SSL Orchestrator Use Case: Secure Web Gateway (SWG) "as a Service"
In this blog
Secure Web Gateway (SWG) protects users from web-based threats in addition to applying and enforcing corporate acceptable use policies. Instead of connecting directly to a website, a user accesses the SWG, which is then responsible for connecting the user to the desired website and performing functions such as URL filtering, web visibility, malicious content inspection, web access controls and other security measures.
Typical SWG features include:
- User authentication
- Enforcement of an Acceptable Use Policy (AUP)
- Website category database (google.com = Search Engines)
- Logging and Reporting
SSL Orchestrator has support for running Secure Web Gateway (SWG) "as a Service" inside the Service Chain. This allows you to take an existing F5 SWG solution and migrate or move it to the same BIG-IP as SSL Orchestrator.
A typical SWG deployment will have a Per-Session Policy that handles authentication. Then a Per-Request Policy that enforces the AUP.
A Secure Web Gateway (SWG) deployment identifies the user before allowing access to the internet. All requests and responses from the user are inspected. SSL Orchestrator Forward proxy authentication is used to authenticate the user. To learn more about user authentication you could refer to the article.
Enforcement of an Acceptable Use Policy (AUP)
A Per-Request Policy is used to enforce the AUP. You can find this from the Configuration Utility under Access > Profiles / Policies > Per-Request Policies. Click Edit for the Per-Session Policy and a new window like this should open:
This policy does a Protocol Lookup to determine if the content is HTTP, then performs a Category Lookup based on the host header in the URI. Response Analytics will check for malicious content and pass that information on to the URL Lookup Agent. The Category is compared to the URL Filter which maps URL categories to Allow/Deny Actions. As a final result the request is either Allowed or Denied (Reject).
Note: In a per-request SWG policy you would typically have a Protocol Lookup for HTTP and HTTPS. But in this case the SSL Orchestrator will perform SSL decryption so the SWG Service will receive plain-text, HTTP content. Therefore, this SWG policy is ready to be used with SSL Orchestrator.
Website category database (google.com = Search Engines)
The URL Filter is configured from Access > Secure Web Gateway > URL Filters.
Select CorporateURLFilter in this example.
This opens the Category editor. Different Categories and sub-categories are available to make Allow or Deny decisions. In this example the Games and Shopping categories have been set to Deny.
Logging and reporting
User activity is logged and a dashboard with statistical information about traffic logged by the BIG-IP system for SWG. Graphs, such as Top URLs by Request Count and Top Categories by Blocked Request Count, summarize activities over time and provide access to underlying statistics.
The SWG Per-Request Policy is easy to export from one BIG-IP to another. From the Configuration Utility select Access > Profiles / Policy > Per-Request Policies.
Click Export then OK to save the policy.
The policy file can be directly imported into another BIG-IP device. On the Per-Request Policies screen click Import.
Give the Policy a name, click Browse to select the policy file then Import.
This policy is ready for SSL Orchestrator to use with SWGaaS. You can click Edit to verify the policy is correct.
From the SSL Orchestrator Configuration page select Services then click Add.
F5 Secure Web Gateway is available on the F5 tab. Double-click the icon to configure.
Give it a name. Set the Access Profile Scope to Profile. Set the Per Request Policy to the policy imported previously. Click Save and Next.
Add the newly created SWGaaS to an existing Service Chain or create a new one.
Select the F5_SWG Service on the left and click the right arrow to move it to the Selected column. Click Save.
Save & Next.
Note: be sure that a Security Policy has the Service Chain applied. Go to a client computer and test access to various web sites. News sites are allowed but Shopping is set to Block so sites like amazon.com and walmart.com should be blocked.
Details from espn.com. The padlock indicates the connection is encrypted. The Issued By field indicates that this was intercepted & signed by SSL Orchestrator.
Any attempts to visit a site categorized as Shopping or Games will be blocked.
The configuration is now complete.
SWG as a service provides a lot of security to traffic and has various other benefits like URL filtering, application control, Data loss prevention etc. SWG can be configured on the same BIG-IP device an SSL is configured and can be used as a service with subscription. To know more about Secure Web Gateway and Features refer to the articles below.
Secure Web Gateway Articles:
F5 deployment basic articles:
F5 SSLO Deployment articles: