Presentation transcript: "F5 Unified Security Solutions"
Slide 1: F5 Unified Security Solutions
Ralf Sydekum, Technical Manager Central & Eastern Europe
Slide 2: Agenda
- Real Security Challenges and Attacks
- Data Center Firewall
- DoS & DDoS
- DNS Security
- Web Security
- Access Management
- Fast Vulnerability Assessment & Application Security
Slide 3: The Leader in Application Delivery Networking
Diagram: users (at home, in the office, on the road) reach data center applications (SAP, Microsoft, Oracle) through the Application Delivery Network.
Business goal: achieve these objectives in the most operationally efficient manner.
Slide 4: Statement by Sony Online Entertainment (http://blog.eu.playstation.com/)
On April 16th and 17th, 2011 ... personal information from approximately 24.6 million SOE accounts may have been stolen ... name, [...], login, hashed password, ... as well as certain information from an outdated database from 2007 for customers in the EU: name, bank account number, address, ...
Slide 5: Sony stock performance, Nov 2010 to Nov 2011
Notes: Why significant?
- By volume, the largest data breach of the year.
- Has kept a permanent drag on Sony's stock.
- SQL injection made it onto the agenda of board rooms worldwide.
- This breach forever shifted the purpose of hacktivism from defacement to data theft. The hackers' intent was not to embarrass a company, but rather to bring it down.
Summary: Hacktivists broke into Sony worldwide, stealing about 100M data records (about 12M unencrypted).
Details: Sony's video game online network was breached, which led to the theft of names, addresses and credit card data.
Slide 6: What happened to WikiLeaks?
Several companies stopped providing service to WikiLeaks, although it was not proven that WikiLeaks had violated existing law:
- Amazon removed all WikiLeaks content from its servers.
- EveryDNS switched off DNS resolution for wikileaks.org.
- Several financial institutions locked up donation accounts.
Slide 7: Finally...
- Thousands of internet users unloaded their accumulated anger, starting 7 December 2010.
- Web servers of the Swiss Postfinance bank were down for several hours.
- Credit card companies such as Mastercard and VISA were not accessible for several hours a day over several days.
- PayPal's transaction network was slow but not taken down completely.
Notes: A botnet in general is a collection of software agents, or robots, that run autonomously and automatically. It consists of a lot of "infected" PCs which can be remotely controlled to do, for example, a distributed denial of service attack or send spam. In this case, the group called Anonymous has been encouraging volunteers to download software called LOIC (Low Orbit Ion Cannon), which lets them centrally control these systems and direct them into a DDoS (distributed denial of service) attack. The point of the attacks is to put pressure on financial companies that recently cut ties with the WikiLeaks website over its planned publication of more than 250,000 U.S. Department of State classified
Slide 8: WikiLeaks DDoS Attack Profile
Three basic classes of attack:
- L7 (HTTP/Web): Slowloris. Creates massive numbers of concurrent sessions; firewalls are quickly overwhelmed; server resources are completely consumed.
- L4: TCP flood / SYN flood. Targets any TCP-aware device.
- L3: ICMP flood. An ICMP protocol attack that consumes router, firewall and server resources.
BIG-IP/ASM stopped the attacks, using a combination of core TMOS functionality, iRules and ASM (Application Security Manager).
Diagram labels: ICMP flood, Slowloris, TCP flood; Border Router (Internet connection) -> Intrusion Prevention Device -> PCI Compliant Firewall -> F5 BIG-IP with ASM Module.
Slide 9: The Three Threat Vectors
- DDoS attacks
- Network attacks
- Application attacks
Slide 10: Security Challenges
- Blended attacks are overwhelming conventional security devices at the edge of the data center.
- 30% of network traffic is encrypted, bypassing security controls.
- Security is still expendable: 9 out of 10 IT organizations admit to sacrificing security for performance.
- Security device sprawl is a challenging problem: IT's biggest security challenge with device sprawl is operational complexity.
- Over 90% of IT administrators want... Security Context.
Notes: The diversity of today's attacks is overwhelming conventional security devices at the edge of the data center.
"...the average organizational cost of a data breach this year increased to $4 million, up 18% from 2009." 2010 Annual Study: Global Cost of a Data Breach Report (PDF), March 8th, 2011.
Unemployment figures from the Bureau of Labor Statistics October report: there are now over 4 million IT workers and the vast majority of them are already employed. Network architects enjoy a 0.2% unemployment rate.
A Ponemon 2011 survey (http://www.checkpoint.com/downloads/whitepapers/ponemon-check-point-march2011.pdf) asked: "Which of the following are the biggest information/network security challenges facing your company?"
- Managing the complexity of security: 33%
- Preventing insider data theft: 21%
- Compliance: 19%
- Preventing data breaches: 12%
- Enforcing security policies: 15%
On traditional firewall failure (https://www.infosecisland.com/blogview/12944-Analysis-Shows-Firewalls-Fail-to-Deliver-as-Promised.html): traditional network devices are failing under load. 3 out of 6 major firewalls failed under stability testing, and 5 out of 6 were vulnerable to a common exploit.
Slide 11: Context leverages information about the end user to improve the interaction
Who, what, where, when, how:
- Who is the user?
- What devices are requesting access?
- When are they allowed to access?
- Where are they coming from?
- How did they navigate to the page/site?
Slide 12: "Context-aware technologies will affect $96 billion of annual consumer spending worldwide by 2015. By that time, more than 15 percent of all payment card transactions will be validated using context information." (Gartner)
Notes (Gartner press release): Gartner Says Context-Aware Technologies Will Affect $96 Billion of Annual Consumer Spending Worldwide by 2015. Analysts Discuss Latest Industry Trends at Gartner Symposium/ITxpo, October 16-20, in Orlando.
Orlando, Fla., October 20, 2011. Context-aware technologies will affect $96 billion of annual consumer spending worldwide by 2015, according to Gartner, Inc. By that time, more than 15 percent of all payment card transactions will be validated using context information. Gartner analysts discussed the growing importance of context-aware computing at Gartner Symposium/ITxpo, being held here through Thursday.
"Context-aware computing is the method by which new experiences are constructed that blend information from mobile, social, digital and physical world sources," said William Clark, research vice president at Gartner. "The disruptions caused by context-aware computing will include major user, technology and business shifts, including the use of model-driven security in fraud detection and prevention, convergence in television, game, Web and mobile advertising, and new styles of application programming. The advanced use of personal information in customizing user experiences will result in the interest of governments in regulating contextual information access and control."
Gartner estimates that by 2015, 40 percent of the world's smartphone users will opt in to context service providers that track their activities. Given the overall smartphone base, this equates to about 720 million people, or about 10 percent of the global population.
Payment card issuers and retailers currently hold important transactional information per person, and social platforms such as Facebook can provide some influence, but the ubiquity of the devices and the convenience of context-enriched services mean that although those providers are sources of context, they cannot deliver "the last contextual moment of choice." However, by 2015, smartphone adoption of iOS, Android, Windows Phone and other smartphone platforms will stand at more than 1.8 billion people. This collection of vendors already possesses vast amounts of information about digital habits, and by 2015, the intent of users will be combined with further enhancements of both indoor and outdoor 3D mapping databases. This will mean that context providers will be able to use location as a foundation to allow them to redefine how consumers search for and pay for products and services. This will present a new set of opportunities, and a change in the positioning of financial service providers, consumer packaged goods companies and retailers.
"Enterprises can leverage context-aware computing to better target and deliver on the promise of increased customer intimacy for millions of consumers," Mr. Clark said. "For CIOs, the timing of investment in context-aware computing will be critical. Organizations that do not prepare for thoughtful information sharing — balancing usage, privacy and business models of consumers, context providers, and the enterprises themselves, will be at a severe disadvantage. Organizations will need to coordinate in how context-enriched services will change their physical store, e-commerce and mobile-user experiences. Investing too heavily, too early will squander IT, marketing and operational resources."
Transportation, utilities, energy and healthcare firms stand to gain considerable efficiency from context-aware computing, with notable use cases and case studies emanating from location and presence-enhanced apps.
"There is little doubt that context will be a defining principle of mobile business for the next decade, especially advertising and marketing," said Mr. Clark. "Context also will be a key criterion for the selection of partners and many mobile business systems will exploit contextual cloud services hosted by others, emerging as a major commercial battleground with powerful vendors, such as Nokia, Microsoft, Baidu, Amazon, Google and Apple, striving to own the consumer's context."
Slide 13: Unified Security Architecture
Diagram: the traditional approach (separate DDoS protection, firewall, web application firewall, load balancer, DNS security, and access management and remote access devices) versus the unified security architecture.
Current traditional firewalls:
- Lack of performance and scale
- Inability to respond to changing threats
- Failure to extend new services
- Complexity and cost of multiple vendors
Notes: Fast: market share in the intelligent ADC market. Today the focus is on secure.
Traditional protection methods attempt to piece together many individual point products such as static firewalls, DDoS appliances, DNS appliances, web application firewalls, and application delivery controllers. This approach increases complexity and latency, and adds more points of failure. Worse, it fails to integrate information from different attack vectors and fails to unify the response. Additionally, traditional approaches have no way of evolving as the attacks themselves evolve.
The high performance internet firewall builds on the F5 vision of the "dynamic data center" by acting as a strategic point of control for security enforcement from the network to the application layer (http://devcentral.f5.com/weblogs/macvittie/archive/2010/06/17/what-is-a-strategic-point-of-control-anyway.aspx). Architecting F5 control points throughout the data center, for access, traffic management, acceleration, storage, and security, enables a new model for secure application delivery built around the dynamics of the network, data, protocols, applications, and users.
Slide 14: With F5's IDC Firewall, customers are able to:
- Reduce hardware and operating cost by as much as 50%.
- Defend against 30+ DDoS attack types across both the network and application layers.
- Leverage the performance and scalability of BIG-IP to handle 10 times more connections per second than any other network firewall.
- Protect, using iRules, against newly published vulnerabilities that do not have a patch. In the case of the SSL Renegotiation DoS attack, F5 published a countermeasure on its user community site, DevCentral, within hours of the exploit being published.
- Scale up to 72 Gbps of throughput with 72 million concurrent connections on a single device.
Diagram: TMOS (available, secure, fast) with the LTM, GTM, ASM and APM modules; module security for DNS, web and access; dynamic threat defense; DDoS protection, protocol security, SSL termination and network firewall; iRules, iControl and iApps.
Slide 16: Internet Data Center Perimeter Firewall, Perimeter Firewall with Load Balancer: Today
Overview: traditional firewall; standalone load balancer.
Limitations: DDoS protection, connections, scale, device management, defense methods. Example: 5 Junipers to scale to our 1 device (FACT CHECK).
Threats: traditional network attacks; DDoS attacks on multiple protocols; web application attacks (OWASP); SSL renegotiation attack; OS/WS/APP enumeration; data loss.
Threats addressed: DDoS: SYN flood protection.
Triggering events: firewall hardware refresh; firewall failure from scale; DDoS attack mitigation.
Technical benefits: SYN flood protection; L4 ACLs; application layer gateways; load balancer.
Slide 17: Internet Data Center Perimeter Firewall, Perimeter Firewall with Load Balancer: With BIG-IP
Overview: one consolidated device providing firewall service, application delivery and web application firewall.
Benefits: application fluency; SSL visibility; DDoS protection, 30+ types; dynamic defense methods; best price-to-performance class; OWASP top 10 protection.
Threats addressed: traditional network attacks; DDoS attacks on multiple protocols; web application attacks (OWASP); OS/WS/APP enumeration; data loss; SSL renegotiation attack.
Business benefits: reduce CAPEX; reduce OPEX; brand protection; revenue assurance.
Technical benefits: performance and scale; DDoS mitigations for UDP, TCP, SIP, DNS, HTTP and SSL; SSL termination, inspection, re-encryption and certificate storage; default deny plus packet filter ACLs; protocol security; full-proxy application profiles; zero-day dynamic security context (iRules); fingerprinting cloaking; OWASP attack mitigations; advanced HTTP analytics; ICSA certified network firewall; ICSA certified web application firewall.
Diagram: BIG-IP LTM with ASM.
Slide 18: Internet Datacenter Network Firewall: SYN flood protection and many others
Diagram: external users -> router -> Internet -> data center hosting F5.com, owa.f5.com, DevCentral.F5.com, websupport.f5.com, ihealth.f5.com and downloads.F5.com; high concurrent connection capacity; user geolocation security.
F5 helps you to mitigate DDoS and flood-based attacks:
- Stateful, default deny behavior
- High concurrent connection and connections/sec capacity
- User geolocation awareness
- SSL (hardware accelerated encryption/decryption)
- IPsec site to site
- Packet filtering
- Flood protection mechanisms
- Carrier Grade NAT (NAT, NAT64)
Notes: 3 minute slide, probably one of the most important slides. This slide needs to make the audience understand where we can propose our solution as a network firewall. LTM is intended and suited to be a data center firewall located at the very top of the network, where some of the following apply:
- Most of the traffic that traverses the network firewall hits the LTM, which makes the network firewall redundant.
- High capacity data centers whose firewalls have to deal with high performance requirements (web monsters, large DCs).
- Where the network firewall has a large security rule base because the LTM has many virtual servers (many internal segments).
LTM will not be a firewall between the user and the internet; at best it can sit between the internet and applications. LTM can be a datacenter network firewall. It CANNOT be a corporate/enterprise firewall; this is a key message.
Slide 22: SSL Drives Platform Architecture
Chart: increasing CPU processing requirements by key size.
- 1024-bit keys: 100%
- 2048-bit keys: 600% (6x tougher)
- 4096-bit keys: 4100% (41x tougher)
The industry is increasingly using larger SSL keys.
Slide 24: Summary
- DoS = denial of service; DDoS = distributed denial of service.
- Layer 1: cut the cable.
- Layer 4 or Layer 7 DDoS: thousands of attackers bring down one site.
- Layer 7 DoS: one attacker is able to bring down one site, e.g. Slowloris, Slow POST.
- Layer 4 (transport): SYN flood, an incomplete TCP handshake.
- Layer 7 (application): Slowloris, incomplete HTTP requests.
Notes: Botnets are what you mostly saw in the past. Since the last couple of years there is a new kind of L7 DoS where you only need to send a few packets, like one packet per second, to make a server unavailable, because you carefully choose packets which do a lot of damage to the server.
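To make the two incomplete-state attacks on this slide concrete from the server side, here is an added example (not code from the presentation or from F5) modelling a full-proxy connection table that reaps half-open handshakes and HTTP requests whose header block never completes, with an idle timeout that shrinks as the table fills, the idea behind adaptive connection reaping. The class names, the thresholds and the documentation-range client addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

Key = Tuple[str, int]  # (client IP, client port); stand-in for the full connection 4-tuple


@dataclass
class Conn:
    opened_at: float
    last_activity: float
    handshake_done: bool = False  # False: SYN seen, final ACK never arrived (incomplete handshake)
    request_done: bool = False    # False: HTTP header block not yet closed by a blank line
    buf: bytes = b""


class ConnTable:
    """Connection table whose idle timeout shrinks as the table fills (adaptive reaping)."""

    def __init__(self, capacity: int, idle_timeout: float = 300.0, handshake_timeout: float = 5.0,
                 low_water: float = 0.5, high_water: float = 0.9, min_idle: float = 2.0):
        self.capacity, self.idle_timeout, self.handshake_timeout = capacity, idle_timeout, handshake_timeout
        self.low_water, self.high_water, self.min_idle = low_water, high_water, min_idle
        self.conns: Dict[Key, Conn] = {}

    def effective_idle_timeout(self) -> float:
        """Full timeout below low-water, linear ramp down to min_idle at high-water and above."""
        u = len(self.conns) / self.capacity
        if u <= self.low_water:
            return self.idle_timeout
        if u >= self.high_water:
            return self.min_idle
        frac = (u - self.low_water) / (self.high_water - self.low_water)
        return self.idle_timeout - frac * (self.idle_timeout - self.min_idle)

    def syn(self, key: Key, now: float) -> bool:
        if len(self.conns) >= self.capacity:
            return False  # table full: the SYN is dropped rather than evicting an existing flow
        self.conns[key] = Conn(opened_at=now, last_activity=now)
        return True

    def ack(self, key: Key, now: float) -> None:
        self.conns[key].handshake_done = True
        self.conns[key].last_activity = now

    def data(self, key: Key, now: float, chunk: bytes) -> None:
        c = self.conns[key]
        c.last_activity, c.buf = now, c.buf + chunk
        if b"\r\n\r\n" in c.buf:  # simplification: a blank line ends the header block
            c.request_done = True

    def close(self, key: Key) -> None:
        self.conns.pop(key, None)

    def reap(self, now: float) -> Dict[str, float]:
        """Evict flows that are half-open too long or quiet longer than the current idle timeout."""
        idle = self.effective_idle_timeout()
        counts: Dict[str, float] = {"idle_timeout": idle}
        for key, c in list(self.conns.items()):
            quiet = now - c.last_activity
            if not c.handshake_done and now - c.opened_at > self.handshake_timeout:
                reason = "half-open"
            elif not c.request_done and quiet > idle:
                reason = "slow-request"
            elif quiet > idle:
                reason = "idle"
            else:
                continue
            del self.conns[key]
            counts[reason] = counts.get(reason, 0) + 1
        return counts


def simulate(capacity: int, slow_clients: int, half_open: int, check_at: float) -> Dict[str, float]:
    """Constructed scenario: three legitimate clients send a full request and close; slow clients
    complete the handshake, send one header line and go quiet; half-open peers never ACK."""
    t = ConnTable(capacity)
    for i in range(3):  # 192.0.2/24, 198.51.100/24 and 203.0.113/24 are documentation ranges
        k = ("192.0.2.%d" % (i + 1), 60000 + i)
        t.syn(k, 0.0); t.ack(k, 0.0); t.data(k, 0.0, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"); t.close(k)
    for i in range(slow_clients):
        k = ("198.51.100.%d" % (i % 250 + 1), 40000 + i)
        t.syn(k, 0.0); t.ack(k, 0.0); t.data(k, 0.0, b"GET / HTTP/1.1\r\n")
    for i in range(half_open):
        t.syn(("203.0.113.%d" % (i + 1), 50000 + i), 0.0)
    return t.reap(check_at)
```

With the table 98% full the same six-second silence that is tolerated on a quiet table gets every trickling client reaped, which is the trade-off of adaptive reaping: slow but honest clients are only at risk while the table is under pressure.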
Slide 25: Mitigating DoS Attacks
Protect against: network-based distributed denial of service (DDoS).
Protect with: VIPRION and BIG-IP LTM DoS protections:
- Packet filtering
- SYN cookies (L4 DoS)
- Dynamic reaping (L4 DoS)
- TCP full proxy (L4 DoS)
- Rate shaping (L4 to L7 DoS)
- iRules (e.g. SSL DoS protection)
- Very high performance
- Very large connection tables
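As an added illustration of the SYN cookie entry on this slide (example code, not F5's implementation): a simplified stateless handshake in the style of Bernstein's SYN cookies. A time counter, a quantised MSS and a keyed hash of the flow 4-tuple are packed into the server's initial sequence number, so the SYN-ACK can be sent without allocating a connection-table entry and the returning ACK proves the client completed the handshake. The secret, the MSS table, the one-minute counter period and the documentation-range addresses are assumptions.

```python
import hashlib
import hmac
import socket
import struct
from typing import Dict, Optional

# The client's MSS is quantised to one of these values so it fits in 3 bits of the cookie.
# Other TCP options (window scaling, SACK) are lost: the price of keeping no state for the SYN.
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_BITS, MSS_BITS, HASH_BITS = 5, 3, 24


def _mac(secret: bytes, saddr: str, daddr: str, sport: int, dport: int, counter: int) -> int:
    """Keyed hash over the flow 4-tuple and the full time counter, truncated to HASH_BITS."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, counter & 0xFFFFFFFF)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << HASH_BITS) - 1)


def make_cookie(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
                client_mss: int, counter: int) -> int:
    """Server ISN for the SYN-ACK: 5 bits of counter | 3 bits of MSS index | 24 bits of MAC."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    cookie = (counter & ((1 << COUNTER_BITS) - 1)) << (MSS_BITS + HASH_BITS)
    cookie |= mss_idx << HASH_BITS
    return cookie | _mac(secret, saddr, daddr, sport, dport, counter)


def check_cookie(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
                 ack_num: int, counter_now: int) -> Optional[int]:
    """Validate the ACK of a handshake for which no SYN state was kept.
    Returns the MSS to use for the new connection, or None if the ACK is not ours or too old."""
    cookie = (ack_num - 1) & 0xFFFFFFFF  # the client acknowledges our ISN + 1
    t = cookie >> (MSS_BITS + HASH_BITS)
    mss_idx = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    mac = (cookie & ((1 << HASH_BITS) - 1)).to_bytes(3, "big")
    for counter in (counter_now, (counter_now - 1) & 0xFFFFFFFF):  # current and previous period
        if (counter & ((1 << COUNTER_BITS) - 1)) != t:
            continue
        expected = _mac(secret, saddr, daddr, sport, dport, counter).to_bytes(3, "big")
        if hmac.compare_digest(mac, expected):
            return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None
    return None


def handshake_demo() -> Dict[str, Optional[int]]:
    """Constructed exchange with documentation addresses: a genuine client ACK, the same ACK one
    period later, a stale ACK, a bit-flipped ACK and an ACK from a different source port."""
    secret = b"placeholder-secret-rotate-me"  # a real server rotates this regularly
    (cip, cport), (sip, sport) = ("198.51.100.23", 51234), ("192.0.2.10", 443)
    t0 = 7000  # assumption: the counter advances once per minute
    isn = make_cookie(secret, cip, sip, cport, sport, 1452, t0)  # client offered MSS 1452
    good_ack = (isn + 1) & 0xFFFFFFFF
    return {
        "fresh": check_cookie(secret, cip, sip, cport, sport, good_ack, t0),
        "next_period": check_cookie(secret, cip, sip, cport, sport, good_ack, t0 + 1),
        "stale": check_cookie(secret, cip, sip, cport, sport, good_ack, t0 + 2),
        "forged_ack": check_cookie(secret, cip, sip, cport, sport, ((isn ^ 1) + 1) & 0xFFFFFFFF, t0),
        "other_port": check_cookie(secret, cip, sip, cport + 1, sport, good_ack, t0),
    }
```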
Slide 28: DNS is Vulnerable to Attacks
Diagram: clients -> LDNS -> data center DNS servers.
- A large financial institution is being targeted by DDoS attacks from bots around the world attacking a single name server.
- Above the DNS maximum (150K) the server is likely to crash: no DNS responses, and it needs rebooting.
- Multiple DNS attacks: DDoS, cache poisoning, man-in-the-middle.
- Application timeouts (401 errors).
- Lost customers, lost productivity.
- Loss of revenue and brand equity.
Slide 29: Complete DNS Protection: BIG-IP Global Traffic Manager DNS Firewall Services
Diagram: clients -> LDNS -> data center (company.com).
- High performance DNS: multicore GTM
- Scalable DNS: DNS Express
- Malformed UDP packets are dropped
- Spread the load across devices: IP Anycast
- Secure DNS queries: DNSSEC
- Route based on nearest data center: geolocation
- Complete DNS control with DNS iRules
Notes: DNS denial of service attacks had been gaining in popularity for several years, but the threat gained higher visibility during the WikiLeaks attacks. Several customers almost lost their entire DNS infrastructure during the attacks. DNS was identified as a weak link in the infrastructure's DDoS defense. Fortunately, F5 was already working on a game-changing performance enhancement for DNS.
DNS firewall security with iRules capabilities using:
- DNSSEC: secure DNS queries with dynamically signed responses
- DNS Express: authoritative DNS offload server that scales up to 10x with 6 million queries per second, consolidating DNS infrastructure up to 70x
- Multicore GTM: increase DNS performance
- IP Anycast
- DNS iRules: DNS filtering capabilities using packet filters for DNS
Step 1: Multicore GTM enables GSLB to scale with the number of CPU cores = fast WIP queries.
Step 2: DNS Express becomes a DNS slave, offloading the resolution of non-WIP queries = fast standard queries.
Step 3: IP Anycast integration allows multiple boxes to answer on the same IP address, spreading the load across multiple devices.
No DNS queries need to be answered by the back-end DNS infrastructure = DNS Shield / DNS Firewall. Combined with the new VIPRION GTM module and high-end GTM devices, the DNS price per query was at an all-time low, enabling organizations to scale cost effectively. Also, the DNS proxy automatically drops malformed UDP packets that do not appear to be DNS queries, providing another layer of initial DNS protection.
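The "malformed UDP packets are dropped" step above, as an added example (not F5 or BIG-IP code): a structural check that a UDP payload is a well-formed DNS query before it is allowed to reach the authoritative servers, together with constructed sample packets. The 512-byte cap, the IN-class-only rule and the printable-label rule are policy assumptions made for this filter.

```python
import struct
from typing import List, Optional, Tuple

MAX_QUERY_BYTES = 512  # policy assumption: plain UDP queries longer than this are dropped
OPCODE_QUERY = 0


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed helper to produce sample input: a standard query (RD=1) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes) -> Optional[Tuple[int, str, int]]:
    """Return (txid, qname, qtype) if pkt is a well-formed DNS query, else None (meaning: drop)."""
    if not 12 <= len(pkt) <= MAX_QUERY_BYTES:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:                            # QR=1: a response, not a query
        return None
    if (flags >> 11) & 0xF != OPCODE_QUERY:       # only standard queries pass this filter
        return None
    if qd != 1 or an != 0 or ns != 0 or ar > 1:  # one question; at most one (EDNS OPT) additional
        return None
    labels: List[str] = []
    off = 12
    while True:
        if off >= len(pkt):
            return None                           # name runs past the end of the packet
        n = pkt[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0 or n > 63:                    # no compression pointers in a question; label <= 63
            return None
        if off + 1 + n > len(pkt) or off + 1 + n - 12 > 255:  # truncated label / name > 255 bytes
            return None
        label = pkt[off + 1:off + 1 + n]
        if any(b <= 32 or b >= 127 for b in label):  # policy: printable ASCII labels only
            return None
        labels.append(label.decode("ascii"))
        off += 1 + n
    if off + 4 > len(pkt):
        return None
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    if qclass != 1:                               # class IN only
        return None
    off += 4
    if ar == 0 and off != len(pkt):               # trailing bytes with no additional section
        return None
    return txid, ".".join(labels) or ".", qtype


def filter_udp(pkts: List[bytes]) -> Tuple[List[Tuple[int, str, int]], int]:
    """Pass well-formed queries on; count everything else as dropped."""
    accepted, dropped = [], 0
    for p in pkts:
        q = parse_query(p)
        if q is None:
            dropped += 1
        else:
            accepted.append(q)
    return accepted, dropped


def sample_traffic() -> List[bytes]:
    """Constructed packets: one good query followed by five malformed variants."""
    good = build_query("company.com", 1)
    return [
        good,
        good[:20],                                # truncated in the middle of the name
        good[:2] + b"\x81" + good[3:],            # QR bit set: a response posing as a query
        good[:12] + b"\x40" + good[13:],          # first label claims 64 bytes
        good[:12] + b"\xc0\x0c" + good[25:],      # compression pointer where a label belongs
        b"\x00" * 6,                              # shorter than a DNS header
    ]
```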
Slide 30: The Value of a Complete DNS / Web Solution
- Scalable: 10x, 70%
- Denial of service mitigation
- Supports client requests and consolidates IT
- IPv6 to IPv4
- Complete DNS control
- Route based on geolocation
- Secure DNS query responses
Diagram label: Access Denied.
Slide 32: Security Vulnerabilities in Web Applications
Attacks now look to exploit application vulnerabilities! Perimeter security is strong, but it is open to web traffic (port 80, port 443). High information density = high value attack.
Attack types: forceful browsing, cross-site scripting, cookie poisoning, SQL/OS injection, hidden-field manipulation, parameter tampering, buffer overflow, brute force attacks, Layer 7 DoS, web scraping, CSRF, viruses.
Consequences: non-compliant information; forced access to information; infrastructural intelligence.
Slide 33: Deploy ASM Policies without False Positives
- Predefined policy templates: pre-configured security policies
- Learning mode: automatic or manual
- Web application scanner integration: IBM Rational AppScan, QualysGuard Web App Scanning, Cenzic Hailstorm, WhiteHat Sentinel
- Gradual deployment: transparent / semi-transparent / full blocking
Slide 34: Mitigate Vulnerabilities Now
Flow: a web application scanner finds a vulnerability on the customer website -> virtual patching with one click on BIG-IP ASM -> vulnerability checking, detection and remediation -> complete website protection.
BIG-IP Application Security Manager (*Note: available in the 11.2 release).
Overview: verify, assess, resolve and retest in one UI; automatic or manual creation of policies; discovery and remediation in minutes.
Slide 35: Free Cenzic Cloud Scans with ASM in v11.2
Find vulnerabilities and reduce exposure:
- 3 free application scans directly from the ASM/VE UI
- No time limits once signed up
- Free scans are limited health check services
The F5 free Cenzic cloud scan tests for: cross-site scripting, credit card disclosure, application exception, non-SSL password, SQL injection, check HTTP methods, open redirect, basic auth over HTTP, password auto-complete, directory browsing.
Notes: Only the following three checks are included in non-F5 free promotions: CSS, password autocomplete and non-SSL password. Pre-11.2, the user was required to generate an XML file that described the vulnerabilities on the Cenzic Hailstorm product, then export it and import it into ASM. Pre-11.1: we had no integration.
Slide 36: IP Intelligence: Identify and allow or block IP addresses with malicious activity
Diagram: the IP Intelligence Service feeds the BIG-IP system with IP address updates every 5 min; botnets, attackers and anonymous requests are identified in front of the custom application and the financial application.
- Geolocation database
- Anonymous proxies
- Internally infected devices and servers
- Scanners
- Use IP intelligence to defend against attacks
- Reduce operating and capital expenses
Notes: Attackers could be automated bots, phishing proxies, or valid users creating violations. Tor (short for The Onion Router) is a system intended to enable online anonymity. Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user's location or usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity, including "visits to Web sites, online posts, instant messages and other communication forms", back to the user and is intended to protect users' personal freedom, privacy, and ability to conduct confidential business by keeping their internet activities from being monitored. (For more info:
This is the first service where we get context data from the cloud. With iRules, IP Intelligence works outbound too: a response to a risky IP would be identified and, for example, blocked.
Slide 37: IP Intelligence: How it works
- Fast IP update of malicious activity
- Global sensors capture IP behaviors
- Threat correlation reviews / blocks / releases
Diagram: Internet -> sensor techniques (exploit honeypots, naive user simulation, web app honeypots, semi-open proxy farms, third-party sources) -> IP Intelligence Service threat correlation -> dynamic threat IPs every 5 min -> BIG-IP system. Key threats: web attacks, reputation, Windows exploits, botnets, scanners, network attacks, DNS.
Notes: A global network of sensors is deployed to attract malicious activity. Sophisticated and diverse sensor types are designed to capture IP behavioral activity. Raw incident data are pushed to the cloud as events occur. An automated algorithm is deployed to:
- Identify suspicious IPs
- Gather evidence by examining activities by the IP, and correlate these activities
- Place the IP on trial by applying built-in rules
- Determine the verdict and sentence the IP to the appropriate block term
- Upon serving its time, the IP is released and put on indefinite review status
Slide 38: Graphical Reporting
Detailed chart path of threats in ASM.
Slide 40: Context = Access Control: BIG-IP Access Policy Manager
- Unify access control
- Authentication and authorization
- Single sign-on
- Powerful custom and built-in reporting
- Access and application analytics
- Manage access based on identity
Slide 41: Enable Simplified Application Access with BIG-IP Access Policy Manager (APM)
BIG-IP APM = AAA control on BIG-IP. Integrates with AAA servers, including Active Directory, LDAP, RADIUS, and native RSA SecurID.
Slide 42: Control Access of Endpoints: ensure strong endpoint security with BIG-IP APM
Allow, deny, or remediate users based on endpoint attributes such as:
- Client or machine certificates
- Antivirus software version and updates
- Software firewall status
Invoke a protected workspace for unmanaged devices:
- Access to specific applications
- Restrict USB access
- Cache cleaner leaves no trace
- Ensure no malware enters the corporate network
Notes: Endpoint security: more than a dozen different endpoint security checks are available (a large number of agents, e.g. virtual keyboard, AV and firewall checks, process, file and registry checks, extended Windows info, client and machine certificates, etc.). Manage endpoints via Group Policy enforcement and Protected Workspace (endpoint remediation capabilities like Protected Workspace and Full Armor-based AD policy enforcement, in addition to Cache Cleaner, redirects to remediation pages, and message and decision boxes).
Slide 43: Authentication All in One and Fast SSO: F5 BIG-IP Access Policy Manager
Dramatically reduce infrastructure costs; increase productivity.
- Integrate and distribute users to apps.
- Multi-domain single sign-on to applications and networks.
- Easy and simple authentication design.
- Easy configuration for settings and domains.
- Configure different cookie settings and SSO methods for different domains or for different hosts in the same domain (multiple separate domains or multiple hosts within the same domain).
Diagram: SSO methods NTLM, Basic, Header, KPT.
Notes: Be able to show the different back-end or server-side auth mechanisms that we can support. ACA now in APM = OCSP, CRLDP (Certificate Revocation List) and TACACS+ (Cisco version of RADIUS). Single sign-on to multiple LTM/APM or Edge Gateway virtual servers. Example: client certificate authentication from an iPhone/iPad to APM/Edge Gateway, using Kerberos Constrained Delegation (KCD) and Kerberos Protocol Transition (KPT) to perform back-end SSO.
Slide 44: App Security with BIG-IP ASM and APM
Diagram: the browser sends requests to the applications through ASM and APM. ASM stops bad requests and responses and allows legitimate requests; APM offers authentication and authorization and stops unauthorized requests. Labels: illegal requests; non-compliant information; unauthorised access; infrastructural intelligence.
This reduces the attack vector, because only authenticated, authorized and legal requests are permitted to reach the relevant application servers.
Notes: Also mention the capability of APM to "store" the domain cookies and send only the APM cookies to the client.