DATACENTER SECURITY
Turo Siira, System Engineer, F5 Networks
Slide 2
2 F5 Networks, Inc.
Maintaining Security Today Is Challenging
Webification of apps: 71% of internet experts predict most people will do work via web or mobile by 2020.
Device proliferation: 95% of workers use at least one personal device for work. 130 million enterprises will use mobile apps by 2014.
Evolving security threats: 58% of all e-theft tied to activist groups. 81% of breaches involved hacking.
Shifting perimeter: 80% of new apps will target the cloud. 72% of IT leaders have or will move applications to the cloud.
Slide 3
Datacenter Security Needs
To scale: scale for a work-anywhere / SSL-everywhere world.
To secure: security for applications and data against sustained attacks.
To simplify: simplification of point solutions and complex firewall configurations.
Slide 4
DDoS Mitigation: F5 Mitigation Technologies
Application attacks (Slowloris, Slow Post, HashDos, GET floods): BIG-IP ASM, with positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.
Session attacks (DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation): BIG-IP LTM and GTM, with high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.
Network attacks (SYN flood, connection flood, UDP flood, PUSH and ACK floods, Teardrop, ICMP floods, ping floods and Smurf attacks): BIG-IP AFM, with SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.
Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
[Diagram: F5 mitigation technologies mapped onto the OSI stack, Physical (1) through Application (7); the difficulty of attack detection increases up the stack.]
Slide 5
Protecting the datacenter
[Diagram: use cases before F5 and with F5. Before F5: separate load balancer, DNS security, network DDoS, web application firewall and web access management. With F5: load balancer & SSL, application DDoS and firewall on one platform.]
Slide 6
Protecting the datacenter
Consolidation of firewall, app security, traffic management.
Protection for data centers and application servers.
High scale for the most common inbound protocols.
[Diagram: use cases before F5 and with F5. Before F5: separate load balancer, DNS security, network DDoS, web application firewall and web access management. With F5: load balancer & SSL, application DDoS and firewall on one platform.]
Slide 7
SSL Inspection
Gain visibility and detection of SSL-encrypted attacks.
Achieve a high-scale, high-performance SSL proxy.
Offload SSL to reduce load on application servers.
Slide 8
VIPRION iRules with Security: HashDos / Post of Doom
The HashDos / Post of Doom vulnerability affects all major web servers and application platforms.
A single DevCentral iRule mitigates the vulnerability for all back-end services.
Staff can schedule patches for back-end services on their own timeline.
Slide 9
iRules with Security: Prioritize connections based on country
https://devcentral.f5.com/wiki/irules.whereis.ashx
Slide 10
Security at the Strategic Point of Control
[Diagram: clients reach virtual, physical and cloud infrastructure and storage through Total Application Delivery Networking Services: remote access SSL VPN, app firewall, network firewall, DNS security.]
Slide 11
DNS Security
Slide 12
The Dynamics of the DNS Market
DNS demand from Internet growth, 4G/LTE, DDoS protection and availability.
[Chart: average daily load for DNS (TLD) queries, in billions, by year.]
It is typical for a single web page to consume 100+ DNS queries from active content, advertising and analytics.
Global mobile data (4G/LTE) is driving the need for fast, available DNS: 86 MB/mo for non-4G LTE versus 2.4 GB/mo for 4G LTE; 18x growth 2011-2016.
New ICANN TLDs will create new demands for scale.
Attacks on DNS are becoming more common: cache poisoning attacks, reflection / amplification DDoS, a drive for DNSSEC adoption.
DNS services must be robust: distributed, available, high performance; GSLB for multiple datacenters; geographically dispersed DCs; DNS capacity close to subscribers; total service availability.
Slide 13
DNS the F5 Way
Conventional DNS thinking: Internet, external firewall, DNS load balancing, an array of DNS servers, internal firewall, hidden master DNS in the datacenter. Adding performance = more DNS boxes. Weak DoS/DDoS protection.
F5 DNS delivery reimagined (the F5 paradigm shift): Internet, DMZ, master DNS infrastructure. DNS firewall, DNS DDoS protection, protocol validation, authoritative DNS, caching resolver, transparent caching, high-performance DNSSEC, DNSSEC validation, intelligent GSLB. Massive performance, over 10M RPS! Best DoS / DDoS protection. Simplified management (partner). Less CAPEX and OPEX.
Slide 14
Network Firewall: Advanced Firewall Manager
Slide 15
BIG-IP Advanced Firewall Manager (AFM)
Packaging: SW license. Supported on all platforms (BIG-IP VE, BIG-IP appliances and VIPRION). Standalone or add to LTM.
Features: L4 stateful full-proxy firewall. IPsec, NAT, advanced routing, full SSL, AVR, Protocol Security. DDoS (TCP, UDP, DNS, floods, HTTP): over 80 attack types. GUIs for configuring rules, logging, etc. All under a new Security tab.
Slide 16
AFM GUI Configuration
Main configuration under the Security tab.
Slide 17
AFM GUI Configuration
Main configuration under the new Security tab.
Context-aware rules can be configured at the object level.
Slide 18
AFM DoS Protection
Security > DoS Protection > Device Configuration. Applied globally.
L2-L4 DoS attack vector detection and thresholding in hardware on platforms using the HSBe2 FPGA: BIG-IP 5000 series, BIG-IP 7000 series, BIG-IP 10000 series, VIPRION B4300 blade, VIPRION B2100 blade.
Slide 19
AFM DoS DNS Protection
Security > DoS Protection > DoS Profile.
Slide 20
IP Intelligence
Slide 21
IP Intelligence Overview
Dynamic IP reputation threat prevention.
All BIG-IP appliances and product modules.
Near-real-time updates (up to 5 min intervals).
Dramatically reduces system loads.
Subscription-based service.
Slide 22
IP Intelligence
Identify and allow or block IP addresses with malicious activity. IP address feed updates every 5 min. Use IP intelligence to defend against attacks. Reduce operating and capital expenses.
[Diagram: the BIG-IP system, in front of a financial application and a custom application, consults the IP Intelligence service and a geolocation database to classify sources: anonymous proxies, scanners, botnet, attacker, anonymous requests, internally infected devices and servers.]
Slide 23
IP Intelligence Service Management in the BIG-IP ASM UI
Easily manage alarms and blocking in ASM.
Approve desired IPs with the whitelist.
Policy Building enabled for ignoring.
Easily configure violation categories.
Slide 24
Web Application Security
Slide 25
Who Is Responsible for Application Security?
[Diagram: clients, applications, infrastructure and storage, with developers, engineering services, DBAs and network security each owning a part.]
Slide 26
What Is ASM?
Allows the security team to secure a website without changing the application code.
Provides comprehensive protection for all web application vulnerabilities, including (D)DoS.
Logs and reports all application traffic, attacks and usernames.
Educates admins on attack type definitions and examples.
PCI compliance.
Slide 27
How Does It Work?
Security at application, protocol and network level.
Request made; security policy checked; enforcement (content scrubbing, application cloaking); server response; security policy applied; response delivered.
Actions: log, block, allow.
"BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application."
Slide 28
Multiple Security Layers
RFC enforcement.
Various HTTP limits enforcement.
Profiling of good traffic: defined list of allowed file types, URIs, parameters.
Each parameter is evaluated separately for: predefined value, length, character set, attack patterns.
Looking for pattern-matching signatures.
Responses are checked as well.
Slide 29
1. Start by checking RFC compliance.
2. Then check for various length limits in the HTTP.
3. Then we can enforce valid types for the application.
4. Then we can enforce a list of valid URLs.
5. Then we can check for a list of valid parameters.
6. Then for each parameter we will check for max value length.
7. Then scan each parameter, the URI, the headers.
Sample request:
GET /search.php?name=Acmes&admin=1 HTTP/1.1\r\n
Host: 172.29.44.44\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;\r\n
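The seven checks above as a toy positive-security filter in Python, run against the slide's sample request; this is an added example, not F5's code, and the allowed types, URLs, parameters, limits and signatures are constructed assumptions.

```python
# Policy values, limits and signatures below are constructed assumptions.
import re
from urllib.parse import urlsplit, parse_qsl

POLICY = {
    "max_request_len": 4096,
    "allowed_types": {"php", "html", "css", "js", ""},
    "allowed_urls": {"/search.php", "/index.php"},
    "params": {"name": {"max_len": 32, "charset": r"^[A-Za-z0-9 ]*$"},
               "q": {"max_len": 64, "charset": r"^[A-Za-z0-9 ]*$"}},
    "signatures": [(r"(?i)(union\s+select|'\s*or\s+1=1)", "SQLi"),
                   (r"(?i)<script", "XSS"), (r"\.\./", "path traversal")],
}
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")

def check_request(raw: bytes, policy=POLICY):
    """Return the list of violations; an empty list means the request passes."""
    v = []
    # 1. RFC compliance: CRLF framing, well-formed request line and headers.
    if b"\r\n\r\n" not in raw:
        return ["RFC: missing CRLF CRLF terminator"]
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["RFC: malformed request line"]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return [f"RFC: malformed header {line!r}"]
        k, val = line.split(":", 1)
        headers[k.strip().lower()] = val.strip()
    if "host" not in headers:            # required by HTTP/1.1
        v.append("RFC: Host header missing")
    # 2. Length limit on the request as a whole.
    uri = m.group(2)
    if len(raw) > policy["max_request_len"]:
        v.append("length: request too long")
    # 3. File type allow-list, 4. URL allow-list.
    parts = urlsplit(uri)
    last = parts.path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1] if "." in last else ""
    if ext not in policy["allowed_types"]:
        v.append(f"type: {ext!r} not allowed")
    if parts.path not in policy["allowed_urls"]:
        v.append(f"url: {parts.path} not allowed")
    # 5. Parameter allow-list, 6. per-parameter value length and charset.
    params = parse_qsl(parts.query, keep_blank_values=True)
    for name, value in params:
        spec = policy["params"].get(name)
        if spec is None:
            v.append(f"param: {name} not allowed")
        elif len(value) > spec["max_len"]:
            v.append(f"param: {name} value too long")
        elif not re.match(spec["charset"], value):
            v.append(f"param: {name} illegal characters")
    # 7. Attack-signature scan over every parameter, the URI and the headers.
    targets = ([("uri", uri)] + [(f"param {n}", val) for n, val in params]
               + [(f"header {k}", val) for k, val in headers.items()])
    for where, text in targets:
        for pat, label in policy["signatures"]:
            if re.search(pat, text):
                v.append(f"signature: {label} in {where}")
    return v

# The slide's sample request, reconstructed with CRLF line endings.
SAMPLE = (b"GET /search.php?name=Acmes&admin=1 HTTP/1.1\r\nHost: 172.29.44.44\r\n"
          b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\nConnection: keep-alive\r\n"
          b"Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;\r\n\r\n")
```

On the slide's request the only finding is the `admin` parameter, which is not in the allow-list; the positive model catches it without any signature.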
Slide 30
Streamlined Deployment Options
For mission-critical applications: prebuilt app policy. Out-of-the-box protection; prebuilt, preconfigured and validated policies.
Any custom application (HR apps, finance apps, sales apps, marketing apps): rapid deployment policy. Immediate security with 80% of events; minimal configuration time and a starting point for more advanced policy creation.
Slide 31
Three Ways to Build a Policy
Dynamic policy builder (automatic): no knowledge of the app required; adjusts policies if the app changes.
Manual: advanced configuration for custom policies.
Integration with app scanners: virtual patching with continuous application scanning.
Slide 32
Attack Expert System in ASM
1. Click on the info tooltip.
The attack expert system makes responding to vulnerabilities faster and easier: violations are represented graphically, with a tooltip to explain the violation. The entire HTTP payload of each event is logged.
Slide 33
Detailed Logging with Actionable Reports
At-a-glance PCI compliance reports. Drill-down for information on security posture.
Slide 34
Computational DoS Mitigation in HTTP L7: Application Security Manager
Transactions per second (TPS) based anomaly detection allows you to detect and mitigate DoS attacks based on the client side.
Latency-based anomaly detection allows you to detect and mitigate attacks based on the behavior of the server side.
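An added example, not F5's code, of the two detection modes side by side: a per-source transactions-per-second check for the client side, and a server-latency check that names the URL carrying the slow transactions so mitigation can be scoped to it. Thresholds and the traffic samples are constructed.

```python
# Added example (not F5's code). Thresholds and the traffic samples below are
# constructed; each event is one HTTP transaction seen by the proxy.
from collections import Counter
from statistics import mean

def per_second_rate(events, seconds):
    """Transactions per second per client source address."""
    counts = Counter(e["src"] for e in events)
    return {src: n / seconds for src, n in counts.items()}

def detect_tps_anomalies(baseline, window, min_tps=20, ratio=5.0):
    """Client-side (TPS-based) detection. Both arguments are (events, seconds)
    pairs. A source is flagged when its rate in the current window exceeds an
    absolute floor and is a multiple of its learned rate; a source never seen
    during learning is compared against the floor alone."""
    base = per_second_rate(*baseline)
    now = per_second_rate(*window)
    return {src: round(tps, 1) for src, tps in now.items()
            if tps >= min_tps and tps >= ratio * base.get(src, min_tps / ratio)}

def detect_latency_anomaly(baseline, window, ratio=3.0, min_ms=250):
    """Server-side (latency-based) detection. When mean server latency in the
    window is far above the learned mean, return the URL carrying most of the
    slow transactions so that mitigation can be scoped to it."""
    base_ms = mean(e["latency_ms"] for e in baseline)
    now_ms = mean(e["latency_ms"] for e in window)
    if now_ms < min_ms or now_ms < ratio * base_ms:
        return None
    slow = Counter(e["url"] for e in window if e["latency_ms"] >= ratio * base_ms)
    return {"baseline_ms": round(base_ms), "current_ms": round(now_ms),
            "url": slow.most_common(1)[0][0]}

def make_events(src, url, n, latency_ms):
    return [{"src": src, "url": url, "latency_ms": latency_ms} for _ in range(n)]

# Learning period: 60 s of normal traffic, three clients at 1 request/s.
BASELINE = (make_events("10.0.0.1", "/index.php", 60, 40)
            + make_events("10.0.0.2", "/search.php", 60, 60)
            + make_events("10.0.0.3", "/index.php", 60, 40))
# Detection window: 10 s in which a new source hammers the search page and
# the server's response time for that page climbs.
WINDOW = (make_events("10.0.0.1", "/index.php", 10, 45)
          + make_events("10.0.0.2", "/search.php", 10, 420)
          + make_events("203.0.113.9", "/search.php", 500, 430))

def run():
    """Both detectors over the constructed window."""
    return (detect_tps_anomalies((BASELINE, 60), (WINDOW, 10)),
            detect_latency_anomaly(BASELINE, WINDOW))

if __name__ == "__main__":
    print(run())
```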
Slide 35
Unified Access
Slide 36
Business Computing Is Evolving
Access methods, application fluidity, infrastructure performance.
Slide 37
BIG-IP Local Traffic Manager + Access Policy Manager
[Diagram: users reach the directory, SharePoint, OWA, cloud, web servers (App 1 ... App n, each app on its own OS) and hosted virtual desktops through BIG-IP LTM + APM.]
Enabled simplified application access.
Slide 38
Enhancing Web Access Management
[Diagram: create policy: corporate domain, latest AV software, current O/S, administrator, user = HR, HR AAA server.]
Proxy the web applications to provide authentication, authorization, endpoint inspection, and more, all tying into Layer 4-7 ACLs through F5's Visual Policy Editor.
Slide 39
Access Policy using SMS token
Slide 40
APM SAML: How it Works
[Diagram: end user, business partners (ADFS), public/private network; Login.example.com, Sharepoint.example.com, OWA.example.com, Portal.example.com; Active Directory, ADFS and an Apache/Tomcat app across data center 1 and data center 2.]
A domain user makes a SAML-supported request for a resource.
Slide 41
APM SAML: How it Works
An SP-initiated POST is sent back to the client in the form of a redirect to https://login.example.com.
Slide 42
APM SAML: How it Works
The client posts credentials to login; the credentials are validated with Active Directory. A SAML assertion is generated and passed back to the client with a redirect to the requested application.
Slide 43
APM SAML: How it Works
The client successfully logs on to the application with the SAML assertion.
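The exchange on slides 40 to 43, as an added Python example that is not F5's or APM's code: the SP redirects the client to login.example.com with a request ID, the IdP validates the credentials and issues an assertion, and the SP accepts the logon only after checking signature, issuer, audience, InResponseTo and expiry. Simplifications, all constructed: the assertion is JSON signed with a shared-secret HMAC rather than XML-DSig, the AuthnRequest is just an ID in the query string, and a dict stands in for Active Directory.

```python
# Added example (not F5's code). Simplifications, all constructed: the
# assertion is JSON signed with a shared-secret HMAC rather than XML-DSig,
# the AuthnRequest is just an ID in the query string, and a dict stands in
# for Active Directory.
import hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit

IDP_KEY = b"constructed-idp-signing-secret"
DIRECTORY = {"alice": "correct horse"}
SP_URL = "https://sharepoint.example.com/"
IDP_URL = "https://login.example.com/"

def sp_start(sp_url=SP_URL):
    """SP-initiated request: the SP records a fresh request ID and redirects
    the client to the IdP with it."""
    req_id = "id-" + secrets.token_hex(8)
    return req_id, IDP_URL + "?" + urlencode({"SAMLRequest": req_id, "Issuer": sp_url})

def idp_login(redirect, user, password, clock=time.time):
    """Client posts credentials; the IdP validates them against the directory,
    then issues a signed assertion bound to the requesting SP and request."""
    q = parse_qs(urlsplit(redirect).query)
    if DIRECTORY.get(user) != password:
        return None
    body = {"issuer": IDP_URL, "subject": user, "audience": q["Issuer"][0],
            "in_response_to": q["SAMLRequest"][0],
            "not_on_or_after": int(clock()) + 300}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"assertion": payload, "signature": sig, "redirect": q["Issuer"][0]}

def sp_consume(response, expected_req_id, sp_url=SP_URL, clock=time.time):
    """The SP logs the client on only if every check on the assertion passes."""
    payload = response["assertion"].encode()
    want = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, response["signature"]):
        return None, "bad signature"
    a = json.loads(payload)
    if a["issuer"] != IDP_URL:
        return None, "unexpected issuer"
    if a["audience"] != sp_url:
        return None, "assertion not meant for this SP"
    if a["in_response_to"] != expected_req_id:
        return None, "assertion does not answer our request"
    if clock() >= a["not_on_or_after"]:
        return None, "assertion expired"
    return a["subject"], "ok"

def run_flow(user, password, clock=time.time):
    """The whole exchange: request, login, assertion, logon."""
    req_id, redirect = sp_start()
    response = idp_login(redirect, user, password, clock)
    if response is None:
        return None, "login failed"
    return sp_consume(response, req_id, clock=clock)
```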
Slide 44
TMOS and Platform
Slide 45
Full Proxy Security
[Diagram: client-side and server-side stacks (physical, network, session, application, web application) meeting at the full proxy.]
L4 firewall: full stateful policy enforcement and TCP DDoS mitigation.
SSL inspection and SSL DDoS mitigation.
HTTP proxy, HTTP DDoS and application security.
Application health monitoring and performance anomaly detection.
Slide 46
F5's Approach: TMOS
Full proxy security: L4 firewall with full stateful policy enforcement and TCP DDoS mitigation; SSL inspection and SSL DDoS mitigation; HTTP proxy, HTTP DDoS and application security; application health monitoring and performance anomaly detection.
High-performance HW. iRules: network programming language. iControl API: external monitoring and control.
TMOS traffic plug-ins on a high-performance networking microkernel with powerful application protocol support (IPv4/IPv6, SSL, TCP, HTTP). Optional modules (ASM, AFM, APM) plug in for all F5 products and solutions. Traffic management microkernel: a proxy with client-side and server-side SSL, TCP, OneConnect and HTTP.
Slide 47
F5's Purpose-Built Design: Performance and Scalability
Optimized hardware utilizing custom Field Programmable Gate Array (FPGA) technology tightly integrated with TMOS and software.
Embedded Packet Velocity Acceleration (ePVA) FPGA delivers: linear scaling of performance; high-performance interconnect between Ethernet ports and CPUs; high L4 throughput and reduced load on CPUs; integrated hardware and software DDoS protection against large-scale attacks; predictable performance for low-latency protocols (FIX).
[Diagram: example of the unique F5 VIPRION architecture.]
Slide 49
Application Delivery Firewall
Bringing an application-centric view to firewall security. One platform: SSL inspection, Application Delivery Controller, DNS security, access control, application security, network firewall (EAL2+; EAL4+ in process), DDoS mitigation.
Slide 50
F5 BIG-IP delivers ONE PLATFORM (HW/SW)
ICSA-certified firewall (Advanced Firewall Manager): stateful full-proxy firewall; on-box logging and reporting; native TCP, SSL and HTTP proxies; network and session anti-DDoS.
Access control (Access Policy Manager): dynamic, identity-based access control; simplified authentication, consolidated infrastructure; strong endpoint security and secure remote access; high performance and scalability; BYOD 2.0 integration (SaaS); VDI integration (ICA, PCoIP).
Application delivery controller (Local Traffic Manager): #1 application delivery controller; application fluency; app-specific health monitoring; application offload; streamlined app deployment.
Application security (Application Security Manager): leading web application firewall; PCI compliance; virtual patching for vulnerabilities; HTTP anti-DDoS; IP protection.
DNS security (Global Traffic Manager and DNSSEC): huge-scale DNS solution; global server load balancing; signed DNS responses; offload DNS crypto.
Web and WAN optimization (Application Acceleration): front end optimization; server offload; network optimization; mobile acceleration; HTTP 2.0 / SPDY gateway.
Also on the platform: DDoS mitigation and SSL inspection.
Slide 51
devcentral.f5.com
facebook.com/f5networksinc
linkedin.com/companies/f5-networks
twitter.com/f5networks
youtube.com/f5networksinc
Slide 52
F5 data center firewall aces performance test
By David Newman, Network World, July 22, 2013 06:05 AM ET
http://www.networkworld.com/reviews/2013/072213-firewall-test-271877.html