f5 whiteboarding - pcworld.bgidg.bg/idgevents/idgevents/2016/1019175820-16.00-16.20_f5.pdff5...
F5 Whiteboarding
Luboš Klokner
F5 Field System Engineer
+421 908 755152
@lklokner
[Diagram labels: FW, DNS, WAF, UAC, ADC, Acceleration; VDI, WEB, APPS; Users, Customers, Attackers]
• Default Deny • Full Proxy • SSL Offload / Visibility
FW • ICSA Certified • ACLs • IP Intelligence • IP Lists • DoS Protections
DNS • Business Continuity • GSLB • DNS Security / Services • DNS Firewall
WAF • L7 Firewall • BOT Detection • Web Scraping • Client Fingerprinting • L7 DoS Mitigation • PCI Compliance
UAC • Remote Access • Pre-Authentication • Multi-factor/SSO/Federation • End Point Inspection
ADC • SLB • Application Awareness • Persistence
Acceleration • TCP Optimisation • Caching/Compression • End User Experience • HTTP/2
Client • Encryption • Phishing • Malware • Automated Transactions
BIG-IP VE VIPRION
High Performance Services Fabric
Platform • Flexibility • Scalability • Multi-tenancy • Programmability • Custom HW • TMOS
Silverline • Cloud based DDoS mitigation • Mitigation of volumetric attacks • Cloud WAF as a Service
BIG-IQ • iRules • iControl • iCall • iApps • SDx • Cloud
Intelligent Services Orchestration
AAA • HSM • ICAP • IPS
F5 Story
Full proxy, best of breed SSL, iRules, WAF, Anti-Fraud
© F5 Networks, Inc 9
F5 Security Solutions
EAL2+
EAL4+ (in process)
Network Firewall
One Platform
Traffic Management
Application Security
DNS Security
SSL Access Control
DDoS Protection
Web-Fraud, Anti-Phishing
Consolidating security on a single platform
OSI and F5 modules
OSI stack: Application (7) • Presentation (6) • Session (5) • Transport (4) • Network (3) • Data Link (2) • Physical (1)
Increasing difficulty of attack detection
Application attacks: Slowloris, Slow Post, HashDos, GET Floods
F5 mitigation technologies, BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
F5 mitigation technologies, BIG-IP LTM and GTM: High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
F5 mitigation technologies, BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
F5 Full Proxy Architecture
[Diagram: two TCP / SSL / HTTP stacks with an iRule at each layer. Attack labels: ICMP flood, SYN flood, SSL renegotiation, Data leakage, Slowloris attack, XSS. Controls: Network Firewall, WAF]
F5 Comprehensive Application Security
Application Access
Network Access
Network Firewall
Network DDoS Protection
SSL DDoS Protection
DNS DDoS Protection
Application DDoS Protection
Web Application Firewall
Fraud Protection
Virtual Patching