30. Increased Protection from Attack Campaigns
• Threat Campaigns subscription service allows the F5 Security
Response Team (SRT) to identify coordinated attacks associated
with specific malicious actors, attack vectors, or techniques, and
provide a targeted and efficient mitigation directly to F5
customers (Early Access).
• Improved sensitive data masking obfuscates additional values
disclosing personal details about users and credit cards.
• Cyber attacks are becoming more sophisticated, and are often
coordinated by criminal organizations and/or nation states.
• Web application attacks are pervasive, with 53% of data breaches
initially targeting web apps (F5 Labs: Lessons Learned From a
Decade of Data Breaches).
• A data breach can be devastating to brand, reputation, and the
business.
33. Threat Campaign meta-data
• Campaign Name - a unique name
• Display Name - human readable
• Status - active, inactive
• First Observed, Last Observed, Last updated
• Risk - low, medium, high
• Attack Type – same as ASM signature attack type
• System – same as ASM signature system. Multiple values are possible.
• References, Description, Prevention, Target Information, Payload Analysis, Payload
Tactics, Prevention, Collateral Damage, Threat Actor Name, Threat Actor
Description, Intent, Malwares
34. Threat Campaigns Functionality
• Data plane
  • A new violation, "Threat Campaign detected", is raised
  • The Alarm and Block flags are set by default
  • Violation Rating is set to 5 if the "Threat Campaign detected" violation was raised
• Traffic Learning
  • The Policy Builder (PB) does not learn from a request with a detected Threat Campaign
  • Client Reputation of the source IP will be set to MALICIOUS
36. Threat Campaigns Staging
• Staging is supported and disabled by default
• Each threat campaign has a staging flag
• If Enable Campaign Staging is disabled, no threat campaign is in staging
• If Enable Campaign Staging is enabled, threat campaigns that were changed or added by
  dynamic update are put in staging
  • Note: the previous variant of an updated Threat Campaign is not enforced
    during staging
• Changing Enable Campaign Staging from disabled to enabled does not enable staging on an
  individual threat campaign that was already enforced before the change
• Staging period is 1 day (by default)
41. ASM::threat_campaign
• ASM::threat_campaign names
  • Returns a list with the names of the threat campaigns found in the transaction
• ASM::threat_campaign staged_names
  • Returns a list with the names of the staged threat campaigns found in the transaction
• Valid Events
  • ASM_REQUEST_DONE, ASM_REQUEST_VIOLATION, ASM_RESPONSE_VIOLATION, ASM_REQUEST_BLOCKING
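The staging behaviour and the two iRule commands above can be combined into a per-request log line that tells an operator whether a matched campaign was enforced (blocked) or only staged. The iRule below is an added example, not from the deck or from F5; it assumes the iRule is attached to a virtual server with an ASM policy, and it uses `ASM::status` and `ASM::client_ip`, which are existing iRule commands not listed on this slide.

```tcl
# Added example (not from the original deck): report Threat Campaign matches
# per request, separating staged campaigns (reported but not enforced) from
# enforced ones. Attach to a virtual server that has an ASM policy assigned.
when ASM_REQUEST_DONE {
    # Every campaign matched in this transaction, staged or enforced
    set campaigns [ASM::threat_campaign names]
    # The subset still in staging: these raise the violation but do not
    # block on their own (staging period is 1 day by default)
    set staged [ASM::threat_campaign staged_names]

    # Nothing matched: keep the log quiet
    if { [llength $campaigns] == 0 } {
        return
    }

    foreach name $campaigns {
        if { [lsearch -exact $staged $name] >= 0 } {
            set mode "staged"
        } else {
            set mode "enforced"
        }
        # ASM::status is "blocked" or "passed" for the request as a whole;
        # ASM::client_ip is the client address as seen by ASM (assumed to be
        # available in this event, as in the standard iRule reference)
        log local0. "TC_MATCH client=[ASM::client_ip] campaign=$name mode=$mode request=[ASM::status]"
    }
}
```

A campaign that shows up as `mode=staged` with `request=passed` is the case the staging slide describes: the new variant matched but was not enforced, so its previous variant did not block either.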
43. Clicking on 'Jacken' results in a request to a URL with positional parameters:
/damen/mode/jacken
50. Parameter validation
• Parameter validation is defined separately
• The wildcard expression in the positional parameter definition is used
  for correct parsing only
67. What LTM features are available on ASM?
Starting with BIG-IP ASM version 13.1.0.1, the following LB capabilities have been
added to ASM (with no need for an LTM license):
• Up to 3 Pool Members
• LB Methods Supported
  • Round Robin
  • Ratio (member)
  • Ratio (node)
68. What LTM features are available on AWAF?
Starting with BIG-IP version 13.1.0.2, the following LTM features are part of the
AWAF (Advanced WAF) license:
Load Balancing
• No limit on the number of IP Pool Members
• LB Methods Supported
  • Round Robin
  • Ratio (member)
  • Least Connections (member)
  • Ratio (node)
  • Least Connections (node)
  • Weighted Least Connection (member)
  • Weighted Least Connection (node)
  • Ratio Least Connection (member)
  • Ratio Least Connection (node)
Persistence
• Cookie Persistence
• Source Address
• Host
• Destination Address
75. Chart data:
• 56% - Case by case, per application
• 26% - Type of end user of the application
• 30% - Determined by IT
76. Chart data:
• 56% - Applying consistent security policy across all company applications
• 25% - Gaining visibility into application health
• 34% - Optimize the performance of applications
78. Per-App VE vs. VE
                                    Per-App VE                          VE
# of Applications Supported         1 Virtual IP* & 3 virtual servers   No Limit
App Services                        LTM, WAF                            GBB (all app services)
Throughput Instances                25M, 200M                           25M, 200M, 1G, 3G, 5G, 10G
Consumption Models                  Subscription, ELA, Perpetual        Subscription, ELA, Perpetual, PAYG
Code base (TMOS)                    Same                                Same
Ecosystem Support (Private Cloud,   Same                                Same
Container Integration)
(* - 1 wild-card included in Virtual IP)
80. n=2217. Q: Think about your applications that are deployed in different types of clouds. How many different providers do you estimate your organization is using?
• Are the applications consolidated or spread across multiple environments (on-prem, multi-cloud)?
  • Consolidated in a single location/DC = multi-app VE or appliance
  • Distributed = Cloud Edition
• Is it architecturally better to deploy ADC+WAF flexibly wherever the application is?
  Do I need to move applications around flexibly?
  • With CE, the technology goes where the application is.
  • With the classic multi-app solution, the application is where the ADC&WAF is installed.
• Do I want ADC+WAF isolated per application, including analytics and security policies?
  • CE sees applications in isolation
  • Multi-app solution = handled at the level of a single box/VM
• I want automated deployment and automatic scaling of virtual machines.
  • CE = overview of active VMs across all environments + deployment templates and a
    REST API for automation
  • BIG-IQ Max is part of the solution!
102. New Use Cases | Competitive Catch-Up | Usability, Visibility and Automation
104. • UDP Rate Pacing helps service providers offer differentiated
traffic services by limiting the effect of UDP on the network.
• In v14.0 we offer early access to TLS 1.3 support, a proposed
standard that improves transport security and performance.
• Offering a next-generation HTML5 and JavaScript based dashboard
that has a modern look and simplifies customization.
• Due to the increase in mobile traffic and video streaming, service
providers sometimes want to control the usage of UDP-based traffic
on their networks.
• Customers continuously face security challenges and therefore
need products and services that keep pace with new and current
security standards.
• Need for better visibility and functionality than Adobe Flash Player.
114. • Large Zone Support will allow millions of zones to be hosted with
the possibility of several updates per second.
• The EDNS0 Client Subnet option conveys client network information
and lets network admins have more granular control over load
balancing decisions, along with providing a better end user
experience.
• Enhanced DNS Cache Statistics provide better visibility and
usability, plus additional stats that help DNS admins keep the cache
running successfully.
• Service Providers need the ability to add millions of zones in DNS
Express with the possibility of several updates per minute.
• Customers currently have difficulty making Global Load Balancing
decisions because the source IP the authoritative name servers
see is not the same as the Client IP.
• The current set of DNS Cache stats is limited, not adequate, and
has limited usability.
116. • The FIX-LL TurboFlex profile provides low latency and jitter, ensuring
there is not even a microsecond of delay. This is really useful in high-
frequency trading programs.
• New enhancement to the security TurboFlex profile, where AFM offers
HW accelerated >8
• Local Attestation TPM Chain of Custody provides an automatic
way to detect any tampering by comparing the "Good" value to
the known values every time the system starts.
• Customers in the Financial Market need low latency and need it
consistently.
• In the security market customers need hardware accelerated
number >8.
• It is difficult for customers to check for tampering manually.
118. Customer Challenges
F5 Solution – 1 Boot Location BIG-IP VE Images
• Standard 2 Boot Location BIG-IP Virtual Edition images require
more disk space (provisioning additional room to facilitate rolling
version upgrades), which is both more costly and slower to spin up
• 1 Boot Location BIG-IP VEs take up considerably less disk (50%)
and therefore can be spun up much faster, reducing total
deployment times
• Available as a BYOL listing on the AWS, Azure and Google Cloud
Marketplaces across 2 image types:
  • F5 BIG-IP Virtual Edition - LTM and DNS (supports only the
    LTM and DNS modules)
  • F5 BIG-IP Virtual Edition - All (runs all supported VE
    products, including Advanced WAF, Per-App VE and all core
    BIG-IP modules)
120. Continued Reduction of VE Spin Up and Boot Time
• Struggling with auto scale scenarios—specifically having to set low
threshold triggers for VE auto scale burst scenarios
• Current perception is that slow spin up and boot times for Virtual
Editions and Per-App VE (Cloud Edition) equate to a lack of cloud
readiness
• Continuation of 13.0 (Evergreen) release efforts to reduce spin up/boot
time for ASM and LTM VE instances
  • ASM:
    • ~42% reduction from 13.0.0 to 13.1.0.5
    • ~10% incremental reduction from 13.1.0.5 to 13.1.0.8
  • LTM:
    • ~45% reduction from 13.0.0 to 13.1.0.5
    • ~8% incremental reduction from 13.1.0.5 to 13.1.0.8
• Helps customers avoid setting conservative thresholds for VE auto scale
and bursting scenarios
  • Some qualitative estimates put VE auto scale at ~50% of public
    cloud usage
• Dispels incorrect assumptions about an organization's cloud readiness—
this may help solidify F5's position as "trusted advisor"
122. Stand-Alone Solutions | New Use Cases | Usability, Visibility and Automation
New Use Cases
Advanced WAF
• Threat Campaigns – protection against targeted attacks
• Increased Sensitive Data Masking
• Cookie modifications
• Improved single page app support – Cross Origin Requests
DDoS Hybrid Defender
• Improved Detection and Response Efficiency
• Compliance checks for DNS, FTP, and HTTP protocols
Access Manager
• VMware Workspace ONE integration
• Device posture check for MS Office clients
• Authorization server support for OpenID Connect
SSL Orchestrator
• Inbound traffic inspection and steering
• Explicit proxy auth
• Virtual Clustered Multiprocessing (vCMP)
AFM
• Protocol inspection for DNS, FTP, and HTTP
• New vectors protect against attacks for NXdomain, SSL (renegotiation, flood, and
  incomplete handshake), non-TCP connection rate limit, and listener mismatch
Stand-Alone Solutions
Advanced WAF
• Differentiated with anti-bot, layer 7 DoS defense, and credential protection
DDoS Hybrid Defender
• Automated attack mitigation, layer 4-7 defense, and seamless integration
Access Manager
• Identity-aware access control proxy
SSL Orchestrator
• More than visibility: orchestration with dynamic traffic steering and policy-based
  security chains
AFM
• High performance carrier-class firewall, with integrated IPS signatures and DoS protection
Usability, Visibility and Automation
Advanced WAF / ASM
• Layered Policy Enhancements
• URL Positional Parameters Support
• Disallowed Wildcards
• Expanded health monitoring
• Exporting incidents
• Exporting learning suggestions
• Improved violation details
• Guided configurations
• Expand/collapse panes
• Single click for multi policy applications
DDoS Hybrid Defender
• Updated SOC oriented GUI
• Protected object stress monitoring
• Visual network configuration
Access Manager / APM
• Guided configuration for common access use cases
• Updated dashboard
SSL Orchestrator
• Visual policy editor
• Improved analytics
AFM
• Visual network configuration
• Updated and improved GUI
124. • Combining Workspace ONE and F5 gives customers simple and
secure access to any application on any device.
• Single Sign On (SSO) is available for all apps, including legacy
apps.
• Support for OAuth, JSON Web Tokens (JWT), mobile and HTML5
provides investment protection and allows for adoption of
emerging technologies.
• Adoption of VMware Workspace ONE can be challenging for
organizations with many applications and/or legacy applications.
• IT struggles to offer a consistent experience for application access.
• Special considerations are needed for technologies such as mobile
and HTML5.
126. • A re-designed user interface provides better alignment with
security personas.
• Terminology has been simplified for DoS Protection.
• You now configure protected objects (instead of virtual servers)
and protection profiles (instead of DoS profiles).
• DDoS is a specific type of attack with specific considerations.
• Security buyers are not always familiar with NetOps terminology or
ADC configuration.
• Incumbent solutions have standardized on DDoS terminology.