Application Delivery Firewall Customer...
Transcript of Application Delivery Firewall Customer...
2 © F5 Networks, Inc.
Maintaining Security Is Challenging
Four pressures: webification of apps, device proliferation, evolving security threats, and a shifting perimeter.
• 71% of internet experts predict most people will do work via web or mobile by 2020.
• 95% of workers use at least one personal device for work.
• 130 million enterprises will use mobile apps by 2014.
• 58% of all e-theft tied to activist groups; 81% of breaches involved hacking.
• 80% of new apps will target the cloud.
• 72% of IT leaders have moved or will move applications to the cloud.
3 © F5 Networks, Inc.
Your Business Needs
• To scale: scale for a work-anywhere / SSL-everywhere world.
• To secure: security for applications and data against sustained attacks.
• To simplify: simplification of point solutions and complex firewall configurations.
4 © F5 Networks, Inc.
Introducing F5’s Application Delivery Firewall: aligning applications with firewall security
One platform: SSL inspection, traffic management, DNS security, access control, application security, network firewall, DDoS mitigation.
Certification: EAL2+; EAL4+ (in process).
5 © F5 Networks, Inc.
A Firewall Built for the Data Center
“Next generation” firewall (corporate, users) characteristics:
• Outbound user inspection
• UserID and AppID
• Who is doing what?
• 1K users to 10K websites
• Broad but shallow
F5 application delivery firewall (data center, servers) characteristics:
• Inbound application protection
• Application delivery focus
• 1M users to 100 apps
• Narrow but deep
• Most widely deployed data center protocols
6 © F5 Networks, Inc.
A Firewall Built for the Data Center
“Next generation” firewall (corporate, users): secures user activity on the corporate network. Characteristics:
• Outbound user inspection
• UserID and AppID
• Who is doing what?
• 1K users to 10K websites
• Broad but shallow
F5 application delivery firewall (Internet data center, servers): secures apps wherever they live. Characteristics:
• Inbound application protection
• Application delivery focus
• 1M users to 100 apps
• Narrow but deep
• 12 protocols (HTTP, SSL, etc.)
7 © F5 Networks, Inc.
Superior Performance and Scale
Chart (image not recoverable): bar charts comparing F5 (VIPRION 4480), Juniper (SRX 5800), Cisco (ASA 5585-X) and Check Point (61000) on four axes: throughput (Gbps, scale 0 to 350), connections per second (millions, scale 0 to 200), sessions (millions, scale 0 to 7) and footprint (rack units, scale 0 to 200). The chart carries the callouts 2x, 14x, 22x and 10x.
8 © F5 Networks, Inc.
Firewall Technologies
• A long time ago: firewalls started out as proxies to maximize security.
• And then: stateless filters accelerated firewalls, but weakened security.
• Present day: stateful and next-gen firewalls added security with deep inspection, but still fall short of proxies.
• And now with F5: F5 brings full proxy back to firewalls, the highest security matched by a high-scale and high-performance architecture.
9 © F5 Networks, Inc.
Full Proxy Security
Diagram: the client side and the server side each have their own full stack (physical, network, session, application, web application), with F5 terminating one side and originating the other. Protection at each layer:
• Network: L4 firewall with full stateful policy enforcement and TCP DDoS mitigation
• Session: SSL inspection and SSL DDoS mitigation
• Application: HTTP proxy, HTTP DDoS and application security
• Web application: application health monitoring and performance anomaly detection
10 © F5 Networks, Inc.
F5’s Approach: full proxy security, high-performance hardware, iRules and the iControl API
• TMOS traffic plug-ins
• High-performance networking microkernel
• Powerful application protocol support
• iControl: external monitoring and control
• iRules: network programming language
Diagram: the traffic management microkernel carries protocol plug-ins (IPv4/IPv6, SSL, TCP, HTTP); optional modules (APM, Firewall, ...) plug in for all F5 products and solutions. The proxy has a client side (SSL, TCP, HTTP) and a server side (SSL, TCP, OneConnect, HTTP).
11 © F5 Networks, Inc.
Application-Oriented Policies and Reports
Firewall policies and reports oriented around the application
12 © F5 Networks, Inc.
Application Delivery Firewall
iRules extensibility everywhere
Products
Advanced Firewall Manager
• Stateful full-proxy firewall
• Flexible logging and reporting
• Native TCP, SSL and HTTP proxies
• Network and Session anti-DDoS
Access Policy Manager
• Dynamic, identity-based access control
• Simplified authentication infrastructure
• Endpoint security, secure remote access
Local Traffic Manager
• #1 application delivery controller
• Application fluency
• App-specific health monitoring
Application Security Manager
• Leading web application firewall
• PCI compliance
• Virtual patching for vulnerabilities
• HTTP anti-DDoS
• IP protection
Global Traffic Manager & DNSSEC
• Huge scale DNS solution
• Global server load balancing
• Signed DNS responses
• Offload DNS crypto
IP Intelligence
• Context-aware security
• IP address categorization
• IP address geolocation
Functions across the platform: SSL inspection, traffic management, DNS security, access control, application security, network firewall, DDoS mitigation.
13 © F5 Networks, Inc.
PROTECTING THE DATA CENTER Use case
• Consolidation of firewall, app security, traffic management
• Protection for data centers and application servers
• High scale for the most common inbound protocols
Diagram, before F5 vs. with F5: load balancer, DNS security, network DDoS, web application firewall, web access management, load balancer & SSL, application DDoS, and firewall shown as separate functions, consolidated with F5.
15 © F5 Networks, Inc.
DDoS MITIGATION Use case
Attacks and the F5 mitigation technologies, arranged against the OSI stack (Application 7, Presentation 6, Session 5, Transport 4, Network 3, Data Link 2, Physical 1); the slide notes increasing difficulty of attack detection across the layers.
Application attacks: Slowloris, Slow Post, HashDos, GET floods.
  Mitigation, BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.
Session attacks: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation.
  Mitigation, BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.
Network attacks: SYN flood, connection flood, UDP flood, Push and ACK floods, Teardrop, ICMP floods, Ping floods and Smurf attacks.
  Mitigation, BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
• Protect against DDoS at all layers: 38 vectors covered
• Withstand the largest attacks
• Gain visibility and detection of SSL-encrypted attacks
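The slide lists SynCheck against SYN floods, and slide 36 notes that SYN cookie protection is moved into hardware on some platforms, but neither shows what a SYN cookie does. The following is an added example, not F5 code and not SynCheck's implementation: a stateless SYN cookie in Python. The server packs a time slot, the client's MSS and a keyed MAC into the ISN it returns in the SYN-ACK, stores nothing for the half-open connection, and creates state only when a returning ACK carries a cookie that verifies. The secret key, the 64-second slot size, the MSS table and the addresses are constructed for the example.

```python
import hashlib
import hmac
import time

# Secret for the cookie MAC (constructed for this example; a real
# implementation keeps it private and rotates it).
SECRET = b"example-syn-cookie-secret"

# Client MSS values that fit in the 3-bit MSS field of the cookie.
MSS_TABLE = [536, 1300, 1440, 1460]

COUNTER_SECONDS = 64  # one time slot is 64 s; slots are kept modulo 32 (5 bits)


def _slot(now):
    return int(now // COUNTER_SECONDS) & 0x1F


def _mss_index(mss):
    """Largest table entry not exceeding the client's MSS (index 0 if none)."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def _mac24(src_ip, src_port, dst_ip, dst_port, slot, mss_idx):
    """24-bit keyed MAC over the 4-tuple, time slot and MSS index."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}|{mss_idx}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, mss, now=None):
    """Server ISN for the SYN-ACK: 5-bit time slot, 3-bit MSS index, 24-bit MAC.
    Nothing about the half-open connection is stored, so a flood of spoofed
    SYNs cannot fill a connection table."""
    slot = _slot(time.time() if now is None else now)
    mss_idx = _mss_index(mss)
    mac = int.from_bytes(_mac24(src_ip, src_port, dst_ip, dst_port, slot, mss_idx), "big")
    return (slot << 27) | (mss_idx << 24) | mac


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now=None):
    """Validate the third handshake packet. Returns the negotiated MSS, or None
    if the cookie is stale, forged, or belongs to a different 4-tuple."""
    isn = (ack_num - 1) & 0xFFFFFFFF
    slot = isn >> 27
    mss_idx = (isn >> 24) & 0x7
    mac = (isn & 0xFFFFFF).to_bytes(3, "big")
    cur = _slot(time.time() if now is None else now)
    if (cur - slot) & 0x1F > 1:  # accept only the current and previous slot
        return None
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, slot, mss_idx)
    if not hmac.compare_digest(mac, expected):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed 4-tuple; a fixed clock keeps the run reproducible.
    tup = ("198.51.100.7", 40000, "203.0.113.5", 443)
    isn = make_syn_cookie(*tup, mss=1460, now=1000.0)
    print("ISN sent in SYN-ACK:", hex(isn))
    print("genuine ACK validates, MSS =", check_syn_cookie(*tup, isn + 1, now=1010.0))
    print("ACK after 3 slots validates:", check_syn_cookie(*tup, isn + 1, now=1192.0))
    print("ACK from another source validates:",
          check_syn_cookie("198.51.100.8", 40000, "203.0.113.5", 443, isn + 1, now=1010.0))
```

Only a client that actually received the SYN-ACK can return the cookie, which is why the scheme defeats source-spoofed floods; the cost is that TCP options not encoded in the cookie are lost, which is the usual reason real stacks enable cookies only once the backlog is under pressure.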
16 © F5 Networks, Inc.
SSL INSPECTION Use case
• Gain visibility and detection of SSL-encrypted attacks
• Achieve high-scale/high-performance SSL proxy
• Offload SSL: reduce load on application servers
Diagram: SSL connections on the client and server sides of the inspecting proxy.
18 © F5 Networks, Inc.
DNS SECURITY Use case
• Consolidated firewall and DNS service
• High performance, scalable DNS
• Secure queries with DNSSEC
Before F5: 65,000 concurrent queries; the diagram shows a client resolving http://www.f5.com with an unverified ("?") answer, exposed to cache poisoning, DNS spoofing, man in the middle, and DDoS.
With F5: secure and available DNS infrastructure, up to 6 million concurrent queries.
19 © F5 Networks, Inc.
ENHANCING WEB ACCESS MANAGEMENT Use case
• Proxy the web applications to provide authentication, authorization, endpoint inspection, and more, all tying into Layer 4-7 ACLs through F5’s Visual Policy Editor
Diagram: the access policy created in the Visual Policy Editor checks corporate domain membership, latest AV software, current O/S and user role (Administrator, User = HR) against an AAA server; HR is the example user group.
20 © F5 Networks, Inc.
RAPID VIRTUAL PATCHING: SOFTWARE DEV. LIFECYCLE (SDLC)
SDLC stages: project planning, requirements definition, design, development, integration & test, installation & acceptance.
• Decouple security from the SDLC
• Address new vulnerabilities immediately
• Ensure PCI compliance
• Incorporate vulnerability assessment into the SDLC
• Use business logic to address known vulnerabilities
• Allow resources to create value
21 © F5 Networks, Inc.
Protection from Vulnerabilities: enhanced integration of BIG-IP ASM and WhiteHat Sentinel
Flow: the vulnerability scanner (WhiteHat Sentinel; Qualys, IBM and Cenzic scanners are also supported) finds a vulnerability on the customer website; BIG-IP Application Security Manager applies a virtual patch with one click.
• Vulnerability checking, detection and remediation
• Complete website protection
• Verify, assess, resolve and retest in one UI
• Automatic or manual creation of policies
• Discovery and remediation in minutes
22 © F5 Networks, Inc.
IP INTELLIGENCE
Diagram: the IP intelligence service (IP address feed updates every 5 min) and a geolocation database sit in front of custom and financial applications. Request sources classified: internally infected devices and servers, botnet, attacker, anonymous requests, anonymous proxies, scanner, restricted region or country.
24 © F5 Networks, Inc.
Slash Response Times
Timeline (DevCentral example):
• Help needed: a user asks on DevCentral for help to avoid an exploit on Apache.
• One hour later: F5 validates and posts a fix.
• One hour later: the customer deployed and validated the fix.
• One week later: Apache releases a fix.
• One week later: testing and rollout still needs to take place.
Extensibility delivers protection sooner.
26 © F5 Networks, Inc.
iRules with Security: HashDos (Post of Doom)
The “HashDos—Post of Doom” vulnerability affects all major web servers and application platforms. A single DevCentral iRule mitigates the vulnerability for all back-end services, so staff can schedule patches for the back-end services on their own timeline.
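The slide says one iRule in front of the servers mitigates HashDos for every back end, but it does not show the mechanism. HashDos sends a POST body carrying thousands of form field names that collide in the receiving platform's hash table, so each insert degrades to a scan and one request burns seconds of CPU; a proxy-side mitigation therefore bounds how many fields a body may carry before any parser sees it. The following added example (Python, not the DevCentral iRule and not F5 code) shows the unbounded parser beside a guarded one that counts separators first; the limits and sample bodies are constructed.

```python
from urllib.parse import parse_qsl

# Limits are assumptions for this example, not F5 or DevCentral defaults.
MAX_PARAMS = 1000
MAX_BODY_BYTES = 1_000_000


class RequestRejected(Exception):
    """Raised when a request body exceeds the configured limits."""


def naive_parse_form(body: bytes) -> dict:
    """Unbounded parsing: every field is split and inserted into a dict.
    On a platform whose string hash the client can predict, thousands of
    colliding keys make each insert a linear scan, so total work grows
    quadratically with the field count. (CPython randomizes str hashing,
    so the collisions must be aimed at the actual back-end platform.)"""
    return dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))


def count_form_params(body: bytes) -> int:
    """Count form fields without decoding or hashing anything: one pass over
    the bytes, so the cost is linear in the body size whatever the keys are."""
    if not body:
        return 0
    return body.count(b"&") + 1


def guarded_parse_form(body: bytes, max_params: int = MAX_PARAMS,
                       max_bytes: int = MAX_BODY_BYTES) -> dict:
    """Cheap checks first, then parse. The separator count bounds how many
    hash insertions the parser behind the proxy can be made to perform."""
    if len(body) > max_bytes:
        raise RequestRejected(f"body of {len(body)} bytes exceeds {max_bytes}")
    n = count_form_params(body)
    if n > max_params:
        raise RequestRejected(f"{n} form parameters exceed limit of {max_params}")
    # Second line of defence: parse_qsl's own max_num_fields (Python 3.8+)
    # raises ValueError if the parser still sees more fields than allowed.
    return dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                          max_num_fields=max_params))


def form_body_allowed(body: bytes, max_params: int = MAX_PARAMS) -> bool:
    """The policy decision a proxy makes: True means forward to the back end."""
    try:
        guarded_parse_form(body, max_params=max_params)
        return True
    except (RequestRejected, ValueError):
        return False


if __name__ == "__main__":
    # Constructed bodies: an ordinary form and a 5,000-field flood.
    normal = b"user=alice&action=save&note=hello"
    flood = b"&".join(b"k%d=v" % i for i in range(5000))
    print("normal body parsed:", guarded_parse_form(normal))
    print("normal body allowed:", form_body_allowed(normal))
    print("flood body allowed:", form_body_allowed(flood))
```

The separator count is the whole point: it is computed from the raw bytes before any key is hashed, so the decision to reject costs the same whether or not the field names collide, which is what lets a single front-end rule protect back ends written for different platforms.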
27 CONFIDENTIAL © F5 Networks, Inc.
Security TAP Partners (categories): multi-factor authentication; DAST; certificates and encryption; endpoint inspection / AV; web access management; anti-fraud / secure browser; DB firewall; DNS security and SBS; FIPS/HSM security; mobile device management; mobile OS; web and SaaS security; security change management; SIEM.
28 © F5 Networks, Inc.
F5 Delivers to Support Your Needs
• Increased scale and performance: industry-leading capacity and throughput.
• Higher security: full-proxy security, SSL inspection, and extensibility with iRules.
• Operational efficiency: consolidation of functions and an application-centric security model.
29 © F5 Networks, Inc.
devcentral.f5.com facebook.com/f5networksinc linkedin.com/companies/f5-networks twitter.com/f5networks youtube.com/f5networksinc
www.F5.com
30 © F5 Networks, Inc.
Hardware with a Purpose: best-of-breed application delivery architecture
TMOS is the implementation of software on hardware that includes physical, virtual and hybrid deployments. This creates the most flexible, advanced application delivery.
F5 Physical ADCs: high-performance and specialized hardware. Physical ADC is best for: fastest performance; SSL offload; workload isolation; consolidation; edge and front door services; edge security speeds and feeds.
F5 vCMP or virtual editions: vADC or virtual editions provide flexible deployment options for virtual environments. Virtual ADC is best for: accelerated deployment; private and public cloud environments; application or tenant-based pods; lab, test and QA deployments; keeping security with the application.
Physical ADCs + vADCs = F5 dynamic infrastructure, the ultimate in flexibility and performance. Hybrid ADC is best for: complete integrated Application Delivery Network; tethered deployments; symmetric ADC services; federated authentication.
31 CONFIDENTIAL © F5 Networks, Inc.
Multi-tenancy: partition vs. virtualization
Diagram: with partitions, a single OS on the hardware is divided into Partition 1 to 4; with virtualization, the hardware hosts Instance 1 to 4, each with its own OS.
Feature: resource allocation. Partition: shared / flexible. Virtualization: static / dedicated.
Feature: operating system. Partition: single shared. Virtualization: multiple unique.
32 CONFIDENTIAL © F5 Networks, Inc.
The Solution: vCMP, the best of both worlds (BIG-IP version 11.x)
Diagram: on one hardware platform several TMOS guests run side by side (for example BIG-IP LTM; BIG-IP LTM with BIG-IP ASM; BIG-IP GTM with BIG-IP ASM), and each guest is itself divided into route domains and partitions (RD 1 / Partition 1, RD 1 / Partition 2, ...).
All multi-tenancy benefits
• Resource management
• VLANs/route domains
• Administrative partitions
• Rate shaping
All virtualization benefits
• Isolated BIG-IP system guests
• Performance guarantees
• Independent versioning
• Increased utilization
Simplified licensing
Streamlined deployment
• No other virtual infrastructure required!
33 © F5 Networks, Inc.
Unmatched Performance
Security modules can be plugged into the hardware and the VE.
Chart: L7 requests per second (Inf-Inf), scale 0 to 7,000,000, across BIG-IP 1600, 3600, 3900, 6900, 8900, 8950, 11050, VIPRION 2400 and VIPRION 4400. Figures called out on the slide:
• BIG-IP 1600: 100k L7 RPS, 60K L4 CPS, 1G L7/L4 throughput
• BIG-IP 3600: 135k L7 RPS, 115K L4 CPS, 2G L7/L4 throughput
• BIG-IP 3900: 400k L7 RPS, 175K L4 CPS, 4G L7/L4 throughput
• BIG-IP 6900: 600k L7 RPS, 220K L4 CPS, 6G L7/L4 throughput
• BIG-IP 8900/8950: 1.9M L7 RPS, 800K L4 CPS, up to 20G throughput
• BIG-IP 11000/11050: 2.5M L7 RPS, 1M L4 CPS, up to 42G throughput
34 © F5 Networks, Inc.
DDoS Attacks Exhaust Network Resources
Diagram: the request path runs BANDWIDTH >> PACKET >> CONNECTION >> OS >> HTTP(s) >> APP (PHP/ASP) >>> DB, through the bandwidth carriers (ISP’s bandwidth, then your bandwidth), firewall, DDoS appliance, app accelerator, load balancer, web servers and database. Exhaustion points called out along the path:
• State table: IPs; too many connections; TCP flood; ACL performance degrade
• Negative caching; proxy bypass
• Connection flood; memory exhaustion; thread jam (many)
• CPU (many); database load; thread jam; log attack; memory exhaustion
• Low & slow; Layer 7, random; Layer 7, logical
35 © F5 Networks, Inc.
Splunk Integration: application-centric SIEM
• F5 reporting to Splunk
• Start with application-centric views and drill down to more details
• At-a-glance visibility and intelligence for ADF’s context-aware security
Views shown: high level, detailed, very detailed.
36 © F5 Networks, Inc.
Firewall Packet Processing
Packet path: I/O, DAG, HSB, ETH input, VLAN input, IP input, then flow lookup against the flow table.
• Flow exists (or an existing match for an ALG): the packet continues to LTM + ASM + APM + GTM processing.
• No flow exists: policy and action matching runs through the rule contexts below, and a flow is created if the packet is accepted as a new flow.
Rule contexts, in the order shown on the slide: global ACLs, route domain ACLs, ephemeral listener, listener ACLs. Per-context notes as extracted, in the same order: "rules processed in order*", "rules processed in order", "rules processed in LMF", "rules processed in order"; default-deny notes: "no default deny", "no default deny", "default deny", "default deny".
Actions: accept, accept new flow, tunnel, drop, reject. If no policy/action matches, then the packet is dropped.
DAG = “Disaggregator”: chooses the appropriate traffic management microkernel (TMM) CPU.
HSB = high-speed bridge (backplane).
FPGA/ASIC: SYN cookie protection is moved into hardware for some platforms.
*Order: see the per-context notes above.
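To make the ordering in the diagram concrete, here is an added simulation in Python (not F5 code and not how TMM implements this) of the packet path described above: flow-table lookup first, then the global, route domain and listener rule contexts evaluated in order with the first matching rule deciding, no default deny in the first two contexts, default deny once the listener context is exhausted, a drop when no listener exists for the packet, and a flow entry created on accept. The rules, addresses and listener set are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                   # "accept", "drop" or "reject"
    src: str = "0.0.0.0/0"        # source network the rule applies to
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def first_match(rules, pkt):
    """Rules processed in order: the first matching rule's action wins."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


class Firewall:
    def __init__(self, global_rules, route_domain_rules, listeners):
        self.global_rules = global_rules
        self.route_domain_rules = route_domain_rules
        self.listeners = listeners    # {(proto, dport): [Rule, ...]}
        self.flow_table = set()       # established flows keyed by 5-tuple

    def process(self, pkt: Packet):
        """Return (verdict, stage) for one packet, updating the flow table."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key in self.flow_table:
            return "accept", "flow-table"   # existing flow: no ACL evaluation
        # Global and route domain contexts: no default deny, so a miss falls
        # through to the next context instead of dropping the packet.
        for stage, rules in (("global", self.global_rules),
                             ("route-domain", self.route_domain_rules)):
            action = first_match(rules, pkt)
            if action is not None:
                return self._finish(action, stage, key)
        listener_rules = self.listeners.get((pkt.proto, pkt.dport))
        if listener_rules is None:
            return "drop", "no-listener"    # nothing listens: packet is dropped
        action = first_match(listener_rules, pkt)
        if action is None:
            return "drop", "listener-default-deny"
        return self._finish(action, "listener", key)

    def _finish(self, action, stage, key):
        if action == "accept":
            self.flow_table.add(key)        # flow create: later packets skip ACLs
        return action, stage


def build_demo_firewall() -> Firewall:
    """Constructed policy for the demonstration, not a real deployment."""
    return Firewall(
        global_rules=[Rule("drop", src="198.51.100.0/24")],          # blocked range
        route_domain_rules=[Rule("reject", proto="tcp", dport=23)],  # no telnet here
        listeners={
            ("tcp", 443): [Rule("accept", proto="tcp", dport=443)],
            ("tcp", 22): [Rule("accept", src="10.0.0.0/8", proto="tcp", dport=22)],
        },
    )


if __name__ == "__main__":
    fw = build_demo_firewall()
    for pkt in (Packet("198.51.100.9", "203.0.113.10", "tcp", 40000, 443),
                Packet("203.0.113.4", "203.0.113.10", "tcp", 40001, 443),
                Packet("203.0.113.4", "203.0.113.10", "tcp", 40001, 443),
                Packet("203.0.113.4", "203.0.113.10", "tcp", 40002, 22),
                Packet("203.0.113.4", "203.0.113.10", "udp", 40003, 53),
                Packet("10.1.2.3", "203.0.113.10", "tcp", 40004, 23)):
        print(pkt.src, pkt.proto, pkt.dport, "->", fw.process(pkt))
```

The stage returned with each verdict is what a firewall log should record: a packet dropped by the global context and one dropped by the listener's implicit deny look identical on the wire, and telling them apart is what makes the policy debuggable.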
37 © F5 Networks, Inc.
Today: AFM, Advanced Firewall Manager
Consolidating Security Functions: anti-DDoS, firewall and load balancer on one platform
• Traditional firewalls limited in SSL scaling
• Limited DDoS protection
• Management headache across devices
• Traditional firewall does not have the logical integration to provide an app-centric view
• AFM = network and session anti-DDoS, firewall + traffic management, SSL inspection
• Layer 3-7, high performance and flexible
• Achieve 4X cost reduction