New generation of security solutions for Service
Providers
Grzegorz Kornacki – F5 Field Systems Engineer
Krystian Baniak – Infradata Senior Security Consultant
© F5 Networks, Inc 2
The security environment is also challenging
Explosive data growth: worldwide mobile data to grow 13 times by 2018; total mobile subscriptions to reach 9.1 billion by 2018.
Security attacks: a DDoS attack occurs on the web every 2 minutes; attacks over 10 Gbps have increased nearly 50%.
Network innovation: 213 4G LTE networks have launched in 81 countries; more than 50% of leading operators plan to deploy SDN and NFV by 2014.
New VAS services: 40% of global YouTube traffic is mobile, up from 6% in 2011; Facebook has over 800 million monthly mobile users, up 150% since 2011.
Evolving threats to mobile networks
Device: battery drain attacks; mobile malware and bots
Network: RAN resource exhaustion; revenue leakage from weak APN controls; terms and conditions violations
Application: server-side malware; application DDoS
[Diagram: an attacker reaching subscribers and the LTE core through the eNodeB, with MME, SGW, PCEF, PCRF, HSS, CSCF and MRF shown as targets]
Problem with security in the network
No comprehensive security solution
[Diagram: point products across the network, each from a different vendor (Vendor A through Vendor F): data center firewall, DNS security, network DDoS protection, S/Gi firewall, Diameter security, load balancing, application DDoS protection]
It is easy to end up with 5 or more different vendors supplying point products to provide security across the network.
Consequences of complexity
Significantly higher cost structure
Significantly more time and resources to deploy
Lower network quality
Lower customer satisfaction
Damaged brand reputation
Key security needs
Data center firewall; S/Gi network firewall; DNS security; Diameter signaling protection; site-to-site VPN traffic protection; market-leading ADC
Dynamic multi-layered security at industry-leading scale and performance, to simplify the network and reduce costs
F5 can help: with dynamic multi-layered security solutions for the device, network, and data center
[Diagram: mobile users, fixed users, applications/enterprise, data center and Internet/cloud, with F5 functions in the path: S/Gi firewall, DDoS mitigation, DNS security, data center firewall, application firewall, Diameter security]
Core functionality: application visibility, full proxy, massive scalability, 30+ DDoS vectors, unified platform, dynamic and flexible, NFV ready, centralized management
Security for service providers: customer scenarios, core functionality, professional services and support
Platform consolidation: happening now
Network function consolidation
2005–2010, L2–L3: dedicated platforms from different vendors (L2 switching, MPLS L2 PE, L3 routing, MPLS L3 PE, BRAS/BNG) consolidated onto a single multi-service router (IP routing, MPLS L2 PE, MPLS L3 PE, BRAS/BNG).
2010–2014, L4–L7: dedicated platforms from different vendors (full proxy with TCP optimization and HTTP header enrichment, L3/L4 firewall, steering, policy enforcement, CGNAT) consolidated onto a unified platform (TCP optimization, DPI/PCEF, L7 steering, FW/CGN, HTTP header enrichment).
F5 Network Services
A unified platform and single management framework: intelligent traffic management, CGNAT and IPv6 migration, ICSA certified network firewall, policy enforcement, header enrichment and TCP optimization, local DNS, URL filtering
F5 can help: with dynamic multi-layered security solutions for the device, network, and data center
iRules extensibility everywhere
Products
Advanced Firewall Manager
• Stateful full-proxy firewall
• On-box logging and reporting
• Native TCP, SSL and HTTP proxies
• Network and session anti-DDoS
Access Policy Manager
• Dynamic, identity-based access control
• Simplified authentication, consolidated infrastructure
• Strong endpoint security and secure remote access
• High performance and scalability
Local Traffic Manager
• #1 application delivery controller
• Application fluency
• App-specific health monitoring
Application Security Manager
• Leading web application firewall
• PCI compliance
• Virtual patching for vulnerabilities
• HTTP anti-DDoS
• IP protection
Global Traffic Manager and DNSSEC
• Huge scale DNS solution
• Global server load balancing
• Signed DNS responses
• Offload DNS crypto
Capabilities: ICSA-certified firewall, application delivery controller, application security, access control, DDoS mitigation, SSL inspection, DNS security
Key F5 capability details
Massive scalability, capacity, and performance
• 640 Gbps throughput
• 288 million concurrent sessions
• 8 million connections per second
Dedicated hardware and software-enabled virtual editions
• Portfolio of appliances and chassis
• Software-enabled virtual editions
• F5 ScaleN vertical and horizontal scaling
Unified platform and management
• Any service on any blade or software-enabled virtual edition
• BIG-IQ platform: intuitive, flexible, and scalable services management
SDN- and NFV-ready
• Virtual editions
• Unmatched hypervisor support
• Open APIs
• Abstraction
Full-proxy architecture
• L4–L7 visibility and control
• Terminate, inspect, and manipulate sessions
• Per-subscriber and per-application control
Extensibility and flexibility with iRules/iControl
• iRules scripting language to customize traffic policies and control
• iControl open API to integrate with third-party systems for orchestration
• 130,000+ developer community
Question 1: What is the maximum packets per second a 1 Gbit/s link can handle?
Answer:
~1,488,095 packets per second per Gbit/s link: 1,000,000,000 b/s / (84 B × 8 b/B) = 1,488,095.2 frames/s. The slide rounds this up to 1,488,096.
The 84 bytes is the smallest footprint one frame can occupy on the wire, counted from the inter-frame gap through the CRC:
Inter-frame gap (96 bit times; 96 ns at 1 Gbit/s, 9.6 µs only on 10 Mbit/s Ethernet): 12 bytes
MAC preamble (+ SFD): 8 bytes
MAC destination address: 6 bytes
MAC source address: 6 bytes
MAC type (or length): 2 bytes
Payload (network PDU): 46 bytes
Frame check sequence (CRC): 4 bytes
Total frame physical size: 84 bytes
Question 2: What is the maximum CPS that can be established via a 1 Gbit/s link?
Answer:
~1,488,095 connections per second, the same figure as in Question 1, because every minimum-size packet can be a connection establishment (a TCP SYN, or the first datagram of a UDP flow). This is the worst case a stateful device behind the link must be sized for: a single saturated 1 Gbit/s link of 64-byte SYNs presents roughly 1.5 million new connections per second, regardless of how much application data the link carries.
Question 3: What is the maximum CPS the F5 firewall can handle?
[Bar chart, connections per second in millions: Juniper (SRX 5800), Cisco (ASA 5585-X) and Check Point (61000) shown at 350k, 400k and 600k; F5 (VIPRION 4800) at 8M, labelled "21x"]
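Questions 1 to 3 reduce to one piece of arithmetic: the wire footprint of a minimum-size frame fixes the maximum frame rate, the maximum frame rate is the maximum new-connection rate, and that rate is what a stateful device's CPS rating has to be measured against. The following Python script is an added example written for this page, not F5 code; it generalizes the slide's 1 Gbit/s calculation to other link speeds and frame sizes and turns the CPS ratings printed on the chart into the check a practitioner actually wants, namely how much minimum-frame SYN-flood bandwidth a given rating can absorb. The chart's competitor ratings are used as anonymous 350k/400k/600k classes because the extracted chart does not pair them unambiguously with vendors.

```python
"""
Line-rate arithmetic behind Q1-Q3 of the deck: maximum frames per second on a
link, worst-case connection attempts per second, and how that compares with a
stateful device's rated connections per second (CPS).

Added example by the editor; not F5 code. CPS ratings are the ones printed on
the slide's chart, used as-is.
"""

# Per-frame overhead on the wire that is NOT part of the Ethernet frame itself:
# 12-byte inter-frame gap (96 bit times) + 7-byte preamble + 1-byte SFD.
WIRE_OVERHEAD_BYTES = 12 + 8

# Ethernet frame sizes, destination MAC through FCS (preamble/SFD and IFG excluded).
MIN_FRAME = 64     # 6 DA + 6 SA + 2 type + 46 payload + 4 FCS
MAX_FRAME = 1518   # 1500-byte payload, no VLAN tag


def wire_bits(frame_bytes: int) -> int:
    """Bits consumed on the wire by one frame, including preamble/SFD and IFG."""
    return (frame_bytes + WIRE_OVERHEAD_BYTES) * 8


def max_frames_per_second(link_bps: float, frame_bytes: int = MIN_FRAME) -> float:
    """Theoretical maximum frame rate of a link_bps link carrying frames of one size.
    For 1 Gbit/s and 64-byte frames this is 1e9 / 672 = 1,488,095.2 frames/s."""
    return link_bps / wire_bits(frame_bytes)


def max_connections_per_second(link_bps: float) -> float:
    """Worst case for a stateful device: every minimum-size frame is a new flow
    (a TCP SYN or the first datagram of a UDP flow), so CPS equals frame rate."""
    return max_frames_per_second(link_bps, MIN_FRAME)


def link_gbps_to_exhaust_cps(cps_rating: float) -> float:
    """Smallest link speed, in Gbit/s, at which a flood of minimum-size new-flow
    frames reaches a stateful device's rated connections per second."""
    return cps_rating * wire_bits(MIN_FRAME) / 1e9


# CPS ratings as printed on the slide's chart; competitor names deliberately
# replaced by rating classes (see lead-in).
SLIDE_CPS_RATINGS = {
    "350k-class firewall": 350_000,
    "400k-class firewall": 400_000,
    "600k-class firewall": 600_000,
    "F5 VIPRION 4800": 8_000_000,
}


def saturation_report(link_bps: float = 1e9) -> dict:
    """For each rated device, the ratio of its CPS rating to the new-flow rate a
    link_bps link can deliver. Below 1.0 the link alone can exhaust the device;
    above 1.0 the device has headroom against a single saturated link."""
    cps_on_link = max_connections_per_second(link_bps)
    return {name: rating / cps_on_link for name, rating in SLIDE_CPS_RATINGS.items()}


if __name__ == "__main__":
    for speed in (1e9, 10e9, 100e9):
        print(f"{speed / 1e9:>5.0f} Gbit/s: "
              f"{max_frames_per_second(speed):>14,.0f} frames/s at 64 B, "
              f"{max_frames_per_second(speed, MAX_FRAME):>12,.0f} frames/s at 1518 B")
    for name, ratio in saturation_report(1e9).items():
        print(f"{name:<22} rating / 1 Gbit/s new-flow rate = {ratio:6.2f} "
              f"(exhausted by a {link_gbps_to_exhaust_cps(SLIDE_CPS_RATINGS[name]):.3f} Gbit/s SYN flood)")
```

The point the script makes explicit is that a 350k CPS device is exhausted by roughly 0.24 Gbit/s of 64-byte SYNs, well under a single gigabit link, whereas an 8M CPS rating needs about 5.4 Gbit/s of such traffic before it is the bottleneck. Real traffic mixes are far from all-minimum-frame, so the figures are a worst-case bound for sizing, not an expected load.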
Extending the intelligent services framework: TMOS programmability
iRules: intercept, inspect, transform, direct, and make decisions based on inbound and outbound application traffic. 79% of F5 customers deploy iRules on production BIG-IP devices; iRules contain ~600 application traffic management commands.
iApps: define and tie all related application availability, security, and optimization services to the application, and deploy these services with optimum, application-specific configurations in only a few minutes. 84% faster deploy time, 90% accuracy of configuration.
iControl: over 5,500 management API calls.
DevCentral: a community of 105,000+ developers in 191 countries publishing and engaging in real-time app delivery solutions. You never have to wait for us.
Agenda
• SP Firewall scenario (F5 AFM)
• Web Application Firewall scenario (F5 ASM)
New Generation Security Solutions for SP
Practical Presentation
Practical Scenario
Lab architecture: an F5 VE 11.5.0 running AFM/ASM/LTM; an F5 VE 11.5.0 running BIG-IQ as orchestrator; a client; and a server hosting the web applications (Hack-It).
Web application team: configures LTM. Security team: takes the security requirements, builds the WAF policy, and configures AFM/ASM.
Spotlight: Operation Ababil – September 2012
Izz ad-Din al-Qassam Cyber Fighters: DDoS attacks on Bank of America, NYSE, Wells Fargo, PNC, Chase, SunTrust, Capital One and others.
Peak attacks of 75 Gbit/s, including a mix of layer 3, 4, 5 and 7 attacks.
Anti-DDoS scrubbers were used for the network-layer attacks; F5 for layer 7.
The Cyber Fighters appeared to have performed extensive network reconnaissance on the data centers of each target.
Network reconnaissance likely included timing information on all available links and database queries.
Consolidating mobile policy and security: use case
Protection for networks and applications; fewer devices translates to lower latency for subscribers.
Consolidation of firewall, application security, and traffic management.
Before F5: a chain of separate devices, each a point of failure and latency: load balancer, firewall, DNS security, network DDoS, load balancer & SSL, application DDoS, web application firewall, web access management.
With F5: the same functions consolidated on one platform.
A chain is as strong as its weakest link.
Take a phased approach to this architecture: examples
[Diagram: three example tracks, each running from the immediate pain point (phase 1), through the implementation phases, to the next-gen network; the tracks below are ordered by phase number, with phase 1 matching each track's title]
DNS security at scale: 1 DNS, 2 S/Gi FW, 3 NFV, 4 CGNAT
S/Gi network security at scale: 1 S/Gi FW, 2 CGNAT, 3 NFV, 4 DNS
DDoS protection in the data center: 1 DC FW, 2 DNS, 3 S/Gi FW, 4 NFV, 5 HE (header enrichment)
F5 provides you with unmatched flexibility and extensibility that future-proofs your network
Recommended