Introducing Application Delivery Networking
Transcript

  • 1. Next Generation Firewalls. Presented by: Bill Beverley, Security Technology Sales Manager
  • 2. Security at the heart of the network
  • 3. Comprehensive Security? “Securing access to and delivery of data and applications.” Network and Application security are both “well known” disciplines.
  • 4. Application Security: HTTP
    – Most people associate app security with HTTP and the Web
    – Internet traffic is growing at 50%–60% annually*; in 2006 the US was averaging 450-800 PB / month*
    – On top of HTTP: HTML, XML, AJAX, PHP, JavaScript, etc…
    – Limitless attack vectors and scope
    *Andrew Odlyzko: University of Minnesota – Feb 2008
  • 5. The Port 80 Hole: HTTP. “64% of the 10 million security incidents tracked targeted port 80.” – Information Week
  • 6. Application Vulnerability Statistics
  • 7. What’s Driving Application Attacks?
    – Secure Networks – Effectiveness of Network Firewalls
    – Target-rich Application Environments – “Webification”: Fat Browsers; Feature rich & data rich environments; Increasingly trusted environments (SSL offers a False Sense of Security); Technology adoption is still running ahead of security appreciation
    – Profit – Applications deliver data & data delivers $ (or £ or €)
  • 8. Just fix the App!! Easy to say, harder to deliver... Application Security, Application Patching, Application Scalability, Application Development, Application Performance. Add: application availability
  • 9. The Result: A Growing Network Problem (diagram: Users – Network Point Solutions – Applications)
    – Users: Mobile Phone, PDA, Laptop, Desktop
    – Network Point Solutions: DoS Protection, SSL, Rate Shaping, Acceleration, Server Load Balancer, Content/Application Acceleration, Application Firewall, Connection/Traffic Optimization, Compression, Customize, Application Co-location
    – Applications: CRM, SFA, ERP
  • 10. …And Then Who Owns It? New Security Hole, High Cost To Scale, Slow Performance – Application Network Administrator or Application Developer? Traditional Networks are Focused on Connectivity; Applications Focus on Business Logic and Functionality
  • 11. …And Then, Who’s Responsible? High cost of operation. Application Architecture, Network Guy, Operations, Security
    – Grant limited views – View specific application
    – Grant limited control – Control only defined applications
    – Grant limited monitoring – Test only defined applications
  • 12. Fix it in the Network? (diagram: Corporate Headquarters with Web Servers, Application Servers and Databases; Branch Office; Remote Users; Users; Applications; ISP availability and ISP bandwidth)
    – Risks labelled at each location: Application Availability/Performance, Equipment/Power Failures, Maintenance Downtime, Natural Disaster, Information Theft, Unauthorized Access, Viruses, ISP Availability/Bandwidth, WAN Availability/Performance
  • 13. Segment #1: Perimeter Firewalls (same diagram and risk labels as slide 12)
  • 14. Current Network Solutions
    – Network Firewalls: Perfect Socket Management Devices; They Live in Layers 3-4; What about Layers 2, 5, & 7?
    – IPS: Packet Re-assembly Devices; What about Application Session Awareness? What about SSL? >70% of Customers Run IPS in Transparent Mode.
  • 15. Application Solutions: WAFs
    – Web Application Firewalls are a great start: Have insight into the application and business logic; Terminate SSL; Plug the Port 80 Hole
    – But… What about other Apps? What about other Layers?
  • 16. Web Application Firewalls
    – Stateful inspection of application traffic in the context of the application
    – Sits inline
    – New type of device, spanning operations, network, and application personnel
    – Bidirectional
    – Policy-based solution tailored for each app – Positive + negative security
    – Conclusion: The Right Tool for the Job for HTTP. But …
  • 17. Applications Tunnel Through Traditional Firewalls
  • 18. Next Generation Firewalls: A marriage of Application Intelligence and Network Control
    – Secures Layers 2 – 7
    – Secures any port, any protocol, any application
    – Apply Security at the same point as the rest of the Application Business Logic
    – Provide Security during delivery, not just at ingress or egress: Application Delivery Security
  • 19. Solution Requirements
    – Secure Applications With Application-Aware Security: Must be Session Aware; Must be Behavior Policy Bound; Must Understand Business Logic
    – Let the firewalls do what they do: They’re perfect socket management devices; They’re not perfect session management devices.
    – Accountability: Audit Trail
    – Flexibility: Adaptable to Application AND Environmental Changes
    – Leverage the 3 Ps…
  • 20. Three P’s
    – PROXY architecture to distinguish a good request and a bad one by examining all information
    – POSITIVE security logic (i.e. Business Logic) to give zero day protection
    – POLICIES centralised for ease of control, administration & auditing
  • 21. Secure Policy-Based Delivery. Look At Application Security Holistically: Security, Optimization, Availability, New Services (diagram: HTTP Access to Intranet and CIFS Access to File Share in a “Public” Context; Unique Real-Time Enforcement; Server “A” Side; HTTP Access to Intranet in Context “B”). Only the Services Needed and Allowed are Used and Available
  • 22. (diagram: Branch Office, Remote and Centralized Resources with PMP, PEP and MS; Local Access; Internet; Foreign City; Contractors, Employees, Visitors, TeleCommuters, Mobile Users)
    – Separate ALL Enterprise Resources from Enterprise Uses (Redundant Resources)
    – Stop Bad Users’ Traffic Before it Uses Network Resources
    – Provide Single, but Redundant Management, Access and Auditing of Each Unique Access Context: Who, What, When, Why, Where and How
    – Optimize Bulk Remote Traffic to Centralized Resources
    – Dynamically Provide Optimized Service based on Context
  • 23. Application Delivery Security
    – AAA for registration and access control to specific applications
    – Application Firewall to protect the portal’s web apps
    – Application Delivery Controllers to secure application transport and delivery
    (diagram: Partner, Employee and Customer reaching the Corporate Network through Perimeter Security (Firewall, Virus Scan, IDS, etc.) and a Secure, High Performance Platform that checks User/Transaction Validity and Applications & Data Access Authorization; cases shown: an unauthorized user from a valid terminal, and an invalid transaction from a valid system)
  • 24. Intelligent Application Controllers are the Next Generation Firewalls (OSI layer, function, and the protocols/attacks seen at that layer)
    – 7 Application Layer – Type of communication: E-mail, file transfer, client/server – XSS, SQL Injection, Data Leaks, Spam, User Sessions, Cookies, HTML…
    – 6 Presentation Layer – Encryption, data conversion: ASCII to EBCDIC, BCD to binary, etc. – SSL, SSH, XML Encryption, Images
    – 5 Session Layer – Starts, stops session. Maintains order. – Sockets, RPC, NetBIOS Auth, PPtP
    – 4 Transport Layer – Ensures delivery of entire file or message. – Port filters, SYN/ACK Attacks, Port Scans, MitM
    – 3 Network Layer – Routes data to different LANs and WANs based on network address. – IP Frag, Spoofing, Smurfs, Ping of death, IPsec, TTL
    – 2 Data Link (MAC) Layer – Transmits packets from node to node based on station address. – VLANs, ARP Poisoning
    – 1 Physical Layer – Electrical signals and cabling. – Management Interface Segmentation
  • 25. 25 Bill Beverley - Security Technology Sales Manager Email: b.beverley@f5.com Tel: +44 (0)1932 582 000 Mob: +44 (0)7974 678 664
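The three P’s of slide 20 in working form, as an added example that is not part of the presentation or of any F5 product: a proxy-side check parses the whole request and allows only what a positive (whitelist) policy describes, so an unexpected parameter or an out-of-pattern value is denied without any attack signature, and every decision carries an audit record. The POLICY, the parameter patterns and the sample requests are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

# Hypothetical positive-security policy for one application (constructed here).
# Only the listed method/path pairs and parameters are allowed; each value must
# match its pattern and length bound. Anything not described here is denied.
POLICY = {
    "GET /account": {"id": (r"[0-9]{1,8}", 8)},
    "POST /login": {"user": (r"[a-z0-9._-]{1,32}", 32), "pw": (r".{8,64}", 64)},
}

@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)   # who/what for the audit trail

def enforce(method, url, body, client_ip, policy=POLICY):
    # Proxy-side check: the full request is parsed before any decision is made.
    parts = urlsplit(url)
    key = f"{method.upper()} {parts.path}"
    audit = {"client": client_ip, "request": key}
    rule = policy.get(key)
    if rule is None:
        return Decision(False, "request not described by policy", audit)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if method.upper() == "POST":
        params.update(parse_qsl(body, keep_blank_values=True))
    for name, value in params.items():
        if name not in rule:
            return Decision(False, f"unexpected parameter {name!r}", audit)
        pattern, max_len = rule[name]
        if len(value) > max_len or not re.fullmatch(pattern, value):
            return Decision(False, f"parameter {name!r} violates policy", audit)
    return Decision(True, "conforms to policy", audit)

# Constructed sample requests: legitimate, unknown parameter, a value the
# business logic could never accept (no signature needed), legitimate login.
SAMPLES = [
    ("GET", "/account?id=12345", "", "10.0.0.5"),
    ("GET", "/account?id=12345&debug=true", "", "10.0.0.5"),
    ("GET", "/account?id=1%27%20OR%201%3D1", "", "198.51.100.7"),
    ("POST", "/login", "user=alice&pw=correct-horse", "10.0.0.9"),
]

def run_samples():
    return [enforce(*s) for s in SAMPLES]

if __name__ == "__main__":
    for d in run_samples():
        print("ALLOW" if d.allowed else "DENY ", d.audit["request"], "-", d.reason)
```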