F5 Novinky: Zabezpečení aplikací proti hrozbám

Novinky F5
12. září, Praha, Vinohradský pivovar
Filip Kolář, Sales Manager F5, ČR
Radovan Gibala, Presales Engineer F5, ČR

The business
The reason people
use the Internet
The gateway
to DATA
the target
APPLICATIONS ARE

765Average # of
Apps in use per
enterprise
6 min
before it's scanned
If vulnerable, you
could be PWND in
<2 hours
1/3Mission critical

58%
56%
6%
4%
3%
2%
2%
1%
1%
PHP
SQL
Exchweb
Comments
Cart
Betablock
Admin
Affiliates
Login
Injection → PHP & SQL

2013 OWASP Top 10
1. Injection
2. Broken authentication and session
management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using components with known
vulnerabilities
10. Unvalidated redirects and forwards
2017 OWASP Top 10
1. Injection
2. Broken authentication
4. XML external entities (XXE)
5. Broken access control
8. Insecure deserialization
vulnerabilities
10. Insufficient logging
and monitoring
2013 OWASP Top 10
1. Injection
2. Broken authentication and session
management
4. Insecure direct object references
7. Missing function level access control
8. Cross-site request forgery (CSRF)
vulnerabilities
10. Unvalidated redirects and forwards
2017 OWASP Top 10
1. Injection
2. Broken authentication
4. XML external entities (XXE)
5. Broken access control
8. Insecure deserialization
vulnerabilities
10. Insufficient logging
and monitoring

Affected Devices
2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018
7Bots
SORA
OWARI
UPnPProxy
OMNI
RoamingMantis
Wicked
VPNFilter
1Bot
Brickerbot
2Bots
WireX
Reaper
3Bots
Mirai
BigBrother
Rediation
1Bot
Remaiten
1Bot
Moon
1Bot
Aidra
1Bot
Hydra
3Bots
Satori Fam
Amnesia
Persirai
6Bots
Masuta
PureMasuta
Hide ‘N Seek
JenX
OMG
DoubleDoor
1Bot
Crash
override
1Bot
Gafgyt
Family
2Bots
Darlloz
Marcher
1Bot
Psyb0t
4Bots
Hajime
Trickbot
IRC Telnet
Annie
CCTV
DVRs
WAPs
Set-Top Boxes
Media Center
Android
Wireless Chipsets
NVR Surveillance
Busybox Platforms
Smart TVs
VoIP Devices
Cable Modems
ICS
74%Discovered
in last 2 years
SOHO routers
iOS
IP Cameras

Thingbot Attack Type
2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018
7Bots
SORA
OWARI
UPnPProxy
OMNI
RoamingMantis
Wicked
VPNFilter
1Bot
Brickerbot
2Bots
WireX
Reaper
3Bots
Mirai
BigBrother
Rediation
1Bot
Remaiten
1Bot
Moon
1Bot
Aidra
1Bot
Hydra
3Bots
Satori Fam
Amnesia
Persirai
6Bots
Masuta
PureMasuta
Hide ‘N Seek
JenX
OMG
DoubleDoor
1Bot
Crash
override
1Bot
Gafgyt
Family
2Bots
Darlloz
Marcher
1Bot
Psyb0t
4Bots
Hajime
Trickbot
IRC Telnet
Annie
DNS Hijack
DDoS
PDoS
Proxy Servers
Unknown…
Rent-a-bot
Install-a-bot
Multi-purpose Bot
Fraud trojan
ICS protocol monitoring
Tor Node
Sniffer
Credential Collector
Shifting from primarily
DDoS to multi-purpose
Crypto-miner

Articles Threat Blog
CISO to CISO
Thought Leadership Blog
General Threat Trends Phishing Encryption IoT (Attacker Hunt Series)

© 2016 F5 Networks 13
Gartner Magic Quadrant pro WAF 2018
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon
request from F5 Networks. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors
with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact.
Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
2017 2018

© F5 Networks, Inc 15
What Are Today’s Common Threats?
DDoS Attacks
Ransomware
Web Fraud
Credential Stuffing
Malware
Phishing
Malicious Bots

Bots, Bots, and More Bots
of Internet traffic
is automated
of 2016 web application
breaches involved
the use of bots
98.6M bots observed
Source: Internet Security Threat Report, Symantec, April 2017

Bots Client-Side Attacks
Malware
Ransomware
Man-in-the-browser
Session hijacking
Cross-site request forgery
Cross-site scripting
DDoS Attacks
SYN, UDP, and HTTP floods
SSL renegotiation
DNS amplification
Heavy URL
App Infrastructure Attacks
Man-in-the-middle
Key disclosure
Eavesdropping
DNS cache poisoning
DNS spoofing
DNS hijacking
Protocol abuse
Dictionary attacks
Web Application Attacks
API attacks
Injection
Cross-site request forgery
Malware
Abuse of functionality
Man-in-the-middle
Credential theft
Credential stuffing
Phishing
Certificate spoofing
Protocol abuse
Acommon
source of
many threat
vectors
Malware
Ransomware
Man-in-the-browser
Dictionary attacks
SYN, UDP, and HTTP floods
SSL renegotiation
DNS amplication
Heavy URL
API attacks
Injection
Malware
Abuse of functionality
Credential stuffing
Phishing

Web Scraping
Protection
Pro-Active Bot
Prevention
L7 DoS WAF
Proactive Bot Defense
SOLUTION
PROBLEM
Behavioural analysis to
identify malicious bots

SDK Integration - Appdome Overview
• “Fuses” within minutes SDK into
any App binary
• F5 account provides unlimited
apps fusion
• On-top defense to the SDK:
• anti-reverse engineering
• anti-debugging
• anti-tampering
Appdome: Integrate Apps with F5 Anti-Bot Mobile SDK

70
MILLION
427
MILLION
150
MILLION
3
BILLION
In the last 8 years more than 7.1 billion identities have been exposed in data breaches1
Major Credential Breaches
1) Symantec Internet Security Threat Report, April 2017
2) Password Statistics: The Bad, the Worse and the Ugly, Entrepreneur Media
117
MILLION
“Nearly 3 out of 4 consumers use duplicate passwords,
many of which have not been changed in five years or more”2
3 out of 4

Breached Credential
Database Comparison
WAF
Credential Stuffing Mitigation
SOLUTION
PROBLEM
Distributed brute
force protection

Source: Securelist, Kaspersky Lab, March 2017
DDoS for Hire
Low sophistication, high accessibility
• Accessible
Booters/stressers easy to find
• Lucrative
Profit margins of up to 95%
• Effective
Many DDoS victims pay up

Rate Limit to Protect the Server
Detect and Block Bots and Bad Actors
Create and Enforce Dynamic Signatures
Analyze Application Stress and
Continually Tune Mitigations.
Start of Attack
Identify Attackers
Advanced Attacks
Persistent Attacks
Multiple Layers
of Protection
Even basic attacks can take an unprotected
server down quickly.
Persistent attackers will adjust tools, targets,
sources and attack volume to defeat static
DOS defenses.
The f5 approach protects the server from the first moment
of the attack and then analyzes the attack tools, sources
and patterns to refine mitigations.
These sophisticated protections maximize application
availability while minimizing false positives.

WAF
Man-in-the-Browser malware
Online users
Credential Theft Using Malware
SOLUTION
PROBLEM

Increased Protection from Attack Campaigns
• Threat Campaigns subscription service allows the F5 Security
Response Team (SRT) to identify coordinated attacks associated
with specific malicious actors, attack vectors, or techniques, and
provide a targeted and efficient mitigation directly to F5
customers (Early Access).
• Improved sensitive data masking obfuscates additional values
disclosing personal details about users and credit cards.
• Cyber attacks are becoming more sophisticated, and are often
coordinated by criminal organizations and/or nation states.
• Web application attacks are pervasive, with 53% of data breaches
initially target web apps (F5 Labs: Lessons Learned From a
Decade of Data Breaches).
• Data breach can be devastating to brand, reputation, and the
business.

Threat Campaign meta-data
• Campaign Name - a unique name
• Display Name - human readable
• Status - active, inactive
• First Observed, Last Observed, Last updated
• Risk - low, medium, high
• Attack Type – same as ASM signature attack type
• System – same as ASM signature system. Multiple values are possible.
• References, Description, Prevention, Target Information, Payload Analysis, Payload
Tactics, Prevention, Collateral Damage, Threat Actor Name, Threat Actor
Description, Intent, Malwares

Threat Campaigns Functionality
• Data plane
• New violation Threat Campaign detected will be raised
• Alarm and Block flags are set by default
• Violation Rating is set to 5 if violation Threat Campaign detected was raised
• Traffic Learning
• PB does not learn from a request with detected Threat Campaign
• Client Reputation of the source IP will be set to MALICIOUS

Threat Campaigns Staging
• Staging is supported and disabled by default
• Each threat campaign has a staging flag
• If Enable Campaign Staging is disabled all threat campaigns are not in staging
• If Enable Campaign Staging is enabled threat campaigns that were changed or added by
dynamic update will be put in staging
• Note: previous variant of the updated Threat Campaign will not be enforced
during staging
• Changing Enable Campaign Staging from disabled to enabled does not enable staging on
individual threat campaign if it was enforced before this change
• Staging period is 1 day (by default)

Threat Campaigns Enforcement Readiness

Dynamic Update of Threat Campaigns

ASM::threat_campaign
• ASM::threat_campaign names
• Returns a list with the names of the threat campaigns found in the transaction
• ASM::threat_campaign staged_names
• Returns a list with the names of the staged threat campaigns found in the transaction
• Valid Events
• ASM_REQUEST_DONE, ASM_REQUEST_VIOLATION,
ASM_RESPONSE_VIOLATION, ASM_REQUEST_BLOCKING

Clicking on ‘Jacken’ results in request to
URL with positional parameters
/damen/mode/jacken

URL positional parameter examples
• /p/adidas-originals-shorts-492376302/
• /p/adidas-performance-essentials-linear-tee-t-shirt-491431832/
• /kindermode/maedchen/jacken/
• /kindermode/jungen/jacken/
• /committobasket/PRODUCTID/something

URL with Positional Parameters
• Positional parameters
• Positional parameters are global parameters embedded in URL

Link to parameter prod_id in policy

Parameter validation
• Parameter validation is defined
separately
• The wildcard expression in the
positional parameter definition is used
for correct parsing only

Positional parameter inspection

Positional parameter masked in logs

List of improvements
• Bad actors are shown Event Logs
• Improvements in log filtering
• Brute Force attack reporting improvements
• Apply policy for multiple policies
• Export learning suggestion
• Export incidents
• Policy properties page merged into policy list screen
• Violation details redesign

Filter Brute Force attacks by login URL

Apply policy for multiple policies

14.0.0 ASM Guided Configuration

14.0.0 ASM Policy Create, GUI improved for Server
Technology
v13.1.0 v14.0.0

14.0.0 ASM Policy summary
APM Policy properties moved to Policy List
v13.1.0 v14.0.0

14.0.0 ASM Policy edit, learning mode displayed in gui
header
v13.1.0 v14.0.0

14.0.0 ASM DoS Protection
v13.1.0 v14.0.0

14.0.0 ASM, DoS Protected Objects

14.0.0 ASM Reporting ASM Alerts

What are LTM features available on ASM?
Starting with BIG-IP ASM version 13.1.0.1
The following LB capabilities have been added to ASM (with no need for LTM
license)
• Up to 3 Pool Members
• LB Methods Supported
• Round Robin
• Ratio (member)
• Ratio (Node)

What are LTM features available on AWAF?
Starting with BIG-IP version 13.1.0.2 the following LTM features are part of
AWAF (Advanced WAF) license:
Load Balancing
• No limit on IP Pool Members number
• LB Methods Supported
• Round Robin
• Ratio (member)
• Least Connections (member)
• Ratio (node)
• Least Connections (node)
• Weighted Least Connection (member)
• Weighted Least Connection (node)
• Ratio Least Connection (member)
• Ratio Least Connection (node)
Persistency
• Cookie Persistency
• Source Address
• Host
• Destination Address

BIG-IP Advanced Web Application Firewall Module for i5X00 F5-ADD-BIG-AWF-I5XXX
47,245.00
36,220.00
18,895.00
BIG-IP Application Security Manager Module for i5X00 F5-ADD-BIG-ASM-I5XXX
31,495.00
24,145.00
12,595.00

ANTI-
DDoS
APP INFRASTRUCTURE
ANTI-DDoS
DNSTLS/SSL
ADVANCED WEB APPLICATION FIREWALL
Web Application
Attacks
App Infrastructure
Attacks
DDoS
Attacks
Client-Side
Attacks
ANTI-DDoS
BOT
DEFENSE
CREDENTIAL
PROTECTION
WEB ACCESS
MANAGEMENT WAF
IDENTITY
ACCESS
MGMT
IAM
DDoS Hybrid
Defender
Advanced
WAF
Access
Management
App Protection Framework
SSL
Orchestrator

8%13% 11% 68%
More than 100 (internal IT) 1 2-10

56%
Case by case,
per application
26%
Type of end user
of the application
30%
Determined
by IT

56% Applying consistent security policy
across all company applications
25% Gaining visibility into
application health
34% Optimize the performance
of applications

Per-App VE VE#
# of Applications Supported
1 Virtual IP* &
3 virtual servers
No Limit
App Services
• LTM
• WAF
GBB
(all app services)
Throughput Instances 25M, 200M
25M, 200M,
1G, 3G, 5G, 10G
Consumption Models
Subscription, ELA,
Perpetual
Subscription, ELA,
Perpetual, PAYG
Code base (TMOS) Same
Ecosystem Support
(Private Cloud, Container Integration)
Same
(* - 1 wild-card included in Virtual IP)

n=2217Q. Think about your applications that are deployed in different types of clouds. How many different providers do you estimate your organization is using?
• Jsou aplikace konsolidované nebo ve více prostředích (on-prem, multi-cloud)?
• Konsolidace do jednoho bodu/DC = multi-app VE nebo appliance
• Distribuované = Cloud Edition
• Je architektonicky výhodnější nasadit ADC+WAF flexibilně tam, kde je aplikace?
Potřebuju aplikace flexibilně přemísťovat?
• V případě CE jde technologie tam, kde je aplikace.
• U klasického multi-app řešení je aplikace tam, kde je instalované ADC&WAF.
• Chci ADC+WAF izolované pro aplikace včetně analytiky a security politik?
• CE vidí aplikace izolovaně
• Multi-app řešení = řešeno na úrovni jednoho boxu/virtuálky
• Chci automatizaci v nasazování a automatické škálování virtuálních strojů.
• CE = přehled o aktivních VM napříč všemi prostředími + deployment templaty a
REST API pro automatizaci
• BIG-IQ Max součástí řešení!

•
•
•
•
•
• App N
App 2
App 1
VE
VE
VE

Advanced Protection For More Applications
•
•
•
•
•
•
•

Self-service provisioning in seconds
•
•
•
•
© F5 Networks | CONFIDENTIAL

91© F5 Networks | CONFIDENTIAL
•
•
•
Per-App

93© F5 Networks | CONFIDENTIAL
•
•
•
*Additional environments planned

App N
App 2
App 1
NetOps
Application
Owners
SecOps BIG-IQ
6.0.1
App
Templates
VE
VE
VE

BIG-IP Cloud Edition Availability In Public/Private Clouds
Private Cloud
Public Cloud
*
#
*Full enablement of CE lifecycle management. Other clouds planned. | # ACI Unmanaged Mode.
#

ELA / Subscription / PAYG Perpetual
 
 
 
 
 

Balíček Cloud Edition se skládá:
• Min 20 ks Per-App virtuálních edic
• BIG-IQ v HA pro komponentu BIG-IQ a Service Scaling (funkce Autoscale a automatické upgrady)

Balíček Cloud Edition se skládá:
• Alespoň 20 ks Per-App virtuálních edic
• BIG-IQ v HA pro komponentu Service Scaling (funkce Autoscale a automatické upgrady)
• Součástí předplatného je technická podpora 24x7

New Use Cases Competitive Catch-Up Usability, Visibility and
Automation

• UDP Rate Pacing helps service provides provide differentiated
traffic services by limiting the effect of UDP on the network.
• In v14.0 we offer early access of TLS1.3 support which is a
proposed standard that improves transport security and
performance.
• Offering next generation HTML5 and JavaScript based
dashboard that has a modern look and simplifies customization.
• Due to an increase in mobile traffic and the video streaming,
service provides sometimes want to control the usage of UDP-
based traffic on their networks.
• Customers continuously face security challenges and therefore
need products and services that keep pace with new and current
security standards
• Need for better visibility and functionality than Adobe Flash Player

14.0.0 Dashboard (HTML)

14.0.0 Dashboard Customization

14.0.0 Profile, FTP
v13.1.0 v14.0.0

14.0.0 Profiles, ClientSSL, TLS1.3

14.0.0 Cipher Rules, Rule Audit
v13.1.0 v14.0.0

14.0.0 ServerSSL Profile, CRL and CRL File
v13.1.0 v14.0.0
CRL - Specifies the SSL client certificate constrained delegation
CRL object that the BIG-IP system's SSL should use. You can
click the + icon to open the create-new CRL object screen.
CRL File - Specifies the name of a file containing a list of
revoked server certificates.

14.0.0 System Service, Internal Proxies
Internal Proxies
Name - Displays the internal proxy name. You can click a name to open the properties screen for the internal
proxy.
DNS Resolver - Specifies the internal DNS resolver the BIG-IP system uses to fetch the internal proxy response.
Proxy Server Pool - Specifies the proxy server pool the BIG-IP system uses to fetch the internal proxy.
Route Domain - Specifies the route domain for fetching an internal proxy using HTTP forward proxy.
Port - Specifies the port.

14.0.0 System Platform, secondary management ip address

• Large Zone Support will allow millions of zones to be hosted with
the possibility of several updates per second.
• EDNS0 Client Subnet option conveys client network information
and lets network admin have more granular control over load
balancing decisions along with providing better end user
experience.
• Enhanced DNS Cache Statistics provides better visibility and
usability and additional stats that help DNS admin keep the cache
running successfully.
• Service Providers need the ability to add millions of zones in DNS
Express with the possibility of several updates per minute.
• Customers currently have difficulty making Global Load Balancing
decisions because the source IP the authoritative name servers
return is not the same as the Client IP.
• The current set of DNS Cache stats are limited, not adequate and
have limited usability.

• FIX-LL TurboFLex profile provide low latency and jitter ensuring
there is not even a microsecond delay. This is really useful in high
frequency trading programs.
• New enhancement to security TurboFlex profile where AFM offers
HW accelerated>8
• Local Attestation TPM Chain of Custody provides an automatic
way to detect any tempering by comparing the “Good” value to
the known values every time the system starts.
• Customers in Financial Market need low latency and need it
consistently.
• In security market customers need hardware accelerated
number>8.
• Difficult for customers to check for tempering manually.

Customer Challenges
F5 Solution – 1 Boot Location BIG-IP VE Images
• Standard 2 Boot Locations BIG-IP Virtual Edition images require
more disk space (provisioning additional room to facilitate rolling
version upgrades), which is both more costly and slower to spin up
• 1 Boot location BIG-IP VE’s take up considerably less disk (50%)
and therefore can be spun up much faster, reducing total
deployment times
• Available as a BYOL listing on AWS, Azure and Google Cloud
Marketplaces across 2 image types:
• F5 BIG-IP Virtual Edition - LTM and DNS (Supports only
LTM and DNS modules)
• F5 BIG-IP Virtual Edition - All (Runs all supported VE
products, including Advanced WAF, Per-App VE and all core
BIG-IP modules)

Continued Reduction of VE Spin Up and Boot Time
• Struggling with auto scale scenarios—specifically having to set low
threshold triggers for VE auto scale burst scenarios
• Current perception is that slow spin up and boot times for Virtual
Editions and Per-App VE (Cloud Edition) equates to a lack of cloud
readiness
• Continuation of 13.0 (Evergreen) release efforts to reduce spin up/boot
time for ASM and LTM VE instances
• ASM:
• ~42% reduction from 13.0.0 to 13.1.0.5
• ~10% incremental reduction from 13.1.0.5 to 13.1.0.8
• LTM:
• ~45% reduction from 13.0.0 to 13.1.0.5
• ~8% incremental reduction from 13.1.0.5 to 13.1.0.8
• Helps customers avoid setting conservative thresholds for VE auto scale
and bursting scenarios
• Some qualitative estimates put VE auto scale at ~50% of public
cloud usage
• Dispels incorrect assumptions about an organizations cloud readiness—
this may help solidify F5 position as “trusted advisor”

Stand-Alone Solutions New Use Cases Usability, Visibility and
Automation
Advanced WAF
• Threat Campaigns – protection against targeted
attacks
• Increased Sensitive Data Masking
• Cookie modifications
• Improved single page app support – Cross
Origin Requests
DDoS Hybrid Defender
• Improved Detection and Response Efficiency
• Compliance checks or DNS, FTP, and HTTP
protocols
Access Manager
• VMWare Workspace ONE integration
• Device posture check for MS Office clients
• Authorization server support for OpenID
Connect
SSL Orchestrator
• Inbound traffic inspection and steering
• Explicit proxy auth
• Virtual Clustered Multiprocessing (vCMP)
AFM
• Protocol inspection for DNS, FTP, and HTTP
• New vectors protect against attacks for
NXdomain, SSL (renegotiation, flood, and
incomplete handshake), non-TCP connection rate
limit, and listener mismatch
Advanced WAF
• Differentiated in with ant-bot, layer 7 DoS
defense, and credential protection
• Automated attack mitigation, layer 4-7
defense, and seamless integration
Access Manager
• Identity-aware access control proxy
SSL Orchestrator
• More than visibility, orchestration with dynamic
traffic steering and policy-based security
chains
AFM
• High performance carrier-class firewall, with
integrated IPS signatures and DoS protection
Advanced WAF / ASM
• Layered Policy Enhancements
• URL Positional Parameters Support
• Disallowed Wildcards
• Expanded health monitoring
• Exporting incidents
• Exporting learning suggestions
• Improved violation details
• Guided configurations
• Expand/collapse panes
• Single click for multi policy applications
• Updated SOC oriented GUI
• Protected object stress monitoring
• Visual network configuration
Access Manager / APM
• Guided configuration for common access use cases
• Updated dashboard
SSL Orchestrator
• Visual policy editor
• Improved analytics
AFM
• Visual network configuration
• Updated and improved GUI

• Combining Workspace ONE and F5 gives customers simple and
secure access to any application on any device.
• Single Sign On (SSO) is available for all apps, including legacy
apps.
• Support for Oauth, Java Web Tokens, mobile and HTML 5
provide investment protection and allows for adoption of
emerging technologies.
• Adoption of VMware Workspace ONE can be challenging for
organizations with many applications and/or legacy applications.
• IT struggles to offer a consistent experience for application access.
• Special considerations are needed for technologies such as mobile
and HTML5.

• A re-designed user interface provides better alignment with
security personas.
• Terminology has been simplified for DoS Protection.
• You now configure protected objects (instead of virtual servers)
and protection profiles (instead of DoS profiles).
• DDoS is a specific type of attack with specific considerations.
• Security buyers are not always familiar with NetOps terminology or
ADC configuration.
• Incumbent solutions have standardized on DDoS terminology.

14.0.0 AFM, Protocol Security Inspection Dashboard

14.0.0 Protocol Security Inspection update

14.0.0 AFM Address List and Port list moved to Shared Objects
v13.1.0 v14.0.0

14.0.0 DoS, Device Configuration
v13.1.0 v14.0.0

14.0.0 Reporting Network address translation

F5 Novinky: Zabezpečení aplikací proti hrozbám

F5 Novinky: Zabezpečení aplikací proti hrozbám

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to F5 Novinky: Zabezpečení aplikací proti hrozbám

Similar to F5 Novinky: Zabezpečení aplikací proti hrozbám (20)

More from MarketingArrowECS_CZ

More from MarketingArrowECS_CZ (20)

Recently uploaded

Recently uploaded (20)

F5 Novinky: Zabezpečení aplikací proti hrozbám