Page 1

F5 Government Tech Talk: Secure Your Critical Applications
Jay De Leo, Federal Field Systems Engineer
April 28, 2014

Page 2

F5 Company Snapshot

•  Leading provider of Application Delivery Networking products that optimize the security, performance & availability of network applications, servers and storage systems
•  FY12 Revenue: $1.38B (+31% y/y)

Chart: 2Q12 Gartner Advanced Platform DC Market Share (source: Gartner, Inc., Market Share: Application Acceleration Equipment, Worldwide, CYQ212, Joe Skorupa, Nhat Pham, Sept 2012)

Page 3

Government Agencies Trust F5

15 of the 15 executive branch agencies, plus many other DoD, civilian and commercial organizations rely on F5.

Page 4

Government Certifications

Certifications:
•  FIPS 140-2 Level 2
•  Common Criteria EAL2 (EAL4 in process)
•  DISA STIG
•  3 Year ATO at DISA
•  DIACAP/DITSCAP MAC II Level Certification
•  JITC PKE
•  In process: TIC Lab/JITC APL (UCCO TN 1312201)

Page 5

F5 BIG-IP Product Suite

•  Fast, secure, available
•  Best-in-class hardware platform and software virtual instance

Diagram: clients reach the application through Application Delivery Services running on the BIG-IP Hardware Platform or BIG-IP Virtual Edition.

Page 6

F5: An Intelligent Services Platform
F5 makes the connected world run better

Diagram: TMOS foundation (hardware and software) with iRules, iControl and iApps; labels: programmable/extensible, customizable traffic management, intelligent, integrated, context aware, scale, enterprise, intelligent ecosystem, DevCentral user community.

•  Secure: Delivers applications to high-performance mobile and remote users while providing dynamic, flexible and powerful security.
•  Fast: Improves performance, increases employee productivity, boosts business operations and drives e-commerce revenue.
•  Available: Efficiently delivers highly reliable application services while maintaining maximum availability regardless of location or state.

Page 7

F5: An Intelligent Services Platform
Product Modules

Available
•  LTM: Local Traffic Manager. Local server load balancing; application layer health monitoring; ACLs, packet filters, SYN flood protection
•  GTM: Global Traffic Manager. Automated global site redirection; network and application health monitoring; DNSSEC, IP geolocation

Fast
•  WBA: WebAccelerator. HTTP protocol optimization; intelligent browser referencing; image optimization
•  WOM: WAN Optimization Manager. Symmetric adaptive compression; symmetric data deduplication; L7 QoS
•  AAM: Application Acceleration Manager. WebAccelerator features; WAN optimization features; combined module with 11.4

Secure
•  APM: Access Policy Manager. User access control; CAC/PIV/smartcard enablement; portal, webtop
•  ASM: Application Security Manager. Layer 7 targeted attack prevention / DDoS / DDDoS; data leakage protection; OWASP Top Ten
•  AFM: Advanced Firewall Manager. Full-proxy firewall; Layer 4 DoS protection; protocol anomaly detection

Page 8

F5 Security Architecture

Page 9

Network Defense in Depth

Diagram: from the Internet, traffic passes through a chain of separate devices: Load Balancer, DNS Security, Network DDoS, Web Application Firewall, Web Access Management, Load Balancer & SSL, Application DDoS Firewall.

Challenges of this layered approach:
•  Lack of performance and scale
•  Inability to respond to changing threats
•  Failure to extend new services
•  Complexity and cost of multiple vendors

Page 10

Question

•  What is a Proxy?
•  What is a Full Proxy?
•  What is the difference between a forward proxy and a reverse proxy?

Page 11

Service Defense in Depth: Full Proxy Security

Diagram: the full proxy terminates each layer on both the client side and the server side (Physical, Network, Session, Application, Web application), with a separate client/server stack on each side.
•  Network: L4 firewall, full stateful policy enforcement and TCP DDoS mitigation
•  Session: SSL inspection and SSL DDoS mitigation
•  Application: HTTP proxy, HTTP DDoS and application security
•  Web application: application health monitoring and performance anomaly detection

Page 12

Service Defense in Depth: Full Proxy Security (continued)

Diagram: same layered client-side / server-side full proxy as page 11 (Physical, Network, Session, Application, Web application; L4 firewall with full stateful policy enforcement and TCP DDoS mitigation; SSL inspection and SSL DDoS mitigation; HTTP proxy, HTTP DDoS and application security; application health monitoring and performance anomaly detection).

F5's Approach
•  TMOS traffic plug-ins
•  High-performance networking microkernel
•  Powerful application protocol support
•  iControl: external monitoring and control
•  iRules: network programming language

Diagram: traffic management microkernel on high-performance HW, with iRules and the iControl API. The client-side stack (IPv4/IPv6, SSL, TCP, HTTP) and the server-side stack (SSL, TCP, OneConnect, HTTP) are joined by the proxy. Optional modules such as APM and Firewall plug in for all F5 products and solutions.

Page 13

Full Proxy Security Enables Service Defense
Bring deep application fluency to security

One platform:
•  SSL inspection
•  Traffic management
•  DNS security
•  Access control
•  Application security
•  Network firewall
•  DDoS mitigation

Page 14

F5 Solutions for Access Management and Authentication

Page 15

Authentication Alternatives Today

Diagram: users reach App 1, App 2, App 3 and App n through proxy web servers, with a Policy Manager and Directory behind them; the three alternatives are marked 1, 2 and 3 on the diagram.

1. Code in the application
•  Costly, difficult to change
•  Not repeatable, less secure

2. Agents on servers
•  Difficult to manage
•  Not interoperable or secure
•  Decentralized and costly

3. Specialized access proxies
•  Doesn't scale and basic reliability
•  More boxes and expensive

Page 16

A Better Alternative

Diagram: users reach App 1, App 2, App 3 and App n through LTM + APM in front of the proxy web servers, with the Policy Manager and Directory behind.

BIG-IP benefits:
•  Reduce costs and complexity
•  Gain superior scalability and high availability
•  Better security with dynamic L4 – L7 ACL control at LTM speeds
•  Repeatable, across multiple applications

Page 17

© F5 Networks, Inc

Enable Simplified Application Access with BIG-IP Access Policy Manager (APM)

Diagram: users connect through BIG-IP Local Traffic Manager + Access Policy Manager to the directory, SharePoint, OWA, cloud, web servers (App 1 to App n, each with its own APP/OS stack) and a hosted virtual desktop.

Page 18

Unified Access and Control with BIG-IP Access Policy Manager (APM)

BIG-IP® APM features:
•  CAC/PIV/Smartcard Enablement
•  Centralizes single sign-on and access control services
•  Full proxy L4 – L7 access control at BIG-IP speeds
•  Adds endpoint inspection to the access policy
•  Visual Policy Editor (VPE) provides policy-based access control
•  VPE Rules: programmatic interface for custom access policies
•  Supports IPv6

BIG-IP® APM ROI benefits:
•  Scales to 100K users on a single device
•  Consolidates auth. infrastructure
•  Simplifies remote, web and application access control

*AAA = Authentication, authorization and accounting

Page 19

Control Access of Endpoints
Ensure strong endpoint security

Diagram: users connect through BIG-IP APM to the web.

Allow, deny or remediate users based on endpoint attributes such as:
•  Antivirus software version and updates
•  Software firewall status
•  Machine certificate validation

Invoke protected workspace for unmanaged devices:
•  Restrict USB access
•  Cache cleaner leaves no trace
•  Ensure no malware enters corporate network

Page 20

Seamless Experience with a Universal Portal

•  Webtop unites internal and external application resources across your enterprise
•  Provides seamless presentation and access to Windows, Web, SaaS, Mobile Applications and data
•  Webtop helps organizations with RDP, VMware and Citrix consolidate on a single platform

Page 21

F5 Solutions for Application Security

Page 22

Question

•  Who needs to worry about application security?
•  What is the difference between network security and application security?

Page 23

“Most detected activity has targeted unclassified networks connected to the Internet, but foreign cyberactors are also targeting classified networks. Importantly, much of the nation's critical proprietary data are on sensitive but unclassified networks.”

James Clapper, Director of National Intelligence
http://news.cnet.com/8301-1009_3-57573902-83/intelligence-chief-offers-dire-warning-on-cyberattacks/

Page 24

Cyber-attacks in the News for 2011

Source: IBM X-Force 2011 Trend and Risk Report, March 2012

Page 25

Web Application Security
Proactively secure all web applications from current and future threats.

•  OWASP Top 10: Get protection from the top threats without impacting app performance or scale.
•  Dynamic App Security Testing: Key partnerships give you full vulnerability checking and website protection.
•  SDLC: Use built-in security capabilities to accelerate and improve app development.
•  IP Intelligence: Defend against malicious activity and web attacks.

Page 26

Targeted Attack Protection Use Case
BIG-IP Application Security Manager

Diagram (before): users and a hacker on the Internet reach Web 2.0 apps in the datacenter and private cloud apps through a plain load balancer (labelled "Security?").
•  Request made
•  Vulnerable application, no security policy
•  Unsecure response delivered / hacker given access

Page 27

Targeted Attack Protection Use Case
BIG-IP Application Security Manager

Diagram (after): BIG-IP Application Security Manager sits between the Internet (users and hacker) and both the Web 2.0 apps in the datacenter and the private cloud apps.
•  Request made
•  BIG-IP ASM applies security policy
•  Vulnerable application
•  Secure response delivered
•  BIG-IP ASM security policy checked

Page 28

DDoS Protection Use Case

Attacks:
•  SYN flood
•  ICMP flood
•  TCP flood
•  Slowloris

The infamous Wikileaks firewall failures

Page 29

BIG-IP Application Security Manager
Powerful Adaptable Security

•  Web Application Firewall
•  Provides comprehensive protection for all web application vulnerabilities, including DDoS
•  Logs and reports all application traffic and attacks
•  Educates admins on attack type definitions and examples
•  Enables L2->L7 protection
•  Unifies security, access control and application delivery
•  Sees application level performance
•  Provides on-demand scaling

Page 30

F5 Solutions for Application Acceleration

Page 31

Acceleration in the Data Center

•  Load balance: Distribute application load across multiple servers to increase availability
•  Offload: Increase server capacity; accelerate SSL processing; manage TCP connections more efficiently
•  SPDY gateway: Leverage SPDY and other protocols without recoding applications
•  Fast cache: Offload repetitive traffic from web and application servers to increase server capacity

Page 32

Accelerating the Network

•  Compression and deduplication: Reduce amount of data transmitted; improve network throughput and response; increase bandwidth efficiency
•  Protocol optimization: Tune TCP and HTTP parameters to adapt to changing network conditions
•  Loss correction: Correct for high-loss networks to decrease transmission time and improve user experience

Page 33

Accelerating the Client

•  Content control: Deliver content to clients with minimal network overhead
•  Data reduction: Optimize images and files for mobile browsers to improve page load times

Page 34

Improving the Mobile Experience

•  Web performance: Optimize content for mobile devices and reduce round trips to improve page load times
•  Global load balance: Connect users to the closest application resources to minimize latency

Page 35

Application Delivery Optimization
Holistic approach to improving performance throughout the application delivery chain

Network
•  Connect applications and users in a global enterprise
•  Provide the fastest network at the lowest cost
•  Increase network efficiency to best utilize resources

Client
•  Improve the user experience for traditional and mobile users
•  Deliver the right content to the right user in the fastest time

Data center
•  Improve availability of enterprise applications
•  Increase application server capacity
•  Integrate new technologies without recoding applications

Page 36

F5 Solutions for VDI

Page 37

Point Solutions Are Complex: Citrix VDI Infrastructure

•  Authentication must be managed in multiple locations
•  Authentication integration requires manual scripting
•  Requires separate ticketing server and special configuration

Diagram labels: Mobile Users and Internal Users with Citrix Receiver; Citrix Web Interface Sites (Authentication Management); Citrix XML Brokers (XML); Ticketing Servers (STA); ICA/HDX; Directory.

Page 38

Consolidate and Simplify: Simplified Access for Citrix VDI

•  Eliminate Web Interface sites and STA for all clients
•  Gain single policy and configuration setup, SSO for all clients
•  Remove troubleshooting complexity
•  Reduce CapEx and OpEx

Diagram labels: Mobile Users and Internal Users with Citrix Receiver; BIG-IP Local Traffic Manager + Application Policy Manager (Authentication Management); XML – ICA/HDX; Citrix XML Brokers; Directory.

Page 39

Consolidate and Simplify: Simplified Access for VMware View

•  Eliminate View Security Server for all but zero clients. Offload of security server functions.
•  Gain single policy and configuration setup, SSO for all clients
•  Remove troubleshooting complexity
•  Native proxy for PCoIP & RDP connections
•  Reduce CapEx and OpEx
•  ICSA Network Firewall & SSL/TLS Certified

Replace firewall, security servers and traffic management device with a single BIG-IP device.

Diagram labels: Clients; DMZ; BIG-IP; View Security Servers; VMware View Server; View Connection Servers; vSphere.

Page 40

F5 Unified Solution Reduces Complexity

•  Application access management
•  SSL VPN – remote access
•  Present OWA, VMware View next to Citrix Apps in Portal Mode
•  Vendor-agnostic solution provides the flexibility to adapt to changing demands

Page 41

Single Namespace

VDI Challenge:
•  Connecting users to preferred data center
•  By geographical location (lowest latency)
•  By business unit or customer

Alternatives:
•  Manual configuration and maintenance of multiple namespaces

F5 Approach:
•  Single namespace solution

Diagram: the client resolves VDI Desktop.example.com via BIG-IP Global Traffic Manager; the client connects to the closest DC, the request is forwarded to the preferred DC, and the client is redirected. Data Center 1 and Data Center 2 each run BIG-IP Local Traffic Manager + Application Policy Manager in front of storage, vSphere and virtual desktops.

Page 42

Global Failover and Cross-Site Resiliency

•  Sends VDI users to the closest data center
•  Continuously monitors the entire infrastructure, including network and application health
•  Enables automatic failover during outages
•  Ensures persistence to prevent broken sessions

Diagram: clients reach BIG-IP Global Traffic Manager (geolocation services), which monitors Data Center 1, Data Center 2 and Data Center 3 via iQuery; each data center runs BIG-IP Local Traffic Manager + Application Policy Manager in front of a hypervisor and virtual desktops.

Page 43

Improve VM Density

Diagram: functions offloaded from a typical virtualized server to BIG-IP, leaving the same server with more capacity:
•  SSL
•  Caching
•  Compression
•  OneConnect
•  TCP Optimization

Page 44

Dynamic Services Automation

Diagram: clients and web clients pass through front end virtualization (BIG-IP Local Traffic Manager) and app server virtualization (BIG-IP Local Traffic Manager) to storage virtualization. vCenter provides monitoring and management; automation via iControl links detection to VM provision, F5 provision and F5 deprovision.

Page 45

The F5 Difference

Page 46

Question

•  How can F5 secure and optimize your application deployments?

Page 47

Applications F5 can help deploy, optimize, and protect

•  Microsoft
•  VMware
•  Oracle
•  SAP
•  Citrix
•  Even home-grown, custom-built applications: F5 is application agnostic
•  Technology Alliances: http://www.f5.com/products/technology/

Page 48

Key F5 Differentiators

•  Application Fluency: L7 intelligence and application partnerships
•  Massive Performance and Scale without sacrificing L7 intelligence
•  Advanced Functionality: application security, access policy management, application and WAN optimization, caching, compression, and SSL termination on one platform
•  Ease of Use and Deployment: GUI, templates, iApps
•  Extensibility, Flexibility and Control: iRules and iControl
•  DevCentral: active user community

Page 49

Additional Resources

•  AskF5 Knowledge Base: askf5.com
•  iHealth Diagnostics: ihealth.f5.com
•  DevCentral: devcentral.f5.com
•  Web Support: websupport.f5.com
•  Free Web-based Training: LTM Essentials, http://university.f5.com
•  Account Team
