Service Extensions with SSL Orchestrator SaaS Tenant Isolation Demo
By F5 DevCentral Community
Key Concepts
- SSL Orchestrator Service Extensions: A feature of F5 BIG-IP SSL Orchestrator that allows for customization and extension of its capabilities.
- SaaS Tenant Isolation: A specific service extension designed to isolate tenants within a Software as a Service (SaaS) environment.
- L3 Outbound Topology: A network configuration where traffic flows from the internal network to the external network at Layer 3.
- Service Chain: A sequence of security services that traffic passes through.
- iRule: A set of commands executed by BIG-IP to control traffic flow and apply policies.
- Strict Mode / Moderate Mode: Different levels of restriction for content filtering.
- Header Injection: The process of adding custom headers to HTTP requests, often used for policy enforcement or testing.
- Upstream Servers: Servers that receive traffic after it has been processed by security devices.
SaaS Tenant Isolation Demonstration
This demonstration showcases the SSL Orchestrator Service Extensions, specifically focusing on SaaS Tenant Isolation. The process is based on a provided GitHub repository.
Installation and Configuration
- Download Installer: The process begins with downloading an installer script using a CLI command.
- Mark Script Executable: The downloaded script is then marked as executable.
- Export BIG-IP Credentials: BIG-IP username and password are exported for the installer to use.
- Run Installer: The installer is executed, which configures the SSL Orchestrator.
SSL Orchestrator Setup
- The SSL Orchestrator is configured with an L3 Outbound Topology.
- A Service Chain is established, which will be modified to include the tenant isolation service.
Tenant Isolation Configuration (YouTube Example)
- Edit iRule: The iRule created by the installer is edited.
- Enable YouTube Restrictions: The setting for YouTube is changed from 0 (disabled) to 1 (enabled).
- Mode Selection: YouTube restrictions are set to Strict Mode. A Moderate Mode is also mentioned as an option.
- Update Configuration: The changes are updated.
- Create Tenant Isolation Service: The installer automatically creates a service named "tenant isolation service."
- Add Service to Service Chain: The "tenant isolation service" is added to the existing service chain.
- Deploy Service Chain: The updated service chain is deployed.
Testing Tenant Isolation
- Client-Side Test:
- YouTube is opened on a client computer.
- Upon reloading, searching for potentially "illegal or not good" content results in a message: "some results have been removed because restricted mode is enabled." This confirms the YouTube policy is functioning.
Header Injection Policy Testing
- Access iRule: The demonstration returns to the BIG-IP to examine the iRule, specifically the "userdefined settings" section.
- Enable Header Injection: The header injection feature is turned on.
- Configure Testing Headers: Specific testing headers are configured to be sent to upstream servers.
- Initial Client Request (HTTPBin): A previous request to HTTPBin on the client side does not show these injected headers.
- Refresh Client Request (HTTPBin): After refreshing the HTTPBin site, the injected headers are now visible, confirming they are being sent properly.
- Custom Header Testing: The ability to change the testing headers is demonstrated, allowing for troubleshooting of header transmission to upstream servers.
- Final Client Request Confirmation: Reloading the client page shows the custom headers being sent upstream, verifying the header injection policy is working.
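The HTTPBin check above can be scripted instead of read by eye. The following is an added example, not code from the video or the GitHub repository: it compares the headers an httpbin-style echo endpoint reports against the set the policy is expected to inject. The header names, values and sample response body are constructed placeholders.

```python
import json

# Constructed sample: the JSON body an httpbin-style /headers endpoint might
# return after the request passed through the service chain. Header names
# and values are placeholders, not taken from the demo's iRule.
SAMPLE_BODY = json.dumps({
    "headers": {
        "Host": "httpbin.example",
        "User-Agent": "demo-client",
        "X-Test-Header-1": "tenant-a",
        "x-test-header-2": "wrong-value",
    }
})

# Headers the injection policy is expected to add (placeholders as well).
EXPECTED = {
    "X-Test-Header-1": "tenant-a",
    "X-Test-Header-2": "on",
    "X-Test-Header-3": "enabled",
}


def check_injected_headers(body, expected):
    """Map each expected header to "ok", "missing" or "mismatch".

    Names are matched case-insensitively, because HTTP header names are
    case-insensitive and an echo service may re-case them.
    """
    try:
        echoed = json.loads(body).get("headers", {})
        seen = {k.lower(): str(v).strip() for k, v in echoed.items()}
    except (ValueError, TypeError, AttributeError):
        # Not the expected JSON (for example an HTML block page):
        # nothing was verified, so report every header as missing.
        return {name: "missing" for name in expected}
    result = {}
    for name, want in expected.items():
        got = seen.get(name.lower())
        if got is None:
            result[name] = "missing"
        elif got != want:
            result[name] = "mismatch"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    for header, status in check_injected_headers(SAMPLE_BODY, EXPECTED).items():
        print(f"{header}: {status}")
```

A "missing" result after the policy is enabled points at the service not being in the deployed service chain, while "mismatch" points at the configured header value.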
Conclusion
The demonstration successfully illustrates the implementation and testing of SSL Orchestrator Service Extensions for SaaS Tenant Isolation, using YouTube restrictions and header injection as practical examples. The process involves installation, configuration of the SSL Orchestrator, modification of iRules and service chains, and client-side validation to ensure policies are enforced as intended.