Defending The New Perimeter and Protecting Applications Anywhere
Dennis de Leest
Cloud-based Application Services: F5 Silverline
© F5 Networks, Inc 3
The 21st century application infrastructure
Every application is a Web application
Cloud and SaaS based applications are being deployed more than, and faster than, ever before
Users are going Mobile
20% of F5 customers have a cloud first strategy
The State of Application Delivery, F5 Networks, Jan. 2015
[Figure: App Status in the Cloud. Bar chart of the % of respondents with each application type in cloud now. Categories: Finance, Service, Billing, IT, Industry, Marketing Automation, Customer Interaction, HR, CRM, Utility/Sharing, Collaboration. Source: The State of Application Delivery, F5 Networks, Jan. 2015]
More cloud and SaaS applications are being deployed than ever before, driving the need for more flexible and cost efficient ways to protect web applications and defend against volumetric DDoS attacks across multiple environments without scaling out IT infrastructure and staff.
Securing applications can be complex
Script kiddies
The rise of hacktivism
Cyber war
“86% percent of all websites have at least one serious vulnerability.” SC Magazine - Website Security Stats Report 2015, WhiteHat Security
Where can I find WAF policy experts?
How can I drive operational and cost efficiencies?
How can I scale protection without upfront IT investments?
How can I protect my business against zero-day attacks and vulnerabilities?
How can I maintain compliance across hybrid environments?
More cloud and SaaS applications are being deployed than ever before, driving the need for more flexible and cost efficient ways to protect web applications across multiple environments without scaling out IT infrastructure and staff.
Securing applications can be complex
How can I protect cloud and SaaS applications, quickly?
Attack Threats: Pay up or Else!
• DD4BC claims ~400 Gbps
• Extortion demands starting at 25 Bitcoins
• Initially targeted Bitcoin, Payment providers, banks and now moving to other targets
• UDP Amplification Attacks (NTP, SSDP, DNS); TCP SYN Floods; and Layer 7 attacks
April - May of 2015: emails sent to legitimate businesses with the threat of massive DDoS attacks
Sample from actual email
Security breach impacts your business
Evolving security threats
Cost of a single cyber attack can be well above $1,000,000 ($1M+)
Successful attacks per week: 122 [1]
Monitored cyber attacks in US: 1.5M [2]
Hackers are working around the clock using ever increasing attack tactics to gain access to your sensitive enterprise data through your web applications.
• Damages your brand reputation
• Results in significant downtime and revenue loss
• Compromises sensitive enterprise, employee and customer data
• Breaches compliance required to conduct business online
Sources: [1] Ponemon Institute, Cost of Cyber Crime Study; [2] IBM Security Services, 2014 Cyber Security Intelligence Index
F5 Silverline Enterprise-grade application services in minutes
Web Application Firewall
Cloud-based application services
DDoS Protection
24x7x365 Expert Support
Rapidly deploy enterprise-grade application services across hybrid environments with 24x7x365 support from F5 experts.
F5 Silverline: Key Benefits
Drive operational and cost efficiencies
Improve operational efficiency and decrease IT overhead by rapidly deploying Silverline services in minutes and outsourcing support to F5 experts offering the highest level of 24x7x365 service.
Deliver app services, anywhere
Ensure your applications are available and secure no matter where they reside. Enable cloud migration by deploying Silverline application services across hybrid environments in conjunction with existing BIG-IP deployments.
Cloud based, enterprise-grade
Built on F5’s industry leading BIG-IP solutions, Silverline application services are enterprise-grade, highly programmable, and can be configured to maintain consistency with your existing BIG-IP implementations.
F5 Silverline Services
Defend against DDoS attacks and keep your business online with the Silverline DDoS Protection cloud-scrubbing service to detect and mitigate even the largest of volumetric DDoS attacks before they reach your network.
Protect web applications and data, and enable compliance, such as PCI DSS, with the Silverline Web Application Firewall service which is built on BIG-IP® Application Security Manager™ (ASM) with expert policy setup and fine-tuning.
Global Coverage
Fully redundant and globally distributed data centers worldwide in each geographic region
• San Jose, CA US • Ashburn, VA US • Frankfurt, DE • Singapore, SG
Industry-Leading Bandwidth
• Attack mitigation bandwidth capacity over 2.0 Tbps
• Scrubbing capacity of over 1.0 Tbps
• Guaranteed bandwidth with Tier 1 carriers
24/7 Support
F5 Security Operations Center (SOC) is available 24x7x365 with security experts ready to respond to DDoS attacks and build WAF policies within minutes
• Seattle, WA US
Access the F5 customer portal to securely setup and manage your services, communicate with F5 experts, and view transparent traffic and attack mitigation reports.
F5 Customer Portal
Protect Your Business and Stay Online During a DDoS Attack: On-premises and cloud-based services for comprehensive DDoS Protection
F5 ON-PREMISES DDOS PROTECTION
• Mitigate mid-volume, SSL, or application targeted attacks on-premises
• Complete infrastructure control
• Advanced L7 attack protections
F5 SILVERLINE DDOS PROTECTION (when under attack)
• Turn on cloud-based service to stop volumetric attacks from ever reaching your network
• Multi-layered L3-L7 DDoS attack protection against all attack vectors
• 24/7 attack support from security experts
F5 Offers Comprehensive DDoS Protection
[Diagram: DDoS protection architecture with Cloud (F5 Silverline), Network and Application tiers. Labels: Threat Intelligence Feed; Scanner; Anonymous Proxies; Anonymous Requests; Botnet; Attackers; Legitimate Users; DDoS Attackers; Multiple ISP strategy; IPS; Network and DNS; Next-Generation Firewall; Corporate Users; Financial Services; E-Commerce; Subscriber; Strategic Point of Control.]
• Volumetric attacks: L3-7 DDoS, floods, known signature attacks
• Network attacks: ICMP flood, UDP flood, SYN flood
• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
• HTTP attacks: Slowloris, slow POST, recursive POST/GET
• SSL attacks: SSL renegotiation, SSL flood
• CPE Cloud Signaling: Bad Actor IPs, Whitelist/blacklist data
• 24/7 expert support: security operations center
CLOUD KEY FEATURES
• L3-L7 volumetric DDoS attack detection and mitigation in the cloud
• 24x7 expert SOC services
• Transparent attack reporting via F5 customer portal
The Silverline DDoS Protection Story
• Defense.net was founded by the pioneers of the commercial DDoS Mitigation industry
• Designed to address customer frustrations of legacy cloud-based DDoS providers
• Acquired by F5 Networks in 2014 to be the first in a series of F5 Silverline cloud-based service offerings
• Enhanced through the addition of BIG-IP technology and an increased global footprint
• Full integration between customer BIG-IP on-premises and Silverline DDoS coming soon
Hearing Challenges with Current Enterprise Options
Concentration Risk Solution Side Effects Scale per Customer:
False Positives Not Enough Visibility into Attacks
Slow Mitigation Startup
F5 Silverline DDoS Protection Cloud-based service customer benefits
Keep your business online during a DDoS Attack
Protect your business
Access to DDoS experts 24/7
Security Operations Center
Protect against the largest of DDoS attacks
Industry-leading attack mitigation bandwidth per customer
Multi-layered, comprehensive L3-L7 protection
Protect against all DDoS attack vectors
F5 customer portal
Gain attack mitigation insights
DDoS Scrubbing Center Architecture
Volumetric attacks and floods, operations center experts, L3-7 known signature attacks
[Diagram: F5 Silverline scrubbing center. Labels: Tier 1; Legitimate Users; DDoS Attackers; Strategic Point of Control; Inspection Plane; Inspection Toolsets; Traffic Actioner; Route Management; Flow Collection; Portal; Data Plane; Switching; Routing/ACL; Mitigation Tier; Proxy and Asymmetric; Routing (Customer VRF); GRE Tunnel; Proxy; IP Reflection; X-Connect; Customer; Netflow; Copied traffic for inspection; BGP signaling; Signaling; Visibility; Management.]
F5 Silverline DDoS Protection - Service Options
Always On: Primary protection as the first line of defense
Always Available: Primary protection available on-demand
Two Ways to Direct Traffic to Silverline Scrubbing Centers
• BGP (BORDER GATEWAY PROTOCOL) ROUTED MODE
• DNS PROXY MODE
Multiple Ways to Return Clean Traffic
• L2VPN / VIRTUAL ETHERNET SERVICE
• IP REFLECTION™
• GRE TUNNELS
• PROXY
• EQUINIX CLOUD EXCHANGE
Unparalleled Visibility and Reporting Before, During, and After a DDoS Attack
Attack Data
• Instant inspection on the filters and countermeasures used for mitigation
• Detailed timeline analysis on type, size, origin, and attack vector
Configuration and Provisioning
• Configure/review/modify settings for both Proxy and GRE mode through the portal
Detailed Communication
• Real time attack communications
• Detailed events showing attack attributes and SOC mitigations applied
Key Resources
• The F5 DDoS Protection Reference Architecture
• https://f5.com/solutions/architectures/ddos-protection
• White paper: The F5 DDoS Protection Reference Architecture
• Best practices: F5 DDoS Protection – recommended Practices
• The F5 Silverline DDoS Protection Service Overview
• https://f5.com/products/platforms/silverline/f5-silverline-ddos-protection
Silverline Web Application Firewall
Organizations need a more operationally and cost efficient way to protect web applications across multiple environments without scaling out IT infrastructure and staff.
Maintain compliance (PCI DSS)
Defend against Layer 7 attacks
Secure data and web applications
F5 Solution: BIG-IP ASM the leading web application firewall
VIPRION Platform, BIG-IP Platform, BIG-IP Virtual Edition
Recognized as the most scalable WAF on the market
Deployed in more datacenters worldwide than any other WAF
F5’s web application firewall portfolio: Built on BIG-IP Application Security Manager (ASM)
VIPRION Platform, BIG-IP Platform, BIG-IP Virtual Edition, F5 Silverline WAF
Now available as an enterprise-grade cloud-based service managed by F5 Security Operations Center (SOC) experts
Silverline Web Application Firewall: Proven security effectiveness as a convenient cloud-based service
Protect web applications and data from layer 7 attacks, and enable compliance, such as PCI DSS, with the Silverline Web Application Firewall service which is built on BIG-IP Application Security Manager and backed by 24x7x365 support from F5 experts.
L7 Protection: Geolocation attacks, DDoS, SQL injection, OWASP Top Ten attacks, zero-day threats, AJAX applications, JSON payloads
VA/DAST Scans: Policy can be built from 3rd Party DAST
[Diagram labels: Legitimate User; Attackers; F5 Silverline WAF; Web Application Firewall Services; Cloud; Public Cloud Hosted Web App; Private Cloud Hosted Web App; Physical Hosted Web App.]
Silverline Web Application Firewall: Proven security effectiveness as a convenient cloud-based service
[Diagram labels: Legitimate User; Attackers; F5 Silverline WAF; Web Application Firewall Services; VIPRION Platform; Silverline Cloud; Silverline Portal; WAF Policy Engine; VA/DAST Scans (Policy can be built from 3rd Party DAST); Violation Logs; Customer Reviews Violations; 24x7x365 Policy Management; Attack Escalation; Security Operations Center.]
Key benefits
Reduce operating costs
Rapidly deploy WAF protections and drive operational and cost efficiencies by outsourcing WAF policy management to F5 security experts.
Protect web apps, anywhere
Protect web apps, no matter where they reside with consistent policies across hybrid environments in conjunction with BIG-IP deployments.
Leverage proven security effectiveness
Protect against critical web attacks with an enterprise-grade service built on BIG-IP ASM which is recommended by NSS Labs with 99.89% overall security effectiveness*.
* Source: NSS Labs Web Application Firewall Product Analysis. F5 BIG-IP ASM 10200 V11.4.0. https://interact.f5.com/2015ALLF-NSS-Web-App-Firewall--Analysis-for-BIG-IP-ASM_2---Reg.html
Leverage proven security effectiveness: An enterprise-grade web application firewall service
NSS Labs recommends BIG-IP ASM Web Application Firewall when compared with competitors:
• Overall security effectiveness: 99.89%
• Minimal false positives: .124%
Enterprise-grade protection against layer 7 geolocation attacks, DDoS, SQL injection, OWASP Top Ten attacks, zero-day threats, AJAX applications, and JSON payloads delivered as a convenient cloud-based service.
Source: NSS Labs Web Application Firewall Product Analysis. F5 BIG-IP ASM 10200 V11.4.0. https://interact.f5.com/2015ALLF-NSS-Web-App-Firewall--Analysis-for-BIG-IP-ASM_2---Reg.html
Reduce operating costs by outsourcing WAF policy management to F5 SOC experts: F5 Security Operations Center
F5 security experts proactively monitor and fine-tune policies to protect web applications and data from new and emerging threats.
• Expert policy setup
• Policy fine-tuning
• Proactive alert monitoring
• False positives tuning
• Detection tuning
• Whitelist / Blacklist setup and monitoring
Availability & Support
Expert Policy Setup and Management
Active Threat Monitoring
Gain attack insights and intelligence: F5 Customer Portal
• Securely communicate with Silverline SOC experts
• View centralized attack and threat monitoring reports with details including:
• source geo-IP mapping
• blocked vs. alerted attacks
• blocked traffic and attack types
• alerted attack types
• Threats*
• bandwidth used
• hits/sec*
• type of traffic and visits (bots v. humans)*
Customer Portal, Visibility & Compliance, Attack Reports
* Limited on initial release
WAF Violation Logs
• Detailed information provided in Violation logs showing request, SrcIP, all header information, etc.
• Simplified workflow
• Block (policy is working as intended)
• Allow (policy should be updated to accept behavior)
How Silverline Web Application Firewall is different
• Built on the industry leading purpose-built WAF: BIG-IP ASM - compared to other WAF services built on ModSecurity Open Source technology
• The highest level of service from F5 SOC experts - compared to other WAF services that are mostly self-serve
• Comprehensive protections with the ability to import VA/DAST Scans
• Highly-customizable with iRules and iApps programmability to protect against zero-day threats
• Future integrations with BIG-IP ASM to provide hybrid WAF services and APIs
Resources on F5.com
Product Overview http://www.f5.com/pdf/products/f5-silverline-web-application-firewall-product-overview.pdf
F5 Silverline platform https://f5.com/products/platforms/silverline
F5 BIG-IP ASM https://f5.com/products/modules/application-security-manager
Datasheet http://www.f5.com/pdf/products/f5-silverline-web-application-firewall-datasheet.pdf