RETHINKING DATA CENTER SECURITY. Reed Shipley (r.shipley@f5.com), Field Systems Engineer, CISSP. State / Local Government & Education

Source: http://gcn.com/blogs/cybereye/2013/10/it-professionals-survey.aspx

September 1, 2011

OPERATION ORLANDO

2012 Higher Education Data Breach "Final Four": 654,000 records; 300,000 records; 350,000 records; 279,000 records. Source: http://www.net-security.org/secworld.php?id=14612

Mobility: BYOD is only part of the problem

It's time to rethink security

IT Security Basics: Mitigating Risk AND Helping the Business Flourish
- No silver bullet
- Tug of war between convenience and security
- Ensure maximum network and application availability and performance
- Make it easy for authorized users to access resources
- Make it difficult for non-authorized users to access resources
- Make it difficult to disrupt service

Know Thy Enemy (Sun Tzu). What are the threats to your data center and data? It is impossible to predict the future, but we can look at past history:
- Operation Ababil
- Syrian Electronic Army
- WikiLeaks
- Anonymous
- Slow GET and POST (HTTP/HTTPS)
- DNS flood / reflection / cache poisoning
- TCP SYN, UDP and ICMP floods
- SSL renegotiation
- User account brute force
- Using DDoS as a distraction
- OWASP Top 10 attacks
- Data breaches
- Internal users (not always malicious, but still a threat)

The Big Problem: It's Us! (Diagram: enterprise headquarters, enterprise remote office, enterprise data center, data center / private cloud, Internet data center and the cloud, with mobile users, partners and suppliers, customers and a hacker all connecting in. Labels: global access, partner/vendor access, BYOD: multiple devices, application diversity, remote access, customer access.)

If opportunity doesn't knock, build a door. What do users complain about?
- Too many passwords
- Password policy too complex
- Inflexible access policies
- Limited or no smartphone and tablet access
- Limited or no external access
- Slow applications
- Unavailable applications
Give them the EASY button. Be a hero.

Myths BUSTED: "F5 isn't a security company"
- uRoam acquired for secure user access (2003)
- TMOS redesigned as a full proxy with anti-DDoS (2004)
- MagniFire acquired for application security (2004)
- ICSA certified: network firewall, SSL VPN, WAF (2012)
- Security Emergency Response Team (2013)
- 70 Gbps DDoS mitigation at Interop (2013)
- Best of Interop finalist (2013)
- Network World review (2013)
- Websense partnership (2013)
- Versafe acquired for anti-malware and anti-fraud (2013)

F5's Unique Approach
- Full proxy architecture
- Focused on inbound data center protection
- Context-driven policies
- Flexibility (iRules)
- Big consolidation story

Introducing the F5 Application Delivery Firewall: bringing deep application fluency to firewall security. One platform: network firewall, traffic management, application security, access control, DDoS mitigation, SSL inspection, DNS security. Common Criteria EAL2+ certified; EAL4+ in process.

What is a proxy? Why is it more secure? Why is protocol fluency important? "Proxy firewalls inspect content fully and make access decisions based on more specific, granular information. Access control this nuanced is attractive to network administrators; however, each application needs its own proxy at the application level." Source: http://www.paloaltonetworks.com/community/learning-center/what-is-a-firewall.html (no longer active). Data centers speak approximately 15 protocols.

The importance of protocol fluency
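To make the proxy point concrete, here is an added example (not F5 code and not part of the deck) of the request-head checks a protocol-fluent HTTP proxy can apply before a single byte reaches the server. The framing rules follow RFC 7230; the method allow-list, the size limit and the sample requests are constructed assumptions. A device that only sees addresses and ports cannot make any of these decisions.

```python
"""Protocol-fluent validation of an HTTP/1.x request head, the kind of check a
full proxy can make and a packet filter or stateful-inspection firewall cannot.
Added example, not F5 code: the framing rules follow RFC 7230, while the method
allow-list, the size limit and the sample requests are constructed assumptions."""
import re

TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 'token'
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}  # assumed policy
MAX_HEAD_BYTES = 8192  # assumed limit on the request head


def validate_request(raw: bytes):
    """Return (ok, reason, headers); ok is True only for a well-framed request."""
    if len(raw) > MAX_HEAD_BYTES:
        return False, "request head too large", {}
    if b"\r\n\r\n" not in raw:
        # A head that never completes is what a slow-header (Slowloris) client sends.
        return False, "incomplete request head", {}
    head, _body = raw.split(b"\r\n\r\n", 1)
    lines = head.split(b"\r\n")
    if any(b"\n" in line or b"\r" in line for line in lines):
        return False, "bare CR or LF inside request head", {}
    try:
        text = [line.decode("ascii") for line in lines]
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head", {}

    parts = text[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request line", {}
    method, target, version = parts
    if not TOKEN_RE.match(method):
        return False, "method is not a valid token", {}
    if method not in ALLOWED_METHODS:
        return False, "method %s not permitted" % method, {}
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "unsupported HTTP version", {}
    if not target.startswith("/") and not (method == "OPTIONS" and target == "*"):
        return False, "request-target must be origin-form", {}

    headers = {}
    for line in text[1:]:
        if line == "" or line[0] in " \t":
            return False, "empty or folded (obs-fold) header line", {}
        name, sep, value = line.partition(":")
        if not sep or not TOKEN_RE.match(name):
            # Also rejects "Host : x": whitespace before the colon (RFC 7230 3.2.4).
            return False, "invalid header field name %r" % name, {}
        headers.setdefault(name.lower(), []).append(value.strip())

    if version == "HTTP/1.1" and len(headers.get("host", [])) != 1:
        return False, "HTTP/1.1 requires exactly one Host header", {}
    lengths = headers.get("content-length", [])
    if lengths and "transfer-encoding" in headers:
        # Classic request-smuggling setup: two framing mechanisms on one message.
        return False, "Content-Length together with Transfer-Encoding", {}
    if len(set(lengths)) > 1:
        return False, "conflicting Content-Length values", {}
    if lengths and not lengths[0].isdigit():
        return False, "non-numeric Content-Length", {}
    return True, "ok", headers


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "clean": b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "smuggle": (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
                b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "bare_lf": b"GET / HTTP/1.1\nHost: app.example\r\n\r\n",
    "spaced_name": b"GET / HTTP/1.1\r\nHost : app.example\r\n\r\n",
    "two_hosts": b"GET / HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n",
    "slow_head": b"GET / HTTP/1.1\r\nHost: app.example\r\nX-a: b\r\n",
}


def check_samples():
    """Run every sample through the validator; returns {name: ok}."""
    return {name: validate_request(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        ok, reason, _ = validate_request(raw)
        print("%-12s %-6s %s" % (name, "pass" if ok else "reject", reason))
```

The smuggling sample (Content-Length alongside Transfer-Encoding), the bare LF and the whitespace before the colon are exactly the ambiguities a pass-through device forwards untouched and that two back-end parsers may resolve differently. A full proxy that parses and re-frames the request either removes the ambiguity or rejects the message; that is what "protocol fluency" buys.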

How can I leverage LTM for security?
- TMOS: full proxy, default deny
- DDoS: TCP SYN, ICMP (Smurf), UDP flood, UDP fragment, Ping of Death, Land, Teardrop, slow HTTP
- Data Center Firewall iApp
- Customizable traffic plane: iRules!
- SSL inspection
- Geolocation
- Yes, it is stateful inspection (and more)
- Put all applications behind F5 LTM
Limitations as a firewall: rule management, logging, reporting, DDoS signatures

Is F5 a UTM? Not in the traditional sense of the term:
- UTMs are not full-proxy
- UTMs do not include application security or performance benefits
- UTMs are generally marketed only to the low end of the market
- UTMs do not include high-availability features for redundancy
- and more

MORE Myths BUSTED
"BIG-IP is a load balancer, not a security device"
- Flexibility is the reason F5 doesn't fit into ONE category: BIG-IP fits into MANY categories
- Licensing provides the features for the use case
- Network World review: bit.ly/f5nww
"More security will slow down our applications"
- Applications are faster when secured by F5 than with no security at all
- Caching, compression, SSL offload, OneConnect, TCP Express
"I need defense in depth"
- F5 IS defense in depth, just without the added complexity, cost and latency of separate devices

What about NG Firewalls?

NG Firewalls compared to F5: an NGFW is not a full proxy and has shallow protocol visibility; F5 is focused on INBOUND attack mitigation and secure user access. Recommendation: use F5 and an NGFW together to get the best of both worlds!

F5 NGFW Integration Architecture (diagram): the NGFW provides outbound protection for corporate users reaching SaaS; inbound traffic from Internet users arrives over ISPa and ISPb to BIG-IP, which fronts App 1, App 2 and App 3; a log server receives events from both.

Network Security Devices vs. F5 (slide table). Rows, top to bottom: known web worms; unknown web worms; known web vulnerabilities; unknown web vulnerabilities; illegal access to web-server files; forceful browsing; file/directory enumeration; buffer overflow; cross-site scripting; SQL/OS injection; cookie poisoning; hidden-field manipulation; parameter tampering; Layer 7 DoS attacks; brute-force login attacks. Columns: Network Firewall, IPS, F5 (application security and acceleration). Cell ratings as extracted, top to bottom (X = not covered): Network Firewall: Limited, X, Limited, X, Limited, X, X, Limited, Limited, X, X, X, X, X, X, X; IPS: Limited, Partial, Limited, X, X, Limited, Limited, Limited, Limited, X, X, X, X, X, X. The F5 column's markings did not survive extraction.

The de facto standard for access decisions: source/destination IP address, source/destination port number, username/password.

Wouldn't it be nice to use more criteria (context) to make security decisions, and to have more options than ALLOW or DENY?
- Geolocation
- IP intelligence
- User directory metadata
- Target application
- Device posture
- Time of day
- Multifactor authentication
- Application and protocol exploits
- Brute force detection and CAPTCHA insertion
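As an added example (not F5 code or configuration, and not part of the deck), the decision function below combines several of the criteria just listed into four outcomes instead of two: ALLOW, MFA, CAPTCHA and DENY. The thresholds, the placeholder high-risk country code, the reputation-feed labels and the login events it replays are all constructed assumptions.

```python
"""Context-driven access decisions with more outcomes than allow/deny.
Added example, not F5 code or configuration: it combines IP intelligence,
geolocation, device posture, time of day and brute-force detection with
CAPTCHA insertion in one decision function. Thresholds, the country list,
the reputation labels and all sample events are constructed assumptions."""
from collections import deque
from dataclasses import dataclass

WINDOW_SECONDS = 300            # assumed: sliding window for counting failed logins
CAPTCHA_AFTER = 5               # assumed: failures before a CAPTCHA is inserted
LOCKOUT_AFTER = 20              # assumed: failures from one IP before it is denied
BUSINESS_HOURS = range(7, 20)   # assumed: 07:00-19:59 local
HIGH_RISK_COUNTRIES = {"ZZ"}    # assumed placeholder country code


@dataclass
class Request:
    ts: float               # event time, seconds
    client_ip: str
    username: str
    country: str            # from a geolocation lookup
    ip_reputation: str      # "clean" | "scanner" | "botnet" (constructed feed labels)
    device_compliant: bool  # device posture check result
    hour: int               # local hour of day
    login_failed: bool      # outcome the application reports for this attempt


class PolicyEngine:
    def __init__(self):
        self.failures = {}  # (kind, key) -> deque of failure timestamps

    def _recent(self, key, now):
        """Number of failures for key inside the sliding window ending at now."""
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def decide(self, r: Request) -> str:
        ip_fail = self._recent(("ip", r.client_ip), r.ts)
        user_fail = self._recent(("user", r.username), r.ts)
        if r.ip_reputation == "botnet" or ip_fail >= LOCKOUT_AFTER:
            decision = "DENY"
        elif (ip_fail >= CAPTCHA_AFTER or user_fail >= CAPTCHA_AFTER
              or r.ip_reputation == "scanner" or r.country in HIGH_RISK_COUNTRIES):
            # A challenge, not a lockout: counting per username catches distributed
            # guessing, but denying on it would let an attacker lock real users out.
            decision = "CAPTCHA"
        elif not r.device_compliant or r.hour not in BUSINESS_HOURS:
            decision = "MFA"
        else:
            decision = "ALLOW"
        if decision != "DENY" and r.login_failed:
            self.failures[("ip", r.client_ip)].append(r.ts)
            self.failures[("user", r.username)].append(r.ts)
        return decision


def simulate():
    """Constructed scenario: one IP guesses alice's password 22 times, then the
    real alice and an unrelated user log in. Returns (attack decisions, alice, bob)."""
    engine = PolicyEngine()
    attack = [engine.decide(Request(ts=1000 + 2 * i, client_ip="203.0.113.7",
                                    username="alice", country="US", ip_reputation="clean",
                                    device_compliant=True, hour=10, login_failed=True))
              for i in range(22)]
    alice = engine.decide(Request(ts=1100, client_ip="198.51.100.20", username="alice",
                                  country="US", ip_reputation="clean", device_compliant=True,
                                  hour=10, login_failed=False))
    bob = engine.decide(Request(ts=1100, client_ip="198.51.100.21", username="bob",
                                country="US", ip_reputation="clean", device_compliant=False,
                                hour=23, login_failed=False))
    return attack, alice, bob


if __name__ == "__main__":
    attack, alice, bob = simulate()
    print("attacker:", {d: attack.count(d) for d in ("ALLOW", "CAPTCHA", "DENY")})
    print("alice from another device during the attack:", alice)
    print("bob, unmanaged device at night:", bob)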

Federated Identity Management, streamlined and secure: ADFS. Where are the ADFS proxies?

VDI, streamlined and secure: where are the Security Servers? Where are the Web Interface and STA servers?

F5 Mitigation Technologies: DDoS Mitigation Use Case (difficulty of attack detection increases up the OSI stack)

Network attacks (OSI layers 1-4: Physical, Data Link, Network, Transport)
- Vectors: SYN flood, connection flood, UDP flood, PUSH and ACK floods, Teardrop, ICMP floods, ping floods and Smurf attacks
- Mitigation: BIG-IP AFM. SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is purpose-built, customized hardware that increases scale by an order of magnitude above software-only solutions.

Session attacks (OSI layers 5-6: Session, Presentation)
- Vectors: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation
- Mitigation: BIG-IP LTM and GTM. High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.

Application attacks (OSI layer 7: Application)
- Vectors: Slowloris, Slow POST, HashDoS, GET floods
- Mitigation: BIG-IP ASM. Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.

Summary: protect against DDoS at all layers; withstand the largest attacks; 38 vectors covered; gain visibility and detection of SSL-encrypted attacks.

Common DDoS vectors: Slowloris, SYN flood, DNS reflection, SSL renegotiation.
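Two of the vectors just named, Slowloris and its Slow POST variant, only show up at Layer 7: nothing is malformed, the client is simply never finishing. The added example below (not F5 code and not from the deck) shows the per-connection state a proxy that terminates HTTP can keep to detect both, plus a per-source cap on incomplete requests. Thresholds and the connection table it evaluates are constructed assumptions.

```python
"""Slow-HTTP (Slowloris / Slow POST) detection from per-connection state,
the kind of Layer 7 anomaly a full proxy that terminates HTTP can see.
Added example, not F5 code: thresholds and the connection table are
constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

HEADER_TIMEOUT = 10.0        # assumed: seconds allowed to finish sending the request head
GRACE = 5.0                  # assumed: seconds before the body rate is judged
MIN_BODY_RATE = 100.0        # assumed: bytes/second expected while a body is in flight
MAX_PENDING_PER_SOURCE = 20  # assumed: incomplete requests tolerated from one client IP


@dataclass
class Conn:
    src: str                              # client IP
    opened: float                         # time the TCP connection was accepted
    head_done_at: Optional[float] = None  # time the blank line ending the head arrived
    content_length: int = 0               # declared body size (0 for a GET)
    body_bytes: int = 0                   # body bytes received so far


def is_complete(c: Conn) -> bool:
    return c.head_done_at is not None and c.body_bytes >= c.content_length


def classify(c: Conn, now: float) -> Optional[str]:
    """None for a healthy connection, else the slow-HTTP pattern it matches."""
    if c.head_done_at is None:
        # Slowloris: headers trickle in indefinitely and the head never completes.
        return "slow-headers" if now - c.opened > HEADER_TIMEOUT else None
    if is_complete(c):
        return None
    elapsed = now - c.head_done_at
    if elapsed > GRACE and c.body_bytes / elapsed < MIN_BODY_RATE:
        # Slow POST: a large Content-Length with the body sent a few bytes at a time.
        return "slow-body"
    return None  # still inside the grace period, or uploading at a normal rate


def sweep(conns, now):
    """Classify every connection and find sources holding too many incomplete requests."""
    verdicts = {cid: classify(c, now) for cid, c in conns.items()}
    pending = {}
    for c in conns.values():
        if not is_complete(c):
            pending[c.src] = pending.get(c.src, 0) + 1
    flooders = {src for src, n in pending.items() if n > MAX_PENDING_PER_SOURCE}
    return verdicts, flooders


def build_scenario():
    """Constructed connection table as it would look at t=60s (not captured data)."""
    conns = {}
    for i in range(30):  # Slowloris client holding 30 half-sent request heads
        conns["loris-%d" % i] = Conn(src="203.0.113.9", opened=float(i))
    conns["slowpost"] = Conn(src="198.51.100.5", opened=20.0, head_done_at=21.0,
                             content_length=100_000, body_bytes=500)
    conns["upload"] = Conn(src="198.51.100.8", opened=55.0, head_done_at=56.0,
                           content_length=1_000_000, body_bytes=400_000)  # fast, in grace
    conns["get-done"] = Conn(src="198.51.100.9", opened=59.0, head_done_at=59.1)
    conns["new"] = Conn(src="198.51.100.10", opened=58.0)  # head still arriving, 2s old
    return conns


def run(now=60.0):
    return sweep(build_scenario(), now)


if __name__ == "__main__":
    verdicts, flooders = run()
    for cid, verdict in verdicts.items():
        if verdict:
            print(cid, "->", verdict)
    print("sources over the pending cap:", flooders)
```

The grace period and the rate threshold are what keep a legitimate large upload (the `upload` connection) from being mistaken for Slow POST in its first seconds; the per-source cap is the second signal, since a single Slowloris client needs hundreds of parallel half-open requests to exhaust a server's worker pool.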

Opportunities
Improve user experience:
- SSO to local and cloud applications
- Convenient webtop with all authorized resources
- Ensure maximum network and application availability and performance
- Make it difficult for non-authorized users to access resources
- Make it easy for authorized users to access resources
Streamline architecture:
- Easier to troubleshoot
- Less vendor finger-pointing
- Less latency
- Reduced CapEx/OpEx
- Fewer service contracts
- Fewer devices to train employees on
Mitigate risk:
- Reduced attack surface
- Proprietary operating system
- Full-proxy architecture

Miami Dade Public Library System Case study to be posted soon!

Easier, Cheaper, Faster. Choose any two? Choose all three.