f5 tls & ssl practices

SSL/TLS Trends, Practices, and Futures Brian A. McHenry, Security Solutions Architect [email protected] @bamchenry

© F5 Networks, Inc. 2

1.  Global SSL Encryption Trends and Drivers

2.  A Few “Best” Practices

3.  Solutions

4.  What’s Next?

Agenda


•  Worldwide spending on information security will reach $71.1 billion in 2014

•  Data loss prevention segment recording the fastest growth at 18.9 percent,

•  By 2015, roughly 10% of overall IT security enterprise product capabilities will be delivered in the cloud

•  Regulatory pressure will increase in Western Europe and Asia/Pacific from 2014

Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014


IoE E-Commerce Privacy Mobility

Snowden

Trajectory and Growth of Encryption

Customer Trends:

•  PFS/ECC Demanded

•  SSL Labs Application Scoring

Emerging Standards:

•  TLS 1.3, HTTP 2.0/SPDY

•  RSA -> ECC

Thought Leaders and Influence:

•  Google: SHA2, SPDY, Search Ranking by Encryption

•  Microsoft: PFS Mandated

MARKET AMPLIFIERS

SSL growing ~30% annually. Entering the Fifth wave of transition (IoE)

0.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

1998 2002 2006 2010 2014 Source: Netcraft

Mill

ions

of C

ertif

icat

es (C

A)

Years


Timeline of SSL Vulnerabilities & Attacks

February 2010

September 2011

February 2013

March 2013

March 2013 … April

2014

RC4 Attacks Weakness in CBC cipher making plaintext guessing possible

BEAST & CRIME Client-side or MITB attacks leveraging a chosen-plaintext flaw in TLS 1.0 and TLS compression flaws

RFC 5746 TLS extension for secure renegotiation quickly mainstreamed

Lucky 13 Another timing attack.

August 2009

August 2009 Insecure renegotiation vulnerability exposes all SSL stacks to DoS attack

TIME A refinement and variation of CRIME

Heartbleed The end of the Internet as we know it!


SSL Intelligence and Visibility (Full Proxy)

Enterprise key & Certificate Management

Advance HSM Support: •  Highest Performing HSM

options •  Virtualized low-bandwidth

options •  Market Leading HSM

Vendor Support

Market Leading Encryption: •  Optimized SSL in

Hardware and Software •  Cipher Diversity (RSA,

ECC, DSA) •  SSL Visibility: Proxy SSL

& Forward Proxy •  SSL Traffic Intelligence:

•  HSTS, HTTP 2.0/SPDY, OCSP Stapling, TLS Server Session Ticket

Fully Automated Key and Certificate Management: •  For all BIG-IP platforms •  For all vendor platforms •  3rd Party Integration for

best-in-class key encryption: Venafi, Symantec/ VeriSign

•  PKI Supported Environments

The Three Pillars of SSL Everywhere

Hardware Security Modules


Data Protection: Microsoft and Google Expands Encryption


Not all curves are considered equal Different Authorities: •  US NIST (US National Institute of Standards)

with 186-2 (recently superseded in 2009 by the new186-3) •  US ANSI (American National Standard Institute) with X9.62 •  US NSA (National Security Agency)

Suite-B Cryptography for TOP SECRET information exchange •  International SACG (Standards for efficient cryptography

group) with Recommended Elliptic Curve Domain Parameters •  German ECC Brainpool withECC Brainpool with their

Strict Security Requirements •  ECC Interoperability Forum composed by Certicom, Microsoft,

Redhat, Sun, NSA

If You Thought Encryption was confusing… ECC, PFS and Curves


Not all curves are considered equal Different Names: •  Secp256r1, Prime256v1, NIST

P-256 Different Kinds of Curves: •  ECC over Prime Field (Elliptic

Curve) •  ECC over Binary Field (Koblitz

Curve) Other Curves: •  Curve25519 (Google) •  Mumford (Microsoft) •  Brainpool

If You Thought Encryption was confusing… ECC, PFS and Curves

Some SSL Best Practices


•  Google has begun adjusting page rank based on SSL implementations

•  F5 customers have third-party/B2B requirements for strong encryption

•  SSL Labs’ Pulse tool has made testing easy

•  Users and businesses are choosing services based on Pulse grades

SSL: Not Just for Security


•  Set the option for Secure Renegotiation to “Require”

•  Disable SSLv2 and SSLv3 (DEFAULT in 11.5+)

•  Use an explicit, strong cipher string, such as: •  NATIVE:!SSLv2:!EXPORT:ECDHE+AES-GCM:ECDHE+AES:ECDHE

+3DES:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AES-GCM:RSA+AES:RSA+3DES:-MD5:-SSLv3:-RC4

•  Prefer Perfect Forward Secrecy (PFS) •  Done via prioritizing Ephemeral (DHE, ECDHE) ciphers in the string above

•  Enable TLS_FALLBACK_SCSV extension

•  Enable HTTP Strict Transport Security (HSTS) •  iRule in pre-Badger versions of TMOS •  Integrated into HTTP profile in next release

Achieving A+ Grades on SSLLabs.com


HTTP Strict Transport Security iRule

when HTTP_RESPONSE {

HTTP::header insert Strict-Transport-Security "max-age=[expr {$static::expires - [clock seconds]}]; includeSubDomains”

}


If I sound smart about crypto…


SSL Feature Availability

Feature TMOS TLS 1.2 10.2.3 ECC 11.5.0 PFS 11.4.0 SHA256 (SHA2) 10.2.3 SPDY 11.2.0 HTTP 2.0* 11.6.0 HSTS iRules/12.0

Feature TMOS Secure Renegotiation (RFC 5746)

10.2.3

TLS_FALLBACK_SCSV 11.5.0

Network HSM 11.2.1

Onboard HSM Y

SNI 11.1.0

Hybrid Certificates (ECC & RSA)*

11.5.0

A Peek Under the Hood


Network

Session

Application

Web application

Physical

Client / Server

L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation

SSL inspection and SSL DDoS mitigation

HTTP proxy, HTTP DDoS and application security

Application health monitoring and performance anomaly detection

Network

Session

Application

Web application

Physical

Client / Server

Full Proxy Security

Proxy SSL (Visibility)

ASM

SSL Forward Proxy (Visibility)

SWG


PFS, ECC and SSL Visibility Supported Key Exchange Un-Supported

Key Exchange SSL Offload (Classic)

Full Support None

SSL Forward Proxy

Client Side RSA ECDHE-RSA EDH-RSA

Server Side Full Support

ECDHE-ECDSA ECDH-ECDSA EDHE-DSS

Proxy SSL (Split/Passive SSL)

RSA ECDHE-RSA ECDH-ECDSA ECDH-ECDSA EDH-RSA DHE-DSS


Proxy Chain

HUD chains are a series of filters which implement the configuration. The HUD chain is divided into two halves, client and server side. Filters on HUD chains usually are arranged as client/server pairs. The two halves are joined by the “proxy”.

Data Center

BIG-IP Platform

Clients

T C P

S S L

H T T P

P R O X Y

H T T P

S S L

T C P

•  App “point of delivery & definition”

•  App Intelligence - layer 3- 7 visibility

•  Distinct client / server control

•  Unified services / context

•  Interoperability and gateway functions

Intelligent Full Proxy Benefits

BIG-IP Architecture – Proxy Chain


Proxy Chain

Each SSL filter handles connection to device on their side of the proxy. Normally, the two SSL filters operate completely independently. Between the two filters, all data is available unencrypted. To fully offload the backend server, remove the server side SSL filter.

Data Center

BIG-IP Platform

Clients

T C P

S S L

H T T P

P R O X Y

H T T P

S S L

T C P

•  App “point of delivery & definition”

•  App Intelligence - layer 3- 7 visibility

•  Distinct client / server control

•  Unified services / context

•  Interoperability and gateway functions


BIG-IP Architecture – SSL Termination


Data Center

Proxy Chain

Proxy SSL allows the client certificate to be presented to the server. Intermediary filters are disabled. SSL filters operate in monitor mode during the handshake. Post-handshake, SSL enables decryption and other filters.

BIG-IP Platform

Clients

T C P

S S L

H T T P

P R O X Y

H T T P

S S L

T C P

•  Allows server to perform client cert auth •  L7 content inspection after handshake •  Certificate transparent to end user


BIG-IP Architecture – Proxy SSL


Proxy Chain

Forward SSL is used in Forward Proxy deployments. “Just in time” certificate creation is used to decrypt SSL connections. Enables policy based inspection of secure content. Requires the ability to create trusted certificates to work.

Data Center

BIG-IP Platform

Clients

T C P

S S L

H T T P

P R O X Y

H T T P

S S L

T C P

•  Inspect secure traffic at network edge •  Transparent to the end user •  Policy based bypass by:

•  Source IP Address •  Destination IP Address •  Host Name (SAN,CN,SNI)

Forward SSL Proxy Benefits

BIG-IP Architecture – Forward SSL

What’s Next?


•  RFC 6797

•  HSTS is enabled by the “Strict-Transport-Security” HTTP header e.g.: Strict-Transport-Security: max-age=10886400; includeSubDomains; preload

•  When received, browsers will: •  Automatically convert HTTP references to HTTPS references •  Disallow certificate exemptions (self-signed, etc.) •  Cache HSTS information and reuse stored values for new sessions

New Feature: HTTP Strict Transport Security

AVAILABLE IN 12.0


HTTP Strict Transport Security Configuration

HTTP Profile Screen


A Quick Primer on Certificate Revocation •  If a SSL certificate is stolen or compromised, sites need a way to revoke the

certificate so it will no longer be trusted. Revocation is handled by either CRL or OCSP.

•  CRL: Certificate Revocation List •  The browser retrieves the list of all revoked certificates from the CA. •  The browser then parses the whole list looking for the certificate in question.

•  OCSP: Online Certificate Status Protocol •  The browser sends the certificate to the CA for validation. •  The CA responds that the certificate is good, revoked, or unknown.

•  OCSP is more efficient than CRL, but there’s room for improvement!

New Feature: OCSP Stapling

AVAILABLE IN 11.6


•  OCSP and CRL checks add significant overhead: • DNS (1334ms) • TCP handshake (240ms) • SSL handshake (376ms) • Follow certificate chain (1011ms) • DNS to CA (300ms) • TCP to CA (407ms) • OCSP to CA #1 (598ms) • TCP to CA #2 (317ms) • OCSP to CA #2 (444ms) • Finish SSL handshake (1270ms) < T O TA L : 6 . 3 S e c o n d s >

•  Add up the time for each step and you'll see that over 30% of the SSL overhead comes from checking whether the certificate has been revoked.

•  These checks are serial and block downloads.

OCSP & CRL Checks Hurt Performance

This portion is revocation check overhead.


•  OCSP Stapling allows the server to attach CA signed information regarding the certificates validity.

•  Processing with OCSP enabled: • DNS (1334ms) • TCP handshake (240ms) • SSL handshake (376ms) • Follow certificate chain (1011ms) • Process OCSP Data (10ms) • Finish SSL handshake (1270ms) < T O TA L : 4 . 2 S e c o n d s > O C S P S t a p l i n g a l s o e l i m i n a t e s c o m m u n i c a t i o n w i t h a t h i r d p a r t y d u r i n g c e r t i f i c a t e v a l i d a t i o n . T h i s m a y b e c o n s i d e r e d b e t t e r s e c u r i t y s i n c e i t p r e v e n t s i n f o r m a t i o n l e a k a g e .

OCSP Stapling to the Rescue


OCSP Stapling Configuration

Profile Location Assignment to Client SSL Profile


OCSP Stapling Configuration

Changes to ‘Proxy Pool’ when ‘Use Proxy Server’ is enabled


•  SSL termination and inspection from BIG-IP® Local Traffic Manager™ (LTM)

•  Hybrid cipher support for ECC and RSA ciphers

•  SSL crypto-offload for additional SSL capacity

•  Integration with network HSMs from SafeNet and Thales for key management

SSL Everywhere RA – Bringing it all Together


SSL Everywhere

f5 tls & ssl practices

Technology

f5 networks

ssl intelligence

optimized ssl

ssl stacks

pillars of ssl

global ssl encryption

dsa ssl visibility

encryption microsoft