KEEPING THE BAD GUYS OUT WHILE LETTING THE GOOD GUYS IN. Paul Deakin, Federal Field Systems Engineer


F5 MISSION: Deliver the most secure, fast, and reliable applications to anyone anywhere at any time. F5 Networks, Inc

Cisco & F5 Partnership: Market leaders come together. "What's going to occur in the next decade will be around applications" - John Chambers Cisco ACI announcement - November 6, 2013

What is Cisco Application Centric Infrastructure (ACI)?

F5 Worldwide Market Share: 2Q13 ADC* Market Share Leaders
F5: 49.8%; Netscaler: 28.4%; Radware: 6.6%; A10: 3.9%; Cisco: 3.4%; Other: 7.9%
*Application Delivery Controller (ADC) Segment Includes: Server Load Balancing/Layers 4-7 Switching and Advanced (Integrated) Platforms. Graphic created by F5 based on Gartner data.
[Chart: 2Q13 Gartner ADC Market Share]
Gartner, Inc. Market Share: Enterprise Network Equipment, Worldwide, 2QCY13, Skorupa, Pham, Canales, and Real, September 2013


The Continuing Evolution of F5: 1. Application Delivery Controller; 2. Broadened Application Services; 3. Virtualization & Cloud Ready; 4. Software Defined Application Services

So What Exactly Are Application Services? DDoS Protection, Load Balancing, App Firewall, Federated Auth, Acceleration, SSL Offload, App Deployment, Cloud Hosted, Data Center Hosted

keeping the bad guys out

F5's Application Delivery Firewall: Bringing an application-centric view to firewall security
One platform: ICSA-certified firewall, Application delivery controller, Application security, Access control, DDoS mitigation, SSL inspection, DNS security
Full proxy visibility and control; #1 ADC application fluency; Extensibility; Functionality across multiple systems; Built for the new application-centric network

F5 Integrated Security Solutions
One platform: ICSA-certified firewall, Access control, Application delivery controller, DDoS mitigation, SSL inspection, Application security, DNS security
Products:
Advanced firewall manager: Stateful full-proxy firewall; On-box logging and reporting; Native TCP, SSL and HTTP proxies; Network and Session anti-DDoS
Access policy manager: Dynamic, identity-based access control; Simplified authentication, consolidated infrastructure; Strong endpoint security and secure remote access; High performance and scalability
Local traffic manager: #1 application delivery controller; Application fluency; App-specific health monitoring
Application security manager: Leading web application firewall; PCI compliance; Virtual patching for vulnerabilities; HTTP anti-DDoS; IP protection
Global traffic manager and DNSSEC: Huge scale DNS solution; Global server load balancing; Signed DNS responses; Offload DNS crypto
iRules extensibility everywhere

Security at the Critical Point in the Network [Diagram labels: Physical; Virtual; Storage; Clients; Total Application Delivery Networking; Remote Services SSL L4/7 access VPN firewall; Cloud]

Full Proxy Security (the same stack appears on the Client / Server side at each end of the proxy)
Web application: Application health monitoring and performance anomaly detection
Application: HTTP proxy, HTTP DDoS and application security
Session: SSL inspection and SSL DDoS mitigation
Network: L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation
Physical

F5 Mitigation Technologies: DDoS MITIGATION
Increasing difficulty of attack detection up the OSI stack: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7)
Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
Application attacks: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods
BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
BIG-IP LTM and GTM: High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
Protect against DDoS at all layers; Withstand the largest attacks; Gain visibility and detection of SSL encrypted attacks

DDoS protection reference architecture
Network attacks: ICMP flood, UDP flood, SYN flood
SSL attacks: SSL renegotiation, SSL flood
DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
HTTP attacks: Slowloris, slow POST, recursive POST/GET
[Diagram labels: Next-Generation Firewall; Corporate Users; Tier 1; Tier 2; Multiple ISP strategy; Financial Services; Legitimate Users; DDoS Attacker; ISPa/b; Cloud Scrubbing Service; Network and DNS; IPS; Application; E-Commerce; Subscriber; Threat Feed Intelligence; Scanner; Anonymous Proxies; Anonymous Requests; Botnet; Attackers; Strategic Point of Control]

Network Security - BIG-IP Advanced Firewall Manager (AFM)
Features: L4 stateful proxy firewall; Web based GUI, command line, or API management; Context specific rules
Packaging: SW module license; Add to LTM install base or run standalone

Network Security - BIG-IP Advanced Firewall Manager
What makes AFM different: CONTEXT! / Service Defense In Depth / DOS Tool Kit
Packet handling: ACL match by context; Context packet processing order

AFM v11.3 and Packet Processing
Packet: Global, Route Domain, Virtual Server, Self-IP, Mgmt IP, Default (Drop)

SSL INSPECTION. SSL?! SSL? Gain visibility and detection of SSL-encrypted attacks scale/high-performance SSL proxy load on application servers

ATTACKS MOVING UP THE STACK. Network Threats: 90% of security investment focused here. Application Threats: 75% of attacks focused here.

IP INTELLIGENCE [Diagram labels: Attacker; Botnet; Restricted region or country; IP intelligence service; IP address feed updates every 5 min; Custom application; Anonymous requests; Financial application; Anonymous proxies; Scanner; Geolocation database]

ASM PROTECTS AGAINST TOP APP VULNERABILITIES OWASP Top 10 Web Application Security Risks: 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards Source: www.owasp.org

How Does ASM Work? Security at application, protocol and network level
[Diagram labels: Request made; Security policy checked; Server response; Content scrubbing; Application cloaking; Response delivered; Security policy applied; Actions: Log, block, allow]
"BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application."

Three Ways to Build an ASM Policy [Diagram labels: Security policy checked; Security policy applied]
Dynamic policy builder: Automatic; No knowledge of the app required; Adjusts policies if app changes
Manual: Advanced configuration for custom policies
Integration with app scanners: Virtual patching with continuous application scanning

Protection from Vulnerabilities. Enhanced integration: BIG-IP ASM and Security Scanning Services
[Diagram labels: Customer website; Vulnerability scanner; Finds a vulnerability; Virtual-patching with one-click on BIG-IP ASM; White Hat Sentinel; Vulnerability checking, detection and remediation; Complete website protection; Qualys; IBM; WhiteHat; Cenzic; BIG-IP Application Security Manager]
Verify, assess, resolve and retest in one UI; Automatic or manual creation of policies; Discovery and remediation in minutes


0-Day Security: Mitigate Vulnerabilities with iRules. HashDos Post of Doom vulnerability affects all major web servers and application platforms. VIPRION. Single DevCentral iRule mitigates vulnerability for all back-end services. Staff can schedule patches for back-end services on their own timeline.

F5 DevCentral: F5's global technical community. Over 100,000 members worldwide; 20,000+ members from EMEA; 55% of visits originate outside U.S.; Over 60,000 Forum Posts All Time. iRules, iControl, Advanced Design/Config, ISV solutions, and more!

How was your Heartbleed?

Heartbleed and F5
If F5 has been terminating your SSL for the last two years your applications have been safe from Heartbleed.
Upgrade/hotfix your BIG-IP if: you have version 11.5.0; you have version 11.5.1.
Your BIG-IPs were vulnerable if: you were using version 11.5.0 or 11.5.1 and you were using the COMPAT stack or your management interface was accessible to the Internet.
Use no iRule if: you are terminating SSL using a clientssl profile at the BIG-IP.
Use clientside iRule if: you are passing SSL through the BIG-IP to vulnerable servers.
Use serverside iRule if: you have vulnerable servers accessible from Internet and intranet.

Crypto's dirty little secret: SSL is always this close to being broken. SSLv2, MD5, SHA1, RC4, TLS1.0 (BEAST), TLS1.1 (CRIME), TLS1.2 (Heartbleed)

letting the good guys in

Who's Requesting Access? Employees, Partner, Customer, Administrator
Manage access based on identity
IT challenged to: Control access based on user-type and role; Unify access to all applications; Provide fast authentication and SSO; Audit and report access and application metrics

ENABLE SIMPLIFIED APPLICATION ACCESS with BIG-IP Access Policy Manager (APM) [Diagram labels: Users; BIG-IP Local Traffic Manager + Access Policy Manager; SharePoint; OWA; Cloud; Hosted virtual desktop; Directory; Web servers; App 1; App n]

Control Access of Endpoints: Ensure strong endpoint security [Diagram labels: Users; Web; BIG-IP APM]
Allow, deny or remediate users based on endpoint attributes such as: Antivirus software version and updates; Software firewall status; Machine certificate validation
Invoke protected workspace for unmanaged devices: Restrict USB access; Cache cleaner leaves no trace; Ensure no malware enters corporate network

BIG-IP Edge Client: Web-delivered and standalone client; Mac, Windows, Linux; iOS and Android; Endpoint inspection; Full SSL VPN; Per-user flexible policy
Enable mobility: Smart connection roaming; Uninterrupted application sessions
Accelerate access: Adaptive compression; Client-side cache; Client-side QoS

Secure Web Gateway Reference Architecture
[Diagram labels: Threat Intelligence Service; Facebook; Facebook Games; Authentication: Kerberos, NTLM, Basic Auth 407; Real Time Classification; Malware Analysis; E-Commerce; Private Network; Secure Web Gateway; Access Policy; Web Security; Reporting; Malicious Server; B2B Server; Firewall; Internet; Entertainment Site; Users; Identification Mapping; BIG-IP Platform; Youtube; Viral Video; Active Directory Agent; Categorization Database; Malware]
Log requests and ensure acceptable use compliance; Web security; Malware protection; Control bandwidth by policy
Legend: LTM = BIG-IP Local Traffic Manager; APM = BIG-IP Access Policy Manager

CONSOLIDATING APP AUTHENTICATION (SSO). Use case [Diagram labels: Salesforce.com; Finance; Corporate managed device; Latest AV software; AAA server; User = Finance; Expense Report App]
Dramatically reduce infrastructure costs; increase productivity. Provides seamless access to all web resources. Integrated with common applications.

What is SAML? It's Web Single Sign-On (federated auth). Eliminates need for multiple passwords/password databases in multiple locations, i.e., keep your directory behind your firewall. Enables enterprise apps in the cloud.

SAML lets you do this with your apps. Think of it as the enterprise version of OAuth.

SAML - Claims Based Authentication
The process of authenticating a user based on a set of claims about its identity contained in a trusted token. Such a token is often issued and signed by an entity that stores and maintains this information about the user.
Claims in Action:
1) Illinois has my information and driving test results
2) I carry an Illinois driver's license
3) Georgia does not have my information, but they trust Illinois
4) So I am allowed to drive in Georgia.
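The trust relationship in the driver's license analogy, as an added example that is not from the original slides or from F5: a relying party that holds no user records accepts claims only when a token is signed by an issuer it trusts, addressed to it, and unexpired. Assumptions: the issuer and service names, the key, and the JSON token layout are constructed for illustration, and HMAC-SHA256 stands in for the XML signature a real SAML assertion carries.

```python
import base64
import hashlib
import hmac
import json

# Constructed issuer name and key. HMAC with a per-issuer secret stands in for
# the XML signature a real SAML identity provider makes with its private key.
TRUSTED_ISSUERS = {"illinois-idp": b"constructed-demo-key-illinois"}


class TokenRejected(Exception):
    """Raised by the relying party when a token must not be honoured."""


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_token(issuer, key, subject, claims, audience, now, ttl=300):
    """Issuer side: state claims about a subject and sign the whole statement."""
    body = {"iss": issuer, "sub": subject, "aud": audience,
            "exp": now + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    enc = base64.urlsafe_b64encode
    return (enc(payload) + b"." + enc(_sign(key, payload))).decode()


def verify_token(token, trusted, audience, now):
    """Relying party side: honour claims only if a trusted issuer signed them."""
    try:
        p64, s64 = token.encode().split(b".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
        body = json.loads(payload)
    except ValueError as exc:
        raise TokenRejected("malformed token") from exc
    if not isinstance(body, dict) or not isinstance(body.get("iss"), str):
        raise TokenRejected("malformed token")
    key = trusted.get(body["iss"])
    if key is None:  # "Georgia" has no trust relationship with this issuer
        raise TokenRejected("issuer not trusted")
    # Signature first: nothing else in the body is believed until it checks out.
    if not hmac.compare_digest(sig, _sign(key, payload)):
        raise TokenRejected("bad signature")
    if body.get("aud") != audience:  # token was minted for a different service
        raise TokenRejected("wrong audience")
    if now >= body.get("exp", 0):
        raise TokenRejected("expired")
    return body["sub"], body["claims"]


def rejection_reason(token, trusted, audience, now):
    """Return the reason a token is refused, or None if it is accepted."""
    try:
        verify_token(token, trusted, audience, now)
    except TokenRejected as exc:
        return str(exc)
    return None
```

The relying party never looks the user up; its only inputs are the token and its own list of trusted issuers, which is why the directory can stay behind the firewall.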

Security TAP Partners: Endpoint inspect / AV; Certificates encryption; Anti-fraud / secure browser; DAST; Multi-factor authentication; Web access management; DB firewall; Mobile OS; Mobile device management; Security change management; FIPS/HSM security; DNS security and SBS; Web and SaaS security; SIEM

www.f5.com