Securing and Accelerating the InteropNOC with F5 Networks

Transcription:

Securing and Accelerating the InteropNOC with F5 Networks
Joe Wojcik, Consultant II, J.Wojcik@F5.com
Ken Bocchino, Principal Systems Architect, KB@F5.com

Agenda
- Overview of F5
- SPDY (pronounced "speedy")
- Advanced Firewall Manager
- Application Security Manager
- Access Policy Manager
- Questions

InteropNET Architecture Overview

F5 Technologies Used in the Network
- ADC: Application Delivery Controller
- LTM: Local Traffic Manager
- GTM: Global Traffic Manager
- AFM: Advanced Firewall Manager
- ASM: Application Security Manager
- AAM: Application Acceleration Manager
- APM: Access Policy Manager

The Basics - LTM
A virtual server fronts a pool made up of pool members.
- Profiles applied to the virtual server allow for protocol parsing.
- Monitoring of pool members ensures always-available services.

The Basics - GTM
A WideIP fronts a pool of data center virtual servers (DC1 virtual server, DC2 virtual server).
- Wide IPs define FQDNs.
- A pool of data center virtual IPs ensures global availability.
- Monitoring of pool members ensures always-available services.

F5 Architecture Overview
The same layered stack is applied on the client side and the server side of the proxy:
- Physical
- Network: L4 firewall, full stateful policy enforcement and TCP DDoS mitigation
- Session: SSL inspection and SSL DDoS mitigation
- Application: HTTP proxy, HTTP DDoS and application security
- Web application: application health monitoring and performance anomaly detection

F5's Approach
- Optional modules plug in for all F5 products and solutions.
- Traffic management microkernel: a high-performance networking microkernel with powerful application protocol support; TMOS traffic plug-ins (IPv4/IPv6, TCP, HTTP, SSL, OneConnect, Firewall, APM) sit on the client side and server side of the proxy.
- High-performance hardware
- iControl API: external monitoring and control
- iRules: network programming language

SPDY Overview
- Google produced the 1st Internet-Draft in 2009.
- Several major websites already use it (Google, Twitter, Facebook, etc.).
- Supported in updated versions of Chrome, Firefox, Internet Explorer, Opera.
- The Kindle Fire Silk browser uses SPDY to internet sites and the Amazon AWS cloud.
- HTTP has several built-in assumptions that affect latency: a single request per connection; exclusively client-initiated requests; uncompressed request and response headers; redundant headers; optional data compression.
- SPDY is designed to reduce application-layer latency: many HTTP requests per TCP connection; compressed headers and elimination of unnecessary headers; easy to implement and server-efficient; always-on SSL for a more secure web; server-initiated communication to the client.

SPDY Overview (cont.)
- SPDY doesn't replace HTTP: SPDY still has HTTP methods, headers, response codes, and other HTTP elements.
- Basic features of SPDY:
  - Multiplexed streams: allows unlimited concurrent streams over a single TCP connection.
  - Request prioritization: assign priority to multiple requests to combat bandwidth limitations.
  - HTTP header compression: compresses request/response HTTP headers.
  - Server-initiated streams: speed up connections by sending content or hints without the client specifically requesting the resource.
    - Server push: servers push data to clients via the X-Associated-Content header. Useful for initial-page downloads.
    - Server hint: servers suggest resources to the client via the X-Subresources header.
- Draft located at http://www.chromium.org/spdy/spdy-protocol/spdy-protocol-draft1

SPDY & F5
F5 provides production-level SPDY support in BIG-IP LTM 11.4.0. BIG-IP Local Traffic Manager (LTM) uses a SPDY service profile to provide a SPDY endpoint and translation to backside HTTP. With everything handled on the F5 LTM, no backend changes are required to support SPDY.
The HTTP virtual server handles the initial request as a standard HTTP request and inserts an HTTP header into the response to inform the client that a SPDY virtual server is available to handle SPDY requests. The response is also compressed and cached. A SPDY-capable client then uses SSL/TLS (with NPN) to send SPDY requests to the BIG-IP system: the SPDY virtual server receives the request on port 443 and converts the SPDY request into an HTTP request before sending it to the appropriate server. When the server provides a response, the BIG-IP system converts the HTTP response into an appropriate SPDY response, compresses and caches it, and sends the response to the client.

SPDY Example (diagram): multiplexed requests to www.interop.com, annotated with request priority and stream ID.

SPDY: Some Numbers
These numbers are from Google's testing and are posted on the Chromium project page. Individual performance will depend on page complexity, domain use, static versus dynamic pages, and more.

AFM: High-Level Capabilities
- Access control policy: stateful firewalling (policies, rules, address lists); application access control (DNS, HTTP, FTP, SMTP)
- DoS detection and mitigation: L2-L4 attack mitigation, resource protection; protocol-specific DoS (DNS, SIP, SSL)
- Dynamic endpoint visibility and enforcement: NGFW, botnet defense, IP Intelligence profiles
- Manageability and visibility: flexible and powerful high-speed logging; network, protocol and DoS reporting (AVR)
- Encrypted traffic handling: site-to-site IPsec VPN tunnels; high-scale SSL termination

AFM: Access Control Policy (packet flow through the HUD chain, LTM + ASM + APM + GTM)
- I/O in: flow lookup in the flow table. If a flow exists, the packet follows the installed flow.
- If no flow exists: L2, then L3 global network DoS checks (HW accelerated; some vectors are not HW accelerated). If TCP and non-SYN, the packet is dropped here.
- Global rules: default accept; rules processed in order.
- Route domain rules: default accept; rules processed in order.
- Listener lookup: listener selected with LMF (longest match first); exact match for ALG; query/response ephemeral listener.
- Listener rules: configurable default; rules processed in order.
- Flow create / install flow, then I/O out.
Each stage yields Accept (continue to the next context), Accept decisively (allows matching packets to pass without further rule processing), Drop/No Match, or Reject.
- DROP or NO MATCH = silently discard.
- REJECT = if TCP, send RST; else DROP.

AFM: Access Control Policy (cont.)
Rule lists
- Grouping of rules
- Global rules that can be used anywhere in the policy
- Can be referenced in multiple policies on multiple firewalls
Flow classification criteria
- Time based, protocol, source address, source port, source VLAN, destination address, destination port
Primary actions
- Drop: silently discard
- Reject: drop and inform sender
- Accept: permit
- Accept decisively: permit and skip processing at subsequent contexts
Other actions
- Fire iRule (as of 11.4.1)
- Log
- Hit count
- Configurable default action
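The context ordering from the packet-flow slide and the action semantics from the rule slide, modelled together in one small evaluator. This is an added illustration, not F5 code: the packet fields, the `Context`/`Rule` classes and the address ranges in the constructed policy are assumptions, and real AFM has many more match criteria.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                   # accept | accept_decisively | drop | reject
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))

@dataclass
class Context:
    name: str
    rules: list = field(default_factory=list)
    default: str = "accept"       # global and route-domain default to accept; listener is configurable

    def evaluate(self, pkt: dict) -> str:
        for rule in self.rules:   # rules are processed in order; first match wins
            if rule.matches(pkt):
                return rule.action
        return self.default       # "no match" falls through to the context default

def disposition(action: str, pkt: dict) -> str:
    """DROP or NO MATCH = silently discard; REJECT = TCP RST, otherwise drop."""
    if action == "reject" and pkt["proto"] == "tcp":
        return "rst"
    return "drop"

def process(contexts, flows: set, pkt: dict):
    """Return (disposition, stages consulted). `flows` is the established-flow table."""
    key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"])
    if key in flows:              # flow lookup hit: no rule processing at all
        return "accept", ["flow-table"]
    if pkt["proto"] == "tcp" and not pkt.get("syn", False):
        return "drop", ["tcp-nonsyn-check"]   # new TCP flow that is not a SYN is dropped early
    consulted = []
    for ctx in contexts:
        consulted.append(ctx.name)
        action = ctx.evaluate(pkt)
        if action in ("drop", "reject"):
            return disposition(action, pkt), consulted
        if action == "accept_decisively":   # skip the remaining contexts
            break
    flows.add(key)                # install the flow so later packets bypass the rules
    return "accept", consulted

# Constructed policy using documentation address ranges, not Interop NOC addresses.
POLICY = [
    Context("global", [Rule("drop", src="203.0.113.0/24")]),
    Context("route-domain", [Rule("accept_decisively", dst="198.51.100.10/32", proto="tcp", dport=443)]),
    Context("listener", [Rule("accept", proto="udp", dport=53)], default="reject"),
]

def demo():
    flows = set()
    https = {"src": "192.0.2.5", "dst": "198.51.100.10", "proto": "tcp", "dport": 443, "syn": True}
    return [process(POLICY, flows, https),
            process(POLICY, flows, https),   # second packet of the same flow hits the flow table
            process(POLICY, flows, {"src": "203.0.113.7", "dst": "198.51.100.10", "proto": "tcp", "dport": 443, "syn": True}),
            process(POLICY, flows, {"src": "192.0.2.5", "dst": "198.51.100.20", "proto": "tcp", "dport": 22, "syn": True}),
            process(POLICY, flows, {"src": "192.0.2.5", "dst": "198.51.100.20", "proto": "udp", "dport": 123})]
```

Running `demo()` shows the accept-decisively packet never reaching the listener context, the blocked source stopping at the global context, and the listener's reject default answering TCP with an RST but silently dropping UDP.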

AFM: Visibility in the NOC
- Reporting ranges from high level to very detailed.
- F5 reporting to key SIEM partners: Splunk, Q1, ArcSight.
- Start with application-centric views and drill down to more details.
- At-a-glance visibility and intelligence for ADF's context-aware security.

F5 Mitigation Technologies (DDoS mitigation; difficulty of attack detection increases up the OSI stack)
Network attacks (OSI layers 1-4: Physical, Data Link, Network, Transport)
- Attacks: SYN flood, connection flood, UDP flood, push and ACK floods, Teardrop, ICMP floods, ping floods and Smurf attacks
- Mitigation with BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
Session attacks (layers 5-6: Session, Presentation)
- Attacks: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation
- Mitigation with BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
Application attacks (layer 7)
- Attacks: OWASP Top 10 (SQL injection, XSS, CSRF, etc.), Slowloris, Slow POST, HashDoS, GET floods
- Mitigation with BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

Automatic HTTP/S DoS Attack Detection and Protection
- Accurate detection technique based on latency
- Three different mitigation techniques escalated serially
- Focus on higher-value productivity while automatic controls intervene
Sequence: detect a DoS condition, identify potential attackers, drop only the attackers.

DDoS Protection Reference Architecture (diagram)
- Traffic sources: legitimate users, corporate users, DDoS attacker, botnet attackers, anonymous proxies and anonymous requests, scanner
- Multiple ISP strategy (ISPa/b) with a cloud scrubbing service upstream
- Tier 1, network and DNS, alongside the next-generation firewall and IPS. Network attacks: ICMP flood, UDP flood, SYN flood. DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning.
- Tier 2, application, in front of the financial services, e-commerce and subscriber applications. SSL attacks: SSL renegotiation, SSL flood. HTTP attacks: Slowloris, slow POST, recursive POST/GET.
- Threat feed intelligence and a strategic point of control are also shown.

Tier 1 Key Features
- The first tier at the perimeter is layer 3 and 4 network firewall services
- Simple load balancing to a second tier
- IP reputation database
- Mitigates volumetric and DNS DDoS attacks

Tier 2 Key Features
- The second tier is for application-aware, CPU-intensive defense mechanisms
- SSL termination
- Web application firewall
- Mitigates asymmetric and SSL-based DDoS attacks

DDoS Protection in the Interop NOC
- DDoS attack traffic arrives via ISPa and ISPb; the ISP provides a volumetric DDoS service.
- The BIG-IP platform protects L3-7 and DNS for customers and partners: network firewall services + DNS services + web application firewall services + compliance control.
- BIG-IP modules deployed: Advanced Firewall Manager, Local Traffic Manager, Global Traffic Manager, Access Policy Manager, Application Security Manager.

Comprehensive Protections
BIG-IP ASM extends protection beyond application vulnerabilities:
- L7 DDoS
- XML firewall: XML filtering, validation and mitigation
- Web scraping
- Geolocation blocking
- Web bot identification
- ICAP anti-virus integration

Four Ways to Build a Policy (security policy checked, then applied)
- Dynamic Policy Builder (automatic): no knowledge of the app required; adjusts policies if the app changes.
- Manual: advanced configuration for custom policies.
- Integration with app scanners: virtual patching with continuous application scanning.
- Pre-built policies (out-of-the-box): pre-configured and validated for mission-critical apps including Microsoft, Oracle, PeopleSoft.

BIG-IP Access Policy Manager: Secure Identity and Access Management
- Provides unified global access to your applications
- Simplified and consolidated management of your application security policies
- Single Sign-On (SSO) across multiple domains/authentication types
- Simplified access for virtual application environments: Citrix XenApp/XenDesktop, VMware Horizon View
- Unifies security, access control and application delivery
- Advanced Visual Policy Editor
- SSL application or VPN tunnels for the full range of user access
- Secure Web Gateway with URL filtering and real-time intelligence
- Advanced reporting: Splunk, Syslog, ArcSight, etc.

BIG-IP Access Policy Manager (cont.)
- Provides client-side and server-side checking (antivirus, firewall, OS version, etc.)
- Multiple AAA server support (RADIUS, Active Directory, LDAP, SecurID, Oracle, SAML, HTTP, LocalDB, TACACS+, CRLDP, OCSP, and more)
- Easy L4 and L7 ACL management

BIG-IP Access Policy Manager at Interop
- At Interop we provide NOC sponsors IPv4 and IPv6 VPN access to the NOC network services.
- NOC users can VPN securely into their applications and devices locally or in our other Interop data centers (Denver colo, Las Vegas NOC, Sunnyvale colo).
- Logging and access information is provided to the ScienceLogic, PathSolutions, and Splunk servers.

Additional Resources
- F5 Networks website: http://www.f5.com/
- F5 Networks support site: http://support.f5.com/
- F5 Networks INTEROP show site: http://f5.enet.interop.net/
- Chromium Project SPDY: http://www.chromium.org/spdy
- F5 DDoS Recommended Practices: http://f5.enet.interop.net/interop/f5%20ddos%20recommended%20practices.pdf