New generation of security solutions for Service Providers
Grzegorz Kornacki – F5 Field Systems Engineer
Krystian Baniak – Infradata Senior Security Consultant

Post on 31-Mar-2018



© F5 Networks, Inc 2

The security environment is also challenging

Explosive data growth
• Worldwide mobile data to grow 13 times by 2018
• Total mobile subscriptions to reach 9.1 billion by 2018

Security attacks
• A DDoS attack occurs on the web every 2 minutes
• Attacks over 10 Gbps have increased nearly 50%

Network innovation
• 213 4G LTE networks have launched in 81 countries
• More than 50% of leading operators plan to deploy SDN and NFV by 2014

New VAS services
• 40% of global YouTube traffic is mobile, up from 6% in 2011
• Facebook has over 800 million monthly mobile users, up 150% since 2011

Evolving threats to mobile networks

Device
• Battery drain attacks
• Mobile malware and bots

Network
• RAN resource exhaustion
• Revenue leakage—weak APN controls
• Terms and conditions violations

Application
• Server-side malware
• Application DDoS

Diagram elements: PCRF, HSS, MRF, CSCF, SGW, MME, PCEF, Subscribers, Hacker, eNodeB

Problem with security in the network

No comprehensive security solution

Point products in the diagram: data center firewall, DNS security, network DDoS protection, S/Gi firewall, Diameter security, load balancing, application DDoS protection (supplied by Vendor A, Vendor B, Vendor C, Vendor A, Vendor D, Vendor E, Vendor F)

Easy to have 5 or more different vendors with point products to provide security across the network

Consequences of complexity
• Significantly higher cost structure
• Lower network quality
• Significantly more time and resources to deploy
• Lower customer satisfaction
• Damaged brand reputation

Key security needs
• Data center firewall
• S/Gi network firewall
• DNS security
• Diameter signaling protection
• Site-to-site VPN traffic protection
• Market-leading ADC

Dynamic multi-layered security at industry-leading scale and performance to simplify and reduce costs

F5 can help: with dynamic multi-layered security solutions for the device, network, and data center

Diagram elements: Mobile Users, Fixed Users, Applications/Enterprise, Data Center, Internet/Cloud

Security functions: S/Gi Firewall, DDoS Mitigation, DNS Security, Data Center Firewall, Application Firewall, Diameter Security

Platform attributes: Application Visibility, Full Proxy, Massive Scalability, 30+ DDoS Vectors, Unified Platform, Dynamic and Flexible, NFV Ready, Centralized Management

Security for Service Providers: Customer Scenarios, Core Functionality, Professional Services and Support

Platform consolidation: happening now

Network function consolidation

2005–2010, L2–L3
• Dedicated platforms, different vendors: L2 switching, MPLS L2 PE, L3 routing, MPLS L3 PE, BRAS/BNG
• Single platform, L2–L3 consolidation: multi-service router (IP routing, MPLS L2 PE, MPLS L3 PE, BRAS/BNG)

2010–2014, L4–L7
• Dedicated platforms, different vendors: Full Proxy (TCP opt, HHE), Firewall, L3/L4 Steering, Policy Enforcement, CGNAT
• Unified platform, L4–L7 consolidation: TCP OPTIM, DPI/PCEF, L7 STEERING, FW/CGN, HTTP HE

F5 Network Services

A unified platform and single management framework
• Intelligent traffic management
• CGNAT and IPv6 migration
• ICSA certified network firewall
• Policy enforcement
• Header enrichment and TCP optimization
• Local DNS
• URL filtering

F5 can help: with dynamic multi-layered security solutions for the device, network, and data center

iRules extensibility everywhere

Products

Advanced Firewall Manager
• Stateful full-proxy firewall
• On-box logging and reporting
• Native TCP, SSL and HTTP proxies
• Network and Session anti-DDoS

Access Policy Manager
• Dynamic, identity-based access control
• Simplified authentication, consolidated infrastructure
• Strong endpoint security and secure remote access
• High performance and scalability

Local Traffic Manager
• #1 application delivery controller
• Application fluency
• App-specific health monitoring

Application Security Manager
• Leading web application firewall
• PCI compliance
• Virtual patching for vulnerabilities
• HTTP anti-DDoS
• IP protection

Global Traffic Manager and DNSSEC
• Huge scale DNS solution
• Global server load balancing
• Signed DNS responses
• Offload DNS crypto

Capability labels: ICSA-certified firewall, application delivery controller, application security, access control, DDoS mitigation, SSL inspection, DNS security

Key F5 capability details

Massive scalability, capacity, and performance
• 640 Gbps throughput
• 288 million concurrent sessions
• 8 million connections per second

Dedicated hardware and software-enabled virtual editions
• Portfolio of appliances and chassis
• Software-enabled virtual editions
• F5 ScaleN vertical and horizontal scaling

Unified platform and management
• Any service on any blade or virtual editions that are software-enabled
• BIG-IQ platform: intuitive, flexible, and scalable services management

SDN- and NFV-ready
• Virtual editions
• Unmatched hypervisor support
• Open APIs
• Abstraction

Full-proxy architecture
• L4-L7 visibility and control
• Terminate, inspect, and manipulate sessions
• Per-subscriber and per-application control

Extensibility and flexibility with iRules/iControl
• iRules scripting language to customize traffic policies and control
• iControl open API to integrate to third-party systems for orchestration
• 130,000+ developer community

Question 1: What is the maximum Packets per second a 1 Gbit/s link can handle?

Answer: ~1,488,096 packets per second per Gbit link

Question 1: What is the maximum Packets per second a 1 Gbit/s link can handle?

1,000,000,000 b/s / (84 B × 8 b/B) = 1,488,096 f/s (maximum rate)

Frame part                  | Minimum frame size
Inter Frame Gap (9.6 µs)    | 12 bytes
MAC Preamble (+ SFD)        | 8 bytes
MAC Destination Address     | 6 bytes
MAC Source Address          | 6 bytes
MAC Type (or length)        | 2 bytes
Payload (Network PDU)       | 46 bytes
Check Sequence (CRC)        | 4 bytes
Total Frame Physical Size   | 84 bytes

Question 2: What is the maximum CPS that can be established via a 1 Gig link?

Answer: ~1,488,096 connections per second, because every packet can be a connection establishment (SYN packet, first UDP packet in a flow)
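Worked example for Questions 1 and 2 (added here; it is not code from the original slides): it sums the wire cost of a minimum-size Ethernet frame from the table above, derives the frame ceiling of a link, and reuses that as the worst-case connection-attempt ceiling, since every frame can carry a SYN or a first UDP datagram. The exact quotient for 1 Gbit/s is 1,000,000,000 / 672 = 1,488,095.24, so the function floors to 1,488,095 (the slide rounds up to 1,488,096); the helper relating a firewall's CPS rating to line-rate SYN traffic is an assumption added for illustration.

```python
import math

# Minimum-size Ethernet frame as it occupies the medium, per the slide's table
# (gap and preamble included: they consume bit times even though they are not data).
MIN_FRAME_ON_WIRE = {
    "inter_frame_gap": 12,
    "preamble_and_sfd": 8,
    "dst_mac": 6,
    "src_mac": 6,
    "ethertype_or_length": 2,
    "payload": 46,      # minimum network PDU
    "fcs": 4,
}
BITS_PER_BYTE = 8


def wire_bytes_per_frame(parts=MIN_FRAME_ON_WIRE):
    """Total bytes one frame costs on the wire, gap and preamble included."""
    return sum(parts.values())


def max_frames_per_second(link_bps, frame_bytes=None):
    """Upper bound on frames (hence packets) per second for a link.

    Every frame, however small, costs at least frame_bytes * 8 bit times,
    so the ceiling is link_bps / (frame_bytes * 8); partial frames are not
    sent, hence the floor.
    """
    if frame_bytes is None:
        frame_bytes = wire_bytes_per_frame()
    return math.floor(link_bps / (frame_bytes * BITS_PER_BYTE))


def max_connections_per_second(link_bps):
    """Worst case from Question 2: each minimum-size frame may be a TCP SYN or
    the first UDP datagram of a flow, so the CPS ceiling equals the frame ceiling."""
    return max_frames_per_second(link_bps)


def syn_flood_headroom_links(cps_rating, link_bps=1_000_000_000):
    """Assumed helper: how many links of line-rate connection attempts a
    firewall rated at cps_rating connections/s can absorb before its rating
    is exceeded (fractional result, for sizing discussions)."""
    return cps_rating / max_connections_per_second(link_bps)


if __name__ == "__main__":
    gig = 1_000_000_000
    print("wire bytes per frame:", wire_bytes_per_frame())        # 84
    print("max frames/s on 1G:", max_frames_per_second(gig))       # 1488095
    print("max CPS on 1G:", max_connections_per_second(gig))       # 1488095
    print("8M CPS ~ 1G links of SYNs:", syn_flood_headroom_links(8_000_000))
```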

Question 3: What is the maximum CPS F5 Firewall can handle?

Chart (connections per second, millions): Juniper (SRX 5800), Cisco (ASA 5585-X), Check Point (61000): 350k, 400k, 600k; F5 (VIPRION 4800): 8M (21x)

Extending the intelligent services framework: TMOS programmability

iRules
Intercept, inspect, transform, direct, and make decisions based on inbound and outbound application traffic.
• 79% of F5 customers deploy iRules on production BIG-IP devices.
• iRules contain ~600 application traffic management commands

iApps
Define and tie all related application availability, security, and optimization services to the application. Deploy these services with optimum, application-specific configurations in only a few minutes.
• 84% faster deploy time
• 90% accuracy of configuration

iControl
• Over 5,500 management API calls

Dev Central: A community of 105,000+ developers in 191 countries publishing and engaging in real-time app delivery solutions. You never have to wait for us.

Agenda
• SP Firewall scenario (F5 AFM)
• Web Application Firewall scenario (F5 ASM)

New Generation Security Solutions for SP: Practical Presentation

Practical Scenario

Lab architecture
• F5 VE 11.5.0: AFM/ASM/LTM
• F5 VE 11.5.0: BIG-IQ Orchestrator
• Client
• Server hosting Web Applications (Hack-It)

Roles: Web Application Team, Security Team
Tasks: Configure LTM, Security Requirements, WAF policy, Configure AFM/ASM

Spotlight: Operation Ababil – September 2012

Izz ad-din al Quassam CyberFighters
• DDoS attacks on Bank of America, NYSE, Wells Fargo, PNC, Chase, SunTrust, Capital One and others.
• Peak attacks 75G, including mix of layer 3, 4, 5 and 7 attacks.
• Anti-DDoS scrubbers used for network attacks. F5 for Layer 7.
• The CyberFighters appeared to have performed extensive network reconnaissance on data centers for each of the targets.
• Network reconnaissance likely included timing information on all available links and database queries.

Consolidating mobile policy and security: use case

Protection for networks and applications. Fewer devices translates to lower latency for subscribers. Consolidation of firewall, application security, and traffic management.

Before F5 (separate devices): Load Balancer, Firewall, DNS Security, Network DDoS, Load Balancer & SSL, Application DDoS, Web Application Firewall, Web Access Management
With F5: the same functions consolidated on one platform

Chain is as strong as its weakest link


Take a phased approach to this architecture: examples

Example tracks: DNS Security at Scale; S/Gi Network Security at Scale; DDoS Protection in Data Center

Phase sequences (immediate pain point first, then implementation phases, ending at the next-gen network):
• 1 DC FW, 2 DNS, 3 S/Gi FW, 4 NFV, 5 HE
• 1 S/Gi FW, 2 CGNAT, 3 NFV, 4 DNS
• 1 DNS, 2 S/Gi FW, 3 NFV, 4 CGNAT

F5 provides you with unmatched flexibility and extensibility that future-proofs your network