Post on 31-Mar-2018
transcript
F5 Tech Talk: Securing Critical Applications
Brian A. McHenry, Security Solutions Architect
March 5, 2014
© F5 Networks, Inc 2
F5 Overview
[Chart: axis in $ thousands, 0 to 400,000]
Publicly traded on NASDAQ
3,300+ employees
Leading provider of application and data delivery networking
IPO in 1999
FY15 revenue: US$1.5B
Our products sit at strategic points of control in any infrastructure
1,380,000,000
Maintaining security is challenging
Webification of apps
Evolving security threats
71% of surveyed experts predict most work will be done via web-based or mobile apps by 2020.
69% of all Americans use web apps.
Single cyber attack costs $1,000,000
122 successful attacks per week
Securing applications can be complex
• Changing threats: increasing in complexity that requires intelligence and ongoing learning
• Scalability and performance: needed to ensure services are available during the onset of aggressive attacks
• Webification: impossible to build safeguards into applications in a timely manner
• Ownership: challenges with security team making the dev team fix vulnerabilities
• Attack visibility: is often lacking details to truly track and identify attacks and their source, and ensure compliance and forensics
BIG-IP® Application Security Manager™
Dynamic Multi-Layered Security
• Turn-on with license key or standalone
• Caching, compression and SSL acceleration included in standalone
BIG-IP Local Traffic Manager BIG-IP Application Security Manager
Secure response delivered
Request made
BIG-IP ASM security policy checked
Server response generated
BIG-IP ASM applies security policy
Vulnerable application
• Provides transparent protection from ever changing threats
• Ensure application availability while under attack
• Deployed as a full proxy or transparent full proxy (bridge mode)
• Minimal impact on application performance
• Drop, block or forward request
• Application attack filtering & inspection
• SSL, TCP, HTTP DoS mitigation
• Response inspection for errors and leakage of sensitive information
Full proxy security
Network
Session
Application
Web application
Physical
Client / Server
L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation
SSL inspection and SSL DDoS mitigation
HTTP proxy, HTTP DDoS and application security
Application health monitoring and performance anomaly detection
Network
Session
Application
Web application
Physical
Client / Server
Common attacks on web applications
BIG-IP ASM delivers comprehensive protection against critical web attacks
• CSRF
• Cookie manipulation
• OWASP top 10
• Brute force attacks
• Forceful browsing
• Buffer overflows
• Web scraping
• Parameter tampering
• SQL injections
• Information leakage
• Field manipulation
• Session hijacking
• Cross-site scripting
• Zero-day attacks
• Command injection
• ClickJacking
• Bots
• Business logic flaws
How does ASM work?
1. Start by checking RFC compliance
2. Then check for various length limits in the HTTP
3. Then we can enforce valid types for the application
4. Then we can enforce a list of valid URLs
5. Then we can check for a list of valid parameters
6. Then for each parameter we will check for max value length
7. Then scan each parameter, the URI, the headers with attack signatures

GET /search.php?name=Acme’s&admin=1 HTTP/1.1\r\n
Host: foo.com\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n
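An added example, not part of the original slides and not F5's code: a minimal Python sketch that runs the seven checks in slide order over the sample request (written with a plain ASCII apostrophe). The policy values, the three toy signatures and the names `POLICY`, `SIGNATURES`, `build` and `inspect` are assumptions made for illustration.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed policy for the slide's foo.com request; every value is an assumption.
POLICY = {
    "max_url_len": 64,
    "max_header_len": 256,
    "file_types": {"php"},
    "urls": {"/search.php", "/login.php", "/logout.php"},
    "params": {"name": 32, "q": 64},  # allowed parameter -> max value length
}
# Toy signatures for step 7 (assumed); a real signature set is far larger.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*(or|and|union)\b|\bunion\s+select\b", re.I),
    "xss": re.compile(r"<\s*script\b", re.I),
    "path-traversal": re.compile(r"\.\./"),
}
REQUEST_LINE = re.compile(r"^[A-Z]+ (/\S*) HTTP/1\.[01]$")
HEADER = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")

# Header lines as shown on the slide.
SLIDE_HEADERS = """Host: foo.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1)
Accept:text/html,application/xhtml+xml,application/xml;q=0.9
Referer: http://172.29.44.44/search.php?q=data
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226""".splitlines()

def build(target: str) -> bytes:
    """Frame a GET for `target` with the slide's headers, CRLF line endings."""
    lines = [f"GET {target} HTTP/1.1", *SLIDE_HEADERS, "", ""]
    return "\r\n".join(lines).encode("ascii")

def inspect(raw: bytes) -> list[str]:
    """Run the seven checks in slide order and return the violations found."""
    # 1. RFC compliance: CRLF framing, request line, header syntax, single Host.
    head, sep, _ = raw.partition(b"\r\n\r\n")
    bare = head.replace(b"\r\n", b"")
    if not sep or not head.isascii() or b"\r" in bare or b"\n" in bare:
        return ["1:rfc:bad line framing or non-ASCII byte"]
    lines = head.decode("ascii").split("\r\n")
    start = REQUEST_LINE.match(lines[0])
    parsed = [HEADER.match(line) for line in lines[1:]]
    if not start or not all(parsed):
        return ["1:rfc:malformed request line or header"]
    headers = [(h.group(1).lower(), h.group(2)) for h in parsed]
    if [n for n, _ in headers].count("host") != 1:
        return ["1:rfc:Host header must appear exactly once"]
    target = start.group(1)
    url = urlsplit(target)
    found = []
    # 2. Length limits on the URL and on each header value.
    if len(target) > POLICY["max_url_len"]:
        found.append("2:length:url")
    found += [f"2:length:header {n}" for n, v in headers
              if len(v) > POLICY["max_header_len"]]
    # 3. File type (extension of the last path segment) must be allowed.
    last = url.path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1] if "." in last else ""
    if ext not in POLICY["file_types"]:
        found.append(f"3:file-type:{ext or 'none'}")
    # 4. The URL itself must be on the allow-list.
    if url.path not in POLICY["urls"]:
        found.append(f"4:url:{url.path}")
    # 5 and 6. Each parameter must be known and within its value-length limit.
    params = parse_qsl(url.query, keep_blank_values=True)
    for name, value in params:
        if name not in POLICY["params"]:
            found.append(f"5:parameter:{name}")
        elif len(value) > POLICY["params"][name]:
            found.append(f"6:value-length:{name}")
    # 7. Signatures over decoded parameters, the URI and the header values.
    fields = [("uri", url.path)] + [(f"param {n}", v) for n, v in params]
    fields += [(f"header {n}", v) for n, v in headers]
    for where, text in fields:
        found += [f"7:signature:{sig} in {where}"
                  for sig, rx in SIGNATURES.items() if rx.search(text)]
    return found
```

With this assumed policy, `inspect(build("/search.php?name=Acme's&admin=1"))` reports only the unlisted `admin` parameter (step 5); the apostrophe in `Acme's` on its own matches none of the toy signatures.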
The same slide and request, with other file types in the request line:
GET /search.asp?name=Acme’s&admin=1 HTTP/1.1
GET /search.do?name=Acme’s&admin=1 HTTP/1.1
The same slide and request, with other URLs in the request line:
GET /login.php?name=Acme’s&admin=1 HTTP/1.1
GET /logout.php?name=Acme’s&admin=1 HTTP/1.1
BIG-IP Application Security Manager
Multiple deployment options
• Standalone or ADC add-on
• Appliance or Virtual edition
• Manual or automatic policy building
• 3rd party DAST integration
Visibility and analysis
• Visibility and analysis
• High speed customizable syslog
• Granular attack details
• Expert attack tracking and profiling
• Policy & compliance reporting
• Integrates with SIEM software
• Full HTTP/S request logging
Comprehensive protections
• Protection from all web app vulnerabilities including DDoS
• Advanced anti-BOT mitigation
• Integrated XML firewall
BIG-IP® ASM™ protects the applications your business relies on most and scales to meet changing demands.
L7 DDOS
Web Scraping
Web bot identification
XML filtering, validation & mitigation
ICAP anti-virus Integration
XML Firewall
Geolocation blocking
Comprehensive Protections BIG-IP ASM extends protection to more than application vulnerabilities
ASM
Automatic HTTP/S DoS attack detection and protection
• Accurate detection technique—based on latency
• Three different mitigation techniques escalated serially
• Focus on higher value productivity while automatic controls intervene
IDENTIFY POTENTIAL ATTACKERS
DROP ONLY THE ATTACKERS
DETECT A DOS CONDITION
Highly accurate anti-bot and scanner protection
• Differentiate between script and browser
• Inspection of user interaction with browser
• Distinguish real user from bot
• Mitigate automated attacks, scanners, botnets and intellectual property scrapers
• Detect a persistent scraper that uses multiple IP addresses or a single request session
ASM Website
Application Security
Web Bot
User
IP intelligence service
IP address feed updates every 5 min
Geolocation database
Botnet
Anonymous requests
Anonymous proxies
Scanner
Restricted region or country
Attacker
Custom application
Financial application
Internally infected devices and servers
IP intelligence and geo-location enforcement
Detailed logging with actionable reports
At-a-glance PCI compliance reports
Drill-down for information on security posture
Attack Expert System in ASM
Attack expert system makes responding to vulnerabilities faster and easier:
• Violations are represented graphically, with a tooltip to explain the violation.
• The entire HTTP payload of each event is logged.
1. CLICK ON INFO TOOLTIP
Protection from Vulnerabilities
Enhanced integration: BIG-IP ASM and leading DAST vendors
Customer website
• Vulnerability checking, detection and remediation
• Complete website protection
BIG-IP Application Security Manager
• Verify, assess, resolve and retest in one UI
• Automatic or manual creation of policies
• Discovery and remediation in minutes
• Automatic notification of website changes*
Vulnerability scanner
• Finds a vulnerability
• Virtual-patching with one-click on BIG-IP ASM
DAST Solutions
• Qualys
• IBM
• WhiteHat
• Cenzic
Identify, virtually patch, mitigate vulnerabilities
Configure vulnerability policy in BIG-IP ASM
Mitigate web app attacks Scan application with:
Hacker
Clients
Timely threat mitigation
Assurance
Manual
WAF
Scan
Four ways to build a policy
Security policy checked
Security policy applied
DYNAMIC POLICY BUILDER
Automatic
• No knowledge of the app required
• Adjusts policies if app changes
Manual
• Advanced configuration for custom policies
INTEGRATION WITH APP SCANNERS
• Virtual patching with continuous application scanning
PRE-BUILT POLICIES
• Out-of-the-box
• Pre-configured and validated
• For mission-critical apps including: Microsoft, Oracle, PeopleSoft
Enhanced visibility and analysis
Statistics collected
URLs Methods
Server/client latency Client IPs and geos
Throughput User agents
Response codes User sessions
Views
Virtual server
Pool member
Response codes
URLs and HTTP methods
Application analytics for assured availability
• ASM logs provide deeper intelligence grouped by application and user
• Rules can be applied based on user behavior
• Latency monitoring provides:
• Business intelligence/capacity planning
• Troubleshooting and performance tuning
• Anomalous behavior detection
Security TAP Partners
ENDPOINT INSPECT / AV
CERTIFICATES ENCRYPTION SIEM DAST
MULTI-FACTOR AUTHENTICATION WEB ACCESS MANAGEMENT DB FIREWALL
MOBILE OS MOBILE DEVICE MANAGEMENT
SECURITY CHANGE MANAGEMENT FIPS/HSM SECURITY
DNS SECURITY AND SBS
WEB AND SAAS SECURITY
Hardware with a Purpose
Best-of-breed application delivery architecture
TMOS is the implementation of software on hardware that includes physical, virtual and hybrid deployments. This creates the most flexible, advanced application delivery.
Physical ADCs + vADCs = F5 dynamic infrastructure
Ultimate in flexibility and performance
F5 vCMP or virtual editions
vADC or virtual editions provide flexible deployment options for virtual environments
F5 physical ADCs
High-performance and specialized hardware
Hybrid ADC is best for:
• Complete integrated application delivery network
• Tethered deployments
• Symmetric ADC services
• Federated authentication
Virtual ADC is best for:
• Accelerated deployment
• Private and public cloud environments
• Application or tenant-based pods
• Lab, test and QA deployments
• Keep security with application
Physical ADC is best for:
• Fastest performance
• SSL offload
• Workload isolation
• Consolidation
• Edge and front door services
• Edge security speeds and feeds
EFFECTIVE APPLICATION PROTECTIONS
SIMPLIFIED AND RAPID POLICY DEPLOYMENT
PCI COMPLIANCE
DETAILED ATTACK INSPECTION AND FILTERING
HIGH SCALABILITY AND PERFORMANCE
ENHANCED VISIBILITY AND ACTIONABLE REPORTING
Advanced application firewall
BIG-IP ASM
BIG-IP PLATFORM SECURITY
BIG-IP AFM BIG-IP ASM All BIG-IP
BIG-IP Application Security Manager
BIG-IP ASM protects the applications your business relies on most
• Allows the security team to secure a website without changing the application code
• Provides comprehensive protection for all web application vulnerabilities, including (D)DoS
• Logs and reports all application traffic, attacks and usernames
• Educates admin on attack type definitions and examples
• Helps ensure PCI compliance
What This Means
Users
• Quickly secure apps against aggressive DDoS attacks and provide rapid application vulnerability patching
• Ensure application availability and performance when under attack
• Maintain full visibility into attacks and policy effectiveness
Business
• Protect your business, customers and partners
• Easily mitigate compliance risks
• Consolidate resources and reduce operational costs
• Improve security posture and corporate reputation
Software as a Service
Many organizations are realizing the benefits of adopting cloud-based services rather than deploying and maintaining in-house solutions. Software as a Service (SaaS) providers can deliver niche expertise in a cost-effective, multi-tenancy environment via a ready-to-consume, subscription-based model.
SaaS market drivers
Any location Any time Any device Mobility 24x7 workforce Bring your own device
The SaaS market is expected to grow 16.8%, from $14.3 billion in 2012 to $16.7 billion in 2013, with projections of $21.3 billion for 2015.
83.0% of all companies expect to adopt SaaS technology.
Who’s requesting access?
Employees Partners Customers Administrators
Manage access based on identity
IT is challenged to:
• Control access based on user type and roles
• Unify access to all applications (mobile, VDI, web, client-server, SaaS)
• Provide fast authentication and single sign-on (SSO)
• Audit and report access and application metrics
The Problem with SaaS
The benefits of adopting a SaaS model often come at the cost of up-to-the-minute access control and reliable security policy enforcement.
It’s now a complex matrix
Cloud
More delivery models More endpoints More apps
SaaS
The problem with SaaS
IDENTITY AND ACCESS MANAGEMENT SILOS
“For an average of 26 different online accounts, users had only five different passwords.”
—Experian, 2012
“A quarter of the people surveyed admitted to using less secure passwords on mobile devices to save time.”
—Deloitte, 2013
Data Center
Applications Applications
Internet
Identity and Access Management
Physical Virtual
Salesforce Office 365 Concur Google docs
Devices
Consistent security across all services
Any Device
Consistent Security Everywhere
Enterprise Resources
External Resources
Scalability
Centralized Management
Single Sign-On
Identity and Access Management
Cloud Federation
Customer Scenarios
Core Functionality
Professional Services and Support
Consistency Integration
IP Reputation
Multi-Factor Authentication Authorization IP Geolocation Context Services
Device Inspection Analytics
F5 Cloud Federation Architecture
Strategic Point of Control
On-Premises Infrastructure
Corporate Applications
Users
Attackers
Access Management
SaaS Providers
Office 365
Google Apps
Salesforce
Directory Services
Corporate Users
Identity federation
SAML Real-time access control
Access policy enforcement
SAML Identity management
Multi-factor authentication
On-Premises Infrastructure
BIG-IP Local Traffic Manager
BIG-IP Access Policy Manager
Corporate Applications
LTM APM Users
Attackers BIG-IP Platform
SaaS Providers
Office 365
Google Apps
Salesforce
Application Services + Access Policy Management
Directory Services
Corporate Users
F5 Cloud Federation Architecture
Secure Web Gateway in APM
with
SWG
Campus
Web Filtering
Internet
ThreatSeeker Intelligence
Cloud
Data for real-time URL classification & advanced malware detection
HQ
SaaS Apps
• Protects users on-premise
• Keeps confidential data confidential
• Identity-based policies
• Inbound and outbound security
• Websense ThreatSeeker backend
Servers Servers AD
URL Classification
Advanced Malware Detection
F5 Secure Web Gateway – The best approach
• The only solution to offer outbound & inbound access controls
• Inbound: All you have on APM (Access, VPN & SAML etc.)
• Outbound: block dangerous websites or malware-infected web applications
• Enable social web media applications for the business at a granular level based on different job needs (e.g., marketing is OK to access Facebook)
• Detect and block malware inside a web page
BIG-IP APM Use Cases
Accelerated Remote Access
Enterprise Data & Apps
Federation
Cloud, SaaS, and Partner Apps
Internet Secure Web Gateway Internet Apps
Mobile Apps Mobile
Application Management
BIG-IP APM
App Access Management OAM VDI Exchange Sharepoint
Next-Generation Firewall
Users leverage NGFW for outbound protection
Employees
Can inspect SSL at either tier
Customers
DDoS Attack
Partners
DDoS Attack
ISP provides volumetric DDoS service
Cloud Scrubbing Service
GOOD BETTER BEST
Simplified Business Models
+ IP Intelligence
BIG-IP Advanced Firewall Manager BIG-IP Local Traffic Manager
BIG-IP Global Traffic Manager BIG-IP Access Policy Manager
BIG-IP Application Security Manager
Application Delivery Firewall infrastructure
ISPa
ISPb
Network Firewall Services + DNS Services
+ Simple Load Balancing to Tier 2
BIG-IP Platform
+ IP Intelligence (IPI) Module
BIG-IP Platform
Web Application Firewall Services
+ SSL Termination
Tier 2: Protecting L7 Tier 1: Protecting L3–4 and DNS
DDoS MITIGATION
Application attacks: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods
BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
BIG-IP LTM and GTM: High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
F5 mitigation technologies
Application (7) Presentation (6) Session (5) Transport (4) Network (3) Data Link (2) Physical (1)
Increasing difficulty of attack detection
OSI stack