CONFIDENTIAL Nilesh Mistry Field Systems Engineer [email protected] 732-289-5272 SECURITY TECHTALK THREATS AND MITIGATION

SECURITY TECHTALK: THREATS AND MITIGATION · governmentvideosolutionsforum.com/pdf/F5-CarahsoftSecurityTechTalk... · 26/04/2013 · [email protected] 732-289-5272


Page 1

CONFIDENTIAL

Nilesh Mistry, Field Systems Engineer, [email protected]

SECURITY TECHTALK: THREATS AND MITIGATION

Page 2

As Sun Tzu says "one must not rely on the failure of the enemy to attack, but on the ability of oneself to build an invincible defense."

Page 3

Page 4

© F5 Networks, Inc.

The big problem: the boundaries of the data center have disappeared

Diagram labels: Enterprise data center; Data center / private cloud; Customer; Hacker; Partners, suppliers; Internet data center; Cloud; Enterprise headquarters; Enterprise remote office; Mobile user.

Drivers shown on the diagram:
• BYOD: multiple devices
• Partner | Vendor access
• Application diversity
• The cloud
• Customer access
• Global access
• Remote access

Page 5

Security is challenging

Drivers: webification of apps; device proliferation; evolving security threats; shifting perimeter.

71% of internet experts predict most people will do work via web or mobile by 2020.
95% of workers use at least one personal device for work.
130 million enterprises will use mobile apps by 2014.
58% of all e-theft tied to activist groups.
81% of breaches involved hacking.
80% of new apps will target the cloud.
72% of IT leaders have or will move applications to the cloud.

Page 6

Cybertheft heists $1 million from Leavenworth hospital

April 26, 2013

Stanford University hacked, becomes latest data breach victim

As a precautionary measure in the wake of an apparent breach in its information technology infrastructure, Stanford University is asking all SUNet ID holders to update their passwords...

A sophisticated hacker took command of large portions of the University of Washington Medical Center's internal network earlier this year, and downloaded computerized admissions records for four thousand heart patients, SecurityFocus.com has learned.

"All the data taken from these computers was taken over the Internet."

U.S. Government Online Security Website Hacked: Hackers under the AntiSec banner appeared to have hacked late Monday the website of OnGuardOnline.gov, the U.S. federal government's online security website, in protest against controversial legislation.

Page 7

Once limited to only a few, attackers are coming out in record numbers thanks to automated tools.

Page 8

Pre-packaged: automated hacking tools are an increasing problem

Page 9

Page 10

I am not a target: automation with context. SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters.

Page 11

What does a compromised PC/server mean to a hacker?

Page 12

Spotlight: Operation Ababil – September 2012

Izz ad-Din al-Qassam Cyber Fighters: DDoS attacks on various financial institutions. Peak attacks 75G, including a mix of layer 3, 4, 5 and 7 attacks.

The Cyber Fighters appeared to have performed extensive network reconnaissance on data centers for each of the targets. Network reconnaissance likely included timing information on all available links and database queries.

Page 13

Cyber Fighter "Insult Metric to Attack Time" formula (based on the popularity of the "Innocence of Muslims" video):

T = 26546482 (total views)
L = 73721 (total likes)
D = 194906 (total dislikes)
DF = 10 (coefficient dislike factor)
CF = 100$ (ransom per each view/like)
C = 30000$ (approximate cost on US banks per each DDoS minute)

TC = (T + L - DF*D) * CF = 2,467,114,300$
TM = TC / C = 82237 minutes
S = 420 minutes

===> TD = TM / S = 196 days

PD = (6-1+4)*3 = 27 days
REM = TD - PD = 169 days (about 56 weeks or 14 months)

Page 14

PROBLEM

Page 15

SOLUTION?

Page 16

F5: An Intelligent Services Platform. F5 makes the connected world run better.

Platform: TMOS on hardware and software, extended through iRules, iControl and iApps; Secure, Available, Fast.

F5 solutions available today:
• Application Delivery Controller
• Mobile optimization solution
• Application Delivery Firewall
• Mobile User and Application Access Management
• WAN Opt and WAN acceleration
• DNS Delivery Services
• Local and Global Load Balancer

Diagram labels: DevCentral user community; Programmable/Extensible; Enterprise; Foundation; Customizable traffic management; Intelligent, integrated; Context aware; Scale; Intelligent ecosystem.

Page 17

F5 protects your apps wherever they live. F5 gives you secure access to apps from anywhere.

Diagram (Users to Resources, over TMOS): Network Firewall, Protocol Security, DDoS Protection, Dynamic Threat Defense, DNS, Web Access.

Page 18

• Context based identity control
• L3-L7 access control at scale
• Fast application performance
• BYOD policy creation & enforcement
• Better compliance & governance

Page 19

• Visibility, speed, and control
• Significant consolidation opportunity
• Complete SSL visibility
• Protection against web attacks
• DDoS threats mitigated
• Application management

Page 20

F5 provides complete visibility and control across applications and users.

Page 21

Firewall Technologies: a long time ago… and then… present day… and now with F5!

• A long time ago: firewalls started out as proxies to maximize security.
• And then: stateless filters accelerated firewalls, but weakened security.
• Present day: stateful and next-gen firewalls added security with deep inspection, but still fall short of proxies.
• Now with F5: F5 brings full proxy back to firewalls: the highest security matched by a high-scale and high-performance architecture.

Page 22

Full Proxy Security

The proxy sits between client and server with separate client-side and server-side stacks at each layer (Physical, Network, Session, Application, Web application):
• Network: L4 Firewall – full stateful policy enforcement and TCP DDoS mitigation
• Session: SSL inspection and SSL DDoS mitigation
• Application: HTTP proxy, HTTP DDoS and application security
• Web application: application health monitoring and performance anomaly detection

Page 23

F5's Approach: full proxy security on high-performance hardware, with iRules and the iControl API

• TMOS traffic plug-ins
• High-performance networking microkernel
• Powerful application protocol support
• iControl—External monitoring and control
• iRules—Network programming language

Traffic management microkernel diagram: client-side and server-side proxy stacks (IPv4/IPv6, SSL, TCP, HTTP, OneConnect); optional modules (APM, Firewall, …) plug in for all F5 products and solutions.

Page 24

Superior Performance and Scale (chart): F5 (VIPRION 4800) compared with Juniper (SRX 5800), Cisco (ASA 5585-X) and Check Point (61000) on throughput (Gbps), connections per second (millions), sessions (millions) and footprint (rack units); callouts on the chart: 4x, 21x, 17x, 14x.

Page 25

Application-Oriented Policies and Reports

Firewall policies and reports oriented around the application

Page 26

Splunk Integration: application-centric SIEM

F5 reporting to Splunk: start with application-centric views and drill down to more details. At-a-glance visibility and intelligence for ADF's context-aware security. (Views: high level, detailed, very detailed.)

Page 27

PROTECTING THE DATA CENTER – use case

• Consolidation of firewall, app security, traffic management
• Protection for data centers and application servers
• High scale for the most common inbound protocols

"Before F5" / "with F5" diagram labels: Load Balancer; DNS Security; Network DDoS; Web Application Firewall; Web Access Management; Load Balancer & SSL; Application DDoS; Firewall.

Page 28


Page 29

IP INTELLIGENCE

IP intelligence service: an IP address feed that updates every 5 min, backed by a geolocation database, in front of custom and financial applications. Threat categories on the diagram: internally infected devices and servers; botnet; attacker; anonymous requests; anonymous proxies; scanner; restricted region or country.

Page 30

DDoS MITIGATION – use case

• Protect against DDoS at all layers – 38 vectors covered
• Withstand the largest attacks
• Gain visibility and detection of SSL encrypted attacks

F5 mitigation technologies by OSI layer (Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7); increasing difficulty of attack detection up the stack):

Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
Mitigation: BIG-IP AFM – SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
Mitigation: BIG-IP LTM and GTM – high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Application attacks: Slowloris, Slow Post, HashDos, GET Floods
Mitigation: BIG-IP ASM – positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

Page 31

DDoS Attacks Exhaust Network Resources

Resources consumed in order: BANDWIDTH >> PACKET >> CONNECTION >> OS >> HTTP(s) >> APP (PHP/ASP) >>> DB

Bandwidth carriers: ISP's bandwidth, your bandwidth.

Devices in the path: Firewall, DDoS appliance, APP accelerator, Load balancer, Web servers, Database.

Exhaustion points shown on the diagram: State table: too many connections; State table: TCP flood; State table: IPs; State table: ACL performance degradation; Negative caching; Proxy bypass; Connection flood; Memory exhaustion; Many: thread jam; Many: CPU; Database load; Log attack; Low & slow; Layer 7 – random; Layer 7 – logical.

Page 32

Which DDoS mitigation to use?

Cloud/Hosted Service: Content Delivery Network; Carrier Service Provider; Cloud-based DDoS Service.

On-Premise Defense: Network firewall with SSL inspection; Web Application Firewall; On-premise DDoS solution; Intrusion Detection/Prevention.

Page 33

The answer: "All of the above"

Page 34

Why isn't an anti-DDoS service enough?

From attack to protection, cloud-based scrubbing involves time-consuming steps. Cloud scrubbers are expensive, and financial approval for activation takes up to an hour. Re-routing traffic itself can take up to 2 hours… but the average attack lasts only 54 minutes. And 25% of attack traffic is application based, probably SSL-encrypted and invisible to the scrubber.

For full-pipe attacks, there is no substitute for a cloud-based or service-provider DDoS service. But how many attacks are full-pipe, and what about encrypted attacks?

Page 35

Introducing the F5 Application Delivery Firewall: bringing deep application fluency to firewall security

One platform: SSL inspection; traffic management; DNS security; access control; application security; network firewall; DDoS mitigation. Certification: EAL2+, EAL4+ (in process).

Page 36

Network-Based Attacks: Layer 2 – Layer 4 attacks

• Send overwhelming amount of network traffic
• Either affects the victim or a device in front of the victim
• Effectively denies service for legitimate traffic
• Can use multiple clients
• More difficult to block
• Ties up stateful connection mechanisms
• Fills up flow tables for stateful devices that monitor connections
• Attacks rarely fill or exceed throughput capacity

OSI stack shown (Application, Presentation, Session, Transport, Network, Data Link, Physical), annotated "increasingly difficult to detect" and "increasing risk of service outage".

Page 37

Network-Based Attacks: the TCP 3-way handshake, used to establish TCP sessions

Client -> Server: SYN
Server -> Client: SYN/ACK
Client -> Server: ACK

SYN = synchronize, ACK = acknowledgement

Page 38

Network-Based Attacks: SYN flood – exploits the 3-way handshake

The attacker (122.15.29.75) sends SYNs with spoofed source addresses (SYN from 2.3.4.5, and likewise 3.4.5.6, 4.5.6.7, 1.2.3.4, 5.6.7.8, 6.7.8.9, 7.8.9.10). The victim answers each with a SYN/ACK to the spoofed address and keeps a half-open TCP connection in its TCP connection table, waiting for an ACK that never arrives ("?"). A typical TCP connection timeout is around 30 seconds.
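To show the defender's side of the half-open table problem, here is an added example (not from the slides or from F5) of SYN cookies in Python: the server encodes the state it would otherwise keep per SYN into the SYN/ACK sequence number, and a small simulation replays spoofed SYNs against a conventional 1000-entry table and against the cookie listener. The addresses, the 1000-entry capacity and the cookie bit layout are assumptions.

```python
import hashlib
import hmac
import os
import struct

# Constructed example: a server-side secret (rotated periodically in practice) and the
# MSS values that fit in the cookie's 2-bit MSS field.
SECRET = os.urandom(32)
MSS_TABLE = (536, 1220, 1440, 1460)
COOKIE_PERIOD = 64  # seconds per tick of the 6-bit time counter


def _tick(now):
    return int(now // COOKIE_PERIOD) & 0x3F


def _mac24(client, server, client_isn, tick):
    # client/server are (ip, port) tuples; the MAC binds the cookie to this 4-tuple,
    # the client's initial sequence number and the time tick it was minted in.
    msg = ("%s:%d>%s:%d" % (client[0], client[1], server[0], server[1])).encode()
    msg += struct.pack("!IB", client_isn & 0xFFFFFFFF, tick)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(client, server, client_isn, mss, now):
    """Server ISN for the SYN/ACK: 6 bits of time, 2 bits of MSS index, 24 bits of MAC."""
    tick = _tick(now)
    mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return (tick << 26) | (mss_idx << 24) | _mac24(client, server, client_isn, tick)


def check_syn_cookie(client, server, client_isn, ack_num, now):
    """Validate the final ACK of the handshake; return the MSS to use, or None."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    tick, mss_idx = cookie >> 26, (cookie >> 24) & 0x3
    if (_tick(now) - tick) & 0x3F > 1:  # minted more than two ticks ago: stale
        return None
    expected = _mac24(client, server, client_isn, tick).to_bytes(3, "big")
    if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None  # forged, or replayed for a different 4-tuple / client ISN
    return MSS_TABLE[mss_idx]


class StatefulListener:
    """Conventional listener: one half-open entry per SYN until the ACK or a 30 s timeout."""

    def __init__(self, capacity, timeout=30.0):
        self.capacity, self.timeout, self.half_open = capacity, timeout, {}

    def on_syn(self, client, client_isn, now):
        self.half_open = {k: exp for k, exp in self.half_open.items() if exp > now}
        if len(self.half_open) >= self.capacity:
            return False  # table full: this SYN, legitimate or not, is dropped
        self.half_open[(client, client_isn)] = now + self.timeout
        return True


class CookieListener:
    """SYN-cookie listener: nothing is stored until the ACK proves the client is real."""

    def __init__(self, server):
        self.server, self.established = server, []

    def on_syn(self, client, client_isn, mss, now):
        return make_syn_cookie(client, self.server, client_isn, mss, now)  # ISN for SYN/ACK

    def on_ack(self, client, client_isn, ack_num, now):
        mss = check_syn_cookie(client, self.server, client_isn, ack_num, now)
        if mss is not None:
            self.established.append((client, mss))
        return mss is not None


def simulate_flood(n_spoofed, capacity=1000, now=0.0):
    """Replay the slide's scenario: spoofed SYNs whose SYN/ACKs are never answered."""
    stateful, cookies = StatefulListener(capacity), CookieListener(("10.0.0.1", 443))
    for i in range(n_spoofed):
        spoofed = ("198.51.100.%d" % (i % 254 + 1), 40000 + i)  # constructed addresses
        stateful.on_syn(spoofed, i, now)        # burns a table slot for 30 s
        cookies.on_syn(spoofed, i, 1460, now)   # SYN/ACK goes out; no state is kept
    legit = ("203.0.113.7", 51000)
    stateful_ok = stateful.on_syn(legit, 777, now)
    isn = cookies.on_syn(legit, 777, 1460, now)
    cookie_ok = cookies.on_ack(legit, 777, isn + 1, now + 0.2)
    return {"stateful_half_open": len(stateful.half_open), "stateful_accepted": stateful_ok,
            "cookie_accepted": cookie_ok}
```

The cookie listener loses the ability to carry TCP options beyond the encoded MSS, which is why real stacks switch cookies on only once the half-open table is under pressure.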

Page 39

SSL / TLS Attacks: Layer 5 – Layer 6 attacks

SSL renegotiation | SSL connection floods

OSI stack shown (Application down to Physical), annotated "increasing difficulty to detect" and "increasing risk of service outage".

Page 40

SSL / TLS Attacks: SSL renegotiation attack

The attacker spends 1X of work per renegotiation while the victim HTTPS web server spends 15X, and the attacker repeats the SSL renegotiation over and over. Any HTTPS server is vulnerable.
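An added example (not F5 code) of the "SSL renegotiation validation" kind of mitigation listed on page 30: a sliding-window guard that limits client-initiated renegotiations per connection, with a small driver that tallies the work each side does using the slide's 1X / 15X ratio. The limit of 5 renegotiations per 60 seconds is an assumption.

```python
from collections import defaultdict, deque


class RenegotiationGuard:
    """Constructed per-connection limiter for client-initiated TLS renegotiation.

    Each renegotiation costs the server roughly 15x the CPU it costs the client
    (the slide's 1X / 15X), so one connection looping on renegotiation can burn a
    server's cores almost for free. The guard allows at most `max_renegs`
    renegotiations per `window` seconds on a connection; past that it tells the
    caller to reject the renegotiation and close the connection.
    """

    def __init__(self, max_renegs=5, window=60.0):
        self.max_renegs, self.window = max_renegs, window
        self._recent = defaultdict(deque)   # conn_id -> timestamps inside the window

    def on_renegotiation(self, conn_id, now):
        """Return True to allow the renegotiation, False to reject and close."""
        q = self._recent[conn_id]
        while q and now - q[0] > self.window:
            q.popleft()                     # slide the window forward
        if len(q) >= self.max_renegs:
            return False
        q.append(now)
        return True

    def on_close(self, conn_id):
        self._recent.pop(conn_id, None)     # forget state for closed connections


def renegotiation_loop(guard, conn_id, attempts, interval, server_cost=15, client_cost=1):
    """Drive one connection through renegotiations `interval` seconds apart; tally the work."""
    allowed = 0
    for i in range(attempts):
        if not guard.on_renegotiation(conn_id, i * interval):
            guard.on_close(conn_id)
            break                           # connection closed by policy
        allowed += 1
    return {"allowed": allowed, "closed": allowed < attempts,
            "server_work": allowed * server_cost, "client_work": allowed * client_cost}
```

A tight loop is cut off after the fifth renegotiation, while a client that renegotiates every 20 seconds never trips the limit because old entries age out of the window.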

Page 41

SSL Renegotiation: Attempted against a BIG-IP in the field. Mitigated by F5 FSE.

Page 42

DNS Attacks

• When DNS is disrupted, all services are affected
• Even attacks not intended to target DNS can bring down DNS servers
• DNS attacks have two characteristics: they are easy to generate, and they are difficult to defend against
• DNS servers will continue to be popular targets

Page 43

DNS Attacks: normal DNS communications

1. The client asks its Local DNS: Query: www.secureco.com?
2. The Local DNS has no cache entry ("?") and asks the Internet DNS: Query: www.secureco.com?
3. The Internet DNS answers: Response: 20.35.50.65
4. The Local DNS caches www.secureco.com: 20.35.50.65 and answers the client: Response: 20.35.50.65
5. The client sends its SYN request to www.secureco.com (20.35.50.65)

Page 44

DNS Attacks: DNS cache poisoning

The lookup of www.secureco.com proceeds as on the previous page (Query: www.secureco.com? / Response: 20.35.50.65 / cached as www.secureco.com: 20.35.50.65 / SYN request to 20.35.50.65). Then the client asks the Local DNS: Query: www.nicebank.com?; the Local DNS forwards Query: www.nicebank.com? to the Internet DNS; the attacker sends fake responses (www.nicebank.com: 100.150.200.250) to the Local DNS, which caches the fake entry and answers the client with Response: 100.150.200.250; the client sends its SYN request to 100.150.200.250 instead of the real www.nicebank.com.

TTL, or time-to-live, determines how long the entry remains in cache.
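As an added example (not part of the slides), a Python model of the Local DNS resolver that makes the poisoning attempt above fail: it accepts a response only when the transaction ID and the randomized source port match an outstanding query, caches only records inside the queried zone's bailiwick, and clamps attacker-chosen TTLs. The genuine www.nicebank.com address 192.0.2.10 and the random seed are constructed.

```python
import random
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Query:
    txid: int       # 16-bit transaction ID
    src_port: int   # randomized UDP source port
    qname: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    qname: str
    answers: tuple  # (name, ip, ttl) records


@dataclass
class Resolver:
    """Constructed model of a caching resolver (the slides' Local DNS)."""
    rng: random.Random = field(default_factory=random.Random)
    max_ttl: int = 3600
    cache: dict = field(default_factory=dict)    # name -> (ip, ttl)
    pending: dict = field(default_factory=dict)  # (txid, port) -> Query
    rejected: int = 0

    def send_query(self, qname):
        """Mint an outstanding query with a random ID and source port (~2^32 combinations)."""
        q = Query(self.rng.getrandbits(16), self.rng.randint(1024, 65535), qname)
        self.pending[(q.txid, q.src_port)] = q
        return q

    @staticmethod
    def in_bailiwick(name, qname):
        # A server asked about www.secureco.com may only speak for secureco.com and below.
        zone = qname.split(".", 1)[1]
        return name == zone or name.endswith("." + zone)

    def receive(self, r):
        """Accept only a response matching an outstanding query; cache in-bailiwick records."""
        q = self.pending.get((r.txid, r.dst_port))
        if q is None or q.qname != r.qname:
            self.rejected += 1
            return False
        del self.pending[(r.txid, r.dst_port)]
        for name, ip, ttl in r.answers:
            if self.in_bailiwick(name, q.qname):
                self.cache[name] = (ip, min(ttl, self.max_ttl))  # clamp attacker-chosen TTLs
        return True


FAKE_NICEBANK = ("www.nicebank.com", "100.150.200.250", 86400)  # the slide's fake response
REAL_NICEBANK = ("www.nicebank.com", "192.0.2.10", 300)          # constructed genuine answer
REAL_SECURECO = ("www.secureco.com", "20.35.50.65", 86400)       # the slide's genuine answer


def demo(seed=7):
    """Replay the slide's poisoning attempt against the hardened resolver (constructed traffic)."""
    r = Resolver(rng=random.Random(seed))
    q1 = r.send_query("www.nicebank.com")
    # 1. Attacker guesses transaction IDs but replies to the classic port 53: every one is dropped
    flood = [Response(txid, 53, "www.nicebank.com", (FAKE_NICEBANK,)) for txid in range(2000)]
    flood_rejected = sum(not r.receive(f) for f in flood)
    r.receive(Response(q1.txid, q1.src_port, "www.nicebank.com", (REAL_NICEBANK,)))
    # 2. A later answer for secureco.com carrying an extra nicebank record cannot overwrite the cache
    q2 = r.send_query("www.secureco.com")
    r.receive(Response(q2.txid, q2.src_port, "www.secureco.com", (REAL_SECURECO, FAKE_NICEBANK)))
    # 3. A late forgery with the right ID and port finds no outstanding query
    late = r.receive(Response(q1.txid, q1.src_port, "www.nicebank.com", (FAKE_NICEBANK,)))
    return {"flood_rejected": flood_rejected,
            "nicebank": r.cache["www.nicebank.com"],
            "secureco": r.cache["www.secureco.com"],
            "late_accepted": late}
```

ID and port randomization only raise the cost of guessing a matching reply; they do not authenticate the answer itself, so the bailiwick and TTL limits bound the damage when a guess does land.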

Page 45

Application-Based Attacks: several application-based attack types

Slowloris | Slow POST | Keep Dead | HashDos | Slow Read | #RefRef

OSI stack shown (Application down to Physical), annotated "increasingly difficult to detect" and "increasing risk of service outage".

Page 46

Application-Based Attacks: Slowloris – exploits the idle timeout value

Victim idle timeout: 300 seconds. The attacker opens connections and sends a partial HTTP request on each, waits ………….. 299 seconds, then sends another fragment of the partial HTTP request, so the idle timer never expires. Concurrent connections grow 1, 2, 10, 20, 50, 200, 350 until 394 connections are open. Time out value? 300 seconds.

Page 47

Application-Based Attacks: Slow POST attack

Victim idle timeout: 300 seconds. The attacker sends HTTP POST with Content-Length: 99999 on each connection and then trickles the body: the server is expecting 99999 bytes, bytes received: 12, bytes expected: 99999. Concurrent connections grow 1, 2, 10, 20, 50, 200, 350.

Page 48

HashDos: the "HashDos" vulnerability affects all major web servers and application platforms. A single DevCentral iRule on the VIPRION mitigates the vulnerability for all back-end services, so staff can schedule patches for back-end services on their own timeline.

Page 49

Multiple Security Layers

RFC enforcement
• Various HTTP limits enforcement

Profiling of good traffic
• Defined list of allowed file types, URIs, parameters
• Each parameter is evaluated separately for: predefined value, length, character set, attack patterns
• Looking for pattern matching signatures

Responses are checked as well

Page 50

1 Start by checking RFC compliance
2 Then check for various length limits in the HTTP
3 Then we can enforce valid types for the application
4 Then we can enforce a list of valid URLs
5 Then we can check for a list of valid parameters
6 Then for each parameter we will check for max value length
7 Then scan each parameter, the URI, the headers

Sample request:

GET /search.php?name=Acme’s&admin=1 HTTP/1.1
Host: 172.29.44.44
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1)
Accept:text/html,application/xhtml+xml,application/xml;q=0.9
Referer: http://172.29.44.44/search.php?q=data
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;
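An added Python example (not an F5 ASM policy) that runs the seven checks above over the slide's request, with a parameter-count cap as the HashDos mitigation from page 48 applied before any parameter is parsed into a hash table. The allowed file types, URLs, parameter character sets and limits are constructed for the /search.php example; the injection and parameter-flood requests are constructed inputs.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed positive-security policy for the slide's /search.php example (not an F5 policy).
POLICY = {
    "methods": {"GET", "POST"},
    "max_url_len": 2048, "max_header_len": 4096, "max_headers": 40,
    "max_params": 100,                  # HashDos mitigation: cap the parameters we will hash
    "file_types": {"php", "html", "css", "js", "png"},
    "urls": {                           # path -> {parameter: allowed character set}
        "/search.php": {"name": r"[A-Za-z0-9 '\-]*", "q": r"[A-Za-z0-9 ]*"},
        "/index.php": {},
    },
    "max_value_len": 64,
}
SIGNATURES = (
    ("sql-injection", re.compile(r"\bor\b\s+[\w']+\s*=\s*[\w']+|\bunion\b\s+select\b|--\s*$", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
    ("xss", re.compile(r"<\s*script", re.I)),
)


def check_request(raw):
    """Run the slide's seven checks in order; return a list of (step, violation)."""
    lines = [line for line in raw.split("\r\n") if line]
    if not lines:
        return [(1, "empty request")]
    req = lines[0].split(" ")
    # 1. RFC compliance: request-line shape, known method, HTTP/1.x, well-formed headers, Host
    if len(req) != 3 or req[0] not in POLICY["methods"] or not req[2].startswith("HTTP/1."):
        return [(1, "malformed request line")]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            return [(1, "malformed header: %r" % line)]
        headers[name] = value.strip()
    if "Host" not in headers:
        return [(1, "missing Host header")]
    v, target = [], req[1]
    url = urlsplit(target)
    # 2. Length limits, including the parameter count, before anything is parsed into a table
    if len(target) > POLICY["max_url_len"]:
        v.append((2, "URL longer than %d" % POLICY["max_url_len"]))
    if len(headers) > POLICY["max_headers"] or any(len(l) > POLICY["max_header_len"] for l in lines):
        v.append((2, "header count or header length limit exceeded"))
    n_params = url.query.count("&") + 1 if url.query else 0
    if n_params > POLICY["max_params"]:
        return v + [(2, "%d parameters exceeds %d" % (n_params, POLICY["max_params"]))]
    # 3. File type allow-list
    ext = url.path.rsplit(".", 1)[1] if "." in url.path else ""
    if ext not in POLICY["file_types"]:
        v.append((3, "file type %r not allowed" % ext))
    # 4. URL allow-list
    allowed = POLICY["urls"].get(url.path)
    if allowed is None:
        return v + [(4, "URL %r not in policy" % url.path)]
    # 5/6. Each parameter: known name, then maximum value length and character set
    params = parse_qsl(url.query, keep_blank_values=True)
    for name, value in params:
        if name not in allowed:
            v.append((5, "parameter %r not in policy" % name))
            continue
        if len(value) > POLICY["max_value_len"]:
            v.append((6, "parameter %r longer than %d" % (name, POLICY["max_value_len"])))
        if not re.fullmatch(allowed[name], value):
            v.append((6, "parameter %r has characters outside its allowed set" % name))
    # 7. Attack signatures over every parameter value, the URI and every header value
    scan = [("uri", target)] + [("param " + n, val) for n, val in params] + \
           [("header " + h, hv) for h, hv in headers.items()]
    for where, text in scan:
        for sig, rx in SIGNATURES:
            if rx.search(text):
                v.append((7, "%s in %s" % (sig, where)))
    return v


# The slide's request (ASCII apostrophe in place of the slide's typographic one).
SLIDE_REQUEST = (
    "GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\nHost: 172.29.44.44\r\n"
    "Connection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    "Referer: http://172.29.44.44/search.php?q=data\r\nAccept-Encoding: gzip,deflate,sdch\r\n"
    "Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
    "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226; \r\n"
)
# Constructed variants: a quote-and-OR probe in q, and a HashDos-style parameter flood.
INJECTION_REQUEST = "GET /search.php?q=x%27+or+%271%27%3D%271 HTTP/1.1\r\nHost: 172.29.44.44\r\n"
HASHDOS_REQUEST = ("GET /search.php?" + "&".join("p%d=1" % i for i in range(101))
                   + " HTTP/1.1\r\nHost: 172.29.44.44\r\n")
```

On the slide's request the only finding is the undeclared `admin` parameter at step 5; the probe fails the character set at step 6 and matches a signature at step 7, and the flood is refused at step 2 before its 101 parameters are ever parsed.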


Page 51

F5 In Action

Page 52