BIG-IP directly facing the internet. Is a firewall not needed at all? (original title: "BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja?") Tarmo Mamers, Heigo Mansberg

Posted on 20-Aug-2018


Network Firewall

Imagery © stackexchange.com

Network Firewall Functions

Network Firewall Traffic (figure: inbound and outbound traffic crossing the firewall between the inside and outside segments)

Separately Located Segments

Outbound Traffic

Inbound Traffic

Users vs Applications

Network firewall: secures users
Application firewall: secures applications

Imagery © F5 Networks

Network Firewall Functions (build-up slides)

The function set shown on each slide: DNS Security, Network D/DoS, Web Application Firewall, Load Balancer, SSL Offload, Application D/DoS, Firewall.

Successive slides show how much of that set is covered as modules are added:
• BIG-IP LTM
• BIG-IP LTM+ASM
• BIG-IP LTM+ASM+AFM

(Which functions each build-up highlights is a diagram element not preserved in the transcript. As modules, LTM provides load balancing and SSL offload, ASM the web application firewall and application D/DoS protection, and AFM the network firewall and network D/DoS protection.)

BIG-IP Full-Proxy Architecture

Client-side stack: TCP, SSL, HTTP. Server-side stack: TCP, SSL, HTTP. The two sides are independent connections terminated on BIG-IP, so each layer can be inspected before anything is forwarded.

Attacks stopped at each layer:
• TCP (AFM): ICMP flood, SYN flood
• SSL: SSL renegotiation
• HTTP (ASM): data leakage, Slowloris attack, XSS

Imagery © F5 Networks

AFM & Attacks: which BIG-IP module mitigates which attack class

Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
  Mitigated by BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.

Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
  Mitigated by BIG-IP LTM and DNS: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.

Application attacks: Slowloris, Slow Post, HashDos, GET Floods
  Mitigated by BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.

F5 Mitigation Technologies (figure: the OSI layers Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7), with the difficulty of attack detection increasing up the stack and F5 mitigation technologies mapped across the layers)

AFM Features

• Access Control Policy
• DDoS Detection & Attack Mitigation
• Dynamic Endpoint Enforcement
• Manageability & Visibility

Access Control Policy

Flow classification criteria
• Time based
• Protocol
• Source address:port
• Source VLAN
• Destination address:port
• Geolocation (country + region)
• User/group ID (11.6)

Rule lists
• Grouping of rules
• "Global rules" that can be used anywhere in the policy
• Can be referenced in multiple policies on multiple firewalls

Primary actions
• Drop: silently discard
• Reject: drop and inform sender
• Accept: permit
• Accept decisively: permit and skip processing at subsequent contexts
• Configurable default action

Other actions
• Fire iRule
• iRule sampling (11.6)
• Log
• Hit count
• Last hit timestamp

Rule analysis: overlapping rule detection, redundant rule detection

Imagery © F5 Networks

Policy Staging

Enforced policy: the firewall enforces the policy as usual.
Staged policy: counting and logging only, to provide data about what will happen if the policy is enforced. No impact on live traffic, but you still get insight into your newly created policy.

Contexts

Policies are attached at nested contexts and evaluated in order: Global, then Route Domain, then Virtual Server. (Figure: global rules R1 and R2 apply to all traffic; below them, route domains and the individual virtual servers Mail, WWW-Prod, WWW-Staging and WWW-Test each carry their own policy.)

Imagery © F5 Networks
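The three slides above (access control policy, policy staging, contexts) describe the evaluation semantics of an AFM policy without showing them in motion. The following is an added example written for this page, not F5 code and not the BIG-IP configuration syntax: a small model in Python of a first-match policy with the flow-classification criteria, the four primary actions (including "accept decisively" skipping later contexts), hit count and last-hit timestamp per rule, a configurable default action, and a staged policy that counts without enforcing, evaluated across Global and Virtual Server contexts. Policy and rule names, VLAN names and the addresses (documentation ranges) are hypothetical; the geolocation result is supplied on the flow rather than looked up.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    proto: str            # "tcp" | "udp" | "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    vlan: str = "external"
    country: str = "EE"   # geolocation lookup result, supplied by the caller in this model


@dataclass
class Rule:
    name: str
    action: str                        # drop | reject | accept | accept-decisively
    proto: Optional[str] = None        # None = any protocol
    src_nets: tuple = ()               # CIDR strings; empty tuple = any
    dst_nets: tuple = ()
    dports: tuple = ()
    vlans: tuple = ()
    countries: tuple = ()
    hits: int = 0                      # "Hit Count"
    last_hit: Optional[int] = None     # "Last Hit Timestamp"

    def matches(self, f: Flow) -> bool:
        def in_nets(addr: str, nets: tuple) -> bool:
            return not nets or any(ip_address(addr) in ip_network(n) for n in nets)
        return ((self.proto is None or self.proto == f.proto)
                and in_nets(f.src, self.src_nets)
                and in_nets(f.dst, self.dst_nets)
                and (not self.dports or f.dport in self.dports)
                and (not self.vlans or f.vlan in self.vlans)
                and (not self.countries or f.country in self.countries))


@dataclass
class Policy:
    name: str
    rules: list
    default_action: str = "drop"       # configurable default action; drop = default-deny posture
    staged: bool = False               # staged = count and log only, never enforce

    def evaluate(self, f: Flow, now: int) -> Optional[str]:
        """First matching rule wins. Returns the action, or None when the policy is staged."""
        for r in self.rules:
            if r.matches(f):
                r.hits += 1
                r.last_hit = now
                return None if self.staged else r.action
        return None if self.staged else self.default_action


def evaluate_contexts(contexts, f: Flow, now: int):
    """contexts: ordered (context_name, Policy) pairs, global first, virtual server last.
    A staged policy is listed ahead of the enforced policy of the same context so that
    every flow reaching that context is counted. Returns (final_action, deciding_context)."""
    for ctx_name, pol in contexts:
        action = pol.evaluate(f, now)
        if action is None:                 # staged policy: counted, no effect on traffic
            continue
        if action in ("drop", "reject"):
            return action, ctx_name
        if action == "accept-decisively":
            return "accept", ctx_name      # permit and skip all later contexts
        # plain "accept": permitted in this context, later contexts still run
    return "accept", "end-of-contexts"


def hit_report(policies):
    """Per-rule counters: the data a staged policy gives you before you enforce it."""
    return [(p.name, r.name, r.hits, r.last_hit) for p in policies for r in p.rules]


# Constructed demo policies (hypothetical names and addresses).
GLOBAL = Policy("global", [
    Rule("drop-rfc1918-from-internet", "drop",
         src_nets=("10.0.0.0/8", "192.168.0.0/16"), vlans=("external",)),
    Rule("continue", "accept"),            # hand off to the virtual-server policies
])
WWW_PROD = Policy("www-prod", [
    Rule("allow-https", "accept-decisively", proto="tcp", dports=(443,)),
    Rule("allow-http-baltic", "accept", proto="tcp", dports=(80,), countries=("EE", "LV", "LT")),
])
SCANNER_STAGED = Policy("www-prod-staged", [
    Rule("block-scanner-net", "drop", src_nets=("203.0.113.0/24",)),
], staged=True)
CONTEXTS_WWW_PROD = [("global", GLOBAL),
                     ("virtual:WWW-Prod (staged)", SCANNER_STAGED),
                     ("virtual:WWW-Prod", WWW_PROD)]


def run_demo():
    """Constructed flows; returns {label: (action, deciding_context)}."""
    flows = {
        "https-from-internet":      Flow("tcp", "198.51.100.7", 40000, "192.0.2.10", 443),
        "spoofed-private-src":      Flow("tcp", "10.1.2.3", 40001, "192.0.2.10", 443),
        "dns-to-web-vip":           Flow("udp", "198.51.100.9", 40002, "192.0.2.10", 53),
        "http-from-outside-region": Flow("tcp", "198.51.100.11", 40003, "192.0.2.10", 80, country="US"),
        "https-from-scanner-net":   Flow("tcp", "203.0.113.5", 40004, "192.0.2.10", 443),
    }
    return {label: evaluate_contexts(CONTEXTS_WWW_PROD, f, now=1534723200 + i)
            for i, (label, f) in enumerate(flows.items())}


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:26} -> {verdict}")
    for row in hit_report([GLOBAL, SCANNER_STAGED, WWW_PROD]):
        print(row)
```

The scanner flow is accepted by the enforced policy but still increments the staged rule's hit counter, which is exactly the signal staging is meant to give before the rule goes live; the UDP flow shows the default-deny posture at the virtual server context even though the global context let it through.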

Bad Header – IPv4

• Bad IP Option
• Bad IP TTL Value
• Bad IP Version
• Header Length > L2 Length
• Header Length Too Short
• IP Error Checksum
• IP Length > L2 Length
• IP Option Frames
• IP Source Address == Destination Address
• L2 Length >> IP Length
• No L4
• TTL <= 1

Bad Header – IPv6

• Bad IPv6 Hop Count
• Bad IPv6 Version
• IPv6 Extended Header Frames
• IPv6 Length > L2 Length
• IPv6 Source Address == Destination Address
• Payload Length < L2 Length
• Too Many Extended Headers
• No L4 (Extended Headers Go To Or Past End of Frame)

Other

• Host Unreachable
• TIDCMP

Bad Header – L2

• Ethernet MAC Source Address == Destination Address

Bad Header – TCP

• Bad TCP Checksum
• Bad TCP Flags (All Cleared and SEQ# == 0)
• Bad TCP Flags (All Flags Set)
• FIN Only Set
• Option Present With Illegal Length
• SYN && FIN Set
• TCP Header Length > L2 Length
• TCP Header Length Too Short (Length < 5)
• TCP LAND
• TCP Option Overruns TCP Header
• Unknown TCP Option Type

Bad Header – UDP

• Bad UDP Checksum
• UDP LAND
• Bad UDP Header (UDP Length > IP Length or L2 Length)

Bad Header – ICMP

• Bad ICMP Frame
• ICMP Frame Too Large
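The "Bad Header" lists name the sanity checks AFM applies to every frame before it reaches a connection table. As an added example, not F5 code and not how AFM implements them, the Python below parses raw IPv4+TCP frames and reports the IPv4 and TCP checks from those lists that a frame violates, using the slide's own labels. It also builds the constructed test frames, so it runs offline; the threshold for "L2 Length >> IP Length" and the choice of the six classic flag bits for "All Flags Set" are assumptions made for this example. The frame is assumed to have been identified as IPv4 by the Ethernet type, so a version nibble other than 4 is reported as "Bad IP Version".

```python
import struct
from ipaddress import IPv4Address

FLAG_FIN, FLAG_SYN = 0x01, 0x02
L2_PAD_SLACK = 64        # assumed: more than this many trailing bytes is "L2 Length >> IP Length"


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a header that already carries a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, flags, seq=1, ttl=64,
                   total_len=None, bad_ip_csum=False, bad_tcp_csum=False):
    """Constructed test frame: 20-byte IPv4 header + 20-byte TCP header, no payload."""
    s, d = IPv4Address(src).packed, IPv4Address(dst).packed
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0))
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    struct.pack_into("!H", tcp, 16, checksum(pseudo + bytes(tcp)) ^ (1 if bad_tcp_csum else 0))
    ip_len = 20 + len(tcp) if total_len is None else total_len
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, ttl, 6, 0, s, d))
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)) ^ (1 if bad_ip_csum else 0))
    return bytes(ip) + bytes(tcp)


def check_tcp(src: bytes, dst: bytes, seg: bytes) -> list:
    """TCP checks from the 'Bad Header – TCP' list (options are not parsed here)."""
    if not seg:
        return ["No L4"]
    if len(seg) < 20:
        return ["TCP Header Length > L2 Length"]
    v = []
    doff = (seg[12] >> 4) * 4
    flags = seg[13]
    if doff < 20:
        v.append("TCP Header Length Too Short (Length < 5)")
    elif doff > len(seg):
        v.append("TCP Header Length > L2 Length")
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    if checksum(pseudo + seg) != 0:
        v.append("Bad TCP Checksum")
    sport, dport, seq = struct.unpack_from("!HHI", seg, 0)
    if flags == 0 and seq == 0:
        v.append("Bad TCP Flags (All Cleared and SEQ# == 0)")
    if (flags & 0x3F) == 0x3F:          # URG ACK PSH RST SYN FIN all set (assumed bit set)
        v.append("Bad TCP Flags (All Flags Set)")
    if flags == FLAG_FIN:
        v.append("FIN Only Set")
    if (flags & (FLAG_SYN | FLAG_FIN)) == (FLAG_SYN | FLAG_FIN):
        v.append("SYN && FIN Set")
    if src == dst and sport == dport:
        v.append("TCP LAND")
    return v


def check_ipv4_frame(frame: bytes) -> list:
    """IPv4 checks from the 'Bad Header – IPv4' list, then the TCP checks if protocol is 6."""
    if len(frame) < 20:
        return ["Header Length Too Short"]
    if frame[0] >> 4 != 4:
        return ["Bad IP Version"]
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20:
        return ["Header Length Too Short"]
    if ihl > len(frame):
        return ["Header Length > L2 Length"]
    v = []
    total_len = struct.unpack_from("!H", frame, 2)[0]
    if total_len > len(frame):
        v.append("IP Length > L2 Length")
    elif len(frame) - total_len > L2_PAD_SLACK:
        v.append("L2 Length >> IP Length")
    if checksum(frame[:ihl]) != 0:
        v.append("IP Error Checksum")
    if frame[8] <= 1:
        v.append("TTL <= 1")
    if frame[12:16] == frame[16:20]:
        v.append("IP Source Address == Destination Address")
    if ihl > 20:
        v.append("IP Option Frames")
    if frame[9] == 6:
        v += check_tcp(frame[12:16], frame[16:20], frame[ihl:min(total_len, len(frame))])
    return v


def demo_frames():
    """Constructed frames (documentation addresses); returns {label: [violations]}."""
    a, b = "198.51.100.7", "192.0.2.10"
    cases = {
        "valid-syn":     build_ipv4_tcp(a, b, 40000, 443, FLAG_SYN),
        "tcp-land":      build_ipv4_tcp(b, b, 443, 443, FLAG_SYN),
        "xmas":          build_ipv4_tcp(a, b, 40001, 443, 0x3F),
        "null-seq0":     build_ipv4_tcp(a, b, 40002, 443, 0, seq=0),
        "ttl1-bad-csum": build_ipv4_tcp(a, b, 40003, 443, FLAG_SYN, ttl=1, bad_ip_csum=True),
        "truncated":     build_ipv4_tcp(a, b, 40004, 443, FLAG_SYN, total_len=60),
        "bad-tcp-csum":  build_ipv4_tcp(a, b, 40005, 443, FLAG_SYN, bad_tcp_csum=True),
    }
    return {label: check_ipv4_frame(frame) for label, frame in cases.items()}


if __name__ == "__main__":
    for label, violations in demo_frames().items():
        print(f"{label:14} {violations or 'ok'}")
```

A frame that fails any of these checks never reaches the connection table, which is why they sit in front of the flood counters: a malformed SYN should not be allowed to cost a SYN-cookie computation or a table entry.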

DOS Detection & Mitigation

Flood

• ARP Flood
• DNS Response Flood
• Ethernet Broadcast Packet
• Ethernet Multicast Packet
• ICMP Flood
• IPv6 Fragment Flood
• IP Fragment Flood
• Routing Header Type 0
• TCP ACK Flood
• TCP RST Flood
• TCP SYN ACK Flood
• TCP SYN Flood
• UDP Flood
• Single Endpoint Flooder
• Single Endpoint Sweeper

Fragmentation

• ICMP Fragment
• IPv6 Fragment
• IPv6 Fragment Overlap
• IPv6 Fragment Too Small
• IP Fragment
• IP Fragment Overlap
• IP Fragment Too Small
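The flood vectors above are rate-based, and two of them are keyed differently from the rest: "Single Endpoint Flooder" counts packets from one source to one destination, while "Single Endpoint Sweeper" counts the number of distinct destinations one source touches. As an added example (not F5 code, and not AFM's actual detection algorithm or thresholds) the Python below keeps a sliding one-second window per key and raises a vector once per attack episode when the count crosses a per-vector threshold; it also keeps per-source totals so the same stream can feed a Top-N report like the one listed later under Manageability & Visibility. The traffic, timestamps (in milliseconds), thresholds and addresses are constructed for the example.

```python
from collections import Counter, defaultdict, deque

SYN = 0x02


class FloodDetector:
    """Sliding-window flood detection keyed per vector, plus per-source totals for Top-N."""

    def __init__(self, window_ms=1000, syn_per_dst=100, pkts_per_pair=50, dsts_per_src=20):
        self.window = window_ms
        self.limits = {"TCP SYN Flood": syn_per_dst,            # SYNs toward one destination
                       "Single Endpoint Flooder": pkts_per_pair,  # packets on one src->dst pair
                       "Single Endpoint Sweeper": dsts_per_src}   # distinct dsts from one source
        self.hist = defaultdict(deque)   # (vector, key) -> deque of (ts, dst) inside the window
        self.active = set()              # (vector, key) currently above threshold
        self.events = []                 # (ts, vector, key), one per episode
        self.by_source = Counter()

    def _count(self, vector, key, ts, dst):
        q = self.hist[(vector, key)]
        q.append((ts, dst))
        while q and q[0][0] < ts - self.window:   # slide the window forward
            q.popleft()
        if vector == "Single Endpoint Sweeper":
            return len({d for _, d in q})
        return len(q)

    def observe(self, ts, proto, src, dst, dport, flags=0):
        """Feed one packet; returns the vectors that newly fired on it."""
        self.by_source[src] += 1
        checks = [("Single Endpoint Flooder", f"{src}->{dst}"),
                  ("Single Endpoint Sweeper", src)]
        if proto == "tcp" and (flags & 0x3F) == SYN:         # SYN-only segments
            checks.append(("TCP SYN Flood", dst))
        fired = []
        for vector, key in checks:
            n = self._count(vector, key, ts, dst)
            if n > self.limits[vector]:
                if (vector, key) not in self.active:          # fire once per episode
                    self.active.add((vector, key))
                    self.events.append((ts, vector, key))
                    fired.append(vector)
            else:
                self.active.discard((vector, key))            # episode over, may fire again
        return fired

    def top_sources(self, n=3):
        """Top-N report: busiest sources, ties broken by address for a stable order."""
        return sorted(self.by_source.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def run_demo():
    """Constructed traffic: a distributed SYN flood, one UDP flooder, one port sweep."""
    det = FloodDetector()
    for i in range(120):   # 120 SYNs in 600 ms from 12 sources toward one virtual server
        det.observe(i * 5, "tcp", f"198.51.100.{1 + i % 12}", "192.0.2.10", 443, flags=SYN)
    for i in range(60):    # one host sending 60 UDP packets to one endpoint in 600 ms
        det.observe(2000 + i * 10, "udp", "203.0.113.5", "192.0.2.10", 53)
    for i in range(25):    # one host probing 25 different hosts on port 22
        det.observe(4000 + i * 10, "tcp", "198.51.100.200", f"192.0.2.{1 + i}", 22, flags=SYN)
    return det


if __name__ == "__main__":
    d = run_demo()
    for ev in d.events:
        print(ev)
    print(d.top_sources())
```

Note what the two keys buy you: the distributed SYN flood never exceeds the per-pair flooder limit (each source sends only 10 packets), and the sweep never exceeds the per-destination SYN limit (each target sees one SYN), so each pattern is caught only by the vector keyed for it.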

Dynamic Endpoint Visibility

– IP Intelligence Service (Webroot)
– Custom dynamic IP whitelist & blacklist

IP Intelligence (figure: the IP intelligence service pushes an IP address feed, updated every 5 min, to BIG-IP, which also consults a geolocation database. Sources it classifies: botnet, restricted region or country, internally infected devices and servers, attacker, anonymous requests, anonymous proxies, scanner. Protected targets in the figure: a custom application and a financial application.)

Imagery © F5 Networks
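The IP intelligence slide lists feed categories, a geolocation database and custom whitelists/blacklists, but the practical question is how they combine when one address hits several of them and two applications want different responses. As an added example (not F5 code and not the Webroot feed format) the Python below models that precedence: the custom whitelist wins outright, the custom blacklist wins next, then the most severe action any matched category carries under the application's own policy, and a feed refresh replaces the categories in place. Categories, address ranges (documentation prefixes), policy names and actions are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

SEVERITY = {"drop": 2, "log": 1, "accept": 0}   # most severe category action wins


class IpIntelligence:
    """Category feed plus local overrides; whitelist beats blacklist beats feed."""

    def __init__(self, feed, whitelist=(), blacklist=()):
        self.feed = {}
        self.update_feed(feed)
        self.whitelist = [ip_network(n) for n in whitelist]
        self.blacklist = [ip_network(n) for n in blacklist]

    def update_feed(self, feed):
        """Replace the categories with a fresh feed (the slide: feed updates every 5 min)."""
        self.feed = {cat: [ip_network(n) for n in nets] for cat, nets in feed.items()}

    def categories(self, addr):
        a = ip_address(addr)
        return sorted(cat for cat, nets in self.feed.items() if any(a in n for n in nets))

    def decide(self, addr, policy):
        """policy: {category: action}; returns (action, reason)."""
        a = ip_address(addr)
        if any(a in n for n in self.whitelist):
            return "accept", "custom-whitelist"
        if any(a in n for n in self.blacklist):
            return "drop", "custom-blacklist"
        cats = self.categories(addr)
        if not cats:
            return "accept", "uncategorized"
        action, reason = "accept", "categories-not-enforced"
        for cat in cats:
            cat_action = policy.get(cat, "accept")
            if SEVERITY[cat_action] > SEVERITY[action]:
                action, reason = cat_action, cat
        return action, reason


# Constructed feed and per-application policies (hypothetical).
FEED = {
    "botnet":          ["198.51.100.0/26"],
    "scanner":         ["192.0.2.64/26", "198.51.100.250/32"],
    "anonymous_proxy": ["203.0.113.0/28"],
}
POLICIES = {
    "financial-app": {"botnet": "drop", "scanner": "drop", "anonymous_proxy": "drop"},
    "custom-app":    {"botnet": "drop", "scanner": "log"},
}


def run_demo():
    """Returns ({(app, addr): (action, reason)}, decision for a botnet address after a feed refresh)."""
    intel = IpIntelligence(FEED, whitelist=("192.0.2.77/32",), blacklist=("198.51.100.250/32",))
    probes = ["198.51.100.23", "203.0.113.7", "192.0.2.77", "198.51.100.250", "192.0.2.70", "10.0.0.5"]
    decisions = {(app, ip): intel.decide(ip, pol) for app, pol in POLICIES.items() for ip in probes}
    intel.update_feed({**FEED, "botnet": []})          # next refresh: the botnet entry has aged out
    after_refresh = intel.decide("198.51.100.23", POLICIES["custom-app"])
    return decisions, after_refresh


if __name__ == "__main__":
    decisions, after = run_demo()
    for k, v in decisions.items():
        print(k, v)
    print("after refresh:", after)
```

The whitelisted scanner address and the blacklisted feed address show the two directions of override; the anonymous-proxy address shows why the per-application policy matters: the financial application drops it, the custom application has no action for that category and lets it through.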

Manageability & Visibility

Logging – generation and storage of individual security events
– Independently controlled logging for Access Control, DoS, IP Intelligence
– Log destinations & publishers consistent with the BIG-IP logging framework
– IPFIX

Reporting – visualization of security statistics
– Reporting used for visualizing traffic/attack patterns over time
– Access Control & DoS: drill-downs by context, IP, rule, etc.
– Top-N reports

Takeaway by Infonetics Research

"Traditional firewalls are designed to provide security across a wide range of protocols, but aren't designed specifically to handle the massive volume, variety, and size of threats aimed at this narrow range of protocols. Though all reputable firewalls can adequately secure the enterprise perimeter, they don't necessarily scale up to meet large data center performance requirements, and if they do it may be at a price that's hard to swallow for data center buyers."

Solutions for an application world.