I recently read an interesting blog post on an ADC vendor’s site that demonstrates a Rube Goldberg approach to showing common SSL information. Now I won’t name names but I will admit that it inspired me to write a quick blog post to show the business-ready alternative to the science project approach!
So this vendor suggested an approach that included the following steps:
1. Review pages of documentation
2. Create custom iStat database
3. Code TCL scripts to populate database
4. Create custom website via TCL
5. Expose your internal SSL connection data to the public Internet
And here are the insights an administrator can get ahold of, after following the aforementioned steps:
Now with Avi Networks, the Avi Vantage platform offers security insights that are integrated within the web interface and presented in a visually intuitive format, which makes the insights more actionable. For instance, when setting up SSL, if an admin accidentally misconfigures the system in a way that makes it less secure, the admin gets real-time feedback based on the security score. This enables the admin to quickly see the performance rating of the ciphers and the compatibility ratings of clients that may be connected to the specific application.
We recommend the following steps (I know, I know…):
1. Click the Security Tab
And here are the results an admin will see on the dashboard:
Configuring ciphers now becomes a simpler task, as we provide a list for you to quickly enable or disable specific ciphers with a simple point-and-click. We also allow admins to reorder the ciphers by dragging and dropping them to the appropriate spot. For example, an admin needs to know that turning on RC4 and V5 ciphers can significantly improve a site’s performance and speed while sacrificing the security posture in the process. Such feedback is extremely valuable when setting up a complex application delivery and security configuration.
The Avi Vantage platform has a minimum security threshold feature, with which you can ensure that each and every tenant/user of the Avi Vantage load balancers doesn't have the ability to break something that will open up a vulnerability. For instance, you wouldn't be allowed to configure or turn on SSL 3.0 because this would expose you to the POODLE vulnerability.
For each application that is load balanced with Avi Vantage, you can click on the security tab of the admin console to get granular insights into the SSL traffic flow, along with DDoS attacks. You can also get full insights into users visiting the site and know whether they are negotiating with RSA or ECC, with or without perfect forward secrecy. You can further drill down into the logs and get visibility into users using IE6, and also the cipher versions and the SSL versions they are using. If there is a security risk, you can quickly drill down and block or mitigate the risk within seconds.
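
The kind of minimum-security-threshold check and forward-secrecy visibility described above can be sketched in a few lines. This is an added example, not Avi Vantage code or its API; the profile layout, the TLS 1.0 floor and the banned-component list are assumptions, and cipher names follow OpenSSL's naming.

```python
# Added example: a generic TLS profile gate. Not Avi Vantage code or API.
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_PROTOCOL = "TLSv1.0"            # assumed floor: SSL 3.0 (POODLE) falls below it
BANNED_COMPONENTS = {"RC4", "MD5"}  # assumed deny-list of weak cipher components


def has_forward_secrecy(cipher):
    """True for ephemeral key exchange in OpenSSL-style suite names.

    ECDHE-/DHE- prefixes mark ephemeral Diffie-Hellman; TLS 1.3 suites
    (TLS_ prefix) always use it.
    """
    return cipher.startswith(("ECDHE-", "DHE-", "TLS_"))


def check_profile(profile, floor=MIN_PROTOCOL):
    """Return (violations, no_pfs): hard failures and suites lacking PFS."""
    violations = []
    for proto in profile["protocols"]:
        if proto not in PROTOCOL_RANK:
            violations.append(f"unknown protocol {proto}")
        elif PROTOCOL_RANK[proto] < PROTOCOL_RANK[floor]:
            violations.append(f"protocol {proto} is below the floor {floor}")
    for cipher in profile["ciphers"]:
        # Split the suite name into components and match the deny-list.
        for weak in sorted(BANNED_COMPONENTS & set(cipher.split("-"))):
            violations.append(f"cipher {cipher} uses {weak}")
    no_pfs = [c for c in profile["ciphers"] if not has_forward_secrecy(c)]
    return violations, no_pfs


# Constructed sample: a tenant's proposed profile with deliberate mistakes.
PROPOSED = {
    "protocols": ["SSLv3", "TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-MD5"],
}

if __name__ == "__main__":
    violations, no_pfs = check_profile(PROPOSED)
    for v in violations:
        print("REJECT:", v)
    for c in no_pfs:
        print("WARN: no forward secrecy:", c)
```

A profile is accepted only when the violations list is empty; the suites without forward secrecy are reported separately so they can be reviewed rather than blocked outright.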
Learn more about Avi Networks and software defined application services - visit our resource center or join us on our weekly demo.