NEXT GENERATION APP SECURITY
Paolo Arcagni – [email protected]
SE Manager Italy & Malta

Maintaining Security Is Challenging

Webification of apps
• 71% of internet experts predict most people will do work via web or mobile by 2020.

Device proliferation
• 95% of workers use at least one personal device for work.
• 130 million enterprises will use mobile apps by 2014.

Evolving security threats
• 58% of all e-theft tied to activist groups.
• 81% of breaches involved hacking.

Shifting perimeter
• 80% of new apps will target the cloud.
• 72% of IT leaders have or will move applications to the cloud.

Your Business Needs

To scale
• Scale for a work-anywhere / SSL everywhere world.

To secure
• Security for applications and data against sustained attacks.

To simplify
• Simplification of point solutions and complex firewall configurations.

The 21st century application infrastructure
• Users are going mobile
• Cloud and SaaS based applications are being deployed more than, and faster than, ever before
• Every application is a Web application
• 20% of F5 customers have a cloud first strategy
The State of Application Delivery, F5 Networks, Jan. 2015

Attack Threats: Pay up or Else!
April - May of 2015: emails sent to legitimate businesses with the threat of massive DDoS attacks
• DD4BC claims ~400 Gbps
• Extortion demands starting at 25 Bitcoins
• Initially targeted Bitcoin, Payment providers, banks and now moving to other targets
• UDP Amplification Attacks (NTP, SSDP, DNS); TCP SYN Floods; and Layer 7 attacks
[Figure: Sample from actual email]

Introducing F5’s Application Delivery Firewall
Aligning applications with firewall security

One platform
• SSL inspection
• Traffic management
• DNS security
• Access control
• Application security
• Network firewall
• DDoS mitigation
EAL2+
EAL4+ (in process)

Firewall Technologies
• A long time ago…: Firewalls started out as proxies to maximize security
• and then…: Stateless filters accelerated firewalls, but weakened security
• present day…: Stateful and next-gen firewalls added security with deep inspection, but still fall short of proxies
• and now with F5!: F5 brings full proxy back to firewalls: highest security matched by a high-scale and high-performance architecture

Full Proxy Security
[Diagram: Client / Server stacks with the layers Web application, Application, Session, Network, Physical]
• Application health monitoring and performance anomaly detection
• HTTP proxy, HTTP DDoS and application security
• SSL inspection and SSL DDoS mitigation
• L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation

Application Delivery Firewall
Products
• SSL inspection
• Traffic management
• DNS security
• Access control
• Application security
• Network firewall
• DDoS mitigation

Advanced Firewall Manager
• Stateful full-proxy firewall
• Flexible logging and reporting
• Native TCP, SSL and HTTP proxies
• Network and Session anti-DDoS

Access Policy Manager
• Dynamic, identity-based access control
• Simplified authentication infrastructure
• Endpoint security, secure remote access

Local Traffic Manager
• #1 application delivery controller
• Application fluency
• App-specific health monitoring

Application Security Manager
• Leading web application firewall
• PCI compliance
• Virtual patching for vulnerabilities
• HTTP anti-DDoS
• IP protection

Global Traffic Manager & DNSSEC
• Huge scale DNS solution
• Global server load balancing
• Signed DNS responses
• Offload DNS crypto

IP Intelligence
• Context-aware security
• IP address categorization
• IP address geolocation

iRules extensibility everywhere

PROTECTING THE DATA CENTER
Use case

Before F5
• Network DDoS
• Web Access Management
• Application DDoS
• Firewall
• Load Balancer
• DNS Security
• Web Application Firewall
• Load Balancer & SSL

With F5
• Consolidation of firewall, app security, traffic management
• Protection for data centers and application servers
• High scale for the most common inbound protocols

DDoS MITIGATION
Use case

OSI stack: Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1)
Increasing difficulty of attack detection

Network attacks
• Attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
• F5 mitigation technologies: BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.

Session attacks
• Attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
• F5 mitigation technologies: BIG-IP LTM and GTM: High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Application attacks
• Attacks: Slowloris, Slow Post, HashDos, GET Floods
• F5 mitigation technologies: BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

• Protect against DDoS at all layers – 38 vectors covered
• Withstand the largest attacks
• Gain visibility and detection of SSL encrypted attacks

F5 Silverline
Enterprise-grade application services in minutes
Rapidly deploy enterprise-grade application services across hybrid environments with 24x7x365 support from F5 experts.

F5 Silverline: Cloud-based application services
• Web Application Firewall
• DDoS Protection
• 24x7x365 Expert Support

F5 Silverline: Key Benefits

Drive operational and cost efficiencies
Improve operational efficiency and decrease IT overhead by rapidly deploying Silverline services in minutes and outsourcing support to F5 experts offering the highest level of 24x7x365 service.

Deliver app services, anywhere
Ensure your applications are available and secure no matter where they reside. Enable cloud migration by deploying Silverline application services across hybrid environments in conjunction with existing BIG-IP deployments.

Cloud based, enterprise-grade
Built on F5’s industry leading BIG-IP solutions, Silverline application services are enterprise-grade, highly programmable, and can be configured to maintain consistency with your existing BIG-IP implementations.

F5 Silverline Services

Defend against DDoS attacks and keep your business online with the Silverline DDoS Protection cloud-scrubbing service to detect and mitigate even the largest of volumetric DDoS attacks before they reach your network.

Protect web applications and data, and enable compliance, such as PCI DSS, with the Silverline Web Application Firewall service which is built on BIG-IP® Application Security Manager™ (ASM) with expert policy setup and fine-tuning.

Global Coverage
Fully redundant and globally distributed data centers world wide in each geographic region
• San Jose, CA US
• Ashburn, VA US
• Frankfurt, DE
• Singapore, SG
• Seattle, WA US

24/7 Support
F5 Security Operations Center (SOC) is available 24x7x365 with security experts ready to respond to DDoS attacks and build WAF policies within minutes

Industry-Leading Bandwidth
• Attack mitigation bandwidth capacity over 2.0 Tbps
• Scrubbing capacity of over 1.0 Tbps
• Guaranteed bandwidth with Tier 1 carriers

F5 Offers Comprehensive DDoS Protection
[Architecture diagram. Labels: Threat Intelligence Feed; Scanner, Anonymous Proxies, Anonymous Requests, Botnet, Attackers; DDoS Attackers; Legitimate Users; Corporate Users; Cloud, Network and DNS, and Application tiers; Multiple ISP strategy; Next-Generation Firewall; IPS; F5 Silverline; Strategic Point of Control; Financial Services, E-Commerce, Subscriber]
• Volumetric attacks: L3-7 DDoS, floods, known signature attacks
• Network attacks: ICMP flood, UDP flood, SYN flood
• SSL attacks: SSL renegotiation, SSL flood
• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
• HTTP attacks: Slowloris, slow POST, recursive POST/GET
• CPE Cloud Signaling: Bad Actor IPs, Whitelist/blacklist data
• 24/7 expert support: security operations center

Protect web apps, anywhere
Easily extend WAF protections to SaaS and cloud apps
Protect web apps, no matter where they reside with consistent policies and compliance across hybrid environments, in conjunction with BIG-IP deployments.

F5 Delivers to Support Your Needs

Increased scale and performance
• Industry-leading capacity and throughput.

Higher security
• Full-proxy security, SSL inspection, and extensibility with iRules.

Operational efficiency
• Consolidation of functions and an application-centric security model.