F5_AFM_presentation

BIG-IP AFM
Philippe Bogaerts
Maintaining Security Is Challenging
• Webification of apps: 71% of internet experts predict most people will do work via web or mobile by 2020.
• Device proliferation: 95% of workers use at least one personal device for work. 130 million enterprises will use mobile apps by 2014.
• Evolving security threats: 58% of all e-theft tied to activist groups. 81% of breaches involved hacking.
• Shifting perimeter: 80% of new apps will target the cloud. 72% of IT leaders have or will move applications to the cloud.
© F5 Networks, Inc
Protecting the datacenter can be complex
• Dynamic datacenter perimeter: requires protection and policy enforcement that ensure 24x7 application availability
• Attack visibility: is often lacking details to truly track and identify attacks and their source, and ensure compliance
• Everything SSL: difficulty with discrete traffic visibility
• Changing threats: increasing in complexity, which requires intelligence and ongoing learning
• Scalability and performance: needed to ensure services are available during the onset of aggressive attacks
BIG-IP® Advanced Firewall Manager (AFM)
• Built on the market leading Application Delivery Controller (ADC)
• Consolidates multiple appliances to reduce TCO
• Protects against L2-L4 attacks with the most advanced full proxy architecture
• Delivers over 100 vectors and more hardware-based DoS vectors than any other vendor
• Ensures performance while under attack - scales to 7.5M CPS; 576M CC, 640 Gbps
• Offers a foundation for an integrated L2-L7 Application delivery firewall platform
[Figure: User and Classic Server on one side, App Servers on the other, with the AFM services in between: Network DDoS, DNS Security, Access Security, Data Center Firewall, Application Security]
BIG-IP Application Firewall Manager
The best foundation for a consolidated layered defense
App-centric policy enforcement
• Application access controls
• Simplified policy assurance
• Automatic self-learning & policy adjustment
• Extensibility with iRules
DoS protection
• Secure against L2-L4 D/DoS attacks
• Advanced resource protection
• Hardware-based DoS protections
• Application availability assurance
• Dynamic IP intelligence
Manageability and Visibility
• High speed customizable syslog
• Granular attack details
• Expert attack tracking and profiling
• Policy & compliance reporting
• Centralized management
App-centric policy enforcement
Policies written specifically for applications rather than against network traffic.
• Effective rule life-cycle management for increased policy efficiency & effectiveness
• 3-tiered hierarchical policy context (i.e., mail traffic only subject to mail rules)
• HTTP, SMTP, FTP, SIP, DNS protocol validation and enforcement on granular details
• Protocol conformance with DNS
Full-proxy architecture
[Figure: client-side and server-side protocol stacks behind a Network Firewall; each layer (TCP, SSL, HTTP, WAF) is terminated on the client side and re-originated on the server side, with iRule hooks at every layer. Attacks shown being stopped at their layer: SYN flood, ICMP flood, Slowloris attack, SSL renegotiation, XSS, Data leakage]
DDoS detection and mitigation
Increasing difficulty of attack detection up the OSI stack, with the F5 mitigation technologies for each group:
• Network attacks (Physical (1), Data Link (2), Network (3), Transport (4)): SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
  Mitigated by BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.
• Session attacks (Session (5), Presentation (6)): DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
  Mitigated by BIG-IP LTM and GTM: High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
• Application attacks (Application (7)): Slowloris, Slow Post, HashDos, GET Floods
  Mitigated by BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
• Protect against DDoS at all layers – 38 vectors covered
• Withstand the largest attacks
• Gain visibility and detection of SSL encrypted attacks
DDoS detection and mitigation
Guard your data center against incoming threats that enter the network.
AFM DOS CAPABILITIES
• The most comprehensive L2-L4 DoS signature coverage
• 100+ DoS vectors
• Malformed/Bad, Suspicious, and Volumetric attack signatures
• Stops capacity attacks on the flow/transaction state tracking structures
• Detection & mitigation limits: global, route domain & per-VS volumetric
• Protects IP infrastructure from malformed & malicious traffic at scale
• Accelerating over 64 signatures in hardware on many platforms, line-rate performance
• Sweep & Flood IP detection, used to identify "bad actor" source IPs and targeted destination IP servers
• AVR drill-down reporting on attackers, targets, geo-analysis
• Protocol-aware detection & mitigation for HTTP/S, SMTP, FTP, DNS & SIP
[Figure: attack sources (Botnet, Attacker, Anonymous requests, Anonymous proxies, Scanner, Restricted region or country, Internally infected devices and servers) screened by the IP intelligence service (IP address feed updates every 5 min) and a Geolocation database in front of a Custom application and a Financial application]
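The sweep and flood detection described above, as an added example that is not F5's code: a sweep is one source reaching many distinct destinations in a short window, a flood is many flows converging on one destination. The flow record layout, the tumbling one-window counting, the thresholds and the sample traffic (RFC 5737 documentation addresses) are all constructed for this example; a real detector would use sliding windows or decaying counters.

```python
"""Sweep and flood detection over flow records (added example, not F5 code).

A "sweep" is one source address reaching many distinct destination addresses
in a short window (scanning behaviour); a "flood" is many flows converging on
one destination (volumetric DoS). Counting per tumbling window, the thresholds
and the record layout are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since some epoch
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port


def detect(flows, window=10.0, sweep_threshold=20, flood_threshold=50):
    """Return {"sweep": [(src, distinct_dsts)], "flood": [(dst, flow_count)]}.

    Counters are kept per tumbling window of `window` seconds so that a slow,
    spread-out trickle does not accumulate forever.
    """
    dsts_per_src = defaultdict(set)      # (window, src) -> {dst, ...}
    flows_per_dst = defaultdict(int)     # (window, dst) -> flow count
    for f in flows:
        w = int(f.ts // window)
        dsts_per_src[(w, f.src)].add(f.dst)
        flows_per_dst[(w, f.dst)] += 1

    sweeps = {}   # src -> worst distinct-destination count seen in any window
    for (_, src), dsts in dsts_per_src.items():
        if len(dsts) >= sweep_threshold:
            sweeps[src] = max(sweeps.get(src, 0), len(dsts))
    floods = {}   # dst -> worst flow count seen in any window
    for (_, dst), n in flows_per_dst.items():
        if n >= flood_threshold:
            floods[dst] = max(floods.get(dst, 0), n)
    return {"sweep": sorted(sweeps.items()), "flood": sorted(floods.items())}


def mitigation_plan(result):
    """Translate detections into the kind of actions a firewall applies: a sweeping
    source is a "bad actor" to drop at the edge; a flooded destination gets
    rate-limited so the service stays available for everyone else."""
    plan = []
    for src, n in result["sweep"]:
        plan.append(("drop-source", src, f"{n} distinct destinations in one window"))
    for dst, n in result["flood"]:
        plan.append(("rate-limit-destination", dst, f"{n} flows in one window"))
    return plan


def build_sample_flows():
    """Constructed sample traffic using RFC 5737 documentation addresses."""
    flows = []
    # Normal clients: five sources each opening one HTTPS flow to the web server.
    for i in range(5):
        flows.append(Flow(1.0 + i, f"192.0.2.{i + 1}", "198.51.100.10", 443))
    # Sweep: one source probing port 22 on thirty different hosts within seconds.
    for i in range(30):
        flows.append(Flow(2.0 + i * 0.1, "203.0.113.7", f"198.51.100.{20 + i}", 22))
    # Flood: sixty flows from fifty sources converging on the web server.
    for i in range(60):
        flows.append(Flow(3.0 + i * 0.05, f"203.0.113.{100 + i % 50}", "198.51.100.10", 443))
    return flows


if __name__ == "__main__":
    for action in mitigation_plan(detect(build_sample_flows())):
        print(action)
```

Note that the flood sources each contribute only one or two flows, so they never cross the sweep threshold; the flood is only visible as a per-destination count, which is why the two detections are kept separate and why the flood response targets the destination rather than individual sources.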
F5 iRules: Industry’s strongest zero-day threat protection
With iRules customers gain unsurpassed flexibility in protecting against the most sophisticated and unexpected attacks.
THE POWER OF IRULES
• Richer detection capabilities for stateful attacks on flow table and mitigation of L2-L4 attacks
• Extends customization capabilities
• Leverages the IP Intelligence services and AFM statistical traffic subsampling
• Recently, iRules helped customers effectively mitigate the Heartbleed vulnerability
KNOWLEDGE IN NUMBERS
Community made up of over 100,000 active users collaborating and creating custom rules that mitigate threats
• DevCentral user community collectively has thousands of iRules to draw from
Dynamically update security logic
Maintain a current IP reputation database that allows you to automatically mitigate traffic from known bad or questionable IP addresses.
F5 IP INTELLIGENCE SERVICES
• Dynamic services feeds updated frequently
• Policy attached to global, route domain or VS contexts
• Categorize IP/subnet by attack type
• Customizable actions per attack type category (i.e., Accept, Warn, Alert)
• User defined categories
• Support for IPv6 and IPv4
DYNAMIC IP BLACK LISTS & WHITE LISTS
• Create IP Black Lists and White Lists that override IP intelligence services
• Merge multiple sources into 1 feed or enforcement policy
• HTTP/S & FTP polling methods
• Create multiple customizable IP feeds
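The enforcement model described above, as an added example that is not F5's code: several feeds merged into one policy, a per-category action (the Accept / Warn / Alert choice from the slide), local white and black lists that take precedence over the feeds, and IPv4 and IPv6 entries side by side. The feed format, the category names, the "drop" action for local black-list hits and the precedence rule (longest prefix wins, more severe action wins a tie) are assumptions for this example.

```python
"""IP intelligence enforcement with feed merging and local overrides.

Added example, not F5 code. Feed format, category names and the precedence
rules are assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed feeds in a simple "prefix,category" format (not a vendor format).
FEED_A = """
# feed A (constructed)
198.51.100.0/24,botnet
203.0.113.5,scanner
2001:db8:1::/48,anonymous_proxy
"""
FEED_B = """
# feed B (constructed)
203.0.113.0/24,spam_source
198.51.100.77,botnet
"""

# Per-category actions: the Accept / Warn / Alert choice from the slide.
ACTIONS = {
    "botnet": "alert",
    "scanner": "warn",
    "anonymous_proxy": "warn",
    "spam_source": "warn",
}
# Severity order used when two feeds disagree at the same prefix length.
# "drop" is assumed here for explicit local black-list hits.
SEVERITY = {"accept": 0, "warn": 1, "alert": 2, "drop": 3}


@dataclass(frozen=True)
class Decision:
    action: str
    category: Optional[str]
    source: str


def parse_feed(text, name):
    """Parse one feed into (network, category, feed_name) entries, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, category = (part.strip() for part in line.split(",", 1))
        entries.append((ip_network(prefix, strict=False), category, name))
    return entries


class IpIntelPolicy:
    def __init__(self, feeds, actions=ACTIONS, default_action="accept"):
        self.entries = []
        for name, text in feeds.items():          # merge all feeds into one table
            self.entries.extend(parse_feed(text, name))
        self.actions = actions
        self.default_action = default_action
        self.whitelist = []
        self.blacklist = []

    def allow(self, prefix):
        self.whitelist.append(ip_network(prefix, strict=False))

    def deny(self, prefix):
        self.blacklist.append(ip_network(prefix, strict=False))

    def lookup(self, ip):
        """Local white list, then local black list, then the merged feeds.

        Among feed matches the longest prefix wins; on a tie the more severe
        action wins, so a /32 'scanner' entry beats a /24 'spam_source' one.
        """
        addr = ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return Decision("accept", "whitelist", "local")
        if any(addr in net for net in self.blacklist):
            return Decision("drop", "blacklist", "local")
        best = None
        for net, category, source in self.entries:
            if net.version != addr.version or addr not in net:
                continue
            action = self.actions.get(category, self.default_action)
            key = (net.prefixlen, SEVERITY[action])
            if best is None or key > best[0]:
                best = (key, action, category, source)
        if best is None:
            return Decision(self.default_action, None, "no match")
        _, action, category, source = best
        return Decision(action, category, source)


def build_policy():
    """Constructed policy: both feeds merged plus one local exception each way."""
    policy = IpIntelPolicy({"feed_a": FEED_A, "feed_b": FEED_B})
    policy.allow("198.51.100.50")   # a partner host inside the botnet /24
    policy.deny("192.0.2.0/24")     # a range blocked regardless of the feeds
    return policy
```

The lookup order matters more than the feed contents: a local white list that did not sit in front of the feeds would let a stale feed entry cut off a known-good partner, which is the operational reason the slide lists the override capability separately from the feeds themselves.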
SSL traffic termination
Fully terminate SSL traffic to inspect payload, preventing viruses, trojans, or network attacks.
• Gain visibility and detection of SSL-encrypted attacks
• Ensure high-scale/high-performance SSL proxy
• Off-load SSL to reduce server load
[Figure: SSL sessions terminated on BIG-IP on the client side and re-established to the servers]
Secure and available DNS
Before f5: 65,000 concurrent queries, exposed to
• Cache poisoning
• DNS spoofing
• Man in the middle
• DDoS
with f5: secure and available DNS infrastructure, 10 million concurrent queries
• Consolidate Firewall and DNS
• Ensure high-performance scalable services
• Secure 10 million concurrent DNS Queries
[Figure: http://www.f5.com resolved before and with f5]
Manageability and Visibility
Application-oriented policies and reports
Logging – Generation and Storage of Individual Security Events
• Configure local and remote high-speed network firewall logging
• Independently controlled logging for Access Control, DoS, IP-Intel
• Log Destinations & Publishers consistent with BIG-IP logging framework
• Guaranteed logging with log throttling
Reporting – Visualization of Security Statistics
• Reporting used for visualizing traffic/attack patterns over time
• Geo & IPFIX & Stale Rules reporting
• Access-Control & DoS: drill-downs by contexts, IP, rule, etc.
• Integration with 3rd party SIEM systems
Report type
• HIPAA & PCI compliance reporting
• DDoS attack report
• IP Enforcer stats
• SNMP traps & MIB for DoS reporting
Enhanced DDoS logging: Rate limiting
Avoid reduced performance during excessive logging periods
• Establish rate limits at granularity of specific log message
• Applies to the whole profile regardless of message type
• Global or per Virtual Server application
• Aggregate limits on IP Intelligence
• Ensure compliance with PCI data logging requirements
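The rate-limiting controls listed above, as an added example that is not F5's code: a limit per specific log message type, an aggregate limit that applies to the whole profile regardless of type, and a scope key so the same limiter can run globally or per virtual server. Suppressed messages are counted and reported once per window so the audit trail still records what was dropped. The one-second windows, the limits, the message types and the sample burst are assumptions for this example.

```python
"""Log rate limiting for a security-event profile (added example, not F5 code).

Windows, limits and message types are assumptions for this example.
"""
from collections import defaultdict


class LogRateLimiter:
    def __init__(self, per_type_limits, aggregate_limit=None, default_per_type=None):
        self.per_type_limits = per_type_limits      # e.g. {"dos": 5, "acl": 3}: msgs/sec
        self.default_per_type = default_per_type    # None means no per-type limit
        self.aggregate_limit = aggregate_limit      # msgs/sec for the whole profile
        self.window = None                          # current one-second window
        self.type_count = defaultdict(int)          # (scope, mtype) -> emitted this window
        self.agg_count = defaultdict(int)           # scope -> emitted this window
        self.suppressed = defaultdict(int)          # (scope, mtype) -> dropped this window

    def submit(self, now, scope, mtype, message):
        """Offer one event; return the list of (kind, line) pairs actually emitted."""
        out = []
        window = int(now)
        if window != self.window:
            out.extend(self._roll_window(window))
        per_type = self.per_type_limits.get(mtype, self.default_per_type)
        over_type = per_type is not None and self.type_count[(scope, mtype)] >= per_type
        over_agg = (self.aggregate_limit is not None
                    and self.agg_count[scope] >= self.aggregate_limit)
        if over_type or over_agg:
            self.suppressed[(scope, mtype)] += 1     # counted, not silently lost
            return out
        self.type_count[(scope, mtype)] += 1
        self.agg_count[scope] += 1
        out.append(("event", f"{now:.3f} [{scope}] {mtype}: {message}"))
        return out

    def _roll_window(self, window):
        """Emit one summary per (scope, type) that lost messages, then reset counters."""
        summaries = []
        for (scope, mtype), n in sorted(self.suppressed.items()):
            if n:
                summaries.append(("summary",
                                  f"[{scope}] rate-limit: suppressed {n} '{mtype}' "
                                  f"messages in window {self.window}"))
        self.type_count.clear()
        self.agg_count.clear()
        self.suppressed.clear()
        self.window = window
        return summaries


def run_demo():
    """Constructed burst; returns (events, summaries) the limiter let through."""
    limiter = LogRateLimiter({"dos": 5, "acl": 3}, aggregate_limit=6)
    scope = "vs:/Common/web_vs"
    emitted = []
    # Ten DoS events in one second: the per-type limit of 5 drops half of them.
    for i in range(10):
        emitted += limiter.submit(0.0 + i * 0.05, scope, "dos", f"syn flood sample {i}")
    # Four ACL denies in the same second: the per-type limit would allow 3, but the
    # profile-wide aggregate of 6 has only one slot left, so three are suppressed.
    for i in range(4):
        emitted += limiter.submit(0.6 + i * 0.05, scope, "acl", f"deny 203.0.113.{i} -> :443")
    # A different scope keeps its own counters and is not affected.
    emitted += limiter.submit(0.9, "global", "acl", "deny 198.51.100.9 -> :22")
    # The next second rolls the window: summaries first, then the new event.
    emitted += limiter.submit(1.0, scope, "dos", "syn flood sample 10")
    events = [line for kind, line in emitted if kind == "event"]
    summaries = [line for kind, line in emitted if kind == "summary"]
    return events, summaries


if __name__ == "__main__":
    for section in run_demo():
        print("\n".join(section))
```

The summary lines are the part that matters for compliance: a limiter that only drops is a gap in the record, whereas one that reports "suppressed N messages" per type and scope lets an analyst see that a burst happened and how large it was even when the individual events are gone.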
Enhanced DDoS logging
Activate logging for stateful flow attacks at global, route domain or per-VS level
• # of currently active flows
• # of reaped flows
• Shot down
• # of flows dropped due to flowtable misses
• # of SYN Cookies challenges generated, passed, failed (DSR/non-DSR modes)
• Ensures availability of security information via logs, tmstats, SNMP and AVR
New section: turn on logging to query the tmstats table and get snapshots of counters every second; if there is a change in stats it logs the data.
Manageability and Visibility
SIEM INTEGRATION: APPLICATION-CENTRIC LOGGING AND REPORTING
• F5 reporting to key SIEM partners: Splunk, Q1, ArcSight
• Start with application-centric views (high level) and drill down to more details (very detailed)
• At-a-glance visibility and intelligence for ADF’s context-aware security
Advanced application firewall
[Figure: BIG-IP AFM summary: Full proxy firewall, Hardware based DoS protections, App-centric policy enforcement, High scalability, flexibility and performance, Expert tracking, logging & reporting, Dynamic IP intelligence; layered on BIG-IP platform security (all BIG-IP), with BIG-IP ASM alongside BIG-IP AFM]