Isec Infosecurity Guatemala 2017 - F5
Carlos Valencia
Sales Engineer - LATAM
c.valencia@f5.com
© 2017 F5 Networks 1
The Big Picture

Components of the reference architecture:
- High-performance DNS with DNS firewall (DNS / DNS FW), and threat intelligence feed / IP Intelligence (IPI)
- Next-Generation Firewall (NGFW) with IPS/IDS, protecting corporate users
- Local DDoS protection for L3/L4 DDoS and for DNS and SIP DDoS
- Web Application Firewall (WAF / ASM) for application D/DoS and fraud protection, in front of the data center apps
- Customer protection for corporate users and partners; the ISP may provide rudimentary DDoS service
- Hybrid cloud: the Silverline cloud-based platform absorbs volumetric attacks upstream of the on-premises tiers
- DDoS attacker: volumetric attacks (L3/L4), L7 DDoS and SSL attacks

L3/L4 Protection:
- ICMP flood, UDP flood, SYN flood, TCP-state floods
- DoS detection using behavioral analysis
- HTTP DoS: GET flood, Slowloris / slow POST, recursive POST/GET (DHD only)
- DNS DoS: DNS amplification, query flood, dictionary attack, DNS poisoning

L5-L7 Protection (CPU intensive):
- GET flood, Slowloris / slow POST, recursive POST/GET
- DoS detection using behavioral analysis
- OWASP Top 10
- SQLi / XSS / CSRF / 0-day / etc.
[Slide: F5 BIG-IP value points - Consistent Policies, Cloud Portability, Top Security, Visibility, Direct Connect]
[Charts: deployment of security controls - Firewalls, Anti-Virus, DLP, IDS/IPS, SIEM, APT; the percentages shown (90%, 72%, 44, 28%) cannot be attributed to a control from the extracted slide]
Protection against Web Application vulnerabilities (WAF)

- OWASP Top 10
- SQL injection
- Cross-site scripting
- Command injection
- CSRF
- Cookie manipulation
- Parameter tampering
- Field manipulation
- Forceful browsing
- Brute force attacks
- Buffer overflows
- Web scraping
- Information leakage
- Session hijacking
- Zero-day attacks
- ClickJacking
- Bots
- Business logic flaws
Traditional Firewall / Intrusion Prevention Systems

- Examines all traffic for malicious app inputs
- Primarily uses anomaly- and signature-based detection
- Some stateful protocol analysis capabilities
- Lacks understanding of L7 protocol logic
- Doesn't protect against all exploitable app vulnerabilities
DDoS Reference Architecture

Tier 1 - Network and DNS (Next-Generation Firewall, IPS, threat feed intelligence; multiple ISP strategy with ISPa/b):
- Network attacks: ICMP flood, UDP flood, SYN flood
- DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning

Tier 2 - Application (in front of the Financial Services, E-Commerce and Subscriber applications):
- SSL attacks: SSL renegotiation, SSL flood
- HTTP attacks: Slowloris, slow POST, recursive POST/GET

A cloud scrubbing service sits upstream of the multiple-ISP edge; legitimate users, corporate users and the DDoS attacker all arrive from the Internet.
DDoS approach

Cloud / hosted service

Strengths:
- Completely off-premises, so DDoS attacks can't reach you
- Amortized defense across thousands of customers
- DNS anycast and multiple data centers protect you

Weaknesses:
- Customers pay, whether attacked or not
- Bound by the terms of the service agreement
- Solutions focus on specific layers (not all layers)

On-premises defense

Strengths:
- Direct control over infrastructure
- Immediate mitigation, with instant response and reporting
- Solutions can be architected to scale independently of one another

Weaknesses:
- Many point solutions in the market, few comprehensive DDoS solutions
- Can only mitigate up to the maximum inbound connection size
- Deployments can be costly and complex
Hybrid DDoS Protection

Combining the "resilience and scale" of the cloud with the "granularity and always-on capabilities" of on-premises.

Signaling between the cloud (cloud management, data plane) and on-premises:
- BGP signaling, GRE tunnel, L2VPN, IP reflection
- Netflow exported from both sides
- Copied traffic for inspection

Silverline mitigation path (legitimate users and DDoS attackers both enter here):
- Ingress Router: applies ACLs and filters traffic
- Switching: mirrors traffic to the inspection toolsets and routing layer
- Network Mitigation (customer VRF): removes advanced L4 attacks
- Proxy Mitigation (WAF, proxy): removes L7 application attacks
- Egress Routing (routing/ACL, customer proxy): returns good traffic back to the customer

Silverline provides volumetric DDoS protection, a managed application firewall service, and zero-day threat mitigation with iRules.
[Charts: "Application layer attacks" and "Traditional DDoS mitigation"; the percentage values shown (82%, 77%, 54%, 25%, 20%, 9%, 6%) cannot be attributed to a category from the extracted slide]

"Cybercrime is a persistent threat in today's world and, [...] business is immune." (Network Solutions)

DNS is the second most targeted protocol after HTTP.

DNS DoS techniques range from:
- Flooding requests to a given host
- Reflection attacks against DNS infrastructure
- Reflection / amplification attacks
- DNS cache poisoning attempts

Why DNS is hard to defend:
- DNS is based on UDP
- DNS DDoS often uses spoofed sources
- DNS attacks use massive volumes of source addresses, breaking many firewalls

Of the customers that mitigate DDoS attacks, many choose a technique that inhibits the ability of DNS to do its job: using an ACL blocks legitimate clients.
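The following is an added example, not part of the F5 deck: it triages a one-second window of DNS flow records for two of the patterns listed above (a spoofed-source query flood and reflection/amplification) and then shows what the ACL approach the slide warns about actually does to that window. The record format, addresses, byte sizes and thresholds are constructed for the example.

```python
"""Added example, not part of the F5 deck: triage a one-second window of DNS
flow records for a spoofed-source query flood and for reflection/amplification,
and show why a source-address ACL blocks the legitimate resolver first.
Records, addresses, sizes and thresholds are constructed for the example."""
from collections import Counter
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class DnsFlow:
    src: str         # source address as seen on the wire; UDP, so spoofable
    qname: str
    qtype: str
    req_bytes: int
    resp_bytes: int


def amplification_factor(flows):
    """Response bytes divided by request bytes over the window.
    Ordinary A/AAAA traffic sits around 1-3x; ANY/TXT/DNSKEY answers to a
    60-byte query run to tens of x, which is what makes reflection pay."""
    req = sum(f.req_bytes for f in flows)
    return sum(f.resp_bytes for f in flows) / req if req else 0.0


def one_shot_source_ratio(flows):
    """Share of source addresses that sent exactly one query in the window.
    Spoofed floods spray single-use sources; real resolvers repeat."""
    per_src = Counter(f.src for f in flows)
    return sum(1 for n in per_src.values() if n == 1) / len(per_src)


def classify(flows, qps_limit=500, amp_limit=10.0, one_shot_limit=0.8):
    """Return the set of attack patterns seen in a one-second window."""
    findings = set()
    if not flows:
        return findings
    if len(flows) > qps_limit and one_shot_source_ratio(flows) > one_shot_limit:
        findings.add("spoofed-source query flood")
    heavy = sum(1 for f in flows if f.qtype in {"ANY", "TXT", "DNSKEY", "RRSIG"})
    if amplification_factor(flows) > amp_limit and heavy / len(flows) > 0.5:
        findings.add("reflection/amplification")
    return findings


def acl_top_talkers(flows, n):
    """What a 'block the noisiest sources' ACL does to this window: the
    addresses it would block and the share of queries they account for."""
    per_src = Counter(f.src for f in flows)
    blocked = [src for src, _ in per_src.most_common(n)]
    covered = sum(per_src[s] for s in blocked) / len(flows)
    return blocked, covered


def build_window(seed=7):
    """Constructed sample: one busy legitimate resolver plus a spoofed flood."""
    rnd = random.Random(seed)
    flows = []
    # Legitimate recursive resolver (192.0.2.53): repeats, A records, small answers.
    for i in range(40):
        flows.append(DnsFlow("192.0.2.53", f"www{i % 5}.example.com", "A", 50, 120))
    # Flood: 1000 distinct spoofed sources, each sending one ANY query for a
    # random label (defeats the cache) that draws a 3000-byte answer.
    for i in range(1, 1001):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        label = f"{rnd.getrandbits(32):08x}"
        flows.append(DnsFlow(src, f"{label}.example.com", "ANY", 60, 3000))
    return flows


if __name__ == "__main__":
    window = build_window()
    print("patterns:", sorted(classify(window)))
    print("amplification: %.1fx" % amplification_factor(window))
    blocked, covered = acl_top_talkers(window, 10)
    print("ACL would block %s first, stopping %.1f%% of queries" % (blocked[0], covered * 100))
```

On the constructed window the only address an ACL would block first is the legitimate resolver, because it is the one source that repeats; the thousand one-shot spoofed sources together account for the attack and a ten-entry ACL removes under five percent of it. Rate limiting per source has the same blind spot, which is why behavioral detection on the aggregate (query rate, amplification factor, source dispersion, record-type mix) is what the slide contrasts with ACLs.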
Conventional DNS Thinking

Internet -> External Firewall -> DNS Load Balancing -> Array of DNS Servers -> Internal Firewall -> Hidden Master DNS

- Performance = add DNS boxes
- Weak DoS/DDoS protection
- The firewall is THE bottleneck

Paradigm Shift
[Diagram: DNS in the DMZ - devices and local DNS (LDNS) on the Internet side, DNS servers in the DMZ, apps in the data center]
Browser threats

Data center side (secured traffic): SIEM, management, WAF, NIPS, HIPS, DLP and network firewall, serving HTTP/HTTPS to the customer browser.

Customer browser: leveraging browser application behavior
- Caching content, disk cookies, history
- Add-ons, plug-ins

Manipulating user actions:
- Social engineering
- Weak browser settings
- Malicious data theft
- Inadvertent data loss

Embedding malware:
- Keyloggers
- Framegrabbers
- Data miners
- MITB / MITM
- Phishers / pharmers
Man-in-the-browser injection

1. The malware contains code designed to insert specific content into the browser session when the user accesses specific sites.
2. The user requests the login page for Wells Fargo.
3. This triggers the malware, which injects additional content into the browser.
4. This information is sent to the legitimate web server as expected.
HTML Source Integrity

This page is expected to have only four forms, 14 input fields and six scripts. The inclusion of this additional input field due to malware will now trigger an alert. HTML Source Integrity is based on the expected number of forms, input fields, and scripts.
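An added example of the kind of check the slide describes, not code from the F5 deck or product: a baseline fingerprint is taken from the genuine login page (the number of form, input and script elements, plus the input names), and the same page after man-in-the-browser malware injected an extra field no longer matches. Both HTML documents, the field name and the counts are constructed for the example.

```python
"""Added example, not part of the F5 deck: an HTML source-integrity check.
A baseline is taken from the genuine login page; a copy with a field injected
by man-in-the-browser malware fails the comparison. Both pages are constructed."""
from collections import Counter
from html.parser import HTMLParser

COUNTED_TAGS = ("form", "input", "script")


class ElementCounter(HTMLParser):
    """Counts the structural elements the check cares about and records input
    names. Void tags such as <input> reach handle_starttag whether or not they
    are written as <input ... />."""

    def __init__(self):
        super().__init__()
        self.counts = Counter()
        self.input_names = []

    def handle_starttag(self, tag, attrs):
        if tag in COUNTED_TAGS:
            self.counts[tag] += 1
        if tag == "input":
            self.input_names.append(dict(attrs).get("name", ""))


def fingerprint(html):
    """Baseline or observed shape of a page: element counts and input names."""
    parser = ElementCounter()
    parser.feed(html)
    parser.close()
    return {"counts": {t: parser.counts[t] for t in COUNTED_TAGS},
            "inputs": sorted(parser.input_names)}


def integrity_check(html, baseline):
    """Compare a received page against the baseline. Returns the deviating
    counts as {tag: (expected, observed)} and any input names the genuine
    page never had; both empty means the page passed."""
    observed = fingerprint(html)
    counts = {t: (baseline["counts"][t], observed["counts"][t])
              for t in COUNTED_TAGS if observed["counts"][t] != baseline["counts"][t]}
    unexpected = sorted(set(observed["inputs"]) - set(baseline["inputs"]))
    return {"counts": counts, "unexpected_inputs": unexpected}


def is_tampered(report):
    return bool(report["counts"] or report["unexpected_inputs"])


# Constructed genuine login page: one form, three inputs, two scripts.
GENUINE_LOGIN = """<html><head><script src="/js/app.js"></script></head>
<body>
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="r4nd0m">
  <button type="submit">Sign in</button>
</form>
<script>window.ready = true;</script>
</body></html>"""

# The same page as rendered after malware injected a field asking for more data.
INJECTED_LOGIN = GENUINE_LOGIN.replace(
    '<input type="hidden" name="csrf_token" value="r4nd0m">',
    '<input type="hidden" name="csrf_token" value="r4nd0m">\n'
    '  <input type="text" name="atm_pin" placeholder="Confirm your ATM PIN">')

if __name__ == "__main__":
    baseline = fingerprint(GENUINE_LOGIN)
    for name, page in (("genuine", GENUINE_LOGIN), ("injected", INJECTED_LOGIN)):
        report = integrity_check(page, baseline)
        print(name, "ALERT" if is_tampered(report) else "ok", report)
```

Counting alone, as the slide describes, catches an added field; recording the input names as well tells the analyst which field was injected and catches a swap that leaves the count unchanged. In a real deployment the observed fingerprint has to be taken from the DOM the browser actually rendered, since the malware modifies the page after it leaves the server; the baseline must also be re-recorded whenever the genuine page is legitimately changed, or every user will alert.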
1. The victim is infected with malware.
2. The victim enters data into the web form (password revealer icon).
3. This triggers the malware to run.
4. The victim submits the web form.
5. The information is encrypted and sent to the web server (data center: LTM, security appliance, web application).
My Bank.com

- Gather client details related to the transaction
- Run a series of checks to identify suspicious activity
- Assign a risk score to the transaction
- Send an alert based on the score
- Apply L7 encryption to all communications between client and server
Alert at each stage of phishing site development:
1. Copy website (the genuine web application)
2. Save copy to computer
3. Upload copy to spoofed site
4. Test spoofed site
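One way to raise an alert at each of the four stages above, as an added example that is not part of the F5 deck or product. It assumes two signals the deck does not spell out: the genuine site's access logs, where site-copying tools tend to identify themselves in the User-Agent, and a beacon script embedded in the genuine pages that reports the URL it executes from and whether the event was a page load or a form submit. The log lines, beacons, hostnames and the tool list are constructed for the example.

```python
"""Added example, not part of the F5 deck: classify phishing-site development
stages from (1) access-log User-Agents and (2) beacons sent by a script
embedded in the genuine page. All data below is constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit

LEGIT_HOSTS = {"www.mybank.example", "mybank.example"}          # constructed
COPY_TOOLS = ("httrack", "wget", "curl", "webzip", "teleport")  # constructed


@dataclass(frozen=True)
class Beacon:
    page_url: str    # document.location as reported by the embedded script
    event: str       # "load" or "submit"
    client_ip: str


def stage_from_access_log(line):
    """Stage 1: the genuine site served a page to a mirroring tool.
    Takes a combined-format log line; the User-Agent is its last quoted field."""
    user_agent = line.rsplit('"', 2)[-2].lower()
    if any(tool in user_agent for tool in COPY_TOOLS):
        return "1. copy website"
    return None


def stage_from_beacon(beacon):
    """Stages 2-4 from where the genuine page's own script finds itself running."""
    parts = urlsplit(beacon.page_url)
    if parts.scheme == "file":
        return "2. save copy to computer"      # opened from local disk
    if parts.hostname in LEGIT_HOSTS:
        return None                           # genuine page on the genuine origin
    if beacon.event == "submit":
        return "4. test spoofed site"         # someone exercised the cloned form
    return "3. upload copy to spoofed site"   # clone served from a foreign host


def triage(log_lines, beacons):
    """Return (stage, evidence) alerts in the order the signals arrive."""
    alerts = []
    for line in log_lines:
        stage = stage_from_access_log(line)
        if stage:
            alerts.append((stage, line.split(" ", 1)[0]))
    for beacon in beacons:
        stage = stage_from_beacon(beacon)
        if stage:
            alerts.append((stage, f"{beacon.client_ip} {beacon.page_url}"))
    return alerts


# Constructed combined-format access log lines.
ACCESS_LOG = [
    '203.0.113.9 - - [10/Mar/2017:10:00:01 -0600] "GET /login HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/52.0"',
    '198.51.100.7 - - [10/Mar/2017:10:02:44 -0600] "GET /login HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"',
]

# Constructed beacons, in the order a phisher's workflow would produce them.
BEACONS = [
    Beacon("https://www.mybank.example/login", "load", "203.0.113.9"),
    Beacon("file:///C:/Users/ph/Desktop/login.html", "load", "198.51.100.7"),
    Beacon("http://mybank-secure-login.example/login.html", "load", "198.51.100.7"),
    Beacon("http://mybank-secure-login.example/login.html", "submit", "198.51.100.7"),
]

if __name__ == "__main__":
    for stage, evidence in triage(ACCESS_LOG, BEACONS):
        print(f"ALERT {stage}: {evidence}")
```

The User-Agent signal is weak on its own (a careful attacker sets a browser User-Agent), and the beacon only fires while the cloned page still carries the genuine script, so the check is worth most in the window before the phisher strips it; the stage 3 and 4 beacons also hand you the clone's hostname for takedown.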
Multi-cloud today

MSP, Cloud Interconnect, SaaS and the corporate datacenter(s) with private cloud each run their own servers and native app services.

Each cloud provides siloed native app services: basic, proprietary, and inconsistent.
Your cloud strategy should be an extension of your data center strategy: app-centric

- Enable both network and application security
- Defend against application attacks
- Deliver high [...]

Application examples: Identity, Commerce, Analytics, VPN, Mobile
App-Centric Strategy

Spectrum from limited control to full control:
- SaaS apps (limited control)
- Dev & test
- External websites
- Packaged apps
- Mobile apps
- Custom LOB apps (HR, Acct.)
- ERP, CRM (full control)
Shared Responsibility in Amazon AWS and Microsoft Azure

The idea behind the AWS and Azure shared responsibility models is to educate customers that they still need to be responsible for a large proportion of the services required to deliver applications in the cloud.
[Diagram: Identity Control Platform - Active Directory as the identity source for the apps]
Use Case: seamless global app experience and disaster recovery

Requirements:
- DNS orchestration
- L4-L7 services
- Application availability and performance

Traditional vs. new application services