BIG-IP AFM - Philippe Bogaerts
Source: westconbe.security.westcon.com/documents/55263/F5_AFM_presentation.pdf (© F5 Networks, Inc)
Posted on 31-Mar-2018, 25 pages

TRANSCRIPT

Page 1: BIG-IP AFM - Westconbe.security.westcon.com/documents/55263/F5_AFM_presentation.pdf · © F5 Networks, Inc 2 Maintaining Security Is Challenging Webification of apps Device proliferation

BIG-IP AFM Philippe Bogaerts

Page 2:

© F5 Networks, Inc 2

Maintaining Security Is Challenging

•  Webification of apps
•  Device proliferation
•  Evolving security threats
•  Shifting perimeter

71% of internet experts predict most people will do work via web or mobile by 2020.

95% of workers use at least one personal device for work.

130 million enterprises will use mobile apps by 2014

58% of all e-theft tied to activist groups. 81% of breaches involved hacking

80% of new apps will target the cloud.

72% of IT leaders have moved or will move applications to the cloud.

Page 3:

Protecting the datacenter can be complex

•  Changing threats: increasing in complexity, which requires intelligence and ongoing learning
•  Scalability and performance: needed to ensure services stay available during the onset of aggressive attacks
•  Everything SSL: difficulty with discrete traffic visibility
•  Dynamic datacenter perimeter: requires protection and policy enforcement that ensure 24x7 application availability
•  Attack visibility: often lacks the details needed to truly track and identify attacks and their source, and to ensure compliance

Page 4:

BIG-IP® Advanced Firewall Manager (AFM)

[Figure: User traffic reaching App Servers and a Classic Server through the BIG-IP, with protection areas labelled Data Center Firewall, Application Security, Access Security, DNS Security and Network DDoS.]

•  Built on the market leading Application Delivery Controller (ADC)
•  Consolidates multiple appliances to reduce TCO
•  Protects against L2-L4 attacks with the most advanced full proxy architecture
•  Delivers over 100 vectors and more hardware-based DOS vectors than any other vendor
•  Ensures performance while under attack: scales to 7.5M connections per second (CPS), 576M concurrent connections (CC) and 640 Gbps
•  Offers a foundation for an integrated L2-L7 Application delivery firewall platform

Page 5:

BIG-IP Advanced Firewall Manager

The best foundation for a consolidated layered defense

DoS protection
•  Secure against L2-L4 D/DOS attacks
•  Advanced resource protection
•  Hardware-based DoS protections
•  Application availability assurance
•  Dynamic IP intelligence

App-centric policy enforcement
•  Application access controls
•  Simplified policy assurance
•  Automatic self-learning & policy adjustment
•  Extensibility with iRules

Manageability and Visibility
•  High speed customizable syslog
•  Granular attack details
•  Expert attack tracking and profiling
•  Policy & compliance reporting
•  Centralized management

Page 6:

App-centric policy enforcement

•  Effective rule life-cycle management for increased policy efficiency & effectiveness

•  3-tiered hierarchical policy context (e.g., mail traffic only subject to mail rules)

•  Protocol validation and enforcement on granular details for HTTP, SMTP, FTP, SIP and DNS

•  Protocol conformance with DNS

Policies written specifically for applications rather than against network traffic.

Page 7:

Full-proxy architecture

[Figure: client-side and server-side protocol stacks (TCP, SSL, HTTP) meeting at the full proxy, each layer with its own iRule hook; attacks shown across the diagram: ICMP flood, SYN flood, SSL renegotiation, data leakage, Slowloris attack, XSS; enforcement points labelled Network Firewall and WAF.]

Page 8:

DDoS detection and mitigation

•  Protect against DDoS at all layers – 38 vectors covered
•  Withstand the largest attacks
•  Gain visibility and detection of SSL encrypted attacks

[Figure: the OSI stack, Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1), annotated "Increasing difficulty of attack detection", set against the F5 mitigation technologies listed below.]

Application attacks: Slowloris, Slow Post, HashDos, GET Floods
  F5 mitigation: BIG-IP ASM. Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
  F5 mitigation: BIG-IP LTM and GTM. High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
  F5 mitigation: BIG-IP AFM. SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

Page 9:

DDoS detection and mitigation

AFM DOS CAPABILITIES

Guard your data center against incoming threats that enter the network 

•  100+ DoS Vectors
•  Malformed/Bad, Suspicious, and Volumetric Attack signatures
•  Stops capacity attacks on the flow/transaction state tracking structures
•  Detection & Mitigation Limits: Global, route domain & Per-VS Volumetric
•  The most comprehensive L2-L4 DOS signature coverage

[Figure (repeated on pages 9 to 13): threat sources such as a Botnet, a Restricted region or country, an Attacker, Anonymous requests, Anonymous proxies, a Scanner and Internally infected devices and servers, in front of a Custom application and a Financial application; an IP intelligence service (IP address feed updates every 5 min) and a Geolocation database feed the BIG-IP.]

Page 10:

DDoS detection and mitigation

AFM DOS CAPABILITIES

Guard your data center against incoming threats that enter the network 

•  The most comprehensive L2-L4 DOS signature coverage

•  Protects IP infrastructure from malformed & malicious traffic at scale

•  Accelerates over 64 signatures in hardware on many platforms, for line-rate performance


Page 11:

DDoS detection and mitigation

AFM DOS CAPABILITIES

Guard your data center against incoming threats that enter the network 

•  The most comprehensive L2-L4 DOS signature coverage

•  Protects IP infrastructure from malformed & malicious traffic at scale

•  Sweep & Flood IP detection

•  Used to identify "bad actor" source IPs and targeted destination IP servers

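Sweep and flood detection as pages 11 to 13 describe it (bad-actor source IPs and targeted destination servers), shown as an added Python example that is not F5's implementation: constructed flow records are bucketed into fixed time windows, and a source that touches too many distinct destinations (sweep) or a destination that receives too many packets (flood) is reported. The window size, thresholds and flow records are assumptions made for the example.

```python
# Added example, not F5 code: a toy "sweep & flood" detector over constructed
# flow records, for the bullets above. A sweep is one source touching many
# distinct destinations inside a time window (a bad-actor source IP); a flood is
# many packets at one destination inside the window (a targeted server).
# Window, thresholds and flow records are all constructed for the example.
from collections import defaultdict

# Constructed flow records: (timestamp in seconds, src_ip, dst_ip).
FLOWS = (
    # one source probes 30 different internal hosts in 30 seconds (sweep)
    [(i, "203.0.113.5", f"10.0.0.{i + 1}") for i in range(30)]
    # 50 sources send 4 packets each at one server within 4 seconds (flood)
    + [(t, f"198.51.100.{i}", "10.0.0.80") for i in range(1, 51) for t in (1, 2, 3, 4)]
    # ordinary traffic: a few packets to that server, a client touching 3 hosts
    + [(t, "192.0.2.10", "10.0.0.80") for t in range(5)]
    + [(t, "192.0.2.11", f"10.0.0.{t}") for t in (1, 2, 3)]
)


def detect(flows, window=60, sweep_dsts=20, flood_pkts=100):
    """Return (sweeps, floods), each keyed by IP and holding the worst window:
    sweeps[src] = distinct destinations; floods[dst] = (packets, distinct sources).
    Only IPs that crossed a threshold are reported."""
    buckets = defaultdict(list)            # fixed windows of `window` seconds
    for ts, src, dst in flows:
        buckets[int(ts // window)].append((src, dst))
    sweeps, floods = {}, {}
    for bucket in buckets.values():
        dsts_by_src, srcs_by_dst = defaultdict(set), defaultdict(set)
        pkts_by_dst = defaultdict(int)
        for src, dst in bucket:
            dsts_by_src[src].add(dst)
            srcs_by_dst[dst].add(src)
            pkts_by_dst[dst] += 1
        for src, dsts in dsts_by_src.items():
            if len(dsts) >= sweep_dsts:
                sweeps[src] = max(sweeps.get(src, 0), len(dsts))
        for dst, pkts in pkts_by_dst.items():
            if pkts >= flood_pkts and pkts > floods.get(dst, (0, 0))[0]:
                floods[dst] = (pkts, len(srcs_by_dst[dst]))
    return sweeps, floods


if __name__ == "__main__":
    sweeps, floods = detect(FLOWS)
    for src, n in sweeps.items():
        print(f"sweep: {src} touched {n} destinations in one window")
    for dst, (pkts, n_src) in floods.items():
        print(f"flood: {dst} received {pkts} packets from {n_src} sources")
```

The distinct-source count on a flood is what separates a single noisy client (rate-limit that source) from a distributed flood (protect the destination).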

Page 12:

DDoS detection and mitigation

AFM DOS CAPABILITIES

Guard your data center against incoming threats that enter the network 

•  The most comprehensive L2-L4 DOS signature coverage

•  Protects IP infrastructure from malformed & malicious traffic at scale

•  Sweep & Flood IP detection

•  AVR Drill-Down reporting on attackers, targets, geo-analysis


Page 13:

DDoS detection and mitigation

AFM DOS CAPABILITIES

Guard your data center against incoming threats that enter the network 

•  The most comprehensive L2-L4 DOS signature coverage

•  Protects IP infrastructure from malformed & malicious traffic at scale

•  Sweep & Flood IP detection

•  AVR Drill-Down reporting on attackers, targets, geo-analysis

•  Protocol-Aware Detection & Mitigation for HTTP/S, SMTP, FTP, DNS & SIP


Page 14:

F5 iRules: Industry’s strongest zero-day threat protection

THE POWER OF IRULES

•  Richer detection capabilities for stateful attacks on flow table and mitigation of L2-L4 attacks

•  Extends customization capabilities

•  Leverages the IP Intelligence services and AFM statistical traffic subsampling

•  DevCentral user community collectively has thousands of iRules to draw from

•  Recently, iRules helped customers effectively mitigate the Heartbleed vulnerability

KNOWLEDGE IN NUMBERS

Community made up of over 100,000 active users collaborating and creating custom rules that mitigate threats

With iRules customers gain unsurpassed flexibility in protecting against the most sophisticated and unexpected attacks.

Page 15:

Dynamically update security logic

F5 IP INTELLIGENCE SERVICES

•  Dynamic services feeds updated frequently

•  Policy attached to global, route domain or VS contexts

•  Categorize IP/subnet by attack type

•  Customizable actions per attack type category (e.g., Accept, Warn, Alert)

•  Create multiple customizable IP feeds

DYNAMIC IP BLACK LISTS & WHITE LISTS

•  Create IP Black Lists and White Lists that override IP intelligence services

•  Merge multiple sources into 1 feed or enforcement policy

•  HTTP/S & FTP polling methods

•  User defined categories

•  Support for IPv6 and IPv4

Maintain a current IP reputation database & automatically mitigate traffic from known bad IP addresses.

Page 16:

Dynamically update security logic (repeats the lists on page 15)

Maintain a current IP reputation database that allows you to automatically mitigate traffic from known bad or questionable IP addresses.
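The IP intelligence policy pages 15 and 16 describe, as an added Python example that is not F5's code or API: feeds from two sources are merged into one enforcement table, each category maps to an action, and local allow/deny lists override the feed verdict for IPv4 and IPv6 alike. The feed entries, category names, action names and addresses are all constructed for the example.

```python
# Added example, not F5 code or API: an IP-intelligence enforcement policy with
# the features the slide lists: feeds merged into one policy, a category per
# IP/subnet, an action per category, local allow/deny lists that override the
# feeds, and IPv4 + IPv6 entries. Feeds, addresses and action names are constructed.
import ipaddress

# Constructed feed entries (network, category) from two "sources".
FEED_A = [("198.51.100.0/24", "botnet"), ("203.0.113.7/32", "scanner")]
FEED_B = [("2001:db8:bad::/48", "anonymous_proxy"), ("203.0.113.0/24", "botnet")]
# Action per category (assumed names; the slide only says they are customizable).
ACTIONS = {"botnet": "drop", "scanner": "alert", "anonymous_proxy": "warn"}


class IPIntelPolicy:
    def __init__(self, feeds, actions, allow=(), deny=()):
        # Merge every feed into one table, longest prefix first, so the more
        # specific 203.0.113.7/32 wins over the broader 203.0.113.0/24.
        self.entries = [(ipaddress.ip_network(n), c) for f in feeds for n, c in f]
        self.entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
        self.actions = actions
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.deny = [ipaddress.ip_network(n) for n in deny]

    def categorize(self, ip):
        """Category from the merged feeds, or None if the IP is not listed."""
        addr = ipaddress.ip_address(ip)
        # `addr in net` is False across address families, so a mixed
        # IPv4/IPv6 table needs no special casing.
        for net, category in self.entries:
            if addr in net:
                return category
        return None

    def decide(self, ip):
        """Return (action, reason). Local lists override any feed verdict."""
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in self.allow):
            return ("accept", "allowlist")
        if any(addr in n for n in self.deny):
            return ("drop", "denylist")
        category = self.categorize(ip)
        if category is None:
            return ("accept", "uncategorized")
        return (self.actions.get(category, "alert"), category)


# One policy attached to one context (e.g. a virtual server); lists constructed.
POLICY = IPIntelPolicy([FEED_A, FEED_B], ACTIONS,
                       allow=["198.51.100.250/32"], deny=["192.0.2.0/24"])

if __name__ == "__main__":
    for ip in ("198.51.100.9", "198.51.100.250", "203.0.113.7",
               "203.0.113.8", "2001:db8:bad::1", "192.0.2.1", "2001:db8::1"):
        print(f"{ip:>18} -> {POLICY.decide(ip)}")
```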

Page 17:

[Figure: several SSL-encrypted flows, one flagged "!", arriving at the BIG-IP for termination.]

SSL traffic termination

•  Gain visibility and detection of SSL-encrypted attacks
•  Provides a high-scale, high-performance SSL proxy
•  Off-loads SSL to reduce server load

Fully terminate SSL traffic to inspect the payload, preventing viruses, trojans, or network attacks.

Page 18:

Secure and available DNS

[Figure: DNS infrastructure before F5 handling 65,000 concurrent queries versus with F5 (http://www.f5.com).]

•  Cache poisoning
•  DNS spoofing
•  Man in the middle
•  DDoS

Page 19:

Secure and available DNS

[Figure: DNS infrastructure before F5 handling 65,000 concurrent queries versus with F5 handling 10 million concurrent queries (http://www.f5.com).]

•  Cache poisoning
•  DNS spoofing
•  Man in the middle
•  DDoS

Secure and available DNS infrastructure: 10 million concurrent queries
•  Consolidate Firewall and DNS
•  Ensure high-performance scalable services
•  Secure 10 million concurrent DNS Queries

Page 20:

Manageability and Visibility: Application-oriented policies and reports

Logging – Generation and Storage of Individual Security Events
•  Configure local and remote high-speed network firewall logging
•  Independently controlled logging for Access Control, DoS, IP-Intel
•  Log Destinations & Publishers consistent with the BIG-IP logging framework
•  Guaranteed logging with log throttling

Reporting – Visualization of Security Statistics
•  Reporting used for visualizing traffic/attack patterns over time
•  Geo & IPFIX & Stale Rules reporting
•  Access-Control & DoS: drill-downs by context, IP, rule, etc.
•  Integration with 3rd party SIEM systems

Report types
•  HIPAA & PCI compliance reporting
•  DDoS attack report
•  IP Enforcer stats
•  SNMP traps & MIB for DoS reporting

Page 21:

Enhanced DDoS logging: Rate limiting

Avoid reduced performance during excessive logging periods

•  Establish rate limits at granularity of specific log message

•  Applies to the whole profile regardless of message type

•  Global or per Virtual Server application

•  Aggregate limits on IP Intelligence

•  Ensure compliance with PCI data logging requirements
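One way to build the two-tier log rate limiting this slide describes, as an added Python example that is not F5's implementation: a token bucket per specific message type, an aggregate bucket for the whole profile, both kept per scope (global or one virtual server), with suppressed events counted so a report can state what was dropped. Rates, scope and message-type names and the event burst are assumptions made for the example.

```python
# Added example, not F5 code: a two-tier log throttle shaped like the slide
# above: a rate limit per specific message type, an aggregate limit for the
# whole profile, and separate state per scope (global or one virtual server).
# Rates, scopes, message types and the event burst are constructed.
from collections import defaultdict


class TokenBucket:
    """`rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0

    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        return self.tokens >= 1  # one event could be taken right now

    def take(self):
        self.tokens -= 1


class LogThrottle:
    def __init__(self, per_type, aggregate):
        self.per_type = per_type      # {msg_type: events/second}
        self.aggregate = aggregate    # events/second for the whole profile
        self.buckets = {}             # (scope, key) -> TokenBucket
        self.suppressed = defaultdict(int)   # (scope, msg_type) -> dropped

    def _bucket(self, scope, key, rate):
        if (scope, key) not in self.buckets:
            self.buckets[(scope, key)] = TokenBucket(rate, rate)
        return self.buckets[(scope, key)]

    def submit(self, now, scope, msg_type):
        """True if the event may be logged, False if a limit throttled it."""
        checks = [self._bucket(scope, "*", self.aggregate)]
        if msg_type in self.per_type:
            checks.append(self._bucket(scope, msg_type, self.per_type[msg_type]))
        if all([b.refill(now) for b in checks]):  # refill all, then decide
            for b in checks:
                b.take()
            return True
        self.suppressed[(scope, msg_type)] += 1
        return False


def run_scenario():
    """Constructed burst: ({msg_type: written}, {(scope, msg_type): dropped})."""
    throttle = LogThrottle(per_type={"dos_syn_flood": 5}, aggregate=8)
    events = ([(0.0, "vs_web", "dos_syn_flood")] * 10 + [(0.0, "vs_web", "acl_drop")] * 10
              + [(1.0, "vs_web", "dos_syn_flood")] * 10 + [(0.0, "global", "ip_intel_block")])
    written = defaultdict(int)
    for now, scope, msg_type in events:
        if throttle.submit(now, scope, msg_type):
            written[msg_type] += 1
    return dict(written), dict(throttle.suppressed)
```

In the scenario the per-type limit caps the SYN-flood messages first, then the aggregate limit throttles the unlimited ACL messages that arrive in the same second, while the "global" scope keeps its own budget.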

Page 22:

Enhanced DDoS logging

Activate logging for stateful flow attacks at global, route domain or per-VS level.

Turning on this logging queries the tmstats table for a snapshot of the counters every second; when a counter has changed, the new values are logged.

•  Ensures availability of security information via logs, tmstats, SNMP and AVR
•  # of currently active flows
•  # of reaped flows (shot down)
•  # of flows dropped due to flow-table misses
•  # of SYN cookie challenges generated, passed, failed (DSR/non-DSR modes)

Page 23:

Manageability and Visibility

SIEM INTEGRATION: APPLICATION-CENTRIC LOGGING AND REPORTING

•  F5 reporting to key SIEM partners: Splunk, Q1, ArcSight
•  Start with application-centric views and drill down to more details
•  At-a-glance visibility and intelligence for ADF's context-aware security

[Figure: example report views ranging from HIGH LEVEL to VERY DETAILED.]

Page 24:

BIG-IP AFM: Advanced application firewall

•  FULL PROXY FIREWALL
•  APP-CENTRIC POLICY ENFORCEMENT
•  EXPERT TRACKING, LOGGING & REPORTING
•  HARDWARE BASED DOS PROTECTIONS
•  HIGH SCALABILITY, FLEXIBILITY AND PERFORMANCE
•  DYNAMIC IP INTELLIGENCE

BIG-IP PLATFORM SECURITY

[Figure: platform security layers labelled BIG-IP AFM, BIG-IP ASM and All BIG-IP.]
