NEXT GENERATION APP SECURITY

Paolo Arcagni, p.arcagni@f5.com
SE Manager Italy & Malta


Maintaining Security Is Challenging

Webification of apps
• 71% of internet experts predict most people will do work via web or mobile by 2020.

Device proliferation
• 95% of workers use at least one personal device for work.
• 130 million enterprises will use mobile apps by 2014.

Evolving security threats
• 58% of all e-theft tied to activist groups.
• 81% of breaches involved hacking.

Shifting perimeter
• 80% of new apps will target the cloud.
• 72% of IT leaders have or will move applications to the cloud.

Your Business Needs

• To scale: Scale for a work-anywhere / SSL everywhere world.
• To secure: Security for applications and data against sustained attacks.
• To simplify: Simplification of point solutions and complex firewall configurations.

The 21st century application infrastructure

• Users are going mobile
• Cloud and SaaS based applications are being deployed more than, and faster than, ever before
• Every application is a Web application
• 20% of F5 customers have a cloud first strategy

The State of Application Delivery, F5 Networks, Jan. 2015

Attack Threats: Pay up or Else!

April - May of 2015: emails sent to legitimate businesses with the threat of massive DDoS attacks

• DD4BC claims ~400 Gbps
• Extortion demands starting at 25 Bitcoins
• Initially targeted Bitcoin, Payment providers, banks and now moving to other targets
• UDP Amplification Attacks (NTP, SSDP, DNS); TCP SYN Floods; and Layer 7 attacks

[Image: Sample from actual email]

© F5 Networks, Inc

Introducing F5’s Application Delivery Firewall
Aligning applications with firewall security

One platform

• SSL inspection
• Traffic management
• DNS security
• Access control
• Application security
• Network firewall
• DDoS mitigation

EAL2+ EAL4+ (in process)

Firewall Technologies

A long time ago…
Firewalls started out as proxies to maximize security

and then…
Stateless filters accelerated firewalls, but weakened security

present day…
Stateful and next-gen firewalls added security with deep inspection, but still fall short of proxies

and now with F5!
F5 brings full proxy back to firewalls: highest security matched by a high-scale and high-performance architecture

Full Proxy Security

[Diagram: Client and Server stacks, each with Web application, Application, Session, Network and Physical layers]

• Web application: Application health monitoring and performance anomaly detection
• Application: HTTP proxy, HTTP DDoS and application security
• Session: SSL inspection and SSL DDoS mitigation
• Network: L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation

Application Delivery Firewall
Products

SSL inspection, Traffic management, DNS security, Access control, Application security, Network firewall, DDoS mitigation

Advanced Firewall Manager
• Stateful full-proxy firewall
• Flexible logging and reporting
• Native TCP, SSL and HTTP proxies
• Network and Session anti-DDoS

Access Policy Manager
• Dynamic, identity-based access control
• Simplified authentication infrastructure
• Endpoint security, secure remote access

Local Traffic Manager
• #1 application delivery controller
• Application fluency
• App-specific health monitoring

Application Security Manager
• Leading web application firewall
• PCI compliance
• Virtual patching for vulnerabilities
• HTTP anti-DDoS
• IP protection

Global Traffic Manager & DNSSEC
• Huge scale DNS solution
• Global server load balancing
• Signed DNS responses
• Offload DNS crypto

IP Intelligence
• Context-aware security
• IP address categorization
• IP address geolocation

iRules extensibility everywhere

PROTECTING THE DATA CENTER
Use case

Before f5
• Network DDoS
• Web Access Management
• Application DDoS
• Firewall
• Load Balancer
• DNS Security
• Web Application Firewall
• Load Balancer & SSL

with f5
• Consolidation of firewall, app security, traffic management
• Protection for data centers and application servers
• High scale for the most common inbound protocols


DDoS MITIGATION
Use case

OSI stack: Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1)

Increasing difficulty of attack detection

• Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
• Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
• Application attacks: Slowloris, Slow Post, HashDos, GET Floods

F5 mitigation technologies

• BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.
• BIG-IP LTM and GTM: High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
• BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

• Protect against DDoS at all layers – 38 vectors covered
• Withstand the largest attacks
• Gain visibility and detection of SSL encrypted attacks

Introducing F5 Silverline

F5 Silverline
Enterprise-grade application services in minutes

Rapidly deploy enterprise-grade application services across hybrid environments with 24x7x365 support from F5 experts.

F5 Silverline cloud-based application services
• Web Application Firewall
• DDoS Protection
• 24x7x365 Expert Support

F5 Silverline: Key Benefits

Drive operational and cost efficiencies
Improve operational efficiency and decrease IT overhead by rapidly deploying Silverline services in minutes and outsourcing support to F5 experts offering the highest level of 24x7x365 service.

Deliver app services, anywhere
Ensure your applications are available and secure no matter where they reside. Enable cloud migration by deploying Silverline application services across hybrid environments in conjunction with existing BIG-IP deployments.

Cloud based, enterprise-grade
Built on F5’s industry leading BIG-IP solutions, Silverline application services are enterprise-grade, highly programmable, and can be configured to maintain consistency with your existing BIG-IP implementations.

F5 Silverline Services

Defend against DDoS attacks and keep your business online with the Silverline DDoS Protection cloud-scrubbing service to detect and mitigate even the largest of volumetric DDoS attacks before they reach your network.

Protect web applications and data, and enable compliance, such as PCI DSS, with the Silverline Web Application Firewall service which is built on BIG-IP® Application Security Manager™ (ASM) with expert policy setup and fine-tuning.

Global Coverage
Fully redundant and globally distributed data centers world wide in each geographic region
• San Jose, CA US
• Ashburn, VA US
• Frankfurt, DE
• Singapore, SG

24/7 Support
F5 Security Operations Center (SOC) is available 24x7x365 with security experts ready to respond to DDoS attacks and build WAF policies within minutes
• Seattle, WA US

Industry-Leading Bandwidth
• Attack mitigation bandwidth capacity over 2.0 Tbps
• Scrubbing capacity of over 1.0 Tbps
• Guaranteed bandwidth with Tier 1 carriers

F5 Offers Comprehensive DDoS Protection

[Diagram: reference architecture. Traffic sources: Scanner, Anonymous Proxies, Anonymous Requests, Botnet, Attackers, DDoS Attackers, Legitimate Users, Corporate Users. Tiers: Cloud, Network and DNS, Application. Other labels: Threat Intelligence Feed, Next-Generation Firewall, IPS, F5 Silverline, Strategic Point of Control. Protected services: Financial Services, E-Commerce, Subscriber.]

Attack types called out in the diagram:
• Volumetric attacks: L3-7 DDoS, floods, known signature attacks
• Network attacks: ICMP flood, UDP flood, SYN flood
• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
• SSL attacks: SSL renegotiation, SSL flood
• HTTP attacks: Slowloris, slow POST, recursive POST/GET

Other callouts:
• Multiple ISP strategy
• CPE Cloud Signaling: Bad Actor IPs, Whitelist/blacklist data
• 24/7 expert support: security operations center

Protect web apps, anywhere
Easily extend WAF protections to SaaS and cloud apps

Protect web apps, no matter where they reside with consistent policies and compliance across hybrid environments, in conjunction with BIG-IP deployments.

F5 Delivers to Support Your Needs

• Increased scale and performance: Industry-leading capacity and throughput.
• Higher security: Full-proxy security, SSL inspection, and extensibility with iRules.
• Operational efficiency: Consolidation of functions and an application-centric security model.

www.F5.com