Published by Evelin Wingett
Modified over 2 years ago
F5 Unified Security Solutions Ralf Sydekum Technical Manager Central & Eastern Europe
© F5 Networks, Inc. 2 Agenda Real Security Challenges and Attacks Data Center Firewall DoS & DDoS DNS Security Web Security Access Management Fast Vulnerability Assessment & App. Security
Application Delivery Network Users Data Center The Leader in Application Delivery Networking SAP Microsoft Oracle At Home In the Office On the Road Business Goal: Achieve These Objectives in the Most Operationally Efficient Manner
Statement - SONY Online Entertainment On April 16th and 17th, 2011….. Personal information from approximately 24.6 million SOE accounts may have been stolen…, Name, , login, hashed password,… As well as certain information from an outdated database from 2007 for customers in the EU: Name, bank account number, address,…
Sony stock performance: Nov 2010-Nov 2011
What happened to WikiLeaks? Several companies stopped the service for WikiLeaks although it is not proven that WikiLeaks violates the existing law. Amazon removed all WikiLeaks content from their servers. EveryDNS switched off the DNS resolution for wikileaks.org. Several financial institutes locked up donation accounts.
Finally… Thousands of internet users unloaded their accumulated anger starting 7th Dec 2010. Web servers of Swiss Postfinance bank were down for several hours. Credit card companies like Mastercard and VISA were not accessible for several hours/day over several days. PayPal's transaction network was slow but not taken down completely.
WikiLeaks DDoS Attack Profile: 3 Basic Classes of Attack. L7 (HTTP/Web): Slowloris. Creates massive concurrent sessions; firewalls quickly overwhelmed; server resources completely consumed. L4: TCP Flood/SYN Flood. Targets any TCP-aware device. L3: ICMP Flood. ICMP protocol attack; consumes router, firewall and server resources. BIG-IP/ASM stopped attacks! Combination of core TMOS functionality, iRules and ASM (Application Security Manager). Diagram labels: PCI Compliant Firewall, F5 BIG-IP with ASM Module, Border Router (Internet Connection), Intrusion Prevention Device, ICMP flood, TCP Flood, Slowloris
The Three Threat Vectors Network Attacks Application Attacks DDoS Attacks
of network traffic is encrypted bypassing security controls Traditional network devices are failing under load… 3 out of 6 major firewalls failed under stability testing, and 5 out of 6 were vulnerable to a common exploit. Security is still expendable… 9 out of 10 IT organizations admit to sacrificing security for performance. Over 90% of IT administrators want… Security Context Security device sprawl is a challenging problem… IT's biggest security challenge with device sprawl is operational complexity. 30% Blended attacks… are overwhelming conventional security devices at the edge of the data center. Security Challenges
Who is the user? What devices are requesting access? When are they allowed to access? Where are they coming from? How did they navigate to the page/site? Context leverages information about the end user to improve the interaction Who What Where When How
Context-aware technologies will affect $96 billion of annual consumer spending worldwide by By that time, more than 15 percent of all payment card transactions will be validated using context information. -Gartner
Unified Security Architecture Traditional Approach LOAD BALANCER FIREWALL WEB APP FIREWALL DNS SECURITY ACCESS MANAGEMENT AND REMOTE ACCESS DDoS PROTECTION
DNS WEB ACCESS LTM
Data Center Firewall
Internet Data Center Perimeter Firewall Perimeter Firewall with Load Balancer Today Load Balancer Overview Traditional firewall Standalone load balancer Limitations DDoS protection Connections Scale Device management Defense methods
Internet Data Center Perimeter Firewall Perimeter Firewall with Load Balancer With BIG-IP BIG-IP LTM with ASM Overview Consolidated Device Firewall Service Application Delivery Web Application Firewall Benefits Application fluency SSL visibility DDoS protection 30+ types Dynamic defense methods Best price to performance class OWASP top 10 protection
F5 helps you to mitigate DDoS and flood based attacks Stateful, Default Deny Behavior High Concurrent Connection and conn/sec capacity User Geo-location awareness SSL (HW accelerated encryption/decryption) IPsec site to site Packet Filtering Flood protection mechanisms Carrier Grade NAT (NAT, NAT64) Internet Datacenter Network Firewall Internet Data Center F5.com owa.f5.com DevCentral.F5.com websupport.f5.com ihealth.f5.com downloads.F5.com Internet External Users SYN flood protection and many others High Concurrent Connection capacity User Geolocation Security Router
Throughput Competitor ABC + 4 Blades $124,000 F5 BIG-IP $129,995
Connections per Second Competitor ABC + 4 Blades $124,000 F5 BIG-IP $129,995
Maximum Concurrent Connections Competitor ABC + 4 Blades $124,000 F5 BIG-IP $129,995
SSL Drives Platform Architecture Industry increasingly using larger SSL Keys 1024 bit Keys 2048 bit Keys 4096 bit Keys 6x Tougher 41x Tougher Increasing CPU Processing Requirements 100% 600% 4100%
Denial of Service Distributed Denial of Service
Summary: DoS = Denial of service. DDoS = Distributed denial of service. Layer 1: Cut the cable. Layer 4 or Layer 7 DDoS: Thousands of attackers bring down one site. Layer 7 DoS: One attacker is able to bring down one site, e.g. Slowloris, Slow POST
Mitigating DoS Attacks Protect Against: BIG-IP LTM DoS Protections Packet Filtering SYN Cookies (L4 DoS) Dynamic Reaping (L4 DoS) TCP Full Proxy (L4 DoS) Rate shaping (L4->L7 DoS) iRules (e.g. SSL DoS protection) Very High Performance Very large connection tables Protect With:
DNS Security Use Case
DNS Attacks Are Common
DNS is Vulnerable to Attacks Multiple DNS attacks: DDoS, Cache Poisoning, Man-in-the-middle Application timeouts (401 errors) Lost customers, lost productivity Loss of Revenue and Brand Equity Clients LDNS Data Center DNS Servers
Complete DNS Protection: BIG-IP Global Traffic Manager. High Performance DNS – Multicore GTM. Scalable DNS – DNS Express. Malformed UDP packets are dropped. Spread the load across devices – IP Anycast. Secure DNS Queries – DNSSEC. Route based on nearest Datacenter – Geolocation. Complete DNS control with DNS iRules. Diagram labels: Clients, LDNS, Data Center, DNS Firewall Services, company.com
Complete DNS control Secure DNS query responses Route based on geolocation Denial of Service mitigation Access Denied: Scalable 10x, 70% Support client requests and consolidates IT IPv6 to IPv4 The Value of Complete DNS / Web Solution
Web Security Services
Security Vulnerabilities in Web-Applications PORT 80 PORT 443 Attacks Now Look To Exploit Application Vulnerabilities Perimeter Security Is Strong Forceful Browsing Cross-Site Scripting Cookie Poisoning SQL/OS Injection Hidden-Field Manipulation Parameter Tampering Buffer Overflow Brute force attacks Layer 7 DoS Webscraping CSRF Viruses ! Infrastructural Intelligence ! Non-compliant Information High Information Density = High Value Attack ! Forced Access to Information But Is Open to Web Traffic
Deploy ASM Policies without false positives Predefined Policy Templates Pre-configured security policies Learning mode Automatic or manual Web Application Scanner integration IBM Rational AppScan QualysGuard Web App. Scanning Cenzic Hailstorm WhiteHat Sentinel Gradual deployment Transparent / semi-transparent / full blocking
Customer Website Mitigate Vulnerabilities Now Finds a vulnerability Virtual-patching with one-click on BIG-IP ASM BIG-IP Application Security Manager Verify, assess, resolve and retest in one UI Automatic or manual creation of policies Discovery and remediation in minutes Vulnerability checking, detection and remediation Complete website protection Web Application Scanner
Free Cenzic Cloud Scans with ASM in v11.2: Find Vulnerabilities and Reduce Exposure. free application scans directly from ASM/VE UI. No time limits once signed up. Free scans are limited health check services. F5 Free Cenzic Cloud scan tests for: 1. Cross-Site Scripting 2. Application Exception 3. SQL Injection 4. Open Redirect 5. Password Auto-Complete 6. Credit Card Disclosure 7. Non-SSL Password 8. Check HTTP Methods 9. Basic Auth over HTTP 10. Directory Browsing
IP Intelligence Identify and allow or block IP addresses with malicious activity Use IP intelligence to defend attacks Reduce operation and capital expenses IP address feed updates every 5 min Anonymous Proxies ? BIG-IP System Scanners Financial Application IP Intelligence Service Botnet Custom Application Attacker Anonymous requests Geolocation database Internally infected devices and servers
IP Intelligence: How it works. Fast IP update of malicious activity. Global sensors capture IP behaviors. Threat correlation reviews/blocks/releases. Key Threats: Web Attacks, Reputation, Windows Exploits, Botnets, Scanners, Network Attacks, DNS. Sensor Techniques: Semi-open Proxy Farms, Exploit Honeypots, Naïve User Simulation, Web App Honeypots, Third-party Sources. Diagram labels: Internet, BIG-IP System, Dynamic Threat IPs every 5 min., IP Intelligence Service, Threat Correlation
Graphical Reporting Detailed chart path of threats in ASM
Web Access Management
Unify Access Control Authentication and Authorization Single Sign On Powerful Custom and Built-in Reporting Access and Application Analytics Context = Access Control BIG-IP Access Policy Manager Manage Access Based on Identity
Enable Simplified Application Access With BIG-IP Access Policy Manager (APM)
Control Access of Endpoints Ensure strong endpoint security Client or machine certificates Antivirus software version and updates Software firewall status Access to specific applications Restrict USB access Cache cleaner leaves no trace Ensure no malware enters corporate network Allow, deny, or remediate users based on endpoint attributes such as: Invoke protected workspace for unmanaged devices: BIG-IP APM
Authentication All in One and Fast SSO F5 BIG-IP Access Policy Manager Dramatically reduce infrastructure costs; increase productivity
! Non-compliant Information App Security with BIG-IP ASM and APM ! Illegal requests ! Infrastructural Intelligence ASM allows legitimate requests APM offers authentication and authorization ASM Stops bad requests / responses ! Unauthorised Access Reduces the attack vector because only authenticated, authorized and legal requests are permitted to the relevant application servers APM Stops unauthorized requests Browser Applications
Summary – F5 Unified Security
© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS, and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries