BIG-IP Application Security Manager v11.2 Customer Presentation
© F5 Networks, Inc.
• It started simple
the Enemy
• Security woes …
• Reconfigure dynamically
IBM X-Force 2011 Trend and Risk Report, March 2012
• “Most websites were exposed to at least one serious* vulnerability every day of 2010.”
• “Only 16% of websites were vulnerable less than 30 days of the year overall.”
• “On the average, 50% of organizations require 116 days or less to remediate their serious* vulnerabilities.”
- WhiteHat Website Security Stats Report
• “64 percent of developers are not confident in their ability to write secure applications.”
- Microsoft Developer Research
“Anonymous” Attack
[Diagram: virtual, public or private cloud deployment]

BIG-IP LTM
• Application Proxy
• Transaction Assurance
• Resource Cloaking
• Network and protocol attack protection
• Secure Network Address Translation
• Port Mapping
• Selective Content Encryption
• Denial of Service attack protection

TMOS Architecture
The foundation of BIG-IP LTM and a unified system for application delivery
Enforcement
“F5 BIG-IP products enabled us to improve security for an existing application instead of having to invest time and money into developing a new, more secure application.”
- Application Manager, Global 500 Media and Entertainment Company (TechValidate 0C0-126-2FB)
• Detect a DoS condition
• Identify potential attackers
Example: www.stockfacts.com
Display a Blocking Message in AJAX Widget
[Diagram: clients and a hacker on the Internet reaching private and cloud apps; the data center places BIG-IP Application Security Manager in the path]
• Vulnerability checking, detection and remediation
• Complete website protection
• Configure vulnerability policy in BIG-IP ASM
[Diagram: attacker and clients on the Internet; the data center fronts private and cloud apps with BIG-IP Application Security Manager (Virtual Edition)]
“Our F5 BIG-IP solution has made a major contribution to our PCI compliance and ability to process credit card data in the most secure manner.”
- IT Manager, Medium Enterprise Consumer Products Company (TVID: 2FA-797-31A)
CASE STUDY

Challenge:
• Third-party network solution unstable
• Keeping people out of network
• Difficult to pinpoint app security problems
• Poor performance led to downtime

Benefits of BIG-IP LTM and ASM:
• Improved site performance by 2–3×
• Cut downtime from 4 hours per week to 0 hours
• Fewer false positives, more legitimate traffic
• Eliminated 8 hours per week in support calls

“The improvement in functionality, performance, security, and support with F5 has been outstanding.”
- Brad Trankina, Director of Network and Information Systems, Human Kinetics
© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS, and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries.
Security Challenges
• 54% of hacking breaches in larger organizations occur at the web application
• A Denial of Service tool… using SSL/TLS showed the potential for an everyday laptop on an average connection to take down an enterprise web server
• Anonymous proxies… have steadily increased, more than quadrupling in number as compared to three years ago.
• We still see SQL Injection as a choice point of entry for attackers
• Threat detection today… hinges on two elements: identifying suspicious activity among billions of data points, and refining a large set of suspicious incidents down to those that matter
Intelligence
• Capture
• Analyze
• Classify
Context
Delivery
• Events
• Analysis
• Action
[Diagram: Locate IQ Intelligence (Location), Trust IQ Intelligence (Context) and the subscription-based IP Intelligence service]
Security Landscape

Network-based Threats
• Web-based attacks
– Anonymization: click fraud, malware, scraping and hacking
– Zombies hired for DOS attacks
– Website vulnerability probing
• Windows exploits
– High volume of exploiters, probers
• Scanners
– Probing across TCP ports and sensors
• Botnets
– Command and Control
– Zombie behavior
– Malware

Security Implications
• Changing threat landscape
– Proliferation of malware, hacking, virus
– Malicious ecosystem growing
• Evolving attack motivations
– Evolved from notoriety to profit
– Profit leads to sophisticated attacks
• Enterprises have limited visibility & constraints
– Each has view on threat landscape
– Existing infrastructure under severe operational pressure
• Threat landscape requires
– Increase security posture
– Reduce appliance processing time
– Appliance leverages added layer of security intelligence
IP Intelligence Categories
• Web Attacks: includes cross site scripting, iFrame injection, SQL injection, cross domain injection or domain password bruteforce
• Botnets: includes Botnet C&C channels and infected zombie machines controlled by a Bot master
• Scanners: includes all reconnaissance such as probes, host scan, domain scan and password bruteforce
• Denial of Service: includes DOS, DDOS, anomalous syn flood, anomalous traffic detection
• Reputation: deny access from IP addresses currently known to be infected with malware. This category also includes IPs with an average low Webroot Reputation Index score. Enabling this category will prevent access from sources identified to contact malware distribution points
• Phishing: includes IP addresses hosting phishing sites and other kinds of fraud activity such as Ad Click Fraud or Gaming fraud
• Proxy: includes IP addresses providing proxy and anonymization services. This category also includes TOR anonymizer IP addresses
IP Intelligence Overview

Service Module: IP Intelligence
• Dynamic Threat IPs
• All BIG-IP appliances
• Near-real-time updates (up to 5min intervals)
• Dramatically reduces system loads
• Provisioned across Multiple Threat Types
• Subscription-based service
• Delivering Dynamic Updates in near real-time

IP Intelligence Highlights
• Developed from customer-driven demand
• Ever-increasing volume of threats
• Improves security by stopping known bad traffic; static and publicly available Black Lists are insufficient
• Compelling value
• Better appliance efficiency, reducing network traffic
• Value-add layer of IP-based security
• Faster threat response with near-real-time updates
IP Intelligence
How it works
• Fast IP update of malicious activity
• Global sensors capture IP behaviors
• Threat correlation reviews/ blocks/ releases
[Diagram: Internet sources (semi-open proxy farms, exploit honeypots, naïve user simulation, web app honeypots, third-party sources) feed Dynamic Threat IPs (web attacks, reputation, Windows exploits, botnets, scanners, network attacks) into the IP Intelligence service, which updates the BIG-IP System via DNS every 5min]
Packet Parsing Reduction
• Reduce processing time (e.g., form input parsing and validation overhead) by blocking sites from known Threat IPs
• Benefit: increase performance and scalability of protected applications

Anonymization Prevention
• Block inbound connections from anonymous proxies
• Benefit: increase security and performance of device; prevent frauds

Phishing Protection
• Protect high-value websites by preventing access of site objects by phishing sites, or by any non end-user source
• Benefit: increase availability and performance of protected servers/applications; prevent frauds

Botnets
• Block botnet C&C channels and infected zombie machines controlled by a Bot master for DoS and other attacks
• Benefit: improve security and performance; enhance perimeter security; mitigate DoS attacks; increase device throughput
IP Intelligence
Identify and allow or block IP addresses with malicious activity
[Diagram: the IP Intelligence Service IP address feed (updates every 5 min) reaches the BIG-IP System, which screens botnet, attacker and anonymous requests in front of a custom application and a financial application; a geolocation database is also consulted]
Graphical Reporting
• Detailed chart path of threats in ASM
Current Limitations:
• IPv6 is not supported
VIPRION 4400/4480: $25,499.00 / $61,197.00
• Cloud-based architecture
– Global Delivery Intelligence: subscription-based service
– Real-time continuous updates
BIG-IP LTM
• Connection Management (OneConnect™)
• RAM Cache
• Compression offload
• SSL offload

• SANS report
• Focused on patching Operating Systems
“At the time of deployment, we can secure critical applications proactively and rapidly, directly through BIG‑IP ASM, which saves us a lot in terms of rollout time and resources.”
- Philippe Bossut, Network System Manager, Crédit Coopératif
Reporting

Application Analytics
• Each vulnerability takes time to fix and test, making sure the fix isn’t introducing new problems
• Very expensive manual process
[Diagram: BIG-IP® ASM VE, standalone or LTM VE + ASM, deployed between LAN users and private or public cloud]
• Lower testing costs
• Increase testing speed
• Most flexible infrastructure
[Diagram: BIG-IP LTM with ASM in front of web servers App 1 through App n]
HPP mitigation
[Diagram: an automated scraper reaching the IT staff's web site]
Problem
• Entire web site is being scraped of valuable IP information
• Scrapers fail to provide company’s terms and updates
• Sites copying content end up ranking above company’s for keywords
• Need logging and reporting on Web scraping
[Diagram: the automated scraper is stopped in front of the Web and Domino network]
Solution
• Protects valuable intellectual property
• Prices are controlled and users see airline approved inventory
• Integrated scrape reporting for PCI compliance
• Avoid litigation, drastically reducing legal costs
Add IP addresses to Whitelist for allowable BOTs
[Diagram: Columbus Branch with a BIG-IP 8900 protecting the Web, SharePoint and Exchange network from hackers; policies: attack protection - L7 DoS and Brute Force; policy templates deployed in minutes; an attacker reaching the Web and Linux network through the ADC]
Problems
• Unaware of attacks nor ability to block them
• End user performance is declining
• Current network firewall unable to view attacks
• Separate solutions for acceleration and security were difficult to manage
[Diagram: aware of attacks; LTM blocks attackers]
Solution
Unified application delivery
• 10x user performance increase
• 50% bandwidth reduction
• Attack and threat protection (SQL Injection, signatures)
• Visibility into attacks
• Provisioning resources to ASM during large attacks
[Diagram: attacks mitigated; attacker and users reach a BIG-IP 6900 running LTM, WA and ASM, which automatically adjusts loads between CPUs for cluster multi processing]
Solution
On Demand service provisioning
• Allocate resources to other application delivery services
• Attack and threat protection (SQL Injection, signatures)
• Burst and accelerate applications to meet user demands
• Dynamic Content Caching 80 - 90% of page loads
• ASM and WA pre-configured policies
LTM / ASM
Leading Value
• On-demand scalability
• Advanced security
• Integrated security performance
• Application insight/visibility

Bridge: passive listener, reactive response
Proxy: visibility + control, identify/mediate in real time
Network Firewall / IPS / ASM
Applications: BIG-IP® LTM + ASM or PSM
Connection limits by version: 15K connections (9.x), 60K hard limit (10.x), no limits (10.2.1)
• Support for the antivirus security protocol ICAP for sending and receiving uploaded files for scanning
• VIPRION supports recent ASM features: DoS, Brute Force, CSRF, and Web Scraping protection. Web Services Encryption/Decryption and Digital Signature plus Policy Builder 2.0 are supported
• Policy Builder 2.0 – This updated version brings easy-to-explain rules and configuration, integration with staging, and supports up to 10 websites in parallel (for policy building)