The New Security Perimeter: Applications and Identities
Timo Lohenoja, CISSP, Systems Engineer, F5, [email protected]
© F5 Networks, Inc 2
Applications are Driving Innovation and Massive Growth in Data…
Sources: Forbes, Nielsen, IDC, EMC, Statista
…but also creating an exponential increase in the attack surface
…Resulting in an Unprecedented Increase in Attacks (source of data breaches)
Sources: IT Business Edge, Krebs on Security, Security Week, CSO Online
Security Investments Completely Misaligned with Reality
Diagram labels: Attackers, Fraudsters, Internal Users; NGFW, IPS / IDS, DLP ($$$ security spend); App Servers, DB Servers
Perimeter Security: 10% of attacks are focused here, 75% of security investment
Identity & Application Security: 90% of attacks are focused here, 25% of security investment
Source: Gartner
Important Trends in Threat Vectors
• 86% of websites have at least 1 serious vulnerability (WhiteHat Security Statistics Report 2015)
• 56 is the average number of vulnerabilities per website (WhiteHat Security Statistics Report 2015)
• 20% of IT pros are confident users avoid phishing (2015 CyberThreat Defense)
• 85,000 malicious IPs launched every day (Threat Brief Report, Webroot, May 2015)
• 2.3M bots actively attacking (Symantec Internet Security Report 2014)
• A website is hit by a critical exploit every 23 min (F5 Research)
• 56% of security professionals employ WAF (2015 Cisco Annual Security Report)
• 36% have no cyber-attack response in place (F5 Networks Survey Research 2016)
The Traditional Approach to Security is Inadequate
• Less control over user access, and policies do not follow apps
• Overwhelming volume of application traffic
• Traditional security solutions are blind to SSL traffic
• Perimeter approach is no longer adequate
The New Perimeter is an App Perimeter: Apps are the gateways to data
TRADITIONAL: network perimeter around the App (✖)
NEW PERIMETER: per-app / per-user perimeter (diagram labels: SSL, SSL, SSL, APP) (✔)
✔ SSL-visible, location-independent, session-based, continuous trust verification, strategic control points, application availability
IT'S TIME TO RETHINK SECURITY ARCHITECTURES
Identity is the Key to Adaptive Authentication and Access
Context signals: Device type and integrity; Browser; Location; Operating system; Authentication; Access method; Network integrity; Network quality and availability; Connection integrity; App type / version; App location; App importance and risk
Cloud Apps Create Complexity and Reduce Security
• Silos of identity
• Identity may still be on-premises, but apps and data are moving to the cloud
• Users experiencing "password fatigue"
• Leads to password re-use
• A 3rd-party website hack may affect your site, compromising your data
• Existing solutions require complex infrastructure
Diagram labels: Data Center (Physical, Virtual; Applications, Applications), Identity and Access Management, Internet, Devices, Salesforce, Office 365, Concur, Google docs
Federating Identity for Cloud Applications
• Outsourced applications and infrastructure
• Applications enforcing "authority" over user identity
• Need to provide access to customers and supply chain without manual user account management and password resets
Optimising Security with Risk-based Policy Protection
Risk signals evaluated for each request: User ID, Location, End point, Device health, Device type, Malware, Sensitive Data, Human
Low-Value App → Allow, Challenge, OTP, Client Cert., Deny
High-Value App → Allow, Challenge, OTP, Client Cert., Deny
Example locations shown: North Korea, United Kingdom
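The slide shows the idea but not the mechanics: the same context signals feed two different policies, and a high-value app should step up or deny at a lower risk level than a low-value app. The following is an added worked example (not F5 code and not from the deck) of such a risk-based policy engine. The signal schema, the country sets, the score weights and the two risk ladders are all assumptions constructed for illustration; a real deployment would replace them with its own settings.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    CHALLENGE_OTP = "challenge with one-time password"
    CHALLENGE_CLIENT_CERT = "challenge with client certificate"
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    """Signals collected at the access point for one request (constructed schema)."""
    user_id: str
    country: str            # geolocation of the client address
    device_managed: bool    # endpoint is enrolled / known to the organisation
    device_healthy: bool    # endpoint check passed (patched, anti-malware running)
    malware_detected: bool  # endpoint or traffic inspection flagged malware
    human: bool             # no bot / automation indicators seen


# Constructed policy data standing in for an organisation's own risk settings.
HOME_COUNTRIES = {"United Kingdom"}
BLOCKED_COUNTRIES = {"North Korea"}

# Risk ladders: (maximum score, decision) pairs tried in order; the first limit the
# score fits under wins. The high-value ladder tolerates less risk at every step.
LADDERS = {
    "low-value": [(2, Decision.ALLOW), (5, Decision.CHALLENGE_OTP), (None, Decision.DENY)],
    "high-value": [(0, Decision.ALLOW), (2, Decision.CHALLENGE_OTP),
                   (4, Decision.CHALLENGE_CLIENT_CERT), (None, Decision.DENY)],
}


def risk_score(ctx: AccessContext) -> int:
    """Additive score over the softer signals; hard stops are handled in decide()."""
    score = 0
    if not ctx.device_managed:
        score += 2
    if not ctx.device_healthy:
        score += 2
    if not ctx.human:
        score += 3
    if ctx.country not in HOME_COUNTRIES:
        score += 1
    return score


def decide(ctx: AccessContext, app_class: str) -> Decision:
    """Map request context plus app value ("low-value" / "high-value") to a decision."""
    # Hard stops apply regardless of how valuable the app is.
    if ctx.malware_detected or ctx.country in BLOCKED_COUNTRIES:
        return Decision.DENY
    score = risk_score(ctx)
    for limit, decision in LADDERS[app_class]:
        if limit is None or score <= limit:
            return decision
    return Decision.DENY  # not reached: every ladder ends with the None sentinel


if __name__ == "__main__":
    corp_laptop_uk = AccessContext("alice", "United Kingdom", True, True, False, True)
    byod_abroad = AccessContext("alice", "France", False, False, False, True)
    for app in ("low-value", "high-value"):
        print(app, decide(corp_laptop_uk, app).value, "|", decide(byod_abroad, app).value)
```

The design point is that the hard stops (malware, blocked geography) sit above the score so no ladder can soften them, while the ladder itself is data, so the same engine protects both app classes and the thresholds can be tuned without touching the decision code.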
Identity Federation and SSO Solutions
• Transform one type of authentication into another
• Support various standards-based protocols (SAML, Kerberos, NTLM)
• Enable flexible selection of SSO techniques appropriate to the application
• Allow centralised session control of all applications, including SaaS apps
Diagram labels: Users (Certificates, Password, Token, Federation (SAML)); Adaptive Auth (Endpoint Validation, Step-Up Auth, Fraud Protection); SSO Selection (Certificates, Dynamic Forms, Kerberos Delegation, Simple Assertion, SAML Pass-through); Apps (Private/Public Cloud)
Identity Federation and SSO with Adaptive Authentication
Diagram labels: On-Premises Infrastructure (Corporate Applications, Directory Services, Corporate Users, Private Cloud); Corporation; Users; Attackers; SaaS (Office 365, Google Apps, Salesforce); Public Cloud; LOGIN 8 3 2 8 4 9; Identity federation; SAML; Identity management; Multi-factor authentication; SAML; Real-time access control; Access policy enforcement
Application Attacks are Inevitable: Prepare for application attacks
• A website is hit by a critical exploit every 23 minutes
• 95% of breaches through 2018 will be caused by misconfigured firewalls, not vulnerabilities
• 86% of websites have at least 1 vulnerability, and an average of 56 per website
• 75% of Internet threats target web servers
• 2.3M bots actively attacking
Sources: Cisco, WhiteHat Security, Gartner, Symantec
Encryption Creates a Blind Spot in Your Network
• Most network architectures are not built for SSL encryption
• SSL on NGFW products impacts performance by 80%
• Malware using SSL to evade network monitoring
• Without security tools to inspect SSL traffic, attacker actions can go undetected
• Trends toward SSL Everywhere, including HTTP/2 and TLS 1.3
The Right Tool for the Job: Bifurcation of Firewalls
"Next Generation" Firewall (Corporate users → Internet)
• Outbound user inspection
• 1K users to 10K web sites
• Broad but shallow
• UserID and AppID
• Who is doing what?
Web Application Firewall (Internet → Data Center servers)
• Inbound application protection
• 1M users to 100 apps
• Narrow but deep
• Application delivery focus
• Web-specific protocols (HTTP, SSL, etc.)
Intrusion Prevention Systems and Standard Firewalls: Layer 7 security is not addressed by traditional IPS and firewall products
Intrusion Prevention Systems / Traditional Firewall
• Examines all traffic for malicious app inputs
• Primarily uses anomalous and signature-based detection
• Some stateful protocol analysis capabilities
• Lacks understanding of L7 protocol logic
• Doesn't protect against all exploitable app vulnerabilities
Diagram labels: Encryption, Unknowns (???), Fragmentation, Obfuscation
Web Application Firewall Capabilities: Protect against layer 7 attacks with granularity
• Protects against layer 7 DDoS attacks
• DAST/VA integration with extensive automated and virtual patches
• Understands the business logic behind your web app
• Full-proxy protection against the OWASP Top 10
• Combines negative and positive security models
• Deep understanding of the application, not just generic attacks
Deployment forms: Appliance, Virtual Edition, Cloud (WAF)
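"Combines negative and positive security models" is the capability that separates a WAF from a signature-only IPS, and it is easiest to see with both models run over the same requests. Below is an added example (not F5 code and not from the deck) of a minimal inspector that applies a learned per-URL parameter schema (positive model) and a handful of attack signatures (negative model) to query strings. The URLs, schema and signature patterns are constructed for the example and are not a real ruleset.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Negative security model: a few illustrative attack signatures, constructed for
# the example (not a vendor signature set).
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)\bunion\b\s+(all\s+)?\bselect\b"),
    "xss": re.compile(r"(?i)<script\b|javascript:"),
    "path_traversal": re.compile(r"\.\./"),
}

# Positive security model: the per-URL parameter schema that "site learning"
# would produce for this application. Constructed for the example.
LEARNED_POLICY = {
    "/login": {"user": re.compile(r"[A-Za-z0-9._@-]{1,64}"), "pw": re.compile(r".{1,128}")},
    "/account": {"id": re.compile(r"\d{1,10}")},
}


def inspect_request(url: str) -> list:
    """Return (model, finding, where) triples; an empty list means the request passes."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []

    # Positive model: the URL must be known and every parameter must fit its schema.
    schema = LEARNED_POLICY.get(parts.path)
    if schema is None:
        findings.append(("positive", "unknown URL", parts.path))
    else:
        for name, values in params.items():
            if name not in schema:
                findings.append(("positive", "unexpected parameter", name))
                continue
            for value in values:
                if not schema[name].fullmatch(value):
                    findings.append(("positive", "value violates learned schema", name))

    # Negative model: signatures over every decoded parameter value.
    for name, values in params.items():
        for value in values:
            for sig_name, pattern in SIGNATURES.items():
                if pattern.search(value):
                    findings.append(("negative", sig_name, name))
    return findings


def should_block(url: str) -> bool:
    """Blocking policy for the example: any finding from either model blocks."""
    return bool(inspect_request(url))


if __name__ == "__main__":
    for u in ("/account?id=42", "/account?id=abc",
              "/account?id=1%20UNION%20SELECT%201", "/login?user=alice&pw=x&debug=1"):
        print(u, "->", inspect_request(u))
```

Run the four sample URLs and the complementarity is visible: `/account?id=abc` carries no known attack string, so only the positive model flags it, while the `UNION SELECT` value is caught by both, and an unlearned `debug` parameter is rejected by the schema alone. That is why the slide's "deep understanding of the application" matters: the positive model blocks input the application never expects, even when no signature exists for it yet.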
Traditional Security Devices vs WAF (columns: WAF, IPS, NGFW)
Capabilities compared:
• Multiprotocol Security *
• IP Reputation *
• Web Attack Signatures *
• Web Vulnerabilities Signatures *
• Automatic Policy Learning *
• URL, Parameter, Cookie, and Form Protection *
• Leverage Vulnerability Scan Results *
• Browser Fingerprinting
• Protection against Layer 7 DDoS Attacks
• Pro-active Modification of Application Requests/Responses
• Advanced Protection for Web Services (SOAP, XML, AJAX)
* Source: Gartner, "Web Application Firewalls Are Worth the Investment for Enterprises"
Rating legend: Good to very good / Average or fair / Below average
Advanced vs Traditional Web Application Firewall
TRADITIONAL WAF
• Signatures (OWASP Top 10)
• DAST integration
• Site learning
• File/URL/Parameter/Header/Cookie enforcement
• Protocol enforcement
• Login enforcement / Session tracking
• Data leak prevention
• Flow enforcement
• IP blacklisting
ADVANCED WAF
• Bot detection
• Client fingerprinting
• Web scraping prevention
• Brute force mitigation
• L7 DDoS protection
• Heavy URL mitigation
• CAPTCHA challenges
• HTTP header sanitisation/insertion
• Anti-CSRF token insertion
• Perfect Forward Secrecy (PFS) ciphers
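Two of the "advanced" items, HTTP header sanitisation/insertion and anti-CSRF token insertion, are things a full proxy can do on behalf of an application that was never written to do them. The following added example (not F5 code and not from the deck) shows the response-side and request-side halves of that: it strips stack-fingerprinting headers and inserts protective ones, appends a session-bound hidden token to every POST form in the backend's HTML, and verifies the token when the form comes back. The key, header lists, form regex and field name are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed per-process key; a real proxy would load it from its key store.
TOKEN_KEY = secrets.token_bytes(32)

# Response headers that reveal the backend stack; removed before the response leaves.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

# Opening tag of any form that submits via POST (GET forms change no state).
FORM_POST = re.compile(r"<form\b[^>]*\bmethod\s*=\s*[\"']?post[\"']?[^>]*>", re.IGNORECASE)


def mint_csrf_token(session_id: str) -> str:
    """Token bound to the session, so one lifted from another session does not verify.
    For brevity it has no expiry; a production design would add rotation."""
    return hmac.new(TOKEN_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def inject_csrf_tokens(html: str, session_id: str) -> str:
    """Append a hidden token field to every POST form in the backend's response body."""
    field = f'<input type="hidden" name="csrf_token" value="{mint_csrf_token(session_id)}">'
    return FORM_POST.sub(lambda m: m.group(0) + field, html)


def verify_csrf_token(form_fields: dict, session_id: str) -> bool:
    """Check the submitted token in constant time before forwarding the POST upstream."""
    submitted = form_fields.get("csrf_token", "")
    return hmac.compare_digest(submitted, mint_csrf_token(session_id))


def sanitise_headers(headers: dict) -> dict:
    """Drop stack-fingerprinting headers and insert protective ones if absent."""
    cleaned = {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}
    cleaned.setdefault("X-Content-Type-Options", "nosniff")
    cleaned.setdefault("X-Frame-Options", "DENY")
    return cleaned


if __name__ == "__main__":
    # Constructed sample response from the backend.
    page = '<form method="post" action="/transfer"><input name="amt"></form>'
    print(inject_csrf_tokens(page, "sess-1"))
    print(sanitise_headers({"Server": "Apache/2.4", "Content-Type": "text/html"}))
```

Because the token is computed from the session identifier, the proxy needs no per-form state to verify it, which is what makes this practical at the "1M users to 100 apps" scale the earlier slide describes.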
Demystifying the Industry Buzzword: RASP (Runtime Application Self-Protection)
An agent in the runtime container for each application or server
Application Security Options
WAF ‒ Web Application Firewall
• Enterprise-grade protection/performance for all apps
• PCI and regulatory compliance requirements
• DAST integrations for scanning and WAFs for patching all apps
• Most effective against L7 DoS, Brute Force, Web Injection, Scraping, XSS, CSRF
RASP ‒ Runtime Application Self-Protection
• Instance of protection for one app (SQL Injection, XSS)
• Post-WAF, post-IPS protection
• Inside the application or on the server
• App language dependent (Java, .NET) and 1-10% range performance reduction
Hybrid Protection from Advanced Application Attacks
ON-PREMISES WAF
• Protect core applications in the data center
• Virtual patching
• Layer 7 DDoS
CLOUD-BASED WAF
• Protect applications in the cloud, co-lo, data center
• Provide flexible application fluency
• App/Dev policy development
• 24/7 attack support from security experts
Policy Import/Export between the two
Combined Hybrid WAF = No application left unprotected
More Capability Considerations (columns: On-prem WAF, Cloud WAF)
• Have resources to manage WAF?
• Need to maintain app blocking control?
• Willing to use professional services?
• PCI compliance challenges
• VA/DAST part of app development/protection
• Must protect cloud-based apps
• Must protect tier 2 apps
• Prefer outsourcing app security
• Require 3rd-party policy creation with 24x7x365 support
Hybrid WAF deployment
Application Protection: Cloud-based and On-premises
Diagram labels:
• Cloud: WAF, DDoS; Volumetric DDoS protection, managed application firewall service, zero-day threat mitigation with iRules; Threat Intelligence Feed; Legitimate Users; Attackers (Scanner, Anonymous Proxies, Anonymous Requests, Botnet Attackers)
• ISP a/b: multiple ISP strategy; Customer Router; Signaling: hybrid integration with ADC to synchronise threat information and request service
• Network tier: Next-Generation Firewall, Corporate Users; Network attacks: ICMP flood, UDP flood, SYN flood; DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
• Data Center Firewall, IPS, Strategic Point of Control
• Application tier: WAF; HTTP attacks: Slowloris, slow POST, recursive POST/GET; SSL attacks: SSL renegotiation, SSL flood; Financial Services, E-Commerce, Subscriber
Best Practices in Protecting Your Applications
Comprehensive Security Solutions for the New Perimeter
APPLICATION ACCESS / APPLICATION PROTECTION
Solution areas: Remote Access, SSL Inspection, Network Firewall, Enterprise Mobility Gateway, Secure Web Gateway, Traffic Management, DDoS Protection, Web Fraud Protection, Web App Firewall, Access Federation, App Access Management, DNS Security
Confidentiality, Integrity, Availability
Risk-Based Policies, Intelligence and Visibility, Hybrid Delivery
Timo Lohenoja, CISSP, Systems Engineer