Deploying a Next-Generation IPS Infrastructure

Similar documents
Deploying a Next-Generation IPS Infrastructure

Complying with PCI DSS 3.0

Large FSI DDoS Protection Reference Architecture

Prompta volumus denique eam ei, mel autem

WHITE PAPER. F5 and Cisco. Supercharging IT Operations with Full-Stack SDN

Deploying the BIG-IP LTM with IBM QRadar Logging

Improving VDI with Scalable Infrastructure

The F5 Application Services Reference Architecture

The Programmable Network

F5 and Nuage Networks Partnership Overview for Enterprises

Load Balancing 101: Nuts and Bolts

Multi-Tenancy Designs for the F5 High-Performance Services Fabric

Archived. Deploying the BIG-IP LTM with IBM Cognos Insight. Deployment Guide Document version 1.0. What s inside: 2 Products and versions tested

Load Balancing 101: Nuts and Bolts

Protect Against Evolving DDoS Threats: The Case for Hybrid

Enhancing VMware Horizon View with F5 Solutions

The F5 Intelligent DNS Scale Reference Architecture

Managing BIG-IP Devices with HP and Microsoft Network Management Solutions

Geolocation and Application Delivery

Archived. Configuring a single-tenant BIG-IP Virtual Edition in the Cloud. Deployment Guide Document Version: 1.0. What is F5 iapp?

Optimizing NetApp SnapMirror Data Replication with F5 BIG-IP WAN Optimization Manager

Securing the Cloud. White Paper by Peter Silva

Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution

Managing the Migration to IPv6 Throughout the Service Provider Network White Paper

Unified Application Delivery

Protecting Against Online Banking Fraud with F5

Securing LTE Networks What, Why, and How

Deploying the BIG-IP System with Oracle Hyperion Applications

DESIGN GUIDE. VMware NSX for vsphere (NSX-v) and F5 BIG-IP Design Guide

Simplifying Security for Mobile Networks

Deploying the BIG-IP System with CA SiteMinder

Vulnerability Assessment with Application Security

Archived. h h Health monitoring of the Guardium S-TAP Collectors to ensure traffic is sent to a Collector that is actually up and available,

Validating Microsoft Exchange 2010 on Cisco and NetApp FlexPod with the F5 BIG-IP System

Key Considerations in Choosing a Web Application Firewall

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

Cookies, Sessions, and Persistence

Maintain Your F5 Solution with Fast, Reliable Support

Enabling Long Distance Live Migration with F5 and VMware vmotion

Data Center Virtualization Q&A

Document version: 1.0 What's inside: Products and versions tested Important:

Deploying the BIG-IP System v11 with DNS Servers

Key Considerations in Deploying an SSL Solution

Meeting the Challenges of an HA Architecture for IBM WebSphere SIP

Secure Mobile Access to Corporate Applications

Addressing Security Loopholes of Third Party Browser Plug ins UPDATED FEBRUARY 2017

Optimize and Accelerate Your Mission- Critical Applications across the WAN

F5 iapps: Moving Application Delivery Beyond the Network

F5 Reference Architecture for Cisco ACI

SNMP: Simplified. White Paper by F5

The Expectation of SSL Everywhere

OPTIMIZE. MONETIZE. SECURE. Agile, scalable network solutions for service providers.

Server Virtualization Incentive Program

Prompta volumus denique eam ei, mel autem

A GUIDE TO DDoS PROTECTION

Distributing Applications for Disaster Planning and Availability

F5 icontrol. In this white paper, get an introduction to F5 icontrol service-enabled management API. F5 White Paper

Software-Defined Hardware: Enabling Performance and Agility with the BIG-IP iseries Architecture

VMware vcenter Site Recovery Manager

Solutions Guide. F5 solutions for the emerging 5G landscape

Webshells. Webshell Examples. How does a webshell attack work? Nir Zigler,

NGIPS Recommended Practices

F5 in AWS Part 3 Advanced Topologies and More on Highly Available Services

Protecting Against Encrypted Threats

Resource Provisioning Hardware Virtualization, Your Way

Providing Security and Acceleration for Remote Users

Session Initiated Protocol (SIP): A Five-Function Protocol

SOLUTION GUIDE. F5 Security Solutions

Deploying WAN-Optimized Acceleration for VMware vmotion Between Two BIG-IP Systems

Creating a Hybrid ADN Architecture with both Virtual and Physical ADCs

BIG IQ Reporting for Subscription and ELA Programs

The Dynamic DNS Infrastructure

BIG-IP Global Traffic Manager

SOA Infrastructure Reference Architecture: Defining the Key Elements of a Successful SOA Infrastructure Deployment

Citrix Federated Authentication Service Integration with APM

TCP Optimization for Service Providers

Considerations for VoLTE Implementation

Converting a Cisco ACE configuration file to F5 BIG IP Format

Network Functions Virtualization - Everything Old Is New Again

Cisco HyperFlex and the F5 BIG-IP Platform Accelerate Infrastructure and Application Deployments

Securing Your Microsoft Azure Virtual Networks

BUILDING A NEXT-GENERATION FIREWALL

Securing Your Amazon Web Services Virtual Networks

The Myth of Network Address Translation as Security

Enabling Flexibility with Intelligent File Virtualization

The Top 6 WAF Essentials to Achieve Application Security Efficacy

How to Future-Proof Application Delivery

Automating the Data Center

Deploying the BIG-IP LTM with Oracle JD Edwards EnterpriseOne

WHITE PAPER. Applying Software-Defined Security to the Branch Office

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Best Practices in Securing a Multicloud World

Archived. Deploying the BIG-IP LTM with IBM Lotus inotes BIG-IP LTM , 10.1, 11.2, IBM Lotus inotes 8.5 (applies to 8.5.

IBM Cloud Internet Services: Optimizing security to protect your web applications

The Emerging Role of a CDN in Facilitating Secure Cloud Deployments

APM Cookbook: Single Sign On (SSO) using Kerberos

Pulse Secure Application Delivery

Sichere Applikations- dienste

Deploy F5 Application Delivery and Security Services in Private, Public, and Hybrid IT Cloud Environments

SOA: Challenges and Solutions

Transcription:

Deploying a Next-Generation IPS Infrastructure Enterprises require intrusion prevention systems (IPSs) to protect their network against attacks. However, implementing an IPS involves challenges of scale and performance. Leveraging the power of an Application Delivery Controller allows enterprises to efficiently deploy a next-generation IPS infrastructure. White Paper by F5

Introduction A rising number of malicious attacks has made implementing an intrusion prevention system (IPS) a top priority for enterprises large and small. An IPS identifies common vulnerabilities and exposures, and then mitigates them by dropping the malicious packets or blocking traffic from the offending IP address. However, ensuring the efficiency of the IPS infrastructure has become more difficult with the increasing ubiquity of encryption. When deployed as a network device, an IPS has little visibility into encrypted packets and the computing power necessary to decrypt and re-encrypt traffic results in decreased performance and increased vulnerability. However, if enterprises deploy their IPS behind an Application Delivery Controller (ADC) such as the F5 BIG-IP system, they can manage their IPS from a strategic point of control that allows them to offload SSL termination and gives them visibility into and control over the traffic being inspected by the IPS sensors. By efficiently leveraging IPS resources, you can optimize IPS performance, simplify IPS management, increase business agility, and improve your overall security posture. Defense in Depth Without Compromise Malicious attacks and regulations and compliance standards such as PCI DSS have turned the implementation of an effective IPS into a must-have for any organization. Despite the necessity for a strong and flexible IPS, many enterprises struggle with the management and use of this essential tool. Questions of scalability, SSL termination difficulties, and problems managing the flow of traffic to the IPS sensors continue to trouble organizations that attempt to establish a true, in-depth defense posture. The Challenges of Implementing an IPS The problem is getting worse. With an increasing focus on privacy and security, the online world is moving toward ubiquitous encryption. This presents a challenge for standalone intrusion prevention systems, which are simply not designed to efficiently decrypt and re-encrypt the floods of encrypted traffic that pass through them thus preventing these systems from performing their objectives of inspecting traffic and mitigating attacks.

An IPS is designed to inspect every single packet of incoming traffic for malicious attacks. As the traffic increases either naturally or as the result of an attack an enterprise s IPS becomes overwhelmed with the amount of data it must process. Because of the overabundance of information and difficulties of handling encrypted traffic, enterprises are faced with two unfortunate options. They can buy more IPSs to cope with the increased traffic, which increases CapEx obviously and OpEx with the difficulty of managing the ballooning infrastructure and associated security logs generated. Alternately, many organizations simply switch off the prevention feature of the IPS, in effect turning it into a simple intrusion detection system (IDS), which sends alerts when it s under attack, but doesn t do anything to prevent or stop the attack. Attack logs build up, and engineers have to spend more time analyzing them which compounds the problem of having a massive amount of information, but not enough resources to leverage it. Finally, traditional network IPS deployments occasionally open enterprises to more vulnerability as they don t support hitless upgrades. Without hitless upgrades, IT struggles to keep their IPS infrastructure updated, configured, and highly available, because they have to turn off the IPS as they add new sensors. In addition to the new vulnerability windows opened, organizations have the added pain of scheduling these service changes only during low-traffic hours or on weekends. We are quickly moving into an SSLeverywhere world. "203 was a banner year for the SSL industry, according to Netcraft s January 204 web server survey. Since the January 203 survey, SSL use among the million busiest sites has increased by 48 percent." A stand-alone IPS is not equipped to deal with this explosion of encrypted traffic. Implementing Next-Generation IPS Strengthens the Security Posture of the Enterprise A comprehensive security architecture necessarily includes a strong network firewall, robust DDoS protection, a web application firewall, and an efficient IPS. One of the keys to building that security posture is freeing IPS sensors to do what they do best: detect and prevent malicious attacks. The best way to do this involves managing those IPS sensors from one high-performance platform that provides for load balancing, traffic management, and offload of decryption. Security from a strategic point of control Enterprises can benefit by implementing a strategic point of control from which to manage their IPS sensors. Placing a high-performance ADC, such as the BIG-IP system, in front of a pool of IPS sensors enables you to more easily manage your IPS, decrease total cost of ownership, reduce the amount of time spent on reviewing logs and running analytics, and enhance the ability of your IPS sensors to identify and mitigate attacks. 2

No Application Left Unprotected Combining a next-generation IPS with the BIG-IP system empowers you to optimize your IPS, augment your security posture, and better protect your network and your mission- critical applications. The full-proxy architecture of BIG-IP ADCs increases the usefulness of the IPS through policy-based traffic steering that involves inspecting and pre-dropping malicious traffic before it reaches the IPS sensors. BIG-IP ADCs also load balance the traffic among a pool of IPS sensors, ensuring that they are all working efficiently and that no one sensor ever becomes overwhelmed with traffic. In addition, when intensive decryption and encryption functions are offloaded to a BIG-IP ADC, you ensure that your IPS remains highly available and enables the IPS sensors to focus on identifying and mitigating attacks on the network. Deploying a Next-Generation IPS Architecture When you deploy a next-generation IPS, you can realize the many benefits of managing your IPS from a strategic point of control: Achieve improved security posture via a comprehensive security services architecture. Ensure regulatory compliance with standards such as PCI DSS. Optimize IPS performance by offloading SSL termination. Gain insight into and control over encrypted traffic. Realize efficiencies in your IPS by steering the necessary traffic to the IPS sensors without overloading them. Easily scale, manage, and update IPS sensor pools. Ensure business continuity through hitless upgrades. Reduce OpEx through the ease of maintenance. Reduce CapEx through more efficient IPS utilization. 3

Conclusion In today s security climate, implementing a strong IPS infrastructure is a requirement, not a luxury. Enterprises can mitigate the traditional difficulties of deploying and managing a robust IPS infrastructure when they deploy a BIG-IP ADC in conjunction with a pool of IPS sensors. You can realize greatly increased efficiency in your IPS infrastructures by offloading SSL termination and allowing BIG-IP ADCs to intelligently steer and load balance the incoming waves of traffic. These increased efficiencies allow the IPS to focus on identifying and mitigating threats to the network and ensure that no application is left unprotected. Burt, Chris. "SSL Use Among Million Busiest Sites Up by 48% Year-Over-Year: Netcraft Survey." TheWHIR.com. http://www.thewhir.com/web-hosting-news/ssl-use-among-millionbusiest-sites-48-year-year-netcraft-survey (accessed February 9, 204). F5 Networks, Inc. 40 Elliott Avenue West, Seattle, WA 989 888-882-4447 www.f5.com Americas info@f5.com Asia-Pacific apacinfo@f5.com Europe/Middle-East/Africa emeainfo@f5.com Japan f5j-info@f5.com 206 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. WP-SEC-23752-next-generation-IPS 03 4

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback