5.1 Using Fundamental Identities. Fundamental Trigonometric Identities.
The New Security Perimeter: Applications and Identities · The New Security Perimeter: Applications...
Transcript of The New Security Perimeter: Applications and Identities · The New Security Perimeter: Applications...
The New Security Perimeter: Applications and Identities
Timo Lohenoja, CISSP
Systems Engineer
F5 Networks
© F5 Networks, Inc 2
Applications are Driving Innovation and Massive Growth in Data…
Sources: Forbes, Nielsen, IDC, EMC, Statista
…but also creating an exponential increase in the attack surface
© F5 Networks, Inc 3
…Resulting in an Unprecedented Increase in Attacks
Source of data breaches
Sources: IT Business Edge, Krebs on Security, Security Week, CSO Online
© F5 Networks, Inc 4
App Servers
DB Servers
NGFW IPS / IDS DLP
Attackers
Fraudsters
$$$Security Spend
Internal Users
Security Investments Completely Misaligned with Reality
© F5 Networks, Inc 5
Security Investments Completely Misaligned with Reality
Perimeter Security Identity & Application Security
of attacks are
focused here
25% of security
investment
90% of attacks are
focused here
75% of security
investment
10%
Source: Gartner
© F5 Networks, Inc 6
Important Trends in Threat Vectors
OF WEBSITES HAVE
AT LEAST 1 SERIOUS
VULNERABILITYWhiteHat Security Statistics Report
2015
86%AVERAGE NUMBER OF
VULNERABILITIES
PER WEBSITEWhiteHat Security Statistics Report
2015
56
OF IT PROS ARE
CONFIDENT USERS
AVOID PHISHING2015 CyberThreat Defense
20%MALICIOUS IP’S
LAUNCHED EVERYDAYThreat Brief Report, Webroot, May
2015
85,000BOTS ACTIVELY
ATTACKING Symantec Internet Security Report
2014
2.3M
A WEBSITE IS HIT BY
A CRITICAL EXPLOIT F5 Research
23 minEVERY
OF SECURITY
PROFESSIONALS
EMPLOY WAF2015 Cisco Annual Security Report
56%
NO CYBER-ATTACK
RESPONSE IN PLACEF5 Networks Survey Research 2016
36%
© F5 Networks, Inc 7
Traditionally, Data was Secure Inside the Perimeter
Authorised
User
Managed
Devices Apps Data
P E R I M E T E R S E C U R I T Y
Unknown
UsersMalicious
Users
Authorised
UsersDLP Fire-
wallIPS
© F5 Networks, Inc 8
The Perimeter has Dissolved…
P E R I M E T E R S E C U R I T Y
…and Zero Trust is the new mantra
ZERO TRUSTUntrusted
Users
© F5 Networks, Inc 9
Cloud Apps and Mobility have Changed the Game
3.2 billion unknown users7.4 billion unsecured devices
1 billionapplications
44 ZB of data by 2020
© F5 Networks, Inc 10
Today’s Requirement: Protect Identities, Apps, and Data
© F5 Networks, Inc 11
Access, Identity, and App Protection Solutions
APPLICATION PROTECTIONIDENTITY AND ACCESS MANAGEMENT
PROTECT APPLICATIONSSafeguard your apps, regardless of where they live
PROTECT ACCESS AND IDENTITYEnable secure access for any user on any device
© F5 Networks, Inc 12
Access, Identity, and App Protection Solutions
APPLICATION PROTECTIONIDENTITY AND ACCESS MANAGEMENT
SSL Inspection and Interception
Web Application Firewall DDoS Protection
DNS Security
Web Fraud Protection
IP IntelligenceCarrier Class Firewall
Identity Federation
Application Access Management
Enterprise Mobility Gateway
Secure Web Gateway
Remote Access
© F5 Networks, Inc 13
Less control over user access and
policies do not follow apps
Overwhelming volume of
application traffic
Traditional security solutions are
blind to SSL traffic
Perimeter approach
is no longer adequate
The Traditional Approach to Security is Inadequate
© F5 Networks, Inc 14
NETWORK PERIMETER
App
The New Perimeter is an App PerimeterApps are the gateways to data
SSL
SSL
SS
L
APP
PER-APP / PER-USER PERIMETER
NEW PERIMETERTRADITIONAL
✖SSL-visible, Location-independent, Session-
based, Continuous trust verification, Strategic
control points, Application availability ✔
IT’S TIME TO RETHINK SECURITY ARCHITECTURES
© F5 Networks, Inc 15
Identity is the Key to Adaptive Authentication and Access
Device type and integrity
Browser Location
Operatingsystem
OS
Authentication
Access method
Network
integrity
Network
quality and
availability
Connection
integrity
App type/ version
v3.1
App location App importance and risk
!!!
© F5 Networks, Inc 16
• Outsourced applications and infrastructure
• Applications enforcing “authority” over user identity
• Need to provide access to customers and supply chain without manual user account management and password resets
Federating Identity for Cloud Applications
Data Center
Applications Applications
Internet
Identity and Access Management
Physical Virtual
Salesforce Office 365 Concur Google docs
Devices
© F5 Networks, Inc 17
User ID
Location
End point
Device health
Device type
Malware
Sensitive Data
Human
User ID
Location
End point
Device health
Device type
Malware
Sensitive Data
Human
High-Value App
Optimising Security with Risk-based Policy Protection
Low-Value AppNorth Korea
Allow
Challenge
OTP
Client Cert.
Deny
Allow
Challenge
OTP
Client Cert.
Deny
United Kingdom
© F5 Networks, Inc 18
• Transform one type of authentication into another
• Support various standards-based protocols (SAML, Kerberos, NTLM)
• Enable flexible selection of SSO techniques appropriate to the application
• Allow centralised session control of all applications, including SaaS apps
Identity Federation and SSO Solutions
Users
Certificates
Password
Token
Federation (SAML)
Adaptive Auth
Certificates
Dynamic Forms
Kerberos Delegation
Simple Assertion
SAML Pass-through
Apps
Private/Public
Cloud
SSO Selection
Endpoint Validation
Step-Up Auth
Fraud Protection
© F5 Networks, Inc 19
Identity Federation and SSO with Adaptive Authentication
On-Premises Infrastructure
CorporateApplications
Users
Attackers
SaaS
Office 365
GoogleApps
Salesforce
DirectoryServices
Corporate Users
Identity federation
PublicCloud
PrivateCloud
Corporation
LOGIN
8 3 2 8 4 9
SAMLIdentity management
Multi-factor authentication
SAMLReal-time access control
Access policy enforcement
© F5 Networks, Inc 20
Application Attacks are Inevitable
Prepare for application attacks
every 23 minutes
95% of breaches through 2018 will be caused by misconfigured firewalls, not vulnerabilities
86% of websites has at least 1 vulnerability and an average of 56 per website
75% of Internet threats target web servers
2.3M bots actively attacking
Sources: Cisco, WhiteHat Security, Gartner, Symantec
© F5 Networks, Inc 21
• Most network architectures are not built for SSL encryption
• SSL on NGFW products impacts performance by 80%
• Malware using SSL to evade network monitoring
• Without security tools to inspect SSL traffic, attacker actions can go undetected
• Trends toward SSL Everywhere, including HTTP/2 and TLS 1.3
Encryption Creates a Blind Spot in Your Network
© F5 Networks, Inc 22
TODAY
30%
2017
70%
Amount of Encrypted Enterprise Traffic
© F5 Networks, Inc 23
IoEE-Commerce Privacy Mobility
Snowden
Trajectory and Growth of Encryption
Customer Trends:
• Higher Security Standards
• Security more mobile
Emerging Standards:
• TLS 1.3, HTTP 2.0/SPDY
• RSA -> ECC
Thought Leaders and Influence:
• Google: SHA2, SPDY, Search Ranking by Encryption
• Microsoft: PFS Mandated
MARKET AMPLIFIERS
SSL growing ~30% annually. Entering the Fifth wave of transition (IoE)
0,0
0,5
1,0
1,5
2,0
2,5
3,0
3,5
1998 2002 2006 2010 2014
Source: Netcraft
Mil
lio
ns o
f C
ert
ific
ate
s (
CA
)
Years
© F5 Networks, Inc 24
Industry trendsAn increasing share of network traffic is being encrypted
• Increased customer awareness (PFS, Heartbleed)
• Insider threat
• New regulatory and compliance requirements
• Evolving cryptography and new standards
•
• Everything is connected
DRIVING CHANGE
2017TODAY
70%
ENCRYPTED TRAFFIC
30%
Fortune, Apr 2015
0
5
10
15
20
25
30
35
40
45
50
SSL Grading
A
B
C
F
Qualys Jun 2016
Encryption Creates a Blind Spot in Your Network
Herculon SSL Orchestrator
© F5 Networks, Inc 27
Policy-Based Dynamic Service Chaining
© F5 Networks, Inc 28
Topologies and general functions
Single-box deployment
Out
Inline L3Services
Inline L2Services
DLP/ICAPServices
Receive Only
Services
Clients
InspectionZone
InspectionZone
BIG-IPIngress
In Out
In Out
• Simplified Configuration
• Robust service chaining
• Internal signaling
Two-box deployment
Out
Inline L3Services
Inline L2Services
DLP/ICAPServices
Receive Only
Services
Clients
InspectionZone
InspectionZone
Cleartext Zone
L3Services
AdditionalSecurityServices
BIG-IPIngress
BIG-IPEgress
In Out
In Out
• Robust service chaining
• Recapitalize throughput
• Policy-driven separation
• Internal and external signaling
Transparent ingress proxy Explicit ingress proxy Signaling
© F5 Networks, Inc 29
Security service chaining
Create services
Inline
Layer 2
Inline
Layer 2
Inline
Layer 3
Receive
Only
DLP
ICAP
Inline
Layer 2
Chain services
Inline Layer 3
Inline Layer 2
ReceiveOnly
DLPICAP
Inline Layer 3
Inline Layer 2
ReceiveOnly
Inline Layer 3
DLPICAP
ReceiveOnly
Select services
Source
Addr
Dest
AddrIP Geo
Host
Name
IPI
Cat
URLF
Cat
Dest
Port
Proto
Traffic
Classifier
Engine
PacketChain
© F5 Networks, Inc 30
Back to the Web Application Firewalls…
© F5 Networks, Inc 31
The Right Tool for the Job
BIF
UR
CA
TIO
N O
F F
IRE
WA
LL
S
“Next Generation” Firewall
• Outbound user inspection
• 1K users to 10K web sites
• Broad but shallow
• UserID and AppID
• Who is doing what?
Corporate
(users)
Web Application Firewall
Internet Data Center
(servers)
• Inbound application protection
• 1M users to 100 apps
• Narrow but deep
• Application delivery focus
• Web specific protocols (HTTP, SSL, etc.)
© F5 Networks, Inc 32
Layer 7 security is not addressed by traditional IPS and firewall products
Intrusion Prevention Systems and Standard Firewalls
Intrusion Prevention
SystemsTraditional Firewall • Examines all traffic for
malicious app inputs
• Primarily uses anomalous and signature-based detection
• Some stateful protocol analysis capabilities
Encryption Unknowns
???
FragmentationObfuscation
• Lacks understanding of L7 protocol logic
• Doesn’t protect against all exploitable app vulnerabilities
© F5 Networks, Inc 33
Web Application Firewall CapabilitiesProtect against layer 7 attacks with granularity
Protects against
layer 7 DDoS
attacks
DAST/VA integration
with extensive
automated and virtual
patches
Understands the
business logic
behind your web app
Full-proxy
protection
against and
OWASP top 10
Virtual Edition CloudAppliance
Combines
negative and
positive security
models
Deep understanding
of the application,
not just generic
attacks
WAF
© F5 Networks, Inc 34
Traditional Security Devices vs WAF
WAF IPS NGFW
Multiprotocol Security *
IP Reputation *
Web Attack Signatures *
Web Vulnerabilities Signatures *
Automatic Policy Learning *
URL, Parameter, Cookie, and Form Protection *
Leverage Vulnerability Scan Results *
Browser Fingerprinting
Protection against Layer 7 DDoS Attacks
Pro-active Modification of Application Requests/Responses
Advanced Protection for Web Services (SOAP, XML, AJAX)
* Source: Gartner "Web Application Firewalls Are Worth the Investment for Enterprises"
= Good to very good
= Average or fair
= Below average
© F5 Networks, Inc 35
Advanced vs Traditional Web Application Firewall
TRADITIONAL WAF
• Signatures (OWASP Top 10)
• DAST integration
• Site learning
• File/URL/Parameter/Header/Cookie enforcement
• Protocol enforcement
• Login enforcement / Session tracking
• Data leak prevention
• Flow enforcement
• IP blacklisting
ADVANCED WAF
• Bot detection
• Client fingerprinting
• Web scraping prevention
• Brute force mitigation
• L7 DDoS protection
• Heavy URL mitigation
• CAPTCHA challenges
• HTTP header sanitisation/insertion
• Anti-CSRF token insertion
• Perfect Forward Secrecy (PFS) ciphers
© F5 Networks, Inc 36
Hybrid Protection from Advanced Application Attacks
ON-PREMISES WAF
• Protect core applications in data
center
• Virtual patching
• Layer 7 DDoS
• Protect applications in the cloud, co-lo,
data center
• Provide flexible application fluency
• App/Dev policy development
• 24/7 attack support from security experts
CLOUD-BASED WAF
Policy
Import/Export
© F5 Networks, Inc 37
Combined Hybrid WAF = No application left unprotected
More Capability Considerations
ConsiderationsOn-prem
WAF
Cloud
WAF
Have resources to manage WAF?
Need to maintain app blocking control?
Willing to use professional services ?
PCI compliance challenges
VA/DAST part of app development/protection
Must protect cloud-based apps
Must protect tier 2 apps
Prefer outsourcing app security
Require 3rd party policy creation with 24x7x365 support
Hybrid WAF
deployment
© F5 Networks, Inc 38
Application Protection: Cloud-based and On-premises
ISPa/b
Multiple ISP strategy
Scanner Anonymous Proxies
Anonymous Requests
Botnet Attackers
Threat Intelligence Feed
Next-GenerationFirewall Corporate Users
Network Application
Network attacks:ICMP flood,UDP flood,SYN flood
DNS attacks:DNS amplification,
query flood,dictionary attack,DNS poisoning
IPS
Data Center Firewall
WAFHTTP attacks:
Slowloris,slow POST,
recursive POST/GET
SSL attacks:SSL renegotiation,
SSL floodFinancialServices
E-Commerce
Subscriber
Strategic Point of Control
CustomerRouter
Signaling
Hybrid integration with ADC to
synchronise threat information and request service
LegitimateUsers
Attackers Volumetric DDoS protection, Managed
Application firewall service, zero-day threat mitigation
with iRules
WAF
DDoS
Cloud
© F5 Networks, Inc 39
DDoS Attack Targets
Volumetric Attacks
Volumetric Attacks on
Bandwidth
Attacks on RAM
Attacks on RAM. Firewall state
tables.
Attacks on CPU
Attacks on CPU.
IPS Signature Scanning.
Attacks on Server
Attacks on Server stack. Low
and Slow.
Attacks on crypto
Attacks on crypto capacity.
SSL floods.
Targeted Attacks
Targeted Attacks.
Bugs and flaws in stack.
Internet
Telco Router
Inbound Application
Traffic
Core
Data Center
DMZ
Enterprise Router
Virtual Server Farm
Silverline
Outbound User LAN
Traffic
WiFiUsers
Internet Edge
DHD
DHD
DDoS Hybrid Defender’s place in the network
DDoS mitigation
• At network edge
• Front of the applications server farms
• As-a-service in the cloud
Comprehensive solution:
• Dedicated security appliance
• DDoS Threat intel
• Silverline always available subscription
© F5 Networks, Inc 41
• Protects attacks on the network through to the application
• Only single vendor with native, seamlessly integrated
on-premises and cloud-based scrubbing services
• Leverages industry-leading application protections to
defend against L7 DDoS
• Unsurpassed SSL performance with SSL termination
and outbound SSL interception protection
• Ensures app availability and performance with leading datacenter
scalability and up to 1.7 Tbps of cloud-based scrubbing capacity
DDoS Hybrid Defender
F5 delivers comprehensive protection in a single box
Key Benefits
© F5 Networks, Inc 42
Best Practices in Protecting Your Applications
42
© F5 Networks, Inc 43
Remote
Access
SSL
Inspection
Network
Firewall
Enterprise
Mobility Gateway
Secure Web
Gateway
Traffic
Management
DDoS
Protection
Web Fraud
Protection
Web App
Firewall
Access
Federation
App Access
Management
DNS
Security
Comprehensive Security Solutions for the New Perimeter
APPLICATION ACCESS APPLICATION PROTECTION
Confidentiality IntegrityAvailability
Risk-Based PoliciesIntelligence and Visibility
Hybrid Delivery