F5 Unified Security Solutions
Ralf Sydekum Technical Manager Central & Eastern Europe
Agenda
- Real Security Challenges and Attacks
- Data Center Firewall
- DoS & DDoS
- DNS Security
- Web Security
- Access Management
- Fast Vulnerability Assessment & Application Security
The Leader in Application Delivery Networking
Users at home, in the office and on the road reach data center applications (SAP, Microsoft, Oracle) through the Application Delivery Network. Business goal: achieve these objectives in the most operationally efficient manner.
Statement - SONY Online Entertainment (http://blog.eu.playstation.com/)
On April 16th and 17th, 2011… personal information from approximately 24.6 million SOE accounts may have been stolen… name, login, hashed password… as well as certain information from an outdated database from 2007 for customers in the EU: name, bank account number, address…
Sony stock performance: Nov 2010-Nov 2011
Why significant?
- By volume, the largest data breach of the year.
- Has kept a permanent drag on Sony's stock.
- SQL injection made it onto the agenda of board rooms worldwide.
- This breach forever shifted the purpose of hacktivism from defacement to data theft. The hackers' intent wasn't to embarrass a company, but rather to bring it down.
Summary: Hacktivists broke into Sony worldwide, stealing about 100M data records (about 12M unencrypted).
Details: Sony's video game online network was breached, which led to the theft of names, addresses and credit card data.
What happened to WikiLeaks?
Several companies stopped providing service to WikiLeaks although it is not proven that WikiLeaks violates existing law:
- Amazon removed all WikiLeaks content from their servers
- EveryDNS switched off the DNS resolution for wikileaks.org
- Several financial institutes locked up donation accounts
Finally…
Thousands of internet users unloaded their accumulated anger starting 7th Dec 2010:
- Web servers of the Swiss Postfinance bank were down for several hours
- Credit card companies like Mastercard and VISA were not accessible for several hours a day over several days
- Paypal's transaction network was slow but not taken down completely
A botnet in general is a collection of software agents, or robots, that run autonomously and automatically. It consists of a lot of "infected" PCs which can be remote controlled to do, e.g., a distributed denial of service attack or send spam. In this case, the group called Anonymous has been encouraging volunteers to download software called LOIC (Low Orbit Ion Cannon), which lets them centrally control these systems and direct them into a DDoS (distributed denial of service) attack. The point of the attacks is to put pressure on financial companies that recently cut ties with the WikiLeaks website over its planned publication of more than 250,000 U.S. Department of State classified
WikiLeaks DDoS Attack Profile
Three basic classes of attack:
- L7 (HTTP/Web): Slowloris. Creates massive numbers of concurrent sessions; firewalls are quickly overwhelmed; server resources are completely consumed.
- L4: TCP Flood/SYN Flood. Targets any TCP-aware device.
- L3: ICMP Flood. ICMP protocol attack; consumes router, firewall and server resources.
Path into the data center: Border Router (Internet Connection), Intrusion Prevention Device, PCI Compliant Firewall, F5 BIG-IP with ASM Module.
BIG-IP/ASM stopped the attacks: a combination of core TMOS functionality, iRules and ASM (Application Security Manager).
The Three Threat Vectors
- DDoS Attacks
- Network Attacks
- Application Attacks
Security Challenges
- Blended attacks are overwhelming conventional security devices at the edge of the data center.
- 30% of network traffic is encrypted, bypassing security controls.
- Security is still expendable: 9 out of 10 IT organizations admit to sacrificing security for performance.
- Security device sprawl is a challenging problem: IT's biggest security challenge with device sprawl is operational complexity.
- Over 90% of IT administrators want…
Security context: the diversity of today's attacks is overwhelming conventional security devices at the edge of the data center.
"…the average organizational cost of a data breach this year increased to $4 million, up 18% from 2009." 2010 Annual Study: Global Cost of a Data Breach Report (PDF), March 8th, 2011.
Unemployment figures from the Bureau of Labor Statistics October report: there are now over 4 million IT workers and the vast majority of them are already employed. Network architects enjoy a 0.2% unemployment rate.
A Ponemon 2011 survey had the following question: Which of the following are the biggest information/network security challenges facing your company?
- Managing the complexity of security – 33%
- Preventing insider data theft – 21%
- Compliance – 19%
- Preventing data breaches – 12%
- Enforcing security policies – 15%
On traditional firewall failure: traditional network devices are failing under load. 3 out of 6 major firewalls failed under stability testing, and 5 out of 6 were vulnerable to a common exploit.
Context leverages information about the end user to improve the interaction
Who, what, where, when, how:
- Who is the user?
- What devices are requesting access?
- When are they allowed to access?
- Where are they coming from?
- How did they navigate to the page/site?
"Context-aware technologies will affect $96 billion of annual consumer spending worldwide by 2015. By that time, more than 15 percent of all payment card transactions will be validated using context information." - Gartner
Gartner Says Context-Aware Technologies Will Affect $96 Billion of Annual Consumer Spending Worldwide by 2015. Analysts Discuss Latest Industry Trends at Gartner Symposium/ITxpo, October 16-20, in Orlando.
Orlando, Fla., October 20, 2011 — Context-aware technologies will affect $96 billion of annual consumer spending worldwide by 2015, according to Gartner, Inc. By that time, more than 15 percent of all payment card transactions will be validated using context information. Gartner analysts discussed the growing importance of context-aware computing at Gartner Symposium/ITxpo, being held here through Thursday.
"Context-aware computing is the method by which new experiences are constructed that blend information from mobile, social, digital and physical world sources," said William Clark, research vice president at Gartner. "The disruptions caused by context-aware computing will include major user, technology and business shifts, including the use of model-driven security in fraud detection and prevention, convergence in television, game, Web and mobile advertising, and new styles of application programming. The advanced use of personal information in customizing user experiences will result in the interest of governments in regulating contextual information access and control."
Gartner estimates that by 2015, 40 percent of the world's smartphone users will opt in to context service providers that track their activities. Given the overall smartphone base, this equates to about 720 million people or about 10 percent of the global population.
Payment card issuers and retailers currently hold important transactional information per person, and social platforms such as Facebook can provide some influence, but the ubiquity of the devices and the convenience of context-enriched services mean that although those providers are sources of context, they cannot deliver "the last contextual moment of choice." However, by 2015, smartphone adoption of iOS, Android, Windows Phone and other smartphone platforms will stand at more than 1.8 billion people. This collection of vendors already possesses vast amounts of information about digital habits, and by 2015, the intent of users will be combined with further enhancements of both indoor and outdoor 3D mapping databases. This will mean that context providers will be able to use location as a foundation to allow them to redefine how consumers search for and pay for products and services. This will present a new set of opportunities, and a change in the positioning of financial service providers, consumer packaged goods companies and retailers.
"Enterprises can leverage context-aware computing to better target and deliver on the promise of increased customer intimacy for millions of consumers," Mr. Clark said. "For CIOs, the timing of investment in context-aware computing will be critical. Organizations that do not prepare for thoughtful information sharing — balancing usage, privacy and business models of consumers, context providers, and the enterprises themselves — will be at a severe disadvantage. Organizations will need to coordinate in how context-enriched services will change their physical store, e-commerce and mobile-user experiences. Investing too heavily, too early will squander IT, marketing and operational resources." Transportation, utilities, energy and healthcare firms stand to gain considerable efficiency from context-aware computing, with notable use cases and case studies emanating from location and presence-enhanced apps.
"There is little doubt that context will be a defining principle of mobile business for the next decade, especially advertising and marketing," said Mr. Clark. "Context also will be a key criterion for the selection of partners and many mobile business systems will exploit contextual cloud services hosted by others, emerging as a major commercial battleground with powerful vendors, such as Nokia, Microsoft, Baidu, Amazon, Google and Apple, striving to own the consumer's context."
Unified Security Architecture
Traditional approach: separate products for DDoS protection, firewall, web application firewall, load balancer, DNS security, and access management and remote access. The unified security architecture delivers these from one platform.
Current traditional firewalls suffer from:
- LACK OF performance and scale
- INABILITY TO RESPOND to changing threats
- FAILURE to extend new services
- COMPLEXITY AND COST of multiple vendors
Speaker note: Fast – market share, intelligent ADC market; today the focus is on secure.
Traditional protection methods attempt to piece together many individual point products such as static firewalls, DDoS appliances, DNS appliances, web application firewalls, and application delivery controllers. This approach increases complexity and latency, and adds more points of failure. Worse, it fails to integrate information from different attack vectors, and fails to unify the response. Additionally, traditional approaches have no way of evolving as the attacks themselves evolve.
The high performance internet firewall builds on the F5 vision of the "dynamic data center" by acting as a strategic point of control for security enforcement from the network to the application layer. Architecting F5 control points throughout the data center, for access, traffic management, acceleration, storage, and security, enables a new model for secure application delivery built around the dynamics of the network, data, protocols, applications, and users.
With F5's IDC Firewall, customers are able to:
(Slide diagram: TMOS platform with the LTM, GTM, ASM and APM modules providing DDoS protection, protocol security, SSL termination, network firewall, DNS security, web security and access control, with iRules, iControl and iApps on top of TMOS.)
- Reduce hardware and operating cost by as much as 50%
- Defend against 30+ DDoS attack types across both the network and application layers
- Leverage the performance and scalability of BIG-IP to handle 10 times more connections per second than any other network firewall
- Protect by using iRules against newly published vulnerabilities that do not have a patch. As in the case of the SSL Renegotiation DoS attack, F5 published on its user community site, DevCentral, a countermeasure within hours of the exploit being published
- Scale up to 72 Gbps of throughput with 72 million concurrent connections on a single device
Data Center Firewall
Internet Data Center Perimeter Firewall
Perimeter Firewall with Load Balancer: Today
Overview: traditional firewall plus standalone load balancer.
Limitations: DDoS protection, connections, scale, device management, defense methods. Example: 5 Junipers to scale to our 1 device (FACT CHECK).
Threats: traditional network attacks, DDoS attacks on multiple protocols, web application attacks (OWASP), SSL renegotiation attack, OS/WS/APP enumeration, data loss.
Threats addressed: DDoS (SYN flood protection).
Triggering events: firewall HW refresh, firewall failure from scale, DDoS attack mitigation.
Technical benefits: SYN flood protection, L4 ACLs, application layer gateways, load balancer.
Internet Data Center Perimeter Firewall
Perimeter Firewall with Load Balancer: With BIG-IP
Overview: a consolidated device providing firewall service, application delivery and web application firewall.
Benefits: application fluency, SSL visibility, DDoS protection (30+ types), dynamic defense methods, best price to performance in its class, OWASP top 10 protection.
Threats addressed: traditional network attacks, DDoS attacks on multiple protocols, web application attacks (OWASP), OS/WS/APP enumeration, data loss, SSL renegotiation attack.
Business benefits: reduce CAPEX, reduce OPEX, brand protection, revenue assurance.
Technical benefits: performance and scale; DDoS mitigations for UDP, TCP, SIP, DNS, HTTP and SSL; SSL termination, inspection, re-encryption and certificate storage; default deny plus packet filter ACLs; protocol security; full proxy application profiles; zero-day dynamic security context (iRules); fingerprinting cloaking; OWASP attack mitigations; advanced HTTP analytics; ICSA certified network firewall; ICSA certified web application firewall (BIG-IP LTM with ASM).
Internet Datacenter Network Firewall
(Slide diagram: external users on the Internet reach F5.com, owa.f5.com, DevCentral.F5.com, websupport.f5.com, ihealth.f5.com and downloads.F5.com through a router and the BIG-IP in the data center.)
F5 helps you mitigate DDoS and flood-based attacks:
- Stateful, default deny behavior
- High concurrent connection and connections/sec capacity
- User geolocation awareness
- SSL (HW accelerated encryption/decryption)
- IPsec site to site
- Packet filtering
- Flood protection mechanisms (SYN flood protection and many others)
- Carrier Grade NAT (NAT, NAT64)
Speaker notes (3 minute slide, probably one of the most important slides): this slide needs to make the audience understand where we can propose our solution against network firewalls. LTM is intended and suited to be a data center firewall located at the very top of the network where some of the following apply:
- Most of the traffic that traverses the network firewall hits the LTM, which makes the network firewall redundant.
- High capacity data centers whose firewalls have to deal with high performance requirements: web monsters, large DCs.
- Where the network firewall has a large security rule base because LTM has many virtual servers (many internal segments).
LTM will not be a firewall between the user and the internet; at best it can sit between the internet and applications. LTM can be a datacenter network firewall; it CANNOT be a corporate/enterprise firewall. This is a key message.
Platform comparison: F5 BIG-IP 11050 ($129,995) vs. Competitor ABC + 4 Blades ($124,000)
- Throughput: F5 BIG-IP 11050 42 Gbps; Competitor ABC + 4 Blades 20 Gbps
- Connections per Second: F5 BIG-IP 11050 1M; Competitor ABC + 4 Blades 175K
- Maximum Concurrent Connections: F5 BIG-IP 11050 vs. Competitor ABC + 4 Blades
SSL Drives Platform Architecture
The industry is increasingly using larger SSL keys, and CPU processing requirements increase with key size:
- 1024 bit keys: 100% (baseline)
- 2048 bit keys: 600% (6x tougher)
- 4096 bit keys: 4100% (41x tougher)
Denial of Service / Distributed Denial of Service
Summary: DoS = Denial of service; DDoS = Distributed denial of service
- Layer 1: cut the cable
- Layer 4 or Layer 7 DDoS: thousands of attackers bring down one site
- Layer 7 DoS: one attacker is able to bring down one site, e.g. Slowloris, Slow POST
- Layer 4 Transport: SYN Flood – incomplete TCP handshake
- Layer 7 Application: Slowloris – incomplete HTTP requests
Botnet-driven DDoS is what you mostly saw in the past. For the last couple of years there has been a new kind of L7 DoS where you only need to send a few packets, e.g. one packet per second, to make a server unavailable, because you carefully choose packets which do a lot of damage to the server.
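As an added illustration of the Layer 7 DoS pattern above (not part of the original deck), the following Python checks a constructed table of open connections for Slowloris-style incomplete headers and Slow POST bodies that trickle below a minimum rate, then groups offenders by source address. The thresholds and the sample connections are assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy values: real deployments tune these per application.
HEADER_DEADLINE = 10.0      # seconds allowed to finish the request headers
MIN_BODY_RATE = 200.0       # bytes/second expected once a Content-Length body starts
PER_SOURCE_LIMIT = 3        # this many slow connections from one source => offender


@dataclass
class Conn:
    src: str
    opened_at: float        # epoch seconds when the TCP connection was accepted
    headers_done: bool      # has the blank line ending the headers been received?
    body_expected: int      # Content-Length announced (0 if none)
    body_received: int      # body bytes received so far


def classify(conn, now):
    """Label one connection: 'ok', 'slow-headers' (Slowloris) or 'slow-body' (Slow POST)."""
    age = now - conn.opened_at
    if not conn.headers_done:
        # Sending one header line every few seconds keeps the socket open
        # indefinitely without ever completing the request.
        return "slow-headers" if age > HEADER_DEADLINE else "ok"
    if conn.body_expected and conn.body_received < conn.body_expected:
        rate = conn.body_received / age if age > 0 else float("inf")
        if age > HEADER_DEADLINE and rate < MIN_BODY_RATE:
            return "slow-body"
    return "ok"


def find_offenders(conns, now):
    """Map source address -> list of slow-connection labels, for sources over the limit."""
    slow = defaultdict(list)
    for c in conns:
        label = classify(c, now)
        if label != "ok":
            slow[c.src].append(label)
    return {src: labels for src, labels in slow.items() if len(labels) >= PER_SOURCE_LIMIT}


# Constructed sample connection table (not real traffic), observed at now = 60.0.
SAMPLE = [
    Conn("203.0.113.5", 5.0, False, 0, 0),           # headers never complete
    Conn("203.0.113.5", 6.0, False, 0, 0),
    Conn("203.0.113.5", 7.0, False, 0, 0),
    Conn("203.0.113.5", 8.0, True, 1_000_000, 900),  # Slow POST: 1 MB announced, 900 bytes sent
    Conn("198.51.100.7", 55.0, False, 0, 0),         # legitimate: still within the header deadline
    Conn("198.51.100.8", 20.0, True, 4096, 4096),    # legitimate: body complete
]

if __name__ == "__main__":
    for src, labels in find_offenders(SAMPLE, now=60.0).items():
        print(f"{src}: {len(labels)} slow connections {sorted(set(labels))}")
```

A full proxy such as the one described on the following slides can apply the same verdict by closing or reaping the flagged connections before they reach the server.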
Mitigating DoS Attacks
Protect against: network based Distributed Denial of Service (DDoS).
Protect with: VIPRION and BIG-IP LTM DoS protections:
- Packet filtering
- SYN cookies (L4 DoS)
- Dynamic reaping (L4 DoS)
- TCP full proxy (L4 DoS)
- Rate shaping (L4->L7 DoS)
- iRules (e.g. SSL DoS protection)
- Very high performance
- Very large connection tables
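SYN cookies, listed above as an L4 DoS protection, let a device answer a SYN without storing half-open state: the initial sequence number it sends is a keyed hash that the client must echo back in its ACK. Added example, not F5 code: the layout follows the well-known Linux scheme (5-bit time counter, 3-bit MSS index, 24-bit hash); the secret, period and MSS table are assumed values.

```python
import hashlib
import hmac
import struct
from ipaddress import ip_address

SECRET = b"constructed-demo-secret-rotate-in-production"  # assumed; rotate regularly
PERIOD = 64                          # seconds; the time counter steps once per period
MSS_TABLE = [536, 1220, 1440, 1460]  # encodable MSS values (3 bits allow up to 8)


def _counter(now):
    return int(now) // PERIOD


def _mac(src, sport, dst, dport, counter):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = ip_address(src).packed + ip_address(dst).packed + struct.pack("!HHI", sport, dport, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, sport, dst, dport, client_mss, now):
    """ISN to send in the SYN-ACK. No per-connection state is stored."""
    counter = _counter(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i              # largest table entry not exceeding the client's MSS
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _mac(src, sport, dst, dport, counter)


def check_cookie(src, sport, dst, dport, ack_num, now):
    """Validate the final ACK of the handshake. Returns the recovered MSS, or None to drop."""
    cookie = (ack_num - 1) & 0xFFFFFFFF      # the client acknowledges ISN + 1
    counter_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    current = _counter(now)
    for counter in (current, current - 1):   # accept this period and the previous one
        if (counter & 0x1F) == counter_bits and \
                _mac(src, sport, dst, dport, counter) == (cookie & 0xFFFFFF):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    isn = make_cookie("198.51.100.7", 40000, "203.0.113.10", 443, 1460, now=1000.0)
    print(hex(isn), check_cookie("198.51.100.7", 40000, "203.0.113.10", 443, isn + 1, now=1010.0))
```

Because the cookie is only 32 bits, TCP options other than MSS are lost when cookies are in use, which is why devices normally switch them on only above a SYN-backlog threshold.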
DNS Security Use Case
DNS Attacks Are Common
DNS is Vulnerable to Attacks
(Slide diagram: clients and LDNS resolvers querying the data center DNS servers.)
A large financial institution is being targeted by DDoS attacks from bots around the world attacking a single name server. Above the DNS maximum (150K) the server is likely to crash, resulting in no DNS responses and a reboot.
- Multiple DNS attacks: DDoS, cache poisoning, man-in-the-middle
- Application timeouts (401 errors)
- Lost customers, lost productivity
- Loss of revenue and brand equity
Complete DNS Protection: BIG-IP Global Traffic Manager
DNS firewall services in front of the data center (company.com):
- High performance DNS – Multicore GTM
- Scalable DNS – DNS Express
- Malformed UDP packets are dropped
- Spread the load across devices – IP Anycast
- Secure DNS queries – DNSSEC
- Route based on nearest datacenter – Geolocation
- Complete DNS control – DNS iRules
Speaker notes: DNS denial of service attacks had been gaining in popularity for several years, but the threat gained higher visibility during the WikiLeaks attacks. Several customers almost lost their entire DNS infrastructure during the attacks. DNS was identified as a weak link in the infrastructure's DDoS defense. Fortunately, F5 was already working on a game-changing performance enhancement for DNS: DNS firewall security with iRules capabilities using:
- DNSSEC – secure DNS queries with dynamically signed responses
- DNS Express – authoritative DNS offload server that scales up to 10x with 6 million queries per second and consolidates DNS infrastructure up to 70x
- Multicore GTM – increased DNS performance
- IP Anycast
- DNS iRules – DNS filtering capabilities using packet filters for DNS
Step 1: Multicore GTM enables GSLB to scale with the number of CPU cores = fast WIP queries.
Step 2: DNS Express becomes a DNS slave, offloading the resolution of non-WIP queries = fast standard queries.
Step 3: IP Anycast integration allows multiple boxes to answer on the same IP address, spreading the load across multiple devices.
No DNS queries need to be answered by the back-end DNS infrastructure = DNS Shield / DNS Firewall. Combined with the new VIPRION GTM module and high-end GTM devices, the DNS price per query was at an all-time low, enabling organizations to scale cost effectively. Also, the DNS proxy automatically drops malformed UDP packets that don't appear to be DNS queries, providing another layer of initial DNS protection.
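The "malformed UDP packets are dropped" layer above amounts to checking that a datagram actually looks like a DNS query before it is allowed to reach the name servers. Added example, not F5's DNS proxy: a Python validator that parses the header and question section as laid out in RFC 1035, plus a constructed query builder used as sample input. Accepting only opcode QUERY and at most one EDNS OPT record is an assumed policy.

```python
import struct

OPT_RR_TYPE = 41   # EDNS(0) pseudo-record, the only additional record expected in a query


def build_query(name, qtype=1, txid=0x1234):
    """Constructed sample input: a plain recursion-desired query, no EDNS."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)   # flags: QR=0, opcode=0, RD=1
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS IN


def _parse_qname(pkt, off):
    """Walk the question name labels with bounds checks; returns (name, new_off, error)."""
    labels, total = [], 0
    while True:
        if off >= len(pkt):
            return None, off, "name runs past end of packet"
        length = pkt[off]
        off += 1
        if length == 0:
            return ".".join(labels), off, None
        if (length & 0xC0) == 0xC0:
            return None, off, "compression pointer in question name"  # stub resolvers never emit one
        if length > 63:
            return None, off, "label longer than 63 bytes"
        total += length + 1
        if total > 255:
            return None, off, "name longer than 255 bytes"
        if off + length > len(pkt):
            return None, off, "label runs past end of packet"
        labels.append(pkt[off:off + length].decode("ascii", "replace"))
        off += length


def looks_like_dns_query(pkt):
    """Return (True, qname) for a well-formed standard query, else (False, reason)."""
    if len(pkt) < 12:
        return False, "shorter than the 12-byte DNS header"
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000:
        return False, "QR bit set: a response, not a query"
    if ((flags >> 11) & 0xF) != 0:
        return False, "opcode is not QUERY"
    if qd != 1 or an != 0 or ns != 0 or ar > 1:
        return False, "unexpected section counts for a query"
    name, off, err = _parse_qname(pkt, 12)
    if err:
        return False, err
    if off + 4 > len(pkt):
        return False, "question truncated before QTYPE/QCLASS"
    _qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    if qclass not in (1, 255):
        return False, "QCLASS is neither IN nor ANY"
    if ar == 0 and off != len(pkt):
        return False, "trailing bytes after the question"
    if ar == 1:
        # OPT RR: root name (one zero byte), TYPE, UDP payload size, TTL, RDLENGTH = 11 bytes minimum
        if off + 11 > len(pkt) or pkt[off] != 0 or \
                struct.unpack("!H", pkt[off + 1:off + 3])[0] != OPT_RR_TYPE:
            return False, "additional record is not an EDNS OPT RR"
    return True, name


# Constructed test datagrams: one good query and three that the proxy should drop.
GOOD = build_query("www.company.com")
RESPONSE = GOOD[:2] + bytes([GOOD[2] | 0x80]) + GOOD[3:]          # same bytes with QR=1
BAD_LABEL = (struct.pack("!6H", 7, 0x0100, 1, 0, 0, 0)
             + bytes([64]) + b"a" * 64 + b"\x00" + struct.pack("!HH", 1, 1))
TRUNCATED = GOOD[:-2]

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("response", RESPONSE), ("bad label", BAD_LABEL), ("truncated", TRUNCATED)):
        print(f"{label:10s} -> {looks_like_dns_query(pkt)}")
```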
The Value of Complete DNS / Web Solution
- Scalable: 10x, 70%
- Denial of service mitigation
- Supports client requests and consolidates IT
- IPv6 to IPv4
- Complete DNS control
- Route based on geolocation
- Secure DNS query responses
Web Security Services
Security Vulnerabilities in Web-Applications
Attacks now look to exploit application vulnerabilities. Perimeter security is strong, but it is open to web traffic (port 80, port 443), and high information density = high value attack.
Attack types: forceful browsing, cross-site scripting, cookie poisoning, SQL/OS injection, hidden-field manipulation, parameter tampering, buffer overflow, brute force attacks, Layer 7 DoS, web scraping, CSRF, viruses.
Consequences: non-compliant information, forced access to information, infrastructural intelligence.
Deploy ASM Policies without false positives
- Predefined policy templates: pre-configured security policies
- Learning mode: automatic or manual
- Web application scanner integration: IBM Rational AppScan, QualysGuard Web App. Scanning, Cenzic Hailstorm, WhiteHat Sentinel
- Gradual deployment: transparent / semi-transparent / full blocking
Mitigate Vulnerabilities Now
Workflow: the web application scanner finds a vulnerability on the customer website; virtual patching with one click on BIG-IP ASM; vulnerability checking, detection and remediation; complete website protection with BIG-IP Application Security Manager. *Note: available in the 11.2 release.
Overview:
- Verify, assess, resolve and retest in one UI
- Automatic or manual creation of policies
- Discovery and remediation in minutes
Free Cenzic Cloud Scans with ASM in v11.2
Find vulnerabilities and reduce exposure:
- 3 free application scans directly from the ASM/VE UI
- No time limits once signed up
- Free scans are limited health check services
The F5 free Cenzic Cloud scan tests for: Cross-Site Scripting, Credit Card Disclosure, Application Exception, Non-SSL Password, SQL Injection, Check HTTP Methods, Open Redirect, Basic Auth over HTTP, Password Auto-Complete, Directory Browsing.
Only the following three checks are included in non-F5 free promotions: CSS, Password Autocomplete and Non-SSL Password.
Speaker notes: pre-11.2, the user was required to generate an XML file describing the vulnerabilities on the Cenzic Hailstorm product, then export it and import it into ASM. Pre-11.1 we had no integration.
IP Intelligence: identify and allow or block IP addresses with malicious activity
(Slide diagram: the IP Intelligence Service sends IP address feed updates every 5 min to the BIG-IP system, which fronts a custom application and a financial application; sources of risky traffic include botnet attackers, anonymous requests, anonymous proxies, internally infected devices and servers, and scanners.)
Attackers could be automated bots, phishing proxies, or valid users creating violations. Tor (short for The Onion Router) is a system intended to enable online anonymity. Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user's location or usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity, including "visits to Web sites, online posts, instant messages and other communication forms", back to the user, and is intended to protect users' personal freedom, privacy, and ability to conduct confidential business by keeping their internet activities from being monitored.
This is the first service where we get context data from the cloud. With iRules, IP Intelligence works outbound too: a response to a risky IP would be identified and, e.g., blocked. Geolocation database.
Use IP intelligence to defend against attacks and to reduce operational and capital expenses.
IP Intelligence: How it works
- Global sensors capture IP behaviors
- Threat correlation reviews, blocks and releases
- Fast IP update of malicious activity: dynamic threat IPs every 5 min.
Key threats: semi-open proxy farms, web attacks, Windows exploits, botnets, scanners, network attacks, DNS.
Sensor techniques: exploit honeypots, naive user simulation, web app honeypots, third-party sources.
- A global network of sensors is deployed to attract malicious activity
- Sophisticated and diverse sensor types are designed to capture IP behavioral activity
- Raw incident data are pushed to the cloud as events occur
- An automated algorithm is deployed to: identify suspicious IPs; gather evidence by examining activities by the IP and correlating these activities; place the IP on trial by applying built-in rules; determine the verdict and sentence the IP to the appropriate block term; upon serving its time, the IP is released and put on indefinite review status
- The resulting reputation feed is delivered to the BIG-IP system
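The trial / verdict / sentence / release cycle described above, as an added Python sketch (not the IP Intelligence Service itself): sensor reports are correlated per IP inside an evidence window, a block term is chosen from the worst category seen and doubled for repeat offenders, and feed() returns what would be pushed to BIG-IP systems on the 5-minute cycle. The window, threshold, categories and terms are assumed values.

```python
from collections import defaultdict

EVIDENCE_WINDOW = 3600      # seconds of activity correlated per IP (assumed)
TRIAL_THRESHOLD = 3         # independent sensors that must agree before a trial opens (assumed)
BLOCK_TERM = {"scanner": 1800, "web_attack": 7200, "botnet": 86400}  # seconds (assumed)
DEFAULT_TERM = 600          # for categories not in the table


class IPIntelligence:
    def __init__(self):
        self.hits = defaultdict(list)   # ip -> [(ts, category, sensor)]
        self.blocked_until = {}         # ip -> time the current sentence ends
        self.priors = defaultdict(int)  # ip -> number of earlier sentences

    def report(self, ip, ts, category, sensor):
        """Raw incident pushed by a sensor (honeypot, naive-user simulation, third party)."""
        self.hits[ip].append((ts, category, sensor))
        self._trial(ip, ts)
        return self.verdict(ip, ts)

    def _trial(self, ip, now):
        if self.blocked_until.get(ip, 0) > now:
            return                                  # already serving a term
        evidence = [h for h in self.hits[ip] if now - h[0] <= EVIDENCE_WINDOW]
        if len({sensor for _, _, sensor in evidence}) < TRIAL_THRESHOLD:
            return                                  # one noisy sensor is not enough evidence
        term = max(BLOCK_TERM.get(cat, DEFAULT_TERM) for _, cat, _ in evidence)
        term *= 2 ** self.priors[ip]                # repeat offenders serve longer terms
        self.priors[ip] += 1
        self.blocked_until[ip] = now + term

    def verdict(self, ip, now):
        """'clean' (never sentenced), 'blocked' (serving) or 'review' (released, still watched)."""
        until = self.blocked_until.get(ip)
        if until is None:
            return "clean"
        return "blocked" if until > now else "review"

    def feed(self, now):
        """Block list as it would be published to BIG-IP systems on the 5-minute cycle."""
        return sorted(ip for ip, until in self.blocked_until.items() if until > now)


if __name__ == "__main__":
    svc = IPIntelligence()
    # Constructed incidents: three different sensors see the same address within an hour.
    for ts, cat, sensor in ((100, "scanner", "exploit_honeypot"),
                            (200, "web_attack", "web_app_honeypot"),
                            (300, "web_attack", "naive_user_sim")):
        print(ts, svc.report("203.0.113.9", ts, cat, sensor))
    print("feed at t=1000:", svc.feed(1000), "verdict at t=8000:", svc.verdict("203.0.113.9", 8000))
```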
Graphical Reporting Detailed chart path of threats in ASM
Web Access Management
Context = Access Control: BIG-IP Access Policy Manager
- Unify access control
- Authentication and authorization
- Single sign on
- Powerful custom and built-in reporting
- Access and application analytics
- Manage access based on identity
Enable Simplified Application Access With BIG-IP Access Policy Manager (APM)
BIG-IP APM = AAA control on BIG-IP. It integrates with AAA servers, including Active Directory, LDAP, RADIUS, and native RSA SecurID.
Control Access of Endpoints: ensure strong endpoint security
BIG-IP APM allows, denies, or remediates users based on endpoint attributes such as:
- Client or machine certificates
- Antivirus software version and updates
- Software firewall status
Invoke a protected workspace for unmanaged devices:
- Access to specific applications
- Restrict USB access
- Cache cleaner leaves no trace
- Ensure no malware enters the corporate network
Endpoint security: more than a dozen different endpoint security checks are available (a large number of agents, e.g. virtual keyboard, AV and firewall checks, process, file and registry checks, extended Windows info, client and machine certificates, etc.). Manage endpoints via Group Policy enforcement and Protected Workspace (endpoint remediation capabilities like Protected Workspace and Full Armor-based AD policy enforcement, in addition to Cache Cleaner, redirects to remediation pages, and message and decision boxes).
Authentication All in One and Fast SSO: F5 BIG-IP Access Policy Manager
Dramatically reduce infrastructure costs; increase productivity.
- Multi-domain Single Sign-On to applications and networks
- Easy and simple authentication design
- Easy configuration for settings and domains
Speaker notes: able to show the different back-end or server-side auth mechanisms that we can support; integrate and distribute users to apps. ACA now in APM = OCSP, CRLDP (Certificate Revocation List) and TACACS+ (Cisco version of RADIUS). Single Sign-On to multiple LTM/APM or Edge Gateway virtual servers. Example: client certificate authentication from an iPhone/iPad back to APM/Edge Gateway using Kerberos Constrained Delegation (KCD) and Kerberos Protocol Transition (KPT) to perform backend SSO. Configure different cookie settings and SSO methods for different domains or different hosts in the same domain, spanning multiple separate domains or multiple hosts within the same domain. SSO methods: NTLM, Basic, Header, KPT.
App Security with BIG-IP ASM and APM
- ASM stops bad requests and responses (illegal requests, non-compliant information, infrastructural intelligence) and allows legitimate requests
- APM offers authentication and authorization and stops unauthorized requests
Speaker notes: also mention the capability of APM to "store" the domain cookies and send only the APM cookies to the client. APM reduces the attack vector because only authenticated, authorized and legal requests are permitted to reach the relevant application servers.
Summary – F5 Unified Security