F5 Infosec Israel  2013 Application Centric Security
Speaker notes
  • Source: IBM X-Force 2011 Trend and Risk Report, March 2012. {NOTE TO SPEAKER: The key points of this slide can be conveyed in several ways. The major attack types shown here are application attacks and web attacks. In addition, every single one of these organizations had a firewall, most likely a next-generation firewall, and because that technology was not designed to protect their data center, they were not protected and were exploited. If you are presenting to a partner, make the point that they do not want their customers to become one of the next large bubbles on this eye chart; if you are a customer, the last thing you want is for the company you work for or protect to appear on it.}
  • F5 is the global leader in Application Delivery Networking, and continues to be a solid provider and customer ally as we continue to grow and expand the entire ADC market.
  • This PPT representation complies with Gartner’s Copyright & Policy as of Nov-08-12. Although the slide may be modified for style & visual consistency, no element should be added, deleted or hidden without contacting r.curran@f5.com
  • One of F5's key differentiators and value-adds in security is that we provide it on a full proxy architecture. For those who are not familiar, a full proxy is analogous to the escrow officer in a real estate transaction: an independent, neutral third party who protects the buyer from the seller and the seller from the buyer, and who inspects every element of the transaction before allowing it to complete safely and securely. In much the same way, F5's full proxy security examines every element of the OSI stack. Because we sit at strategic points in the network and inspect that traffic by nature, we can understand what is happening and take action on it from the application, session and network perspectives, throughout the stack. {NOTE TO SPEAKER: F5 mitigation technologies by layer:
    Application: BIG-IP ASM – positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.
    Session: BIG-IP LTM and GTM – high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.
    Network: BIG-IP LTM – SynCheck, default-deny posture, high-capacity connection table, full proxy traffic visibility, rate-limiting, strict TCP forwarding.
    Slide bullets. Network layer: L4 stateful firewall (including TCP checksum checks, fragmentation and reassembly), DDoS mitigation. Session layer: SSL inspection, SSL DDoS attacks. Application layer: OWASP Top 10, application content scrubbing (S -> C).}
  • Because we sit at strategic points in the network and take a full proxy approach, performance is absolutely critical: all of the traffic travelling through this point is being inspected, and that must be done at very high rates of speed. Because F5 combines purpose-built software with purpose-built hardware, we can add multiple services on our intelligent services platform with minimal performance degradation, and at a much higher scale than existing security solutions traditionally achieve.
  • An additional function of the ADF solution is the ability to secure DNS infrastructure, which the Application Delivery Firewall with the BIG-IP GTM and DNSSEC module achieves in two ways. One weakness of traditional DNS infrastructure is that it lacks the scale to deal with large-scale attacks in the form of DNS floods; a typical DNS server might be able to handle around 65,000 concurrent queries. Once that server is overwhelmed, an attacker can start to maliciously inject responses to DNS queries, which can result in cache poisoning, DNS spoofing and, generally, problems for the end website, with a real follow-on effect on brand integrity. Think about it this way: if you are trying to reach a website like www.bank.com while bank.com is undergoing a DNS denial-of-service attack, and the correct IP address is not returned but the request is redirected to a malicious site instead, that is a real problem for bank.com's brand and integrity. The Application Delivery Firewall solves this problem in two ways. First and foremost is sheer scale: the ability to act as a DNS server handling up to 10 million concurrent queries. The other thing the ADF can do is DNS signing, that is DNSSEC: responses to DNS queries are cryptographically signed so they cannot be spoofed. This is a particularly interesting use case for certain federal agencies that have to comply with DNSSEC requirements.
  • Traditional firewalls are often incapable of looking into SSL traffic, which means that attacks can be embedded within SSL, either as malformed payloads or as certain types of denial-of-service attack such as Slowloris or slow POST, inside encrypted channels. If the firewall is not looking into the encrypted channel, those attacks are passed directly to the server, which can then fall over. It is important to note that it is not the case that firewalls cannot look into SSL traffic; today many, if not most, of them have that ability. The limiting factor is their scale: most existing firewalls pay a significant performance penalty when SSL inspection is enabled, which means most administrators end up not enabling it, so in reality most deployed firewalls pass SSL-encrypted traffic straight through. By contrast, the F5 Application Delivery Firewall has very high-performance SSL inspection: as a full proxy and a full SSL proxy, the ADF decrypts the incoming SSL connections, inspects them for possible threats and then forwards them to the application servers, so we are able to block any malicious packets that would otherwise go through. This has a secondary effect, which we call SSL offload: since the F5 ADF performs the SSL decryption, we can pass the unencrypted traffic to the application server, which significantly reduces the load on the app servers.
  • The tool itself is about 700 lines of readable C code. Actually, it looks better than your typical hack-tool so I have to give “The Hacker’s Choice” props on their craftsmanship. The attack tool ramps up to 400 open connections and attempts to do as many renegotiations on each connection as it can. On my dedicated test client, it comes out to 800 handshakes per second (or 2 per connection per second).

    Moment of Irony

    When you first run the tool against your BIG-IP virtual server, it might say “Server does not support SSL Renegotiation.” That’s because everyone, including F5, is still recovering from last year’s SSL renegotiation vulnerability and by default our recent versions disable SSL renegotiation. So in order to do any testing at all, you have to re-enable renegotiation. But this also means that by default, virtual servers (on 10.x) are already not vulnerable unless they’ve explicitly re-enabled renegotiation. The irony is that the last critical SSL vulnerability provides some protection against this new SSL vulnerability.

    The iRule Countermeasure

    Enter DevCentral. After setting up the attack lab, we asked Jason Rahm (blog) for his assistance. He put together a beautiful little iRule that elegantly defeats the attack. Its premise is simple: if a client connection attempts to renegotiate more than five times in any 60 second period, that client connection is silently dropped. By silently dropping the client connection, the iRule causes the attack tool to stall for long periods of time, fully negating the attack. There should be no false positives dropped, either, as there are very few valid use cases for renegotiating more than once a minute.

    The iRule

```tcl
when RULE_INIT {
    # more than maxquery handshakes within $seconds seconds triggers a drop
    set static::maxquery 5
    set static::seconds 60
}
when CLIENT_ACCEPTED {
    # random per-connection key for this connection's table entries
    set rand [expr { int(10000000 * rand()) }]
}
when CLIENTSSL_HANDSHAKE {
    # one entry per completed handshake; each entry expires after $static::seconds
    set reqno [table incr "reqs$rand"]
    table set -subtable "reqrate:$rand" $reqno "ignored" indefinite $static::seconds
    if { [table keys -count -subtable "reqrate:$rand"] > $static::maxquery } {
        # wait five seconds, then silently drop the connection
        after 5000 drop
    }
}
when CLIENT_CLOSED {
    table delete reqs$rand
    table delete -subtable reqrate:$rand -all
}
```

    With the iRule in place, you can see its effect within a few seconds of the test restarting.

```
Handshakes 2000 [0.00 h/s], 400 Conn, 0 Err
Handshakes 2000 [0.00 h/s], 400 Conn, 0 Err
Handshakes 2000 [0.00 h/s], 400 Conn, 0 Err
Handshakes 2000 [0.00 h/s], 400 Conn, 0 Err
Handshakes 2000 [0.00 h/s], 400 Conn, 0 Err
```

    The 400 connections each get their five renegotiations and then the iRule waits five seconds (to ack any outstanding client data) before silently dropping the connection. The attack tool believes the connection is still open, so it stalls. Note that the test had to be restarted, because the iRule doesn’t apply to existing connections when it’s attached to a virtual server. Take that into account if you are already under attack.

    It’s understandable if you are thinking “that’s the coolest 20-line iRule I’ve ever seen, I wish I understood it better.” Jason also provided a visual workflow to elucidate its mechanics.

    [Figure: iRule DDoS countermeasure workflow]

    Conclusion

    At a meeting earlier this year here in Seattle we were talking about the previous Renegotiation flaw. The question was posed “What is the next vulnerability that we’re all going to slap our foreheads about?” This particular attack falls into that category. It’s a simple attack against a known property of the protocol. Fortunately, BIG-IP can leverage its hardware-offload or use countermeasures like this iRule to counter the attack. There are two take-aways here: first, even long-established and reviewed protocols like SSL/TLS can be used against you and second, iRules are pretty sweet! And thanks again, to Jason Rahm for his invaluable assistance!
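As an added example (not code from the deck, from DevCentral, or the iRule itself), the following Python models the iRule's sliding-window policy with a simulated clock, so the "more than five handshakes in 60 seconds, then a silent drop five seconds later" rule can be checked offline against an attacker-like trace and a well-behaved client. The class and function names and both traces are this example's own constructions.

```python
from collections import defaultdict

# Parameters mirroring the iRule: static::maxquery, static::seconds, "after 5000 drop".
MAX_QUERY = 5
WINDOW_SECONDS = 60
DROP_DELAY_SECONDS = 5


class RenegLimiter:
    """Per-connection handshake counter with expiring records (hypothetical name).

    Models the iRule's 'reqrate:<conn>' subtable: every completed handshake
    (initial or renegotiation) adds one entry that lives for WINDOW_SECONDS,
    and the count of live entries is compared against MAX_QUERY.
    """

    def __init__(self, max_query=MAX_QUERY, window=WINDOW_SECONDS,
                 drop_delay=DROP_DELAY_SECONDS):
        self.max_query = max_query
        self.window = window
        self.drop_delay = drop_delay
        self.records = defaultdict(list)  # conn_id -> timestamps of live entries
        self.drop_at = {}                 # conn_id -> simulated time the drop fires

    def on_handshake(self, conn_id, now):
        """CLIENTSSL_HANDSHAKE: expire old records, add this one, and schedule a
        silent drop the first time more than max_query records are live.
        Returns True only when a drop is newly scheduled."""
        live = [t for t in self.records[conn_id] if now - t < self.window]
        live.append(now)
        self.records[conn_id] = live
        if len(live) > self.max_query and conn_id not in self.drop_at:
            self.drop_at[conn_id] = now + self.drop_delay  # "after 5000 drop"
            return True
        return False

    def on_close(self, conn_id):
        """CLIENT_CLOSED: discard per-connection state, like the iRule's table delete."""
        self.records.pop(conn_id, None)
        self.drop_at.pop(conn_id, None)

    def is_dropped(self, conn_id, now):
        """True once the scheduled drop time for conn_id has been reached."""
        return conn_id in self.drop_at and now >= self.drop_at[conn_id]


def replay(events, limiter=None):
    """Feed (time, conn_id) handshake events in order; return conn_id -> drop
    time, or None for connections that were never dropped."""
    limiter = limiter or RenegLimiter()
    seen = []
    for t, conn in events:
        if conn not in seen:
            seen.append(conn)
        limiter.on_handshake(conn, t)
    return {c: limiter.drop_at.get(c) for c in seen}


# Constructed traces (not captured data): one connection renegotiating twice per
# second, the rate the write-up measured, and one client renegotiating once a minute.
ATTACK_TRACE = [(i * 0.5, "atk-conn") for i in range(20)]
LEGIT_TRACE = [(i * 60.0, "legit-conn") for i in range(10)]

if __name__ == "__main__":
    print(replay(ATTACK_TRACE))  # {'atk-conn': 7.5}: sixth handshake at 2.5 s, drop at 7.5 s
    print(replay(LEGIT_TRACE))   # {'legit-conn': None}: never more than one live record
```

The legitimate trace never trips the rule because each record has expired by the time the next handshake arrives, which is the "once a minute" margin the write-up relies on.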
  • Use this slide with new customers

    1. APPLICATION CENTRIC SECURITY
       Tzoori Tamam, Sr. Field Sales Engineer, tzoori@f5.com
    2. Why do HaCkErz Attack?
       • Money
       • Fame
       • Training
       • Politics
       • Boredom
       • Plain Evil
    3. What do HaCkErz Attack?
    4. What Do HaCkErZ Attack?
       • THEY GO FOR YOUR APPLICATIONS!
       • Availability
       • Responsiveness
       • Reputation
    5. How Do HaCkErz Attack?
    6. Enters F5 Networks…
    7. F5 Overview
       [Chart: revenue in $ thousands, axis 50,000 to 400,000]
       • Publicly traded on NASDAQ
       • 3,000+ employees
       • IPO in 1999
       • F5 Networks is the leading provider of application and data delivery networking
       • Our products sit at strategic points of control in any infrastructure
       • Fiscal Year 2012 Revenue: US$1.38B (1,380,000,000)
    8. Local Snapshot – Israel:
       • 120+ local employees
       • Increasing country presence
       • 2012 – Acquired Traffix Systems
       • Strong regional channel
       • Over 400 IL customers
    9. Gartner Magic Quadrant for ADC
       [Graphic: Magic Quadrant for Application Delivery Controllers]
       This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from F5 Networks. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
    10. F5 in Worldwide Advanced Platform ADC Market for 2Q’12
       • Market share leaders: F5 59.1%, Citrix 17.5%, Radware 9.2%
       • Market share revenue leaders: F5 $186.2M, Citrix $55.2M, Radware $29.0M
       • Q/Q revenue growth: F5 3.9%, Citrix 12.1%, Radware 1.3%
       • Total market numbers: revenue $315M; Q/Q revenue growth 3.2%; Y/Y revenue growth 21.5%
       *ADC segment includes: server load balancing/Layers 4-7 switching and advanced (integrated) platforms. Graphic created by F5 based on Gartner data. 2Q12 Gartner Advanced Platform ADC* market share. Source: Gartner, Inc., Market Share: Application Acceleration Equipment, Worldwide, CYQ212, Joe Skorupa, Nhat Pham, Sept 2012.
    11. Introducing F5’s Application Delivery Firewall – Aligning applications with firewall security
       One platform: SSL inspection, Traffic management, DNS security, Access control, Application security, Network firewall, DDoS mitigation. Certification: EAL2+, EAL4+ (in process).
    12. Full Proxy Security
       [Diagram: client side and server side stacks – Physical, Network, Session, Application, Web application]
       • L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation
       • SSL inspection and SSL DDoS mitigation
       • HTTP proxy, HTTP DDoS and application security
       • Application health monitoring and performance anomaly detection
    13. Full Proxy Security – F5’s Approach
       [Diagram: traffic management microkernel as a proxy between client side and server side, with IPv4/IPv6, TCP, SSL, HTTP and OneConnect on each side; high-performance HW; iRules; iControl API]
       • TMOS traffic plug-ins
       • High-performance networking microkernel
       • Powerful application protocol support
       • iControl—External monitoring and control
       • iRules—Network programming language
       • Optional modules plug in for all F5 products and solutions (APM, Firewall, …)
    14–15. CONSOLIDATE NETWORK AND SECURITY FUNCTIONS – Use case
       • Consolidation of firewall, app security, traffic
       • Protection for data centers and application servers
       • Most common inbound protocols
       Before F5 (separate devices): Load Balancer, DNS Security, Network DDoS, Web Application Firewall, Web Access Management, Load Balancer & SSL, Application DDoS, Firewall. With F5: the same functions consolidated on one platform.
    16. BIG-IP Application Security Manager – Powerful Adaptable Solution
       • Provides comprehensive protection for all web application vulnerabilities
       • Delivers out of the box security
       • Enables L2->L7 protection
       • Unifies security and application delivery
       • Logs and reports all application traffic and attacks
       • Educates admin. on attack type definitions and examples
       • Sees application level performance
       • XML FW, L7 DOS, Brute Force and Web Scraping
       • Application visibility and reporting
       • FREE vulnerability scanning from Cenzic/WhiteHat
    17–18. SECURE DNS – Use case
       Before F5: 65,000 concurrent queries? Threats: cache poisoning, DNS spoofing, man in the middle, DDoS.
       With F5: secure and available DNS infrastructure, up to 10 million concurrent queries.
       • Consolidated firewall and DNS service
       • High performance, scalable DNS
       • Secure queries with DNSSEC
    19. SSL INSPECTION – Use case
       • Gain visibility and detection of SSL-encrypted attacks
       • Achieve high-scale/high-performance SSL proxy
       • Offload SSL—reduce load on application servers
    20. Protect Against Newly Published Vulnerabilities That Do Not Have a Patch
    21. Hardware Refresh – BIG-IP Platforms Line Up
       • New: BIG-IP 11000 – 2.5M L7 RPS; 20K SSL TPS (2K key); 1M L4 CPS; 24 Gbps L7 TPUT; 10 × 10 Gigabit fiber ports (SFP+)
       • BIG-IP 10200v – 2M L7 RPS; 42K SSL TPS (2K key); 1M L4 CPS; 40G L7 TPUT; 16 × 10 Gigabit fiber ports (SFP+); 2 × 40 Gigabit fiber ports (QSFP+)
       • VIPRION 2400 / 4 x 2100 Blade – 4M L7 RPS; 40K SSL TPS (2K key); 1.6M L4 CPS; 72 Gbps L7 TPUT; 32 × 10 Gigabit fiber ports (SFP+)
       • VIPRION 4480 / 4 x 4300 Blade – 10M L7 RPS; 120K SSL TPS (2K key); 5.6M L4 CPS; 160G L7 TPUT; 32 × 10 Gigabit fiber ports (SFP+); 8 × 40 Gigabit fiber ports (QSFP+)
       • BIG-IP 2000s – 212K L7 RPS; 2K SSL TPS (2K key); 75K L4 CPS; 5 Gbps L7 TPUT; 2 × 10 Gigabit fiber ports (SFP+); 8 × Gigabit Ethernet CU ports
       • BIG-IP 2200s – 425K L7 RPS; 4K SSL TPS (2K key); 150K L4 CPS; 5 Gbps L7 TPUT; 2 × 10 Gigabit fiber ports (SFP+); 8 × Gigabit Ethernet CU ports
       • BIG-IP 4200v – 850K L7 RPS; 9K SSL TPS (2K key); 300K L4 CPS; 10 Gbps L7 TPUT; 2 × 10 Gigabit fiber ports (SFP+); 8 × Gigabit Ethernet CU ports
       • BIG-IP 11050 – 2.5M L7 RPS; 20K SSL TPS (2K key); 1M L4 CPS; 40 Gbps L7 TPUT; 10 × 10 Gigabit fiber ports (SFP+)
       • VIPRION 4800 / 8 x 4300 Blade – 20M L7 RPS; 240K SSL TPS (2K key); 10M L4 CPS; 320G L7 TPUT; 64 × 10 Gigabit fiber ports (SFP+); 16 × 40 Gigabit fiber ports (QSFP+)
       • BIG-IP 4000s – 425K L7 RPS; 4.5K SSL TPS (2K key); 150K L4 CPS; 10 Gbps L7 TPUT; 2 × 10 Gigabit fiber ports (SFP+); 8 × Gigabit Ethernet CU ports
    22. How Does F5 Protect Your Apps?
       Layer 3 – Layer 7 Application Centric Security Solution
       tzoori@f5.com