RETHINKING DATA CENTER SECURITY. Reed Shipley Field Systems Engineer, CISSP State / Local Government & Education

Transcription

1 RETHINKING DATA CENTER SECURITY Reed Shipley Field Systems Engineer, CISSP State / Local Government & Education

2

3 September 1, 2011

4

5 OPERATION ORLANDO

6 2012 HIGHER EDUCATION DATA BREACH FINAL FOUR 654,000 Records 300,000 Records 350,000 Records 279,000 Records Source

7 Mobility BYOD is only part of the problem

8 It s time to rethink security

9 IT Security Basics Mitigating Risk AND Helping the Business Flourish No Silver Bullet Tug of War between convenience & security Ensure max network & application availability & performance Make it easy for authorized users to access resources Make it difficult for non-authorized users to access resources Make it difficult to disrupt service

10 Know Thy Enemy Sun Tzu What are the threats to your data center & data? - Impossible to predict the future We can look at past history - Operation Ababil - Syrian Electronic Army - WikiLeaks - Anonymous - Slow GET and POST HTTP/HTTPS - DNS Flood/Reflection/Cache Poisoning - TCP Syn, UDP, ICMP Flood - SSL renegotiation - User account brute force - Using DDoS as a distraction - OWASP Top 10 Attacks - Data Breaches - Internal users Not always malicious, but still a threat

11 The Big Problem: It s Us! ENTERPRISE HEADQUARTERS MOBILE USER Global access ENTERPRISE DATA CENTER Partner Vendor access BYOD: Multiple devices PARTNERS, SUPPLIERS Application diversity INTERNET DATA CENTER The CLOUD cloud Remote access DATA CENTER/ PRIVATE CLOUD HACKER ENTERPRISE REMOTE OFFICE Customer access CUSTOMER

12 If opportunity doesn t knock, build a door What do users complain about? - Too many passwords - Password policy too complex - Inflexible access policies - Limited or no smartphone & tablet access - Limited or no external access - Slow applications - Unavailable applications Give them the EASY button Be a hero

13

14 Myths BUSTED F5 isn t a security company - uroam acquired for Secure User Access TMOS redesigned as Full-Proxy w/ Anti-DDoS Magnifire acquired for Application Security ICSA Certified - Network Firewall, SSL VPN, WAF Security Emergency Response Team G DDoS Mitigation at Interop Best of Interop Finalist Network World Review Websense partnership Versafe acquired for Anti-Malware & Anti-Fraud 2013

15 F5 s Unique Approach - Full Proxy Architecture - Focused on Inbound Data Center Protection - Context-Driven Policies - Flexibility (irules) - Big Consolidation Story

16 Introducing the F5 Application Delivery Firewall Bringing deep application fluency to firewall security One platform Network firewall Traffic management Application security Access control DDoS mitigation SSL inspection DNS security EAL2+ EAL4+ (in process)

17 What is a Proxy? Why is it more secure? Why is protocol fluency important? Proxy firewalls can which inspect content fully and make access decisions based on more specific, granular level of information. Access control this nuanced is attractive to network administrators, however each application needs its own proxy at the application-level. (No longer active) Data centers speak approx. 15 protocols

18 The importance of protocol fluency

19 How can I leverage LTM for security? TMOS -- Full Proxy Default Deny DDoS TCP SYN, ICMP (Smurf), UDP Flood, UDP Fragment, Ping of Death, Land, Teardrop, Slow HTTP Data Center Firewall iapp Customizable Traffic Plane irules! SSL inspection Geolocation Yes, it is stateful inspection (and more) Put all applications behind F5 LTM Limitations as a Firewall - Rule Management - Logging - Reporting - DDoS Signatures

20 Is F5 a UTM? Not in the traditional sense of the term - UTMs are not full-proxy - UTMs do not include application security or performance benefits - UTMs are generally marketed only to the low-end of the market - UTMs do not include high-availability features for redundancy - more

21 MORE Myths BUSTED BIG-IP is a load balancer, not a security device - Flexibility is the reason F5 doesn t fit into ONE category - BIG-IP fits into MANY categories - Licensing provides the features for the use case - Network World Review - bit.ly/f5nww More security will slow down our applications - Applications are faster when secured by F5 than with no security at all - Caching, compression, SSL offload, OneConnect, TCP Express I need defense in depth - F5 IS defense in depth - Just without the added complexity, cost and latency of separate devices

22 What about NG Firewalls?

23 NG Firewalls Compared to F5 Not a Full Proxy F5 is focused on INBOUND attack mitigation & secure user access Shallow protocol visibility Recommendation: Use F5 & NG to get the best of both worlds!

24 F5 NGFW Integration Architecture Outbound protection Corporate Users SaaS NGFW ISPa Log Server App 1 ISPb BIG-IP App 2 Users App 3

25 Network Security Devices vs. F5 Known Web Worms Unknown Web Worms Known Web Vulnerabilities Unknown Web Vulnerabilities Illegal Access to Web-server files Forceful Browsing File/Directory Enumerations Buffer Overflow Cross-Site Scripting SQL/OS Injection Cookie Poisoning Hidden-Field Manipulation Parameter Tampering Layer 7 DoS Attacks Brute Force Login Attacks App. Security and Acceleration Network Firewall Limited X Limited X Limited X X Limited Limited X X X X X X X IPS Limited Partial Limited X X Limited Limited Limited Limited X X X X X X F5

26 The defacto standard Source/Destination IP Address Source/Destination Port Number Username/Password

27 Wouldn t it be nice Use more criteria (context) to make security decisions Have more options than ALLOW or DENY

28 Geolocation

29 IP Intelligence

30 User Directory Metadata

31 Target Application

32 Device Posture

33 Time of Day

34 Multifactor Authentication

35 Application & Protocol Exploits

36 Brute Force Detection & Captcha Insertion

37 Federated Identity Management Streamlined & Secure ADFS Where are the ADFS Proxies?

38 VDI Streamlined & Secure Where are the Security Servers? Where are the Web Interface and STA Servers?

39 F5 mitigation technologies F5 Mitigation Technologies DDoS MITIGATION Use case Increasing difficulty of attack detection OSI stack Physical (1) Data Link (2) Network (3) Transport (4) Session (5) Presentation (6) Application (7) OSI stack Network attacks Session attacks Application attacks SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation Slowloris, Slow Post, HashDos, GET Floods BIG-IP AFM SynCheck, default-deny posture, high-capacity connection table, fullproxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions. BIG-IP LTM and GTM High-scale performance, DNS Express, SSL termination, irules, SSL renegotiation validation BIG-IP ASM Positive and negative policy reinforcement, irules, full proxy for HTTP, server performance anomaly detection Protect against DDoS Withstand the at all layers 38 vectors largest attacks covered Gain visibility and detection of SSL encrypted attacks

40 Common DDoS Vectors Slowloris SYN Flood DNS Reflection SSL Renegotiation

41

42 Opportunities Improve User Experience SSO to local & cloud applications Convenient webtop with all authorized resources Ensure max network & application availability & performance Make it difficult for non-authorized users to access resources Make it easy for authorized users to access resources Streamline Architecture Easier to troubleshoot Less vendor finger pointing Less latency Reduced CapEx/OpEx Fewer service contracts Fewer devices to train employees on Mitigate Risk Reduced attack surface Proprietary operating system Full-Proxy Architecture

43

44

45 Miami Dade Public Library System Case study to be posted soon!

46 Easier, Cheaper, Faster Choose any 2 3

47