Written by Tim Cullen, CISSP, F5-CTS
Senior Security Architect at ADAPTURE

In our recent post about the new F5 iSeries line of products, we discussed some of the hardware changes and performance increases the iSeries boasts. I wanted to take this conversation a step further and discuss how to fully utilize that hardware with a software solution package that is just as groundbreaking. Enter F5 Herculon!

F5 Networks created Herculon as a software solution package for very specific security traffic needs. Before we get too deep into that, let's discuss how security protections have changed over time.

Security Protections of the Past

Security solutions tend to be appliance-based, because an appliance can dedicate its system resources to the inspection application far better than a PC-based solution: there is minimal overhead for physical user interaction, and the inspection workload itself is heavy. For example, a Web Application Firewall (WAF) must inspect all HTTP traffic, inbound and outbound, without introducing enough latency to degrade the customer experience. This is a tough balancing act. When I say inspect all HTTP traffic, I do mean all of it. A webpage has frames, input fields, images, text, active scripting code (such as Java or something similar) and external link references for content, and that is just to name a few of the most commonly used elements of a website. A WAF must not only enforce how the HTTP protocol should behave, but also inspect content, apply signature matching against thousands of attack signatures, enforce parameters on the web content, and analyze the user's behavior, all of it in both directions. It should do all of this while introducing the least possible impact on the user experience. If it is not sized correctly, this is what we call a "box killer." The security industry has met this challenge well in the past.

A New Frontier

Now we are looking at the new frontier of security, with terms like "Service Chaining", "Hybrid DDoS Protection" and "Cloud Security Connectors". This expands the realms we are securing from hardware and application-layer security to contextual and behavior-based security postures. These new approaches required changing the way security products work and how they protect your data. Companies like F5 Networks saw this coming and created a very simple approach to a very complex problem.

F5 Networks has a pretty expansive portfolio of products, and it can be a bit intimidating to try to build a "Bill of Materials" for a solution. So they decided to simplify solutions by bundling the products most commonly deployed together for a given purpose. Their first approach to this was the "Good, Better, Best" licensing model, which packaged multiple software modules that are usually deployed together. This reduced the BOM ordering complexity and pricing, while leaving a path for future growth and for adding other licensable options. Now that the security protection criteria have changed, F5 has moved to another "bundling" style solution to help customers get the most out of their products. The Herculon solution has two offerings: the SSL Orchestrator and the DDoS Hybrid Defender. Both provide a complete approach to their respective focus areas. This piece reviews the SSL Orchestrator; Part 2 will review the DDoS Hybrid Defender.

F5 SSL Orchestrator

SSL Orchestrator was created out of necessity. So many sites are converting to SSL-based communications to limit security concerns such as web scraping or content injection, and to help a site visitor feel more secure when browsing the page. Encrypting a site makes it more difficult for a malicious actor to change the site's contents or eavesdrop on the visitor's conversation. The problem is that many firewalls and IDS/IPS devices are rendered blind by this technology. So do you lose the effectiveness of your security products? The short answer is yes; they can become pretty useless at that point. The cleanest way to handle this issue is with an SSL offload device. F5 LTM has had a very robust SSL offload solution built in for many years now. This gives you visibility into the communications, which in turn lets you use the firewall and IDS/IPS effectively, all while retaining data integrity.

If we take this example a bit further, there are some very exciting benefits to SSL offloading. Since the F5 device is a full Layer 7 proxy, it will, by its nature, fully break down the request and have that data available for whatever needs to be done with it. Opening the SSL communication path means we can add additional scanning services to inspect the data, such as firewalls, anti-virus, IDS/IPS, Data Leakage Protection technologies or Advanced Persistent Threat protection devices.

Adding these other scanning and protection services is what is known as "Service Chaining". Administrators can chain together multiple "services" for inspection before the communication is re-encrypted and sent to its original destination or application. SSL offload also removes the need for each scanning/protection device to decrypt the communications itself before inspecting them; that decryption adds overhead and latency, which in turn reduces the devices' capacity. Think of it as an interception of the SSL communications. This approach lets the organization incorporate multiple scanning and protection technologies without adding SSL overhead to their already heavy-duty work, while increasing the accuracy of the security inspection applied to the communications.
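As an added illustration of the service-chain model described above (my own example, not F5 code), the following Python models a chain of inspection services that each receive the already-decrypted request or response once, with the chain stopping at the first service that blocks. The two inspectors, their signatures and the sample traffic are constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Verdict:
    allowed: bool
    service: Optional[str] = None   # which service blocked, if any
    reason: Optional[str] = None

class Inspector:
    """One hop in the service chain; sees plaintext only, decrypted once upstream."""
    name = "base"
    def inspect(self, direction: str, meta: dict, body: str) -> Verdict:
        return Verdict(True)

class SignatureWaf(Inspector):
    # Constructed sample signatures for the illustration, not F5's signature set.
    name = "waf"
    SIGS = [re.compile(p, re.I) for p in (r"union\s+select", r"<script\b", r"\.\./")]
    def inspect(self, direction, meta, body):
        if direction != "inbound":          # this hop only looks at client requests
            return Verdict(True)
        target = meta.get("path", "") + "\n" + body
        for sig in self.SIGS:
            if sig.search(target):
                return Verdict(False, self.name, "matched signature %r" % sig.pattern)
        return Verdict(True)

class OutboundDlp(Inspector):
    # Constructed DLP check: looks for card-number-like digit runs in server responses.
    name = "dlp"
    CARD = re.compile(r"\b(?:\d[ -]?){13,16}\b")
    def inspect(self, direction, meta, body):
        if direction == "outbound" and self.CARD.search(body):
            return Verdict(False, self.name, "possible card number in response")
        return Verdict(True)

def run_chain(chain, direction, meta, body):
    """Run each service in order over the plaintext; stop at the first block.
    Returns (verdict, names of services consulted). An allowed verdict is the
    point at which the offload device would re-encrypt and forward."""
    consulted = []
    for svc in chain:
        consulted.append(svc.name)
        verdict = svc.inspect(direction, meta, body)
        if not verdict.allowed:
            return verdict, consulted
    return Verdict(True), consulted
```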

Click here for Part 2 – where I review the F5 Herculon DDoS Hybrid Defender.

F5 EOL Announcements in 2016

A number of BIG-IP devices have reached EOL/EOSL status, as designated by the OEM. Customers whose platforms are designated End of Life (EoL), and who are currently under maintenance contracts, will continue to receive technical support until the expiration of the service contract renewal date. But customers are encouraged to upgrade their systems before the service contract renewal date expires.