Aviatrix F5 TechBrief

Issue link: https://aviatrix.com/resources/i/1321459

TECH BRIEF: AVIATRIX FIRENET FOR F5 NETWORKS SSL ORCHESTRATION

Introduction

The Aviatrix FireNet (Firewall Network) solution delivers flexible next-generation firewall (NGFW) service insertion to simplify the inspection of traffic leaving a VPC/VNet. This capability can be extended to advanced service chaining using F5 BIG-IP, which can be inserted in front of NGFW, IPS and other service appliances. To keep this tech brief short, we use AWS as the public cloud example, although the same design principles apply to Azure and other public cloud environments.

This tech brief covers three proven designs:

1. SSL offloading by F5 BIG-IP for all traffic
2. SSL offloading by F5 BIG-IP for ingress traffic only
3. Multi-cloud SSL offloading by F5 BIG-IP for ingress traffic only

Advanced Service Insertion: SSL Decryption + NGFW + IPS

So far, we have been talking about inspecting traffic initiated by applications in a VPC to various destinations such as other VPCs, on-prem networks and the internet. As most of this traffic may be encrypted, you need to decrypt it before inspecting the payload. Most NGFWs offer SSL decryption, but their performance may take a huge hit while doing so, so it is better to offload SSL decryption to a specialized appliance that decrypts the traffic and hands it off to the NGFW. In more security-sensitive environments, an NGFW alone may not be enough, and you may want to chain multiple types of security appliances in the path.

Putting all of this together, you need:

1. A way to transparently redirect interesting traffic to an SSL offloading appliance.
2. A way to chain multiple security appliances (NGFW, IPS) behind the SSL offloading appliance.
3. A way to manage health, scale and failover of the SSL offloading appliance, which in turn manages the health and scale of the security appliances behind it.

The following pattern represents an example using F5 BIG-IP as the SSL-O appliance with an NGFW and IPS chained behind it. An example could be Palo Alto Networks VM-Series performing NGFW and Cisco Firepower used as the NG-IPS appliance.
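The three requirements above (redirect interesting traffic, chain appliances behind the SSL-O tier, and tie failover to the health of the whole chain) can be made concrete with a small model of the dispatch logic. The following is an added illustration written for this page, not Aviatrix, F5 or AWS code: the appliance names, the health flags and the flow records are constructed, and the dispatcher is a simplified stand-in for what the platform does with route tables and health checks. The point it demonstrates is that a chain is only usable when the SSL-O node and every appliance behind it is healthy, that flows stay pinned to one chain while the healthy set is unchanged, and that the no-healthy-chain case is a deliberate fail-closed or fail-open decision rather than an accident.

```python
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class Appliance:
    name: str
    role: str          # "ssl-o", "ngfw" or "ips"
    up: bool = True    # last health-check result (constructed state, not a real probe)


@dataclass
class ServiceChain:
    """An SSL-O front end plus the ordered appliances it hands decrypted traffic to."""
    ssl_o: Appliance
    members: List[Appliance]

    def healthy(self) -> bool:
        # Usable only if the SSL-O node and every member behind it is up:
        # a failed IPS must not silently shorten the inspection chain.
        return self.ssl_o.up and all(m.up for m in self.members)

    def path(self) -> List[str]:
        return [self.ssl_o.name] + [m.name for m in self.members]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    ingress: bool   # True for traffic entering the VPC from the internet


class Dispatcher:
    """Constructed stand-in for the redirect decision the brief describes."""

    def __init__(self, chains: List[ServiceChain], ingress_only: bool = False,
                 fail_open: bool = False):
        self.chains = chains
        self.ingress_only = ingress_only   # design 2 in the brief: offload ingress only
        self.fail_open = fail_open         # what to do when no chain is healthy

    def needs_ssl_offload(self, flow: Flow) -> bool:
        if flow.dport != 443:              # simplification: TLS is "interesting" traffic
            return False
        return flow.ingress or not self.ingress_only

    def route(self, flow: Flow) -> List[str]:
        if not self.needs_ssl_offload(flow):
            return ["ngfw-direct"]         # plain FireNet path: NGFW, no decryption
        live = [c for c in self.chains if c.healthy()]
        if not live:
            # Fail-closed drops the flow; fail-open forwards it uninspected.
            return ["bypass"] if self.fail_open else ["drop"]
        # Hash the 3-tuple so a flow sticks to one chain (stateful inspection
        # needs both directions on the same appliances) while the live set is stable.
        key = f"{flow.src}|{flow.dst}|{flow.dport}".encode()
        idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(live)
        return live[idx].path()


def run_scenario() -> dict:
    """Constructed walk-through: failover between two chains and fail-closed behaviour."""
    a = ServiceChain(Appliance("f5-a", "ssl-o"),
                     [Appliance("ngfw-a", "ngfw"), Appliance("ips-a", "ips")])
    b = ServiceChain(Appliance("f5-b", "ssl-o"),
                     [Appliance("ngfw-b", "ngfw"), Appliance("ips-b", "ips")])
    d = Dispatcher([a, b])
    egress_tls = Flow("10.0.1.5", "203.0.113.10", 443, ingress=False)
    out = {"all_up": d.route(egress_tls)}
    b.members[1].up = False                # IPS behind f5-b fails its health check
    out["ips_b_down"] = d.route(egress_tls)
    a.ssl_o.up = False                     # the remaining SSL-O node fails as well
    out["no_chain"] = d.route(egress_tls)
    out["no_chain_fail_open"] = Dispatcher([a, b], fail_open=True).route(egress_tls)
    out["plain_http"] = d.route(Flow("10.0.1.5", "203.0.113.10", 80, ingress=False))
    return out


if __name__ == "__main__":
    for step, path in run_scenario().items():
        print(f"{step:20s} -> {' -> '.join(path)}")
```

The `ingress_only` flag models the second design in the brief: with it set, an egress TLS flow from the VPC is sent down the ordinary NGFW path while an ingress TLS flow still goes through the SSL-O chain. Whether the no-healthy-chain case should be `fail_open` is a policy decision for the environment; the default here is fail-closed because uninspected traffic silently bypassing the chain is the outcome a security-sensitive design is trying to prevent.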
