F5 Tech Talk: Securing Critical Applications Brian A. McHenry, Security Solutions Architect March 5, 2014


© F5 Networks, Inc 2

F5 Overview

[Chart; axis label: $ Thousands]

Publicly traded on NASDAQ

3,300+ employees

Leading provider of application and data delivery networking

IPO in 1999

FY15 revenue: US$1.5B

Our products sit at strategic points of control in any infrastructure

1,380,000,000

Maintaining security is challenging

Webification of apps

Evolving security threats

71% of surveyed experts predict most work will be done via web-based or mobile apps by 2020.

69% of all Americans use web apps.

Single cyber attack costs: $1,000,000

Successful attacks per week: 122

Securing applications can be complex

Changing threats: Increasing in complexity that requires intelligence and on-going learning

Scalability and performance: Needed to ensure services are available during the onset of aggressive attacks

Webification: Impossible to build safeguards into applications in a timely manner

Ownership: Challenges with security team making the dev team fix vulnerabilities

Attack visibility: Is often lacking details to truly track and identify attacks and their source, and ensure compliance and forensics

BIG-IP® Application Security Manager™

Dynamic Multi-Layered Security

•  Turn-on with license key or standalone
•  Caching, compression and SSL acceleration included in standalone

BIG-IP Local Traffic Manager BIG-IP Application Security Manager

Secure response delivered

Request made

BIG-IP ASM security policy checked

Server response generated

BIG-IP ASM applies security policy

Vulnerable application

•  Provides transparent protection from ever changing threats
•  Ensure application availability while under attack
•  Deployed as a full proxy or transparent full proxy (bridge mode)
•  Minimal impact on application performance
•  Drop, block or forward request
•  Application attack filtering & inspection
•  SSL, TCP, HTTP DoS mitigation
•  Response inspection for errors and leakage of sensitive information

Full proxy security

Network

Session

Application

Web application

Physical

Client / Server

L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation

SSL inspection and SSL DDoS mitigation

HTTP proxy, HTTP DDoS and application security

Application health monitoring and performance anomaly detection

Network

Session

Application

Web application

Physical

Client / Server

Common attacks on web applications

BIG-IP ASM delivers comprehensive protection against critical web attacks

•  CSRF
•  Cookie manipulation
•  OWASP top 10
•  Brute force attacks
•  Forceful browsing
•  Buffer overflows
•  Web scraping
•  Parameter tampering
•  SQL injections
•  Information leakage
•  Field manipulation
•  Session hijacking
•  Cross-site scripting
•  Zero-day attacks
•  Command injection
•  ClickJacking
•  Bots
•  Business logic flaws

How does ASM work?

1. Start by checking RFC compliance
2. Then check for various length limits in the HTTP
3. Then we can enforce valid types for the application
4. Then we can enforce a list of valid URLs
5. Then we can check for a list of valid parameters
6. Then for each parameter we will check for max value length
7. Then scan each parameter, the URI, the headers with attack signatures

GET /search.php?name=Acme’s&admin=1 HTTP/1.1
Host: foo.com\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226


GET /search.php?name=Acme’s&admin=1 HTTP/1.1\r\n
Host: foo.com\r\n\r\n
Connection: keep-alive\r\n\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n\
Referer: http://172.29.44.44/search.php?q=data\r\n\r\n
Accept-Encoding: gzip,deflate,sdch\r\n\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n


GET /search.asp?name=Acme’s&admin=1 HTTP/1.1
Host: foo.com\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226


GET /search.do?name=Acme’s&admin=1 HTTP/1.1
Host: foo.com\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226


GET /login.php?name=Acme’s&admin=1 HTTP/1.1
Host: foo.com\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226


GET /logout.php?name=Acme’s&admin=1 HTTP/1.1
Host: foo.com\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226
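The seven checks listed on these slides, sketched as a small inspection pipeline and run over a constructed copy of the slide's request. This is an added example, not F5 code or code from the talk: the policy values, the two regex "signatures" and the names inspect and sample are assumptions, and the sample uses an ASCII apostrophe and abridged headers.

```python
"""Seven-step request check in the order the slides list (illustration, not F5 code)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed policy: every value below is an assumption made for this example.
POLICY = {
    "max_url_len": 2048,
    "max_header_len": 4096,
    "file_types": {"php"},
    "urls": {"/search.php", "/login.php", "/logout.php"},
    "params": {"name": 32, "q": 64},  # allowed parameter -> max value length
    "signatures": {                    # crude stand-ins for real attack signatures
        "sql-quote": re.compile(r"'"),
        "xss-script": re.compile(r"<\s*script", re.I),
    },
}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")


def inspect(raw, policy=POLICY):
    """Return [(step, violation), ...] for one raw request, in step order."""
    head, sep, _body = raw.decode("latin-1").partition("\r\n\r\n")
    # Step 1: RFC compliance. If framing is broken, later parsing cannot be trusted.
    if not sep or re.search(r"\r(?!\n)|(?<!\r)\n", head):
        return [(1, "malformed line endings")]
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return [(1, "malformed request line")]
    target = match.group(2)
    headers = {}
    for line in lines[1:]:
        field = HEADER_LINE.match(line)
        if not field:
            return [(1, "malformed header")]
        headers[field.group(1).lower()] = field.group(2)
    if "host" not in headers:
        return [(1, "missing Host header")]

    found = []
    # Step 2: length limits on the URL and on each header value.
    if len(target) > policy["max_url_len"]:
        found.append((2, "URL too long"))
    for name, value in headers.items():
        if len(value) > policy["max_header_len"]:
            found.append((2, f"header too long: {name}"))
    # Step 3: allowed file types, taken from the extension of the last path segment.
    parts = urlsplit(target)
    leaf = parts.path.rsplit("/", 1)[-1]
    ext = leaf.rsplit(".", 1)[1].lower() if "." in leaf else ""
    if ext not in policy["file_types"]:
        found.append((3, f"illegal file type: {ext or '(none)'}"))
    # Step 4: allowed URLs.
    if parts.path not in policy["urls"]:
        found.append((4, f"illegal URL: {parts.path}"))
    # Steps 5 and 6: allowed parameters, then max value length per parameter.
    params = parse_qsl(parts.query, keep_blank_values=True)
    for key, value in params:
        if key not in policy["params"]:
            found.append((5, f"illegal parameter: {key}"))
        elif len(value) > policy["params"][key]:
            found.append((6, f"parameter value too long: {key}"))
    # Step 7: attack signatures over decoded parameters, the URI and the headers.
    scanned = [(f"parameter {k}", v) for k, v in params]
    scanned.append(("URI", parts.path))
    scanned += [(f"header {n}", v) for n, v in headers.items()]
    for where, value in scanned:
        for sig, pattern in policy["signatures"].items():
            if pattern.search(value):
                found.append((7, f"{sig} in {where}"))
    return found


def sample(path="/search.php", query="name=Acme's&admin=1", eol="\r\n"):
    """Constructed copy of the slide's request (ASCII apostrophe, headers abridged)."""
    lines = [f"GET {path}?{query} HTTP/1.1", "Host: foo.com",
             "Connection: keep-alive", "User-Agent: Mozilla/5.0 (Windows NT 6.1)",
             "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226"]
    return (eol.join(lines) + eol + eol).encode("latin-1")


if __name__ == "__main__":
    for path in ("/search.php", "/search.asp", "/search.do"):
        print(path, inspect(sample(path=path)))
```

Under this assumed policy the slide's own request trips two checks: admin is not a listed parameter (step 5) and the apostrophe in name matches the quote signature (step 7), which is also the kind of false positive a legitimate value such as a company name produces.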


BIG-IP Application Security Manager

Multiple deployment options

•  Standalone or ADC add-on
•  Appliance or Virtual edition
•  Manual or automatic policy building
•  3rd party DAST integration

Visibility and analysis

•  Visibility and analysis
•  High speed customizable syslog
•  Granular attack details
•  Expert attack tracking and profiling
•  Policy & compliance reporting
•  Integrates with SIEM software
•  Full HTTP/S request logging

Comprehensive protections

•  Protection from all web app vulnerabilities including DDoS
•  Advanced anti-BOT mitigation
•  Integrated XML firewall

BIG-IP® ASM™ protects the applications your business relies on most and scales to meet changing demands.

Comprehensive Protections

BIG-IP ASM extends protection to more than application vulnerabilities

L7 DDOS

Web Scraping

Web bot identification

XML filtering, validation & mitigation

ICAP anti-virus Integration

XML Firewall

Geolocation blocking

ASM

Automatic HTTP/S DoS attack detection and protection

•  Accurate detection technique—based on latency
•  Three different mitigation techniques escalated serially
•  Focus on higher value productivity while automatic controls intervene

DETECT A DOS CONDITION

IDENTIFY POTENTIAL ATTACKERS

DROP ONLY THE ATTACKERS

Highly accurate anti-bot and scanner protection

•  Differentiate between script and browser
•  Inspection of user interaction with browser
•  Distinguish real-user from bot
•  Mitigate automated attacks, scanners, botnets and intellectual property scrapers
•  Detect a persistent scraper that uses multiple IP addresses or a single request session

ASM Website

Application Security

Web Bot

User


IP intelligence service

IP address feed updates every 5 min

Geolocation database

Botnet

Anonymous requests

Anonymous proxies

Scanner

Restricted region or country

Attacker

Custom application

Financial application

Internally infected devices and servers

IP intelligence and geolocation enforcement

Detailed logging with actionable reports

At-a-glance PCI compliance reports

Drill-down for information on security posture

Attack Expert System in ASM

Attack expert system makes responding to vulnerabilities faster and easier: Violations are represented graphically, with a tooltip to explain the violation. The entire HTTP payload of each event is logged.

1. CLICK ON INFO TOOLTIP

Protection from Vulnerabilities

Enhanced integration: BIG-IP ASM and leading DAST vendors

Customer website
•  Vulnerability checking, detection and remediation
•  Complete website protection

BIG-IP Application Security Manager
•  Verify, assess, resolve and retest in one UI
•  Automatic or manual creation of policies
•  Discovery and remediation in minutes
•  Automatic notification of website changes*

Vulnerability scanner
•  Finds a vulnerability
•  Virtual-patching with one-click on BIG-IP ASM

DAST Solutions
•  Qualys
•  IBM
•  WhiteHat
•  Cenzic

Identify, virtually patch, mitigate vulnerabilities

Configure vulnerability policy in BIG-IP ASM

Mitigate web app attacks

Scan application with:

Hacker

Clients

Timely threat mitigation

Assurance

Manual

WAF

Scan

Four ways to build a policy

Security policy checked

Security policy applied

DYNAMIC POLICY BUILDER

Automatic
•  No knowledge of the app required
•  Adjusts policies if app changes

Manual
•  Advanced configuration for custom policies

INTEGRATION WITH APP SCANNERS

•  Virtual patching with continuous application scanning

PRE-BUILT POLICIES

•  Out-of-the-box
•  Pre-configure and validated
•  For mission-critical apps including: Microsoft, Oracle, PeopleSoft

Enhanced visibility and analysis

Statistics collected

•  URLs
•  Methods
•  Server/client latency
•  Client IPs and geos
•  Throughput
•  User agents
•  Response codes
•  User sessions

Views

•  Virtual server
•  Pool member
•  Response codes
•  URLs and HTTP methods

Application analytics for assured availability

•  ASM logs provide deeper intelligence grouped by application and user
•  Rules can be applied based on user behavior
•  Latency monitoring provides:
   •  Business intelligence/capacity planning
   •  Troubleshooting and performance tuning
   •  Anomalous behavior detection

Security TAP Partners

ENDPOINT INSPECT / AV

CERTIFICATES ENCRYPTION SIEM DAST

MULTI-FACTOR AUTHENTICATION WEB ACCESS MANAGEMENT DB FIREWALL

MOBILE OS MOBILE DEVICE MANAGEMENT

SECURITY CHANGE MANAGEMENT FIPS/HSM SECURITY

DNS SECURITY AND SBS

WEB AND SAAS SECURITY

Hardware with a Purpose

Best-of-breed application delivery architecture

TMOS is the implementation of software on hardware that includes physical, virtual and hybrid deployments. This creates the most flexible, advanced application delivery.

Physical ADCs + vADCs = F5 dynamic infrastructure

Ultimate in flexibility and performance

F5 vCMP or virtual editions

vADC or virtual editions provide flexible deployment options for virtual environments

F5 physical ADCs

High-performance and specialized hardware

Hybrid ADC is best for:
•  Complete integrated application delivery network
•  Tethered deployments
•  Symmetric ADC services
•  Federated authentication

Virtual ADC is best for:
•  Accelerated deployment
•  Private and public cloud environments
•  Application or tenant-based pods
•  Lab, test and QA deployments
•  Keep security with application

Physical ADC is best for:
•  Fastest performance
•  SSL offload
•  Workload isolation
•  Consolidation
•  Edge and front door services
•  Edge security speeds and feeds

EFFECTIVE APPLICATION PROTECTIONS

SIMPLIFIED AND RAPID POLICY DEPLOYMENT

PCI COMPLIANCE

DETAILED ATTACK INSPECTION AND FILTERING

HIGH SCALABILITY AND PERFORMANCE

ENHANCED VISIBILITY AND ACTIONABLE REPORTING

Advanced application firewall

BIG-IP ASM

BIG-IP PLATFORM SECURITY

BIG-IP AFM BIG-IP ASM All BIG-IP

BIG-IP Application Security Manager

BIG-IP ASM protects the applications your business relies on most

•  Allows the security team to secure a website without changing the application code
•  Provides comprehensive protection for all web application vulnerabilities, including (D)DoS
•  Logs and reports all application traffic, attacks and usernames
•  Educates admin on attack type definitions and examples
•  Helps ensure PCI compliance

What This Means

Users

Quickly secure apps against aggressive DDoS attacks and provide rapid application vulnerability patching

Ensure application availability and performance when under attack

Maintain full visibility into attacks and policy effectiveness

Business

Protect your business, customers and partners

Easily mitigate compliance risks

Consolidate resources and reduce operational costs

Improve security posture and corporate reputation

F5 Cloud Federation

Software as a Service

Many organizations are realizing the benefits of adopting cloud-based services rather than deploying and maintaining in-house solutions. Software as a Service (SaaS) providers can deliver niche expertise in a cost-effective, multi-tenancy environment via a ready-to-consume, subscription-based model.

SaaS market drivers

Any location Any time Any device Mobility 24x7 workforce Bring your own device

The SaaS market is expected to grow 16.8%, from $14.3 billion in 2012 to $16.7 billion in 2013, with projections of $21.3 billion for 2015.

83.0% of all companies expect to adopt SaaS technology.

Who’s requesting access?

Employees Partners Customers Administrators

Manage access based on identity

IT is challenged to:
•  Control access based on user type and roles
•  Unify access to all applications (mobile, VDI, web, client-server, SaaS)
•  Provide fast authentication and single sign-on (SSO)
•  Audit and report access and application metrics

The Problem with SaaS

The benefits of adopting a SaaS model often come at the cost of up-to-the-minute access control and reliable security policy enforcement.

Linear delivery is gone

It’s now a complex matrix

Cloud

More delivery models More endpoints More apps

SaaS


The problem with SaaS

IDENTITY AND ACCESS MANAGEMENT SILOS

“For an average of 26 different online accounts, users had only five different passwords.”

—Experian, 2012

“A quarter of the people surveyed admitted to using less secure passwords on mobile devices to save time.”

—Deloitte, 2013

Data Center

Applications Applications

Internet

Identity and Access Management

Physical Virtual

Salesforce Office 365 Concur Google docs

Devices

F5 Cloud Federation

Eliminate identity and access management (IAM) silos.

Consistent security across all services

Any Device

Consistent Security Everywhere

Enterprise Resources

External Resources

Scalability

Centralized Management

Single Sign-On

Identity and Access Management

Cloud Federation

Customer Scenarios

Core Functionality

Professional Services and Support

Consistency Integration

IP Reputation

Multi-Factor Authentication

Authorization

IP Geolocation

Context Services

Device Inspection Analytics

F5 Cloud Federation Architecture

Strategic Point of Control

On-Premises Infrastructure

Corporate Applications

Users

Attackers

Access Management

SaaS Providers

Office 365

Google Apps

Salesforce

Directory Services

Corporate Users

Identity federation

SAML Real-time access control

Access policy enforcement

SAML Identity management

Multi-factor authentication


On-Premises Infrastructure

BIG-IP Local Traffic Manager

BIG-IP Access Policy Manager

Corporate Applications

LTM APM Users

Attackers BIG-IP Platform

SaaS Providers

Office 365

Google Apps

Salesforce

Application Services + Access Policy Management

Directory Services

Corporate Users

F5 Cloud Federation Architecture

Introducing Secure Web Gateway

Inbound and outbound access management

Secure Web Gateway in APM

with

SWG

Campus

Web Filtering

Internet

ThreatSeeker Intelligence

Cloud

Data for real-time URL classification & advanced malware detection

HQ

SaaS Apps

•  Protects users on-premise
•  Keeps confidential data confidential
•  Identity-based policies
•  Inbound and outbound security
•  Websense ThreatSeeker backend

Servers

Servers

AD

URL Classification

Advanced Malware Detection

F5 Secure Web Gateway – The best approach

•  The only solution to offer outbound & inbound access controls
•  Inbound: All you have on APM (Access, VPN, SAML, etc.)
•  Outbound: block dangerous websites or malware-infected web applications
•  Enable social media web applications for the business in a granular fashion based on different job needs (e.g., marketing is OK to access Facebook)
•  Detect and block malware inside a web page

BIG-IP APM Use Cases

Accelerated Remote Access

Enterprise Data & Apps

Federation

Cloud, SaaS, and Partner Apps

Internet Secure Web Gateway Internet Apps

Mobile Apps Mobile

Application Management

BIG-IP APM

App Access Management OAM VDI Exchange Sharepoint

Next-Generation Firewall

Users leverage NGFW for outbound protection

Employees

Can inspect SSL at either tier

Customers

DDoS Attack

Partners

DDoS Attack

ISP provides volumetric DDoS service

Cloud Scrubbing Service

GOOD BETTER BEST

Simplified Business Models

+ IP Intelligence

BIG-IP Advanced Firewall Manager BIG-IP Local Traffic Manager

BIG-IP Global Traffic Manager BIG-IP Access Policy Manager

BIG-IP Application Security Manager

Application Delivery Firewall infrastructure

ISPa

ISPb

Network Firewall Services + DNS Services

+ Simple Load Balancing to Tier 2

BIG-IP Platform

+ IP Intelligence (IPI) Module

BIG-IP Platform

Web Application Firewall Services

+ SSL Termination

Tier 2: Protecting L7 Tier 1: Protecting L3–4 and DNS

DDoS MITIGATION

Increasing difficulty of attack detection

OSI stack: Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1)

Application attacks
    Attacks: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods
    F5 mitigation technologies: BIG-IP ASM. Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

Session attacks
    Attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
    F5 mitigation technologies: BIG-IP LTM and GTM. High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Network attacks
    Attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
    F5 mitigation technologies: BIG-IP AFM. SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.