Paul Deakin, Federal Field Systems Engineer: APPLICATION SECURITY TECH TALK (presentation transcript)

Slide 1: Title slide. Paul Deakin, Federal Field Systems Engineer. APPLICATION SECURITY TECH TALK

Slide 2 (© F5 Networks, Inc.): Welcome!
- Overview
- Introduction
- What does F5 have to do with Security?

Slide 3: Audience participation is ENCOURAGED! Ask questions, I'll do my best to answer them.

Slide 4: What's Our Motivation?

Slide 5: (image slide, no transcript text)

Slide 6: What is a Web Application vulnerability? "A vulnerability is a weakness or hole in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application." - owasp.org

Slide 7: OWASP Top 10
- Injection
- Cross Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross Site Request Forgery
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure To Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
Application Layer Attacks

Slide 8: Web Application Security Concepts. The term "vulnerability" is often used too loosely and should be distinguished from:
- Threats: worms, viruses, bots, trojans, sniffers, key loggers, back doors
- Attacks: SQL Injection, XSS, CSRF, DOS, Command Injection
- Counter-measures: detect, deter, deny. Authentication, access control, session management, input validation, error handling, logging, cryptography

Slide 9: HOW F5 CAN HELP YOU

Slide 10: Want to go deeper?

Slide 11: HOW F5 CAN HELP YOU
- OWASP Top 10 compliant.
- Integration with vulnerability assessment vendors: WhiteHat and Cenzic enable custom ASM policies based on findings.
- Both signature and non-signature (zero day) based security. WhiteHat Sentinel integrated for further signature based protection.
- Support for positive (whitelist) and negative (blacklist) security models.
- A/V scan capable via integrated ICAP client for file uploads.
- Learning mode allows transparent observation of the Web App to distinguish actual violations from false positives.

Slide 12: HOW F5 CAN HELP YOU
- PCI compliant (with integrated checklist).
- ASM DataGuard blocks SS/CC numbers and features custom pattern matching.
- Enforces limits: URL/URI lengths, message length, query-string length, character set.
- Polices fields for inputs and output, both legal and illegal.
- ASM eliminates the need for expensive re-coding of the Web App to patch urgent vulnerabilities.
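An added illustration of the response-scrubbing idea behind DataGuard on slide 12 (this is example code, not F5's implementation): mask Social Security and credit-card numbers in a response body before it reaches the client, with a Luhn check so that look-alike digit strings such as tracking numbers are not falsely masked. The sample body and the two patterns are constructed assumptions for the example.

```python
import re

# Constructed sample response body (not from the slides): contains the well-known
# 4111... Visa test number, the Woolworth sample SSN, and a 16-digit tracking number.
SAMPLE_BODY = ("Order paid with 4111 1111 1111 1111 shipped; SSN 078-05-1120 "
               "on file; tracking 1234 5678 9012 3456.")

# Assumed patterns: US SSN with valid area/group/serial ranges, and a 13-19 digit
# run with optional single space or dash separators (candidate card number).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CC_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrub(body):
    """Return (masked_body, findings); each finding is a (kind, last4) tuple."""
    findings = []

    def mask_ssn(m):
        findings.append(("ssn", m.group(0)[-4:]))
        return "***-**-" + m.group(0)[-4:]

    def mask_cc(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):          # fails Luhn: a tracking number, not a card
            return m.group(0)
        findings.append(("cc", digits[-4:]))
        return "*" * (len(m.group(0)) - 4) + m.group(0)[-4:]

    body = SSN_RE.sub(mask_ssn, body)
    body = CC_RE.sub(mask_cc, body)
    return body, findings


if __name__ == "__main__":
    masked, found = scrub(SAMPLE_BODY)
    print(masked)
    print(found)
```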

Slide 13: (image slide, no transcript text)

Slide 14: Have you been hacked? Tell me about it…
- What does "hacked" mean to you?
- The best security analysis teams in the world often find inconclusively.
- Real-time monitoring is paramount.
- Real-time alerting is critical.

Slide 15: HOW F5 CAN HELP YOU. Logging

Slide 16: HOW F5 CAN HELP YOU. SNMP alerting, email alerting

Slide 17: So where do we sit in the network?

Slide 18: (image slide, no transcript text)

Slide 19: DDOS: Are you ready? Tell me about it…
- Denial of Service attacks ARE NOT always malicious.
- Traditionally DOS attacks have taken place at L3/L4.
- L7 DOS attacks are much harder to identify.

Slide 20: DDOS: Are you ready?
- Must be careful mitigating L7 DOS attacks by source IP alone.
- To properly mitigate L7 DOS attacks, inspect either the request frequency rate or the server response time, and take a close look at latency.
- As many DOS attacks are scripted, a small amount of code (JavaScript) can be injected into the server response via BIG-IP ASM.

Slide 21: DDOS: Are you ready?
- Can protect the back-end Web App by throttling requests per second (RPS) to an object or number.
- Can set criteria for response latency and TPS.
- The key is combining multiple L7 DOS prevention methods.
- The reporting page for the DOS engine will provide the values detected.
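The combined check described on slides 20 and 21 (request rate per object plus server latency, rather than source IP alone), as an added example that is not from the slides or from F5's product. The access log lines are constructed, and the thresholds are assumptions; on this data a per-source-IP rate limit flags nothing, while the per-URI rate-plus-latency check flags /search.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed access log (not from the slides): 40 distinct clients each send
    one request per second to /search for 5 s while the backend answers in 900 ms;
    one ordinary client fetches / at 30 ms. Tuples are (ts_ms, ip, uri, latency_ms)."""
    log = []
    for sec in range(5):
        for n in range(40):
            log.append((sec * 1000 + n * 10, f"198.51.100.{n}", "/search", 900))
        log.append((sec * 1000 + 500, "203.0.113.7", "/", 30))
    return log


def peak_rate(times_ms, window_ms=1000):
    """Largest number of events inside any sliding window of window_ms."""
    times_ms = sorted(times_ms)
    best = start = 0
    for end, t in enumerate(times_ms):
        while t - times_ms[start] >= window_ms:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log, rps_limit=20, latency_ms_limit=500, per_ip_rps_limit=10):
    """Decide per object (URI) using request rate AND server latency together,
    and also report what a per-source-IP rate check alone would flag."""
    by_uri, by_ip = defaultdict(list), defaultdict(list)
    for ts, ip, uri, latency_ms in log:
        by_uri[uri].append((ts, latency_ms))
        by_ip[ip].append(ts)
    verdicts = {}
    for uri, events in by_uri.items():
        rps = peak_rate([t for t, _ in events])
        avg_latency = sum(lat for _, lat in events) / len(events)
        verdicts[uri] = {
            "peak_rps": rps,
            "avg_latency_ms": avg_latency,
            "mitigate": rps > rps_limit and avg_latency > latency_ms_limit,
        }
    noisy_ips = [ip for ip, ts in by_ip.items() if peak_rate(ts) > per_ip_rps_limit]
    return verdicts, noisy_ips


if __name__ == "__main__":
    verdicts, noisy_ips = analyze(build_sample_log())
    for uri, v in verdicts.items():
        print(uri, v)
    print("IPs a per-source rate limit alone would catch:", noisy_ips)
```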

Slide 22: HOW F5 CAN HELP YOU
- F5 BIG-IP Local Traffic Manager (LTM): L3/4 DOS prevention.
- F5 BIG-IP Application Security Manager (ASM) provides customizable, multifaceted L7 DOS prevention.
- F5 BIG-IP Global Traffic Manager (GTM) with DNS Express provides DNS DDOS prevention.
- Deploy many GTMs using a single IP address and single namespace to mitigate DNS DDOS attacks using IP Anycast.

Slide 23: A closer look…

Slide 24: (image slide, no transcript text)

Slide 25: HOW F5 CAN HELP YOU
- VDI is still a server based computing (SBC) model susceptible to DOS.
- Multiple VDIs can be placed behind BIG-IP for intrinsic resource cloaking and advanced network access control (e.g., subnet, geo-location).
- Allow remote VDI clients access to VDIs based on context (e.g., AD username/group).
- F5 has partnered with multiple MDM vendors to pair APM network access control with MDM security.

Slide 26: HOW F5 CAN HELP YOU
- Secure FAT clients with APM end-point inspection.
- Windows FAT clients can be placed into "Windows Protected Workspace", restricting USB, CD-ROM, volume, and application access.
- Can secure VMware View Security Server from unauthorized access.
- TLS security to the View client for enhanced security and performance (DTLS UDP transport vs UDP encapsulated into TCP as with SSL).
- Centralized AAA to multiple auth realms for multiple VDIs.
- Support CAC with XenApp as a Citrix AGEE solution.

Slide 27: HOW F5 CAN HELP YOU. APM Visual Policy Editor (VPE)

Slide 28: (image slide, no transcript text)

Slide 29: Do you know your users?
- Enterprises still face numerous challenges with end-point compliance (disparate clients, data leakage, OS patch level).
- End-points are often not updated to the latest personal security signatures (firewall, AV, spyware, etc.).
- Anonymous proxies cloak the true source IP of the client; networks continue to struggle with this.
- Guest/contractor access is difficult to establish without end-point inspection.

Slide 30: HOW F5 CAN HELP YOU
- Inspect the system registry to determine if the client is a corporate asset.
- Grant access based on AD context (username/security group).
- Enforce Windows Protected Workspace for Windows clients; lock down access to USB ports, HDD volumes, optical drives, and applications.
- Extend GPOs to any client (does not have to be a member of an AD domain) with GPAnywhere.
- Allow/deny access based on AV signature version (support for over 100 personal security clients).
- Erase all session related data upon session termination (browser history, forms, cookies, etc.).

Slide 31: HOW F5 CAN HELP YOU
- Enforce CAPTCHA support on logon to mitigate script based brute force attacks.
- SSL VPN soft virtual interface and route table are wiped upon session termination.
- On systems where clean-up controls can't be enforced, block access to all file downloads to avoid temporary internet files being stored or data leakage.
- Combine end-point inspection with ASM and iRules to block access to file types based on extension and to block access to sensitive information such as Social Security Numbers and Credit Card Numbers.

Slide 32: HOW F5 CAN HELP YOU (no further transcript text)

Slide 33: (image slide, no transcript text)

Slide 34: HOW F5 CAN HELP YOU
- Network Access Control (NAC) limits clients to specific subnets.
- Client soft virtual interface and route table entries are wiped upon session termination.
- Support for split tunnel VPN.
- APM Dynamic Webtop provides client context based resource assignments.
- APM AAA provides a central point of authentication (AD, LDAP, RADIUS, SecurID, OAM) and certificate authentication (CAC/PIV, OCSP/CRLDP).
- APM provides advanced Kerberos authentication (KPT, KCD).

Slide 35: THANK YOU

Slide 36: devcentral.f5.com, facebook.com/f5networksinc, linkedin.com/companies/f5-networks, twitter.com/f5networks, youtube.com/f5networksinc

