Ihr Standort bleibt erreichbar. Ihre Applikation bleiben erreichbar - Hybride Security-Lösungen für moderne Rechenzentren

Transcription

1 Ihr Standort bleibt erreichbar. Ihre Applikation bleiben erreichbar - Hybride Security-Lösungen für moderne Rechenzentren DDoS Abwehr auf allen Ebenen Olaf Dupont Distribution Manager DACH o.dupont@f5.com

2 Contents DDoS market view The F5 DDoS Reference Architecture solution Key components in the F5 solution Building an F5 DDoS solution Bill of Materials Competitive Overview Summary

3 DDoS Protection Market Brief There are several key drivers that are influencing the DDoS Protection market: DDoS attacks are increasing in frequency DDoS attacks are increasing in size DoS attack are increasing in sophistication Customers have a variety of DDoS Protection solutions to choose from: Carriers and CDN s On-Premise Customer Premise Equipment (CPE) Cloud-based Services

4 More sophisticated attacks are multi-layer Application SSL DNS Network F5 Networks, Inc 4

5 Cyber-attacks in the News for 2014 Sampling of 2014 security incidents by attack type, time and impact conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses Size of circle estimates relative impact of incident in terms of cost to business IBM X-Force Threat Intelligence Quarterly - 1Q 2015 F5 Networks, Inc 5

6 Cyber-attacks in the News for 2014 Sampling of 2014 security incidents by attack type, time and impact F5 Networks, Inc 6

7 The business impact of DDoS The business impact of DDoS Cost of corrective action Reputation management F5 Networks, Inc 7

8 Sipgate DDoS in Deutschland Wie hoch war der Schaden? Der Schaden für unsere Kunden war erheblich. Fast alle Kunden waren kurzzeitig nicht erreichbar und das teilweise sogar mehrfach. Das war für Privatkunden auf jeden Fall unangenehm, aber für unsere Business-Kunden teilweise existenzbedrohend. Wir bieten mit sipgate team eine Web-Telefonanlage mit Mobilfunkintegration an, die allein in Deutschland mehr als Unternehmen einsetzen. Daher war der indirekte Schaden vermutlich enorm. Ein Spediteur schrieb, dass er seine Fahrer zeitweise nicht erreichen konnte und Aufträge ablehnen musste. Eine andere Firma berichtete von einer verpassten Telefonkonferenz, bei der Wenige es um einen Tage Großauftrag zuvor versendeten hätte gehen Kriminelle sollen. eine Den Phishing-Mail gesamten Schaden an Hunderttausende in Euro zu beziffern ist Konten. leider nicht Diese möglich, Mail gab aber vor, wir von gehen sipgate davon zu stammen aus, dass und es schon lockte eine die ziemlich Opfer unter hohe einem Zahl wäre. Vorwand auf eine präparierte Webseite. Ziel war es, die Zugangsdaten zu stehlen. Ob eine Verbindung zwischen den beiden Taten besteht und es sich vielleicht sogar um dieselben Täter handelt ist derzeit noch unklar. F5 Networks, Inc 8

9 DDoS Protection Market Brief cont Carriers and CDNs AT&T Verizon Akamai CloudFlare Customer on Premises Equipment (Appliances) F5 Networks, Arbor Networks, Radware, Narus, GenieNRM, Andrisoft, RioRey Cloud Services SMB: Neustar, BlackLotus, Corero, Imperva Enterprise: Prolexic, Verisign, F5 Silverline DDoS Protection Enterprise Secondary: F5 Silverline DDoS Protection F5 Networks, Inc 10

10 Which DDoS technology to use? CLOUD/HOSTED SERVICE HYBRID MODEL CLOUD AND ON-PREMISES DEFENSE STRENGTHS STRENGTHS STRENGTHS F5 now offers a comprehensive Completely off-premises so Combined DDoS attacks on-premises and cloud Direct solution control over infrastructure can t reach you to stop all attacks Immediate mitigation with instant response Amortized defense across Amortized thousands defense across thousands reporting of customers of customers hybrid solution Solutions can be architected to DNS anycast and multiple DNS data anycast centers and multiple data independently centers scale of one another protect you protect you Immediate mitigation with instant response WEAKNESSES and reporting WEAKNESSES Customers pay, whether attacked Direct control or not over on-premises Many point solutions in market, few infrastructure Bound by terms of service agreement comprehensive DDoS solutions Solutions can be architected Solutions focus on specific layers (not all Can to only mitigate up to max inbound independently scale of one another layers) connection size No other value. Only providing benefit when you get attacked. (excludes F5) F5 Networks, Inc 11

11 How does F5 protect against DDoS attacks?

12 F5 DDoS Protection Solution On-premises and cloud-based services for comprehensive DDoS Protection Network firewall Web application firewall SSL inspection DNS Security ON-PREMISES DDOS PROTECTION AND CLOUD SCRUBBING F5 Networks, Inc 13

13 Protect Your Business and Stay Online During a DDoS Attack On-premises and cloud-based services for comprehensive DDoS Protection F5 SILVERLINE DDOS PROTECTION When under attack F5 ON-PREMISES DDOS PROTECTION Turn on cloud-based service to stop volumetric attacks from ever reaching your network Multi-layered L3-L7 DDoS attack protection against all attack vectors 24/7 attack support from security experts Mitigate mid-volume, SSL, or application targeted attacks on-premises Complete infrastructure control Advanced L7 attack protections F5 Networks, Inc 14

14 How does F5 Silverline DDoS Protection protect against DDoS attacks?

15 F5 Offers Comprehensive DDoS Protection Threat Intelligence Feed Next-Generation Firewall Corporate Users Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Cloud Network Application Multiple ISP strategy Network attacks: ICMP flood, UDP flood, SYN flood SSL attacks: SSL renegotiation, SSL flood Financial Services Legitimate Users DDoS Attackers Cloud Scrubbing Service Volumetric attacks and floods, operations center experts, L3-7 known signature attacks ISPa/b DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS HTTP attacks: Slowloris, slow POST, recursive POST/GET Application E-Commerce Subscriber IPS Strategic Point of Control F5 Networks, Inc 16

16 DDoS Architecture Scrubbing Center Scrubbing Center Inspection Plane Inspection Toolsets Traffic Actioner Route Management Flow Collection Visibility Portal Tier 1 Signaling Management Legitimate Users DDoS Attackers Cloud Scrubbing Service Volumetric attacks and floods, operations center experts, L3-7 known signature attacks Switching Copied traffic for inspection BGP signaling Routing/ACL Netflow Switching Data Plane Netflow Proxy and Asymmetric Mitigation Tier Routing (Customer VRF) GRE Tunnel Proxy IP Reflection X-Connect Customer Strategic Point of Control F5 Networks, Inc 17

17 Global Coverage SOC 24/7 Support F5 Security Operations Center (SOC) is available 24/7 with security experts ready to respond to DDoS attacks within minutes Seattle, WA US Global Coverage Fully redundant and globally distributed data centers world wide in each geographic region San Jose, CA US Ashburn, VA US Frankfurt, DE Singapore, SG Industry-Leading Bandwidth Attack mitigation bandwidth capacity over 2.0 Tbps Scrubbing capacity of over 1.0 Tbps Guaranteed bandwidth with Tier 1 carriers

18 F5 Silverline DDoS Protection - Service Options Always On Primary protection as the first line of defense The Always On subscription stops bad traffic from ever reaching your network by continuously processing all traffic through the cloudscrubbing service and returning only legitimate traffic to your network. Always Available Primary protection available on-demand The Always Available subscription runs on stand-by and can be initiated when under attack. F5 Networks, Inc 20

19 Multiple Ways to Direct Traffic to our Massive Scrubbing Centers BGP (BORDER GATEWAY PROTOCOL) ANYCAST DNS / ANYCAST Multiple Ways to Return Clean Traffic GRE TUNNELS PROXY IP REFLECTION AMAZON (AWS) DIRECT CONNECT FIBER INTERCONNECT F5 Networks, Inc 21

20 Unparalleled Visibility and Reporting Before, During, and After a DDoS Attack Attack Data Instant inspection on the filters and countermeasures used for mitigation Detailed timeline analysis on type, size, origin, and attack vector Configuration and Provisioning Configure/ review/ modify settings for both Proxy and GRE mode through the portal Detailed Communication Real time attack communications Detailed events showing attack attributes and SOC mitigations applied F5 Networks, Inc 22

21 How does F5 protect against DDoS attacks on premises?

22 F5 cloud-based scrubbing with on-premises defenses Threat Intelligence Feed Next-Generation Firewall Corporate Users Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Cloud Network Application Multiple ISP strategy Network attacks: ICMP flood, UDP flood, SYN flood SSL attacks: SSL renegotiation, SSL flood Financial Services Legitimate Users DDoS Attackers Cloud Scrubbing Service Volumetric attacks and floods, operations center experts, L3-7 known signature attacks ISPa/b DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS HTTP attacks: Slowloris, slow POST, recursive POST/GET Application E-Commerce Subscriber IPS Strategic Point of Control F5 Networks, Inc 24

23 F5 cloud-based scrubbing with on-premises defenses Threat Intelligence Feed Next-Generation Firewall Corporate Users Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Legitimate Users DDoS Attackers Cloud Network Application Cloud Scrubbing Service Volumetric attacks and floods, operations center experts, L3-7 known signature attacks Multiple ISP strategy ISPa/b CLOUD KEY FEATURES Network attacks: ICMP flood, UDP flood, SYN flood Real-time Volumetric DDoS attack detection and mitigation in the cloud Multi-layered L3-L7 DDoS attack protection DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS 24x7 expert SOC services Transparent attack IPS reporting via F5 customer portal SSL attacks: SSL renegotiation, SSL flood HTTP attacks: Slowloris, slow POST, recursive POST/GET Application Financial Services E-Commerce Subscriber Strategic Point of Control F5 Networks, Inc 25

24 F5 cloud-based scrubbing with on-premises defenses Threat Intelligence Feed Next-Generation Firewall Corporate Users Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Legitimate Users DDoS Attackers Cloud Network Application Cloud Scrubbing Service Volumetric attacks and floods, operations center experts, L3-7 known signature attacks Multiple ISP strategy ISPa/b Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS NETWORK KEY FEATURES SSL attacks: SSL renegotiation, SSL flood The network tier at the perimeter is layer 3 and 4 network firewall services Simple load balancing to a second tier HTTP attacks: Slowloris, slow POST, recursive POST/GET Application IP reputation database Mitigates transient and IPS low-volume attacks Financial Services E-Commerce Subscriber Strategic Point of Control F5 Networks, Inc 26

25 F5 cloud-based scrubbing with on-premises defenses Threat Intelligence Feed Next-Generation Firewall Corporate Users Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Legitimate Users DDoS Attackers Cloud Cloud Scrubbing Service Volumetric attacks and floods, operations center experts, L3-7 known signature attacks Multiple ISP strategy ISPa/b Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network APPLICATION KEY FEATURES Application-aware, CPU-intensive defense mechanisms SSL termination Network and DNS Web application firewall Mitigate asymmetric and SSLbased DDoS attacks IPS SSL attacks: SSL renegotiation, SSL flood HTTP attacks: Slowloris, slow POST, recursive POST/GET Application Application Financial Services E-Commerce Subscriber Strategic Point of Control F5 Networks, Inc 27

26 Building a Bill of Materials. Silverline DDoS Silverline DDoS Protection is sold as a 1 year or 3 year subscription based on a combination of clean bandwidth, coverage level, and the number of assets we are protecting. There are 3 key choices for this subscription service Always On (standard services) Subscription service stops bad traffic from ever reaching your network by continuously processing all traffic through the cloud-scrubbing service Always Available Subscription service runs on standby and can be initiated on demand when under attack. Consult your F5 account team for assistance with Silverline pricing. F5 Networks, Inc 28

27 Building a Bill of Materials cont. Network DDoS This tier is comprised of LTM, AFM, DNS & IP Intelligence subscription service. The easiest way to build this element of the solution is to use the Better Bundle and then add the IPI subscription license, but the a la carte pricebook can also be used. Application DDoS This tier is comprised of LTM & ASM. This element of the solution can be provisioned using the a la carte pricelist, or the Best Bundle. The Best Bundle becomes more appropriate when additional modules (on top of LTM & ASM) are required. F5 Networks, Inc 29

28 Competitive Overview: Hybrid Solution - Many of the competitive solutions in the market do not have a hybrid offering (such as Akamai/Prolexic and Verisign). This puts F5 in a very strong position. A hybrid solution is recognized by the industry as the best way to detect and mitigate DDoS attacks. ASM often already exists Due to F5 s dominance in the ADC space, many customers already have LTM/ASM on premise. These customers therefore already have a large part of the F5 on premise DDoS capability, so to complement it with the AFM layer and Silverline is straightforward and quickly upgrades the protection to the full hybrid solution. Easy to use Portal the Silverline portal is a real unique compared to the competition. It is highly transparent, detailing information about the attack type and the method of mitigation. The Chat facility is also a powerful tool in quickly communicating with the Silverline SOC, to enable changes such as enabling DDoS protection, within minutes rather than hours as often the case with the competition. F5 Networks, Inc 30

29 Summary F5 offers the most-comprehensive hybrid DDoS solution to protect organizations against the full spectrum of modern DDoS attacks. By combining the best on-premise protection for detecting and mitigating SSL or application-targeted attacks, with the high-capacity F5 Silverline DDoS protection cloud-scrubbing service, F5 can stop volumetric attacks from even reaching the customer s network. Uplifting existing ADC customers to a the full hybrid solution is cost effective and provides a simple route to enabling the most secure protection against DDoS attacks.

30 Key Resources The F5 DDoS Protection Reference Architecture White paper: The F5 DDoS Protection Reference Architecture Best practices: F5 DDoS Protection recommended Practices The F5 Silverline DDoS Protection Service Overview F5 Networks, Inc 32

31 Explore The F5 DDoS Protection Reference Architecture f5.com/architectures F5 Networks, Inc 33

32