IP Expo 2009 - Securing the Virtual World

© F5 Networks Securing and Managing Systems within a Flexible IT Environment Owen Cole Technical Director UK, Ireland and Sub Saharan Africa

Upload: ipexpo-online

Post on 20-Aug-2015

Page 1: IP Expo 2009 - Securing the Virtual World

Securing and Managing Systems within a Flexible IT Environment

Owen Cole, Technical Director

UK, Ireland and Sub Saharan Africa

Page 2: IP Expo 2009 - Securing the Virtual World

Traditional IT Model

[Diagram: Corporate Employees (LAN & wLAN); Remote Employees; Mobile Employees; Branch Employees (LAN & wLAN); Customer, Partners, or Suppliers; Cloud Services; Hosted Applications; SAAS; Apps and Data in the Branch; Corporate Data Center]

How do I connect all these applications and services to the right people, at the right moment in time, using the right amount of resources, meet all my SLAs, ensure security and save money?

Page 3: IP Expo 2009 - Securing the Virtual World

What’s Needed

A “Modern” IT Delivery Model

[Diagram: Corporate Employees (LAN & wLAN); Remote Employees; Mobile Employees; Branch Employees (LAN & wLAN); Customer, Partners, or Suppliers; Cloud Services; Hosted Applications; SAAS; Apps and Data in the Branch; Corporate Data Center]

Page 4: IP Expo 2009 - Securing the Virtual World

Refocusing the Infrastructure

[Diagram contrasting Traditional Infrastructure (Network Centric, Static Data Centers, Isolated) with “Modern” Infrastructure (Application Centric, Dynamic Services, Shared), with three "?" marks. Other labels: Routing; L2/L3/L4; Packets; Basic; Plumbing; Traffic; Locked down; Virtual Servers; Low Utilization; Applications; Dedicated; Silos; Improved Utilization; Services; Multi-Tenant; Unification; Open Access; Virtual Data Center; SaaS; Federated Resources; Messages; Intelligence; Service Delivery; L4/L7]

Page 5: IP Expo 2009 - Securing the Virtual World

What is Required to Fill the GAP

• Context
• Visibility
• Decision
• Action

A “Modern” IT Delivery Model

[Diagram: Corporate Employees (LAN & wLAN); Remote Employees; Mobile Employees; Branch Employees (LAN & wLAN); Customer, Partners, or Suppliers; Cloud Services; Hosted Applications; SAAS; Apps and Data in the Branch; Corporate Data Center]

Page 6: IP Expo 2009 - Securing the Virtual World

Context is Critical

Page 7: IP Expo 2009 - Securing the Virtual World

Without Context, You Can’t Take Appropriate Action

Page 8: IP Expo 2009 - Securing the Virtual World

Functions of a Modern IT Delivery Model

• Visibility
– Intercept application and data stream
– Reporting, notification, trending

• Context
– Put application and data stream in context
– Understand user, device, location, network, application, virtualisation, resource

• Decision
– Relate visibility and content to predetermined business policy
– Determine and direct appropriate response

• Action
– Manipulate infrastructure variables, e.g. traffic redirection, data placement, security, performance, provisioning
– Synchronize distributed points of control

Page 9: IP Expo 2009 - Securing the Virtual World

Securing Virtual Applications

• Business
– Align IT to Business
– Cost, ROI
– Security, privacy, compliance
– Workforce productivity
– New applications / services
– Consolidation
– Shared resources
– Managing change

• Technology
– Virtualisation
– Legacy application update
– Unified networking/communications
– Web 2.0
– Green IT
– Identity/access management
– Mobile enablement

Sources: Society for Information Management, NASCIO, CIOInsight, Industry Analysts, F5 Analysis

Page 10: IP Expo 2009 - Securing the Virtual World

Virtualization - Dynamic Resource Automation

[Diagram: Web Clients; Frontends Virtualization (BIG-IP LTM; Frontend, Frontend, Frontend); AppServers Virtualization (BIG-IP LTM; App. Server, App. Server, App. Server); Storage Virtualization; Monitoring & Management (vCenter + AppSpeed); iControl. Demand ↑: Detection, Automation, VM Provision, F5 Provision. Demand ↓: Detection, Automation, F5 Deprovision, VM Deprovision]

Page 11: IP Expo 2009 - Securing the Virtual World

Securing Virtual Environments

• Building security INSIDE virtual server devices can be:
– Expensive in licenses
– High management cost
– Not making best use of the devices

• Physical Virtual Servers are servers
• Virtualizes hardware in software through the Hypervisor
• Maximises impact of SSL, Compression etc on servers.

• What is the effect of a compromise to the VM container?
– How can you be sure of the separation between virtual devices in the same server?

Page 12: IP Expo 2009 - Securing the Virtual World

The Answer to Securing Virtual Environments

• Deploying External Application Firewalling provides
– Obscurity in the Network
– Application level protection outside of the container
– Protection from Encrypted Attacks

• What is the effect on the VM container?
– Proxy Abstraction of users from applications
– Offers possible speedy route to application vulnerabilities

• Offload tasks from the Servers
– SSL termination, Compression, Caching etc. run external to the server infrastructure, which increases Server capacity

Page 13: IP Expo 2009 - Securing the Virtual World

Web Applications

• Web applications are complex entities that involve many components

• Majority of e-commerce applications consist of at least 3 main components: Web server, Application server and Database

• The browser interacts with the web application by sending an HTTP request and receiving an HTML/Java page via an HTTP reply

• Applications interact with other applications by sending predefined XML structures to each other within HTTP.

[Diagram: Browser sends an HTTP Request and receives an HTML/XML Response; Web Server; CGI scripts; Application Server; Backend App Server; Database server; Data]

Page 14: IP Expo 2009 - Securing the Virtual World

Well Publicised Attack Methods

• Parameters in Application. Attack the visible and hidden information in the web pages.

• HTTP/XML. Attack the message that carries the information.

• Authentication/Authorisation. Get access to areas of the site that you are not allowed to enter or use.

• Known Vulnerabilities. Stuff you have no control over, but should protect against.

Some attacks are specific to one area; some can be targeted at multiple areas.

Page 15: IP Expo 2009 - Securing the Virtual World

Well Publicised Attack Methods

Parameters in Application.

Cross Site Scripting (XSS), SQL Injection, OS Injection, Value Tampering, Cookie Poisoning, Buffer Overflow

HTTP/XML

Structure Malformation, Buffer Overflow, Directory Traversal, Forceful Browsing, Buffer Overflow, Response Splitting

Character Set Manipulation, Information Gathering, Brute Force, Broken Session Management

Multi-part Post/Put, Character Set Manipulation, Information Gathering, Embedded Parameter Attacks (XML)

Authentication/Authorisation.

Broken Session Management, Broken Access Control, Broken Authentication, Value Tampering, Cookie Poisoning, SQL Injection

Known Vulnerabilities.

Published OS Vulnerabilities, Published App Vulnerabilities, Development Tool Vulnerabilities, DoS and DDoS, Default Installs, Insecure Storage

Page 16: IP Expo 2009 - Securing the Virtual World

How Traditional Security Solutions Work

[Diagram: Perimeter Security Is Strong, But Is Open to Web Traffic (PORT 80, PORT 443). Attacks Look To Exploit Application Vulnerabilities: Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering. Items marked "!": Infrastructural Intelligence; Non-compliant Information; Forced Access to Information]

Without the application context, requests appear legal and pass through traditional defenses, including Firewall, SSL, Authentication, IDS, IPS, etc.

Attacks simply misuse the application functionality, or utilise known bugs.

Page 17: IP Expo 2009 - Securing the Virtual World

The Solution is Simple

1. Only allow access to the application objects a user has authority to use.

2. Block invalid input and malicious content at the entry point of the application.

3. Block sensitive information passing back to the client.

[Diagram: Browser sends an HTTP Request and receives an HTML/XML Response; CONTEXT; Web Server; CGI scripts; Application Server; Backend App Server; Database server; Data]

Page 18: IP Expo 2009 - Securing the Virtual World

Solution 1 - So….fix the code!

• Tight development time-frame and lack of security expertise lead to bugs in code.

• Legacy code relies heavily on client-side validation and disregards security.

• Web applications are relatively easy to attack and the tools required are widely available.

• Attack disguise techniques are commonly used.
• Lots of testing is needed.
• Applications get less secure over time.

Most companies do not write their own applications; they are outsourced, bought as packages, or provided by an ASP.

Page 19: IP Expo 2009 - Securing the Virtual World

Solution 2 - Application Firewall

• Policy-based full proxy with deep inspection
• Bi-directional:
– Inbound: protection from generalised & targeted attacks
– Outbound: content scrubbing & application cloaking
• Application content & context aware
• Positive security augmenting negative security
• Selective granularity & flexible behavioural control
• High performance, low latency, high availability, high security

[Diagram: User; Intelligent Client; Network Plumbing; Application Infrastructure; Application. Components: SSL VPN; Firewall; IDS-IDP; Anti-Virus; Load Balance; App Firewall; App. Inbound: Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering. Outbound: Error Messages, Non-compliant Content, Fingerprints]
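
A minimal sketch of the three rules from "The Solution is Simple" and of the bi-directional, positive-plus-negative model listed on this slide. It is an added example, not F5 or ASM code; the policy, paths, roles and patterns are constructed assumptions.

```python
import re

# Constructed policy for a hypothetical shop application (paths, roles, patterns are assumptions).
POLICY = {
    "/cart/add": {"roles": {"customer", "admin"},
                  "params": {"item_id": r"\d{1,8}", "qty": r"[1-9]\d?"}},
    "/admin/report": {"roles": {"admin"},
                      "params": {"month": r"20\d\d-(0[1-9]|1[0-2])"}},
}
# Negative model: a few illustrative signatures for attack classes named on the slides.
SIGNATURES = [re.compile(p, re.I)
              for p in (r"<\s*script", r"\bunion\b.+\bselect\b", r"\.\./")]
# Outbound patterns: card-like numbers and server error detail (fingerprints).
CARD = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
ERROR = re.compile(r"Traceback \(most recent call last\)|SQLSTATE\[\w+\]|ORA-\d{5}")


def check_request(role, path, params):
    """Inbound check: return (allowed, reason) for one request."""
    rule = POLICY.get(path)
    if rule is None:
        return False, "unknown object"        # not in the policy: forceful browsing
    if role not in rule["roles"]:
        return False, "not authorised"        # rule 1: only objects the user may use
    for name, value in params.items():
        pattern = rule["params"].get(name)
        if pattern is None:
            return False, f"unexpected parameter {name}"
        if any(sig.search(value) for sig in SIGNATURES):
            return False, f"signature match in {name}"   # negative model
        if not re.fullmatch(pattern, value):
            return False, f"invalid value for {name}"    # rule 2, positive model
    return True, "ok"


def scrub_response(body):
    """Outbound check (rule 3): keep sensitive data and error detail from the client."""
    if ERROR.search(body):
        return "An error occurred."           # application cloaking
    return CARD.sub("[masked]", body)


if __name__ == "__main__":
    print(check_request("customer", "/cart/add", {"item_id": "42", "qty": "-5"}))
    print(scrub_response("Card on file: 4111 1111 1111 1111."))
```

The tampered quantity `-5` matches no signature and is rejected only by the per-parameter pattern, which is the case for letting the positive model back up the negative one.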

Page 20: IP Expo 2009 - Securing the Virtual World

Standard Application Security Delivers....

[Diagram: ASM Allows Legitimate Requests And Stops Bad Requests. Items marked "!": Non-compliant Information; Unauthorised Access; Infrastructural Intelligence]

• Policy-based full proxy with deep inspection
• Bi-directional:
– Inbound: protection from generalised & targeted attacks
– Outbound: content scrubbing & application cloaking
• High performance, low latency, high availability, high security

Page 21: IP Expo 2009 - Securing the Virtual World

Advanced Application Security Delivers....

[Diagram: Allow Only Good Application Behaviour; Definition of Good and Bad Behaviour]

• Application content & context aware
• Selective granularity & flexible behavioural control

Page 22: IP Expo 2009 - Securing the Virtual World

Benefits of Web Application Firewalls

• Provide centralised, consistent protection.

• Provides Protection from known attacks in real time.

• Central point of application security enforcement:

Page 23: IP Expo 2009 - Securing the Virtual World

Benefits of Advanced Web Application Firewalls

• Combines Positive and Negative Security Models.

• Per Application Protection.

• Flexible Deployment
– Flexible behavioural control to eliminate false positives and achieve optimum security
– Powerful automation to reduce operating costs

• Protect “Selective Flows” and “Dynamic Hidden Parameters”

• Ability to have Programmatically Defined Security Rules

• Underpinned by Advanced ADC Technology.
– DDoS protection and Packet Filtering
– Advanced Client Authentication
– SSL Acceleration
– Intelligent Compression

• Consolidated on your Advanced ADC Platform
– Combine Application Security, Acceleration and Availability on a single manageable platform.

Page 24: IP Expo 2009 - Securing the Virtual World

Parting thoughts

• You can’t Virtualise in a Vacuum!!
– Virtualisation must cover Hardware, Security and Optimisation

• A holistic, thoughtful approach focuses on forward-looking virtualisation-ready IT infrastructure
– Built to be fluid, dynamic, and provisionable
– Expects and accepts hundreds or thousands of new servers, new IP addresses, new routes, new disks, new files, new storage servers, temporary or permanent, virtual or physical
– F5’s vision is to enable an Agile IT Infrastructure with distributed, intelligent, strategic points of control

• More insight and advice at http://www.f5.com/solutions/virtualization

Page 25: IP Expo 2009 - Securing the Virtual World