DATACENTER SECURITY

Paul Deakin, System Engineer, F5 Networks

Source: …governmentvideosolutionsforum.com/pdf/F5032614SecurityPreso.pdf

Datacenter Security Needs

• To scale: scale for a work-anywhere / SSL-everywhere world.
• To secure: security for applications and data against sustained attacks.
• To simplify: simplification of point solutions and complex firewall configurations.

DDoS Attacks Exhaust Network Resources

• It started simple
• More user types, services
• Application issues

[Figure: the attack path through the datacenter, BANDWIDTH >> PACKET >> CONNECTION >> OS >> HTTP(s) >> APP (PHP/ASP) >>> DB, drawn across the tiers Firewall, DDoS appliance, APP accelerator, Load balancer, Web servers and Database. Resource-exhaustion labels in the figure: carriers' bandwidth, ISP's bandwidth, your bandwidth; state table: too many connections; state table: TCP flood; negative caching; proxy bypass; state table: IPs; low & slow; Layer 7 random; Layer 7 logical; state table: ACL performance degrade; and, for the server tiers, "many" CPU, database load, thread jam, log attack, memory exhaustion and connection flood conditions.]

DDOS MITIGATION

Application attacks: Slowloris, Slow Post, HashDos, GET Floods
• Mitigated by BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
• Mitigated by BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.

Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
• Mitigated by BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

[Figure: F5 mitigation technologies mapped onto the OSI stack, Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1), with an axis labelled "Increasing difficulty of attack detection".]

Typical Architecture

[Figure: typical architecture in which known and unknown users and corporate users reach App 1, App 2, App 3 and back office + network management via ISPa / ISPb and SaaS, through an NGFW, IPS, BIG-IP LTM, SSL VPN, a web application firewall and outbound protection; the second variant of the slide adds a DDoS protector.]

ADC Reference Architecture

[Figure: BIG-IP AFM deployed for inbound protection in front of application services and public resources, with ISPa / ISPb, SaaS, NGFW, a log server and outbound protection, serving known and unknown users and corporate users across App 1, App 2 and App 3.]

ADF deployment options:
• LTM + AFM + APM: L2-L4 DDoS, L3/L4 access control, authentication/SSO
• LTM + AFM + ASM: L2-L7 DDoS, WAF for critical apps and compliance control
• LTM + AFM + DNS SVC: corporate user access to back office + DNS services

Use case: Protecting the datacenter

[Figure: "Before F5" shows separate point products (load balancer, DNS security, network DDoS, web application firewall, web access management, load balancer & SSL, application DDoS, firewall); "With F5" consolidates them onto BIG-IP.]

• Consolidation of firewall, app security, traffic management
• Protection for data centers and application servers
• High scale for the most common inbound protocols

Use case: SSL Inspection

• Gain visibility and detection of SSL-encrypted attacks
• Achieve high-scale/high-performance SSL proxy
• Offload SSL—reduce load on application servers

SYN Check™ SYN-Cookie Protection (HW/SW)

Mitigating SYN floods using the SYN Check feature.

TMOS has had a built-in feature since version 9.4 to deal with SYN floods using SYN cookies, in a function called SYN Check.

All PVA2 and ePVA platforms handle SYN cookies in either software or hardware; the other platforms handle them in software only.

F5 supports up to 640 million SYN cookies in hardware on the high-end platform, down to 20 million in hardware on the single-U appliance.

[Figure: VIPRION chassis]
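The mechanism behind SYN cookies, as an added example that is not F5's SYN Check implementation: a stateless listener encodes a time counter, an MSS index and a keyed hash into the sequence number of its SYN-ACK, keeps nothing per SYN, and creates connection state only when the final ACK echoes a cookie that verifies. The bit layout, MSS table, counter window, secret and addresses are constructed assumptions for illustration; a real stack works on raw TCP headers.

```python
"""Added example (not F5 code): stateless SYN-cookie handshake validation."""
import hashlib
import hmac

# Constructed MSS table: a 3-bit index rides inside the cookie so the server can
# recover a usable MSS for the connection without having stored the SYN.
MSS_TABLE = (536, 1300, 1440, 1460)


def _mac24(secret, saddr, sport, daddr, dport, client_isn, mss_idx, count):
    """24-bit keyed hash over the 4-tuple, client ISN, MSS index and time counter."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{client_isn}|{mss_idx}|{count}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(secret, saddr, sport, daddr, dport, client_isn, mss, count):
    """Server ISN layout (assumed): 5-bit counter | 3-bit MSS index | 24-bit MAC."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i            # largest table entry not exceeding the offered MSS
    mac = _mac24(secret, saddr, sport, daddr, dport, client_isn, mss_idx, count)
    return ((count & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(secret, saddr, sport, daddr, dport, client_isn, cookie, count):
    """Validate a cookie echoed in the final ACK; return the encoded MSS or None.
    The current and the previous counter value are accepted, so a handshake that
    straddles a counter tick still completes; anything older is rejected."""
    cookie_count = (cookie >> 27) & 0x1F
    if (count - cookie_count) & 0x1F not in (0, 1):
        return None
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac24(secret, saddr, sport, daddr, dport, client_isn, mss_idx, cookie_count)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


class SynCookieListener:
    """Listening socket that keeps no per-SYN state: an entry appears in the
    connection table only when a valid cookie comes back in the ACK."""

    def __init__(self, secret):
        self.secret = secret
        self.connections = {}    # (saddr, sport, daddr, dport) -> negotiated MSS

    def on_syn(self, saddr, sport, daddr, dport, client_isn, mss, count):
        """Answer a SYN with a SYN-ACK whose ISN is the cookie; nothing is stored."""
        return make_cookie(self.secret, saddr, sport, daddr, dport, client_isn, mss, count)

    def on_ack(self, saddr, sport, daddr, dport, seq, ack, count):
        """Final ACK of the handshake: seq is client_isn+1, ack is cookie+1."""
        mss = check_cookie(self.secret, saddr, sport, daddr, dport,
                           (seq - 1) & 0xFFFFFFFF, (ack - 1) & 0xFFFFFFFF, count)
        if mss is not None:
            self.connections[(saddr, sport, daddr, dport)] = mss
        return mss


def simulate_flood(listener, n, count):
    """Constructed flood: n SYNs from distinct sources, none completing the
    handshake. Returns the connection-table size afterwards (unchanged, because
    the listener stores nothing per SYN)."""
    for i in range(n):
        listener.on_syn(f"203.0.113.{i % 256}", 1024 + i, "192.0.2.10", 443,
                        client_isn=i, mss=1460, count=count)
    return len(listener.connections)


if __name__ == "__main__":
    lst = SynCookieListener(b"constructed-secret-rotate-me")
    print("entries after 100000 SYNs:", simulate_flood(lst, 100000, count=1))
    isn = lst.on_syn("198.51.100.7", 51000, "192.0.2.10", 443, client_isn=42, mss=1460, count=1)
    print("legit handshake MSS:", lst.on_ack("198.51.100.7", 51000, "192.0.2.10", 443,
                                             seq=43, ack=isn + 1, count=2))
```

The counter window bounds how long a cookie stays valid, and the MAC covers the MSS index so the echoed option cannot be altered without the secret. The cost of statelessness is that TCP options not encoded in the cookie (window scaling, SACK) are lost for cookie-established connections, which is why stacks normally engage cookies only once the SYN backlog is under pressure.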

iRules with Security: HashDos—Post of Doom

• The “HashDos—Post of Doom” vulnerability affects all major web servers and application platforms.
• A single DevCentral iRule mitigates the vulnerability for all back-end services.
• Staff can schedule patches for back-end services on their own timeline.

iRules with Security: Prioritize connections based on country

https://devcentral.f5.com/wiki/irules.whereis.ashx

The Dynamics of the DNS Market: DNS demand from Internet growth, 4G/LTE, DDoS protection and availability

[Chart: average daily load for DNS (TLD), queries in billions, for the years '08 through '12; values shown: 39, 43, 50, 57, 77.]

• It is typical for a single web page to consume 100+ DNS queries from active content, advertising and analytics.
• Global mobile data (4G/LTE) is driving the need for fast, available DNS.

[Chart: mobile data per subscriber, non-4G LTE 86MB/mo vs. 4G LTE 2.4GB/mo, 18X growth 2011-2016.]

• New ICANN TLDs will create new demands for scale.
• Attacks on DNS are becoming more common: cache poisoning attacks, reflection / amplification DDoS, and a drive for DNSSEC adoption.
• DNS services must be robust: distributed, available and high performance, with GSLB for multiple datacenters, geographically dispersed DCs, DNS capacity close to subscribers, and total service availability.

DNS the F5 Way

[Figure: conventional DNS deployment: Internet, external firewall, DMZ with DNS load balancing in front of an array of DNS servers, internal firewall, and a hidden master DNS in the datacenter infrastructure.]

Conventional DNS Thinking
• Adding performance = DNS boxes
• Weak DoS/DDoS protection

F5 DNS Delivery Reimagined
• Massive performance over 10M RPS!
• Best DoS / DDoS protection
• Simplified management (partner)
• Less CAPEX and OPEX

F5 Paradigm Shift: DNS firewall, DNS DDoS protection, protocol validation, authoritative DNS, caching resolver, transparent caching, high performance DNSSEC, DNSSEC validation, intelligent GSLB

Advanced Firewall Manager

BIG-IP Advanced Firewall Manager (AFM)

• Packaging
  • SW license
  • Supported on all platforms (BIG-IP VE, BIG-IP Appliances and VIPRION)
  • Standalone or add to LTM
• Features
  • L4 stateful full proxy firewall
  • IPsec, NAT, advanced routing, full SSL, AVR, Protocol Security
  • DDoS (TCP, UDP, DNS, floods, HTTP): over 80 attack types
  • GUIs for configuring rules, logging, etc.
  • All under a new Security tab

AFM GUI Configuration
• Main configuration under the new Security tab
• Context-aware rules can be configured at the object level

AFM DoS protection
• Security > DoS Protection > Device Configuration
• Applied globally
• L2-L4 DoS attack vector detection and thresholding in hardware on platforms using the HSBe2 FPGA: BIG-IP 5000 series, BIG-IP 7000 series, BIG-IP 10000 series, VIPRION B4300 blade, VIPRION B2100 blade

AFM DoS DNS protection
• Security > DoS Protection > DoS Profile

DoS Report Samples

IP Intelligence

IP Intelligence Overview
• Dynamic threat IPs
• All BIG-IP appliances
• Near-real-time updates (up to 5 min intervals)
• Dramatically reduces system loads
• Subscription-based service

IP Intelligence: identify and allow or block IP addresses with malicious activity
• Use IP intelligence to defend against attacks
• Reduce operational and capital expenses

[Figure: the IP Intelligence service feeding BIG-IP with the addresses of scanners and of internally infected devices and servers.]

iRules availability for IP Intelligence: all BIG-IP systems
• Easily manage alarms and blocking in ASM
• Approve desired IPs with a whitelist
• Policy Building enabled for ignoring

Easily configure violation categories: IP Intelligence service management in the BIG-IP ASM UI

Web Application Security

Anatomy of a Web Application

[Figure: the browser sends an HTTP request to the web server and receives an HTML page; behind the web server sit the application server (CGI scripts), the backend app server and the database server holding the data.]

• Web applications are complex entities, consisting of many components, that may be:
  • Internally developed
  • Externally developed
  • Off-the-shelf
• The majority of e-commerce applications consist of at least 3 main components:
  • Web server
  • Application server
  • Database
• Interaction may exist at all levels between user and database.
• The browser is the entity interacting with the web application: it sends HTTP requests and receives an HTML page.
• At any level of the web application structure, data can be manipulated, leaked out or exploited.
• Without any protection, holes and backdoors exist at every layer.

Applications at Risk: “We Already Have a Firewall”

[Figure: a firewall with the rules "Allow 80 (HTTP)" and "Allow 443 (HTTPS)" between web browsers and the application.]

• Without the application context, requests appear legal and pass through firewalls.
• SSL secures traffic, but also secures attacks.

ASM security features

• ASM provides protection against:
  • Parameter Tampering
  • Dynamic Parameter Tampering
  • Cookie Poisoning
  • Buffer Overflow
  • Stealth Commanding
  • Backdoor & Debug
  • CSS
  • HTTP Hardening
  • SQL Injection
  • HTTP Methods
  • File Upload
  • Data Encoding
  • 3rd party mis-configuration
  • Known Vulnerabilities
  • Unicode Support
  • Application Path Blocking
  • Hidden Field Manipulation
• ASM provides XML protection against:
  • XML parsing exploits
  • XML injection (passed into XML stream)
  • WSDL discovery and manipulation with schemas
  • XML DoS attacks against web services
  • XML - common application attacks (SQL injection etc.)

Computational DoS mitigation in HTTP L7 – Application Security Manager

Transactions Per Second (TPS) based anomaly detection: TPS-based anomaly detection allows you to detect and mitigate DoS attacks based on client-side behavior (the transaction rate).

Latency-based anomaly detection: latency-based anomaly detection allows you to detect and mitigate attacks based on the behavior of the server side (response latency).
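The two detection modes described above, as an added example that is not ASM's implementation: a detector learns a per-client transaction-rate baseline and a per-URL latency baseline from a window of normal traffic, then flags clients whose TPS, and URLs whose mean latency, exceed both an absolute floor and a multiple of the baseline. The log format, thresholds, addresses and traffic are constructed for the example.

```python
"""Added example (not F5 code): TPS- and latency-based L7 DoS anomaly detection."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Request:
    ts: float          # epoch seconds
    client_ip: str
    url: str
    latency_ms: float  # server response time


def parse_log(lines):
    """Parse constructed 'ts client_ip url latency_ms' lines into Request records."""
    reqs = []
    for line in lines:
        ts, ip, url, lat = line.split()
        reqs.append(Request(float(ts), ip, url, float(lat)))
    return reqs


def _span(reqs):
    """Seconds covered by a batch (at least 1 s, so rates never divide by zero)."""
    return max(max(r.ts for r in reqs) - min(r.ts for r in reqs), 1.0)


class L7DosDetector:
    """Client-side signal: per-client TPS. Server-side signal: per-URL latency.
    Thresholds are assumptions for the example: an entity is flagged when it
    exceeds both an absolute floor and a ratio of the learned baseline."""

    def __init__(self, tps_ratio=5.0, tps_floor=10.0,
                 latency_ratio=3.0, latency_floor_ms=200.0):
        self.tps_ratio = tps_ratio
        self.tps_floor = tps_floor
        self.latency_ratio = latency_ratio
        self.latency_floor_ms = latency_floor_ms
        self.baseline_tps = 0.0
        self.baseline_latency = {}

    def learn_baseline(self, reqs):
        """Learn from a quiet window: busiest client sets the TPS baseline,
        each URL's mean response time sets its latency baseline."""
        span = _span(reqs)
        self.baseline_tps = max(Counter(r.client_ip for r in reqs).values()) / span
        by_url = defaultdict(list)
        for r in reqs:
            by_url[r.url].append(r.latency_ms)
        self.baseline_latency = {u: mean(v) for u, v in by_url.items()}

    def evaluate(self, reqs):
        """Return ({client_ip: tps}, {url: mean_latency_ms}) for offenders."""
        span = _span(reqs)
        tps_limit = max(self.tps_floor, self.tps_ratio * self.baseline_tps)
        tps_offenders = {ip: n / span
                         for ip, n in Counter(r.client_ip for r in reqs).items()
                         if n / span >= tps_limit}
        by_url = defaultdict(list)
        for r in reqs:
            by_url[r.url].append(r.latency_ms)
        latency_offenders = {}
        for url, lats in by_url.items():
            base = self.baseline_latency.get(url, self.latency_floor_ms)
            limit = max(self.latency_floor_ms, self.latency_ratio * base)
            if mean(lats) >= limit:
                latency_offenders[url] = mean(lats)
        return tps_offenders, latency_offenders


def build_constructed_logs():
    """Constructed traffic: 10 s of normal browsing by three clients, then a 10 s
    window in which one extra client sends 300 requests to /search and the
    server's /search latency degrades under the load."""
    normal, attack = [], []
    for sec in range(10):
        for i, ip in enumerate(("198.51.100.1", "198.51.100.2", "198.51.100.3")):
            url = "/search" if i == 0 else "/home"
            normal.append(f"{1000 + sec}.{i} {ip} {url} 50")
            attack.append(f"{2000 + sec}.{i} {ip} {url} 60")
    for k in range(300):   # 30 TPS from a single source
        attack.append(f"{2000 + k / 30:.3f} 203.0.113.9 /search 900")
    return normal, attack


def run_demo():
    normal, attack = build_constructed_logs()
    det = L7DosDetector()
    det.learn_baseline(parse_log(normal))
    return det.evaluate(parse_log(attack))


if __name__ == "__main__":
    tps, lat = run_demo()
    print("TPS offenders:", tps)
    print("Latency offenders:", lat)
```

Learning from a window that already contains attack traffic inflates the baseline, so the learning window must come from a quiet period. Per-URL latency can also rise for benign reasons (a slow backend query), so the server-side signal is best corroborated with the client-side rate signal before any mitigation is applied.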

Protection From Top Web App. Vulnerabilities (Open Web Application Security Project)

OWASP Top 10 Web Application Security Risks:

1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

Source: www.owasp.org

Unified Access

BIG-IP Local Traffic Manager + Access Policy Manager

[Figure: users, including hosted virtual desktop users, reach web servers (App 1 ... App n, each APP on its own OS), SharePoint, OWA, cloud and directory resources through BIG-IP LTM + APM, which consults an AAA server. Example policy conditions: corporate domain, latest AV software, current O/S, user = HR → HR resources; Administrator.]

Enable simplified application access: create policy

• Proxy the web applications to provide authentication, authorization, endpoint inspection, and more, all tying into Layer 4-7 ACLs through F5’s Visual Policy Editor.

ENHANCING WEB ACCESS MANAGEMENT

Access Policy using SMS token

APM SAML: How it Works

[Figure: end users and business partners (public/private) reach Login.example.com, Sharepoint.example.com, OWA.example.com and Portal.example.com across Data center 1 and Data center 2, with Active Directory, ADFS and an Apache/Tomcat app behind BIG-IP APM.]

1. Domain user makes a SAML-supported request for a resource.
2. An SP-initiated post is sent back to the client in the form of a redirect to https://login.example.com.
3. Client posts credentials to login; credentials are validated with Active Directory.
4. A SAML assertion is generated and passed back to the client with a redirect to the requested application.
5. Client successfully logs on to the application with the SAML assertion.
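The five steps above as an added example that is not F5 APM code: a simplified SP-initiated exchange in which the service provider redirects an unauthenticated client to the IdP, the IdP checks credentials against a directory stand-in and issues a signed assertion, and the SP verifies signature, issuer, audience, expiry and replay before creating a session. The assertion is JSON signed with an HMAC shared secret standing in for SAML's XML signature and the IdP's key pair; the hosts are the slide's example.com names; users, passwords and keys are constructed.

```python
"""Added example (not F5 APM code): simplified SP-initiated SSO exchange."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

IDP_URL = "https://login.example.com"    # IdP host named on the slide
SP_URL = "https://portal.example.com"    # one of the slide's applications
ASSERTION_TTL_S = 300                    # assumed assertion lifetime


def _pw_hash(password):
    """Constructed stand-in for the directory's credential check (not AD's scheme)."""
    return hashlib.sha256(password.encode()).hexdigest()


class IdentityProvider:
    """login.example.com: validates credentials (step 3), issues assertions (step 4)."""

    def __init__(self, signing_key, directory):
        self.key = signing_key
        self.directory = directory   # username -> password hash (Active Directory stand-in)

    def handle_login(self, username, password, audience, relay_state):
        stored = self.directory.get(username)
        if stored is None or not hmac.compare_digest(stored, _pw_hash(password)):
            return None              # bad credentials: no assertion is issued
        assertion = {"id": secrets.token_hex(8), "issuer": IDP_URL, "subject": username,
                     "audience": audience, "not_after": time.time() + ASSERTION_TTL_S}
        payload = json.dumps(assertion, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        token = base64.urlsafe_b64encode(payload).decode() + "." + sig
        # Redirect the client back to the requested application carrying the assertion.
        return f"{relay_state}?{urlencode({'SAMLResponse': token})}"


class ServiceProvider:
    """portal.example.com: redirects unauthenticated clients to the IdP (step 2)
    and consumes assertions (step 5)."""

    def __init__(self, idp_key):
        self.idp_key = idp_key       # shared secret standing in for the IdP's verification key
        self.sessions = {}           # session id -> subject
        self.seen_ids = set()        # consumed assertion ids, for replay rejection

    def request(self, resource, session_id=None):
        if session_id in self.sessions:
            return 200, resource
        params = {"SAMLRequest": SP_URL, "RelayState": SP_URL + resource}
        return 302, f"{IDP_URL}/saml?{urlencode(params)}"

    def consume(self, redirect_url):
        """Check signature, issuer, audience, expiry and replay; return a session id or None."""
        token = parse_qs(urlsplit(redirect_url).query).get("SAMLResponse", [""])[0]
        try:
            payload_b64, sig = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
        except ValueError:
            return None
        expected = hmac.new(self.idp_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None              # signature mismatch or tampered payload
        a = json.loads(payload)
        if (a.get("issuer") != IDP_URL or a.get("audience") != SP_URL
                or a.get("not_after", 0) < time.time() or a.get("id") in self.seen_ids):
            return None              # wrong issuer/audience, expired, or replayed
        self.seen_ids.add(a["id"])
        sid = secrets.token_hex(16)
        self.sessions[sid] = a["subject"]
        return sid


def run_flow(sp, idp, username, password, resource="/hr"):
    """Drive one client through steps 1-5; return (status, subject_or_None, redirect)."""
    status, location = sp.request(resource)                 # step 1: no session yet
    assert status == 302 and location.startswith(IDP_URL)   # step 2: SP-initiated redirect
    relay = parse_qs(urlsplit(location).query)["RelayState"][0]
    redirect = idp.handle_login(username, password, SP_URL, relay)   # steps 3-4
    if redirect is None:
        return 401, None, None
    sid = sp.consume(redirect)                              # step 5
    if sid is None:
        return 403, None, redirect
    status, _ = sp.request(resource, sid)
    return status, sp.sessions[sid], redirect


def build_demo():
    key = b"constructed-shared-secret"
    idp = IdentityProvider(key, {"alice": _pw_hash("correct horse")})
    return ServiceProvider(key), idp


if __name__ == "__main__":
    sp, idp = build_demo()
    print(run_flow(sp, idp, "alice", "correct horse")[:2])
    print(run_flow(sp, idp, "alice", "wrong password")[:2])
```

The audience check is what stops an assertion issued for one application being presented to another, and the consumed-id set is what stops the same assertion being presented twice; both are cheap on the SP side and are the checks most often missing from home-grown SSO consumers.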

TMOS and Platform

Full Proxy Security

[Figure: BIG-IP as a full proxy between client and server, with separate client-side and server-side stacks at the physical, network, session, application and web application layers. Annotations: L4 firewall: full stateful policy enforcement and TCP DDoS mitigation; SSL inspection and SSL DDoS mitigation; HTTP proxy, HTTP DDoS and application security; application health monitoring and performance anomaly detection.]

F5’s Approach: full proxy security, high-performance HW, iRules, iControl API

• TMOS traffic plug-ins
• High-performance networking microkernel
• Powerful application protocol support
• iControl—External monitoring and control
• iRules—Network programming language

[Figure: the traffic management microkernel as a proxy with a client side and a server side, each with IPv4/IPv6, SSL, TCP and HTTP stages (OneConnect on the server side); optional modules ASM, AFM and APM plug in for all F5 products and solutions.]

F5’s Purpose-Built Design: Performance and Scalability

Optimized hardware utilizing custom Field Programmable Gate Array (FPGA) technology tightly integrated with TMOS and software.

Embedded Packet Velocity Acceleration (ePVA) FPGA delivers:

• Linear scaling of performance
• High-performance interconnect between Ethernet ports and CPUs
• High L4 throughput and reduced load on the CPU
• Integrated hardware and software DDoS protection against large-scale attacks
• Predictable performance for low-latency protocols (FIX)

Example of unique F5 VIPRION architecture

Platform Overview

Platform                        Throughput (Gbs)   Max Conc. Conns   L4 Connection/s (CPS)   SSL TPS (2K keys)   HW SYN cookies/s
VIPRION 4800, 8 blade (B4340)   640                576,000,000       8,000,000               240,000             640,000,000
VIPRION 4480, 4 blade (B4340)   320                288,000,000       4,400,000               120,000             320,000,000
VIPRION 4480, 1 blade (B4340)   80                 72,000,000        1,100,000               30,000              80,000,000
VIPRION 2400, 4 blade (B2100)   160                48,000,000        1,600,000               40,000              160,000,000
VIPRION 2400, 1 blade (B2100)   40                 12,000,000        400,000                 10,000              40,000,000
BIG-IP 10200                    80                 36,000,000        1,000,000               75,000              80,000,000
BIG-IP 7200                     40                 24,000,000        775,000                 25,000              40,000,000
BIG-IP 5200                     30                 24,000,000        700,000                 21,000              40,000,000
BIG-IP 4200                     10                 10,000,000        300,000                 9,000               N/A
BIG-IP 2200                     5                  5,000,000         150,000                 4,000               N/A

[Figure: platform images: VIPRION 4800, VIPRION 44xx Chassis, VIPRION 2400 Chassis, BIG-IP 10x00, BIG-IP 7x00, BIG-IP 5x00, BIG-IP 4x00, BIG-IP 2x00 Series]

TMOS Architecture

[Figure: F5’s TMOS as a full proxy architecture with TCP Express (F5’s adaptive TCP stack) on the client side and on the server side, a common services layer, and unique high performance hardware. Feature boxes: High Performance SSL; GeoLocation Services; Rate Shaping; Fast Cache; High Performance Compression; Dynamic Routing; TCP Multiplexing & Optimal Connection Handling; Full IPv6/IPv4 Gateway; iRules Programming; iControl API; Management Control Plane (MCP) & High Speed Logging; Full L2 Switching; DoS and DDoS Protection; iSessions: F5 secure, optimized tunneling; Message-Based Traffic Management: Universal Switching Engine (USE); Universal Persistence: Transaction Integrity. Product modules on top: BIG-IP Local Traffic Manager (LTM), Global Traffic Manager (GTM), Application Acceleration Manager (AAM), Advanced Firewall Manager (AFM), Access Policy Manager (APM), Application Security Manager (ASM).]

Application Delivery Firewall: bringing an application-centric view to firewall security

• Full proxy—visibility and control
• #1 ADC—application fluency
• Extensibility
• Functionality across multiple systems
• Built for the new application-centric network

[Figure: one platform combining ICSA-certified firewall, application delivery controller, application security, access control, DDoS mitigation, SSL inspection and DNS security.]

F5 BIG-IP delivers ONE PLATFORM (HW/SW)

Products (ICSA-certified firewall, application delivery controller, application security, access control, DDoS mitigation, SSL inspection, DNS security):

Advanced Firewall Manager
• Stateful full-proxy firewall
• On-box logging and reporting
• Native TCP, SSL and HTTP proxies
• Network and Session anti-DDoS

Access Policy Manager
• Dynamic, identity-based access control
• Simplified authentication, consolidated infrastructure
• Strong endpoint security and secure remote access
• High performance and scalability
• VDI integration (ICA, PCoIP)

Local Traffic Manager
• #1 application delivery controller
• Application fluency
• App-specific health monitoring
• Application Offload
• Streamlined app. deployment

Application Security Manager
• Leading web application firewall
• PCI compliance
• Virtual patching for vulnerabilities
• HTTP anti-DDoS
• IP protection

Global Traffic Manager and DNSSEC
• Huge scale DNS solution
• Global server load balancing
• Signed DNS responses
• Offload DNS crypto

Application Acceleration (Web and WAN optimization)
• Front End Optimization
• Server offload
• Network optimization
• Mobile acceleration
• HTTP2.0 / SPDY gateway

F5 Delivers to Support Your Needs

• Increased scale and performance: industry-leading capacity and throughput.
• Higher security: full-proxy security, SSL inspection, and extensibility with iRules.
• Operational efficiency: consolidation of functions and an application-centric security model.