Post on 22-May-2020
Current Threat Scenarios for Applications and Data Centers
- Rethinking Security
Peter Held
P.Held@F5.com
© F5 Networks, Inc 2
Mobility
SDDC/Cloud
Advanced threats
Internet of Things
“Software defined” everything
HTTP is the new TCP
[Chart: "Attack types and targets are expanding". Timeline of publicly reported incidents from May to December 2012 and from January to June 2013; the size of each circle estimates the relative impact of the incident in terms of cost to business. Attack types shown: Spear Phishing, Physical Access, XSS, Unknown. Targets shown include banks, government, online services, non-profits, industrial, automotive, education, telcos, news & media, software, utilities, healthcare, retail, gaming, consumer electronics, food service, an airport, a global delivery company and several DNS providers.]
Does Your Data Center Firewall Deliver?
Perform at high speeds
See all traffic including SSL
Protect against network and application layer DDoS
Protect against application layer attacks
React quickly to zero day threats
F5 provides an entirely new, significantly better, and surprisingly less expensive approach for defending public-facing web properties and DNS services from malicious attack.
Introducing F5’s Application Delivery Firewall - Aligning applications with firewall security
One platform:
• SSL inspection
• Traffic management
• DNS security
• Access control
• Application security
• Network firewall
• DDoS mitigation
EAL2+; EAL4+ (in process)
BIFURCATION OF FIREWALLS
“Next generation” firewall (corporate users out to the Internet)
Characteristics
• Outbound user inspection
• UserID and AppID
• Who is doing what?
• 1K users to 10K web sites
• Broad but shallow
F5 Application Delivery Firewall (Internet in to the datacenter servers)
Characteristics
• Inbound application protection
• Application delivery focus
• 1M users to 100 apps
• Narrow but deep
• 12 protocols (HTTP, SSL, etc.)
PROTECTING THE DATA CENTER - Use case
• Consolidation of firewall, app security, traffic management
• Protection for data centers and application servers
• High scale for the most common inbound protocols
Before F5: separate Load Balancer, DNS Security, Network DDoS, Web Application Firewall, Web Access Management, Load Balancer & SSL, Application DDoS and Firewall devices
With F5: these functions consolidated on one platform
One Solution for Hacking Protection
[Diagram: client-side and server-side OSI stacks (Physical, Data Link, Protocol, Network, Session, Presentation, Application, Client / Server) with a programmable platform and a standard set of APIs in between]
Hack examples
• DNS poisoning, DNS spoofing
• IP spoofing
• MAC spoofing, VLAN hopping
• XSS, CSRF, SQL injection, form attacks, parameter tampering, insecure direct object references
• SSL/TLS BEAST
Leading Web Attack Protection - BIG-IP Application Security Manager
• Protect from latest web threats
• Meet PCI compliance
• Out-of-the-box deployment
• Quickly resolve vulnerabilities
• Improve site performance
Big-IP - Local Traffic Manager
Big-IP – Application Delivery Firewall
Integrated Vulnerability Scanning - Enhanced Integration: BIG-IP ASM and Vulnerability Scanner
Vulnerability Scanner
• Finds a vulnerability
• Virtual-patching with one-click on BIG-IP ASM
BIG-IP Application Security Manager
• Verify, assess, resolve and retest in one UI
• Automatic or manual creation of policies
• Discovery and remediation in minutes
• Vulnerability checking, detection and remediation
• Complete website protection
Supported scanners: Qualys, IBM, WhiteHat, Cenzic, HP WebInspect
Efficient DNS - DNS Express
• Delivers high-speed response and DDoS protection with in-memory DNS
• Provides authoritative DNS serving out of RAM
• Supports configuration sizes of tens of millions of records
• Scale and consolidate DNS servers
• Answer millions of DNS requests per second (VIPRION: 6 million qps)
[Diagram: clients on the Internet send DNS queries to DNS Express in BIG-IP GTM, which answers them from memory; the existing DNS server (OS, admin, auth roles, NIC, dynamic DNS, DHCP) remains the place where DNS records are managed]
Complete DNS Services and Protection - BIG-IP Global Traffic Manager
• High performance DNS - multicore GTM
• Scalable DNS, up to 10x - DNS Express
• Spread the load across devices - IP Anycast
• Secure DNS queries - DNSSEC
• Route based on nearest data center - geolocation
• Complete DNS control - DNS iRules
[Diagram: LDNS resolvers querying company.com are answered by F5 DNS Services (BIG-IP GTM on VIPRION hardware) in front of the data center]
iRules with Security: Example - HashDoS (“Post of Doom”) - React quickly to zero day threats
The HashDoS (“Post of Doom”) vulnerability, in which a single POST body full of colliding parameter names drives the server’s hash table into worst-case behaviour, affects all major web servers and application platforms.
A single DevCentral iRule mitigates the vulnerability for all back-end services.
Staff can schedule patches for back-end services on their own timeline.
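The control the iRule applies in front of the back-ends is to bound the request before any hash table is built: cap the body size and the number of form parameters, and reject anything above the cap. The following is an added example written for this page, not the DevCentral iRule (which is Tcl) and not F5 code; it implements the same check in Python with the standard library. The thresholds `MAX_BODY_BYTES` and `MAX_FIELDS`, the function names, and the sample body are assumptions for illustration.

```python
"""Bound the cost of parsing an HTTP form body before the hash table is built.

Added example, not F5 iRule code: the same control an iRule applies in front
of the back-end (cap body size and parameter count), in plain Python.
The constants below are assumptions for illustration.
"""
from urllib.parse import parse_qs

MAX_BODY_BYTES = 64 * 1024   # assumption: larger than any legitimate form post
MAX_FIELDS = 500             # assumption: more distinct keys than any real form sends


def check_form_body(body: bytes, max_body: int = MAX_BODY_BYTES,
                    max_fields: int = MAX_FIELDS):
    """Return (accepted, reason, fields).

    Both rejections happen before a dictionary is populated with
    attacker-chosen keys, so colliding keys never reach the hash table.
    """
    if len(body) > max_body:
        return False, f"body of {len(body)} bytes exceeds {max_body}", {}
    # Cheap pre-count: every extra field needs a separator, so counting '&'
    # bounds the number of keys without decoding or hashing anything.
    if body.count(b"&") + 1 > max_fields:
        return False, "too many parameters", {}
    try:
        # parse_qs enforces the same limit itself and raises ValueError
        # ("Max number of fields exceeded") when it is crossed.
        fields = parse_qs(body.decode("utf-8", errors="replace"),
                          max_num_fields=max_fields, keep_blank_values=True)
    except ValueError as exc:
        return False, str(exc), {}
    return True, "ok", fields


def post_of_doom_body(n_fields: int) -> bytes:
    """Constructed sample: a POST body with n_fields distinct keys, the shape a
    HashDoS request takes. The real attack picks keys that collide in the
    server's hash function; here the key names are arbitrary, because the
    check above never looks at them."""
    return b"&".join(b"k%d=v" % i for i in range(n_fields))


if __name__ == "__main__":
    print(check_form_body(b"user=alice&pw=hunter2")[:2])   # accepted
    print(check_form_body(post_of_doom_body(5000))[:2])    # rejected
```

The point of the pre-count is ordering: the rejection costs O(n) byte scanning and no allocation, whereas letting the framework parse first and counting afterwards would already have paid the worst-case insertion cost the attack is designed to trigger.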
Enable Simplified Application Access with BIG-IP Access Policy Manager (APM) - SaaS resources
One Access Solution - BIG-IP APM
All access use cases on BIG-IP Access Policy Manager:
Web Access Management: proxy to HTTP apps
– Outlook Web Access
– SharePoint
– Custom
– Single Sign On
– Internal Applications
– SaaS Applications (SAML)
Remote Access: SSL VPN
– Network Access
– App Tunnels
– Portal Access
– Edge Client
– Windows, Mac, Linux
– SmartPhones
– Tablets
Application Access Control: proxy to non-HTTP apps
– VDI
– Citrix (ICA Proxy)
– VMware View (PCoIP)
– MS Terminal Services/RDS
– Exchange
– ActiveSync
– Outlook Anywhere
Security:
– Endpoint Scanning
– Endpoint Cleanup
– Multi-factor authentication with several directories and methods
IP INTELLIGENCE
[Diagram: an IP intelligence service delivers IP address feed updates every 5 minutes to BIG-IP, which applies them in front of a custom application and a financial application]
Sources identified by the feed and a geolocation database:
• Botnets
• Attackers
• Anonymous requests
• Anonymous proxies
• Scanners
• Internally infected devices and servers
• Restricted region or country
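What the feed gives the enforcement point is a categorised set of prefixes plus a country per address; the decision is then a per-application policy over those categories (a financial application may refuse anonymous proxies that a custom application tolerates). The following is an added example, not F5’s IP Intelligence service or its data format: the feed prefixes, the category names, the country codes and the two policies are all constructed for illustration (documentation address ranges, invented countries), and a real deployment would refresh them from the provider rather than hard-code them.

```python
"""Apply an IP-reputation feed and a geo-restriction to a client address.

Added example, not F5 code. FEED and GEO are constructed (documentation
prefixes, made-up categories and country codes); a real feed is refreshed
from the provider on a schedule (the slide says every 5 minutes).
"""
import ipaddress
from dataclasses import dataclass

# Constructed feed: category -> CIDR prefixes (not real reputation data)
FEED = {
    "anonymous_proxy": ["203.0.113.0/26"],
    "scanner":         ["198.51.100.0/28", "2001:db8:bad::/48"],
    "botnet":          ["192.0.2.128/25"],
}
# Constructed geolocation table: prefix -> country code (arbitrary codes)
GEO = {
    "198.51.100.0/24": "XA",
    "203.0.113.0/24":  "XB",
    "192.0.2.0/24":    "XC",
}

# Constructed per-application policies: which categories to block and, for the
# financial app, which countries may connect at all (None = no geo restriction)
FINANCIAL_APP = {"block_categories": {"anonymous_proxy", "scanner", "botnet"},
                 "allowed_countries": {"XA", "XB"}}
CUSTOM_APP = {"block_categories": {"botnet"}, "allowed_countries": None}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def categories_for(ip: str):
    """All feed categories whose prefixes contain ip (an address can be in several).
    ipaddress returns False for a v4 address tested against a v6 prefix, so mixed
    feeds are safe to scan in one pass."""
    addr = ipaddress.ip_address(ip)
    return sorted(cat for cat, nets in FEED.items()
                  if any(addr in ipaddress.ip_network(net) for net in nets))


def country_for(ip: str):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None   # unknown: the policy decides whether unknown is acceptable


def evaluate(ip: str, policy: dict) -> Verdict:
    """Reputation first (cheapest, most decisive), then geolocation."""
    hits = [c for c in categories_for(ip) if c in policy["block_categories"]]
    if hits:
        return Verdict(False, "reputation: " + ",".join(hits))
    allowed = policy["allowed_countries"]
    cc = country_for(ip)
    if allowed is not None and cc not in allowed:
        return Verdict(False, f"geo: {cc or 'unknown'} not permitted")
    return Verdict(True, "ok")


if __name__ == "__main__":
    for ip in ("203.0.113.5", "192.0.2.200", "198.51.100.50", "192.0.2.5"):
        print(ip, evaluate(ip, FINANCIAL_APP), evaluate(ip, CUSTOM_APP))
```

Note that an address with no country entry is rejected by a geo-restricted policy (`cc` is `None`, so it is never in the allowed set); that fail-closed default is deliberate for the financial application and is the setting to revisit if the geolocation data has gaps.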
Dear Sir or Madam,
we demand 1,000 € from you; if you do not pay, a DDoS attack at 150 Gbit/s will follow, so your online shop would be unreachable for customers for several days.
Since the server would be overwhelmed by this, and the data center as well, a server suspension usually follows and a change of provider becomes necessary.
Should you go to the police with this and refuse payment, your online shop will remain unreachable until we have the money…
One Solution for DDoS Protection
[Diagram: the same client-side and server-side OSI stacks with the programmable platform and standard set of APIs in between]
DoS, DDoS, DDDoS examples
• SYN, ICMP, TCP, UDP fragmentation (LOIC)
• SYN flood, IP flood, ARP, MAC flood
• Slow POST/GET, HTTP flood, large POST, Slowloris, XML DTD, external entities, JSON
• SSL renegotiation
L3/L4 DoS - configuration (11.4): ~60 different types
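The HTTP-layer examples on this slide (Slowloris, slow POST/GET) are the ones a packet-rate view cannot see: each connection is individually unremarkable, and the attack is the number of connections one source holds open while sending almost nothing. A full proxy that terminates the client connection has exactly the per-connection state needed to spot that. The following is an added example, not F5 code: it runs that detection over a constructed snapshot of a connection table. The `Conn` record, the thresholds (`IDLE_AGE_S`, `SLOW_RATE_BPS`, `MIN_SLOW_CONNS`) and the sample sources are assumptions for illustration.

```python
"""Flag Slowloris / slow-POST sources from a connection-table snapshot.

Added example, not F5 code. A full proxy knows, per client connection, how
long it has been open and how much of the request has arrived; a source that
holds many connections open while trickling bytes is the slow-HTTP signature.
Records and thresholds below are constructed / assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str            # client address
    age_s: float        # seconds since the connection was accepted
    req_bytes: int      # request bytes received so far
    complete: bool      # request (headers and any body) fully received


# Thresholds (assumptions for illustration; tune to the application's real
# request sizes and upload behaviour before deploying anything like this)
IDLE_AGE_S = 30.0       # a request still incomplete after this is suspicious
SLOW_RATE_BPS = 50.0    # average bytes/s below which a sender counts as "slow"
MIN_SLOW_CONNS = 20     # how many slow connections one source must hold


def is_slow(c: Conn) -> bool:
    """A single slow connection: old, incomplete, and barely sending.
    Young connections are never flagged, so a legitimate burst of new
    clients does not trip the check."""
    if c.complete or c.age_s < IDLE_AGE_S:
        return False
    return c.req_bytes / c.age_s < SLOW_RATE_BPS


def slow_attackers(conns):
    """{src: count} for sources holding >= MIN_SLOW_CONNS slow connections.
    Aggregating per source is what separates an attacker from one genuinely
    slow user on a bad link."""
    per_src = defaultdict(int)
    for c in conns:
        if is_slow(c):
            per_src[c.src] += 1
    return {src: n for src, n in per_src.items() if n >= MIN_SLOW_CONNS}


def sample_snapshot():
    """Constructed snapshot: one Slowloris source, one slow-POST source,
    normal clients, and one slow but legitimate upload."""
    conns = []
    # Slowloris: 40 connections, partial headers trickled in, never completed
    conns += [Conn("203.0.113.10", 120.0 + i, 300, False) for i in range(40)]
    # slow POST: 25 connections, body arriving at ~10 bytes/s
    conns += [Conn("203.0.113.11", 90.0, 900, False) for _ in range(25)]
    # legitimate: short-lived completed requests
    conns += [Conn(f"198.51.100.{i}", 0.5, 700, True) for i in range(50)]
    # legitimate: just connected, headers still on the wire
    conns.append(Conn("198.51.100.200", 2.0, 50, False))
    # legitimate: one long, slow upload from a poor link (single connection)
    conns.append(Conn("198.51.100.201", 200.0, 4000, False))
    return conns


if __name__ == "__main__":
    print(slow_attackers(sample_snapshot()))
```

The two knobs that matter operationally are the age floor and the per-source count: the first keeps the check from firing on ordinary connection setup, the second keeps a single slow-but-real client from being blocked. Behind a shared NAT or proxy, where many real users share one source address, the count threshold needs to be raised or replaced by a per-source ratio of slow to total connections.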
DDoS protection reference architecture
[Diagram: legitimate users, corporate users, subscribers and DDoS attackers (scanners, anonymous proxies, anonymous requests, botnet attackers) reach the site through ISP a/b and a cloud scrubbing service (multiple ISP strategy). Tier 1 (network and DNS) is the strategic point of control and absorbs network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning). Tier 2 (application) handles SSL attacks (SSL renegotiation, SSL flood) and HTTP attacks (Slowloris, slow POST, recursive POST/GET) in front of the financial services and e-commerce applications. Both tiers consume threat feed intelligence; an IPS and a next-generation firewall also appear alongside the corporate users.]
TIER 1 KEY FEATURES
• The first tier at the perimeter is layer 3 and 4 network firewall services
• Simple load balancing to a second tier
• IP reputation database
• Mitigates volumetric and DNS DDoS attacks
TIER 2 KEY FEATURES
• The second tier is for application-aware, CPU-intensive defense mechanisms
• SSL termination
• Web application firewall
• Mitigate asymmetric and SSL-based DDoS attacks
DDoS Protection - SMB data center deployment
[Diagram: customers, partners and employees, together with DDoS attacks, arrive via ISP a and ISP b; the ISP provides a volumetric DDoS service. A single BIG-IP platform provides network firewall services + DNS services + web application firewall services + compliance control, protecting L3–7 and DNS. Users leverage a next-generation firewall for outbound protection.]
Simplified Business Models: GOOD / BETTER / BEST
• BIG-IP Advanced Firewall Manager
• BIG-IP Local Traffic Manager
• BIG-IP Global Traffic Manager
• BIG-IP Access Policy Manager
• BIG-IP Application Security Manager
Application Delivery Firewall - iRules extensibility everywhere
Products
Advanced Firewall Manager
• Stateful full-proxy firewall
• Flexible logging and reporting
• Native TCP, SSL and HTTP proxies
• Network and session anti-DDoS
Access Policy Manager
• Dynamic, identity-based access control
• Simplified authentication infrastructure
• Endpoint security, secure remote access
Local Traffic Manager
• #1 application delivery controller
• Application fluency
• App-specific health monitoring
Application Security Manager
• Leading web application firewall
• PCI compliance
• Virtual patching for vulnerabilities
• HTTP anti-DDoS
• IP protection
Global Traffic Manager & DNSSEC
• Huge scale DNS solution
• Global server load balancing
• Signed DNS responses
• Offload DNS crypto
IP Intelligence
• Context-aware security
• IP address categorization
• IP address geolocation
Platform capabilities: SSL inspection, traffic management, DNS security, access control, application security, network firewall, DDoS mitigation
We’re built for speed
Throughput: 320 Gbps
Connections per second: 5.6 million
Concurrent connections: 192 million
Concurrent user sessions: 100K
Concurrent logins: 1,500/second
SSL (1K keys): 600,000/second
DNS query response: 6 million/second
Network World F5 firewall test:
http://www.networkworld.com/reviews/2013/072213-firewall-test-271877.html
Key customer benefits
ALL BACKED BY WORLD-CLASS SUPPORT AND PROFESSIONAL SERVICES
• Maintain application availability
• Save money for your company
• Protect network infrastructure
• Safeguard your brand reputation
• Defend against targeted attacks
• Stay one step ahead
DDoS MITIGATION
F5 mitigation technologies mapped onto the OSI stack (Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1)); the difficulty of attack detection increases toward the application layer.
Application attacks: Slowloris, slow POST, HashDoS, GET floods
BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
Session attacks: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation
BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
Network attacks: SYN flood, connection flood, UDP flood, PUSH and ACK floods, Teardrop, ICMP floods, ping floods and Smurf attacks
BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.
Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
Use case
• Protect against DDoS at all layers - 38 vectors covered
• Withstand the largest attacks
• Gain visibility and detection of SSL encrypted attacks