F5 Unified Security Solutions Ralf Sydekum Technical Manager Central & Eastern Europe...

Post on 28-Mar-2015


Transcript of F5 Unified Security Solutions Ralf Sydekum Technical Manager Central & Eastern Europe...

F5 Unified Security Solutions

Ralf Sydekum

Technical Manager Central & Eastern Europe

r.sydekum@f5.com

© F5 Networks, Inc.

Slide 2

Agenda

• Real Security Challenges and Attacks
• Data Center Firewall
• DoS & DDoS
• DNS Security
• Web Security
• Access Management
• Fast Vulnerability Assessment & Application Security

Slide 3

The Leader in Application Delivery Networking

[Diagram: users at home, in the office and on the road reach SAP, Microsoft and Oracle applications in the data center through the Application Delivery Network]

Business Goal: Achieve These Objectives in the Most Operationally Efficient Manner

Slide 4

Statement - SONY Online Entertainment (http://blog.eu.playstation.com/)

• On April 16th and 17th, 2011 ... personal information from approximately 24.6 million SOE accounts may have been stolen ...
  • Name, e-mail, login, hashed password, ...
• As well as certain information from an outdated database from 2007 for 10,700 customers in the EU
  • Name, bank account number, address, ...

Slide 5

[Chart: Sony stock performance, Nov 2010 to Nov 2011]

Slide 6

What happened to WikiLeaks?

• Several companies stopped providing service to WikiLeaks, although it was not proven that WikiLeaks had violated any existing law
• Amazon removed all WikiLeaks content from its servers
• EveryDNS switched off DNS resolution for wikileaks.org
• Several financial institutions froze donation accounts

Slide 7

Finally...

• Thousands of internet users vented their accumulated anger starting 7 December 2010
• The web servers of the Swiss bank PostFinance were down for several hours
• Credit card companies such as Mastercard and VISA were not accessible for several hours a day over several days
• PayPal's transaction network was slowed but not taken down completely

Slide 8

WikiLeaks DDoS Attack Profile

• 3 basic classes of attack
  • L7 (HTTP/Web): Slowloris
    • Creates massive numbers of concurrent sessions
    • Firewalls quickly overwhelmed
    • Server resources completely consumed
  • L4: TCP flood / SYN flood
    • Targets any TCP-aware device
  • L3: ICMP flood
    • ICMP protocol attack
    • Consumes router, firewall and server resources
• BIG-IP/ASM stopped the attacks: a combination of core TMOS functionality, iRules and ASM (Application Security Manager)

[Diagram: attack traffic (ICMP flood, TCP flood, Slowloris) arrives from the Internet through the border router, an intrusion prevention device and a PCI-compliant firewall, and is stopped at the F5 BIG-IP with ASM module]

Slide 9

The Three Threat Vectors

• Network attacks
• Application attacks
• DDoS attacks

Slide 10

Security Challenges

• ... of network traffic is encrypted, bypassing security controls
• Traditional network devices are failing under load: 3 out of 6 major firewalls failed under stability testing, and 5 out of 6 were vulnerable to a common exploit
• Security is still expendable: 9 out of 10 IT organizations admit to sacrificing security for performance
• Over 90% of IT administrators want security context
• Security device sprawl is a challenging problem: IT's biggest security challenge with device sprawl is operational complexity
• 30%: Blended attacks are overwhelming conventional security devices at the edge of the data center

Slide 11

Context leverages information about the end user to improve the interaction:

• Who is the user?
• What devices are requesting access?
• When are they allowed to access?
• Where are they coming from?
• How did they navigate to the page/site?

Slide 12

"Context-aware technologies will affect $96 billion of annual consumer spending worldwide by 2015. By that time, more than 15 percent of all payment card transactions will be validated using context information."

- Gartner

Slide 13

Unified Security Architecture: Traditional Approach

[Diagram: a separate device for each function: load balancer, firewall, web application firewall, DNS security, access management and remote access, DDoS protection]

14

TMOS TMOS

AVAILABLE

SECURE

FAST

AVAILABLE

SECURE

FAST

SECURE SECURE

iRULES

iCONTROLiAPPS

TMO

S

TMO

S

TMO

S

NETWORK FIREWALLNETWORK FIREWALL

SSL TERMINATIONSSL TERMINATION

PROTOCOL SECURITYPROTOCOL SECURITY

DDoS PROTECTIONDDoS PROTECTION

DYNAMIC THREAT DEFENSEDYNAMIC THREAT DEFENSE

GTM ASM APMMODULE SECURITY

DNS WEB ACCESS

DN

S

WEB

ACCE

SS

LTM

Data Center Firewall

© F5 Networks, Inc.

Slide 16

Internet Data Center Perimeter Firewall with Load Balancer: Today

Overview
• Traditional firewall
• Standalone load balancer

Limitations
• DDoS protection
• Connections
• Scale
• Device management
• Defense methods

Slide 17

Internet Data Center Perimeter Firewall with Load Balancer: With BIG-IP (BIG-IP LTM with ASM)

Overview
• Consolidated device
• Firewall service
• Application delivery
• Web application firewall

Benefits
• Application fluency
• SSL visibility
• DDoS protection, 30+ attack types
• Dynamic defense methods
• Best price-to-performance class
• OWASP Top 10 protection

Slide 18

Internet Datacenter Network Firewall

F5 helps you to mitigate DDoS and flood-based attacks:

• Stateful, default-deny behavior
• High concurrent-connection and connections-per-second capacity
• User geolocation awareness
• SSL (hardware-accelerated encryption/decryption)
• IPsec site-to-site
• Packet filtering
• Flood protection mechanisms
• Carrier-grade NAT (NAT, NAT64)

[Diagram: external users on the Internet reach F5's own sites (F5.com, owa.f5.com, DevCentral.F5.com, websupport.f5.com, ihealth.f5.com, downloads.F5.com) through a router and a BIG-IP acting as the data center firewall, which provides SYN flood protection and many others, high concurrent-connection capacity and user geolocation security]

Slides 19-21

Platform comparison: F5 BIG-IP 11050 ($129,995) vs. Competitor ABC + 4 blades ($124,000)

                                F5 BIG-IP 11050    Competitor ABC + 4 blades
Throughput                      42 Gbps            20 Gbps
Connections per second          1M                 175K
Maximum concurrent connections  24M                2.25M

Slide 22

SSL Drives Platform Architecture

Industry is increasingly using larger SSL keys, and the CPU cost of each private-key operation grows with the key size:

• 1024-bit keys: baseline (100%)
• 2048-bit keys: 6x tougher (600% of the CPU processing requirement)
• 4096-bit keys: 41x tougher (4100%)

Slide 23

Denial of Service / Distributed Denial of Service

Slide 24

Summary: DoS and DDoS

• DoS = Denial of Service
• DDoS = Distributed Denial of Service
• Layer 1: cut the cable
• Layer 4 or Layer 7 DDoS: thousands of attackers bring down one site
• Layer 7 DoS: one attacker is able to bring down one site, e.g. Slowloris, Slow POST
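Slide 8 described Slowloris as creating massive numbers of concurrent sessions, and the summary above adds Slow POST as the other single-attacker L7 DoS. The following is an added example, not F5 code, showing how to spot both from a connection-table snapshot: each attack leaves many long-lived connections per source whose HTTP request never completes, either because the headers never end (Slowloris) or because a large declared body trickles in (Slow POST). The thresholds, the record layout and the sample connections are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class Conn:
    """One entry of a (constructed) full-proxy connection-table snapshot."""
    src: str
    age_s: float          # seconds since the TCP handshake completed
    headers_done: bool    # has the client sent the blank line that ends the headers?
    content_length: int   # declared request body size, 0 if none
    body_bytes: int       # body bytes actually received so far


# Thresholds are assumptions for this example; tune them to your own traffic.
IDLE_LIMIT_S = 30        # a real browser finishes its request headers well inside this
STALLED_PER_SRC = 20     # more stalled connections than this from one source is abuse
BODY_RATE_FLOOR = 50.0   # bytes/second; a body arriving slower than this is a slow POST


def classify(c: Conn) -> Optional[str]:
    """Which slow-request attack a single connection resembles, or None."""
    if c.age_s < IDLE_LIMIT_S:
        return None                   # too young to judge
    if not c.headers_done:
        return "slowloris"            # headers never completed: Slowloris keeps them open
    if c.content_length > 0 and c.body_bytes < c.content_length \
            and c.body_bytes / c.age_s < BODY_RATE_FLOOR:
        return "slow_post"            # declared a large body and is dribbling it in
    return None


def find_offenders(conns: Iterable[Conn]) -> Dict[str, Dict[str, int]]:
    """Count stalled connections per source and return the sources over the limit.
    A single attacker shows up here; one slow but legitimate client does not."""
    stalled: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for c in conns:
        kind = classify(c)
        if kind:
            stalled[c.src][kind] += 1
    return {src: dict(kinds) for src, kinds in stalled.items()
            if sum(kinds.values()) > STALLED_PER_SRC}


def sample_snapshot() -> list:
    """Constructed snapshot: two attackers, many normal clients, one slow uploader."""
    conns = [Conn("203.0.113.7", 120 + i, False, 0, 0) for i in range(150)]        # Slowloris
    conns += [Conn("198.51.100.9", 300, True, 1_000_000, 600) for _ in range(40)]   # slow POST
    conns += [Conn(f"192.0.2.{i}", 2.0, True, 0, 0) for i in range(1, 60)]         # normal, fast
    conns.append(Conn("192.0.2.200", 90, True, 50_000_000, 2000))                 # one legit slow upload
    return conns


if __name__ == "__main__":
    for src, kinds in find_offenders(sample_snapshot()).items():
        print(f"{src}: {kinds}")
```

The per-source count is what separates an attacker from a user on a slow link: the single large upload from 192.0.2.200 is individually "stalled" but never reaches the threshold, while a full proxy that only looked at idle time would reap it too.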

Slide 25

Mitigating DoS Attacks

Protect against: network-based Distributed Denial of Service (DDoS)

Protect with: VIPRION and BIG-IP LTM DoS protections
• Packet filtering
• SYN cookies (L4 DoS)
• Dynamic reaping (L4 DoS)
• TCP full proxy (L4 DoS)
• Rate shaping (L4 to L7 DoS)
• iRules (e.g. SSL DoS protection)
• Very high performance
• Very large connection tables
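SYN cookies, the second protection listed above, let a full proxy answer a SYN flood without allocating a connection entry per SYN: the server encodes what it needs into its own initial sequence number and recovers it from the client's final ACK, so half-open connections cost nothing. Below is an added example, not F5's implementation, that follows the classic layout (5 bits of a 64-second time counter, 3 bits of MSS index, 24 bits of keyed hash over the 4-tuple). The secret key, addresses, ports and timestamps are constructed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple

MSS_TABLE = [536, 1300, 1440, 1460]   # MSS is stored as a 3-bit index, since no SYN state is kept
TIME_SLOT_S = 64                      # the 5-bit counter advances every 64 seconds
MAX_AGE_SLOTS = 2                     # accept a cookie from the current slot or the two before it


def _counter(now: float) -> int:
    return int(now // TIME_SLOT_S) & 0x1F


def _mac24(secret: bytes, saddr: str, daddr: str, sport: int, dport: int, t: int) -> int:
    """24-bit keyed hash over the 4-tuple and time slot: the part an attacker must guess."""
    msg = struct.pack("!4s4sHHB", IPv4Address(saddr).packed, IPv4Address(daddr).packed,
                      sport, dport, t)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
                mss: int, now: float) -> int:
    """Server ISN for the SYN-ACK: 5 bits time slot | 3 bits MSS index | 24 bits MAC.
    Nothing about the SYN is stored; the cookie is all the state there is."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i                    # largest table entry not above the client's MSS
    t = _counter(now)
    return (t << 27) | (idx << 24) | _mac24(secret, saddr, daddr, sport, dport, t)


def check_cookie(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
                 ack: int, now: float) -> Optional[int]:
    """Validate the client's final ACK (ack = cookie + 1). Returns the recovered MSS,
    or None if the cookie is forged, stale, or was issued for a different 4-tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, idx = cookie >> 27, (cookie >> 24) & 0x7
    if ((_counter(now) - t) & 0x1F) > MAX_AGE_SLOTS or idx >= len(MSS_TABLE):
        return None
    expect = _mac24(secret, saddr, daddr, sport, dport, t).to_bytes(3, "big")
    if not hmac.compare_digest(expect, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


def handshake_demo(secret: bytes = b"constructed-secret-rotate-often") -> Tuple[Optional[int], ...]:
    """Constructed exchange: a real client completing the handshake, then three ACKs
    the server must reject (forged cookie, stale cookie, spoofed source address)."""
    client, server, cport, sport = "198.51.100.23", "203.0.113.10", 40001, 443
    t0 = 1_700_000_000.0
    # SYN arrives with MSS 1460; the SYN-ACK carries seq=cookie and the server forgets the SYN
    cookie = make_cookie(secret, client, server, cport, sport, 1460, t0)
    ack = (cookie + 1) & 0xFFFFFFFF          # the genuine client's ACK number
    genuine = check_cookie(secret, client, server, cport, sport, ack, t0 + 5)
    forged = check_cookie(secret, client, server, cport, sport, (ack ^ 0x1234) & 0xFFFFFFFF, t0 + 5)
    stale = check_cookie(secret, client, server, cport, sport, ack, t0 + 10 * TIME_SLOT_S)
    spoofed = check_cookie(secret, "192.0.2.99", server, cport, sport, ack, t0 + 5)
    return genuine, forged, stale, spoofed


if __name__ == "__main__":
    print("genuine / forged / stale / spoofed:", handshake_demo())
```

The trade-off the slide's list does not spell out: because the MSS is squeezed into three bits and TCP options such as window scaling are not encoded at all, connections that were completed with a cookie run with reduced options, which is why cookies are normally switched on only once the SYN queue is under pressure.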

Slide 26

DNS Security Use Case

Slide 27

DNS Attacks Are Common

Slide 28

DNS is Vulnerable to Attacks

• Multiple DNS attacks: DDoS, cache poisoning, man-in-the-middle
• Application timeouts and failed lookups
• Lost customers, lost productivity
• Loss of revenue and brand equity

[Diagram: clients query their local DNS (LDNS), which queries the data center DNS servers for www.company.com]

Slide 29

Complete DNS Protection: BIG-IP Global Traffic Manager

• High-performance DNS: multicore GTM
• Scalable DNS: DNS Express
• Malformed UDP packets are dropped
• Spread the load across devices: IP Anycast
• Secure DNS queries: DNSSEC
• Route based on nearest data center: geolocation
• Complete DNS control: DNS iRules

[Diagram: clients and LDNS on the Internet; GTM DNS firewall services in front of the company.com data center answer valid queries and drop malformed or attack traffic]
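Two of the items above, dropping malformed packets and keeping cache poisoning out, can be shown in code. The following added example (not F5 or GTM code) is a strict parser for the DNS header, question and answer sections that rejects truncated messages, over-long labels and forward or looping compression pointers, plus the resolver-side acceptance check a reply must pass before it is cached: matching transaction ID and source port, matching question, and every answer inside the bailiwick of the server that was asked. The message bytes, IDs, ports and names are constructed.

```python
import struct
from typing import List, Optional, Tuple


class Malformed(ValueError):
    """Raised for any packet a DNS firewall should drop rather than parse."""


def _read_name(data: bytes, pos: int, depth: int = 0) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (lower-cased FQDN, position after it)."""
    labels: List[str] = []
    while True:
        if pos >= len(data):
            raise Malformed("name runs past end of packet")
        n = data[pos]
        if n == 0:
            return ".".join(labels) + ".", pos + 1
        if n & 0xC0 == 0xC0:                       # compression pointer
            if pos + 1 >= len(data):
                raise Malformed("truncated compression pointer")
            ptr = ((n & 0x3F) << 8) | data[pos + 1]
            if ptr >= pos or depth > 8:            # must point backwards; bounded chain length
                raise Malformed("bad compression pointer")
            tail, _ = _read_name(data, ptr, depth + 1)
            full = labels + ([] if tail == "." else tail.rstrip(".").split("."))
            return ".".join(full) + ".", pos + 2
        if n > 63:
            raise Malformed("label longer than 63 octets")
        label = data[pos + 1:pos + 1 + n]
        if len(label) < n or not label.isascii():
            raise Malformed("truncated or non-ASCII label")
        labels.append(label.decode().lower())
        pos += 1 + n


def parse_message(data: bytes) -> dict:
    """Parse header, the single question and the answer section (authority and
    additional sections are not needed for this check and are left unparsed)."""
    if len(data) < 12:
        raise Malformed("shorter than the 12-octet header")
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!6H", data[:12])
    if qd != 1:
        raise Malformed("expected exactly one question")
    qname, pos = _read_name(data, 12)
    if pos + 4 > len(data):
        raise Malformed("truncated question")
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    pos += 4
    answers = []
    for _ in range(an):
        name, pos = _read_name(data, pos)
        if pos + 10 > len(data):
            raise Malformed("truncated resource record header")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if pos + rdlen > len(data):
            raise Malformed("RDATA runs past end of packet")
        answers.append((name, rtype, rclass, ttl, data[pos:pos + rdlen]))
        pos += rdlen
    return {"id": msg_id, "qr": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "qclass": qclass, "answers": answers}


def accept_response(pending: dict, data: bytes, src_port: int) -> Optional[List[tuple]]:
    """Resolver-side check of a reply against the outstanding query it claims to
    answer. Returns the answers, or None if the reply must be dropped."""
    try:
        r = parse_message(data)
    except Malformed:
        return None
    if not r["qr"] or r["id"] != pending["id"] or src_port != pending["port"]:
        return None                                   # wrong transaction: a blind-spoofing guess
    if (r["qname"], r["qtype"], r["qclass"]) != (pending["qname"], pending["qtype"], pending["qclass"]):
        return None                                   # answer to a question we did not ask
    zone = pending["zone"]                            # zone the queried server is authoritative for
    for name, *_ in r["answers"]:
        if name != zone and not name.endswith("." + zone):
            return None                               # out-of-bailiwick record: poisoning attempt
    return r["answers"]


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in name.rstrip(".").split(".") if lb) + b"\x00"


def build(msg_id: int, response: bool, qname: str, answers=()) -> bytes:
    """Encode a minimal uncompressed A query/response for the constructed samples."""
    out = struct.pack("!6H", msg_id, 0x8180 if response else 0x0100, 1, len(answers), 0, 0)
    out += _encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip in answers:
        out += _encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(ip)
    return out


def demo() -> dict:
    """Constructed replies to one outstanding query for www.company.com (A, IN)."""
    pending = {"id": 0x1A2B, "port": 53219, "qname": "www.company.com.",
               "qtype": 1, "qclass": 1, "zone": "company.com."}
    www = ("www.company.com.", (192, 0, 2, 10))
    good = build(0x1A2B, True, "www.company.com.", [www])
    qlen = len(_encode_name("www.company.com."))
    samples = {
        "good": (good, 53219),
        "wrong_id": (build(0x1A2C, True, "www.company.com.", [www]), 53219),
        "wrong_port": (good, 53220),
        "off_zone": (build(0x1A2B, True, "www.company.com.",
                           [www, ("login.bank.example.", (198, 51, 100, 5))]), 53219),
        "truncated": (good[:20], 53219),
        "pointer_loop": (good[:12] + b"\xc0\x0c" + good[12 + qlen:], 53219),  # name points at itself
    }
    return {k: accept_response(pending, pkt, port) for k, (pkt, port) in samples.items()}
```

The ID and source-port checks are the only defence a plain resolver has against blind spoofing, so both must be random per query; the bailiwick rule is what stops an authoritative server for one zone from planting records for another, which is exactly what cache poisoning tries to do.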

Slide 30

The Value of a Complete DNS / Web Solution

• Complete DNS control
• Secure DNS query responses
• Route based on geolocation
• Denial of Service mitigation (access denied for attack traffic, e.g. toward http://f5.com)
• Scalable (10x, 70%)
• Supports client requests and consolidates IT
• IPv6 to IPv4

Slide 31

Web Security Services

Slide 32

Security Vulnerabilities in Web Applications

Perimeter security is strong, but it is open to web traffic on port 80 and port 443, so attacks now look to exploit application vulnerabilities:

• Forceful browsing
• Cross-site scripting
• Cookie poisoning
• SQL/OS injection
• Hidden-field manipulation
• Parameter tampering
• Buffer overflow
• Brute force attacks
• Layer 7 DoS
• Web scraping
• CSRF
• Viruses

What is at stake: infrastructural intelligence, non-compliant information, forced access to information. High information density = high-value attack target.

Slide 33

Deploy ASM Policies without False Positives

• Predefined policy templates: pre-configured security policies
• Learning mode: automatic or manual
• Web application scanner integration: IBM Rational AppScan, QualysGuard Web Application Scanning, Cenzic Hailstorm, WhiteHat Sentinel
• Gradual deployment: transparent / semi-transparent / full blocking

Slide 34

Web Application Scanner Integration with BIG-IP Application Security Manager

Web application scanner (against the customer website):
• Finds a vulnerability
• Virtual patching with one click on BIG-IP ASM

BIG-IP Application Security Manager:
• Verify, assess, resolve and retest in one UI
• Automatic or manual creation of policies
• Discovery and remediation in minutes
• Vulnerability checking, detection and remediation
• Complete website protection

Slide 35

Free Cenzic Cloud Scans with ASM in v11.2: Find Vulnerabilities and Reduce Exposure

• 3 free application scans directly from the ASM/VE UI
• No time limits once signed up
• Free scans are limited health-check services

The F5 free Cenzic Cloud scan tests for:

1. Cross-Site Scripting
2. Application Exception
3. SQL Injection
4. Open Redirect
5. Password Auto-Complete
6. Credit Card Disclosure
7. Non-SSL Password
8. Check HTTP Methods
9. Basic Auth over HTTP
10. Directory Browsing
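Several of the ten checks above are passive: they follow from a single response without sending any attack traffic. The following added example (not Cenzic or F5 code) implements five of them over constructed HTTP responses: password auto-complete (5), non-SSL password (7), check HTTP methods (8), basic auth over HTTP (9) and directory browsing (10). Injection, XSS and open-redirect checks need active probing and are not attempted here. The URLs, headers and page bodies are constructed.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urljoin, urlparse

RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PROPFIND"}


class _PageFacts(HTMLParser):
    """Collects password inputs (with their form's action/autocomplete) and the page title."""

    def __init__(self) -> None:
        super().__init__()
        self.password_inputs: List[tuple] = []   # (input autocomplete, form autocomplete, form action)
        self.title = ""
        self._form: dict = {}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = a
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs.append((a.get("autocomplete", ""),
                                         self._form.get("autocomplete", ""),
                                         self._form.get("action", "")))
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = {}
        elif tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def check_response(url: str, status: int, headers: Dict[str, str], body: str) -> List[str]:
    """Passive findings for one response, named after the scan items on the slide."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = set()
    page = _PageFacts()
    page.feed(body)
    for input_ac, form_ac, action in page.password_inputs:
        if input_ac.lower() != "off" and form_ac.lower() != "off":
            findings.add("password-autocomplete")          # the browser may store the password
        if urlparse(urljoin(url, action)).scheme != "https":
            findings.add("non-ssl-password")               # credentials would cross the wire in clear
    if status == 401 and h.get("www-authenticate", "").lower().startswith("basic") \
            and urlparse(url).scheme != "https":
        findings.add("basic-auth-over-http")               # Basic is base64, not encryption
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",")} & RISKY_METHODS
    if allowed:
        findings.add("risky-http-methods:" + ",".join(sorted(allowed)))
    if page.title.strip().lower().startswith("index of") and "parent directory" in body.lower():
        findings.add("directory-browsing")                 # server is listing the directory
    return sorted(findings)


def scan_samples() -> Dict[str, List[str]]:
    """Constructed responses, one per check, plus a hardened login page that passes."""
    login_form = ('<form action="/login"><input type="text" name="u">'
                  '<input type="password" name="p"></form>')
    hardened = ('<form action="https://shop.example/login" autocomplete="off">'
                '<input type="password" name="p" autocomplete="off"></form>')
    listing = ('<html><head><title>Index of /uploads</title></head>'
               '<body><a href="../">Parent Directory</a></body></html>')
    samples = {
        "intranet_login": ("http://intranet.example/login", 200, {"Content-Type": "text/html"}, login_form),
        "shop_login": ("https://shop.example/login", 200, {"Content-Type": "text/html"}, hardened),
        "admin_basic": ("http://intranet.example/admin", 401, {"WWW-Authenticate": 'Basic realm="admin"'}, ""),
        "api_options": ("https://api.example/items", 200, {"Allow": "GET, HEAD, POST, PUT, DELETE, OPTIONS"}, ""),
        "uploads_dir": ("http://files.example/uploads/", 200, {"Content-Type": "text/html"}, listing),
    }
    return {name: check_response(*args) for name, args in samples.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name}: {found or 'clean'}")
```

Note that the non-SSL check looks at the form's resolved action, not just the page URL: an https page that posts credentials to an http action is the case that a URL-only check misses.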

Slide 36

IP Intelligence: Identify and allow or block IP addresses with malicious activity

• Use IP intelligence to defend against attacks
• Reduce operational and capital expenses
• IP address feed updates every 5 minutes

[Diagram: the IP Intelligence Service and a geolocation database feed the BIG-IP system, which sits in front of a financial application and a custom application; flagged sources include anonymous proxies, scanners, botnets, an attacker sending anonymous requests, and internally infected devices and servers]

37

• Fast IP update of malicious activity

• Global sensors capture IP behaviors

• Threat correlation reviews/ blocks/ releases

IP IntelligenceHow it works

Internet

Web Attacks

Reputation

Windows Exploits

Botnets

Scanners

Network Attacks

DNS

Semi-open Proxy Farms

Exploit Honeypots

Naïve User Simulation

Web App Honeypots

Third-party Sources

Key Threats Sensor Techniques

BIG-IP System

Dynamic Threat IPsevery 5min.

IP Intelligence

IP Intelligence ServiceThreat Correlation

© F5 Networks, Inc.

Slide 38

Graphical Reporting: detailed chart path of threats in ASM

Slide 39

Web Access Management

Slide 40

Context = Access Control: BIG-IP Access Policy Manager

Manage access based on identity:
• Unify access control
• Authentication and authorization
• Single sign-on
• Powerful custom and built-in reporting
• Access and application analytics

Slide 41

Enable Simplified Application Access with BIG-IP Access Policy Manager (APM)

Slide 42

Control Access of Endpoints: Ensure Strong Endpoint Security (BIG-IP APM)

Allow, deny, or remediate users based on endpoint attributes such as:
• Client or machine certificates
• Antivirus software version and updates
• Software firewall status
• Access to specific applications

Invoke a protected workspace for unmanaged devices:
• Restrict USB access
• Cache cleaner leaves no trace
• Ensure no malware enters the corporate network

Slide 43

Authentication All in One and Fast SSO: F5 BIG-IP Access Policy Manager

Dramatically reduce infrastructure costs; increase productivity

Slide 44

App Security with BIG-IP ASM and APM

• APM offers authentication and authorization and stops unauthorized requests (threat addressed: unauthorised access)
• ASM allows legitimate requests and stops bad requests and responses (threats addressed: illegal requests, non-compliant information, infrastructural intelligence)

[Diagram: browser and applications send requests through APM and then ASM before they reach the application servers]

Reduces the attack surface, because only authenticated, authorized and legal requests are permitted to reach the relevant application servers.

Slide 45

Summary - F5 Unified Security

© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS, and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries