F5 comprehensive protection against application attacks
Jakub Sumpich
Territory Manager Eastern Europe
j.sumpich@f5.com
F5 Agility 2014 2
Evolving Security Threat Landscape
spear phishing
redirected traffic
DNS malformed packet
smurf attack
syn flood
slowloris
web scraping
malware
URL tampering
brute force
SSL renegotiation
CSRF
recursive GET
cookie tampering
CVE
XSS
DNS Cache Poisoning
Identity Extraction
Trojans
ICMP Flood
parameter tampering
social engineering
SQL Injection
UDP flood
privilege escalations
HashDos
HTTP fragmentation
excessive GET/POST
key loggers
sockstress attack
ping of death
Phishing
DNS Amplification
The Growing Complexity of Application Attacks
Webification of apps
Evolving security threats
• 71% of surveyed experts predict most work will be done via web-based or mobile apps by 2020
• 69% of all Americans use web apps
• Cost of single cyber attack can be well above $1,000,000 (1M)
• 122 successful attacks per week (Ponemon Institute, Cost of Cyber Crime Study)
• 1.5M monitored cyber attacks in US (IBM Security Services, 2014 Cyber Security Intelligence Index)
Attacks are Moving “Up the Stack”
90% of security investment focused here
Network Threats Application Threats
75% of attacks focused here
Source: Gartner
• Most developers have known production software issues
• Vulnerabilities result from defects and issues
• Most developers cannot also be web security experts
• Not scalable to address on per-application basis
Some Firewall Vendors Would Have You Believe...
“Only those corporations that believe they have coding issues in their web applications need a WAF.”
• “97% of websites at immediate risk of being hacked due to vulnerabilities! 69% of vulnerabilities are client side-attacks” - Web Application Security Consortium
• “8 out of 10 websites vulnerable to attack” - WhiteHat “security report”
• “75 percent of hacks happen at the application.” - Gartner “Security at the Application Level”
• “64 percent of developers are not confident in their ability to write secure applications.” - Microsoft Developer Research
Almost every web application is vulnerable!
How long to resolve a vulnerability?
Website Security Statistics Report
Protecting the application layer requires a Web Application Firewall (WAF)
App Security not Addressed by Traditional Firewall Vendors
Slowloris
SQL injections
Cross site request forgery (CSRF)
HTTP DOS
Cross site scripting (XSS)
HashDOS
SSL-encrypted application attacks
Phishing attacks
GET Floods
Sensitive Data Leakage
Site reconnaissance
Web page scraping
Cookie injection and poisoning
Brute force logins & forceful browsing
Session hijacking
F5 Security Strategy
We support the biggest
• 47 of the Fortune 50 Companies
• 9 of the top 10 US Airlines
• 29 of the top 30 US Commercial Banks
• 10 of the top 10 US Telecoms
• 9 of the top 10 US Wireless Carriers
• 10 of the top 10 Global Brands
• 10 of the top 10 Global Automotive Companies
• 9 of the top 10 Global Oil & Gas Companies
Application Delivery Firewall (ADF) Solution
Protecting your applications regardless of where they live
Bringing deep application fluency and price performance to firewall security
EAL2+
EAL4+ (in process)
Network Firewall
One Platform
Traffic Management
Application Security
DNS Security
SSL
Access Control
DDoS Protection
Web Fraud Protection
Full Proxy Architecture = Full Proxy Security
Network
Session
Application
Web application
Physical
Client / server
L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation
SSL inspection and SSL DDoS mitigation
HTTP proxy, HTTP DDoS, and application security
Application health monitoring and performance anomaly detection
Full Proxy Security
Plug-in labels shown in the diagram (client side and server side): SSL, TCP, Access, OneConnect, HTTP, App FW, Third party
High-performance HW
iRules
iControl API
Traffic management microkernel
Proxy
Client side
Server side
F5’s Approach
• TMOS traffic plug-ins
• High-performance networking microkernel
• Powerful application protocol support
• iControl—External monitoring and control
• iRules—Network programming language
IPv4/IPv6
Benefits of Full-Proxy Architecture
Diagram labels: a Rule at each of the TCP, SSL and HTTP layers on both sides of the proxy
Attacks shown: ICMP flood, SYN flood, SSL renegotiation, Data leakage, Slowloris attack, XSS
Enforcement points shown: Network firewall, WAF
Application Access
Network Access
Network Firewall
Network DDoS Protection
SSL DDoS Protection
DNS DDoS Protection
Application DDoS Protection
Web Application Firewall
Fraud Protection
Virtual Patching
Comprehensive Application Security
• Provide transparent protection from ever-changing threats
• Secure against the OWASP top 10 and targeted zero-day threats
• Offer bot detection measures
• Enable DAST integration and virtual patching to reduce risks from vulnerabilities
• Provide positive/negative security, L7 DoS protection, and IP reputation
• Support dynamic intelligent services
Choose the Right Web Application Firewall (WAF) Solution
Secure response delivered
Request made
Server response generated
Firewall applies security policy
Vulnerable application
Firewall security policy checked
WAF
• Provides comprehensive protection for all web application vulnerabilities, including (D)DoS
• Logs and reports all application traffic and attacks
• Educates admin. on attack type definitions and examples
• Enables L2->L7 protection
• Unifies security, access control and application delivery
• Sees application level performance
• Provides On-Demand scaling
BIG-IP Application Security Manager
Powerful Adaptable Solution
ASM and SSL
ASM can do SSL termination and Offload SSL traffic from Web Servers
SSL key exchange done by hardware
SSL bulk encryption done by hardware
Centralize certificate management
SSL Offload
End-to-End Encryption
Choosing the Right Platform
Good, Better, Best Platforms
Platforms shown: 2000 series*, 4000 series, 5000 Series, 7000 Series, 10000 Series, 11000 Series, New VIPRION 2200, VIPRION 2400, VIPRION 4480, VIPRION 4800
Throughput tiers shown: 25M, 200M, 1Gbps, 3Gbps, 5Gbps, New 10Gbps
*Note: 2000 Series appliances are not offered with Better or Best bundles
Physical
F5 physical ADCs: High-performance with specialized and dedicated hardware
Physical ADC is best for:
• Fastest performance
• Highest scale
• SSL offload, compression, and DoS mitigation
• An all F5 solution: integrated HW+SW
• Edge and front door services
• Purpose-built isolation for application delivery workloads
Hybrid
Physical + virtual = hybrid ADC infrastructure: Ultimate flexibility and performance
Hybrid ADC is best for:
• Transitioning from physical to virtual and private data center to cloud
• Cloud bursting
• Splitting large workloads
• Tiered levels of service
Virtual
F5 virtual editions: Provide flexible deployment options for virtual environments and the cloud
Virtual ADC is best for:
• Accelerated deployment
• Maximizing data center efficiency
• Private and public cloud deployments
• Application or tenant-based pods
• Keeping security close to the app
• Lab, test, and QA deployments
Built for intelligence, speed and scale
Users
• Concurrent user sessions: 200K
• Concurrent logins: 3,000/sec.
Throughput
• 640 Gbps
• Concurrent connections: 288 M
• Connections per second: 12.2 M
• SSL TPS (2K keys): 240K/sec
• DNS query response: 12 M/sec
Resources
Working with Other Security Technologies
Ensuring the best protection requires a multi-vendor approach
ENDPOINT INSPECT/AV
CERTIFICATES
ENCRYPTION
SIEM
DAST
MULTI-FACTOR AUTHENTICATION
WEB ACCESS MANAGEMENT
DATABASE FIREWALL
MOBILE OS
MOBILE DEVICE MANAGEMENT
SECURITY CHANGE MANAGEMENT
FIPS/HSM SECURITY
DNS SECURITY AND SBS
WEB AND SAAS SECURITY
F5 Reference Architectures
Real solutions for real problems
Benefits
• Minimize deployment times
• Reduce security design costs
• Strengthen security posture
© F5 Networks, Inc.
DDoS Protection
S/Gi Network Simplification
Security for Service Providers
Application Services
Migration to Cloud
DevOps
LTE Roaming
Intelligent DNS Scale
Cloud Federation
Cloud Bursting
Secure Web Gateway
Web Fraud Protection
High Performance IPS