The F5 Security Blueprint for Extending the Defense Perimeter from On-Premises to the Cloud
Argon LAU Presales Consultant F5 Networks
#CLOUDSEC
© F5 Networks, Inc 2
1. Today’s Attacks are Complex and Across the Protocol Stack
WEB APPLICATIONS
1. Generic malware, such as Zeus, infects a user’s device.
2. The malware contains code designed to insert specific content into the browser session when the user accesses specific sites.
3. The user requests the login page for Wells Fargo.
4. This triggers the malware, which injects additional content into the browser.
5. The user enters the requested content and clicks Go.
6. This information is sent to the legitimate web server as expected.
7. This information is also sent to the configured drop zone.
Sample of the malware’s per-site inject rules shown on the slide:
*wellsfargo* add field
*bankofamerica* add button, replace text
*chase* add cc#, pin, remove text
*telebank* send credentials
*bankquepopulaire* …
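Step 6 above is the defender’s opportunity: the injected fields (card number, PIN) are submitted to the legitimate server along with the real login fields, so the server or a WAF in front of it can notice that a login POST carries field names the real form never rendered. The following is an added example, not F5 code and not part of the deck; the expected field set, the sensitive-name list and the sample submissions are all constructed for the illustration.

```python
from urllib.parse import parse_qs

# Fields the legitimate login form actually renders. Constructed for this example;
# a real deployment would derive the set from the form template or a learned WAF policy.
EXPECTED_LOGIN_FIELDS = {"username", "password", "csrf_token"}

# Field names a login page never asks for. A submission carrying one of these means the
# browser rendered a form the server did not send, which is exactly what an inject does.
SENSITIVE_NEVER_ON_LOGIN = {"cc", "ccnum", "ccnumber", "cardnumber", "pin", "atmpin", "cvv", "ssn"}


def _canon(name: str) -> str:
    """Fold case and separators so 'cc_number', 'CC-Number' and 'ccnumber' compare equal."""
    return name.lower().replace("_", "").replace("-", "")


def analyze_login_post(body: str, expected=EXPECTED_LOGIN_FIELDS):
    """Classify one URL-encoded login POST by its field *names* only.

    Values are never inspected or logged: the point is to detect the injected form,
    not to capture what the victim typed into it.
    Returns (verdict, unexpected_field_names, sensitive_field_names).
    """
    submitted = set(parse_qs(body, keep_blank_values=True).keys())
    unexpected = sorted(submitted - expected)
    sensitive = [f for f in unexpected if _canon(f) in SENSITIVE_NEVER_ON_LOGIN]
    if sensitive:
        verdict = "suspected_inject"  # the extra fields almost certainly came from malware on the client
    elif unexpected:
        verdict = "review"            # unknown extra field: new inject template or a benign client quirk
    else:
        verdict = "clean"
    return verdict, unexpected, sensitive


# Constructed sample of login submissions as a server or WAF would see them (values are dummies).
SAMPLE_POSTS = [
    ("203.0.113.10", "username=alice&password=x&csrf_token=t1"),
    ("203.0.113.11", "username=bob&password=y&csrf_token=t2&cc_number=0000&PIN=0000"),
    ("203.0.113.12", "username=carol&password=z&csrf_token=t3&remember_me=1"),
]


def triage(posts):
    """Return one alert per non-clean submission: (client_ip, verdict, unexpected field names)."""
    alerts = []
    for client_ip, body in posts:
        verdict, unexpected, _ = analyze_login_post(body)
        if verdict != "clean":
            alerts.append((client_ip, verdict, unexpected))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_POSTS):
        print(alert)
```

A `suspected_inject` verdict is a signal that the client, not the server, is compromised: the useful responses are to step up authentication for that session and to notify the user out of band, rather than to treat the request as a server-side attack.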
SSL IS A SECURITY GAP
… and the FW / IPS / NGFW / UTM vendors do not have a solution.
• Malware Attack
• Phishing Attack
• Web Defacement
• Web Application Attack
• SSL Attack
• DNS Attack
• DDoS Attack
IN SECURITY, ARCHITECTURE IS KEY!!!
FULL PROXY – Security Digital Air Gap (inherently more secure)
Outside “Untrusted” (HTTP / SSL) ↔ FULL PROXY ↔ Inside “Trusted” (HTTP / SSL): the proxy terminates the outside connection and opens its own, separate connection to the inside.
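As an added illustration of what the “digital air gap” of a full proxy means in practice (this is example code written for this page, not F5 code and not a description of how BIG-IP implements it): the outside request is parsed into its parts and a fresh, canonical request is generated for the inside connection, so no byte from the untrusted side is forwarded verbatim. The allowed methods, the forwarded-header whitelist and the rejection rules are assumptions of the example.

```python
import re

# RFC 7230 header-name token and a strict HTTP/1.x request line.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}  # assumed policy

# Only these headers are regenerated on the inside connection (assumed whitelist).
FORWARDED_HEADERS = ("host", "content-type", "content-length", "user-agent",
                     "accept", "cookie", "authorization")


class ProxyReject(ValueError):
    """Raised when the outside request cannot be understood unambiguously."""


def parse_request(raw: bytes):
    """Parse the outside request into (method, target, headers, body).

    Anything ambiguous is rejected rather than guessed: a packet-forwarding
    device would pass these bytes through, a full proxy refuses to speak them.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        raise ProxyReject("non-ASCII bytes in header block")
    lines = text.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ProxyReject("malformed request line")
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        raise ProxyReject(f"method not allowed: {method}")
    headers = {}
    for line in lines[1:]:
        if line == "":
            continue
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            raise ProxyReject(f"malformed header: {line!r}")
        key = name.lower()
        if key in headers and key in ("content-length", "host"):
            raise ProxyReject(f"duplicate {key} header")
        headers[key] = value.strip()
    # Body framing must be unambiguous before anything reaches the inside.
    if "content-length" in headers and "transfer-encoding" in headers:
        raise ProxyReject("conflicting framing headers")
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise ProxyReject("non-numeric content-length")
        if int(headers["content-length"]) != len(body):
            raise ProxyReject("content-length does not match body")
    elif body:
        raise ProxyReject("body without length")
    return method, target, headers, body


def build_inside_request(method, target, headers, body) -> bytes:
    """Re-serialize a canonical request for the inside ('trusted') connection."""
    out = [f"{method} {target} HTTP/1.1"]
    for name in FORWARDED_HEADERS:
        if name in headers:
            out.append(f"{name.title()}: {headers[name]}")
    out.append("Connection: close")
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii") + body


def full_proxy(raw: bytes):
    """Outside request in, inside request out. Returns (True, bytes) or (False, reason)."""
    try:
        return True, build_inside_request(*parse_request(raw))
    except ProxyReject as e:
        return False, str(e)


if __name__ == "__main__":
    # Constructed sample: one clean request and one with an ambiguous header block.
    print(full_proxy(b"GET /login HTTP/1.1\r\nHost: bank.example\r\nX-Debug: 1\r\n\r\n"))
    print(full_proxy(b"GET /login HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n"))
```

The two halves are independent: a parser that understands the outside protocol fully, and a serializer that only ever emits well-formed requests. That separation is what lets the same device inspect SSL-terminated traffic, apply WAF rules and load-balance without a second hop.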
2. Today’s Network is Way Too Complex!
TODAY’S SECURITY APPROACH
Devices chained in front of the Server: Anti-DDoS, WAF, L3/4 FW, IDS/IPS, APT / DLP, SSL Decrypter, Load Balancer, SSL Encrypter, A/V, and more.
• Many different devices – increased risk
• Many hops – increased latency
• Complicated troubleshooting
• Capacity increase affects all
Smart Consolidation is the way to go. Fill the security gap holistically using Full Proxy Architecture!
SECURITY CONSOLIDATION WITH FULL PROXY
Before: Anti-DDoS, WAF, L3/4 FW, IDS/IPS, APT / DLP, SSL Decrypter, Load Balancer, SSL Encrypter, A/V, each a separate device in front of the Server.
After: one full-proxy platform providing Anti-DDoS + L3/4 FW + LB + SSL Offload + WAF.
• Fewer devices to maintain / learn
• Fewer hops – decreased latency
• Simpler troubleshooting
• Fewer devices – less risk
• Lower TCO (83%)
3. Today’s DDoS Attack Volume is Too Large
NEW ATTACK VECTORS EMERGE: Network Time Protocol (NTP) attacks went from zero to huge in 3 months.
ATTACK THREATS: PAY UP OR ELSE!
• DD4BC claims ~400 Gbps
• Extortion demands of 1-40 Bitcoin
• FBI June 26 report – DD4BC initially targeted illegal gaming/gambling, and is now moving to legitimate businesses like payment providers, banks and securities.
• UDP Amplification Attacks (NTP, SSDP, DNS); TCP SYN Floods; and Layer 7 attacks
April - June 2015: emails sent to legitimate businesses with the threat of massive DDoS attacks.
Sample from actual email (image not reproduced)
GARTNER ON DDOS – GO HYBRID!
Hybrid DDoS Protection: “Cloud + On-Premise” makes the most sense.
GO HYBRID: the combination of on-prem protection and off-prem cloud services will enable organisations to get better and more effective protection, visibility and control.
HYBRID ARCHITECTURE WITH FULL PROXY SECURITY
Diagram components: Public Clouds, Remote User, Data Center (APPS, WORKER, IDENTITY), SaaS; Silverline cloud services – Integrity Services (WAF), Availability Services (DDoS), SOC; F5 platforms shown as HW/VE and VE.
GLOBAL COVERAGE
Fully redundant and globally distributed data centers worldwide, in each geographic region:
– San Jose, CA US
– Ashburn, VA US
– Frankfurt, DE
– Singapore, SG
Industry-Leading Bandwidth
• Attack mitigation bandwidth capacity over 2.0 Tbps
• Scrubbing capacity of over 1.0 Tbps
• Guaranteed bandwidth with Tier 1 carriers
24/7 Support
F5 Security Operations Center (SOC) is available 24/7 with security experts ready to respond to DDoS attacks within minutes
– Seattle, WA US (SOC)
F5 SECURITY OPERATIONS CENTER
Availability & Support: expert DDoS mitigation policy setup and management; active threat monitoring; experts in DDoS monitoring/mitigation & WAF policy management.
• Wealth of DDoS monitoring and mitigation experience from the Defense.net acquisition
• Experts in WAF policy setup, management and mitigation of web application threats
• Active monitoring of worldwide threats
• 24x7x365 availability to work alongside customers for:
  – DDoS mitigation and remediation
  – Expert policy setup, policy fine-tuning
  – Proactive alert monitoring
  – False positives tuning, detection tuning
  – Whitelist / blacklist setup and monitoring
SUMMARY
HYBRID PROTECTION: combining the “resilience and scale” of the cloud with the “granularity and always-on capabilities” of on-premise.
Unified Attack Command | Control between Cloud (Silverline) and On-Premise (BIG-IP): shun signaling, request for service, IP list management.
F5 On-Premise (BIG-IP)
• Protects its own backyard. Not all attacks are full pipe.
• Protects against slow/low application layer attacks that may not trigger diversion into a cloud-based scrubber.
• Handles SSL or encrypted attacks where organisations may not be allowed to put SSL keys in the cloud.
• Attacks are blended. Protects against web application attacks like OWASP Top 10 (SQLi, XSS, CSRF) and zero-day vulnerabilities (Shellshock, POODLE, Heartbleed).
F5 Silverline (Cloud)
• Protects against full pipe attacks that congest the last mile.
• Mitigates volumetric attacks before they come into an organisation’s data centre.
• Expertise from the F5 SOC to react fast and mitigate effectively.
• Automatic signalling and attack telemetry exchange between F5 on-premise and Silverline.
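The division of labour above reduces to a policy the on-premise device evaluates every interval: handle traffic locally while the pipe has headroom, send a request for service to the cloud scrubber when inbound volume approaches link capacity, release the diversion only after traffic has stayed low for a while, and share the sources it has shunned. The code below is an added example written for this page, not F5 code and not how BIG-IP or Silverline signal each other; the thresholds, the hysteresis rule, the message names and the sample telemetry are all constructed for the illustration.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class LinkSample:
    """One measurement interval at the data-centre edge (constructed sample data, not real telemetry)."""
    second: int
    inbound_mbps: float
    packets_by_src: dict = field(default_factory=dict)  # source IP -> packets seen in the interval


@dataclass
class HybridPolicy:
    """Thresholds assumed for this example; a real deployment tunes them to its own pipe and SLAs."""
    link_capacity_mbps: float
    divert_ratio: float = 0.8      # send a Request for Service to the cloud at this share of the pipe
    release_ratio: float = 0.3     # traffic must fall to this share before the diversion is released
    hold_intervals: int = 3        # and stay there this many consecutive intervals (hysteresis)
    per_src_pps_limit: int = 2000  # sources above this rate are shunned locally and reported to the cloud


def run_policy(samples, policy):
    """Walk the samples in time order.

    Returns (decision log, shun list). Low-and-slow attacks never push the share
    past divert_ratio, so they stay LOCAL: that is the on-premise device's job.
    """
    diverted, calm, log, shun = False, 0, [], Counter()
    for s in samples:
        share = s.inbound_mbps / policy.link_capacity_mbps
        for src, pkts in s.packets_by_src.items():
            if pkts > policy.per_src_pps_limit:
                shun[src] += 1  # local shun; the sorted list is what gets pushed to the cloud
        if not diverted and share >= policy.divert_ratio:
            diverted, calm = True, 0
            log.append((s.second, "REQUEST_FOR_SERVICE", round(share, 2)))
        elif diverted:
            calm = calm + 1 if share <= policy.release_ratio else 0
            if calm >= policy.hold_intervals:
                diverted = False
                log.append((s.second, "RELEASE", round(share, 2)))
            else:
                log.append((s.second, "DIVERTED", round(share, 2)))
        else:
            log.append((s.second, "LOCAL", round(share, 2)))
    return log, sorted(shun)


ATTACKER = "198.51.100.7"  # constructed source address (TEST-NET-2)
SAMPLES = [  # constructed: a volumetric burst that fills 90-95% of a 1 Gbps pipe, then subsides
    LinkSample(0, 120, {"192.0.2.10": 300, "192.0.2.11": 250}),
    LinkSample(1, 450, {"192.0.2.10": 320, ATTACKER: 1500}),
    LinkSample(2, 900, {"192.0.2.10": 310, ATTACKER: 6000}),
    LinkSample(3, 950, {ATTACKER: 6500}),
    LinkSample(4, 200, {"192.0.2.10": 300}),
    LinkSample(5, 150, {"192.0.2.11": 280}),
    LinkSample(6, 100, {"192.0.2.10": 290}),
    LinkSample(7, 100, {"192.0.2.10": 300}),
]


def demo():
    """Run the constructed telemetry through a policy for a 1 Gbps link."""
    return run_policy(SAMPLES, HybridPolicy(link_capacity_mbps=1000))


if __name__ == "__main__":
    log, shun = demo()
    for entry in log:
        print(entry)
    print("shun list:", shun)
```

The hysteresis (`release_ratio` well below `divert_ratio`, plus `hold_intervals`) is the part worth keeping from this sketch: without it the device flaps between local handling and cloud diversion as the attacker's traffic fluctuates around the threshold, and each flap is a route change the scrubbing provider has to absorb.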
FOREIGN EXCHANGE TRADING PLATFORM
“I just wanted to let you all know how extremely satisfied I am with the deployment procedure, management systems and support I received from… .
I can now surely say that F5 was a great choice for us and I'll gladly help out if you need a reference to onboard customers…
…., thanks for the explanations and looking after us ...thanks for all the detailed explanations that helped me drive my CTO, CEO and President to agree with my decision to go with F5-Silverline.
If you would like to have a quick call tomorrow or next week about our experience, I'd be more than glad to do so.”
-- A satisfied EMEA-based Trading Platform Customer
Key benefits of F5:
• Protection against the largest attacks
• Advanced and unique DDoS mitigation techniques
• Team of industry expert DDoS fighters
• Simple installation process
F5 Reference Architectures: • Hybrid DDoS Protection
F5 Silverline DDoS Protection
“The attacks are definitely getting larger and we know that trend will continue as the number of websites we support increases. That is why we are working with F5. When the big attacks come, we’ll be ready.”
-- Chris Fanini, Co-Founder and CTO, Weebly
Key benefits of F5:
• Protection against the largest attacks
• Advanced and unique DDoS mitigation techniques
• Team of industry expert DDoS fighters
• Simple installation process
F5 Reference Architectures: • Hybrid DDoS Protection