Maximum Security, Zero Compromise in Availability and Performance. Presented by: Teong Eng Guan, MD ASEAN
Agenda
Who is F5 and what do we do?
IT Challenges
Web Application Security: Why & How?
Total Defense with F5
Conclusion
As of 8 p.m. last night
F5 is everywhere, and in Vietnam! Impacting everyone!
So what do we do? We help you and our customers provide a better application experience: providing technologies to accelerate the deployment and performance of applications; offering solutions to secure the access and usage of applications; load balancing and traffic management come with the package anyway. We make applications work.
Let's understand more about Application Delivery Networking (ADN). Users (at home, in the office, on the road) reach applications (SAP, Microsoft, Oracle/BEA, IBM, VMware) through the Application Delivery Network, which shapes the user experience. ADN provides the best secured user experience, optimally and non-intrusively.
F5 Understands Businesses. We understand that: businesses want to be the leaders in their industry; businesses want to meet and exceed their Market Research Index (MRI); businesses need to bring in more users/subscribers/customers/transactions; businesses have growth concerns; businesses do not have unlimited resources; businesses need to be protected from security threats. We understand that the key factor in why organizations succeed is that they provide the best user experience to their customers.
Web Application Security The Why and How?
Web Application Trends and Technologies (chart: network load, low to high traffic, against application complexity, less to more). Web 1.0: audio & video downloads, file transfers, basic HTML, flat web pages. Web 2.0: SOA, SaaS, AJAX, Silverlight/Flex 3, RIA, audio & video streaming.
The Challenge: Attacks are Moving Up the Stack. Network threats: 90% of security investment is focused here. Application threats: 75% of attacks are focused here. Source: Gartner
Perimeter Security (Physical World)
Enterprise Perimeter Security (EPS). Diagram: Botnet -> IPS -> Web App, Web App, Web App.
Network Access Protection (Layers 1-3) and Protocol Access Protection (Layers 4-6), i.e. the IPS: prevents only network attacks, by IP address, port and service number; detects known signatures; no application or session awareness; no SSL protection.
Application Access Protection (Layer 7), in front of the web apps: scales for the enterprise; reduces costly development and audit effort; prevents web attacks such as DDoS, SQL injection, cross-site scripting, etc.; PCI compliance.
Network Firewalls vs. Application Firewalls
Network firewalls: manage network traffic; protection at network layer 3; manage access to corporate LANs; simple forwarding of approved packets; configured with port 80/443 (HTTP/S) open for access; packet inspection.
Application firewalls: manage web traffic; protection at application layer 7; monitor HTTP/S and XML protocols; protect applications and backend data from malicious attacks and unauthorized usage; deep packet inspection of all traffic to and from the web servers; deep stream inspection.
Addressing the Vulnerabilities: Web Application Firewalls, Web Access Gateways. Attack signature mitigation (inspect; generic). Full-proxy WAF (proxy, inspect, rewrite). Web Access Gateway (encrypt, SSO, AAA).
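The contrast drawn on the two slides above, a network firewall that only sees ports versus an application firewall that parses HTTP and matches attack signatures against decoded fields, is easier to grasp with both decisions side by side. The following is an added illustration written for this page, not F5 code and not a description of how BIG-IP ASM works internally; the signatures, sample requests and hostname `bank.example` are constructed for the demo, and the signature list is deliberately small (a signature-only check is exactly the "known signatures" limitation the EPS slide describes).

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample requests for the demo (not captured traffic).
BENIGN_REQUEST = (
    "GET /account/search?q=invoice+2011&page=2 HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
SQLI_REQUEST = (  # q decodes to: ' OR '1'='1
    "GET /account/search?q=%27+OR+%271%27%3D%271&page=1 HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "\r\n"
)
XSS_REQUEST = (  # display_name decodes to: <script>alert(1)</script>
    "POST /profile HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "display_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
)

# Illustrative attack signatures; they are applied to URL-decoded values only.
SIGNATURES = {
    "sql_injection": re.compile(
        r"(?i)(\bunion\b\s+(all\s+)?select\b|'\s*or\s*'?\w+'?\s*=\s*'?\w+|;\s*drop\s+table\b|--\s*$)"
    ),
    "cross_site_scripting": re.compile(r"(?i)(<\s*script\b|javascript\s*:|\bon[a-z]+\s*=)"),
}


def network_firewall_allows(dst_port, raw_request):
    """Layer 3/4 decision: only the destination port is consulted; the payload is never read."""
    return dst_port in (80, 443)


def parse_http_request(raw):
    """Minimal HTTP/1.1 parser: request line, headers, query string and form body, all URL-decoded."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    return {"method": method, "path": unquote_plus(url.path), "headers": headers, "params": params}


def waf_inspect(raw_request):
    """Layer 7 decision: parse the request and match signatures against every decoded field."""
    req = parse_http_request(raw_request)
    fields = [("path", req["path"])]
    fields += [("param:" + name, value) for name, value in req["params"]]
    fields += [("header:" + name, value) for name, value in req["headers"].items()]
    findings = [
        (category, location)
        for location, value in fields
        for category, pattern in SIGNATURES.items()
        if pattern.search(value)
    ]
    return {"action": "block" if findings else "allow", "findings": findings}


if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_REQUEST), ("sqli", SQLI_REQUEST), ("xss", XSS_REQUEST)):
        l4 = "allow" if network_firewall_allows(443, raw) else "block"
        print(f"{label}: network firewall -> {l4}; WAF -> {waf_inspect(raw)}")
```

Running it shows the point of the slides: the port-based check returns "allow" for all three requests, while the Layer 7 inspection decodes the parameters first (the injection arrives percent-encoded) and blocks only the two that carry a matching pattern. Decoding before matching matters; a check run on the raw query string would miss `%27+OR+%271%27%3D%271` entirely.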
Improved PCI Compliance Reporting. PCI reporting details: the security measures required by PCI DSS 1.2; the compliance state; the steps required to become compliant.
Layer 7 DDoS Protection. The L7 DDoS traffic signature from a DDoS botnet is exactly the same as a good user's. With F5 intelligent L7 DDoS blocking, the good user reaches the online payment service, and the online payment service is unaffected by L7 DDoS attacks.
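The slide's key observation is that each bot request looks identical to a legitimate one, so a per-request content check cannot separate them; what does separate them is behaviour over time, per client. The example below is added here to show that behavioural view and is not F5 code or a description of BIG-IP's own algorithm: it parses constructed access-log lines (the log format, the IP addresses from documentation ranges and the thresholds are all assumptions for the demo) and flags clients whose request count inside a sliding time window exceeds a limit.

```python
import re
from collections import defaultdict, deque

# Constructed log format: <client_ip> <unix_ts> "<method> <path> HTTP/1.1" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\d+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)


def build_sample_log():
    """Constructed sample: one legitimate client (6 requests over a minute) and three bots
    (40 requests each inside 10 seconds). Every request is the same GET /pay returning 200."""
    lines = [f'203.0.113.10 {1000 + 10 * i} "GET /pay HTTP/1.1" 200' for i in range(6)]
    for ip in ("198.51.100.21", "198.51.100.22", "198.51.100.23"):
        lines += [f'{ip} {1000 + i % 10} "GET /pay HTTP/1.1" 200' for i in range(40)]
    return lines


def request_signatures(lines):
    """Per-request view: the (method, path, status) signature a content check would see.
    A single distinct signature means bot and human requests are indistinguishable one by one."""
    return {(m["method"], m["path"], m["status"]) for m in map(LOG_RE.match, lines) if m}


def detect_l7_flood(lines, window_seconds=10, max_requests=20):
    """Per-client sliding window: return {ip: peak_count} for clients that issued more than
    max_requests within any window_seconds span. Timestamps are processed in order."""
    windows = defaultdict(deque)
    peak = defaultdict(int)
    events = sorted((int(m["ts"]), m["ip"]) for m in map(LOG_RE.match, lines) if m)
    for ts, ip in events:
        window = windows[ip]
        while window and ts - window[0] > window_seconds:
            window.popleft()          # drop requests that fell out of the window
        window.append(ts)
        peak[ip] = max(peak[ip], len(window))
    return {ip: count for ip, count in peak.items() if count > max_requests}


if __name__ == "__main__":
    lines = build_sample_log()
    print("distinct request signatures:", request_signatures(lines))
    print("clients exceeding the per-window limit:", detect_l7_flood(lines))
```

On the sample log, `request_signatures` returns exactly one signature for all 126 lines, while `detect_l7_flood` names the three bot addresses with a peak of 40 requests in the window and leaves the legitimate client (peak of 2) alone. In a real deployment the window and limit would be tuned per application and the client key would usually combine more than the source address (for example a session identifier), since source-based limits alone can be diluted across a large botnet.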
DNSSEC Compliance: Securing the DNS Infrastructure. Traditional DNS is insecure. Diagram of a DNSSEC-secured site: recursive name server, www.foo.com, DNS servers, hacker. F5 can sign any dynamically generated / load-balanced DNS response, and F5 can transparently sign responses for existing BIND servers.
SSL 2048-Bit Key Compliance
o F5 supports 512- through 4096-bit SSL keys
o 1024-bit keys are considered insecure by NIST as of 12/31/10
o A 2048-bit handshake is ~5x more expensive to compute than a 1024-bit handshake
o A 4096-bit handshake is ~6x more expensive to compute than a 2048-bit handshake
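The cost figures on this slide come from the server's private-key operation in the handshake, whose work grows roughly with the cube of the key length. The script below is an added measurement written for this page, not F5's benchmark: it times a full-size modular exponentiation with a random odd modulus and random exponent (constructed numbers, not real RSA key material, and without the CRT shortcut real RSA implementations use), so the ratios it reports are expected to sit somewhat below the theoretical 8x per doubling and will differ from the slide's handshake figures, which include hardware offload and the rest of the handshake.

```python
import secrets
import time


def private_key_operation_cost(bits, iterations=3):
    """Average seconds for one modular exponentiation with a `bits`-long modulus and exponent.

    Constructed random values stand in for a private key: they reproduce the cost curve
    (roughly cubic in the key length) without generating or exposing any real key."""
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, exactly `bits` long
    d = secrets.randbits(bits) | (1 << (bits - 1))       # full-size exponent, as a private exponent is
    m = secrets.randbelow(n)                             # the "message" being signed/decrypted
    start = time.perf_counter()
    for _ in range(iterations):
        pow(m, d, n)
    return (time.perf_counter() - start) / iterations


def compare_key_sizes(sizes=(1024, 2048, 4096)):
    """Return ({bits: seconds_per_op}, {bits: ratio to the previous size})."""
    cost = {bits: private_key_operation_cost(bits) for bits in sizes}
    ratio = {sizes[i]: cost[sizes[i]] / cost[sizes[i - 1]] for i in range(1, len(sizes))}
    return cost, ratio


if __name__ == "__main__":
    cost, ratio = compare_key_sizes()
    for bits, seconds in cost.items():
        note = f" ({ratio[bits]:.1f}x the previous size)" if bits in ratio else ""
        print(f"{bits}-bit: {seconds * 1000:.2f} ms per private-key operation{note}")
```

The practical reading for capacity planning is the ratio, not the absolute number: moving from 1024- to 2048-bit keys multiplies the per-handshake CPU cost several times over, which is the reason the slide pairs the NIST deprecation date with hardware SSL offload. Session resumption and ECDHE-with-RSA signatures change how often that cost is paid, but not its size.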
FIPS Compliance. Why FIPS? The loss of private keys is considered a disaster because they can be used to: decrypt sensitive transactions in flight (man-in-the-middle attack); masquerade as the provider by using the keys to make more authentic phishing sites.
Normal device: the host subsystem does TCP termination, HTTP proxying and SSL processing, and also handles key management and holds the secret keys; an add-on card does symmetric/asymmetric crypto.
FIPS 140-compliant device: the host subsystem does TCP termination, HTTP proxying, SSL processing, symmetric crypto and key management; the add-on card does asymmetric crypto and holds the secret keys.
When a FIPS-compliant box is tampered with, the SSL keys stored in the FIPS hardware-secured module are automatically destroyed, rendering them useless.
Total Defense Security Architecture. Diagram: customers (4,000 users) and employees (1,000 users) over the Internet, plus 15,000 corporate users and 6,000 corporate branch users over the Internet/intranet, pass through the DMZ, network access (GeoLocation, DNSSEC, VPN, endpoint security) and application access (DNS, AD/LDAP) tiers to Web App #1, #2 and #3 in the primary datacenter, with a secondary datacenter. As applications become webified, there is a need to address the deficiencies of HTTP security and introduce new defences (web access management, web application firewall) to protect vulnerable web applications.
Secure the Banking Applications. Australian bank: perimeter control with F5/Oracle for IB, etrade, iapply and other applications.
> Web Application Firewall: protects from malicious Internet traffic such as SQL injection, XSS, web scraping, etc.
> User authentication & endpoint security check (ASM)
> Web protocol threat detection
> User data input validation
> SSL acceleration
> Application-layer rate-shaping
> Local and global traffic management / load balancing
> Geo-location redirection
> Web content delivery acceleration (WA)
> PCI Data Security Standard compliance
Security with Performance
Accelerate Web Performance: China bank web acceleration. Provinces 1 to n connect over the Internet or WAN to the Beijing data center through BIG-IP WebAccelerator (asymmetric deployment); the chart compares response time for province 34 without acceleration and with WebAccelerator. Solution benefits: internal banking service acceleration; infrastructure optimization (seven times more requests per second); user experience improvement (6 times faster page load); bandwidth savings (10 times higher throughput).
Security with Performance and Availability
Always On Infrastructure
Internet Banking DC, ICBC. ICBC is the largest bank by market capitalization. Major applications: 1. Internet Banking: 50 million users; 42% of total bank transactions; 40% improvement in web performance.
Intranet Banking DC, ICBC. 2. Corporate IT: 100+ F5 boxes optimizing 40 apps: core banking, secure access, green terminals, ATM front server, mainframe front servers, branch office optimization. 3. The F5 account team is working on optimizing the remaining 198 apps.
Sysmex America. "The F5 solution beat out the competition because it promised more functionality for a comparable price, and we saw it as a strategic investment that would support our growth." Art Braune, Manager of Information Technology, Sysmex America.
Sysmex America develops clinical testing devices for the healthcare industry. To ensure business continuity and seamless communication among customers, partners, and employees, Sysmex must keep email systems highly available. The company employed the Application Ready Solution for Microsoft Exchange Server 2010 from F5 Networks and, as a result, has surpassed 99.999 percent email uptime. To ensure that the implementation followed best practices, Sysmex's IT department used F5 deployment guidance, jointly developed with Microsoft, and has enjoyed superior support from F5 engineers. The solution provides Sysmex with cost-effective, centralized management and a flexible platform that it will expand to support other key systems.
Customer overview: Sysmex America, based in Mundelein, Illinois, is the United States headquarters of Sysmex Corporation, a Japanese manufacturer of clinical testing devices and solutions for the healthcare industry. Sysmex relies on email to communicate with its customers (hospitals, clinics, test centers, and blood centers), suppliers, and key business partners.
Solution: F5 Local Traffic Manager and F5 Application Ready Solution for Microsoft Exchange Server 2010.
Benefits: zero downtime for email (99.999 percent email uptime); ability to perform maintenance without disruption to users; high confidence in best-practices implementation; cost-effective platform for growth.
Vertical: Healthcare. Location: Mundelein, Illinois. Case study: http://www.f5.com/pdf/case-studies/sysmex-america-cs.pdf
F5 Solution for Migration to IPv6. Diagram: IPv6 and IPv4 clients (mobile smart devices, set-top boxes, PCs/laptops over HSPA/HSDPA, GGSN/BRAS) reach IPv6 and IPv4 destinations on the Internet through F5 NAT64, NAT44 and DNS64, with DNS, logging (HSL), AAA, traffic steering, firewall, SDC and IPv4/IPv6 value-added services (VAS).
F5: A Common & Dynamic Application Services Platform, From Enterprise to Cloud. Stages: Separate (test and development); Consolidate (server consolidation); Aggregate (capacity on demand); Automate (self-managing data centres); Liberate (enterprise computing clouds on and off premise, private and public). Enterprise objective: an IT services on-demand platform.
How can the F5 Application Delivery Solution help your BUSINESS? We provide the best user experience solution at a competitive cost. How do we provide a better user experience? By making transactions safer to use: eliminates fraud, theft and the security breaches that follow. By making transactions faster: more revenue in a shorter time span without additions. By ensuring your site is never down: 24/7 transactions regardless of peak load or failure, and prevention of site takedowns disrupting business. All of the above lead to a better user experience.
F5's Dynamic Application Services Infrastructure. Diagram: users connect through the infrastructure to resources (APP/OS stacks) that may be physical or virtual, in private or public clouds, across multi-site DCs.