Wojcik Securing and Accelerating the InteropNOC With F5 Networks v0.2


  • 8/10/2019 Wojcik Securing and Accelerating the InteropNOC With F5 Networks v0.2

    1/30

Securing and Accelerating the InteropNOC with F5 Networks

Joe Wojcik, Consultant II, [email protected]
Bocchino, Principal Systems Architect, [email protected]

Agenda

- Overview of F5
- SPDY (pronounced "speedy")
- Advanced Firewall Manager (AFM)
- Application Security Manager (ASM)
- Access Policy Manager (APM)
- Questions


    InteropNET Architecture Overview


F5 Technologies Used in the Network

ADC - Application Delivery Controller
LTM - Local Traffic Manager
GTM - Global Traffic Manager
AFM - Advanced Firewall Manager
ASM - Application Security Manager
AAM - Application Acceleration Manager
APM - Access Policy Manager


The Basics - LTM

- Profiles applied to the virtual server allow for protocol parsing.
- Monitoring of pool members ensures always-available services.

Diagram: Virtual Server -> Pool -> Pool Member, Pool Member


The Basics - GTM

- Wide IPs define FQDNs.
- A pool of data center virtual IPs ensures global availability.
- Monitoring of pool members ensures always-available services.

Diagram: Wide IP -> Pool -> DC1 Virtual Server, DC2 Virtual Server


F5 Architecture Overview

BIG-IP is a full proxy with a client-side stack and a server-side stack, enforcing at each layer:

Physical
Network: L4 firewall, full stateful policy enforcement and TCP DDoS mitigation
Session: SSL inspection and SSL DDoS mitigation
Application: HTTP proxy, HTTP DDoS and application security
Web application: application health monitoring and performance anomaly detection
Client / Server


F5 Architecture Overview: F5's Approach

- TMOS traffic plug-ins: a high-performance networking microkernel with powerful application protocol support
- iControl API: external monitoring and control
- iRules: network programming language
- High-performance hardware
- Optional modules (APM, Firewall, ...) plug in for all F5 products and solutions

Diagram: the traffic management microkernel acts as a proxy between a client-side stack (IPv4/IPv6, TCP, SSL, HTTP) and a server-side stack (TCP, SSL, OneConnect, HTTP), so each side is terminated independently.


SPDY Overview

- Google published the first SPDY draft in 2009.
- Several major websites already use it (Google, Twitter, Facebook, etc.).
- Supported in current versions of Chrome, Firefox, Internet Explorer and Opera; the Kindle Fire Silk browser uses SPDY to Internet sites and to the Amazon AWS cloud.

HTTP has several built-in assumptions that add latency:
- A single request per connection (HTTP/1.1 keep-alive reuses the connection, but requests are still served one at a time).
- Exclusively client-initiated requests.
- Uncompressed request and response headers.
- Redundant headers repeated on every request.
- Data compression is optional.

SPDY is designed to reduce application-layer latency:
- Many HTTP requests per TCP connection.
- Compressed headers, with unnecessary headers eliminated.
- Easy to implement and server-efficient.
- Always-on SSL/TLS for a more secure web.
- Server-initiated communication to the client.


SPDY Overview (cont.)

SPDY does not replace HTTP: it keeps HTTP methods, headers, response codes and the other HTTP elements, and changes how they are framed on the wire.

Basic features of SPDY:
- Multiplexed streams: unlimited concurrent streams over a single TCP connection.
- Request prioritization: assign a priority to each request to cope with bandwidth limitations.
- HTTP header compression: compresses request and response headers.
- Server-initiated streams: speed up page loads by sending content or hints without the client specifically requesting the resource.
  - Server push: the server pushes data to clients via the X-Associated-Content header; useful for initial page downloads.
  - Server hint: the server suggests resources to the client via the X-Subresources header.

Draft located at http://www.chromium.org/spdy/spdy-protocol/spdy-protocol-draft1
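The multiplexing, stream IDs and priorities listed above are all properties of SPDY's framing layer. The following is an added example, not code from the deck or from F5: a small SPDY/3 frame parser and demultiplexer in Python. It assumes SPDY/3 framing (8-byte common header, 3-bit priority in SYN_STREAM, odd stream IDs for client-initiated streams and even ones for server push) rather than the draft-1 format the slide links, and it carries the zlib-compressed name/value header block as opaque bytes instead of inflating it. The sample byte string is constructed inline by the builder functions.

```python
# Added example (not from the deck): a minimal SPDY/3 frame demultiplexer.
# Assumes SPDY/3 framing; the compressed header block is not inflated.
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, Optional

SPDY_VERSION = 3
CONTROL_BIT = 0x80000000          # high bit set = control frame, clear = DATA frame
SYN_STREAM, SYN_REPLY, RST_STREAM = 1, 2, 3
FLAG_FIN = 0x01                   # last frame on this stream
FLAG_UNIDIRECTIONAL = 0x02        # set on server-push streams


@dataclass
class Frame:
    control: bool
    stream_id: Optional[int]      # DATA, SYN_STREAM, SYN_REPLY and RST_STREAM carry one
    ctrl_type: Optional[int]      # control frame type, None for DATA
    flags: int
    priority: Optional[int]       # SPDY/3: 0 = highest .. 7 = lowest (SYN_STREAM only)
    payload: bytes


def parse_frames(buf: bytes) -> Iterator[Frame]:
    """Walk a byte string holding back-to-back SPDY/3 frames."""
    off = 0
    while off < len(buf):
        if off + 8 > len(buf):
            raise ValueError("truncated frame header at offset %d" % off)
        word0, flags_len = struct.unpack_from(">II", buf, off)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        payload = buf[off + 8:off + 8 + length]
        if len(payload) != length:
            raise ValueError("truncated frame body at offset %d" % off)
        off += 8 + length
        if not word0 & CONTROL_BIT:
            yield Frame(False, word0 & 0x7FFFFFFF, None, flags, None, payload)
            continue
        version, ctrl_type = (word0 >> 16) & 0x7FFF, word0 & 0xFFFF
        if version != SPDY_VERSION:
            raise ValueError("unsupported SPDY version %d" % version)
        stream_id = priority = None
        if ctrl_type in (SYN_STREAM, SYN_REPLY, RST_STREAM):
            stream_id = struct.unpack_from(">I", payload, 0)[0] & 0x7FFFFFFF
        if ctrl_type == SYN_STREAM:
            priority = payload[8] >> 5   # Pri is the top 3 bits of the 9th payload byte
        yield Frame(True, stream_id, ctrl_type, flags, priority, payload)


def demux(buf: bytes) -> Dict[int, dict]:
    """Reassemble per-stream data from one connection's interleaved frames."""
    streams: Dict[int, dict] = {}
    for f in parse_frames(buf):
        if f.control and f.ctrl_type == SYN_STREAM:
            if f.stream_id in streams:
                raise ValueError("duplicate SYN_STREAM for stream %d" % f.stream_id)
            streams[f.stream_id] = {
                "priority": f.priority,
                # odd IDs are client-initiated, even IDs are server-initiated (push)
                "origin": "client" if f.stream_id % 2 else "server",
                "data": b"", "fin": bool(f.flags & FLAG_FIN),
            }
        elif not f.control:
            s = streams.get(f.stream_id)
            if s is None:
                raise ValueError("DATA for unknown stream %d" % f.stream_id)
            s["data"] += f.payload
            if f.flags & FLAG_FIN:
                s["fin"] = True
    return streams


# Builders used only to construct the sample below.
def build_syn_stream(stream_id: int, priority: int, flags: int = 0,
                     assoc: int = 0, header_block: bytes = b"") -> bytes:
    body = struct.pack(">IIB", stream_id, assoc, (priority & 7) << 5) + b"\x00" + header_block
    return struct.pack(">II", CONTROL_BIT | (SPDY_VERSION << 16) | SYN_STREAM,
                       (flags << 24) | len(body)) + body


def build_data(stream_id: int, data: bytes, flags: int = 0) -> bytes:
    return struct.pack(">II", stream_id & 0x7FFFFFFF, (flags << 24) | len(data)) + data


# Constructed sample: two client streams opened back to back (stream 1 at the
# highest priority, stream 3 lower) with their DATA frames interleaved on one
# TCP connection, which is what "multiplexed streams" means on the wire.
SAMPLE = (build_syn_stream(1, 0) + build_syn_stream(3, 4)
          + build_data(3, b"second ") + build_data(1, b"first", FLAG_FIN)
          + build_data(3, b"stream", FLAG_FIN))

if __name__ == "__main__":
    for sid, s in sorted(demux(SAMPLE).items()):
        print(sid, s["origin"], "pri", s["priority"], s["data"], "fin" if s["fin"] else "")
```

The parser refuses a truncated frame rather than silently reading past the buffer, and the demultiplexer rejects DATA for a stream that was never opened, which is the check a real endpoint (or a proxy translating SPDY to HTTP) has to make before trusting a stream.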

SPDY & F5

- F5 provides production-level SPDY support in BIG-IP LTM 11.4.0.
- BIG-IP Local Traffic Manager (LTM) uses a SPDY service profile to provide the SPDY endpoint and the translation to HTTP on the server side. With everything handled on the LTM, no backend changes are required to support SPDY.
- The HTTP virtual server handles the initial request as a standard HTTP request and inserts an HTTP header into the response to inform the client that a SPDY virtual server is available to handle SPDY requests. The response is also compressed and cached.
- A SPDY-capable client then uses SSL/TLS (with NPN, Next Protocol Negotiation) to send SPDY requests to the BIG-IP system. The SPDY virtual server receives the request on port 443 and converts the SPDY request into an HTTP request before sending it to the appropriate server.
- When the server responds, the BIG-IP system converts the HTTP response into the corresponding SPDY response, compresses and caches it, and sends the response to the client.


SPDY Example: www.interop.com

Screenshot (not reproduced) of a SPDY session to www.interop.com, annotated to show the multiplexed requests, the request priority and the stream ID of each request.


SPDY: Some Numbers

The figures on this slide are from Google's testing and are posted on the Chromium project page. Individual performance will depend on page complexity, domain use, static vs. dynamic pages, and more.


AFM: High-Level Capabilities

Access control policy
- Stateful firewalling: policies, rules, address lists
- Application access control (DNS, HTTP, FTP, SMTP)

DoS detection and mitigation
- L2-L4 attack mitigation, resource protection
- Protocol-specific DoS (DNS, SIP, SSL)

Dynamic endpoint visibility and enforcement
- NGFW, botnet defense
- IP Intelligence profiles

Manageability and visibility
- Flexible and powerful high-speed logging
- Network, protocol and DoS reporting (AVR)

Encrypted traffic handling
- Site-to-site IPsec VPN tunnels
- High-scale SSL termination


AFM: Access Control Policy (packet processing flow)

1. I/O and L2 processing, then an L3 flow lookup in the flow table.
2. If a flow already exists, the packet matches the flow table and goes straight into the HUD chain (LTM + ASM + APM + GTM), bypassing rule evaluation.
3. If no flow exists: a TCP packet that is not a SYN is dropped here. Otherwise the packet passes the global network DoS checks (hardware accelerated; some vectors are not) and then the rule contexts in order: global rules, route domain rules, listener lookup (longest match first, LMF; exact match for ALG/ephemeral listeners), and the selected listener's own rules.
4. Within each context, rules are processed in order and the first match decides. Accept continues to the next context; no match in a context falls through with that context's default action (the diagram shows Default Accept for the rule contexts). Accept decisively allows matching packets to pass without further rule processing. Drop or reject ends processing.
5. An accepted packet installs a flow, so the rest of that flow takes the fast path in step 2.

Legend: DROP or NO MATCH = silently discard. REJECT = if TCP, send RST; else DROP. Accept decisively: allows matching packets to pass without further rule processing. LMF: longest match first. HW accelerated: some vectors are not hardware accelerated.


AFM: Access Control Policy

Flow classification criteria: time based, protocol, source address, source port, source VLAN, destination address, destination port.

Rule lists: groupings of rules; global rules that can be used anywhere in the policy and referenced in multiple policies on multiple firewalls.

Primary actions:
- Drop: silently discard
- Reject: drop and inform the sender
- Accept: permit
- Accept decisively: permit and skip processing at subsequent contexts
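The order in which contexts and rules are consulted, and what each action does to that order, is easiest to see by running packets through a model of it. The following is an added example in Python, not F5 code and not the AFM implementation: a toy rule engine that applies the semantics the two slides above describe (contexts walked in order, first match per context, accept vs. accept-decisively, reject sending a RST only for TCP, flow-table fast path, and the non-SYN drop from the processing flow). The classification fields are the ones the slide lists; the policy, rule names and addresses are constructed for the example.

```python
# Added example, not from the deck: a toy model of AFM rule-context processing.
# Assumed semantics (from the slides): contexts are evaluated in order (global,
# route domain, virtual server); within a context the first matching rule wins;
# "accept" goes on to the next context, "accept-decisively" skips the remaining
# contexts, "drop" discards silently, "reject" sends a TCP RST (non-TCP: drop);
# no match in a context falls through (default accept); a TCP non-SYN packet
# with no flow-table entry is dropped before any rule is consulted.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass
class Packet:
    proto: str                # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    vlan: str = "external"
    tcp_syn: bool = True      # only meaningful for proto == "tcp"
    hour: int = 12            # hour of day, for time-based rules


@dataclass
class Rule:
    name: str
    action: str               # accept | accept-decisively | drop | reject
    proto: Optional[str] = None
    src: Sequence[str] = ()   # CIDR address list; empty = any
    dst: Sequence[str] = ()
    sport: Optional[range] = None
    dport: Optional[range] = None
    vlan: Optional[str] = None
    hours: Optional[range] = None   # schedule; None = always

    def matches(self, p: Packet) -> bool:
        def in_list(addr: str, nets: Sequence[str]) -> bool:
            return not nets or any(ip_address(addr) in ip_network(n) for n in nets)
        return (self.proto in (None, p.proto)
                and in_list(p.src, self.src) and in_list(p.dst, self.dst)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and self.vlan in (None, p.vlan)
                and (self.hours is None or p.hour in self.hours))


Context = Tuple[str, List[Rule]]


def evaluate(contexts: List[Context], p: Packet) -> Tuple[str, str]:
    """Walk the contexts in order; return (verdict, which rules decided)."""
    trail: List[str] = []
    for ctx, rules in contexts:
        for r in rules:
            if not r.matches(p):
                continue
            trail.append("%s:%s" % (ctx, r.name))
            if r.action == "accept-decisively":
                return "accept", " > ".join(trail) + " (decisive, later contexts skipped)"
            if r.action == "drop":
                return "drop", " > ".join(trail)
            if r.action == "reject":
                return ("reject-rst" if p.proto == "tcp" else "drop"), " > ".join(trail)
            break  # plain accept: done with this context, continue with the next
        # no match in this context: default accept, continue with the next
    return "accept", " > ".join(trail) or "default accept"


class Firewall:
    def __init__(self, contexts: List[Context]):
        self.contexts = contexts
        self.flows = set()    # established flows bypass rule processing

    def process(self, p: Packet) -> Tuple[str, str]:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.flows:
            return "accept", "flow table hit"
        if p.proto == "tcp" and not p.tcp_syn:
            return "drop", "strict TCP forwarding: non-SYN with no flow"
        verdict, why = evaluate(self.contexts, p)
        if verdict == "accept":
            self.flows.add(key)   # install the flow; later packets take the fast path
        return verdict, why


# Constructed policy: documentation address ranges, made-up rule names.
POLICY: List[Context] = [
    ("global", [
        Rule("noc-ssh", "accept-decisively", proto="tcp", src=["192.0.2.0/24"], dport=range(22, 23)),
        Rule("bogons", "drop", src=["10.0.0.0/8"]),
    ]),
    ("route-domain-0", [Rule("no-telnet", "reject", dport=range(23, 24))]),
    ("vs-web", [
        Rule("after-hours", "drop", hours=range(0, 6)),
        Rule("web", "accept", proto="tcp", dport=range(80, 81)),
    ]),
]

if __name__ == "__main__":
    fw = Firewall(POLICY)
    for pkt in (Packet("tcp", "192.0.2.5", 40000, "198.51.100.10", 22),
                Packet("udp", "203.0.113.9", 40002, "198.51.100.10", 23),
                Packet("tcp", "203.0.113.9", 40004, "198.51.100.10", 80)):
        print(pkt.proto, pkt.src, "->", pkt.dport, fw.process(pkt))
```

Two things worth noticing when you run it: the decisive SSH rule in the global context means a later, more specific rule on the virtual server can never veto it, so "accept decisively" is a privilege to hand out sparingly; and the flow-table fast path means a rule change does not touch flows that are already established, which is why clearing connections after a policy change is part of a real AFM rollout.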


AFM: Visibility in the NOC

- F5 reporting to key SIEM partners: Splunk, Q1 (Q1 Labs), ArcSight
- Start with high-level, application-centric views and drill down to more details
- At-a-glance visibility and intelligence for the Application Delivery Firewall's (ADF) context-aware security


DDoS Mitigation

Attack categories by OSI layer (difficulty of attack detection increases as you move up the stack) and the F5 mitigation technologies for each:

Network attacks (Physical, Data Link, Network, Transport): SYN flood, connection flood, UDP flood, PUSH and ACK floods, Teardrop, ICMP floods, ping floods and Smurf attacks.
  Mitigated by BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

Session attacks (Session, Presentation): DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation.
  Mitigated by BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.

Application attacks (Application): OWASP Top 10 (injection, XSS), Slowloris, Slow POST, HashDoS, GET floods.
  Mitigated by BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy, server performance anomaly detection.


ASM: Automatic HTTP/S DoS Attack Detection and Protection

- Accurate detection technique based on latency (a rise in server response time, not request rate alone).
- Three different mitigation techniques, escalated serially.
- Focus on higher-value work while the automatic controls intervene.

Workflow shown: detect a DoS condition, identify potential attackers, drop only the attackers.
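The three-step workflow above (detect a DoS condition from latency, identify the sources responsible, mitigate only those) as an added example in Python; this is not ASM's code and the slide does not name ASM's three mitigation techniques, so the escalation order used here (per-source rate limit, then per-URL, then site-wide) is an assumption for illustration, as are the log format, window sizes and thresholds. The request log is constructed inline: fifteen seconds of normal traffic followed by fifteen seconds in which one source hammers an expensive URL and everyone's latency climbs.

```python
# Added example (not from the deck): latency-based L7 DoS detection over a
# constructed request log, with serial escalation of the mitigation. The log
# format ("ts src url latency_ms"), thresholds, windows and the escalation
# order are assumptions for the example, not ASM's actual defaults.
from collections import Counter, namedtuple
from statistics import mean
from typing import List, Tuple

Req = namedtuple("Req", "ts src url latency_ms")

LEGIT = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]   # constructed sources


def constructed_log() -> str:
    """Constructed sample: 15 s of normal traffic (~50 ms), then 15 s in which
    198.51.100.7 sends four expensive /search requests a second and the
    legitimate users' latency climbs as the servers saturate."""
    lines = []
    for t in range(15):
        lines.append("%d %s /index.html %d" % (t, LEGIT[t % 3], 45 + (t % 3) * 5))
    for t in range(15, 30):
        lines.append("%d %s /index.html %d" % (t, LEGIT[t % 3], 400 + t * 10))
        for k in range(4):
            lines.append("%d 198.51.100.7 /search %d" % (t, 700 + k * 50))
    return "\n".join(lines)


def parse_log(text: str) -> List[Req]:
    out = []
    for line in text.splitlines():
        ts, src, url, lat = line.split()
        out.append(Req(int(ts), src, url, int(lat)))
    return out


def window(records: List[Req], start: int, end: int) -> List[Req]:
    return [r for r in records if start <= r.ts < end]


def detect_dos(records: List[Req], baseline=(0, 15), current=(15, 30),
               ratio: float = 3.0, min_ms: int = 200) -> Tuple[bool, float, float]:
    """DoS condition = mean latency in the current window is above an absolute
    floor AND a multiple of the learned baseline; a TPS spike on its own (a
    flash crowd the servers are coping with) does not trip this."""
    base = mean(r.latency_ms for r in window(records, *baseline))
    cur = mean(r.latency_ms for r in window(records, *current))
    return (cur >= min_ms and cur >= ratio * base), base, cur


def pick_mitigation(records: List[Req], current=(15, 30),
                    share: float = 0.5) -> Tuple[str, List[str]]:
    """Escalate serially: rate-limit source IPs that dominate the window so
    legitimate users are untouched; if no single source stands out, fall back
    to the hot URL; only then to a site-wide limit."""
    rs = window(records, *current)
    total = len(rs)
    by_src = Counter(r.src for r in rs)
    bad_ips = sorted(ip for ip, n in by_src.items() if n / total >= share)
    if bad_ips:
        return "source-ip", bad_ips
    by_url = Counter(r.url for r in rs)
    hot = sorted(u for u, n in by_url.items() if n / total >= share)
    if hot:
        return "url", hot
    return "global", []


if __name__ == "__main__":
    recs = parse_log(constructed_log())
    print(detect_dos(recs), pick_mitigation(recs))
```

The per-source step is what "drop only the attackers" means in practice: the legitimate sources in the attack window are also slow, so a purely latency- or URL-keyed response would throttle them too. A distributed attack where no single source crosses the share threshold is exactly the case that forces the escalation to the URL-based and then global limits.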


DDoS protection reference architecture

Diagram: traffic from legitimate users, DDoS attackers, scanners, anonymous proxies, anonymous requests and botnet attackers arrives over ISPa/b (a multiple-ISP strategy) with a cloud scrubbing service upstream. Threat feed intelligence feeds both tiers. A Next-Generation Firewall and an IPS are also shown.

Tier 1 (Network and DNS) handles network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning).

Tier 2 (Application) handles SSL attacks (SSL renegotiation, SSL flood) and HTTP attacks (Slowloris, slow POST, recursive POST/GET).


Tier 1 key features

The first tier is at the perimeter: layer 3 and 4 network firewall services, simple load balancing to the second tier, and an IP reputation database. It mitigates volumetric and DNS attacks.


Tier 2 key features

The second tier is for application-aware, CPU-intensive defense mechanisms: SSL termination and the web application firewall. It mitigates asymmetric and SSL-based DDoS attacks.


DDoS Protection at the Interop NOC

Diagram: customers and partners reach the NOC over two upstreams, ISPa and ISPb. A DDoS attack arriving on either is first handled by the ISP-provided volumetric DDoS service. Behind that, a single BIG-IP platform protects L3-7 and DNS with network firewall services + DNS services + web application firewall services + compliance control, using these modules:

- BIG-IP Advanced Firewall Manager
- BIG-IP Local Traffic Manager
- BIG-IP Global Traffic Manager
- BIG-IP Access Policy Manager
- BIG-IP Application Security Manager


ASM: Comprehensive Protections

BIG-IP ASM extends protection beyond application vulnerabilities to:
- L7 DDoS
- Web scraping
- Web bot identification
- XML filtering, validation and mitigation (XML firewall)
- ICAP anti-virus integration
- Geolocation blocking


ASM: Four Ways to Build a Policy

1. Dynamic Policy Builder: automatic, no knowledge of the application required, adjusts the policy if the application changes.
2. Manual: advanced configuration for custom policies.
3. Integration with application scanners: virtual patching with continuous application scanning.
4. Pre-built policies: out-of-the-box, pre-configured policies for mission-critical applications, including Microsoft applications and PeopleSoft.

In each case the diagram shows the security policy being checked first and then applied.


BIG-IP Access Policy Manager: Secure Identity and Access Management

- Provides unified global access to your applications
- Simplified and consolidated management of your application security policies
- Single Sign-On (SSO) across multiple domains and authentication types
- Simplified access for virtual application environments: Citrix XenApp/XenDesktop, VMware Horizon View
- Unifies security, access control and application delivery
- Advanced Visual Policy Editor
- SSL application or VPN tunnels for the full range of user access
- Secure Web Gateway with URL filtering and real-time intelligence
- Advanced reporting to Splunk, syslog, ArcSight, etc.


BIG-IP Access Policy Manager (cont.)

- Client-side and server-side endpoint checking (antivirus, firewall, OS version, etc.)
- Multiple AAA server support: RADIUS, Active Directory, LDAP, RSA SecurID, Oracle, SAML, HTTP, LocalDB, TACACS+, CRLDP, OCSP, and more
- Easy L4 and L7 ACL management


BIG-IP Access Policy Manager at Interop

- At Interop we provide NOC sponsors IPv4 and IPv6 VPN access to the NOC network services.
- NOC users can VPN securely into their applications and devices locally or in our other Interop datacenters.
- Logging and access information is sent to the ScienceLogic, PathSolutions and Splunk servers.

Sites shown: Denver Colo, Sunnyvale Colo, Las Vegas NOC


Additional Resources

F5 Networks Website: http://www.f5.com/
F5 Networks Support Site: http://support.f5.com/
F5 Networks INTEROP Show Site: http://f5.enet.interop.net/
Chromium Project SPDY: http://www.chromium.org/spdy
F5 DDoS Recommended Practices: http://f5.enet.interop.net/interop/F5%20DDoS%20Recommended%20Practices.pdf