Security
Protect your network and applications, improve user access, optimize performance, and reduce management complexity.
F5 SOLUTION GUIDE
FEATURES
Guard against intrusions and protect sensitive data
Simplify access control, application security, and compliance management
Increase productivity with automatic access and higher performance
Lower costs through consolidation and streamlined security management
F5 Security Solutions: Flexible, Efficient, Cost-Effective
Keeping your network secure, fast, and available is crucial for business
success. Security breaches can result in lost productivity, missed
opportunities, and higher costs for your organization. These harmful
situations can also damage your organization’s reputation and
deteriorate customer trust.
With F5 security solutions, you can provide secure remote access,
protect email, and simplify web access control, all while enhancing
network and application performance. Your organization will have the
tailored security it needs, and your users will enjoy the reliable, flexible
access they demand.
Protect the network-based
applications that power
your business
Many network-level security threats are directly related to the improper
use of the same protocols your applications depend on to transmit data
over the wire. To secure your applications, you can try to trace and patch
apparent vulnerabilities. You can also deploy point solutions whose sole
purpose is to protect applications, but which do nothing to enhance
performance or simplify control.
Network Security
THE CHALLENGE
KEY BENEFITS
· Mitigate malicious attacks while supporting legitimate users
· Prevent sensitive information and communications from being compromised
· Boost productivity with highly available applications
The F5® BIG-IP® Local Traffic Manager™ (LTM) Application Delivery Controller
helps you secure your network-based applications and your data, while
providing a strategic point of control and elevating application performance.
From powerful network- and protocol-level security to application attack
filtering, BIG-IP LTM offers a suite of security services to protect your business
applications.
BIG-IP LTM acts as a security proxy to guard against network-based SYN
floods and other network denial-of-service (DoS) and distributed
denial-of-service (DDoS) attacks, and it provides controls to define and enforce L4-based
filtering rules to improve network protection.
With industry-leading encryption, BIG-IP LTM also enables you to selectively
encrypt data to secure and optimize your organization’s communications.
With support for advanced encryption standard algorithms, using the most
powerful Secure Sockets Layer (SSL) encryption available, bit encryption,
and 4096 key lengths, BIG-IP LTM is the gatekeeper to your business-critical
resources. BIG-IP LTM is available on a flexible, multi-solution appliance
platform or as a virtual edition.
FIG. 1: BIG-IP Local Traffic Manager enables high availability and protects against network-based attacks via a physical platform or virtual edition.
THE SOLUTION
Provide access to networks
and applications while
ensuring security
Providing access to networks and applications is essential to increasing
worker productivity and delivering valuable customer services. To provide
users with easy access to essential web applications such as time-tracking
software for employees or Internet browsing access for hotel guests,
many organizations create minimum security networks. While these
systems may automatically log users’ IP addresses, this is no failsafe
determination of identity, and surely no guarantee of security.
Network administrators need more visibility and control over the
increasing number of users accessing applications over the network.
However, this requirement can add complexity to your IT infrastructure
and prove difficult and expensive to scale.
Web Access Management
THE CHALLENGE
KEY BENEFITS
· Drive identity and dynamic access control into your network
· Ensure strong endpoint security
· Simplify authentication, consolidate infrastructure, and reduce costs
· Deliver high performance, scalability, and flexibility
BIG-IP® Access Policy Manager™ (APM) is a flexible, high-performance
access and security solution that provides policy-based, context-aware access
to users while simplifying authentication, authorization, and accounting
(AAA) management. With AAA control directly on the BIG-IP system,
you can consolidate your access infrastructure, reduce authentication and
authorization costs, and support thousands of users simultaneously while
delivering hundreds of logins per second. BIG-IP APM is available as a product
module on the flexible, multi-solution BIG-IP LTM and BIG-IP LTM Virtual
Edition platforms.
FIG. 2: The BIG-IP Visual Policy Editor facilitates the creation of access policies
THE SOLUTION
Achieve regulatory
compliance with high
performance
As more application traffic moves over the web, sensitive data is exposed
to attacks that target vulnerabilities in enterprise applications. The resulting
financial hit—from recovery processes, legal fees, and loss to intellectual
data—can be significant. Many administrators think their networks are
safe because they have firewalls in place, but hackers are more likely to
attack the application layer, where greater vulnerability exists.
Recent studies show:
· 75 percent of hacks happen at the application layer [1]
· 96.85 percent of websites have vulnerabilities that present immediate risk of attack [2]
· Once a breach occurs, the total average cost of a data breach is $202 per record compromised and $225 for malicious insiders or former workers [3]
Application Security
THE CHALLENGE
KEY BENEFITS
· Improve security while reducing the cost of compliance
· Ensure application availability and boost performance
· Get out-of-the-box application security policies with minimal configuration
· Handle changing threats with greater agility
BIG-IP® Application Security Manager™ (ASM) is an advanced web application
firewall that significantly reduces and mitigates the risk of loss or damage
to data, intellectual property, and web applications. BIG-IP ASM provides
unmatched application and website attack protection, such as protection
from the latest web threats like layer 7 DDoS. In addition, BIG-IP ASM gives
you a complete attack expert system, and it ensures compliance for key
regulatory mandates.
With BIG-IP ASM, your organization benefits from a complete solution
that reduces the need for multiple appliances, lowers maintenance and
management costs, and increases the confidentiality, availability, and integrity
of your critical business applications and processes. BIG-IP ASM is available as
a product module on the flexible, multi-solution BIG-IP LTM platform or as a
standalone device.
THE SOLUTION
FIG. 3: BIG-IP ASM provides comprehensive web application attack protection. Diagram labels: Internet, Botnet/Hacker, Firewall, BIG-IP Application Security Manager, Web Application Clients, Web Application Servers, Data.
[1] Theresa Lanowitz, Gartner Inc., Security at the Application Level, http://www.gartner.com/DisplayDocument?ref=g_search&id=487227 (December 2005)
[2] Web Application Security Consortium, http://www.webappsec.org/projects/statistics/ (2008)
[3] Robert Westervelt, Data breach costs continue to rise in 2009, Ponemon study finds, http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1379486,00.html (January 2010)
Powerful BIG-IP security
services for HTTP(s), SMTP,
and FTP
If your environment requires more than layer 3 and layer 4 inspection
services, the expertise and management you need to deploy a full-
featured web application firewall might not be available.
As an alternative, protocol security services provide powerful protection
for HTTP(s), SMTP, and FTP protocols, and configuration is minimal.
Protocol Enforcement Services
THE CHALLENGE
KEY BENEFITS
· Broad protection from HTTP attacks
· Spam-blocking SMTP security
· Centralized FTP security management
BIG-IP® Protocol Security Module™ (PSM) is aptly suited for environments
that require inspection services, where the overhead needed to deploy a full-
featured web application firewall isn’t available, or there is a need to secure
other protocols. Protocol enforcement services can be implemented on a per-
virtual-server basis and configured within a matter of minutes. By enforcing
protocol checks for HTTP(s), FTP, and SMTP, this service prevents attacks that
use protocol manipulation techniques.
THE SOLUTION
FIG. 4: BIG-IP Protocol Security Module provides powerful security services for HTTP(s), SMTP, and FTP protocols. Diagram labels: Botnet/Hacker, HTTP(s) Protocol, FTP Protocol, SMTP Protocol, BIG-IP Protocol Security Module.
Deliver secure and
accelerated remote access
to applications
IT departments must support ever-increasing numbers of mobile workers.
Ensuring that these users have secure and seamless access to applications
and data from different devices and locations becomes increasingly
challenging. IT departments might deploy point solutions from different
vendors to promote access, acceleration, and optimization.
But as the number of users grows, this siloed approach proves complex,
inflexible, and difficult to manage. It also becomes increasingly difficult to
prevent unauthorized access and attacks, as new threats are continually
evolving. This costly, error-prone environment inhibits successful remote
access and hinders business growth.
Accelerated Remote Access
THE CHALLENGE
KEY BENEFITS
· Gain superior scalability for a growing mobile workforce
· Improve manageability and reduce costs
· Accelerate application performance through network optimization
· Increase productivity with anywhere client access
· Ensure security with strong endpoint protection and granular access control
BIG-IP® Edge Gateway™ is an enterprise access solution that brings together
SSL virtual private network (VPN) remote access, security, application
acceleration, and availability services for remote users. BIG-IP Edge Gateway
drives identity into the network to provide context-aware, policy-controlled,
secure remote access to applications at LAN speed.
As the industry’s most secure and accelerated access solution, BIG-IP Edge
Gateway can help your organization deliver peak performance levels to users
accessing the applications and networks that are critical to your business. With
BIG-IP Edge Gateway, customers easily deliver accelerated remote access to
enterprise applications and data for users over any network or mobile device
(including Apple iPhone, Apple iPad, Android, Windows Mobile, and Windows
Phone devices).
THE SOLUTION
FIG. 5: BIG-IP Edge Gateway unifies access services on a single, easy-to-manage, and optimized network device. Diagram labels: Internet, BIG-IP Edge Gateway, Internal LAN VLAN1, Internal LAN VLAN2, Data Center Resources, Mobile Users, Branch Office Users, LAN Users, Wireless Users, BIG-IP Edge Client, User Directories, DMZ, Data Center, Firewall.
Streamline DNSSEC and
ensure high availability
for globally distributed
applications
Domain Name System (DNS) provides one of the most basic but critical
functions on the Internet. If DNS isn’t working, then it’s likely your
business isn’t working either. DNS cache poisoning and other DNS attacks
can compromise local DNS servers and make it possible for hackers to
hijack DNS responses, redirect clients to malicious sites, and access private
information. Secure your business and web presence with Domain Name
System Security (DNSSEC).
DNS Security
THE CHALLENGE
KEY BENEFITS
· Strong DNS security
· Compliance with government DNSSEC regulations
· Optional FIPS key security
· Simplified implementation and reduced management costs through network optimization
· High availability and performance
BIG-IP® Global Traffic Manager™ (GTM) with the DNSSEC feature provides
the following:
· Origin authentication of DNS data. Resolvers can verify that data has originated from authoritative sources.
· Data integrity. Resolvers can verify that responses are not modified in flight.
· Authenticated denial of existence. When there is no data for a query,
authoritative servers can provide a response that proves no data exists.
DNSSEC from F5 ensures that the answer your customers receive when asking
for name resolution comes from a trusted name server. Implementing the BIG-IP
GTM DNSSEC feature can greatly enhance your DNS security. BIG-IP GTM helps
you comply with federal DNSSEC mandates and protects your valuable domain
name and web properties from rogue servers sending invalid responses.
F5 takes the only approach to DNS security that enables organizations to
deploy DNSSEC quickly and easily into an existing global server load balancing
environment. BIG-IP GTM with the DNSSEC feature provides a scalable,
manageable, and secure DNS infrastructure that is equipped to withstand
DNS attacks.
THE SOLUTION
FIG. 6: BIG-IP Global Traffic Manager with the DNSSEC feature enables secure and dynamic DNS responses. Diagram labels: Client, LDNS, DNS Servers, Hacker, example.com, 123.123.123.123 + public key, BIG-IP Global Traffic Manager with DNSSEC, Data Center.
Extend protection for
enterprise email to the edge
of the corporate network
Each unwanted email message that crosses your organization’s corporate
gateway consumes costly bandwidth and server resources, and can be
a potential threat to security. When system capacity is strained, and
security threats increase, it becomes harder for IT departments to ensure
business continuity. Organizations often react by adding additional mail
security gateways, firewalls, and mail servers to the infrastructure, and
paying for more bandwidth to keep pace with email volume. For these
reasons, keeping messaging costs within budget is challenging.
Protection for Enterprise Email
THE CHALLENGE
KEY BENEFITS
· Drastically reduce unwanted email and spam—by as much as 70 percent
· Base policies on real-time lookup of sender reputation
· Reduce overall infrastructure costs
THE SOLUTION
FIG. 7: BIG-IP MSM solves message security concerns by identifying spam using IP reputation. Diagram labels: Source SMTP Server, Spam ~ 70%, Internet, BIG-IP MSM, Query for Score, Response with Score, TrustedSource™ IP Reputation Database, Spam ~ 10%, Email Servers, Existing Quarantine and Spam Inspection.
The BIG-IP® Message Security Module™ (MSM) is a network-edge solution
that adds security intelligence to manage and filter inbound email traffic
by considering the sender’s reputation when making traffic management
decisions. BIG-IP MSM is the industry’s first reputation-based, network edge
security module.
BIG-IP MSM takes advantage of data from Secure Computing’s TrustedSource
multi-identity reputation engine to extend protection for enterprise email
to the edge of the corporate network. The solution gives organizations an
extremely powerful and efficient tool for dealing with a growing volume of
unwanted email.
LEARN MORE
To learn more about F5 security solutions, search for the following product and solutions pages on f5.com.
BIG-IP Local Traffic Manager
BIG-IP Access Policy Manager
BIG-IP Application Security Manager
BIG-IP Protocol Security Module
BIG-IP Edge Gateway
BIG-IP Global Traffic Manager
DNS Security (DNSSEC) Solutions
BIG-IP Message Security Module
" All in all, we can now offer
customers a highly reliable
and secure web platform,
which is an important factor
for future success."
– Steven Opstaele, Chief Infrastructure Architect at NorthgateArinso
F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com
All other product and company names herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed.
© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS, and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. CS18-00007 0211