Page 1

The New Security Perimeter: Applications and Identities

Timo Lohenoja, CISSP

Systems Engineer

F5 Networks

Page 2

© F5 Networks, Inc 2

Applications are Driving Innovation and Massive Growth in Data…

Sources: Forbes, Nielsen, IDC, EMC, Statista

…but also creating an exponential increase in the attack surface

Page 3

…Resulting in an Unprecedented Increase in Attacks

Source of data breaches

Sources: IT Business Edge, Krebs on Security, Security Week, CSO Online

Page 4

Security Investments Completely Misaligned with Reality

Diagram labels: Attackers, Fraudsters, Internal Users; NGFW, IPS / IDS, DLP; App Servers, DB Servers; $$$ Security Spend

Page 5

Security Investments Completely Misaligned with Reality

Perimeter Security Identity & Application Security

of attacks are

focused here

25% of security

investment

90% of attacks are

focused here

75% of security

investment

10%

Source: Gartner

Page 6

Important Trends in Threat Vectors

• 86% of websites have at least 1 serious vulnerability (WhiteHat Security Statistics Report 2015)
• 56: average number of vulnerabilities per website (WhiteHat Security Statistics Report 2015)
• 20% of IT pros are confident users avoid phishing (2015 CyberThreat Defense)
• 85,000 malicious IPs launched every day (Threat Brief Report, Webroot, May 2015)
• 2.3M bots actively attacking (Symantec Internet Security Report 2014)
• Every 23 min a website is hit by a critical exploit (F5 Research)
• 56% of security professionals employ WAF (2015 Cisco Annual Security Report)
• 36%: no cyber-attack response in place (F5 Networks Survey Research 2016)

Page 7

Traditionally, Data was Secure Inside the Perimeter

Diagram labels: Authorised User, Managed Devices, Apps, Data; PERIMETER SECURITY; DLP, Firewall, IPS; Unknown Users, Malicious Users, Authorised Users

Page 8

The Perimeter has Dissolved…

PERIMETER SECURITY

…and Zero Trust is the new mantra

ZERO TRUST

Untrusted Users

Page 9

Cloud Apps and Mobility have Changed the Game

3.2 billion unknown users

7.4 billion unsecured devices

1 billion applications

44 ZB of data by 2020

Page 10

Today’s Requirement: Protect Identities, Apps, and Data

Page 11

Access, Identity, and App Protection Solutions

APPLICATION PROTECTION

PROTECT APPLICATIONS: Safeguard your apps, regardless of where they live

IDENTITY AND ACCESS MANAGEMENT

PROTECT ACCESS AND IDENTITY: Enable secure access for any user on any device

Page 12

Access, Identity, and App Protection Solutions

APPLICATION PROTECTION

• SSL Inspection and Interception
• Web Application Firewall
• DDoS Protection
• DNS Security
• Web Fraud Protection
• IP Intelligence
• Carrier Class Firewall

IDENTITY AND ACCESS MANAGEMENT

• Identity Federation
• Application Access Management
• Enterprise Mobility Gateway
• Secure Web Gateway
• Remote Access

Page 13

The Traditional Approach to Security is Inadequate

• Less control over user access and policies do not follow apps
• Overwhelming volume of application traffic
• Traditional security solutions are blind to SSL traffic
• Perimeter approach is no longer adequate

Page 14

The New Perimeter is an App Perimeter

Apps are the gateways to data

TRADITIONAL: NETWORK PERIMETER ✖

NEW PERIMETER: PER-APP / PER-USER PERIMETER ✔

SSL-visible, Location-independent, Session-based, Continuous trust verification, Strategic control points, Application availability

IT’S TIME TO RETHINK SECURITY ARCHITECTURES

Page 15

Identity is the Key to Adaptive Authentication and Access

• Device type and integrity
• Browser
• Location
• Operating system (OS)
• Authentication
• Access method
• Network integrity
• Network quality and availability
• Connection integrity
• App type/version (v3.1)
• App location
• App importance and risk

Page 16

Federating Identity for Cloud Applications

• Outsourced applications and infrastructure
• Applications enforcing “authority” over user identity
• Need to provide access to customers and supply chain without manual user account management and password resets

Diagram labels: Data Center; Applications; Internet; Identity and Access Management; Physical, Virtual; Salesforce, Office 365, Concur, Google docs; Devices

Page 17

Optimising Security with Risk-based Policy Protection

[Figure: two panels, High-Value App and Low-Value App. Each panel lists the inputs User ID, Location, End point, Device health, Device type, Malware, Sensitive Data, Human and the outcomes Allow, Challenge, OTP, Client Cert., Deny. Location labels: North Korea, United Kingdom.]

Page 18

Identity Federation and SSO Solutions

• Transform one type of authentication into another
• Support various standards-based protocols (SAML, Kerberos, NTLM)
• Enable flexible selection of SSO techniques appropriate to the application
• Allow centralised session control of all applications, including SaaS apps

Diagram labels: Users; Certificates, Password, Token, Federation (SAML), Adaptive Auth; Certificates, Dynamic Forms, Kerberos Delegation, Simple Assertion, SAML Pass-through; Apps; Private/Public Cloud; SSO Selection; Endpoint Validation; Step-Up Auth; Fraud Protection

Page 19

Identity Federation and SSO with Adaptive Authentication

Diagram labels: On-Premises Infrastructure; Corporate Applications; Users; Attackers; SaaS (Office 365, Google Apps, Salesforce); Directory Services; Corporate Users; Identity federation; Public Cloud; Private Cloud; Corporation; LOGIN; SAML; Identity management; Multi-factor authentication; Real-time access control; Access policy enforcement

Page 20

Application Attacks are Inevitable

Prepare for application attacks every 23 minutes

95% of breaches through 2018 will be caused by misconfigured firewalls, not vulnerabilities

86% of websites have at least 1 vulnerability and an average of 56 per website

75% of Internet threats target web servers

2.3M bots actively attacking

Sources: Cisco, WhiteHat Security, Gartner, Symantec

Page 21

• Most network architectures are not built for SSL encryption

• SSL on NGFW products impacts performance by 80%

• Malware using SSL to evade network monitoring

• Without security tools to inspect SSL traffic, attacker actions can go undetected

• Trends toward SSL Everywhere, including HTTP/2 and TLS 1.3

Encryption Creates a Blind Spot in Your Network

Page 22

Amount of Encrypted Enterprise Traffic

• Today: 30%
• 2017: 70%

Page 23

Chart labels: IoE, E-Commerce, Privacy, Mobility, Snowden

Trajectory and Growth of Encryption

Customer Trends:

• Higher Security Standards

• Security more mobile

Emerging Standards:

• TLS 1.3, HTTP 2.0/SPDY

• RSA -> ECC

Thought Leaders and Influence:

• Google: SHA2, SPDY, Search Ranking by Encryption

• Microsoft: PFS Mandated

MARKET AMPLIFIERS

SSL growing ~30% annually. Entering the Fifth wave of transition (IoE)

[Chart: millions of certificates (CA) by year, 1998 to 2014. Source: Netcraft]

Page 24

Industry trends

An increasing share of network traffic is being encrypted

• Increased customer awareness (PFS, Heartbleed)

• Insider threat

• New regulatory and compliance requirements

• Evolving cryptography and new standards

• Everything is connected

DRIVING CHANGE

ENCRYPTED TRAFFIC: today 30%, 2017 70% (Fortune, Apr 2015)

[Chart: SSL Grading, grades A, B, C, F; axis 0 to 50. Source: Qualys, Jun 2016]

Page 25

Encryption Creates a Blind Spot in Your Network

Page 26

Herculon SSL Orchestrator

Page 27

Policy-Based Dynamic Service Chaining

Page 28

Topologies and general functions

Single-box deployment

Diagram labels: Clients; BIG-IP Ingress (In/Out); Inspection Zone; Inline L3 Services; Inline L2 Services; DLP/ICAP Services; Receive Only Services

• Simplified Configuration
• Robust service chaining
• Internal signaling

Two-box deployment

Diagram labels: Clients; BIG-IP Ingress; BIG-IP Egress (In/Out); Inspection Zone; Cleartext Zone; Inline L3 Services; Inline L2 Services; DLP/ICAP Services; Receive Only Services; L3 Services; Additional Security Services

• Robust service chaining
• Recapitalize throughput
• Policy-driven separation
• Internal and external signaling

Legend: Transparent ingress proxy; Explicit ingress proxy; Signaling

Page 29

Security service chaining

Create services: Inline Layer 2, Inline Layer 3, Receive Only, DLP ICAP

Chain services (diagram labels): Inline Layer 3, Inline Layer 2, Receive Only, DLP ICAP; Inline Layer 3, Inline Layer 2, Receive Only; Inline Layer 3, DLP ICAP, Receive Only

Select services: Traffic Classifier Engine (Source Addr, Dest Addr, IP Geo, Host Name, IPI Cat, URLF Cat, Dest Port, Proto); Packet; Chain

Page 30

Back to the Web Application Firewalls…

Page 31

The Right Tool for the Job

BIFURCATION OF FIREWALLS

“Next Generation” Firewall: Corporate (users)

• Outbound user inspection
• 1K users to 10K web sites
• Broad but shallow
• UserID and AppID
• Who is doing what?

Web Application Firewall: Internet Data Center (servers)

• Inbound application protection
• 1M users to 100 apps
• Narrow but deep
• Application delivery focus
• Web specific protocols (HTTP, SSL, etc.)

Page 32

Layer 7 security is not addressed by traditional IPS and firewall products

Intrusion Prevention Systems and Standard Firewalls

Intrusion Prevention Systems / Traditional Firewall

• Examines all traffic for malicious app inputs
• Primarily uses anomalous and signature-based detection
• Some stateful protocol analysis capabilities
• Lacks understanding of L7 protocol logic
• Doesn’t protect against all exploitable app vulnerabilities

Diagram labels: Encryption, Unknowns (???), Fragmentation, Obfuscation

Page 33

Web Application Firewall Capabilities

Protect against layer 7 attacks with granularity

• Protects against layer 7 DDoS attacks
• DAST/VA integration with extensive automated and virtual patches
• Understands the business logic behind your web app
• Full-proxy protection against and OWASP top 10
• Combines negative and positive security models
• Deep understanding of the application, not just generic attacks

WAF: Virtual Edition, Cloud, Appliance

Page 34

Traditional Security Devices vs WAF

WAF IPS NGFW

Multiprotocol Security *

IP Reputation *

Web Attack Signatures *

Web Vulnerabilities Signatures *

Automatic Policy Learning *

URL, Parameter, Cookie, and Form Protection *

Leverage Vulnerability Scan Results *

Browser Fingerprinting

Protection against Layer 7 DDoS Attacks

Pro-active Modification of Application Requests/Responses

Advanced Protection for Web Services (SOAP, XML, AJAX)

* Source: Gartner "Web Application Firewalls Are Worth the Investment for Enterprises"

= Good to very good

= Average or fair

= Below average

Page 35

Advanced vs Traditional Web Application Firewall

TRADITIONAL WAF

• Signatures (OWASP Top 10)

• DAST integration

• Site learning

• File/URL/Parameter/Header/Cookie enforcement

• Protocol enforcement

• Login enforcement / Session tracking

• Data leak prevention

• Flow enforcement

• IP blacklisting

ADVANCED WAF

• Bot detection

• Client fingerprinting

• Web scraping prevention

• Brute force mitigation

• L7 DDoS protection

• Heavy URL mitigation

• CAPTCHA challenges

• HTTP header sanitisation/insertion

• Anti-CSRF token insertion

• Perfect Forward Secrecy (PFS) ciphers

Page 36

Hybrid Protection from Advanced Application Attacks

ON-PREMISES WAF

• Protect core applications in data center

• Virtual patching

• Layer 7 DDoS

• Protect applications in the cloud, co-lo, data center

• Provide flexible application fluency

• App/Dev policy development

• 24/7 attack support from security experts

CLOUD-BASED WAF

Policy Import/Export

Page 37

Combined Hybrid WAF = No application left unprotected

More Capability Considerations

Considerations | On-prem WAF | Cloud WAF

• Have resources to manage WAF?
• Need to maintain app blocking control?
• Willing to use professional services?
• PCI compliance challenges
• VA/DAST part of app development/protection
• Must protect cloud-based apps
• Must protect tier 2 apps
• Prefer outsourcing app security
• Require 3rd party policy creation with 24x7x365 support

Hybrid WAF deployment

Page 38

Application Protection: Cloud-based and On-premises

Diagram labels:

• Legitimate Users, Attackers, Scanner, Anonymous Proxies, Anonymous Requests, Botnet; Threat Intelligence Feed
• Cloud (WAF, DDoS): Volumetric DDoS protection, Managed Application firewall service, zero-day threat mitigation with iRules
• ISPa/b: Multiple ISP strategy; Customer Router
• Network: Data Center Firewall, IPS
• Network attacks: ICMP flood, UDP flood, SYN flood
• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
• Application: WAF
• HTTP attacks: Slowloris, slow POST, recursive POST/GET
• SSL attacks: SSL renegotiation, SSL flood
• Next-Generation Firewall; Corporate Users
• Financial Services, E-Commerce, Subscriber
• Strategic Point of Control
• Signaling: Hybrid integration with ADC to synchronise threat information and request service

Page 39

DDoS Attack Targets

• Volumetric Attacks on Bandwidth
• Attacks on RAM. Firewall state tables.
• Attacks on CPU. IPS Signature Scanning.
• Attacks on Server stack. Low and Slow.
• Attacks on crypto capacity. SSL floods.
• Targeted Attacks. Bugs and flaws in stack.

Page 40

DDoS Hybrid Defender’s place in the network

Diagram labels: Internet; Silverline; Telco Router; Internet Edge; Enterprise Router; DHD (shown twice); DMZ; Core; Data Center; Virtual Server Farm; Inbound Application Traffic; Outbound User LAN Traffic; WiFi Users

DDoS mitigation

• At network edge

• Front of the applications server farms

• As-a-service in the cloud

Comprehensive solution:

• Dedicated security appliance

• DDoS Threat intel

• Silverline always available subscription

Page 41

DDoS Hybrid Defender

F5 delivers comprehensive protection in a single box

Key Benefits

• Protects against attacks on the network through to the application
• Only single vendor with native, seamlessly integrated on-premises and cloud-based scrubbing services
• Leverages industry-leading application protections to defend against L7 DDoS
• Unsurpassed SSL performance with SSL termination and outbound SSL interception protection
• Ensures app availability and performance with leading datacenter scalability and up to 1.7 Tbps of cloud-based scrubbing capacity

Page 42

Best Practices in Protecting Your Applications


Page 43

Comprehensive Security Solutions for the New Perimeter

APPLICATION ACCESS | APPLICATION PROTECTION

Diagram labels: Remote Access; SSL Inspection; Network Firewall; Enterprise Mobility Gateway; Secure Web Gateway; Traffic Management; DDoS Protection; Web Fraud Protection; Web App Firewall; Access Federation; App Access Management; DNS Security

Confidentiality, Integrity, Availability

Risk-Based Policies; Intelligence and Visibility; Hybrid Delivery
