F5 Security Architecture (Bezpečnostní architektura F5)


Upload: marketingarrowecscz

Posted on 13-Apr-2017


TRANSCRIPT

Page 1: F5 Security Architecture

Agenda

Page 2

[Figure: full-proxy stack with a client side and a server side, layered as Physical, Network, Session, Application and Web application; labels: Full proxy security, High-performance HW, iRules, iControl API]

• L4 firewall: full stateful policy enforcement and TCP DDoS mitigation

• SSL inspection and SSL DDoS mitigation

• HTTP proxy, HTTP DDoS and application security

• Application health monitoring and performance anomaly detection

F5’s Approach

• TMOS traffic plug-ins

• High-performance networking microkernel

• Powerful application protocol support

• iControl—External monitoring and control

• iRules—Network programming language

[Figure: TMOS traffic management microkernel with client-side and server-side proxy stacks (IPv4/IPv6, TCP, SSL, HTTP, OneConnect) and plug-in modules such as APM and Firewall; optional modules plug in for all F5 products and solutions]

Page 3

Full proxy security

[Figure: client-side and server-side TCP, SSL and HTTP stacks, each with iRule hooks; attack examples shown per layer: ICMP flood, SYN flood, SSL renegotiation, Slowloris attack, XSS, data leakage; enforcement points: Network Firewall, WAF]

Page 4

F5 provides comprehensive application security

[Figure: security modules]

• Application Access

• Network Access

• Network Firewall

• Network DDoS Protection

• SSL DDoS Protection

• DNS DDoS Protection

• Application DDoS Protection

• Web Application Firewall

• Fraud Protection

• Virtual Patching

Page 5

F5 Security Architecture

[Figure: F5 Security Architecture. Threat sources: Scanner, Anonymous Proxies, Anonymous Requests, Botnet Attackers, DDoS Attackers, alongside Legitimate Users; a Threat Intelligence Feed spans all tiers. Three tiers: Cloud, Network, Application.
Cloud tier: Cloud Scrubbing Service for volumetric attacks and floods, operations center experts, L3-7 known signature attacks; ISP a/b, multiple ISP strategy.
Network and DNS tier: network attacks (ICMP flood, UDP flood, SYN flood), DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning); IPS; Next-Generation Firewall; Corporate Users.
Application tier: HTTP attacks (Slowloris, slow POST, recursive POST/GET), SSL attacks (SSL renegotiation, SSL flood); protected applications: Financial Services, E-Commerce, Subscriber.
Label: Strategic Point of Control.]

Page 6

F5 Security Architecture

[Figure: F5 Security Architecture diagram, as on page 5]

NETWORK KEY FEATURES

• The network tier at the perimeter provides layer 3 and 4 network firewall services

• Simple load balancing to a second tier

• IP reputation database

• Mitigates transient and low-volume attacks

Page 7

BIG-IP® Advanced Firewall Manager (AFM)

[Figure: AFM in the data center: Application Security, Data Center Firewall, Access Security, DNS Security, Network DDoS; users reaching app servers and a classic server]

• Built on the market-leading Application Delivery Controller (ADC)

• Consolidates multiple appliances to reduce TCO

• Protects against L2-L4 attacks with the most advanced full-proxy architecture

• Delivers over 100 vectors and more hardware-based DoS vectors than any other vendor

• Ensures performance while under attack: scales to 7.5M CPS, 576M CC, 640 Gbps

• Offers a foundation for an integrated L2-L7 application delivery firewall platform

Page 8

F5 Security Architecture

[Figure: F5 Security Architecture diagram, as on page 5]

Page 9

F5 Security Architecture

[Figure: F5 Security Architecture diagram, as on page 5]

CLOUD KEY FEATURES

• Real-time volumetric DDoS attack detection and mitigation in the cloud

• Multi-layered L3-L7 DDoS attack protection

• 24x7 expert SOC services

• Transparent attack reporting via the F5 customer portal

Page 10

Global Coverage

Fully redundant and globally distributed data centers worldwide in each geographic region:

– San Jose, CA US

– Ashburn, VA US

– Frankfurt, DE

– Singapore, SG

Industry-Leading Bandwidth

• Attack mitigation bandwidth capacity over 2.0 Tbps

• Scrubbing capacity of over 1.0 Tbps

• Guaranteed bandwidth with Tier 1 carriers

24/7 Support

The F5 Security Operations Center (SOC) is available 24/7 with security experts ready to respond to DDoS attacks within minutes.

SOC locations:

– Seattle, WA US

– Warsaw, Poland

Page 11

DDoS Scrubbing Center Architecture

[Figure: Tier 1 connectivity carries Legitimate Users and DDoS Attackers into the scrubbing center (volumetric attacks and floods, operations center experts, L3-7 known signature attacks; Strategic Point of Control).
Inspection plane: inspection toolsets, traffic actioner, route management, flow collection, portal; fed by Netflow and copied traffic for inspection.
Data plane: switching, routing/ACL, proxy and asymmetric mitigation tier, routing (customer VRF); GRE tunnel, proxy, IP reflection and X-Connect towards the customer.
Signaling: BGP signaling. Visibility and management through the portal. F5 Silverline.]

Page 12

Routed Configuration: F5 Silverline DDoS Protection Engaged

[Figure: Internet, ISP router and customer/ISP transit network, F5 router (F5 Silverline DDoS Protection) and customer router in front of the data center hosting 1.2.3.4, 1.2.3.5, 1.2.3.6 and 1.2.3.7; GRE tunnel between the F5 router and the customer router. The diagram shows:]

• Client 86.75.30.9 opens a TCP connection: SYN, SRC 86.75.30.9:27182, DST 1.2.3.4:80

• Host 69.86.73.76 opens a TCP connection: SRC 69.86.73.76:4243, DST 1.2.3.4:80

• Customer Admin makes a BGP configuration change: withdraw advertisement for 1.2.3.0/24

• BGP route advertisement: F5 route for 1.2.3.0/24 becomes preferred

• Clean traffic is returned via GRE tunnel to the customer’s data center

• Return traffic: TCP SYN-ACK, SRC 1.2.3.4:80, DST 86.75.30.9:27182

Page 13

Routed Configuration: BGP Peering Detail

[Figure: Internet, ISP router, customer/ISP transit network, F5 router and customer router, with the GRE tunnel between F5 router and customer router]

• BGP configuration change: withdraw advertisement for 1.2.3.0/24

• Clean traffic is returned via GRE tunnel to the customer’s data center

Page 14

Routed Configuration: Anycast / Route Advertisement Detail

[Figure: F5 router (F5 Silverline DDoS Protection) receiving both connections]

• TCP connection: SYN, SRC 86.75.30.9:27182, DST 1.2.3.4:80

• TCP connection: SRC 69.86.73.76:4243, DST 1.2.3.4:80

• BGP route advertisement: F5 route for 1.2.3.0/24 becomes preferred

Page 15

Routed Configuration: Return Traffic Detail

[Figure: data center host 1.2.3.4 behind the customer router, returning traffic to 86.75.30.9]

• TCP connection: SYN-ACK, SRC 1.2.3.4:80, DST 86.75.30.9:27182

Page 16

CPE Signaling iApp

Two flavors:

• “Request For Service”

  • BIG-IP device identifies that a threshold has been crossed; notifies Silverline for action

  • Typical customer action will be a SOC call-back to the customer to advise

• “IP List Management”

  • BIG-IP device identifies a bad-actor IP address and notifies Silverline

  • Pre-stages mitigation policy before traffic activation

  • Refines mitigation if additional bad IPs are detected after traffic diversion

Page 17

Proxy Configuration: F5 Silverline DDoS Protection Engaged

[Figure: client 86.75.30.9 and host 69.86.73.76 on the Internet; Local DNS, Public DNS servers and the customer’s Authoritative DNS; F5 Silverline DDoS Protection proxy at 5.6.7.8 with NAT pool 9.9.9.0/24; ISP router, customer router and data center hosting 1.2.3.4. The diagram shows:]

• Customer Admin makes a DNS configuration change on the Authoritative DNS: the record www.abc.com 1.2.3.4 is commented out (#www.abc.com 1.2.3.4) and replaced by www.abc.com 5.6.7.8

• DNS query for www.abc.com travels from the client to Local DNS, to Public DNS servers, to the Authoritative DNS; DNS response: www.abc.com 5.6.7.8

• Client opens a TCP connection to the proxy: SRC 86.75.30.9:27182, DST 5.6.7.8:80

• Proxy opens a TCP connection to the origin from the NAT pool: SRC 9.9.9.18:31415, DST 1.2.3.4:80

• ISP router ACL: permit 9.9.9.0/24 to 1.2.3.4/32; deny any to 1.2.3.4/32

• Host 69.86.73.76 opens a TCP connection directly to the origin (SRC 69.86.73.76:4243, DST 1.2.3.4:80), which matches the ACL’s deny entry, and a TCP connection to the proxy (SRC 69.86.73.76:4243, DST 5.6.7.8:80)

Page 18

Proxy Configuration: DNS

[Figure: client, Local DNS, Public DNS servers and the Authoritative DNS in the data center]

• DNS configuration change on the Authoritative DNS: #www.abc.com 1.2.3.4 (commented out), www.abc.com 5.6.7.8

• DNS query for www.abc.com from the client via Local DNS and Public DNS servers to the Authoritative DNS

• DNS response: www.abc.com 5.6.7.8

Page 19

Proxy Configuration: Proxy & NAT Detail

[Figure: client 86.75.30.9, F5 Silverline DDoS Protection proxy at 5.6.7.8 with NAT pool 9.9.9.0/24, ISP router, customer router, origin 1.2.3.4]

• TCP connection from client to proxy: SRC 86.75.30.9:27182, DST 5.6.7.8:80

• TCP connection from proxy (NAT pool 9.9.9.0/24) to origin: SRC 9.9.9.18:31415, DST 1.2.3.4:80

Page 20

Proxy Configuration: Traffic Filtering and ISP ACL Detail

[Figure: host 69.86.73.76 and the ISP router]

• ISP router ACL: permit 9.9.9.0/24 to 1.2.3.4/32; deny any to 1.2.3.4/32

• TCP connection: SRC 69.86.73.76:4243, DST 1.2.3.4:80 (direct to the origin; matches the deny entry)

• TCP connection: SRC 69.86.73.76:4243, DST 5.6.7.8:80 (to the proxy)
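The proxy-mode filtering from pages 17 to 20, as an added example that is not part of the original deck and not F5 or Silverline code: it evaluates the slide's two-entry ISP ACL with first-match semantics over the diagram's connections, models the proxy's source-NAT rewrite as an assumption (the real proxy is opaque here, so the NAT address 9.9.9.18:31415 is taken from the diagram), and checks that the deny-any entry sits last, since an ACL with the entries reversed would also cut off the clean traffic coming from the NAT pool.

```python
import ipaddress
from dataclasses import dataclass

# Addresses taken from the slides: origin server, Silverline proxy address,
# proxy source-NAT pool, and the NAT source shown in the diagram.
ORIGIN = ipaddress.ip_address("1.2.3.4")
PROXY_VIP = ipaddress.ip_address("5.6.7.8")
NAT_POOL = ipaddress.ip_network("9.9.9.0/24")
NAT_SRC = ("9.9.9.18", 31415)

# ISP router ACL from the slide, in order; first match wins.
ISP_ACL = [
    ("permit", ipaddress.ip_network("9.9.9.0/24"), ipaddress.ip_network("1.2.3.4/32")),
    ("deny",   ipaddress.ip_network("0.0.0.0/0"),  ipaddress.ip_network("1.2.3.4/32")),
]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def acl_decision(acl, flow):
    """Action of the first ACL entry whose src/dst networks contain the flow.
    A flow matching no entry yields 'no-match': the slide's ACL only scopes
    the origin, so traffic to other destinations is outside its concern."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "no-match"


def proxy_rewrite(flow):
    """Assumed model of the scrubbing proxy: a connection terminated on the
    proxy address is re-originated from the NAT pool to the origin on the
    same destination port. Returns None for flows not aimed at the proxy."""
    if ipaddress.ip_address(flow.dst) != PROXY_VIP:
        return None
    assert ipaddress.ip_address(NAT_SRC[0]) in NAT_POOL
    return Flow(NAT_SRC[0], NAT_SRC[1], str(ORIGIN), flow.dport)


def trace(flow, acl=ISP_ACL):
    """Follow a flow towards the origin: directly through the ISP ACL, or via
    the proxy, in which case the ISP ACL sees the re-originated flow."""
    rewritten = proxy_rewrite(flow)
    if rewritten is None:
        return ("direct", acl_decision(acl, flow))
    return ("proxied", acl_decision(acl, rewritten))


def catch_all_is_last(acl):
    """Ordering check: the deny-any entry for the origin must be the final
    entry; earlier, it would shadow the NAT-pool permit and drop clean traffic."""
    *head, (action, src_net, _) = acl
    if action != "deny" or src_net.prefixlen != 0:
        return False
    return all(not (a == "deny" and s.prefixlen == 0) for a, s, _ in head)
```

Note that the host connecting through the proxy is permitted by the ACL just like the legitimate client: the ACL's job is only to force every path to the origin through the scrubbing proxy, where the L3-L7 mitigation happens.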

Page 21

F5 Silverline AttackView Portal: Unprecedented Transparency

Attack Data

• Instant inspection of the filters and countermeasures used for mitigation

• Detailed timeline analysis of type, size, origin, and attack vector

Configuration and Provisioning

• Configure, review and modify settings for both Proxy and GRE mode through the portal

Detailed Communication

• Real-time attack communications

• Detailed events showing attack attributes and SOC mitigations applied

Page 22

Portal: Timeline of Events

[Figure: portal screenshots showing the timeline of events and an event detail view]

Page 23

Portal: Real-Time Information

[Figure: portal screenshot; callouts: directly chat with the F5 SOC; application fluency and detail]

Application View:

• Protocol inspection and statistics

• Mitigation actions

• Flagged annotations of SOC communications

SOC Chat:

• Coordinate directly with the F5 SOC

• Share attack details

• Define exact mitigations needed

Page 24

Portal: Configuration and Provisioning

Page 25

F5 Security Architecture

[Figure: F5 Security Architecture diagram, as on page 5]

Page 26

F5 Security Architecture

[Figure: F5 Security Architecture diagram, as on page 5]

APPLICATION KEY FEATURES

• Application-aware, CPU-intensive defense mechanisms

• SSL termination

• Web application firewall

• Access control

• Mitigate asymmetric and SSL-based DDoS attacks

Page 27

BIG-IP ASM: Advanced Web Application Firewall

• EFFECTIVE APPLICATION PROTECTIONS

• SIMPLIFIED AND RAPID POLICY DEPLOYMENT

• PCI COMPLIANCE

• DETAILED ATTACK INSPECTION AND FILTERING

• HIGH SCALABILITY AND PERFORMANCE

• ENHANCED VISIBILITY AND ACTIONABLE REPORTING

• RELIABLE PLATFORM SECURITY

[Figure: platform stack: AFM DDoS protection, ASM WAF security, ADC technology, APM access management, F5 Silverline]

Page 28

Defending against automated attacks

[Figure: a web bot sends requests to ASM (website application security); client check; bot identified; ALERT & BLOCK]

• Performs a variety of checks to distinguish humans from bots

• Allows only verified client requests to pass through to the app server

• Notifies, then drops requests that cannot be verified

ASM identifies and blocks automated web scraping and scanning

• Performs rapid surfing analysis of page changes

• Blocks clients making excessive page requests

• Issues a CAPTCHA challenge on mitigated threats and initial visits

• Detects previously identified browsers and bad IPs

• Disallows web scraping, table captures, UA spoofing, etc.

Page 29

Detection and mitigation in action

BIG-IP view:

Attack started at 06:35.

“Incomplete” shows unmitigated requests that failed because of the denial of service (max-connection limitation or server congestion).

“DoS Slow Blocked” shows mitigated requests that were slowed down until they died (by inactivity timeout).

“DoS Slow” shows mitigated requests that were slowed down.

“Passthrough” – good or bad requests that were not touched, since server health was OK.

Page 30

Silverline Web Application Firewall: Proven security effectiveness as a convenient cloud-based service

[Figure: legitimate user and attackers reach web applications (public cloud hosted, private cloud hosted, physical hosted) through F5 Silverline WAF, the cloud Web Application Firewall Services]

L7 Protection: geolocation attacks, DDoS, SQL injection, OWASP Top Ten attacks, zero-day threats, AJAX applications, JSON payloads

VA/DAST Scans: policy can be built from 3rd-party DAST

Page 31

Silverline Web Application Firewall: Proven security effectiveness as a convenient cloud-based service

[Figure: legitimate user and attackers reach F5 Silverline WAF (Web Application Firewall Services on the VIPRION platform); Silverline Portal with WAF Policy Engine; VA/DAST scans (policy can be built from 3rd-party DAST); violation logs, customer reviews violations; Silverline Cloud Security Operations Center: 24x7x365 policy management and attack escalation]

Page 32

F5 Security Architecture

[Figure: F5 Security Architecture diagram, as on page 5]

Page 33

F5 Security Architecture

[Figure: F5 Security Architecture diagram, as on page 5]

APPLICATION KEY FEATURES

• Application-aware, CPU-intensive defense mechanisms

• SSL termination

• Web application firewall

• Mitigate asymmetric and SSL-based DDoS attacks

Page 34

SSL visibility and inspection: Passive mode or “tap” visibility

[Figure: client to the BIG-IP Platform (Local Traffic Manager) proxy tier; SSL visibility, intelligent traffic control, security + performance; decrypted traffic tapped to IPS, IDS and DLP (ICAP), with feedback to the proxy tier]

Page 35

Next Generation IPS Reference Architecture

[Figure: untrusted networks (partner extranets, Internet) → ADC → NG-IPS → ADC → protected networks/resources. BIG-IP Local Traffic Manager: SSL (en/de)cryption + load balancing, Control iRule, Protect iRule, Remediation API. IPS: signature-based threat detection. Legitimate users and malicious attackers. Deployment options: carrier/SP data center, enterprise data center, MSSP data center; labels GOOD / BETTER / BEST.]

Sequence shown in the figure:

1. Malicious attacker is identified and blocked by NG-IPS

2. NG-IPS sends blacklisted IP information from the remediation API to the ADC

3. ADC begins blocking the malicious attacker

Next-Generation IPS-Integrated ADC Infrastructure; Simplified Business Models

Page 36

F5 Security Architecture

[Figure: F5 Security Architecture diagram, as on page 5]

Page 37