BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja?

Transcription

1 BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja? Tarmo Mamers Heigo Mansberg

2 Network Firewall Imagery stackexchange.com

3 Network Firewall Functions

4 Network Firewall Traffic OUTSIDE INSIDE INBOUND TRAFFIC OUTBOUND TRAFFIC Imagery stackexchange.com

5 Separately Located Segments Imagery stackexchange.com

6 Outbound Traffic Imagery stackexchange.com

7 Inbound Traffic Imagery stackexchange.com

8 Users vs Applications Network firewall Application firewall Secures users Secures applications Imagery F5 Networks

9 Network Firewall Functions

10 BIG-IP LTM Network D/DoS Firewall Application D/DoS Load Balancer SSL Offload Web Application Firewall DNS Security Imagery F5 Networks

11 BIG-IP LTM+ASM Network D/DoS Firewall Application D/DoS Load Balancer SSL Offload Web Application Firewall DNS Security Imagery F5 Networks

12 BIG-IP LTM+ASM+AFM Network D/DoS Firewall Application D/DoS Load Balancer SSL Offload Web Application Firewall DNS Security Imagery F5 Networks

13 BIG-IP Full-Proxy Architecture ASM ASM Slowloris attack XSS HTTP HTTP Data leakage SSL renegotiation SYN flood ICMP flood SSL TCP SSL TCP AFM Imagery F5 Networks

14 AFM & Attacks Increasing difficulty of attack detection Physical (1) Data Link (2) Network (3) Transport (4) Session (5) Presentation (6) Application (7) Network attacks Session attacks Application attacks F5 mitigation technologies SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks BIG-IP AFM SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation BIG-IP LTM and DNS High-scale performance, DNS Express, SSL termination, irules, SSL renegotiation validation Slowloris, Slow Post, HashDos, GET Floods BIG-IP ASM Positive and negative policy reinforcement, irules, full proxy for HTTP, server performance anomaly detection F5 Mitigation Technologies Imagery F5 Networks

15 AFM Features Access Control Policy DDoS Detection & Attack Mitigation Dynamic Endpoint Enforcement Manageability & Visibility

16 Access Control Policy Rule Lists Grouping of rules Global rules that can be used anywhere in the policy Can be referenced in multiple policies on multiple firewalls Flow Classification Criteria Time Based Protocol Source Address:Port Source VLAN Destination Address:Port GeoLocation (Country+Region) User/Group ID (11.6) Primary Actions Drop: Silently Discard Reject: Drop and Inform Sender Accept: Permit Accept Decisively: Permit and skip processing at subsequent contexts Other Actions Fire irule irule Sampling (11.6) Log Hit Count Last Hit Timestamp Overlapping Rule Detection Redundant Rule Detection Configurable Default Action Imagery F5 Networks

17 Policy Staging Staged Policy Enforced Policy Counting & logging only, to provide data about what will happen if the policy is enforced No impact to live traffic, but still you get insight into your newly created policy Firewall that enforces policy as usual Imagery F5 Networks

18 Contexts Global Global R1 R2 Route Domain Mail WWW- Staging WWW- Prod WWW- Prod Mail WWW- Test Imagery F5 Networks Virtual

19 DOS Detection & Mitigation Flood ARP Flood DNS Response Flood Ethernet Broadcast Packet Ethernet Multicast Packet ICMP Flood IPV6 Fragment Flood IP Fragment Flood Routing Header Type 0 TCP ACK Flood TCP RST Flood TCP SYN ACK Flood TCP SYN Flood UDP Flood Single Endpoint Flooder Single Endpoint Sweeper Fragmentation ICMP Fragment IPV6 Fragment IPV6 Fragment Overlap IPV6 Fragment Too Small IP Fragment IP Fragment Overlap IP Fragment Too Small Bad Header IPv4 Bad IP Option Bad IP TTL Value Bad IP Version Header Length > L2 Length Header Length Too Short IP Error Checksum IP Length > L2 Length IP Option Frames IP Source Address == Destination Address L2 Length >> IP Length No L4 TTL <= 1 Bad Header IPv6 Bad IPV6 Hop Count Bad IPV6 Version IPV6 Extended Header Frames IPV6 Length > L2 Length IPV6 Source Address == Destination Address Payload Length < L2 Length Too Many Extended Headers No L4 (Extended Headers Go To Or Past End of Frame) Other Host Unreachable TIDCMP Bad Header L2 Ethernet MAC Source Address == Destination Address Bad Header TCP Bad TCP Checksum Bad TCP Flags (All Cleared and SEQ# == 0) Bad TCP Flags (All Flags Set) FIN Only Set Option Present With Illegal Length SYN && FIN Set TCP Header Length > L2 Length TCP Header Length Too Short (Length < 5) TCP LAND TCP Option Overruns TCP Header Unknown TCP Option Type Bad Header UDP Bad UDP Checksum UDP LAND Bad UDP Header (UDP Length > IP Length or L2 Length) Bad Header ICMP Bad ICMP Frame ICMP Frame Too Large

20 Dynamic Endpoint Visibility Attacker Botnet Restricted region or country IP intelligence service IP address feed updates every 5 min Custom application Anonymous requests Financial application Anonymous proxies Scanner IP Intelligence Service (Webroot) Geolocation database Custom Dynamic IP Whitelist & Blacklist Internally infected devices and servers Imagery F5 Networks

21 IP Intelligence Imagery F5 Networks

22 Manageability & Visibility Logging Generation and Storage of Individual Security Events Independently controlled Logging for Access Control, DoS, IP-Intel Log Destinations & Publishers consistent with BigIP logging framework IPFIX Reporting Visualization of Security Statistics Reporting used for Visualizing Traffic/Attack Patterns over time Access-Control & DoS: Drill-Downs by contexts, IP, Rule, etc. Top-N reports Imagery F5 Networks

23 Takeaway by Infonetics Research Traditional firewalls are designed to provide security across a wide range of protocols, but aren t designed specifically to handle themassive volume, variety, and size of threats aimed at this narrow range of protocols. Though all reputable firewalls can adequately secure the enterprise perimeter, they don t necessarily scale up to meet large data center performance requirements, and if they do it may be at aprice that s hard to swallow for data center buyers.

24 Solutions for an application world.