ip expo 2009 - securing the virtual world
TRANSCRIPT
Securing and Managing Systems within a Flexible IT Environment
Owen Cole, Technical Director
UK, Ireland and Sub Saharan Africa
© F5 Networks
Traditional IT Model
[Diagram: corporate employees (LAN & wLAN), remote employees, mobile employees, branch employees (LAN & wLAN) and customers, partners or suppliers connecting to the corporate data center, cloud services, hosted applications, SaaS, and apps and data in the branch]
How do I connect all these applications and services to the right people, at the right moment in time, using the right amount of resources, meet all my SLAs, ensure security and save money?
What’s Needed
A “Modern” IT Delivery Model
[Diagram: the same user groups (corporate, remote, mobile and branch employees; customers, partners or suppliers) and application sources (cloud services, hosted applications, SaaS, apps and data in the branch, corporate data center) as in the traditional model, now connected through a modern IT delivery model]
Refocusing the Infrastructure
Traditional infrastructure (network centric, static data centers, isolated): routing at L2/L3/L4, packets, basic plumbing, traffic locked down, virtual servers with low utilization, applications in dedicated silos.
“Modern” infrastructure (application centric, dynamic services, shared): improved utilization, multi-tenant services, unification, open access, virtual data center, SaaS, federated resources, messages, intelligence, service delivery at L4/L7.
[Between the two columns the slide shows three “?” marks: the gap to be filled.]
What is Required to Fill the GAP
Context, Visibility, Decision, Action
A “Modern” IT Delivery Model
[Diagram: the same user groups and application sources as before, now connected through context, visibility, decision and action]
Context is Critical
Without Context, You Can’t Take Appropriate Action
Functions of a Modern IT Delivery Model
Visibility: intercept the application and data stream; reporting, notification, trending.
Context: put the application and data stream in context; understand user, device, location, network, application, virtualisation, resource.
Decision: relate visibility and context to predetermined business policy; determine and direct the appropriate response.
Action: manipulate infrastructure variables, e.g. traffic redirection, data placement, security, performance, provisioning; synchronize distributed points of control.
• Business
– Align IT to Business
– Cost, ROI
– Security, privacy, compliance
– Workforce productivity
– New applications / services
– Consolidation
– Shared resources
– Managing change
• Technology
– Virtualisation
– Legacy application update
– Unified networking/communications
– Web 2.0
– Green IT
– Identity/access management
– Mobile enablement
Sources: Society for Information Management, NASCIO, CIO Insight, industry analysts, F5 analysis
Securing Virtual Applications
Virtualization - Dynamic Resource Automation
[Diagram: web clients reach virtualized frontends (BIG-IP LTM) in front of virtualized application servers and storage; vCenter + AppSpeed monitoring and management drives the BIG-IPs through iControl. Demand ↑: F5 provision, detection, automation, VM provision. Demand ↓: VM deprovision, detection, automation, F5 deprovision.]
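The provisioning loop on this slide, written out as an added example (this is not F5's or VMware's code): a demand sample drives scale-out and scale-in, with in-memory stand-ins for the hypervisor (vCenter in the diagram) and for the load-balancer pool (BIG-IP LTM driven through iControl). The ordering is an assumption the slide does not spell out: a VM joins the pool only after it reports ready, and leaves the pool before it is deprovisioned, so the load balancer never directs traffic at a server that is not there. The per-server capacity, server limits, hysteresis margin and demand samples are constructed values.

```python
"""Demand-driven scale-out / scale-in in the order assumed in the lead-in:
scale out = provision VM -> wait until ready -> add pool member;
scale in  = drain pool member -> deprovision VM.
FakeHypervisor and FakePool are in-memory stand-ins constructed for this
example; they are not vCenter or iControl calls."""
from dataclasses import dataclass, field
from math import ceil
from typing import Dict, List


@dataclass
class FakeHypervisor:
    """Stand-in for the VM provisioning API (vCenter in the slide)."""
    vms: Dict[str, str] = field(default_factory=dict)   # name -> "booting" | "ready"
    created: int = 0

    def provision(self) -> str:
        self.created += 1
        name = f"app-{self.created:02d}"
        self.vms[name] = "booting"
        return name

    def wait_ready(self, name: str) -> bool:
        # A real controller would poll a health monitor; here the guest is ready at once.
        self.vms[name] = "ready"
        return True

    def deprovision(self, name: str) -> None:
        del self.vms[name]


@dataclass
class FakePool:
    """Stand-in for the load-balancer pool (BIG-IP LTM via iControl in the slide)."""
    members: List[str] = field(default_factory=list)

    def add(self, name: str) -> None:
        self.members.append(name)

    def drain(self, name: str) -> None:
        # Stop directing new connections at the member before its VM disappears.
        self.members.remove(name)


class Autoscaler:
    # per_server = requests/s one server carries; all numbers are constructed for the example
    def __init__(self, hv, pool, per_server=100, min_servers=1, max_servers=5, margin=0.2):
        self.hv, self.pool = hv, pool
        self.per_server, self.min, self.max, self.margin = per_server, min_servers, max_servers, margin

    def target(self, demand: int, current: int) -> int:
        """How many servers the pool should have after this demand sample."""
        needed = max(self.min, ceil(demand / self.per_server))
        if needed > current:                    # demand up: add what is needed, within the cap
            return min(self.max, needed)
        # demand down: remove one server at a time, and only once demand sits clearly
        # below what the remaining servers carry (hysteresis, so the pool does not flap)
        if current > self.min and demand <= (current - 1) * self.per_server * (1 - self.margin):
            return current - 1
        return current

    def observe(self, demand: int) -> List[str]:
        """Apply one demand sample; returns the provisioning actions taken, in order."""
        actions = []
        target = self.target(demand, len(self.pool.members))
        while len(self.pool.members) < target:      # scale out: VM first, pool member second
            name = self.hv.provision()
            if not self.hv.wait_ready(name):
                self.hv.deprovision(name)           # never add an unhealthy VM to the pool
                break
            self.pool.add(name)
            actions.append(f"out:{name}")
        while len(self.pool.members) > target:      # scale in: pool member first, VM second
            name = self.pool.members[-1]
            self.pool.drain(name)
            self.hv.deprovision(name)
            actions.append(f"in:{name}")
        return actions


def consistent(hv: FakeHypervisor, pool: FakePool) -> bool:
    """Invariant worth checking after every step: each pool member is an existing, ready VM."""
    return all(hv.vms.get(m) == "ready" for m in pool.members)


if __name__ == "__main__":
    hv, pool = FakeHypervisor(), FakePool()
    scaler = Autoscaler(hv, pool)
    for demand in (50, 250, 190, 150, 0):          # constructed demand samples
        print(demand, scaler.observe(demand), pool.members, consistent(hv, pool))
```

The hysteresis margin is what keeps the "detection, automation" steps from oscillating: a sample of 190 requests/s against three servers removes nothing, because the two that would remain could only carry 160 with the margin applied, while 150 does trigger one scale-in. The `consistent` check is the invariant a real controller should assert between the pool and hypervisor calls, since a member that points at a deprovisioned VM is exactly the failure the ordering is meant to prevent.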
Securing Virtual Environments
• Building security INSIDE virtual server devices can be:
– Expensive in licenses
– High management cost
– Not making best use of the devices
• Physical Virtual Servers are servers
• Virtualizes hardware in software through the Hypervisor
• Maximises impact of SSL, Compression etc on servers.
• What is the effect of a compromise to the VM container?
– How can you be sure of the separation between virtual devices in the same server?
The Answer to Securing Virtual Environments
• Deploying External Application Firewalling provides
– Obscurity in the Network
– Application level protection outside of the container
– Protection from Encrypted Attacks
• What is the effect on the VM container?
– Proxy Abstraction of users from applications
– Offers possible speedy route to application vulnerabilities
• Offload tasks from the Servers
– SSL termination, Compression, Caching etc run external to the server infrastructure, which increases server capacity
Web Applications
• Web applications are complex entities that involve many components
• The majority of e-commerce applications consist of at least three main components: web server, application server and database
• The browser interacts with the web application by sending an HTTP request and receiving an HTML/Java page in the HTTP reply
• Applications interact with other applications by sending predefined XML structures to each other within HTTP.
[Diagram: the browser sends an HTTP request to the web server (CGI scripts), which talks to the application server, backend app server and database server; the HTML/XML response returns to the browser]
Well Publicised Attack Methods
Parameters in Application: attack the visible and hidden information in the web pages.
HTTP/XML: attack the message that carries the information.
Authentication/Authorisation: get access to areas of the site that you are not allowed to enter or use.
Known Vulnerabilities: stuff you have no control over, but should protect against.
Some attacks are specific to one area; some can be targeted at multiple areas.
Well Publicised Attack Methods
Parameters in Application: Cross Site Scripting (XSS), SQL Injection, OS Injection, Value Tampering, Cookie Poisoning, Buffer Overflow
HTTP/XML: Structure Malformation, Buffer Overflow, Directory Traversal, Forceful Browsing, Response Splitting, Character Set Manipulation, Information Gathering, Brute Force, Broken Session Management, Multi-part Post/Put, Embedded Parameter Attacks (XML)
Authentication/Authorisation: Broken Session Management, Broken Access Control, Broken Authentication, Value Tampering, Cookie Poisoning, SQL Injection
Known Vulnerabilities: Published OS Vulnerabilities, Published App Vulnerabilities, Development Tool Vulnerabilities, DoS and DDoS, Default Installs, Insecure Storage
How Traditional Security Solutions Work
[Diagram: perimeter security is strong on ports 80 and 443 but is open to web traffic; attacks look to exploit application vulnerabilities (buffer overflow, cross-site scripting, SQL/OS injection, cookie poisoning, hidden-field manipulation, parameter tampering) and yield infrastructural intelligence, non-compliant information and forced access to information]
Without the application context, requests appear legal and pass through traditional defenses, including firewall, SSL, authentication, IDS, IPS, etc.
Attacks simply misuse the application functionality, or utilise known bugs.
The Solution is Simple
1. Only allow access to the application objects a user has authority to use.
2. Block invalid input and malicious content at the entry point of the application.
3. Block sensitive information passing back to the client.
[Diagram: the same browser / web server (CGI scripts) / application server / backend app server / database server path as before, with CONTEXT applied where the HTTP request enters and the HTML/XML response leaves]
Solution 1 - So….fix the code!
• Tight development time-frame and lack of security expertise lead to bugs in code.
• Legacy code relies heavily on client-side validation and disregards security.
• Web applications are relatively easy to attack and the tools required are widely available.
• Attack disguise techniques are commonly used.
• Lots of testing is needed.
• Applications get less secure over time.
Most companies do not write their own applications: they are outsourced, packaged or ASP.
Solution 2 - Application Firewall
• Policy-based full proxy with deep inspection
• Bi-directional:
– Inbound: protection from generalised & targeted attacks
– Outbound: content scrubbing & application cloaking
• Application content & context aware
• Positive security augmenting negative security
• Selective granularity & flexible behavioural control
• High performance, low latency, high availability, high security
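The three steps under "The Solution is Simple" and the inbound/outbound policy described for the application firewall, as an added example that is not F5 ASM code or configuration: an allow-list of application objects per role with a declared shape for every parameter (the positive model), attack signatures for input that a loose allow-list shape would still accept (the negative model, augmenting the positive one), and an outbound pass that cloaks platform fingerprints and scrubs sensitive content before it reaches the client. The objects, roles, parameter shapes, signatures, headers and sample requests are all constructed for the example.

```python
"""A minimal application-firewall policy, constructed for this example (not F5 ASM).
Inbound: positive model (allow-list of objects, roles and parameter shapes) augmented by a
negative model (attack signatures). Outbound: cloak fingerprints, scrub sensitive content."""
import re
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]
    role: str            # identity the front end has already established (assumed)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# Positive security model: the application objects each role may use, and the shape every
# parameter must have. Anything not listed here is denied by default. (Constructed objects.)
ALLOWED_OBJECTS = {
    ("GET", "/catalog"):     {"roles": {"anon", "user", "admin"},
                              "params": {"q": r"[\w ]{0,40}", "page": r"\d{1,3}"}},
    ("POST", "/review"):     {"roles": {"user", "admin"},
                              "params": {"sku": r"[A-Z]{3}-\d{4}", "text": r".{1,200}"}},
    ("GET", "/admin/users"): {"roles": {"admin"}, "params": {}},
}

# Negative security model: signatures for input that a loose allow-list shape still accepts.
ATTACK_SIGNATURES = [
    ("sql-injection", re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$", re.I)),
    ("xss",           re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)),
    ("traversal",     re.compile(r"\.\./|%2e%2e", re.I)),
]

# Outbound policy: response headers that fingerprint the platform, and content to scrub.
CLOAKED_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
SCRUB_PATTERNS = [
    ("card-number", re.compile(r"\b(?:\d[ -]?){15}\d\b"), "[card redacted]"),
    ("stack-trace", re.compile(r"^\s+at [\w.$<>]+\(.*\)$", re.M), "[trace removed]"),
]


def inspect_request(req: Request) -> Tuple[bool, str]:
    """Steps 1 and 2 of the slide: authority to use the object, then validity of the input."""
    obj = ALLOWED_OBJECTS.get((req.method, req.path))
    if obj is None:
        return False, "unknown object"
    if req.role not in obj["roles"]:
        return False, "not authorised"
    for name, value in req.params.items():
        shape = obj["params"].get(name)
        if shape is None:
            return False, f"unexpected parameter: {name}"
        if not re.fullmatch(shape, value, re.S):
            return False, f"invalid value: {name}"
    for label, sig in ATTACK_SIGNATURES:          # negative model runs after the positive one
        if any(sig.search(v) for v in req.params.values()):
            return False, f"signature: {label}"
    return True, "allowed"


def scrub_response(resp: Response) -> Response:
    """Step 3 of the slide: keep sensitive information from reaching the client."""
    headers = {k: v for k, v in resp.headers.items() if k.lower() not in CLOAKED_HEADERS}
    if resp.status >= 500:                         # never relay the server's own error page
        return Response(resp.status, headers, "The request could not be completed.")
    body = resp.body
    for _, pattern, replacement in SCRUB_PATTERNS:
        body = pattern.sub(replacement, body)
    return Response(resp.status, headers, body)


if __name__ == "__main__":
    samples = [                                    # constructed requests
        Request("GET", "/catalog", {"q": "red shoes", "page": "2"}, "anon"),
        Request("GET", "/admin/users", {}, "user"),
        Request("POST", "/review", {"sku": "ABC-1234", "text": "' or 1=1 --"}, "user"),
    ]
    for r in samples:
        print(r.method, r.path, inspect_request(r))
    print(scrub_response(Response(200, {"Server": "Apache/2.2"},
                                  "Receipt: card 4111 1111 1111 1111 charged")))
```

The order of the checks is the point: the positive model rejects most bad input on shape alone (a script tag cannot match `[\w ]{0,40}`), and the signatures only have to cover the free-text parameters whose shape has to stay loose, which is what "positive security augmenting negative security" buys. The outbound pass is where application cloaking happens: the `Server` header and the server's own 5xx page never reach the client, so an attacker's information gathering gets nothing from error responses.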
[Diagram: intelligent client, network plumbing (firewall, IDS-IDP, anti-virus), application infrastructure (SSL VPN, load balance, app firewall) and application; the app firewall covers buffer overflow, cross-site scripting, SQL/OS injection, cookie poisoning, hidden-field manipulation, parameter tampering, error messages, non-compliant content and fingerprints]
Standard Application Security Delivers....
[Diagram: ASM allows legitimate requests and stops bad requests: unauthorised access, infrastructural intelligence, non-compliant information]
• Policy-based full proxy with deep inspection
• Bi-directional:
– Inbound: protection from generalised & targeted attacks
– Outbound: content scrubbing & application cloaking
• High performance, low latency, high availability, high security
Advanced Application Security Delivers....
[Diagram: allow only good application behaviour, from a definition of good and bad behaviour]
• Application content & context aware
• Selective granularity & flexible behavioural control
Benefits of Web Application Firewalls
• Provide centralised, consistent protection.
• Provide protection from known attacks in real time.
• Central point of application security enforcement.
Benefits of Advanced Web Application Firewalls
• Combines Positive and Negative Security Models.
• Per Application Protection.
• Flexible Deployment
– Flexible behavioural control to eliminate false positives and achieve optimum security
– Powerful automation to reduce operating costs
• Protect “Selective Flows” and “Dynamic Hidden Parameters”
• Ability to have Programmatically Defined Security Rules
• Underpinned by Advanced ADC Technology.
– DDoS protection and Packet Filtering
– Advanced Client Authentication
– SSL Acceleration
– Intelligent Compression
• Consolidated on your Advanced ADC Platform
– Combine Application Security, Acceleration and Availability on a single manageable platform.
Parting thoughts
• You can’t Virtualise in a Vacuum !!
– Virtualisation must cover Hardware, Security and Optimisation
• A holistic, thoughtful approach focuses on forward-looking virtualisation-ready IT infrastructure
– Built to be fluid, dynamic, and provisionable
– Expects and accepts hundreds or thousands of new servers, new IP addresses, new routes, new disks, new files, new storage servers – temporary or permanent, virtual or physical
– F5’s vision is to enable an Agile IT Infrastructure with distributed, intelligent, strategic points of control
• More insight and advice at http://www.f5.com/solutions/virtualization