Keeping the Bad Guys Out Letting the Good Guys In Jay De Leo, Federal FSE III May 28, 2014


F5 Company Snapshot

2Q12 Gartner Advanced Platform DC Market Share

Gartner, Inc. Market Share: Application Acceleration Equipment, Worldwide, CYQ212, Joe Skorupa, Nhat Pham, Sept 2012

• Leading provider of Application Delivery Networking products that optimize the security, performance & availability of network applications, servers and storage systems

• FY12 Revenue: $1.38B (+31% y/y)

15 of the 15 executive branch agencies, plus many other DoD, civilian and commercial organizations rely on F5.

Government Agencies Trust F5

• Certifications

• FIPS 140-2 Level 2

• Common Criteria EAL2 (EAL4 In Process)

• DISA STIG

• 3 Year ATO at DISA

• DIACAP/DITSCAP MAC II Level Certification

• JITC PKE

• In Process: TIC Lab/JITC APL (UCCO TN 1312201)

Government Certifications

F5 BIG-IP Product Suite

• Fast, secure, available

• Best-in-class hardware platform and software virtual instance

Application Delivery Services

F5: An Intelligent Services Platform

Product Modules (Fast, Secure, Available):

LTM: Local Traffic Manager
• Local Server Load Balancing
• Application Layer Health Monitoring
• ACLs, Packet Filters, SYN Flood Protection

GTM: Global Traffic Manager
• Automated Global Site Redirection
• Network and Application Health Monitoring
• DNSSEC, IP Geolocation

WBA: WebAccelerator
• HTTP Protocol Optimization
• Intelligent Browser Referencing
• Image Optimization

WOM: WAN Optimization Manager
• Symmetric Adaptive Compression
• Symmetric Data Deduplication
• L7 QoS

AAM: Application Acceleration Manager
• WebAccelerator Features
• WAN Optimization Features
• Combined Module with 11.4

APM: Access Policy Manager
• User Access Control
• CAC/PIV/Smartcard Enablement
• Portal, WebTop

ASM: Application Security Manager
• Layer 7 Targeted Attack Prevention / DDoS / DDDoS
• Data Leakage Protection
• OWASP Top Ten

AFM: Advanced Firewall Manager
• Full-Proxy Firewall
• Layer 4 DoS Protection
• Protocol Anomaly Detection

F5 Security Architecture

Question

• What is Network Defense In Depth?

Network Defense in Depth

Problems with a multi-vendor, point-product chain:
• Lack of performance and scale
• Inability to respond to changing threats
• Failure to extend new services
• Complexity and cost of multiple vendors

Diagram: Internet → Load Balancer → DNS Security → Network DDoS → Web Application Firewall → Web Access Management → Load Balancer & SSL → Application DDoS Firewall

Service Defense in Depth: Full Proxy Security

Diagram: the full proxy terminates the client side and the server side separately across the Physical, Network, Session, Application and Web application layers.

• L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation
• SSL inspection and SSL DDoS mitigation
• HTTP proxy, HTTP DDoS and application security
• Application health monitoring and performance anomaly detection

F5’s Approach

• High-performance HW
• TMOS traffic plug-ins
• High-performance networking microkernel
• Powerful application protocol support
• iControl—External monitoring and control (iControl API)
• iRules—Network programming language

TMOS diagram: client side (IPv4/IPv6, SSL, TCP, HTTP) → traffic management microkernel and proxy, with plug-in modules such as APM and Firewall → server side (SSL, TCP, OneConnect, HTTP). Optional modules plug in for all F5 products and solutions.

Full Proxy Security Enables Service Defense: Bring deep application fluency to security

One platform: SSL inspection, traffic management, DNS security, access control, application security, network firewall, DDoS mitigation

Keeping the Bad Guys Out

Question

• What’s the difference between network security and application security?


“Most detected activity has targeted unclassified networks connected to the Internet, but foreign cyberactors are also targeting classified networks. Importantly, much of the nation's critical proprietary data are on sensitive but unclassified networks.”

James Clapper, Director of National Intelligence

http://news.cnet.com/8301-1009_3-57573902-83/intelligence-chief-offers-dire-warning-on-cyberattacks/

F5 Integrated Security Solutions: iRules extensibility everywhere

Products:

Advanced Firewall Manager
• Stateful full-proxy firewall
• On-box logging and reporting
• Native TCP, SSL and HTTP proxies
• Network and Session anti-DDoS

Access Policy Manager
• Dynamic, identity-based access control
• Simplified authentication, consolidated infrastructure
• Strong endpoint security and secure remote access

Local Traffic Manager
• High performance and scalability
• #1 application delivery controller
• Application fluency
• App-specific health monitoring

Application Security Manager
• Leading web application firewall
• PCI compliance
• Virtual patching for vulnerabilities
• HTTP anti-DDoS
• IP protection

Global Traffic Manager and DNSSEC
• Huge scale DNS solution
• Global server load balancing
• Signed DNS responses
• Offload DNS crypto

Capability labels across the products: ICSA-certified firewall, application delivery controller, application security, access control, DDoS mitigation, SSL inspection, DNS security

Web Application Security: Proactively secure all web applications from current and future threats.

• OWASP Top 10: Get protection from the top threats without impacting app performance or scale.
• Dynamic App Security Testing: Key partnerships give you full vulnerability checking and website protection.
• SDLC: Use built-in security capabilities to accelerate and improve app development.
• IP Intelligence: Defend against malicious activity and web attacks.

Targeted Attack Protection Use case (without BIG-IP ASM)

Diagram: Internet users and a hacker reach the datacenter load balancer, behind which sit Web 2.0 apps and private cloud apps with no BIG-IP Application Security Manager in the path (“Security?”). Flow: Request made → Vulnerable application, no security policy → Unsecure response delivered / Hacker given access.

Targeted Attack Protection Use case (with BIG-IP ASM)

Diagram: Internet users and a hacker reach BIG-IP Application Security Manager, which fronts the Web 2.0 apps and private cloud apps. Flow: Request made → BIG-IP ASM applies security policy → Vulnerable application → BIG-IP ASM security policy checked → Secure response delivered.

SSL INSPECTION

• Gain visibility and detection of SSL-encrypted attacks
• Achieve high-scale/high-performance SSL proxy
• Offload SSL—reduce load on application servers

IP INTELLIGENCE

Diagram: an IP intelligence service delivers an IP address feed (updates every 5 min) and a geolocation database to BIG-IP, which fronts a custom application and a financial application. Source categories flagged by the feed: botnet, attacker, anonymous requests, anonymous proxies, scanner, restricted region or country.

DDoS Protection Use case

Attacks: Syn Flood, ICMP flood, TCP Flood, Slowloris

The infamous Wikileaks firewall failures

DDoS MITIGATION

Application attacks: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods
Mitigation, BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
Mitigation, BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
Mitigation, BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding

Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

Diagram: F5 mitigation technologies mapped against the OSI stack, Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1), with an arrow labelled “Increasing difficulty of attack detection”.

• Protect against DDoS at all layers
• Withstand the largest attacks
• Gain visibility and detection of SSL encrypted attacks

ASM PROTECTS AGAINST TOP APP VULNERABILITIES

OWASP Top 10 Web Application Security Risks:

1. Injection

2. Cross-Site Scripting (XSS)

3. Broken Authentication and Session Management

4. Insecure Direct Object References

5. Cross-Site Request Forgery (CSRF)

6. Security Misconfiguration

7. Insecure Cryptographic Storage

8. Failure to Restrict URL Access

9. Insufficient Transport Layer Protection

10. Unvalidated Redirects and Forwards

Source: www.owasp.org


How Does ASM Work? Security at application, protocol and network level

Diagram: Request made → Security policy checked → Server response → Security policy applied (content scrubbing, application cloaking) → Response delivered

Actions: Log, block, allow

“BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”

Three Ways to Build an ASM Policy

Dynamic policy builder

Automatic –
• No knowledge of the app required
• Adjusts policies if app changes

Manual –
• Advanced configuration for custom policies

Integration with app scanners
• Virtual patching with continuous application scanning

Diagram: Security policy checked → Security policy applied

Protection from Vulnerabilities: Enhanced integration: BIG-IP ASM and Security Scanning Services

Vulnerability scanner (Qualys, IBM, WhiteHat, Cenzic; e.g. WhiteHat Sentinel) against the customer website:
• Vulnerability checking, detection and remediation
• Complete website protection
• Finds a vulnerability
• Virtual-patching with one-click on BIG-IP ASM

BIG-IP Application Security Manager:
• Verify, assess, resolve and retest in one UI
• Automatic or manual creation of policies
• Discovery and remediation in minutes

0-Day Security: Mitigate Vulnerabilities with iRules

• “HashDos—Post of Doom” vulnerability affects all major web servers and application platforms.
• Single DevCentral iRule mitigates vulnerability for all back-end services.
• Staff can schedule patches for back-end services on their own timeline.

Diagram: VIPRION in front of the back-end services

How was your Heartbleed?


Heartbleed and F5

Upgrade/hotfix your BIG-IP if…
• You have version 11.5.0
• You have version 11.5.1

Use no iRule if…
• You are terminating SSL using a clientssl profile at the BIG-IP.

If F5 has been terminating your SSL for the last two years, your applications have been safe from Heartbleed.

Vulnerable only if…
• You were using version 11.5.0 or 11.5.1, and
• You were using the COMPAT stack, or
• Your management interface was accessible to the Internet.

Use clientside iRule if…
• You are passing SSL through the BIG-IP to vulnerable servers

Use serverside iRule if…
• You have vulnerable servers accessible from Internet and intranet
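A check of the kind the clientside iRule above performs, written here in Python as an added example rather than as an iRule (this is not F5's iRule and not code from the deck): it parses TLS records on the wire and reports "drop" for a heartbeat whose declared payload length cannot fit inside the record, which is the malformed request Heartbleed depends on. The sample records are constructed inline; on a BIG-IP the same check runs on the collected TCP payload before it is released to the server.

```python
import struct

TLS_HEARTBEAT = 24       # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16         # RFC 6520 requires at least 16 bytes of padding


def classify_tls_record(record: bytes) -> str:
    """Inspect one TLS record. Returns 'pass', 'drop' or 'short'.

    'short' means the buffer does not yet hold the whole record (an iRule
    would keep collecting); 'drop' means a heartbeat whose declared
    payload_length cannot fit in the record, which is the Heartbleed shape.
    """
    if len(record) < 5:
        return "short"
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rec_len]
    if len(body) < rec_len:
        return "short"
    if ctype != TLS_HEARTBEAT:
        return "pass"            # handshake/app data: not this check's concern
    if len(body) < 3:
        return "drop"            # truncated heartbeat header
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # Same bound as the OpenSSL fix: type(1) + length(2) + payload + padding(16)
    # must fit inside the record, otherwise the peer would read past its buffer.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return "drop"
    return "pass"


def scan_stream(buf: bytes) -> list:
    """Walk a byte stream of TLS records and return one verdict per record."""
    verdicts, pos = [], 0
    while pos + 5 <= len(buf):
        rec_len = struct.unpack("!H", buf[pos + 3:pos + 5])[0]
        verdict = classify_tls_record(buf[pos:pos + 5 + rec_len])
        verdicts.append(verdict)
        if verdict == "short":
            break                # wait for the rest of this record
        pos += 5 + rec_len
    return verdicts


def build_heartbeat(payload: bytes, declared_len: int) -> bytes:
    """Constructed sample: a TLS 1.1 heartbeat request record."""
    body = (struct.pack("!BH", HEARTBEAT_REQUEST, declared_len)
            + payload + b"\x00" * MIN_PADDING)
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body


# Constructed samples: an honest heartbeat, one that over-declares its payload,
# and an unrelated application-data record (content type 23).
GOOD_RECORD = build_heartbeat(b"ping", len(b"ping"))
BAD_RECORD = build_heartbeat(b"ping", 0x0400)
APP_DATA_RECORD = struct.pack("!BBBH", 23, 3, 2, 5) + b"hello"

if __name__ == "__main__":
    print(scan_stream(GOOD_RECORD + BAD_RECORD + APP_DATA_RECORD))  # ['pass', 'drop', 'pass']
```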



Letting the Good Guys …Out?

Secure Web Gateway Reference Architecture

Diagram: users on the private network pass through the BIG-IP platform (BIG-IP Local Traffic Manager plus BIG-IP Access Policy Manager acting as the Secure Web Gateway, with access policy, web security and reporting) and the firewall to the Internet, where destinations include a malicious server, an entertainment site, YouTube and a B2B server. Users are authenticated against Active Directory (Kerberos, NTLM, Basic Auth 407) and mapped to identities; a threat intelligence service (malware agent, categorization database, real-time classification, malware analysis) classifies destinations such as viral video, Facebook, e-commerce and Facebook games.

Functions:
• Log requests and ensure acceptable use compliance
• Web security
• Malware protection
• Control bandwidth by policy

Letting the Good Guys In

Question

• From an IT perspective, how do you define context?


Who’s Requesting Access?

IT is challenged to:

• Control access based on user-type and role

• Unify access to all applications

• Provide fast authentication and SSO

• Audit and report access and application metrics

Manage access based on identity: employees, partners, customers, administrators

Authentication Alternatives Today

1. Code in the Application
• Costly, difficult to change
• Not repeatable, less secure

2. Agents on servers
• Difficult to manage
• Not interoperable or secure
• Decentralized and costly

3. Specialized Access Proxies
• Doesn’t scale and basic reliability
• More boxes and expensive

Diagram: proxy in front of web servers App 1 … App n, with a policy manager and directory

A Better Alternative

BIG-IP benefits:
• Reduce costs and complexity
• Gain superior scalability and high availability
• Better security with Dynamic L4 – L7 ACL control at LTM speeds
• Repeatable, across multiple applications

Diagram: LTM + APM as the proxy in front of web servers App 1 … App n, with the policy manager and directory

Enable Simplified Application Access with BIG-IP Access Policy Manager (APM)

Diagram: users connect through BIG-IP Local Traffic Manager + Access Policy Manager, which authenticates against a directory and brokers access to SharePoint, OWA, cloud, web servers (App 1 … App n, each app on its own OS) and hosted virtual desktops.

BIG-IP® APM features:

• CAC/PIV/Smartcard Enablement

• Centralizes single sign-on and access control services

• Full proxy L4 – L7 access control at BIG-IP speeds

• Adds endpoint inspection to the access policy

• Visual Policy Editor (VPE) provides policy-based access control

• VPE Rules—programmatic interface for custom access policies

• Supports IPv6

BIG-IP® APM ROI benefits:

• Scales to 100K users on a single device

• Consolidates auth. infrastructure

• Simplifies remote, web and application access control

*AAA = Authentication, authorization and accounting

Unified Access and Control with BIG-IP Access Policy Manager (APM)

Control Access of Endpoints: Ensure strong endpoint security

Allow, deny or remediate users based on endpoint attributes such as:
• Antivirus software version and updates
• Software firewall status
• Machine certificate validation

Invoke protected workspace for unmanaged devices:
• Restrict USB access
• Cache cleaner leaves no trace
• Ensure no malware enters corporate network

Diagram: Users → BIG-IP APM → Web

Question

• What is Federation, or Federated Security?


Use case: CONSOLIDATING APP AUTHENTICATION (SSO)

• Dramatically reduce infrastructure costs; increase productivity
• Provides seamless access to all web resources
• Integrated with common applications

Diagram: a user on a corporate managed device with the latest AV software authenticates once against the AAA server (User = Finance) and reaches the expense report app, the finance application and Salesforce.com.

What is SAML?

• It’s Web Single Sign-On (Federated Auth)

• Eliminates the need for multiple passwords/password databases in multiple locations, i.e., keep your directory behind your firewall

• Enables enterprise apps in the Cloud


SAML lets you do this with your apps

Think of it as the enterprise version of OAuth


SAML - Claims Based Authentication

• The process of authenticating a user based on a set of claims about its identity contained in a trusted token.

• Such a token is often issued and signed by an entity that stores and maintains this information about the user.

Claims in Action:

1) Texas has my information and driving test results

2) I carry a Texas driver’s license

3) Hawaii does not have my information, but they trust Texas

4) So I am allowed to drive in Hawaii
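The driver’s-licence story as code, added here as an example (not from the deck and not F5’s APM implementation): the issuer that holds the records (Texas) signs a set of claims, and the relying party (Hawaii) decides from the signed claims alone, checking issuer trust, signature, audience and expiry. An HMAC-signed JSON token stands in for a SAML assertion, which in reality carries an XML Signature; keys and names are constructed.

```python
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, key, subject, audience, claims, now, ttl=3600):
    """The identity provider (Texas) signs what it knows about the user."""
    body = {"iss": issuer, "sub": subject, "aud": audience, "exp": now + ttl}
    body.update(claims)
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, trusted_issuers, expected_audience, now):
    """The relying party (Hawaii) checks the token, not the user's records.
    trusted_issuers maps issuer name -> shared verification key."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        body = json.loads(payload)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        raise ValueError("malformed token")
    if not isinstance(body, dict):
        raise ValueError("malformed token")
    key = trusted_issuers.get(body.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")     # Hawaii does not trust Nevada
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")        # claims were altered
    if body.get("aud") != expected_audience:
        raise ValueError("wrong audience")       # token meant for another party
    if not isinstance(body.get("exp"), (int, float)) or now >= body["exp"]:
        raise ValueError("expired")
    return body


def may_drive(token, trusted_issuers, now):
    """Authorization decision made from the verified claims alone."""
    try:
        claims = verify_token(token, trusted_issuers, "hawaii-dmv", now)
    except ValueError:
        return False
    return claims.get("licence_class") == "C"


# Constructed keys, names and clock for the walk-through.
TEXAS_KEY = b"texas-dps-shared-secret"
HAWAII_TRUSTS = {"texas-dps": TEXAS_KEY}
NOW = 1_400_000_000
LICENCE = issue_token("texas-dps", TEXAS_KEY, "jane", "hawaii-dmv",
                      {"licence_class": "C", "test_passed": True}, NOW)
```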

Application Acceleration and Global Availability

Question

• Why does application acceleration matter?

Application Delivery Optimization: Holistic approach to improving performance throughout the application delivery chain

Network
• Connect applications and users in a global enterprise
• Provide the fastest network at the lowest cost
• Increase network efficiency to best utilize resources

Client
• Improve the user experience for traditional and mobile users
• Deliver the right content to the right user in the fastest time

Data center
• Improve availability of enterprise applications
• Increase application server capacity
• Integrate new technologies without recoding applications

Acceleration in the Data Center

Load balance
• Distribute application load across multiple servers to increase availability

Offload
• Increase server capacity
• Accelerate SSL processing
• Manage TCP connections more efficiently

SPDY gateway
• Leverage SPDY and other protocols without recoding applications

Fast cache
• Offload repetitive traffic from web and application servers to increase server capacity

Accelerating the Network

Compression and deduplication
• Reduce amount of data transmitted
• Improve network throughput and response
• Increase bandwidth efficiency

Protocol optimization
• Tune TCP and HTTP parameters to adapt to changing network conditions

Loss correction
• Correct for high-loss networks to decrease transmission time and improve user experience

Accelerating the Client

Content control
• Deliver content to clients with minimal network overhead

Data reduction
• Optimize images and files for mobile browsers to improve page load times

Improving the Mobile Experience

Web performance
• Optimize content for mobile devices and reduce round trips to improve page load times

Global load balance
• Connect users to the closest application resources to minimize latency

Improve Application Performance: Users are directed by context

• Content: type, size, security
• Network conditions: local, remote, public, private
• Site status: performance, location, capacity
• Client status: location, device, relationship

Global Application Availability with BIG-IP Global Traffic Manager (GTM)

Diagram: Data Center 1 and Data Center 2

OPTIMIZED APPLICATIONS & DATA
• Dynamic Datacenter Load Balancing
• TCP Optimization
• Health Monitoring
• Geolocation
• Automatic site-to-site failover
• IPv6/IPv4 Translation

SECURE APPLICATIONS & DATA
• Transaction Assurance
• Dynamic DNSSEC
• DNS DDoS Mitigation

Dynamic Services Automation

Diagram: iControl automation links monitoring and management to front end virtualization, app server virtualization and storage virtualization. Demand detection triggers F5 provision and VM provision (through vCenter); demand detection in the other direction triggers F5 deprovision.

Additional Resources

• AskF5 Knowledge Base: askf5.com
• iHealth Diagnostics: ihealth.f5.com
• DevCentral: devcentral.f5.com
• Web Support: websupport.f5.com
• Free Web-based Training: LTM Essentials, http://university.f5.com
• Account Team