F5 Infosec Israel 2013 Locking the Door in the Clouds


  • F5 is the global leader in Application Delivery Networking, and continues to be a solid provider and customer ally as we continue to grow and expand the entire ADC market.
  • So one of F5's key differentiators and value-add with regard to security is the fact that we provide it on a full proxy architecture. For those who are not familiar, the value of a full proxy architecture is analogous to the role an escrow agent or escrow officer plays in a real estate transaction: the escrow officer protects the buyer from the seller and the seller from the buyer by acting as an independent, neutral third party, and inspects all elements of the transaction before allowing it to complete safely and securely. In much the same way, F5's full proxy security examines all elements within the OSI stack. Because we are located at strategic points in the network and are by nature inspecting that traffic, we can understand what is happening and take action on that traffic from an application perspective, from a session perspective and from a network perspective, all throughout the stack.
    {NOTE TO SPEAKER: F5 Mitigation Technologies:
    Application: BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
    Session: BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
    Network: BIG-IP LTM: SynCheck, default-deny posture, high-capacity connection table, full proxy traffic visibility, rate-limiting, strict TCP forwarding
    Network layer bullets: L4 stateful firewall – including TCP checksum checks, fragmentation and reassembly; DDoS mitigation
    Session layer: SSL inspection; SSL DDoS attacks
    Application layer: OWASP top 10; application content scrubbing (S -> C)}
  • Because we are located at strategic points of the network, and because we take a full proxy approach, performance is absolutely critical: you can imagine all of the traffic traveling through this point being inspected, and it must be done at very, very high rates of speed. Because F5 combines purpose-built software with purpose-built hardware, we are able to add multiple services on our intelligent services platform with minimal performance degradation, and we are able to do this at a scale much higher than can traditionally be achieved with existing security solutions.
  • Webification of Apps
    • Demands on scale/performance beyond what traditional networks can handle
    • S&P measured in L4 sessions – new metric (based on L7) is required
    BYOD: Consumerization of IT forcing businesses to provide access by personal devices
    • Businesses need to secure corporate data and applications on personal devices
    • Employees don’t want enterprise controlling their personal devices
    • Businesses don’t want personal apps and data traversing the network
    Hybrid Cloud
    • Moving away from model where all apps live in the corporate data center
    • Access to SAAS or IAAS is currently backhauled through a single enterprise chokepoint
    • Provisioning and deprovisioning of SAAS access decoupled from DC apps
    Evolving Security Threats
    • Additional security infrastructure needed to deal with sophisticated attacks from organized hacktivist groups
    • Multiple instances of security devices needed to deal with HTTP/S at scale
    • Complexity comes with weak interoperability of multiple disparate devices
    • Specific orgs are being specifically targeted
    Sources:
    Webification of apps: 71% of surveyed Internet technology and social experts predict most work will be done via web-based or mobile apps by 2020: “The future of cloud computing” by Janna Anderson and Lee Rainie, Pew Internet & American Life Project, online: http://pewinternet.org/Reports/2010/The-future-of-cloud-computing.aspx
    Device Proliferation: 95% of information workers report that they use at least one self-purchased device for work: IDC/Unisys, August 2010, online: http://www.unisys.com/unisys/news/detail.jsp?id=1120000970004210162; The number of enterprise customers using mobile-based applications will rise to more than 130 million by 2014: Juniper Research, March 2010, online: http://www.juniperresearch.com/viewpressrelease.php?pr=181
    Evolving security threats: 58% of all electronic breaches tied to activist groups: “2012 Data Breach Investigations Report,” Verizon Business, online: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf; 81% of data breaches involved some form of hacking – often the result of weeks of reconnaissance: ibid.
    Shifting Perimeter: 80% of net new apps will target the cloud: IDC, December 2011, online: http://www.idc.com/getdoc.jsp?containerId=prUS23177411; Over 72% of IT decision makers cited that they have or will in the next year move email, web services, storage and collaboration solutions to the public or private cloud: Cisco Systems, May 2012, online: http://www.cisco.com/en/US/solutions/ns1015/2012_Cisco_Global_Cloud_Networking_Survey_Results.pdf
  • Add-On Module for BIG-IP Family (For new BIG-IP platforms, e.g. 3600, 3900, 6900, 6900 FIPS, 8900, 8950 and 11050. Available as an add-on module for BIG-IP LTM.)
    Access Profile for Local Traffic Virtual Servers (Very simple configuration to add an Access Policy to an LTM Virtual. Just select an Access Profile from the pulldown menu under the LTM Virtual configuration page. The rest of the Access Policy is configured under the Access Control left-hand menu, where AAA servers are configured, ACLs and ACEs are defined, and VPE is used to create the visual policy.)
    APM Policy Engine (This is the advanced policy engine behind the APM add-on for BIG-IP.)
    Industry Leading Visual Policy Editor (VPE) (See screenshot. Next generation of the visual policy editor, which has been a big selling point for FirePass. Others, e.g. Cisco, have started trying to copy it, but are years behind in this area.)
    VPE Rules (TCL-based) for Advanced Policies (Ability to edit the iRules-like TCL rules behind the VPE directly, for advanced configurations, or to create all new rules for custom deployments. Tight integration between the VPE rules and TMM iRules – e.g. ability to drive Access Policies via TMM iRules, Access Policy creating new iRules events, etc.)
    Endpoint Security
    • More than a dozen different endpoint security checks available (Large number of agents available, e.g. Virtual Keyboard, AV and firewall checks, process, file, and registry checks, extended Windows info, client and machine certificates, etc.)
    • Manage endpoints via Group Policy enforcement and Protected Workspace (Endpoint remediation capabilities like Protected Workspace and Full Armor-based AD Policy enforcement, in addition to Cache Cleaner, redirects to remediation pages, and message and decision boxes.)
    Authentication and Authorization
    • Flexible authentication and authorization capabilities via client cert, AD, LDAP, RADIUS, RSA SecurID agents (Broad array of authentication, authorization, and accounting capabilities – including RADIUS accounting.)
    Access Control
    • High-Performance Dynamic Layer 4 and Layer 7 (HTTP/HTTPS) ACLs (Role/User-based Access Control engine built directly into TMM, via hudfilters. Supports dynamic assignment and enforcement of layer 4 ACL/firewall capabilities, as well as now supporting dynamic layer-7 HTTP/HTTPS URL-based access controls. High-performance as it is built directly into the dataplane.)
  • Single sign-on (SSO) – users log in to BIG-IP once and enjoy seamless access to all web resources, leveraging a variety of SSO methods (SAML, Credential Caching, Kerberos) to integrate with common applications. This allows system administrators to provision and de-provision access to applications uniformly, even when apps live in the cloud.
    F5 Helps
    • Dramatically reduce infrastructure costs; increase productivity
    • Provides seamless access to all web resources
    • Integrated with common applications

    1. LOCKING THE DOOR IN THE CLOUDS
       Tzoori Tamam, Sr. Field Sales Engineer, tzoori@f5.com
    2. F5 Overview
       [bar chart: revenue by fiscal year, $ thousands]
       • Publicly traded on NASDAQ
       • 3,000+ employees
       • IPO in 1999
       • F5 Networks is the leading provider of application and data delivery networking
       • Our products sit at strategic points of control in any infrastructure
       • Fiscal Year 2012 Revenue: US$1.38B
    3. Local Snapshot
       Israel:
       • 120+ Local Employees
       • Increasing country presence
       • 2012 – Acquired Traffix Systems
       • Strong regional channel
       • Over 400 IL Customers
    4. Full Proxy Security
       [diagram: client-side and server-side stacks (Physical, Network, Session, Application, Web application) with the full proxy between Client and Server]
       • L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation
       • SSL inspection and SSL DDoS mitigation
       • HTTP proxy, HTTP DDoS and application security
       • Application health monitoring and performance anomaly detection
    5. Full Proxy Security – F5’s Approach
       [diagram: the same layered stacks as slide 4, plus the TMOS traffic management microkernel with client-side and server-side proxy stacks (TCP, SSL, HTTP, OneConnect), IPv4/IPv6, high-performance HW, iRules and the iControl API; optional modules (APM, Firewall, …) plug in for all F5 products and solutions]
       • TMOS traffic plug-ins
       • High-performance networking microkernel
       • Powerful application protocol support
       • iControl—External monitoring and control
       • iRules—Network programming language
    6. Maintaining Security Is Challenging
       • Webification of apps: 71% of internet experts predict most people will do work via web or mobile by 2020.
       • Device proliferation: 95% of workers use at least one personal device for work; 130 million enterprises will use mobile apps by 2014.
       • Evolving security threats: 58% of all e-theft tied to activist groups; 81% of breaches involved hacking.
       • Shifting perimeter: 80% of new apps will target the cloud; 72% of IT leaders have or will move applications to the cloud.
    7. Who’s Requesting Access?
       Employees, Partner, Customer, Administrator – manage access based on identity
       IT challenged to:
       • Control access based on user-type and role
       • Unify access to all applications
       • Provide fast authentication and SSO
       • Audit and report access and application metrics
    8. BIG-IP Access Policy Manager (APM) – Unified access and control for BIG-IP
       BIG-IP® APM features:
       • Centralizes single sign-on and access control services
       • Full proxy L4 – L7 access control at BIG-IP speeds
       • Adds endpoint inspection to the access policy
       • Visual Policy Editor (VPE) provides policy-based access control
       • VPE Rules—programmatic interface for custom access policies
       • Supports IPv6
       BIG-IP® APM ROI benefits:
       • Scales to 100K users on a single device
       • Consolidates auth. infrastructure
       • Simplifies remote, web and application access control
       *AAA = Authentication, authorization and accounting (or auditing)
    9. BIG-IP APM Use Cases
       • SSL VPN
       • SSO
       • Organization
       • Cloud
       • Websites
       • Strong Authentication (N Factor)
       • VDI
    10. What is the problem?
       • Users authenticate to their enterprise, but more and more resources are hosted elsewhere….
       • How do we maintain control of those credentials, policies and their lifecycle?
    11. What is SAML?
       • Security Assertion Markup Language
       • Solid standard, current version 2.0 (March 2005)
       • Strong commercial and open source support
       • “An XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider (SP).”
    12. What is SAML? Now in English
       • It’s ‘Internet/Web’ SSO
       • Eliminates need for multiple passwords/password databases in multiple locations
       • Enables enterprise in the ‘Cloud’
    13. SAML – SSO Redirect/POST
       [sequence diagram of the SAML SSO Redirect/POST flow]
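The Redirect/POST flow on this slide, worked through end to end as an added example (not F5 code and not part of the original deck): the SP builds an AuthnRequest and sends it with the HTTP-Redirect binding, the IdP returns a Response with the HTTP-POST binding, and the SP validates the assertion before trusting it. The endpoints, entity IDs, user name and key are constructed; the IdP's XML-Signature is replaced by an HMAC over the assertion bytes so the script runs on the standard library alone, and the IdP's own authentication of the user (AD/LDAP login) is assumed to have already happened.

```python
# Added example: SP-initiated SAML 2.0 web SSO end to end (AuthnRequest over the
# HTTP-Redirect binding, Response over the HTTP-POST binding, SP-side validation).
import base64, hashlib, hmac, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed endpoints, entity IDs and key; a real deployment has its own.
IDP_ENTITY_ID = "https://idp.example.test/metadata"
IDP_SSO_URL = "https://idp.example.test/sso"
SP_ENTITY_ID = "https://sp.example.test/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
SIGNING_KEY = b"constructed-demo-key"  # HMAC stand-in for the IdP's XML-Signature key pair

def now(): return datetime.now(timezone.utc)
def saml_time(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse_saml_time(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sp_build_redirect(pending):
    """SP: build an AuthnRequest, encode it for the HTTP-Redirect binding (raw DEFLATE,
    base64, URL-encode) and remember its ID so the Response can be matched later."""
    req_id = "_" + uuid.uuid4().hex
    xml_req = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
               f'ID="{req_id}" Version="2.0" IssueInstant="{saml_time(now())}" '
               f'AssertionConsumerServiceURL="{SP_ACS_URL}"><saml:Issuer>{SP_ENTITY_ID}'
               f'</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    raw = deflater.compress(xml_req.encode()) + deflater.flush()
    pending[req_id] = now()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def idp_handle_redirect(url, user):
    """IdP: decode the AuthnRequest and, for a user it has already authenticated (AD/LDAP
    login assumed), return HTTP-POST form fields carrying a Response whose Assertion is
    bound to this request, this SP and a five-minute window."""
    query = parse_qs(urlparse(url).query)
    req = ET.fromstring(zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15))
    req_id, acs = req.get("ID"), req.get("AssertionConsumerServiceURL")
    t = now()
    assertion = (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_{uuid.uuid4().hex}" Version="2.0" '
        f'IssueInstant="{saml_time(t)}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{saml_time(t - timedelta(seconds=30))}" '
        f'NotOnOrAfter="{saml_time(t + timedelta(minutes=5))}"><saml:AudienceRestriction>'
        f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
        f'</saml:Conditions></saml:Assertion>')
    signature = hmac.new(SIGNING_KEY, assertion.encode(), hashlib.sha256).hexdigest()
    response = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" ID="_{uuid.uuid4().hex}" '
                f'Version="2.0" InResponseTo="{req_id}" Destination="{acs}">{assertion}'
                f'<Signature>{signature}</Signature></samlp:Response>')
    return {"SAMLResponse": base64.b64encode(response.encode()).decode()}

def sp_consume_post(form, pending, when=None):
    """SP assertion consumer: each check closes one way of being fooled; returns the NameID."""
    t = when or now()
    xml_resp = base64.b64decode(form["SAMLResponse"]).decode()
    root = ET.fromstring(xml_resp)
    # Signature over the exact assertion bytes: rejects forged or altered assertions.
    signed = xml_resp[xml_resp.index("<saml:Assertion"):xml_resp.index("</saml:Assertion>") + 17]
    expected = hmac.new(SIGNING_KEY, signed.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(root.findtext("Signature") or "", expected):
        raise ValueError("assertion signature invalid")
    a = root.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    if (root.get("Destination") != SP_ACS_URL or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID
            or cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID):
        raise ValueError("wrong endpoint, untrusted issuer, or assertion meant for another SP")
    req_id = root.get("InResponseTo")
    if req_id not in pending:  # unsolicited, or already consumed (replay)
        raise ValueError("response does not match an outstanding request")
    del pending[req_id]  # one-time use
    if not parse_saml_time(cond.get("NotBefore")) <= t < parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def _rejected(fn):
    try:
        fn()
    except ValueError:
        return True
    return False

def run_demo():
    """One good login, then three presentations the SP must refuse: replay, edited NameID, stale."""
    user, pending, pending2, pending3 = "alice@corp.example.test", {}, {}, {}
    form = idp_handle_redirect(sp_build_redirect(pending), user)
    form2 = idp_handle_redirect(sp_build_redirect(pending2), user)
    form3 = idp_handle_redirect(sp_build_redirect(pending3), user)
    result = {"user": sp_consume_post(form, pending)}
    result["replay_rejected"] = _rejected(lambda: sp_consume_post(form, pending))
    edited = base64.b64decode(form2["SAMLResponse"]).decode().replace("alice", "admin")
    tampered = {"SAMLResponse": base64.b64encode(edited.encode()).decode()}
    result["tamper_rejected"] = _rejected(lambda: sp_consume_post(tampered, pending2))
    late = now() + timedelta(minutes=10)  # well past NotOnOrAfter
    result["expired_rejected"] = _rejected(lambda: sp_consume_post(form3, pending3, when=late))
    return result
```

Calling `run_demo()` performs one successful login and then shows the same consumer code refusing a replayed Response, a Response whose NameID was changed in transit, and a Response presented after its NotOnOrAfter time. The checks are the same whether the SP is an application or a BIG-IP APM acting as SP: signature, Destination, Issuer, Audience, InResponseTo (matched once, then forgotten) and the validity window.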
    14. Use case: CONSOLIDATING APP AUTHENTICATION (SSO)
       [diagram: corporate managed device (latest AV software), AAA server, expense report app; user = Finance]
       • Dramatically reduce infrastructure costs; increase productivity
       • Provides seamless access to all web resources
       • Integrated with common applications
    15. Load Balancing AD FS Infrastructure with BIG-IP
       [diagram: Corporate Users, Perimeter Network (AD FS Proxy Farm), Corporate Network (AD FS Farm, Active Directory), Office 365 (SharePoint Online, Exchange Online, Lync Online)]
       • Local Traffic Manager
       • Intelligent traffic management
       • Advanced L7 health monitoring – (Ensures the AD FS service is responding)
       • Cookie-based persistence
    16. Load Balancing AD FS with Local Traffic Manager
       [diagram: as slide 15]
    17. Publishing AD FS with Access Policy Manager
       [diagram: as slide 15, labelled “Load Balancing AD FS with Local Traffic Manager”]
       Replacing the AD FS Proxy farm with APM provides:
       • Enhanced Security
         • Variety of authentication methods
         • Client endpoint inspection
         • Multi-factor authentication
       • Improved User Experience
         • SSO across on-premise and cloud-based applications
         • Single-URL access for hybrid deployments
       • Simplified Architecture
         • Removes the AD FS proxy farm layer as well as the need to load balance the proxy farm
    18. Federating with Access Policy Manager and SAML
       [diagram: Corporate Users, Corporate Network (Active Directory), Office 365 (SharePoint Online, Exchange Online, Lync Online)]
       • Available with version 11.3, APM includes full SAML support
       • Ability to act as IdP (Identity Provider) for access to external claims-based resources including Office 365
       • Act as service provider (SP) to facilitate federated access to on-premise applications
       • Streamlined architecture (no need for the AD FS architecture)
       • Simplified iApp deployment
       tzoori@f5.com