F5 Networks: architecture and risk management


Published on

Presentación realizada por el Ing. Hugo Tovar en el Desayuno con F5 Networks el 18 de octubre de 2012.

Published in: Technology

F5 Networks: architecture and risk management

  1. 1. Architecture and RiskManagementHugo TovarSystems EngineerMéxico, Central America & the Caribbean
  2. 2. Agenda •  Application Delivery Challenges •  Unified Architecture •  Security Challenges •  Data Center Firewall •  Security Use Cases •  Contextual Access Control for Mobility and BYOD •  Vulnerability assessment & Application Security •  Call to action2 © F5 Networks, Inc.
  3. 3. “ • Application delivery and optimization solutions are underutilized and poorly understood in many IT organizations. • The skills required to fully utilize these solutions are broad and touch on multiple IT disciplines. 2011: Mark Fabbi, Distinguished Analyst “Three Phases to Improve Application Delivery Teams”3 © F5 Networks, Inc.
  4. 4. Edge Gateway –Manager (GTM) – F5 Network Diagram Global Traffic Provides SSL VPN remote Automatically routes access security with applicationbest performing data acceleration connections to the Manager GatewayProvides secure, VPN remote Access Policy closest or (APM) – – Provides SSL Edge and optimization servicespolicy-based of theAscontrol. center in Local Traffic access edge accessoraother at the the eventand Manager (LTM)with application acceleration security – context-aware, of an outage, overload, full proxy between network, allusers and simplifies authentication, authorization, in one efficient, scalable, and times for users disruption. The and applicationresponsebrowsersuser connections Centralizes result is faster servers, spreads from Web Accelerator (WA) – Stops web services at the edge of the and optimization cost effective solution(AAA)clustered servers using a the BIG- across of Manager – Manager (ASM) broad Enterprise Security content Applicationnetwork, is a centralized and optimal use multiple management directlythe – An range of needlessly re-requesting dataall in one efficient, and accounting multiple pagecenters from on scalable, and techniques to secure, optimize and load devices management appliance for F5 BIG-IP® balance IP systemadvanced web applicationsolution that WAN webcost effective firewall users of server. Enables Optimizationto handle (WOM) – Speeds data servers traffic userModule more application you a applications and their data that givescritical consolidated, real-time to 10 and increases interactive performance up view protects over the enable you to dramatically simplify F5 ARX File Virtualization devicesWAN and provides high performance, transfers your entire F5 against application-specific application delivery by defending and high availability for application traffic times data management and reduce storage costs. By introducing intelligent encryption, infrastructurebypass conventional firewalls attacks that storage infrastructure, ARX eliminates the file virtualizationbetween file into the BIG-IP devices Data Manager Software – file system discovery, data profiling, disruption associated with storage administration and automates many and powerful reporting give organizations a detailed look inside storage management tasks. The result is a dramatic improvement in the environment so that better management policies can be cost, agility, and business efficiency created for a more efficient and cost-effective storage environment4 © F5 Networks, Inc.
  5. 5. Top Issues for Retail Bank IT Executives… Issue Ratings: 5 = Very Important 5,00 4,50 4,00 3,50 3,00 2,50 2,00 1,50 1,00 0,50 0,00 Payments Reg impact on Core Multichannel Mobility Cloud Computing Compliance Systems Delivery Source: CEB TowerGroup; N = 11 banks, November 2011 …Align with the top IT Initiatives5 © F5 Networks, Inc. Exhibit #: Issue 356-E1
  6. 6. Traditional Approach Security Architecture Unified DDoS WEB APP LOAD FIREWALL PROTECTION FIREWALL BALANCER ACCESSMANAGEMENT DNS SECURITY6 © F5 Networks, Inc.
  7. 7. Unified Security Architecture DNS   WEB   ACCESS   LTM  7 © F5 Networks, Inc.
  8. 8. F5 – Best Alternative for SSL Acceleration Emerging security risks with 512 and 1024 length keys Support for Large SSL Keys (2048 & 4096) Cumulative Cumulative Key Size 32 Bit Commodity 64Bit Commodity Performance Slowdown Performance Slowdown 512 2,357 TPS N/A   8008 TPS N/A   1024 525 TPS 4.5x 1570 TPS 5.1x 2048 96 TPS 5.5x 273 TPS 5.8x 4096 15 TPS 6.4x 38 TPS 7.2x Key Size PB100/200 11000 Series 8900 Series 1024 58,000 TPS 120,000 TPS 58,000 TPS 2048 12,000 TPS 24,000 TPS 12,000 TPS 4096 1800 TPS 3500 TPS 1800 TPS8 ** Note: These numbers are initial performance results © F5 Networks, Inc.
  9. 9. Security Challenges 54% A Denial of Service tool… using SSL/TLS showed the of hacking breaches potential for an everyday laptop in larger organizations on an average connection to occur happen at the take down an enterprise web web application server Anonymous proxies… have Threat detection today… hinges on two steadily increased, more than We still see elements: identifying suspicious activity quadrupling in number as SQL Injection as a choice point of among billions of data points, and compared to three years ago. entry for attacker refining a large set of suspicious incidents down to those that matter The most significant change we saw in 2011 was the rise of “hacktivism” against larger organizations worldwide9 © F5 Networks, Inc.
  10. 10. What happened to WikiLeaks •  Several companies stopped the service for WikiLeaks although it is not proven that WikiLeaks violates the existing law •  Amazon removed all WikiLeaks content from their servers •  EveryDNS switched off the DNS resolution for wikileaks.org •  Several financial institutes locked up donation accounts10 © F5 Networks, Inc.
  11. 11. Finally…•  Thousand of internet users unloaded their accumulated anger starting 7th Dec 2010 •  Web servers of Swiss Postfinance bank were down for several hours •  Credit card companies like Mastercard and VISA where not accessible for several hours/day over several days •  Paypal’s transaction network were slow but not taken down completely11 © F5 Networks, Inc.
  12. 12. Behind the scenes•  Operation Payback admitted to this attack. They are also known as Anonymous from previous attacks•  They used a modified version of the tool called LOIC •  Originally developed for load tests •  Nearly 50,000 people downloaded it to “join voluntary botnet” •  It performs a DoS or DDoS on a target site by flooding the server with TCP packets, UDP packets or HTTP requests to disrupt the service of a host12 © F5 Networks, Inc.
  13. 13. How did customers leverage their ADC to address the DDoS problem? http://youtu.be/VGDN5xAHCak13 © F5 Networks, Inc.
  14. 14. Slowloris, Slow POST attack How to choke a web server slowly... Takes down a web server with minimal bandwidth Slowloris begins by sending a partial HTTP request... ...Followed by subsequent HTTP headers… …One at a time ..Very slowly... ...and never ends... Slow POST attack The data is sent very slow Server holds connection open and runs out of available connections Result – server is unavailable with no errors in the logs14 © F5 Networks, Inc.
  15. 15. Everyone is vulnerable http://www.whitehatsec.com/home/resource/stats.html Data were collected from 3000 websites in 2010 The average number of serious* vulnerabilities per website, the percentage of reported vulnerabilities that have been resolved (Remediation Rate), and average the number of days a website is exposed to at least one serious vulnerability15 (Window of Exposure). © F5 Networks, Inc.
  16. 16. What Has Been Missing? BIG-IP Now Certified as Network Firewall User Access Data Protection App Security16 © F5 Networks, Inc.
  17. 17. The World’s Fastest and Most Extensible Data Center Firewall17 © F5 Networks, Inc.
  18. 18. What’s a Data Center Firewall? How is it different from Conventional and NGFW? Conventional NGFW DCFW •  Layer 3, 4 •  Layer 7, AppID, UserID •  Layer 3-7, In-bound •  Mostly In-bound •  Out-bound Analysis •  Application Delivery •  Management, •  Who is doing what? •  In-bound User Context Reporting •  Broad but Shallow: •  SSL Termination •  Unaware of users, 1000 users connecting applications, context to 20,000 sites, 40,000 •  Narrow but Deep: 1M protocols users 100 applications, •  Used everywhere, but 6 Protocols unintelligent, ancient •  Used primarily in technology Enterprise to monitor •  Used by Consumer users within Banking, Social media18 © F5 Networks, Inc.
  19. 19. SYN floodDC Firewall User Geolocation protection and many others Security External Users The Internet Data Center image cannot be display ed. The image cannot be displayed. Your computer may not have enough memory to open the image, or the The image cannot be The image cannot be displayed. Your computer have been corrupted. image may may not have enough memory to open the your computer, and then open Restart displayed. Your computer may not F5.com image, or the image may have been corrupted. the file again. If the red x still appears, have enough memory Restart your computer, and then openyou may have to delete the image and the file to open the image, or again. If the red x still appears, you may have to it again. then insert delete the image and then insert it again. the image may have been corrupted. owa.f5.com Restart your computer, and then DevCentral.F5.com open the file again. If Internet the red x still appears, you may have to delete the image and then insert it again. websupport.f5.com Router ihealth.f5.com High Concurrent Connection downloads.F5.com capacity•  F5 helps you to mitigate DDoS and flood based attacks •  Stateful, Default Deny Behavior •  High Concurrent Connection and conn/sec capacity •  User Geo-location awareness •  SSL (HW accelerated encryption/decryption) •  IPsec site to site •  Packet Filtering •  Flood protection mechanisms19 •  Carrier Grade NAT (NAT, NAT64) © F5 Networks, Inc.
  20. 20. Mitigating DoS Attacks Protect Against: Protect With: Network Based Distributed Denial Of Service (DDOS) VIPRION BIG-IP LTM DoS Protections •  Packet Filtering •  Syn Cookies (L4 DoS) •  Dynamic Reaping (L4 DoS) •  TCP Full Proxy (L4 DoS) •  Rate shaping (L4->L7 DoS) •  iRules (e.g. SSL DoS protection) •  Very High Performance •  Very large connection tables20 © F5 Networks, Inc.
  21. 21. Securing and Scaling DNS Services21 © F5 Networks, Inc.
  22. 22. Authoritative DNS Security Basic GSLB Securing DNS Servers DelegationOverview•  Traditional firewall•  DNS server farm•  Global Server Load Balancing DNS ServersLimitations•  Vunerable to DNS Attacks•  No response validation•  Inability to scale GTM 22 © F5 Networks, Inc.
  23. 23. Authoritative DNS Security GTM Inline or Securing DNS Infrastructure slaveOverview•  Consolidated Device•  Firewall Service•  DNS Service•  Anycast DNS ServerBenefits•  High Performance DNS•  Scalable DNS GTM•  Dynamic DNSec Signing•  DDoS Resistent23 © F5 Networks, Inc.
  24. 24. DNSSec Wrapping http://youtu.be/566EmH3H32A24 © F5 Networks, Inc.
  25. 25. Context Based Access Control For Mobility And BYOD25 © F5 Networks, Inc.
  26. 26. Context leverages information about the end user to improve the interaction Who •  Who is the user? What •  What devices are requesting access? Where •  Where are they coming from? •  When are they allowed to access? When •  How did they navigate to the page/site? How26 © F5 Networks, Inc.
  27. 27. Securely Manage Access The image cannot be displayed. Your computer may not have enough memory to open the image, or the DMZ image may have been corrupted. The image F5 Access Policy Manager Restart your computer, and then open the file again. If the red x still appears, you may have to delete the image and canno then insert it again. t be displa yed. Your comp Hypervisor 4,000 Remote Users Internet Virtual Desktops The image cannot be displayed. The image cannot Your computer be displayed. may not have Your computer enough memory may not have enough memory to open the image, or the image may have The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and The image cannot be 1,000 Wireless Users then open the file again. If the red x still appears, you may have to delete the image and then insert it again. displayed. Your computer may The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your Internal LAN The image computer, and then open the file again. If cannot be VLAN 1 the red x still appears, displayed. Your The computer may image not have cannot enough be memory to displayed open the . Your image, or the compute image may r may have been not have corrupted. enough memory Utilize existing user directory15,000 Corporate Users Internal LAN •  High performance – 26,000 users at $7+ per user VLAN 2 The •  Scale up to 100,000 users Th imag ee im cann ag ot be •  Flexible and centralized security policy management displ ayed. Your •  Integrated endpoint security checking6,000 Corporate Branch Users •  Secure Single Sign-on 27 © F5 Networks, Inc.
  28. 28. BYOD Trust Model •  The trust level of a mobile device is dynamic •  Identify and evaluate the risk of personal devices •  Review the value of apps and data •  Define remediation options •  Notifications •  Access control •  Quarantine •  Selective wipe •  Set a tiered policy28 © F5 Networks, Inc.
  29. 29. Use Case Access with baseline security, no MDM APM/ASM Kerberos SSO þ Certificate Resources Check þ UUID Check Request ticket Exchange Active Directory29 © F5 Networks, Inc.
  30. 30. Use Case Normal access with MDM, VPN on-demand two-factor authentication APM/ASM Kerberos SSO þ Certificate Check þ UUID Check Request ticket Active Directory Two factors: •  Pin •  Certificate MDM (Mobile Device Management) (Mobile Iron, Airwatch, Silverback and Zenprise)30 © F5 Networks, Inc.
  31. 31. Use Case Managed and BYOD access combines UUID check with ACLs ACLs APM/ASM Unmanaged devices get limited access þ Certificate Check ý UUID Check Managed devices get full access MDM Active Directory31 © F5 Networks, Inc.
  32. 32. Use Case – BBC (BYOD Project) First access with MDM, new enrollment with self-service APM/ASM Verify credentials ý Certificate Check AAA þ Username/ SSO Password Device data When cert check fails, APM Optional OTP Certificate will proxy access to MDM’s (One Time Password) registration registration page Provisioning OTP sent via SMS or email; •  Apps MDM adds two-factor security •  Certificates (Mobile Device •  Profiles Management) Provisioning via MDM “phone home”32 © F5 Networks, Inc.
  33. 33. Vulnerability Assessment and Web Application Security33 © F5 Networks, Inc.
  34. 34. IP Intelligence Reputation Scanners Deny access to infected IPs Probes, scans, brute force Windows Exploits Denial of Service Known distributed IPs DoS, DDoS, Syn flood Web Attacks Phishing Proxies IPs used for SQL Injection, CSRF Phishing sites host BotNets Anonymous Proxies Infected IPs controlled by Bots Anon services, Tor34 © F5 Networks, Inc.
  35. 35. IP Intelligence: Defend Against Malicious Activity and Web Attacks Enhance automated application delivery We need to approach decisions adding better intelligence and stronger security different security based on context. Layer of IP threat protection delivers context to identify and block IP threats using a dynamic data set of high-risk IP addresses. Visibility into threats from multiple sources leverages a global threat sensor network Deliver intelligence in a simple way reveals inbound and outbound communication Evolving Threats Real-time updates keep protection at peak performance refreshing database every five minutes.35 © F5 Networks, Inc.
  36. 36. IP Intelligence •  Fast IP update of malicious activity •  Global sensors capture IP behaviors •  Threat correlation reviews/ blocks/ releases Key Threats Sensor Techniques IP Intelligence Service: Threat Correlation Internet Semi-open Proxy Farms Dynamic Threat IPs Web Attacks every 5min. Exploit Honeypots Reputation Windows Exploits Naïve User Simulation IP Intelligence Botnets Web App Honeypots Scanners Network Attacks Third-party Sources DNS BIG-IP System36 © F5 Networks, Inc.
  37. 37. IP Intelligence Botnet IP Intelligence Service IP address feed updates every 5 min Attacker Custom Application Financial Application BIG-IP System Anonymous requests ? Geolocation database Anonymous Internally infected Proxies devices and servers Scanners •  Use IP intelligence to defend attacks37 •  Reduce operation and capital expenses © F5 Networks, Inc.
  38. 38. Unknown Vulnerabilities in Web Apps •  Unable to find or mitigate vulnerabilities •  Very expensive to fix by recoding •  Difficult to include scanner assessments •  Need assurance that app sec. is deployed properly Web Application Vulnerabilities as a percentage of all disclosures in 2011 H1 Web Applications: 37 percent Others: 63 percent Source: 1BM X-Force Research and Development38 © F5 Networks, Inc.
  39. 39. Leading Web Application Attack Protection BIG-IP Application Security Manager Users o  Protect from latest web threats Web Application o  DDoS, SlowLoris, & more BIG-IP ASM Security o  Quickly resolve vulnerabilities o  Meeting PCI compliance Web Applications Private Public Physical Virtual Multi-Site DCs Cloud39 © F5 Networks, Inc.
  40. 40. Protect Applications from Threats Adaptive and unique attack protection Gain visibility Understand Take action into application session context and mitigate sessions and apply policy offending clients40 © F5 Networks, Inc.
  41. 41. Automatic DOS Attack Detection and Protection o  Accurate detection technique – based on latency o  3 different mitigation techniques escalated serially o  Focus on higher value productivity while automatic controls intervene Detect a DOS condition Identify potential attackers Drop only the attackers41 © F5 Networks, Inc.
  42. 42. Open Web Application Security Project (OWASP) OWASP Top 10 Web Application Security Risks: 1.  Injection 2.  Cross-Site Scripting (XSS) 3.  Broken Authentication and Session Management 4.  Insecure Direct Object References 5.  Cross-Site Request Forgery (CSRF) 6.  Security Misconfiguration 7.  Insecure Cryptographic Storage 8.  Failure to Restrict URL Access 9.  Insufficient Transport Layer Protection 10.  Unvalidated Redirects and Forwards42Source: www.owasp.org © F5 Networks, Inc.
  43. 43. Out-of-the-Box Deployment No false positives Fast web application Learning mode implementation •  Gradual deployment •  Rapid deployment •  Transparent or semi- policy transparent •  Pre-configured •  Manual or automatic application policies •  Full blocking policies43 © F5 Networks, Inc.
  44. 44. Meet PCI Compliance Easily comply with audits PCI reporting provides: •  Requirements with details •  Current compliancy state •  Steps to become compliant44 © F5 Networks, Inc.
  45. 45. 45 © F5 Networks, Inc.
  46. 46. Solution: Quickly Resolve Application Vulnerabilities Request made BIG-IP ASM security policy checked Server response Enforcement Sensitive information, application cloaking Secure response BIG-IP ASM applies Vulnerable delivered security policy application •  Maintain security at application, protocol, and network levels •  Launch secure applications protected from vulnerabilities46 © F5 Networks, Inc.
  47. 47. “ F5 BIG-IP products enabled us to improve security for an existing application instead of having to invest time and money into developing a new, more secure application. Application Manager, Global 500 Media and Entertainment Company TechValidate 0C0-126-2FB47 © F5 Networks, Inc.
  48. 48. Integrated Vulnerability Scanning Customer  Website   Vulnerability  Scanner   •   Finds  a  vulnerability   •   Virtual-­‐patching  with          one-­‐click  on  BIG-­‐IP  ASM  •  Vulnerability  checking,     detecDon  and  remediaDon   BIG-­‐IP  ApplicaAon  Security  Manager  •  Complete  website  protecDon   • Qualys   • IBM   • WhiteHat   • Cenzic   •   Verify,  assess,  resolve  and  retest  in  one  UI   •   AutomaDc  or  manual  creaDon  of  policies   •   Discovery  and  remediaDon  in  minutes    48 © F5 Networks, Inc.
  49. 49. Free App Scan Service to Mitigate Vulnerabilities •  Free application vulnerability scan: •  Cenzic Cloud in ASM UI •  3 free scans •  Configure vulnerability Data Center policy in BIG-IP ASM •  Protection from web app attacks BIG-IP Application Security Manager Web 2.0 Apps Attacker Internet Private BIG-IP Application Security Manager Cloud Apps Virtual Edition Clients49 © F5 Networks, Inc.
  50. 50. The most flexible solution50 © F5 Networks, Inc.
  51. 51. F5 Value to FSI Employ Using F5’s intelligent approach to IT as a Service application delivery Simplify your infrastructure through F5’s ability to streamline and automate existing network investments. Reduce threats and simplify security by taking advantage of F5’s unified security capabilities. Get world-class business continuity through Transform IT F5’s built-in disaster recovery and high availability capabilities Secure51 Agility © F5 Networks, Inc.
  52. 52. Call to action The load balancer is dead - leverage your ADC as a strategic Point of Control http://youtu.be/Sh8mNjeuyV452 © F5 Networks, Inc.
  53. 53. © 2012 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5.
  54. 54. 54 © F5 Networks, Inc.