Part of DVUSD’s mission is their commitment to the principles and practices of continuous improvement, a methodology adapted not only for their student bodies but also for the technology that powers them. With approximately 4,000 employees, 35,000 students, and 38 schools in the district, it’s important that the technology they use allows for continuous improvement in step with the rest of DVUSD, and that’s the reason they chose to go with F5® SSL Orchestrator (SSLO).
Challenges:
DVUSD delivers applications for and protects the data of tens of thousands of students securely by using multiple security tools to inspect traffic. One of the security tools is a cluster of intelligent proxies from Lightspeed Systems. Since most traffic is HTTPS these days, each device, including the Lightspeed boxes, needs the ability to decrypt and re-encrypt TLS/SSL in bulk. This poses several challenges:
- Multiple single points of failure
In order for all the tools to work together they are required to be in-line (i.e. one after another), and if any one of the security devices dies, the whole stream dies.
- Not future proof
Any time a new security device is added, advanced coordination, planning, and maintenance windows are required.
- Latency
Most web traffic is encrypted with HTTPS, requiring you to decrypt and re-encrypt SSL/TLS sessions in order to gain visibility into the traffic at every device.
- Increasing costs
Terminating TLS/SSL requires horsepower, and horsepower typically calls for greater license, instance, or server costs.
- Inflexibility
With all the devices in-line, they lack the flexibility needed for traffic steering or bypassing devices during maintenance operations (i.e. code upgrades).
Solution:
F5 SSL Orchestrator® (SSLO) utilizes F5’s leading SSL processing capabilities to handle the heavy burden of decrypting and re-encrypting HTTP traffic, while providing policy-based logic to decide which security devices should see the traffic flows. This is accomplished by creating a “decrypt zone” where the organization’s security appliances will be placed, including the Lightspeed proxies.
The solution selectively forwards and decrypts traffic to Layer 2 and 3 in-line services, receive-only devices, ICAP services, and HTTP explicit & transparent proxies.
Benefits:
This SSLO solution provides a number of benefits, allowing DVUSD to keep their technology goals aligned with their organizational goals of continuous improvement.
- Eliminated single points of failure
The SSLO devices were implemented in a redundant fashion so that if one device dies, traffic fails over to the standby unit. Additionally, the SSLO devices monitor the security devices much like the BIG-IP® LTM® monitors pool members. If a decryption device fails, it is removed from the security chain and traffic is forwarded to the next security device.
- Future-proof
As a single point for decrypting and re-encrypting traffic, SSLO allows additional inspection services to be added (or removed) in the future, without the additional need for decrypting and re-encrypting traffic.
- Decreased latency
F5 is the best in the industry at terminating TLS/SSL. Performing this once at the SSLO devices avoids the increased latency associated with terminating at every security device.
- Cost savings
Terminating TLS/SSL at the SSLO devices allows DVUSD to minimize spend on device licenses and instance/server costs.
- Flexibility
SSLO allows for easy traffic steering and bypassing of devices during maintenance operations such as code upgrades.
Whether you’re a school district delivering applications to thousands of students & teachers, or a large financial enterprise servicing millions of customers every second – visibility into your outgoing and incoming web traffic is mission-critical to security.
F5’s SSLO solution can provide the visibility you need today, with the flexibility of change tomorrow.