BIG-IP directly facing the Internet. Do we even need a firewall? Tarmo Mamers, Heigo Mansberg
Network Firewall (image: stackexchange.com)
Network Firewall Functions
Network Firewall Traffic: OUTSIDE vs INSIDE, inbound traffic and outbound traffic (image: stackexchange.com)
Separately Located Segments (image: stackexchange.com)
Outbound Traffic (image: stackexchange.com)
Inbound Traffic (image: stackexchange.com)
Users vs Applications: a network firewall secures users; an application firewall secures applications (image: F5 Networks)
Network Firewall Functions
BIG-IP LTM; BIG-IP LTM+ASM; BIG-IP LTM+ASM+AFM (three slides, image: F5 Networks), each set against the same list of functions: Network D/DoS, Firewall, Application D/DoS, Load Balancer, SSL Offload, Web Application Firewall, DNS Security
BIG-IP Full-Proxy Architecture (image: F5 Networks)
  ASM, at the HTTP layer: Slowloris attack, XSS, data leakage
  AFM, at the SSL/TCP layer: SSL renegotiation, SYN flood, ICMP flood
AFM & Attacks (image: F5 Networks)
OSI layers, with increasing difficulty of attack detection going up the stack: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7)
F5 mitigation technologies by attack class:
  Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
    Mitigated by BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding
  Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
    Mitigated by BIG-IP LTM and DNS: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
  Application attacks: Slowloris, Slow Post, HashDos, GET Floods
    Mitigated by BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
AFM Features: Access Control Policy; DDoS Detection & Attack Mitigation; Dynamic Endpoint Enforcement; Manageability & Visibility
Access Control Policy (image: F5 Networks)
  Rule Lists: grouping of rules; global rules that can be used anywhere in the policy; can be referenced in multiple policies on multiple firewalls
  Flow Classification Criteria: time based; protocol; source address:port; source VLAN; destination address:port; geolocation (country + region); user/group ID (11.6)
  Primary Actions: Drop (silently discard); Reject (drop and inform sender); Accept (permit); Accept Decisively (permit and skip processing at subsequent contexts)
  Other Actions: fire iRule; iRule sampling (11.6); log
  Hit count; last hit timestamp; overlapping rule detection; redundant rule detection; configurable default action
Policy Staging (image: F5 Networks)
  Staged Policy: counting and logging only, to provide data about what will happen if the policy is enforced; no impact to live traffic, but you still get insight into your newly created policy
  Enforced Policy: firewall that enforces policy as usual
Contexts (image: F5 Networks): Global; Route Domain (R1, R2); Virtual (Mail, WWW-Staging, WWW-Prod, WWW-Test)
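To make the policy slides concrete, here is an added toy model (not F5 code) of how a rule-list policy with the four primary actions is evaluated across the Global, Route Domain and Virtual contexts, with per-rule hit counters and a staged policy that only counts and logs; field names and the flow dictionary layout are assumptions.

```python
# Added example, not F5 code: a toy model of AFM-style policy evaluation
# across contexts (Global -> Route Domain -> Virtual) with the slide's four
# primary actions, hit counters and a staged (count-only) policy.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
DROP, REJECT, ACCEPT, ACCEPT_DECISIVELY = "drop", "reject", "accept", "accept-decisively"

@dataclass
class Rule:
    name: str
    action: str
    protocol: str = "any"        # tcp / udp / icmp / any
    src: str = "0.0.0.0/0"       # source prefix
    dst: str = "0.0.0.0/0"       # destination prefix
    dst_port: int = 0            # 0 = any port
    hits: int = 0                # per-rule hit count, as on the slide

    def matches(self, flow):
        return (self.protocol in ("any", flow["proto"])
                and ip_address(flow["src"]) in ip_network(self.src)
                and ip_address(flow["dst"]) in ip_network(self.dst)
                and self.dst_port in (0, flow["dport"]))

@dataclass
class Policy:
    name: str
    rules: list
    default: str = DROP          # configurable default action
    staged: bool = False         # staged = count and log only

    def evaluate(self, flow, log):
        """First matching rule wins; otherwise the default action applies."""
        for rule in self.rules:
            if rule.matches(flow):
                rule.hits += 1
                log.append(f"{self.name}: {rule.name} -> {rule.action}")
                return rule.action
        log.append(f"{self.name}: default -> {self.default}")
        return self.default

def evaluate_contexts(contexts, flow, log):
    """Drop/reject and accept-decisively end processing; a plain accept hands
    the flow to the next context; staged policies never change the verdict."""
    for policy in contexts:
        action = policy.evaluate(flow, log)
        if policy.staged:
            continue
        if action in (DROP, REJECT, ACCEPT_DECISIVELY):
            return action
    return ACCEPT
```

Note that a staged Route Domain policy with a deny-all rule still accumulates hits and log lines while an enforced Virtual policy decides the verdict, which is exactly the insight the staging slide describes.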
DoS Detection & Mitigation vectors:
  Flood: ARP Flood; DNS Response Flood; Ethernet Broadcast Packet; Ethernet Multicast Packet; ICMP Flood; IPv6 Fragment Flood; IP Fragment Flood; Routing Header Type 0; TCP ACK Flood; TCP RST Flood; TCP SYN ACK Flood; TCP SYN Flood; UDP Flood; Single Endpoint Flooder; Single Endpoint Sweeper
  Fragmentation: ICMP Fragment; IPv6 Fragment; IPv6 Fragment Overlap; IPv6 Fragment Too Small; IP Fragment; IP Fragment Overlap; IP Fragment Too Small
  Bad Header IPv4: Bad IP Option; Bad IP TTL Value; Bad IP Version; Header Length > L2 Length; Header Length Too Short; IP Error Checksum; IP Length > L2 Length; IP Option Frames; IP Source Address == Destination Address; L2 Length >> IP Length; No L4; TTL <= 1
  Bad Header IPv6: Bad IPv6 Hop Count; Bad IPv6 Version; IPv6 Extended Header Frames; IPv6 Length > L2 Length; IPv6 Source Address == Destination Address; Payload Length < L2 Length; Too Many Extended Headers; No L4 (Extended Headers Go To Or Past End of Frame)
  Other: Host Unreachable; TIDCMP
  Bad Header L2: Ethernet MAC Source Address == Destination Address
  Bad Header TCP: Bad TCP Checksum; Bad TCP Flags (All Cleared and SEQ# == 0); Bad TCP Flags (All Flags Set); FIN Only Set; Option Present With Illegal Length; SYN && FIN Set; TCP Header Length > L2 Length; TCP Header Length Too Short (Length < 5); TCP LAND; TCP Option Overruns TCP Header; Unknown TCP Option Type
  Bad Header UDP: Bad UDP Checksum; UDP LAND; Bad UDP Header (UDP Length > IP Length or L2 Length)
  Bad Header ICMP: Bad ICMP Frame; ICMP Frame Too Large
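Several of the Bad Header TCP vectors above are pure header-sanity checks, so here is an added detector (not F5 code) that parses a constructed IPv4+TCP header and reports which of those vectors fire; the packet builder, field names and the handful of checks implemented are assumptions for illustration.

```python
# Added example, not F5 code: a small detector for several of the "Bad
# Header TCP" vectors listed on the slide, run over constructed packets.
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = 0x3F

def parse_ipv4_tcp(frame):
    """Minimal IPv4+TCP header parser (options are not decoded)."""
    ihl = (frame[0] & 0x0F) * 4
    src, dst = frame[12:16], frame[16:20]
    tcp = frame[ihl:]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "data_offset": off_flags >> 12,
            "flags": off_flags & 0x3F, "tcp_len": len(tcp)}

def tcp_header_vectors(frame):
    """Return the names of the slide's bad-header vectors that fire."""
    h = parse_ipv4_tcp(frame)
    f = h["flags"]
    hits = []
    if h["data_offset"] < 5:
        hits.append("TCP Header Length Too Short (Length < 5)")
    elif h["data_offset"] * 4 > h["tcp_len"]:
        hits.append("TCP Header Length > L2 Length")
    if f == 0 and h["seq"] == 0:
        hits.append("Bad TCP Flags (All Cleared and SEQ# == 0)")
    if f == ALL_FLAGS:
        hits.append("Bad TCP Flags (All Flags Set)")
    if f == FIN:
        hits.append("FIN Only Set")
    if f & SYN and f & FIN:
        hits.append("SYN && FIN Set")
    if h["src"] == h["dst"] and h["sport"] == h["dport"]:
        hits.append("TCP LAND")
    return hits

def build_frame(src, dst, sport, dport, seq=1, flags=SYN, data_offset=5):
    """Constructed IPv4+TCP header bytes (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                      (data_offset << 12) | flags, 65535, 0, 0)
    return ip + tcp
```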
Dynamic Endpoint Visibility (image: F5 Networks)
  Sources: attacker; botnet; restricted region or country; anonymous proxies; scanner; internally infected devices and servers
  Protected: custom application; financial application; anonymous requests
  Feeds: IP Intelligence Service (Webroot), with IP address feed updates every 5 min; geolocation database; custom dynamic IP whitelist & blacklist
IP Intelligence (image: F5 Networks)
Manageability & Visibility (image: F5 Networks)
  Logging: generation and storage of individual security events; independently controlled logging for access control, DoS and IP Intelligence; log destinations and publishers consistent with the BIG-IP logging framework; IPFIX
  Reporting: visualization of security statistics; reporting used for visualizing traffic/attack patterns over time; access control and DoS drill-downs by context, IP, rule, etc.; top-N reports
Takeaway by Infonetics Research: "Traditional firewalls are designed to provide security across a wide range of protocols, but aren't designed specifically to handle the massive volume, variety, and size of threats aimed at this narrow range of protocols. Though all reputable firewalls can adequately secure the enterprise perimeter, they don't necessarily scale up to meet large data center performance requirements, and if they do it may be at a price that's hard to swallow for data center buyers."
Solutions for an application world.