F5 SSL Everywhere Recommended Practices

Transcription

F5 SSL Everywhere Recommended Practices
RECOMMENDED PRACTICES
F5 SSL Everywhere
David Holmes
Principal Technical Marketing Manager
Marty Scholes
Marketing Solutions Architect
RECOMMENDED PRACTICES
F5 SSL Everywhere
Contents
Introduction3
About the acronyms SSL vs. TLS
Deployment Scenarios
4
4
Deployment scenario: Inbound enterprise applications
5
Deployment scenario: Inbound retail data center
5
Deployment scenario: Inbound SSL pass-through 6
Deployment scenario: Outbound SSL visibility
6
A recommended security posture 6
Fine-Tuning Data Protection
8
A primer on SSL cipher strings
8
Transformational services
13
Client certificates
19
SSL failover options
22
Cipher agility
25
Key Management
28
Certificate expiration notification
29
Use the certificate manager role
30
Key protection
31
Revocation verification
34
Visibility and Control
42
SSL and the OWASP Top Ten 42
SSL outbound visibility
43
Mitigating brute force attacks
47
Instrumentation: The SSL statistics panel
50
Conclusion52
2
RECOMMENDED PRACTICES
F5 SSL Everywhere
Introduction
The cryptographic protocol historically known as the Secure Sockets Layer (SSL) and now
known as Transport Layer Security (TLS) is quickly becoming the de facto protocol for all
important, and even casual, electronic communication today. Only a decade ago, SSL was
reserved only for financial institutions and the login pages of the security conscious. Today
SSL is ubiquitous. Even the world’s most popular video sites use SSL for streaming.
Although SSL can be an everywhere, all-the-time security protocol, it is not always easy
to deploy correctly, or without challenges, into an architecture. For example, SSL offers
protection for data in transit, not at rest. It offers forward secrecy, but usually at the cost
of monitoring or diagnostic utilities. SSL also faces numerous attacks, despite being
constantly improved and monitored by the Internet Engineering Task Force (IETF). Finally,
implementation issues such as the OpenSSL group’s Heartbleed incident remind the world
that cryptography is difficult—even for cryptographers.
The F5® SSL Everywhere™ reference architecture aggregates the set of common solutions
for securing data in transit from users to applications, between enterprise services, and
from corporate users to the Internet. The key to the reference architecture is the custombuilt SSL software stack that is part of every F5 BIG-IP® Local Traffic Manager™ (LTM)
deployment.
This recommended practices document, which is based on the SSL Everywhere reference
architecture, can guide architects and administrators through strategic deployments of SSL
and serve later as a quick reference for specific concerns. It includes:
• Common deployment scenarios.
• Advanced key management recommendations.
• Tips for fine-tuning data protection.
• Suggestions for enhancing visibility and control.
• Dozens of technical tips and recommended practices for maximizing security
posture (and value). These may include example F5 TMOS® shell (TMSH) commands
such as:
(tmos)# modify ltm profile http2 http2-ni enforce-tls-requirements disabled
Basic familiarity with SSL, server administration, and BIG-IP platform administration is
assumed. The recommended practices apply to the BIG-IP family of products, with
version 12.0.0 of the BIG-IP platform providing the baseline for referenced features and
configurations unless otherwise noted.
3
RECOMMENDED PRACTICES
F5 SSL Everywhere
About the acronyms SSL vs. TLS
Vagueness is anathema to engineers. As a result, many engineers refer to modern web
encryption as TLS and consider the acronym SSL obsolete. But the fact is that SSL has
become shorthand for “a secure connection” even in casual conversation between security
professionals and the same security engineers who dislike seeing SSL in print. So for the
purposes of brevity and search engine optimization, this document uses the acronym SSL
to refer to the collection of encryption protocols that encompass SSLv2, SSLv3, TLSv1,
TLSv1.1, and TLSv1.2, except where it is important to specify a particular version. When SSL
is used as an adjective (for example, SSL VPN), it should be understood that the subject
encompasses the current, accepted protocols for transport layer security.
SSLv3 is rapidly being phased out, with SSLv2 long dead. Even TLSv1.0 is discouraged
today, and only TLSv1.1/1.2 should be used whenever possible. Perhaps, in time, the
language will catch up to reality and TLS will be used in the same way SSL is commonly
used today.
Deployment Scenarios
For many organizations today, the main use case for SSL is securing data from customers
and employees on the Internet to data center applications through an Application Delivery
Controller (ADC). While the data center deployment is among the most mature of encrypted
data center technologies, it’s not without innovation (and renovation). The deployment
scenarios that follow include advanced SSL strategies such as HTTP Strict Transport
Security (HSTS) and Online Certificate Status Protocol (OCSP) stapling. The recommended
practices introduce how these technologies can be leveraged in inbound data center
deployments for outbound visibility.
4
RECOMMENDED PRACTICES
F5 SSL Everywhere
REFERENCE ARCHITECTURE: SSL Everywhere
CONTENT TYPE: Product Map
AUDIENCE: Security Architect
CUSTOMER SCENARIO: SSL Everywhere (Inbound)
DMZ
Web Application Firewall
NG-IPS
Passive Monitor, IDS,
Customer Experience Solutions
Remote Users
User
SSL Termination and Inspection
+ Cipher Agility + SSL Transformation
+ Intelligent Traffic Management
+ SSL Re-Encryption
Internet
Network
Firewall
Network
Firewall
Web/Application
Servers
BIG-IP Platform
Customer Scenarios
Data Protection
Visibility and Control
Key Management
HSM
SSL Crypto-Offload
+ SSL Termination and Inspection
+ SSL Re-Encryption
+ SSL Transformation
BIG-IP Local Traffic Manager
Simplified Business Models
GOOD
BETTER
BEST
BIG-IP Platform
Figure 1: Common deployment scenarios for SSL
Deployment scenario: Inbound enterprise applications
One of the primary deployment scenarios for SSL is to protect a suite of enterprise
applications, from Microsoft Sharepoint and Exchange to a LAMP-based CGI application.
A typical administrator for this deployment scenario is likely a network operations team
member. In a larger organization there will be a security team, a security architect, an
auditor, and sometimes even a separate certificate management team. Enterprise
administrators will use an ADC to perform SSL bridging, which is the act of decrypting
incoming connections, performing an action (such as a load-balancing pick or persistence),
and then re-encrypting the connection to a server within the enterprise. Flexibility,
extensibility, security, and visibility take precedence over availability for many of these
administrators.
Deployment scenario: Inbound retail data center
One of the most demanding scenarios for an ADC is the retail website. Even more
demanding can be deployment for a hosting company dealing with multiple retail sites.
5
RECOMMENDED PRACTICES
F5 SSL Everywhere
A hosting company that sports many very popular websites can have millions of connections
flowing through the ADC at any minute, and hundreds to thousands of new SSL connections
per second. For these customers, availability and compatibility are the most important
characteristics of their deployments. They are also concerned with compliance to standards
such as the Payment Card Industry Data Security Standard (PCI DSS). For retail customers,
the ADC is often performing SSL termination, meaning that it is decrypting incoming
connections and transitioning (proxying) the payloads to servers further into the data center.
Deployment scenario: Inbound SSL pass-through
The majority of F5 customers use BIG-IP devices for application delivery services that
include SSL. A significant number of customers use the BIG-IP platform for L4 load
balancing and traffic steering. These customers include service providers running tens of
millions of connections through single tiers of F5 ADC devices. These devices will be aware
of SSL connections but won’t be actually terminating or even inspecting those connections.
They can still provide a measure of control over the SSL flows. The term for this kind of flow
control is called SSL pass-through—the SSL traffic is passing through the ADC instead of
being terminated or bridged at the ADC.
Deployment scenario: Outbound SSL visibility
One of the most significant new applications of SSL decryption is used in a scenario that
has various names, such as SSL “air gap” or SSL interception. The problem it solves is
simple in concept: Users inside a corporate headquarters are one of the most high-profile
risks when they react to unsolicited email or browse the Internet. A targeted “spear phishing”
campaign can snare a user into clicking a link that will pull malware from the Internet
through an SSL connection. There are security solutions that scan for malware, but many of
them are unable to scale to automatically and transparently decrypt SSL connections. The
outbound SSL visibility scenario supports these security solutions. F5 devices sandwich
these security solution devices to provide decryption and re-encryption services.
A recommended security posture
The definitive resource for evaluating a web site’s SSL security posture (and comparing it
to others) is the Qualys SSL Labs report. An administrator can connect to the test site and
enter his web address, and the report will provide an elementary alphabetical grade. While
some think that a single letter is oversimplifying many complicated ideas, the SSL Labs
scanner grade is, at least, an objective, and there is no denying that SSL Labs is the most
visible project grading SSL deployments and rating SSL security postures today.
6
RECOMMENDED PRACTICES
F5 SSL Everywhere
To check a web address against the SSL Labs report, visit this address and enter the site’s
URL.
Figure 2: A simple SSL Labs security posture report
Achieving an A+ grade is a non-trivial task; however, it can be done in an afternoon (even in
less than an hour) when starting from the right point. Currently, to achieve an A+ rating with
SSL labs, a user must follow these recommendations; otherwise the site would receive the
following grade in brackets.
• Disable SSLv3 [B] & RC4 [B/C]
• Replace any SHA1 Certs [A] and sub-2k Certs [C]
• Enable TLS_FALLBACK_SCSV [A]
• Enable HTTP Strict Transport [A]
• Enable and Prefer Perfect Forward Secrecy Compatible Ciphers [A-]
Do not use DHE ciphers (only ECDHE). DHE ciphers will cap the grade at [B] on
BIG-IP.
• Enable TLS1.2 [C]
• Enable Secure Renegotiation [A-]
The DEFAULT cipher string included in BIG-IP version 12.0 will yield a B grade but offers full
hardware acceleration. To get that coveted A+ grade, an administrator would need to have
7
RECOMMENDED PRACTICES
F5 SSL Everywhere
a fairly restrictive cipher list. For example “!SSLv3:!DHE:ECDHE:RSA+HIGH” will get an
A grade on SSL labs but would require every user to have a very recent browser.
Note that the rating requirements change over time; see the Qualys SSL Labs Rating
Guide for the latest.
Fine-Tuning Data Protection
The primary goal of SSL is to secure data in transit. A BIG-IP device that is performing SSL
termination or SSL bridging has dozens of settings, many of them very powerful, that can
be fine-tuned for a specific security environment.
A primer on SSL cipher strings
The configuration knob that controls the negotiation of key-exchange, encryption, and
authentication protocols is the cipher string setting of the F5 clientssl and serverssl profiles.
Creating a cipher string that projects only strong cryptographic ciphers while maintaining
broad compatibility among browsers can be a black art. Consider this actual,
recommended cipher string for advanced BIG-IP administrators:
ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:-MD5:-SSLv3:-RC4
The BIG-IP device cipher string system is based on the one used by the open source
project OpenSSL, though it does not follow it exactly. Find the full reference for OpenSSL
cipher strings, and a few extra tips, here.
An administrator can use the tmm command from the TMOS bash shell to see which
ciphers are included in any given cipher string for any BIG-IP version:
config # tmm --clientciphers ‘DEFAULT’
The tmm command should only be run on standby devices, because running the command
incorrectly can interfere with application delivery. The cipher string is usually enclosed
in single quotes otherwise any ‘!’ characters in the cipher string confuse the shell. By
convention, UPPERCASE is always used for cipher strings.
Also note that this command is one of the few in this document that is not a native TMOS
shell command. An administrator must have access to the bash shell to run it, and can get
to the bash shell by running this command from the TMOS shell:
8
RECOMMENDED PRACTICES
F5 SSL Everywhere
(tmos)# run util bash
The ciphers represented by the cipher string are shown in the order in which they will be
preferred by the BIG-IP device. In the DEFAULT example above, the first three preferred
ciphers are:
1 DHE-RSA-AES256-GCM-SHA384
2 DHE-RSA-AES128-GCM-SHA256
3 DHE-RSA-AES256-SHA256
Unlike many server systems, when negotiating the SSL cipher with the client, the BIG-IP
system will choose the preferred cipher according to the cipher string designated by the
BIG-IP administrator rather than choosing the one preferred by the browser. Browser
vendors consider this rude, but BIG-IP administrators prefer the control.
Building a cipher string
There are four components of a cipher: key exchange, authentication, encryption, and hash.
A cipher may describe any subset or combination of these components.
• Common key exchange ciphers: RSA, DHE, ECDHE, ECDHE_ECDSA, ECDH_
ECDSA, DHE and DHE_DSS.
• Common authentication ciphers: RSA
• Common encryption ciphers: AES, RC4, DES, 3DES
• Common message hash ciphers: SHA, SHA256, MD5
The hyphen character “-“ combines the elements into a single specific cipher. For example,
the cipher string “DHE-RSA-AES256-SHA” specifies exactly one cipher.
Operators
Besides the hyphen, four other character operators are used to build cipher strings.
• Colon (:)
The colon character “:” is the delimiter between two cipher string phrases. When
used as part of a list, it is simply the additive operator. For example the cipher string
“RSA:AES” means “all RSA-based ciphers plus all AES-based ciphers” and would
include over 100 ciphers!
• Plus (+)
9
RECOMMENDED PRACTICES
F5 SSL Everywhere
The plus sign operator “+” has two uses. When used between two cipher names,
the + operator doesn’t mean add, it means “the intersection of.” The cipher string
“RSA+AES” means specifically just 11 ciphers that have RSA as the key exchange
and AES as the encryption cipher.
• Leading plus (:+)
When used in front of a cipher name (that is, after a colon), the plus sign means
“move these ciphers to the end of the list.” For example, RSA:RC4 and RSA:+RC4
will provide the same list of ciphers, but the latter will order RC4-based ciphers at
the end of the list as least preferred.
• Minus (-)
The minus operator “-“ deletes the ciphers from the list of supported ciphers while
making sure that some or all of the ciphers can be added again with later options.
The “!” operator is used more commonly than the minus. For example, “RSA:SHA:DHE+SHA” means “all RSA-based ciphers except those that use SHA” plus “all
DHE-based ciphers that include SHA”. Do not confuse the minus with the hyphen
character “-“.
• Not (!)
The not operator “!” permanently deletes ciphers from the list of supported ciphers.
The ciphers deleted can never reappear in the list even if they are explicitly stated.
For example, “RSA:!MD5:MD5” is effectively the same as “RSA”.
• At (@)
The at operator “@” specifies that the following word will designate whether the
cipher string is to order the list by cryptographic strength (@STRENGTH) or
cryptographic performance (@SPEED).
• No symbol
If none of the above symbols appears in the string, the string is interpreted as a list
of ciphers to be appended to the current preference list. If the list includes any
ciphers already present, they will be ignored.
Special keywords
The cipher string format includes a series of special keywords that can be used to group
ciphers together:
• DEFAULT
10
RECOMMENDED PRACTICES
F5 SSL Everywhere
This is the ordered list of preferred ciphers as determined by the F5 security
engineering team. It is different from the OpenSSL DEFAULT keyword. F5 optimizes
DEFAULT to be a reasonable compromise between high security and high
performance.
The F5 engineering team agonizes over the list of ciphers that make up DEFAULT in
each release. The main drawback to using DEFAULT is that when it changes (as new
ciphers are developed or old ones fall out of favor), administrators that use DEFAULT
may be surprised when they upgrade versions.
In version 12.0 of the BIG-IP system, the following unsafe ciphers are excluded from
DEFAULT and are unlikely to come back: EXPORT, SSL3, and NULL.
Solution 13156 lists the ciphers included with the DEFAULT keyword for different
versions of the BIG-IP system.
• NATIVE
The NATIVE keyword specifies the set of ciphers that are specially accelerated either
in hardware or software in the F5 SSL software stack. The performance and support
of NATIVE ciphers are much higher than non-NATIVE ciphers. The NATIVE cipher list
includes ciphers that have since been shown to be inappropriately weak for modern
use (such as RC4, MD5, and DES), so it should not be used without modification.
• COMPAT
The COMPAT cipher invokes a special mode for a handful of ciphers where the
implementation is borrowed directly from the open source OpenSSL project to
support legacy systems that could not be upgraded. Today, COMPAT should only
be used very rarely, under specific guidance, when there is no other alternative.
• ALL
The ALL string includes all ciphers except the eNULL ciphers, which need to be
explicitly enabled. The ALL ciphers are reasonably ordered by default. Use of ALL
is highly discouraged for production systems, as it will allow many unsafe ciphers.
• HIGH, MEDIUM, and LOW
These keywords are largely maintained only for the purposes of compatibility. The
HIGH string includes ciphers with 128-bit keys or larger, but in reality, HIGH is less
secure than DEFAULT. Note that HIGH includes anonymous Diffie-Helman ciphers,
which should not be used by production systems.
11
RECOMMENDED PRACTICES
F5 SSL Everywhere
The MEDIUM string includes medium-strength encryption ciphers, and the LOW
string includes ciphers that use 64- or 56-bit encryption algorithms but excludes
ciphers in the EXPORT string.
• EXPORT
The EXPORT keyword includes export encryption algorithms, including 40- and
56-bit algorithms. These ciphers were defined to comply with U.S. export rules that
have since been lifted. The EXPORT keyword is most useful when preceded by the
Not (!) operator.
Cipher string examples
Several examples of cipher strings an administrator could use for a clientssl profile:
ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:-MD5:-SSLv3:-RC4
This cipher string prioritizes elliptic-curve ciphers (EC). EC ciphers are thought to be easier
on mobile devices. The Ephemeral Diffie-Helman (DHE) cipher invokes forward secrecy. By
specifying DHE+AES, some SSLv3 ciphers get brought back in. The final “-SSLv3:-RC4”
removes them.
‘ECDHE:HIGH:+DHE:!ADH’
This string commands: Prefer elliptic curve key exchanges (ECDHE). Allow ciphers with key
sizes of 128-bits or larger (HIGH). Put ephemeral Diffie-Helman ciphers (DHE) at the end of
the list. Disallow any anonymous Diffie-Helman ciphers (!ADH).
‘HIGH:!ADH:!SSLv3:!TLSv1@SPEED’
This string says: Allow ciphers with key sizes of 128-bits or larger (HIGH). Disallow any
anonymous Diffie-Helman ciphers (!ADH). Effectively allow only TLSv1.2 and TLSv1.1
(!SSLv3 and !TLSv1). Order the remaining ciphers by speed.
F5 recommended practices for building cipher strings:
• Disable anonymous ciphers such as ADH using the !ADH phrase.
• Disable export ciphers using the !EXPORT phrase.
• Use the keyword HIGH, but be sure to disable anonymous ciphers.
• Disable SSLv3 when possible. This is an unsecure protocol version.
12
RECOMMENDED PRACTICES
F5 SSL Everywhere
Transformational services
BIG-IP devices serve as a full proxy for TCP, HTTP, and SSL, which means they create one
connection to the client (browser) and a separate connection to the server.
The transformational nature of an SSL proxy allows a site to provide SSL features that are
decoupled from the capabilities of the application servers. An architect can therefore use
the ADC to transform the interface to the web servers into any protocol the ADC supports,
regardless of the back-end transport options.
For example, an administrator can define that every application has 2K RSA keys on the
ADC even if the application servers support only 1K RSA keys. Or the architect can support
HTTP/2.0 for every application on the ADC even when none of the back-end servers
support it. In other words, transformational services provide the ability to maintain
compliance with an Internet-facing SSL policy without the need to enforce that policy on
individual servers.
This full-proxy capability allows BIG-IP devices to transform any combination of the client
and server connections below.
Client Connection
Server Connection
2K RSA
HTTP/1.1
Elliptic Curve
1K RSA
Forward Secrecy (ECDHE, DHE)
Multiplexed TCP
Client Certificate Authentication
2K RSA
SPDY
HTTP/2.0
Forward secrecy
The Edward Snowden U.S. National Security Agency (NSA) disclosures revealed that nation
states might be collecting data for later use via broad-spectrum mass surveillance. The
data includes encrypted data that the NSA could not decrypt, presumably collected in the
hope that future technology could produce the private key used to encrypt the data. One
lesson from these events is that data encrypted in motion can be archived for later analysis
and that once a private key has been compromised, all traffic encrypted with that private
key becomes visible. Put another way, all traffic encrypted with a private key is subject to
potential future decryption.
13
RECOMMENDED PRACTICES
F5 SSL Everywhere
To counter this vulnerability, forward secrecy was proposed. Forward secrecy extends the
key exchange protocol to generate a second, ephemeral key before generating the session
key. In previous SSL key exchanges, the RSA keys are used to generate a session key,
which in turn is used to encrypt the traffic. With forward secrecy, the RSA keys are used
to facilitate generating a Diffie-Helman ephemeral key pair, which is used to generate the
session key. This approach ensures that compromising the RSA private key will only provide
access to encrypted traffic. Each individual SSL session is protected by the Diffie-Helman
key pair generated on a per-session basis. Forward secrecy ensures that compromising a
private key will not expose all traffic encrypted with that private key.
BIG-IP version 12 prefers forward secrecy ciphers in the DEFAULT cipher. The
tmm – clientciphers command shows the specific forward secrecy ciphers:
[davidh@murky:Active:Standalone] ~ # tmm --clientciphers DHE:ECDHE
ID SUITE
BITS PROT
0:
159 DHE-RSA-AES256-GCM-SHA384
256 TLS1.2
2:
57 DHE-RSA-AES256-SHA
256 TLS1
3:
57 DHE-RSA-AES256-SHA
256 TLS1.1
...
23: 49192 ECDHE-RSA-AES256-SHA384
256 TLS1.2
24: 49172 ECDHE-RSA-AES256-CBC-SHA
256 TLS1
25: 49172 ECDHE-RSA-AES256-CBC-SHA
256 TLS1.1
Applications that use the DEFAULT cipher need not make any changes to take advantage
of forward secrecy. There is one scenario where forward secrecy can create problems:
key sharing, such as may be used by monitoring or other security systems. Shared-key
monitoring will fail when forward secrecy is enabled, so in such cases, forward secrecy is
not appropriate.
In cases where the SSL keys are being shared with other security services such as IDS/IPS,
the options are either to eschew forward secrecy, risking future exposure of the traffic, or to
terminate the SSL with the BIG-IP device. Terminating the SSL enables the use of forward
secrecy while also allowing monitoring by other devices.
F5 recommended practices for forward secrecy:
• Before enabling forward secrecy, ensure that the SSL private key is not being shared
with any monitoring systems or with other security devices.
• Understand that diagnostic tools such as ssldump will fail to work when forward
secrecy is enabled.
14
RECOMMENDED PRACTICES
F5 SSL Everywhere
Multiplexing TCP and SSL
The F5 OneConnect™ feature of the BIG-IP system can increase network throughput by
efficiently managing connections created between the BIG-IP system and back-end pool
members. OneConnect works with HTTP keep-alives, enabling the BIG-IP system to
minimize the number of server-side TCP connections by making existing connections
available for reuse by other clients.
For example, when a client makes a new connection to a BIG-IP virtual server configured
with a OneConnect profile, the BIG-IP system parses the HTTP request, selects a server
using the load-balancing method defined in the pool, and creates a connection to that
server. When the client’s initial HTTP request is complete, the BIG-IP system temporarily
holds the connection open and makes the idle TCP connection to the pool member
available for reuse.
F5 recommended practices for multiplexing TCP and SSL:
• Do not configure OneConnect for a virtual server doing SSL pass-through.
• See the F5 DevCentral™ article “Persisting SSL Connections” for more information.
HTTP Strict Transport Security
Many websites operate over HTTPS but offer the ability to downgrade to unencrypted
HTTP when necessary. Other sites operate primarily on HTTPS but download some
content—such as video or images—over unencrypted HTTP. A site that allows unencrypted
traffic creates an attack surface for cookie hijacking or man-in-the-middle attacks. RFC
6797 provides HTTP Strict Transport Security (HSTS), a standard for directing web clients
to connect only using secure and trusted connections.
HSTS inserts a header into HTTPS traffic that directs the client only to use trusted and
encrypted connections to retrieve objects. This restriction includes refusing to display
pages with self-signed certificates. Clients will continue to enforce the restriction for the
period of time specified in the header. All major browsers now support HSTS, making its
use a good way to ensure that all traffic stays encrypted. With the BIG-IP system, the
administrator can ensure that all pages for a domain have the HSTS header.
Enabling HSTS is one of the easiest and most powerful ways to improve an application’s
security posture. BIG-IP devices have three parameters for setting HSTS located within the
HTTP profile.
15
RECOMMENDED PRACTICES
F5 SSL Everywhere
Figure 3: Enabling HSTS in the HTTP profile
Select the Mode check box to enable HSTS. Use the Maximum Age field to specify for how
many seconds the client should enforce HSTS after last seeing the header. The default
value specifies that HSTS should be enforced for 186 days after the header was last seen,
which is consistent with SSL Labs’ recommendation that the maximum age be at least 180
days. Select the Include Subdomains check box to indicate that subdomains should also
enforce HSTS. Most administrators will want to select this option, forcing all subdomains
to use HSTS. If there is an application on a subdomain that cannot use HSTS, such as an
application that requires a self-signed certificate, then the administrator should clear this
check box.
HSTS provides a layer of protection for users against several common attack vectors,
including cookie hijacking, man-in-the-middle, and downgrade attacks, that depend on
unencrypted traffic. By selecting a single check box, administrators can ensure that all
traffic will require encryption after only one encrypted connection.
F5 product users running a version of TMOS prior to 12.0 can use a simple F5 iRules® script
to turn on HSTS. For versions 11.6.0 and earlier, see Jason Rahm’s DevCentral article called
“Implementing HTTP Strict Transport Security.”
when HTTP_RESPONSE {
HTTP::header insert Strict-Transport-Security “max-age=31536000 ;
includeSubDomains”
}
The includeSubdomains keyword instructs the browser to use encryption for object
requests within the subdomains of the site. For example, if the site is example.com, the
includeSubdomains keyword will instruct the browser to use HSTS for chat.example.com
as well. An administrator must ensure that all subdomains are compatible with SSL before
enabling includeSubdomains.
F5 recommended practices for HSTS:
• Enable HSTS for applications.
16
RECOMMENDED PRACTICES
F5 SSL Everywhere
• Use the includeSubdomains keyword, but only after ensuring all subdomains will
continue to function.
• Enable a 302 redirect on the virtual server at port 80. Solution 14996 describes how
to configure redirects from HTTP to HTTPS.
HTTP/2
HTTP/2 is poised to replace HTTP/1.1 by reducing latency in typical web traffic. HTTP/2
reduces latency by compressing the headers, multiplexing client requests, and enabling
servers to push data to the client before the client requests it. Since the major browsers
now support HTTP/2 at the client level, a web application can provide a more pleasant user
experience by implementing HTTP/2. The BIG-IP platform provides the ability to produce an
Internet-facing HTTP/2 presence without the need for any changes to the back-end web
servers.
Since the dominant version of HTTP in use today is 1.1, most administrators would prefer
to support HTTP/1.1 while making HTTP/2 available. BIG-IP devices support this scenario.
Keeping all of the traffic on a single virtual server simplifies deployment and maintenance.
The default behavior of the BIG-IP system is to support all versions, including HTTP/0.9
through HTTP/2, when an HTTP/2 profile is included. The HTTP/2 profiles can be added
to a virtual server from the Acceleration section of the virtual server configuration.
The BIG-IP platform permits SSL settings on the server side as well as the client side.
These settings are independent, enabling the administrator to provide an HTTP/2 presence
without making any changes to the web server infrastructure. All internally developed and
externally licensed software can be exposed to the Internet as HTTP/2, regardless of the
capabilities of the internal servers. In addition, the internal traffic can be encrypted between
the BIG-IP device and the internal servers. Encrypting all traffic increases the level of
security both in terms of encryption and by eliminating a possible man-in-the-middle attack
by a rogue system on the corporate LAN. The level of encryption exposed to external web
clients is independent of the level of encryption used by internal servers so the latest
algorithms can be used to face the Internet with older algorithms being used internally,
where SSL traffic is less exposed.
In response to several attacks based on SSL renegotiation, the HTTP/2 specification
requires that SSL renegotiation be disabled, but the default clientssl profile allows
renegotiation. The implication is that the default HTTP/2 settings and the default clientssl
settings are incompatible. The administrator must decide whether to disable renegotiations
(in support of HTTP/2 compatibility) or to allow renegotiations. In order to use HTTP/2, the
administrator must change the default settings of either the clientssl profile or the HTTP/2
profile.
17
RECOMMENDED PRACTICES
F5 SSL Everywhere
First, the administrator must determine whether or not renegotiations are needed. Actual
SSL renegotiations are uncommon. One of the few use cases for renegotiation is for
dynamically changing client authentication requirements based on content and then
requesting a certificate from the client. Unless an administrator’s site uses this technique,
it should be safe to leave renegotiation disabled.
For cases where the administrator wants to remain compliant with HTTP/2 requirements
and does not need renegotiation, disable renegotiation at the clientssl profile associated
with the virtual server.
Figure 4: Disabling renegotiation in a clientssl profile
F5 recommended practices for HTTP/2:
• Leave the default setting, which disallows SSL renegotiation with HTTP/2. This
restriction can be relaxed with the following TMSH command if needed.
(tmos)# modify ltm profile http2 http2-ni enforce-tls-requirements disabled
• Attach an HTTP/2 profile to every externally facing virtual server. There is no
downside.
• HTTP/2 is not yet supported for BIG-IP server-side connections. If an application
requires HTTP/2 from the client all the way to the server, use the BIG-IP device for
layer 4 load-balancing to a pool of HTTP/2 servers.
Persistence and SSL
Connection persistence is a technique to consistently pair the same client to the same
server over time. For example, suppose that a server farm has 300 servers for an
application. A user, Marty, comes in and is directed by the ADC to server 287 because it
has the lowest load. Server 287 establishes an HTTP session with Marty and loads his
profile information from the middle-tier database systems into its memory.
As Marty uses the website, his browser opens new connections to the ADC. The ADC
recognizes Marty and sends these new connections to, say, server 287, which already has
Marty’s profile information loaded. This works because Marty’s connections information
18
RECOMMENDED PRACTICES
F5 SSL Everywhere
has persisted on the ADC. Computer scientists call the property of matching requestors
to data “locality of reference.” F5 holds the original patent for ADC persistence via HTTP
cookies.
There are many ways to accomplish persistence. Some early, crude models include
persisting by client source address or layer 4 tuples.
An administrator may notice that there is a persistence method that relies on SSL session
ID. In actuality, this persistence method is rarely used for the following reasons:
• It is not uncommon for a client and server to have multiple open sessions.
• Sessions are ephemeral and can be invalidated at any time.
• Many implementations of computation session identifiers are not deterministic,
meaning that if Marty’s browser switched sessions mid-session (as it were), a
persistence method based on SSL session ID could send his new session to the
wrong server.
The only time SSL session ID should be used as a persistence method is for the SSL
pass-through case, where the BIG-IP device is not decrypting SSL and is simply passing
it through to servers that will decrypt the SSL later.
F5 recommended practices for SSL persistence:
• Use normal cookie-based persistence when SSL traffic is terminated or bridged
on the BIG-IP device in full-proxy mode and the underlying protocol is HTTP.
• For clientssl profiles where the underlying protocol is not HTTP, use layer 4
persistence.
• For SSL pass-through configurations, use SSL session ID persistence.
Client certificates
The vast majority of SSL sessions across the Internet use only one-way SSL authentication—
the client authenticates the server by examining the server’s certificate data, public key, and
associated signatures. If the server wants to identify the user, it typically asks for a
username and password after the SSL session is established.
But there are some applications that use SSL client certificate authentication as well as
SSL server authentication. This is called mutual authentication, but since the server
authentication is nearly always done anyway, people simply think of it as “client
authentication with client certificates.”
19
RECOMMENDED PRACTICES
F5 SSL Everywhere
How all the clients got their certificates is a management problem all in itself. Typically all
the clients are members of a well-funded organization (like a branch of the military) or Wall
Street traders, for instance. And often the certificates reside on smart cards or other
devices where they are accessed over public key cryptography standard (PKCS) protocol
#11.
Part 8 of the DevCentral series on SSL profiles provides a detailed breakdown of exactly
how client certificate authentication works within the TLS handshake.
Historically, the most common intersection of client certificate authentication and the F5
platform occurs in SSL termination and SSL bridging modes: the BIG-IP device is acting
as the SSL server to a client on the Internet and authenticating that client’s certificate. The
back-end servers, which trust the BIG-IP system, need to get information about the client
certificate. There are three ways to forward that client certificate information to the servers:
• X509 extraction
The oldest trick (and still one of the easiest) is to extract and insert fields from the
client certificate’s X509 directory information into the underlying HTTP stream as
headers. A typical iRules script might include gathering the issuer of the client
certificate and then inserting it into the HTTP request to the server as “F5_CLIENT_
ISSUER=[X509::issuer [SSL::cert 0]]”. See this DevCentral post for a more complete
example.
• X509 whole certificate extraction
A similar method is to extract and insert the entire certificate itself into the HTTP
stream as a multi-line PEM-encoded header. Obviously, the server-side code will
have to reassemble the certificate. The server can do the reassembly using a code
library or by executing the openssl x509 command. The iRules script to do this on
the BIG-IP device would look as simple as:
when HTTP_REQUEST {
if { [SSL::cert count] > 0 } {
HTTP::header insert “F5CC” [X509::whole [SSL::cert 0]]
}
}
• ProxySSL mode
There is a way to forward client certificates directly to the back-end server with a
special F5 SSL setting called proxySSL mode. With proxySSL, the BIG-IP device
must use the same certificate and key as the back-end server. Clients can then
connect all the way through to the server and authenticate with their certificates.
20
RECOMMENDED PRACTICES
F5 SSL Everywhere
The BIG-IP device can provide passive monitoring of the session. ProxySSL should
only be used when there is a requirement for client certificate authentication directly
to the back-end servers. See SSL and the OWASP Top Ten later in this document
for more information about proxySSL.
F5 recommended practices for client certificates:
• The SSL profile has a three-way setting for client certificate authentication: none,
request, and require. When require is used and the client authentication fails for
some reason (such as an expired certificate or OCSP failure), the user gets an ugly
browser message. Some administrators use the request setting instead, which
allows them to receive the certificate but passes the connection through even if
authentication fails. When using the request setting, also use an iRules script that
checks the certificate verification result and presents a more aesthetic error
message or an HTTP 302 redirect.
• Configure at least one revocation method—whichever one is best supported by the
certificate authority—for client certificates. Certification revocation lists (CRLs) can be
supported directly in the SSL profile. The other methods (OCSP and CRL distribution
point or CRLDP) must be done via iRules. See the revocation section of this
document for more information.
• The TLS protocol includes a way to force a new handshake but without breaking the
TCP connection. This is called a renegotiation and can be used to transition a client
from one authenticated state (none) to another (client certificate authentication).
However, the IETF frequently threatens to remove renegotiation, so consider it
abandoned, and use it accordingly.
• SSL forward proxy is a special mode that intercepts outbound SSL requests from
a client on the inside of the BIG-IP platform boundary (inside the data center). This
mode is used with the SSL outbound visibility deployment scenario. The BIG-IP
device may try to intercept connections that are using client certificate authentication,
but it will very likely not know what to do with the resulting connection. Whitelist any
allowed, known hosts into a bypass list so that the BIG-IP device will not interfere.
• There is a setting called “retain certificate” in clientssl profiles. This setting will
improve the user experience by caching the client certificate across multiple
connections (thereby avoiding extra popups in the browser). Enable this setting
unless using a rare high-bandwidth, low-memory configuration where the extra few
kilobytes associated with each connection could impact overall system performance.
21
RECOMMENDED PRACTICES
F5 SSL Everywhere
SSL failover options
Full SSL handshakes are computationally expensive. This is one reason enterprises
continue to rely on ADCs stuffed with cryptographic acceleration hardware for SSL
decryption.
Sites that have significant amounts of SSL traffic need to be aware of this particular
problem: What happens if the primary ADC stops receiving traffic and the secondary has
to pick up all those active connections?
Administrators may say they’d like the secondary device to resume each session exactly
where the primary left off. In practicality, a seamless “SSL failover” like this is a very difficult
problem to solve. In fact, the industry hasn’t yet standardized a solution. F5 customers have
three options to choose from for SSL failover. Two have very similar names: SSL session
mirroring and SSL connection mirroring. The third, SSL session tickets, is relatively new.
SSL session mirroring
Recall that an SSL session is the set of state information that describes an individual SSL
connection between a client and a server. This state information can be mirrored between
BIG-IP devices in a traffic group. When session information is mirrored, a client can connect
to any device in the group and resume the SSL session, avoiding the expensive and
higher-latency full SSL handshake.
Figure 5: SSL session mirroring enables resumption of an SSL session on any device in the group
SSL session mirroring is relatively straightforward and controlled by two knobs. The first
control is to toggle a system variable named statemirror.secure. Through the command
line interface, an administrator can issue the following command:
(tmos)# modify sys db statemirror.secure value enable
22
RECOMMENDED PRACTICES
F5 SSL Everywhere
This must be done prior to creating SSL profiles that include the new SSL session mirroring
attribute, and on all units in the cluster. It will cause the mirroring channel to drop and
reestablish.
The second control is to enable the SSL mirroring attribute in the clientssl profile associated
with the application’s virtual server.
Figure 6: Enabling the SSL session mirroring attribute in the clientssl profile
The attribute can also be set with this command:
(tmos)# modify ltm profile client-ssl test1 session-mirroring enabled
Both the check box and the TMSH command will warn if the statemirror.secure variable
discussed above has not been set.
SSL connection mirroring
The second and more sophisticated approach to mirroring is SSL connection mirroring—a
method administrators often think they want. Connection mirroring takes session mirroring
one step further: Connections to a virtual server that has connection mirroring enabled can,
in theory, be continued without interruption or restarted by any device in the device group.
In reality, ADC administrators have found that connection mirroring (SSL or otherwise) is
largely unnecessary due to the stateless and temporal nature of HTTP. The performance
cost and additional latency added by full connection mirroring is rarely worth the benefit of
fully mirrored connections for HTTP. This means that the number of valid applications for
connection mirroring is a very small number indeed, and most F5 customers use it only for
specific applications, such as long-term VPN tunnels.
SSL connection mirroring has the following restrictions:
• SSL connection mirroring is not compatible with the HTTP profile.
• Server side SSL connection mirroring is not supported.
• DTLS connection mirroring is not supported.
23
RECOMMENDED PRACTICES
F5 SSL Everywhere
• SSL connection mirroring is incompatible COMPAT ciphers.
• Multiple failover is not supported.
• Failback is not supported.
• iRules should not be applied to a virtual server using SSL connection mirroring.
• The database variable statemirror.secure must be enabled.
F5 recommended practices for SSL connection mirroring
• Only enable SSL connection mirroring for long-lived, non-HTTP sessions.
• Under high connection rates, viewing tmctl ha_stat may show “overflows”
incrementing. To mitigate this problem, change the database variable
statemirror.queuelen to 256M.
• If connections are occasionally lost on reset, enable the database variable
statemirror.verify, which will take an extra step to verify the successful mirroring
of each packet during normal transactions.
SSL session tickets
The final option for mirroring is the use of a feature that’s relatively new to the world of SSL:
called session tickets, it is defined by RFC 5077. SSL session tickets work like TCP syncookies. The server (the BIG-IP device in the cases of SSL bridging or SSL termination)
can take the state information associated with the client connection, encrypt it, give it to
the client (as a ticket), and then forget it.
When returning with a new connection, the client can present the encrypted session ticket
to the BIG-IP device, which will decrypt it and—voila!—the BIG-IP device has the needed
session information and can resume that session without remembering everything.
SSL session tickets make the session stateless for the ADC. This has three benefits:
• The session can be resumed by a different BIG-IP device.
• Sessions take less memory per connection.
• The BIG-IP devices become more resilient against session-based denial-of-service
(DoS) attacks.
Not all browsers and clients support TLS session tickets yet. Currently, a virtual server, if it
wants broad reach, must implement both session caching and SSL session tickets. For
administrators, having to manage both negates some of the benefit of SSL session tickets.
24
RECOMMENDED PRACTICES
F5 SSL Everywhere
The good news is that browsers and other TLS clients are upgrading quickly and becoming
compatible with session tickets.
F5 recommended practices for all SSL mirroring:
• Use both SSL session mirroring and SSL session tickets for inbound data center
and enterprise applications.
• A smaller number of organizations may want to use SSL connection mirroring, but
only for applications with exclusively low-bandwidth, long-lived, non-HTTP
connections.
• Applications that are under extreme memory strain due to circumstances such as
SSL connection floods should use session tickets exclusively.
Cipher agility
Handshake ciphers: RSA vs. DSA vs. ECC
Since the beginning of the SSL protocol, RSA has been the main choice for key exchange.
Over time, as brute force attacks became more feasible, RSA key lengths had to become
longer. Today the RSA keys are so large that the key exchange is a very computationally
expensive operation. Elliptic curve cryptography (ECC), a newer variant of asymmetric
cryptography, promises to provide equivalent security with much shorter keys and a
correspondingly lower demand for computing resources for key exchange.
Figure 7: The relative key lengths of RSA (factoring modulus) and ECC
Source: www.keylength.com
25
RECOMMENDED PRACTICES
F5 SSL Everywhere
The digital signature algorithm (DSA) standard was proposed by the National Institute of
Standards in 1991 and has become a U.S. government standard. A site that interacts with
federal agencies may have a need for DSA. DSA key length is the same as for RSA.
RSA is ubiquitous, DSA is used by sites interacting with federal agencies, and ECC is poised
to become the standard in the future. Which type of certificate should a site support?
The BIG-IP platform can support all three simultaneously on a single virtual server. Every
BIG-IP virtual server must have at least an RSA certificate, but can also have a DSA
certificate and an ECC certificate (called ECSDA).
F5 recommended practices for handshake cipher selection:
• Configure new virtual servers for both RSA and ECC handshakes. Administrators will
likely know if they already have a DSA requirement.
• To support multiple certificates:
1. First, upload the certificates to the BIG-IP device. In the client SSL profile, select
the new files from the Certificate, Key, and Chain drop-down lists as appropriate.
Figure 8a: Adding an ECDSA key to the client SSL profile
2. Next, click Add to add the certificate and key to the Certificate Key Chain.
Figure 8b: Adding the certificate and key to the key chain
26
RECOMMENDED PRACTICES
F5 SSL Everywhere
3. Under Ciphers, place a colon after DEFAULT and then list which ECC ciphers to
support.
Figure 8c: Indicating support for ECDHE-RSA-AES128-GCM-SHA256
4. Use the following cipher string names to enable the following groups of ciphers:
ECDHE, ECDHE_ECDSA, ECDH_ECDSA, DHE and DHE_DSS
5. Save the configuration by clicking Update.
At this point the BIG-IP device will provide both RSA and ECDSA certificates to any
connecting client.
Disabling SSLv3
SSLv3 is no longer secure, as demonstrated by the POODLE attack in 2014. Google has
removed fallback support in Chrome, and RFC 7568 deprecates its use. SSLv3 should no
longer be used by client software. Applications that comply with the PCI DSS specification
must discontinue use of SSLv3 and TLSv1 when PCI 3.0 takes effect in mid-2016. New
PCI DSS deployments must already be disabling SSLv3 and TLSv1.
In version 12.0 of the BIG-IP system, F5 has removed the SSLv3 protocol from the DEFAULT
cipher string. That is, any virtual server using a clientssl profile with the cipher string
DEFAULT will not accept client connections with SSLv3. Some administrators use a custom
cipher string for each clientssl profile, preserving the cipher list from version to version. For
example, an administrator running version 11.6 might have defined a cipher string like this:
‘TLSv1_2+AES256:SHA256:TLSv1_1:TLSv1:-RC4:SSLv3+RC4:!DES:!EXPORT’
Obviously, the way to remove SSLv3 from this cipher string would be to delete the
‘:SSLv3+RC4’ phrase. Before removing SSLv3, the administrator may want to know if the
site is processing a significant amount of SSLv3 traffic. An administrator can determine the
percentage of version 3 SSL connections by querying the clientssl profile statistics on the
device. The statistics aren’t attached to the application’s virtual server; they are collated at
the associated clientssl profile.
27
RECOMMENDED PRACTICES
F5 SSL Everywhere
Suppose that an administrator has a created a clientssl profile named ssl-exchange-2.
Query the protocol counters via the following TMSH command:
(tmos)# show ltm profile client-ssl ssl-exchange-2
F5 recommended practices for SSLv3
• Prepare to disable SSLv3 and TLSv1.
• Use this nmap script to locate any servers on the network that are still negotiating
SSLv3.
More information on tracking SSLv3 use on F5 devices can be found on DevCentral.
Figure 9: Support for SSLv3 after the POODLE attack (blue = Internet, red = F5 devices)
Key Management
G.K Chesterson once opined, “An adventure is only an inconvenience rightly considered.
An inconvenience is only an adventure wrongly considered.” So it is with the oft-maligned
art of certificate management. Some may consider it an inconvenience, but….
Who are we kidding? There is no way to make key management sexy. With some patience,
however, a veteran system administrator can take some of the adventure out of a task that
is fraught with operational and security pitfalls.
28
RECOMMENDED PRACTICES
F5 SSL Everywhere
Certificate expiration notification
Certificate expiration notification may seem like an arcane tidbit not worthy of the first
position in a certificate management discussion. Over a decade, however, the solution to
certificate expiration has been requested from F5 far more often than any other vexing little
problem.
This issue comes out of this scenario: BIG-IP LTM is delivering hundreds of websites and
applications for an enterprise. Some subset of those, still in the hundreds, is SSL-enabled.
Each of these has its own certificate, and each certificate has its own expiration date. On
any given week, one or more certificates may expire, which will cause the associated
website or application to become unavailable.
So how does an administrator stay on top of this whack-a-mole game of expiring
certificates?
There are a couple of recommended ways to monitor expiring certificates on the BIG-IP
platform. However, most administrators of medium to large organizations prefer an external
certificate management system because the organization has keys and certificates in many
locations, not only on the BIG-IP system. In particular, F5 customers have had success with
two external solutions: Venafi and Symantec.
The following tmsh sys crypto check-cert command was designed specifically to check
for expiring certificates.
(tmos)# run sys crypto check-cert
CN=www.sconats.com,OU=Domain Validated,OU=Thawte SSL123 certificate, in file /
Common/sconats_rsa.crt expired on Mar 12 23:59:59 2015 GMT
CN=192.168.2.55,OU=Marketing,O=F5 Networks,L=Loveland,ST=Colorado,C=US in file /
Common/3bd_rsa_1k.crt expired on Apr 30 23:57:36 2015 GMT
The check-cert command will scan through all of the known certificate objects on the
system. By default, check-cert will log expired or expiring certificate subject names to the
/var/log/ltm file and print them to standard output. Users with the administrator, system
manager, or certificate administrator role can run the check-cert command.
F5 recommended practices for certificate expiration notice:
• To manage certificates across an enterprise, explore external certificate management
systems from Venafi and Symantec.
• Audit not just for expiring certificates, but also certificates with weak signatures (MD5
or SHA1) and weak keys (1024-bit).
29
RECOMMENDED PRACTICES
F5 SSL Everywhere
• Use the check-cert command to monitor for expiration. For a full description of
check-cert, run the ‘help’ command:
(tmos)# help sys crypto check-cert
• The check-cert command is automatically run once a week on the BIG-IP system.
When check-cert finds expiring or expired certificates, it will write the messages to
/var/log/ltm. The administrator can then create a custom SNMP trap to have the
BIG-IP system email any results. Solution 3667 has instructions on creating custom
SNMP traps.
• Read more information about certificate expiration monitoring in Solution 14318:
Monitoring SSL Certificate Expiration on the BIG-IP System.
The certificate manager role
Large enterprise organizations with 10,000 or more employees usually have dedicated
security teams, and often they will have a person or persons whose primary job is
certificate management. Typically these individuals are not on the network operations team,
are not necessarily privy to the details of network architecture, and are not empowered to
change the configuration on network-critical devices such as load balancers or ADCs.
It is for these individuals that the certificate manager role was developed. These users can
be assigned to the certificate manager role when they authenticate to the BIG-IP system.
The role has management access only to objects related to certificates and key
management systems.
Figure 10: Assigning the certificate manager role
A user with certificate manager role can:
• Generate and import SSL keys and certificates.
30
RECOMMENDED PRACTICES
F5 SSL Everywhere
• Delete SSL keys and certificates.
• Manage on-board hardware security module (HSM) subsystems.
• Configure expiration notifications for certificates.
• Manage device certificates.
• Manage the F5 Secure Vault key protection feature.
The certificate manager cannot make network changes or modify any aspect of
applications managed by the BIG-IP platform.
Key protection
SSL keys are among an IT organization’s most prized assets. An attacker who gained
possession of a target’s SSL key could impersonate the target’s applications and create
the ultimate phishing portal.
Because of this, organizations treat their SSL private keys very, very seriously. Many
security architectures are designed to keep SSL private keys deep inside the data center,
away from the perimeter, to minimize possible threat exposure.
BIG-IP devices handle a large portion of data center SSL traffic and often retain dozens of
high-value SSL keys. Certificate managers and administrators need ways to deploy SSL
keys onto the BIG-IP devices while minimizing their exposure.
BIG-IP devices use three methods to minimize exposure of plaintext SSL keys. Two of
these involve the FIPS 140-2 standard.
FIPS 140-2 standard
FIPS 140-2 is a United States federal standard defining requirements for advanced key
protection in software and hardware systems. FIPS 140-2 consists of four security levels:
Level
Security
Description
1
Basic
At least one of the approved algorithm; rare
2
Tamper-evident
Typically a software implementation and a sticker
3
Tamper-resistant
Physical key protection and user authentication
4
Tamper-resistant II
Very sensitive physical protection
Some organizations with an interest in FIPS 140-2 will find that the second level meets their
requirements. Other organizations with more sensitive data may require the physical key
31
RECOMMENDED PRACTICES
F5 SSL Everywhere
protection provided by level 3 devices, which are called hardware security modules (HSMs).
Often level 3 devices are operated in level 2 mode to absolve the HSM user (often called
the security officer) from having to log in to the device after every reboot.
Integrated FIPS 140-2 HSM
The HSM is a clever piece of technology. Integrated HSM devices are hardware boards
designed for insertion into an appliance. SSL keys are generated within, or imported to, the
HSM. Ever after, the keys cannot be exported from the HSM. The controlling software (for
instance, the BIG-IP system) uses the HSM as an SSL accelerator, offloading to it
decryption requests.
Each HSM component has a rigorous design, testing, and certification schedule. As a
result, the performance of all HSM units is typically not equal to that of non-HSM SSL
accelerators.
Specific F5 hardware platforms have the HSM integrated directly onboard the system; find
more information in the BIG-IP Platform FIPS Administration Guide. Organizations interested
in the integrated HSM option must procure one of these specific platforms; the HSM option
cannot be added to an existing non-HSM appliance.
Platform
SSL TPS
10200v
9000
7200v
9000
5250v
5000
Platforms based on the F5 VIPRION® ADC do not have an HSM option. The F5 Virtual
Clustered Multiprocessing™ technology (vCMP) is not compatible with integrated FIPS
HSMs.
Network HSM key protection
The FIPS 140-2 level 3 HSMs have evolved to become standalone devices called network
HSM or netHSM devices. These devices reside on a network and service requests from
other appliances on or across the network. Many organizations are moving to architectures
that consolidate key management into a single cluster of network HSM devices.
F5 supports integration with, and provides integration guides for, two brands of network
HSM devices: Thales and Safenet.
32
RECOMMENDED PRACTICES
F5 SSL Everywhere
F5 recommended practices for FIPS 140-2:
• In high-security environments, use FIPS 140-2 options that include either an onboard
HSM or a network-based HSM solution such as those from Thales and SafeNet.
• Plan for HSM failure contingencies. With integrated HSM devices, the situation can
be recovered with the security officer password. Take care to keep and secure this
password.
• Create a contingency plan for the failure of both HSMs in a two-device cluster.
Typically this plan will call for additional HSM units to function as backups.
• Generate SSL private keys within the HSM for maximum security. However, some
administrators choose to generate the keys on a separate device. That key
generation device should have a hardware random number generator and should
be in a safe location in the network.
• The FIPS 140-2 specification requires the use of specific ciphers. Use following
cipher string to ensure that these ciphers get preference:
NATIVE:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:!SSLv3:!TLSv1:!EXPORT:!DH:!ADH:!LOW:!MD5:!RC4:
RSA+AES:RSA+3DES:@STRENGTH
• Monitor the number of transactions per second (TPS) of a BIG-IP device using
SNMP. There is no direct SNMP OID to monitor FIPS 140-2 TPS, but we can
calculate the FIPS TPS using several OID. In addition, if all clientssl profile on the
BIG-IP system are using keys of the security type FIPS, then the following OID can
be used, since it represents the TPS for the entire system: F5-BIGIP-SYSTEM-MIB::sy
sClientsslStatTotNativeConns
• Query the TPS for any individual clientssl profile via an OID named for the profile
itself:
F5-BIGIP-LOCAL-MIB::ltmClientSslStatTotNativeConns.”/Common/yourprofile1”
Software key protection
All non-FIPS F5 appliances can protect passphrase-encrypted keys by storing only the
encrypted key on disk. The key that protects the encrypted passphrases is stored in a
chip within the BIG-IP device.
On the disk, a passphrase-encrypted key will have a header that includes the encryption
method:
33
RECOMMENDED PRACTICES
F5 SSL Everywhere
-----BEGIN RSA PRIVATE KEY----Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,3D566DD5B6DCAD115F9969835F53D942
0FbIpHrdPj2ypaVqViLunmNGAn8bOayuoEPALDYOzwzqUSNXUAwwlPgmoqsWAmwL
6Fxhgy7m0w70Whhfm8z6dvT063qWBcBgsT4e5yz8L6sfx/zR2pBcYOjTGJ+YzKGs
UMFXfe/GG9RmDSPNHCsTuSbhJlOC7HrPTHvL/YVTvOa8K7Kqp5aRLE3N4nk5Tobg
…
The passphrases used to decrypt the individual keys are themselves encrypted by an F5
feature called Secure Vault. The Secure Vault stores its own key in a hardware chip in the
physical appliance.
Secure Vault should not be thought of as “software FIPS.” It is designed merely to ensure
that the SSL keys are not stored in plaintext in the configuration. This is especially important
considering that many administrators will periodically store device configuration archives on
backup systems in lower-security zones (such as in the cloud).
F5 recommended practices for software key protection:
• If FIPS 140-2 is not being used, certificate managers should use passphraseencrypted SSL keys protected by the Secure Vault feature. Passphrase-encrypted
SSL keys can be imported to the BIG-IP system directly when included in PKCS 12
file archives. More information can be found by viewing the help for the sys crypto
pkcs12 command:
(tmos)# help sys crypto pkcs12
• Set a specific passphrase to unlock the master key when using the Secure Vault
feature. A specific passphrase enables the manager to later recover all the keys from
a backup file, even if the original hardware key is unavailable. More information about
setting a specific passphrase for Secure Vault can found by viewing the help for the
sys crypto master-key command.
(tmos)# help sys crypto master-key
Revocation verification
The Achilles heel of the public key infrastructure (PKI) has always been defining the process
for handling compromised private keys. The trust system of PKI resides in the chains of
signed public keys. However, when one of the associated private keys is compromised,
there is no easy way to inform the participants of the PKI system. Neither is there an easy
way to revoke a certificate and then distribute the revocation information to all who need it.
34
RECOMMENDED PRACTICES
F5 SSL Everywhere
The PKI community has, over time, developed five mechanisms for distributing revocation
information:
1. Do nothing.
2. CRL files.
3. CRL distribution points.
4. OCSP servers.
5. OCSP stapling.
Use Case
Revocation Mechanism
Consumer website
OCSP stapling or do nothing
Large member website
OCSP stapling
Large enterprise
CRL distribution points
Federal
OCSP servers
SMB
CRL files
Each certificate has a serial number designated by the issuing certificate authority (CA).
When a CA is informed that a customer’s private key has been stolen or otherwise
compromised, the CA adds the associated certificate’s serial number to a giant signed list
of compromised certificate serial numbers. The list of all bad (untrustworthy) certificates
is signed by the CA itself and periodically published. The BIG-IP platform supports the
certificate revocation list distribution methods described below.
When to use certificate revocation
Certificate revocation is a necessary part of PKI, but that doesn’t mean an F5 administrator
needs to configure it. For an F5 administrator, certificate revocation matters most when
verifying a client or server certificate.
In a typical HTTPS session, the client verifies the server’s certificate but not vice versa.
Because the BIG-IP device is usually acting as the HTTPS server, there is usually no need
to configure certificate revocation on it.
The only times certificate verification needs to be configured on a BIG-IP device are:
• When the BIG-IP device is acting as an SSL client over an untrusted network. The
paranoid security administrator will, of course, assert that all networks should be
35
RECOMMENDED PRACTICES
F5 SSL Everywhere
considered untrusted, but many organizations do maintain different levels of network
trust.
• When the BIG-IP device is acting as an SSL server but is also authenticating clients
via SSL certificate authentication.
• When the BIG-IP device is acting as an HTTPS server and wants to provide its
revocation status to connecting clients via OCSP stapling.
F5 recommends practices for each revocation method use case shown in Figure 13.
Method 1: Certificate revocation lists
The oldest mechanism for the distribution of compromised certificate serial numbers is
simply a serial file called a certificate revocation list (CRL, sometimes pronounced “krill”).
The file is signed by the associated CA and made available on an FTP or web server.
Interested parties can download the file and make it available offline to their web server
or ADC.
Using straight-up CRL files is the most architecturally straightforward revocation distribution
method, but it is also most error prone. Common errors include:
• Difficulty retrieving the CRL file (for example, due to network errors).
• Growth in CRL file size, consuming resources.
• Corrupt CRL files, which happens more often than you might think.
• Bad or unverifiable CA signatures on CRL files, which are also disturbingly frequent.
In addition, BIG-IP devices have limitations on the maximum size of CRL files. The following
table shows the maximum size supported by each version of the BIG-IP system.
BIG-IP System Version
Max CRL File Size
12.0
64 MB
11.4.0 – 11.6.0
64 MB
11.0.0 – 11.3.0
32 MB
10.0.0 – 10.2.4
4 MB
For all of these reasons, straight-up CRL files are not a popular distribution mechanism.
But there can be times when CRL files make sense.
36
RECOMMENDED PRACTICES
F5 SSL Everywhere
F5 recommended practices for CRL file use:
• Use only for private certificate authorities such as an internal IT CA or test CA.
• Use only for small sets (less than 100,000) of revoked certificates.
• Automate the process of retrieving the CRL file from the certificate authority.
• Ensure that the CRL file is properly verified, not 0 length, includes a proper signature,
and hasn’t expired.
• Convert the file, if necessary, to the required PEM format.
• Finally, copy the validated and converted CRL file to the BIG-IP device and instruct
the device how to use it.
Historically, administrators that rely on CRL files have found it better to develop an
automated process on an external device (not the BIG-IP device itself) for CRL file updates.
The reason for the external device is that many BIG-IP devices are never assigned a DNS
server (so they can never be susceptible to frequent DNS failures). It is not uncommon for
a CA to change the IP addresses of their CRL servers, which becomes problematic for the
BIG-IP device because it cannot resolve the CRL server name.
Certificate administrators who want the BIG-IP device to download and verify the CRL file
can use a single command:
(tmos)# modify sys file ssl-crl gdcrl source-path http://godaddy.com/repository/
gd.crl
Use the F5 iCall® technology subsystem to schedule the update periodically. (Special
thanks are due to Matthieu Dierick for the iCall script.)
create sys icall script CRL
sys icall script CRL {
app-service none
definition {
tmsh::modify sys file ssl-crl gdcrl source-path \
https://godaddy.com/repository/gd.crl
puts “loading CRL”
}
description none
events none
}
create sys icall handler periodic START first-occurrence 2013-12-06:16:15:00
interval 30 script CRL
37
RECOMMENDED PRACTICES
F5 SSL Everywhere
While the iCall feature is an excellent solution when run on a BIG-IP device, many
administrators use a dedicated device (such as a standard Linux server) with a bash script
to update many CRLs at once. The DevCentral Codeshare includes an example of such a
script.
Method 2: OCSP
The PKI community developed a protocol that would provide the same information given by
a CRL file but in a simple request-response fashion. The OCSP is designed so that a client
can request the status of any particular certificate via its serial number and get a response
from an agent of the CA. Typically these agents are separate servers (called OCSP servers
or OCSP responders).
A modern CA will publish the URL to its associated OCSP server within its own CA
certificate. For example, Digicert lists its OCSP server as ocsp.digicert.com.
Figure 11: An example of OCSP information for a CA
38
RECOMMENDED PRACTICES
F5 SSL Everywhere
While OCSP was originally seen as a giant step forward from dealing with clunky CRL files,
administrators have since realized that OCSP is imperfect for different reasons:
• Querying a separate OCSP server for each connection increases latency and leads
to a degraded browsing experience.
• OCSP servers are not typically provisioned for high availability situations. This is
noticeable in that the servers are not reachable 100 percent of the time. Therefore
browsers have learned to “fail open” with OCSP—meaning that if they cannot
successfully connect to an OCSP server, they will proceed with the connection
anyway.
• Attackers have found interesting, trivial ways to defeat OCSP. A simple DoS attack
against the OCSP server will work. So will sending the number 3 during a man-inthe-middle attack.
For these reasons (and particularly the first), modern browsers are starting to ignore OCSP
servers and aggregating the various CA CRL databases.
With all that said, there are still valid use cases for OCSP. For example, military networks
have trusted subnets and requirements to use OCSP servers. In these cases, where
attackers theoretically cannot perform a simple DoS of the OCSP nor man-in-the-middle
its traffic. For these cases, F5 has the following recommendations for configuring OCSP.
F5 recommended practices for OCSP servers:
• Instead of using a single OCSP server, use an OCSP responder pool to maximize
availability.
• Use an OCSP monitor to monitor the health of your OCSP servers.
• Consider OCSP with a CRL fallback for those times when OCSP servers are down.
(Note that this achieves maximum operational complexity.)
Method 3A: OCSP stapling for clients
A much faster and more interesting mechanism derived from OCSP is called stapling. When
a PKI client sends an OCSP request about a particular certificate, what the client is looking
for is a response that says, “The certificate is good” or “The certificate is revoked.” This
response must be signed by the OCSP server. Because the OCSP server asymmetrically
signs the message, it doesn’t really matter which device delivers the signed message!
Therefore the message can simply be blended into the SSL handshake by the ADC.
39
RECOMMENDED PRACTICES
F5 SSL Everywhere
Figure 12: OCSP stapling, in which the client doesn’t have to communicate with the OCSP responder
RFC 4366 defines a TLS extension whereby the TLS server itself can fetch that signed
message and then present it along with its certificate to the client. In this fashion, the client
receives the certificate and the status message saying that the certificate is valid without
having to connect to a separate server. The OCSP status message includes a recent time
stamp so the client has some assurance that the status is fresh. The status response from
the OCSP server is cached by the server and then “stapled” into each connection from the
client. For the HTTPS client, the HTTPS server, and the OCSP responder, OCSP stapling is
the best of all worlds.
OCSP stapling is different from the other verification methods because the act of stapling
assists the party trying to verify the certificate used by the BIG-IP device. Consider it a
courtesy to clients connecting to the application or service.
F5 recommended practices for OCSP stapling for clients:
• Enable OCSP stapling on the BIG-IP device by defining the appropriate objects in
the SSL profile configuration.
• Use the SSL Labs tool to test that OCSP stapling is working.
• Build a script that uses the openssl s_client –status command to check the status,
then add the script to an automated process to ensure it works over time.
40
RECOMMENDED PRACTICES
F5 SSL Everywhere
• OCSP stapling implementations may vary depending on the registrar, and
organizations often use more than one registrar. Validate your OCSP stapling
configuration for each registrar you use.
Method 3B: OCSP stapling for servers
An administrator can be forgiven for assuming that the BIG-IP device will simply check for
OCSP stapling when using server-side SSL profiles. It does not. There’s actually a reason
for that: Traditionally, IT administrators use only IP addresses for server pool members to
avoid outages on DNS errors. This means that, strictly speaking, the BIG-IP device cannot
perform real server certificate verification because it cannot match the IP address to the
certificate’s DNS name. Typically those administrators will trade the security of a verified
serverssl connection in favor of high availability by implicitly trusting that portion of the
network. While that might not be the most secure strategy, it is a common one.
Even where strict certificate verification is unavailable, it is still possible to check for OCSP
revocation via stapling. Using what is called an external monitor, an administrator can check
the revocation status of SSL server pool members and then mark them down if they get
revoked. For organizations that use only IP addresses at their ADC, this may be the
preferred approach.
F5 recommended practices for OCSP stapling for servers:
• Use a BIG-IP device “external monitor” to examine OCSP responses stapled into
serverssl connections. External monitors are defined in the Local Traffic section of
the configuration.
• This DevCentral Codeshare script is an example of an external monitor that can be
used to mark a node down when its certificate status is revoked.
• Note that it is better to look for the specific revoked status, and, if absent, mark
the node as up. This is because there are many reasons a node may be unable to
respond, commonly including being down for maintenance. The TCP monitor can
mark that node as down.
Method 4: CRL distribution points
The fourth and final method of checking for certificate revocation is CRLDP, a way of using
existing corporate directories as revocation checkpoints. The technology is fairly mature,
especially when used in an Active Directory environment. CRLDP is typically used for client
certificate authentication in enterprise environments with BIG-IP® Access Policy Manager®.
41
RECOMMENDED PRACTICES
F5 SSL Everywhere
CRLDP can also be sometimes be found in the inbound retail deployment scenario. For
example, the certificate authorities GoDaddy and Entrust issue certificates with CRLDP
information embedded in their X509 data.
F5 recommended practices for CRLDP:
• Verify that your BIG-IP device is configured to use DNS and not simply IP addresses.
• A BIG-IP device using CRLDP must, of course, have a route to the CRLDP servers.
If the CRLDP servers are on the Internet, the BIG-IP device must have an outbound
Internet route.
• Check the size of the CRLs to confirm that they are not too large for the BIG-IP
system. (See the table on p. 36.)
Visibility and Control
Security management depends partly on visibility into traffic—or the ability to provide that
visibility to security devices such as web application firewalls (WAFs)— so that it may be
screened for known threats. Of course, SSL by definition obscures data. So how does an
administrator gain the visibility to make the best use of his or her security investments?
Several approaches maintain security while effectively revealing malicious traffic.
SSL and the OWASP Top Ten
The Open Web Application Security Project (OWASP) categorizes and rates classes of
application vulnerabilities every year into its OWASP Top 10 list. One of the highest priority
classes of vulnerabilities is “insufficient transport security,” by which the OWASP group
means not enough SSL.
One use case for providing transport security to an application is via SSL termination and
then sending the decrypted traffic through a WAF. a device specifically engineered to foil
application attacks such as those found in the OWASP Top Ten. One effect of SSL bridging
mode, where the ADC decrypts incoming traffic and then re-encrypts the traffic before it
leaves the ADC, is that the ADC becomes the singular place where an application firewall
can be deployed.
While SSL termination and bridging are the primary technologies used to provide visibility
into SSL for application security solutions like a WAF, there is a third way. The BIG-IP device
can be configured to eavesdrop on an encrypted session between an incoming connection
and a back-end server. This functionality is referred to as proxySSL. One of the only
cases where proxySSL is preferred is when a back-end server requires client certificate
42
RECOMMENDED PRACTICES
F5 SSL Everywhere
authentication, since client certificate authentication to the back-end server is incompatible
with SSL termination and bridging at the BIG-IP device.
With proxySSL, the BIG-IP device shares the same key and certificate as the back-end
server, and the browser completes the handshake (including client certificate authentication)
with the back-end server. The BIG-IP device can then decrypt the session key (because it
shares the same key and certificate as the server). The ADC uses the session key to decrypt
the rest of the session and forwards the decrypted payloads to a security device like a WAF.
The security device can then inspect and report on the content.
The use of proxySSL should be restricted to this specific case. Because proxySSL requires
a shared-key environment, it is ultimately incompatible with the likely security roadmap of
the TLS protocol: Forward secrecy was designed to foil systems exactly like this and is
already preferred by over 60 percent of Internet web sites.
F5 recommended practices for application security visibility:
• Use SSL termination or SSL bridging to provide inbound visibility to an application
security device like a WAF.
• If proxySSL is required to maintain client certificate authentication to the back-end
web server, configure the server to use only RSA-based ciphers. Avoid forward
secrecy because it breaks shared-key systems like proxySSL.
• When proxySSL is used with a WAF, the WAF can find malicious traffic and then
signal the ADC to block those connections. The only way to block at this point is to
send a reset (RST) packet to the client to kill its connection.
• Ensure that local logging is not used for production systems. High-speed logging to
remote logging servers or SIEMs is preferred.
SSL outbound visibility
The outbound SSL deployment scenario for the ADC is a relatively new, but rapidly growing,
phenomenon. This deployment scenario has been driven by enterprises with a need to
monitor and sanitize their outbound web traffic in attempts to mitigate advanced persistent
threats (APTs). A typical APT will start with a spear phishing campaign to introduce malware
tailored specifically to invade a single organization. Some of the most damaging penetrations
of the last five years have been as a result of APT activity, including the infamous 2011 breach
of the world’s premiere security brand, RSA. (Search for Anatomy of an Attack on the RSA
blog).
43
RECOMMENDED PRACTICES
F5 SSL Everywhere
These spear phishing campaigns begin with a series of emails injecting infected PDF, Word,
or Excel files or simply enticing links that result in a malware download. The initial malware
drop may be very quiet, performing only a few simple tasks such as keystroke logging or
email address book collection.
The attackers can then build on their received intelligence to patiently infiltrate further into
the target over months or even years.
Figure 13: The APT life-cycle
Source: Creative commons license, Dell SecureWorks
Detecting the subtle activity of spear phishing and malware activity is among the top
priorities of security administrators today. High-profile technologies such as sandboxing
and next-generation firewalls (NGFW), which have been developed to assist administrators
in detecting these threats, are being rapidly adopted. Administrators deploy the security
devices in a chain so they can complement each other (known as defense-in-depth).
The next problem to solve is the fact that these new technologies are often blind to
encrypted traffic. Malware and spear phishing authors know this and are very quickly
moving to encrypt all communication between their malware and the outside world.
Security analysts estimate that by 2017, 100 percent of new malware will use SSL to hide
its tracks.
44
RECOMMENDED PRACTICES
F5 SSL Everywhere
A deployment scenario sometimes called an SSL air gap or SSL intercept is emerging to
address the APT problem and assist the chain of outbound visibility devices (such as
sandboxes). The SSL air gap solution typically consists of an ADC on either side of the
visibility chain. The ADC closest to the users decrypts their outbound traffic and sends the
decrypted plaintext through the chain. The chain, which can now see the content, applies
policy and controls to the plaintext, detecting and sanitizing spear phishing and malware. At
the other end of the chain, another ADC re-encrypts the traffic as it leaves the data center.
In some cases, instead of going through a second ADC, the traffic can be looped back to
be re-encrypted by the first ADC.
Inspection Air Gap
Internal
Clients
LTM
AFM
Encrypted
SSL/TLS
Unencrypted
Unencrypted
Internal
BIG-IP LTM
(ingress)
Security Device(s)
LTM
External
BIG-IP LTM
(egress)
Encrypted
SSL/TLS
Internet/Public
Protected sites
Figure 14: The SSL air gap use case
The F5 solution for SSL outbound visibility is an F5 iApps® template for the SSL air gap.
The template, with its detailed deployment guide, helps an administrator set up the
necessary configuration items to decrypt and then re-encrypt the outbound traffic.
This air gap iApp template will work with BIG-IP versions 11.4.0 through 12.0 and above,
and customers are already using the F5 air gap iApps template with several partner
technologies. A partial list of those partner solutions includes:
• The F5 and SourceFire Reference Architecture.
• The F5 and FireEye Recommended Practices and Deployment Guide.
• The F5 and WebSense Deployment Guide.
However, there are some nuances that warrant additional discussion. One of these topics
is the issue of what traffic not to inspect, and the other is provisioning hardware resources
within the vCMP subsystem.
Which sites should bypass SSL inspection
There are times when an administrator will not want to inspect traffic between a corporate
user and a web site for liability reasons. Chief among these is when a corporate user
visits his or her online banking site. If the enterprise administrator snoops on the user’s
connection and somehow money is incorrectly depleted from the user’s account, the
45
RECOMMENDED PRACTICES
F5 SSL Everywhere
administrator could be seen as complicit or liable. Therefore, to reduce this complication,
administrators have learned to whitelist the financial websites. Financial firms have
experienced security teams and entire fraud departments, so their websites are vastly
cleaner than a typical website.
There are a couple of ways to implement such a whitelist for SSL bypass.
• Using F5 URL categorization
Several organizations maintain databases categorizing millions (or even billions) of URLs
and provide this information as a product or service. F5 provides access to a URL
categorization database through the F5 Secure Web Gateway Services. Secure Web
Gateway Services users can simply leverage the URL categorization database to instruct
the air gap iApp template not to inspect at financial websites.
• Manually maintaining a whitelist bypass data group
This is the more labor-intensive way to maintain a bypass list. When configuring the iApp
template, enter the name of a data group that contains the list of IP addresses to bypass.
As more addresses that should not be inspected are found over time, they can be manually
added to this list. For smaller, low-touch deployments, this may be a workable option.
F5 recommended practices for SSL air gap egress inspection:
• Use the F5 URL categorization service to automatically populate the bypass list.
• Use transparent mode instead of explicit mode for the SSL air gap inspection.
Explicit proxy mode works better for legitimate clients but ignores malware, making
the transparent mode a requirement.
• The F5 air gap iApp template offers a choice for dealing with Internet sites with
expired certificates: drop or ignore. There are more expired certificates on the
Internet than you might suspect, so F5 recommends dropping them, even though
this may increase the number of inaccessible websites. When “ignore” is specified,
expired certificates on the Internet may temporarily become valid when the air gap
rewrites the certificate.
Provisioning SSL hardware resources to vCMP
Another intricacy of the air gap solution is resource provisioning. F5 vCMP is a unique
virtualization-in-a-box platform delivered on higher-end appliances. All VIPRION chassis
systems can be configured with vCMP. In the vCMP system, one of the host processors
runs a special version of TMOS that contains an F5 hypervisor. The vCMP hypervisor
allows multiple virtual guest operating systems (which must be individual versions of TMOS).
46
RECOMMENDED PRACTICES
F5 SSL Everywhere
In this way, a VIPRION system may be shared among different IT units such as networking,
security, and DNS.
Beginning with BIG-IP version 12.0, an administrator can now control if and how SSL
resources are dedicated within the various guests inside the hypervisor. The following
options are supported:
• Dedicated: The guest will be assigned dedicated SSL cores.
• Shared (default): Guests share from a pool of SSL cores.
• None: The guest will have no access to SSL hardware (for example, BIG-IP DNS).
Figure 15: SSL resource dedication options in BIG-IP version 12.0 on the VIPRION chassis.
This functionality is available on the 5000, 7000, 10000, and 12000 platforms, as well as
the B2250 blade.
Mitigating brute force attacks
The complex nature of SSL continues to allow it to be an attack vector for distributed
denial-of-service (DDoS) attacks. In addition to complexity, SSL by design blinds network
equipment to network traffic. The combination of complexity and blindness of SSL makes
47
RECOMMENDED PRACTICES
F5 SSL Everywhere
it a target for DDoS attacks. As the volume of legitimate SSL traffic continues to increase,
malevolent DDoS traffic becomes more onerous to discern. As a result, good DDoS
defense measures have emerged as climacteric for sites, and F5 recommendations
address how to best mitigate specific classes of DDoS attacks.
SSL renegotiation attacks
SSL renegotiation is a feature that allows a client to restart an SSL connection. Since the
legitimate uses for SSL renegotiation are few and there are several attacks based on SSL
renegotiation, newer protocols such as HTTP/2 require disabling SSL renegotiation.
A single client can perform a DoS attack on a server. The premise of the attack is simple:
An SSL/TLS handshake requires at least 10 times more processing power on the server
than on the client. If a client machine and server machine were equal in RSA processing
power, the client could overwhelm the server by sending ten times as many SSL handshake
requests as the server could service. This vulnerability exists for all SSL negotiations; the
only mitigation is the ratio between the two participants, which is why SSL acceleration is
so critical.
F5 recommended practices to mitigate SSL renegotiation attacks:
• If renegotiation is not needed for an application, disable SSL renegotiation in the
clientssl profile associated with the virtual server.
• If renegotiation is needed, use the many renegotiation options associated with the
profile, including secure renegotiation, maximum renegotiation counts, and intervals.
See the SSL Administration guide for the full list of renegotiation options.
No-crypto brute force attacks
There is a new class of SSL attacks tools that could be called no-crypto attack tools. These
new attack tools boost the computational asymmetry between the client and the server by
orders of magnitude through a pronounced reduction in client workload. Basically, the new
attack clients do not perform any crypto at all—they just send pre-canned packets that look
like an SSL handshake but are not.
In his excellent analysis of handshake attacks, Vincent Bernat writes about these efficient
attack tools:
“With such a tool and a 2048 bit RSA certificate, a server is using 100 times more
processing power than the client. Unfortunately, this means that most solutions,
except rate limiting, exposed [in his analysis] may just be ineffective.”
48
RECOMMENDED PRACTICES
F5 SSL Everywhere
So far, these attacks have not been seen in the wild, but discussed in the academic and
IETF community.
F5 recommended practices for mitigating no-crypto brute force attacks:
• The ssl_hx_rlimit iRules script limits the number of connections from a single IP.
Note that this iRules script could inadvertently block legitimate users originating from
a so-called mega-proxy.
• The sslsqueeze_rx iRules script will match and block the exact sslsqueeze
signature. If an attacker ever changes the payload of the sslsqueeze tool, this iRules
script will need to be modified to match the new payload.
• Find more information in the DevCentral article called Mitigating No-Crypto Brute
Force SSL Handshake Attacks.
SSL floods
Unlike the no-crypto attacks, DDoS attacks as a flood of open SSL connections have been
seen in the wild. These attacks can be a challenge to mitigate for the SSL pass-through
deployment scenario because many devices on the network are blind to the attack.
The high-capacity SSL connection tables are largely resistant to SSL floods. A typical SSL
flood may involve only a few thousand to tens of thousands of empty SSL connections.
However, even the smallest F5 platform can absorb 500,000 SSL connections or more.
F5 recommended practices for mitigating SSL floods:
• Using SSL session tickets can enable legitimate clients to benefit from the session
cache during an SSL connection flood. See the previous section on SSL failover
options.
• In the unlikely event that the BIG-IP device’s connection table does become full,
connections will be reaped according to the adaptive reaping low-water and highwater settings. These can be adjusted downward from the default values of 85 and
95 to more quickly begin mitigating a “spiky” DDoS, thus reducing the initial attack
window. Solution 15740 provides more detail on the workings of the adaptive reaper.
(tmos)# modify ltm global-settings connection adaptive-reaper-lowater 75
• If the connection flood consists primarily of empty connections, instruct the BIG-IP
device to be more aggressive about reaping connections by modifying the TCP
profile associated with the virtual server. During a heavy attack, use smaller and
smaller values.
49
RECOMMENDED PRACTICES
F5 SSL Everywhere
(tmos)# create ltm profile tcp tcp_ddos { reset-on-timeout disabled idle-timeout
15 }
• The hardware-syn-cookie and zero-window-timeout values of the TCP profile may
also be adjusted.
Instrumentation: The SSL statistics panel
The BIG-IP platform’s SSL statistics panel is a powerful tool that collates useful counters
for protocol handshake types, key exchange types, and connection failures. To view it,
click Statistics on the left pane, select Module Statistics, and then click Local Traffic. Under
Statistics Type, select Profiles Summary and then Client SSL.
Figure 16: The SSL statistics panel
In the BIG-IP system version 12.0, the information collected and displayed for SSL includes
all the fields from the following table:
50
RECOMMENDED PRACTICES
F5 SSL Everywhere
Statistic Category
Associated Counters
Certificates / Handshakes
Valid vs. invalid vs. no certificates
Mid-connection handshakes. Secure vs. insecure
handshakes.
Insecure renegotiations rejected, SNI mismatches.
SSL Protocols
SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, DTLS
Key Exchange Methods
Anonymous Diffie-Helman (ADH), Diffie-Helman (DH) +
RSA certificate, RSA certificate, elliptic curve DiffieHelman (ECDH) with RSA certificate, ECDH with
ECDSA certificate, DH + DSS certificate
Ciphers
AES, AES-GCM, DES, RC2, RC4, no encryption
Digest Methods
MD5, SHA, none
SSL Hardware Acceleration
Full, partial, none (software)
Session Cache
Size, hits, lookups, overflows, invalidations
SSL Records
In, out, bad
Failures
Premature disconnects, handshake failures,
renegotiations rejected, fatal alerts
Session Tickets
Reused, reuse failures
SSL Forward Proxy
Connections, cached certificates, destination IP
bypasses, source IP bypasses, hostname bypasses
OCSP Stapling
Connections, response status errors, response
validation errors, certificate status errors, OCSP
connection HTTP errors, OCSP connection timeouts,
OCP connection failures
The statistics panel can provide useful information about the aggregate statistics of all
clientssl or serverssl connections. It can enable an administrator to see configuration issues
by noticing a spike in connection errors or connections that shouldn’t have been made.
Accessing SSL debugging information
To debug individual connection errors, an administrator or certificate manager may need
something more surgical than the instrument panel. The TMOS platform allows the
administrator to turn on verbose instrumentation specifically for SSL connections. Select
the System menu on the left panel, select Logs, and then select Configuration. Tune the
SSL control to get more verbose log messages. The maximum setting is Debug, which will
51
RECOMMENDED PRACTICES
F5 SSL Everywhere
log all messages associated with SSL connections, even those that are purely informational.
Typically log message are sent to the file /var/log/ltm unless otherwise configured.
Figure 17: Tuning the SSL logging level
F5 recommended practices for SSL instrumentation:
• Use the SSL statistics panel to see a holistic and aggregate statistical view.
• Change the SSL debug log setting to suit your needs. But note that SSL debug
mode may have significant performance impacts. Endeavor not to enable it on
production systems.
• Give the certificate manager role access to logs.
• Use remote logging when debugging production systems. This is critical.
Conclusion
SSL has been the standard for encrypting transactions for the past two decades. Like all
technology, SSL has experienced significant changes throughout its life, and the pace
of change is expected to continue. These changes to SSL covers vast areas, while their
impact ranges from the annoying to the critical. Changes to ciphers alone include:
• New ciphers.
• New classes of ciphers, such as ECC.
• New approaches to ciphers, such as forward secrecy.
52
RECOMMENDED PRACTICES
Advanced Threat Protection with FireEye and F5
SSL has become an attack surface that is particularly vulnerable to DDoS attacks taking
advantage of the relatively large machine costs associated with hosting SSL server traffic.
Administrators who wish to stay in front of changes, choosing proactive strategies instead
of reactive tactics, need to remain aware of the most current options and trends.
Those proactive administrators can follow F5 recommended practices to not only stay in
front of existing trends but be prepared for hitherto unforeseen changes and fundamental
shifts. These recommendations enable an organization to be favorably aligned to the
existing SSL landscape while gaining the nimbleness to meet new challenges. Following the
recommended practices optimally positions the organization for future security, scalability,
and reliability.
F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119
Americas
info@f5.com
Asia-Pacific
apacinfo@f5.com
888-882-4447
Europe/Middle-East/Africa
emeainfo@f5.com
f5.com
Japan K.K.
f5j-info@f5.com
©2015 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 1015 RECP-SEC-66014525-ssl