Overview: Inspection Services

A BIG-IP Next SSL Orchestrator service is defined as a pool of identical security devices. It can be configured to perform a wide range of functions, such as SSL/TLS termination, load balancing, content filtering, and application delivery optimization. Some examples of services are FireEye NX, Cisco FTD, Palo Alto NGFW, McAfee DLP, and so on.

A “service” and a “device” refer to different things in SSL Orchestrator. In this case, a device is a single appliance, while a service represents the load-balanced and monitored set of like devices. For example, a single FireEye service might define a set of multiple FireEye NX appliances (devices). SSL Orchestrator allows administrators to create many services containing several like devices.

Service Types

Services are categorized based on how they consume network traffic. Almost all modern security products today fit into at least one category, but sometimes, a security product can be configured to operate in different modes. BIG-IP Next SSL Orchestrator supports the following service types:

  • TAP - A TAP service is a passive service that only receives traffic for monitoring. It does not modify or block traffic. Each TAP service provides a packet-by-packet copy of the traffic (for example, the decrypted plaintext) passing through it to an inspection device. Intrusion Detection Systems (IDS) are commonly deployed as TAP and receive an out-of-band copy of the network packets.

  • ICAP - An ICAP device adheres to the RFC 3507 specification and is often used to encapsulate payloads for various services, including DLP and malware detection products. In this case, SSL Orchestrator acts as the ICAP client, encapsulating the HTTP requests and responses and directing them to a listening IP address and port on the ICAP server.

  • Inline Layer 3 - An Inline Layer 3 service is a service that passes traffic through one or more service devices at Layer 3 (IP). It is “inline” because network traffic enters one (physical or logical) interface and routes out another. In this case, the SSL Orchestrator routes to it, and it routes back. You use inline services in service chains, where each service device communicates with BIG-IP Next over two VLANs called Inward and Outward, which carry traffic toward the intranet and the Internet, respectively.

  • Inline HTTP Transparent Proxy - An HTTP Transparent Proxy device proxies HTTP (web) traffic and changes the source port as traffic flows through. The network traffic enters one (physical or logical) interface and routes out another.
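The ICAP exchange described in the ICAP service type above, as an added example that is not part of this documentation or of the SSL Orchestrator product code. It runs an RFC 3507 RESPMOD round trip entirely in memory: the client side wraps a plaintext HTTP response in an ICAP request with an Encapsulated header, the way an ICAP client such as SSL Orchestrator does, and a toy server stands in for the DLP or malware scanner, answering 204 No Content when the content is clean and 200 OK with a replacement response when it is flagged. The ICAP URI, the hostname, the sample HTTP response and the marker string the toy scanner flags are all constructed for the example.

```python
"""RFC 3507 ICAP RESPMOD round trip, entirely in memory (no network).

The client side mirrors what an ICAP client does: wrap a plaintext HTTP
response in an ICAP RESPMOD request with an Encapsulated header, then read
the ICAP server's verdict.  The server side is a minimal stand-in for a
DLP/malware scanner.  The ICAP URI, hostname, sample HTTP response and the
flagged marker string are constructed for this example.
"""

CRLF = b"\r\n"
ICAP_URI = b"icap://icap.example.invalid:1344/respmod"  # assumed service URI

# Constructed sample: the plaintext HTTP response the inspection device would see.
SAMPLE_HTTP_HEADERS = (b"HTTP/1.1 200 OK" + CRLF +
                       b"Content-Type: text/plain" + CRLF +
                       b"Content-Length: 23" + CRLF + CRLF)
SAMPLE_BODY = b"hello from the intranet"   # 23 bytes, clean
BAD_BODY = b"CONSTRUCTED-TEST-MARKER"      # 23 bytes, what the toy scanner flags


def chunked(body: bytes) -> bytes:
    """Encode a body as one HTTP/1.1 chunk plus the zero-length terminator."""
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def build_respmod(http_headers: bytes, body: bytes) -> bytes:
    """Build an ICAP RESPMOD request.  The Encapsulated header gives the byte
    offset of each section inside the ICAP body: the HTTP response headers
    start at 0, the chunked body starts right after them."""
    icap_headers = (
        b"RESPMOD " + ICAP_URI + b" ICAP/1.0" + CRLF +
        b"Host: icap.example.invalid" + CRLF +
        b"Allow: 204" + CRLF +   # client accepts "204 No Content" (leave unmodified)
        b"Encapsulated: res-hdr=0, res-body=%d" % len(http_headers) + CRLF + CRLF
    )
    return icap_headers + http_headers + chunked(body)


def parse_encapsulated(msg: bytes):
    """Split an ICAP message into (start line, header dict, encapsulated bytes)."""
    head, _, rest = msg.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    return lines[0], headers, rest


def offsets_of(headers: dict) -> dict:
    """Turn 'res-hdr=0, res-body=57' into {b'res-hdr': b'0', b'res-body': b'57'}."""
    return dict(p.strip().split(b"=") for p in headers[b"encapsulated"].split(b","))


def toy_icap_server(request: bytes) -> bytes:
    """Stand-in scanner: 204 if clean, 200 with a replacement response if flagged."""
    status, headers, encapsulated = parse_encapsulated(request)
    if not status.startswith(b"RESPMOD "):
        return b"ICAP/1.0 405 Method Not Allowed" + CRLF + CRLF
    body = encapsulated[int(offsets_of(headers)[b"res-body"]):]
    if BAD_BODY not in body:
        return b"ICAP/1.0 204 No Content" + CRLF + b"Encapsulated: null-body=0" + CRLF + CRLF
    block_hdr = b"HTTP/1.1 403 Forbidden" + CRLF + b"Content-Type: text/plain" + CRLF + CRLF
    return (b"ICAP/1.0 200 OK" + CRLF +
            b"Encapsulated: res-hdr=0, res-body=%d" % len(block_hdr) + CRLF + CRLF +
            block_hdr + chunked(b"blocked by policy"))


def inspect(http_headers: bytes, body: bytes) -> dict:
    """Client side: send RESPMOD, interpret the verdict, return what to forward."""
    reply = toy_icap_server(build_respmod(http_headers, body))
    status, headers, encapsulated = parse_encapsulated(reply)
    code = int(status.split()[1])
    if code == 204:                       # server left the response untouched
        return {"verdict": "unmodified", "forward": http_headers + body}
    hdr_end = int(offsets_of(headers)[b"res-body"])
    new_headers = encapsulated[:hdr_end]
    size_line, _, remainder = encapsulated[hdr_end:].partition(CRLF)
    new_body = remainder[:int(size_line, 16)]   # single chunk is enough here
    return {"verdict": "modified", "forward": new_headers + new_body}


if __name__ == "__main__":
    for sample in (SAMPLE_BODY, BAD_BODY):
        print(inspect(SAMPLE_HTTP_HEADERS, sample)["verdict"])
```

The point to take from the exchange is the Encapsulated header: the ICAP server never sees raw packets, only the HTTP message sections whose offsets the client declares, so the client is responsible for decrypting and reassembling the HTTP stream before anything reaches the inspection device. A real client would also handle multi-chunk bodies, the OPTIONS method and Preview, which this example omits.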

About VLANs and Interfaces

A VLAN is a subset of hosts on a local area network (LAN) that operate in the same IP address space. You can create a VLAN and associate physical interfaces with that VLAN. In this way, any host that sends traffic to BIG-IP Next is logically a member of the VLAN or VLANs to which that interface belongs. Within L1-networks objects, multiple VLANs can be expressed as an array of VLAN objects, each containing the desired self-IP addresses.

VLANs are directly associated with the physical interfaces on BIG-IP Next. For each VLAN that you create, you must assign one or more BIG-IP Next interfaces to that VLAN. When you assign an interface to a VLAN, you indirectly control the hosts from which BIG-IP Next sends or receives packets.

Each VLAN has a MAC address. The MAC address of a VLAN is the same as the MAC address of the lowest-numbered interface assigned to that VLAN.

About VLAN tags

A VLAN tag is a unique ID number that identifies the VLAN to which each packet belongs. The value of a VLAN tag can be between 1 and 4094. Once a tag is assigned to a VLAN, any packet sent from a host in that VLAN includes this VLAN tag as a header in the packet.

  • Untagged interfaces - You can create a VLAN and assign interfaces to the VLAN as untagged interfaces. When you assign interfaces as untagged interfaces, you cannot associate other VLANs with those interfaces. This limits the interface to accepting traffic only from that VLAN instead of multiple VLANs. If you want to give an interface the ability to accept and receive traffic for multiple VLANs, add the same interface to each VLAN as a tagged interface.

  • Tagged interfaces - You can create a VLAN and assign interfaces to the VLAN as single- or double-tagged interfaces. When you assign interfaces as tagged interfaces, you can associate multiple VLANs with those interfaces.
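The tag format and the untagged/tagged interface rules above, as an added example that is not BIG-IP Next code. It builds Ethernet frames with zero, one (802.1Q) or two (802.1ad outer plus 802.1Q inner, i.e. double-tagged) VLAN tags, parses the tags back out while enforcing the 1 to 4094 range quoted above (VID 0 means priority-tagged only and 4095 is reserved), and models how an interface that is untagged in one VLAN or tagged in several decides which VLAN a received frame belongs to. The MAC addresses and payload are constructed; the membership model is a simplification of the rules described in this section, not the platform's forwarding logic.

```python
"""Build and parse 802.1Q / 802.1ad VLAN tags, and apply the untagged/tagged
interface membership rules.  Added example with constructed frames; the
MAC addresses and payload are made up and the membership model is a
simplification of the rules in the text, not BIG-IP Next code."""
import struct

ETH_IPV4 = 0x0800
ETH_8021Q = 0x8100    # single (customer) tag
ETH_8021AD = 0x88A8   # outer (service-provider) tag of a double-tagged frame

SRC_MAC = bytes.fromhex("020000000001")   # locally administered, constructed
DST_MAC = bytes.fromhex("020000000002")


def build_frame(vids, payload=b"\x45" + b"\x00" * 19):
    """Build an Ethernet frame carrying 0, 1 or 2 VLAN tags (PCP=0, DEI=0).
    A two-element vids list is encoded as 802.1ad outer + 802.1Q inner."""
    if len(vids) > 2:
        raise ValueError("at most two tags supported")
    tpids = {0: [], 1: [ETH_8021Q], 2: [ETH_8021AD, ETH_8021Q]}[len(vids)]
    tags = b""
    for tpid, vid in zip(tpids, vids):
        if not 0 <= vid <= 4095:
            raise ValueError("VID field is 12 bits")
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)   # TPID, then TCI with PCP/DEI = 0
    return DST_MAC + SRC_MAC + tags + struct.pack("!H", ETH_IPV4) + payload


def parse_tags(frame):
    """Return (list of VIDs outer-to-inner, EtherType of the payload).
    Raises ValueError for a VID outside 1..4094: 0 is priority-tagged only
    and 4095 is reserved, which is why the text gives 1 to 4094 as the range."""
    off = 12   # skip destination and source MAC
    vids = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if ethertype not in (ETH_8021Q, ETH_8021AD):
            return vids, ethertype
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vid = tci & 0x0FFF   # low 12 bits of the TCI; PCP/DEI occupy the top 4
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} is not a usable VLAN ID")
        vids.append(vid)


def interface_accepts(frame, untagged_vlan=None, tagged_vlans=()):
    """Membership rule from the text: an interface that is untagged in VLAN X
    accepts only untagged frames and places them in X; an interface that is
    tagged in a set of VLANs accepts frames whose outermost VID is in that
    set.  Returns the VLAN the frame is assigned to, or None if it is dropped."""
    vids, _ = parse_tags(frame)
    if not vids:
        return untagged_vlan
    return vids[0] if vids[0] in tagged_vlans else None


if __name__ == "__main__":
    print(parse_tags(build_frame([100])))         # single-tagged
    print(parse_tags(build_frame([200, 300])))    # double-tagged (QinQ)
    print(interface_accepts(build_frame([100]), tagged_vlans={100, 200}))
```

Note that a frame with a tag the interface is not a member of is dropped rather than being placed in the untagged VLAN; that is the behaviour the untagged-interface rule describes when it says the interface accepts traffic only from that VLAN.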