLO was deployed with a layer-2 architecture. Part of the testing process involved Ixia traffic generation with a target throughput range of 10-20 Gbps. If you would like to read more about our testing, please continue to the ATC Insight section.


ATC Insight

The Need

F5 specifically needed to test, demonstrate, and showcase SSL Orchestrator with other vendors integrated into a configured service chain. To meet that need quickly, F5 used the ATC Lab Services team in the Advanced Technology Center (ATC) to integrate several vendor solutions, including Palo Alto, Blue Coat, FireEye, and Cisco Firepower. The documentation section of this ATC Insight contains a demo video (15 minutes) from our Proof of Concept (POC) environment that shows how F5 SSLO removes and adds objects in the service chain when a loss of connectivity is detected.

What does F5 SSLO do?

WWT's Advanced Technology Center (ATC) has a strong partnership with F5. This ATC Insight covers how F5 is affecting the market by dynamically orchestrating security infrastructure. Dynamic orchestration is needed when an organization has to seamlessly move traffic from one active security solution to another, and then change or update the first security solution. This process is performed without interrupting traffic flow or allowing encrypted traffic to bypass without a security check. When swapping out a security solution, there may be a need to bypass that solution entirely. When updating a security solution, customers may only want to bypass the solution temporarily, without interrupting traffic flow, traffic decryption, and inspection for the rest of the solutions in their security stack. Customers may also want to direct traffic streams to new security solutions in a dynamic service chain to try them out.

F5's SSL Orchestrator simplifies many security solution changes while reducing time, cost, and impact. It also alleviates potential traffic bypass and potential exploitation. By orchestrating the security stack, customers can streamline and minimize the often time-consuming and inefficient security change-management process, reducing the risk of time-consuming negative consequences.

Key Features of F5 Dynamic Orchestration: (From Link)

  • Orchestrates the security stack
    • Shortens time-consuming security change management processes, simplifying equipment changes and mitigating any detrimental impacts.
  • Routes traffic based on context and policy
    • Contextual classification engine increases administrative efficacy by utilizing security resources more efficiently
  • Scales security services
    • Scaling existing or new security services with high-availability and failover protection, achieving enhanced utilization and service availability, even during security stack changes
  • Dynamic service chaining
    • Creates dynamic, logical security service chains based on the type of incoming traffic leveraging existing security solutions.
  • Intelligent traffic bypass
    • Efficiently addresses layer 2 and layer 3 security service insertions

Demo Information

The Demo of the Dynamically Orchestrating Security Infrastructure was conducted by Sandeep Kalidini, a Network Engineer working in WWT's Infrastructure Services organization. 

Timestamps and Video Screen captures

  • 0:11 Changes in security stack
    • Any and all changes in security stack are costly.
  • 0:24 How F5 can help simplify security stack change management
    • efficiently uses existing resources
    • speeds up deployment time
    • mitigates unintentional traffic
    • transfers traffic from one solution to the other without interruption
  • 0:44
    • SSLO Architecture is configured
    • multiple security servers
    • Cisco N3K for routing and switching
    • multiple security solutions deployed
      • Advanced WAF and AFM
      • Third Party: FireEye, Palo Alto, WSA (for proxies), Firepower
  • 1:15
    • VMware: Windows Servers, CentOS, Ixia Client
      • used to support and test the connectivity and production of the design
    • SSLO Details
      • SSLO 1 and 2 are standalone devices (recorded as not SSLOs)
      • SSLO 3 and 4 are active-standby devices
  • 1:38 Select Topology
  • 1:48 Configuration menu
  • 1:52 Topology Properties and SSL Orchestrator
  • 2:34 Service List
  • 3:02 Initial Service Chain
  • 3:31 Security Policy
  • 4:18 Interception Rule and Ingress Network Setting
    • specify source and destination addresses
    • specify VLAN and configure VLAN
  • 4:47 Log Settings
    • Log settings were not used within this demo
  • 5:21 Service Chain Properties
    • alter service chain to not let traffic flow through Palo Alto
  • 7:06 Palo Alto removed
  • 9:52 Palo Alto reconfigured to be added back in the Service Chain as a Service
  • 12:00 Sample test result to see traffic running
  • 13:49 F5 Dashboard Showcase of traffic and connections
  • 15:02 Palo Alto Traffic is flowing properly
  • 15:15 Ixia Server View of data traffic
    • traffic is flowing from Palo Alto and SSLO
    • Palo Alto is blocking traffic to the client end due to IP reaching out to other IPs being blocked

Final Impressions and Summary

Connectivity was established successfully between the client and the server. The traffic flowed properly through the Palo Alto firewalls and the SSLO. Based on this demo and the findings from our integrated testing in the ATC, F5's solution made the network more secure. The demo findings were a great benchmark to demonstrate how F5's solution can perform in a production environment. 


Documentation

Resources:

  • To learn more about Dynamic Orchestration of Security Services
    • F5 SSL Orchestrator Homepage (Link)
    • Solution Brief (Link)
    • Technical Overview and Configuration Articles (Link)
  • To learn more about Guided Configuration of SSL Orchestrator on F5 BIG-IP
    • Guided Configuration (Link)
  • To learn more about configuration of F5 security services with SSL Orchestrator
    • F5 Advanced Firewall Manager (Link)
    • F5 Advanced Web Application Firewall (Link)
  • To learn more about configuration of 3rd party security services with SSL Orchestrator
  • If you want to bring automation to your SSLO environment, here is a tool in your toolbelt that you can leverage.