F5 Unified Security Solutions Ralf Sydekum Technical Manager Central & Eastern Europe [email protected]

Upload: evelin-wingett

Post on 28-Mar-2015


Page 1: F5 Unified Security Solutions Ralf Sydekum Technical Manager Central & Eastern Europe r.sydekum@f5.com

F5 Unified Security Solutions

Ralf Sydekum

Technical Manager Central & Eastern Europe

r.sydekum@f5.com

Page 2

© F5 Networks, Inc.

Agenda

• Real Security Challenges and Attacks

• Data Center Firewall

• DoS & DDoS

• DNS Security

• Web Security

• Access Management

• Fast Vulnerability Assessment & App. Security

Page 3

The Leader in Application Delivery Networking

Diagram: Users (at home, in the office, on the road) reach the Data Center (SAP, Microsoft, Oracle) through the Application Delivery Network.

Business Goal: Achieve These Objectives in the Most Operationally Efficient Manner

Page 4

Statement - Sony Online Entertainment (http://blog.eu.playstation.com/)

• On April 16th and 17th, 2011… personal information from approximately 24.6 million SOE accounts may have been stolen: name, e-mail, login, hashed password, …

• As well as certain information from an outdated database from 2007 for 10,700 customers in the EU: name, bank account number, address, …

Page 5

Chart: Sony stock performance, Nov 2010 - Nov 2011

Page 6

What happened to WikiLeaks?

• Several companies stopped providing services to WikiLeaks, although it was not proven that WikiLeaks violated existing law

• Amazon removed all WikiLeaks content from its servers

• EveryDNS switched off DNS resolution for wikileaks.org

• Several financial institutions locked donation accounts

Page 7

Finally…

• Thousands of internet users unloaded their accumulated anger starting 7th Dec 2010

• Web servers of the Swiss PostFinance bank were down for several hours

• Credit card companies like Mastercard and VISA were not accessible for several hours a day over several days

• PayPal's transaction network was slow but not taken down completely

Page 8

WikiLeaks DDoS Attack Profile

• 3 Basic Classes of Attack

  • L7 (HTTP/Web): Slowloris
    • Creates massive concurrent sessions
    • Firewalls quickly overwhelmed
    • Server resources completely consumed

  • L4: TCP Flood/SYN Flood
    • Targets any TCP-aware device

  • L3: ICMP Flood
    • ICMP protocol attack
    • Consumes router, firewall and server resources

• BIG-IP/ASM stopped attacks!
  • Combination of core TMOS functionality, iRules and ASM (Application Security Manager)

Diagram: ICMP flood, TCP flood and Slowloris traffic arriving from the Internet; in-line components shown are the Border Router (Internet Connection), Intrusion Prevention Device, PCI Compliant Firewall and F5 BIG-IP with ASM Module.

Page 9

The Three Threat Vectors

Network Attacks, DDoS Attacks, Application Attacks

Page 10

Security Challenges

• of network traffic is encrypted, bypassing security controls

• Traditional network devices are failing under load… 3 out of 6 major firewalls failed under stability testing, and 5 out of 6 were vulnerable to a common exploit.

• Security is still expendable… 9 out of 10 IT organizations admit to sacrificing security for performance.

• Over 90% of IT administrators want… security context

• Security device sprawl is a challenging problem… IT's biggest security challenge with device sprawl is operational complexity.

• 30% Blended attacks… are overwhelming conventional security devices at the edge of the data center.

Page 11

Context leverages information about the end user to improve the interaction

• Who is the user?

• What devices are requesting access?

• When are they allowed to access?

• Where are they coming from?

• How did they navigate to the page/site?

Page 12

“Context-aware technologies will affect $96 billion of annual consumer spending worldwide by 2015. By that time, more than 15 percent of all payment card transactions will be validated using context information.”

- Gartner

Page 13

Unified Security Architecture: Traditional Approach

Diagram: separate point devices for Load Balancer, Firewall, Web App Firewall, DNS Security, Access Management and Remote Access, and DDoS Protection.

Page 14

Unified Security Architecture: F5 Approach

Diagram: one platform on TMOS (Available, Secure, Fast) with iRules, iControl and iApps. LTM security functions: Network Firewall, SSL Termination, Protocol Security, DDoS Protection, Dynamic Threat Defense. Module security: GTM (DNS), ASM (Web), APM (Access).

Page 15

Data Center Firewall

Page 16

Today: Perimeter Firewall with Load Balancer

Diagram: Internet -> Perimeter Firewall -> Load Balancer -> Data Center

Overview
• Traditional firewall
• Standalone load balancer

Limitations
• DDoS protection
• Connections
• Scale
• Device management
• Defense methods

Page 17

With BIG-IP: BIG-IP LTM with ASM as Perimeter Firewall with Load Balancer

Diagram: Internet -> BIG-IP LTM with ASM -> Data Center

Overview
• Consolidated device
• Firewall service
• Application delivery
• Web application firewall

Benefits
• Application fluency
• SSL visibility
• DDoS protection, 30+ types
• Dynamic defense methods
• Best price-to-performance class
• OWASP Top 10 protection

Page 18

Internet Datacenter Network Firewall

• F5 helps you to mitigate DDoS and flood-based attacks
• Stateful, default-deny behavior
• High concurrent connection and conn/sec capacity
• User geo-location awareness
• SSL (HW accelerated encryption/decryption)
• IPsec site to site
• Packet filtering
• Flood protection mechanisms
• Carrier Grade NAT (NAT, NAT64)

Diagram: External users on the Internet reach Data Center services (F5.com, owa.f5.com, DevCentral.F5.com, websupport.f5.com, ihealth.f5.com, downloads.F5.com) through a router and the BIG-IP network firewall, which provides SYN flood protection and many others, high concurrent connection capacity, and user geolocation security.

Page 19

Throughput

  F5 BIG-IP 11050 ($129,995):            42 Gbps
  Competitor ABC + 4 Blades ($124,000):  20 Gbps

Page 20

Connections per Second

  F5 BIG-IP 11050 ($129,995):            1M
  Competitor ABC + 4 Blades ($124,000):  175K

Page 21

Maximum Concurrent Connections

  F5 BIG-IP 11050 ($129,995):            24M
  Competitor ABC + 4 Blades ($124,000):  2.25M

Page 22

SSL Drives Platform Architecture

Industry increasingly using larger SSL keys, with increasing CPU processing requirements:

  1024-bit keys: 100% (baseline)
  2048-bit keys: 6x tougher (600%)
  4096-bit keys: 41x tougher (4100%)

Page 23

Denial of Service / Distributed Denial of Service

Page 24

Summary

• DoS = Denial of service
• DDoS = Distributed denial of service

• Layer 1
  • Cut the cable

• Layer 4 or Layer 7 DDoS
  • Thousands of attackers bring down one site

• Layer 7 DoS
  • One attacker is able to bring down one site
  • e.g. Slowloris, Slow POST

Page 25

Mitigating DoS Attacks

Protect Against: Network-based Distributed Denial of Service (DDoS)

Protect With: VIPRION, BIG-IP LTM DoS Protections
• Packet filtering
• SYN cookies (L4 DoS)
• Dynamic reaping (L4 DoS)
• TCP full proxy (L4 DoS)
• Rate shaping (L4->L7 DoS)
• iRules (e.g. SSL DoS protection)
• Very high performance
• Very large connection tables
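The slide names SYN cookies as an L4 DoS protection without saying how they keep a SYN flood from filling the connection table. The following is an added example, not F5 or BIG-IP code: a simplified Linux-style cookie layout, a constructed server secret, and constructed client addresses are assumed.

```python
"""SYN cookies, the stateless L4 defense listed above as "SYN cookies (L4 DoS)".
Added example, not F5/BIG-IP code: under a SYN flood the listener keeps no
half-open entry per SYN; it encodes a time counter, the client's MSS and a
keyed hash of the 4-tuple into the SYN-ACK sequence number and allocates
connection state only when the final ACK echoes a valid cookie."""
import hmac
import hashlib

SERVER_SECRET = b"example-only-secret"   # constructed; rotate periodically in practice
MSS_TABLE = (536, 1220, 1440, 1460)      # MSS values encodable in 2 bits
SLOT_SECONDS = 64                        # time counter granularity (Linux uses 64 s)


def _mac24(src, sport, dst, dport, counter):
    """24-bit keyed hash binding the cookie to one 4-tuple and one time slot."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, sport, dst, dport, mss, now):
    """Initial sequence number for the SYN-ACK. 32-bit layout (Linux-style):
    5 bits time counter | 3 bits MSS index | 24 bits MAC."""
    counter = int(now) // SLOT_SECONDS
    # round the advertised MSS down to the largest encodable value
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((counter & 0x1F) << 27) | (idx << 24) | _mac24(src, sport, dst, dport, counter)


def check_cookie(src, sport, dst, dport, ack, now, max_age_slots=2):
    """Validate the cookie echoed in the client's ACK (cookie = ack - 1).
    Returns the MSS to use for the connection, or None when the cookie was
    forged, replayed from a different 4-tuple, or is older than the window."""
    cookie = (ack - 1) & 0xFFFFFFFF
    tbits, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = int(now) // SLOT_SECONDS
    for age in range(max_age_slots + 1):           # tolerate slow clients
        cand = current - age
        if (cand & 0x1F) != tbits:
            continue
        expected = _mac24(src, sport, dst, dport, cand)
        if hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None
    return None


if __name__ == "__main__":
    # one honest client (constructed address) completing the handshake 30 s later
    isn = make_cookie("192.0.2.7", 51515, "10.0.0.1", 443, 1460, 100_000)
    print("established, MSS", check_cookie("192.0.2.7", 51515, "10.0.0.1", 443, isn + 1, 100_030))
```

Spoofed SYNs from a flood cost the server only a SYN-ACK, since nothing is stored until a valid cookie returns; the price is that TCP options not encoded in the cookie are lost for those connections.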

Page 26

DNS Security Use Case

Page 27

DNS Attacks Are Common

Page 28

DNS is Vulnerable to Attacks

• Multiple DNS attacks: DDoS, cache poisoning, man-in-the-middle
• Application timeouts (401 errors)
• Lost customers, lost productivity
• Loss of revenue and brand equity

Diagram: Clients -> LDNS -> Data Center DNS servers for www.company.com

Page 29

Complete DNS Protection: BIG-IP Global Traffic Manager

• High performance DNS - multicore GTM
• Scalable DNS - DNS Express
• Malformed UDP packets are dropped
• Spread the load across devices - IP Anycast
• Secure DNS queries - DNSSEC
• Route based on nearest data center - Geolocation
• Complete DNS control with DNS iRules

Diagram: Clients -> LDNS -> DNS Firewall Services in front of the company.com Data Center

Page 30

The Value of Complete DNS / Web Solution

• Complete DNS control
• Secure DNS query responses
• Route based on geolocation
• Denial of Service mitigation
• Scalable 10x, 70%
• Support client requests and consolidate IT
• IPv6 to IPv4

(Diagram label: Access Denied: http://f5.com)

Page 31

Web Security Services

Page 32

Security Vulnerabilities in Web Applications

Perimeter security is strong, but is open to web traffic on port 80 and port 443. Attacks now look to exploit application vulnerabilities:

• Forceful browsing
• Cross-site scripting
• Cookie poisoning
• SQL/OS injection
• Hidden-field manipulation
• Parameter tampering
• Buffer overflow
• Brute force attacks
• Layer 7 DoS
• Web scraping
• CSRF
• Viruses

High information density = high-value attack. Exposures: infrastructural intelligence, non-compliant information, forced access to information.

Page 33

Deploy ASM Policies without False Positives

• Predefined policy templates
  • Pre-configured security policies

• Learning mode
  • Automatic or manual

• Web application scanner integration
  • IBM Rational AppScan
  • QualysGuard Web App. Scanning
  • Cenzic Hailstorm
  • WhiteHat Sentinel

• Gradual deployment
  • Transparent / semi-transparent / full blocking

Page 34

Web Application Scanner and BIG-IP Application Security Manager

Web Application Scanner (scans the customer website)
• Finds a vulnerability
• Virtual patching with one click on BIG-IP ASM

BIG-IP Application Security Manager
• Verify, assess, resolve and retest in one UI
• Automatic or manual creation of policies
• Discovery and remediation in minutes
• Vulnerability checking, detection and remediation
• Complete website protection

Page 35

Free Cenzic Cloud Scans with ASM in v11.2: Find Vulnerabilities and Reduce Exposure

• 3 free application scans directly from the ASM/VE UI
• No time limits once signed up
• Free scans are limited health check services

F5 Free Cenzic Cloud scan tests for:

1. Cross-Site Scripting
2. Application Exception
3. SQL Injection
4. Open Redirect
5. Password Auto-Complete
6. Credit Card Disclosure
7. Non-SSL Password
8. Check HTTP Methods
9. Basic Auth over HTTP
10. Directory Browsing

Page 36

IP Intelligence: Identify and allow or block IP addresses with malicious activity

• Use IP intelligence to defend against attacks
• Reduce operational and capital expenses
• IP address feed updates every 5 min

Diagram: the BIG-IP System, fed by the IP Intelligence Service and a geolocation database, sits in front of a financial application and a custom application; sources of anonymous or malicious requests shown are anonymous proxies, scanners, a botnet, an attacker, and internally infected devices and servers.

Page 37

IP Intelligence: How it works

• Fast IP update of malicious activity
• Global sensors capture IP behaviors
• Threat correlation reviews / blocks / releases

Key threats: web attacks, reputation, Windows exploits, botnets, scanners, network attacks, DNS

Sensor techniques: semi-open proxy farms, exploit honeypots, naïve user simulation, web app honeypots, third-party sources

Diagram: Internet -> IP Intelligence Service (threat correlation) -> dynamic threat IPs pushed to the BIG-IP System every 5 min.

Page 38

Graphical Reporting: detailed chart path of threats in ASM

Page 39

Web Access Management

Page 40

Context = Access Control: BIG-IP Access Policy Manager

Manage Access Based on Identity

• Unify access control
• Authentication and authorization
• Single sign-on
• Powerful custom and built-in reporting
• Access and application analytics

Page 41

Enable Simplified Application Access with BIG-IP Access Policy Manager (APM)

Page 42

Control Access of Endpoints: Ensure Strong Endpoint Security (BIG-IP APM)

Allow, deny, or remediate users based on endpoint attributes such as:
• Client or machine certificates
• Antivirus software version and updates
• Software firewall status

Invoke protected workspace for unmanaged devices:
• Access to specific applications
• Restrict USB access
• Cache cleaner leaves no trace
• Ensure no malware enters the corporate network

Page 43

Authentication All in One and Fast SSO: F5 BIG-IP Access Policy Manager

Dramatically reduce infrastructure costs; increase productivity

Page 44

App Security with BIG-IP ASM and APM

• APM offers authentication and authorization; APM stops unauthorized requests (unauthorised access)
• ASM allows legitimate requests; ASM stops bad requests / responses (illegal requests, non-compliant information, infrastructural intelligence)

Reduces the attack vector because only authenticated, authorized and legal requests are permitted to the relevant application servers.

Diagram: Browser -> BIG-IP (APM, ASM) -> Applications

Page 45

Summary – F5 Unified Security

Page 46

© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS, and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries