© 2017 F5 Networks

Carlos Valencia, Sales Engineer - LATAM
[email protected]

Application threat mitigation strategies (original title: "Estrategias de mitigación de amenazas a las aplicaciones"), INFOSECURITY


The Big Picture

[Diagram: the Silverline cloud-based platform sits in front of the customer; the partner ISP may provide a rudimentary DDoS service. Volumetric DDoS attackers are absorbed in the cloud, while application-layer DDoS attackers, scanners, anonymous proxies, anonymous requests and botnet attackers are handled by the on-premises network and application protection tiers, which consume a threat intelligence feed (IPI). Components shown: router, next-generation firewall, IPS/IDS, SSL, WAF / L7 DDoS (ASM), high-performance DNS and DNS firewall, fraud protection, local DDoS, cloud apps, DC apps, hybrid, corporate users.]

Network Protection (L3/L4 DDoS, DNS, SIP DDoS), L3/L4 protection
• ICMP flood, UDP flood, SYN flood, TCP-state floods
• DoS detection using behavioral analysis
• HTTP DoS: GET flood, Slowloris/slow POST, recursive POST/GET (DHD only)
• DNS DoS: DNS amplification, query flood, dictionary attack, DNS poisoning
• SSL DoS: SSL renegotiation, SSL flood

Application Protection (application D/DoS, ASM), L5-L7 protection (CPU intensive)
• GET flood, Slowloris/slow POST, recursive POST/GET
• DoS detection using behavioral analysis
• OWASP Top 10
• SQLi/XSS/CSRF/0-day/etc.
• WAF in general

[Diagram: F5 BIG-IP spanning the private cloud, the traditional data center and cloud interconnection / public cloud, with consistent policies, cloud portability, top security, visibility, lowest TCO and Direct Connect.]

[Charts: security spending by category (firewalls, DLP, anti-virus, SIEM, IDS/IPS, APT); percentages shown: 28%, 90%, 44%, 72%.]

Protection against web application vulnerabilities (WAF)

• CSRF
• Cookie manipulation
• OWASP Top 10
• Brute force attacks
• Forceful browsing
• Buffer overflows
• Web scraping
• Parameter tampering
• SQL injection
• Information leakage
• Field manipulation
• Session hijacking
• Cross-site scripting
• Zero-day attacks
• Command injection
• Clickjacking
• Bots
• Business logic flaws

Layer 7 security is not addressed by traditional IPS & firewall vendors

Intrusion Prevention Systems / Traditional Firewall
• Examines all traffic for malicious app inputs
• Primarily uses anomalous and signature-based detection
• Some stateful protocol analysis capabilities
• Lacks understanding of L7 protocol logic
• Doesn’t protect against all exploitable app vulnerabilities

Secures, federates access to any application, anywhere

[Diagram: remote users, mobile users, contractors, etc. reach apps in the private cloud, hybrid cloud, public cloud, the corporate data center (apps, VDI) and SaaS apps (Office 365, Salesforce, other SaaS) through an identity federation point backed by the corporate directory, using SAML. Login example: XYZ Corp., username, PW+PIN; a hacker is stopped at multi-factor auth.]

Access policy inputs:
• User / user group
• Endpoint check
• MDM/EMM device posture
• Network, location, connection type (L3/L4)
• Single or multi-factor auth


[Diagram: DDoS reference architecture. Legitimate users, DDoS attackers, scanners, anonymous proxies, anonymous requests and botnet attackers arrive over ISP a/b (multiple ISP strategy); a cloud scrubbing service absorbs volumetric traffic. Tier 1 (network and DNS: next-generation firewall, IPS) is the strategic point of control for network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning). Tier 2 (application) handles SSL attacks (SSL renegotiation, SSL flood) and HTTP attacks (Slowloris, slow POST, recursive POST/GET) in front of financial services, e-commerce and subscriber applications and corporate users. Both tiers consume threat feed intelligence.]

DDoS approach

CLOUD/HOSTED SERVICE
Strengths:
• Completely off-premises so DDoS attacks can’t reach you
• Amortized defense across thousands of customers
• DNS anycast and multiple data centers protect you
Weaknesses:
• Customers pay, whether attacked or not
• Bound by terms of service agreement
• Solutions focus on specific layers (not all layers)

ON-PREMISES DEFENSE
Strengths:
• Direct control over infrastructure
• Immediate mitigation with instant response and reporting
• Solutions can be architected to scale independently of one another
Weaknesses:
• Many point solutions in market, few comprehensive DDoS solutions
• Can only mitigate up to max inbound connection size
• Deployments can be costly and complex

Hybrid DDoS protection: combining the “resilience and scale” of the cloud with the “granularity and always-on capabilities” of on-premise.

DDoS Architecture: Scrubbing Center

[Diagram: Silverline cloud scrubbing center. Signaling plane: cloud and on-premise exchange Unified Attack Command | Control (request for service, IP list management), BGP signaling and Netflow. Inspection plane: inspection toolsets, traffic actioner / route management, flow collection, portal (visibility, management). Data plane: switching, routing/ACL, network mitigation, routing (customer VRF), proxy mitigation, then return to the customer via GRE tunnel, proxy, IP reflection or L2VPN; traffic is copied for inspection.]

• Switching mirrors traffic to inspection toolsets and routing layer
• Inspection tools provide input on attacks for traffic actioner & SOC
• Traffic actioner injects routes and steers traffic
• Network mitigation removes advanced L4 attacks
• Proxy mitigation removes L7 application attacks
• Flow collection aggregates attack data from all sources
• Egress routing returns good traffic back to customer
• Portal provides real-time reporting and configuration
• Ingress router applies ACLs and filters traffic

Silverline (cloud): volumetric DDoS protection, managed application firewall service (WAF), zero-day threat mitigation with iRules.

“Cybercrime is a persistent threat in today’s world and, despite best efforts, no business is immune.”

Network Solutions

DNS is the second most targeted protocol after HTTP.

DNS DoS techniques range from:
• Flooding requests to a given host
• Reflection attacks against DNS infrastructure
• Reflection / amplification attacks
• DNS cache poisoning attempts

[Chart: application layer attacks by protocol (HTTP, DNS, HTTPS, SMTP, SIP/VoIP, IRC, other), 0-90% axis; values shown: 82%, 77%, 54%, 25%, 20%, 6%, 9%.]

TRADITIONAL DDOS MITIGATION: of the customers that mitigate DDoS attacks, many choose a technique that inhibits the ability of DNS to do its job
• DNS is based on UDP
• DNS DDoS often uses spoofed sources
• Using an ACL blocks legitimate clients
• DNS attacks use massive volumes of source addresses, breaking many firewalls.

[Chart: traditional DDoS mitigation techniques, 0-60% axis; category labels not recoverable.]

CONVENTIONAL DNS THINKING
• Performance = add DNS boxes
• Weak DoS/DDoS protection
• Firewall is THE bottleneck
[Diagram: Internet, external firewall, DNS load balancing, array of DNS servers, internal firewall, hidden master DNS.]

DNS DELIVERY REIMAGINED (paradigm shift)
• Scalable performance over 10M RPS!
• Strong DoS/DDoS protection
• Lower CapEx and OpEx
[Diagram: Internet, DNS tier (authoritative DNS, caching resolver, transparent caching, DNS firewall, DNS DDoS protection, protocol validation, high-performance DNSSEC, DNSSEC validation, intelligent GSLB), master DNS infrastructure.]

F5 DNS Firewall Services

[Diagram: devices on the Internet, LDNS, DMZ with DNS, data center with apps and DNS servers.]

• DNS DDoS mitigation with DNS Express
• Protocol inspection and validation
• DNS record type ACL*
• Block access to malicious IPs (DNS Firewall)
• High performance DNS cache
• Stateful – never accepts unsolicited responses
• ICSA certified – deployment in the DMZ
• Scale across devices – IP Anycast
• Secure responses – DNSSEC
• DNSSEC responses rate limited
• Complete DNS control – iRules & programmability
• DDoS threshold alerting*
• DNS logging and reporting
• Hardened DNS code

[Diagram: customer browser to secured data center over HTTP/HTTPS, through WAF, HIPS, traffic management, NIPS, DLP, network firewall and SIEM.]

Threats at the customer browser:

Leveraging browser application behavior:
• Caching content, disk cookies, history
• Add-ons, plug-ins

Manipulating user actions:
• Social engineering
• Weak browser settings
• Malicious data theft
• Inadvertent data loss

Embedding malware:
• Keyloggers
• Framegrabbers
• Data miners
• MITB / MITM
• Phishers / pharmers

Drop Zone

[Diagram: man-in-the-browser attack flow]
1. Generic malware, such as Zeus, infects a user’s device.
2. The malware contains code designed to insert specific content into the browser session when the user accesses specific sites (configuration shown: *wellsfargo* add field; *bankofamerica* add button, replace text; *chase* add cc#, pin, remove text; *telebank* send credentials; *bankquepopulaire* …).
3. The user requests the login page for Wells Fargo.
4. This triggers the malware, which injects additional content into the browser.
5. The user enters the requested content and clicks Go.
6. This information is sent to the legitimate web server as expected.
7. This information is also sent to the configured drop zone.

HTML Source Integrity is based on the expected number of forms, input fields, and scripts. This page is expected to have only four forms… and 14 input fields… and six scripts… The inclusion of this additional input field due to malware will now trigger an alert.
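The following is an added example, not code from the F5 deck, of the baseline comparison the slide describes: count the forms, input fields and scripts in a page and alert when they deviate from the expected 4/14/6. It uses only the Python standard library; the sample HTML pages are constructed for the example.

```python
from html.parser import HTMLParser

# Baseline taken from the slide: the page is expected to have four forms,
# 14 input fields and six scripts.
EXPECTED = {"form": 4, "input": 14, "script": 6}


class ElementCounter(HTMLParser):
    """Count the tags HTML Source Integrity cares about."""

    def __init__(self):
        super().__init__()
        self.counts = {tag: 0 for tag in EXPECTED}

    def handle_starttag(self, tag, attrs):
        if tag in self.counts:
            self.counts[tag] += 1


def count_elements(html):
    # Self-closing '<input ... />' is routed to handle_starttag by the base
    # class, so void elements are counted the same way as open tags.
    parser = ElementCounter()
    parser.feed(html)
    parser.close()
    return parser.counts


def integrity_check(html, expected=EXPECTED):
    """Return a list of (tag, expected, observed) deviations; empty means the page matches its baseline."""
    observed = count_elements(html)
    return [(t, expected[t], observed[t]) for t in expected if observed[t] != expected[t]]


# Constructed sample: a login page that matches the baseline (4 forms, 14 inputs, 6 scripts).
CLEAN_PAGE = (
    "<html><head>" + "<script src='/s.js'></script>" * 6 + "</head><body>"
    + "<form id='login'><input name='user'><input name='pass'></form>"
    + "<form id='search'>" + "<input name='q'>" * 4 + "</form>"
    + "<form id='contact'>" + "<input name='f'/>" * 4 + "</form>"
    + "<form id='newsletter'>" + "<input name='e'>" * 4 + "</form></body></html>"
)
# Constructed sample: the same page after malware injected an extra PIN field.
INJECTED_PAGE = CLEAN_PAGE.replace("<input name='pass'>", "<input name='pass'><input name='pin'>")

if __name__ == "__main__":
    print("clean:", integrity_check(CLEAN_PAGE))        # []
    print("injected:", integrity_check(INJECTED_PAGE))  # [('input', 14, 15)]
```

In practice the baseline is recorded from a known-good copy of each protected page, and a deviation is raised as an alert rather than blocking, since legitimate releases also change these counts.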

[Diagram: how a man-in-the-browser attack steals form data; a password revealer icon is shown on the form.]
1. The victim is infected with malware.
2. The victim makes a secure connection to a web site.
3. This triggers the malware to run.
4. The victim enters data into the web form.
5. This content can be stolen by the malware.
6. The victim submits the web form.
7. The information is encrypted and sent to the web server.
8. The information is also sent to the drop zone in clear text.

How HFO Works – Without HFO / How HFO Works – Field Name Obfuscation

[Diagram: LTM security appliance in the data center in front of the web application.]

MY BANK.COM (transaction risk scoring)
• Gather client details related to the transaction
• Run a series of checks to identify suspicious activity
• Assign risk score to transaction
• Send alert based on score
• Apply L7 encryption to all communications between client and server

Alert at each stage of phishing site development

[Diagram: Internet and web application]
1. Copy website
2. Save copy to computer
3. Upload copy to spoofed site
4. Test spoofed site

Each cloud provides siloed native app services: basic, proprietary, and inconsistent

[Diagram: cloud interconnect between corporate datacenter(s) with private cloud, MSP, SaaS and public cloud servers, each with its own native app services.]

Your cloud strategy should be an extension of your data center strategy: app-centric, letting you focus on ensuring availability, security, and performance for each application

• Defend against attacks
• Ensure secure user access
• Deliver app performance
• Gain traffic visibility
• Orchestrate tasks centrally

• Enable both network and application security
• Deliver high application availability, not just infrastructure availability
• Ensure application performance
• Centralize management and orchestration of the application
• Streamline app delivery and security services across on-premises and cloud

[Diagram: application services around an application: database, DNS, storage, mobile, commerce, identity, analytics, website, VPN, load balancing.]

App-Centric Strategy

[Chart: apps placed on an axis from on-premises (full control) to public cloud (limited control): SaaS apps, dev & test, mobile apps, ERP/CRM, LOB (HR, Acct.), external websites, packaged apps, custom apps.]

Shared Responsibility in Amazon AWS

The idea behind this is to educate customers that they still need to be responsible for a large proportion of the services required to deliver applications in the cloud.

[Diagram: AWS Shared Responsibility Model]

Shared Responsibility in Microsoft Azure

The idea behind this is to educate customers that they still need to be responsible for a large proportion of the services required to deliver applications in the cloud.

[Diagram: Azure Shared Responsibility Model]

[Diagram: Active Directory behind an identity control platform fronting multiple apps.]

Use Case: Disaster Recovery

Requirements
• Application availability and performance
• Location-based and contextual user access
• Active-active deployment for cost efficiency
• Insight and visibility into application traffic

Recommended application delivery services
• Local and global load balancing
• DNS
• SSL VPN or IPsec tunnel
• Access & identity
• Consistent DevOps + management tools

Key benefits:
• Seamless customer experience
• Secured and optimized site-to-site connectivity
• Advanced application health monitoring

[Diagram: data center and cloud provider, each with L4-L7 services, compute and storage, joined by VPN; DNS on both sides and orchestration provide a seamless global app experience.]

[Diagram: traditional vs. new deployment of application services. Traditional: servers with application services at a single strategic control point. New: distributed strategic control points across on-premises, cloud interconnection and public/private cloud, with application services delivered as hardware, virtual edition, containers and as a service (aaS).]