As Sun Tzu says "one must not rely on the failure of the enemy to attack, but on the ability of oneself to build an invincible defense."
© F5 Networks, Inc.
The big problem: the boundaries of the data center have disappeared
Diagram: enterprise data center, data center / private cloud, customer, hacker, partners and suppliers, Internet data center, cloud, enterprise headquarters, enterprise remote office, mobile user.
Drivers: BYOD (multiple devices), partner and vendor access, application diversity, the cloud, customer access, global access, remote access.
Security is challenging
Webification of apps
Device proliferation
Evolving security threats
Shifting perimeter
71% of internet experts predict most people will do work via web or mobile by 2020.
95% of workers use at least one personal device for work.
130 million enterprises will use mobile apps by 2014
58% of all e-theft tied to activist groups.
81% of breaches involved hacking
80% of new apps will target the cloud.
72% IT leaders have or will move applications to the cloud.
Cybertheft heists $1 million from Leavenworth hospital
April 26, 2013
Stanford University hacked, becomes latest data breach victim
As a precautionary measure in the wake of an apparent breach in its information technology infrastructure, Stanford University is asking all SUNet ID holders to update their passwords...
A sophisticated hacker took command of large portions of the University of Washington Medical Center's internal network earlier this year, and downloaded computerized admissions records for four thousand heart patients, SecurityFocus.com has learned.
"All the data taken from these computers was taken over the Internet."
U.S. Government Online Security Website Hacked
Hackers under the AntiSec banner appeared to have hacked late Monday the website of OnGuardOnline.gov, the U.S. federal government's online security website, in protest against controversial legislation.
Once limited to only a few, attackers are coming out in record numbers thanks to automated tools.
Pre-Packaged: Automated hacking tools are an Increasing Problem
I am not a target: Automation with context
SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters.
What does a compromised PC or server mean to a hacker?
Izz ad-Din al-Qassam Cyber Fighters: DDoS attacks on various financial institutions.
Peak attacks of 75G, including a mix of layer 3, 4, 5 and 7 attacks.
Spotlight: Operation Ababil – September 2012
The Cyber Fighters appeared to have performed extensive network reconnaissance on the data centers of each of the targets.
Network reconnaissance likely included timing information on all available links and database queries.
Cyber Fighter "Insult Metric to Attack Time" formula
/* Based on popularity of "Innocence of Muslims" video */
T  = 26546482   /* total views */
L  = 73721      /* total likes */
D  = 194906     /* total dislikes */
DF = 10         /* coefficient dislike factor */
CF = 100$       /* ransom per each view/like */
C  = 30000$     /* approximate cost on US banks per each DDoS minute */
TC = (T + L - DF*D) * CF = 2,467,114,300$
TM = TC / C = 82237 minutes
S  = 420 minutes
===> TD = TM / S = 196 days
PD = (6-1+4)*3 = 27 days
REM = TD - PD = 169 days (about 56 weeks or 14 months)
PROBLEM
SOLUTION ?
iRules iControl iApps
Hardware Software
TMOS
Secure
Available
Fast
F5: An Intelligent Services Platform
F5 makes the connected world run better
• Application Delivery Controller
• Mobile optimization solution
• Application Delivery Firewall
• Mobile User and Application Access Management
• WAN Opt and WAN acceleration
• DNS Delivery Services
• Local and Global Load Balancer
DevCentral User Community
Programmable/Extensible
Enterprise Foundation
Customizable Traffic Management
Intelligent, Integrated, Context aware, Scale
F5 solutions available today: an intelligent ecosystem spanning users and resources
F5 protects your apps wherever they live
F5 gives you secure access to apps from anywhere
TMOS platform modules: Network Firewall | Protocol Security | DDoS Protection | Dynamic Threat Defense | DNS | Web Access
• Context based identity control
• L3-L7 access control at scale
• Fast application performance
• BYOD policy creation & enforcement
• Better compliance & governance
• Visibility, speed, and control
• Significant consolidation opportunity
• Complete SSL visibility
• Protection against web attacks
• DDoS threats mitigated
• Application management
F5 provides complete visibility and control across applications and users.
Firewall Technologies
Firewalls started out as proxies to maximize security.
Stateless filters accelerated firewalls, but weakened security.
Stateful and next-gen firewalls added security with deep inspection, but still fall short of proxies.
F5 brings full proxy back to firewalls: highest security matched by a high-scale and high-performance architecture.
A long time ago… and then… present day… and now with F5!
Full Proxy Security
The client-side and server-side stacks (Physical, Network, Session, Application, Web application) are terminated separately on each side of the proxy:
Network: L4 Firewall, full stateful policy enforcement and TCP DDoS mitigation
Session: SSL inspection and SSL DDoS mitigation
Application: HTTP proxy, HTTP DDoS and application security
Web application: Application health monitoring and performance anomaly detection
Full Proxy Security: high-performance HW | iRules | iControl API
F5's Approach
• TMOS traffic plug-ins
• High-performance networking microkernel
• Powerful application protocol support
• iControl—External monitoring and control
• iRules—Network programming language
Protocol support: IPv4/IPv6, SSL, TCP, HTTP
Optional modules (APM, Firewall, …) plug in for all F5 products and solutions on top of the traffic management microkernel.
Proxy: client side and server side are terminated independently (SSL, TCP, HTTP on each side; OneConnect on the server side).
Superior Performance and Scale
Chart: F5 (VIPRION 4800) compared with Juniper (SRX 5800), Cisco (ASA 5585-X) and Check Point (61000) on four panels: throughput (axis 0–700 Gbps), connections per second and sessions (axes in millions), and footprint (axis 0–200 rack units). Multipliers shown on the chart: 4x, 21x, 17x, 14x.
Application-Oriented Policies and Reports
Firewall policies and reports oriented around the application
Splunk Integration: application-centric SIEM
F5 reporting to Splunk: start with application-centric views and drill down to more details. At-a-glance visibility and intelligence for ADF's context-aware security.
Report views: high level, detailed, very detailed
PROTECTING THE DATA CENTER
Use case
• Consolidation of firewall, app security, traffic management
• Protection for data centers and application servers
• High scale for the most common inbound protocols
Diagram, before F5 and with F5: Load Balancer, DNS Security, Network DDoS, Web Application Firewall, Web Access Management, Load Balancer & SSL, Application DDoS, Firewall
IP INTELLIGENCE
IP intelligence service: IP address feed, updated every 5 minutes, plus a geolocation database
Applications protected: custom application, financial application
Source categories identified: botnet, attacker, anonymous requests, anonymous proxies, scanner, restricted region or country, internally infected devices and servers
DDoS MITIGATION
Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
  Mitigated by BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.
Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
  Mitigated by BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
Application attacks: Slowloris, Slow Post, HashDos, GET Floods
  Mitigated by BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
F5 mitigation technologies mapped to the OSI stack: Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1) (arrow: increasing difficulty of attack detection)
• Protect against DDoS at all layers – 38 vectors covered
• Withstand the largest attacks
• Gain visibility and detection of SSL encrypted attacks
Use case: DDoS Attacks Exhaust Network Resources
Resource chain: BANDWIDTH >> PACKET >> CONNECTION >> OS >> HTTP(s) >> APP (PHP/ASP) >>> DB
Components in the path: bandwidth carriers (ISP's bandwidth, your bandwidth), firewall, DDoS appliance, app accelerator, load balancer, web servers, database
Exhaustion points shown: state table (too many connections, TCP flood, IP's, ACL performance degrade), negative caching, proxy bypass, connection flood, memory exhaustion, thread jam, CPU, database load, log attack, low & slow, layer 7 random, layer 7 logical
Which DDoS mitigation to use?
Cloud/hosted service: Content Delivery Network, carrier service provider, cloud-based DDoS service
On-premise defense: network firewall with SSL inspection, Web Application Firewall, on-premise DDoS solution, intrusion detection/prevention
The answer: "All of the above"
Why isn't an anti-DDoS service enough?
From attack to protection, cloud-based scrubbing involves time-consuming steps. Cloud scrubbers are expensive, and financial approval for activation takes up to an hour. Re-routing traffic itself can take up to 2 hours… but the average attack lasts only 54 minutes. And 25% of attack traffic is application based, probably SSL-encrypted and invisible to the scrubber.
For full-pipe attacks, there is no substitute for a cloud-based or service-provider DDoS service. But how many attacks are full-pipe, and what about encrypted attacks?
Introducing the F5 Application Delivery Firewall
Bringing deep application fluency to firewall security
One platform: SSL inspection, traffic management, DNS security, access control, application security, network firewall, DDoS mitigation
Certification: EAL2+; EAL4+ (in process)
Network-Based Attacks (Layer 2 – Layer 4 attacks)
• Send overwhelming amount of network traffic
• Either affects the victim or a device in front of the victim
• Effectively denies service for legitimate traffic
• Can use multiple clients
• More difficult to block
• Ties up stateful connection mechanisms
• Fills up flow tables for stateful devices that monitor connections
• Attacks rarely fill or exceed throughput capacity
OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical): arrows for increasing difficulty to detect and increasing risk of service outage
Network-Based Attacks: TCP 3-way handshake, used to establish TCP sessions
Client → Server: SYN
Server → Client: SYN/ACK
Client → Server: ACK
SYN = synchronize, ACK = acknowledgement
Network-Based Attacks: SYN flood – exploits the 3-way handshake
The attacker (122.15.29.75) sends SYNs with forged source addresses (2.3.4.5, 3.4.5.6, 4.5.6.7, 1.2.3.4, 5.6.7.8, 6.7.8.9, 7.8.9.10, …). The victim answers each with a SYN/ACK to the forged address and keeps a half-open TCP connection in its TCP connection table, waiting for an ACK that never arrives.
A typical TCP connection timeout is around 30 seconds.
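The standard way to survive the half-open table exhaustion drawn above is to stop storing half-open state at all: the server encodes what it needs into the SYN/ACK's initial sequence number (a SYN cookie) and only allocates a connection when a valid ACK comes back. The mitigation table later on this page lists BIG-IP AFM's SynCheck for the same problem. The Python below is an added example, not F5 code, and is a simplified cookie layout: a 5-bit period counter, a 24-bit HMAC over the 4-tuple, and a 3-bit MSS index packed into 32 bits. SECRET, COUNTER_PERIOD, MSS_TABLE and all addresses are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed secret for the example; a production implementation rotates it.
SECRET = b"example-syn-cookie-secret"

# MSS values that can be encoded in the cookie's low 3 bits (index into this table).
MSS_TABLE = [536, 1220, 1440, 1460]

COUNTER_PERIOD = 60  # seconds; a cookie is valid for the current and the previous period


def _counter(now):
    """5-bit period counter derived from the clock (wraps every 32 periods)."""
    return int(now // COUNTER_PERIOD) & 0x1F


def _mac(saddr, sport, daddr, dport, counter):
    """24-bit keyed MAC over the 4-tuple and the period counter."""
    msg = struct.pack("!4sH4sHB", saddr, sport, daddr, dport, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0] & 0xFFFFFF


def make_cookie(saddr, sport, daddr, dport, mss, now=None):
    """Initial sequence number for the SYN/ACK. Nothing is stored for the peer:
    the state needed to finish the handshake lives in the number itself.
    Layout: 5 bits counter | 24 bits MAC | 3 bits MSS index."""
    now = time.time() if now is None else now
    counter = _counter(now)
    mss_idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            mss_idx = i  # largest table entry not exceeding the advertised MSS
    return (counter << 27) | (_mac(saddr, sport, daddr, dport, counter) << 3) | mss_idx


def check_cookie(saddr, sport, daddr, dport, ack_number, now=None):
    """Validate the final ACK of the handshake. Returns the MSS to use for the
    new connection, or None if the ACK does not carry a cookie issued recently
    for this 4-tuple (a forged, replayed or stale ACK)."""
    now = time.time() if now is None else now
    cookie = (ack_number - 1) & 0xFFFFFFFF  # the peer acknowledges our ISN + 1
    counter = cookie >> 27
    mac = (cookie >> 3) & 0xFFFFFF
    mss_idx = cookie & 0x7
    if (_counter(now) - counter) & 0x1F > 1:
        return None  # issued more than one period ago, or never issued
    expected = _mac(saddr, sport, daddr, dport, counter)
    if not hmac.compare_digest(struct.pack("!I", mac), struct.pack("!I", expected)):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    client, server = bytes([2, 3, 4, 5]), bytes([10, 0, 0, 1])
    isn = make_cookie(client, 40000, server, 80, 1460)
    print("real ACK completes handshake:", check_cookie(client, 40000, server, 80, isn + 1) is not None)
    print("forged ACK accepted:", check_cookie(client, 40000, server, 80, 12345) is not None)
```

The price of statelessness is visible in the layout: only the MSS survives the handshake, so TCP options such as window scaling and SACK are lost unless they are squeezed into the timestamp option, which is why production stacks enable cookies only once the listen queue is under pressure rather than permanently.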
OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical): arrows for increasing difficulty to detect and increasing risk of service outage
SSL / TLS Attacks (Layer 5 – Layer 6 attacks): SSL renegotiation | SSL connection floods
SSL / TLS Attacks: SSL renegotiation attack
Attacker against a victim HTTPS web server: each renegotiation costs the attacker 1X and the server about 15X in SSL processing, so a single client can keep a server busy by renegotiating over and over on the same connection.
Any HTTPS server is vulnerable.
SSL Renegotiation: attempted against a BIG-IP in the field. Mitigated by F5 FSE.
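The mitigation table on this page calls the countermeasure "SSL renegotiation validation": because the asymmetry is per renegotiation on one connection, the defence is a per-connection budget rather than a bandwidth limit. The Python below is an added example, not F5 code or an iRule, of that policy as a sliding-window counter: a connection that asks for more than `max_renegotiations` handshakes within `window_seconds` is closed. The thresholds and the event log are constructed for the example.

```python
from collections import defaultdict, deque


class RenegotiationGuard:
    """Per-connection sliding-window limit on TLS renegotiation requests."""

    def __init__(self, max_renegotiations=3, window_seconds=60.0):
        self.max_renegotiations = max_renegotiations  # assumed policy values
        self.window = window_seconds
        self._events = defaultdict(deque)  # connection id -> timestamps inside the window

    def on_renegotiation(self, conn_id, now):
        """Called when the peer requests a renegotiation; True = allow, False = close."""
        q = self._events[conn_id]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop requests that have aged out of the window
        q.append(now)
        return len(q) <= self.max_renegotiations

    def on_close(self, conn_id):
        self._events.pop(conn_id, None)


def replay(events, guard=None):
    """Feed (conn_id, timestamp) events through the guard and return the
    connections that were cut off, with the time the decision was taken."""
    guard = guard or RenegotiationGuard()
    closed = {}
    for conn_id, t in events:
        if conn_id in closed:
            continue  # the connection is already gone
        if not guard.on_renegotiation(conn_id, t):
            closed[conn_id] = t
            guard.on_close(conn_id)
    return closed


# Constructed event log: one ordinary client renegotiating twice, two minutes apart,
# and one client requesting a renegotiation every half second on the same connection.
SAMPLE_EVENTS = [("browser-1", 0.0), ("browser-1", 120.0)] + [
    ("client-2", 0.5 * i) for i in range(20)
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))  # only client-2 is closed, at t = 1.5 s
```

Because the window is evaluated per connection, a legitimate client that renegotiates once for client-certificate authentication is untouched, while the expensive server-side handshakes a single abusive connection can force are bounded by the budget.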
DNS Attacks
• When DNS is disrupted, all services are affected
• Even attacks not intended to target DNS can bring down DNS servers
• DNS attacks have two characteristics: they are easy to generate and they are difficult to defend against
• DNS servers will continue to be popular targets
DNS Attacks: normal DNS communications
Client → local DNS: Query: www.secureco.com?
Local DNS checks its cache; on a miss it forwards to the Internet DNS: Query: www.secureco.com?
Internet DNS → local DNS: Response: 20.35.50.65 (the local DNS caches it)
Local DNS → client: Response: 20.35.50.65
Client sends its SYN request to www.secureco.com (20.35.50.65)
DNS Attacks: DNS cache poisoning
The attacker sends the local DNS a query for www.nicebank.com, which the local DNS forwards to the Internet DNS.
Before the genuine answer arrives, the attacker sends fake responses: www.nicebank.com: 100.150.200.250. The local DNS caches the forged entry.
A later client query for www.nicebank.com gets Response: 100.150.200.250 and sends its SYN request to the attacker's address instead of the bank.
TTL, or time-to-live, determines how long the entry remains in cache.
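What makes the forged response in the diagram cacheable is that the resolver accepted it on weak evidence. The Python below is an added example, not F5 code, of the checks a resolver applies before caching: the answer must arrive from the server that was asked, on the randomized source port of that query, with the matching 16-bit transaction id and the same question section; records for names outside the queried zone's bailiwick are discarded rather than cached; and cached entries expire with their TTL. The `zone` argument, the server address 20.1.1.1 and the message dictionaries are constructed for the example (the page's 20.35.50.65 and 100.150.200.250 are reused as the genuine and forged addresses).

```python
import random


def in_bailiwick(name, zone):
    """True if name is the zone itself or lies beneath it."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.pending = {}  # txid -> outstanding query
        self.cache = {}    # (name, type) -> (rdata, expires_at)

    def send_query(self, qname, qtype, server, zone):
        """Record an outstanding query with a random transaction id and a random
        source port; an answer must echo both. Returns (txid, port)."""
        txid = self.rng.randrange(0, 1 << 16)
        port = self.rng.randrange(1024, 1 << 16)
        self.pending[txid] = {"qname": qname, "qtype": qtype, "server": server,
                              "port": port, "zone": zone}
        return txid, port

    def receive(self, resp, now):
        """Validate a response (a dict standing in for the parsed packet) and cache it."""
        q = self.pending.get(resp["txid"])
        if q is None:
            return "rejected: unknown transaction id"
        if resp["src_ip"] != q["server"]:
            return "rejected: answer from unexpected server"
        if resp["dst_port"] != q["port"]:
            return "rejected: wrong destination port"
        if (resp["qname"].lower(), resp["qtype"]) != (q["qname"].lower(), q["qtype"]):
            return "rejected: question section does not match"
        del self.pending[resp["txid"]]
        cached = 0
        for name, rtype, ttl, rdata in resp["answers"] + resp.get("additional", []):
            if not in_bailiwick(name, q["zone"]):
                continue  # the queried server is not authoritative for that name
            self.cache[(name.lower(), rtype)] = (rdata, now + ttl)
            cached += 1
        return f"accepted: cached {cached} record(s)"

    def lookup(self, name, rtype, now):
        entry = self.cache.get((name.lower(), rtype))
        if entry is None:
            return None
        rdata, expires_at = entry
        if now >= expires_at:
            del self.cache[(name.lower(), rtype)]  # TTL elapsed
            return None
        return rdata


def demo():
    """Walk through the page's scenario with a fixed seed so the run is repeatable."""
    r = Resolver(rng=random.Random(7))
    txid, port = r.send_query("www.secureco.com", "A", "20.1.1.1", "secureco.com")
    base = {"src_ip": "20.1.1.1", "dst_port": port, "qname": "www.secureco.com", "qtype": "A"}
    forged_txid = dict(base, txid=(txid + 1) & 0xFFFF,
                       answers=[("www.secureco.com", "A", 3600, "100.150.200.250")])
    forged_port = dict(base, txid=txid, dst_port=(port + 1) & 0xFFFF,
                       answers=[("www.secureco.com", "A", 3600, "100.150.200.250")])
    genuine = dict(base, txid=txid,
                   answers=[("www.secureco.com", "A", 300, "20.35.50.65")],
                   additional=[("www.nicebank.com", "A", 86400, "100.150.200.250")])
    return {
        "forged_txid": r.receive(forged_txid, now=0),
        "forged_port": r.receive(forged_port, now=0),
        "genuine": r.receive(genuine, now=0),
        "secureco_fresh": r.lookup("www.secureco.com", "A", now=10),
        "nicebank": r.lookup("www.nicebank.com", "A", now=10),
        "secureco_expired": r.lookup("www.secureco.com", "A", now=300),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A 16-bit transaction id on its own is guessable by an attacker who can send many responses during the window before the genuine answer arrives, which is why the source-port check matters as much as the id check; the bailiwick rule is what stops a response for one name from planting an address for an unrelated name such as the bank in the diagram.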
OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical): arrows for increasing difficulty to detect and increasing risk of service outage
Application-Based Attacks: several application-based attack types
Slowloris | Slow POST | Keep Dead | HashDos | Slow Read | #RefRef
Application-Based Attacks: Slowloris – exploits the idle timeout value
Victim idle timeout: 300 seconds. The attacker opens many connections and sends a partial HTTP request on each, then sends another fragment just before the timeout (… 299 seconds), so the request never completes and the connection never times out.
Concurrent connections climb: 1, 2, 10, 20, 50, 200, 350 … 394 open connections.
Time out value? 300 seconds
Application-Based Attacks: Slow POST attack
Victim idle timeout: 300 seconds. The attacker sends HTTP POST with Content-Length: 99999 and then trickles the body: bytes received 12, bytes expected 99999. The server holds the connection open, still expecting 99999 bytes.
Concurrent connections: 1, 2, 10, 20, 50, 200, 350
HashDos: the "HashDos" vulnerability affects all major web servers and application platforms
VIPRION: a single DevCentral iRule mitigates the vulnerability for all back end services
Staff can schedule patches for back-end services on their own timeline
Multiple Security Layers
RFC enforcement
• Various HTTP limits enforcement
Profiling of good traffic
• Defined list of allowed file types, URIs, parameters
Each parameter is evaluated separately for:
• Predefined value
• Length
• Character set
• Attack patterns
• Looking for pattern matching signatures
Responses are checked as well
1 Start by checking RFC compliance
2 Then check for various length limits in the HTTP
3 Then we can enforce valid types for the application
4 Then we can enforce a list of valid URLs
5 Then we can check for a list of valid parameters
6 Then for each parameter we will check for max value length
7 Then scan each parameter, the URI, the headers
Example request walked through the seven steps:
GET /search.php?name=Acme's&admin=1 HTTP/1.1
Host: 172.29.44.44
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1)
Accept:text/html,application/xhtml+xml,application/xml;q=0.9
Referer: http://172.29.44.44/search.php?q=data
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;
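The seven steps above are a pipeline from cheap structural checks to a positive-security model (what the application is known to accept) and finally to negative-security signatures. The Python below is an added example, not F5's ASM engine or policy language, of that pipeline run over the sample request from the slide: the request is embedded as constructed bytes, and POLICY (allowed methods, limits, file types, URLs and per-URL parameters) and the three SIGNATURES are assumed values for the example application. On the slide's request the only finding is at step 5, because `admin` is not a parameter /search.php is known to take; the apostrophe in `Acme's` alone is not treated as an attack.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed positive-security policy for the example application.
POLICY = {
    "allowed_methods": {"GET", "POST", "HEAD"},
    "max_request_bytes": 8192,
    "max_url_length": 1024,
    "max_header_value_length": 4096,
    "allowed_extensions": {"", "php", "html", "css", "js", "png"},
    "allowed_urls": {"/search.php", "/index.php", "/login.php"},
    "allowed_params": {"/search.php": {"q", "name"}, "/login.php": {"user", "pass"}},
    "max_param_value_length": 64,
}

# A few illustrative negative-security signatures; a real signature set is far larger.
SIGNATURES = [
    ("sql-injection", re.compile(r"(?i)'\s*(or|and)\s+\S+\s*=|union\s+select")),
    ("cross-site-scripting", re.compile(r"(?i)<\s*script")),
    ("path-traversal", re.compile(r"\.\./")),
]

HEADER_RE = re.compile(r"^([A-Za-z0-9!#$%&'*+.^_`|~-]+):[ \t]*(.*)$")
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_request(raw):
    """Step 1, structural RFC checks. Returns (request, None) or (None, reason)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None, "non-ASCII byte in request head"
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        return None, "malformed request line"
    headers = {}
    for line in lines[1:]:
        h = HEADER_RE.match(line)
        if not h:
            return None, f"malformed header line {line!r}"
        headers[h.group(1).lower()] = h.group(2)
    if "host" not in headers:
        return None, "missing Host header"
    return {"method": m.group(1), "target": m.group(2), "headers": headers, "body": body}, None


def check_request(raw, policy=POLICY):
    """Run the seven steps in order; returns the list of findings (empty = clean)."""
    findings = []
    req, reason = parse_request(raw)
    if reason:
        return [f"layer 1 (RFC compliance): {reason}"]  # nothing further is meaningful
    if req["method"] not in policy["allowed_methods"]:
        findings.append(f"layer 1 (RFC compliance): method {req['method']} not allowed")
    # Step 2: length limits on the whole request, the URL and each header value
    if len(raw) > policy["max_request_bytes"]:
        findings.append(f"layer 2 (length limits): request is {len(raw)} bytes")
    if len(req["target"]) > policy["max_url_length"]:
        findings.append(f"layer 2 (length limits): URL is {len(req['target'])} bytes")
    for name, value in req["headers"].items():
        if len(value) > policy["max_header_value_length"]:
            findings.append(f"layer 2 (length limits): header {name} is {len(value)} bytes")
    url = urlsplit(req["target"])
    path = unquote(url.path)  # normalise percent-encoding before any allowlist lookup
    # Step 3: file types the application serves
    filename = path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext not in policy["allowed_extensions"]:
        findings.append(f"layer 3 (file types): extension '{ext}' not allowed")
    # Step 4: known URLs
    if path not in policy["allowed_urls"]:
        findings.append(f"layer 4 (URL allowlist): {path} not allowed")
    # Step 5: known parameters for this URL
    params = parse_qsl(url.query, keep_blank_values=True)
    allowed = policy["allowed_params"].get(path, set())
    for name, _ in params:
        if name not in allowed:
            findings.append(f"layer 5 (parameter allowlist): '{name}' not allowed for {path}")
    # Step 6: maximum value length per parameter
    for name, value in params:
        if len(value) > policy["max_param_value_length"]:
            findings.append(f"layer 6 (value length): '{name}' value is {len(value)} bytes")
    # Step 7: signatures over every parameter value, the URI and every header
    surfaces = [(f"parameter '{n}'", v) for n, v in params]
    surfaces.append(("URI", path))
    surfaces += [(f"header {n}", v) for n, v in req["headers"].items()]
    for where, text in surfaces:
        for sig_name, rx in SIGNATURES:
            if rx.search(text):
                findings.append(f"layer 7 (signatures): {sig_name} pattern in {where}")
    return findings


# The slide's request, reconstructed as bytes (CRLF line endings, ASCII apostrophe).
SAMPLE_REQUEST = (
    b"GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\n"
    b"Host: 172.29.44.44\r\n"
    b"Connection: keep-alive\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    b"Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    b"Referer: http://172.29.44.44/search.php?q=data\r\n"
    b"Accept-Encoding: gzip,deflate,sdch\r\n"
    b"Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n"
    b"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
    b"Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226; \r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for finding in check_request(SAMPLE_REQUEST) or ["clean"]:
        print(finding)
```

The ordering matters for cost and for false positives: steps 1 to 6 are exact comparisons against what the application is known to accept and reject a request without any pattern matching, so the regular-expression scan in step 7 runs only over traffic that already looks like the application's own, which is where a signature hit is most meaningful.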
F5 In Action