Application Delivery Firewall Customer...


Transcript of Application Delivery Firewall Customer...

APPLICATION DELIVERY FIREWALL

Tim O’Connor [email protected]

2 © F5 Networks, Inc.

Maintaining Security Is Challenging

Drivers: webification of apps, device proliferation, evolving security threats, shifting perimeter.

•  71% of internet experts predict most people will do work via web or mobile by 2020.
•  95% of workers use at least one personal device for work.
•  130 million enterprises will use mobile apps by 2014.
•  58% of all e-theft tied to activist groups; 81% of breaches involved hacking.
•  80% of new apps will target the cloud.
•  72% of IT leaders have or will move applications to the cloud.

Your Business Needs

•  To scale: scale for a work-anywhere / SSL-everywhere world.
•  To secure: security for applications and data against sustained attacks.
•  To simplify: simplification of point solutions and complex firewall configurations.

Introducing F5’s Application Delivery Firewall: Aligning applications with firewall security

One platform:
•  SSL inspection
•  Traffic management
•  DNS security
•  Access control
•  Application security
•  Network firewall
•  DDoS mitigation

Certification: EAL2+; EAL4+ (in process).

A Firewall Built for the Data Center

“Next generation” firewall (corporate network, users): secures user activity on the corporate network. Characteristics:
•  Outbound user inspection
•  UserID and AppID
•  Who is doing what?
•  1K users to 10K websites
•  Broad but shallow

F5 application delivery firewall (Internet data center, servers): secures apps wherever they live. Characteristics:
•  Inbound application protection
•  Application delivery focus
•  1M users to 100 apps
•  Narrow but deep
•  Most widely deployed data center protocols: 12 protocols (HTTP, SSL, etc.)

Superior Performance and Scale

(Chart: throughput in Gbps, connections per second in millions, sessions in millions and footprint in rack units, compared for F5 (VIPRION 4480), Juniper (SRX 5800), Cisco (ASA 5585-X) and Check Point (61000), with multipliers of 2x, 14x, 22x and 10x annotated.)

Firewall Technologies

Firewalls started out as proxies to maximize security. Stateless filters accelerated firewalls, but weakened security. Stateful and next-gen firewalls added security with deep inspection, but still fall short of proxies. F5 brings full proxy back to firewalls: highest security matched by a high-scale and high-performance architecture.

(Timeline: a long time ago… and then… present day… and now with F5!)

Full Proxy Security

The figure shows the same layers (physical, network, session, application, web application) on the client side and on the server side of the proxy, with one protection per layer:
•  L4 Firewall: full stateful policy enforcement and TCP DDoS mitigation
•  SSL inspection and SSL DDoS mitigation
•  HTTP proxy, HTTP DDoS and application security
•  Application health monitoring and performance anomaly detection

F5’s Approach

•  TMOS traffic plug-ins
•  High-performance networking microkernel
•  Powerful application protocol support
•  iControl: external monitoring and control (iControl API)
•  iRules: network programming language

(Figure: the traffic management microkernel runs on high-performance hardware as a full proxy with a client side (IPv4/IPv6, TCP, SSL, HTTP) and a server side (TCP, OneConnect, SSL, HTTP). Optional modules such as APM and Firewall plug in for all F5 products and solutions.)
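What "full proxy" means in practice, as an added illustration that is not F5 or TMOS code: a minimal HTTP proxy in Python that owns the client-side TCP connection itself and opens a separate server-side connection only after a complete, well-formed request head has arrived. Half-open connections and junk that is not HTTP are dropped on the client side and never consume a connection on the origin. The loopback addresses, the request-line checks, the size and time limits, and the stub back end (which only counts the connections it receives) are all constructed for the demo.

```python
import socket
import threading

# Constructed limits for the demo: how much request head the proxy buffers on the
# client side, and how long it waits for the client to finish sending it.
MAX_HEAD_BYTES = 8192
HEAD_TIMEOUT = 1.0


def read_request_head(conn):
    """Read the client's request head (through the blank line). Return None if the
    head does not arrive in time, exceeds the cap, or the client hangs up first."""
    conn.settimeout(HEAD_TIMEOUT)
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(1024)
            if not chunk or len(buf) + len(chunk) > MAX_HEAD_BYTES:
                return None
            buf += chunk
    except socket.timeout:
        return None
    return buf


def request_head_is_valid(head):
    """Accept only a sane request line: known method, origin-form target, HTTP/1.x."""
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    return (method in (b"GET", b"HEAD", b"POST")
            and target.startswith(b"/")
            and version in (b"HTTP/1.0", b"HTTP/1.1"))


def handle_client(client, backend_addr):
    """Client-side connection: the back end is contacted only after the head has
    been fully received and checked, so half-open or junk connections stop here."""
    with client:
        head = read_request_head(client)
        if head is None or not request_head_is_valid(head):
            return
        # Separate server-side TCP connection: the client never talks to the origin.
        with socket.create_connection(backend_addr) as backend:
            backend.sendall(head)
            while True:
                data = backend.recv(4096)
                if not data:
                    break
                client.sendall(data)


def serve(handler):
    """Listen on an ephemeral loopback port, hand each connection to a thread,
    and return the (host, port) the listener received."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(16)

    def accept_loop():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()


def start_backend():
    """Constructed origin server that records every TCP connection it receives."""
    stats = {"connections": 0}

    def handle(conn):
        with conn:
            stats["connections"] += 1
            conn.recv(4096)
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")

    return serve(handle), stats


def start_proxy(backend_addr):
    return serve(lambda conn: handle_client(conn, backend_addr))


def send_raw(addr, payload):
    """Act as a client: send raw bytes and return everything received before close."""
    with socket.create_connection(addr) as s:
        s.sendall(payload)
        out = b""
        while True:
            data = s.recv(4096)
            if not data:
                return out
            out += data


if __name__ == "__main__":
    backend_addr, stats = start_backend()
    proxy_addr = start_proxy(backend_addr)
    print(send_raw(proxy_addr, b"GET / HTTP/1.1\r\nHost: demo\r\n\r\n"))
    print(send_raw(proxy_addr, b"GET / HTTP/1.1\r\nHost: demo\r\n"), stats)
```

The second request in the usage section never finishes its head; the proxy times it out and the back end's connection count stays at one, which is the property the slides attribute to a full proxy: the origin only ever sees connections the proxy has already vetted.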

Application-Oriented Policies and Reports

Firewall policies and reports oriented around the application


Application Delivery Firewall

iRules extensibility everywhere

Products

Advanced Firewall Manager

•  Stateful full-proxy firewall

•  Flexible logging and reporting

•  Native TCP, SSL and HTTP proxies

•  Network and Session anti-DDoS

Access Policy Manager

•  Dynamic, identity-based access control

•  Simplified authentication infrastructure

•  Endpoint security, secure remote access

Local Traffic Manager

•  #1 application delivery controller

•  Application fluency

•  App-specific health monitoring

Application Security Manager

•  Leading web application firewall

•  PCI compliance

•  Virtual patching for vulnerabilities

•  HTTP anti-DDoS

•  IP protection

Global Traffic Manager & DNSSEC

•  Huge scale DNS solution

•  Global server load balancing

•  Signed DNS responses

•  Offload DNS crypto

IP Intelligence

•  Context-aware security

•  IP address categorization

•  IP address geolocation

Capabilities covered: SSL inspection, traffic management, DNS security, access control, application security, network firewall, DDoS mitigation.

PROTECTING THE DATA CENTER Use case

•  Consolidation of firewall, app security, traffic management
•  Protection for data centers and application servers
•  High scale for the most common inbound protocols

(Figure. Before F5: separate boxes for load balancer, DNS security, network DDoS, web application firewall, web access management, load balancer & SSL, application DDoS and firewall. With F5: the same functions consolidated on one platform.)

DDoS MITIGATION Use case

•  Protect against DDoS at all layers: 38 vectors covered
•  Withstand the largest attacks
•  Gain visibility and detection of SSL encrypted attacks

Attacks are grouped by OSI layer (application (7), presentation (6), session (5), transport (4), network (3), data link (2), physical (1); the figure marks increasing difficulty of attack detection along the stack) with the F5 mitigation technologies for each group:

Application attacks: Slowloris, Slow Post, HashDos, GET Floods
  F5 mitigation: BIG-IP ASM. Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.

Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
  F5 mitigation: BIG-IP LTM and GTM. High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.

Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
  F5 mitigation: BIG-IP AFM. SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
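SynCheck in the table above is a SYN-cookie style defence against SYN floods. As an added illustration of the mechanism, not F5's implementation: a textbook SYN cookie in Python. The server encodes a coarse time counter, an MSS index and a keyed hash of the 4-tuple into the SYN-ACK's initial sequence number, so a SYN allocates nothing in the connection table; an entry is created only when the client's final ACK carries a cookie that validates. The secret key, the MSS table, the addresses and the flood size are constructed for the demo, and the time counter is passed in explicitly so the run is deterministic.

```python
import hashlib
import hmac

COOKIE_SECRET = b"constructed-demo-secret"  # constructed; a real stack uses a random, rotated key
MSS_TABLE = (536, 1220, 1440, 1460)        # MSS values the 3-bit index can name (4 used here)
# Layout of the 32-bit sequence number: [5-bit time counter][3-bit MSS index][24-bit MAC]


def _mac24(saddr, sport, daddr, dport, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time counter."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{counter}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_mss, counter):
    """Initial sequence number for the SYN-ACK. Nothing is stored server-side."""
    usable = [i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss]
    mss_idx = usable[-1] if usable else 0
    counter &= 0x1F
    return (counter << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, counter)


def check_syn_cookie(saddr, sport, daddr, dport, ack_num, counter):
    """Validate the ACK that completes the handshake. Returns the MSS to use, or
    None if the cookie is forged, belongs to another 4-tuple, or is too old."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    cookie_counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = (counter - cookie_counter) & 0x1F       # counters wrap modulo 32
    if age > 1 or mss_idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _mac24(saddr, sport, daddr, dport, cookie_counter):
        return None
    return MSS_TABLE[mss_idx]


class CookieListener:
    """Constructed listener: only fully established connections occupy its table."""

    def __init__(self, daddr, dport, counter):
        self.daddr, self.dport, self.counter = daddr, dport, counter
        self.established = {}        # (saddr, sport) -> negotiated MSS

    def on_syn(self, saddr, sport, client_mss):
        # No table entry: the SYN-ACK's ISN is the only "state", and the client holds it.
        return make_syn_cookie(saddr, sport, self.daddr, self.dport, client_mss, self.counter)

    def on_ack(self, saddr, sport, ack_num):
        mss = check_syn_cookie(saddr, sport, self.daddr, self.dport, ack_num, self.counter)
        if mss is not None:
            self.established[(saddr, sport)] = mss
        return mss


def simulate_flood(listener, spoofed_syns):
    """Feed many SYNs from distinct constructed sources that never ACK; return the
    number of table entries they managed to occupy."""
    for i in range(spoofed_syns):
        listener.on_syn(f"203.0.113.{i % 256}", 1024 + i, 1460)
    return len(listener.established)
```

The 5-bit counter gives a validity window of two ticks, so a cookie answered much later (or replayed with a different source port) fails the MAC check and still creates no state; the trade-off, as in any SYN cookie, is that TCP options the cookie cannot encode are lost for the cookied connection.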

SSL INSPECTION Use case

•  Gain visibility and detection of SSL-encrypted attacks
•  Achieve high-scale/high-performance SSL proxy
•  Offload SSL—reduce load on application servers

DNS Security Use case

•  Consolidated firewall and DNS Service
•  High performance, scalable DNS
•  Secure queries with DNSSEC

(Figure. Before F5: 65,000 concurrent queries, with resolution of http://www.f5.com exposed to cache poisoning, DNS spoofing, man in the middle and DDoS. With F5: secure and available DNS infrastructure, up to 6 million concurrent queries.)

ENHANCING WEB ACCESS MANAGEMENT Use case

•  Proxy the web applications to provide authentication, authorization, endpoint inspection, and more, all tying into Layer 4-7 ACLs through F5’s Visual Policy Editor

(Figure: Create policy; checks such as corporate domain, latest AV software and current O/S; roles such as Administrator and User = HR; AAA server.)

RAPID VIRTUAL PATCHING: SOFTWARE DEV. LIFECYCLE (SDLC)

SDLC phases: project planning, requirements definition, design, development, integration & test, installation & acceptance.

•  Decouple security from the SDLC
•  Address new vulnerabilities immediately
•  Ensure PCI compliance
•  Incorporate vulnerability assessment into the SDLC
•  Use business logic to address known vulnerabilities
•  Allow resources to create value

Protection from Vulnerabilities: Enhanced integration, BIG-IP ASM and WhiteHat Sentinel

The customer website is protected by a vulnerability scanner (WhiteHat Sentinel) working with BIG-IP Application Security Manager:
•  Vulnerability checking, detection and remediation
•  Complete website protection
•  Finds a vulnerability
•  Virtual-patching with one click on BIG-IP ASM
•  Verify, assess, resolve and retest in one UI
•  Automatic or manual creation of policies
•  Discovery and remediation in minutes

Supported scanners: Qualys, IBM, WhiteHat, Cenzic.

IP INTELLIGENCE

IP intelligence service: IP address feed updates every 5 min, backed by a geolocation database.

(Figure: custom and financial applications are protected; request sources flagged by the feed include botnets, attackers, anonymous requests via anonymous proxies, scanners, restricted regions or countries, and internally infected devices and servers.)

Protect Against Newly Published Vulnerabilities That Do Not Have a Patch


Slash Response Times

Extensibility delivers protection sooner:
•  Help needed: a user asks for help to avoid an exploit on Apache (DevCentral request).
•  One hour later F5 validates and posts fix.
•  One hour later… the customer deployed and validated the fix.
•  One week later Apache releases fix.
•  One week later… testing and rollout still needs to take place.

iRules with Security: HashDos—Post of Doom

The “HashDos—Post of Doom” vulnerability affects all major web servers and application platforms. A single DevCentral iRule mitigates the vulnerability for all back-end services, so staff can schedule patches for back-end services on their own timeline. (Figure: VIPRION.)
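An added illustration of what such a virtual patch checks, written in Python rather than as the DevCentral iRule itself: hash-collision denial of service works by making the server hash an enormous number of form parameters, so the inspector counts parameters and bytes before anything is decoded or hashed and rejects requests that exceed a limit. The limits, the header handling and the sample requests below are constructed for the demo; the request gate is the point, not the exact numbers.

```python
from urllib.parse import parse_qsl

# Constructed limits: a normal form has tens of fields, not thousands.
MAX_PARAMS = 1000
MAX_BODY_BYTES = 64 * 1024


def count_form_params(body: bytes) -> int:
    """Count fields in a urlencoded body by separator only: linear in the body
    length, and done before any key is decoded or hashed."""
    return sum(1 for part in body.split(b"&") if part)


def inspect_post(headers: dict, body: bytes):
    """Decide whether a POST may be forwarded. Returns (action, reason)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        return "allow", f"not a form post ({ctype or 'no content-type'})"
    declared = lowered.get("content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        return "block", f"content-length {declared} does not match body ({len(body)} bytes)"
    if len(body) > MAX_BODY_BYTES:
        return "block", f"body of {len(body)} bytes exceeds {MAX_BODY_BYTES}"
    n = count_form_params(body)
    if n > MAX_PARAMS:
        return "block", f"{n} parameters exceeds limit of {MAX_PARAMS}"
    return "allow", f"{n} parameters"


def parse_form_if_allowed(headers: dict, body: bytes):
    """Parse only after the gate passes. parse_qsl's max_num_fields is kept as a
    second line of defence: it raises ValueError instead of hashing everything."""
    action, reason = inspect_post(headers, body)
    if action != "allow":
        return None, reason
    return dict(parse_qsl(body.decode("latin-1"), max_num_fields=MAX_PARAMS)), reason


def form_request(body: bytes):
    """Constructed sample request: headers and body for a urlencoded POST."""
    return ({"Content-Type": "application/x-www-form-urlencoded",
             "Content-Length": str(len(body))}, body)


if __name__ == "__main__":
    print(inspect_post(*form_request(b"user=alice&action=login&ok=1")))
    print(inspect_post(*form_request(b"&".join(b"k%d=v" % i for i in range(5000)))))
```

Because the gate counts separators rather than building a dictionary, its cost is bounded by the body size regardless of how the keys were chosen, which is exactly the property the vulnerable parsers lacked.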

Security TAP Partners

•  Multi-factor authentication
•  DAST
•  Certificates encryption
•  Endpoint inspect / AV
•  Web access management
•  Anti-fraud / secure browser
•  DB firewall
•  DNS security and SBS
•  FIPS/HSM security
•  Mobile device management
•  Mobile OS
•  Web and SaaS security
•  Security change management
•  SIEM

F5 Delivers to Support Your Needs

•  Increased scale and performance: industry-leading capacity and throughput.
•  Higher security: full-proxy security, SSL inspection, and extensibility with iRules.
•  Operational efficiency: consolidation of functions and an application-centric security model.

devcentral.f5.com facebook.com/f5networksinc linkedin.com/companies/f5-networks twitter.com/f5networks youtube.com/f5networksinc

www.F5.com


Hardware with a Purpose: Best-of-breed application delivery architecture

TMOS is the implementation of software on hardware that includes physical, virtual and hybrid deployments. This creates the most flexible, advanced application delivery.

Physical ADC is best for:
•  Fastest performance
•  SSL offload
•  Workload isolation
•  Consolidation
•  Edge and front door services
•  Edge security speeds and feeds

Hybrid ADC is best for:
•  Complete integrated Application Delivery Network
•  Tethered deployments
•  Symmetric ADC services
•  Federated authentication

Virtual ADC is best for:
•  Accelerated deployment
•  Private and public cloud environments
•  Application or tenant-based pods
•  Lab, test and QA deployments
•  Keep security with application

F5 Physical ADCs: high-performance and specialized hardware. F5 vCMP or virtual editions: vADC or virtual editions provide flexible deployment options for virtual environments. Physical ADCs + vADCs = F5 dynamic infrastructure, the ultimate in flexibility and performance.

Multi-tenancy: Partition vs. virtualization

(Figure: partitioning runs Partition 1 to Partition 4 on a single OS on one hardware platform; virtualization runs Instance 1 to Instance 4, each with its own OS, on one hardware platform.)

Feature             | Partition         | Virtualization
Resource allocation | Shared / flexible | Static / dedicated
Operating system    | Single shared     | Multiple unique

The Solution: vCMP, the best of both worlds (BIG-IP version 11.x)

(Figure: TMOS on hardware hosts guests such as BIG-IP LTM, BIG-IP ASM and BIG-IP GTM; each guest runs its own TMOS with its own route domains (RD 1) and administrative partitions (Partition 1, Partition 2).)

All multi-tenancy benefits:
•  Resource management
•  VLANs/route domains
•  Administrative partitions
•  Rate shaping

All virtualization benefits:
•  Isolated BIG-IP system guests
•  Performance guarantees
•  Independent versioning
•  Increased utilization

Simplified licensing. Streamlined deployment.
•  No other virtual infrastructure required!

Unmatched Performance

Security module can be plugged into the hardware and the VE.

(Chart: L7 requests per second (Inf-Inf), 0 to 7,000,000, for BIG-IP 1600, 3600, 3900, 6900, 8900, 8950, 11050, VIPRION 2400 and VIPRION 4400.)

Platform           | L7 RPS | L4 CPS | Throughput
BIG-IP 1600        | 100k   | 60K    | 1G L7/L4
BIG-IP 3600        | 135k   | 115K   | 2G L7/L4
BIG-IP 3900        | 400k   | 175K   | 4G L7/L4
BIG-IP 6900        | 600k   | 220K   | 6G L7/L4
BIG-IP 8900/8950   | 1.9M   | 800K   | up to 20G
BIG-IP 11000/11050 | 2.5M   | 1M     | up to 42G

DDoS Attacks Exhaust Network Resources

Resources consumed along the path: BANDWIDTH >> PACKET >> CONNECTION >> OS >> HTTP(s) >> APP (PHP/ASP) >>> DB

Components on the path: bandwidth carriers (ISP’s bandwidth, your bandwidth), firewall, DDoS appliance, app accelerator, load balancer, web servers, database.

Exhaustion points shown in the figure:
•  State table: too many connections; TCP flood; IPs; ACL performance degrade
•  Many: thread jam; memory exhaustion; CPU
•  Database load, thread jam, log attack, memory exhaustion, connection flood
•  Negative caching, proxy bypass
•  Attack classes: low & slow, Layer 7 random, Layer 7 logical

Splunk Integration: Application-centric SIEM

•  F5 reporting to Splunk
•  Start with application-centric views and drill down to more details
•  At-a-glance visibility and intelligence for ADF’s context-aware security

(Views: high level, detailed, very detailed.)

Firewall Packet Processing

Packet path: I/O → DAG → HSB → ETH input → VLAN input → IP input → flow lookup against the flow table (including ephemeral listeners).

•  Flow exists (or an existing match for an ALG): the packet continues on the established flow to LTM + ASM + APM + GTM.
•  No flow exists: policy and action matching runs in stages for the new flow:
   •  Global ACLs: rules processed in order*; no default deny (no match falls through).
   •  Route domain ACLs: rules processed in order; no default deny.
   •  Listener: rules processed in LMF; default deny.
   •  Listener ACLs: rules processed in order; default deny.
   A new flow is then created and accepted (accept new flow, tunnel, accept), or the packet is dropped or rejected. If no policy/action matches, the packet is dropped.

DAG = “Disaggregator”; chooses the appropriate traffic management microkernel (TMM) CPU.
HSB = High-speed bridge (backplane).
*Order
FPGA/ASIC = SYN cookie protection is moved into hardware for some platforms.
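The tiered lookup on this slide, as an added Python model that is constructed for illustration and is not TMOS code: a flow lookup runs first and established flows skip policy entirely; for a new flow, rules are evaluated first-match in tier order (global, then route domain, then listener), a tier with no match falls through to the next, and a packet that matches nothing at the end is dropped by the default-deny rule. Tier names follow the slide; the rule names, addresses and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "accept", "drop" or "reject"
    src: Optional[str] = None      # CIDR; None matches any source
    dst: Optional[str] = None      # CIDR; None matches any destination
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Tier order from the slide: global, then route domain, then the listener's own rules.
TIER_ORDER = ("global", "route_domain", "listener")


def evaluate(pkt: Packet, policy: dict):
    """First match wins within a tier; an unmatched tier falls through to the next.
    Returns (tier, rule name, action); the final fall-through is the default deny."""
    for tier in TIER_ORDER:
        for rule in policy.get(tier, ()):
            if rule.matches(pkt):
                return tier, rule.name, rule.action
    return "default", "default-deny", "drop"


class Firewall:
    """Flow lookup before policy: packets on an established flow skip the ACLs,
    and only an accepted new flow is entered into the flow table."""

    def __init__(self, policy: dict):
        self.policy = policy
        self.flows = set()

    def process(self, pkt: Packet):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if key in self.flows:
            return "flow", "established", "accept"
        tier, name, action = evaluate(pkt, self.policy)
        if action == "accept":
            self.flows.add(key)        # flow create
        return tier, name, action


# Constructed demo policy (documentation address ranges, invented rule names).
DEMO_POLICY = {
    "global": [
        Rule("block-rfc1918-from-outside", "drop", src="10.0.0.0/8"),
        Rule("allow-monitoring-icmp", "accept", src="198.51.100.0/24", proto="icmp"),
    ],
    "route_domain": [
        Rule("no-telnet", "reject", proto="tcp", dport=23),
    ],
    "listener": [
        Rule("web-vip-https", "accept", dst="203.0.113.10/32", proto="tcp", dport=443),
        Rule("web-vip-http", "accept", dst="203.0.113.10/32", proto="tcp", dport=80),
    ],
}

if __name__ == "__main__":
    fw = Firewall(DEMO_POLICY)
    for pkt in (Packet("192.0.2.5", "203.0.113.10", "tcp", 443),
                Packet("192.0.2.5", "203.0.113.10", "tcp", 443),
                Packet("192.0.2.5", "203.0.113.10", "tcp", 8080)):
        print(pkt, "->", fw.process(pkt))
```

Note that the global and route-domain tiers have no default deny of their own: a packet they do not mention is not accepted by them, it simply reaches the listener tier, and only the end of the chain drops it. That is why an "allow" rule placed in an early tier short-circuits everything after it and should be written as narrowly as the monitoring rule above.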

Today: AFM, Advanced Firewall Manager. Consolidating Security Functions (anti-DDoS, firewall, load balancer)

•  Traditional firewalls limited in SSL scaling
•  Limited DDoS protection
•  Management headache across devices
•  Traditional firewall does not have the logical integration to provide an app-centric view

•  AFM = Network and session anti-DDoS, firewall + traffic management, SSL inspection
•  Layer 3-7
•  High performance and flexible
•  Achieve 4X cost reduction