Datacenter Security

Turo Siira, System Engineer, F5 Networks

Uploaded by hipshorseheads under Servers, 17 Nov 2013 (3 years and 10 months ago), 105 views

Maintaining Security Today Is Challenging

Four trends make this harder: webification of apps, device proliferation, evolving security threats and a shifting perimeter.

- 71% of internet experts predict most people will do work via web or mobile by 2020.
- 95% of workers use at least one personal device for work.
- 130 million enterprises will use mobile apps by 2014.
- 58% of all e-theft is tied to activist groups.
- 81% of breaches involved hacking.
- 80% of new apps will target the cloud.
- 72% of IT leaders have moved or will move applications to the cloud.

Datacenter Security Needs

- To scale: for a work-anywhere / SSL-everywhere world.
- To secure: applications and data against sustained attacks.
- To simplify: replace point solutions and complex firewall configurations.

Attack classes and the BIG-IP module that mitigates each

Application attacks: Slowloris, Slow Post, HashDos, GET floods.
  Mitigated by BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.

Network attacks: SYN flood, connection flood, UDP flood, PUSH and ACK floods, Teardrop, ICMP floods, ping floods and Smurf attacks.
  Mitigated by BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate limiting, strict TCP forwarding.

Session attacks: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation.
  Mitigated by BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.

Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

Figure: F5 mitigation technologies mapped onto the OSI stack, from Physical (1), Data Link (2), Network (3), Transport (4), Session (5) and Presentation (6) up to Application (7), on an axis of increasing difficulty of attack detection.

DDoS Mitigation Use Case: Protecting the Datacenter

Before F5: separate point devices for load balancer, DNS security, network DDoS, web application firewall and web access management.

With F5: a single BIG-IP providing load balancer and SSL, application DDoS and firewall.

- Consolidation of firewall, application security and traffic management
- Protection for data centers and application servers
- High scale for the most common inbound protocols

SSL

- Gain visibility into and detection of SSL-encrypted attacks
- Achieve a high-scale, high-performance SSL proxy
- Offload SSL and reduce load on application servers

Figure: SSL inspection on VIPRION.

iRules with Security: HashDos / "Post of Doom"

- The HashDos ("Post of Doom") vulnerability affects all major web servers and application platforms: a single POST carrying thousands of parameter names chosen to collide in the server's hash table forces worst-case insertion cost and exhausts CPU on the back end.
- A single DevCentral iRule mitigates the vulnerability for all back-end services.
- Staff can schedule patches for back-end services on their own timeline.
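The same idea as the DevCentral iRule, written here as an added Python example (not the iRule itself and not F5 code) so it can be run: a front-end check that counts form fields as the body streams in and rejects the request before a hash-collision payload ever reaches the back-end parser. The limits MAX_PARAMS, MAX_BODY and MAX_FIELD are assumed values.

```python
"""
Added example, not the DevCentral iRule and not F5 code: a front-end
parameter-count limit of the kind the slide describes, written in Python so
it can run here. MAX_PARAMS, MAX_BODY and MAX_FIELD are assumed values.
"""
from typing import Iterable, Tuple

MAX_PARAMS = 1000        # assumption: well above any legitimate form
MAX_BODY = 1 << 20       # assumption: 1 MiB cap on form bodies
MAX_FIELD = 64 * 1024    # assumption: cap on a single unterminated field


def count_fields(data: bytes) -> int:
    """Count '&'-separated fields without building a dict, so the counter
    itself cannot be driven into hash collisions by the attacker's keys."""
    return sum(1 for seg in data.split(b"&") if seg)


def check_request(method: str, query: str, headers: dict,
                  body_chunks: Iterable[bytes]) -> Tuple[bool, str]:
    """Return (allow, reason). body_chunks is the body as it streams in, so
    the limit is enforced before the request is buffered or forwarded."""
    n = count_fields(query.encode())
    if n > MAX_PARAMS:
        return False, f"query string carries {n} parameters"
    ctype = headers.get("content-type", "").lower()
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return True, f"{n} query parameters, no form body"
    seen, carry = 0, b""
    for chunk in body_chunks:
        seen += len(chunk)
        if seen > MAX_BODY:
            return False, "form body exceeds MAX_BODY"
        parts = (carry + chunk).split(b"&")
        carry = parts.pop()                       # incomplete last field
        if len(carry) > MAX_FIELD:
            return False, "single field exceeds MAX_FIELD"
        n += sum(1 for p in parts if p)
        if n > MAX_PARAMS:
            return False, f"{n}+ parameters exceeds MAX_PARAMS"
    if carry:
        n += 1
    if n > MAX_PARAMS:
        return False, f"{n} parameters exceeds MAX_PARAMS"
    return True, f"{n} parameters"


# Constructed inputs: a normal form post and a flood of distinct keys
FORM = {"content-type": "application/x-www-form-urlencoded"}
LEGIT = [b"user=alice&q=acme&page=2"]
FLOOD = [b"&".join(b"k%d=1" % i for i in range(50_000))]

if __name__ == "__main__":
    print(check_request("POST", "", FORM, LEGIT))   # (True, '3 parameters')
    print(check_request("POST", "", FORM, FLOOD))   # rejected
```

Python's own urllib.parse.parse_qs and parse_qsl accept a max_num_fields argument and raise ValueError past it, which is the same mitigation applied inside one application; the front-end check above is what buys the time the slide mentions, because it protects every back-end service before any of them is patched.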

iRules with Security: prioritize connections based on country

The whereis iRule command returns geolocation data for a client IP address: https://devcentral.f5.com/wiki/irules.whereis.ashx

Security at the Strategic Point of Control

Figure: total application delivery networking services sit between clients and the virtual, physical, cloud and storage tiers, providing remote access (SSL VPN), application firewall, network firewall and DNS security.

The Dynamics of the DNS Market

DNS demand comes from internet growth, 4G/LTE, DDoS protection and availability requirements.

Figure: average daily load for DNS (TLD), queries in billions, for the years '08 through '12 (plotted values as extracted: 77, 57, 39, 43, 50).

- It is typical for a single web page to consume 100+ DNS queries from active content, advertising and analytics.
- Global mobile data (4G/LTE) is driving the need for fast, available DNS: 86 MB/month for non-4G LTE versus 2.4 GB/month for 4G LTE, an 18x growth from 2011 to 2016.
- New ICANN TLDs will create new demands for scale.
- Attacks on DNS are becoming more common.

DNS services must be robust:

- Distributed, available, high-performance GSLB for multiple datacenters
- Cache poisoning attacks
- Reflection / amplification DDoS
- Drive for DNSSEC adoption
- Geographically dispersed DCs
- DNS capacity close to subscribers
- Total service availability

DNS the F5 Way

Figure: Internet -> external firewall -> DNS load balancing -> array of DNS servers in the DMZ -> internal firewall -> hidden master DNS (master DNS infrastructure).

Conventional DNS thinking:
- Adding performance = adding DNS boxes
- Weak DoS / DDoS protection

F5 paradigm shift:
- Massive performance, over 10M RPS
- Best DoS / DDoS protection
- Simplified management (partner)
- Less CAPEX and OPEX

F5 DNS Delivery Reimagined: DNS firewall, DNS DDoS protection, protocol validation, authoritative DNS, caching resolver, transparent caching, high-performance DNSSEC, DNSSEC validation, intelligent GSLB.

Network Firewall: BIG-IP Advanced Firewall Manager (AFM)

Packaging:
- Software license
- Supported on all platforms (BIG-IP VE, BIG-IP appliances and VIPRION)
- Standalone or added to LTM

Features:
- L4 stateful full-proxy firewall
- IPsec, NAT, advanced routing, full SSL, AVR, protocol security
- DDoS (TCP, UDP, DNS, floods, HTTP): over 80 attack types
- GUIs for configuring rules, logging, etc., all under a new Security tab

AFM GUI configuration:
- Main configuration under the new Security tab
- Context-aware rules can be configured at the object level

AFM DoS protection:
- Security > DoS Protection > Device Configuration
- Applied globally
- L2-L4 DoS attack vector detection and thresholding in hardware on platforms using the HSBe2 FPGA: BIG-IP 5000 series, BIG-IP 7000 series, BIG-IP 10000 series, VIPRION B4300 blade, VIPRION B2100 blade

IP Intelligence

- Identify and allow or block IP addresses with malicious activity
- Use IP intelligence to defend against attacks
- Reduce operational and capital expenses

Figure: the IP Intelligence Service feeds reputation data to BIG-IP, which classifies inbound sources such as scanners and internally infected devices and servers.

IP Intelligence Service management in the BIG-IP ASM UI:
- Easily manage alarms and blocking in ASM
- Approve desired IPs with a whitelist
- Policy building enabled for ignoring
- Easily configure violation categories

Web Application Security

Who is responsible for application security? Across the stack (clients, applications, infrastructure, storage) the answer is split between developers, engineering services, DBAs and network security.

What is ASM?
- Allows the security team to secure a website without changing the application code
- Provides comprehensive protection for all web application vulnerabilities, including (D)DoS
- Logs and reports all application traffic, attacks and usernames
- Educates the admin on attack type definitions and examples
- PCI compliance

How does it work? Security at the application, protocol and network level:

1. Request made
2. Security policy checked
3. Enforcement (actions: log, block, allow)
4. Server response
5. Security policy applied (content scrubbing, application cloaking)
6. Response delivered

"BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application."

Multiple Security Layers

- RFC enforcement
- Various HTTP limits enforcement
- Profiling of good traffic: a defined list of allowed file types, URIs and parameters
- Each parameter is evaluated separately for predefined value, length, character set and attack patterns
- Attack patterns: looking for pattern-matching signatures
- Responses are checked as well

The checks run in order, so a request is rejected at the first layer it fails:

1. Start by checking RFC compliance
2. Then check the various length limits in the HTTP request
3. Then enforce valid file types for the application
4. Then enforce a list of valid URLs
5. Then check against a list of valid parameters
6. Then, for each parameter, check the maximum value length
7. Then scan each parameter, the URI and the headers for attack signatures

Example request walked through those layers (the \r\n markers show the CRLF line terminators the RFC check parses; the query parameters name=Acme's and admin=1 are the elements the parameter stages inspect):

GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n
Host: 172.29.44.44\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;\r\n
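The seven layers above applied in order to that request, as an added Python example (not ASM code, which is configured rather than written): the limits, the allow-lists and the short signature list are constructed for the example, and the request is the slide's request with CRLF terminators. The walk-through stops at the first violation, which for the slide's request is the unknown parameter admin; with admin removed it is the apostrophe in Acme's, caught by the per-parameter character set at layer 7.

```python
"""
Added example, not ASM code: a minimal positive-security policy that applies
the seven layers above, in order, to a raw HTTP request and reports the
first violation. The limits, allow-lists (ALLOWED_TYPES, ALLOWED_URLS,
PARAMS) and the tiny signature list are constructed for the example.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Layer 2: HTTP length limits (assumed values)
MAX_REQUEST_LINE, MAX_HEADER_LINE, MAX_HEADERS = 2048, 1024, 32
# Layers 3-6: what the application legitimately uses (constructed)
ALLOWED_TYPES = {"php", "html", "css", "js", "png"}
ALLOWED_URLS = {"/search.php", "/index.php"}
PARAMS = {  # name -> (max value length, allowed character set)
    "name": (64, re.compile(r"^[A-Za-z0-9 \-]*$")),
    "q": (64, re.compile(r"^[A-Za-z0-9 \-]*$")),
}
# Layer 7: a few negative-security signatures (constructed, illustrative)
SIGNATURES = [
    ("sql_quote_comment", re.compile(r"'.*(--|#|/\*)")),
    ("sql_union_select", re.compile(r"(?i)union\s+select")),
    ("xss_script_tag", re.compile(r"(?i)<script")),
    ("path_traversal", re.compile(r"\.\./")),
]
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^[A-Za-z0-9\-]+:.*$")


def check_request(raw: bytes) -> Optional[str]:
    """Return None if the request passes every layer, else 'layerN: reason'."""
    # Layer 1: RFC compliance: CRLF framing, ASCII, well-formed request and header lines
    if b"\r\n" not in raw or re.search(rb"(?<!\r)\n", raw):
        return "layer1: bare LF / missing CRLF framing"
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return "layer1: non-ASCII bytes in request head"
    lines = [l for l in head.split("\r\n") if l]
    m = REQUEST_LINE.match(lines[0]) if lines else None
    if not m:
        return "layer1: malformed request line"
    headers = lines[1:]
    if any(not HEADER_LINE.match(h) for h in headers):
        return "layer1: malformed header line"
    if not any(h.lower().startswith("host:") for h in headers):
        return "layer1: HTTP/1.1 request without Host header"
    # Layer 2: length limits
    if len(lines[0]) > MAX_REQUEST_LINE:
        return "layer2: request line too long"
    if len(headers) > MAX_HEADERS or any(len(h) > MAX_HEADER_LINE for h in headers):
        return "layer2: header count or header length exceeded"
    target = m.group(2)
    url = urlsplit(target)
    path = url.path
    # Layer 3: file type (extension of the last path segment)
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    if ext and ext not in ALLOWED_TYPES:
        return f"layer3: file type '{ext}' not allowed"
    # Layer 4: URL allow-list
    if path not in ALLOWED_URLS:
        return f"layer4: URL '{path}' not in allow-list"
    # Layer 5: parameter allow-list
    params = parse_qsl(url.query, keep_blank_values=True)
    for name, _ in params:
        if name not in PARAMS:
            return f"layer5: parameter '{name}' not allowed"
    # Layer 6: per-parameter maximum value length
    for name, value in params:
        if len(value) > PARAMS[name][0]:
            return f"layer6: parameter '{name}' exceeds {PARAMS[name][0]} bytes"
    # Layer 7: character set per parameter, then signatures over params, URI and headers
    for name, value in params:
        if not PARAMS[name][1].match(value):
            return f"layer7: parameter '{name}' has illegal characters"
    scan = ([("uri", target)] + [("header", h) for h in headers]
            + [(f"param {n}", v) for n, v in params])
    for where, text in scan:
        for sig_name, sig in SIGNATURES:
            if sig.search(text):
                return f"layer7: signature {sig_name} in {where}"
    return None


# The request from the slide, reconstructed with CRLF terminators (constructed)
SAMPLE = (
    b"GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
    b"Host: 172.29.44.44\r\n"
    b"Connection: keep-alive\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    b"Referer: http://172.29.44.44/search.php?q=data\r\n"
    b"Accept-Encoding: gzip,deflate,sdch\r\n"
    b"Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n"
    b"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
    b"Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(check_request(SAMPLE))                            # layer5: parameter 'admin' not allowed
    print(check_request(SAMPLE.replace(b"&admin=1", b"")))  # layer7: parameter 'name' has illegal characters
```

Because the layers are ordered cheapest-first, a malformed or oversized request is dropped before any allow-list or signature work is done, which is what keeps a positive-security policy usable under load.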


Streamlined Deployment Options

Prebuilt application policies for mission-critical applications, and a rapid deployment policy for any custom application (HR, finance, sales and marketing apps):

- Out-of-the-box protection
- Prebuilt, preconfigured and validated policies
- Immediate security covering 80% of events
- Minimal configuration time, and a starting point for more advanced policy creation

Three Ways to Build a Policy

- Automatic: the dynamic policy builder requires no knowledge of the app and adjusts policies if the app changes
- Manual: advanced configuration for custom policies
- Integration with application scanners: virtual patching with continuous application scanning

Attack Expert System in ASM

The attack expert system makes responding to vulnerabilities faster and easier: violations are represented graphically, with an info tooltip (step 1: click on it) that explains the violation, and the entire HTTP payload of each event is logged.

Detailed Logging with Actionable Reports

- At-a-glance PCI compliance reports
- Drill-down for information on security posture

Computational DoS Mitigation in HTTP (L7): Application Security Manager

- Transactions-per-second (TPS) based anomaly detection: detect and mitigate DoS attacks based on client-side behaviour, i.e. a source sending requests at a rate far above its learned baseline.
- Latency-based anomaly detection: detect and mitigate attacks based on server-side behaviour, i.e. a rise in response latency that shows the application is being exhausted, whichever clients are causing it.
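Both detectors, as an added Python example (not ASM's implementation): a per-source sliding-window TPS check against a learned baseline for the client side, and an exponentially weighted latency average against its baseline for the server side, run over a constructed access log with 60 seconds of normal traffic followed by a 200 req/s burst. The window, multipliers, minimum TPS and learning period are assumptions.

```python
"""
Added example, not ASM code: the two L7 DoS detectors described above,
TPS-based (client side) and latency-based (server side), run over a
constructed access log. Window, ratios and learning period are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean


@dataclass
class Event:
    ts: float          # request time, seconds
    src: str           # client IP
    latency_ms: float  # server response time


class TpsDetector:
    """Client side: flag a source whose rate in the last `window` seconds
    exceeds max(min_tps, factor * the source's learned baseline)."""

    def __init__(self, window=1.0, factor=5.0, min_tps=20):
        self.window, self.factor, self.min_tps = window, factor, min_tps
        self.recent = defaultdict(deque)   # src -> timestamps inside the window
        self.baseline = {}                 # src -> learned requests/second

    def learn(self, events):
        span = max(1.0, events[-1].ts - events[0].ts)
        counts = defaultdict(int)
        for e in events:
            counts[e.src] += 1
        self.baseline = {src: n / span for src, n in counts.items()}

    def observe(self, e) -> bool:
        q = self.recent[e.src]
        q.append(e.ts)
        while q and q[0] < e.ts - self.window:
            q.popleft()
        tps = len(q) / self.window
        limit = max(self.min_tps, self.factor * self.baseline.get(e.src, 0.0))
        return tps > limit


class LatencyDetector:
    """Server side: flag when the EWMA of response latency exceeds
    factor * the learned baseline, whoever is sending the requests."""

    def __init__(self, baseline_ms, alpha=0.2, factor=3.0):
        self.baseline, self.alpha, self.factor = baseline_ms, alpha, factor
        self.ewma = baseline_ms

    def observe(self, e) -> bool:
        self.ewma = self.alpha * e.latency_ms + (1 - self.alpha) * self.ewma
        return self.ewma > self.factor * self.baseline


def make_log():
    """Constructed log: 60 s of two normal users, then a 200 req/s burst
    from one source while the server slows down for everyone."""
    log = []
    for t in range(60):
        log.append(Event(t, "10.0.0.1", 40.0))
        log.append(Event(t + 0.5, "10.0.0.2", 45.0))
    for i in range(200):
        log.append(Event(60 + i / 200, "10.0.0.9", 400.0))
    for t in range(60, 63):
        log.append(Event(t + 0.5, "10.0.0.1", 400.0))
    return sorted(log, key=lambda e: e.ts)


def run(log, learn_seconds=60.0):
    """Learn baselines from the first `learn_seconds`, then detect.
    Returns (sources flagged by TPS, timestamp of the first latency alarm)."""
    learn = [e for e in log if e.ts < learn_seconds]
    tps = TpsDetector()
    tps.learn(learn)
    lat = LatencyDetector(baseline_ms=mean(e.latency_ms for e in learn))
    flagged, alarm_ts = set(), None
    for e in log:
        if e.ts < learn_seconds:
            continue
        if tps.observe(e):
            flagged.add(e.src)
        if alarm_ts is None and lat.observe(e):
            alarm_ts = e.ts
    return flagged, alarm_ts


if __name__ == "__main__":
    print(run(make_log()))   # ({'10.0.0.9'}, 60.005)
```

The two signals are complementary: the TPS detector names the offending source and so supports a targeted block, while the latency detector fires on a distributed attack where no single source is fast, at the cost of not saying whom to block.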

Unified Access: BIG-IP Local Traffic Manager + Access Policy Manager

Figure: users connect through BIG-IP LTM + APM to directory, SharePoint, OWA, cloud and web servers (App 1 ... App n, each an app on its own OS) and hosted virtual desktops, with an AAA server behind the access policy.

Enabling simplified application access: an access policy can require, for example, a corporate-domain machine, the latest AV software and a current OS, and then route by identity (Administrator; User = HR -> HR resources).

- Proxy the web applications to provide authentication, authorization, endpoint inspection and more, all tying into Layer 4-7 ACLs through F5's Visual Policy Editor.

Enhancing Web Access Management

Figure: access policy using an SMS token.

APM SAML: how it works

Figure: business partners and end users reach login.example.com (APM, which validates credentials against Active Directory; ADFS is also present) and the service-provider applications sharepoint.example.com, OWA.example.com and portal.example.com (an Apache/Tomcat app) across data center 1 and data center 2, over public/private networks.

1. A domain user makes a SAML-supported request for a resource.
2. An SP-initiated POST is sent back to the client in the form of a redirect to https://login.example.com.
3. The client posts credentials to login.example.com; the credentials are validated against Active Directory.
4. A SAML assertion is generated and passed back to the client with a redirect to the requested application.
5. The client successfully logs on to the application with the SAML assertion.
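The exchange in steps 1 to 5 as an added Python simulation (not APM code): an SP that issues the AuthnRequest and validates the returned assertion, and an IdP that checks credentials and signs the assertion. login.example.com and portal.example.com are the slide's hostnames; the user store, the shared key and the use of an HMAC over JSON in place of XML-DSig are simplifications for the example. The SP-side checks (signature, issuer, audience, expiry, replay, InResponseTo) are the ones that matter in practice.

```python
"""
Added example, not APM code: a compact simulation of the SP-initiated SAML
exchange above, with the checks a service provider must perform before it
trusts an assertion. The IdP, SP, user store and key are constructed; an
HMAC over the assertion fields stands in for the XML signature a real IdP
would apply, and dict messages stand in for SAML XML.
"""
import hashlib
import hmac
import json
import secrets
import time

IDP_URL = "https://login.example.com"          # from the slide
SP_URL = "https://portal.example.com"          # from the slide
SIGNING_KEY = b"constructed-demo-key"          # assumption: stands in for the IdP key
USERS = {"alice": "correct horse"}             # constructed directory (stands in for AD)
ASSERTION_LIFETIME = 300                       # assumption: seconds


def sign(fields: dict) -> str:
    """Sign the assertion fields (signature field excluded) with the IdP key."""
    body = {k: v for k, v in fields.items() if k != "Signature"}
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


class ServiceProvider:
    def __init__(self):
        self.pending = {}   # AuthnRequest ID -> resource the user wanted
        self.used = set()   # assertion IDs already consumed (replay defence)

    def start_sso(self, resource: str) -> dict:
        """Steps 1-2: unauthenticated request becomes a redirect to the IdP."""
        req_id = "_" + secrets.token_hex(8)
        self.pending[req_id] = resource
        return {"redirect": IDP_URL,
                "AuthnRequest": {"ID": req_id, "Issuer": SP_URL}}

    def consume(self, assertion: dict, now: float) -> str:
        """Step 5: validate everything before establishing a session."""
        sig = assertion.get("Signature", "")
        if not hmac.compare_digest(sig, sign(assertion)):
            raise PermissionError("bad signature")
        if assertion["Issuer"] != IDP_URL:
            raise PermissionError("unexpected issuer")
        if assertion["Audience"] != SP_URL:
            raise PermissionError("assertion not intended for this SP")
        if now >= assertion["NotOnOrAfter"]:
            raise PermissionError("assertion expired")
        if assertion["ID"] in self.used:
            raise PermissionError("assertion replayed")
        if assertion["InResponseTo"] not in self.pending:
            raise PermissionError("unsolicited assertion")
        self.used.add(assertion["ID"])
        resource = self.pending.pop(assertion["InResponseTo"])
        return f"session for {assertion['Subject']} -> {resource}"


class IdentityProvider:
    def login(self, authn_request: dict, user: str, password: str, now: float) -> dict:
        """Steps 3-4: validate credentials, issue a signed assertion for the SP."""
        if not hmac.compare_digest(USERS.get(user, ""), password):
            raise PermissionError("invalid credentials")
        assertion = {
            "ID": "_" + secrets.token_hex(8),
            "Issuer": IDP_URL,
            "Audience": authn_request["Issuer"],
            "Subject": user,
            "InResponseTo": authn_request["ID"],
            "NotOnOrAfter": now + ASSERTION_LIFETIME,
        }
        assertion["Signature"] = sign(assertion)
        return assertion


def sso_flow(user, password, now=None, tamper=None, consume_at=None) -> str:
    """Run the full exchange; return the session string or 'denied: reason'.
    `tamper` overwrites assertion fields after signing (a forged assertion);
    `consume_at` lets the SP validate at a later time (expiry)."""
    now = time.time() if now is None else now
    sp, idp = ServiceProvider(), IdentityProvider()
    redirect = sp.start_sso("/reports")
    try:
        assertion = idp.login(redirect["AuthnRequest"], user, password, now)
        if tamper:
            assertion.update(tamper)
        return sp.consume(assertion, consume_at if consume_at is not None else now)
    except PermissionError as e:
        return f"denied: {e}"


def replay_demo(now: float = 1000.0) -> str:
    """Present the same valid assertion twice; the second attempt must fail."""
    sp, idp = ServiceProvider(), IdentityProvider()
    redirect = sp.start_sso("/reports")
    assertion = idp.login(redirect["AuthnRequest"], "alice", "correct horse", now)
    sp.consume(assertion, now)
    try:
        sp.consume(assertion, now)
        return "replay accepted"
    except PermissionError as e:
        return f"denied: {e}"
```

The order of the SP checks is deliberate: the signature is verified first so that every later field is known to come from the IdP, and the one-time-use set plus the pending-request map together reject both a replayed assertion and one the SP never asked for.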


TMOS and Platform: Full Proxy Security

Figure: BIG-IP as a full proxy between client and server, with independent client-side and server-side stacks at each layer (physical, network, session, application, web application), providing:

- L4 firewall: full stateful policy enforcement and TCP DDoS mitigation
- SSL inspection and SSL DDoS mitigation
- HTTP proxy, HTTP DDoS and application security
- Application health monitoring and performance anomaly detection

F5's Purpose-Built Design: Performance and Scalability

Optimized hardware using custom Field Programmable Gate Array (FPGA) technology, tightly integrated with TMOS and software. The embedded Packet Velocity Acceleration (ePVA) FPGA delivers:

- Linear scaling of performance
- High-performance interconnect between Ethernet ports and CPUs
- High L4 throughput and reduced load on the CPU
- Integrated hardware and software DDoS protection against large-scale attacks
- Predictable performance for low-latency protocols (FIX)

Figure: example of the unique F5 VIPRION architecture.

Platform Overview

Platform                        | Throughput (Gbps) | Max conc. conns | L4 CPS    | SSL TPS (2K keys) | HW SYN cookies/s
VIPRION 4800, 8 blades (B4340)  | 640               | 576,000,000     | 8,000,000 | 240,000           | 640,000,000
VIPRION 4480, 4 blades (B4340)  | 320               | 288,000,000     | 4,400,000 | 120,000           | 320,000,000
VIPRION 4480, 1 blade (B4340)   | 80                | 72,000,000      | 1,100,000 | 30,000            | 80,000,000
VIPRION 2400, 4 blades (B2100)  | 160               | 48,000,000      | 1,600,000 | 40,000            | 160,000,000
VIPRION 2400, 1 blade (B2100)   | 40                | 12,000,000      | 400,000   | 10,000            | 40,000,000
BIG-IP 10200                    | 80                | 36,000,000      | 1,000,000 | 75,000            | 80,000,000
BIG-IP 7200                     | 40                | 24,000,000      | 775,000   | 25,000            | 40,000,000
BIG-IP 5200                     | 30                | 24,000,000      | 700,000   | 21,000            | 40,000,000
BIG-IP 4200                     | 10                | 10,000,000      | 300,000   | 9,000             | N/A
BIG-IP 2200                     | 5                 | 5,000,000       | 150,000   | 4,000             | N/A

(L4 CPS: layer-4 connections per second. SSL TPS: SSL transactions per second with 2K-bit keys. HW SYN cookies/s: SYN cookies generated per second in hardware.)

Figure: VIPRION 4800, VIPRION 44xx chassis, VIPRION 2400 chassis, and the BIG-IP 10x00, 7x00, 5x00, 4x00 and 2x00 series appliances.
F5 BIG-IP Delivers One Platform (HW/SW)

Products on the platform: ICSA-certified firewall, application delivery controller, application security, access control, DDoS mitigation, SSL inspection, DNS security.

Advanced Firewall Manager
- Stateful full-proxy firewall
- On-box logging and reporting
- Native TCP, SSL and HTTP proxies
- Network and session anti-DDoS

Access Policy Manager
- Dynamic, identity-based access control
- Simplified authentication, consolidated infrastructure
- Strong endpoint security and secure remote access
- High performance and scalability
- BYOD 2.0 integration (SaaS)
- VDI integration (ICA, PCoIP)

Local Traffic Manager
- #1 application delivery controller
- Application fluency
- App-specific health monitoring
- Application offload
- Streamlined app deployment

Application Security Manager
- Leading web application firewall
- PCI compliance
- Virtual patching for vulnerabilities
- HTTP anti-DDoS
- IP protection

Global Traffic Manager and DNSSEC
- Huge-scale DNS solution
- Global server load balancing
- Signed DNS responses
- Offload DNS crypto

Application Acceleration (web and WAN optimization)
- Front-end optimization
- Server offload
- Network optimization
- Mobile acceleration
- HTTP 2.0 / SPDY gateway



Reference: "F5 data center firewall aces performance test", by David Newman, Network World, July 22, 2013, 06:05 AM ET. http://www.networkworld.com/reviews/2013/072213-firewall-test-271877.html