F5 BIG-IP SSL Orchestrator and Reversing Labs Spectra Detect Integration Demo
By F5 DevCentral Community
Key Concepts
- SSL Orchestrator (SSLO): An F5 solution designed to manage and orchestrate SSL/TLS decryption and encryption for security services.
- ReversingLabs Spectra Detect: A threat detection platform that analyzes files for malicious content.
- L3 Outbound Topology: A network configuration for SSL Orchestrator where traffic flows out from the internal network.
- SSL Policy: Rules defined within SSL Orchestrator to determine how SSL/TLS traffic is handled (e.g., decryption, bypass).
- Service Chain: A sequence of security services (e.g., firewalls, IPS, malware scanners) that decrypted traffic is routed through.
- ICAP Connector (Internet Content Adaptation Protocol): A connector within ReversingLabs Spectra Detect that allows integration with external systems, acting as an ICAP server that receives files for analysis.
- Hub (ReversingLabs): The central management component of ReversingLabs Spectra Detect, responsible for orchestrating workers and providing the ICAP interface.
- Worker (ReversingLabs): Components of ReversingLabs Spectra Detect that perform the actual file analysis.
- BIG-IP (F5): The underlying platform for F5's application delivery and security services, including SSL Orchestrator.
- SSL Decryption: The process of intercepting and decrypting SSL/TLS encrypted traffic to allow inspection by security devices.
- EICAR Test File: A standardized, non-malicious file used to test the detection capabilities of anti-malware software.
Integration of SSL Orchestrator with ReversingLabs Spectra Detect
This demonstration outlines the process of integrating F5's SSL Orchestrator with ReversingLabs Spectra Detect to enable real-time threat scanning of decrypted network traffic. The integration ensures that outbound encrypted traffic is decrypted by SSL Orchestrator, sent to ReversingLabs for analysis, and then re-encrypted before reaching its destination.
Pre-configuration Requirements
Before initiating the integration, the following components must be pre-configured:
- SSL Orchestrator:
- Configured with an L3 outbound topology.
- An SSL policy is in place.
- A service chain is defined, but without an active service yet.
- ReversingLabs Spectra Detect:
- The Spectra Detect Manager is configured.
- Both the Hub and Worker components are configured.
- Crucially, the Hub and Worker must be in the same "hub group" for proper functioning.
Step-by-Step Integration Process
The integration involves configuring the ICAP connector on ReversingLabs and then adding ReversingLabs as an ICAP service within SSL Orchestrator.
1. Enabling the ICAP Connector on the ReversingLabs Hub
- Access Point: On the ReversingLabs Hub, navigate to Actions > Connectors.
- Connector Selection: Choose the ICAP Server connector.
- Configuration Settings:
- The "Service alias" field is optional and not necessary for this integration.
- Options are available to configure a block page for request modification, including uploading a custom file.
- An option to use TLS for communication is available and supported, though it was not enabled in this specific demo.
- Verification: After configuration, the ICAP connector status should indicate it is configured.
2. Adding ReversingLabs as an ICAP Service to SSL Orchestrator
- Navigation: On the SSL Orchestrator interface, go to Services > Add new service.
- Service Type: Select ICAP > Generic ICAP.
- Service Naming: Name the service "RL Spectra Detect".
- IP Address Configuration: Enter the IP address of the ReversingLabs Hub. In this demo, the Hub's IP address ended with the last octet .201.
- Default Settings: Most other settings can be left at their default values.
- Saving: Save the new service configuration.
3. Activating the Service in the Service Chain and Deployment
- Service Chain Integration: Move the newly created "RL Spectra Detect" service into the existing service chain. This step makes the service active.
- Deployment: Initiate the deployment process on SSL Orchestrator.
- Verification: A green circle next to the "RL Spectra Detect" service indicates that the ICAP server (ReversingLabs Hub) is healthy and that the BIG-IP (SSL Orchestrator) has successfully connected to it.
Testing the Integration
The integration's functionality was tested using a Windows client connected to the internet through the SSL Orchestrator.
1. Verifying SSL Decryption
- Client Setup: A Windows client was used, with its internet traffic routed via the SSL Orchestrator.
- Certificate Inspection: When accessing a website (e.g., f5.com), the client's browser showed the certificate as verified by f5Labs.com rather than by the site's original certificate authority (e.g., Entrust). This is the key indicator that the BIG-IP is decrypting the traffic and re-signing it with its own forging CA.
2. Threat Detection Test with the EICAR File
- Test File: The EICAR anti-malware test file was used. Threat vendors deliberately detect this file as malicious for testing purposes, even though it is harmless.
- Download Attempt: An attempt was made to download the EICAR test file from the Windows client.
- Result: The download request was immediately blocked by ReversingLabs, displaying the message: "The request was blocked by Reversing Labs." This confirms that ReversingLabs Spectra Detect intercepted the decrypted download and identified the "malicious" file.
3. Verification on ReversingLabs Analytics Page
- Analytics Review: The ReversingLabs analytics page was accessed to confirm the detection.
- Detection Confirmation: The downloaded ZIP file was clearly identified as malicious, with the specific threat named as the "EICAR test virus".
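As an added example (not code from the demo, nor from F5 or ReversingLabs), the following Python models the hop that the service chain in step 3 adds and that the EICAR test above exercises: the decrypting proxy wraps a downloaded HTTP response in an ICAP RESPMOD request, and the scanner answers 204 to let the original through or 200 with a replacement block page. The host name, port, detection token and block-page text are constructed placeholders, and the substring match stands in for the real Spectra Detect engine.

```python
import re
# Constructed sample values for this example; none come from the demo.
ICAP_HOST = b"hub.example.internal"
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"  # toy detection token standing in for the real engine
BLOCK_HTML = b"<html><body>The request was blocked by the ICAP scanner.</body></html>"

def chunked(body: bytes) -> bytes:
    """Encode a body as one HTTP chunk plus the terminating zero chunk (ICAP bodies are chunked)."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)

def dechunk(data: bytes) -> bytes:
    """Decode a chunked body, stopping at the zero-length chunk."""
    out, pos = b"", 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)
        if size == 0:
            return out
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2

def build_respmod(req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """Proxy side: wrap the decrypted HTTP request/response pair in an ICAP RESPMOD request."""
    enc = b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d" % (len(req_hdr), len(req_hdr) + len(res_hdr))
    icap_hdr = b"RESPMOD icap://%s:1344/respmod ICAP/1.0\r\nHost: %s\r\nAllow: 204\r\n%s\r\n\r\n" % (ICAP_HOST, ICAP_HOST, enc)
    return icap_hdr + req_hdr + res_hdr + chunked(body)

def icap_server(request: bytes) -> bytes:
    """Server side: scan the encapsulated body; 204 = deliver unchanged, 200 = swap in a block page."""
    icap_hdr, encapsulated = request.split(b"\r\n\r\n", 1)
    offset = int(re.search(rb"res-body=(\d+)", icap_hdr).group(1))
    if SIGNATURE not in dechunk(encapsulated[offset:]):
        return b"ICAP/1.0 204 No Content\r\n\r\n"
    res_hdr = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
    return (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(res_hdr)
            + res_hdr + chunked(BLOCK_HTML))

def proxy_decision(icap_response: bytes):
    """Proxy side: read the verdict; returns (ICAP status, replacement body or None for pass-through)."""
    icap_hdr, encapsulated = icap_response.split(b"\r\n\r\n", 1)
    status = int(icap_hdr.split(b" ")[1])
    m = re.search(rb"res-body=(\d+)", icap_hdr)  # absent on a 204: nothing was encapsulated
    return status, (dechunk(encapsulated[int(m.group(1)):]) if m else None)

def scan_download(body: bytes, path: bytes = b"/sample.zip"):
    """Run one download through the whole exchange, as the service chain hop would."""
    req_hdr = b"GET %s HTTP/1.1\r\nHost: downloads.example\r\n\r\n" % path
    res_hdr = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    return proxy_decision(icap_server(build_respmod(req_hdr, res_hdr, body)))
```

A clean body comes back as (204, None), which is the green "healthy, pass-through" case; a body carrying the token comes back as (200, block page), which is what the client saw in the EICAR test.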
Conclusion
The demonstration showed the integration between F5 SSL Orchestrator and ReversingLabs Spectra Detect working end to end. SSL Orchestrator decrypts outbound traffic, forwards the content to Spectra Detect over ICAP for threat scanning, and re-encrypts the traffic toward its destination. This gives a way to detect and block malicious content inside encrypted flows that would otherwise pass inspection unseen.