Threat mitigation strategies for banking applications. Carlos Valencia, Sales Engineer - LATAM, c.valencia@f5.com. 2017 F5 Networks
The Big Picture: a layered defence

Network protection (L3/L4, local DDoS): ICMP flood, UDP flood, SYN flood, TCP-state floods; DoS detection using behavioral analysis. DNS DoS: DNS amplification, query flood, dictionary attack, DNS poisoning. Volumetric attacks are absorbed upstream by the Silverline cloud-based scrubbing platform; the ISP may provide only a rudimentary DDoS service.

Application protection (L5-L7, CPU intensive): HTTP DoS: GET flood, Slowloris/slow POST, recursive POST/GET, with behavioral DoS detection (DHD only); SSL DoS: SSL renegotiation, SSL flood; WAF (ASM) for the OWASP Top 10: SQLi, XSS, CSRF, zero-day attacks, etc.

Customer fraud protection in front of data center, partner and cloud apps.

Ahead of the next-generation firewall and the high-performance DNS / DNS firewall tier, a threat intelligence feed (IP intelligence) flags scanners, anonymous proxies, anonymous requests and botnet attackers. On-premises defence plus cloud scrubbing is the hybrid model.
Consistent policies, cloud portability, top security visibility and lowest TCO across the traditional data center, private cloud and public cloud, joined by cloud interconnection (e.g. Direct Connect) with F5 BIG-IP at each location.
[Charts: deployment percentages (28%, 44%, 72%, 90%) for Firewalls, IDS/IPS, DLP, SIEM, Anti-Virus and APT protection; the mapping of values to controls is not recoverable from the extraction.]
Protection against web application vulnerabilities (WAF): CSRF, cookie manipulation, OWASP Top 10, brute force attacks, forceful browsing, buffer overflows, web scraping, parameter tampering, SQL injection, information leakage, field manipulation, session hijacking, cross-site scripting, zero-day attacks, command injection, clickjacking, bots, business logic flaws.
Traditional firewalls and intrusion prevention systems: an IPS examines all traffic for malicious application inputs, primarily using anomaly- and signature-based detection with some stateful protocol analysis, but it lacks understanding of L7 protocol logic and doesn't protect against all exploitable application vulnerabilities. Layer 7 security is not addressed by traditional IPS and firewall vendors.
Secure, federated access to any application, anywhere: remote users, mobile users, contractors and corporate users authenticate with single or multi-factor authentication (username, password + PIN). The access tier checks identity against data center directory services, user/user group, endpoint posture (MDM/EMM device posture), network location and connection type before granting access to data center apps, VDI, corporate (L3/L4) apps, private/hybrid cloud apps or SaaS apps (Office 365, Salesforce, other SaaS) through SAML identity federation. A hacker without valid identity and posture is stopped at this tier.
DDoS reference architecture for financial services: Tier 1 (network and DNS), in front of the next-generation firewall, absorbs network attacks (ICMP flood, UDP flood, SYN flood), SSL attacks (SSL renegotiation, SSL flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning). Tier 2 (application) handles HTTP attacks (Slowloris, slow POST, recursive POST/GET) in front of the e-commerce and subscriber applications, with IPS alongside. Upstream, a multiple-ISP strategy (ISP a/b) and a cloud scrubbing service take the volumetric attacks, while a threat intelligence feed flags scanners, anonymous proxies, anonymous requests and botnet attackers. Each tier is a strategic point of control between legitimate users, corporate users and the DDoS attacker.
DDoS approach: cloud/hosted service versus on-premises defence

Cloud/hosted service
Strengths: completely off-premises, so DDoS attacks can't reach you; amortized defence across thousands of customers; DNS anycast and multiple data centers protect you.
Weaknesses: customers pay whether attacked or not; bound by the terms of service agreement; solutions focus on specific layers (not all layers).

On-premises defence
Strengths: direct control over infrastructure; immediate mitigation with instant response and reporting; solutions can be architected to scale independently of one another.
Weaknesses: many point solutions in the market, few comprehensive DDoS solutions; can only mitigate up to the maximum inbound connection size; deployments can be costly and complex.
Hybrid DDoS protection combines the resilience and scale of the cloud with the granularity and always-on capabilities of on-premises defence: the on-premises device signals the cloud (request for service), the two share IP list management, and both operate under unified attack command and control.
DDoS architecture (scrubbing center)

Data plane: traffic from DDoS attackers and legitimate users is steered into the scrubbing center. The ingress router applies ACLs and filters traffic; switching mirrors traffic to the inspection toolsets and the routing layer; network mitigation removes advanced L4 attacks; proxy mitigation (WAF, Silverline) removes L7 application attacks, providing volumetric DDoS protection, a managed application firewall service and zero-day threat mitigation with iRules. Egress routing (customer VRF) returns good traffic to the customer over a GRE tunnel, proxy/IP reflection or L2VPN.

Inspection plane: copied traffic and NetFlow feed the inspection tools, which provide input on attacks for the traffic actioner and the SOC. The traffic actioner injects routes (BGP signaling) and steers traffic; flow collection aggregates attack data from all sources; the visibility portal provides real-time reporting and configuration; cloud signaling management links the scrubbing center to the customer's on-premises devices.
Application-layer attacks by protocol [chart]: HTTP 82%, DNS 77%, HTTPS 54%, SMTP 25%, SIP/VoIP 20%, with IRC and other protocols in single digits (9% and 6%). DNS is the second most targeted protocol after HTTP. DNS DoS techniques range from flooding requests to a given host, reflection attacks against DNS infrastructure and reflection/amplification attacks to DNS cache poisoning attempts. Cybercrime is a persistent threat in today's world and, despite best efforts, no business is immune.

Traditional DDoS mitigation: of the customers that mitigate DDoS attacks, many choose a technique that inhibits the ability of DNS to do its job. DNS is based on UDP and DNS DDoS often uses spoofed sources, so an ACL blocks legitimate clients; DNS attacks use massive volumes of source addresses, breaking many firewalls.
Conventional DNS thinking: Internet, external firewall, DNS load balancing, an array of DNS servers, internal firewall, hidden master. Performance means adding DNS boxes, DoS/DDoS protection is weak, and the firewall is THE bottleneck.

Paradigm shift, DNS delivery reimagined: a DNS firewall in front of the DNS infrastructure and master, providing DNS DDoS protection, protocol validation, authoritative DNS, a caching resolver, transparent caching, high-performance DNSSEC and DNSSEC validation. Scalable performance over 10M RPS, strong DoS/DDoS protection, lower CapEx and OpEx, intelligent GSLB.
F5 DNS firewall services in the DMZ, between devices on the Internet (and their LDNS) and the data center DNS servers and apps: DNS DDoS mitigation with DNS Express; protocol inspection and validation; DNS record type ACL*; blocking access to malicious IPs (DNS firewall); high-performance DNS cache; stateful, never accepts unsolicited responses; ICSA certified for deployment in the DMZ; scale across devices with IP anycast; secure responses with DNSSEC, with DNSSEC responses rate limited; complete DNS control with iRules and programmability; DDoS threshold alerting*; DNS logging and reporting; hardened DNS code.
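Two of the controls above, "stateful, never accepts unsolicited responses" and "DNS record type ACL", are easy to show in code. The following is an added example written for this page, not F5 code: a minimal stateful DNS firewall that parses the header and question of a DNS message, tracks outstanding queries by (transaction ID, name, type), drops any response that does not match one, and drops queries for record types on a blocklist. The sample messages are constructed in the block, and the choice to block ANY (type 255) is an assumption.

```python
import struct

# Assumptions for the example: record types and the ACL policy (ANY is blocked,
# since ANY queries are a common amplification vector).
QTYPE_A = 1
QTYPE_ANY = 255
BLOCKED_QTYPES = {QTYPE_ANY}


def build_message(txid, qname, qtype, is_response=False):
    """Build a minimal DNS message with one question (constructed sample traffic)."""
    flags = 0x8180 if is_response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_message(data):
    """Parse the header and the single question; raise ValueError on malformed input."""
    if len(data) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(data):
            raise ValueError("truncated question name")
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in question")
        # Names are case-insensitive, so normalise before matching
        labels.append(data[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(data):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", data[pos:pos + 4])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": ".".join(labels) + ".", "qtype": qtype}


class StatefulDnsFirewall:
    """Only responses that match an outstanding query are delivered to a client."""

    def __init__(self, blocked_qtypes=BLOCKED_QTYPES):
        self.blocked_qtypes = blocked_qtypes
        self.outstanding = {}  # (txid, qname, qtype) -> client address

    def inbound_query(self, data, client):
        try:
            msg = parse_message(data)
        except (ValueError, UnicodeDecodeError):
            return "drop: malformed"
        if msg["is_response"]:
            return "drop: QR bit set on a query"
        if msg["qtype"] in self.blocked_qtypes:
            return "drop: record type blocked by ACL"
        self.outstanding[(msg["txid"], msg["qname"], msg["qtype"])] = client
        return "forward"

    def inbound_response(self, data):
        try:
            msg = parse_message(data)
        except (ValueError, UnicodeDecodeError):
            return "drop: malformed"
        if not msg["is_response"]:
            return "drop: QR bit clear on a response"
        # pop() so a second copy of the same response is treated as unsolicited
        client = self.outstanding.pop((msg["txid"], msg["qname"], msg["qtype"]), None)
        if client is None:
            return "drop: unsolicited response"
        return f"deliver to {client}"
```

A production implementation would also key the state on the client's source port and the upstream server address, expire entries, and rate-limit by source, but the core point stands: a response that no one asked for is never forwarded, which is what defeats reflection traffic aimed at the resolver.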
Threats at the customer browser, outside the secured data center (network firewall, traffic management, NIPS, WAF, HIPS, DLP and SIEM) and reached over HTTP/HTTPS:
Manipulating user actions: social engineering, weak browser settings, malicious data theft, inadvertent data loss.
Leveraging browser application behavior: caching content, disk cookies, history; add-ons and plug-ins.
Embedding malware: keyloggers, framegrabbers, data miners, man-in-the-browser / man-in-the-middle, phishers/pharmers.
Man-in-the-browser content injection: generic malware such as Zeus infects a user's device. The malware contains code designed to trigger when the user accesses specific sites, for example:
*wellsfargo* add field
*bankofamerica* add button, replace text
*chase* add cc#, pin, remove text
*telebank* send credentials
*bankquepopulaire*
The user requests the login page for Wells Fargo and the legitimate web server returns it as expected; the malware then injects the additional content into the browser session. The user enters the requested content and clicks Go, and this information is sent to the configured drop zone.
HTML Source Integrity is based on the expected number of forms, input fields and scripts on a page. This page is expected to have only four forms, six input fields and 14 scripts, so the inclusion of an additional input field due to malware will trigger an alert.
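The counting behind that check can be shown in a few lines. The following is an added example for this page, not F5 code: it learns a baseline of form, input and script counts from a page as the origin server serves it, then compares a copy of the page as the browser received it and reports any deviation, including the name of the field that appeared. Both pages are constructed; the baseline of four forms, six inputs and 14 scripts on the slide is replaced by a smaller constructed login page so the block stays short.

```python
from html.parser import HTMLParser


class PageShape(HTMLParser):
    """Count forms, input fields and scripts in a page and record the input names."""

    def __init__(self):
        super().__init__()
        self.counts = {"form": 0, "input": 0, "script": 0}
        self.input_names = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag names and also calls this for self-closing tags
        if tag in self.counts:
            self.counts[tag] += 1
        if tag == "input":
            self.input_names.append(dict(attrs).get("name"))


def page_shape(html):
    parser = PageShape()
    parser.feed(html)
    parser.close()
    return parser.counts, parser.input_names


def learn_baseline(clean_html):
    """Expected element counts, taken from the page exactly as the origin serves it."""
    return page_shape(clean_html)[0]


def check_integrity(received_html, expected):
    """Compare the page the browser actually has against the baseline; return alerts."""
    counts, names = page_shape(received_html)
    alerts = [
        f"{element}: expected {expected_n}, found {counts[element]}"
        for element, expected_n in expected.items()
        if counts[element] != expected_n
    ]
    return alerts, names


# Constructed login page as served by the origin (not a real bank page)
CLEAN_LOGIN_PAGE = """<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign on</button>
</form>
<script src="/static/app.js"></script>
</body></html>"""

# The same page after man-in-the-browser malware injects a field asking for the ATM PIN
INJECTED_LOGIN_PAGE = CLEAN_LOGIN_PAGE.replace(
    '<input type="password" name="password">',
    '<input type="password" name="password">\n'
    '  <input type="text" name="atm_pin" placeholder="ATM PIN">',
)
```

In a real deployment the counting runs in the browser (the only place the injected DOM is visible) and the result is reported back to the server for comparison; the baseline must be re-learned whenever the legitimate page changes, or every release will look like an injection.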
Credential theft flow: the victim is infected with malware and then makes a secure connection to a web site, which triggers the malware to run (a password revealer icon appears). The victim enters data into the web form and submits it. The information is encrypted and sent to the web server, but the same content can also be stolen by the malware and sent to the drop zone in clear text.
How HFO (HTML field obfuscation) works: form fields leave the data center web application with their real names; the security appliance (LTM) obfuscates the field names before the page reaches the browser, so client-side malware that looks for known field names finds only fields without a recognisable name.
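The following is an added example for this page, not F5's implementation of HFO: a per-session mapping from real field names to random aliases is applied to the form on the way out and reversed when the form is posted back, and any posted field whose alias was not issued for this session is rejected. That last rule is what catches both a field injected by malware (which has no alias) and a replay of aliases learned in another session. The form, field names and alias format are constructed for the example.

```python
import re
import secrets
from urllib.parse import parse_qs


class HfoSession:
    """Per-session obfuscation of form field names, reversed on submission."""

    def __init__(self, protected_fields):
        # A fresh random alias per field per session, so the mapping cannot be learned
        self.real_to_alias = {name: "f" + secrets.token_hex(8) for name in protected_fields}
        self.alias_to_real = {alias: name for name, alias in self.real_to_alias.items()}

    def obfuscate_form(self, html):
        """Rewrite name="..." attributes of protected fields on the way to the browser."""
        def swap(match):
            real = match.group(1)
            return f'name="{self.real_to_alias.get(real, real)}"'
        return re.sub(r'name="([^"]*)"', swap, html)

    def decode_submission(self, body):
        """Map posted aliases back to real names; reject anything not issued for this session."""
        decoded = {}
        for key, values in parse_qs(body, keep_blank_values=True).items():
            real = self.alias_to_real.get(key)
            if real is None:
                raise ValueError(f"unexpected field {key!r}")
            decoded[real] = values[0]
        return decoded


# Constructed login form (not a real bank page)
LOGIN_FORM = """<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>"""
```

The appliance has to keep the mapping keyed by the user's session cookie for as long as the form can be submitted, and the regex rewrite above assumes the origin emits double-quoted name attributes; a production rewriter would work on a parsed DOM rather than on text.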
Transaction risk analysis at MyBank.com: gather client details related to the transaction; run a series of checks to identify suspicious activity; assign a risk score to the transaction; send an alert based on the score; apply L7 encryption to all communications between client and server.
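The scoring steps above map directly onto a small rules engine. The following is an added example for this page, not F5's scoring logic: it gathers the client and account details into one record, runs weighted checks (new device, new beneficiary, unusual country, amount far above the user's average, transfer seconds after login), caps the score at 100 and chooses allow, step-up authentication or block from thresholds. The checks, weights, thresholds and the two transactions are all assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class TransactionContext:
    """Client and account details gathered for one transfer (constructed fields)."""
    user: str
    amount: float
    beneficiary: str
    device_id: str
    country: str
    session_age_seconds: int
    known_devices: frozenset
    known_beneficiaries: frozenset
    usual_country: str
    avg_amount: float


# Each check is (name, predicate, weight); the weights are illustrative assumptions.
CHECKS = [
    ("new_device",       lambda t: t.device_id not in t.known_devices, 30),
    ("new_beneficiary",  lambda t: t.beneficiary not in t.known_beneficiaries, 20),
    ("unusual_country",  lambda t: t.country != t.usual_country, 25),
    ("amount_spike",     lambda t: t.amount > 5 * t.avg_amount, 25),
    ("fast_after_login", lambda t: t.session_age_seconds < 30, 15),
]


def score_transaction(t):
    """Run every check; return the capped score and the names of the checks that fired."""
    triggered = [name for name, check, _ in CHECKS if check(t)]
    score = min(100, sum(weight for name, _, weight in CHECKS if name in triggered))
    return score, triggered


def decide(score, review_at=40, block_at=70):
    """Thresholds are assumptions: low scores pass, mid scores get step-up auth, high scores block."""
    if score >= block_at:
        return "block"
    if score >= review_at:
        return "step_up_auth"
    return "allow"


def assess(t):
    score, triggered = score_transaction(t)
    return {"user": t.user, "score": score, "triggered": triggered, "action": decide(score)}


# Constructed transactions: a routine bill payment and a transfer from an unknown device
ROUTINE = TransactionContext("alice", 120.0, "utility-co", "dev-A1", "MX", 600,
                             frozenset({"dev-A1"}), frozenset({"utility-co", "landlord"}),
                             "MX", 150.0)
SUSPICIOUS = TransactionContext("alice", 4800.0, "mule-4471", "dev-Z9", "MX", 12,
                                frozenset({"dev-A1"}), frozenset({"utility-co", "landlord"}),
                                "MX", 150.0)
```

Additive scoring keeps each rule cheap and explainable (the alert can list exactly which checks fired), which matters when the fraud team has to justify a blocked transfer to the customer; the L7 encryption step on the slide is a separate control and is not part of this block.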
Phishing site development stages, with an alert at each stage: 1. copy the website; 2. save the copy to a computer; 3. upload the copy to the spoofed site; 4. test the spoofed site.
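Two of those stages leave traces in the bank's own web server logs, and the following added example (not F5's detection logic) shows one way to alert on them. Stage 1, copying the website, shows up as a single client fetching many distinct resources within a few seconds, often with a mirroring tool's User-Agent; stage 4, testing the spoofed site, shows up when the copied page, now served from a foreign host, still loads images and stylesheets from the bank, so requests for static assets arrive with a Referer on a host the bank does not own. The simplified log format, hostnames, thresholds and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumptions for the example: the bank's own hostnames, alert thresholds, and a
# simplified access-log format with an integer epoch timestamp.
LEGITIMATE_HOSTS = {"www.mybank.example", "mybank.example"}
COPY_WINDOW_SECONDS = 10
COPY_DISTINCT_PATHS = 20
MIRROR_UA_MARKERS = ("httrack", "wget", "curl")
STATIC_RE = re.compile(r"\.(png|jpg|gif|css|js|svg|woff2?)$", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "GET (?P<path>\S+)" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


def detect_site_copy(records, window=COPY_WINDOW_SECONDS, threshold=COPY_DISTINCT_PATHS):
    """Stage 1: one client pulls many distinct resources in a short window, or uses a mirroring tool."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
    suspects = []
    for ip, recs in by_ip.items():
        if any(marker in r["ua"].lower() for r in recs for marker in MIRROR_UA_MARKERS):
            suspects.append(ip)
            continue
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if len({r["path"] for r in recs[start:end + 1]}) >= threshold:
                suspects.append(ip)
                break
    return sorted(suspects)


def detect_spoofed_site_test(records, legitimate_hosts=LEGITIMATE_HOSTS):
    """Stage 4: the bank's static assets are requested from a page on a host the bank does not own."""
    alerts = []
    for r in records:
        ref_host = urlparse(r["referer"]).hostname
        if ref_host and ref_host.lower() not in legitimate_hosts and STATIC_RE.search(r["path"]):
            alerts.append((r["ip"], ref_host, r["path"]))
    return alerts


# Constructed sample log: a normal login, a tester loading the copy from a look-alike
# domain, and a mirroring tool pulling 25 assets in five seconds. Not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 [1000] "GET /login" 200 "https://www.mybank.example/" "Mozilla/5.0"',
    '198.51.100.7 [1001] "GET /static/logo.png" 200 "https://www.mybank.example/login" "Mozilla/5.0"',
    '192.0.2.44 [1500] "GET /static/logo.png" 200 "http://mybank-secure-login.example/login.html" "Mozilla/5.0"',
    '192.0.2.44 [1501] "GET /static/site.css" 200 "http://mybank-secure-login.example/login.html" "Mozilla/5.0"',
] + [
    f'203.0.113.9 [{1200 + i // 5}] "GET /static/asset{i}.js" 200 "" "HTTrack/3.49"'
    for i in range(25)
]


def run(lines=SAMPLE_LOG):
    records = [r for r in map(parse_line, lines) if r]
    return {"copy_suspects": detect_site_copy(records),
            "spoofed_site_tests": detect_spoofed_site_test(records)}
```

The Referer signal is the more valuable of the two, because it names the phishing host while the site is still being tested, before any victim is sent to it; it does disappear once the phisher hosts copies of the assets locally or strips the Referer, which is why the page-copy signal is kept as well.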
Each cloud (MSP, SaaS, public cloud, and the corporate data center(s) with private cloud, joined over cloud interconnect) provides its own siloed native app services: basic, proprietary and inconsistent.
Your cloud strategy should be an extension of your data center strategy: app-centric. Enable both network and application security; deliver high application availability, not just infrastructure availability; ensure application performance; centralize management and orchestration of the application; streamline app delivery and security services across on-premises and cloud. In practice that means defending against attacks, ensuring secure user access, delivering app performance, gaining traffic visibility and orchestrating tasks centrally, letting you focus on ensuring availability, security and performance for each application (DNS, identity, website, commerce, VPN, load balancing, storage, mobile, database, analytics).
App-centric strategy: control ranges from full (on-premises) to limited (public cloud) across application types: custom apps, ERP, CRM, LOB (HR, accounting), dev & test, packaged apps, mobile apps, external websites, SaaS apps.
Shared responsibility in Amazon AWS: the AWS Shared Responsibility Model exists to educate customers that they are still responsible for a large proportion of the services required to deliver applications in the cloud.
Shared responsibility in Microsoft Azure: the Azure Shared Responsibility Model likewise educates customers that they are still responsible for a large proportion of the services required to deliver applications in the cloud.
Use case: disaster recovery with a seamless global app experience.
Requirements: application availability and performance; location-based and contextual user access; active-active deployment for cost efficiency; insight and visibility into application traffic.
Recommended application delivery services, consistent across the data center and the cloud provider: local and global load balancing, DNS, L4-L7 services, SSL VPN or IPsec tunnel, access and identity, orchestration, and consistent DevOps and management tools over the compute and storage at each site.
Key benefits: seamless customer experience; secured and optimized site-to-site connectivity; advanced application health monitoring.
Traditional versus new: on-premises servers sit behind a single strategic control point delivering application services on hardware. In the new model, public/private cloud and cloud interconnection call for distributed strategic control points delivering the same application services as Virtual Edition, hardware, as-a-service or containers.