Securing and Accelerating the InteropNOC with F5 Networks
Joe Wojcik - Consultant II - J.Wojcik@F5.com
Ken Bocchino - Principal Systems Architect - KB@F5.com

Agenda
- Overview of F5
- SPDY (pronounced "Speedy")
- Advanced Firewall Manager
- Application Security Manager
- Access Policy Manager
- Questions
InteropNET Architecture Overview
F5 Technologies Used in the Network
- ADC: Application Delivery Controller
- LTM: Local Traffic Manager
- GTM: Global Traffic Manager
- AFM: Advanced Firewall Manager
- ASM: Application Security Manager
- AAM: Application Acceleration Manager
- APM: Access Policy Manager

The Basics - LTM
Diagram: Virtual Server -> Pool -> Pool Member, Pool Member
- Profiles applied to the virtual server allow for protocol parsing
- Monitoring of pool members ensures always-available services

The Basics - GTM
Diagram: WideIP -> Pool -> DC1 Virtual Server, DC2 Virtual Server
- Wide IPs define FQDNs
- A pool of data center virtual IPs ensures global availability
- Monitoring of pool members ensures always-available services
F5 Architecture Overview
Full-proxy layers (client side and server side), from the bottom up:
- Physical
- Network: L4 firewall, full stateful policy enforcement and TCP DDoS mitigation
- Session: SSL inspection and SSL DDoS mitigation
- Application: HTTP proxy, HTTP DDoS and application security
- Web application: application health monitoring and performance anomaly detection

F5's approach
- TMOS traffic plug-ins: optional modules plug in for all F5 products and solutions (IPv4/IPv6, TCP, HTTP, SSL, OneConnect, Firewall, APM)
- Traffic management microkernel: high-performance networking microkernel with powerful application protocol support, running on high-performance hardware
- iControl API: external monitoring and control
- iRules: network programming language
SPDY Overview
- Google produced the 1st Internet-Draft in 2009
- Several major websites already use it (Google, Twitter, Facebook, etc.)
- Supported in updated versions of Chrome, Firefox, Internet Explorer, Opera
- The Kindle Fire Silk browser uses SPDY to reach internet sites and the Amazon AWS cloud
- HTTP has several built-in assumptions that affect latency:
  - Single request per connection
  - Exclusively client-initiated requests
  - Uncompressed request and response headers
  - Redundant headers
  - Optional data compression
- SPDY is designed to reduce application-layer latency:
  - Many HTTP requests per TCP connection
  - Compress headers and eliminate unnecessary headers
  - Easy to implement and server-efficient
  - Always-on SSL for a more secure web
  - Enable server-initiated communications to the client

SPDY Overview (cont.)
- SPDY doesn't replace HTTP: SPDY still has HTTP methods, headers, response codes, and other HTTP elements
- Basic features of SPDY:
  - Multiplexed streams: allows unlimited concurrent streams over a single TCP connection
  - Request prioritization: assign priority to multiple requests to combat bandwidth limitations
  - HTTP header compression: compresses request/response HTTP headers
  - Server-initiated streams: speed up connections by sending content or hints without the client specifically requesting the resource
    - Server push: servers push data to clients via the X-Associated-Content header; useful for initial-page downloads
    - Server hint: servers suggest resources to the client via the X-Subresources header
- Draft located at http://www.chromium.org/spdy/spdy-protocol/spdy-protocol-draft1
SPDY & F5
F5 provides production-level SPDY support in BIG-IP LTM 11.4.0. BIG-IP Local Traffic Manager (LTM) uses a SPDY service profile to provide a SPDY endpoint and translation to back-end HTTP. With everything handled on the F5 LTM, no back-end changes are required to support SPDY.

The HTTP virtual server handles the initial request as a standard HTTP request and inserts an HTTP header into the response to inform the client that a SPDY virtual server is available to handle SPDY requests. The response is also compressed and cached.

A SPDY-capable client uses SSL/TLS (with NPN) to send SPDY requests to the BIG-IP system. The SPDY virtual server receives the request on port 443 and converts the SPDY request into an HTTP request before sending it to the appropriate server. When the server provides a response, the BIG-IP system converts the HTTP response into an appropriate SPDY response, compresses and caches it, and sends the response to the client.

SPDY Example
Diagram: a browser fetching www.interop.com over one SPDY connection, showing multiplexed requests, request priority and the stream ID of each request.

SPDY: Some Numbers
(performance table not reproduced in this extract)
These numbers are from Google's testing and are posted on the Chromium project page. Individual performance will be based on page complexity, domain use, static/dynamic pages, and more.
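The multiplexing that the example slide illustrates can be made concrete with a small frame builder and demultiplexer. This is an added example, not code from F5 or from the slides: it assumes the spdy/3 frame layout (8-byte common header, 31-bit stream IDs, 3-bit priority in SYN_STREAM) and uses a constructed byte string in place of a real connection. The name/value header block is left as a placeholder string; the real protocol zlib-compresses it with a fixed dictionary, which is not reproduced here.

```python
import struct

CONTROL_BIT = 0x80000000   # top bit of the first word: 1 = control frame, 0 = data frame
SYN_STREAM = 1             # control frame type that opens a new stream
FLAG_FIN = 0x01            # flag: last frame on this stream
SPDY_VERSION = 3           # assumed spdy/3 layout; spdy/2 differs only in a 2-bit priority

def build_syn_stream(stream_id, priority, header_block=b""):
    """SYN_STREAM: common header + 31-bit stream ID, 31-bit associated ID,
    3-bit priority (top bits of one byte), 8-bit slot, then the header block.
    Client-initiated streams use odd IDs, server-initiated ones even IDs."""
    payload = struct.pack(">IIBB", stream_id & 0x7FFFFFFF, 0, (priority & 0x7) << 5, 0)
    payload += header_block   # placeholder; the real block is zlib-compressed
    head = struct.pack(">HHI", 0x8000 | SPDY_VERSION, SYN_STREAM, len(payload))  # flags = 0
    return head + payload

def build_data_frame(stream_id, data, fin=False):
    flags = FLAG_FIN if fin else 0
    return struct.pack(">II", stream_id & 0x7FFFFFFF, (flags << 24) | len(data)) + data

def parse_frames(buf):
    """Split a byte buffer into frames; refuses to act on a truncated frame."""
    frames, off = [], 0
    while off + 8 <= len(buf):
        word0, word1 = struct.unpack_from(">II", buf, off)
        flags, length = word1 >> 24, word1 & 0xFFFFFF
        payload = buf[off + 8: off + 8 + length]
        if len(payload) < length:
            raise ValueError("truncated frame")
        if word0 & CONTROL_BIT:
            frame = {"control": True, "version": (word0 >> 16) & 0x7FFF,
                     "type": word0 & 0xFFFF, "flags": flags, "payload": payload}
            if frame["type"] == SYN_STREAM:
                sid, assoc, prio_byte = struct.unpack_from(">IIB", payload, 0)
                frame.update(stream_id=sid & 0x7FFFFFFF, associated=assoc & 0x7FFFFFFF,
                             priority=prio_byte >> 5, header_block=payload[10:])
        else:
            frame = {"control": False, "stream_id": word0 & 0x7FFFFFFF,
                     "flags": flags, "payload": payload}
        frames.append(frame)
        off += 8 + length
    return frames

def demux(frames):
    """Reassemble interleaved frames into per-stream buffers, enforcing
    that data only arrives for streams that were opened and not yet finished."""
    streams = {}
    for f in frames:
        if f["control"] and f["type"] == SYN_STREAM:
            streams[f["stream_id"]] = {"priority": f["priority"], "data": bytearray(), "fin": False}
        elif not f["control"]:
            s = streams.get(f["stream_id"])
            if s is None:
                raise ValueError(f"data for unknown stream {f['stream_id']}")
            if s["fin"]:
                raise ValueError("data after FIN")
            s["data"] += f["payload"]
            s["fin"] = bool(f["flags"] & FLAG_FIN)
    return streams

def example_connection():
    """Constructed wire bytes: two client streams interleaved on one connection."""
    wire = b"".join([
        build_syn_stream(1, 0, b"<compressed headers for /index.html>"),
        build_syn_stream(3, 5, b"<compressed headers for /logo.png>"),
        build_data_frame(1, b"<html>"),
        build_data_frame(3, b"\x89PNG"),
        build_data_frame(1, b"</html>", fin=True),
        build_data_frame(3, b"...", fin=True),
    ])
    return demux(parse_frames(wire))

if __name__ == "__main__":
    for sid, s in example_connection().items():
        print(sid, s["priority"], bytes(s["data"]), s["fin"])
```

Running it shows both streams arriving complete even though their frames were interleaved; a full-proxy endpoint such as the SPDY virtual server described above would turn each reassembled stream into one back-end HTTP request.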
AFM: High Level Capabilities (Advanced Firewall Manager)
- Access Control Policy
  - Stateful firewalling: policies, rules, address lists
  - Application access control (DNS, HTTP, FTP, SMTP)
- DoS Detection & Mitigation
  - L2-L4 attack mitigation, resource protection
  - Protocol-specific DoS (DNS, SIP, SSL)
- Dynamic Endpoint Visibility & Enforcement
  - NGFW, botnet defense
  - IP Intelligence profiles
- Manageability & Visibility
  - Flexible and powerful high-speed logging
  - Network, protocol and DoS reporting (AVR)
- Encrypted Traffic Handling
  - Site-to-site IPsec VPN tunnels
  - High-scale SSL termination

AFM: Access Control Policy (packet processing flow)
1. Ingress I/O -> L2 -> flow lookup in the flow table. If a flow already exists, the packet goes straight to the HUD chain (LTM + ASM + APM + GTM) and egress I/O. If no flow exists and the packet is TCP but not a SYN, it is dropped here.
2. Global network DoS checks (L3, HW accelerated; *some vectors are not HW accelerated).
3. Global rules (HW accelerated): rules processed in order. Match -> Accept, Accept decisively, or Drop/Reject. No match -> default Accept.
4. Route domain rules: rules processed in order. Match -> Accept, Accept decisively, or Drop/Reject. No match -> default Accept.
5. Listener lookup: listener selected with LMF (longest match first); exact match for ALG; query/response: ephemeral listener.
6. Listener rules: rules processed in order; configurable default. Match -> Accept or Drop/Reject.
7. Flow create / install flow, then the HUD chain.
Notes:
- Accept decisively: allows matching packets to pass without further rule processing (the accept-decisively path bypasses the remaining rule contexts).
- DROP or NO MATCH = silently discard. REJECT = if TCP, send RST; else DROP.

AFM: Access Control Policy
Rule Lists
- Grouping of rules
- Global rules that can be used anywhere in the policy
- Can be referenced in multiple policies on multiple firewalls
Flow Classification Criteria
- Time based
- Protocol
- Source address
- Source port
- Source VLAN
- Destination address
- Destination port
Primary Actions
- Drop: silently discard
- Reject: drop and inform sender
- Accept: permit
- Accept Decisively: permit and skip processing at subsequent contexts
Other Actions
- Fire iRule (as of 11.4.1)
- Log
- Hit count
Configurable default action
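The two AFM policy slides above describe an ordered evaluation across contexts (global, route domain, listener), the classification criteria a rule can match on, and four primary actions with different semantics. The following is an added model of that evaluation order, not F5 code and not how TMOS is implemented: the context and rule names, the packet dictionary, the `hours` field used for the time-based criterion and the verdict tuple are all constructed for this example. It is useful for reasoning about what a given policy will do to a packet before committing it, and in particular shows why an Accept Decisively rule in the global context means listener-level rules never see the packet.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ACCEPT, ACCEPT_DECISIVELY, DROP, REJECT = "accept", "accept-decisively", "drop", "reject"

@dataclass
class Rule:
    """One firewall rule; every criterion left as None is a wildcard."""
    name: str
    action: str
    protocol: Optional[str] = None            # "tcp", "udp", ...
    src: Optional[str] = None                 # source address (CIDR)
    dst: Optional[str] = None                 # destination address (CIDR)
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_vlan: Optional[str] = None
    hours: Optional[Tuple[int, int]] = None   # time-based: active when start <= hour < end (assumed field)
    log: bool = False                         # "Log" other-action
    hits: int = 0                             # "Hit count" other-action

    def matches(self, pkt) -> bool:
        return all([
            self.protocol is None or pkt["proto"] == self.protocol,
            self.src is None or ip_address(pkt["src"]) in ip_network(self.src),
            self.dst is None or ip_address(pkt["dst"]) in ip_network(self.dst),
            self.src_port is None or pkt.get("sport") == self.src_port,
            self.dst_port is None or pkt.get("dport") == self.dst_port,
            self.src_vlan is None or pkt.get("vlan") == self.src_vlan,
            self.hours is None or self.hours[0] <= pkt["hour"] < self.hours[1],
        ])

@dataclass
class Context:
    """A rule context: global, route domain or listener (virtual server)."""
    name: str
    rules: List[Rule] = field(default_factory=list)
    default_action: str = ACCEPT   # configurable default, applied when no rule matches

def evaluate(contexts, pkt):
    """Walk contexts in order; within a context the first matching rule decides.
    Returns (action, context-name, rule-name)."""
    verdict = (ACCEPT, "policy", "default")
    for ctx in contexts:
        for rule in ctx.rules:
            if not rule.matches(pkt):
                continue
            rule.hits += 1
            if rule.log:
                pkt.setdefault("log", []).append(f"{ctx.name}:{rule.name}")
            if rule.action == ACCEPT_DECISIVELY:        # permit and skip all later contexts
                return (ACCEPT, ctx.name, rule.name)
            if rule.action in (DROP, REJECT):           # terminal
                return (rule.action, ctx.name, rule.name)
            verdict = (ACCEPT, ctx.name, rule.name)     # plain accept: continue to next context
            break
        else:                                           # no rule matched in this context
            if ctx.default_action in (DROP, REJECT):
                return (ctx.default_action, ctx.name, "default")
    return verdict

def sender_response(verdict, pkt):
    """Reject informs a TCP sender with an RST; drop, no-match and non-TCP reject are silent."""
    if verdict[0] == REJECT and pkt["proto"] == "tcp":
        return "RST"
    return None

# Constructed policy for the example
GLOBAL = Context("global", [
    Rule("noc-monitoring", ACCEPT_DECISIVELY, src="10.1.1.0/24", log=True),
    Rule("no-telnet", REJECT, protocol="tcp", dst_port=23),
])
ROUTE_DOMAIN = Context("route-domain-0", [
    Rule("partner-vlan-business-hours", ACCEPT, src_vlan="partners", hours=(8, 18)),
])
LISTENER = Context("vs-ssh-bastion", [
    Rule("mgmt-ssh", ACCEPT, protocol="tcp", src="10.2.0.0/16", dst_port=22),
], default_action=DROP)
POLICY = [GLOBAL, ROUTE_DOMAIN, LISTENER]

def packet(src, dport, proto="tcp", vlan="external", hour=14):
    """Constructed packet description for the classifier."""
    return {"proto": proto, "src": src, "dst": "192.0.2.10", "dport": dport, "vlan": vlan, "hour": hour}

if __name__ == "__main__":
    for p in (packet("10.1.1.5", 22), packet("10.2.3.4", 22), packet("203.0.113.7", 22), packet("203.0.113.7", 23)):
        v = evaluate(POLICY, p)
        print(p["src"], p["dport"], v, sender_response(v, p))
```

The order of the `POLICY` list is the order of the contexts in the flow diagram, and a listener with `default_action=DROP` is the place where the configurable default turns an unmatched packet into a silent discard.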
AFM: Visibility in the NOC
(screenshots ranging from high-level to very detailed views)
- F5 reporting to key SIEM partners: Splunk, Q1, ArcSight
- Start with application-centric views and drill down to more details
- At-a-glance visibility and intelligence for ADF's context-aware security

F5 mitigation technologies (DDoS mitigation)
Axis: OSI stack from Physical (1) to Application (7); difficulty of attack detection increases up the stack.
Network attacks
- Examples: SYN flood, connection flood, UDP flood, PUSH and ACK floods, Teardrop, ICMP floods, ping floods and Smurf attacks
- Mitigation: BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
Session attacks
- Examples: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation
- Mitigation: BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
Application attacks
- Examples: OWASP Top 10 (SQL injection, XSS, CSRF, etc.), Slowloris, Slow POST, HashDoS, GET floods
- Mitigation: BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

Automatic HTTP/S DoS attack detection and protection
- Accurate detection technique based on latency
- Three different mitigation techniques escalated serially
- Focus on higher-value productivity while automatic controls intervene
Flow: DETECT A DOS CONDITION -> IDENTIFY POTENTIAL ATTACKERS -> DROP ONLY THE ATTACKERS
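The three-step flow on this slide (detect a DoS condition from latency, identify the likely sources, drop only those) can be prototyped over ordinary access logs. The example below is added here and is not F5's detection logic: the log format, the latency multiplier, the request-share threshold and the two log windows are all constructed for illustration. It learns a latency baseline from a calm window, declares a DoS condition when the mean latency of a later window exceeds a multiple of that baseline, and then blocks only the sources whose request share is disproportionate, so that legitimate clients in the same window keep flowing.

```python
import re
from collections import Counter
from statistics import mean

# Constructed sample access-log lines: "<epoch-seconds> <client-ip> <uri> <server-latency-ms>"
CALM_LOG = """\
1000 192.0.2.10 /index.html 42
1000 192.0.2.11 /css/site.css 38
1001 192.0.2.12 /search?q=interop 61
1001 192.0.2.10 /img/logo.png 35
1002 192.0.2.13 /login 55
1002 192.0.2.14 /index.html 47
1003 192.0.2.11 /search?q=noc 58
1003 192.0.2.12 /index.html 44
"""

# Constructed attack window: one source floods the search endpoint and server latency climbs
ATTACK_LOG = "".join(
    f"{2000 + i // 4} 198.51.100.9 /search?q=x{i} {380 + 15 * i}\n" for i in range(16)
) + """\
2001 192.0.2.10 /index.html 410
2002 192.0.2.11 /login 455
2003 192.0.2.12 /index.html 470
2004 192.0.2.13 /css/site.css 430
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<uri>\S+) (?P<ms>\d+)$")

def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": int(m["ts"]), "ip": m["ip"], "uri": m["uri"], "ms": int(m["ms"])})
    return events

def baseline_latency(events):
    """Learned from a window known to be healthy."""
    return mean(e["ms"] for e in events)

def detect_dos(events, baseline_ms, factor=3.0, min_requests=8):
    """Step 1: a DoS condition exists when mean latency in the window exceeds
    factor x baseline. Too few requests make the mean meaningless, so no alarm."""
    if len(events) < min_requests:
        return False
    return mean(e["ms"] for e in events) > factor * baseline_ms

def identify_attackers(events, min_share=0.2):
    """Step 2: rank sources by request share; those above min_share are suspects."""
    counts = Counter(e["ip"] for e in events)
    total = sum(counts.values())
    return [ip for ip, n in counts.most_common() if n / total >= min_share]

def mitigate(events, baseline_ms):
    """Step 3: only when a condition is detected, drop the suspects and forward the rest.
    Returns (blocklist, forwarded_events)."""
    if not detect_dos(events, baseline_ms):
        return [], events
    blocklist = identify_attackers(events)
    blocked = set(blocklist)
    return blocklist, [e for e in events if e["ip"] not in blocked]

if __name__ == "__main__":
    base = baseline_latency(parse_log(CALM_LOG))
    blocklist, forwarded = mitigate(parse_log(ATTACK_LOG), base)
    print(f"baseline {base:.1f} ms, blocked {blocklist}, forwarded {len(forwarded)} requests")
```

Latency is the trigger rather than raw request volume because a slow-POST or recursive-GET style attack can degrade a server at a modest request rate; the share threshold then keeps the response proportionate by dropping only the sources that dominate the window.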
DDoS protection reference architecture
Diagram: Tier 1 (Network and DNS) at the perimeter and Tier 2 (Application) behind it; next-generation firewall and IPS; multiple ISP strategy (ISPa/b); cloud scrubbing service upstream; threat feed intelligence; a strategic point of control in front of the Financial Services and E-Commerce applications.
Traffic sources: corporate users, legitimate users, subscribers, DDoS attacker, scanner, anonymous proxies, anonymous requests, botnet attackers.
Attack classes shown:
- Network attacks: ICMP flood, UDP flood, SYN flood
- SSL attacks: SSL renegotiation, SSL flood
- DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
- HTTP attacks: Slowloris, slow POST, recursive POST/GET

DDoS protection reference architecture - Tier 1 key features
(same diagram as the previous slide)
- The first tier at the perimeter is layer 3 and 4 network firewall services
- Simple load balancing to a second tier
- IP reputation database
- Mitigates volumetric and DNS DDoS attacks
DDoS reference architecture - Tier 2 key features
(same diagram as the previous slides)
- The second tier is for application-aware, CPU-intensive defense mechanisms
- SSL termination
- Web application firewall
- Mitigate asymmetric and SSL-based DDoS attacks

DDoS Protection: Interop NOC
Diagram: customers and partners reach the NOC through ISPa and ISPb; DDoS attacks arrive on both links; the ISP provides a volumetric DDoS service upstream.
BIG-IP platform protecting L3-7 and DNS: network firewall services + DNS services + web application firewall services + compliance control
- BIG-IP Advanced Firewall Manager
- BIG-IP Local Traffic Manager
- BIG-IP Global Traffic Manager
- BIG-IP Access Policy Manager
- BIG-IP Application Security Manager

Comprehensive Protections
BIG-IP ASM extends protection to more than application vulnerabilities:
- L7 DDoS
- XML firewall
- Web scraping
- Geolocation blocking
- Web bot identification
- ICAP anti-virus integration
- XML filtering, validation and mitigation

Four ways to build a policy
(diagram: security policy checked -> security policy applied)
- Dynamic Policy Builder: automatic; no knowledge of the app required; adjusts policies if the app changes
- Manual: advanced configuration for custom policies
- Integration with app scanners: virtual patching with continuous application scanning
- Pre-built policies: out-of-the-box, pre-configured and validated, for mission-critical apps including Microsoft, Oracle, PeopleSoft
BIG-IP Access Policy Manager
Secure identity and access management
- Provide unified global access to your applications
- Simplified and consolidated management of your application security policies
- Single Sign-On (SSO) across multiple domains/authentication types
- Simplified access for virtual application environments: Citrix XenApp/XenDesktop, VMware Horizon View
- Unifies security, access control and application delivery
- Advanced Visual Policy Editor
- SSL application or VPN tunnels for the full range of user access
- Secure Web Gateway with URL filtering and real-time intelligence
- Advanced reporting: Splunk, Syslog, ArcSight, etc.

BIG-IP Access Policy Manager
- Provides client-side and server-side checking (antivirus, firewall, OS version, etc.)
- Multiple AAA server support (RADIUS, Active Directory, LDAP, SecurID, Oracle, SAML, HTTP, LocalDB, TACACS+, CRLDP, OCSP, and more)
- Easy L4 and L7 ACL management

BIG-IP Access Policy Manager at Interop
- At Interop we provide NOC sponsors IPv4 and IPv6 VPN access to the NOC network services
- NOC users can VPN securely into their applications and devices locally or in our other Interop datacenters
- Providing logging and access information to the ScienceLogic, PathSolutions and Splunk servers
Sites: Denver Colo, Las Vegas NOC, Sunnyvale Colo

Additional Resources
- F5 Networks Website: http://www.f5.com/
- F5 Networks Support Site: http://support.f5.com/
- F5 Networks INTEROP Show Site: http://f5.enet.interop.net/
- Chromium Project SPDY: http://www.chromium.org/spdy
- F5 DDoS Recommended Practices: http://f5.enet.interop.net/interop/f5%20ddos%20recommended%20practices.pdf