IP Expo 2009 - Securing the Virtual World


Virtualisation is taking the IT industry by storm, but do you have a security strategy tailored to your virtual environment? This session looks at virtual firewall technology and explains how it will secure your network in the new virtual world.

Published in: Technology
  • Speaker notes: Bridging the gap from traditional to modern infrastructure requires decoupling the traditional tight connection-centric binding between users and resources, and replacing it with an intelligent fabric that not only connects, but ensures optimal interaction between users and resources. This fabric must have visibility of the interactions, understand the context in which they occur, be capable of making intelligent real-time decisions, and then take action to optimize a variety of factors related to the interaction. Let's look into these elements of the fabric: dynamic, fluid, app/user centric; unknown users, unknown resources, unknown applications. What's required? A new paradigm in data center and networking design that allows the customer, on their terms, to add, remove, grow and shrink application and data/storage services on demand: the type of network that can understand the context of the user, location, situation, device and application, and dynamically adjust to those conditions; the type of network which can be provisioned in hours, not weeks or months, to support new business applications; the type of network which is not just application fluent but can serve as a centralized computational engine to more rapidly deliver services in support of the users, applications and data, and do it more cost-effectively than any other alternative.
  • Speaker notes: This new intelligent fabric must intercept the stream of interactions between users and resources without impacting performance or availability. It provides an important new vantage point to see and report on these interactions. It must understand a vast array of variables that put the interactions in context: user profile, location, interface device, application, file metadata, etc. It must be able to apply business policies to the interaction, determining, for example, that a particular user/application combination should be afforded enhanced QoS. Finally, it must be able to effect changes to enforce these decisions: routing traffic, rate shaping, replicating files, blocking DoS attackers, etc.

    1. Securing and Managing Systems within a Flexible IT Environment
       Owen Cole, Technical Director, UK, Ireland and Sub Saharan Africa

    2. Traditional IT Model
       Diagram: Corporate Employees (LAN & wLAN), Remote Employees, Mobile Employees, Branch Employees (LAN & wLAN) and Customers, Partners or Suppliers connecting to Cloud Services, Hosted Applications, SaaS, Apps and Data in the Branch, and the Corporate Data Center.
       How do I connect all these applications and services to the right people, at the right moment in time, using the right amount of resources, meet all my SLAs, ensure security and save money?

    3. What's Needed
       Same diagram as slide 2, with "A 'Modern' IT Delivery Model" placed between the user groups and the services.

    4. Refocusing the Infrastructure
       Traditional Infrastructure (Network Centric) versus "Modern" Infrastructure (Application Centric):
       • Routing packets, L2/L3/L4, basic  →  Service delivery, messages, intelligence, L4/L7
       • Static data centers, locked-down traffic  →  Dynamic services, open access, SaaS
       • Virtual servers as plumbing, isolated  →  Virtual data center, federated resources, shared
       • Dedicated applications, silos, low utilization  →  Multi-tenant services, unification, improved utilization

    5. What is Required to Fill the Gap
       Same diagram, with the "Modern" IT Delivery Model broken into four functions: Visibility, Context, Decision, Action.

    6. Context is Critical

    7. Without Context, You Can't Take Appropriate Action

    8. Functions of a Modern IT Delivery Model
       Visibility and Context:
       • Intercept application and data stream
       • Reporting, notification, trending
       • Put application and data stream in context
       • Understand user, device, location, network, application, virtualisation, resource
       Decision and Action:
       • Relate visibility and context to predetermined business policy
       • Determine and direct appropriate response
       • Manipulate infrastructure variables, e.g. traffic redirection, data placement, security, performance, provisioning
       • Synchronize distributed points of control

    9. Business and Technology Drivers
       Business: align IT to business; cost, ROI; security, privacy, compliance; workforce productivity; new applications / services; consolidation; shared resources; managing change.
       Technology: virtualisation; legacy application update; unified networking / communications; Web 2.0; Green IT; identity / access management; mobile enablement.
       Where they meet: Securing Virtual Applications.
       Sources: Society for Information Management, NASCIO, CIOInsight, industry analysts, F5 analysis.

    10. Virtualization - Dynamic Resource Automation
       Diagram of a closed loop across three tiers (Frontends Virtualization with three Frontends, AppServers Virtualization with three App. Servers, Storage Virtualization), fed by Web Clients and watched by Monitoring & Management.
       • Demand ↑: Detection (BIG-IP LTM, iControl) → Automation → VM Provision (vCenter + AppSpeed) → F5 Provision (the new member joins the pool)
       • Demand ↓: Detection (BIG-IP LTM, iControl) → Automation → F5 Deprovision → VM Deprovision

    11. Securing Virtual Environments
       Building security INSIDE virtual server devices can be:
       • Expensive in licenses
       • High management cost
       • Not making best use of the devices
       Physical or virtual, servers are servers:
       • Virtualises hardware in software through the hypervisor
       • Maximises the impact of SSL, compression etc. on servers
       • What is the effect of a compromise to the VM container?
       • How can you be sure of the separation between virtual devices in the same server?

    12. The Answer to Securing Virtual Environments
       Deploying external application firewalling provides:
       • Obscurity in the network
       • Application-level protection outside of the container
       • Protection from encrypted attacks
       • What is the effect on the VM container?
       Proxy abstraction of users from applications:
       • Offers a possible speedy route to application vulnerabilities
       Offload tasks from the servers:
       • SSL termination, compression, caching etc. run external to the server infrastructure, which increases server capacity

    13. Web Applications
       Diagram: Browser → HTTP Request → Web Server (HTML/XML Response back to the browser) → Application Server (CGI scripts) → Backend App Server → Database server → Data.
       • Web applications are complex entities that involve many components
       • The majority of e-commerce applications consist of at least 3 main components: web server, application server and database
       • The browser interacts with the web application by sending an HTTP request and receiving an HTML/Java page via an HTTP reply
       • Applications interact with other applications by sending predefined XML structures to each other within HTTP

    14. Well Publicised Attack Methods
       Some attacks are specific to one area; some can be targeted at multiple areas.
       • Parameters in application: attack the visible and hidden information in the web pages
       • HTTP/XML: attack the message that carries the information
       • Authentication/authorisation: get access to areas of the site that you are not allowed to enter or use
       • Known vulnerabilities: stuff you have no control over, but should protect against

    15. Well Publicised Attack Methods (continued)
       • Authentication/Authorisation: broken session management, broken access control, broken authentication, value tampering, cookie poisoning, SQL injection
       • Known Vulnerabilities: published OS vulnerabilities, published app vulnerabilities, development tool vulnerabilities, DoS and DDoS, default installs, insecure storage
       • Parameters in Application: cross-site scripting (XSS), SQL injection, OS injection, value tampering, cookie poisoning, buffer overflow
       • HTTP/XML: structure malformation, buffer overflow, directory traversal, forceful browsing, response splitting, character set manipulation, information gathering, brute force, broken session management, multi-part POST/PUT, embedded parameter attacks (XML)

    16. How Traditional Security Solutions Work
       Attacks look to exploit application vulnerabilities: buffer overflow, cross-site scripting, SQL/OS injection, cookie poisoning, hidden-field manipulation, parameter tampering; they gather infrastructural intelligence, pass non-compliant information and force access to information.
       Perimeter security is strong, but is open to web traffic on PORT 80 and PORT 443.
       • Without the application context, requests appear legal and pass through traditional defenses, including firewall, SSL, authentication, IDS, IPS, etc.
       • Attacks simply misuse the application functionality, or utilise known bugs.

    17. The Solution is Simple
       Same web-application diagram as slide 13, with CONTEXT applied at the entry point.
       1. Only allow access to the application objects a user has authority to use.
       2. Block invalid input and malicious content at the entry point of the application.
       3. Block sensitive information passing back to the client.

    18. Solution 1 - So... fix the code!
       • Most companies do not write their own applications; they are outsourced, packaged or ASP.
       • Tight development time-frames and lack of security expertise lead to bugs in code.
       • Legacy code relies heavily on client-side validation and disregards security.
       • Web applications are relatively easy to attack and the tools required are widely available.
       • Attack disguise techniques are commonly used.
       • Lots of testing is needed.
       • Applications get less secure over time.

    19. Solution 2 - Application Firewall
       Diagram: Intelligent Client (User, SSL VPN) → Network Plumbing (Firewall, IDS-IDP, Anti-Virus, Load Balance) → Application Infrastructure (App Firewall) → Application (App). Threats shown: buffer overflow, cross-site scripting, SQL/OS injection, cookie poisoning, hidden-field manipulation, parameter tampering, error messages, non-compliant content, fingerprints.
       • Policy-based full proxy with deep inspection
       • Bi-directional: inbound, protection from generalised & targeted attacks; outbound, content scrubbing & application cloaking
       • Application content & context aware
       • Positive security augmenting negative security
       • Selective granularity & flexible behavioural control
       • High performance, low latency, high availability, high security

    20. Standard Application Security Delivers....
       ASM allows legitimate requests and stops bad requests: non-compliant information, unauthorised access, infrastructural intelligence.
       • Policy-based full proxy with deep inspection
       • Bi-directional: inbound, protection from generalised & targeted attacks; outbound, content scrubbing & application cloaking
       • High performance, low latency, high availability, high security

    21. Advanced Application Security Delivers....
       Allow only good application behaviour, based on a definition of good and bad behaviour.
       • Application content & context aware
       • Selective granularity & flexible behavioural control

    22. Benefits of Web Application Firewalls
       • Provide centralised, consistent protection.
       • Provide protection from known attacks in real time.
       • Central point of application security enforcement.

    23. Benefits of Advanced Web Application Firewalls
       • Combines positive and negative security models.
       • Per-application protection.
       • Flexible deployment.
       • Flexible behavioural control to eliminate false positives and achieve optimum security.
       • Powerful automation to reduce operating costs.
       • Protect "selective flows" and "dynamic hidden parameters".
       • Ability to have programmatically defined security rules.
       Underpinned by advanced ADC technology:
       • DDoS protection and packet filtering
       • Advanced client authentication
       • SSL acceleration
       • Intelligent compression
       Consolidated on your advanced ADC platform: combine application security, acceleration and availability on a single manageable platform.

    24. Parting thoughts
       • You can't virtualise in a vacuum!
       • Virtualisation must cover hardware, security and optimisation.
       • A holistic, thoughtful approach focuses on forward-looking, virtualisation-ready IT infrastructure: built to be fluid, dynamic and provisionable; expects and accepts hundreds or thousands of new servers, new IP addresses, new routes, new disks, new files, new storage servers, temporary or permanent, virtual or physical.
       • F5's vision is to enable an agile IT infrastructure with distributed, intelligent, strategic points of control.
       More insight and advice at http://www.f5.com/solutions/virtualization
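The scale-up and scale-down loops on the "Dynamic Resource Automation" slide, worked as a simulated controller. This is an added example written for this page, not F5 or VMware code: provision_vm and deprovision_vm stand in for the vCenter side and add_to_pool and remove_from_pool for the iControl pool changes (all four are assumptions of this example, not real API calls), the addresses and the demand series are constructed, and the thresholds are illustrative. It shows the ordering the diagram implies, a VM exists before it receives traffic and is drained from the pool before it is destroyed, plus a cooldown so the loop does not flap around the thresholds.

```python
# Simulated scale-up / scale-down controller for the "Dynamic Resource
# Automation" loop (added example, not F5 or VMware code). provision_vm /
# deprovision_vm stand in for the vCenter calls and add_to_pool /
# remove_from_pool for the iControl pool changes; all four are assumptions.


class LoadBalancerPool:
    """Simulated LTM pool: the member addresses currently receiving traffic."""

    def __init__(self, members):
        self.members = list(members)

    def add(self, addr):
        self.members.append(addr)

    def remove(self, addr):
        self.members.remove(addr)


class AutoScaler:
    def __init__(self, pool, min_members=2, max_members=6,
                 scale_up_at=0.80, scale_down_at=0.30, cooldown_ticks=2):
        self.pool = pool
        self.min_members = min_members
        self.max_members = max_members
        self.scale_up_at = scale_up_at        # utilisation per member
        self.scale_down_at = scale_down_at
        self.cooldown_ticks = cooldown_ticks  # ticks to wait after a change
        self.cooldown = 0
        self.next_host = 10 + len(pool.members)
        self.log = []

    # --- stand-ins for the vCenter side (assumed, not a real API) ---
    def provision_vm(self):
        addr = f"10.0.0.{self.next_host}"   # constructed address
        self.next_host += 1
        return addr

    def deprovision_vm(self, addr):
        return addr                         # nothing to free in the simulation

    # --- stand-ins for the iControl side (assumed, not a real API) ---
    def add_to_pool(self, addr):
        self.pool.add(addr)

    def remove_from_pool(self, addr):
        self.pool.remove(addr)

    def step(self, demand):
        """One monitoring tick. demand is in units of one member's capacity:
        utilisation above scale_up_at adds a member, below scale_down_at
        removes one, and the cooldown stops the loop from flapping."""
        members = self.pool.members
        utilisation = demand / max(len(members), 1)
        if self.cooldown > 0:
            self.cooldown -= 1
            action = "cooldown"
        elif utilisation > self.scale_up_at and len(members) < self.max_members:
            addr = self.provision_vm()       # 1. VM provision (vCenter)
            self.add_to_pool(addr)           # 2. F5 provision: traffic only now
            self.cooldown = self.cooldown_ticks
            action = f"scale-up {addr}"
        elif utilisation < self.scale_down_at and len(members) > self.min_members:
            addr = members[-1]
            self.remove_from_pool(addr)      # 1. F5 deprovision: drain first
            self.deprovision_vm(addr)        # 2. VM deprovision (vCenter)
            self.cooldown = self.cooldown_ticks
            action = f"scale-down {addr}"
        else:
            action = "hold"
        self.log.append((demand, len(members), round(utilisation, 2), action))
        return len(members)


# Constructed demand series: a ramp up, a plateau, then a drop.
DEMAND_SERIES = [1.0, 1.8, 2.5, 3.0, 3.0, 1.0, 0.5, 0.4]


def run_simulation(demand_series=DEMAND_SERIES):
    """Run the loop; returns the pool size after each tick and the scaler."""
    scaler = AutoScaler(LoadBalancerPool(["10.0.0.10", "10.0.0.11"]))
    sizes = [scaler.step(d) for d in demand_series]
    for entry in scaler.log:
        print("demand=%.1f members=%d util=%.2f %s" % entry)
    return sizes, scaler


if __name__ == "__main__":
    run_simulation()
```

With the constructed series the pool grows from two members to four during the ramp and drops back to three once demand falls; the two "cooldown" ticks after each change are what keep a brief spike from provisioning and then immediately tearing down a VM.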
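The three steps on the slide "The Solution is Simple", together with the positive-security-augmenting-negative-security model from "Solution 2 - Application Firewall" and "Advanced Application Security Delivers....", shown as a small policy engine. This is an added example written for this page, not F5 ASM code and not any F5 API: the application objects, roles, parameter formats, attack signatures, sample requests and the leaking backend response are all constructed for illustration, and a real WAF carries far more normalisation and a far larger signature set than the handful of regular expressions here.

```python
# Toy application-firewall policy engine (added example, not F5 ASM code).
# Positive model: allow-list of application objects, roles and parameter
# formats. Negative model: generic attack signatures. Outbound: scrub server
# fingerprints and error text. All policy entries and traffic are constructed.
import re
from urllib.parse import urlsplit, parse_qs

# Positive security model: the objects a role may reach and what each
# parameter must look like. Anything not listed here is blocked.
POLICY = {
    "/account": {"roles": {"customer", "admin"},
                 "params": {"id": re.compile(r"\d{1,9}")}},
    "/admin/users": {"roles": {"admin"},
                     "params": {"page": re.compile(r"\d{1,3}")}},
    "/search": {"roles": {"anonymous", "customer", "admin"},
                "params": {"q": re.compile(r"[\w .\-]{1,64}")}},
}

# Negative security model: coarse signatures for attack classes the slides
# name (SQL injection, XSS, directory traversal). Illustrative, not complete.
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s+\d+\s*=\s*\d+|--\s*$"),
    "xss": re.compile(r"(?i)<\s*script|javascript:|\bon\w+\s*="),
    "directory_traversal": re.compile(r"\.\./"),
}

# Outbound scrubbing: fingerprints and internal error text must not reach
# the client (the "content scrubbing & application cloaking" bullet).
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
LEAK_PATTERNS = {
    "sql_error": re.compile(r"(?i)SQL syntax|ORA-\d{5}|syntax error at or near"),
    "stack_trace": re.compile(r"(?m)Traceback \(most recent call last\)|^\s+at \S+\(.*\)$"),
}


def inspect_request(url, role):
    """Return ("allow", None) or ("block", reason) for an inbound request.
    Positive checks run first, so an unknown object or parameter is blocked
    even when no signature matches; signatures then name obvious attacks."""
    parts = urlsplit(url)
    rule = POLICY.get(parts.path)
    if rule is None:
        return "block", f"unknown object {parts.path}"          # step 1
    if role not in rule["roles"]:
        return "block", f"role {role} not authorised for {parts.path}"
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        pattern = rule["params"].get(name)
        if pattern is None:
            return "block", f"unexpected parameter {name}"       # step 2
        for value in values:
            for attack, sig in SIGNATURES.items():
                if sig.search(value):
                    return "block", f"{attack} in parameter {name}"
            if not pattern.fullmatch(value):
                return "block", f"parameter {name} fails allowed format"
    return "allow", None


def scrub_response(status, headers, body):
    """Step 3, outbound: drop fingerprinting headers and replace a body that
    leaks internals with a generic page. Returns (status, headers, body, actions)."""
    actions, clean = [], {}
    for name, value in headers.items():
        if name.lower() in FINGERPRINT_HEADERS:
            actions.append(f"removed header {name}")
        else:
            clean[name] = value
    for leak, pattern in LEAK_PATTERNS.items():
        if pattern.search(body):
            actions.append(f"masked {leak}")
            return 500, clean, "An error occurred.", actions
    return status, clean, body, actions


# Constructed sample traffic: (url, authenticated role of the requester).
SAMPLE_REQUESTS = [
    ("/account?id=1042", "customer"),
    ("/account?id=abc", "customer"),
    ("/admin/users?page=1", "customer"),
    ("/search?q=' or 1=1 --", "anonymous"),
    ("/search?q=<script>alert(1)</script>", "anonymous"),
    ("/search?q=../../private/config", "anonymous"),
    ("/account?id=1042&debug=true", "customer"),
    ("/unlisted", "anonymous"),
]

# Constructed backend response that leaks a database error and a server banner.
SAMPLE_RESPONSE = (200, {"Server": "Apache/2.2.3", "Content-Type": "text/html"},
                   "<p>You have an error in your SQL syntax near 'x'</p>")


def run_demo():
    """Apply the policy to the samples; returns the inbound decisions."""
    decisions = [inspect_request(url, role) for url, role in SAMPLE_REQUESTS]
    for (url, role), (verdict, reason) in zip(SAMPLE_REQUESTS, decisions):
        print(f"{verdict:5} {role:9} {url}  {reason or ''}")
    print(scrub_response(*SAMPLE_RESPONSE))
    return decisions


if __name__ == "__main__":
    run_demo()
```

The point of checking the positive model first is the one the slides make about context: the request for an unlisted object or an unexpected debug parameter contains no attack string at all, and a purely signature-based device would pass it, whereas a definition of good behaviour blocks it without any signature.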