DATACENTER SECURITY
Turo Siira, System Engineer, F5 Networks

Maintaining Security Today Is Challenging
• Webification of apps: 71% of internet experts predict most people will do work via web or mobile by 2020.
• Device proliferation: 95% of workers use at least one personal device for work; 130 million enterprises will use mobile apps by 2014.
• Evolving security threats: 58% of all e-theft is tied to activist groups; 81% of breaches involved hacking.
• Shifting perimeter: 80% of new apps will target the cloud; 72% of IT leaders have moved or will move applications to the cloud.

Datacenter Security Needs
• To scale: scale for a work-anywhere / SSL-everywhere world.
• To secure: security for applications and data against sustained attacks.
• To simplify: simplification of point solutions and complex firewall configurations.

DDOS MITIGATION
Attack detection gets harder the further up the OSI stack an attack sits. Attack types and F5 mitigation technologies by layer:
• Network attacks (Physical (1), Data Link (2), Network (3), Transport (4)): SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks. Mitigation: BIG-IP AFM with SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.
• Session attacks (Session (5), Presentation (6)): DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation. Mitigation: BIG-IP LTM and GTM with high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.
• Application attacks (Application (7)): Slowloris, Slow Post, HashDos, GET Floods. Mitigation: BIG-IP ASM with positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.
Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
Protecting the Datacenter
Before F5, each use case is a separate point product: Network DDoS, Application DDoS, Firewall, Load Balancer & SSL, Load Balancer, DNS Security, Web Application Firewall, Web Access Management. With F5, the same use cases are covered on one platform:
• Consolidation of firewall, app security, traffic management
• Protection for data centers and application servers
• High scale for the most common inbound protocols

SSL Inspection
• Gain visibility and detection of SSL-encrypted attacks
• Achieve a high-scale/high-performance SSL proxy
• Offload SSL to reduce load on application servers

iRules with Security: HashDos ("Post of Doom")
The "HashDos / Post of Doom" vulnerability affects all major web servers and application platforms. A single DevCentral iRule, deployed on the VIPRION in front of the servers, mitigates the vulnerability for all back-end services, so staff can schedule patches for the back-end services on their own timeline.
iRules with Security: Prioritize Connections Based on Country
Reference: https://devcentral.f5.com/wiki/irules.whereis.ashx

Security at the Strategic Point of Control
Physical and virtual BIG-IP devices sit between clients and the services, cloud and storage behind them, combining on one platform: Network Firewall, Remote Access VPN, SSL, APP Firewall and DNS Security (Total Application Delivery Networking).

DNS SECURITY
The Dynamics of the DNS Market
DNS demand comes from Internet growth, 4G/LTE, DDoS protection and availability.
[Chart: Average Daily Load for DNS (TLD) Queries in Billions, '08 through '12; values shown: 39, 43, 50, 57, 77]
• Typical for a single web page to consume 100+ DNS queries from active content, advertising and analytics.
• Global mobile data (4G/LTE) is driving the need for fast, available DNS: 18X growth 2011-2016; 4G LTE 2.4 GB/mo vs non-4G LTE 86 MB/mo.
• New ICANN TLDs will create new demands for scale.
Attacks on DNS are becoming more common, so DNS services must be robust:
• Cache poisoning attacks
• Reflection / amplification DDoS
• Drive for DNSSEC adoption
Distributed, available, high performance:
• GSLB for multiple datacenters
• Total service availability
• Geographically dispersed DCs
• DNS capacity close to subscribers

DNS the F5 Way
Conventional DNS thinking: adding performance = adding DNS boxes. Internet > external firewall > DNS load balancing > array of DNS servers (DMZ) > internal firewall > hidden master DNS (datacenter). Weak DoS/DDoS protection.
F5 paradigm shift, DNS delivery reimagined: a DNS firewall between the Internet and the master DNS infrastructure providing DNS DDoS protection, protocol validation, authoritative DNS, caching resolver, transparent caching, high-performance DNSSEC, DNSSEC validation and intelligent GSLB.
• Massive performance: over 10M RPS!
• Best DoS / DDoS protection
• Simplified management (partner)
• Less CAPEX and OPEX

NETWORK FIREWALL
BIG-IP Advanced Firewall Manager (AFM)
• Packaging
  • SW license
  • Supported on all platforms (BIG-IP VE, BIG-IP appliances and VIPRION)
  • Standalone or add to LTM
• Features
  • L4 stateful full-proxy firewall
  • IPsec, NAT, advanced routing, full SSL, AVR, Protocol Security
  • DDoS (TCP, UDP, DNS, floods, HTTP): over 80 attack types
  • GUIs for configuring rules, logging, etc., all under a new Security tab

AFM GUI Configuration
• Main configuration under the new Security tab
• Context-aware rules can be configured at the object level

AFM DoS Protection
• Security > DoS Protection > Device Configuration
• Applied globally
• L2-L4 DoS attack vector detection and thresholding in hardware on platforms using the HSBe2 FPGA: BIG-IP 5000 series, BIG-IP 7000 series, BIG-IP 10000 series, VIPRION B4300 blade, VIPRION B2100 blade

IP Intelligence
Identify and allow or block IP addresses with malicious activity. The IP Intelligence Service covers categories such as internally infected devices and servers, and scanners.
• Use IP intelligence to defend against attacks
• Reduce operation and capital expenses
• Easily configure violation categories
IP Intelligence Service management in the BIG-IP ASM UI:
• Easily manage alarms and blocking in ASM
• Approve desired IPs with Whitelist
• Policy Building enabled for ignoring

WEB APPLICATION SECURITY
Who Is Responsible for Application Security?
• Infrastructure: engineering services, network security, storage
• Clients
• Applications: developers, DBA

What Is ASM?
• Allows the security team to secure a website without changing the application code
• Provides comprehensive protection for all web application vulnerabilities, including (D)DoS
• Logs and reports all application traffic, attacks and usernames
• Educates admins on attack type definitions and examples
• PCI compliance

How Does It Work?
Security at the application, protocol and network level. Request path: request made > security policy checked (content scrubbing, application cloaking, enforcement) > server response > security policy applied > response delivered. Actions: log, block, allow.
"BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application."

Multiple Security Layers
• RFC enforcement
• Various HTTP limits enforcement
• Profiling of good traffic: defined list of allowed file types, URIs, parameters
• Each parameter is evaluated separately for: predefined value, length, character set, attack patterns
• Looking for pattern-matching signatures
• Responses are checked as well
The checks are applied in order:
1. Start by checking RFC compliance
2. Then check for various length limits in the HTTP
3. Then we can enforce valid file types for the application
4. Then we can enforce a list of valid URLs
5. Then we can check for a list of valid parameters
6. Then for each parameter we will check for max value length
7. Then scan each parameter, the URI and the headers
Sample request:
GET /search.php?name=Acme's&admin=1 HTTP/1.1
Host: 172.29.44.44\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n
Referer: http://172.29.44.44/search.php?q=data\r\n
Accept-Encoding: gzip,deflate,sdch\r\n
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n
Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226; \r\n

Streamline Deployment Options
• Prebuilt app policy for mission-critical applications
• Rapid deployment policy for any custom application (HR apps, Finance apps, Sales apps, Marketing apps)
Out-of-the-box protection:
• Immediate security with 80% of events
• Prebuilt, preconfigured and validated policies
• Minimal configuration time and a starting point for more advanced policy creation

Three Ways to Build a Policy
• Automatic: dynamic policy builder; no knowledge of the app required; adjusts policies if the app changes
• Manual: advanced configuration for custom policies
• Integration with app scanners: virtual patching with continuous application scanning

Attack Expert System in ASM
The attack expert system makes responding to vulnerabilities faster and easier: violations are represented graphically, with an info tooltip (click it) that explains the violation. The entire HTTP payload of each event is logged.

Detailed Logging with Actionable Reports
• At-a-glance PCI compliance reports
• Drill-down for information on security posture

Computational DoS Mitigation in HTTP (L7), Application Security Manager
• Transactions per second (TPS) based anomaly detection: detect and mitigate DoS attacks based on the client side.
• Latency-based anomaly detection: detect and mitigate attacks based on the behavior of the server side.

Unified Access
Enables simplified application access: users reach SharePoint, OWA, cloud applications, hosted virtual desktops (APP/OS), the directory and web servers (App 1 ... App n) through BIG-IP Local Traffic Manager + Access Policy Manager.

ENHANCING WEB ACCESS MANAGEMENT
[Diagram: the administrator creates the policy; a user (832849, HR, corporate domain) is checked against the AAA server, latest AV software and current O/S; the policy resolves User = HR]
• Proxy the web applications to provide authentication, authorization, endpoint inspection and more, all tying into Layer 4-7 ACLs through F5's Visual Policy Editor
• Access policy using SMS token

APM SAML: How It Works
[Diagram: Data center 1 hosts login.example.com, portal.example.com, Active Directory and ADFS; Data center 2 hosts owa.example.com, sharepoint.example.com, ADFS and an Apache/Tomcat app; end users and business partners connect over public/private networks]
1. Domain user makes a SAML-supported request for a resource.
2. An SP-initiated post is sent back to the client in the form of a redirect to https://login.example.com.
3. Client posts credentials to login; the credentials are validated with Active Directory.
4. A SAML assertion is generated and passed back to the client with a redirect to the requested application.
5. Client successfully logs on to the application with the SAML assertion.

TMOS and Platform: Full Proxy Security
The BIG-IP terminates the client-side and server-side stacks separately. Layer by layer:
• Web application / Application: HTTP proxy, HTTP DDoS and application security
• SSL: SSL inspection and SSL DDoS mitigation
• Session / Transport: L4 firewall with full stateful policy enforcement and TCP DDoS mitigation
• Network, Physical
• Server side: application health monitoring and performance anomaly detection

F5's Purpose-Built Design: Performance and Scalability
Optimized hardware utilizing custom Field Programmable Gate Array (FPGA) technology tightly integrated with TMOS and software. The embedded Packet Velocity Acceleration (ePVA) FPGA delivers:
• Linear scaling of performance (example: the unique F5 VIPRION architecture)
• High-performance interconnect between Ethernet ports and CPUs
• High L4 throughput and reduced load on the CPU
• Integrated hardware and software DDoS protection against large-scale attacks
• Predictable performance for low-latency protocols (FIX)

Platform Overview
Platform                          Throughput (Gbps)  Max conc. conns  L4 conn/s (CPS)  SSL TPS (2K keys)  HW SYN cookies/s
VIPRION 4800, 8 blades (B4340)    640                576,000,000      8,000,000        240,000            640,000,000
VIPRION 4480, 4 blades (B4340)    320                288,000,000      4,400,000        120,000            320,000,000
VIPRION 4480, 1 blade (B4340)     80                 72,000,000       1,100,000        30,000             80,000,000
VIPRION 2400, 4 blades (B2100)    160                48,000,000       1,600,000        40,000             160,000,000
VIPRION 2400, 1 blade (B2100)     40                 12,000,000       400,000          10,000             40,000,000
BIG-IP 10200                      80                 36,000,000       1,000,000        75,000             80,000,000
BIG-IP 7200                       40                 24,000,000       775,000          25,000             40,000,000
BIG-IP 5200                       30                 24,000,000       700,000          21,000             40,000,000
BIG-IP 4200                       10                 10,000,000       300,000          9,000              N/A
BIG-IP 2200                       5                  5,000,000        150,000          4,000              N/A

F5 BIG-IP Delivers
ICSA-certified firewall, access control, BYOD 2.0, DDoS mitigation, application delivery controller, application security, SSL inspection, DNS security, web and WAN optimization. ONE PLATFORM (HW/SW).

Products
• Advanced Firewall Manager: stateful full-proxy firewall; on-box logging and reporting; native TCP, SSL and HTTP proxies; network and session anti-DDoS
• Access Policy Manager: dynamic, identity-based access control; simplified authentication, consolidated infrastructure; strong endpoint security and secure remote access; BYOD 2.0 integration (SaaS); VDI integration (ICA, PCoIP)
• Local Traffic Manager: #1 application delivery controller; application fluency; server offload; app-specific health monitoring; application offload; HTTP 2.0 / SPDY gateway; streamlined app deployment
• Global Traffic Manager and DNSSEC: huge-scale DNS solution; global server load balancing; high performance and scalability; signed DNS responses; offload DNS crypto
• Application Security Manager: leading web application firewall; PCI compliance; virtual patching for vulnerabilities; HTTP anti-DDoS; IP protection
• Application Acceleration: front end optimization; network optimization; mobile acceleration

"F5 data center firewall aces performance test", by David Newman, Network World, July 22, 2013 06:05 AM ET
http://www.networkworld.com/reviews/2013/072213-firewall-test-271877.html
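The seven-step check order from the "Multiple Security Layers" slide, applied to that slide's own sample request, as an added Python example (not F5 code: ASM's real policy engine and signature set are not reproduced, and the policy values, the three signatures and the request-line grammar are constructed for illustration):

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical positive-security policy for the sample app (values constructed).
POLICY = {
    "max_url_length": 256,
    "allowed_file_types": {"php", "html"},
    "allowed_urls": {"/search.php", "/index.html"},
    # allowed parameters per URL, each with its maximum value length
    "allowed_params": {"/search.php": {"q": 64, "name": 32}},
}
# Illustrative negative-security signatures (constructed, not ASM's real set).
ATTACK_SIGNATURES = [re.compile(p) for p in
                     (r"(?i)union\s+select", r"(?i)<script", r"\.\./")]
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")

def check_request(raw, policy=POLICY):
    """Return the policy violations found in one raw, CRLF-separated HTTP request."""
    v = []
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:                                             # 1. RFC compliance
        return ["Malformed request line"]
    target = m.group(2)
    headers = dict(l.split(":", 1) for l in lines[1:] if ":" in l)
    if "Host" not in headers:
        v.append("Missing Host header")
    if len(target) > policy["max_url_length"]:            # 2. length limits
        v.append("URL length exceeded")
    url = urlsplit(target)
    ext = url.path.rsplit(".", 1)[-1] if "." in url.path else ""
    if ext not in policy["allowed_file_types"]:           # 3. file type
        v.append(f"Illegal file type: {ext or 'none'}")
    if url.path not in policy["allowed_urls"]:            # 4. URL
        v.append(f"Illegal URL: {url.path}")
    allowed = policy["allowed_params"].get(url.path, {})
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name not in allowed:                           # 5. parameter name
            v.append(f"Illegal parameter: {name}")
        elif len(value) > allowed[name]:                  # 6. value length
            v.append(f"Parameter value too long: {name}")
    for sig in ATTACK_SIGNATURES:                         # 7. signatures
        for where, text in [("URI", unquote(target)), *headers.items()]:
            if sig.search(text):
                v.append(f"Attack signature in {where}")
    return v

# The request from the slide, trimmed to the headers that matter here.
SAMPLE = ("GET /search.php?name=Acme's&admin=1 HTTP/1.1\r\nHost: 172.29.44.44\r\n"
          "Cookie: SESSION=0af2ec985d6ed5354918a339ffef9226\r\n")
```

On the slide's request the only finding is the undeclared `admin` parameter; a request for a file type and URL outside the profile collects one violation per layer, which is the point of layering the checks.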
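The two L7 DoS detection modes from the "Computational DoS Mitigation" slide, client-side TPS and server-side latency, as an added Python example run over a constructed traffic log (not F5 code; the four thresholds are assumed stand-ins for ASM's DoS profile settings, and the record layout is invented for the example):

```python
from collections import Counter, defaultdict
from statistics import mean

# Thresholds are constructed for this example; ASM's DoS profile exposes
# comparable "TPS reached" / "TPS increased by" and latency settings.
TPS_MIN = 20            # absolute requests/s before a client is suspected
TPS_INCREASE = 5.0      # current TPS must exceed the client's baseline by this factor
LATENCY_MIN_MS = 500    # absolute server latency before a URL is suspected
LATENCY_INCREASE = 3.0  # current latency must exceed the URL's baseline by this factor

def tps_per_second(records):
    """Count requests per (second, client_ip) from (ts, ip, url, latency_ms) tuples."""
    counts = Counter()
    for ts, ip, _url, _ms in records:
        counts[(int(ts), ip)] += 1
    return counts

def detect_tps_anomalies(records, baseline_end):
    """Client-side detection: clients whose per-second request rate after
    `baseline_end` far exceeds their own average rate during the baseline."""
    per_sec = tps_per_second(records)
    baseline = defaultdict(list)
    for (sec, ip), n in per_sec.items():
        if sec < baseline_end:
            baseline[ip].append(n)
    flagged = {}
    for (sec, ip), n in per_sec.items():
        base = mean(baseline[ip]) if baseline[ip] else 1.0
        if sec >= baseline_end and n >= TPS_MIN and n >= base * TPS_INCREASE:
            flagged[ip] = max(flagged.get(ip, 0), n)   # peak TPS per offender
    return flagged

def detect_latency_anomalies(records, baseline_end):
    """Server-side detection: URLs whose mean response latency after
    `baseline_end` far exceeds their baseline, whoever sends the requests."""
    base, cur = defaultdict(list), defaultdict(list)
    for ts, _ip, url, ms in records:
        (base if ts < baseline_end else cur)[url].append(ms)
    return {url: round(mean(v)) for url, v in cur.items()
            if base.get(url) and mean(v) >= LATENCY_MIN_MS
            and mean(v) >= mean(base[url]) * LATENCY_INCREASE}

# Constructed traffic log: 10 s of normal traffic from two clients, then a
# 50 req/s flood from 203.0.113.9 against /search.php that also drives the
# server's latency for that URL from ~80 ms to ~900 ms for everyone.
LOG = [(t, "198.51.100.7", "/search.php", 80) for t in range(10)]
LOG += [(t, "203.0.113.9", "/index.html", 40) for t in range(10)]
LOG += [(10 + i / 50, "203.0.113.9", "/search.php", 900) for i in range(100)]
LOG += [(10.5, "198.51.100.7", "/search.php", 800)]
```

The TPS detector names the offending client, while the latency detector only names the suffering URL, which is why the slide describes the first as client-side and the second as server-side.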
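The SP-initiated SAML exchange from the "APM SAML: How It Works" slides, simulated end to end in Python as an added example (not F5 or APM code). An HMAC key stands in for the IdP's XML-DSig signing key and a dict for Active Directory; the SP-side checks shown (audience, InResponseTo, validity window, one-time use) are the standard assertion checks rather than anything taken from the slides:

```python
import hashlib, hmac, json, secrets, time

# Constructed stand-ins: an HMAC key replaces the IdP's XML-DSig signing key,
# and a dict replaces Active Directory. Host names follow the slide.
IDP = "https://login.example.com"
IDP_KEY = b"constructed-idp-signing-key"
DIRECTORY = {"alice": "correct horse"}

def sign(assertion):
    body = json.dumps(assertion, sort_keys=True)
    return body + "." + hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()

def verify(token):
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("assertion signature invalid")
    return json.loads(body)

class ServiceProvider:
    """An application such as owa.example.com that trusts login.example.com."""
    def __init__(self, entity_id):
        self.entity_id, self.pending, self.sessions = entity_id, {}, {}
    def start_login(self):
        """Steps 1-2: no session, so redirect the browser to the IdP."""
        request_id = secrets.token_hex(8)
        self.pending[request_id] = time.time()
        return f"{IDP}/sso?SAMLRequest=" + json.dumps(
            {"id": request_id, "issuer": self.entity_id})
    def consume(self, token, now=None):
        """Step 5: validate the assertion the browser posts back, then log on."""
        a = verify(token)
        now = now or time.time()
        if a["audience"] != self.entity_id:
            raise ValueError("assertion issued for a different SP")
        if a["in_response_to"] not in self.pending:
            raise ValueError("unsolicited or replayed assertion")
        if not a["not_before"] <= now < a["not_on_or_after"]:
            raise ValueError("assertion outside its validity window")
        del self.pending[a["in_response_to"]]     # one-time use
        self.sessions[a["subject"]] = a["issuer"]
        return a["subject"]

def idp_login(redirect_url, username, password, now=None):
    """Steps 3-4: validate credentials, issue a signed assertion for the SP."""
    if DIRECTORY.get(username) != password:
        raise PermissionError("invalid credentials")
    req = json.loads(redirect_url.split("SAMLRequest=", 1)[1])
    now = now or time.time()
    return sign({"issuer": IDP, "subject": username, "audience": req["issuer"],
                 "in_response_to": req["id"], "not_before": now - 30,
                 "not_on_or_after": now + 300})
```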