• Save
F5 GOV Round Table - Application Centeric Security
Upcoming SlideShare
Loading in...5
×
 

F5 GOV Round Table - Application Centeric Security

on

  • 393 views

 

Statistics

Views

Total Views
393
Views on SlideShare
393
Embed Views
0

Actions

Likes
1
Downloads
0
Comments
1

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • email me ur ppt kazihusain@hotmail.com
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  •  So one of F5's key differentiators and value-add with regard to security is the fact that we provide it on a full proxy architecture. And the value of a full proxy architecture for those who are not familiar can be analogous to the role that an escrow agent or an escrow officer might play in a real estate transaction. The reason for the escrow officer is to protect the buyer from the seller and the seller from the buyer by acting as an independent third party or a neutral third party to protect the buyer and the seller. And the role of this officer is also to inspect all elements of the transaction before allowing the transaction to be completed, safely and securely. And much in the same way F5's full proxy security looks and examines all elements within the OSI stack, because we are located at strategic points in the network and we are by nature inspecting that traffic, it allows us to understand what's happening and take action on that traffic, from an application perspective, from a session perspective and from a network session perspective, all throughout the stack. {NOTE TO SPEAKER: F5 Mitigation Technologies:Application: BIG-IP ASM:Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detectionSession: BIG-IP LTM and GTM: high scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validationNetwork: BIG-IP LTM: SynCheck, default-deny posture, high-capacity connection table, full proxy traffic visibility, rate-limiting, strict TCP forwarding. Network layer bullets:L4 Stateful firewall – including TCP checksum checks, fragmentation and reassemblyDDoS mitigationSession layer:SSL inspectionSSL DDoS attacksApplication Layer:OWASP top 10Application content scrubbing (S -> C)}
  • Because we are located in strategic points of the network, and because we do take a full proxy approach, performance is absolutely critical, because you can imagine all of the traffic traveling through this point being inspected. It must be done at very, very high rates of speed. Because F5 combines purpose-built software with purpose-built hardware, we're able to achieve and add multiple services on our intelligent services platform with minimal performance degradation, and we're able to do these at scale much higher, at a scale much higher than can be traditionally done with existing security solutions.
  • Unable to secure disperse web appsNo virtual WAF option for private cloud apps Replication of production environment complicated and cost-prohibitiveNeed to block app requests from countries or regions due to compliance restrictionsLimiting app. access based on location is a good practice to quickly reduce the attack sourcesScanner scans applications to identify vulnerabilities and directly configures BIG-IP ASM policies to implement a virtual patch that blocks web app attacksBIG-IP ASM is now importing vulnerabilities – not patches – (in v11), it effectively becomes a Vulnerability Management Tool along with being WAF.  Obviously, the net effect is enabling very rapid response, particularly in the instance where you're waiting for the third-party vendor to patch the vulnerability.
  • If a client connection attempts to renegotiate more than five times in any 60 second period, that client connection is silently dropped.By silently dropping the client connection, the iRule causes the attack tool to stall for long periods of time, fully negating the attack.  There should be no false-positives dropped, either, as there are very few valid use cases for renegotiating more than once a minute.The tool itself is about 700 lines of readable C code. Actually, it looks better than your typical hack-tool so I have to give “The Hacker’s Choice” props on their craftmanship. The attack tool ramps up to 400 open connections and attempts to do as many renegotiations on each connection as it can. On my dedicated test client, it comes out to 800 handshakes per second (or 2 per connection per second).Moment of IronyWhen you first run the tool against your BIG-IP virtual server, it might say “Server does not support SSL Renegotiation.” That’s because everyone, including F5, is still recovering from last year’s SSL renegotiation vulnerability and by default our recent versions disable SSL renegotiation. So in order to do any testing at all, you have to re-enable renegotiation. But this also means that by default, virtual servers (on 10.x) are already not vulnerable unless they’ve explicitly re-enabled renegotiation. The irony is that the last critical SSL vulnerability provides some protection against this new SSL vulnerability. The iRule CountermeasureEnter DevCentral. After setting up the attack lab, we asked Jason Rahm (blog) for his assistance. He put together a beautiful little iRule that elegantly defeats the attack. Its premise is simple:If a client connection attempts to renegotiate more than five times in any 60 second period, that client connection is silently dropped.By silently dropping the client connection, the iRule causes the attack tool to stall for long periods of time, fully negating the attack. There should be no false-positives dropped, either, as there are very few valid use cases for renegotiating more than once a minute.The iRulewhen RULE_INIT { set static::maxquery 5 set static::seconds 60 } when CLIENT_ACCEPTED { set rand [expr { int(10000000 * rand()) }] } when CLIENTSSL_HANDSHAKE { set reqno [table incr "reqs$rand"] table set -subtable "reqrate:$rand" $reqno "ignored" indefinite $static::seconds if { [table keys -count -subtable "reqrate:$rand"] > $static::maxquery } { after 5000 drop } } when CLIENT_CLOSED { table delete reqs$rand table delete –subtable reqrate:$rand –all } With the iRule in place, you can see its effect within a few seconds of the test restarting.Handshakes 2000 [0.00 h/s], 400 Conn, 0 Err Handshakes 2000 [0.00 h/s], 400 Conn, 0 Err Handshakes 2000 [0.00 h/s], 400 Conn, 0 Err Handshakes 2000 [0.00 h/s], 400 Conn, 0 Err Handshakes 2000 [0.00 h/s], 400 Conn, 0 ErrThe 400 connections each get their five renegotiations and then the iRule waits five seconds (to ack any outstanding client data) before silently dropping the connection. The attack tool believes the connection is still open, so it stalls. Note that the test had to be restarted, because the iRule doesn’t apply to existing connections when it’s attached to a virtual server. Take that into account if you are already under attack.Its understandable if you are thinking “that’s the coolest 20-line iRule I’ve ever seen, I wish I understood it better.” Jason also provided a visual workflow to elucidate its mechanics.iRule DDOS countermeasure workflowConclusionAt a meeting earlier this year here in Seattle we were talking about the previous Renegotiation flaw. The question was posed “What is the next vulnerability that we’re all going to slap our foreheads about?” This particular attack falls into that category. Its a simple attack against a known property of the protocol. Fortunately, BIG-IP can leverage its hardware-offload or use countermeasures like this iRule to counter the attack. There are two take-aways here: first, even long-established and reviewed protocols like SSL/TLS can be used against you and second, iRules are pretty sweet!And thanks again, to Jason Rahm for his invaluable assistance!

F5 GOV Round Table - Application Centeric Security F5 GOV Round Table - Application Centeric Security Presentation Transcript

  • APPLICATION CENTRIC SECURITY Tzoori Tamam tzoori@f5.com
  • Why do HaCkErz Attack? • Politics • Money • Fame • Boredom • Plain Evil • Training
  • What Do HaCkErZ Attack? • THEY GO FOR YOUR APPLICATIONS! • Availability • Responsiveness • Reputation View slide
  • How Do HaCkErz Attack? View slide
  • Enters F5 Networks…
  • Full Proxy Security Network Session Application Web application Physical Client / Server L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation SSL inspection and SSL DDoS mitigation HTTP proxy, HTTP DDoS and application security Application health monitoring and performance anomaly detection Network Session Application Web application Physical Client / Server
  • Network Session Application Web application Physical Client / Server L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation SSL inspection and SSL DDoS mitigation HTTP proxy, HTTP DDoS and application security Application health monitoring and performance anomaly detection Network Session Application Web application Physical Client / Server Full Proxy Security High-performance HW iRules iControl API F5’s Approach • TMOS traffic plug-ins • High-performance networking microkernel • Powerful application protocol support • iControl—External monitoring and control • iRules—Network programming language IPv4/IPv6 SSL TCP HTTP Optional modules plug in for all F5 products and solutions APM Firewall … Traffic management microkernel Proxy Client side Server side SSL TCP OneConnect HTTP
  • CONSOLIDATE NETWORK AND SECURITY FUNCTIONS Use case • Consolidation of firewall, app security, traffic management • Protection for data centers and application servers • High scale for the most common inbound protocols Before f5 with f5 Load Balancer DNS Security Network DDoS Web Application Firewall Web Access Management Load Balancer & SSL Application DDoS Firewall
  • CONSOLIDATE NETWORK AND SECURITY FUNCTIONS Use case • Consolidation of firewall, app security, traffic • Protection for data centers and application servers most common inbound protocols Before f5 with f5 Load Balancer DNS Security Network DDoS Web Application Firewall Web Access Management Load Balancer & SSL Application DDoS Firewall
  • Introducing F5’s Application Delivery Firewall Aligning applications with firewall security One platform SSL inspection Traffic management DNS security Access control Application security Network firewall EAL2+ EAL4+ (in process) DDoS mitigation
  • • Provides comprehensive protection for all web application vulnerabilities • Delivers out of the box security • Enables L2->L7 protection • Unifies security and application delivery • Logs and reports all application traffic and attacks • Educates admin. on attack type definitions and examples • Sees application level performance • XML FW, L7 DOS, BruteForce and Web Scraping • Application visibility and reporting • FREE Vulnerability Scanning from Cenzic/WhiteHat BIG-IP Application Security Manager Powerful Adaptable Solution
  • Advanced Firewall Manager - AFM Firewall policies and reports oriented around the application
  • DDoS MITIGATION Application attacksNetwork attacks Session attacks Slowloris, Slow Post, HashDos, GET Floods SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks BIG-IP ASM Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation BIG-IP LTM and GTM High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation BIG-IP AFM SynCheck, default-deny posture, high-capacity connection table, full- proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions. F5MitigationTechnologies Application (7)Presentation (6)Session (5)Transport (4)Network (3)Data Link (2)Physical (1) Increasing difficulty of attack detection • Protect against DDoS at all layers – 38 vectors covered • Withstand the largest attacks • Gain visibility and detection of SSL encrypted attacks F5mitigationtechnologies OSI stackOSI stack Use case
  • DNS Security • DNS Flooding • UDP Flooding • DNS Cache Poisoning • DNS Spoofing • DNS Tunneling • Reflective DNS Attack
  • • Consolidated firewall and DNS Service • High performance, scalable DNS • Secure DNS queries DNS Security Use case with f5 Before f5 65,000 concurrent queries ? http://www.f5.com http://www.f5.com • Cache poisoning • DNS spoofing • Man in the middle • DDoS
  • • Consolidated firewall and DNS Service • High performance, scalable DNS • Secure DNS queries DNS Security Use case with f5 Before f5 65,000 concurrent queries ? http://www.f5.com http://www.f5.com • Cache poisoning • DNS spoofing • Man in the middle • DDoS Secure and available DNS infrastructure: 8 million concurrent queries
  • IP INTELLIGENCE IP intelligence service IP address feed updates every 5 min Custom application Financial application Internally infected devices and servers Geolocation database Botnet Attacker Anonymous requests Anonymous proxies Scanner Restricted region or country
  • Protect Against Newly Published Vulnerabilities That Do Not Have a Patch
  • Purpose Built and Carrier Grade Reliability ScaleN Enabled BIG-IP Appliances Lineup BIG-IP 4000s 425K L7 RPS 150K L4 CPS 10G L7/L4 TPUT BIG-IP 4200v 850K L7 RPS 300K L4 RPS BIG-IP 5000s 750K L7 RPS 350K L4 RPS 15/30G L7/L4 TPUT BIG-IP 5200v 1.5M L7 RPS 700K L4 CPS BIG-IP 7200v 1.6M L7 RPS 775K L4 CPS BIG-IP 7000s 800K L7 RPS 390K L4 CPS 20/40G L7/L4 TPUT BIG-IP 1600 100k L7 RPS 60K L4 CPS 1G L7/L4 TPUT BIG-IP 3600 135k L7 RPS 115K L4 CPS 2G L7/L4 TPUT BIG-IP 3900 400k L7 RPS 175K L4 CPS 4G L7/L4 TPUT BIG-IP 6900 600k L7 RPS 220K L4 CPS 6G L7/L4 TPUT BIG-IP 8900/8950 1.9M L7 RPS 800K L4 CPS Up to 20G TPUT BIG-IP 11000/11050 2.5M L7 RPS 1M L4 CPS Up to 42G TPUT BIG-IP 2000s 212K L7 RPS 75K L4 CPS 5G L7/L4 TPUT BIG-IP 2200s 425K L7 RPS 150K L4 CPS On- Demand Scaling BIG-IP 10000s 1M L7 RPS 500K L4 CPS 40/80G L7/L4 TPUT BIG-IP 10200v 2M L7 RPS 1M L4 CPS 2 x 10G + 8 x 1G 2 x 10G + 8 x 1G 8 x 10G + 4 x 1G 8 x 10G + 4 x 1G 2x 40G + 8x 1G On- Demand Scaling On- Demand Scaling On- Demand Scaling On- Demand Scaling
  • How Does F5 Protect Your Apps? Layer3 – Layer7 Application Centric Security Solution
  • What’s Next?