BIG-IP AFM
Philippe Bogaerts

Maintaining Security Is Challenging

Webification of apps
• 71% of internet experts predict most people will do work via web or mobile by 2020.

Device proliferation
• 95% of workers use at least one personal device for work.
• 130 million enterprises will use mobile apps by 2014.

Evolving security threats
• 58% of all e-theft is tied to activist groups.
• 81% of breaches involved hacking.

Shifting perimeter
• 80% of new apps will target the cloud.
• 72% of IT leaders have moved or will move applications to the cloud.

© F5 Networks, Inc

Protecting the datacenter can be complex
• Attack visibility: often lacks the details needed to truly track and identify attacks and their source, and to ensure compliance.
• Dynamic datacenter perimeter: requires protection and policy enforcement that ensure 24x7 application availability.
• Everything SSL: difficulty with discrete traffic visibility.
• Scalability and performance: needed to ensure services are available during the onset of aggressive attacks.
• Changing threats: increasing in complexity, which requires intelligence and ongoing learning.

BIG-IP® Advanced Firewall Manager (AFM)
• Built on the market-leading Application Delivery Controller (ADC)
• Consolidates multiple appliances to reduce TCO
• Protects against L2-L4 attacks with the most advanced full-proxy architecture
• Delivers over 100 vectors and more hardware-based DoS vectors than any other vendor
• Ensures performance while under attack: scales to 7.5M CPS, 576M CC, 640 Gbps
• Offers a foundation for an integrated L2-L7 application delivery firewall platform
(Diagram: User → Network DDoS, DNS Security, Access Security, Data Center Firewall, Application Security → App Servers / Classic Server)

BIG-IP AFM: the best foundation for a consolidated layered defense

App-centric policy enforcement
• Application access controls
• Simplified policy assurance
• Automatic self-learning & policy adjustment
• Extensibility with iRules

DoS protection
• Secure against L2-L4 DoS/DDoS attacks
• Advanced resource protection
• Hardware-based DoS protections
• Application availability assurance
• Dynamic IP intelligence

Manageability and Visibility
• High-speed customizable syslog
• Granular attack details
• Expert attack tracking and profiling
• Policy & compliance reporting
• Centralized management

App-centric policy enforcement
Policies written specifically for applications rather than against network traffic.
• Effective rule life-cycle management for increased policy efficiency & effectiveness
• 3-tiered hierarchical policy context (e.g., mail traffic only subject to mail rules)
• HTTP, SMTP, FTP, SIP, DNS protocol validation and enforcement on granular details
• Protocol conformance with DNS

Full-proxy architecture
(Diagram: client-side and server-side TCP, SSL and HTTP layers, each extensible with iRules; the network firewall and WAF sit in the proxy path. Attacks shown at the respective layers: SYN flood, ICMP flood, SSL renegotiation, Slowloris, XSS, data leakage.)

DDoS detection and mitigation
Increasing difficulty of attack detection as you move up the OSI stack.

Network attacks (Physical (1), Data Link (2), Network (3), Transport (4))
• Attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
• F5 mitigation technologies: BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.

Session attacks (Session (5), Presentation (6))
• Attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
• F5 mitigation technologies: BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.

Application attacks (Application (7))
• Attacks: Slowloris, Slow Post, HashDos, GET Floods
• F5 mitigation technologies: BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.

Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
• Protect against DDoS at all layers: 38 vectors covered
• Withstand the largest attacks
• Gain visibility and detection of SSL-encrypted attacks

DDoS detection and mitigation
Guard your data center against incoming threats that enter the network.

AFM DoS capabilities
• The most comprehensive L2-L4 DoS signature coverage
• 100+ DoS vectors
• Malformed/bad, suspicious, and volumetric attack signatures
• Stops capacity attacks on the flow/transaction state tracking structures
• Detection & mitigation limits: global, route domain & per-VS
• Protects IP infrastructure from malformed & malicious traffic at scale
• Accelerates over 64 signatures in hardware on many platforms, at line-rate performance
• Sweep & flood IP detection, used to identify "bad actor" SrcIPs and targeted DstIP servers
• AVR drill-down reporting on attackers, targets, geo-analysis
• Protocol-aware detection & mitigation for HTTP/S, SMTP, FTP, DNS & SIP
(Diagram: threat sources (botnet, attacker, scanner, anonymous requests, anonymous proxies, restricted region or country, internally infected devices and servers) against a custom application and a financial application; the IP intelligence service feed updates every 5 min and is combined with a geolocation database.)

F5 iRules: Industry's strongest zero-day threat protection
With iRules customers gain unsurpassed flexibility in protecting against the most sophisticated and unexpected attacks.

THE POWER OF IRULES
• Richer detection capabilities for stateful attacks on the flow table and mitigation of L2-L4 attacks
• Extends customization capabilities
• Leverages the IP Intelligence services and AFM statistical traffic subsampling
• Recently, iRules helped customers effectively mitigate the Heartbleed vulnerability

KNOWLEDGE IN NUMBERS
Community made up of over 100,000 active users collaborating and creating custom rules that mitigate threats.
• The DevCentral user community collectively has thousands of iRules to draw from

Dynamically update security logic
Maintain a current IP reputation database that allows you to automatically mitigate traffic from known bad or questionable IP addresses.

F5 IP INTELLIGENCE SERVICES
• Dynamic services feeds updated frequently
• Policy attached to global, route-domain or VS contexts
• Categorize IP/subnet by attack type
• Customizable actions per attack type category (e.g., Accept, Warn, Alert)
• User-defined categories

DYNAMIC IP BLACK LISTS & WHITE LISTS
• Create IP black lists and white lists that override IP intelligence services
• Merge multiple sources into one feed or enforcement policy
• HTTP/S & FTP polling methods
• Create multiple customizable IP feeds
• Support for IPv6 and IPv4
SSL traffic termination
Fully terminate SSL traffic to inspect the payload, preventing viruses, trojans, or network attacks.
• Gain visibility and detection of SSL-encrypted attacks
• Ensure a high-scale, high-performance SSL proxy
• Off-load SSL to reduce server load
(Diagram: SSL terminated on BIG-IP between clients and servers.)

Secure and available DNS
Before F5: 65,000 concurrent queries, exposed to:
• Cache poisoning
• DNS spoofing
• Man in the middle
• DDoS

With F5:
• Consolidate firewall and DNS
• Ensure high-performance scalable services
• Secure 10 million concurrent DNS queries
Secure and available DNS infrastructure: 10 million concurrent queries.
(Diagram uses http://www.f5.com as the example zone.)

Manageability and Visibility
Application-oriented policies and reports

Logging: generation and storage of individual security events
• Configure local and remote high-speed network firewall logging
• Independently controlled logging for access control, DoS, IP-Intel
• Log destinations & publishers consistent with the BIG-IP logging framework
• Guaranteed logging with log throttling

Reporting: visualization of security statistics
• Reporting used for visualizing traffic/attack patterns over time
• Geo, IPFIX & stale rules reporting
• Access control & DoS: drill-downs by context, IP, rule, etc.
• Integration with third-party SIEM systems

Report types
• HIPAA & PCI compliance reporting
• DDoS attack report
• IP Enforcer stats
• SNMP traps & MIB for DoS reporting

Enhanced DDoS logging: rate limiting
Avoid reduced performance during excessive logging periods.
• Establish rate limits at the granularity of a specific log message
• Applies to the whole profile regardless of message type
• Global or per Virtual Server application
• Aggregate limits on IP Intelligence
• Ensure compliance with PCI data logging requirements

Enhanced DDoS logging
Activate logging for stateful flow attacks at global, route domain or per-VS level.
• New section: turn on logging to query the tmstats table and take snapshots of the counters every second; if there is a change in the stats it logs the data.
• Ensures availability of security information via logs, tmstats, SNMP and AVR
Counters logged:
• # of currently active flows
• # of reaped flows (shut down)
• # of flows dropped due to flowtable misses
• # of SYN Cookie challenges generated, passed, failed (DSR/non-DSR modes)

Manageability and Visibility
SIEM integration: application-centric logging and reporting
• F5 reporting to key SIEM partners: Splunk, Q1, ArcSight
• Start with application-centric, high-level views and drill down to very detailed ones
• At-a-glance visibility and intelligence for ADF's context-aware security

Advanced application firewall
(Diagram: BIG-IP platform security, with BIG-IP AFM and BIG-IP ASM available on all BIG-IP.)
• Full-proxy firewall
• Hardware-based DoS protections
• App-centric policy enforcement
• High scalability, flexibility and performance
• Expert tracking, logging & reporting
• Dynamic IP intelligence
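The two "Enhanced DDoS logging" slides above describe change-triggered counter logging with per-message rate limits; the following added Python example (illustrative, not F5's code) models both: a snapshot of flow counters is taken each tick, only counters whose value changed are emitted, and each message type is capped per second so that an attack cannot degrade the device through its own logging. Counter names follow the slide; the values and the one-second sliding window are constructed assumptions.

```python
from collections import deque
from typing import Deque, Dict, List


class MessageRateLimiter:
    """Sliding one-second window per message type: limits apply at the
    granularity of a specific log message rather than to the log as a whole."""

    def __init__(self, max_per_sec: int):
        self.max_per_sec = max_per_sec
        self._sent: Dict[str, Deque[float]] = {}
        self.suppressed: Dict[str, int] = {}   # how many lines each type lost

    def allow(self, msg_type: str, now: float) -> bool:
        window = self._sent.setdefault(msg_type, deque())
        while window and now - window[0] >= 1.0:   # drop timestamps older than 1 s
            window.popleft()
        if len(window) >= self.max_per_sec:
            self.suppressed[msg_type] = self.suppressed.get(msg_type, 0) + 1
            return False
        window.append(now)
        return True


class ChangeLogger:
    """Logs a counter only when it differs from the last value that was logged."""

    def __init__(self, limiter: MessageRateLimiter):
        self.limiter = limiter
        self.last: Dict[str, int] = {}
        self.lines: List[str] = []

    def snapshot(self, now: float, counters: Dict[str, int]) -> int:
        """Take one per-second snapshot; return the total number of lines logged."""
        for name, value in counters.items():
            prev = self.last.get(name)
            if prev is not None and value == prev:
                continue                        # unchanged: nothing to log
            if not self.limiter.allow(name, now):
                continue                        # rate-limited: keep old baseline so
                                                # the change is reported next time
            self.last[name] = value
            delta = 0 if prev is None else value - prev
            self.lines.append(f"t={now:.0f} {name}={value} delta={delta}")
        return len(self.lines)


# Constructed counter set mirroring the slide's tmstats fields.
BASELINE = {"active_flows": 100, "reaped_flows": 0, "flowtable_miss_drops": 0,
            "syn_cookie_generated": 0, "syn_cookie_passed": 0, "syn_cookie_failed": 0}
```

A suppressed change is not lost: because the baseline is only advanced when a line is actually written, the next permitted line carries the cumulative delta.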