BIG-IP AFM
Philippe Bogaerts
Source: westconbe.security.westcon.com/documents/55263/f5_afm_presentation.pdf
© F5 Networks, Inc 2
Maintaining Security Is Challenging

Four pressures: webification of apps, device proliferation, evolving security threats, shifting perimeter.

• 71% of internet experts predict most people will do work via web or mobile by 2020.
• 95% of workers use at least one personal device for work.
• 130 million enterprises will use mobile apps by 2014.
• 58% of all e-theft is tied to activist groups; 81% of breaches involved hacking.
• 80% of new apps will target the cloud.
• 72% of IT leaders have or will move applications to the cloud.
Protecting the datacenter can be complex

• Changing threats: increasing in complexity, which requires intelligence and ongoing learning.
• Scalability and performance: needed to ensure services stay available during the onset of aggressive attacks.
• Everything SSL: difficulty with discrete traffic visibility.
• Dynamic datacenter perimeter: requires protection and policy enforcement that ensure 24x7 application availability.
• Attack visibility: often lacks the details needed to truly track and identify attacks and their source, and to ensure compliance.
BIG-IP® Advanced Firewall Manager (AFM)

[Diagram labels: Application Security, Data Center Firewall, Access Security, DNS Security, Network DDoS; User, App Servers, Classic Server.]

• Built on the market-leading Application Delivery Controller (ADC)
• Consolidates multiple appliances to reduce TCO
• Protects against L2-L4 attacks with the most advanced full-proxy architecture
• Delivers over 100 vectors, and more hardware-based DoS vectors than any other vendor
• Ensures performance while under attack: scales to 7.5M CPS, 576M CC, 640 Gbps
• Offers a foundation for an integrated L2-L7 application delivery firewall platform
BIG-IP Advanced Firewall Manager
The best foundation for a consolidated layered defense

DoS protection
• Secure against L2-L4 D/DoS attacks
• Advanced resource protection
• Hardware-based DoS protections
• Application availability assurance
• Dynamic IP intelligence

App-centric policy enforcement
• Application access controls
• Simplified policy assurance
• Automatic self-learning and policy adjustment
• Extensibility with iRules

Manageability and visibility
• High-speed customizable syslog
• Granular attack details
• Expert attack tracking and profiling
• Policy and compliance reporting
• Centralized management
App-centric policy enforcement

• Effective rule life-cycle management for increased policy efficiency and effectiveness
• 3-tiered hierarchical policy context (e.g., mail traffic is only subject to mail rules)
• HTTP, SMTP, FTP, SIP and DNS protocol validation and enforcement on granular details
• Protocol conformance with DNS

Policies are written specifically for applications rather than against network traffic.
Full-proxy architecture

[Diagram: a client-side protocol stack (TCP, SSL, HTTP) and a server-side protocol stack (TCP, SSL, HTTP), each with an iRule hook at every layer. Attack labels shown: ICMP flood, SYN flood, SSL renegotiation, data leakage, Slowloris attack, XSS. Component labels shown: Network Firewall, WAF.]
DDoS detection and mitigation

Application attacks: Slowloris, Slow Post, HashDoS, GET floods
  F5 mitigation technology: BIG-IP ASM, with positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

Session attacks: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation
  F5 mitigation technology: BIG-IP LTM and GTM, with high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Network attacks: SYN flood, connection flood, UDP flood, Push and ACK floods, Teardrop, ICMP floods, ping floods and Smurf attacks
  F5 mitigation technology: BIG-IP AFM, with SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

[Diagram axis: the OSI stack, Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1), alongside an arrow marked "increasing difficulty of attack detection".]

• Protect against DDoS at all layers: 38 vectors covered
• Withstand the largest attacks
• Gain visibility and detection of SSL-encrypted attacks
DDoS detection and mitigation
AFM DoS CAPABILITIES
Guard your data center against incoming threats that enter the network

• 100+ DoS vectors
• Malformed/bad, suspicious and volumetric attack signatures
• Stops capacity attacks on the flow/transaction state-tracking structures
• Detection and mitigation limits: global, route domain and per-VS volumetric
• The most comprehensive L2-L4 DoS signature coverage
• Protects IP infrastructure from malformed and malicious traffic at scale
• Accelerates over 64 signatures in hardware on many platforms, giving line-rate performance
• Sweep and flood IP detection, used to identify "bad actor" source IPs and targeted destination IP servers
• AVR drill-down reporting on attackers, targets and geo-analysis
• Protocol-aware detection and mitigation for HTTP/S, SMTP, FTP, DNS and SIP

[Diagram: traffic sources (botnet, restricted region or country, attacker, anonymous requests, anonymous proxies, scanner, internally infected devices and servers) reaching a custom application and a financial application; an IP intelligence service (IP address feed, updates every 5 min) and a geolocation database inform the decision.]
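The sweep and flood detection described on this slide works on aggregate counts over a time window: a "sweep" is one source touching many distinct destinations, a "flood" is many packets converging on one destination. The example below is an added illustration written for this page, not F5 code and not AFM's actual algorithm; the flow records, thresholds and window size are constructed for the demonstration, and a real deployment would tune them per context (global, route domain, virtual server) as the slide indicates.

```python
from collections import defaultdict

# Constructed sample flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.9.9.9 probes thirty hosts (a sweep); fifty sources hammer 192.0.2.10:53 (a flood);
# 203.0.113.5 is an ordinary client that must not be flagged.
SAMPLE_FLOWS = (
    [(t, "10.9.9.9", f"192.0.2.{10 + i}", 22) for i, t in enumerate(range(0, 60, 2))]
    + [(t, f"198.51.100.{i % 50}", "192.0.2.10", 53) for i, t in enumerate(range(0, 60))]
    + [(t, "203.0.113.5", "192.0.2.20", 443) for t in range((0), 60, 10)]
)

WINDOW_SECONDS = 60      # constructed: size of the counting window
SWEEP_THRESHOLD = 20     # constructed: distinct destinations from one source per window
FLOOD_THRESHOLD = 50     # constructed: packets to one destination per window


def detect_sweep_and_flood(flows, window=WINDOW_SECONDS,
                           sweep_threshold=SWEEP_THRESHOLD,
                           flood_threshold=FLOOD_THRESHOLD):
    """Return (bad_actor_sources, targeted_destinations).

    bad_actor_sources maps a source IP to the peak number of distinct destinations
    it touched in any window; targeted_destinations maps a destination IP to the
    peak packet count it received in any window. Only entries over threshold appear.
    """
    buckets = defaultdict(list)
    for ts, src, dst, _port in flows:
        buckets[ts // window].append((src, dst))

    sweeps, floods = {}, {}
    for _bucket, pairs in sorted(buckets.items()):
        dsts_per_src = defaultdict(set)
        pkts_per_dst = defaultdict(int)
        for src, dst in pairs:
            dsts_per_src[src].add(dst)
            pkts_per_dst[dst] += 1
        for src, dsts in dsts_per_src.items():
            if len(dsts) >= sweep_threshold:
                sweeps[src] = max(sweeps.get(src, 0), len(dsts))
        for dst, count in pkts_per_dst.items():
            if count >= flood_threshold:
                floods[dst] = max(floods.get(dst, 0), count)
    return sweeps, floods


if __name__ == "__main__":
    bad_actors, targets = detect_sweep_and_flood(SAMPLE_FLOWS)
    print("sweep sources:", bad_actors)    # sources to rate-limit or report
    print("flooded targets:", targets)     # servers whose DoS vectors should be tightened
```

Both outputs are what the slide calls "bad actor" source IPs and targeted destination servers; the window-based counting is what keeps a single busy but legitimate client (many packets to one server, one destination per source) below both thresholds.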
F5 iRules: industry's strongest zero-day threat protection

THE POWER OF IRULES
• Richer detection capabilities for stateful attacks on the flow table, and mitigation of L2-L4 attacks
• Extends customization capabilities
• Leverages the IP Intelligence services and AFM statistical traffic subsampling
• The DevCentral user community collectively has thousands of iRules to draw from
• Recently, iRules helped customers effectively mitigate the Heartbleed vulnerability

KNOWLEDGE IN NUMBERS
A community of over 100,000 active users collaborating and creating custom rules that mitigate threats.

With iRules, customers gain unsurpassed flexibility in protecting against the most sophisticated and unexpected attacks.
Dynamically update security logic

F5 IP INTELLIGENCE SERVICES
• Dynamic service feeds updated frequently
• Policy attached to global, route-domain or VS contexts
• Categorize IP addresses and subnets by attack type
• Customizable actions per attack-type category (e.g., Accept, Warn, Alert)
• Create multiple customizable IP feeds

DYNAMIC IP BLACK LISTS AND WHITE LISTS
• Create IP black lists and white lists that override the IP intelligence services
• Merge multiple sources into one feed or enforcement policy
• HTTP/S and FTP polling methods
• User-defined categories
• Support for IPv6 and IPv4

Maintain a current IP reputation database that allows you to automatically mitigate traffic from known bad or questionable IP addresses.
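The behaviour described above (several reputation feeds merged into one policy, per-category actions, and local white and black lists that override the feeds, for both IPv4 and IPv6) can be shown end to end with a small resolver. The code below is an added example for this page, not F5 code and not the AFM IP Intelligence implementation; the feed format (one "address_or_cidr,category" line per entry), the two constructed feeds, the category-to-action table and the "drop" action are assumptions made for the demonstration.

```python
import ipaddress

# Constructed feed contents; a real feed would be polled over HTTP/S or FTP.
FEED_A = """\
# constructed reputation feed A
203.0.113.0/24,botnets
198.51.100.7,scanners
2001:db8:bad::/48,anonymous_proxies
"""
FEED_B = """\
# constructed reputation feed B
198.51.100.7,anonymous_proxies
192.0.2.0/24,botnets
"""

# Assumed per-category actions; the slide lists Accept, Warn and Alert, "drop" is added here.
CATEGORY_ACTIONS = {"botnets": "drop", "scanners": "alert", "anonymous_proxies": "warn"}
SEVERITY = {"accept": 0, "warn": 1, "alert": 2, "drop": 3}

WHITELIST = ["198.51.100.7"]      # constructed: a partner host both feeds list by mistake
BLACKLIST = ["192.0.2.99/32"]     # constructed: a locally known bad host


def parse_feed(text):
    """Yield (network, category) pairs; comments and malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr, category = line.split(",", 1)
            yield ipaddress.ip_network(addr.strip(), strict=False), category.strip()
        except ValueError:
            continue   # bad address or missing category: ignore rather than poison the policy


def merge_feeds(*feeds):
    """Merge feeds into {network: set_of_categories}; one network may carry several categories."""
    merged = {}
    for feed in feeds:
        for net, cat in parse_feed(feed):
            merged.setdefault(net, set()).add(cat)
    return merged


def classify(ip, merged, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Return (action, categories) for one address.

    Precedence: whitelist, then blacklist, then the longest-prefix feed match;
    when a network carries several categories the most severe action wins.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(w, strict=False) for w in whitelist):
        return "accept", set()
    if any(addr in ipaddress.ip_network(b, strict=False) for b in blacklist):
        return "drop", {"local_blacklist"}
    matches = [(net, cats) for net, cats in merged.items()
               if net.version == addr.version and addr in net]
    if not matches:
        return "accept", set()
    _net, cats = max(matches, key=lambda m: m[0].prefixlen)
    action = max((CATEGORY_ACTIONS.get(c, "accept") for c in cats), key=SEVERITY.__getitem__)
    return action, cats


if __name__ == "__main__":
    policy = merge_feeds(FEED_A, FEED_B)
    for probe in ["203.0.113.9", "198.51.100.7", "192.0.2.99", "2001:db8:bad::1", "2001:db8::1"]:
        print(probe, "->", classify(probe, policy))
```

The whitelist check runs before anything else, which is exactly the override the slide describes: a false positive in a vendor feed never blocks a known-good partner, while a local blacklist entry takes effect without waiting for the next feed refresh.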
SSL traffic termination

[Diagram: SSL-encrypted flows entering from several sources and being terminated on the BIG-IP.]

• Gain visibility and detection of SSL-encrypted attacks
• Ensure a high-scale, high-performance SSL proxy
• Off-load SSL to reduce server load

Fully terminate SSL traffic to inspect the payload, preventing viruses, trojans or network attacks.
Secure and available DNS

[Diagram: before F5, 65,000 concurrent queries; with F5, 10 million concurrent queries, resolving http://www.f5.com.]

Threats:
• Cache poisoning
• DNS spoofing
• Man in the middle
• DDoS

Secure and available DNS infrastructure: 10 million concurrent queries
• Consolidate firewall and DNS
• Ensure high-performance, scalable services
• Secure 10 million concurrent DNS queries
Manageability and Visibility: application-oriented policies and reports

Logging: generation and storage of individual security events
• Configure local and remote high-speed network firewall logging
• Independently controlled logging for Access Control, DoS and IP Intelligence
• Log destinations and publishers consistent with the BIG-IP logging framework
• Guaranteed logging with log throttling

Reporting: visualization of security statistics
• Reporting used for visualizing traffic/attack patterns over time
• Geo, IPFIX and stale-rules reporting
• Access Control and DoS: drill-downs by context, IP, rule, etc.
• Integration with third-party SIEM systems

Report types
• HIPAA and PCI compliance reporting
• DDoS attack report
• IP Enforcer stats
• SNMP traps and MIB for DoS reporting
Enhanced DDoS logging: rate limiting
Avoid reduced performance during excessive logging periods

• Establish rate limits at the granularity of a specific log message
• Applies to the whole profile regardless of message type
• Global or per-virtual-server application
• Aggregate limits on IP Intelligence
• Ensure compliance with PCI data logging requirements
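The two limits the slide lists, a per-message-type limit and a profile-wide limit, are the two levels at which a token bucket can sit; the compliance bullet is the reason suppressed messages must still be counted. The limiter below is an added example written for this page, not F5 code and not how BIG-IP implements log throttling; the rates, message identifiers and the summary mechanism are assumptions for the demonstration.

```python
import time
from collections import defaultdict


def _refill(bucket, rate, cap, now):
    """Add the tokens earned since the last refill (capped at cap) and return the balance."""
    tokens, last = bucket
    if last is not None:
        tokens = min(cap, tokens + (now - last) * rate)
    bucket[0], bucket[1] = tokens, now
    return tokens


class LogRateLimiter:
    """Token buckets: one per log message type plus one for the whole logging profile.

    A message is emitted only if both buckets hold a token, so a burst of one
    message type cannot crowd out the others and the profile as a whole stays
    under its ceiling. Suppressed messages are counted per type instead of being
    dropped silently, so a periodic summary line can account for them.
    """

    def __init__(self, per_message_rate, profile_rate):
        self.per_rate = float(per_message_rate)     # tokens/second per message type (also its burst)
        self.profile_rate = float(profile_rate)     # tokens/second for the whole profile
        self.buckets = defaultdict(lambda: [self.per_rate, None])   # [tokens, last_refill_time]
        self.profile_bucket = [self.profile_rate, None]
        self.suppressed = defaultdict(int)

    def allow(self, msg_id, now=None):
        """Return True if a message of type msg_id may be logged at time now."""
        now = time.monotonic() if now is None else now
        profile = self.profile_bucket
        per_msg = self.buckets[msg_id]
        if (_refill(profile, self.profile_rate, self.profile_rate, now) >= 1
                and _refill(per_msg, self.per_rate, self.per_rate, now) >= 1):
            profile[0] -= 1
            per_msg[0] -= 1
            return True
        self.suppressed[msg_id] += 1
        return False

    def drain_summary(self):
        """Return and reset the suppressed counts, for one summary log line per interval."""
        summary = dict(self.suppressed)
        self.suppressed.clear()
        return summary


def run_burst(limiter, msg_id, count, now):
    """Offer count messages of one type at the same instant; return how many were accepted."""
    return sum(1 for _ in range(count) if limiter.allow(msg_id, now))


if __name__ == "__main__":
    limiter = LogRateLimiter(per_message_rate=2, profile_rate=5)
    print(run_burst(limiter, "syn_flood", 4, 0.0))   # 2 accepted, 2 suppressed by the per-type bucket
    print(run_burst(limiter, "icmp_flood", 4, 0.0))  # 2 accepted
    print(run_burst(limiter, "udp_flood", 1, 0.0))   # 1 accepted, profile bucket now empty
    print(run_burst(limiter, "dns_flood", 1, 0.0))   # 0 accepted, suppressed by the profile bucket
    print(limiter.drain_summary())                   # what a summary log line would carry
```

The summary line is the part that matters for an audit: a reviewer can see that a flood produced N events of which M were written, rather than finding an unexplained gap in the log.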
Enhanced DDoS logging: activate logging for stateful flow attacks at global, route domain or per-VS level

Turning on logging queries the tmstats table and takes a snapshot of the counters every second; if the stats have changed, the data is logged.

• Ensures availability of security information via logs, tmstats, SNMP and AVR
• # of currently active flows
• # of reaped (shot down) flows
• # of flows dropped due to flow-table misses
• # of SYN cookie challenges generated, passed and failed (DSR/non-DSR modes)
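The "SYN cookie challenges generated, passed, failed" counters above, and SynCheck in the DDoS mitigation table earlier, both rest on the SYN cookie mechanism: the server encodes the handshake state into its initial sequence number instead of storing it, so a SYN flood cannot exhaust the connection table, and validates the client's final ACK by recomputing that value. The code below is an added illustration written for this page, not F5 code and not how SynCheck is implemented; the bit layout (5-bit time tick, 3-bit MSS index, 24-bit keyed hash), the MSS table, the tick size and the demo key are assumptions for the demonstration.

```python
import hashlib
import hmac
import struct
from collections import Counter

# Constructed demo key: a real implementation uses a random key and rotates it.
SECRET = b"constructed-demo-secret"
MSS_TABLE = [536, 1024, 1220, 1440, 1460]   # MSS values that fit the 3-bit field
TICK_SECONDS = 64                            # resolution of the 5-bit time counter
MAX_AGE_TICKS = 2                            # cookies older than this are rejected

# Mirrors the generated / passed / failed counters listed on the slide.
stats = Counter()


def _tick(now):
    return int(now // TICK_SECONDS) & 0x1F


def _mac(src_ip, dst_ip, sport, dport, tick):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time tick."""
    msg = f"{src_ip}|{dst_ip}|{sport}|{dport}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & 0xFFFFFF


def make_syn_cookie(src_ip, dst_ip, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK. Nothing is stored per half-open connection."""
    tick = _tick(now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest table value not above the client's offer
        if m <= mss:
            mss_idx = i
    low = (_mac(src_ip, dst_ip, sport, dport, tick) + client_isn) & 0xFFFFFF
    stats["generated"] += 1
    return (tick << 27) | (mss_idx << 24) | low


def check_syn_cookie(src_ip, dst_ip, sport, dport, ack_seq, ack_num, now):
    """Validate the handshake's final ACK. Returns the recovered MSS, or None if stale or forged."""
    cookie = (ack_num - 1) & 0xFFFFFFFF       # the ACK acknowledges our ISN + 1
    client_isn = (ack_seq - 1) & 0xFFFFFFFF   # the client's seq in the ACK is its ISN + 1
    tick = cookie >> 27
    if (_tick(now) - tick) & 0x1F > MAX_AGE_TICKS:
        stats["failed"] += 1                  # too old, or a tick the server never issued
        return None
    expected = (_mac(src_ip, dst_ip, sport, dport, tick) + client_isn) & 0xFFFFFF
    if (cookie & 0xFFFFFF) != expected:
        stats["failed"] += 1                  # ACK not derived from a cookie we minted for this 4-tuple
        return None
    stats["passed"] += 1
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    now = 1700000000.0
    isn = make_syn_cookie("203.0.113.7", "192.0.2.10", 40000, 443, 12345, 1452, now)
    print(check_syn_cookie("203.0.113.7", "192.0.2.10", 40000, 443, 12346, isn + 1, now + 10))
    print(check_syn_cookie("203.0.113.7", "192.0.2.10", 40000, 443, 12346, isn + 1, now + 4 * TICK_SECONDS))
    print(dict(stats))
```

The three counters are the operational signal: "generated" rising while "passed" stays flat means SYNs are arriving without completing handshakes (a flood), and a rise in "failed" means ACKs are arriving that do not match any cookie the server issued, which is the difference a defender needs the per-second tmstats snapshots to show.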
Manageability and Visibility
SIEM INTEGRATION: APPLICATION-CENTRIC LOGGING AND REPORTING

• F5 reporting to key SIEM partners: Splunk, Q1, ArcSight
• Start with application-centric views and drill down to more details
• At-a-glance visibility and intelligence for ADF's context-aware security

[Diagram: views ranging from HIGH LEVEL to VERY DETAILED.]
BIG-IP AFM: advanced application firewall

• FULL PROXY FIREWALL
• APP-CENTRIC POLICY ENFORCEMENT
• EXPERT TRACKING, LOGGING & REPORTING
• HARDWARE BASED DOS PROTECTIONS
• HIGH SCALABILITY, FLEXIBILITY AND PERFORMANCE
• DYNAMIC IP INTELLIGENCE

[Diagram: BIG-IP PLATFORM SECURITY, with columns for BIG-IP AFM, BIG-IP ASM and All BIG-IP.]