F5 Unified Security Solutions Ralf Sydekum Technical Manager Central & Eastern Europe

1 F5 Unified Security Solutions Ralf Sydekum Technical Manager Central & Eastern Europe

2 © F5 Networks, Inc. 2 Agenda: Real Security Challenges and Attacks; Data Center Firewall; DoS & DDoS; DNS Security; Web Security; Access Management; Fast Vulnerability Assessment & App. Security

3 The Leader in Application Delivery Networking. Diagram labels: Application Delivery Network; Users; Data Center; SAP, Microsoft, Oracle; At Home, In the Office, On the Road. Business Goal: Achieve These Objectives in the Most Operationally Efficient Manner

4 Statement - SONY Online Entertainment: On April 16th and 17th, 2011….. Personal information from approximately 24.6 million SOE accounts may have been stolen…, Name, , login, hashed password,… As well as certain information from an outdated database from 2007 for customers in EU: Name, bank account number, address,…

5 Sony stock performance: Nov 2010-Nov 2011

6 What happened to WikiLeaks? Several companies stopped the service for WikiLeaks although it is not proven that WikiLeaks violates the existing law. Amazon removed all WikiLeaks content from their servers. EveryDNS switched off the DNS resolution for Several financial institutes locked up donation accounts.

7 Finally… Thousands of internet users unloaded their accumulated anger starting 7th Dec 2010. Web servers of Swiss Postfinance bank were down for several hours. Credit card companies like Mastercard and VISA were not accessible for several hours/day over several days. PayPal's transaction network was slow but not taken down completely.

8 3 Basic Classes of Attack. L7 (HTTP/Web): Slowloris; creates massive concurrent sessions; firewalls quickly overwhelmed; server resources completely consumed. L4: TCP Flood/SYN Flood; targets any TCP aware device. L3: ICMP Flood; ICMP protocol attack; consumes router, firewall and server resources. BIG-IP/ASM stopped attacks! Combination of core TMOS functionality, iRules and ASM (Application Security Manager). Diagram (WikiLeaks DDoS Attack Profile): PCI Compliant Firewall; F5 BIG-IP with ASM Module; Border Router (Internet Connection); Intrusion Prevention Device; attack labels: ICMP flood, TCP Flood, Slowloris.

9 The Three Threat Vectors: Network Attacks, Application Attacks, DDoS Attacks

10 Security Challenges. 30% of network traffic is encrypted, bypassing security controls. Traditional network devices are failing under load… 3 out of 6 major firewalls failed under stability testing, and 5 out of 6 were vulnerable to a common exploit. Security is still expendable… 9 out of 10 IT organizations admit to sacrificing security for performance. Over 90% of IT administrators want… Security Context. Security device sprawl is a challenging problem… IT's biggest security challenge with device sprawl is operational complexity. Blended attacks… are overwhelming conventional security devices at the edge of the data center.

11 Who is the user? What devices are requesting access? When are they allowed to access? Where are they coming from? How did they navigate to the page/site? Context leverages information about the end user to improve the interaction. Who, What, Where, When, How

12 Context-aware technologies will affect $96 billion of annual consumer spending worldwide by By that time, more than 15 percent of all payment card transactions will be validated using context information. -Gartner


14 DNS, WEB, ACCESS, LTM

15 Data Center Firewall

16 Perimeter Firewall with Load Balancer: Today. Overview: Traditional firewall; Standalone load balancer. Limitations: DDoS protection; Connections Scale; Device management; Defense methods. Diagram labels: Internet; Data Center; Perimeter Firewall; Load Balancer

17 Perimeter Firewall with Load Balancer: With BIG-IP. Overview: Consolidated Device; Firewall Service; Application Delivery; Web Application Firewall. Benefits: Application fluency; SSL visibility; DDoS protection 30 + types; Dynamic defense methods; Best price to performance class; OWASP top 10 protection. Diagram labels: Internet; Data Center; Perimeter Firewall; BIG-IP LTM with ASM

18 F5 helps you to mitigate DDoS and flood based attacks: Stateful, Default Deny Behavior; High Concurrent Connection and conn/sec capacity; User Geo-location awareness; SSL (HW accelerated encryption/decryption); IPsec site to site; Packet Filtering; Flood protection mechanisms; Carrier Grade NAT (NAT, NAT64). Diagram labels: Internet Datacenter Network Firewall; Internet; Data Center; External Users; SYN flood protection and many others; High Concurrent Connection capacity; User Geolocation; Security; Router

19 Throughput: Competitor ABC + 4 Blades $124,000; F5 BIG-IP $129,995

20 Connections per Second: Competitor ABC + 4 Blades $124,000; F5 BIG-IP $129,995

21 Maximum Concurrent Connections: Competitor ABC + 4 Blades $124,000; F5 BIG-IP $129,995

22 SSL Drives Platform Architecture. Industry increasingly using larger SSL Keys: 1024 bit Keys; 2048 bit Keys (6x Tougher); 4096 bit Keys (41x Tougher). Increasing CPU Processing Requirements: 100%; 600%; 4100%

23 Denial of Service Distributed Denial of Service

24 Summary. DoS = Denial of service; DDoS = Distributed denial of service. Layer 1: Cut the cable. Layer 4 or Layer 7 DDoS: Thousands of attackers bring down one site. Layer 7 DoS: One attacker is able to bring down one site, e.g. Slowloris, Slow POST

25 Mitigating DoS Attacks. Column headings: Protect Against; Protect With. BIG-IP LTM DoS Protections: Packet Filtering; Syn Cookies (L4 DoS); Dynamic Reaping (L4 DoS); TCP Full Proxy (L4 DoS); Rate shaping (L4->L7 DoS); iRules (e.g. SSL DoS protection). Very High Performance. Very large connection tables.

26 DNS Security Use Case

27 DNS Attacks Are Common

28 DNS is Vulnerable to Attacks. Multiple DNS attacks: DDoS, Cache Poisoning, Man-in-the-middle. Application timeouts (401 errors). Lost customers, lost productivity. Loss of Revenue and Brand Equity. Diagram labels: Clients; LDNS; Data Center; DNS Servers

29 Complete DNS Protection: BIG-IP Global Traffic Manager. High Performance DNS – Multicore GTM; Scalable DNS – DNS Express; Malformed UDP packets are dropped; Spread the load across devices – IP Anycast; Secure DNS Queries – DNSSEC; Route based on nearest Datacenter – Geolocation; Complete DNS control with – DNS iRules. Diagram labels: Clients; LDNS; Data Center; DNS Firewall Services

30 The Value of Complete DNS / Web Solution. Complete DNS control; Secure DNS query responses; Route based on geolocation; Denial of Service mitigation; Access Denied: Scalable 10x, 70%; Support client requests and consolidates IT; IPv6 to IPv4

31 Web Security Services

32 Security Vulnerabilities in Web-Applications. Perimeter Security Is Strong But Is Open to Web Traffic (PORT 80, PORT 443). Attacks Now Look To Exploit Application Vulnerabilities: Forceful Browsing; Cross-Site Scripting; Cookie Poisoning; SQL/OS Injection; Hidden-Field Manipulation; Parameter Tampering; Buffer Overflow; Brute force attacks; Layer 7 DoS; Webscraping; CSRF; Viruses. High Information Density = High Value Attack. Callouts: Infrastructural Intelligence; Non-compliant Information; Forced Access to Information

33 Deploy ASM Policies without false positives. Predefined Policy Templates: Pre-configured security policies. Learning mode: Automatic or manual. Web Application Scanner integration: IBM Rational AppScan; QualysGuard Web App. Scanning; Cenzic Hailstorm; WhiteHat Sentinel. Gradual deployment: Transparent / semi-transparent / full blocking

34 Mitigate Vulnerabilities Now. Diagram labels: Customer Website; Web Application Scanner; Finds a vulnerability; Virtual-patching with one-click on BIG-IP ASM; BIG-IP Application Security Manager. Verify, assess, resolve and retest in one UI; Automatic or manual creation of policies; Discovery and remediation in minutes. Vulnerability checking, detection and remediation; Complete website protection

35 Free Cenzic Cloud Scans with ASM in v11.2: Find Vulnerabilities and Reduce Exposure. free application scans directly from ASM/VE UI; No time limits once signed up; Free scans are limited health check services. F5 Free Cenzic Cloud scan tests for: 1. Cross-Site Scripting; 2. Application Exception; 3. SQL Injection; 4. Open Redirect; 5. Password Auto-Complete; 6. Credit Card Disclosure; 7. Non-SSL Password; 8. Check HTTP Methods; 9. Basic Auth over HTTP; 10. Directory Browsing

36 IP Intelligence: Identify and allow or block IP addresses with malicious activity. Use IP intelligence to defend attacks; Reduce operation and capital expenses; IP address feed updates every 5 min. Diagram labels: Anonymous Proxies; BIG-IP System; Scanners; Financial Application; IP Intelligence Service; Botnet; Custom Application; Attacker; Anonymous requests; Geolocation database; Internally infected devices and servers

37 IP Intelligence: How it works. Fast IP update of malicious activity; Global sensors capture IP behaviors; Threat correlation reviews/blocks/releases. Key Threats: Web Attacks; Reputation; Windows Exploits; Botnets; Scanners; Network Attacks; DNS. Sensor Techniques: Semi-open Proxy Farms; Exploit Honeypots; Naïve User Simulation; Web App Honeypots; Third-party Sources. Diagram labels: Internet; BIG-IP System; Dynamic Threat IPs every 5min.; IP Intelligence Service; Threat Correlation

38 Graphical Reporting: Detailed chart path of threats in ASM

39 Web Access Management

40 BIG-IP Access Policy Manager: Manage Access Based on Identity. Unify Access Control; Authentication and Authorization; Single Sign On; Powerful Custom and Built-in Reporting; Access and Application Analytics. Context = Access Control

41 Enable Simplified Application Access With BIG-IP Access Policy Manager (APM)

42 Control Access of Endpoints (BIG-IP APM). Ensure strong endpoint security. Allow, deny, or remediate users based on endpoint attributes such as: Client or machine certificates; Antivirus software version and updates; Software firewall status; Access to specific applications. Invoke protected workspace for unmanaged devices: Restrict USB access; Cache cleaner leaves no trace; Ensure no malware enters corporate network

43 Authentication All in One and Fast SSO. F5 BIG-IP Access Policy Manager. Dramatically reduce infrastructure costs; increase productivity

44 App Security with BIG-IP ASM and APM. ASM allows legitimate requests; ASM stops bad requests / responses. APM offers authentication and authorization; APM stops unauthorized requests. Reduces the attack vector because only authenticated, authorized and legal requests are permitted to the relevant application servers. Callouts: Non-compliant Information; Illegal requests; Infrastructural Intelligence; Unauthorised Access. Diagram labels: Browser; Applications

45 Summary – F5 Unified Security

46 © 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS, and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries
