Offloading TLS Decryption for a One-Armed Inline Tool in L3 with NAT/PAT Mode (6.1)

Introduction

Network segmentation is a widely adopted practice for ensuring scalability and security in a network. Often, clients and servers within an enterprise network reside on different network segments. The traffic between the clients and servers may traverse tools, such as a Next-Generation Firewall (NGFW), deployed in one-arm mode, performing Port Address Translation (PAT) and inter-VLAN routing. Depending on the type of NGFW, its performance can degrade if TLS decryption is enabled on the tool. In such scenarios, it is advisable to offload the TLS decryption from the tool to improve its performance. You can also selectively decrypt the traffic for inspection, thereby extending the useful life of the tool. The following Gigamon Validated Design (GVD) illustrates deploying an Inline SSL Decryption solution to offload the TLS decryption without a dummy inline tool port.

Topology Diagram

Design Overview

The given example illustrates deployment of GigaVUE-HC3 in an enterprise to offload the TLS decryption from a Next-generation firewall (NGFW), which is deployed in layer-3 one-armed mode.

The NGFW is deployed with virtual layer-3 interfaces and multiple links in a port-channel, with Link Aggregation Control Protocol (LACP) configured between the NGFW and the DMZ firewall. It is important to note that these two links are configured for one-armed mode redundancy and are not configured in the traditional 2-link/2-port model associated with bump-in-the-wire/virtual wire deployment modes.

An NGFW typically supports many security zones in the network (in this case, it has two layer-3 zones):

The Client Zone—the default gateway for the client traffic traversing via the DMZ firewall.

The Server Zone—the default gateway for the web-application servers in the server farm.

The clients’ traffic is sent via the GigaVUE-HC3 device to the NGFW, which is their default gateway, for security inspection. The NGFW uses its internal routing to forward the traffic and, using a PAT policy, translates the client's original IP address to the server-zone interface IP before the traffic is sent to the web-application servers. The opposite logic applies in the reverse direction.


To learn more about this solution, read complete details on the Gigamon Community: Offloading-TLS-Decryption-for-an-One-armed-Inline-Tool-in-L3-with-NAT-PAT-Mode6-1