F5 comprehensive protection against application attacks
Jakub Sumpich
Territory Manager Eastern Europe
j.sumpich@f5.com

Evolving Security Threat Landscape
cookie tampering, Identity Extraction, DNS Cache Poisoning, parameter tampering, excessive GET/POST, SSL renegotiation, malware, CSRF, redirected traffic, slowloris, sockstress attack, Trojans, ICMP Flood, HashDos, privilege escalations, smurf attack, SQL Injection, spear phishing, CVE, UDP flood, DNS malformed packet, syn flood, brute force, recursive GET, social engineering, URL tampering, HTTP fragmentation, web scraping, ping of death, DNS Amplification, Phishing, XSS, key loggers

The Growing Complexity of Application Attacks
Webification of apps:
71% of surveyed experts predict most work will be done via web-based or mobile apps by 2020
69% of all Americans use web apps
1M: Cost of single cyber attack can be well above $1,000,000
Evolving security threats:
122: Successful attacks per week, Ponemon Institute, Cost of Cyber Crime Study
1.5M: Monitored cyber attacks in US, IBM Security Services, 2014 Cyber Security Intelligence Index

Attacks are Moving Up the Stack
Network Threats: 90% of security investment focused here
Application Threats: 75% of attacks focused here
Source: Gartner

Some Firewall Vendors Would Have You Believe...
Only those corporations that believe they have coding issues in their web applications need a WAF.
Most developers have known production software issues
Vulnerabilities result from defects and issues
Most developers cannot also be web security experts
Not scalable to address on per-application basis

Almost every web application is vulnerable!
97% of websites at immediate risk of being hacked due to vulnerabilities! 69% of vulnerabilities are client-side attacks - Web Application Security Consortium
8 out of 10 websites vulnerable to attack - WhiteHat security report
75 percent of hacks happen at the application. - Gartner, Security at the Application Level
64 percent of developers are not confident in their ability to write secure applications. - Microsoft Developer Research

How long to resolve a vulnerability?
Website Security Statistics Report

App Security not Addressed by Traditional Firewall Vendors
Slowloris
Site reconnaissance
HTTP DOS
Session hijacking
Sensitive Data Leakage
Cross site scripting (XSS)
HashDOS
Cookie injection and poisoning
Cross site request forgery (CSRF)
Web page scraping
SQL injections
Phishing attacks
Brute force logins & forceful browsing
GET Floods
SSL-encrypted application attacks
Protecting the application layer requires a Web Application Firewall (WAF)

F5 Security Strategy
We support the biggest
9 of the top 10 US Airlines
29 of the top 30 US Commercial Banks
47 of the Fortune 50 Companies
9 of the top 10 US Wireless Carriers
10 of the top 10 US Telecoms
10 of the top 10 Global Brands
10 of the top 10 Global Automotive Companies
9 of the top 10 Global Oil & Gas Companies

Application Delivery Firewall (ADF) Solution
Protecting your applications regardless of where they live
Bringing deep application fluency and price performance to firewall security
One Platform: Network Firewall, Traffic Management, Application Security, Access Control, DDoS Protection, SSL, DNS Security, Web Fraud Protection
EAL2+, EAL4+ (in process)

Full Proxy Architecture = Full Proxy Security
[Diagram: two identical stacks with the layers Client / server, Web application, Application, Session, Network, Physical. Functions shown with the stacks:]
Application health monitoring and performance anomaly detection
HTTP proxy, HTTP DDoS, and application security
SSL inspection and SSL DDoS mitigation
L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation

Full Proxy Security
[Diagram labels: Client side and Server side, each with TCP, SSL and HTTP; Proxy; Traffic management microkernel; IPv4/IPv6; OneConnect; App FW; Access; Third party; iRules; iControl API; High-performance HW. Layers: Client / Server, Web Application, Application, Session, Network, Physical.]
Application health monitoring and performance anomaly detection
HTTP proxy, HTTP DDoS, and Application Security
SSL inspection & SSL DDoS mitigation
L4 Firewall: full stateful policy enforcement and TCP DDoS mitigation
F5's Approach
TMOS traffic plug-ins
High-performance networking microkernel
Powerful application protocol support
iControl: External monitoring and control
iRules: Network programming language

Benefits of Full-Proxy Architecture
[Diagram: a rule on each side of the proxy at the WAF, HTTP, SSL and TCP layers, plus a network firewall. Attacks shown: SSL renegotiation, SYN flood, ICMP flood, Slowloris attack, XSS, Data leakage.]

Comprehensive Application Security
Virtual Patching
Network DDoS Protection
Network Access
Application Access
DNS DDoS Protection
Fraud Protection
SSL DDoS Protection
Network Firewall
Web Application Firewall
Application DDoS Protection

Choose the Right Web Application Firewall (WAF) Solution
Provide transparent protection from ever-changing threats
Secure against the OWASP top 10 and targeted zero-day threats
Offer bot detection measures
Enable DAST integration and virtual patching to reduce risks from vulnerabilities
Provide positive/negative security, L7 DoS protection, and IP reputation
Support dynamic intelligent services
[Diagram labels: WAF; Request made; Firewall security policy checked; Firewall applies security policy; Vulnerable application; Server response generated; Secure response delivered]

BIG-IP Application Security Manager
Powerful Adaptable Solution
Provides comprehensive protection for all web application vulnerabilities, including (D)DoS
Logs and reports all application traffic and attacks
Educates admin. on attack type definitions and examples
Enables L2->L7 protection
Unifies security, access control and application delivery
Sees application level performance
Provides On-Demand scaling

ASM and SSL
SSL Offload
ASM can do SSL termination and Offload SSL traffic from Web Servers
SSL key exchange done by hardware
SSL bulk encryption done by hardware
End-to-End Encryption
Centralize certificate management

Choosing the Right Platform
Good, Better, Best Platforms

Virtual
F5 virtual editions: 25M, 200M, 1Gbps, 3Gbps, 5Gbps, New 10Gbps
Provide flexible deployment options for virtual environments and the cloud
Virtual ADC is best for:
Accelerated deployment
Maximizing data center efficiency
Private and public cloud deployments
Application or tenant-based pods
Keeping security close to the app
Lab, test, and QA deployments

Physical
F5 physical ADCs: 2000 series*, 4000 series, 5000 Series, 7000 Series, 10000 Series, 11000 Series, New VIPRION 2200, VIPRION 2400, VIPRION 4480, VIPRION 4800
High-performance with specialized and dedicated hardware
Physical ADC is best for:
Fastest performance
Highest scale
SSL offload, compression, and DoS mitigation
An all F5 solution: integrated HW+SW
Edge and front door services
Purpose-built isolation for application delivery workloads
*Note: 2000 Series appliances are not offered with Better or Best bundles

Hybrid
Physical + virtual = hybrid ADC infrastructure
Ultimate flexibility and performance
Hybrid ADC is best for:
Transitioning from physical to virtual and private data center to cloud
Cloud bursting
Splitting large workloads
Tiered levels of service

Built for intelligence, speed and scale
Users
Concurrent user sessions: 200K
Concurrent logins: 3,000/sec.
Resources
Throughput: 640 Gbps
Concurrent connections: 288 M
DNS query response: 12 M/sec
SSL TPS (2K keys): 240K/sec
Connections per second: 12.2 M

Working with Other Security Technologies
Ensuring the best protection requires a multi-vendor approach
ENDPOINT INSPECT/AV CERTIFICATES ENCRYPTION MOBILE OS SIEM MOBILE DEVICE MANAGEMENT DAST SECURITY CHANGE MANAGEMENT MULTI-FACTOR AUTHENTICATION FIPS/HSM SECURITY WEB ACCESS MANAGEMENT DATABASE FIREWALL DNS SECURITY WEB AND AND SBS SAAS SECURITY

F5 Reference Architectures
Real solutions for real problems
High Performance IPS
S/Gi Network Simplification
DDoS Protection
Security for Service Providers
LTE Roaming
Web Fraud Protection
Migration to Cloud
Application Services
Intelligent DNS Scale
Cloud Federation
DevOps
Cloud Bursting
Secure Web Gateway
Benefits
Minimize deployment times
Reduce security design costs
Strengthen security posture
F5 Agility 2014, F5 Networks, Inc.