Holistic Protection of Data Centers, Web Servers and Applications

Technical Workshop 2014

ETK networks solution GmbH and CMS IT-Consulting GmbH


The evolution of attackers

Timeline 2007–2013, moving from script kiddies through the rise of hacktivism to cyber war:

• January 2008: Anonymous executes a series of high-profile DDoS attacks against the Church of Scientology.

• December 2010: WikiLeaks supporters hit PayPal, Visa, Mastercard, and other financial sites with DDoS attacks.

• April 2011: Attackers use a DDoS attack against Sony to mask the theft of millions of customer records.

• April 2012: Anonymous knocks down the sites of the U.S. Dept. of Justice, the CIA, and the British Secret Intelligence Service.

• September 2012: Syrian Cyber Fighters launch Operation Ababil with DDoS attacks on 13 U.S. banks to protest an anti-Muslim video.

Attack types and targets are expanding

[Figure: bubble chart of incidents by month, May to December 2012, coded by attack type (legend entries include Spear Phishing, Physical Access, XSS). Size of circle estimates relative impact of incident in terms of cost to business.]

Attack types and targets are expanding

[Figure: bubble chart of incidents by month, January to June 2013, each bubble labeled with the target sector (Bank, Gov, Online Services, News & Media, Edu, Telco, DNS Provider, Software, Non-Profit, Industrial, Auto, Consumer Electronics, Retail, Utility, Food Service, Health, Gaming, Entertainment, Airport, E-comm, Global Delivery) and coded by attack type (legend entries include Spear Phishing, Physical Access, Unknown). Size of circle estimates relative impact of incident in terms of cost to business.]

More sophisticated attacks are multi-layer

• Application

• SSL

• DNS

• Network

Application Reconnaissance

Goal of layer-7 DDoS reconnaissance

• Obtain list of site URIs

• Sort by time-to-complete (CPU cost)

• Sort list by megabytes (Bandwidth)

Spiders that will do this are for rent on the Internet

• Though they are often known to the security community

• Can be done with a simple wget script

# wget -r --wait=1 -nv https://the.target.com
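A defender can build the same two rankings from the site's own access logs and use them to decide which URIs need caching or rate limits first, and to spot clients that walk the whole site. The following is an added example, not part of the original slides; it assumes nginx "combined" logs with `$request_time` appended, the function names are hypothetical, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed log format: nginx "combined" with $request_time appended as last field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} (?P<size>\d+|-) "[^"]*" "[^"]*" (?P<rt>\d+\.\d+)$'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.20 - - [12/Mar/2014:10:00:00 +0000] "GET / HTTP/1.1" 200 8000 "-" "Mozilla/5.0" 0.020
198.51.100.20 - - [12/Mar/2014:10:00:05 +0000] "GET /products HTTP/1.1" 200 12000 "-" "Mozilla/5.0" 0.050
198.51.100.20 - - [12/Mar/2014:10:00:09 +0000] "GET / HTTP/1.1" 200 8000 "-" "Mozilla/5.0" 0.018
203.0.113.7 - - [12/Mar/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 8000 "-" "Wget/1.14 (linux-gnu)" 0.022
203.0.113.7 - - [12/Mar/2014:10:00:02 +0000] "GET /products HTTP/1.1" 200 12000 "-" "Wget/1.14 (linux-gnu)" 0.050
203.0.113.7 - - [12/Mar/2014:10:00:03 +0000] "GET /search?q=a HTTP/1.1" 200 4000 "-" "Wget/1.14 (linux-gnu)" 2.300
203.0.113.7 - - [12/Mar/2014:10:00:04 +0000] "GET /reports/export.pdf HTTP/1.1" 200 5242880 "-" "Wget/1.14 (linux-gnu)" 0.400
203.0.113.7 - - [12/Mar/2014:10:00:05 +0000] "GET /login HTTP/1.1" 200 3000 "-" "Wget/1.14 (linux-gnu)" 0.030
this line is malformed and is skipped
""".splitlines()


def parse(lines):
    """Yield (client_ip, path, seconds, bytes) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # ignore lines that do not match the assumed format
        size = 0 if m["size"] == "-" else int(m["size"])
        # Drop the query string so /search?q=a and /search?q=b aggregate together.
        yield m["ip"], urlsplit(m["target"]).path, float(m["rt"]), size


def rank_uris(lines):
    """Return (by_cpu, by_bandwidth): per-URI averages, most expensive first."""
    stats = defaultdict(lambda: [0, 0.0, 0])  # hits, total seconds, total bytes
    for _ip, path, seconds, size in parse(lines):
        entry = stats[path]
        entry[0] += 1
        entry[1] += seconds
        entry[2] += size
    rows = [
        {"uri": p, "hits": n, "avg_seconds": t / n, "avg_bytes": b / n}
        for p, (n, t, b) in stats.items()
    ]
    by_cpu = sorted(rows, key=lambda r: r["avg_seconds"], reverse=True)
    by_bandwidth = sorted(rows, key=lambda r: r["avg_bytes"], reverse=True)
    return by_cpu, by_bandwidth


def enumerating_clients(lines, min_distinct=4, min_unique_ratio=0.9):
    """Clients that fetched many distinct URIs, almost none of them twice."""
    seen, total = defaultdict(set), defaultdict(int)
    for ip, path, _seconds, _size in parse(lines):
        seen[ip].add(path)
        total[ip] += 1
    return sorted(
        ip for ip in seen
        if len(seen[ip]) >= min_distinct
        and len(seen[ip]) / total[ip] >= min_unique_ratio
    )


if __name__ == "__main__":
    cpu, bandwidth = rank_uris(SAMPLE_LOG)
    print("Slowest URIs:", [(r["uri"], round(r["avg_seconds"], 3)) for r in cpu[:3]])
    print("Largest URIs:", [(r["uri"], int(r["avg_bytes"])) for r in bandwidth[:3]])
    print("Site-walking clients:", enumerating_clients(SAMPLE_LOG))
```

The thresholds in `enumerating_clients` are illustrative and need tuning against a site's normal browsing patterns.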

Sixty-five percent [of surveyed organizations] reported experiencing an average of three DDoS attacks in the past 12 months, with an average downtime of 54 minutes.

– 2012 Ponemon Institute Survey

The business impact of DDoS

• Cost of corrective action

• Reputation management


Which DDoS technology to use?

CLOUD/HOSTED SERVICE

Content delivery network

Communications service provider

Cloud-based DDoS service

ON-PREMISES DEFENSE

Network firewall with SSL inspection

Web application firewall

On-premises DDoS solution

Intrusion detection/prevention

Which DDoS technology to use?

CLOUD/HOSTED SERVICE

STRENGTHS

• Completely off-premises so DDoS attacks can’t reach you

• Amortized defense across thousands of customers

• DNS anycast and multiple data centers protect you

WEAKNESSES

• Customers pay, whether attacked or not

• Bound by terms of service agreement

• Solutions focus on specific layers (not all layers)

ON-PREMISES DEFENSE

STRENGTHS

• Direct control over infrastructure.

• Immediate mitigation with instant response and reporting.

• Solutions can be architected to scale independently of one another.

WEAKNESSES

• Many point solutions in market, few comprehensive DDoS solutions.

• Can only mitigate up to max inbound connection size

• No other value. Only providing benefit when you get attacked. (excludes F5)

HYBRID MODEL CLOUD AND ON-PREM

STRENGTHS

• Completely off-premises so DDoS attacks can’t reach you

• Amortized defense across thousands of customers

• DNS anycast and multiple data centers protect you

• Direct control over infrastructure.

• Immediate mitigation with instant response and reporting.

• Solutions can be architected to scale independently of one another.


How does F5 on-premise protect against DDoS attacks?

Security/DDoS Taxonomy

OSI layers shown, with difficulty increasing toward the application layer: Physical, Data Link, Network, Transport, Session, Presentation, Application

• Network: SYN floods, connection floods, UDP floods, PUSH and ACK floods, teardrop, ICMP floods, ping floods, and smurf attacks

• Session: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation

• Application: OWASP Top 10 (SQL injection, XSS, CSRF, etc.), Slowloris, Slow POST, HashDos, GET floods

“As attackers employ ever more sophisticated DDoS techniques it is imperative that organizations rethink their DDoS response strategy to provide comprehensive, multi-layer DDoS mitigation”

DDoS protection reference architecture

[Figure: reference architecture diagram. Traffic sources: legitimate users, DDoS attackers, scanners, anonymous proxies, anonymous requests, botnet attackers. Upstream: multiple ISP strategy (ISPa/b) and a cloud scrubbing service. Tier 1 (network and DNS) is labeled with network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning). Tier 2 (application) is labeled with SSL attacks (SSL renegotiation, SSL flood) and HTTP attacks (Slowloris, slow POST, recursive POST/GET). Behind the tiers: financial services, e-commerce and subscriber applications; corporate users with a next-generation firewall and IPS. Threat feed intelligence is attached to both tiers. Caption: Strategic Point of Control.]

DDoS reference architecture

[Figure: the DDoS protection reference architecture diagram.]

TIER 1 KEY FEATURES

• The first tier at the perimeter is layer 3 and 4 network firewall services

• Simple load balancing to a second tier

• IP reputation database

• Mitigates volumetric and DNS DDoS attacks


DDoS reference architecture

[Figure: the DDoS protection reference architecture diagram.]

TIER 2 KEY FEATURES

• The second tier is for application-aware, CPU-intensive defense mechanisms

• SSL termination

• Web application firewall

• Mitigate asymmetric and SSL-based DDoS attacks


How does F5 off-premise protect against DDoS attacks?

F5 Solution Mapping

[Figure: mapping of F5 products to layers. On-prem: Network and Session layers: AFM, LTM, GTM; Application layer: ASM, LTM + iRule. Off-prem: F5 Silverline.]

Logical Multilayer Architecture

[Figure: logical architecture diagram. Legitimate users and DDoS attackers arrive through a multiple ISP strategy (ISPa/b). Tier 1 (Network, Session): AFM, LTM, GTM. Tier 2 (Application): ASM, LTM + iRule. Tier 3: F5 Silverline. Behind the tiers: financial services, e-commerce and subscriber applications; corporate users with a next-generation firewall and IPS.]

[Figure: Tier 1 (Network, Session): AFM, LTM, GTM. Tier 2 (Application): ASM, LTM + iRule. Tier 3: F5 Silverline. The feature lists below follow the same order.]

AFM

• TMOS – CMP/Proxy/Default Deny

• IP Intelligence – IP Blacklist Feed

• SYN Check – SYN Flood protection (Hardware based >= BIG-IP 5000s)

• Strict TCP Forwarding – Mitigates transport layer violations

• Rate limiting

LTM

• All of the above

• iRules programmability

• SSL Termination

• Hardware based

• Version enforcement

• Renegotiation Validation

• Protocol awareness

• HTTP

• DNS Express/DNS Services

GTM

• IP Anycast – Globally distribute DNS traffic (Global CMP)

• IP Intelligence – IP Blacklist Feed

• DNS Express – CMP enabled DNS server

• DNS iRules – Offensive capability (respond 127.0.0.1?)

ASM

• IP Intelligence

• DAST Integration

• HTTP DDoS Detection/Mitigation

• Server performance anomaly detection

• HTTP Rate Limiting

• Client side defense

• Bot detection

LTM + iRule

• In the Application layer LTM provides functionality by leveraging iRules

F5 Silverline

• F5 Acquisition (Defense.net)

• Cloud based service

• Always-on or On-demand service

• Available now

• Expanding service offerings

Good | Better | Best: Delivering Greater Customer Value

Good | Better | Best Offerings

• BIG-IP Local Traffic Manager

• BIG-IP Global Traffic Manager

• BIG-IP Application Acceleration Manager

• BIG-IP Advanced Firewall Manager

• SDN Services

• Advanced Routing

• BIG-IP Access Policy Manager

• BIG-IP Application Security Manager

Customer Benefits

• FLEXIBILITY: Make it easier to adopt advanced F5 functionality

• SIMPLICITY: Consolidate into fewer common configurations

• BEST VALUE: Save up to 65% lower prices vs. buying as components

[Figure: two bar charts, "200M VE Price Comparison ($K)" and "4200v System Price Comparison ($K)", comparing Good, Better and Best when Bought As Bundle vs. Bought As Components.]

Logical Multilayer Architecture

[Figure: the logical multilayer architecture diagram (Tier 1: Network, Session: AFM, LTM, GTM; Tier 2: Application: ASM, LTM + iRule; Tier 3: F5 Silverline), annotated with the F5 BIG-IP Better License and the F5 BIG-IP Best License.]

Conclusion

• Comprehensive DDoS protection requires a multi-layer approach

• Your existing F5 products can be leveraged to great effect

• Small additions (DNS Express, IP Intelligence) have a high return on investment

• New F5 services allow you to quickly deploy off-prem protection

• We focused today on DDoS; however this same architecture could be applied to generalized L4-7 application security

Key customer benefits

• Maintain application availability

• Save money for your company

• Protect network infrastructure

• Safeguard your brand reputation

• Defend against targeted attacks

• Stay one step ahead

ALL BACKED BY WORLD-CLASS SUPPORT AND PROFESSIONAL SERVICES


Next steps

• Participate in information-sharing with your solution providers.

• Work toward an Open DDOS Protection Alliance (the OWASP for DDoS).

• Start asking vendors questions about interoperability.

• Develop an organizational preparedness plan for DDoS.

Key Resources

• DDoS Runbook: 10 Steps to Prep for DDoS

https://blog.whitehatsec.com/checklist-to-prepare-yourself-in-advance-of-a-ddos-attack/

• Best Practices: How to Configure F5 for DDoS Protection

https://f5.com/solutions/architectures/ddos-protection/ddos-exclusive

The F5 DDoS Protection Reference Architecture

f5.com/architectures


Appendix


DDoS Protection - SMB data center deployment

[Figure: deployment diagram. Customers, partners and DDoS attack traffic arrive via ISPa and ISPb; the ISP provides a volumetric DDoS service. One BIG-IP platform, protecting L3–7 and DNS: Network Firewall Services + DNS Services + Web Application Firewall Services + Compliance Control. Employees: users leverage the next-generation firewall (NGFW) for outbound protection. Simplified Business Models (GOOD / BETTER / BEST): BIG-IP Advanced Firewall Manager, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Access Policy Manager, BIG-IP Application Security Manager.]

DDoS Protection - Enterprise data center deployment

[Figure: deployment diagram. Customers, partners and DDoS attack traffic arrive via ISPa and ISPb; the ISP provides a volumetric DDoS service, with a cloud scrubbing service upstream. Tier 1, protecting L3–4 and DNS (BIG-IP platform): Network Firewall Services + DNS Services + Simple Load Balancing to Tier 2 + IP Intelligence (IPI) Module. Tier 2, protecting L7 (BIG-IP platform): Web Application Firewall Services + SSL Termination. SSL can be inspected at either tier. Employees: users leverage the next-generation firewall (NGFW) for outbound protection. Simplified Business Models (GOOD / BETTER / BEST) + IP Intelligence: BIG-IP Advanced Firewall Manager, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Access Policy Manager, BIG-IP Application Security Manager.]

DDoS protection - Large FSI data center deployment

[Figure: deployment diagram. Customers, partners and DDoS attack traffic arrive via a multiple ISP strategy (ISPa, ISPb), with a cloud scrubbing service upstream. Tier 1, protecting L3–4 and DNS: a BIG-IP platform (AFM, LTM) providing Network Firewall Services + Simple Load Balancing to Tier 2, and a BIG-IP platform (GTM) providing DNS Services. Tier 2, protecting L7: a VIPRION platform (ASM, LTM) providing Web Application Firewall Services + SSL Termination, with the IP Intelligence (IPI) Module. SSL inspection at either tier, SSL re-encryption, and a network HSM (FIPS-140). Simplified Business Models (GOOD / BETTER / BEST) + IP Intelligence: BIG-IP Advanced Firewall Manager, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Application Security Manager.]

DDoS Protection - SMB data center deployment

Hybrid platform architecture

[Figure: deployment diagram. Customers, partners and DDoS attack traffic arrive via ISPa and ISPb; the ISP provides a volumetric DDoS service. BIG-IP platform, protecting L3–4 and DNS: Network Firewall Services + DNS Services. Protecting L7: a virtualized Web Application Firewall in front of the web server provides fault isolation + compliance; customers can run VE on the existing hypervisors already supporting their app infrastructure. Employees: users leverage the next-generation firewall (NGFW) for outbound protection. Simplified Business Models (GOOD / BETTER / BEST): BIG-IP Advanced Firewall Manager, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Application Security Manager.]

DDoS Protection - Enterprise data center deployment

Hybrid platform architecture

[Figure: deployment diagram. Customers, partners and DDoS attack traffic arrive via ISPa and ISPb; the ISP provides a volumetric DDoS service, with a cloud scrubbing service upstream. Tier 1, protecting L3–4 and DNS (BIG-IP platform): Network Firewall Services + DNS Services + Simple Load Balancing to Tier 2 + SSL Inspection + IP Intelligence (IPI) Module. Tier 2, protecting L7 and apps: a virtualized Web Application Firewall in front of the web server provides fault isolation + compliance; customers can run VE on the existing hypervisors already supporting their app infrastructure. Employees: users leverage the next-generation firewall (NGFW) for outbound protection. Simplified Business Models (GOOD / BETTER / BEST) + IP Intelligence: BIG-IP Advanced Firewall Manager, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Application Security Manager.]