Datacenter security. Turo Siira, System Engineer, F5 Networks.
Maintaining Security Today Is Challenging
Four pressures: webification of apps, device proliferation, a shifting perimeter, and evolving security threats.
• 95% of workers use at least one personal device for work.
• 71% of internet experts predict most people will do work via web or mobile by 2020.
• 130 million enterprises will use mobile apps by 2014.
• 58% of all e-theft is tied to activist groups.
• 81% of breaches involved hacking.
• 80% of new apps will target the cloud.
• 72% of IT leaders have moved or will move applications to the cloud.
Datacenter Security Needs
• To scale: scale for a work-anywhere / SSL-everywhere world.
• To secure: security for applications and data against sustained attacks.
• To simplify: simplification of point solutions and complex firewall configurations.
DDoS Mitigation
Attack detection gets harder the higher you go in the OSI stack: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7).
• Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks. F5 mitigation: BIG-IP AFM (SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding). Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
• Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation. F5 mitigation: BIG-IP LTM and GTM (high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation).
• Application attacks: Slowloris, Slow Post, HashDos, GET Floods. F5 mitigation: BIG-IP ASM (positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection).
Use case: Protecting the datacenter
Before F5: separate boxes for the firewall, load balancer and SSL, load balancer, web application firewall, and DNS security. With F5: one platform covering network DDoS, application DDoS and web access management.
• Consolidation of firewall, app security, traffic management
• Protection for data centers and application servers
• High scale for the most common inbound protocols
SSL Inspection
• Gain visibility and detection of SSL-encrypted attacks
• Achieve a high-scale / high-performance SSL proxy
• Offload SSL: reduce load on application servers
iRules with Security: HashDos (Post of Doom)
• The "HashDos / Post of Doom" vulnerability affects all major web servers and application platforms.
• A single DevCentral iRule on the BIG-IP (a VIPRION in the slide diagram) mitigates the vulnerability for all back-end services.
• Staff can schedule patches for the back-end services on their own timeline.
iRules with Security: Prioritize connections based on country
SSL client-side and server-side, with a geolocation lookup via the whereis iRule command: https://devcentral.f5.com/wiki/irules.whereis.ashx
Security at the Strategic Point of Control
(Diagram: clients and cloud on one side; physical, virtual and storage resources on the other; the BIG-IP in between delivers total application delivery networking services: DNS Security, Network Firewall, Remote Access / SSL VPN and App Firewall.)
The Dynamics of the DNS Market
DNS demand is driven by Internet growth, 4G/LTE, and the need for DDoS protection and availability.
• Global mobile data (4G/LTE) is driving the need for fast, available DNS. (Chart legend: 4G LTE, 2.4 GB/mo; non-4G LTE, 86 MB/mo.)
• It is typical for a single web page to consume 100+ DNS queries from active content, advertising and analytics.
• (Chart: Average Daily Load for DNS (TLD) Queries in Billions, years '08 to '12, data points 39, 43, 50, 57, 77; 18X growth 2011-2016.)
• New ICANN TLDs will create new demands for scale.
• Attacks on DNS are becoming more common: cache poisoning attacks, reflection / amplification DDoS. DNS services must be robust, which drives DNSSEC adoption.
• DNS services must be distributed, available and high performance: GSLB for multiple datacenters, total service availability, geographically dispersed DCs, DNS capacity close to subscribers.
DNS the F5 Way
Conventional DNS thinking:
• Adding performance = adding DNS boxes
• Weak DoS/DDoS protection
• Topology: Internet > external firewall > DMZ with DNS load balancing and an array of DNS servers > internal firewall > hidden master DNS in the datacenter
F5 paradigm shift, DNS delivery reimagined:
• Massive performance, over 10M RPS
• Best DoS/DDoS protection
• Simplified management (partner)
• Less CAPEX and OPEX
• Topology: Internet > DNS firewall (DNS DDoS protection, protocol validation, authoritative DNS, caching resolver, transparent caching, high-performance DNSSEC, DNSSEC validation, intelligent GSLB) > master DNS infrastructure
BIG-IP Advanced Firewall Manager (AFM)
Packaging
• SW license
• Supported on all platforms (BIG-IP VE, BIG-IP appliances and VIPRION)
• Standalone or add-on to LTM
Features
• L4 stateful full-proxy firewall
• IPsec, NAT, advanced routing, full SSL, AVR, protocol security
• DDoS (TCP, UDP, DNS, floods, HTTP): over 80 attack types
• GUIs for configuring rules, logging, etc.
• All under a new Security tab
AFM GUI Configuration
• Main configuration under the new Security tab
• Context-aware rules can be configured at the object level
AFM DoS Protection
Security > DoS Protection > Device Configuration (applied globally)
• L2-L4 DoS attack vector detection and thresholding in hardware on platforms using the HSBe2 FPGA:
  • BIG-IP 5000 series
  • BIG-IP 7000 series
  • BIG-IP 10000 series
  • VIPRION B4300 blade
  • VIPRION B2100 blade
IP Intelligence
Identify and allow or block IP addresses with malicious activity. The IP Intelligence Service feeds botnet IP addresses, updated every 5 minutes, to the BIG-IP system in front of the financial and custom applications; the BIG-IP also consults a geolocation database.
Sources covered: attackers, anonymous proxies, scanners, anonymous requests, and internally infected devices and servers.
• Use IP intelligence to defend against attacks
• Reduce operational and capital expenses
IP Intelligence Service Management in the BIG-IP ASM UI
• Easily configure violation categories
• Easily manage alarms and blocking in ASM
• Approve desired IPs with a whitelist
• Policy Building enabled for ignoring
Who Is Responsible for Application Security?
(Diagram: clients, applications, infrastructure and storage, alongside the teams that touch them: developers, DBAs, engineering services and network security.)
What Is ASM?
• Allows the security team to secure a website without changing the application code
• Provides comprehensive protection for all web application vulnerabilities, including (D)DoS
• Logs and reports all application traffic, attacks and usernames
• Educates admins with attack type definitions and examples
• PCI compliance
How Does It Work? Security at the application, protocol and network level
Request path: request made > security policy checked > security policy applied (actions: log, block, allow) > server response.
Response path: content scrubbing > application cloaking > enforcement > response delivered.
Customer quote: "BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application."
Multiple Security Layers
• RFC enforcement
• Enforcement of various HTTP limits
• Profiling of good traffic: a defined list of allowed file types, URIs and parameters
• Each parameter is evaluated separately for: predefined value, length, character set, attack patterns
• Looking for pattern-matching signatures
• Responses are checked as well
Request inspection, step by step
1. Start by checking RFC compliance.
2. Then check for various length limits in the HTTP request.
3. Then we can enforce valid file types for the application.
4. Then we can enforce a list of valid URLs.
5. Then we can check for a list of valid parameters.
6. Then for each parameter we will check for max value length.
7. Then scan each parameter, the URI and the headers.

Sample request walked through on the slides:

GET /search.php?name=Acme’s&admin=1 HTTP/1.1
Host: 172.29.44.44
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Referer: http://172.29.44.44/search.php?q=data
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226;
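The seven-step pipeline above, as an added Python example (not F5 code and not ASM's policy format): a minimal positive-security checker with constructed policy values, constructed signatures and a sample request modelled on the slide's, where the undeclared admin parameter is what gets flagged. Real ASM policies are far richer; this only shows the ordering and the allow-list logic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed policy mirroring the slide's positive model (illustrative values, not ASM syntax).
POLICY = {
    "max_url_len": 256,
    "file_types": {"php", "html"},
    # allowed URLs, each with its allowed parameters and maximum value length (steps 4 to 6)
    "urls": {"/search.php": {"name": 32, "q": 64}, "/index.html": {}},
}
# Constructed, deliberately small attack-pattern signatures (step 7); ASM ships far more.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]
REQUEST_LINE = re.compile(r"^[A-Z]+ (\S+) HTTP/1\.[01]$")
# Constructed request modelled on the slide's example: 'admin' is not a declared parameter.
SAMPLE = ("GET /search.php?name=Acme&admin=1 HTTP/1.1\r\nHost: 172.29.44.44\r\n"
          "User-Agent: Mozilla/5.0\r\nCookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n\r\n")

def check_request(raw):
    """Run the seven checks in slide order; return the violations found (empty list = allowed)."""
    v = []
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(lines[0])                      # 1. RFC compliance
    if m is None:
        return ["rfc: malformed request line"]
    headers = {}
    for ln in lines[1:]:
        if ":" not in ln:
            return [f"rfc: malformed header {ln!r}"]
        name, value = ln.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        v.append("rfc: missing Host header")
    target = m.group(1)
    if len(target) > POLICY["max_url_len"]:               # 2. length limits
        v.append("length: URL too long")
    _, _, path, query, _ = urlsplit(target)
    ext = path.rsplit("/", 1)[-1].partition(".")[2]
    if ext and ext not in POLICY["file_types"]:           # 3. allowed file types
        v.append(f"filetype: .{ext} not allowed")
    allowed = POLICY["urls"].get(path, {})
    if path not in POLICY["urls"]:                        # 4. allowed URLs
        v.append(f"url: {path} not allowed")
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in allowed:                           # 5. allowed parameters
            v.append(f"param: {name} not allowed on {path}")
        elif len(value) > allowed[name]:                  # 6. max value length
            v.append(f"param: {name} value too long")
        v += [f"signature: {s} in param {name}" for s, rx in SIGNATURES if rx.search(value)]
    for s, rx in SIGNATURES:                              # 7. signatures on URI and headers
        if rx.search(path) or any(rx.search(x) for x in headers.values()):
            v.append(f"signature: {s} in URI or header")
    return v
```

Each check runs even after an earlier one fails (except malformed syntax), so one blocked request can report several violations, which is what the logging slides later describe.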
Streamlined Deployment Options
Prebuilt app policy (for mission-critical applications):
• Out-of-the-box protection
• Prebuilt, preconfigured and validated policies (e.g. HR apps, finance apps, sales apps, marketing apps)
Rapid deployment policy (any custom application):
• Immediate security covering 80% of events
• Minimal configuration time and a starting point for more advanced policy creation
Three Ways to Build a Policy
• Integration with app scanners: virtual patching with continuous application scanning
• Dynamic policy builder (automatic): no knowledge of the app required; adjusts policies if the app changes
• Manual: advanced configuration for custom policies
Attack Expert System in ASM
The attack expert system makes responding to vulnerabilities faster and easier: violations are represented graphically, with an info tooltip (click it) that explains the violation. The entire HTTP payload of each event is logged.
Detailed Logging with Actionable Reports
• At-a-glance PCI compliance reports
• Drill-down for information on security posture
Computational DoS mitigation in HTTP L7 (Application Security Manager)
• Transactions-per-second (TPS) based anomaly detection: detects and mitigates DoS attacks based on client-side behaviour.
• Latency-based anomaly detection: detects and mitigates attacks based on the behaviour of the server side.
Enabling simplified application access
(Diagram: users reach SharePoint, OWA, cloud services, hosted virtual desktops and web / application servers (App 1 ... App n) through BIG-IP Local Traffic Manager + Access Policy Manager, backed by a directory.)
Enhancing Web Access Management
• Proxy the web applications to provide authentication, authorization, endpoint inspection, and more, all tying into Layer 4-7 ACLs through F5's Visual Policy Editor.
(Diagram: an administrator creates the policy; a user (ID 832849, group HR, corporate domain) is authenticated against the AAA server and checked for a current OS and the latest AV software.)
APM SAML: How It Works
(Topology: data center 1 hosts login.example.com and portal.example.com with Active Directory and ADFS; data center 2 hosts OWA.example.com, sharepoint.example.com and an Apache/Tomcat app, also with ADFS; end users and business partners connect over public/private networks.)
1. A domain user makes a SAML-supported request for a resource.
2. An SP-initiated POST is sent back to the client in the form of a redirect to https://login.example.com.
3. The client posts credentials to login.example.com; the credentials are validated against Active Directory.
4. A SAML assertion is generated and passed back to the client with a redirect to the requested application.
5. The client successfully logs on to the application with the SAML assertion.
Full Proxy Security
The client side and the server side each get a full stack, and each layer has its own protection:
• Web application: application health monitoring and performance anomaly detection
• Application: HTTP proxy, HTTP DDoS and application security
• Session: SSL inspection and SSL DDoS mitigation
• Network: L4 firewall with full stateful policy enforcement and TCP DDoS mitigation
• Physical
F5's Purpose-Built Design: Performance and Scalability
• Optimized hardware utilizing custom Field Programmable Gate Array (FPGA) technology tightly integrated with TMOS and software
• Embedded Packet Velocity Acceleration (ePVA) FPGA delivers:
  • Linear scaling of performance
  • High-performance interconnect between Ethernet ports and CPUs
  • High L4 throughput and reduced load on the CPU
  • Integrated hardware and software DDoS protection against large-scale attacks
  • Predictable performance for low-latency protocols (FIX)
(Diagram: example of the unique F5 VIPRION architecture.)
F5 BIG-IP delivers, on one platform (HW/SW): ICSA-certified firewall, access control, DDoS mitigation, application security, SSL inspection, DNS security, application delivery controller, BYOD 2.0, and web and WAN optimization.
• Advanced Firewall Manager: stateful full-proxy firewall; on-box logging and reporting; native TCP, SSL and HTTP proxies; network and session anti-DDoS
• Access Policy Manager: dynamic, identity-based access control; simplified authentication, consolidated infrastructure; strong endpoint security and secure remote access; high performance and scalability; BYOD 2.0 integration (SaaS); VDI integration (ICA, PCoIP)
• Local Traffic Manager: #1 application delivery controller; application fluency; app-specific health monitoring; application offload; streamlined app deployment
• Application Security Manager: leading web application firewall; PCI compliance; virtual patching for vulnerabilities; HTTP anti-DDoS; IP protection
• Global Traffic Manager and DNSSEC: huge-scale DNS solution; global server load balancing; signed DNS responses; offload DNS crypto
• Application Acceleration: front-end optimization; server offload; network optimization; mobile acceleration; HTTP 2.0 / SPDY gateway
Reference: "F5 data center firewall aces performance test", David Newman, Network World, July 22, 2013. http://www.networkworld.com/reviews/2013/072213-firewall-test-271877.html