46. pe·rim·e·ter
1.the continuous line forming the boundary of a closed geometric figure.
"the perimeter of a rectangle"
synonyms: circumference, outside, outer edge
"the perimeter of a circle"
the outermost parts or boundary of an area or object.
"the perimeter of the garden"
synonyms: boundary, border, limits, bounds, confines, edge, margin, fringe(s),
periphery, borderline, verge; More
a defended boundary of a military position or base.
In Networking we call it…DMZ
48. Defense in depth
The principle of defense-in-depth is that layered security
mechanisms increase security of the system as a whole. If an
attack causes one security mechanism to fail, other mechanisms
may still provide the necessary security to protect the system……
Implementing a defense-in-depth strategy can add to the
complexity of an application, which runs counter to the “simplicity”
principle often practiced in security. That is, one could argue that
adding new protection functionality adds additional complexity that
might bring new risks with it.
https://www.owasp.org/index.php/Defense_in_depth
50. Perimeter Security Technologies
A long time ago… and then… present day… and now with F5!
Firewalls started out as
proxies
Stateless filters
accelerated firewalls, but
weakened security
Stateful firewalls added
security with deep
inspection, but still fall
short of proxies
F5 brings full proxy back
to firewalls: highest
security matched by a
high-scale and high-performance
architecture
F5 Agility 2014 50
51. Protecting against Threats is challenging
Webification of apps Device proliferation
71% of internet experts predict
most people will do work via web
or mobile by 2020.
95% of workers use at least
one personal device for work.
130 million enterprises will
use mobile apps by 2014
Evolving security threats Shifting perimeter
58% of all e-theft tied
to activist groups.
81% of breaches
involved hacking
80% of new apps will
target the cloud.
72% IT leaders have or will
move applications to the cloud.
F5 Agility 2014 51
55. BIG-IP Application Security Manager
BIG-IP ® ASM™ protects the applications your business relies on most and scales
to meet changing demands.
Multiple deployment
options
Visibility and
analysis
Comprehensive
protections
• Standalone or ADC add-on
• Appliance or Virtual edition
• Manual or automatic policy
building
• 3rd party DAST integration
• Visibility and analysis
• High speed customizable syslog
• Granular attack details
• Expert attack tracking
and profiling
• Policy & compliance reporting
• Integrates with SIEM software
• Full HTTP/S request logging
• Granular rules on every HTTP
element
• Client side parameter
manipulation protection
• Response checks for error &
data leakage
• AV integrations
F5 Agility 2014 55
56. Comprehensive Protections
BIG-IP ASM extends protection to more than application vulnerabilities
L7 DDOS
Web Scraping
Web bot
identification
XML filtering,
validation &
mitigation
XML Firewall
Geolocation
blocking
ICAP anti-virus
Integration
ASM
F5 Agility 2014 56
57. Network Threats Application
Threats
90% of security investment focused here Yet 75% of attacks are focused here
Attack Vectors
TCP SYN Flood
TCP Conn Flood
DNS Flood
HTTP GET Flood
Attack Vectors
HTTP Slow Loris
DNS Cache Poison
SQL Injection
Cross Site Scripting
F5 Agility 2014 57
60. Who’s Requesting Access?
Employees Partner Customer Administrator
Manage access based on identity
IT challenged to:
• Control access based on user-type and role
• Unify access to all applications (mobile, VDI, Web, client-server, SaaS)
• Provide fast authentication and SSO
• Audit and report access and application metrics
F5 Agility 2014 60
61. Security at the Critical Point in the Network
Physical
Virtual
Cloud
Storage
Total Application Delivery Networking
Services
Clients Remote
access
SSL
VPN
APP
firewall
F5 Agility 2014 61
62. BIG-IP APM Use Cases
Internet Secure Web Gateway
Accelerated Remote
Access
Internet Apps
Enterprise Data
& Apps
Federation
Cloud, SaaS,
and Partner
Apps
App Access Management
BIG-IP APM
OAM
VDI
Exchange
Sharepoint
F5 Agility 2014 62
63. Which Threat mitigation to use?
Content Delivery Network
Carrier Service Provider
Cloud-based DDoS Service
Cloud/Hosted Service
Network firewall with SSL inspection
Web Application Firewall
On-premise DDoS solution
Intrusion Detection/Prevention
On-Premise Defense
F5 Agility 2014 63
65. Full Proxy Security
Client / Server
Web application
Application
Session
Network
Physical
Application health monitoring and performance anomaly detection
HTTP proxy, HTTP DDoS and application security
SSL inspection and SSL DDoS mitigation
L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation
Client / Server
Web application
Application
Session
Network
Physical
F5 Agility 2014 65
66. F5 Provides Complete Visibility and Control
Across Applications and Users
DNS Web Access
Intelligent
Services
Platform
Users
Securing access to applications
from anywhere
Resources
Protecting your applications
regardless of where they live
Dynamic Threat Defense
DDoS Protection
Protocol Security
Network Firewall
TMOS
F5 Agility 2014 66
67. PROTECTING THE DATA CENTER
Use case
Load
Balancer
Firewall/VPN
• Consolidation of
firewall, app security,
traffic management
Network DDoS
DNS Security
Balancer & SSL
• Protection for data
centers and
application servers
Application DDoS
Web Application Firewall
Load
• High scale for the
most common
inbound protocols
Before f5
with f5
Web Access
Management
F5 Agility 2014 67
68. F5 Bringing deep application fluency to Perimeter security
One platform
SSL
inspection
Traffic
management
DNS
security
Access
control
Application
security
Network
firewall
EAL2+
EAL4+ (in process)
DDoS
mitigation
F5 Agility 2014 68
69. How do I implement
perimeter Security with
F5?
70. Reference Architectures
DDoS
Protection
S/Gi Network
Simplification
Security for
Service
Providers
Application
Services
LTE
Roaming
Migration
to Cloud
DevOps
Secure
Mobility
DNS
Cloud
Federation
Cloud
Bursting
F5 Agility 2014 70
71. Increasing difficulty of attack detection
DDoS MITIGATION
Presentation Application (7)
Physical (1) Data Link (2) Network (3) Transport (4) Session (5) (6)
Network attacks Session attacks Application attacks
OWASP Top 10 (SQL
Injection, XSS, CSRF,
etc.), Slowloris, Slow
Post, HashDos, GET
Floods
SYN Flood, Connection Flood, UDP Flood, Push and ACK
Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
BIG-IP ASM
Positive and negative
policy reinforcement,
iRules, full proxy for
HTTP, server
performance anomaly
detection
DNS UDP Floods, DNS Query
Floods, DNS NXDOMAIN Floods,
SSL Floods, SSL Renegotiation
BIG-IP LTM and GTM
High-scale performance, DNS
Express, SSL termination, iRules,
SSL renegotiation validation
BIG-IP AFM
SynCheck, default-deny posture, high-capacity connection
table, full-proxy traffic visibility, rate-limiting, strict TCP
forwarding.
Packet Velocity Accelerator (PVA) is a purpose-built,
customized hardware solution that increases scale by an order
of magnitude above software-only solutions.
OSI
stack
F5 mitigation technologies
OSI
stack
F5 mitigation technologies
F5 Agility 2014 71