SSL - Security Day '14

DATACENTER SECURITY
Turo Siira
System Engineer, F5 Networks
Maintaining Security Today Is Challenging
Webification of apps: 71% of internet experts predict most people will do work via web or mobile by 2020.
Device proliferation: 95% of workers use at least one personal device for work; 130 million enterprises will use mobile apps by 2014.
Evolving security threats: 58% of all e-theft is tied to activist groups; 81% of breaches involved hacking.
Shifting perimeter: 80% of new apps will target the cloud; 72% of IT leaders have moved or will move applications to the cloud.
Datacenter Security Needs
To scale: scale for a work-anywhere / SSL-everywhere world.
To secure: security for applications and data against sustained attacks.
To simplify: simplification of point solutions and complex firewall configurations.
DDOS MITIGATION
Increasing difficulty of attack detection, bottom to top of the OSI stack:

Network attacks (OSI layers 1-4: Physical, Data Link, Network, Transport)
• Examples: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
• F5 mitigation technology: BIG-IP AFM - SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.

Session attacks (OSI layers 5-6: Session, Presentation)
• Examples: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
• F5 mitigation technology: BIG-IP LTM and GTM - high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.

Application attacks (OSI layer 7: Application)
• Examples: Slowloris, Slow Post, HashDos, GET Floods
• F5 mitigation technology: BIG-IP ASM - positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.

Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
Protecting the datacenter
Use cases: Network DDoS, Application DDoS, DNS Security, Web Access Management.
Before F5: separate firewall, load balancer & SSL, load balancer, DNS security, web application firewall and web access management devices.
With F5:
• Consolidation of firewall, app security, traffic management
• Protection for data centers and application servers
• High scale for the most common inbound protocols
SSL Inspection
• Gain visibility and detection of SSL-encrypted attacks
• Achieve a high-scale/high-performance SSL proxy
• Offload SSL: reduce load on application servers
iRules with Security: HashDos—Post of Doom
The "HashDos—Post of Doom" vulnerability affects all major web servers and application platforms.
A single DevCentral iRule mitigates the vulnerability for all back-end services.
Staff can schedule patches for back-end services on their own timeline.
iRules with Security: Prioritize connection based on country
https://devcentral.f5.com/wiki/irules.whereis.ashx
Security at the Strategic Point of Control
Diagram: physical and virtual clients reach services, cloud and storage through the Total Application Delivery Networking layer, which provides network firewall, remote access, SSL VPN, app firewall and DNS security.
DNS Security
The Dynamics of the DNS Market
DNS demand from Internet growth, 4G/LTE, DDoS protection and availability.
Chart: Average Daily Load for DNS (TLD), queries in billions, '08 to '12.
Typical for a single web page to consume 100+ DNS queries from active content, advertising and analytics.
Global mobile data (4G/LTE) is driving the need for fast, available DNS.
Chart: 18X growth 2011-2016; 4G LTE 2.4GB/mo vs. non-4G LTE 86MB/mo.
New ICANN TLDs will create new demands for scale.
Attacks on DNS are becoming more common; DNS services must be robust:
• Cache poisoning attacks
• Reflection / amplification DDoS
• Drive for DNSSEC adoption
Distributed, available, high performance:
• GSLB for multiple datacenters
• Total service availability
• Geographically dispersed DCs
• DNS capacity close to subscribers
DNS the F5 Way
Conventional DNS thinking:
• Adding performance = DNS boxes
• Weak DoS/DDoS protection
Diagram: Internet, external firewall, DNS load balancing, array of DNS servers (DMZ), internal firewall, hidden master DNS (datacenter).
F5 paradigm shift: F5 DNS delivery reimagined
Diagram: Internet, DNS Firewall (DNS DDoS protection, protocol validation, authoritative DNS, caching resolver, transparent caching, high performance DNSSEC, DNSSEC validation, intelligent GSLB), master DNS infrastructure.
• Massive performance: over 10M RPS!
• Best DoS / DDoS protection
• Simplified management (partner)
• Less CAPEX and OPEX
Network Firewall
BIG-IP Advanced Firewall Manager (AFM)
• Packaging
  • SW license
  • Supported on all platforms (BIG-IP VE, BIG-IP appliances and VIPRION)
  • Standalone or add to LTM
• Features
  • L4 stateful full-proxy firewall
  • IPsec, NAT, advanced routing, full SSL, AVR, protocol security
  • DDoS (TCP, UDP, DNS, floods, HTTP): over 80 attack types
  • GUIs for configuring rules, logging, etc.
  • All under a new Security tab
AFM GUI Configuration
• Main configuration under the new Security tab
• Context-aware rules can be configured at the object level
AFM DoS Protection
• Security > DoS Protection > Device Configuration, applied globally
• L2-L4 DoS attack vector detection and thresholding in hardware on platforms using the HSBe2 FPGA:
  • BIG-IP 5000 series
  • BIG-IP 7000 series
  • BIG-IP 10000 series
  • VIPRION B4300 blade
  • VIPRION B2100 blade
IP Intelligence
Identify and allow or block IP addresses with malicious activity, using the IP Intelligence Service feed (e.g. internally infected devices and servers, scanners).
• Use IP intelligence to defend against attacks
• Reduce operational and capital expenses
Easily configure violation categories: IP Intelligence Service management in the BIG-IP ASM UI
• Easily manage alarms and blocking in ASM
• Approve desired IPs with a whitelist
• Policy building enabled for ignoring
Web Application Security
Who Is Responsible for Application Security?
Diagram: infrastructure (engineering services, network security, storage), clients, and applications (developers, DBA).
What Is ASM?
• Allows the security team to secure a website without changing the application code
• Provides comprehensive protection for all web application vulnerabilities, including (D)DoS
• Logs and reports all application traffic, attacks and usernames
• Educates admins on attack type definitions and examples
• PCI compliance
How Does It Work?
Security at application, protocol and network level.
Flow: request made; security policy checked (content scrubbing, application cloaking, enforcement); server response; security policy applied; response delivered.
Actions: log, block, allow.
"BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application."
Multiple Security Layers
RFC enforcement
• Various HTTP limits enforcement
Profiling of good traffic
• Defined list of allowed file types, URIs, parameters
• Each parameter is evaluated separately for: predefined value, length, character set, attack patterns
Attack patterns
• Looking for pattern-matching signatures
• Responses are checked as well
Enforcement order:
1. Start by checking RFC compliance
2. Then check for various length limits in the HTTP
3. Then we can enforce valid types for the application
4. Then we can enforce a list of valid URLs
5. Then we can check for a list of valid parameters
6. Then for each parameter we will check for max value length
7. Then scan each parameter, the URI, the headers
GET /search.php?name=Acme’s&admin=1 HTTP/1.1
Host: 172.29.44.44\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept:text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226; \r\n
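The seven-step enforcement order above, as an added example that is not F5's code or an ASM policy: a small positive-security checker that applies the same checks in the same order to a constructed copy of the slide's request and reports the first violation. The policy values (allowed file types, URLs, parameter names, length limits, the two stand-in signatures) are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed policy for the sample app on the slide (not an exported ASM policy).
POLICY = {
    "max_request_line": 1024, "max_header_len": 512,
    "file_types": {"php", "html"}, "urls": {"/search.php", "/index.html"},
    "params": {"name": 32, "q": 64},  # allowed names -> max value length
    "signatures": [re.compile(r"['\u2019]\s*(or|and|--|;)", re.I),  # crude stand-ins
                   re.compile(r"<script", re.I)],                   # for the signature set
}
# Constructed copy of the request shown on the slide, with real CRLFs.
SAMPLE_REQUEST = ("GET /search.php?name=Acme\u2019s&admin=1 HTTP/1.1\r\n"
                  "Host: 172.29.44.44\r\n"
                  "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226; \r\n")

def check_request(raw, policy=POLICY):
    """Apply the seven checks in order; return None if the request passes,
    else (step, reason) for the first violation (the WAF's blocking decision)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    request_line, headers = lines[0], [h for h in lines[1:] if h]
    parts = request_line.split(" ")
    # 1. RFC compliance: 3-token request line, known method, "Name: value" headers.
    if (len(parts) != 3 or parts[0] not in {"GET", "POST", "HEAD"}
            or not parts[2].startswith("HTTP/1.") or any(":" not in h for h in headers)):
        return (1, "not RFC compliant")
    # 2. HTTP length limits.
    if (len(request_line) > policy["max_request_line"]
            or any(len(h) > policy["max_header_len"] for h in headers)):
        return (2, "length limit exceeded")
    url = urlsplit(parts[1])
    # 3. Allowed file types, by extension of the requested path.
    ext = url.path.rsplit(".", 1)[-1] if "." in url.path else ""
    if ext not in policy["file_types"]:
        return (3, "file type not allowed: " + ext)
    if url.path not in policy["urls"]:            # 4. Allowed URLs.
        return (4, "URL not allowed: " + url.path)
    params = parse_qsl(url.query, keep_blank_values=True)
    for name, _ in params:
        if name not in policy["params"]:          # 5. Allowed parameter names.
            return (5, "parameter not allowed: " + name)
    for name, value in params:
        if len(value) > policy["params"][name]:   # 6. Per-parameter max value length.
            return (6, "value too long: " + name)
    # 7. Attack signatures over every parameter value, the URI and the headers.
    for text in [v for _, v in params] + [url.path] + headers:
        if any(sig.search(text) for sig in policy["signatures"]):
            return (7, "attack signature in: " + text)
    return None
```

On the slide's request the unexpected admin=1 parameter is rejected at step 5 before the quote in name is ever examined by the signature scan at step 7.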
Streamline Deployment Options
Prebuilt app policy, for mission-critical applications (HR, Finance, Sales, Marketing apps):
• Out-of-the-box protection
• Prebuilt, preconfigured and validated policies
Rapid deployment policy, for any custom application:
• Immediate security with 80% of events
• Minimal configuration time and starting point for more advanced policy creation
Three Ways to Build a Policy
Automatic: dynamic policy builder
• No knowledge of the app required
• Adjusts policies if the app changes
Manual:
• Advanced configuration for custom policies
Integration with app scanners:
• Virtual patching with continuous application scanning
Attack Expert System in ASM
The attack expert system makes responding to vulnerabilities faster and easier: violations are represented graphically, with an info tooltip (click it) to explain the violation. The entire HTTP payload of each event is logged.
Detailed Logging with Actionable Reports
• At-a-glance PCI compliance reports
• Drill-down for information on security posture
Computational DoS Mitigation in HTTP
L7 - Application Security Manager
Transactions per second (TPS) based anomaly detection: allows you to detect and mitigate DoS attacks based on the client side.
Latency-based anomaly detection: allows you to detect and mitigate attacks based on the behavior of the server side.
Unified Access
Enables simplified application access.
Diagram: users reach SharePoint, OWA, cloud apps, hosted virtual desktops and web servers (App 1 to App n) through BIG-IP Local Traffic Manager + Access Policy Manager, backed by a directory.
ENHANCING WEB ACCESS MANAGEMENT
Diagram: the administrator creates a policy; a user in HR on the corporate domain, with the latest AV software and a current O/S, is checked against the AAA server (User = HR).
• Proxy the web applications to provide authentication, authorization, endpoint inspection, and more, all tying into Layer 4-7 ACLs through F5's Visual Policy Editor
Access Policy using SMS token (screenshot)
APM SAML How it Works
Diagram: Data center 1 hosts Login.example.com, Portal.example.com, Active Directory and ADFS; Data center 2 hosts OWA.example.com, Sharepoint.example.com, ADFS and an Apache/Tomcat app; end users and business partners connect over public/private networks.
1. Domain user makes a SAML-supported request for a resource.
2. An SP-initiated post is sent back to the client in the form of a redirect to https://login.example.com.
3. Client posts credentials to login; credentials are validated with Active Directory.
4. A SAML assertion is generated and passed back to the client with a redirect to the requested application.
5. Client successfully logs on to the application with the SAML assertion.
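The five-step SP-initiated exchange above, as an added example that is not F5's or APM's code: a simplified simulation with both sides' messages, where the SP (portal.example.com) issues the redirect, the IdP (login.example.com) validates credentials and issues an assertion, and the SP accepts it only after checking signature, issuer, audience, validity window and single use. The HMAC key stands in for the IdP's XML-DSig signing certificate, the dict stands in for Active Directory, and the user, password and resource paths are constructed.

```python
import base64, hashlib, hmac, json, secrets, time
# Constructed stand-ins: a shared HMAC key instead of the IdP's XML-DSig
# signing certificate, and a dict instead of Active Directory.
IDP_KEY = b"constructed-idp-signing-key"
DIRECTORY = {"alice": "correct horse battery"}
IDP, SP = "https://login.example.com", "https://portal.example.com"

def sp_initiate(resource):
    """Steps 1-2: the SP sees an unauthenticated request and redirects the
    client to the IdP with an AuthnRequest whose ID it remembers."""
    req = {"ID": secrets.token_hex(8), "Issuer": SP, "RelayState": resource}
    return {"redirect": IDP, "AuthnRequest": req}

def idp_login(authn_request, user, password, now=None):
    """Steps 3-4: the client posts credentials; the IdP validates them and
    issues a signed assertion bound to this request, audience and a deadline."""
    if DIRECTORY.get(user) != password:
        return None
    now = int(time.time()) if now is None else now
    assertion = {"Issuer": IDP, "Subject": user, "Audience": SP,
                 "InResponseTo": authn_request["ID"], "NotOnOrAfter": now + 300}
    body = json.dumps(assertion, sort_keys=True).encode()
    return {"SAMLResponse": base64.b64encode(body).decode(),
            "Signature": hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest(),
            "RelayState": authn_request["RelayState"]}

def sp_consume(response, pending_ids, now=None):
    """Step 5: the SP accepts the assertion only if the signature, issuer,
    audience and validity window check out and it answers one outstanding
    request; that ID is then retired so the response cannot be replayed."""
    body = base64.b64decode(response["SAMLResponse"])
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["Signature"]):
        return None
    a = json.loads(body)
    now = int(time.time()) if now is None else now
    if a["Issuer"] != IDP or a["Audience"] != SP or now >= a["NotOnOrAfter"]:
        return None
    if a["InResponseTo"] not in pending_ids:
        return None
    pending_ids.discard(a["InResponseTo"])
    return (a["Subject"], response["RelayState"])

def run_flow(user, password, resource="/owa"):
    """The whole SP-initiated exchange; returns (subject, resource) or None."""
    step = sp_initiate(resource)
    pending = {step["AuthnRequest"]["ID"]}
    resp = idp_login(step["AuthnRequest"], user, password)
    return sp_consume(resp, pending) if resp else None
```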
TMOS and Platform
Full Proxy Security
Full-proxy architecture: the client-side and server-side connections each have their own stack (Physical, Network, Session, Application, Web application), and security is applied at every layer:
• Web application: application health monitoring and performance anomaly detection
• Application: HTTP proxy, HTTP DDoS and application security
• Session: SSL inspection and SSL DDoS mitigation
• Network: L4 firewall, full stateful policy enforcement and TCP DDoS mitigation
F5's Purpose-Built Design: Performance and Scalability
Optimized hardware utilizing custom Field Programmable Gate Array (FPGA) technology tightly integrated with TMOS and software.
Embedded Packet Velocity Acceleration (ePVA) FPGA delivers:
• Linear scaling of performance
• High performance interconnect between Ethernet ports and CPUs
• High L4 throughput and reduced load on CPU
• Integrated hardware and software DDoS protection against large-scale attacks
• Predictable performance for low-latency protocols (FIX)
Diagram: example of the unique F5 VIPRION architecture.
Platform Overview
Platform                        Throughput (Gbps)  Max conc. conns  L4 conn/s (CPS)  SSL TPS (2K keys)  HW SYN cookies/s
VIPRION 4800, 8 blade (B4340)   640                576,000,000      8,000,000        240,000            640,000,000
VIPRION 4480, 4 blade (B4340)   320                288,000,000      4,400,000        120,000            320,000,000
VIPRION 4480, 1 blade (B4340)   80                 72,000,000       1,100,000        30,000             80,000,000
VIPRION 2400, 4 blade (B2100)   160                48,000,000       1,600,000        40,000             160,000,000
VIPRION 2400, 1 blade (B2100)   40                 12,000,000       400,000          10,000             40,000,000
BIG-IP 10200                    80                 36,000,000       1,000,000        75,000             80,000,000
BIG-IP 7200                     40                 24,000,000       775,000          25,000             40,000,000
BIG-IP 5200                     30                 24,000,000       700,000          21,000             40,000,000
BIG-IP 4200                     10                 10,000,000       300,000          9,000              N/A
BIG-IP 2200                     5                  5,000,000        150,000          4,000              N/A
F5 BIG-IP delivers: ICSA-certified firewall, access control, BYOD 2.0, DDoS mitigation, application delivery controller, application security, SSL inspection, DNS security, web and WAN optimization.
Products (ONE PLATFORM, HW/SW)
Advanced Firewall Manager
• Stateful full-proxy firewall
• On-box logging and reporting
• Native TCP, SSL and HTTP proxies
• Network and session anti-DDoS
Access Policy Manager
• Dynamic, identity-based access control
• Simplified authentication, consolidated infrastructure
• Strong endpoint security and secure remote access
• BYOD 2.0 integration (SaaS)
• VDI integration (ICA, PCoIP)
Local Traffic Manager
• #1 application delivery controller
• Application fluency
• Server offload
• App-specific health monitoring
• Streamlined app. deployment
Global Traffic Manager and DNSSEC
• Huge-scale DNS solution
• Global server load balancing
• High performance and scalability
• Signed DNS responses
• Offload DNS crypto
Application Security Manager
• Leading web application firewall
• PCI compliance
• Virtual patching for vulnerabilities
• HTTP anti-DDoS
• IP protection
Application Acceleration
• Front End Optimization
• Network optimization
• Mobile acceleration
• Application offload
• HTTP 2.0 / SPDY gateway
"F5 data center firewall aces performance test"
By David Newman, Network World, July 22, 2013 06:05 AM ET
http://www.networkworld.com/reviews/2013/072213-firewall-test-271877.html