Published by Evelin Wingett
Modified over 2 years ago
F5 Unified Security Solutions Ralf Sydekum Technical Manager Central & Eastern Europe
© F5 Networks, Inc. 2 Agenda Real Security Challenges and Attacks Data Center Firewall DoS & DDoS DNS Security Web Security Access Management Fast Vulnerability Assessment & App. Security
© F5 Networks, Inc. 3 Application Delivery Network Users Data Center The Leader in Application Delivery Networking SAP Microsoft Oracle At Home In the Office On the Road Business Goal: Achieve These Objectives in the Most Operationally Efficient Manner
© F5 Networks, Inc. 4 Statement - SONY Online Entertainment On April 16th and 17th, 2011… Personal information from approximately 24.6 million SOE accounts may have been stolen…, Name, , login, hashed password,… As well as certain information from an outdated database from 2007 for customers in the EU: Name, bank account number, address,…
© F5 Networks, Inc. 5 Sony stock performance: Nov 2010-Nov 2011
© F5 Networks, Inc. 6 What happened to WikiLeaks? Several companies stopped the service for WikiLeaks although it is not proven that WikiLeaks violates the existing law. Amazon removed all WikiLeaks content from their servers. EveryDNS switched off the DNS resolution for wikileaks.org. Several financial institutions locked up donation accounts.
© F5 Networks, Inc. 7 Finally… Thousands of internet users unloaded their accumulated anger starting 7th Dec 2010. Web servers of Swiss Postfinance bank were down for several hours. Credit card companies like Mastercard and VISA were not accessible for several hours/day over several days. PayPal's transaction network was slow but not taken down completely.
© F5 Networks, Inc. 8 WikiLeaks DDoS Attack Profile. 3 Basic Classes of Attack. L7 (HTTP/Web): Slowloris; creates massive concurrent sessions; firewalls quickly overwhelmed; server resources completely consumed. L4: TCP Flood/SYN Flood; targets any TCP-aware device. L3: ICMP Flood; ICMP protocol attack; consumes router, firewall and server resources. BIG-IP/ASM stopped attacks! Combination of core TMOS functionality, iRules and ASM (Application Security Manager). Diagram labels: Border Router (Internet Connection), PCI Compliant Firewall, Intrusion Prevention Device, F5 BIG-IP with ASM Module; ICMP flood, TCP Flood, Slowloris.
© F5 Networks, Inc. 9 The Three Threat Vectors Network Attacks Application Attacks DDoS Attacks
© F5 Networks, Inc. 10 of network traffic is encrypted bypassing security controls Traditional network devices are failing under load… 3 out of 6 major firewalls failed under stability testing, and 5 out of 6 were vulnerable to a common exploit. Security is still expendable… 9 out of 10 IT organizations admit to sacrificing security for performance. Over 90% of IT administrators want… Security Context Security device sprawl is a challenging problem… IT's biggest security challenge with device sprawl is operational complexity. 30% Blended attacks… are overwhelming conventional security devices at the edge of the data center. Security Challenges
© F5 Networks, Inc. 11 Who is the user? What devices are requesting access? When are they allowed to access? Where are they coming from? How did they navigate to the page/site? Context leverages information about the end user to improve the interaction Who What Where When How
© F5 Networks, Inc. 12 Context-aware technologies will affect $96 billion of annual consumer spending worldwide by By that time, more than 15 percent of all payment card transactions will be validated using context information. -Gartner
© F5 Networks, Inc. 13 Unified Security Architecture Traditional Approach LOAD BALANCER FIREWALL WEB APP FIREWALL DNS SECURITY ACCESS MANAGEMENT AND REMOTE ACCESS DDoS PROTECTION
© F5 Networks, Inc. 14 DNS WEB ACCESS LTM
Data Center Firewall
© F5 Networks, Inc. 16 Internet Data Center Perimeter Firewall Perimeter Firewall with Load Balancer Today Load Balancer Overview Traditional firewall Standalone load balancer Limitations DDoS protection Connections Scale Device management Defense methods
© F5 Networks, Inc. 17 Internet Data Center Perimeter Firewall Perimeter Firewall with Load Balancer With BIG-IP BIG-IP LTM with ASM Overview Consolidated Device Firewall Service Application Delivery Web Application Firewall Benefits Application fluency SSL visibility DDoS protection 30 + types Dynamic defense methods Best price to performance class OWASP top 10 protection
© F5 Networks, Inc. 18 F5 helps you to mitigate DDoS and flood based attacks Stateful, Default Deny Behavior High Concurrent Connection and conn/sec capacity User Geo-location awareness SSL (HW accelerated encryption/decryption) IPsec site to site Packet Filtering Flood protection mechanisms Carrier Grade NAT (NAT, NAT64) Internet Datacenter Network Firewall Internet Data Center F5.com owa.f5.com DevCentral.F5.com websupport.f5.com ihealth.f5.com downloads.F5.com Internet External Users SYN flood protection and many others High Concurrent Connection capacity User Geolocation Security Router
© F5 Networks, Inc. 19 Throughput Competitor ABC + 4 Blades $124,000 F5 BIG-IP $129,995
© F5 Networks, Inc. 20 Connections per Second Competitor ABC + 4 Blades $124,000 F5 BIG-IP $129,995
© F5 Networks, Inc. 21 Maximum Concurrent Connections Competitor ABC + 4 Blades $124,000 F5 BIG-IP $129,995
© F5 Networks, Inc. 22 SSL Drives Platform Architecture. Industry increasingly using larger SSL keys: 1024 bit Keys, 2048 bit Keys, 4096 bit Keys; 6x Tougher, 41x Tougher. Increasing CPU Processing Requirements: 100%, 600%, 4100%.
Denial of Service Distributed Denial of Service
© F5 Networks, Inc. 24 DoS = Denial of service DDoS = Distributed denial of service Layer 1 Cut the cable Layer 4 - or Layer 7 DDoS Thousands of attackers bring down one site Layer 7 DoS One attacker is able to bring down one site e.g. Slowloris, Slow POST Summary
© F5 Networks, Inc. 25 Protect Against: BIG-IP LTM DoS Protections Packet Filtering Syn Cookies (L4 DoS) Dynamic Reaping (L4 DoS) TCP Full Proxy (L4 DoS) Rate shaping (L4->L7 DoS) iRules (e.g. SSL DoS protection) Very High Performance Very large connection tables Protect With: Mitigating DoS Attacks
DNS Security Use Case
© F5 Networks, Inc. 27 DNS Attacks Are Common
© F5 Networks, Inc. 28 DNS is Vulnerable to Attacks Multiple DNS attacks: DDoS, Cache Poisoning, Man-in-the-middle Application timeouts (401 errors) Lost customers, lost productivity Loss of Revenue and Brand Equity Clients LDNS Data Center DNS Servers
© F5 Networks, Inc. 29 Complete DNS Protection. High Performance DNS – Multicore GTM; Scalable DNS – DNS Express; Malformed UDP packets are dropped; Spread the load across devices – IP Anycast; Secure DNS Queries – DNSSEC; Route based on nearest Datacenter – Geolocation; Complete DNS control with DNS iRules. Diagram labels: Clients, LDNS, BIG-IP Global Traffic Manager, DNS Firewall Services, Data Center, company.com.
© F5 Networks, Inc. 30 Complete DNS control Secure DNS query responses Route based on geolocation Denial of Service mitigation Access Denied: Scalable 10x, 70% Support client requests and consolidates IT IPv6 to IPv4 The Value of Complete DNS / Web Solution
Web Security Services
© F5 Networks, Inc. 32 Security Vulnerabilities in Web-Applications PORT 80 PORT 443 Attacks Now Look To Exploit Application Vulnerabilities Perimeter Security Is Strong Forceful Browsing Cross-Site Scripting Cookie Poisoning SQL/OS Injection Hidden-Field Manipulation Parameter Tampering Buffer Overflow Brute force attacks Layer 7 DoS Web scraping CSRF Viruses ! Infrastructural Intelligence ! Non-compliant Information High Information Density = High Value Attack ! Forced Access to Information But Is Open to Web Traffic
© F5 Networks, Inc. 33 Deploy ASM Policies without false positives Predefined Policy Templates Pre-configured security policies Learning mode Automatic or manual Web Application Scanner integration IBM Rational AppScan QualysGuard Web App. Scanning Cenzic Hailstorm WhiteHat Sentinel Gradual deployment Transparent / semi-transparent / full blocking
© F5 Networks, Inc. 34 Customer Website Mitigate Vulnerabilities Now Finds a vulnerability Virtual-patching with one-click on BIG-IP ASM BIG-IP Application Security Manager Verify, assess, resolve and retest in one UI Automatic or manual creation of policies Discovery and remediation in minutes Vulnerability checking, detection and remediation Complete website protection Web Application Scanner
© F5 Networks, Inc free application scans directly from ASM/VE UI No time limits once signed up Free scans are limited health check services F5 Free Cenzic Cloud scan tests for: Free Cenzic Cloud Scans with ASM in v11.2 Find Vulnerabilities and Reduce Exposure 1. Cross-Site Scripting 2. Application Exception 3. SQL Injection 4. Open Redirect 5. Password Auto-Complete 6. Credit Card Disclosure 7. Non-SSL Password 8. Check HTTP Methods 9. Basic Auth over HTTP 10. Directory Browsing
© F5 Networks, Inc. 36 IP Intelligence Identify and allow or block IP addresses with malicious activity Use IP intelligence to defend attacks Reduce operation and capital expenses IP address feed updates every 5 min Anonymous Proxies ? BIG-IP System Scanners Financial Application IP Intelligence Service Botnet Custom Application Attacker Anonymous requests Geolocation database Internally infected devices and servers
© F5 Networks, Inc. 37 Fast IP update of malicious activity Global sensors capture IP behaviors Threat correlation reviews/ blocks/ releases IP Intelligence How it works Internet Web Attacks Reputation Windows Exploits Botnets Scanners Network Attacks DNS Semi-open Proxy Farms Exploit Honeypots Naïve User Simulation Web App Honeypots Third-party Sources Key Threats Sensor Techniques BIG-IP System Dynamic Threat IPs every 5min. IP Intelligence IP Intelligence Service Threat Correlation
© F5 Networks, Inc. 38 Graphical Reporting Detailed chart path of threats in ASM
Web Access Management
© F5 Networks, Inc. 40 Unify Access Control Authentication and Authorization Single Sign On Powerful Custom and Built-in Reporting Access and Application Analytics Context = Access Control BIG-IP Access Policy Manager Manage Access Based on Identity
© F5 Networks, Inc. 41 Enable Simplified Application Access With BIG-IP Access Policy Manager (APM)
© F5 Networks, Inc. 42 Control Access of Endpoints Ensure strong endpoint security Client or machine certificates Antivirus software version and updates Software firewall status Access to specific applications Restrict USB access Cache cleaner leaves no trace Ensure no malware enters corporate network Allow, deny, or remediate users based on endpoint attributes such as: Invoke protected workspace for unmanaged devices: BIG-IP APM
© F5 Networks, Inc. 43 Authentication All in One and Fast SSO F5 BIG-IP Access Policy Manager Dramatically reduce infrastructure costs; increase productivity
© F5 Networks, Inc. 44 ! Non-compliant Information App Security with BIG-IP ASM and APM ! Illegal requests ! Infrastructural Intelligence ASM allows legitimate requests APM offers authentication and authorization ASM stops bad requests / responses ! Unauthorised Access Reduces the attack vector because only authenticated, authorized and legal requests are permitted to the relevant application servers APM stops unauthorized requests Browser Applications
© F5 Networks, Inc. 45 Summary – F5 Unified Security
© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS, and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries