RETHINKING DATA CENTER SECURITY
Reed Shipley, r.shipley@f5.com
Field Systems Engineer, CISSP
State / Local Government & Education
http://gcn.com/blogs/cybereye/2013/10/it-professionals-survey.aspx
September 1, 2011
OPERATION ORLANDO
2012 HIGHER EDUCATION DATA BREACH FINAL FOUR
- 654,000 Records
- 300,000 Records
- 350,000 Records
- 279,000 Records
Source: http://www.net-security.org/secworld.php?id=14612
Mobility BYOD is only part of the problem
It's time to rethink security
IT Security Basics: Mitigating Risk AND Helping the Business Flourish
- No Silver Bullet
- Tug of War between convenience & security
- Ensure max network & application availability & performance
- Make it easy for authorized users to access resources
- Make it difficult for non-authorized users to access resources
- Make it difficult to disrupt service
Know Thy Enemy (Sun Tzu)
What are the threats to your data center & data?
- Impossible to predict the future, but we can look at past history
- Operation Ababil
- Syrian Electronic Army
- WikiLeaks
- Anonymous
- Slow GET and POST HTTP/HTTPS
- DNS Flood/Reflection/Cache Poisoning
- TCP SYN, UDP, ICMP Flood
- SSL renegotiation
- User account brute force
- Using DDoS as a distraction
- OWASP Top 10 Attacks
- Data Breaches
- Internal users: not always malicious, but still a threat
The Big Problem: It's Us!
(Diagram: enterprise headquarters, enterprise data center, data center/private cloud, internet data center, the cloud and an enterprise remote office, with global access for mobile users, partner/vendor access, customer access, remote access, BYOD with multiple devices, application diversity, and a hacker in the mix)
If opportunity doesn't knock, build a door
What do users complain about?
- Too many passwords
- Password policy too complex
- Inflexible access policies
- Limited or no smartphone & tablet access
- Limited or no external access
- Slow applications
- Unavailable applications
Give them the EASY button. Be a hero.
Myths BUSTED: "F5 isn't a security company"
- uroam acquired for Secure User Access, 2003
- TMOS redesigned as Full-Proxy w/ Anti-DDoS, 2004
- Magnifire acquired for Application Security, 2004
- ICSA Certified: Network Firewall, SSL VPN, WAF, 2012
- Security Emergency Response Team, 2013
- 70G DDoS Mitigation at Interop, 2013
- Best of Interop Finalist, 2013
- Network World Review, 2013
- Websense partnership, 2013
- Versafe acquired for Anti-Malware & Anti-Fraud, 2013
F5's Unique Approach
- Full Proxy Architecture
- Focused on Inbound Data Center Protection
- Context-Driven Policies
- Flexibility (iRules)
- Big Consolidation Story
Introducing the F5 Application Delivery Firewall
Bringing deep application fluency to firewall security
One platform: Network firewall, Traffic management, Application security, Access control, DDoS mitigation, SSL inspection, DNS security
EAL2+; EAL4+ (in process)
What is a Proxy? Why is it more secure? Why is protocol fluency important?
"Proxy firewalls inspect content fully and make access decisions based on more specific, granular information. Access control this nuanced is attractive to network administrators; however, each application needs its own proxy at the application level."
Source: http://www.paloaltonetworks.com/community/learning-center/what-is-a-firewall.html (no longer active)
Data centers speak approx. 15 protocols
The importance of protocol fluency
How can I leverage LTM for security?
- TMOS: Full Proxy, Default Deny
- DDoS: TCP SYN, ICMP (Smurf), UDP Flood, UDP Fragment, Ping of Death, Land, Teardrop, Slow HTTP
- Data Center Firewall iApp
- Customizable Traffic Plane: iRules!
- SSL inspection
- Geolocation
- Yes, it is stateful inspection (and more)
- Put all applications behind F5 LTM
Limitations as a Firewall:
- Rule Management
- Logging
- Reporting
- DDoS Signatures
Is F5 a UTM? Not in the traditional sense of the term
- UTMs are not full-proxy
- UTMs do not include application security or performance benefits
- UTMs are generally marketed only to the low end of the market
- UTMs do not include high-availability features for redundancy
- ...and more
MORE Myths BUSTED
"BIG-IP is a load balancer, not a security device"
- Flexibility is the reason F5 doesn't fit into ONE category
- BIG-IP fits into MANY categories
- Licensing provides the features for the use case
- Network World Review: bit.ly/f5nww
"More security will slow down our applications"
- Applications are faster when secured by F5 than with no security at all
- Caching, compression, SSL offload, OneConnect, TCP Express
"I need defense in depth"
- F5 IS defense in depth
- Just without the added complexity, cost and latency of separate devices
What about NG Firewalls?
NG Firewalls Compared to F5
- NG Firewalls: Not a Full Proxy; Shallow protocol visibility
- F5: focused on INBOUND attack mitigation & secure user access
Recommendation: Use F5 & NG to get the best of both worlds!
F5 NGFW Integration Architecture
(Diagram: outbound protection for corporate users reaching SaaS through the NGFW; BIG-IP in front of App 1, App 2 and App 3 for inbound users arriving over ISPa and ISPb; a log server)
Network Security Devices vs. F5
Attack types compared: Known Web Worms, Unknown Web Worms, Known Web Vulnerabilities, Unknown Web Vulnerabilities, Illegal Access to Web-server files, Forceful Browsing, File/Directory Enumerations, Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering, Layer 7 DoS Attacks, Brute Force Login Attacks
Columns: Network Firewall, IPS, F5 (App. Security and Acceleration)
Network Firewall ratings, in row order: Limited, X, Limited, X, Limited, X, X, Limited, Limited, X, X, X, X, X, X, X
IPS ratings, in row order: Limited, Partial, Limited, X, X, Limited, Limited, Limited, Limited, X, X, X, X, X, X
The de facto standard
- Source/Destination IP Address
- Source/Destination Port Number
- Username/Password
Wouldn't it be nice...
- Use more criteria (context) to make security decisions
- Have more options than ALLOW or DENY
Geolocation
IP Intelligence
User Directory Metadata
Target Application
Device Posture
Time of Day
Multifactor Authentication
Application & Protocol Exploits
Brute Force Detection & Captcha Insertion
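A worked illustration of the context-driven decision the preceding slides describe, added here as an example and not F5 code or an iRule: the request context (geolocation, IP intelligence, directory groups, target application, device posture, time of day, MFA state, failed-login count) is evaluated into one of several actions rather than a bare allow or deny. All group names, application names and thresholds are assumptions constructed for the example.

```python
from dataclasses import dataclass

# All group names, application names and thresholds here are assumptions constructed for the example.
HOME_COUNTRIES = {"US"}
APP_REQUIRED_GROUP = {"payroll": "hr", "sis": "registrar", "webmail": None}
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 local
@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset       # user directory metadata
    country: str            # geolocation of the source address
    ip_reputation: str      # IP intelligence category: "clean", "anonymous_proxy" or "botnet"
    app: str                # target application
    device_managed: bool    # device posture: corporate-managed or not
    hour: int               # time of day, 0-23
    mfa_passed: bool        # multifactor already satisfied in this session
    failed_logins: int      # recent failed attempts for this user from this address

def risk_signals(ctx):
    """Collect the context signals that raise the risk of this request."""
    signals = []
    if ctx.country not in HOME_COUNTRIES:
        signals.append("foreign_geo")
    if ctx.ip_reputation == "anonymous_proxy":
        signals.append("anonymizer")
    if not ctx.device_managed:
        signals.append("unmanaged_device")
    if ctx.hour not in BUSINESS_HOURS:
        signals.append("off_hours")
    return signals

def decide(ctx):
    """Return an action, not just allow/deny: DENY, CAPTCHA, REQUIRE_MFA, READ_ONLY or ALLOW."""
    # Hard stops first: a known-bad source, or a user not entitled to the application at all.
    if ctx.ip_reputation == "botnet":
        return "DENY"
    need = APP_REQUIRED_GROUP.get(ctx.app)
    if need is not None and need not in ctx.groups:
        return "DENY"
    # Brute-force pressure: insert a challenge instead of locking the account out.
    if ctx.failed_logins >= 5:
        return "CAPTCHA"
    signals = risk_signals(ctx)
    # Any risk signal without MFA: step up authentication before granting access.
    if signals and not ctx.mfa_passed:
        return "REQUIRE_MFA"
    # Even after MFA, a group-restricted app from an unmanaged device gets a reduced session.
    if need is not None and "unmanaged_device" in signals:
        return "READ_ONLY"
    return "ALLOW"
```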
Federated Identity Management: Streamlined & Secure
ADFS: Where are the ADFS Proxies?
VDI: Streamlined & Secure
Where are the Security Servers? Where are the Web Interface and STA Servers?
F5 Mitigation Technologies: DDoS MITIGATION
OSI stack, with increasing difficulty of attack detection as you move up: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7)
Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
- Mitigation, BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
- Mitigation, BIG-IP LTM and GTM: High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
Application attacks: Slowloris, Slow Post, HashDos, GET Floods
- Mitigation, BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
Protect against DDoS at all layers. Withstand the largest attacks. 38 vectors covered. Gain visibility and detection of SSL encrypted attacks.
Common DDoS Vectors Slowloris SYN Flood DNS Reflection SSL Renegotiation
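As an added example, not F5's own logic: the slow HTTP vectors listed above (Slowloris, Slow Post) can only be judged by a device that terminates the client connection itself and holds the request until it is complete, which is the full-proxy point made earlier in the deck. The connection snapshot, thresholds and function names below are constructed assumptions.

```python
from collections import Counter

# Constructed snapshot of the open client connections a full proxy holds for one virtual
# server (sample data built for this example, not real traffic): source address, seconds
# since accept, inbound bytes received so far, and whether a complete request has arrived.
SNAPSHOT = [
    ("203.0.113.5", 75, 40, False),
    ("203.0.113.5", 71, 38, False),
    ("203.0.113.5", 64, 33, False),
    ("203.0.113.5", 60, 31, False),
    ("203.0.113.5", 58, 30, False),
    ("203.0.113.5", 12, 9, False),    # too young to judge yet
    ("198.51.100.7", 45, 20, False),  # one slow client, below the per-source bar
    ("198.51.100.7", 2, 512, True),
    ("192.0.2.9", 90, 20480, False),  # long-lived but fast: a large upload, not slow-rate
    ("192.0.2.9", 1, 730, True),
]

def slow_request_connections(snapshot, min_age_s=30, max_rate_bps=2.0):
    """Connections still waiting for a complete request after min_age_s seconds while
    delivering at most max_rate_bps bytes per second: the Slowloris / Slow Post profile.
    Thresholds are assumptions; tune them to the application's real client behaviour."""
    return [c for c in snapshot
            if not c[3] and c[1] >= min_age_s and c[2] / c[1] <= max_rate_bps]

def flagged_sources(snapshot, per_source=3, **thresholds):
    """Sources holding at least per_source slow, incomplete connections at the same time."""
    counts = Counter(c[0] for c in slow_request_connections(snapshot, **thresholds))
    return sorted(ip for ip, n in counts.items() if n >= per_source)

def enforce(snapshot, per_source=3, **thresholds):
    """Defensive action available to a full proxy: drop the slow incomplete connections of
    flagged sources before anything is forwarded to a pool member; keep everything else.
    Returns (kept, dropped)."""
    bad = set(flagged_sources(snapshot, per_source, **thresholds))
    dropped = [c for c in slow_request_connections(snapshot, **thresholds) if c[0] in bad]
    kept = [c for c in snapshot if c not in dropped]
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = enforce(SNAPSHOT)
    print("flagged:", flagged_sources(SNAPSHOT))
    print(f"dropped {len(dropped)} connections, kept {len(kept)}")
```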
Opportunities
Improve User Experience
- SSO to local & cloud applications
- Convenient webtop with all authorized resources
- Ensure max network & application availability & performance
- Make it difficult for non-authorized users to access resources
- Make it easy for authorized users to access resources
Streamline Architecture
- Easier to troubleshoot
- Less vendor finger pointing
- Less latency
- Reduced CapEx/OpEx
- Fewer service contracts
- Fewer devices to train employees on
Mitigate Risk
- Reduced attack surface
- Proprietary operating system
- Full-Proxy Architecture
Miami Dade Public Library System Case study to be posted soon!
Easier, Cheaper, Faster: Choose any 2 (3)