UNIFIED SECURITYUNIFIED SECURITY

Ralf SydekumRalf SydekumTechnical Manager Central EuropeTechnical Manager Central Europe

UNIFIED SECURITYUNIFIED SECURITY

CyberCyber--attacks in the News for 2011attacks in the News for 2011

IBM X-Force 2011 Trend and Risk Report March 2012

of network traffic is encrypted bypassing security controls

Security is still expendable… Security device sprawl is a

30% Blended attacks… are overwhelming conventional security devices at the edge of the data center.

Security ChallengesSecurity Challenges

Traditional network devices are failing under load… 3 out of 6 major firewalls failed under stability testing, and 5 out of 6 were vulnerable to a common exploit.

Security is still expendable… 9 out of 10 IT organizations admit to sacrificing security for performance.

Over 90% of IT administrator want…

Security Context

Security device sprawl is a challenging problem… IT biggest security challenge with device sprawl is operational complexity.

Statement Statement -- SONY SONY Online EntertainmentOnline Entertainmenthttp://blog.eu.playstation.com/http://blog.eu.playstation.com/

•• On April 16th and 17th, 2011….. Personal information from On April 16th and 17th, 2011….. Personal information from approximately 24.6 million SOE accounts may have been approximately 24.6 million SOE accounts may have been stolen…,stolen…,•• Name, eName, e--mail, login, hashed password,…mail, login, hashed password,…

•• As As well as certain information from an outdated database from well as certain information from an outdated database from 2007 for 10.700 customer in EU2007 for 10.700 customer in EU•• Name, bank account number, address,…Name, bank account number, address,…

Sony stock performance: Sony stock performance: Nov 2010Nov 2010--Nov Nov 20112011

•• Several companies stopped the service for Several companies stopped the service for WikiLeaksWikiLeaks although although it is not proven that it is not proven that WikiLeaksWikiLeaks violates the existing lawviolates the existing law

•• Amazon removed all Amazon removed all WikiLeaksWikiLeaks content from their serverscontent from their servers•• EveryDNSEveryDNS switched off the DNS resolution for wikileaks.orgswitched off the DNS resolution for wikileaks.org•• Several financial institutes locked up donation accountsSeveral financial institutes locked up donation accounts

What happened What happened toto WikiLeaksWikiLeaks??

Finally…Finally…

•• Thousand of internet users unloaded their accumulated anger starting Thousand of internet users unloaded their accumulated anger starting 7th Dec 20107th Dec 2010

•• Web Web servers of servers of Swiss Swiss PostfinancePostfinancebank were down bank were down for several for several hourshours

•• Credit card companies Credit card companies likelike•• Credit card companies Credit card companies likelikeMastercardMastercard and VISA and VISA where where notnotaccessible for several hours/dayaccessible for several hours/dayover over several several daysdays

•• Paypal’sPaypal’s transaction network transaction network werewereslowslow but not but not taken down completelytaken down completely

•• 3 Basic Classes of Attack 3 Basic Classes of Attack •• L7 (HTTP/Web): Slowloris L7 (HTTP/Web): Slowloris

•• Creates massive concurrent sessions Creates massive concurrent sessions •• Firewalls quickly overwhelmedFirewalls quickly overwhelmed•• Server resources completely consumed Server resources completely consumed

•• L4: TCP Flood/Syn Flood L4: TCP Flood/Syn Flood •• Targets any TCP aware deviceTargets any TCP aware device

•• L3: ICMP FloodL3: ICMP Flood

WikiLeaks DDoS Attack ProfileWikiLeaks DDoS Attack Profile

Border Router (Internet Connection)

ICMP flood TCP FloodSlowloris

•• L3: ICMP FloodL3: ICMP Flood•• ICMP protocol attackICMP protocol attack•• Consumes router, Firewall and server resourcesConsumes router, Firewall and server resources

•• BIGBIG--IP/ASM stopped attacks!IP/ASM stopped attacks!•• Combination of core TMOS functionality, Combination of core TMOS functionality, iRulesiRules and and

ASM (Application Security ASM (Application Security ManagerManager))

PCI Compliant Firewall

F5 BIG-IP with ASM Module

Intrusion Prevention Device

The Three Threat VectorsThe Three Threat Vectors

Network Attacks Application AttacksDDoS Attacks

Unified Security Unified Security Architecture Architecture

Traditional Approach

LOAD BALANCER

FIREWALLWEB APPFIREWALL

DDoSPROTECTION

DNSSECURITY

ACCESSMANAGEMENTAND REMOTE

ACCES

DNS WEB ACCESS

LTM

DATA CENTER FIREWALLDATA CENTER FIREWALLDATA CENTER FIREWALLDATA CENTER FIREWALL

BIF

UR

CAT

ION

Next Generation Firewall

EnterpriseDatacenter

Datacenter Firewall

Internet Datacenter

Two different use cases Two different use cases

BIF

UR

CAT

ION

OF

FIR

EW

ALLSCharacteristics

• Outbound User Inspection• UserID and AppID• Who is doing What?• 1K users to 10K web sites• Broad but Shallow

Datacenter

(Users)

Datacenter

(servers)

Characteristics

• Inbound Application Protection• Application Delivery Focus• 1M users to 100 Apps• Narrow but Deep• 12 Protocols (HTTP, SSL, etc)

Internet Data Center Perimeter FirewallInternet Data Center Perimeter FirewallPerimeter Firewall with Load Balancer

Today

Overview• Traditional firewall• Standalone load balancer

Load Balancer

Limitations• DDoS protection• Connections• Scale• Device management• Defense methods

Internet Data Center Perimeter FirewallInternet Data Center Perimeter FirewallPerimeter Firewall with Load Balancer

With BIG-IPOverview• Consolidated Device• Firewall Service• Application Delivery• Web Application Firewall

Benefits

BIG-IP LTM with ASM

Benefits• Application fluency• SSL visibility• DDoS protection 30 + types• Dynamic defense methods• Best price to performance class• OWASP top 10 protection

Connections per SecondConnections per Second

Competitor ABC + 4 Blades$124,000

F5 BIG-IP 11050$129,995

WEB SECURITY SERVICES WEB SECURITY SERVICES WEB SECURITY SERVICES WEB SECURITY SERVICES

Integrated ADC SecurityIntegrated ADC SecurityBIGBIG--IP Application Security Manager IP Application Security Manager

• Simplifies and streamlines network topology • Unifies app. security and deliver for full L2 to L7 protection

BIG-IP LTM + ASM

SECURE APPLICATIONS & DATA

• Application Proxy• Transaction Assurance• Resource Cloaking• Network and protocol attack

prevention• Secure Network Address

Translation• Port Mapping• Selective Content Encryption

BIG-IP LTM + ASM

PROTECT WEB APPLICATIONS

• Layer 7 Web app. protection

• Secures latest interactive apps.

• Protects from OWASP Top 10+

• Educates admin. on attack type

• Logs and reports all traffic

• Meets PCI Compliance

• Out-of-the-box deployment

• Quickly resolves vulnerabilities

OWASP Top 10 Web Application Security Risks: OWASP Top 10 Web Application Security Risks: 1.1. Injection Injection 2.2. CrossCross--Site Scripting (XSS) Site Scripting (XSS) 3.3. Broken Authentication and Session Management Broken Authentication and Session Management

Protection Protection FFrom Top Web Application rom Top Web Application VulnerabilitiesVulnerabilities(Open Web Application Security Project)(Open Web Application Security Project)

4.4. Insecure Direct Object References Insecure Direct Object References 5.5. CrossCross--Site Request Forgery (CSRF) Site Request Forgery (CSRF) 6.6. Security Misconfiguration Security Misconfiguration 7.7. Insecure Cryptographic Storage Insecure Cryptographic Storage 8.8. Failure to Restrict URL Access Failure to Restrict URL Access 9.9. Insufficient Transport Layer Protection Insufficient Transport Layer Protection 10.10. Unvalidated Redirects and Forwards Unvalidated Redirects and Forwards

Source: www.owasp.org

Customer Website

Mitigate Vulnerabilities NowMitigate Vulnerabilities Now

• Finds a vulnerability

• Virtual-patching with

one-click on BIG-IP ASM

Web Application Scanner

BIG-IP Application Security Manager

• Verify, assess, resolve and retest in one UI

• Automatic or manual creation of policies

• Discovery and remediation in minutes

• Vulnerability checking,

detection and remediation

• Complete website protection

•• 3 free basic scans with “Open Cenzic Cloud Trial Account"3 free basic scans with “Open Cenzic Cloud Trial Account"•• "Connect with Cenzic Cloud" (for existing users)"Connect with Cenzic Cloud" (for existing users)•• Import vulnerabilities from Cenzic Cloud or load file Import vulnerabilities from Cenzic Cloud or load file

Quick Cenzic Cloud ConnectionQuick Cenzic Cloud Connection

IP IntelligenceIP IntelligenceIdentify and allow or block IP addresses with malicious activityIdentify and allow or block IP addresses with malicious activity

IP Intelligence Service

• Use IP intelligence to defend attacks

• Reduce operation and capital expenses

?

Scanners

Internally infected devices and servers

•• Fast IP update of malicious activity Fast IP update of malicious activity •• Global sensors capture IP behaviorsGlobal sensors capture IP behaviors•• Threat correlation reviews/ blocks/ releases Threat correlation reviews/ blocks/ releases

IP IntelligenceIP IntelligenceHow it worksHow it works

Key Threats Sensor Techniques

Web Attacks

Reputation

Windows Exploits

Botnets

Scanners

Network Attacks

DNS

Semi-open Proxy Farms

Exploit Honeypots

Naïve User Simulation

Web App Honeypots

Third-party Sources

Graphical ReportingGraphical ReportingDetailed chart path of threats in ASMDetailed chart path of threats in ASM

WEB ACCESS MANAGEMENTWEB ACCESS MANAGEMENTWEB ACCESS MANAGEMENTWEB ACCESS MANAGEMENT

One Access Solution One Access Solution –– BIGBIG--IP APMIP APM

All AccessUse Cases

Web Access Management:• Proxy to HTTP apps

– Custom– 3rd party

Remote Access: • SSL VPN

– Network Access– Portal Access– App Tunnels

BIG-IP Access Policy Manager

Application Access Control:• Proxy to Non-HTTP apps

– Citrix ICA– ActiveSync– Outlook Anywhere

Web Access ManagementAuthentication Alternatives Today

APP 1

APP 2

APP 3

123

Proxy Web Servers

APP n

1 Code in the Application• Costly, difficult to

change• Not repeatable, less

secure

2 3Agents on Servers• Difficult to manage• Not interoperable or secure• Decentralized and costly

Specialized Access Proxies• Doesn’t scale and not

reliable• More boxes and

expensive

Directory

Enable Simplified Enable Simplified Application AccessApplication AccessWith With BIGBIG--IP Access Policy Manager (APM)IP Access Policy Manager (APM)

Authentication All in One and Fast SSO Authentication All in One and Fast SSO F5 BIGF5 BIG--IP Access Policy ManagerIP Access Policy Manager

Dramatically reduce infrastructure costs; increase productivityDramatically reduce infrastructure costs; increase productivity

Control Access of EndpointsControl Access of EndpointsEnsure strong endpoint securityEnsure strong endpoint security

Allow, deny, or remediate Allow, deny, or remediate Invoke protected workspace Invoke protected workspace

BIG-IP APM

• Client or machine certificates

• Antivirus software versionand updates

• Software firewall status

• Access to specific applications

• Restrict USB access

• Cache cleaner leaves no trace

• Ensure no malware enters corporate network

Allow, deny, or remediate Allow, deny, or remediate users based on endpoint users based on endpoint attributes such as:attributes such as:

Invoke protected workspace Invoke protected workspace for unmanaged for unmanaged devices:devices:

!Non-

compliantInformation

App Security with BIGApp Security with BIG--IP ASM and APMIP ASM and APM

!Illegal

requests

ASM allowslegitimate requests

ASMStops bad requests /responses

!InfrastructuralIntelligenceAPM offers authentication

and authorization

!Unauthorised

Access

Reduces the attack vector because only authenticate d, authorized and legal requests are permitted to the relevant ap plication servers

APMStops

unauthorizedrequests

BrowserApplications

DNSDNS SECURITY USE CASESSECURITY USE CASESDNSDNS SECURITY USE CASESSECURITY USE CASES

DNS Attacks Are CommonDNS Attacks Are Common

DNS DNS is is Vulnerable to AttacksVulnerable to Attacks

Data Center

DNS Servers www.company.com

• Multiple DNS attacks: DDoS, Cache Poisoning, Man-in-the-middle• Application timeouts (401 errors)• Lost customers, lost productivity• Loss of Revenue and Brand Equity

LDNS

Complete DNS Protection Complete DNS Protection BIGBIG--IP Global Traffic ManagerIP Global Traffic Manager

LDNS

Data Center

company.com

X QA i

• High Performance DNS – Multicore GTM

• Scalable DNS - DNS Express

• Malformed UDP packets are dropped

• Spread the load across devices - IP Anycast

• Secure DNS Queries - DNSSEC

• Route based on nearest Datacenter - Geolocation

• Complete DNS control with – DNS iRules

LDNS

A

X

Q

i

Exponential and Efficient DNS Performance Exponential and Efficient DNS Performance Implement DNS ExpressImplement DNS Express

DNS ExpressDNS Express

•• HighHigh--speed response and DDoS protection with inspeed response and DDoS protection with in--memory DNSmemory DNS

•• Authoritative DNS serving out of RAMAuthoritative DNS serving out of RAM

•• Configuration size for tens of millions of recordsConfiguration size for tens of millions of records

•• Scalable DNS PerformanceScalable DNS Performance

•• Consolidate DNS ServersConsolidate DNS Servers DNS Server•• Consolidate DNS ServersConsolidate DNS Servers

ManageDNS

Records

NIC

OSAdminAuthRoles

DynamicDNS

DHCP

AnswerDNS

Query

AnswerDNS

Query

AnswerDNS

Query

AnswerDNS

Query

AnswerDNS

Query

DNS Express in TMOS

DNS Server

queries/second BIG-IP 1600: ~300k qpsBIG-IP 3900: ~600k qpsBIG-IP 8900: ~1.5 Million

VIPRIONUp to 6 million qps!

Rethinking your approach through Rethinking your approach through consolidationconsolidation

Traditional Datacenter

Anti-DDoS

IPS

F5 Datacenter Firewall Transformation

Anti-DDoS

Remote AccessIPS

Firewall

Load Balancer

App Servers

• Traditional firewalls blind to SSL• Limited DDoS protection• Management headache across devices

• Layer 3-7, DDoS protection• High performance and flexible• Achieve 4X cost reduction

Remote Access

Firewall

Load Balancer

Summary Summary –– F5 Unified SecurityF5 Unified Security