Big-Ip Afm: Philippe Bogaerts
Philippe Bogaerts
Maintaining Security Is Challenging
© F5 Networks, Inc 2
Protecting the datacenter can be complex

Dynamic datacenter perimeter
Requires protection and policy enforcement that ensure 24x7 application availability

Attack visibility
Is often lacking details to truly track and identify attacks and their source, and ensure compliance

Everything SSL
Difficulty with discrete traffic visibility

Scalability and performance
Needed to ensure services are available during the onset of aggressive attacks

Changing threats
Increasing in complexity that requires intelligence and on-going learning
BIG-IP® Advanced Firewall Manager (AFM)
• Built on the market leading Application Delivery Controller (ADC)
• Consolidates multiple appliances to reduce TCO
• Protects against L2-L4 attacks with the most advanced full proxy architecture
• Delivers over 100 vectors and more hardware-based DoS vectors than any other vendor
• Ensures performance while under attack - scales to 7.5M CPS; 576M CC, 640 Gbps
• Offers a foundation for an integrated L2-L7 Application delivery firewall platform
[Diagram: user traffic passing through Network DDoS, DNS Security, Access Security, Data Center Firewall and Application Security on the way to classic and application servers]
BIG-IP Application Firewall Manager
App-centric policy enforcement
Policies written specifically for applications rather than against network traffic.
Full-proxy architecture
[Diagram: client-side and server-side stacks, each with Network Firewall, HTTP, iRule and WAF layers; threats labelled Slowloris attack, XSS and data leakage]
DDoS detection and mitigation
Increasing difficulty of attack detection moving up the OSI stack: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7)
Network/transport attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
DNS attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods
SSL attacks: SSL Floods, SSL Renegotiation
Application attacks: Slowloris, Slow Post, HashDos, GET Floods

F5 mitigation technologies
• Protect against DDoS at all layers – 38 vectors covered
• Withstand the largest attacks
• Gain visibility and detection of SSL encrypted attacks
DDoS detection and mitigation
Guard your data center against incoming threats that enter the network
• IP address feed, updates every 5 min
• Geolocation database and geo-analysis
• Signature coverage
• Protocol-aware detection & mitigation
[Diagram: threat sources identified at the network edge: anonymous proxies, scanners, botnets, internally infected devices and servers, and restricted service regions or countries]
F5 iRules: Industry’s strongest zero-day threat protection
With iRules customers gain unsurpassed flexibility in protecting against the most sophisticated and unexpected attacks.
• Richer detection capabilities for stateful attacks on flow table and mitigation of L2-L4 attacks
• Extends customization capabilities
• Leverages the IP Intelligence services and AFM statistical traffic subsampling
• DevCentral user community collectively has thousands of iRules to draw from
• Recently, iRules helped customers effectively mitigate the Heartbleed vulnerability
Community made up of over 100,000 active users collaborating and creating custom rules that mitigate threats
Dynamically update security logic
Maintain a current IP reputation database that allows you to automatically mitigate traffic from known bad or questionable IP addresses.
• Dynamic services feeds updated frequently
• Policy attached to global, route-domain or VS contexts
• Categorize IP/subnet by attack type
• HTTP/S & FTP polling methods
• Customizable actions per attack type category (i.e., Accept, Warn, Alert)
• Create IP black lists and white lists that override IP intelligence services
• Merge multiple sources into 1 feed or enforcement policy
• User defined categories
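The precedence described on this slide (operator white/black lists override the feed verdict, several feeds merged into one enforcement policy, one configurable action per category) as an added illustration in Python; this is not F5 code, and the feed text format, category names, network ranges and the "Drop" action are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample feeds in an assumed "network,category" text format
# (the deck does not show the real feed format).
FEED_A = "198.51.100.0/24,anonymous_proxy\n203.0.113.7/32,scanner\n"
FEED_B = "203.0.113.0/24,botnet\n192.0.2.0/24,infected_server\n"

def parse_feed(text):
    """Parse one feed into (network, category) pairs, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"): continue
        net, cat = line.split(",", 1)
        entries.append((ipaddress.ip_network(net.strip(), strict=False), cat.strip()))
    return entries
def merge_feeds(*feeds):
    """Merge several sources into one feed, most specific prefix first (longest-prefix match)."""
    merged = [entry for feed in feeds for entry in feed]
    merged.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return merged
@dataclass
class IpIntelPolicy:
    feed: list                       # merged (network, category) pairs
    actions: dict                    # category -> configured action
    whitelist: list = field(default_factory=list)
    blacklist: list = field(default_factory=list)
    default_action: str = "Accept"   # verdict for addresses in no list or feed

    def evaluate(self, ip):
        """Return (action, reason) for one source address; operator lists override the feed."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return ("Accept", "whitelist")
        if any(addr in net for net in self.blacklist):
            return ("Drop", "blacklist")      # "Drop" is an assumed action name
        for net, category in self.feed:
            if addr in net:
                return (self.actions.get(category, self.default_action), category)
        return (self.default_action, "unlisted")
def build_policy():
    """Assemble a policy from the constructed feeds, per-category actions and operator lists."""
    return IpIntelPolicy(
        feed=merge_feeds(parse_feed(FEED_A), parse_feed(FEED_B)),
        actions={"anonymous_proxy": "Warn", "scanner": "Alert",
                 "botnet": "Drop", "infected_server": "Alert"},
        whitelist=[ipaddress.ip_network("198.51.100.5/32")],
        blacklist=[ipaddress.ip_network("192.0.2.200/32")],
    )
```

Because the merged feed is sorted longest prefix first, the /32 scanner entry wins over the /24 botnet range that contains it, which is the behaviour you want when several sources disagree.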
SSL traffic termination
Fully terminate SSL traffic to inspect payload, preventing viruses, trojans, or network attacks.
• Ensure high-scale/high-performance SSL proxy
• Off-load SSL to reduce server load
Secure and available DNS
Before F5: 65,000 concurrent queries
• Cache poisoning
• DNS spoofing
• Man in the middle
• DDoS
With F5:
• Consolidate firewall and DNS
• Ensure high-performance scalable services
• Secure 10 million concurrent DNS queries
[Diagram: a client resolving http://www.f5.com before and with F5]
Manageability and Visibility
Logging – Generation and Storage of Individual Security Events
Application-oriented policies and reports
• Configure local and remote high-speed network firewall logging
• Independently controlled logging for Access Control, DoS, IP-Intel
• Log Destinations & Publishers consistent with BIG-IP logging framework
• Guaranteed logging with log throttling
Report types
• HIPAA & PCI compliance reporting
• DDoS attack report
• IP Enforcer stats
• SNMP traps & MIB for DoS reporting
Enhanced DDoS logging : Rate limiting
Avoid reduced performance during excessive logging periods
Enhanced DDoS logging
Activate logging for stateful flow attacks at global, route domain or per-VS level
• Ensures availability of security information via logs, tmstats, SNMP and AVR
• # of currently active flows
• # of reaped flows (shot down)
• # of flows dropped due to flowtable misses
• # of SYN Cookie challenges generated, passed, failed (DSR/non-DSR modes)
New section: turn on logging to query the tmstats table and get snapshots of counters every second; if there is a change in stats, it logs the data.
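The two logging behaviours described on the last two slides (log a counter snapshot only when something changed, and rate-limit the log stream so a flood of changes does not degrade performance) as an added Python illustration; this is not F5 code, and the counter names, the snapshot sequence and the window size are constructed assumptions.

```python
from dataclasses import dataclass, field

# Counter names are assumed stand-ins for the tmstats fields the deck lists.
SAMPLE_SNAPSHOTS = [  # constructed (timestamp, counters) sequence, one poll per second
    (0, {"active_flows": 100, "reaped_flows": 0, "flowtable_misses": 0, "syn_cookie_challenges": 0}),
    (1, {"active_flows": 100, "reaped_flows": 0, "flowtable_misses": 0, "syn_cookie_challenges": 0}),
    (2, {"active_flows": 150, "reaped_flows": 0, "flowtable_misses": 0, "syn_cookie_challenges": 20}),
    (3, {"active_flows": 900, "reaped_flows": 40, "flowtable_misses": 0, "syn_cookie_challenges": 800}),
    (4, {"active_flows": 950, "reaped_flows": 60, "flowtable_misses": 5, "syn_cookie_challenges": 900}),
    (5, {"active_flows": 960, "reaped_flows": 60, "flowtable_misses": 5, "syn_cookie_challenges": 900}),
    (6, {"active_flows": 960, "reaped_flows": 60, "flowtable_misses": 5, "syn_cookie_challenges": 900}),
    (11, {"active_flows": 200, "reaped_flows": 60, "flowtable_misses": 5, "syn_cookie_challenges": 900}),
]

@dataclass
class DosStatsLogger:
    """Emit a log record only when a polled counter changed, capped per time window."""
    max_per_window: int                 # records allowed per window
    window_secs: float = 10.0
    suppressed: int = 0                 # records dropped by the rate limit
    records: list = field(default_factory=list)
    _last: dict = field(default_factory=dict)
    _pending: dict = field(default_factory=dict)  # changes held back while throttled
    _window_start: float = None
    _emitted: int = 0

    def poll(self, now, counters):
        changed = {k: v for k, v in counters.items() if self._last.get(k) != v}
        self._last = dict(counters)
        if not changed:
            return None                 # unchanged stats: nothing to log
        if self._window_start is None or now - self._window_start >= self.window_secs:
            self._window_start, self._emitted = now, 0
        if self._emitted >= self.max_per_window:
            self.suppressed += 1
            self._pending.update(changed)  # keep latest values for the next record
            return None
        self._emitted += 1
        record = {"ts": now, **self._pending, **changed}
        self._pending = {}
        self.records.append(record)
        return record

def run_demo(max_per_window=3):
    logger = DosStatsLogger(max_per_window=max_per_window)
    for ts, counters in SAMPLE_SNAPSHOTS:
        logger.poll(ts, counters)
    return logger
```

Throttled changes are folded into the next record that does get written, so the final counter values survive the rate limit even though the intermediate ones do not; the suppressed count tells you how much detail was lost.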
Manageability and Visibility
SIEM INTEGRATION: APPLICATION-CENTRIC LOGGING AND REPORTING
[Diagram: reporting granularity ranging from high level to very detailed]