security - westcon-comstornz.westcon.com/documents/40583/security solutions brochure .pdf · with...


Upload: hoangkien

Post on 31-Mar-2018


Security

Protect your network and applications, improve user access, optimize performance, and reduce management complexity.

F5 SOLUTION GUIDE


FEATURES

· Guard against intrusions and protect sensitive data
· Simplify access control, application security, and compliance management
· Increase productivity with automatic access and higher performance
· Lower costs through consolidation and streamlined security management


F5 Security Solutions: Flexible, Efficient, Cost-Effective

Keeping your network secure, fast, and available is crucial for business success. Security breaches can result in lost productivity, missed opportunities, and higher costs for your organization. These harmful situations can also damage your organization’s reputation and deteriorate customer trust.

With F5 security solutions, you can provide secure remote access, protect email, and simplify web access control, all while enhancing network and application performance. Your organization will have the tailored security it needs, and your users will enjoy the reliable, flexible access they demand.


Network Security

Protect the network-based applications that power your business

THE CHALLENGE

Many network-level security threats are directly related to the improper use of the same protocols your applications depend on to transmit data over the wire. To secure your applications, you can try to trace and patch apparent vulnerabilities. You can also deploy point solutions whose sole purpose is to protect applications, but which do nothing to enhance performance or simplify control.

KEY BENEFITS

· Mitigate malicious attacks while supporting legitimate users
· Prevent sensitive information and communications from being compromised
· Boost productivity with highly available applications


THE SOLUTION

The F5® BIG-IP® Local Traffic Manager™ (LTM) Application Delivery Controller helps you secure your network-based applications and your data, while providing a strategic point of control and elevating application performance. From powerful network- and protocol-level security to application attack filtering, BIG-IP LTM offers a suite of security services to protect your business applications.

BIG-IP LTM acts as a security proxy to guard against network-based SYN floods and other network denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, and it provides controls to define and enforce L4 based filtering rules to improve network protection.

With industry-leading encryption, BIG-IP LTM also enables you to selectively encrypt data to secure and optimize your organization’s communications. With support for advanced encryption standard algorithms, using the most powerful Secure Sockets Layer (SSL) encryption available, bit encryption, and 4096 key lengths, BIG-IP LTM is the gatekeeper to your business-critical resources. BIG-IP LTM is available on a flexible, multi-solution appliance platform or as a virtual edition.

FIG. 1: BIG-IP Local Traffic Manager enables high availability and protects against network-based attacks via a physical platform or virtual edition.


Web Access Management

Provide access to networks and applications while ensuring security

THE CHALLENGE

Providing access to networks and applications is essential to increasing worker productivity and delivering valuable customer services. To provide users with easy access to essential web applications such as time-tracking software for employees or Internet browsing access for hotel guests, many organizations create minimum security networks. While these systems may automatically log users’ IP addresses, this is no failsafe determination of identity, and surely no guarantee of security.

Network administrators need more visibility and control over the increasing number of users accessing applications over the network. However, this requirement can add complexity to your IT infrastructure and prove difficult and expensive to scale.

KEY BENEFITS

· Drive identity and dynamic access control into your network
· Ensure strong endpoint security
· Simplify authentication, consolidate infrastructure, and reduce costs
· Deliver high performance, scalability, and flexibility


THE SOLUTION

BIG-IP® Access Policy Manager™ (APM) is a flexible, high-performance access and security solution that provides policy-based, context-aware access to users while simplifying authentication, authorization, and accounting (AAA) management. With AAA control directly on the BIG-IP system, you can consolidate your access infrastructure, reduce authentication and authorization costs, and support thousands of users simultaneously while delivering hundreds of logins per second. BIG-IP APM is available as a product module on the flexible, multi-solution BIG-IP LTM and BIG-IP LTM Virtual Edition platforms.

FIG. 2: The BIG-IP Visual Policy Editor facilitates the creation of access policies


Application Security

Achieve regulatory compliance with high performance

THE CHALLENGE

As more application traffic moves over the web, sensitive data is exposed to attacks that target vulnerabilities in enterprise applications. The resulting financial hit—from recovery processes, legal fees, and loss to intellectual data—can be significant. Many administrators think their networks are safe because they have firewalls in place, but hackers are more likely to attack the application layer, where greater vulnerability exists.

Recent studies show:

· 75 percent of hacks happen at the application layer [1]
· 96.85 percent of websites have vulnerabilities that present immediate risk of attack [2]
· Once a breach occurs, the total average cost of a data breach is $202 per record compromised and $225 for malicious insiders or former workers [3]

KEY BENEFITS

· Improve security while reducing the cost of compliance
· Ensure application availability and boost performance
· Get out-of-the-box application security policies with minimal configuration
· Handle changing threats with greater agility


THE SOLUTION

BIG-IP® Application Security Manager™ (ASM) is an advanced web application firewall that significantly reduces and mitigates the risk of loss or damage to data, intellectual property, and web applications. BIG-IP ASM provides unmatched application and website attack protection–such as protection from the latest web threats like layer 7 DDoS. In addition, BIG-IP ASM gives you a complete attack expert system, and it ensures compliance for key regulatory mandates.

With BIG-IP ASM, your organization benefits from a complete solution that reduces the need for multiple appliances, lowers maintenance and management costs, and increases the confidentiality, availability, and integrity of your critical business applications and processes. BIG-IP ASM is available as a product module on the flexible, multi-solution BIG-IP LTM platform or as a standalone device.

FIG. 3: BIG-IP ASM provides comprehensive web application attack protection

[1] Theresa Lanowitz, Gartner Inc., Security at the Application Level, http://www.gartner.com/DisplayDocument?ref=g_search&id=487227 (December 2005)

[2] Web Application Security Consortium, http://www.webappsec.org/projects/statistics/ (2008)

[3] Robert Westervelt, Data breach costs continue to rise in 2009, Ponemon study finds, http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1379486,00.html (January 2010)


Protocol Enforcement Services

Powerful BIG-IP security services for HTTP(s), SMTP, and FTP

THE CHALLENGE

If your environment requires more than layer 3 and layer 4 inspection services, the expertise and management you need to deploy a full-featured web application firewall might not be available.

As an alternative, protocol security services provide powerful protection for HTTP(s), SMTP, and FTP protocols and configuration is minimal.

KEY BENEFITS

· Broad protection from HTTP attacks
· Spam-blocking SMTP security
· Centralized FTP security management


THE SOLUTION

BIG-IP® Protocol Security Module™ (PSM) is aptly suited for environments that require inspection services, where the overhead needed to deploy a full-featured web application firewall isn’t available, or there is a need to secure other protocols. Protocol enforcement services can be implemented on a per-virtual-server basis and configured within a matter of minutes. By enforcing protocol checks for HTTP(s), FTP, and SMTP, this service prevents attacks that use protocol manipulation techniques.

FIG. 4: BIG-IP Protocol Security Module provides powerful security services for HTTP(s), SMTP, and FTP protocols


Accelerated Remote Access

Deliver secure and accelerated remote access to applications

THE CHALLENGE

IT departments must support ever-increasing numbers of mobile workers. Ensuring that these users have secure and seamless access to applications and data from different devices and locations becomes increasingly challenging. IT departments might deploy point solutions from different vendors to promote access, acceleration, and optimization.

But as the number of users grows, this siloed approach proves complex, inflexible, and difficult to manage. It also becomes increasingly difficult to prevent unauthorized access and attacks, as new threats are continually evolving. This costly, error-prone environment inhibits successful remote access and hinders business growth.

KEY BENEFITS

· Gain superior scalability for a growing mobile workforce
· Improve manageability and reduce costs
· Accelerate application performance through network optimization
· Increase productivity with anywhere client access
· Ensure security with strong endpoint protection and granular access control


THE SOLUTION

BIG-IP® Edge Gateway™ is an enterprise access solution that brings together SSL virtual private network (VPN) remote access, security, application acceleration, and availability services for remote users. BIG-IP Edge Gateway drives identity into the network to provide context-aware, policy-controlled, secure remote access to applications at LAN speed.

As the industry’s most secure and accelerated access solution, BIG-IP Edge Gateway can help your organization deliver peak performance levels to users accessing the applications and networks that are critical to your business. With BIG-IP Edge Gateway, customers easily deliver accelerated remote access to enterprise applications and data for users over any network or mobile device (including Apple iPhone, Apple iPad, Android, Windows Mobile, and Windows Phone devices).

FIG. 5: BIG-IP Edge Gateway unifies access services on a single, easy-to-manage, and optimized network device


DNS Security

Streamline DNSSEC and ensure high availability for globally distributed applications

THE CHALLENGE

Domain Name System (DNS) provides one of the most basic but critical functions on the Internet. If DNS isn’t working, then it’s likely your business isn’t working either. DNS cache poisoning and other DNS attacks can compromise local DNS servers and make it possible for hackers to hijack DNS responses, redirect clients to malicious sites, and access private information. Secure your business and web presence with Domain Name System Security (DNSSEC).

KEY BENEFITS

· Strong DNS security
· Compliance with government DNSSEC regulations
· Optional FIPS key security
· Simplified implementation and reduced management costs through network optimization
· High availability and performance


THE SOLUTION

BIG-IP® Global Traffic Manager™ (GTM) with the DNSSEC feature provides the following:

· Origin authentication of DNS data. Resolvers can verify that data has originated from authoritative sources.
· Data integrity. Resolvers can verify that responses are not modified in flight.
· Authenticated denial of existence. When there is no data for a query, authoritative servers can provide a response that proves no data exists.

DNSSEC from F5 ensures that the answer your customers receive when asking for name resolution comes from a trusted name server. Implementing the BIG-IP GTM DNSSEC feature can greatly enhance your DNS security. BIG-IP GTM helps you comply with federal DNSSEC mandates and protects your valuable domain name and web properties from rogue servers sending invalid responses.

F5 takes the only approach to DNS security that enables organizations to deploy DNSSEC quickly and easily into an existing global server load balancing environment. BIG-IP GTM with the DNSSEC feature provides a scalable, manageable, and secure DNS infrastructure that is equipped to withstand DNS attacks.

FIG. 6: BIG-IP Global Traffic Manager with the DNSSEC feature enables secure and dynamic DNS responses


Protection for Enterprise Email

Extend protection for enterprise email to the edge of the corporate network

THE CHALLENGE

Each unwanted email message that crosses your organization’s corporate gateway consumes costly bandwidth and server resources, and can be a potential threat to security. When system capacity is strained, and security threats increase, it becomes harder for IT departments to ensure business continuity. Organizations often react by adding additional mail security gateways, firewalls, and mail servers to the infrastructure, and paying for more bandwidth to keep pace with email volume. For these reasons, keeping messaging costs within budget is challenging.

KEY BENEFITS

· Drastically reduce unwanted email and spam—by as much as 70 percent
· Base policies on real-time lookup of sender reputation
· Reduce overall infrastructure costs


THE SOLUTION

The BIG-IP® Message Security Module™ (MSM) is a network-edge solution that adds security intelligence to manage and filter inbound email traffic by considering the sender’s reputation when making traffic management decisions. BIG-IP MSM is the industry’s first reputation-based, network edge security module.

BIG-IP MSM takes advantage of data from Secure Computing’s TrustedSource multi-identity reputation engine to extend protection for enterprise email to the edge of the corporate network. The solution gives organizations an extremely powerful and efficient tool for dealing with a growing volume of unwanted email.

FIG. 7: BIG-IP MSM solves message security concerns by identifying spam using IP reputation


LEARN MORE

To learn more about F5 security solutions, search for the following product and solutions pages on f5.com.

BIG-IP Local Traffic Manager

BIG-IP Access Policy Manager

BIG-IP Application Security Manager

BIG-IP Protocol Security Module

BIG-IP Edge Gateway

BIG-IP Global Traffic Manager

DNS Security (DNSSEC) Solutions

BIG-IP Message Security Module

"All in all, we can now offer customers a highly reliable and secure web platform, which is an important factor for future success."

– Steven Opstaele, Chief Infrastructure Architect at NorthgateArinso


F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com

All other product and company names herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed.

© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS, and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. CS18-00007 0211