DATACENTER SECURITY. Paul Deakin System Engineer, F5 Networks


Datacenter Security Needs
To scale: scale for a work-anywhere / SSL-everywhere world.
To secure: security for applications and data against sustained attacks.
To simplify: simplification of point solutions and complex firewall configurations.

Datacenter (diagram): it started simple; then more user types and services; then application issues.

DDoS Attacks Exhaust Network Resources (diagram)
Attack path through the data center: BANDWIDTH >> PACKET >> CONNECTION >> OS >> HTTP(S) >> APP (PHP/ASP) >>> DB
Components and the resources exhausted at each, in diagram order:
- Bandwidth carriers: the ISP's bandwidth and your bandwidth
- Firewall: state table; ACL performance degrades
- DDoS appliance: state table of IPs; low and slow attacks
- App accelerator: Layer 7 random and Layer 7 logical attacks; state table; TCP flood; negative caching; proxy bypass
- Load balancer: state table; too many connections
- Web servers: many (CPU, thread jam, log attack, memory exhaustion, connection flood)
- Database: database load; many (thread jam, memory exhaustion)

F5 Mitigation Technologies: DDoS mitigation mapped to the OSI stack (Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7)). Difficulty of attack detection increases as you go up the stack.
Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks.
Mitigated by BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation.
Mitigated by BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.
Application attacks: Slowloris, Slow Post, HashDos, GET Floods.
Mitigated by BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.

Typical Architecture (diagram): two Internet uplinks (ISPa, ISPb); outbound protection for corporate users reaching SaaS via SSL VPN, IPS and NGFW; known and unknown users reach App 1, App 2 and App 3 through BIG-IP LTM and a web application firewall; back office and network management sit behind.

Typical Architecture with DDoS protector (diagram): as above, with BIG-IP AFM placed in front of the NGFW as the DDoS protector; outbound protection (IPS, NGFW, SSL VPN to SaaS for corporate users), BIG-IP LTM and a web application firewall in front of App 1, App 2 and App 3; back office and network management behind.

ADC Reference Architecture (diagram)
Outbound protection: corporate users to SaaS through NGFW, ISPa/ISPb; log server.
Inbound protection tiers:
- BIG-IP LTM + AFM + APM: L2-L4 DDoS, L3/L4 access control, authentication/SSO
- LTM + AFM + ASM: L2-L7 DDoS, WAF for critical apps and compliance control
- LTM + AFM + DNS services: corporate user access to back office, plus DNS services
Known and unknown users reach App 1, App 2, App 3, application services and public resources; ADF deployment options.

Protecting the datacenter: use cases before F5 vs with F5
Use cases: Firewall, Network DDoS, Application DDoS, Web Access Management, Load Balancer, DNS Security, Load Balancer & SSL, Web Application Firewall.
With F5:
- Consolidation of firewall, app security and traffic management
- Protection for data centers and application servers
- High scale for the most common inbound protocols

SSL Inspection
- Gain visibility and detection of SSL-encrypted attacks
- Achieve high-scale / high-performance SSL proxy
- Offload SSL to reduce load on application servers

SYN Check: SYN-cookie protection (HW/SW). Mitigating SYN floods using the SYN Check feature. TMOS has had a built-in feature since version 9.4 to deal with SYN floods using SYN cookies, in a function called SYN Check. All PVA2 and ePVA platforms handle SYN cookies in either software or hardware; the other platforms handle them in software only. F5 supports up to 640 million SYN cookies per second in hardware on the high-end platform, down to 20 million in hardware on the single-U appliance.
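To show what a SYN cookie actually buys the defender, here is an added example written for this page (not F5's SYN Check implementation): the server answers a SYN with a SYN-ACK whose initial sequence number encodes a time slot, a quantised MSS and a keyed hash of the 4-tuple, keeps no half-open state, and only rebuilds the connection when a valid ACK returns. The 5-bit / 3-bit / 24-bit field layout, the 64-second time window and the HMAC construction are assumptions modelled on the classic SYN-cookie scheme; the key and addresses are constructed.

```python
import hashlib
import hmac

# Constructed demo key; a real implementation uses a random per-boot secret.
SECRET = b"constructed-demo-secret"

# The client's offered MSS is quantised to a small table so it fits in 3 bits
# of the cookie (assumption modelled on the classic SYN-cookie layout).
MSS_TABLE = (536, 1300, 1440, 1460)
WINDOW_SECONDS = 64  # the 5-bit time counter advances once per window


def _time_slot(now):
    return (int(now) // WINDOW_SECONDS) & 0x1F


def _mac24(src, dst, sport, dport, slot):
    """24-bit keyed hash over the connection 4-tuple and the time slot."""
    msg = f"{src}|{dst}|{sport}|{dport}|{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, dst, sport, dport, mss, now):
    """Build the 32-bit ISN sent in the SYN-ACK. The server stores nothing: everything
    needed to rebuild the connection later is encoded in the number itself."""
    slot = _time_slot(now)
    mss_idx = 0
    for i, candidate in enumerate(MSS_TABLE):
        if candidate <= mss:  # largest table value not exceeding the offered MSS
            mss_idx = i
    return (slot << 27) | (mss_idx << 24) | _mac24(src, dst, sport, dport, slot)


def verify_cookie(src, dst, sport, dport, ack, now):
    """Check the ACK that completes the handshake (ack = cookie + 1).
    Returns the negotiated MSS on success, None if the cookie is forged or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    slot = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    # Accept the current slot and the one before it, so a cookie lives 64-128 s.
    if (_time_slot(now) - slot) % 32 > 1:
        return None
    expected = _mac24(src, dst, sport, dport, slot)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    c = make_cookie("198.51.100.7", "203.0.113.10", 40000, 443, 1460, now=1000)
    print(hex(c), verify_cookie("198.51.100.7", "203.0.113.10", 40000, 443, c + 1, now=1000))
```

The flood itself never costs the server a table entry: a SYN that is never followed by a valid ACK leaves nothing behind, and an ACK carrying a guessed or replayed cookie fails the keyed hash or the time check. The price is that TCP options not encoded in the cookie (window scaling, SACK) are lost for connections established this way, which is why SYN Check is normally armed only above a SYN-rate threshold.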

iRules with Security: HashDos "Post of Doom". The HashDos (Post of Doom) vulnerability affects all major web servers and application platforms. A single DevCentral iRule on VIPRION mitigates the vulnerability for all back-end services, so staff can schedule patches for the back-end services on their own timeline.

iRules with Security: prioritize connections based on country (SSL). Reference: https://devcentral.f5.com/wiki/irules.whereis.ashx

The Dynamics of the DNS Market (figure: average daily load for DNS (TLD) queries in billions, bar values 39, 43, 50, 57, 77; global mobile data, 18x growth 2011-2016, 4G LTE 2.4 GB/mo vs non-4G LTE 86 MB/mo, years 08-12)
DNS demand from Internet growth, 4G/LTE, DDoS protection and availability:
- Typical for a single web page to consume 100+ DNS queries from active content, advertising and analytics
- Global mobile data (4G/LTE) is driving the need for fast, available DNS
- New ICANN TLDs will create new demands for scale
- Attacks on DNS becoming more common: cache poisoning attacks, reflection/amplification DDoS, drive for DNSSEC adoption
- DNS services must be robust: distributed, available, high performance; GSLB for multiple datacenters; total service availability; geographically dispersed DCs; DNS capacity close to subscribers

DNS the F5 Way
Conventional DNS thinking: adding performance = adding DNS boxes. Internet -> external firewall -> DNS load balancing -> array of DNS servers -> internal firewall -> hidden master DNS (DMZ / datacenter). Weak DoS/DDoS protection.
F5 paradigm shift: F5 DNS delivery reimagined. Internet -> F5 DNS (DNS firewall, DNS DDoS protection, protocol validation, authoritative DNS, caching resolver, transparent caching, high-performance DNSSEC, DNSSEC validation, intelligent GSLB) -> master DNS infrastructure. Massive performance: over 10M RPS. Best DoS/DDoS protection. Simplified management (partner). Less CAPEX and OPEX.

Advanced Firewall Manager

BIG-IP Advanced Firewall Manager (AFM)
Packaging: software license; supported on all platforms (BIG-IP VE, BIG-IP appliances and VIPRION); standalone or added to LTM.
Features:
- L4 stateful full-proxy firewall
- IPsec, NAT, advanced routing, full SSL, AVR, protocol security
- DDoS (TCP, UDP, DNS, floods, HTTP): over 80 attack types
- GUIs for configuring rules, logging, etc., all under a new Security tab

AFM GUI Configuration: main configuration is under the new Security tab. Context-aware rules can be configured at the object level.

AFM DoS protection: Security > DoS Protection > Device Configuration. Applied globally. L2-L4 DoS attack vector detection and thresholding in hardware on platforms using the HSBe2 FPGA: BIG-IP 5000 series, BIG-IP 7000 series, BIG-IP 10000 series, VIPRION B4300 blade, VIPRION B2100 blade.

AFM DoS DNS protection: Security > DoS Protection > DoS Profile.

DoS Report Samples

IP Intelligence

IP Intelligence Overview
- Dynamic threat IPs
- All BIG-IP appliances
- Near-real-time updates (up to 5-minute intervals)
- Dramatically reduces system loads
- Subscription-based service

IP Intelligence: identify and allow or block IP addresses with malicious activity. The IP Intelligence service covers scanners and internally infected devices and servers. Use IP intelligence to defend against attacks and to reduce operating and capital expenses.

iRules availability for IP Intelligence: all BIG-IP systems.

Easily configure violation categories: IP Intelligence service management in the BIG-IP ASM UI. Easily manage alarms and blocking in ASM; approve desired IPs with a whitelist; Policy Building enabled for ignoring.

Web Application Security

Web Applications: web applications are complex entities, consisting of many components that may be internally developed, externally developed or off-the-shelf. The majority of e-commerce applications consist of at least three main components: web server (with CGI scripts), application server (backend app server) and database (database server holding the data). The browser sends an HTTP request and receives an HTML page. Interaction may exist at all levels between the user and the database.

Anatomy of a Web Application: the browser is the entity interacting with the web application; it sends HTTP requests and receives an HTML page. Behind it sit the web server (CGI scripts), the application server (backend app server) and the database server (data). At any level of the web application structure, data can be manipulated, leaked out or exploited. Without any protection, holes and backdoors exist at every layer.

We Already Have a Firewall: the firewall allows port 80 (HTTP) and 443 (HTTPS) from web browsers straight through to the applications, leaving the applications at risk. SSL secures traffic, but also secures attacks. Without the application context, requests appear legal and pass through firewalls.

ASM security features. ASM provides protection against: parameter tampering, dynamic parameter tampering, cookie poisoning, buffer overflow, stealth commanding, backdoor and debug, CSS, HTTP hardening, SQL injection, HTTP methods, file upload, data encoding, 3rd-party misconfiguration, known vulnerabilities, Unicode support, application path blocking, hidden field manipulation.
ASM provides XML protection against: XML parsing exploits, XML injection (passed into the XML stream), WSDL discovery and manipulation with schemas, XML DoS attacks against web services, common application attacks carried in XML (SQL injection etc.).

Computational DoS mitigation in HTTP (L7), Application Security Manager:
Transactions-per-second (TPS) based anomaly detection lets you detect and mitigate DoS attacks based on client-side behaviour (how fast each client sends requests).
Latency-based anomaly detection lets you detect and mitigate attacks based on the behaviour of the server side (how long the server takes to respond).
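The two detection modes are easiest to see side by side on the same traffic. The following is an added example written for this page, not ASM's own detector: it learns a per-client request-rate baseline and a server latency baseline from a constructed access log, then flags clients whose TPS blows past the baseline (client-side view) and seconds in which server latency does (server-side view). The log format, the threshold factors and the sample traffic are all constructed for the demo.

```python
from collections import defaultdict
from statistics import mean


def build_sample_log():
    """Constructed access log, one line per request: "<second> <client_ip> <uri> <latency_ms>".
    Seconds 0-9 are normal traffic from two clients; from second 10 on, 10.0.0.9
    floods /search at 40 requests per second and the server's latency climbs."""
    lines = []
    for ts in range(0, 20):
        lines.append(f"{ts} 10.0.0.1 /index.html 45")
        lines += [f"{ts} 10.0.0.2 /api/items {50 + ts % 3}"] * 2
        if ts >= 10:
            lines += [f"{ts} 10.0.0.9 /search?q=x 900"] * 40
    return lines


def parse_log(lines):
    records = []
    for line in lines:
        ts, ip, uri, latency = line.split()
        records.append((int(ts), ip, uri, float(latency)))
    return records


def tps_anomalies(records, learn_until, factor=10, min_tps=20):
    """Client-side (TPS-based) detection: learn the typical per-client request rate
    during seconds < learn_until, then flag any client whose per-second rate exceeds
    factor * baseline (never below min_tps, so a tiny baseline does not flag everyone).
    Returns {client_ip: peak_tps} for the flagged clients."""
    per_sec = defaultdict(lambda: defaultdict(int))  # second -> client -> count
    for ts, ip, _, _ in records:
        per_sec[ts][ip] += 1
    learn_rates = [n for ts, ips in per_sec.items() if ts < learn_until for n in ips.values()]
    baseline = mean(learn_rates) if learn_rates else 0
    threshold = max(min_tps, factor * baseline)
    flagged = {}
    for ts, ips in per_sec.items():
        for ip, n in ips.items():
            if n > threshold:
                flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged


def latency_anomalies(records, learn_until, factor=3):
    """Server-side (latency-based) detection: learn the mean server latency during
    seconds < learn_until, then flag every second whose mean latency exceeds
    factor * baseline. Returns the sorted list of flagged seconds."""
    by_sec = defaultdict(list)
    for ts, _, _, latency in records:
        by_sec[ts].append(latency)
    learn = [lat for ts, lats in by_sec.items() if ts < learn_until for lat in lats]
    baseline = mean(learn)
    return sorted(ts for ts, lats in by_sec.items() if mean(lats) > factor * baseline)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("TPS anomalies:", tps_anomalies(recs, learn_until=10))
    print("Latency anomalies (seconds):", latency_anomalies(recs, learn_until=10))
```

Note what each view can and cannot tell you: the TPS detector names the offending client, so it supports a per-source mitigation, but it only fires when the attacker is loud; the latency detector fires whenever the server is hurting regardless of who caused it, which also catches a distributed, low-rate flood, but on its own it cannot say whom to block. ASM's L7 DoS profiles combine both for that reason.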

Protection From Top Web Application Vulnerabilities (Open Web Application Security Project). OWASP Top 10 Web Application Security Risks:
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
Source: www.owasp.org

Unified Access

Enabled simplified application access (diagram): users reach SharePoint, OWA, cloud-hosted virtual desktops (APP/OS instances), the directory and web servers (App 1 ... App n) through BIG-IP Local Traffic Manager + Access Policy Manager.

Enhancing Web Access Management (diagram: administrator creates policy; checks shown include 832849, corporate domain, latest AV software, user = HR against the AAA server, current O/S). Proxy the web applications to provide authentication, authorization, endpoint inspection and more, all tying into Layer 4-7 ACLs through F5's Visual Policy Editor.

Access Policy using SMS token.

APM SAML: How it Works (diagram common to all four steps: end user; Data center 1 with Login.example.com, Portal.example.com, Active Directory and ADFS; Data center 2 with OWA.example.com, Sharepoint.example.com, ADFS and an Apache/Tomcat app; public/private business partners)
1. Domain user makes a SAML-supported request for a resource.
2. An SP-initiated POST is sent back to the client in the form of a redirect to https://login.example.com.
3. Client posts credentials to login; the credentials are validated with Active Directory. A SAML assertion is generated and passed back to the client with a redirect to the requested application.
4. Client successfully logs on to the application with the SAML assertion.
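The four-step SP-initiated exchange above, as an added example written for this page (not APM's code): a service provider at portal.example.com redirects an unauthenticated request to login.example.com with a SAML request, the identity provider validates credentials and returns a signed assertion, and the SP verifies signature, audience, request binding and lifetime before creating a session. The assertion is a JSON dict signed with an HMAC shared between IdP and SP, which stands in for the XML signature and IdP certificate used by real SAML; the user directory, key and hostnames' behaviour are constructed.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key shared by IdP and SP for this demo. Real SAML assertions carry an
# XML signature that the SP verifies with the IdP's public certificate.
IDP_KEY = b"constructed-idp-signing-key"

# Stands in for the Active Directory lookup behind login.example.com (constructed user).
DIRECTORY = {"alice": "correct-horse-battery"}

ASSERTION_LIFETIME = 300  # seconds an assertion stays valid


def _sign(key, body):
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    """login.example.com: validates credentials and issues signed assertions."""

    def __init__(self, issuer, key, directory):
        self.issuer, self.key, self.directory = issuer, key, directory

    def authenticate(self, username, password, saml_request, now):
        stored = self.directory.get(username, "")
        if not hmac.compare_digest(stored, password):
            return None  # step 3 fails: no assertion without valid credentials
        body = {
            "issuer": self.issuer,
            "subject": username,
            "audience": saml_request["sp"],         # the SP allowed to consume this
            "in_response_to": saml_request["id"],   # binds the assertion to the SP's request
            "not_on_or_after": now + ASSERTION_LIFETIME,
        }
        return {"body": body, "signature": _sign(self.key, body)}


class ServiceProvider:
    """portal.example.com: redirects unauthenticated users to the IdP, consumes assertions."""

    def __init__(self, entity_id, idp_key, login_url):
        self.entity_id, self.idp_key, self.login_url = entity_id, idp_key, login_url
        self.pending = {}   # request id -> originally requested resource
        self._counter = 0

    def request_resource(self, url):
        # steps 1-2: an unauthenticated request is answered with a redirect to the IdP
        self._counter += 1
        req_id = f"req-{self._counter}"
        self.pending[req_id] = url
        saml_request = json.dumps({"id": req_id, "sp": self.entity_id})
        query = urlencode({"SAMLRequest": saml_request, "RelayState": url})
        return {"status": 302, "location": f"{self.login_url}?{query}"}

    def consume_assertion(self, assertion, now):
        # step 4: every check must pass before a session is created
        body = assertion["body"]
        if not hmac.compare_digest(_sign(self.idp_key, body), assertion["signature"]):
            return None  # tampered or forged
        if body["audience"] != self.entity_id:
            return None  # issued for a different SP
        if body["in_response_to"] not in self.pending:
            return None  # unsolicited, or already consumed (replay)
        if now >= body["not_on_or_after"]:
            return None  # expired
        resource = self.pending.pop(body["in_response_to"])
        return {"user": body["subject"], "resource": resource}


def parse_saml_request(redirect):
    """What the client carries from the SP's redirect to the IdP."""
    query = parse_qs(urlparse(redirect["location"]).query)
    return json.loads(query["SAMLRequest"][0])


def sp_initiated_login(sp, idp, url, username, password, now):
    """Runs the four steps end to end and returns the SP session, or None."""
    saml_request = parse_saml_request(sp.request_resource(url))
    assertion = idp.authenticate(username, password, saml_request, now)
    if assertion is None:
        return None
    return sp.consume_assertion(assertion, now)


if __name__ == "__main__":
    sp = ServiceProvider("https://portal.example.com", IDP_KEY, "https://login.example.com")
    idp = IdentityProvider("https://login.example.com", IDP_KEY, DIRECTORY)
    print(sp_initiated_login(sp, idp, "https://portal.example.com/hr", "alice", "correct-horse-battery", 1000))
```

The checks in consume_assertion are the ones that matter when APM acts as the SP: the signature proves the assertion came from the configured IdP, the audience stops an assertion minted for OWA.example.com being presented to Sharepoint.example.com, the in_response_to binding rejects unsolicited or replayed assertions, and the lifetime bounds how long a captured assertion is useful.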

TMOS and Platform

Full Proxy Security (diagram: client side and server side stacks, bottom to top)
- Physical
- Network: L4 firewall, full stateful policy enforcement and TCP DDoS mitigation
- Session: SSL inspection and SSL DDoS mitigation
- Application: HTTP proxy, HTTP DDoS and application security
- Web application: application health monitoring and performance anomaly detection

Full Proxy Security, F5's Approach (diagram)
Client-side and server-side stacks as above (Physical, Network with L4 firewall and TCP DDoS mitigation, Session with SSL inspection and SSL DDoS mitigation, Application with HTTP proxy, HTTP DDoS and application security, Web application with health monitoring and performance anomaly detection), joined by a session proxy.
Traffic management microkernel with TMOS traffic plug-ins: IPv4/IPv6, TCP, SSL, HTTP, OneConnect; optional modules (AFM, ASM, APM) plug in for all F5 products and solutions.
- High-performance networking microkernel on high-performance hardware
- Powerful application protocol support
- iRules: network programming language
- iControl API: external monitoring and control

F5's Purpose-Built Design: performance and scalability. Optimized hardware utilizing custom Field Programmable Gate Array (FPGA) technology, tightly integrated with TMOS and software. The embedded Packet Velocity Acceleration (ePVA) FPGA delivers (example of the unique F5 VIPRION architecture):
- Linear scaling of performance
- High-performance interconnect between Ethernet ports and CPUs
- High L4 throughput and reduced load on the CPU
- Integrated hardware and software DDoS protection against large-scale attacks
- Predictable performance for low-latency protocols (FIX)

Platform Overview (VIPRION 4800, VIPRION 44xx chassis, VIPRION 2400 chassis, BIG-IP 10x00, 7x00, 5x00, 4x00, 2x00 series)

Platform                        | Throughput (Gbps) | Max Conc. Conns | L4 Connections/s (CPS) | SSL TPS (2K keys) | HW SYN cookies/s
VIPRION 4800, 8 blades (B4340)  | 640               | 576,000,000     | 8,000,000              | 240,000           | 640,000,000
VIPRION 4480, 4 blades (B4340)  | 320               | 288,000,000     | 4,400,000              | 120,000           | 320,000,000
VIPRION 4480, 1 blade (B4340)   | 80                | 72,000,000      | 1,100,000              | 30,000            | 80,000,000
VIPRION 2400, 4 blades (B2100)  | 160               | 48,000,000      | 1,600,000              | 40,000            | 160,000,000
VIPRION 2400, 1 blade (B2100)   | 40                | 12,000,000      | 400,000                | 10,000            | 40,000,000
BIG-IP 10200                    | 80                | 36,000,000      | 1,000,000              | 75,000            | 80,000,000
BIG-IP 7200                     | 40                | 24,000,000      | 775,000                | 25,000            | 40,000,000
BIG-IP 5200                     | 30                | 24,000,000      | 700,000                | 21,000            | 40,000,000
BIG-IP 4200                     | 10                | 10,000,000      | 300,000                | 9,000             | N/A
BIG-IP 2200                     | 5                 | 5,000,000       | 150,000                | 4,000             | N/A

TMOS Architecture (diagram)
Modules: LTM (BIG-IP Local Traffic Manager), GTM (BIG-IP Global Traffic Manager), AAM (BIG-IP Application Acceleration Manager), AFM (BIG-IP Advanced Firewall Manager), APM (BIG-IP Access Policy Manager), ASM (BIG-IP Application Security Manager).
Full proxy architecture: TCP Express, F5's adaptive TCP stack, on the client side and again on the server side, with F5's TMOS common services in between:
- DoS and DDoS protection
- High-performance SSL
- GeoLocation services
- Rate shaping
- Fast Cache
- High-performance compression
- Dynamic routing
- Message-based traffic management: Universal Switching Engine (USE)
- iSessions: F5 secure, optimized tunneling
- TCP multiplexing and optimal connection handling
- Full IPv6/IPv4 gateway
- iRules programming
- iControl API
- Management Control Plane (MCP) and high-speed logging
- Full L2 switching
- Universal persistence: transaction integrity
- Unique high-performance hardware

Application Delivery Firewall: bringing an application-centric view to firewall security. One platform: ICSA-certified firewall, application delivery controller, application security, access control, DDoS mitigation, SSL inspection, DNS security. Full proxy visibility and control; #1 ADC application fluency; extensibility; functionality across multiple systems. Built for the new application-centric network.

F5 BIG-IP delivers, on one platform (HW/SW): ICSA-certified firewall, access control, application delivery controller, DDoS mitigation, application security, SSL inspection, DNS security, web and WAN optimization.
- Advanced Firewall Manager: stateful full-proxy firewall; on-box logging and reporting; native TCP, SSL and HTTP proxies; network and session anti-DDoS
- Access Policy Manager: dynamic, identity-based access control; simplified authentication, consolidated infrastructure; strong endpoint security and secure remote access; high performance and scalability; VDI integration (ICA, PCoIP)
- Local Traffic Manager: #1 application delivery controller; application fluency; app-specific health monitoring; application offload; streamlined app deployment
- Application Security Manager: leading web application firewall; PCI compliance; virtual patching for vulnerabilities; HTTP anti-DDoS; IP protection
- Global Traffic Manager and DNSSEC: huge-scale DNS solution; global server load balancing; signed DNS responses; offload of DNS crypto
- Application Acceleration: front-end optimization; server offload; network optimization; mobile acceleration; HTTP 2.0 / SPDY gateway

F5 Delivers to Support Your Needs
Increased scale and performance: industry-leading capacity and throughput.
Higher security: full-proxy security, SSL inspection, and extensibility with iRules.
Operational efficiency: consolidation of functions and an application-centric security model.