DATACENTER SECURITY. Paul Deakin System Engineer, F5 Networks

Transcription

1 DATACENTER SECURITY Paul Deakin System Engineer, F5 Networks

2 Datacenter Security Needs To scale To secure To simplify Scale for a work-anywhere / SSL everywhere world. Security for applications and data against sustained attacks. Simplification of point solutions and complex firewall configurations.

3 Datacenter It started simple More user types, services Application issues

4 DDoS Attacks Exhaust Network Resources Firewall DDoS appliance APP accelerator Load balancer Web servers Database Bandwidth carriers ISP s bandwidth Your bandwidth State Table: ACL Perf. Degrade State Table: IP s Low & slow Layer 7 Random Layer 7 Logical State Table: TCP Flood. Negative caching Proxy bypass State Table: Too many connections Many: CPU Database load Thread jam Log attack Memory exhaustion Connection flood BANDWIDTH >> PACKET >> CONNECTION >> OS >> HTTP(s) >> APP (PHP/ASP) >>> DB Many: Thread jam Memory exhaustion

5 F5 mitigation technologies F5 Mitigation Technologies DDOS MITIGATION Increasing difficulty of attack detection OSI stack Physical (1) Data Link (2) Network (3) Transport (4) Session (5) Presentation (6) Application (7) OSI stack Network attacks Session attacks Application attacks SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation Slowloris, Slow Post, HashDos, GET Floods BIG-IP AFM SynCheck, default-deny posture, high-capacity connection table, fullproxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions. BIG-IP LTM and GTM High-scale performance, DNS Express, SSL termination, irules, SSL renegotiation validation BIG-IP ASM Positive and negative policy reinforcement, irules, full proxy for HTTP, server performance anomaly detection

6 Typical Architecture Outbound protection Corporate Users SaaS SSL VPN ISPa IPS App 1 ISPb NGFW BIG-IP LTM App 2 Known and unknown Users Web application firewall App 3 Back office + Network Management

7 Typical Architecture DDOS protector Outbound protection Corporate Users SaaS SSL VPN ISPa IPS App 1 ISPb BIG-IP AFM NGFW BIG-IP LTM App 2 Known and unknown Users Web application firewall App 3 Back office + Network Management

8 ADC Reference Architecture Outbound protection Corporate Users SaaS NGFW ISPa Log Server Inbound protection App 1 ISPb BIG-IP LTM AFM APM L2-L4 DDoS, L3/L4 access control, authentication/sso App 2 Known and unknown Users LTM AFM ASM LTM AFM DNS SVC L2-L7 DDoS, WAF for critical apps and compliance control Corp user access to back office + DNS services ADF deployment options App 3 Application services Public resources

9 Protecting the datacenter Use case Before f5 Firewall Network DDoS Application DDoS Web Access Management Load Balancer DNS Security Load Balancer & SSL Web Application Firewall with f5

10 Protecting the datacenter Before f5 Firewall Network DDoS Application DDoS Web Access Management Load Balancer DNS Security Load Balancer & SSL Web Application Firewall with f5 Consolidation of firewall, app security, traffic management Protection for data centers and application servers High scale for the most common inbound protocols

11 SSL Inspection SSL! SSL SSL SSL Gain visibility and detection of SSLencrypted attacks Achieve highscale/high-performance SSL proxy Offload SSL reduce load on application servers

12 SYN Check SYN-Cookie Protection (HW/SW) Mitigating SYN Floods using the SYN Check feature. TMOS has a build in feature from version 9.4 to deal with SYN floods using SYN Cookies in a function called SYN Check. All PVA2 and epva platform deals with SYN Cookies in either SW or HW the other platforms in SW only. F5 support up to 640 million SYN Cookies in HW on the high-end platform down to 20 million in HW on the single U appliance.

13 irules with Security: HashDos Post of Doom HashDos Post of Doom vulnerability affects all major web servers and application platforms. VIPRION Single DevCentral irule mitigates vulnerability for all back-end services. Staff can schedule patches for back-end services on their own timeline.

14 irules with Security: Prioritize connection based on country SSL SSL

15 The Dynamics of the DNS Market DNS Demand from Internet growth, 4G/LTE, DDoS Protection and Availability Average Daily Load for DNS (TLD) Queries in Billions Typical for a single web page to consume 100+ DNS queries from active content, advertising and analytics Global mobile data (4G/LTE) is driving the need for fast, available DNS 18X Growth G LTE 2.4GB/mo Non-4G LTE MB/mo New ICANN TLDs will create new demands for scale Attacks on DNS becoming more common DNS Services must be robust Distributed Available, High Performance GSLB for multiple Datacenters Cache poisoning attacks Total Service Availability Reflection / Amplification DDoS Geographically dispersed DCs Drive for DNSSEC adoption DNS Capacity Close to Subscribers

16 DNS the F5 Way Conventional DNS Thinking Adding performance = DNS boxes Internet External Firewall DNS Load Balancing Array of DNS Servers Internal Firewall Hidden Master DNS Weak DoS/DDoS Protection DMZ Datacenter F5 Paradigm Shift F5 DNS Delivery Reimagined Internet Master DNS Infrastructure DNS Firewall DNS DDoS Protection Massive performance over 10M RPS! Best DoS / DDoS Protection Protocol Validation Authoritative DNS Caching Resolver Transparent Caching High Performance DNSSEC DNSSEC Validation Simplified management (partner) Less CAPEX and OPEX Intelligent GSLB

17 Advanced Firewall Manager

18 BIG-IP Advanced Firewall Manager (AFM) Packaging SW license Supported on all platforms (BIG-IP VE, BIG-IP Appliances and VIPRION) Standalone or add to LTM Features L4 stateful full proxy firewall IPsec, NAT, adv routing, full SSL, AVR, Protocol Security DDoS (TCP, UDP, DNS, floods, HTTP): Over 80 attack types GUIs for configure rules, logging, etc All under a new Security tab

19 AFM GUI Configuration Main configuration under the Security

20 AFM GUI Configuration Main configuration under the new Security tab Context aware rules can be configured at the object level

21 AFM DOS protection Security > DoS Protection > Device Configuration Applied globally L2-L4 DoS attack vectors detection and thresholding in hardware on platform using HSBe2 FPGA BIG-IP 5000 series BIG-IP 7000 series BIG-IP series VIPRION B4300 blade VIPRION B2100 blade

22 AFM DOS DNS protection Security > DoS Protection > DoS Profile

23 DoS Report Samples

24 IP Intelligence

25 IP Intelligence Overview IP Intelligence Dynamic Threat IPs All BIG-IP appliances Near-real-time updates (up to 5min intervals) Dramatically reduces system loads Subscription-based service

26 IP Intelligence Identify and allow or block IP addresses with malicious activity IP Intelligence Service? Scanners Internally infected devices and servers Use IP intelligence to defend attacks Reduce operation and capital expenses

27 irules Availability for IP Intelligence All BIG-IP Systems

28 Easily Configure Violation Categories IP Intelligence Service Management in BIG-IP ASM UI Easily manage alarms and blocking in ASM Approve desired IPs with Whitelist Policy Building enabled for ignoring

29 Web Application Security

30 Web Applications Web applications are complex entities, consisting of many components, that may be: Internally developed Externally developed Off the-shelf Data Database server Backend App Server Application Server Majority of e-commerce applications consist of at least 3 main components Web server Application server Database CGI scripts Web Server HTTP Request HTML Page Interaction may exist at all levels between user and database. Browser

31 Anatomy of Web Application The browser is the entity interacting with the web application Sends HTTP requests Receives an HTML page Data Database server Backend App Server Application Server At any level of the web application structure, data can be manipulated, leaked out or exploited. CGI scripts Web Server Without any protection, holes and backdoors exist at every layer HTTP Request Browser HTML Page

32 We Already Have a Firewall Web Browser Web Browser Allow 80 (HTTP) Allow 443 (HTTPS) Applications at Risk Web Browser SSL secures traffic, but also secures attacks Without the application context, requests appear legal and pass through firewalls

33 ASM security features ASM provide protection against: Parameters Tampering Dynamic Parameter Tampering Cookie Poisoning Buffer Overflow Stealth Commanding Backdoor & Debug CSS HTTP Hardening SQL Injection HTTP Methods File Upload Dada Encoding 3rd party mis-configuration Known Vulnerabilities Unicode Support Application Path Blocking Hidden Field Manipulation ASM provides XML protection against: XML parsing exploits XML injection (passed into XML stream) WSDL discovery and manipulation with schemas XML DoS attack against web services XML - Common application attack (SQL injection etc)

34 Computational DoS mitigation in HTTP L7 Application Security Manager Transaction Per Seconds (TPS) based anomaly detection TPS-based anomaly detection allows you to detect and mitigate DoS attacks based on the client side. Latency based anomaly detection Latency-based anomaly detection allows you to detect and mitigate attacks based on the behavior of the server side.

35 Protection From Top Web App. Vulnerabilities (Open Web Application Security Project) OWASP Top 10 Web Application Security Risks: 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards Source:

36 Unified Access

37 Enabled simplified application access SharePoint OWA Users BIG-IP Local Traffic Manager + Access Policy Manager Cloud Hosted virtual desktop APP OS APP OS APP OS APP OS Directory Web servers App 1 App n

38 ENHANCING WEB ACCESS MANAGEMENT Create policy Administrator Corporate domain Latest AV software User = HR AAA server HR Current O/S Proxy the web applications to provide authentication, authorization, endpoint inspection, and more all typing into Layer 4-7 ACLS through F5 s Visual Policy Editor

39 Access Policy using SMS token

40 APM SAML How it Works Domain user makes a SAML-supported request for a resource. Data center 1 Login.example.com Portal.example.com End user Public/private Data center 2 Active Directory ADFS Business Partners Business Partners OWA.example.com Sharepoint.example.com ADFS Apache/Tomcat App

41 APM SAML How it Works An SP-initiated post is sent back to the client in the form of a redirect to Data center 1 Login.example.com Portal.example.com End user Public/private Data center 2 Active Directory ADFS Business partners Business partners OWA.example.com Sharepoint.example.com ADFS Apache/Tomcat App

42 APM SAML How it Works Client posts credentials to login credentials are validated with Active Directory. Data center 1 Login.example.com Portal.example.com End user Public/private A SAML assertion is generated, passed back to the client with a redirect to the requested application. Data center 2 Active Directory ADFS Business partners Business partners ADFS OWA.example.com Sharepoint.example.com Apache/Tomcat App

43 APM SAML How it Works Client successfully logs on to application with SAML assertion. Data center 1 Login.example.com Portal.example.com End user Public/private Data center 2 Active Directory ADFS Business partners Business partners OWA.example.com Sharepoint.example.com ADFS Apache/Tomcat App

44 TMOS and Platform

45 Full Proxy Security Client / Server Client / Server Application health monitoring and performance anomaly detection Web application Web application HTTP proxy, HTTP DDoS and application security Application Application SSL inspection and SSL DDoS mitigation Session Session L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation Network Network Physical Physical

46 IPv4/IPv6 TCP HTTP SSL HTTP SSL OneConnect TCP AFM ASM APM Full Proxy Security F5 s Approach Client / Server Optional modules plug in for all F5 products and solutions Client / Server Web application Application health monitoring and performance anomaly detection Traffic management microkernel Web application Application Session Proxy HTTP proxy, HTTP DDoS and application security Client side Server side SSL inspection and SSL DDoS mitigation Application Session Network Physical L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation irules High-performance HW icontrol API Network Physical TMOS traffic plug-ins High-performance networking microkernel Powerful application protocol support icontrol External monitoring and control irules Network programming language

47 F5 s Purpose-Built Design Performance and Scalability Optimized hardware utilizing custom Field Programmable Gate Array (FPGA) technology tightly integrated with TMOS and software Embedded Packet Velocity Acceleration (epva) FPGA delivers: Example of unique F5 VIPRION architecture Linear scaling of performance High performance interconnect between Ethernet ports and CPU s High L4 throughput and reduce load on cpu Integrated hardware and software DDoS protection against large scale attacks Predictable performance for low latency protocols (FIX)

48 Platform Overview Platform VIPRION blade (B4340) VIPRION blade (B4340) VIPRION blade (B4340) VIPRION blade (B2100) VIPRION blade (B2100) Throughput (Gbs) Max Conc. Conns L4 Connection/s (CPS) SSL TPS (2K keys) HW SYN cookies/s ,000,000 8,000, , ,000, ,000,000 4,400, , ,000, ,000,000 1,100,000 30,000 80,000, ,000,000 1,600,000 40, ,000, ,000, ,000 10,000 40,000,000 BIG-IP ,000,000 1,000,000 75,000 80,000,000 BIG-IP ,000, ,000 25,000 40,000,000 BIG-IP ,000, ,000 21,000 40,000,000 BIG-IP ,000, ,000 9,000 N/A BIG-IP ,000, ,000 4,000 N/A VIPRION 4800 VIPRION 44xx Chassis VIPRION 2400 Chassis BIG-IP 10x00 BIG-IP 7x00 BIG-IP 5x00 BIG-IP 4x00 BIG-IP 2x00 Series

49 TMOS Architecture LTM GTM AAM AFM APM ASM BIG-IP Local Traffic Manager BIG-IP Global Traffic Manager BIG-IP Application Acceleration Manager BIG-IP Advanced Firewall Manager BIG-IP Access Policy Manager BIG-IP Application Security Manager TCP Express: F5 s Adaptive TCP Stack (client side) Full Proxy Architecture F5 s TMOS Common Services TCP Express: F5 s Adaptive TCP Stack (server side) DoS and DDOS Protection High Performance SSL GeoLocation Services Rate Shaping Fast Cache High Performance Compression Dynamic Routing Message-Based Traffic Management: Universal Switching Engine (USE) isessions: F5 secure, optimized tunneling TCP Multiplexing & Optimal Connection Handling Full IPv6/IPv4 Gateway irules Programming icontrol API Management Control Plane (MCP) & High Speed Logging Full L2 Switching Universal Persistence: Transaction Integrity Unique High Performance Hardware

50 Application Delivery Firewall Bringing an application-centric view to firewall security One platform ICSA-certified firewall Application delivery controller Application security Access control DDoS mitigation SSL inspection DNS security Full proxy visibility and control #1 ADC application fluency Extensibility Functionality across multiple systems Built for the new application-centric network

51 F5 BIG-IP delivers ICSA-certified firewall Access control Application delivery controller DDoS mitigation Application security SSL inspection DNS security Web and WAN optimization Products Advanced Firewall Manager Access Policy Manager Local Traffic Manager Application Security Manager Global Traffic Manager and DNSSEC Application Acceleration Stateful full-proxy firewall On-box logging and reporting Native TCP, SSL and HTTP proxies Network and Session anti-ddos Dynamic, identity-based access control Simplified authentication, consolidated infrastructure Strong endpoint security and secure remote access High performance and scalability VDI integration (ICA, PCoIP) #1 application delivery controller Application fluency App-specific health monitoring Application Offload Streamlined app. deployment Leading web application firewall PCI compliance Virtual patching for vulnerabilities HTTP anti-ddos IP protection Huge scale DNS solution Global server load balancing Signed DNS responses Offload DNS crypto Front End Optimization Server offload Network optimization Mobile acceleration HTTP2.0 / SPDY gateway ONE PLATFORM (HW/SW)

52 F5 Delivers to Support Your Needs Increased scale and performance Higher security Operational efficiency Industry-leading capacity and throughput. Full-proxy security, SSL inspection, and extensibility with irules. Consolidation of functions and an application-centric security model.

53