Intelligent and Secure Network
BIG-IP v11.2 Global Delivery Intelligence: IP Intelligence Service
Brian Boyan - b.boyan@f5.com
Tony Ganzer - t.ganzer@f5.com
Agenda
- Welcome & Intro
- Introduce the F5 IP Intelligence offering
- Security challenges
- The Intelligent Network
- Global Delivery Intelligence
- IP Intelligence service
- Q & A
Security Challenges
- 54% of hacking breaches in larger organizations happen at the web application.
- A Denial of Service tool using SSL/TLS showed the potential for an everyday laptop on an average connection to take down an enterprise web server.
- We still see SQL Injection as a choice point of entry for attackers.
- Threat detection today hinges on two elements: identifying suspicious activity among billions of data points, and refining a large set of suspicious incidents down to those that matter.
- Anonymous proxies have steadily increased, more than quadrupling in number as compared to three years ago.
- The most significant change we saw in 2011 was the rise of hacktivism against larger organizations worldwide.
The Shift To The Intelligent Network
- Business Analytics: we want to leverage the business data.
- Evolving Threats: we need to approach security differently.
- Personalized Experience: users expect a better experience.
Context leverages information about the end user to improve the interaction
- Who: who is the user?
- What: what devices are requesting access?
- When: when are they allowed to access?
- Where: where are they coming from?
- How: how did they navigate to the page/site?
What's Required To Build Context
- Capture: events
- Analyze: analysis
- Classify: action
New Subscription Services: Global Delivery Intelligence
Global Delivery Intelligence: an ecosystem of cloud-based services to make better network decisions (Context, Fast, Available, Secure)
- Trust IQ Intelligence: IP Intelligence, subscription, available today
- Locate IQ Intelligence: Location Service, free, available today
- xxx IQ Intelligence: roadmap
IP Intelligence: Defend Against Malicious Activity and Web Attacks
Evolving threats mean we need to approach security differently.
- Enhance automated application delivery decisions by adding better intelligence and stronger security based on context.
- Layer of IP threat protection: delivers context to identify and block IP threats using a dynamic data set of high-risk IP addresses.
- Visibility into threats from multiple sources: leverages a global threat sensor network.
- Deliver intelligence in a simple way: reveals inbound and outbound communication.
- Real-time updates keep protection at peak performance, refreshing the database every five minutes.
IP Intelligence Categories
- Reputation: deny access to infected IPs
- Scanners: probes, scans, brute force
- Windows Exploits: known IPs distributing exploits
- Denial of Service: DoS, DDoS, SYN flood
- Web Attacks: IPs used for SQL Injection, CSRF
- Phishing: phishing site hosts
- BotNets: infected IPs controlled by bots
- Anonymous Proxies: anonymization services, Tor
Security Landscape
Network-based Threats
- Web-based attacks
- Anonymization: click fraud, malware, scraping and hacking
- Zombies hired for DoS attacks
- Website vulnerability probing
- Windows exploits: high volume of exploiters and probers
- Scanners: probing across TCP ports and sensors
- Botnets: command and control, zombie behavior
- Malware
Security Implications
- Changing threat landscape: proliferation of malware, hacking and viruses; the malicious ecosystem is growing
- Evolving attack motivations: evolved from notoriety to profit; profit leads to sophisticated attacks
- Enterprises have limited visibility and constraints: each has its own view of the threat landscape; existing infrastructure is under severe operational pressure
- The threat landscape requires: an increased security posture; reduced appliance processing time; an appliance that leverages an added layer of security intelligence
Threat Categories - IP Intelligence Protection
- Windows Exploits: active IP addresses offering or distributing malware, shell code, rootkits, worms or viruses.
- Web Attacks: cross-site scripting, iframe injection, SQL injection, cross-domain injection or domain password brute force.
- Botnets: botnet C&C channels and infected zombie machines controlled by a bot master.
- Scanners: all reconnaissance such as probes, host scans, domain scans and password brute force.
- Denial of Service: DoS, DDoS, anomalous SYN flood, anomalous traffic detection.
- Reputation: deny access from IP addresses currently known to be infected with malware. This category also includes IPs with an average low Reputation Index score. Enabling this category will prevent access from sources identified as contacting malware distribution points.
- Phishing: IP addresses hosting phishing sites and other kinds of fraud activity such as ad click fraud or gaming fraud.
- Proxy: IP addresses providing proxy and anonymization services. This category also includes TOR anonymizer IP addresses.
IP Intelligence Overview
Service Module
- IP Intelligence: dynamic Threat IPs
- All BIG-IP appliances
- Near-real-time updates (up to 5 min intervals)
- Dramatically reduces system loads
- Subscription-based service
IP Intelligence Highlights
- Developed from customer-driven demand: ever-increasing volume of threats
- Improves security by stopping known bad traffic: static and publicly available blacklists are insufficient
- Compelling value: better appliance efficiency by reducing network traffic; value-add layer of IP-based security; faster threat response with near-real-time updates
Provisioned across multiple threat types, delivering dynamic updates in near real time.
IP Intelligence: How It Works
- Fast IP update of malicious activity
- Global sensors capture IP behaviors
- Threat correlation reviews, blocks and releases
Key Threats: Web Attacks, Reputation, Windows Exploits, Botnets, Scanners, Network Attacks, DNS Exploit
Sensor Techniques: Semi-open Proxy Farms, Honeypots, Naïve User Simulation, Web App Honeypots, Third-party Sources
IP Intelligence: identify and allow or block IP addresses with malicious activity
- Scanners
- Internally infected devices and servers
- Use IP Intelligence to defend against attacks
- Reduce operational and capital expenses
IP Intelligence Use Cases for BIG-IP
Malicious Inbound Connection Attempts
  Scenario: reject inbound connection attempts from known Threat IPs; real-time feeds update automatically
  Benefits: improve security and performance; enhance perimeter security; mitigate DoS attacks; increase device throughput
Malicious Outbound Communications
  Scenario: block outbound communications from infected endpoints (i.e., zombies) to botnet networks
  Benefits: reduce security risk; prevent fraud; prevent information leakage
Packet Parsing Reduction
  Scenario: reduce processing time (e.g., form input parsing and validation overhead) by blocking traffic from known Threat IPs
  Benefits: increase performance and scalability of protected applications
Anonymization Prevention
  Scenario: block inbound connections from anonymous proxies
  Benefits: increase security and performance of the device; prevent fraud
Phishing Protection
  Scenario: protect high-value websites by preventing access to site objects by phishing sites, or by any non-end-user source
  Benefits: increase availability and performance of protected servers/applications; prevent fraud
Botnets
  Scenario: block botnet C&C channels and infected zombie machines controlled by a bot master for DoS and other attacks
  Benefits: improve security and performance; enhance perimeter security; mitigate DoS attacks; increase device throughput
iRules Availability for IP Intelligence: all BIG-IP systems
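As an added example that is not part of this deck or of F5's own configuration, the iRule below applies the category-based inbound and outbound blocking from the use cases above. It assumes the documented IP::reputation iRule command (returns the categories the database assigns to an address, empty when the address is unknown), category names matching the labels used in this deck, and a hypothetical address data group named ip_allowlist that plays the role of the whitelist.

```tcl
# Added example, not F5's own code. Assumes IP::reputation (BIG-IP 11.2+)
# returns the category names assigned to an address (empty if not listed),
# category strings as labelled in this deck, and a hypothetical address
# data group "ip_allowlist" holding IPs that must never be rejected.

when RULE_INIT {
    # Constructed deny lists; tune per environment.
    # Inbound: categories that should never reach the application.
    set static::ipi_inbound_deny [list "Windows Exploits" "Web Attacks" \
        "Botnets" "Scanners" "Denial of Service" "Phishing" "Proxy"]
    # Outbound: destinations an internal host should never be talking to
    # (infected endpoint calling a botnet C&C or a phishing host).
    set static::ipi_outbound_deny [list "Botnets" "Phishing"]
}

when CLIENT_ACCEPTED {
    set client [IP::client_addr]
    # Approved addresses bypass the reputation check (the deck's whitelist).
    if { [class match $client equals ip_allowlist] } { return }
    set cats [IP::reputation $client]
    foreach cat $static::ipi_inbound_deny {
        # "contains" is a substring test, so it works whether the lookup
        # result is a Tcl list or a single string of category names.
        if { $cats contains $cat } {
            log local0. "IPI inbound reject $client category=\"$cat\" all=\"$cats\""
            reject
            return
        }
    }
}

when LB_SELECTED {
    # Outbound use case on a forwarding virtual server: the chosen
    # destination itself may be a known threat IP.
    set dest [LB::server addr]
    set cats [IP::reputation $dest]
    foreach cat $static::ipi_outbound_deny {
        if { $cats contains $cat } {
            log local0. "IPI outbound reject [IP::client_addr] -> $dest category=\"$cat\""
            reject
            return
        }
    }
}
```

The log lines give the ASM-independent audit trail a SOC needs to confirm which category drove a reset, which matters when a false positive has to be traced back to a database refresh.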
Easily Configure Violation Categories: IP Intelligence Service Management in the BIG-IP ASM UI
- Easily manage alarms and blocking in ASM
- Approve desired IPs with the Whitelist
- Policy Building enabled for ignoring
IP Intelligence Violation Reporting: view and learn the current IP violations in the BIG-IP ASM UI
Graphical Reporting: detailed chart path of threats in BIG-IP ASM
IP Intelligence Database and Limitations
- Database is refreshed as frequently as every 5 min
- Status is available in the ASM UI
- Current limitations: IPv6 is not supported
BIG-IP Global Delivery Intelligence: Key Points
- Intelligence-based predicted Threat IPs: based on observation, context and statistical modeling; aging and correlation of Threat IP data
- Broad-based threat identification: global network of sensors addressing diverse use cases; Threat IPs are catalogued and tracked indefinitely
- Cloud-based architecture: Global Delivery Intelligence is a subscription-based service with real-time continuous updates
- Available throughout all BIG-IP systems: configurable in the ASM UI; accessible from iRules for all BIG-IP solutions
Brian Boyan - b.boyan@f5.com
Tony Ganzer - t.ganzer@f5.com
http://www.f5.com/featured/video/ip-intelligence-service