Ads 468x60px

Featured Posts

29 June 2020

SSL Orchestrator (SSLO)



I didn’t know anything about Network Packet Broker (NPB) till I took a webinar about Gigamon and I understood all the uses cases where this product fits. It was nearly one year ago. Later on, Ariadnex organized talks in Mérida (Spain) to speak about NPB. Since then, I’ve read about NPBs. Gigamon and FireEye are two NPB manufacturers which are able to decrypt SSL traffic, redirect it, and encrypt it again. They work from Layer 1 to Layer 7. However, there is another product, similar to NPBs, which works from layer 2 and it’s able to improve SSL visibility and management. It is SSL Orchestrator (SSLO) by F5 Networks.

A few years ago, nobody read the newspaper online with SSL because all of these websites were HTTP instead of HTTPS. However, today, most newspapers, and also most websites, work with SSL. Therefore, SSL is increasingly used in the Internet. It’s important to highlight SSL is used for privacy. We have to know SSL traffic is encrypted for privacy and not for security. Nobody will see the content of that traffic even when the content is malicious traffic. We need to watch out what's going on even when the traffic is encrypted with SSL.

SSL Adoption
 
Companies should know what kind of traffic is inside SSL packets. Companies need SSL Visibility to know if there are malware inside SSL packets or if there are data leaks. Security engineers need to know what kind of traffic they can decrypt and what kind of traffic is forbidden to decrypt. Most companies, which are worry about this matter, have a daisy-chain of products to decrypt and encrypt again and again SSL traffic regarding what they want to know and what they want to do. Today, the daisy-chain architecture is already deprecated.

Traditional SSL daisy-chain network design
 
Network Packet Brokers such as Gigamon and FireEye, and SSL Orchestrators like F5 SSLO are able to decrypt SSL traffic, classify the traffic, redirect the traffic to another security appliance, such as a Web Gateway, IDS/TAP, DLP/ICAP or IPS/NGFW, to be analysed, and finally re-encrypt the traffic for outgoing. This architecture is easier to configure. We can add and delete security appliances easily. In addition, if one security appliance fails, we can even bypass the failed appliance quickly.

High performance decryption and SSL Orchestration
 
This new architecture is called Dynamic Service Chain because it’s really simple to add appliances dynamically. It allows Dynamic Scaling. For instance, when there is a bottleneck in the IPS/NGFW appliance, it’s easy to add more IPS/NGFW appliances. We only have to configure a pool of appliances with more devices. What’s more, we can also choose what kind of traffic we are going to redirect for analysing with the IDS/TAP and what kind of traffic we don’t want to redirect to any security appliance.

SSL Orchestrator - A functional Overview
 
I think, technologies such as NPB and SSLO are disruptive because we can analyse and we can know the content of SSL traffic. I mean, we have more SSL visibility which is really important for most companies to detect malware, attacks, data leaks, etc.

Have a nice day my friends!

22 June 2020

What’s new in FortiOS 6.4



I attended to a webinar about What’s new in FortiOS 6.4 several weeks ago, and I would like to highlight the most interesting security features from my point of view. There are lots of new features. Some of them more interesting than others. Some of them more useful than others. Anyway, the best is testing by your own. These new security features and improvements will be the trends of many others firewall manufacturers and also the security protection features of many companies.

The new FortiOS 6.4 has improved the SD-WAN functionality and the easy of use. For instance, IPv4 policies and IPv6 policies are consolidated in the same policy configuration. FGSP (FortiGate Session Life Support) supports UTM inspection on asymmetric traffic which is great because it means Fortinet is working to improve this protocol. Who knows if we will be able to configure a cluster with different models in the next version. There is also a bandwidth test button and a bandwidth monitor in WAN interfaces which are really useful for Internet speed tests and monitoring bandwidth in real time. What’s more, we already have an spectrum analysis tool with this new version. It is usually an expensive tool but it's free with FortiOS 6.4. We only need FortiGate + FortiAP. These are some interesting new security features for Security-Driven Networking.

Spectrum Analysis

FortiOS is increasingly integrated with more cloud platforms such as AWS, Azure, Alibaba, OCI or Google Cloud. This new version also supports Rackspace Cloud. Therefore, we already can deploy FortiGate instances in most cloud platforms. We’ll have the same GUI in cloud instances than physical and virtual firewall devices. Moreover, PAYG allows to add more CPU and RAM as we grow.

AWS autoscaling group for dynamic address objects

Zero-Trust Network Access has also two interesting new security features. The first one is FortiGate has a small NAC module which will be really useful for branch offices with small and medium FortiGate devices. Therefore, FortiNAC is not necessary in these small networks. However, FortiSwitch is necessary. The second interesting security feature is the new IoT subscription service which updates the IoT device database automatically. We no longer have to wait for firmware upgrading to detect new IoT devices such as new smartTVs.

FortiSwitch NAC Policies

The last but not the least important is the new features of the Fabric Management Center. FortiView and Monitor disappear. We can add this information from the dashboard with widgets. We no longer have to create a group for each Active Directory group but FSSO connector detect all groups and are ready for use in the firewall policies. There are also new automation action and improvements with Webhook. Actually, there are lots of new features regarding Fabric Management Center which I encourage you to read and test.

Webhook Automation
 
That’s all my friends. Read, test and play with this new FortiOS version.
Related Posts Plugin for WordPress, Blogger...

Entradas populares