Andrzej Kroczek
How to increase application security and high availability according to F5 Networks
© F5 Networks, Inc 2
Technology Shifts Are Creating Opportunity
Mobility
SDDC/Cloud
Advanced threats
Internet of Things
“Software defined” everything
HTTP is the new TCP
Frequency of attacks - 2014
Script kiddies
2014
The rise of hacktivism
Cyber war
Mar 04 Meetup Event Planning – NTP Amplification attack carried out by extortionists
Feb 11 oDesk – Temporary website disruption as result of DDoS attack
Feb 05 Bitly – Outage as result of DDoS attack
Mar 24 Basecamp – DDoS attack by extortionists
Mar 27 SurveyGizmo – DDoS attack; Site down 2 days; ISP abandoned recovery
Mar 20 Hootsuite – DDoS attack by extortionists
Mar 17 Royalty Free Stock Images – DDoS attack by extortionists
Mar 11 GitHub Code Host – UDP based Amplification attack
Feb 11 Elance Freelance Job Site – NTP Reflection Attack; temporary website disruption
Feb 20 Namecheap – Simultaneous attack on 300 websites it registers
The business impact of DDoS
Cost of corrective action
Reputation management
Which DDoS technology to use?
CLOUD/HOSTED SERVICE
STRENGTHS
• Completely off-premises so DDoS attacks can’t reach you
• Amortized defense across thousands of customers
• DNS anycast and multiple data centers protect you
WEAKNESSES
• Customers pay, whether attacked or not
• Bound by terms of service agreement
• Solutions focus on specific layers (not all layers)
ON-PREMISES DEFENSE
STRENGTHS
• Direct control over infrastructure
• Immediate mitigation with instant response and reporting
• Solutions can be architected to scale independently of one another
WEAKNESSES
• Many point solutions in market, few comprehensive DDoS solutions
• Can only mitigate up to max inbound connection size
• No other value. Only providing benefit when you get attacked. (excludes F5)
Which DDoS technology to use?
HYBRID MODEL CLOUD AND ON-PREM
STRENGTHS
• Combined on-premises and cloud solution to stop all attacks
• Amortized defense across thousands of customers
• DNS anycast and multiple data centers protect you
• Immediate mitigation with instant response and reporting
• Direct control over on-premises infrastructure
• Solutions can be architected to scale independently of one another
Securing applications can be complex
• Changing threats: Increasing in complexity that requires intelligence and on-going learning
• Scalability and performance: Needed to ensure services are available during the onset of aggressive attacks
• Webification: Impossible to build safeguards into applications in a timely manner
• Ownership: Challenges with security team making the dev team fix vulnerabilities
• Attack visibility: Is often lacking details to truly track and identify attacks and their source, and ensure compliance and forensics
• Compliance: Maintaining compliance with government standards
F5 Offers Comprehensive DDoS Protection
[Diagram labels: Scanner, Anonymous Proxies, Anonymous Requests, Botnet, Attackers, Threat Intelligence Feed; Cloud, Network, Application; Legitimate Users, DDoS Attackers; ISPa/b; IPS; Network and DNS; Application; Next-Generation Firewall; Corporate Users; Financial Services; E-Commerce; Subscriber; Strategic Point of Control]
• Cloud Scrubbing Service: Volumetric attacks and floods, operations center experts, L3-7 known signature attacks
• Multiple ISP strategy
• Network attacks: ICMP flood, UDP flood, SYN flood
• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
• HTTP attacks: Slowloris, slow POST, recursive POST/GET
• SSL attacks: SSL renegotiation, SSL flood
Use case
Load balancing multiple firewalls
Before f5
with f5
Consolidated datacenter protection
User
Attackers
Rising Security Threats/Attacks
Load Balancing
Firewalls
Load Balancing w/ SSL
Network DDoS Protection
Application DDoS Protection
DNSSEC
Web Access Management
Consolidated datacenter protection
• Consolidation of firewall, app security, traffic management
• Protection for data centers and application servers
• High scale for the most common inbound protocols
Before f5
with f5
[Diagram labels: User; Load Balancer; DNS Security; Network DDoS; Web Application Firewall; Web Access Management; Load Balancer & SSL; Application DDoS; Firewall; Application Security; Data Center Firewall; Access Security; App Servers; Classic Server]