Estrategias de mitigación de

amenazas a las aplicaciones.

Carlos Valencia
Sales Engineer - LATAM
c.valencia@f5.com

© 2017 F5 Networks 1
-
-
-
-
-
-
-

© 2017 F5 Networks 2
© 2017 F5 Networks 3
 High Performance DNS
The Big Picture DNS
DNS / DNS FW
Next-Generation
Threat Intelligence Feed/IPI Firewall
Corporate Users

Scanner Anonymous Anonymous Botnet Attackers

Proxies Requests
Cloud Apps
DDoS Attacker (app attacks)

Network Protection Application Protection

Router

L3/L4 DDoS,
Application D/DoS DC Apps
DNS, SIP DDoS
Fraud ASM
Customer
Protection
NGFW Hybrid
Cloud IPS/IDS
Local DDoS WAF
ISP may provide
Partner rudimentary DDoS
L7 DDoS
DDoS Attacker service SSL
(Volumetric attacks) L3/L4 Protection
L5-L7 Protection (CPU Intensive)
Silverline • ICMP flood, UDP Flood, SYN Flood, TCP-state
Cloud-Based floods • GET Flood, Slowloris/slow POST,
Platform recursive POST/GET,
• DOS detection using behavioral analysis
• DOS detection using behavioral
Volumetric • HTTP DOS: GET Flood, Slowloris/slow POST, analysis
Attacks recursive POST/GET (DHD Only)
• OWASP Top 10
• DNS DOS: DNS amplification, query
flood,dictionary attack, DNS poisoning • SQLi/XSS/CSRF/0-day/etc

• SSL DOS: SSL renegotiation, SSL Flood • WAF in general

© 2017 F5 Networks 4
 Consistent Policies
Cloud Portability
Top Security
F5 BIG-IP
Visibility Direct Connect

Private Cloud Lowest TCO Cloud Interconnection /

Public Cloud

Traditional Data Center

© 2017 F5 Networks 5
•
•
•
•

•
•

© 2017 F5 Networks 6
© 2017 F5 Networks 7
© 2016 F5 Networks
8

90%

Fire- Anti
DLP
walls Virus

28%
IDS/ SIEM
IPS

Fire- Anti
DLP
walls Virus

28%
IDS/ APT
IPS

© 2017 F5 Networks 8
© 2016 F5 Networks
9

72%
28
44
Fire- Anti
DLP
walls Virus

IDS/ SIEM
IPS

© 2017 F5 Networks 9
Protection against Web Application vulnerabilities
CSRF Cookie manipulation
OWASP top 10 Brute force attacks
Forceful browsing Buffer overflows
Web scraping Parameter tampering
SQL injections information leakage
Field manipulation Session high jacking
Cross-site scripting Zero-day attacks
Command injection ClickJacking
Bots Business logic flaws

WAF

© 2017 F5 Networks 10
 • Examines all traffic for
Traditional Firewall Intrusion Prevention malicious app inputs
Systems • Primarily uses anomalous
and signature-based
detection
• Some stateful protocol
analysis capabilities
• Lacks understanding of
L7 protocol logic
• Doesn’t protect against
all exploitable app
vulnerabilities

Layer 7 security is not addressed by traditional IPS & firewall vendors

© 2017 F5 Networks 11
 Secures, federates access to any application, anywhere
Data Center
Private Cloud Hybrid Cloud Public Cloud
Multi-factor Corporate
Auth user
XYZ Corp.

Username SAML Identity

Federation
PW+PIN Single or Multi-
Factor Auth Identity App
LOGIN
Internet
STOP
SAML App
Directory
Services
• User/User Group
Office 365 • Endpoint Check VDI
• Network
Remote users, • Location
mobile users, Salesforce
contractors, etc. • Connection Type Corporate
(L3/L4) Apps
Other SaaS
Apps • MDM/EMM Device Posture
Hacker

SaaS Apps
© 2017 F5 Networks 12
© 2017 F5 Networks 13
©© 2017
2016 F5 Networks
F5 Networks 14
 SSL

© 2017 F5 Networks 15
©© 2017
2016 F5 Networks
F5 Networks 16
© 2017 F5 Networks 17
 Next-Generation
Firewall Corporate Users

Tier 1 Tier 2
Network attacks:
ICMP flood, SSL attacks:
Financial
UDP flood, SSL renegotiation, Services
Multiple ISP SYN flood SSL flood
strategy

Legitimate
Users
E-
ISPa/b Commerce
Network
and DNS Application
DNS attacks: HTTP attacks:
DDoS DNS amplification, Slowloris,
Attacker query flood, slow POST,
dictionary attack, recursive
DNS poisoning POST/GET Subscriber
Cloud
Scrubbing
Service IPS

ThreatThreat Feed
Feed Intelligence
Intelligence

Scanner Anonymous Anonymous Botnet Attackers Strategic Point of Control

Proxies Requests

© 2017 F5 Networks 18
 DDoS approach
CLOUD/HOSTED SERVICE ON-PREMISES DEFENSE

STRENGTHS
• Completely off-premises so DDoS attacks
can’t reach you
• Amortized defense across thousands
of customers
• DNS anycast and multiple data centers
protect you
WEAKNESSES
• Customers pay, whether attacked or not
• Bound by terms of service agreement
• Solutions focus on specific layers (not all
layers)
STRENGTHS
• Direct control over infrastructure
• Immediate mitigation with instant
response and reporting
• Solutions can be architected to
independently scale of one another
WEAKNESSES
• Many point solutions in market, few
comprehensive DDoS solutions
• Can only mitigate up to max inbound
connection size
• Deployments can be costly and complex

© 2017 F5 Networks 19
Hybrid DDOS Protection
Combining the “resilience and scale” of the cloud with the “granularity and always-
on capabilities” of on-premise.

Signaling

• Request for Service

• IP List Management

Cloud On-Premise

Unified Attack Command | Control

 DDoS Architecture Scrubbing Center
Flow collection Portal provides real-
Traffic Actioner aggregates attack time reporting and
injects routes and Scrubbing Center data from all sources configuration
Inspection Tools steers traffic
provide input on Inspection Plane
attacks for Traffic
Actioner & SOC Inspection Traffic Actioner Flow Portal
Toolsets Route Management Collection
Visibility

Signaling
Cloud Management

Data Plane
Copied traffic
for inspection
Netflow Netflow
BGP signaling GRE Tunnel
Legitimate Proxy
Users
DDoS IP Reflection
WAF Routing L2VPN Customer
Switching Routing/ACL Proxy
Network Mitigation
(Customer VRF)
Silverline
Mitigation
Volumetric DDoS
DDoS protection, Managed
Attackers Application firewall service,
zero-day threat mitigation
with iRules

Switching mirrors
Ingress Router Network Mitigation Proxy Mitigation Egress Routing
traffic to Inspection
applies ACLs and removes advanced removes L7 returns good traffic
Toolsets and Routing
filters traffic L4 attacks Application attacks back to customer
layer
© 2017 F5 Networks 22
 APPLICATION LAYER ATTACKS TRADITIONAL DDOS MITIGATION
90% 60%
82%
80%
77% 50%
70% 40%
60% 54%
30%
50%
20%
40%
30% 25%
“Cybercrime is a 10%

persistent threat in
20%
20% 0%
9%
6%
today’s world and,
10%
0%

despite best efforts, no

HTTP DNS HTTPS SMTP SIP/VoIP IRC Other

DNS is the second most targeted business is immune.” Of the customers that mitigate DDoS
protocol after HTTP. attacks, many choose a technique
Network Solutions that inhibits the ability of DNS to do
DNS DoS techniques range from:
its job
• Flooding requests to a given host
• DNS is based on UDP
• Reflection attacks against DNS
• DNS DDoS often uses spoofed
infrastructure
sources
• Reflect / Amplification attacks
• Using an ACL block legitimate clients
• DNS Cache Poisoning attempts
• DNS attacks use massive volumes of
source addresses, breaking many
© 2017 F5 Networks firewalls. 23
 CONVENTIONAL DNS THINKING

Internet
External
Firewall
DNS Load
Balancing
Array of DNS
Servers
Internal
Firewall
Hidden
Master DNS
• Performance = Add DNS
boxes
• Weak DoS/DDoS Protection
• Firewall is THE bottleneck

PARADIGM SHIFT

DNS DELIVERY REIMAGINED

DNS Firewall • Scalable performance over

Master DNS
Internet
DNS Infrastructure
DNS DDoS Protection
Protocol Validation
10M RPS!
Authoritative DNS
Caching Resolver • Strong DoS/DDoS protection
Transparent Caching
High Performance DNSSEC • Lower CapEx and OpEx
DNSSEC Validation
Intelligent GSLB

© 2017 F5 Networks 24
 Devices DMZ Data Center

DNS
DNS
Servers
LDNS
Internet
Apps

F5 DNS Firewall Services

• DNS DDoS mitigation with DNS
Express
• Protocol inspection and validation
• DNS record type ACL*
• Block access to Malicious IPs (DNS
Firewall)
• High performance DNS cache
• Stateful – Never accepts unsolicited
responses
• ICSA Certified - deployment in the DMZ
• Scale across devices – IP Anycast
• Secure responses – DNSSEC
• DNSSEC responses rate limited
• Complete DNS control – iRules &
Programmability
• DDoS threshold alerting*
• DNS logging and reporting
• Hardened DNS code

© 2017 F5 Networks 25
© 2017 F5 Networks 26
 Customer Browser
Secured
Data center
Traffic
SIEM Management Leveraging
Browser
WAF NIPS
application
behavior
HTTP/HTTPS • Caching content,
HIPS DLP disk cookies, history
• Add-ons, Plug-ins
Network
firewall
Manipulating Embedding
user actions: malware:
• Social engineering • Keyloggers
• Weak browser • Framegrabbers
settings • Data miners
• Malicious data theft • MITB / MITM
• Inadvertent data • Phishers / Pharmers
loss

© 2017 F5 Networks 27
 The malware contains code designed to
This triggers
insert thecontent
specific malware,
to the browser session
which injects additional This information is sent to the
when the user accesses specific sites legitimate webrequests
server as
content to the browser The user theexpected
login
page for Wells Fargo

*wellsfargo*  add field

*bankofamerica*  add button,

replace text

*chase*  add cc#, pin,

remove text

Generic malware, such*telebank*

as  send credentials
Zeus, infects a user’s device
*bankquepopulaire*  … This information is sent to
the configured drop zone
The user enters the requested
content and clicks Go

© 2017 F5 Networks 28
 This page is expected to
…… and
and
14six
input
scripts…
fields…
have only four forms…
The inclusion of this additional
input field due to malware will
HTML
now trigger Source
an alert Integrity is based
on the expected number of
forms, input fields, and scripts

© 2017 F5 Networks 29
 This triggers to
malware to run
The information is encrypted
and sent to the web server

The victim makes a secure

connection to a web site

Password
revealer icon
The victim is infected
with malware
The victim submits The victim enters data
the web form into the web form

This content canThe

be information is also sent
to the drop zone in clear text
stolen by the malware
© 2017 F5 Networks 30
How HFO Works – Field
Without
Name
HFOObfuscation

Data center
Web application

Sec. Appliance
LTM

© 2017 F5 Networks 31
 MY BANK.COM
My Bank.com • Gather client details related to
the transaction
• Run a series of checks to
identify suspicious activity
• Assign risk score to transaction
• Send alert based on score
• Apply L7 encryption to all
communications between client
and server

© 2017 F5 Networks 32
 4. Test 1. Copy
spoofed site website

Web
Application

3. Upload copy
to spoofed site
Internet

2. Save copy
Alert at each stage of phishing
to computer site development

© 2017 F5 Networks 33
© 2017 F5 Networks 34
 MSP

Native App
Services

Servers Servers Servers

Cloud Interconnect
SaaS
Servers Servers Servers

Corporate Datacenter(s)
With Private Cloud

Each Cloud Provides Siloed Native App Services: Basic, Proprietary, and Inconsistent
© 2017 F5 Networks 35
 Your cloud strategy should be an extension of your
data center strategy: app-centric
Enable both network and
application security Identity Commerce

Defend against
Deliver high application attacks
Analytics
VPN
Mobile

availability; not just Database

Website Storage
infrastructure availability Ensure secure
Load
user access DNS Balancing
Ensure application Deliver app Application
performance performance

Centralize management and Gain traffic

visibility
orchestration of the
application Orchestrate
tasks centrally
Streamline app delivery Application
and security services across
on-premises and cloud
Letting you focus on ensuring availability, security, and performance for each application

©©2017
F5 Networks, Inc
F5 Networks 36
36
 App-Centric Strategy

Limited control
SaaS
apps

Dev
& test
External
Packaged websites
apps AppsMobile
apps

Custom
LOB apps
(HR, Acct.)
Full control

ERP,
CRM

On-premises Public cloud

© 2017 F5 Networks 37
Shared Responsibility in Amazon AWS
The idea behind this is to educate customers that they still need to be responsible for a
large proportion of the services required to deliver applications in the cloud.
AWS Shared Responsibility Model

© 2017 F5 Networks 38
Shared Responsibility in Microsoft Azure
The idea behind this is to educate customers that they still need to be responsible for a large
proportion of the services required to deliver application in the cloud.
Azure Shared Responsibility Model

© 2017 F5 Networks 39
 Apps

Apps
Identity Control Platform

Apps
Active
Directory
© 2017 F5 Networks 40
Use Case Seamless
global app
experience

Disaster Recovery
Requirements DNS Orchestration
DNS
L4-L7 Services
• Application availability and performance L4-L7 Services

• Location-based and contextual user access VPN

• Active-Active deployment for cost efficiency

• Insight and visibility into application traffic Compute Compute

Recommended application delivery services

Storage
• Local and global load balancing Storage

Data Center Cloud Provider

• DNS
• SSL VPN or IPSec tunnel
• Access & identity Key benefits:
• Consistent DevOps + Management Tools • Seamless customer experience
• Secured and optimized site to site connectivity
• Advanced application health monitoring

© 2017 F5 Networks 41
Traditional New

On-Premises Cloud Interconnection Public/Private Cloud

Servers Servers Servers

Strategic Control Point Distributed Strategic Control Points

Application Services

Application Virtual Edition Hardware aaS Containers

Services

© 2017 F5 Networks 42