Transcript of: Ganzheitlicher Schutz von Rechenzentren, Web-Servern und Anwendungen (Holistic protection of data centers, web servers and applications)
Technical Workshop 2014
ETK networks solution GmbH und CMS IT-Consulting GmbH
© F5 Networks, Inc 2
The evolution of attackers
Timeline 2007–2013, labelled from script kiddies, through the rise of hacktivism, to cyber war:
• January 2008: Anonymous executes a series of high-profile DDoS attacks against the Church of Scientology.
• December 2010: WikiLeaks supporters hit PayPal, Visa, Mastercard, and other financial sites with DDoS attacks.
• April 2011: Attackers use a DDoS attack against Sony to mask the theft of millions of customer records.
• April 2012: Anonymous knocks down the sites of the U.S. Dept. of Justice, the CIA, and the British Secret Intelligence Service.
• September 2012: Syrian Cyber Fighters launch Operation Ababil with DDoS attacks on 13 U.S. banks to protest an anti-Muslim video.
Attack types and targets are expanding
Chart (two slides): incidents plotted over May–Dec 2012 and Jan–Jun 2013, each labelled with the target's sector (Bank, Gov, Online Services, News & Media, Telco, Education, Non-Profit, Industrial, Auto, Utility, Retail, Software, Gaming, DNS Provider, Consumer Electronics, Food Service, Healthcare, Airport, Global Delivery, Entertainment, E-commerce) and the attack type (Spear Phishing, Physical Access, XSS, Unknown). Size of circle estimates relative impact of incident in terms of cost to business.
More sophisticated attacks are multi-layer: Application, SSL, DNS, Network.

Application Reconnaissance
Goal of layer-7 DDoS reconnaissance
• Obtain a list of site URIs
• Sort by time-to-complete (CPU cost)
• Sort the list by megabytes (bandwidth)
Spiders for rent on the Internet will do this
• Though they are often known to the security community
• Can be done with a simple wget script (recursive crawl, 1 second between requests, non-verbose log):
# wget -r --wait=1 -nv https://the.target.com
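The defender can build the same two lists (URIs by CPU cost and by bandwidth) from the existing access log, without crawling, and should do so before an attacker's spider does. The script below is an added example and is not F5 code; it assumes a common-log-format line with two extra trailing fields, response bytes and response time in seconds (for example nginx's $body_bytes_sent and $request_time), and the sample lines are constructed.

```python
"""Defender's view of layer-7 DDoS reconnaissance: rank the site's URIs by
server cost from the access log, which is what an attacker's spider would
learn by crawling.  Added example, not F5 code; the log format is assumed:
common log format plus two trailing fields, response bytes and response time
in seconds (e.g. nginx $body_bytes_sent and $request_time)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<seconds>\d+\.\d+)$'
)

# Constructed sample lines (documentation IP range), not a real log.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 0.012
203.0.113.5 - - [10/Oct/2014:13:55:37 +0000] "GET /static/logo.png HTTP/1.1" 200 80210 0.004
203.0.113.5 - - [10/Oct/2014:13:55:38 +0000] "GET /search?q=a HTTP/1.1" 200 61000 1.350
203.0.113.5 - - [10/Oct/2014:13:55:40 +0000] "GET /search?q=b HTTP/1.1" 200 59000 1.210
203.0.113.5 - - [10/Oct/2014:13:55:42 +0000] "GET /reports/annual.pdf HTTP/1.1" 200 9400000 0.900
203.0.113.5 - - [10/Oct/2014:13:55:44 +0000] "GET /login HTTP/1.1" 200 3100 0.020
203.0.113.5 - - [10/Oct/2014:13:55:45 +0000] "GET /nonexistent HTTP/1.1" 404 300 0.001
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["seconds"] = float(rec["seconds"])
    # Group by path only: /search?q=a and /search?q=b hit the same handler.
    rec["path"] = urlsplit(rec["target"]).path
    return rec


def aggregate(log_text, only_status=200):
    """Sum hits, bytes and seconds per path.  Only successful responses count:
    a 404 is cheap to serve and would not be on an attacker's target list."""
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "seconds": 0.0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != only_status:
            continue
        s = stats[rec["path"]]
        s["hits"] += 1
        s["bytes"] += rec["bytes"]
        s["seconds"] += rec["seconds"]
    return dict(stats)


def rank(stats, field):
    """(path, average of field per hit) tuples, most expensive first."""
    return sorted(
        ((path, s[field] / s["hits"]) for path, s in stats.items()),
        key=lambda t: t[1],
        reverse=True,
    )


def target_list(log_text, top=3):
    """The two lists the slide describes: URIs by CPU cost and by bandwidth."""
    stats = aggregate(log_text)
    return {
        "cpu": [p for p, _ in rank(stats, "seconds")[:top]],
        "bandwidth": [p for p, _ in rank(stats, "bytes")[:top]],
    }


if __name__ == "__main__":
    for kind, paths in target_list(SAMPLE_LOG).items():
        print(f"{kind:9s} {paths}")
```

On the sample data the CPU list is led by /search and the bandwidth list by /reports/annual.pdf; those are the URIs to rate-limit, cache, or move behind authentication first, because a GET flood against them needs far fewer requests than one against the front page.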
"Sixty-five percent [of surveyed organizations] reported experiencing an average of three DDoS attacks in the past 12 months, with an average downtime of 54 minutes." – 2012 Ponemon Institute Survey
The business impact of DDoS
• Cost of corrective action
• Reputation management
© F5 Networks, Inc 9
Which DDoS technology to use?
CLOUD/HOSTED SERVICE
Content delivery network
Communications service provider
Cloud-based DDoS service
ON-PREMISES DEFENSE
Network firewall with SSL inspection
Web application firewall
On-premises DDoS solution
Intrusion detection/prevention
Which DDoS technology to use?
CLOUD/HOSTED SERVICE
STRENGTHS
• Completely off-premises, so attack traffic is absorbed before it reaches your links
• Amortized defense across thousands of customers
• DNS anycast and multiple data centers protect you
WEAKNESSES
• Customers pay, whether attacked or not
• Bound by the terms of the service agreement
• Solutions focus on specific layers (not all layers)
ON-PREMISES DEFENSE
STRENGTHS
• Direct control over the infrastructure
• Immediate mitigation with instant response and reporting
• Solutions can be architected to scale independently of one another
WEAKNESSES
• Many point solutions in the market, few comprehensive DDoS solutions
• Can only mitigate up to the capacity of the inbound link
• No other value; only providing benefit when you get attacked (excludes F5)
HYBRID MODEL: CLOUD AND ON-PREM
STRENGTHS
• Combines the strengths of both: volumetric attacks absorbed off-premises by an amortized, anycast, multi-data-center service, plus direct control, immediate mitigation and reporting, and independently scaling tiers on-premises
How does F5 on-premise protect against DDoS attacks?
Security/DDoS Taxonomy
The slide maps the seven OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application) onto three defensive groups, with mitigation difficulty increasing from Network up to Application:
• Network: SYN floods, connection floods, UDP floods, PUSH and ACK floods, teardrop, ICMP floods, ping floods, and smurf attacks
• Session (DNS and SSL): DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation
• Application: OWASP Top 10 (SQL injection, XSS, CSRF, etc.), Slowloris, Slow POST, HashDos, GET floods
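Slowloris and slow POST, listed under the application group above, are asymmetric: the attacker spends almost no bandwidth and simply keeps many connections half-open by trickling a request a few bytes at a time. The check that catches them is therefore time-to-complete per connection and concurrent incomplete connections per source, not request rate. The guard below is an added example, not F5 code and not how BIG-IP implements it; the event trace, timeouts, and the cap of five pending connections per source are constructed for illustration.

```python
"""Slowloris / slow POST guard as an added example (not F5 code).  Those
attacks hold connections open by sending a request a few bytes at a time, so
the useful measure is time-to-complete per connection, not request rate:
  - a connection whose request is still incomplete HEADER_TIMEOUT_MS after it
    was opened is closed, and trickled bytes do NOT reset that clock
  - a source with MAX_PENDING incomplete connections gets new ones refused
Events are constructed: (t_ms, kind, conn_id, src_ip) with kind one of
'open', 'data' (partial chunk arrived) or 'complete' (full request received)."""
from collections import defaultdict

HEADER_TIMEOUT_MS = 10_000   # assumed: 10 s to deliver a complete request
MAX_PENDING = 5              # assumed: incomplete connections allowed per source


class SlowRequestGuard:
    def __init__(self, header_timeout_ms=HEADER_TIMEOUT_MS, max_pending=MAX_PENDING):
        self.header_timeout_ms = header_timeout_ms
        self.max_pending = max_pending
        self.pending = {}                 # conn_id -> (src, opened_at_ms)
        self.refused = defaultdict(int)   # per-source counters
        self.reaped = defaultdict(int)
        self.served = defaultdict(int)

    def pending_for(self, src):
        return sum(1 for s, _ in self.pending.values() if s == src)

    def reap(self, now_ms):
        """Close every connection whose request has not completed in time."""
        expired = [c for c, (_, opened) in self.pending.items()
                   if now_ms - opened >= self.header_timeout_ms]
        for c in expired:
            src, _ = self.pending.pop(c)
            self.reaped[src] += 1
        return len(expired)

    def on_event(self, t_ms, kind, conn_id, src):
        self.reap(t_ms)
        if kind == "open":
            if self.pending_for(src) >= self.max_pending:
                self.refused[src] += 1
                return "refused"
            self.pending[conn_id] = (src, t_ms)
            return "accepted"
        if kind == "data":                # a trickled chunk changes nothing
            return "pending" if conn_id in self.pending else "closed"
        if kind == "complete":
            if conn_id in self.pending:
                del self.pending[conn_id]
                self.served[src] += 1
                return "served"
            return "closed"
        raise ValueError(kind)


def build_events():
    """Constructed trace: a normal client completes each request in 50 ms;
    a Slowloris client opens 20 connections and sends one header line every
    5 s on each, never completing any of them."""
    ev = []
    for i in range(5):
        ev.append((i * 1000, "open", f"n{i}", "198.51.100.10"))
        ev.append((i * 1000 + 50, "complete", f"n{i}", "198.51.100.10"))
    for i in range(20):
        ev.append((i * 100, "open", f"s{i}", "203.0.113.9"))
    for k in range(1, 5):
        for i in range(20):
            ev.append((k * 5000 + i * 100, "data", f"s{i}", "203.0.113.9"))
    ev.sort(key=lambda e: e[0])           # stable sort: ties keep insertion order
    return ev


def run(events):
    """Feed the trace through the guard; return the guard and outcome counts."""
    guard = SlowRequestGuard()
    outcomes = defaultdict(int)
    for t_ms, kind, conn_id, src in events:
        outcomes[guard.on_event(t_ms, kind, conn_id, src)] += 1
    guard.reap(events[-1][0] + HEADER_TIMEOUT_MS)   # final sweep after the trace
    return guard, dict(outcomes)


if __name__ == "__main__":
    g, out = run(build_events())
    print(out)
    print("slowloris refused/reaped:", g.refused["203.0.113.9"], g.reaped["203.0.113.9"])
```

In the trace the attacker gets only five connections accepted, fifteen refused, and the five it holds are reaped at the ten-second mark despite the periodic header lines, while the normal client is served every time. A per-byte idle timeout, which each trickled byte resets, would not have closed them; that is exactly what Slowloris relies on. A full-proxy front end that buffers the complete request before opening a back-end connection confines the cost to its own connection table, which is the Tier 2 role described later in this deck.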
"As attackers employ ever more sophisticated DDoS techniques it is imperative that organizations rethink their DDoS response strategy to provide comprehensive, multi-layer DDoS mitigation"
DDoS protection reference architecture
Diagram: legitimate users, corporate users and attackers (DDoS attacker, scanner, anonymous proxies, anonymous requests, botnet attackers) reach the data center through ISP a/b (multiple ISP strategy) and a cloud scrubbing service. Tier 1 (network and DNS, fed by threat feed intelligence) sits at the strategic point of control and absorbs network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning). Tier 2 (application, also fed by threat feed intelligence) sits alongside the IPS and next-generation firewall and absorbs SSL attacks (SSL renegotiation, SSL flood) and HTTP attacks (Slowloris, slow POST, recursive POST/GET) in front of the financial services, e-commerce and subscriber applications.
TIER 1 KEY FEATURES
• The first tier at the perimeter is layer 3 and 4 network firewall services
• Simple load balancing to a second tier
• IP reputation database
• Mitigates volumetric and DNS DDoS attacks
TIER 2 KEY FEATURES
• The second tier is for application-aware, CPU-intensive defense mechanisms
• SSL termination
• Web application firewall
• Mitigates asymmetric and SSL-based DDoS attacks
How does F5 off-premise protect against DDoS attacks?
F5 Solution Mapping (logical multilayer architecture)
• Tier 1, on-prem, Network and Session layers: AFM, LTM, GTM
• Tier 2, on-prem, Application layer: ASM, LTM + iRules
• Tier 3, off-prem: F5 Silverline
(The diagram again shows corporate users, IPS and next-generation firewall at Tier 2, the financial services, e-commerce and subscriber applications behind it, and DDoS attackers and legitimate users arriving via ISP a/b under a multiple ISP strategy.)
Network layer (AFM):
• TMOS – CMP/Proxy/Default Deny
• IP Intelligence – IP blacklist feed
• SYN Check – SYN flood protection (hardware based on BIG-IP 5000s and above)
• Strict TCP Forwarding – mitigates transport layer violations
• Rate limiting
Session layer (LTM):
• All of the above
• iRules programmability
• SSL termination: hardware based, version enforcement, renegotiation validation
• Protocol awareness: HTTP
DNS (GTM):
• DNS Express/DNS Services
• IP Anycast – globally distribute DNS traffic (Global CMP)
• IP Intelligence – IP blacklist feed
• DNS Express – CMP enabled DNS server
• DNS iRules – offensive capability (respond 127.0.0.1?)
Application layer (ASM):
• IP Intelligence
• DAST integration
• HTTP DDoS detection/mitigation
• Server performance anomaly detection
• HTTP rate limiting
• Client side defense
• Bot detection
Application layer (LTM + iRules):
• In the application layer LTM provides functionality by leveraging iRules
Tier 3 (F5 Silverline):
• F5 acquisition (Defense.net)
• Cloud based service
• Always-on or on-demand service
• Available now
• Expanding service offerings
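Three of the controls in the mapping above (IP Intelligence blacklisting at Tier 1, rate limiting, and server performance anomaly detection at Tier 2) reduce to short pieces of decision logic. The following is an added illustration of that logic in plain Python; it is not F5 code and not how BIG-IP implements these features. The prefix list stands in for a reputation feed, the traffic is constructed, and the limits (20 requests per 10 seconds, a 3x latency threshold over a 20-request baseline) are assumptions chosen for the example.

```python
"""Three Tier 1 / Tier 2 DDoS controls reduced to plain Python so the
decision logic is visible.  Added illustration, not F5 code and not how
BIG-IP implements them:
  1. IP Intelligence: drop sources inside a blacklisted prefix (Tier 1)
  2. per-source rate limiting with a sliding window (Tier 1 / HTTP rate limiting)
  3. server performance anomaly detection: alert when the moving average of
     back-end latency exceeds a learned baseline (Tier 2)
All traffic below is constructed; the prefix list stands in for a feed."""
import ipaddress
from collections import defaultdict, deque

BAD_PREFIXES = ["192.0.2.0/24"]   # stand-in for an IP reputation feed entry


class IpReputation:
    def __init__(self, bad_prefixes):
        self.nets = [ipaddress.ip_network(p) for p in bad_prefixes]

    def is_bad(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds from one source."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, src, now):
        q = self.hits[src]
        while q and now - q[0] >= self.window:   # expire old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LatencyAnomaly:
    """Learn a baseline from the first `learn` samples, then alert whenever the
    average of the last `win` samples exceeds `factor` times that baseline."""

    def __init__(self, learn=20, win=10, factor=3.0):
        self.learn, self.factor = learn, factor
        self.samples = []
        self.recent = deque(maxlen=win)
        self.baseline = None

    def observe(self, seconds):
        if self.baseline is None:
            self.samples.append(seconds)
            if len(self.samples) == self.learn:
                self.baseline = sum(self.samples) / self.learn
            return False
        self.recent.append(seconds)
        if len(self.recent) < self.recent.maxlen:
            return False
        return sum(self.recent) / len(self.recent) > self.factor * self.baseline


def build_events():
    """Constructed traffic as (t_seconds, src_ip, backend_latency_seconds):
    a normal client, one request from a blacklisted source, then a flood
    during which the back end slows from 50 ms to 600 ms per request."""
    events, t = [], 0.0
    for _ in range(30):                       # one request every 2 s
        events.append((t, "198.51.100.10", 0.05))
        t += 2.0
    events.append((t, "192.0.2.7", 0.05))      # inside BAD_PREFIXES
    for i in range(60):                       # 60 requests in 1.2 s
        events.append((t + i * 0.02, "203.0.113.9", 0.60))
    return events


def run(events, limit=20, window=10.0):
    """Apply the three controls in order; return per-source decision counts
    and the timestamps at which the latency detector fired."""
    rep = IpReputation(BAD_PREFIXES)
    lim = SlidingWindowLimiter(limit, window)
    lat = LatencyAnomaly()
    decisions = defaultdict(lambda: defaultdict(int))
    alerts = []
    for t, src, backend_s in events:
        if rep.is_bad(src):                    # Tier 1: never reaches the back end
            decisions[src]["drop_reputation"] += 1
            continue
        if not lim.allow(src, t):
            decisions[src]["drop_rate"] += 1
            continue
        decisions[src]["allow"] += 1
        if lat.observe(backend_s):             # only served requests yield a sample
            alerts.append(t)
    return {s: dict(d) for s, d in decisions.items()}, alerts


if __name__ == "__main__":
    d, a = run(build_events())
    print(d)
    print(f"latency alerts: {len(a)}, first at t={a[0] if a else None}")
```

The ordering matters: the reputation check is the cheapest and runs first, the rate limiter keys on source address and so only helps against a few loud sources, and the latency detector is what still fires when a distributed flood stays under every per-source limit, because it measures the victim rather than the attacker.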
Good | Better | Best: Delivering Greater Customer Value
Good | Better | Best offerings: BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Application Acceleration Manager, BIG-IP Advanced Firewall Manager, SDN Services, Advanced Routing, BIG-IP Access Policy Manager, BIG-IP Application Security Manager
Customer benefits:
• Flexibility: make it easier to adopt advanced F5 functionality
• Simplicity: consolidate into fewer common configurations
• Best value: prices up to 65% lower vs. buying as components
Charts (values not reliably recoverable from the transcript): 200M VE price comparison ($K) and 4200v system price comparison ($K), Good/Better/Best, bought as bundle vs. bought as components.
Logical Multilayer Architecture mapped to licenses
• Tier 1 (Network, Session): AFM, LTM, GTM
• Tier 2 (Application): ASM, LTM + iRules
• Tier 3: F5 Silverline
The slide labels the on-prem tiers with the F5 BIG-IP Better License and the F5 BIG-IP Best License; the diagram again shows corporate users, IPS and next-generation firewall at Tier 2, the financial services, e-commerce and subscriber applications behind it, and DDoS attackers and legitimate users arriving via ISP a/b (multiple ISP strategy).
Conclusion
• Comprehensive DDoS protection requires a multi-layer approach
• Your existing F5 products can be leveraged to great effect
• Small additions (DNS Express, IP Intelligence) have a high return on investment
• New F5 services allow you to quickly deploy off-prem protection
• We focused today on DDoS; however, the same architecture can be applied to generalized L4–7 application security
Key customer benefits
• Maintain application availability
• Save money for your company
• Protect network infrastructure
• Safeguard your brand reputation
• Defend against targeted attacks
• Stay one step ahead
ALL BACKED BY WORLD-CLASS SUPPORT AND PROFESSIONAL SERVICES
Next steps
• Participate in information-sharing with your solution providers.
• Work toward an Open DDOS Protection Alliance (the OWASP for DDoS).
• Start asking vendors questions about interoperability.
• Develop an organizational preparedness plan for DDoS.
Key Resources
• DDoS Runbook: 10 Steps to Prep for DDoS
  https://blog.whitehatsec.com/checklist-to-prepare-yourself-in-advance-of-a-ddos-attack/
• Best Practices: How to Configure F5 for DDoS Protection
  https://f5.com/solutions/architectures/ddos-protection/ddos-exclusive
The F5 DDoS Protection
Reference Architecture
f5.com/architectures
Explore
Appendix
DDoS Protection - SMB data center deployment
Protecting L3–7 and DNS on a single BIG-IP platform: network firewall services + DNS services + web application firewall services + compliance control. A next-generation firewall alongside it is used by employees for outbound protection. Customers and partners arrive via ISPa and ISPb, both carrying DDoS attack traffic; the ISP provides a volumetric DDoS service.
Simplified business models (GOOD | BETTER | BEST): BIG-IP Advanced Firewall Manager, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Access Policy Manager, BIG-IP Application Security Manager
DDoS Protection - Enterprise data center deployment
Tier 1: Protecting L3–4 and DNS on a BIG-IP platform: network firewall services + DNS services + simple load balancing to Tier 2 + IP Intelligence (IPI) module. A next-generation firewall is used by employees for outbound protection.
Tier 2: Protecting L7 on a second BIG-IP platform: web application firewall services + SSL termination. SSL can be inspected at either tier.
Customers and partners arrive via ISPa and ISPb, both carrying DDoS attack traffic; the ISP provides a volumetric DDoS service and a cloud scrubbing service sits upstream.
Simplified business models (GOOD | BETTER | BEST): + IP Intelligence; BIG-IP Advanced Firewall Manager, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Access Policy Manager, BIG-IP Application Security Manager
DDoS protection - Large FSI data center deployment
Customers and partners arrive via ISPa and ISPb (multiple ISP strategy), both carrying DDoS attack traffic, with a cloud scrubbing service upstream.
Tier 1: Protecting L3–4 and DNS: network firewall services + simple load balancing to Tier 2 on a BIG-IP platform (AFM, LTM) + IP Intelligence (IPI) module; DNS services on a separate BIG-IP platform (GTM).
Tier 2: Protecting L7: web application firewall services + SSL termination on a VIPRION platform (ASM, LTM) with a network HSM (FIPS-140). SSL inspection at either tier; SSL re-encryption.
Simplified business models (GOOD | BETTER | BEST): + IP Intelligence; BIG-IP Advanced Firewall Manager, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Application Security Manager
DDoS Protection - SMB data center deployment, hybrid platform architecture
Protecting L3–4 and DNS on a BIG-IP platform: network firewall services + DNS services. A next-generation firewall is used by employees for outbound protection. Customers and partners arrive via ISPa and ISPb, both carrying DDoS attack traffic; the ISP provides a volumetric DDoS service.
Protecting L7: a virtualized web application firewall (+ compliance) in front of the web server provides fault isolation; customers can run VE on the existing hypervisors already supporting their app infrastructure.
Simplified business models (GOOD | BETTER | BEST): BIG-IP Advanced Firewall Manager, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Application Security Manager
DDoS Protection - Enterprise data center deployment, hybrid platform architecture
Tier 1: Protecting L3–4 and DNS on a BIG-IP platform: network firewall services + DNS services + simple load balancing to Tier 2 + SSL inspection + IP Intelligence (IPI) module. A next-generation firewall is used by employees for outbound protection. Customers and partners arrive via ISPa and ISPb, both carrying DDoS attack traffic; the ISP provides a volumetric DDoS service and a cloud scrubbing service sits upstream.
Tier 2: Protecting L7 and apps: a virtualized web application firewall (+ compliance) in front of the web server provides fault isolation; customers can run VE on the existing hypervisors already supporting their app infrastructure.
Simplified business models (GOOD | BETTER | BEST): + IP Intelligence; BIG-IP Advanced Firewall Manager, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Application Security Manager