f5 security strategy - alef · osi and f5 modules network attacks session attacks application...
TRANSCRIPT
F5 Security Strategy
Luboš Klokner, F5 System Engineer, 23.11.15
© F5 Networks, Inc
OSI and F5 modules

Network attacks
Attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
F5 mitigation technologies: BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.
Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

Session attacks
Attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
F5 mitigation technologies: BIG-IP LTM and GTM: High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Application attacks
Attacks: Slowloris, Slow Post, HashDos, GET Floods
F5 mitigation technologies: BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

OSI stack: Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1)
Increasing difficulty of attack detection

• Protect against DDoS at all layers – 38 vectors covered
• Withstand the largest attacks
• Gain visibility and detection of SSL encrypted attacks
Diagram labels: DoS, DNS, UAC, WAF, Acceleration, ADC, FW, VDI, WEB, APPS; Users, Customers, Attackers

• Default Deny
• Full Proxy
• SSL Offload / Visibility

FW
• ICSA Certified
• ACLs
• IP Intelligence
• IP Lists
• DoS Protections

DNS
• Business Continuity
• GSLB
• DNS Security

WAF
• L7 Firewall
• BOT Detection
• Web Scraping
• Data Leakage
• L7 DoS Mitigation
• PCI Compliance

UAC
• Remote Access
• Pre-Authentication
• Multi-factor/SSO/Federation
• End Point Inspection

ADC
• SLB
• Application Awareness
• Persistence

Acceleration
• TCP Optimisation
• Caching/Compression
• End User Experience
• HTTP/2

Client
• Encryption
• Phishing
• Malware
• Automated Transactions

BIG-IP, VE, VIPRION
High Performance Services Fabric

Platform
• Flexibility
• Scalability
• Multi-tenancy
• Programmability
• Custom HW

• iRules
• iControl
• iCall
• iApps

BIG-IQ: Intelligent Services Orchestration

AAA, HSM, ICAP, IPS