KEEPING THE BAD GUYS OUT WHILE LETTING THE GOOD GUYS IN Paul Deakin Federal Field Systems Engineer
F5 MISSION Deliver the most secure, fast, and reliable applications to anyone anywhere at any time. F5 Networks, Inc 2
Cisco & F5 Partnership: market leaders come together. "What's going to occur in the next decade will be around applications" - John Chambers, Cisco ACI announcement, November 6, 2013
What is Cisco Application Centric Infrastructure (ACI)?
F5 Worldwide Market Share: 2Q13 ADC* Market Share Leaders
F5: 49.8%
Netscaler: 28.4%
Radware: 6.6%
A10: 3.9%
Cisco: 3.4%
Other: 7.9%
*The Application Delivery Controller (ADC) segment includes server load balancing/Layers 4-7 switching and advanced (integrated) platforms. Graphic created by F5 based on Gartner data. Source: Gartner, Inc., "Market Share: Enterprise Network Equipment, Worldwide, 2QCY13", Skorupa, Pham, Canales, and Real, September 2013.
The Continuing Evolution of F5
1. Application Delivery Controller
2. Broadened Application Services
3. Virtualization & Cloud Ready
4. Software Defined Application Services
So What Exactly Are Application Services? DDoS Protection Load Balancing App Firewall Federated Auth Acceleration SSL Offload App Deployment Cloud Hosted Data Center Hosted
keeping the bad guys out
F5's Application Delivery Firewall: bringing an application-centric view to firewall security
One platform: ICSA-certified firewall, application delivery controller, application security, access control, DDoS mitigation, SSL inspection, DNS security
Full proxy visibility and control
#1 ADC application fluency
Extensibility: functionality across multiple systems
Built for the new application-centric network
F5 Integrated Security Solutions
Capabilities: ICSA-certified firewall, access control, application delivery control, DDoS mitigation, SSL inspection, application security, DNS security.
Products:
BIG-IP Advanced Firewall Manager: stateful full-proxy firewall; on-box logging and reporting; native TCP, SSL and HTTP proxies; network and session anti-DDoS.
BIG-IP Access Policy Manager: dynamic, identity-based access control; simplified authentication and consolidated infrastructure; strong endpoint security and secure remote access.
BIG-IP Local Traffic Manager: high performance and scalability; #1 application delivery controller; application fluency; app-specific health monitoring.
BIG-IP Application Security Manager: leading web application firewall; PCI compliance; virtual patching for vulnerabilities; HTTP anti-DDoS; IP protection.
BIG-IP Global Traffic Manager and DNSSEC: huge-scale DNS solution; global server load balancing; signed DNS responses; offload of DNS crypto.
iRules extensibility everywhere.
Security at the Critical Point in the Network
[Diagram: Total Application Delivery Networking. BIG-IP sits between clients, remote users and the cloud on one side and the data center's physical, virtual and storage resources on the other, providing SSL, L4/7, access, VPN and firewall services at that point.]
Full Proxy Security: BIG-IP terminates the client side and opens a separate server side at every layer, and enforces security at each one.
Physical
Network: L4 firewall with full stateful policy enforcement and TCP DDoS mitigation
Session: SSL inspection and SSL DDoS mitigation
Application: HTTP proxy, HTTP DDoS mitigation and application security
Web application: application health monitoring and performance anomaly detection
F5 DDoS Mitigation Technologies
Difficulty of attack detection increases up the OSI stack: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7).
Network attacks: SYN flood, connection flood, UDP flood, PUSH and ACK floods, Teardrop, ICMP floods, ping floods and Smurf attacks. Mitigated by BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate limiting, strict TCP forwarding. The Packet Velocity Accelerator (PVA) is purpose-built hardware that increases scale by an order of magnitude over software-only solutions.
Session attacks: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation. Mitigated by BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.
Application attacks: OWASP Top 10 (SQL injection, XSS, CSRF, etc.), Slowloris, Slow POST, HashDoS, GET floods. Mitigated by BIG-IP ASM: positive and negative policy enforcement, iRules, full proxy for HTTP, server performance anomaly detection.
Protect against DDoS at all layers; withstand the largest attacks; gain visibility and detection of SSL-encrypted attacks.
DDoS protection reference architecture
[Diagram: a two-tier design behind a multiple-ISP strategy (ISP a/b) and a cloud scrubbing service, with a next-generation firewall in front of corporate users and threat intelligence feeds informing both tiers.]
Tier 1 (network and DNS, IPS): absorbs network attacks (ICMP flood, UDP flood, SYN flood), SSL attacks (SSL renegotiation, SSL flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning).
Tier 2 (application): absorbs HTTP attacks (Slowloris, slow POST, recursive POST/GET) in front of the financial services, e-commerce and subscriber applications.
Threat intelligence feeds identify scanners, anonymous proxies, anonymous requests and botnet attackers; BIG-IP at the strategic point of control separates DDoS attackers from legitimate users.
Network Security - BIG-IP Advanced Firewall Manager (AFM)
Features: L4 stateful proxy firewall; web-based GUI, command line or API management; context-specific rules.
Packaging: software module license; add to the LTM install base or run standalone.
Network Security - BIG-IP Advanced Firewall Manager: what makes AFM different is context. Service defense in depth and a DoS tool kit. Packet handling: ACLs are matched per context, and contexts are processed in a fixed order.
AFM v11.3 and Packet Processing: contexts are evaluated in this order, and traffic that matches no rule falls through to the default.
1. Global
2. Route domain
3. Virtual server / self IP
4. Management IP
5. Default (drop)
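To make the context ordering concrete, here is an added example, not F5 code: a simplified model of AFM walking its contexts for one packet. Rule names, addresses and ports are constructed. Two AFM details the slide does not spell out are modelled as assumptions: a rule action of "accept" lets the packet continue to the next context (a later context may still drop it), while "accept-decisively" ends processing; a packet that matches no rule anywhere hits the default drop.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Illustrative model of AFM's context-ordered ACL evaluation (not F5 code).
# Assumed semantics: "accept" continues to the next context, "accept-decisively"
# terminates, "drop"/"reject" terminate, no match anywhere -> default drop.


@dataclass
class Rule:
    name: str
    action: str                     # accept | accept-decisively | drop | reject
    protocol: Optional[str] = None  # tcp | udp | icmp | None for any
    src: Optional[str] = None       # CIDR, or None for any
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
        if self.protocol and self.protocol != proto:
            return False
        if self.src and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


# Most general context first, as on the slide; within a context the first match wins.
CONTEXT_ORDER = ("global", "route_domain", "virtual_server", "self_ip", "management")


def evaluate(policy: Dict[str, List[Rule]], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, str, str]:
    """Return (verdict, context, rule) with verdict accept, drop or reject."""
    provisional = None
    for ctx in CONTEXT_ORDER:
        for rule in policy.get(ctx, []):
            if not rule.matches(proto, src_ip, dst_ip, dport):
                continue
            if rule.action == "accept":
                provisional = (ctx, rule.name)  # keep going: a later context may override
                break
            if rule.action == "accept-decisively":
                return "accept", ctx, rule.name
            return rule.action, ctx, rule.name  # drop or reject is final
    if provisional:
        return ("accept",) + provisional
    return "drop", "default", "implicit-deny"  # default-deny posture


# Constructed policy: a global blocklist, a permissive route-domain rule, and
# decisive per-listener rules on a virtual server and a self IP.
POLICY = {
    "global": [
        Rule("block-scanner-net", "drop", src="203.0.113.0/24"),
        Rule("allow-icmp", "accept", protocol="icmp"),
    ],
    "route_domain": [Rule("rd0-web", "accept", protocol="tcp", dport=443)],
    "virtual_server": [Rule("vs-https", "accept-decisively", protocol="tcp",
                            dst="192.0.2.10/32", dport=443)],
    "self_ip": [Rule("ssh-from-admin", "accept-decisively", protocol="tcp",
                     src="10.0.0.0/8", dport=22)],
}

if __name__ == "__main__":
    for pkt in [("tcp", "203.0.113.5", "192.0.2.10", 443),
                ("tcp", "198.51.100.7", "192.0.2.10", 443),
                ("tcp", "198.51.100.7", "192.0.2.10", 8080),
                ("tcp", "198.51.100.7", "192.0.2.1", 22)]:
        print(pkt, "->", evaluate(POLICY, *pkt))
```

The point a practitioner should take from the model is the last line of evaluate: a packet that no context claims is dropped, so a new listener needs an explicit rule in some context before it passes traffic.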
SSL INSPECTION
Gain visibility into, and detection of, SSL-encrypted attacks
High-scale, high-performance SSL proxy
Offload SSL processing from the application servers
ATTACKS MOVING UP THE STACK Network Threats Application Threats 90% of security investment focused here 75% of attacks focused here
IP INTELLIGENCE
An IP intelligence service feeds BIG-IP with address reputation (feed updates every 5 minutes) and a geolocation database, so that custom and financial applications can block traffic from attackers, botnets, scanners, anonymous proxies, anonymous requests and restricted regions or countries.
ASM PROTECTS AGAINST TOP APP VULNERABILITIES OWASP Top 10 Web Application Security Risks: 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards Source: www.owasp.org
How Does ASM Work? Security at the application, protocol and network level.
Request made, security policy checked; server response, security policy applied (content scrubbing, application cloaking), response delivered. Actions: log, block, allow.
Customer quote: "BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application."
Three Ways to Build an ASM Policy
1. Dynamic policy builder: automatic; no knowledge of the app required; adjusts policies if the app changes.
2. Manual: advanced configuration for custom policies.
3. Integration with app scanners: virtual patching with continuous application scanning.
Protection from Vulnerabilities: enhanced integration between BIG-IP ASM and security scanning services
A vulnerability scanner (WhiteHat Sentinel, Qualys, IBM, Cenzic) finds a vulnerability on the customer website; BIG-IP Application Security Manager applies a virtual patch with one click.
Vulnerability checking, detection and remediation; complete website protection.
Verify, assess, resolve and retest in one UI; automatic or manual creation of policies; discovery and remediation in minutes.
0-Day Security: Mitigate Vulnerabilities with iRules. The HashDoS "POST of Doom" vulnerability affects all major web servers and application platforms. A single DevCentral iRule on VIPRION mitigates the vulnerability for all back-end services, so staff can schedule patches for the back-end services on their own timeline.
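An added example, not the DevCentral iRule and not F5 code, showing both halves of the HashDoS story: why a request full of colliding parameter names is expensive for a back end that hashes them, and the parameter-count cap a full proxy can enforce before the request is forwarded. The hash is PHP-style DJBX33A, the request bodies are constructed, and MAX_PARAMS is an assumed limit rather than a BIG-IP default.

```python
import itertools

# Added illustration of HashDoS and its proxy-side mitigation (not F5 code).


def djbx33a(key: bytes) -> int:
    """Bernstein's times-33 hash, as used for PHP's parameter arrays."""
    h = 5381
    for b in key:
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def colliding_keys(n: int) -> list:
    """2**n distinct keys with identical DJBX33A hashes.
    b"Ez" and b"FY" collide (69*33 + 122 == 70*33 + 89 == 2399), and because the
    hash is iterated left to right, every concatenation of the two blocks collides too."""
    return [b"".join(blocks) for blocks in itertools.product((b"Ez", b"FY"), repeat=n)]


def attack_body(n: int) -> bytes:
    """Constructed application/x-www-form-urlencoded body of 2**n colliding parameters."""
    return b"&".join(k + b"=1" for k in colliding_keys(n))


def insert_cost(keys, buckets: int = 4096) -> int:
    """Key comparisons a chained hash table performs while inserting keys.
    With colliding keys every insert walks the whole chain: n*(n-1)/2 in total."""
    table = [[] for _ in range(buckets)]
    comparisons = 0
    for k in keys:
        chain = table[djbx33a(k) % buckets]
        comparisons += len(chain)  # equality checks against every key already in the chain
        if k not in chain:
            chain.append(k)
    return comparisons


MAX_PARAMS = 1000  # assumed cap on form fields per request; tune to the application


def count_params(body: bytes) -> int:
    return len([p for p in body.split(b"&") if p]) if body else 0


def proxy_allows(body: bytes) -> bool:
    """The proxy-side check: refuse bodies with more fields than the back end should hash."""
    return count_params(body) <= MAX_PARAMS


if __name__ == "__main__":
    evil = colliding_keys(10)
    print("colliding keys:", len(evil), "distinct hashes:", len({djbx33a(k) for k in evil}))
    print("comparisons, colliding:", insert_cost(evil))
    print("comparisons, ordinary:", insert_cost([b"k%d" % i for i in range(1024)]))
    print("proxy forwards attack body:", proxy_allows(attack_body(10)))
```

Counting fields on the proxy is cheap because it is linear in the body size, which is exactly the property the back end's hash table loses under collisions; the same cap also bounds the work ASM or the server spends parsing the request.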
F5 DevCentral: F5's global technical community. Over 100,000 members worldwide; 20,000+ members from EMEA; 55% of visits originate outside the U.S.; over 60,000 forum posts all time. iRules, iControl, advanced design/config, ISV solutions, and more.
How was your Heartbleed?
Heartbleed and F5
If F5 has been terminating your SSL for the last two years, your applications have been safe from Heartbleed.
Upgrade or hotfix your BIG-IP if you are running version 11.5.0 or 11.5.1.
Your BIG-IPs were vulnerable if you were running 11.5.0 or 11.5.1 and either you were using the COMPAT SSL stack or your management interface was reachable from the Internet.
Use no iRule if you terminate SSL with a clientssl profile on the BIG-IP.
Use the client-side iRule if you pass SSL through the BIG-IP to vulnerable servers.
Use the server-side iRule if you have vulnerable servers reachable from both the Internet and the intranet.
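What the pass-through iRules check, as an added example in Python rather than the DevCentral iRule itself: a heartbeat record is forwarded only if the payload_length it claims fits inside the TLS record that carries it, which is the bound (RFC 6520) that vulnerable OpenSSL failed to enforce. The sample records are constructed. The caveat that goes with this check: it only sees heartbeats sent in the clear, typically right after the handshake messages, because once the session is encrypted a pass-through device cannot read the heartbeat body, which is why terminating SSL on the BIG-IP with a clientssl profile is the cleaner fix.

```python
import struct

# Added example: length-consistency check for cleartext TLS heartbeat records (not F5 code).

TLS_HEARTBEAT = 24   # ContentType of the heartbeat extension, RFC 6520
MIN_PADDING = 16     # RFC 6520: at least 16 bytes of random padding


def check_record(record: bytes):
    """Return (forward, reason) for one TLS record.
    Non-heartbeat records are forwarded untouched; a heartbeat is forwarded only if
    type(1) + payload_length(2) + payload + 16 bytes padding fits in the record."""
    if len(record) < 5:
        return False, "truncated record header"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return True, "not a heartbeat"
    body = record[5:]
    if len(body) < rec_len:
        return False, "record header claims more bytes than are present"
    if rec_len < 3 + MIN_PADDING:
        return False, "heartbeat shorter than type + length + minimum padding"
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    if payload_len + 3 + MIN_PADDING > rec_len:
        return False, "payload_length %d does not fit in a %d-byte record" % (payload_len, rec_len)
    return True, "heartbeat lengths are consistent"


def heartbeat_record(payload: bytes, claimed_len: int,
                     padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build a TLS 1.2 heartbeat_request record with an arbitrary claimed payload length."""
    body = struct.pack("!BH", 1, claimed_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0303, len(body)) + body


# Constructed sample records.
BENIGN = heartbeat_record(b"ping", 4)            # claims 4 bytes, carries 4
MALICIOUS = heartbeat_record(b"", 0x4000)        # claims 16384 bytes, carries none
APP_DATA = struct.pack("!BHH", 23, 0x0303, 5) + b"hello"

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN), ("malicious", MALICIOUS), ("app data", APP_DATA)]:
        print(name, check_record(rec))
```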
Crypto's dirty little secret: SSL is always this close to being broken. SSLv2; MD5; SHA1; RC4; TLS 1.0 (BEAST); TLS 1.1 (CRIME); TLS 1.2 (Heartbleed). Two caveats on the slide's pairing: CRIME exploits TLS compression in any version that enables it, and Heartbleed was an OpenSSL implementation bug in the heartbeat extension rather than a flaw in TLS 1.2 itself. The point stands: the deployed stack, not just the protocol version, needs watching.
letting the good guys in
Who's Requesting Access? Employees, partners, customers, administrators. Manage access based on identity. IT is challenged to: control access based on user type and role; unify access to all applications; provide fast authentication and SSO; audit and report access and application metrics.
ENABLE SIMPLIFIED APPLICATION ACCESS with BIG-IP Access Policy Manager (APM)
[Diagram: users reach SharePoint, OWA, a cloud-hosted virtual desktop and the web and application servers (App 1 to App n) through BIG-IP Local Traffic Manager + Access Policy Manager, which authenticates them against the directory.]
Control Access of Endpoints: ensure strong endpoint security
BIG-IP APM allows, denies or remediates users based on endpoint attributes such as: antivirus software version and updates; software firewall status; machine certificate validation.
Invoke a protected workspace for unmanaged devices: restrict USB access; the cache cleaner leaves no trace; ensure no malware enters the corporate network.
BIG-IP Edge Client
Web-delivered and standalone client for Mac, Windows, Linux, iOS and Android: endpoint inspection, full SSL VPN, per-user flexible policy.
Enable mobility: smart connection roaming, uninterrupted application sessions.
Accelerate access: adaptive compression, client-side cache, client-side QoS.
Secure Web Gateway Reference Architecture
[Diagram: users on the private network are identified and mapped (Active Directory agent; authentication via Kerberos, NTLM, Basic Auth or a 407 proxy challenge) by the BIG-IP platform (LTM plus APM) acting as the secure web gateway. Outbound requests are classified against a categorization database and a threat intelligence service (real-time classification, malware analysis) and then allowed or blocked per access policy: entertainment sites, Facebook and Facebook games, YouTube viral video, e-commerce and B2B servers, or malicious servers hosting malware.]
Functions: log requests and ensure acceptable-use compliance; web security; malware protection; control bandwidth by policy; web security reporting.
CONSOLIDATING APP AUTHENTICATION (SSO)
Use case: a user in Finance on a corporate-managed device running the latest AV software authenticates once against the AAA server and reaches both Salesforce.com and the expense report app.
Dramatically reduce infrastructure costs; increase productivity. Provides seamless access to all web resources. Integrated with common applications.
What is SAML? It's web single sign-on (federated authentication). It eliminates the need for multiple passwords and password databases in multiple locations, i.e. you keep your directory behind your firewall. It enables enterprise apps in the cloud.
SAML lets you do this with your apps. Think of it as the enterprise counterpart of OAuth, with one distinction worth keeping straight: OAuth is a delegated-authorization protocol, while SAML web SSO is an authentication protocol in which the identity provider asserts who the user is and the service provider trusts that assertion.
SAML - Claims-Based Authentication
The process of authenticating a user based on a set of claims about its identity contained in a trusted token. Such a token is often issued and signed by an entity that stores and maintains this information about the user.
Claims in action:
1) Illinois has my information and driving test results.
2) I carry an Illinois driver's license.
3) Georgia does not have my information, but they trust Illinois.
4) So I am allowed to drive in Georgia.
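The driver's-license analogy, as an added example that is not APM code and not real SAML: a compact claims token (HMAC-signed JSON) stands in for the signed SAML assertion so that the service provider's checks can run without XML-DSig. The issuer names, keys and claims are constructed. Real SAML signs an XML assertion with the identity provider's private key and the service provider verifies it with the IdP's certificate, but the order of checks is the same: find the issuer in the trust store, verify the signature before believing any claim, then check audience and validity.

```python
import base64
import hashlib
import hmac
import json
import time

# Added illustration of claims-based authentication with a simplified token (not SAML, not F5 code).

# The service provider's trust store: Georgia trusts Illinois and nobody else.
TRUSTED_ISSUERS = {"idp.illinois.example": b"illinois-signing-secret"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(issuer: str, key: bytes, subject: str, claims: dict, audience: str,
                ttl: int = 300, now: float = None) -> str:
    """Identity provider side: sign a statement of claims for one audience and lifetime."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "sub": subject, "aud": audience, "exp": now + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())


def verify_token(token: str, audience: str, now: float = None):
    """Service provider side: return (subject, claims) only for an untampered token
    from a trusted issuer, addressed to us and still valid; otherwise None."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
        body = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if not isinstance(body, dict):
        return None
    key = TRUSTED_ISSUERS.get(body.get("iss"))  # the issuer claim only selects a key; nothing is trusted yet
    if key is None:
        return None                              # Georgia has no relationship with this issuer
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
        return None                              # signature first, before any claim is used
    exp = body.get("exp")
    if body.get("aud") != audience or not isinstance(exp, (int, float)) or exp <= now:
        return None                              # not meant for us, or no longer valid
    return body["sub"], body["claims"]


if __name__ == "__main__":
    tok = issue_token("idp.illinois.example", TRUSTED_ISSUERS["idp.illinois.example"],
                      "alice", {"role": "finance"}, "sp.georgia.example")
    print(verify_token(tok, "sp.georgia.example"))
```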
Security TAP Partners: endpoint inspection / AV; certificates and encryption; anti-fraud / secure browser; DAST; multi-factor authentication; web access management; DB firewall; mobile OS; mobile device management; security change management; FIPS/HSM security; DNS security and SBS; web and SaaS security; SIEM.
www.f5.com