SSL decryption for offloading and visibility comparisons

I need straightforward information on SSL off-loading and visibility. Vendor documents and white papers lean too much to their product. I have F5 10350v-f load balancers that have SSL and am trying to decide between Local Traffic Manager (LTM) and SSL Orchestration, which is more money. My client is not sure what they want, so I have to come up with something. The 10350s sit in front of a DLP, with only two feeds coming to them, so I don't think it should be complicated. So the question with the F5 10350 is which level of SSL decryption I should use.

On a separate program I am dealing with Gigamon and Ixia packet brokers that will be routing to SSL decryption services as well.

Bottom line, I just need objective definitions and comparisons when it comes to SSL offloading vs. SSL visibility vs. SSL orchestration, etc., and in other SSL applications.

Thanks
Ted James Asked:
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
You said "Vendor documents and white papers lean too much to their product" which got me laughing.

What's really required today is very different than what was required even a year ago.

It's questionable if any of this complex tech is even remotely required anymore.

At this point... If you're running the following, most of the performance issues disappear... meaning it's difficult to have a measurable difference between offloading, orchestration, native... where native means software like Apache + NGINX serve SSL certs themselves + handle the entire SSL (really TLS) negotiation natively rather than any other cruft between users + Webserver.

http://www.webpagetest.org/result/180917_JF_c20748af5b18e7d7070cbe3f07b2d0d8/ of a correctly configured site.

Entire SSL negotiation time == 75ms. If you run through any type of hardware, the lag between the hardware doing SSL along with proxying packets back + forth... most likely any hardware will only make speeds like this slower.

SSL config items to have working for lightning-fast SSL.

1) Run HTTP/2

2) HSTS on.

3) OCSP stapling on.

4) Session resumption (caching + tickets) on.

Set up your SSL config like this with a native server first... meaning Apache listening on a public IP with no hardware between.

Get your SSL negotiation time <100ms, then start adding in expensive tech hawked by companies + retest your site speed.

My guess... you'll be getting rid of a lot of expensive hardware.
0
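The four config items listed in the answer above, written out as an NGINX server block. This is an added example, not David's configuration; the hostname, certificate paths and resolver address are placeholders.

```nginx
# Added example: NGINX server block covering the four items in the list above.
# www.example.com, the certificate paths and the resolver IP are placeholders.
server {
    # 1) HTTP/2 (negotiated via ALPN during the TLS handshake)
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;  # leaf + intermediates
    ssl_certificate_key /etc/ssl/private/example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # 2) HSTS: browsers that have seen this header refuse plain HTTP for max-age seconds.
    #    Start with a short max-age while testing and raise it once everything works.
    add_header Strict-Transport-Security "max-age=300; includeSubDomains" always;

    # 3) OCSP stapling: the server fetches the revocation status itself and sends it
    #    in the handshake, so clients skip their own OCSP lookup.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/example.com.chain.pem;  # chain used to validate the OCSP response
    resolver 192.0.2.53 valid=300s;   # placeholder DNS resolver, needed to reach the OCSP responder
    resolver_timeout 5s;

    # 4) Session resumption: server-side session cache (session IDs) plus session tickets,
    #    so returning clients get an abbreviated handshake.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets on;

    root /var/www/example;
}

# Plain HTTP only redirects to HTTPS; the HSTS header is sent on HTTPS responses only.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
```

After reloading, `openssl s_client -connect www.example.com:443 -status -alpn h2` shows whether an OCSP response was stapled and whether h2 was negotiated, and a second connection with `-sess_in`/`-sess_out` shows whether the session was reused.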

David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
One other passing point to keep in mind, as some vendors selling gear + services recommend this.

At all cost avoid any Public Key Pinning in your SSL config.

Anytime you read any vendor docs suggesting this, do a 180 + run, fast as you can.

If you pin your site to a vendor's IP with HSTS enabled, let's say for 2 years...

This means anyone who visits your site can only visit your site for the next 2 years if your site is still running on your vendor-provided IP.

So... this is a great way to sucker people into having to stick with some vendor forever, because returning visitors will never see your site again if the IP changes.

I won't mention any vendor's names.

Suggestion: Always keep 100% control of your SSL config. Never hand this over to any vendor. Ever. Period.
1
Ted James (Author) Commented:
Thank you David
0