
BIG-IP AFM

Philippe Bogaerts
Maintaining Security Is Challenging

Webification of apps
•  71% of internet experts predict most people will do work via web or mobile by 2020.

Device proliferation
•  95% of workers use at least one personal device for work.
•  130 million enterprises will use mobile apps by 2014.

Evolving security threats
•  58% of all e-theft tied to activist groups.
•  81% of breaches involved hacking.

Shifting perimeter
•  80% of new apps will target the cloud.
•  72% of IT leaders have or will move applications to the cloud.

© F5 Networks, Inc 2
Protecting the datacenter can be complex

Dynamic datacenter perimeter: requires protection and policy enforcement that ensure 24x7 application availability.

Attack visibility: is often lacking the details needed to truly track and identify attacks and their source, and to ensure compliance.

Everything SSL: difficulty with discrete traffic visibility.

Scalability and performance: needed to ensure services are available during the onset of aggressive attacks.

Changing threats: increasing in complexity, which requires intelligence and on-going learning.
BIG-IP® Advanced Firewall Manager (AFM)

•  Built on the market leading Application Delivery Controller (ADC)
•  Consolidates multiple appliances to reduce TCO
•  Protects against L2-L4 attacks with the most advanced full proxy architecture
•  Delivers over 100 vectors and more hardware-based DoS vectors than any other vendor
•  Ensures performance while under attack - scales to 7.5M CPS; 576M CC, 640 Gbps
•  Offers a foundation for an integrated L2-L7 Application delivery firewall platform

[Diagram: User and Classic Server traffic reaches the App Servers through the Data Center Firewall, which consolidates Network DDoS, DNS Security, Access Security and Application Security on the one platform.]
BIG-IP Application Firewall Manager

The best foundation for a consolidated layered defense

App-centric policy enforcement
•  Application access controls
•  Simplified policy assurance
•  Automatic self-learning & policy adjustment
•  Dynamic IP intelligence
•  Extensibility with iRules

DoS protection
•  Secure against L2-L4 D/DoS attacks
•  Advanced resource protection
•  Hardware-based DoS protections
•  Application availability assurance

Manageability and Visibility
•  High speed customizable syslog
•  Granular attack details
•  Expert attack tracking and profiling
•  Policy & compliance reporting
•  Centralized management
App-centric policy enforcement
Policies written specifically for applications rather than against network traffic.

•  Effective rule life-cycle management for increased policy efficiency & effectiveness
•  3-tiered hierarchical policy context (global, route domain, virtual server), so that, for example, mail traffic is only subject to mail rules
•  HTTP, SMTP, FTP, SIP, DNS protocol validation and enforcement on granular details
•  Protocol conformance with DNS
Full-proxy architecture

[Diagram: client-side and server-side protocol stacks (Network Firewall, TCP, SSL, HTTP, WAF), each with an iRules hook at every layer, meeting in the BIG-IP full proxy. Each attack is stopped at the layer that understands it:]
•  Network Firewall: ICMP flood
•  TCP: SYN flood
•  SSL: SSL renegotiation
•  HTTP: Slowloris attack, XSS
•  WAF: data leakage (server side)
DDoS detection and mitigation
Increasing difficulty of attack detection

OSI stack: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7)

Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
Application attacks: Slowloris, Slow Post, HashDos, GET Floods

F5 mitigation technologies

BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
BIG-IP LTM and GTM: High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

•  Protect against DDoS at all layers – 38 vectors covered
•  Withstand the largest attacks
•  Gain visibility and detection of SSL encrypted attacks
DDoS detection and mitigation
Guard your data center against incoming threats that enter the network

AFM DOS CAPABILITIES
•  The most comprehensive L2-L4 DoS signature coverage
•  100+ DoS vectors
•  Malformed/bad, suspicious, and volumetric attack signatures
•  Stops capacity attacks on the flow/transaction state tracking structures
•  Detection & mitigation limits – global, route domain & per-VS volumetric
•  Protects IP infrastructure from malformed & malicious traffic at scale
•  Accelerating over 64 signatures in hardware on many platforms, line-rate performance
•  Sweep & flood IP detection – used to identify "bad actor" source IPs and targeted destination IP servers
•  AVR drill-down reporting on attackers, targets, geo-analysis
•  Protocol-aware detection & mitigation for HTTP/S, SMTP, FTP, DNS & SIP

[Diagram: IP intelligence. Traffic sources (botnet, attacker, anonymous requests, anonymous proxies, scanner, internally infected devices and servers, restricted region or country) are matched against the IP address feed (updates every 5 min) and the geolocation database before reaching the custom application and financial application behind BIG-IP.]
F5 iRules: Industry's strongest zero-day threat protection
With iRules customers gain unsurpassed flexibility in protecting against the most sophisticated and unexpected attacks.

THE POWER OF IRULES
•  Richer detection capabilities for stateful attacks on the flow table and mitigation of L2-L4 attacks
•  Extends customization capabilities
•  Leverages the IP Intelligence services and AFM statistical traffic subsampling
•  The DevCentral user community collectively has thousands of iRules to draw from
•  Recently, iRules helped customers effectively mitigate the Heartbleed vulnerability

KNOWLEDGE IN NUMBERS
Community made up of over 100,000 active users collaborating and creating custom rules that mitigate threats
Dynamically update security logic
Maintain a current IP reputation database that allows you to automatically mitigate traffic from known bad or questionable IP addresses.

F5 IP INTELLIGENCE SERVICES
•  Dynamic services feeds updated frequently
•  Policy attached to global, route-domain or VS contexts
•  Categorize IP/subnet by attack type
•  Customizable actions per attack type category (i.e., Accept, Warn, Alert)
•  Create multiple customizable IP feeds

DYNAMIC IP BLACK LISTS & WHITE LISTS
•  Create IP black lists and white lists that override IP intelligence services
•  Merge multiple sources into 1 feed or enforcement policy
•  HTTP/S & FTP polling methods
•  User defined categories
•  Support for IPv6 and IPv4
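Merging several feeds into one enforcement policy and letting local lists override them, as the two columns above describe, comes down to a small amount of address arithmetic. The Python below is an added example written for this page, not F5's IP Intelligence implementation: it parses two constructed feeds in an assumed "address,category" line format, unions the categories every feed assigns to an address, consults a local allow list and deny list first, and maps the resulting categories to the most severe user-defined action. The feed format, list contents, category names and policy table are all assumptions for the illustration; IPv4 and IPv6 are handled by the standard library.

```python
from ipaddress import ip_address, ip_network

# Constructed feeds (not real data). Assumed line format: "<ip or cidr>,<category>";
# '#' starts a comment. Two feeds may disagree about the same address.
FEED_A = """# constructed feed A
198.51.100.0/24,botnet
203.0.113.5,scanner
2001:db8:bad::/48,anonymous_proxy
"""
FEED_B = """# constructed feed B
203.0.113.5,spam_source
198.51.100.0/28,scanner
192.0.2.77,botnet
not-an-ip,botnet
"""

# Local lists override whatever the feeds say; the allow list wins over the deny list.
ALLOW_LIST = ["198.51.100.10", "2001:db8:bad::1"]
DENY_LIST = ["192.0.2.200", "203.0.113.128/25"]

# User-defined action per category (assumed names); SEVERITY orders the actions.
POLICY = {"botnet": "Drop", "anonymous_proxy": "Warn", "scanner": "Alert", "spam_source": "Alert"}
DEFAULT_ACTION = "Accept"
SEVERITY = {"Accept": 0, "Warn": 1, "Alert": 2, "Drop": 3}


def parse_feed(text):
    """Return ([(network, category), ...], [bad line numbers]).
    Malformed lines are reported, not silently dropped, so a broken feed
    update is visible instead of quietly shrinking the block list."""
    entries, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net_s, cat = (part.strip() for part in line.split(",", 1))
            entries.append((ip_network(net_s, strict=False), cat.lower()))
        except ValueError:  # wrong field count or unparsable address
            bad.append(lineno)
    return entries, bad


def merge_feeds(*feed_texts):
    """Merge feeds into {network: set(categories)}. The union keeps every
    category any source assigned, which is what one enforcement policy
    built from several feeds needs."""
    table = {}
    for text in feed_texts:
        for net, cat in parse_feed(text)[0]:
            table.setdefault(net, set()).add(cat)
    return table


def classify(ip_text, table, allow=ALLOW_LIST, deny=DENY_LIST, policy=POLICY):
    """Return (reason, action) for one address, IPv4 or IPv6.
    Order: allow list, then deny list, then every feed entry containing the
    address; with several categories the most severe configured action wins."""
    ip = ip_address(ip_text)
    if any(ip in ip_network(a, strict=False) for a in allow):
        return "allow_list", "Accept"
    if any(ip in ip_network(d, strict=False) for d in deny):
        return "deny_list", "Drop"
    cats = set()
    for net, net_cats in table.items():
        if ip in net:  # False when address families differ, so v4 and v6 mix safely
            cats |= net_cats
    if not cats:
        return "none", DEFAULT_ACTION
    action = max((policy.get(c, DEFAULT_ACTION) for c in cats), key=SEVERITY.__getitem__)
    return "+".join(sorted(cats)), action


if __name__ == "__main__":
    table = merge_feeds(FEED_A, FEED_B)
    print("bad feed lines in FEED_B:", parse_feed(FEED_B)[1])
    for probe in ("198.51.100.5", "198.51.100.10", "203.0.113.5", "203.0.113.200",
                  "2001:db8:bad::2", "192.0.2.1"):
        print(probe, "->", classify(probe, table))
```

Two design choices matter here. Overrides are evaluated before the feeds, so a feed update can never re-block an address that was deliberately whitelisted, and parse errors are surfaced as line numbers rather than swallowed, because a feed that silently fails to parse is indistinguishable from a feed that says the network is clean.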
SSL traffic termination
Fully terminate SSL traffic to inspect payload, preventing viruses, trojans, or network attacks.

•  Gain visibility and detection of SSL-encrypted attacks
•  Ensure high-scale/high-performance SSL proxy
•  Off-load SSL to reduce server load

[Diagram: SSL sessions from clients are terminated on BIG-IP so the payload can be inspected before being forwarded to the servers.]
Secure and available DNS

Before F5: 65,000 concurrent queries
•  Cache poisoning
•  DNS spoofing
•  Man in the middle
•  DDoS

With F5: secure and available DNS infrastructure, 10 million concurrent queries
•  Consolidate firewall and DNS
•  Ensure high-performance scalable services
•  Secure 10 million concurrent DNS queries
Manageability and Visibility
Application-oriented policies and reports

Logging – Generation and Storage of Individual Security Events
•  Configure local and remote high-speed network firewall logging
•  Independently controlled logging for Access Control, DoS, IP-Intel
•  Log destinations & publishers consistent with the BIG-IP logging framework
•  Guaranteed logging with log throttling

Reporting – Visualization of Security Statistics
•  Reporting used for visualizing traffic/attack patterns over time
•  Geo & IPFIX & stale rules reporting
•  Access-control & DoS: drill-downs by contexts, IP, rule, etc.
•  Integration with 3rd party SIEM systems

Report type
•  HIPAA & PCI compliance reporting
•  DDoS attack report
•  IP Enforcer stats
•  SNMP traps & MIB for DoS reporting
Enhanced DDoS logging: Rate limiting
Avoid reduced performance during excessive logging periods

•  Establish rate limits at the granularity of a specific log message
•  A profile-wide limit applies to the whole profile regardless of message type
•  Global or per Virtual Server application
•  Aggregate limits on IP Intelligence
•  Ensure compliance with PCI data logging requirements
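The budget logic behind a per-message limit combined with a profile-wide limit, as an added example written for this page (not F5's logging code): one token bucket per message type and one for the whole profile, an event emitted only when both have room, and suppressed events counted per type so a summary record can be logged instead of the events being lost silently. The message types, the rates and the class API are assumptions for the illustration.

```python
import time


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst=None):
        self.rate = float(rate)
        self.burst = float(rate if burst is None else burst)
        self.tokens = self.burst
        self.last = None

    def refill(self, now):
        if self.last is not None:
            elapsed = max(0.0, now - self.last)  # a clock going backwards never adds tokens
            self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now

    def has_token(self):
        return self.tokens >= 1.0

    def take(self):
        self.tokens -= 1.0


class RateLimitedLogger:
    """Emit a security event only if its message-type budget and the
    profile-wide aggregate budget both have room. Suppressed events are
    counted so the count can be reported later; nothing is dropped silently."""

    def __init__(self, per_type_rates, aggregate_rate):
        self.per_type = {t: TokenBucket(r) for t, r in per_type_rates.items()}
        self.aggregate = TokenBucket(aggregate_rate)
        self.emitted = []       # (ts, type, message) records that passed
        self.suppressed = {}    # type -> dropped count since the last drain

    def log(self, msg_type, message, now=None):
        now = time.monotonic() if now is None else now
        buckets = [self.aggregate]
        if msg_type in self.per_type:               # a type without its own limit
            buckets.append(self.per_type[msg_type])  # only consumes the aggregate budget
        for b in buckets:
            b.refill(now)
        if all(b.has_token() for b in buckets):     # check both before taking from either
            for b in buckets:
                b.take()
            self.emitted.append((now, msg_type, message))
            return True
        self.suppressed[msg_type] = self.suppressed.get(msg_type, 0) + 1
        return False

    def drain_suppressed(self):
        """Return and reset the suppression counters, to be written as one
        summary record per type ("N dos events suppressed")."""
        counts, self.suppressed = self.suppressed, {}
        return counts


if __name__ == "__main__":
    lg = RateLimitedLogger({"dos": 10, "ipi": 5}, aggregate_rate=12)
    for i in range(20):
        lg.log("dos", f"syn flood pkt {i}", now=0.0)
    for i in range(5):
        lg.log("ipi", f"botnet src {i}", now=0.0)
    print(len(lg.emitted), "emitted,", lg.drain_suppressed(), "suppressed")
```

Checking both buckets before consuming from either is the detail that keeps the two limits honest: if the per-type token were taken first and the aggregate then refused, the per-type budget would shrink for events that were never written.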
Enhanced DDoS logging
Activate logging for stateful flow attacks at global, route domain or per-VS level

•  Ensures availability of security information via logs, tmstats, SNMP and AVR
•  # of currently active flows
•  # of reaped (shut down) flows
•  # of flows dropped due to flowtable misses
•  # of SYN cookie challenges generated, passed, failed (DSR/non-DSR modes)

New section: turn on logging to query the tmstats table and get snapshots of the counters every second; if there is a change in the stats it logs the data.
Manageability and Visibility
SIEM INTEGRATION: APPLICATION-CENTRIC LOGGING AND REPORTING

§  F5 reporting to key SIEM partners: Splunk, Q1, ArcSight
§  Start with application-centric views (high level) and drill down to more details (very detailed)
§  At-a-glance visibility and intelligence for ADF's context-aware security
Advanced application firewall

BIG-IP AFM PROTECTIONS
•  Full proxy firewall
•  Hardware based DoS
•  App-centric policy enforcement
•  High scalability, flexibility and performance
•  Dynamic IP intelligence
•  Expert tracking, logging & reporting
•  BIG-IP platform security

[Diagram: the protections layered on the BIG-IP platform, labelled BIG-IP AFM, BIG-IP ASM and All BIG-IP.]