
Dynamic Data Center App. Security


BIG-IP ASM v11.2


© F5 Networks, Inc.

How the Static Data Center Falls Short

• It started simple
• More user types, services
• Application issues
• Security woes …
• What’s the answer?

Complexity is the Enemy of Good Security


Dynamic Data Center

• Reconfigure dynamically
• Manage applications, not objects
• Context-aware policies
• ADC manages application services


Threats are evolving, behaviors are changing

Figure 15 and 16: Verizon 2011 Data Breach Investigations Report



Cyber-attacks in the News for 2011

Source: IBM X-Force 2011 Trend and Risk Report, March 2012

Most web applications are vulnerable!

• “Most websites were exposed to at least one serious* vulnerability every day of 2010.”
• “Only 16% of websites were vulnerable less than 30 days of the year overall.”
• “During 2010, the average website had 230 serious* vulnerabilities.”
• “On the average, 50% of organizations require 116 days or less to remediate their serious* vulnerabilities.”
  - WhiteHat Website Security Stats Report
• “97% of websites at immediate risk of being hacked due to vulnerabilities! 69% of vulnerabilities are client-side attacks”
  - Web Application Security Consortium
• “64 percent of developers are not confident in their ability to write secure applications.”
  - Microsoft Developer Research


Top Vulnerabilities and Avg. Vuln. by Industry

Figure 3 and 4: 11th Website Security Statistics Report (Winter 2011)


Recent Application and Network Attacks

• And the hits keep coming:

Source: http://spectrum.ieee.org/static/hacker-matrix


Defend Against Cyberattacks

• Ongoing storm of cyberattacks is preventable, experts say
• Preventable with technology that exists today!
• Need to educate all IT organizations how to protect networks
• Many are blind to Layer 7 attacks
• Experts note that network firewalls are not enough
• Need a dynamic, layered network and application security architecture unique to F5


“Anonymous” Attack

• Anonymous targeted customer with bots
• Traffic attack melted legacy systems
• Solution: Implement BIG-IP

BIG-IP Attack Protection:
• Greater connection management
• LTM to mitigate network DDoS
• ASM to mitigate application DDoS
• iRules for agility and extensibility


Protect Applications from Threats
Adaptive and unique attack protection

• Block latest web threats automatically and protect revenue
• Improve application availability and end-user performance
• A medium-size online company would lose $220,000 per hour of service disruption from a denial-of-service attack*


Optimize Traffic Management and Offload Application Server
with BIG-IP Local Traffic Manager (LTM)

BIG-IP LTM: Physical, Virtual, Public or private cloud

OPTIMIZED APPLICATIONS & DATA
• Application Intelligence
• Load Balancing
• TCP Optimization
• Rate Shaping
• Server Offload
• Intelligent Compression
• Health Monitoring
• SSL offload
• Session Persistence

SECURE APPLICATIONS & DATA
• Application Proxy
• Transaction Assurance
• Resource Cloaking
• Secure Network Address Translation
• Port Mapping
• Selective Content Encryption
• Denial of Service (DoS) protection


Secure Applications and Data
with BIG-IP Local Traffic Manager (LTM)

SECURE APPLICATIONS & DATA
• Application Proxy
• Transaction Assurance
• Resource Cloaking
• Network and protocol attack protection
• Secure Network Address Translation
• Port Mapping
• Selective Content Encryption
• Denial of Service attack protection

Security at the network, protocol, and application levels
• Data center firewall solution
• Meet compliance requirements (PCI, HIPAA, etc.)
• Protect data without interrupting legitimate traffic


TMOS Architecture
The foundation of BIG-IP LTM and a unified system
for application delivery


Leading Web Attack Protection
BIG-IP Application Security Manager

• Protect from latest web threats
• Quickly resolve vulnerabilities
• Meet PCI compliance
• Improve site performance
• Out-of-the-box deployment


BIG-IP Application Security Manager
Powerful Adaptable Solution

• Provides comprehensive protection for all web application vulnerabilities, including (D)DoS
• Logs and reports all application traffic and attacks
• Educates admin. on attack type definitions and examples
• Enables L2->L7 protection
• Unifies security, access control and application delivery
• Sees application level performance
• Provides On-Demand scaling


Quickly Resolve Application Vulnerabilities

Diagram: request made; BIG-IP ASM security policy checked; enforcement; BIG-IP ASM applies the security policy in front of the vulnerable application; secure response delivered

• Maintain security at application, protocol, and network levels
• Launch secure applications protected from vulnerabilities



“F5 BIG-IP products enabled us to improve security for an existing application instead of having to invest time and money into developing a new, more secure application.”
Application Manager, Global 500 Media and Entertainment Company
TechValidate 0C0-126-2FB


Automatic DOS Attack Detection and Protection

• Accurate detection technique, based on latency
• 3 different mitigation techniques escalated serially
• Focus on higher value productivity while automatic controls intervene

Detect a DOS condition; identify potential attackers; drop only the attackers
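The three-step flow above in code, as an added worked example that is not F5's code and not a description of ASM's internal algorithm: the trigger is server latency rather than raw request volume, attackers are singled out as clients whose request count is far above the per-client baseline, and mitigation escalates serially from no action, to dropping only the outlying clients, to throttling the hottest URL when no single client stands out (a distributed source). The request records and the thresholds (3x baseline latency, 5x per-client request rate, 50% of the window on one URL) are constructed for illustration.

```python
from collections import Counter

# Constructed request records, one tuple per request: (client_ip, url, server_latency_ms).
# Neither the records nor the thresholds below come from the slide; they are illustrative.
BASELINE = [("10.0.0.%d" % i, "/index", 40 + (i % 3)) for i in range(1, 21)]
UNDER_ATTACK = BASELINE + [("203.0.113.7", "/search", 900)] * 60 + [("198.51.100.9", "/search", 850)] * 45
DISTRIBUTED = BASELINE + [("192.0.2.%d" % i, "/search", 800) for i in range(1, 101)]


def average_latency(records):
    """Mean server latency over a set of request records."""
    return sum(latency for _, _, latency in records) / len(records)


def detect_dos(window, baseline_latency, ratio=3.0, min_requests=50):
    """Step 1, detect a DoS condition. The trigger is server latency, not request volume:
    a window whose mean latency exceeds `ratio` times the learned baseline, with enough
    requests in it to be meaningful, is declared a DoS condition."""
    return len(window) >= min_requests and average_latency(window) > ratio * baseline_latency


def identify_attackers(window, baseline_per_client, ratio=5.0):
    """Step 2, identify potential attackers: clients whose request count in the window is
    more than `ratio` times the per-client baseline. Everyone else is presumed legitimate."""
    per_client = Counter(ip for ip, _, _ in window)
    return {ip for ip, count in per_client.items() if count > ratio * baseline_per_client}


def mitigate(window, baseline):
    """Step 3, act only on the attackers, escalating serially: no action while latency is
    normal; drop the outlying clients when they can be singled out; otherwise (distributed
    source, no outlier) throttle the URLs absorbing most of the window. The plan is returned
    rather than enforced so the caller decides how to apply it to the traffic it forwards."""
    baseline_latency = average_latency(baseline)
    baseline_per_client = len(baseline) / len({ip for ip, _, _ in baseline})
    if not detect_dos(window, baseline_latency):
        return {"action": "none", "drop": set(), "throttle_urls": set()}
    attackers = identify_attackers(window, baseline_per_client)
    if attackers:
        return {"action": "drop_clients", "drop": attackers, "throttle_urls": set()}
    per_url = Counter(url for _, url, _ in window)
    hot = {url for url, count in per_url.items() if count > 0.5 * len(window)}
    return {"action": "throttle_urls", "drop": set(), "throttle_urls": hot}


if __name__ == "__main__":
    for name, window in (("baseline", BASELINE), ("single-source", UNDER_ATTACK), ("distributed", DISTRIBUTED)):
        print(name, mitigate(window, baseline=BASELINE))
```

Because the decision is latency-driven, a flash crowd that the servers absorb without slowing down never trips step 1, and a slow-rate attack that does degrade the servers is caught even though its request count alone would look unremarkable.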

Protect Applications from Threats
Adaptive and unique attack protection

• Gain visibility into application sessions
• Understand session context and apply policy
• Take action and mitigate offending clients


Unable to Secure Latest Web Apps

• Need to support AJAX apps and JSON payloads
• Unable to parse and secure JSON payloads
• Same attack vectors as http apps
• Policy violation renders no blocking signal

Example: www.stockfacts.com


Easily Secure JSON Payloads
BIG-IP Application Security Manager

• Protect from JSON threats
• Render unique blocking message for AJAX widgets
• User informs admin with support ID for resolution

Display a Blocking Message in AJAX Widget

Example: www.stockfacts.com
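What "parse and secure JSON payloads" amounts to, as an added example that is not ASM's parser or signature set: the request body is parsed, every string leaf of the document (including nested objects and array elements) is checked like a form parameter, a body that is not well-formed JSON is itself a violation, and a block produces a JSON message with a support ID that an AJAX widget can render and the user can quote to the administrator. The payloads and the two signatures are constructed for illustration and deliberately narrow; www.stockfacts.com is not contacted.

```python
import json
import re
import uuid

# Constructed, illustrative signatures applied to every parameter value. A real WAF
# signature set is far larger; these two exist only to make the walk observable.
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)"),
}

# Constructed request bodies, as an AJAX stock widget might POST them.
BENIGN = '{"symbol": "ACME", "quantity": 10, "watchlist": ["ACME", "XYZ"]}'
MALICIOUS = '{"symbol": "ACME\' OR \'1\'=\'1", "notes": {"body": "<script>alert(1)</script>"}}'


def walk_json(node, path="$"):
    """Yield (json_path, value) for every string leaf, descending into objects and arrays.
    Numbers, booleans and nulls carry no injectable text and are skipped."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_json(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_json(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def inspect_json_payload(raw_body):
    """Parse a request body as JSON and return a list of (json_path, signature_name)
    violations, one per leaf that matches a signature. A body that does not parse is
    reported as a single 'malformed_json' violation at the document root."""
    try:
        document = json.loads(raw_body)
    except ValueError:
        return [("$", "malformed_json")]
    violations = []
    for path, value in walk_json(document):
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                violations.append((path, name))
    return violations


def blocking_response(violations):
    """Build the JSON blocking message returned in place of the application response.
    The support ID is what the user relays to the administrator; the violation details
    themselves stay in the WAF log and are not echoed back to the client."""
    return {"blocked": True, "support_id": uuid.uuid4().hex[:16], "violations": len(violations)}


if __name__ == "__main__":
    for body in (BENIGN, MALICIOUS, "{not json"):
        found = inspect_json_payload(body)
        print(blocking_response(found) if found else {"blocked": False})
```

The path in each violation (`$.notes.body` rather than just "body") is what makes the log actionable: the same key name can appear at several depths, and a JSON-aware policy can allow the character set at one path while blocking it at another.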

Securing Dispersed Web Applications

• Unable to secure dispersed web apps
• No virtual WAF option for private cloud apps
• Replication of production environment complicated and cost-prohibitive

Diagram: clients and a hacker reach the data center Web 2.0 apps over the Internet through a load balancer, and reach the private cloud apps directly; neither path has a security layer.


F5 Innovative Protection for Web 2.0 Apps

• Secure all applications
• Automatically share policies between devices
• Quickly deploy BIG-IP ASM VE in virtual environments or private clouds

Diagram: one BIG-IP Application Security Manager in front of the data center Web 2.0 apps and a second in front of the private cloud apps; clients and the hacker arrive over the Internet.


Unknown Vulnerabilities in Web Apps

• Unable to find or mitigate vulnerabilities
• Very expensive to fix by recoding
• Difficult to include scanner assessments
• Need assurance that app sec. is deployed properly

Web application vulnerabilities as a percentage of all disclosures in 2011 H1: Web Applications 37 percent, Others 63 percent. Source: IBM X-Force Research and Development


Identify, Virtually Patch, and Mitigate Vulnerabilities

• Scan applications with:
  – Cenzic Hailstorm
  – QualysGuard Web App. Scanning
  – IBM Rational AppScan
  – WhiteHat Sentinel
• Configure vulnerability policy in BIG-IP ASM
• Mitigate web app. attacks

Diagram: BIG-IP Application Security Manager in front of the data center Web 2.0 apps and a second in front of the private cloud apps; clients and the hacker arrive over the Internet.


Protection from Vulnerabilities
Enhanced Integration: BIG-IP ASM and WhiteHat Sentinel

WhiteHat Sentinel (customer website):
• Finds a vulnerability
• Vulnerability checking, detection and remediation

BIG-IP Application Security Manager:
• Virtual-patching with one click on BIG-IP ASM
• Complete website protection

• Verify, assess, resolve and retest in one UI
• Automatic or manual creation of policies
• Discovery and remediation in minutes


Fast Vulnerability Mitigation Solution
BIG-IP ASM integrations with App. Sec. Testing

• Multiple vulnerability scanner assessments in one UI
• Discovery and remediation within minutes from central location
• Easy implementation for fast assessment and policy creation
• Dynamically configure policies in real-time during assessment
• Mitigate unknown application vulnerabilities reducing info/data loss


Free App Scan Service to Mitigate Vulnerabilities

• Free application vulnerability scan:
  • Cenzic Cloud in ASM UI
  • 3 free scans
• Configure vulnerability policy in BIG-IP ASM
• Protection from web app attacks

Diagram: BIG-IP Application Security Manager in front of the data center Web 2.0 apps and BIG-IP Application Security Manager Virtual Edition in front of the private cloud apps; clients and the attacker arrive over the Internet.


Quick Cenzic Cloud Connection

• 3 free basic scans with “Open Cenzic Cloud Trial Account”
• “Connect with Cenzic Cloud” (for existing users)
• Import vulnerabilities from Cenzic Cloud or load file


Free Cenzic Cloud Scans with ASM
Find Vulnerabilities and Reduce Exposure

• 3 free application scans directly from ASM/VE UI
• Free scans are limited health check services
• No time limits once signed up
• No other vendors provide free scan in UI

Cenzic Cloud scans test for:
1. Cross-Site Scripting
2. Application Exception
3. SQL Injection
4. Open Redirect
5. Password Auto-Complete
6. Credit Card Disclosure
7. Non-SSL Password
8. Check HTTP Methods
9. Basic Auth over HTTP
10. Directory Browsing


Benefits of Cenzic Cloud and BIG-IP ASM

• Narrows window of exposure and reduces operational costs:


– Real-time assessments and virtual patching
– Operationalizes admin. and simplifies mitigation
• Assures app security, availability and compliance:
– Assurance no matter vulnerabilities or policies built
– OWASP protection, compliance, geo blocking
• Improves app performance:
– Availability improves cost effectiveness
• Deploys flexibly with increased agility:
– Deployment in virtual and cloud environments
• Easily integrates with SDLC practices:
– Ongoing website security program


ASM and the Software Development Lifecycle

• Policy Tuning
• Pen tests
• Performance Tests

• WAF “offload” features:
  • Cookies
  • Brute Force
  • DDOS
  • Web Scraping
  • SSL, Caching, Compression

• Final Policy Tuning
• Pen Tests

• Incorporate vulnerability assessment into the SDLC
• Use business logic to address known vulnerabilities
• Allow resources to create value


Logging: Lack of User Context and Control

• Hard to see the big picture, requires manual analysis
• Some users are potential attackers
• Need violation logs w/user sessions and user name

Diagram: users, clients and a hacker reach the data center Web 2.0 apps over the Internet through a load balancer; the logs cannot tell which user is which.


Track and Control User Behavior
Session Awareness

Diagram: user and hacker reach BIG-IP Application Security Manager and Access Policy Manager, which associate the username with the app session.

• Integrate user context within ASM Logs
• Rules can be applied based on user behavior
• Tight Access Control layering with BIG-IP APM


Limiting App. Access Based On Location

• Need to block app requests from countries or regions due to compliance restrictions
• Limiting app. access based on location is a good practice to quickly reduce the attack sources


Easy Geolocation Application Enforcement

• Enable easy geolocation-based enforcement (instead of iRules)

• Block unwanted location and allow approved regions

• Comply with government, industry, political regulations



Difficult to Understand the High Level Picture with Violations

• Need faster process for violation correlation and visibility
• Unable to automatically correlate violations
• Seeking a common denominator or common criteria to reference
• Requires manual analysis and hard to see the big picture


See the BIG Picture: From Violations to An Incident

• Automatically correlate multiple violations which share a common denominator into a single incident
• Correlation is based on Source IP and on URL/Parameter; which denominator the violations share hints at a false positive or at an attack

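The two-key correlation described above, as an added example and not ASM's implementation: violations are grouped once by Source IP and once by URL/Parameter. Many distinct sources tripping the same URL/Parameter is reported as a probable false positive (legitimate input the policy rejects), and one source tripping several different targets as a probable attack. The log field names, the sample records and the threshold of three sources are constructed for illustration.

```python
from collections import defaultdict

# Constructed violation log, one dict per WAF violation. The field names are assumed;
# the slide does not show the real log schema.
VIOLATIONS = [
    {"id": 1, "src_ip": "203.0.113.7", "url": "/login", "param": "user", "type": "SQL injection"},
    {"id": 2, "src_ip": "203.0.113.7", "url": "/login", "param": "user", "type": "SQL injection"},
    {"id": 3, "src_ip": "203.0.113.7", "url": "/search", "param": "q", "type": "XSS"},
    {"id": 4, "src_ip": "198.51.100.20", "url": "/profile", "param": "bio", "type": "Illegal meta character"},
    {"id": 5, "src_ip": "198.51.100.21", "url": "/profile", "param": "bio", "type": "Illegal meta character"},
    {"id": 6, "src_ip": "198.51.100.22", "url": "/profile", "param": "bio", "type": "Illegal meta character"},
    {"id": 7, "src_ip": "198.51.100.23", "url": "/profile", "param": "bio", "type": "Illegal meta character"},
]


def correlate(violations, min_sources_for_fp=3):
    """Fold raw violations into incidents.

    Pass 1 groups by (url, param): a target hit by at least `min_sources_for_fp` distinct
    source IPs is an incident of kind 'probable_false_positive', because unrelated users
    do not coordinate on one parameter; the policy is most likely too strict there.
    Pass 2 groups the remaining violations by source IP: a single source with two or more
    violations is an incident of kind 'probable_attack', and the number of distinct
    targets it touched is recorded as a measure of how broadly it probed."""
    by_source = defaultdict(list)
    by_target = defaultdict(list)
    for v in violations:
        by_source[v["src_ip"]].append(v)
        by_target[(v["url"], v["param"])].append(v)

    incidents = []
    for target, group in by_target.items():
        sources = {v["src_ip"] for v in group}
        if len(sources) >= min_sources_for_fp:
            incidents.append({"key": target, "kind": "probable_false_positive",
                              "sources": len(sources), "violations": [v["id"] for v in group]})

    # Violations already explained by a false-positive incident are not charged to their sources.
    explained = {vid for inc in incidents for vid in inc["violations"]}
    for src, group in by_source.items():
        group = [v for v in group if v["id"] not in explained]
        if len(group) >= 2:
            targets = {(v["url"], v["param"]) for v in group}
            incidents.append({"key": src, "kind": "probable_attack",
                              "targets": len(targets), "violations": [v["id"] for v in group]})
    return incidents


if __name__ == "__main__":
    for incident in correlate(VIOLATIONS):
        print(incident)
```

Running the false-positive pass first matters: without it, each of the four profile users would remain a one-violation source and the analyst would still be reading seven raw entries instead of two incidents.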

Meet PCI Compliance


Easily comply with audits

PCI reporting provides:


• Requirements with details
• Current compliancy state
• Steps to become compliant



“Our F5 BIG-IP solution has made a major contribution to our PCI compliance and ability to process credit card data in the most secure manner.”
IT Manager, Medium Enterprise Consumer Products Company
TechValidate TVID: 2FA-797-31A


Protection From Top Web App. Vulnerabilities
(Open Web Application Security Project)

OWASP Top 10 Web Application Security Risks:
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

Source: www.owasp.org


Example: OWASP Top 5 - CSRF Attack

CSRF Attack example
1. Mobile user logs in to a trusted site
2. Session is authenticated
3. User opens a new tab, e.g., chat
4. Hacker embeds a request in the chat
5. The embedded link makes the browser send a request to the trusted site, and the browser attaches the user’s authenticated session to it

Diagram: Trusted Web Site, Encrypted, Trusted Action

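The attack steps above in code, as an added example that is not part of the original deck: a funds-transfer handler that trusts the session cookie alone accepts the request forged from the chat tab, because the browser attaches the cookie regardless of which page caused the request. The hardened handler beside it is an application-side defence shown for contrast (not the ASM feature): it requires a per-session synchronizer token that a page on another origin cannot read, and additionally rejects a request whose Origin header names another site. The session store, key, hostnames and both requests are constructed.

```python
import hashlib
import hmac

# Constructed server state. The key and session id are fixed so the example is
# reproducible; a real deployment generates both with the secrets module.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
SESSIONS = {"sid-42": {"user": "alice"}}
TRUSTED_ORIGIN = "https://bank.example"   # assumed hostname for the trusted site


def csrf_token(session_id):
    """Per-session synchronizer token: an HMAC over the session id. The attacker's page
    knows the victim is logged in but cannot read this value, so it cannot forge it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(request):
    """'Before': the handler trusts the session cookie alone. Step 5 of the attack works
    because the browser sends that cookie with the request the chat page triggered."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    return 200, f"{session['user']} sent {request['form']['amount']} to {request['form']['to']}"


def transfer_hardened(request):
    """'After': same handler with two checks the forged request cannot pass. The Origin
    check rejects a request that declares another site; the token check rejects a request
    that carries no valid token (Origin is absent in some flows, so the token is the
    primary control and the Origin check is defence in depth)."""
    sid = request["cookies"].get("sid")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403, "cross-origin request rejected"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(sid)):   # constant-time comparison
        return 403, "missing or invalid CSRF token"
    return 200, f"{session['user']} sent {request['form']['amount']} to {request['form']['to']}"


# Constructed requests. Both carry the session cookie, because the browser always sends it;
# only the legitimate one, rendered by the trusted site, carries the token.
LEGIT = {"cookies": {"sid": "sid-42"}, "headers": {"Origin": TRUSTED_ORIGIN},
         "form": {"to": "bob", "amount": "10", "csrf_token": csrf_token("sid-42")}}
FORGED = {"cookies": {"sid": "sid-42"}, "headers": {"Origin": "https://chat.example"},
          "form": {"to": "mallory", "amount": "5000"}}

if __name__ == "__main__":
    print("vulnerable, forged:", transfer_vulnerable(FORGED))
    print("hardened,   forged:", transfer_hardened(FORGED))
    print("hardened,   legit: ", transfer_hardened(LEGIT))
```

A WAF enforcing an approved-URL list or injecting its own token sits in front of both versions of the handler; the point of the pair is that the second request is indistinguishable from the first at the cookie level, which is why a cookie-only check cannot stop CSRF.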

Attack Protection from Rogue Users

• Easy checkbox functionality
• Approved URL list


Improve Site Performance

CASE STUDY

Challenge:
• Third-party network solution unstable
• Keeping people out of network
• Difficult to pinpoint app security problems
• Poor performance led to downtime

Benefits of BIG-IP LTM and ASM:
• Improved site performance by 2–3×
• Cut downtime from 4 hours per week to 0 hours
• Fewer false positives, more legitimate traffic
• Eliminated 8 hours per week in support calls

“The improvement in functionality, performance, security, and support with F5 has been outstanding.”
Brad Trankina, Director of Network and Information Systems, Human Kinetics


Secure and Accelerate Web Applications with BIG-IP ASM
Combined architecture and integrated benefits

• Web application security
• Web app. acceleration
• Access policy enforcement
• Scaling and high availability
• Database monitoring and blocking
• Enterprise Architecture


Secure Apps. for all throughput demands

Platforms: VIPRION 4400 and 2400; 11000, 8900, 6900, 3900, 3600 and 1600; Virtual Edition

Hardware and virtualized designed solutions for app. sec.
• High-end Enterprise Datacenter WAF: VIPRION and 11000 series
• Industry’s best performance for low end with 1600
• Low throughput Web Application Firewall for budget conscious buyer
• App. sec. on hypervisor infrastructure* with BIG-IP ASM VE
• Cost-effective scale and attack mitigation


ASM Platform Availability

• Available as a module with BIG-IP LTM
  • 1600/3600/3900/6400/6800/6900
  • 8400/8800/8900/8950/11000/11050
  • VIPRION 4400 and 2400
  • LTM Virtual Edition (VE)
• Standalone ASM on TMOS
  • 1600, 3600, 3900, 6900, 8900, 11000, ASM VE
  • Ability to Test or Add BIG-IP APM for Access Control
  • APM Lite included with ASM standalone
• Safety tip: View product matrix


Adaptive Protection for Critical Applications


BIG-IP ASM integrated architecture with attack protection

Dynamic datacenter secures all Web apps

Innovative vulnerability protection

Track and control user behavior

Fast PCI compliance


© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS,
and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries

Security Challenges

“54% of hacking breaches in larger organizations occur at the web application”

“A Denial of Service tool… using SSL/TLS showed the potential for an everyday laptop on an average connection to take down an enterprise web server”

“We still see SQL Injection as a choice point of entry for attacker”

“Anonymous proxies… have steadily increased, more than quadrupling in number as compared to three years ago.”

“Threat detection today… hinges on two elements: identifying suspicious activity among billions of data points, and refining a large set of suspicious incidents down to those that matter”

“The most significant change we saw in 2011 was the rise of ‘hacktivism’ against larger organizations worldwide”


The Shift To The Intelligent Network

• We want to leverage the business data: Business Analytics
• We need to approach security different: Evolving Threats
• Users expect a better experience: Personalized Experience


New Subscription Services


Global Delivery Intelligence


What’s Required To Build Context

Intelligence:
• Capture
• Analyze
• Classify

Context

Delivery:
• Events
• Analysis
• Action

Global Delivery Intelligence

An ecosystem of cloud-based services to make better network decisions.

Diagram: services available today: Location (free), IP Intelligence (subscription), Trust IQ Intelligence, Locate IQ Intelligence; together they supply the context that makes delivery fast, available and secure.

Global Delivery Intelligence (Today and Roadmap)

An ecosystem of cloud-based services to make better network decisions.

Diagram: the same service map, with roadmap items (further “xxx IQ Intelligence” services) added alongside Location (free), IP Intelligence (subscription), Trust IQ Intelligence and Locate IQ Intelligence.


IP Intelligence: Defend Against Malicious Activity and Web Attacks

We need to approach security different: Evolving Threats

Enhance automated application delivery decisions adding better intelligence and stronger security based on context.

• Layer of IP threat protection delivers context to identify and block IP threats using a dynamic data set of high-risk IP addresses.
• Visibility into threats from multiple sources leverages a global threat sensor network
• Deliver intelligence in a simple way reveals inbound and outbound communication
• Real-time updates keep protection at peak performance refreshing database every five minutes.


Security Landscape

Network-based Threats
• Web-based attacks
  – Anonymization: click fraud, malware, scraping and hacking
  – Zombies hired for DOS attacks
  – Website vulnerability probing
• Windows exploits
  – High volume of exploiters, probers
• Scanners
  – Probing across TCP ports and sensors
• Botnets
  – Command and Control
  – Zombie behavior
  – Malware

Security Implications
• Changing threat landscape
  – Proliferation of malware, hacking, virus
  – Malicious ecosystem growing
• Evolving attack motivations
  – Evolved from notoriety to profit
  – Profit leads to sophisticated attacks
• Enterprises have limited visibility & constraints
  – Each has view on threat landscape
  – Existing infrastructure under severe operational pressure
• Threat landscape requires
  – Increase security posture
  – Reduce appliance processing time
  – Appliance leverages added layer of security intelligence


IP Intelligence Categories

• Reputation: deny access to infected IPs
• Windows Exploits: known distributed IPs
• Web Attacks: IPs used for SQL Injection, CSRF
• BotNets: infected IPs controlled by Bots
• Scanners: probes, scans, brute force
• Denial of Service: DoS, DDoS, Syn flood
• Phishing Proxies: phishing sites host
• Anonymous Proxies: anon services, Tor


Threat Categories - IP Intelligence Protection

• Windows Exploits: active IP addresses offering or distributing malware, shell code, rootkits, worms or viruses
• Web Attacks: cross site scripting, iFrame injection, SQL injection, cross domain injection or domain password bruteforce
• Botnets: Botnet C&C channels and infected zombie machines controlled by a Bot master
• Scanners: all reconnaissance such as probes, host scan, domain scan and password bruteforce
• Denial of Service: DOS, DDOS, anomalous syn flood, anomalous traffic detection
• Reputation: deny access from IP addresses currently known to be infected with malware. This category also includes IPs with an average low Webroot Reputation Index score. Enabling this category will prevent access from sources identified to contact malware distribution points
• Phishing: IP addresses hosting phishing sites, and other kinds of fraud activity such as Ad Click Fraud or Gaming fraud
• Proxy: IP addresses providing proxy and anonymization services. This category also includes TOR anonymizer IP addresses


IP Intelligence Overview

Service Module: IP Intelligence
• Dynamic Threat IPs
• All BIG-IP appliances
• Near-real-time updates (up to 5min intervals)
• Dramatically reduces system loads
• Provisioned across Multiple Threat Types
• Subscription-based service
• Delivering Dynamic Updates in near real-time

IP Intelligence Highlights
• Developed from customer-driven demand
• Ever-increasing volume of threats
• Improves security stopping known bad traffic; static and publicly available Black Lists are insufficient
• Compelling value
• Better appliance efficiency reducing network traffic
• Value-add layer of IP-based security
• Faster threat response with near-real-time updates


IP Intelligence
How it works

• Fast IP update of malicious activity
• Global sensors capture IP behaviors
• Threat correlation reviews/ blocks/ releases

Key Threats: Web Attacks, Reputation, Windows Exploits, Botnets, Scanners, Network Attacks
Sensor Techniques: Semi-open Proxy Farms, Exploit Honeypots, Naïve User Simulation, Web App Honeypots, Third-party Sources, DNS
IP Intelligence Service: Threat Correlation produces the Dynamic Threat IPs, delivered over the Internet to the BIG-IP System every 5min.


IP Intelligence Use Cases for BIG-IP

Malicious Inbound Connection Attempts
• Threat prevention: rejecting inbound connection attempts from known Threat IPs; automatically update real-time feeds
• Benefits: improve security and performance; enhance perimeter security; mitigate DoS attacks; increase device throughput

Malicious Outbound Communications
• Threat prevention: block outbound communications from infected endpoints (i.e., zombies) to botnet networks
• Benefits: reduce security risk; prevent frauds; prevent information leakage

Packet Parsing Reduction
• Threat prevention: reduce processing time (e.g., form input parsing and validation overhead) by blocking sites from known Threat IPs
• Benefits: increase performance and scalability of protected applications

Anonymization Prevention
• Threat prevention: block inbound connections from anonymous proxies
• Benefits: increase security and performance of device; prevent frauds

Phishing Protection
• Threat prevention: protect high-value websites by preventing access of site objects by phishing sites, or by any non end-user source
• Benefits: increase availability and performance of protected servers/applications; prevent frauds

Botnets
• Threat prevention: block botnet C&C channels and infected zombie machines controlled by a Bot master for DoS and other attacks
• Benefits: improve security and performance; enhance perimeter security; mitigate DoS attacks; increase device throughput


IP Intelligence
Identify and allow or block IP addresses with malicious activity

Diagram: the IP Intelligence Service pushes an IP address feed to the BIG-IP System every 5 min; the BIG-IP System, backed by a geolocation database, sits in front of a custom application and a financial application; sources include an attacker, a botnet, anonymous requests through anonymous proxies, scanners, and internally infected devices and servers.

• Use IP intelligence to defend attacks
• Reduce operation and capital expenses


Easily Configure Violation Categories


IP Intelligence Service Management in ASM UI
• Easily manage alarms and blocking in ASM
• Approve desired IPs with Whitelist
• Policy Building enabled for ignoring

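How the per-category alarm/block choice, the whitelist and the periodic feed refresh fit together at enforcement time, as an added example that is not F5's code: category names follow the slides, while the per-category actions, the aging rule (an address the feed has not re-asserted for an hour is no longer acted on), the feed contents, the whitelisted network and the timestamps are assumed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Per-category action, standing in for the alarm/block checkboxes. The category names
# are the ones listed on the slides; which action each gets is an assumption here.
POLICY = {
    "Botnets": "block", "Denial of Service": "block", "Windows Exploits": "block",
    "Web Attacks": "block", "Scanners": "alarm", "Phishing": "alarm",
    "Anonymous Proxies": "alarm", "Reputation": "alarm",
}

# Constructed feed updates, each a list of (ip, category) as delivered at one refresh.
FEED_T0 = [("203.0.113.7", "Botnets"), ("198.51.100.9", "Scanners"), ("192.0.2.5", "Anonymous Proxies")]
FEED_T1 = [("203.0.113.7", "Botnets"), ("198.51.100.9", "Scanners"), ("198.51.100.9", "Web Attacks")]


@dataclass
class ThreatIntel:
    max_age: int = 3600                                  # seconds before an entry the feed stops re-asserting ages out (assumed)
    whitelist: list = field(default_factory=list)        # ipaddress networks that are never alarmed or blocked
    entries: dict = field(default_factory=dict)          # ip -> (set of categories, last_seen timestamp)

    def refresh(self, feed, now):
        """Merge one feed update. Every address in it is re-asserted at `now`; addresses
        absent from the update keep their old timestamp and will age out if not re-listed."""
        for ip, category in feed:
            categories, _ = self.entries.get(ip, (set(), now))
            categories.add(category)
            self.entries[ip] = (categories, now)

    def categories(self, ip, now):
        """Categories currently in force for `ip`; an aged-out entry contributes none."""
        categories, last_seen = self.entries.get(ip, (set(), None))
        if last_seen is None or now - last_seen > self.max_age:
            return set()
        return categories

    def decide(self, ip, now):
        """Return (action, categories). Whitelist wins over everything; otherwise the most
        severe action among the address's categories wins (block over alarm over allow)."""
        address = ipaddress.ip_address(ip)
        if any(address in network for network in self.whitelist):
            return "allow", set()
        categories = self.categories(ip, now)
        actions = {POLICY.get(category, "alarm") for category in categories}
        if "block" in actions:
            return "block", categories
        if "alarm" in actions:
            return "alarm", categories
        return "allow", categories


def run_scenario():
    """Two refreshes five minutes apart, then a lookup after the aging window has passed."""
    intel = ThreatIntel(whitelist=[ipaddress.ip_network("192.0.2.0/24")])
    intel.refresh(FEED_T0, now=0)
    first = {ip: intel.decide(ip, now=10)[0] for ip in ("203.0.113.7", "198.51.100.9", "192.0.2.5", "10.0.0.1")}
    intel.refresh(FEED_T1, now=300)
    escalated = intel.decide("198.51.100.9", now=310)        # Scanners + Web Attacks: alarm becomes block
    aged = intel.decide("203.0.113.7", now=300 + intel.max_age + 1)
    return first, escalated, aged


if __name__ == "__main__":
    print(run_scenario())
```

The aging rule is the part most often left out of home-grown blocklists: without it an address that was a scanner for a day stays blocked after it has been reassigned to a legitimate customer, which is exactly the false positive the whitelist then has to paper over.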

IP Intelligence Violation Reporting


• View and learn the current IP violations in ASM UI


Graphical Reporting
• Detailed chart path of threats in ASM


IP Intelligence Database and Limitations

• Database is refreshed as frequently as every 5 min
• Status is available in ASM UI

Current Limitations:
• IPv6 is not supported


IP Intelligence Subscription-Based SKUs

• Buy: License for 1yr or 3yr
  – Price depending on device
• Try: 30 day free trial per box
  – Access license via Eval. Reg. Generator

Platform: 1 Year (USD) / 3 Year (USD)
Virtual Edition: $800.00 / $1,919.00
1600: $1,800.00 / $4,319.00
3600: $3,000.00 / $7,199.00
3900: $4,000.00 / $9,599.00
6900: $5,500.00 / $13,199.00
8900/8950: $9,000.00 / $21,599.00
11000/11050: $13,000.00 / $31,199.00
VIPRION 2400: $12,999.00 / $31,197.00
VIPRION 4400/4480: $25,499.00 / $61,197.00


IP Intelligence: Context-based delivery & protection

• Intelligence-based predicted Threat IPs
  – Based on observation, context and statistical modeling
  – Aging & correlation of Threat IP data
• Broad-based threat identification
  – Global network of sensors addressing diverse use cases
  – Threat IPs are catalogued and tracked indefinitely
• Cloud-based architecture
  – Global Delivery Intelligence: subscription-based service
  – Real-time continuous updates
• Available throughout all BIG-IP systems
  – Configurable in ASM UI
  – Accessible from iRules for all solutions


F5’s BIG-IP Application Security Manager
Winner of the SC Magazine Reader Trust Award, Best Web Application Security Solution 2010

http://www.scmagazineus.com/best-web-application-security-solution/article/164135/


Plan for Growth and Avoid Downtime
It starts with load balancing

BIG-IP LTM: high-performance hardware, dynamic load balancing methods, application health monitoring, transaction assurance, session persistence

BIG-IP LTM load balances at the application level to:
• Ensure the best resources are always selected
• Provide deep visibility into application health
• Proactively inspect and respond to errors

Eliminate downtime and scale the application


Increase Application Server Capacity and Better Utilize Bandwidth
with BIG-IP Local Traffic Manager (LTM)

OPTIMIZED APPLICATIONS & DATA
• Connection Management (OneConnect™)
• RAM Cache
• Compression offload
• SSL offload

• Increase server capacity
  – 60% with OneConnect™
  – 9x with RAM Cache
  – 20% with Compression offload
  – 30% with SSL offload
• Reduce costs with centralized SSL key management


Web applications are at risk

• SANS report
• Focused on patching Operating Systems
• 80% of vulnerabilities are in web apps
• 60% of the attack vectors are web based



“At the time of deployment, we can secure critical applications proactively and rapidly, directly through BIG‑IP ASM, which saves us a lot in terms of rollout time and resources.”
Philippe Bossut, Network System Manager, Crédit Coopératif


Reporting


Application Analytics

• Stats grouped by application and user
• Provides
  – Business Intelligence
  – ROI Reporting
  – Capacity Planning
  – Troubleshooting
  – Performance

Stats Collected: URLs, Server Latency, Client-Side Latency, Throughput, Response Codes, Methods, Client IPs, Client Geographic, User Agent, User Sessions
Views: Virtual Server, Pool Member, Response Codes, URL, HTTP Methods


Application visibility and reporting

Monitor URIs for server latency
• Troubleshoot server code that causes latency


Fail Open Solutions Always Vulnerable

• Exposed web sites are under constant attack
• Vulnerabilities happen anywhere
• A WAF designed to fail open passes traffic uninspected whenever it fails; in that state the site is as easily hacked as with no WAF at all


Problem: Takes Time to Repair Vulnerabilities

• Security team unable to control dev. team priorities
• Each vulnerability takes time to fix and test, making sure the fix isn’t introducing new problems
• Very expensive manual process
• Sometimes vulnerabilities are impossible to fix
  – Due to 3rd party code or library
  – Vulnerabilities found in web server call or OS call
  – Old application with no dev. team


Solution: Mitigate Vulnerabilities with BIG-IP ASM

• Mitigate vulnerabilities in minutes
• Security team obtains control of web applications
• Development team support is not required
• Protect against discovered and undiscovered vulnerabilities
• Default configuration blocks any scanner’s ability to detect security issues


Problem: Lack of Visibility

• No comprehensive logging for http requests
  – Default web server access logs record the request line and a few headers, not the full http headers or post data
  – Without full logging, attacks sent over post data are not visible
  – Alternative logging solutions are challenged to log SSL traffic (e.g. IPS)
• Without full logging, impossible to run forensics
  – Need full logging to enable forensic analysis
  – Desire automated way to see malicious traffic


Solution: Full Visibility with BIG-IP ASM

• Logs the full http message
• Terminates and logs https traffic
• Capable of identifying and logging all web application attacks
• Equipped with high speed and customized syslog logging
• Able to log all http transactions, enabling forensics
• Integrates with leading SIEM vendors such as ArcSight, Splunk, RSA enVision, NitroSecurity, and more
• Logs all requests that created web server errors
  – Easy to deliver to application team for troubleshooting


Problem: Point Solutions
Application Security with no ADC

• Added network complexity
• Negatively affects network performance
• Additional point of failure
• Low efficiency:
  – Power consumption
  – Rack density
• Requires management layer
• New vendor learning curve


Solution: Integrated ADC Security
BIG-IP Application Security Manager

• Simplifies and streamlines network topology
• Unifies app. security and delivery for full L2 to L7 protection

BIG-IP LTM + ASM

SECURE APPLICATIONS & DATA
• Application Proxy
• Transaction Assurance
• Resource Cloaking
• Network and protocol attack prevention
• Secure Network Address Translation
• Port Mapping
• Selective Content Encryption

PROTECT WEB APPLICATIONS
• Layer 7 Web app. protection
• Secures latest interactive apps.
• Quickly resolves vulnerabilities
• Protects from OWASP Top 10+
• Educates admin. on attack type
• Logs and reports all traffic
• Meets PCI Compliance
• Out-of-the-box deployment


Problem: Testing App. Sec. with Hardware is Expensive

[Diagram: BIG-IP ASM testing in lab on BIG-IP LTM and ASM hardware, reached over the Internet by mobile and remote users and by LAN users]

• High costs: lab infrastructure
• High testing costs
• Slow testing speed
• Expensive infrastructure

Application Security for Virtualized Environments

BIG-IP ASM Virtual Edition

• Flexible app. security running on VMware ESX Server
• Cost reduction for lab environments
• Fast implementation for virtualized environments

[Diagram: BIG-IP ASM VE testing in lab; BIG-IP LTM + ASM and BIG-IP ASM VE serving mobile/remote users and LAN users over the Internet; private and public cloud, standalone or LTM VE + ASM]

• Lower testing costs
• Increased testing speed
• Most flexible infrastructure

Consolidate Multiple ADC/WAF Instances

Participate in virtual CMP (vCMP) for max. resource utility
Leverage purpose-built hardware

[Diagram: one BIG-IP LTM/ASM in front of the web servers for App 1 ... App n]

• Separate groups provisioning
• Efficient mgmt. = lower costs
• Consolidate multiple depts. & apps.

Integrated Vulnerability Assessment in UI

BIG-IP ASM + WhiteHat Sentinel Integration

• Discovery and remediation within minutes
• Easy implementation for fast assessment and policy creation
• Dynamically configure policies in real time
• Mitigate unknown application vulnerabilities

Vuln. Assessment w/IBM Rational AppScan and App. Sec.

• Discovery and remediation within minutes
• Easy implementation for fast assessment and policy creation
• Dynamically configure policies in real time
• Mitigate unknown application vulnerabilities

Vuln. Assessment w/QualysGuard WAS and App. Sec.

• Discovery and remediation within minutes
• Easy implementation for fast assessment and policy creation
• Dynamically configure policies in real time
• Mitigate unknown application vulnerabilities

ICAP Support for SOAP Attachments

• Extracts every file upload and sends it to an antivirus scan over the Internet Content Adaptation Protocol (ICAP)
• Includes SOAP attachments
• Every file upload within a multipart request is sent


Attack Expert System in ASM

1. Click on info tooltip


HPP hack behavior on various platforms


HPP mitigation


Automated Scanner and BOT Programs

[Diagram: remote users and an automated scraper reach Web and Domino servers behind an ADC in the Dublin and Frankfurt datacenters; the scraper copies public pages or requests private data behind the login page, mixed with legitimate user traffic]

Problem
• Entire web site is being scraped of valuable IP information
• Scrapers fail to provide the company's terms and updates
• Sites copying content end up ranking above the company's for keywords
• Need logging and reporting on web scraping

Airline Inventory Vulnerable to Web Scraping

• Ryanair forbids screen-scraping as commercial use. Major business problem
• Unister online travel site: Dusseldorf to London
– Ryanair 93.25 Euros vs. Unister 111.86 Euros, a 20% increase in price
• easyJet warns Expedia: 'Hands off our flights'
– Tried to block IP addresses, but Expedia uses millions of IP addresses
• Alternatives: litigation and legal letters
– Ryanair sent cease and desist letters to 300 sites
– Ryanair wins injunction against Vtours GmbH


Protection from Web Scraping

[Diagram: Dublin and Frankfurt datacenters, each with a BIG-IP (8900 and 6900) running LTM/ASM in front of Web and Domino servers; legitimate remote users see data while the automated scraper is remediated; BIG-IP detects the requests, determines that the site is being scraped, and provides comprehensive reporting on scraping attacks]

Solution
• Protects valuable intellectual property
• Prices are controlled and users see airline-approved inventory
• Integrated scrape reporting for PCI compliance
• Avoid litigation, drastically reducing legal costs

Control Over BOTs and Scanners

Protection from Web Scraping

[Screenshot: ASM web scraping settings]
• Defaults are pre-configured for detection, blocking and re-checking
• Add IP addresses to the whitelist for allowable BOTs
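The settings described above (pre-configured detection, blocking and re-checking, plus an IP whitelist for allowable bots) amount to a per-client rate and behaviour check. As an added example, not code from the slides or from F5's ASM, the Python below runs such a check over constructed access-log lines: a client is flagged as a scraper when it exceeds a request-rate threshold inside a sliding window while requesting mostly distinct URLs, and whitelisted addresses are reported but never blocked. The log format (Apache combined), the thresholds, the user agents and the IP addresses are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format (assumed; ASM's own logs use a different layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed allow-list: a crawler the site wants to serve even if it bursts.
WHITELIST = {"203.0.113.10"}


def make_lines(ip, ua, count, start, step, path_for):
    """Build constructed combined-log lines (sample data, not real traffic)."""
    return [
        f'{ip} - - [{(start + i * step).strftime(TS_FMT)}] "GET {path_for(i)} HTTP/1.1" '
        f'200 5120 "-" "{ua}"'
        for i in range(count)
    ]


T0 = datetime(2012, 3, 10, 10, 0, 0, tzinfo=timezone.utc)
LEGIT_PATHS = (
    "/flights?from=DUB&to=LON&date=2012-03-11",
    "/flights?from=DUB&to=LON&date=2012-03-11",
    "/seats",
    "/checkout",
)
SAMPLE_LOG = (
    # scraper: 30 fare lookups, one per second, every URL different
    make_lines("198.51.100.7", "python-requests/1.0", 30, T0, timedelta(seconds=1),
               lambda i: f"/flights?from=DUB&to=LON&offset={i}")
    # legitimate user: a handful of requests spread over two minutes
    + make_lines("192.0.2.5", "Mozilla/5.0", 4, T0, timedelta(seconds=30),
                 lambda i: LEGIT_PATHS[i])
    # allowed crawler: same burst shape as the scraper, but on the whitelist
    + make_lines("203.0.113.10", "ExampleBot/1.0", 30, T0, timedelta(seconds=1),
                 lambda i: f"/flights?from=DUB&to=LON&offset={i}")
)


def peak_requests(timestamps, window):
    """Largest number of requests from one client inside any sliding window."""
    ts = sorted(timestamps)
    peak = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


def detect_scrapers(lines, whitelist, max_requests=10,
                    window=timedelta(seconds=10), min_distinct_ratio=0.8):
    """Return {ip: 'allowed-bot' | 'scraper' | 'ok'} for every client seen."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the detector
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        per_ip[rec["ip"]].append(rec)

    verdicts = {}
    for ip, recs in per_ip.items():
        burst = peak_requests([r["ts"] for r in recs], window)
        # Scrapers walk the catalogue, so nearly every request is a new URL;
        # a human reloading a results page scores low here.
        distinct_ratio = len({r["path"] for r in recs}) / len(recs)
        if ip in whitelist:
            verdicts[ip] = "allowed-bot"  # whitelist wins regardless of traffic shape
        elif burst >= max_requests and distinct_ratio >= min_distinct_ratio:
            verdicts[ip] = "scraper"
        else:
            verdicts[ip] = "ok"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect_scrapers(SAMPLE_LOG, WHITELIST).items():
        print(f"{ip:15} {verdict}")
```

The whitelist check runs before the rate check on purpose: an allowed crawler can look exactly like a scraper, so its verdict must not depend on traffic shape. Rate alone is a weak signal (NAT gateways and corporate proxies burst legitimately), which is why the distinct-URL ratio is combined with it; the re-checking step the slide mentions is the natural place to challenge a flagged client rather than block it outright.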


Healthcare Organization Example

Need application security with SharePoint

[Diagram: Kansas City Data Center (Web, Exchange, Network, BIG-IP 8900) and Columbus Branch (Web, Exchange, BIG-IP 6900), with IT staff, medical staff, remote users and a hacker]

Problems
Availability and security
• Uploading test results into FTP folders, via email, etc.
• Web application traffic needs security
• Current network firewall unable to view attacks
• No one assigned to web application security

Healthcare Organization Example

Fast web application security implementation

[Diagram: Kansas City Data Center (Web, SharePoint, Exchange, Network, BIG-IP 8900 LTM/ASM) and Columbus Branch (Web, Exchange, BIG-IP 6900 LTM/ASM), with IT staff, medical staff, remote users and a hacker. Callouts: policy templates deployed in minutes; policies for attack protection, L7 DoS and brute force; view the application layer to see what's transpiring; cost-effective data center platform]

Solution
Easy security and availability
• Unwanted clients are remediated
• Desired clients are serviced
• Fast SharePoint deployment
• Pre-configured application security policies
• View how SharePoint is accessed and behaving
• Rapid rollout within compliance
Application visibility and reporting: signatures, violations, URIs

EMEA Customer Website

[Diagram: Cape Town Data Center with Web and Linux servers behind an ADC; IT staff, users and an attacker]

Problems
• Unaware of attacks and no ability to block them
• End user performance is declining
• Current network firewall unable to view attacks
• Separate solutions for acceleration and security were difficult to manage


EMEA Customer with ASM and WebAccelerator

“We didn’t even know we were being attacked…”

[Diagram: Cape Town Data Center with a BIG-IP 6900 running LTM, WebAccelerator (WA) and ASM in front of Web and Linux servers; IT staff now aware of attacks; availability, security and acceleration on one platform]

Solution
Unified application delivery
• 10x user performance increase
• 50% bandwidth reduction
• Attack and threat protection (SQL injection, signatures)
• Visibility into attacks
• Provisioning resources to ASM during large attacks

EMEA Customer with ASM and WebAccelerator

Fast and secure

[Diagram: Cape Town Data Center with a BIG-IP 6900 running LTM, WA and ASM in front of Web and Linux servers; attacks mitigated; ASM automatically adjusts loads between CPUs for clustered multiprocessing]

Solution
On-demand service provisioning
• Allocate resources to other application delivery services
• Attack and threat protection (SQL injection, signatures)
• Burst and accelerate applications to meet user demands
• Dynamic content caching for 80 - 90% of page loads
• ASM and WA pre-configured policies

Most Scalable Application Security

LTM/ASM

Leading Value
• On-demand scalability
• Advanced security
• Integrated security performance
• Application insight/visibility

Better security and 2x+ performance



The Most Comprehensive App. Security

Feature                                             F5   Barracuda  Breach*  Citrix  Imperva
Violation correlation                               Yes  No         No       No      No
Virtualization and multi-tenancy                    Yes  No         No       No      No
Staging area for new signatures                     Yes  No         No       No      No
AJAX/JSON protection w/blocking page                Yes  No         No       No      No
Session awareness (reporting and enforcement)       Yes  No         No       No      No
Network DDoS attack protection (LTM)                Yes  No         No       Yes     No
Integration with 4 vulnerability scanners (1 UI)    Yes  No         No       Yes     Yes(1)
Data center security in one unit                    Yes  No         No       No      No
Network and app. security analytics                 Yes  No         No       No      Yes
Web scraping protection                             Yes  No         Yes      No      No
Programmatic control (iRules, iControl, iApps)      Yes  No         No       No      No
IPv6 ready                                          Yes  No         No       No      Yes
Geolocation reporting and blocking                  Yes  No         No       No      Yes(4)
Layer 7 DoS attack protection                       Yes  No         No       Yes(5)  Yes
CSRF checkbox attack protection                     Yes  No         Yes(3)   Yes(6)  Yes
Access control and app. security                    Yes  No         No       Yes     No(7)

(The numbered markers and the asterisk on Breach are the original slide's footnote references; the footnotes themselves are not reproduced on this page.)

Proxy vs Bridge Mode?

Bridge
– Risk transference: "offload" to traditional defence
– Passive listener: reactive response

Proxy
– Flexible + scale up: unified defense front line
– Visibility + control: identify/mediate in real time


Proxy vs Bridge Mode

Bridge
– Risk transference: "offload" to traditional defence
– Passive listener: reactive response

Proxy
– Flexible + scale up: unified defense front line
– Visibility + control: identify/mediate in real time

Macro strategy: proactive + resilient, layered resistance to ongoing attacks
– Proxied edge (resist spreading attack)
– Proxied network (resist concentrated attack)
– Proxied infrastructure points (resist scaling attack)
– Carrier grade platform

(Diagram axis labels: Macro Strategy, Micro Strategy)



Traditional Security Devices vs. WAF

                                      Network Firewall   IPS        ASM
Known web worms                       Limited            Yes        Yes
Unknown web worms                     No                 Limited    Yes
Known web vulnerabilities             Limited            Partial    Yes
Unknown web vulnerabilities           No                 Limited    Yes
Illegal access to web-server files    Limited            No         Yes
Forceful browsing                     No                 No         Yes
File/directory enumeration            No                 Limited    Yes
Buffer overflow                       Limited            Limited    Yes
Cross-site scripting                  Limited            Limited    Yes
SQL/OS injection                      No                 Limited    Yes
Cookie poisoning                      No                 No         Yes
Hidden-field manipulation             No                 No         Yes
Parameter tampering                   No                 No         Yes
Layer 7 DoS attacks                   No                 No         Yes
Brute force login attacks             No                 No         Yes
App. security and acceleration        No                 No         Yes

BIG-IP ASM v11.2 Enhancements

Free vulnerability assessment, tightened policies, and IP Intelligence service
• Vulnerability assessment – free scan w/Cenzic Cloud
• Layer a vulnerability policy on an existing ASM policy
• “To do list” – recommended list for improving ASM policies
• Quick links – easily configure and implement security policies
• IP Intelligence service (optional) – identify IP addresses w/malicious activity


BIG-IP ASM v11.1 Enhancements

• Improve Granular Web Application Visibility:
– Session based enforcement and reporting (Session Awareness)
– Group of violations with Violation Correlation
– View requests as valid or attack with Response Capturing
– Troubleshoot performance and capacity issues with Virtual Server CPU statistics

• Greater Vulnerability Assessment and Application Protection
– Advanced vulnerability assessment and application protection (new vuln. scanners)
• IBM Rational AppScan
• Cenzic Hailstorm
• Qualys’ QualysGuard WAS
• WhiteHat Sentinel (available since v10.1)

• Fast Geolocation App. Protection
– Geolocation based blocking (down to state or region)

• Infrastructure Enhancements
– ASM 64 bit support – 64bit OS support
– IPv6 ASM support – correctly manage and protect IPv6 traffic
– Route Domains support – aligning ASM with Route Domains

• GUI enhancements
– Deployment wizard to secure a Virtual Server
– Dynamic reports definition (e.g. top attacked URL out of top websites)
– Colors highlight different severities

ASM v11.0 Enhancements

Adaptive Protection for Critical Applications

Secure latest Web 2.0 applications
• Support for AJAX widgets and JSON payloads

New platforms for all IT environments
• BIG-IP ASM VE in virtual and private cloud
• Isolated resource allocation: vCMP support for ASM
• BIG-IP ASM on 11000 = high throughput; 1600 = budget conscious

Enhanced management and reporting
• Vulnerability assessment and mitigation in the SDLC w/ WhiteHat
• Auto policy sync between devices
• iApp for integrated security services


ASM v10.2.1 Enhancements

• Scalable TCP connections with no hard limits

• Exported policies with signature sets

• Export/import policies add iControl command

• Easy Policy Builder configuration; learn from responses


Scalable Connections with App Security

[Diagram: applications behind BIG-IP® LTM + ASM or PSM]

• 15K connections (9.x)
• 60K connections (10.x)
• No hard limits (10.2.1)


ASM v10.2 Features

• Easy-to-implement, checkbox configuration protection from dangerous Cross-Site Request Forgery (CSRF) attacks.

• Consolidate Web Services encryption and decryption plus digital signature signing and validation on BIG-IP.

• Support for the antivirus scanning protocol ICAP: uploaded files are sent out for scanning and the verdict is received back.

• VIPRION supports recent ASM features: DoS, brute force, CSRF, and web scraping protection. Web Services encryption/decryption and digital signatures plus Policy Builder 2.0 are supported.

• HPP mitigation – HTTP parameter pollution protection: protection against the WAF bypass in which an illegal parameter value is split across repeated parameters so that each piece passes inspection while the back end reassembles them into a consumable request.

• Policy Builder 2.0 – this updated version brings easily explainable rules and configuration, integration with staging, and supports up to 10 websites in parallel (for policy building).
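The HPP bullet on the v10.2 slide describes the bypass only in outline: a payload split across repeated parameter names so that each piece looks harmless, while the back end reassembles the pieces. As an added example, not code from the slides and not F5's implementation of HPP mitigation, the Python below shows how three duplicate-handling policies change what the back end sees, and contrasts a naive per-value signature scan with an HPP-aware check that reports duplicate names and scans the reassembled value under every policy. The comma-join policy is the behaviour commonly documented for ASP.NET, first-occurrence for JSP and last-occurrence for PHP; that platform attribution is general knowledge, not taken from the slides. The sample query strings and the deliberately narrow SQL injection signature are constructed for the illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample query strings (not taken from the slides).
QUERIES = {
    "benign": "id=42&sort=asc",
    # Payload split across three "id" values. Each piece alone carries no
    # recognisable SQL; a back end that comma-joins duplicates sees
    #   1'/*,*/OR/*,*/1=1--
    # and once the SQL engine drops the /* */ comments that is   1'OR1=1--
    "hpp_sqli": "id=1'/*&id=*/OR/*&id=*/1=1--",
}

# Deliberately narrow signature so the bypass is visible: matches "or 1=1".
SQLI_RE = re.compile(r"\bor\s*1\s*=\s*1", re.IGNORECASE)
COMMENT_RE = re.compile(r"/\*.*?\*/")


def parse_params(query):
    """Group every value per parameter name, preserving order of appearance."""
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped


def backend_view(grouped, policy):
    """Value each parameter resolves to under a duplicate-handling policy.
    'first' and 'last' keep one occurrence; 'join' concatenates with a comma
    (the behaviour commonly documented for ASP.NET)."""
    pick = {
        "first": lambda vals: vals[0],
        "last": lambda vals: vals[-1],
        "join": lambda vals: ",".join(vals),
    }[policy]
    return {name: pick(vals) for name, vals in grouped.items()}


def looks_like_sqli(value):
    # Strip /* ... */ so the signature sees what the SQL parser would see.
    return bool(SQLI_RE.search(COMMENT_RE.sub("", value)))


def per_value_hits(grouped):
    """What a naive WAF does: scan each submitted value in isolation."""
    return {name: [looks_like_sqli(v) for v in vals] for name, vals in grouped.items()}


def hpp_check(query):
    """HPP-aware check: report duplicate names and scan the value the back end
    would reassemble under every policy, not just each piece on its own."""
    grouped = parse_params(query)
    duplicates = {n: len(v) for n, v in grouped.items() if len(v) > 1}
    reassembled_hits = {
        policy: [n for n, v in backend_view(grouped, policy).items() if looks_like_sqli(v)]
        for policy in ("first", "last", "join")
    }
    naive_hit = any(any(hits) for hits in per_value_hits(grouped).values())
    return {
        "duplicates": duplicates,          # informational: legitimate for multi-select fields
        "naive_hit": naive_hit,
        "reassembled_hits": reassembled_hits,
        "block": naive_hit or any(reassembled_hits.values()),
    }


if __name__ == "__main__":
    for label, q in QUERIES.items():
        print(label, hpp_check(q))
```

Duplicate names are reported rather than blocked outright because multi-valued form fields (checkbox groups, multi-selects) legitimately repeat a name; a production policy would allow duplicates only for parameters declared as multi-valued and treat any other repetition as the anomaly it usually is, which is the shape of check the slide's "illegal parameters" wording points at.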

Policy Builder in v10.2

• Easily explainable rules

• Uses the BD parsing outcome

• Integrated with staging

• Continuous mode when enabled

• Supports up to 10 websites in parallel (for policy building)


ASM v10.1 Features

• New Platforms
• Better Protection
  • Web Scraping
  • IP Penalty Enforcement
• Improve Compliance
  • Logging and Reporting
  • PCI Reporting
  • Human readable policies
  • Remote audit
• Manageability / Usability
  • Attack Expert System
  • Policy staging
  • ActiveSync policy template
  • WebSphere signature set
  • Arcsight format support
• WhiteHat Integration
  • Detect and mitigate more vulnerabilities
  • Support ongoing maintenance in non-blocking mode
• Integration
  • ASM events in iRules
  • Fast Cache integration
• Reporting
  • Attack Map Reporting

ASM business benefits

Innovative Application Protection and Compliance:


• Reduce costs
– Reduce the expenses of meeting PCI security compliance requirements
– Consolidation and integration
• Improve workforce efficiency
– Leading attack protection with PCI compliance reporting
• Streamline application delivery
– Smarter security and acceleration
• Application visibility and reporting
• Handle changing threats with greater agility


Centralized Advanced Reporting with Splunk

• Centralized reporting with Splunk’s large-scale, high-speed indexing and search solution
• 15 packaged ASM-specific reports
• Provide visibility into attack trends and traffic trends
• Identify unanticipated threats before exposure occurs

http://www.f5.com/solutions/technology-alliances/security/splunk.html

Sample Reports with Splunk


• Top violations
• Top violations by protocol (HTTP, FTP, SMTP)
• Top HTTP violations by web application
• Top attackers
• Top attackers by protocol (HTTP, FTP, SMTP)
• Top web applications attacked, alerted or blocked
• Top web applications alerted by IP address
• Attacks by location
• Top response codes by web application
• Top alerted or blocked web application requests by time period
• Web application requests by method
• Custom ASM forensics filtering & search


Splunk Reports for Top Attackers and Events


Splunk Reports for Brute Force and DoS


Splunk Reports for DoS URLs and Time of Events


Web Scraping Requests and Web App. Stats
