4.12. Implementing STIP Mode

4.12.1. What it is

SSL/TLS Inspection Proxy (STIP) refers to a category of network devices that perform SSL visibility/interception functions. STIP compliance is part of Common Criteria (CC), which provides a common set of requirements for the security functionality of IT products and the assurance measures to be applied to those products during a security evaluation. F5 is a member of the technical committee (amongst other vendors) that participated in drafting the STIP PP (Protection Profile). Version 1.0 of the STIP PP was published in August 2019. Think of the BIG-IP as the Network Device and SSL Orchestrator as the STIP. Some of these new STIP features are included and enabled within SSL Orchestrator by default, whereas others can only be enabled by activating a special “CC Mode” of operation in the BIG-IP (tmsh ccmode).

For more information, refer to: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=414&id=414

STIP mode is available for BIG-IP 16.1.3.1 and above, and SSL Orchestrator 9.3 and above.


4.12.2. How to build it

To enable STIP functionality, first adhere to the following prerequisites:

  • Ensure that you are on an F5 BIG-IP TMOS version that supports STIP, BIG-IP 16.1.3.1 and above.

  • Ensure that the SSL Orchestrator module is licensed and provisioned on your system.

  • Ensure that SSL Orchestrator iAppLX version is 9.3 or above.


To configure SSL Orchestrator for STIP compliance, you must run the ccmode script from the BIG-IP console shell. When the SSL Orchestrator module is provisioned, the ccmode script makes additional changes to the BIG-IP MCP configuration, including DB variables, to make the system STIP compliant.

  • Step 1: Execute the ccmode script on the BIG-IP system.

    ccmode
    

    Note: When STIP mode is enabled, the system intercepts and inspects the TLS traffic. At any point you can set the ssl.forwardproxy.inspectionconsent DB variable to false to disable TLS traffic inspection.


  • Step 2: Reboot the BIG-IP.


  • Step 3: Navigate to the SSL Orchestrator configuration menu. You will notice that the status bar now includes a STIP mode indicator.

    Figure 101: STIP indicator


    SSL Orchestrator will also change the default client-side SSL cipher presets. Instead of the DEFAULT cipher string, the default will now be the new f5-cc-stip cipher group.


The following entries describe the enhancements added with STIP mode. Each entry lists the enhancement, whether it requires ccmode, and a description. Note that some features come standard with SSL Orchestrator, and others require ccmode activation.

* Requires ccmode enabled

** Requires both ccmode and STIP mode enabled

Enhancement: Support for preservation of a secure state on failure
Requires ccmode: Yes*
Description: In STIP/CC mode, the fault_monitord daemon detects the following failures and halts the system (“bricks the box”) if any of them occurs:

  • Deterministic Random Bit Generator (DRBG) failure

  • Integrity test failure

  • External audit server is unavailable

Enhancement: Support for AES-CCM and AES-CCM8
Requires ccmode: No
Description: BIG-IP supports the (RSA)-AES128-CCM and (RSA)-AES128-CCM8 ciphers.

Enhancement: Restrictions on Security Roles
Requires ccmode: No
Description: Introduces a new Log Manager role that grants users permission to view the system’s configuration data, similar to the Auditor role. However, users with this role can also modify the system log configuration settings, including creating log filters, destinations, and publishers. In addition, users with the Log Manager role have access to all partitions on the system. For more information on the roles, refer to: https://techdocs.f5.com/en-us/bigip-17-0-0/big-ip-systems-user-account-administration/user-roles.html

Enhancement: Support for ECDH-RSA for SSL forward proxy
Requires ccmode: No
Description: BIG-IP supports Elliptic Curve Diffie-Hellman (ECDH) ciphers in SSL Forward Proxy.

Enhancement: Support for FFDHE for SSL Forward Proxy
Requires ccmode: No
Description: BIG-IP supports Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) ciphers. For more information, refer to: https://support.f5.com/csp/article/K79342815

Enhancement: Support for certificatePolicies, authorityKeyIdentifier, KeyUsage and ExtendedKeyUsage extensions
Requires ccmode: No
Description: Enhancements to the SSL Forward Proxy capabilities allow you to add extensions to the forged server certificate. You can now:

  • Add the Authority Key Identifier (AKI) extension to the forged server certificate if the CA certificate has a Subject Key Identifier (SKI) extension.

  • Add KeyUsage and ExtendedKeyUsage values to the forged server certificate as appropriate for the supported certificate type.

  • Add certificatePolicies as an extension to the forged server certificate using the SSL::forward_proxy extension <oid oid-value> iRule command.

Enhancement: Support for cryptographic key destruction
Requires ccmode: No
Description: In STIP mode, the cryptographic keys and critical security parameters in BIG-IP that are no longer required are destroyed based on the specified cryptographic key destruction method. That is, the following values are overwritten with zeros, ones, random data, or a new value of the key:

  • TLS ECDSA public key

  • DRBG entropy input string

  • DRBG V and Key values

  • TLS RSA public and private key

  • TLS ECDSA private key

  • TLS EC Diffie-Hellman public and private key

  • TLS Finite Field Diffie-Hellman private key

  • TLS Pre-Master Secret and Master Secret

  • Derived TLS session key (AES, HMAC)

  • SSH Shared Secret

  • Derived SSH session key (AES, HMAC)

  • SSH EC Diffie-Hellman public and private key

  • SSH RSA public and private key

  • SSH ECDSA public and private key

Enhancement: SSL private keys should not be exported from BIG-IP when CC/FIPS mode is enabled
Requires ccmode: Yes*
Description: When STIP mode is activated, no key can be exported in plaintext.

Enhancement: Support to revoke forged certificate
Requires ccmode: No
Description: The following iRule command is introduced to revoke the forged server certificate in SSL forward proxy:

    SSL::forward_proxy cert status revoke

For a detailed example of the usage of the iRule, refer to: https://clouddocs.f5.com/api/irules/SSL__forward_proxy.html

The iRule command, along with the X509 commands, is used to extract and match specific sets of attributes in the origin server certificate to identify the certificates to be revoked. Also, the Server Cert Status check macro in the SSL Orchestrator policy is enhanced to recognize the revoked certificate status and display a certificate revoked message on a block page.

Enhancement: Support to send SSL session logs using a log publisher
Requires ccmode: Yes**
Description: SSL Orchestrator can log details of the forged server certificate and pass them to external log consumers using a log publisher. TMM generates SSL session logs when STIP (CC) mode is enabled.

Enhancement: SSL profile switching based on ClientHello SNI matches
Requires ccmode: No
Description: Support to switch the SSL profile of an outbound topology based on SNI matches. This feature is useful when switching the CA issuer for different tenants, or when bypassing TLS for mutual TLS sessions by SNI hostname. To facilitate this, an SNI Server Name (FQDN) field is added to the SSL Configurations page; it holds the FQDN to match when a client TLS request arrives, and the matching client SSL profile is selected based on the SNI value in the client's ClientHello. A Default SNI check box is also added to the SSL Configurations page to mark a configuration as the default client SSL profile. One of the profiles should be designated as the default: if a client does not send a Server Name (SNI) extension in its ClientHello message, the default SSL profile is selected.
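The selection rule just described (exact match on the SNI Server Name, otherwise the single configuration marked Default SNI) can be modelled outside the product. The following Python example is added here and is not SSL Orchestrator code: the ClientHello builder, the SSL_CONFIGS entries and their field names are constructed for illustration. It parses the server_name extension out of a raw TLS ClientHello record and returns the profile that the SNI matches, falling back to the default when the client sends no SNI or an unknown name, and rejecting malformed records rather than guessing.

```python
import struct

# Constructed stand-in for SSL Orchestrator SSL configurations (assumption: the
# field names are illustrative, not the product's API). Exactly one entry is
# the default, which is what the "Default SNI" check box expresses.
SSL_CONFIGS = [
    {"sni_server_name": "tenant-a.example.test", "profile": "ssl-tenant-a", "default": False},
    {"sni_server_name": "mtls.example.test", "profile": "ssl-bypass-mtls", "default": False},
    {"sni_server_name": None, "profile": "ssl-default", "default": True},
]


def build_client_hello(host_name=None):
    """Build a minimal TLS ClientHello record, optionally carrying a
    server_name extension (RFC 6066). Random and cipher list are constructed."""
    ext = b""
    if host_name is not None:
        name = host_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # extension_type server_name(0)
    body = (
        b"\x03\x03" + bytes(32)                 # client_version, 32-byte random (zeros, constructed)
        + b"\x00"                               # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext     # extensions block (may be empty)
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(client_hello):
    """Return the lower-cased host_name from the ClientHello's server_name
    extension, or None when the client sent no SNI. Raises ValueError on
    anything that is not a well-formed ClientHello record."""
    try:
        if client_hello[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", client_hello[3:5])[0]
        hs = client_hello[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                                # skip client_version and random
        pos += 1 + body[pos]                                        # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]        # cipher_suites
        pos += 1 + body[pos]                                        # compression_methods
        if pos >= len(body):
            return None                                             # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= list_end:
                name_type, name_len = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                name, q = data[q + 3:q + 3 + name_len], q + 3 + name_len
                if name_type == 0:
                    return name.decode("ascii").lower()
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


def select_profile(client_hello, configs=SSL_CONFIGS):
    """Pick the client SSL profile the way the SNI Server Name field does:
    exact match on the SNI, otherwise the single default configuration."""
    sni = extract_sni(client_hello)
    if sni is not None:
        for cfg in configs:
            if cfg["sni_server_name"] and cfg["sni_server_name"].lower() == sni:
                return cfg["profile"]
    defaults = [cfg for cfg in configs if cfg["default"]]
    if len(defaults) != 1:
        raise ValueError("exactly one SSL configuration must be marked as the default")
    return defaults[0]["profile"]


if __name__ == "__main__":
    for host in ("tenant-a.example.test", "unknown.example.test", None):
        print(host, "->", select_profile(build_client_hello(host)))
```

The matching is done on the lower-cased host name because SNI names are case-insensitive DNS names; the default-profile check deliberately fails when zero or several configurations are marked default, which mirrors the requirement that exactly one profile be designated.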

Enhancement: Abort support in blocked TLS session
Requires ccmode: No
Description: The SSL Orchestrator security policy now contains a new abort option as a blocking action.

Enhancement: TLS traffic inspection in STIP mode
Requires ccmode: Yes**
Description: When STIP mode is enabled, the system intercepts and inspects the TLS traffic. You can set the DB variable ssl.forwardproxy.inspectionconsent to false if you do not want the system to inspect the TLS traffic.

Enhancement: SSLO connection summary logs policy action
Requires ccmode: Yes**
Description: The SSL Orchestrator connection summary logs now have enhanced capabilities to log new data such as Ingress/Egress VLAN, policy rule names, URL categories, TLS handshake status, reset causes, and connection failures. Previously, there was no way to identify which policy rule was taking effect and directing the traffic to its final outcome (allow or reject). Now, with rule names logged in the summary logs, you can determine which rules reject, allow, abort, or bypass traffic, making it easier to spot and troubleshoot problems.
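To show what the rule-name and reset-cause fields buy you operationally, here is an added Python example (not F5 code) that answers the two questions above from a batch of summary lines: which rule produced which outcome, and which connections failed the handshake as opposed to being rejected by policy. The key=value layout and the sample lines are constructed for illustration and do not reproduce the product's actual log format; only the field names mirror the ones listed in the description.

```python
import shlex
from collections import Counter, defaultdict

# Constructed sample lines. The key=value layout is an assumption for
# illustration; the field names mirror the ones named in the description.
SAMPLE_SUMMARY_LOGS = [
    'ts=2024-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.10:443 ingress_vlan=client_vlan egress_vlan=outbound_vlan '
    'sni=bank.example.test rule=Pinned_Apps_Bypass action=bypass handshake=success',
    'ts=2024-05-01T10:00:02Z src=10.0.0.6 dst=203.0.113.20:443 ingress_vlan=client_vlan egress_vlan=outbound_vlan '
    'sni=odd.example.test url_category=Uncategorized rule=Block_Uncategorized action=reject handshake=success '
    'reset_cause="policy reject"',
    'ts=2024-05-01T10:00:03Z src=10.0.0.7 dst=203.0.113.30:443 ingress_vlan=client_vlan egress_vlan=outbound_vlan '
    'sni=wiki.example.test url_category=Business rule=Intercept_Default action=allow handshake=success',
    'ts=2024-05-01T10:00:04Z src=10.0.0.8 dst=203.0.113.21:443 ingress_vlan=client_vlan egress_vlan=outbound_vlan '
    'sni=odd2.example.test url_category=Uncategorized rule=Block_Uncategorized action=reject handshake=success '
    'reset_cause="policy reject"',
    'ts=2024-05-01T10:00:05Z src=10.0.0.9 dst=203.0.113.40:443 ingress_vlan=client_vlan egress_vlan=outbound_vlan '
    'sni=legacy.example.test url_category=Business rule=Intercept_Default action=allow handshake=failure '
    'reset_cause="server-side handshake failure"',
]


def parse_summary_line(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def rules_by_outcome(lines):
    """Count, per policy rule, which ending it produced (allow/reject/bypass/abort)."""
    table = defaultdict(Counter)
    for fields in map(parse_summary_line, lines):
        if "rule" in fields:
            table[fields["rule"]][fields.get("action", "unknown")] += 1
    return {rule: dict(counts) for rule, counts in table.items()}


def failed_handshakes(lines):
    """Connections whose TLS handshake did not succeed, with rule and reset cause,
    so a genuine failure can be told apart from a deliberate policy reject."""
    return [
        (fields.get("sni"), fields.get("rule"), fields.get("reset_cause"))
        for fields in map(parse_summary_line, lines)
        if fields.get("handshake", "success") != "success"
    ]


if __name__ == "__main__":
    print(rules_by_outcome(SAMPLE_SUMMARY_LOGS))
    print(failed_handshakes(SAMPLE_SUMMARY_LOGS))
```

Note that a line with handshake=success and a reset_cause is a policy decision, while a line with a non-success handshake status is a connectivity or server-side problem; keeping the two apart is what the handshake status and reset cause fields are for.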

Enhancement: Use the server certificate fields (Issuer DN, SANs, Subject DN) to bypass SSL forward proxy interception
Requires ccmode: No
Description: The following conditions are added to the SSL Orchestrator policy, on which the admin can decide whether to Bypass or Intercept SSL traffic and whether to Reject or Allow the traffic:

  • Server Name (TLS Client Hello)

  • Server Certificate (Subject DN)

  • Server Certificate (Issuer DN)

  • Server Certificate (SANs)

A new option, “Bypass on SSL Client Hello”, is added to the SSL Bypass Set agent; it is disabled by default. When enabled, the SSL bypass action is taken immediately on the ClientHello, without triggering the server-side handshake.

Enhancement: Support to prevent audit data loss
Requires ccmode: Yes*
Description: If the local log destination is critically full, or if the connection between BIG-IP and the external audit server is disconnected, the system enters a secure state to prevent the loss of audit data.
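The two ccmode behaviours in this list (halting on DRBG, integrity or audit-server failure, described under preservation of a secure state, and entering a secure state when the local log is critically full or the audit server is unreachable, described just above) are the same fail-closed decision fed by different inputs. The following Python is an added illustration of that decision logic, not the fault_monitord implementation: the PlatformState fields, the SHA-256 manifest used as the integrity test, the repeated-block DRBG check and the 95% log-fill threshold are all assumptions of the example.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class PlatformState:
    """Snapshot of the inputs a fault monitor would look at (constructed model)."""
    drbg_outputs: list                        # consecutive output blocks from the DRBG
    integrity_manifest: dict                  # path -> expected SHA-256 hex digest
    audit_server_reachable: bool
    local_log_fill_ratio: float               # 0.0 (empty) .. 1.0 (full)
    local_log_critical_ratio: float = 0.95    # assumed "critically full" threshold


def drbg_failed(outputs):
    """Continuous test in the FIPS 140 style: a DRBG output block that repeats
    the previous one is treated as a generator failure."""
    return any(cur == prev for prev, cur in zip(outputs, outputs[1:]))


def integrity_failed(manifest):
    """Recompute SHA-256 over every protected file and compare to the manifest.
    A missing file counts as a failure, not as 'nothing to check'."""
    for path, expected in manifest.items():
        try:
            with open(path, "rb") as fh:
                actual = hashlib.sha256(fh.read()).hexdigest()
        except OSError:
            return True
        if actual != expected:
            return True
    return False


def detect_failures(state):
    """Return the list of conditions that must push the system into its secure state."""
    failures = []
    if drbg_failed(state.drbg_outputs):
        failures.append("drbg")
    if integrity_failed(state.integrity_manifest):
        failures.append("integrity")
    if not state.audit_server_reachable:
        failures.append("audit-server-unreachable")
    if state.local_log_fill_ratio >= state.local_log_critical_ratio:
        failures.append("local-log-critically-full")
    return failures


def next_action(state):
    """'halt' when any failure is present (fail closed), otherwise 'run'.
    Halting instead of degrading is what prevents audit data from being lost."""
    return "halt" if detect_failures(state) else "run"


def demo():
    """Run the monitor over a healthy state, then over the same state after the
    protected file has been tampered with. Uses a temporary directory."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "protected.bin")            # constructed stand-in for a protected binary
    content = b"constructed image contents"
    with open(path, "wb") as fh:
        fh.write(content)
    manifest = {path: hashlib.sha256(content).hexdigest()}
    outputs = [bytes([i]) * 16 for i in range(1, 5)]      # constructed, non-repeating DRBG blocks
    result = {"healthy": next_action(PlatformState(outputs, manifest, True, 0.40))}
    with open(path, "ab") as fh:
        fh.write(b"!")                                    # tamper with the protected file
    result["tampered"] = next_action(PlatformState(outputs, manifest, True, 0.40))
    return result


if __name__ == "__main__":
    print(demo())
```

The design point worth keeping is that every check is evaluated and every failure is reported, but any single failure is enough to halt; a monitor that only raised an alert on audit-server loss while continuing to process traffic would keep generating audit records it could no longer deliver, which is exactly the loss this mode is meant to prevent.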

Enhancement: Support to generate a CSR with CA set to True in basicConstraints
Requires ccmode: No
Description: A CSR can be created with the basicConstraints and keyUsage extensions, which are used to identify the type of certificate holder/subject and the purpose of the key, respectively. The basicConstraints extension is critical in preventing an End Entity certificate from issuing/signing any other certificates. The keyUsage bits restrict usage when a key could otherwise be used for more than one operation. For more information, refer to: https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9
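Both the forged-server-certificate extensions described earlier in this list (AKI copied from the CA's SKI, KeyUsage, ExtendedKeyUsage, certificatePolicies) and the CA-flavoured CSR above come down to DER-encoded X.509 extensions, and the security claim in the description (an end-entity certificate must not be able to sign other certificates) is a check on two of them. The following Python example is added here and is not BIG-IP or SSL Orchestrator code: it hand-encodes those extensions from scratch, decodes them back, and implements the RFC 5280 rule that a certificate may only sign certificates when basicConstraints has cA TRUE and, if keyUsage is present, keyCertSign is asserted. The OID values are the standard PKIX arcs; the sample key identifier and the helper names are the example's own.

```python
# Hand-rolled DER for the X.509 extensions discussed above (constructed example).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
OID = {  # standard PKIX object identifiers (RFC 5280)
    "basicConstraints": "2.5.29.19", "keyUsage": "2.5.29.15", "authorityKeyIdentifier": "2.5.29.35",
    "certificatePolicies": "2.5.29.32", "extendedKeyUsage": "2.5.29.37", "serverAuth": "1.3.6.1.5.5.7.3.1",
}


def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for v in parts[2:]:                      # base-128 with continuation bits
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))


def oid_to_dotted(raw):
    parts, v = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(v))
            v = 0
    return ".".join(parts)


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def key_usage(names):
    """KeyUsage BIT STRING: bit 0 is the most significant bit of the first byte."""
    idx = [KEY_USAGE_BITS.index(n) for n in names]
    highest = max(idx)
    value = bytearray(highest // 8 + 1)
    for i in idx:
        value[i // 8] |= 0x80 >> (i % 8)
    unused = (8 - (highest + 1) % 8) % 8
    return der(0x03, bytes([unused]) + bytes(value))


def decode_key_usage(value):
    bits = der_read(value)[1][1:]            # drop the unused-bits octet
    return {n for i, n in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))}


def basic_constraints(ca):
    return der(0x30, der(0x01, b"\xFF") if ca else b"")   # cA DEFAULT FALSE is omitted in DER


def decode_basic_constraints(value):
    content = der_read(value)[1]
    return len(content) > 0 and content[0] == 0x01 and der_read(content)[1] == b"\xFF"


def extension(name, value, critical=False):
    crit = der(0x01, b"\xFF") if critical else b""
    return der(0x30, der_oid(OID[name]) + crit + der(0x04, value))


def parse_extensions(seq):
    """Map dotted extnID -> (critical, extnValue) from an Extensions SEQUENCE."""
    out, content, pos = {}, der_read(seq)[1], 0
    while pos < len(content):
        _, ext, pos = der_read(content, pos)
        _, oid_raw, p = der_read(ext)
        tag, nxt, p2 = der_read(ext, p)
        critical = tag == 0x01 and nxt == b"\xFF"
        out[oid_to_dotted(oid_raw)] = (critical, der_read(ext, p2)[1] if critical else nxt)
    return out


def may_issue_certificates(ext_seq):
    """RFC 5280 4.2.1.3 / 4.2.1.9: signing other certificates requires cA TRUE and,
    when keyUsage is present, the keyCertSign bit."""
    exts = parse_extensions(ext_seq)
    bc = exts.get(OID["basicConstraints"])
    if not bc or not decode_basic_constraints(bc[1]):
        return False
    ku = exts.get(OID["keyUsage"])
    return ku is None or "keyCertSign" in decode_key_usage(ku[1])


def ca_csr_extensions():
    """Extensions a CSR for a signing CA carries: cA TRUE plus keyCertSign/cRLSign."""
    return der(0x30, extension("basicConstraints", basic_constraints(True), critical=True)
               + extension("keyUsage", key_usage(["keyCertSign", "cRLSign"]), critical=True))


def forged_server_cert_extensions(ca_ski_value, policy_oids):
    """Extensions for a forged server certificate: AKI taken from the CA's SKI,
    end-entity basicConstraints, TLS-server keyUsage/EKU and certificatePolicies."""
    key_id = der_read(ca_ski_value)[1]                 # SKI extnValue is OCTET STRING KeyIdentifier
    aki = der(0x30, der(0x80, key_id))                 # AuthorityKeyIdentifier { [0] keyIdentifier }
    policies = der(0x30, b"".join(der(0x30, der_oid(o)) for o in policy_oids))
    return der(0x30, extension("authorityKeyIdentifier", aki)
               + extension("basicConstraints", basic_constraints(False), critical=True)
               + extension("keyUsage", key_usage(["digitalSignature", "keyEncipherment"]), critical=True)
               + extension("extendedKeyUsage", der(0x30, der_oid(OID["serverAuth"])))
               + extension("certificatePolicies", policies))
```

The encodings match what openssl prints for the same extensions (keyCertSign plus cRLSign is 03 02 01 06; cA TRUE is 30 03 01 01 FF), which makes the helpers handy for eyeballing a CSR or forged certificate dumped with openssl asn1parse. The forged certificate deliberately gets cA FALSE and no keyCertSign, so may_issue_certificates() returns False for it and True only for the CA CSR extensions.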