
Dynamic and Intelligent Security

BIG-IP v11.2

Danny Luedke, PMM of Traffic Mgmt./DC Firewall


Jonathan George, PMM of App. Security/Access
Ido Breger, PM of Application Security
Don Laursen, PM of Traffic Management

Agenda

•Security challenges
•Intelligent Network
•Global Delivery Intelligence
•IP Intelligence service
•Fast vulnerability assessment & app. security
•Hardware protection for encrypted material
•Easy access for Java and Chrome technologies
•Performance, Features and Resources

© F5 Networks, Inc.

The Three Threat Vectors

Network Attacks DDoS Attacks Application Attacks


Security Challenges

• 54% of hacking breaches in larger organizations occur at the web application
• A Denial of Service tool… using SSL/TLS showed the potential for an everyday laptop on an average connection to take down an enterprise web server
• Anonymous proxies… have steadily increased, more than quadrupling in number as compared to three years ago.
• Threat detection today… hinges on two elements: identifying suspicious activity among billions of data points, and refining a large set of suspicious incidents down to those that matter
• We still see SQL Injection as a choice point of entry for attacker
• The most significant change we saw in 2011 was the rise of “hacktivism” against larger organizations worldwide


Threats are evolving, behaviors are changing

Figure 15 and 16: Verizon 2011 Data Breach Investigations Report



F5 Networks
Connecting Users to Secure, Fast, and Available Applications
[Diagram: Mobile Security and Data Center Security]

Users shown:
• Mobile Employees
• Headquarters Employees (LAN / WLAN)
• Remote Office Employees (LAN / WLAN)
• Customer, Partners, and Suppliers

Applications shown:
• Consumer Applications
• Partner Applications
• Data Center Applications
• SaaS
• Cloud Applications

BIG-IP® modules shown:
• BIG-IP® Local Traffic Manager (LTM)
• BIG-IP® Global Traffic Manager (GTM)
• BIG-IP® Application Security Manager (ASM)
• BIG-IP® Access Policy Manager (APM)
• BIG-IP® WAN Optimization Manager (WOM)
• BIG-IP® WebAccelerator (WA)

Also shown: Enterprise Manager™; iRules®, iApps®, and iControl®; TMOS®


The Shift To The Intelligent Network

• We want to leverage the business data: Business Analytics
• We need to approach security different: Evolving Threats
• Users expect a better experience: Personalized Experience


Context leverages information about the end user to improve the interaction

• Who: Who is the user?
• What: What devices are requesting access?
• When: When are they allowed to access?
• Where: Where are they coming from?
• How: How did they navigate to the page/site?



Context-aware technologies will affect $96 billion of
annual consumer spending worldwide by 2015. By
that time, more than 15 percent of all payment card
transactions will be validated using context
information.
-Gartner


New Subscription Services


Global Delivery Intelligence

Danny Luedke, PMM Traffic Management

Jonathan George, PMM App. Security/ Access


What’s Required To Build Context

[Diagram labels: Intelligence, Context, Delivery]

• Capture
• Analyze
• Classify

• Events
• Analysis
• Action
Global Delivery Intelligence

An ecosystem of cloud-based services to make better network decisions.

[Diagram labels: Locate IQ Intelligence, Trust IQ Intelligence, IP Intelligence, Subscription, Free, Location, Today, Service, Context, Fast, Available, Secure]


Global Delivery Intelligence

An ecosystem of cloud-based services to make better network decisions.

[Diagram labels: Locate IQ Intelligence, Site IQ Intelligence, xxx IQ Intelligence, Trust IQ Intelligence, IP Intelligence, Subscription, Free, Location, Today, Service, Roadmap, Context, Fast, Available, Secure]

IP Intelligence: Defend Against Malicious Activity and Web Attacks

We need to approach security different: Evolving Threats

• Enhance automated application delivery decisions adding better intelligence and stronger security based on context.
• Layer of IP threat protection delivers context to identify and block IP threats using a dynamic data set of high-risk IP addresses.
• Visibility into threats from multiple sources leverages a global threat sensor network
• Deliver intelligence in a simple way reveals inbound and outbound communication
• Real-time updates keep protection at peak performance refreshing database every five minutes.


IP Intelligence

• Reputation: Deny access to infected IPs
• Scanners: Probes, scans, brute force
• Windows Exploits: Known distributed IPs
• Denial of Service: DoS, DDoS, Syn flood
• Web Attacks: IPs used for SQL Injection, CSRF
• Phishing Proxies: Phishing sites host
• BotNets: Infected IPs controlled by Bots
• Anonymous Proxies: Anon services, Tor

IP Intelligence Overview
Service Module: IP Intelligence
• Dynamic Threat IPs
• All BIG-IP appliances
• Near-real-time updates (up to 5min intervals)
• Dramatically reduces system loads
• Subscription-based service

IP Intelligence Highlights
• Developed from customer-driven demand
• Ever-increasing volume of threats
• Improves security stopping known bad traffic
• Static and publicly available Black Lists are insufficient
• Compelling value
• Better appliance efficiency reducing network traffic
• Value-add layer of IP-based security
• Faster threat response with near-real-time updates
• Provisioned across Multiple Threat Types
• Delivering Dynamic Updates in near real-time


IP Intelligence
How it works
• Fast IP update of malicious activity
• Global sensors capture IP behaviors
• Threat correlation reviews/ blocks/ releases

[Diagram: IP Intelligence Service]
• Key Threats: Web Attacks, Reputation, Windows Exploits, Botnets, Scanners, Network Attacks
• Sensor Techniques: Semi-open Proxy Farms, Exploit Honeypots, Naïve User Simulation, Web App Honeypots, Third-party Sources
• IP Intelligence Service: Threat Correlation
• Dynamic Threat IPs every 5min.
• Other labels: Internet, DNS, IP Intelligence, BIG-IP System

IP Intelligence Use Cases for BIG-IP


Use Case: Malicious Inbound Connection Attempts
Threat Prevention Scenarios:
• Rejecting inbound connection attempts from known Threat IPs
• Automatically update real-time feeds
Benefits:
• Improve security and performance
• Enhance perimeter security
• Mitigate DoS attacks
• Increase device throughput

Use Case: Malicious Outbound Communications
Threat Prevention Scenarios:
• Block outbound communications from infected endpoints (i.e., zombies) to botnet networks
Benefits:
• Reduce security risk
• Prevent frauds
• Prevent information leakage

Use Case: Packet Parsing Reduction
Threat Prevention Scenarios:
• Reduce processing time (e.g., form input parsing and validation overhead) by blocking sites from known Threat IPs
Benefits:
• Increase performance and scalability of protected applications

Use Case: Anonymization Prevention
Threat Prevention Scenarios:
• Block inbound connections from anonymous proxies
Benefits:
• Increase security and performance of device
• Prevent frauds

Use Case: Phishing Protection
Threat Prevention Scenarios:
• Protect high-value websites by preventing access of site objects by phishing sites, or by any non end-user source
Benefits:
• Increase availability and performance of protected servers/applications
• Prevent frauds

Use Case: Botnets
Threat Prevention Scenarios:
• Block botnet C&C channels and infected zombie machine controlled by Bot master for DoS and other attacks
Benefits:
• Improve security and performance
• Enhance perimeter security
• Mitigate DoS attacks
• Increase device throughput


IP Intelligence
Identify and allow or block IP addresses with malicious activity
[Diagram labels: IP Intelligence Service; IP address feed updates every 5 min; BIG-IP System; Geolocation database; Botnet; Attacker; Anonymous requests; Anonymous Proxies; Scanners; Internally infected devices and servers; Custom Application; Financial Application]

• Use IP intelligence to defend attacks
• Reduce operation and capital expenses

iRules Availability for IP Intelligence


All BIG-IP Systems


Easily Configure Violation Categories


IP Intelligence Service Management in ASM UI
• Easily manage alarms and blocking in ASM
• Approve desired IPs with Whitelist
• Policy Building enabled for ignoring


IP Intelligence Violation Reporting


• View and learn the current IP violations in ASM UI


Graphical Reporting
• Detailed chart path of threats in ASM


IP Intelligence Subscription-Based SKUs


• Buy: License for 1yr or 3yr
– Price depending on device
• Try: 30 day free trial per box
– Access license via Eval. Reg. Generator

Platform             1 Year (USD)     3 Year (USD)
Virtual Edition      $ 800.00         $ 1919.00
1600                 $ 1,800.00       $ 4,319.00
3600                 $ 3,000.00       $ 7,199.00
3900                 $ 4,000.00       $ 9,599.00
6900                 $ 5,500.00       $ 13,199.00
8900/8950            $ 9,000.00       $ 21,599.00
11000/11050          $ 13,000.00      $ 31,199.00
VIPRION 2400         $ 12,999.00      $ 31,197.00
VIPRION 4400/4480    $ 25,499.00      $ 61,197.00

IP Intelligence: Context-based delivery & protection

• Intelligence-based predicted Threat IPs


– Based on observation, context and statistical modeling
– Aging & correlation of Threat IP data

• Broad-based threat identification


– Global network of sensors addressing diverse use cases
– Threat IPs are catalogued and tracked indefinitely

• Cloud-based architected
– Global Delivery Intelligence: subscription-based service
– Real-time continuous updates

• Available throughout all BIG-IP systems


– Configurable in ASM UI
– Accessible from iRules for all solutions


Fast Vuln. Assessment and App. Security

Jonathan George, PMM Application Security/ Access


Unknown Vulnerabilities in Web Apps

• Unable to find or mitigate vulnerabilities
• Very expensive to fix by recoding
• Difficult to include scanner assessments
• Need assurance that app sec. is deployed properly

[Chart: Web Application Vulnerabilities as a percentage of all disclosures in 2011 H1. Web Applications: 37 percent. Others: 63 percent. Source: IBM X-Force Research and Development]

Free App Scan Service to Mitigate Vulnerabilities

• Free application vulnerability scan:
  • Cenzic Cloud in ASM UI
  • 3 free scans
• Configure vulnerability policy in BIG-IP ASM
• Protection from web app attacks

[Diagram labels: Clients, Attacker, Internet, Data Center, BIG-IP Application Security Manager, Web 2.0 Apps, BIG-IP Application Security Manager Virtual Edition, Private Cloud Apps]


Benefits of Cenzic Cloud and BIG-IP ASM

• Narrows window of exposure and reduces operational costs:


– Real-time assessments and virtual patching
– Operationalizes admin. and simplifies mitigation
• Assures app security, availability and compliance:
– Assurance no matter vulnerabilities or policies built
– OWASP protection, compliance, geo blocking
• Improves app performance:
– Availability improves cost effectiveness
• Deploys flexibly with increased agility:
– Deployment in virtual and cloud environments
• Easily integrates with SDLC practices:
– Ongoing website security program


Quick Cenzic Cloud Connection

• 3 free basic scans with “Open Cenzic Cloud Trial Account"


• "Connect with Cenzic Cloud" (for existing users)
• Import vulnerabilities from Cenzic Cloud or load file


Customer Sign-up and Approval

• Click “Connect with Cenzic Cloud” = login page

• Login and confirm information


Free Cenzic Cloud Scans with ASM


Find Vulnerabilities and Reduce Exposure

• 3 free application scans directly from ASM/VE UI


• Free scans are limited health check services
• No time limits once signed up
• No other vendors provide free scan in UI

Cenzic Cloud scans test for:

1. Cross-Site Scripting
2. Application Exception
3. SQL Injection
4. Open Redirect
5. Password Auto-Complete
6. Credit Card Disclosure
7. Non-SSL Password
8. Check HTTP Methods
9. Basic Auth over HTTP
10. Directory Browsing

Free Cenzic Cloud Scans with ASM


Go to market details

• Sales/Resellers need to be authorized by the client to run 3 free scans
• 1st time users directed to registration page
• Existing users: after authorization; users initiate scans from BIG-IP
• Next steps for customer?
– Purchase directly from co-branded portal
– Buy full comprehensive scan options http://www.cenzic.com/products/index.html


Cenzic and F5 Team Up


Channel and Sales go to market plan – coming soon!
• Process for engagement
– Introduce ASM and Cenzic early in the sales process
– Cenzic free HealthCheck scan from the ASM GUI
– Quickly and easily assess cloud and web applications
– Free HealthCheck vulnerability report in ASM delivers
pinpoint policy selection for virtual patching & assurance

• Opportunities/use cases
– Unable to quickly find or mitigate vulnerabilities
– Very expensive to fix vulnerabilities by recoding
– Difficult to include scanner assessments
– Need assurance that app security is deployed properly

Vuln. Assessment and App. Sec. Win


Cenzic & ASM Protect Bed, Bath and Beyond Web Apps

• Found vulnerabilities in reverse auction business app. for sourcing wholesale items. Ariba 3rd party with slow patching
• Cenzic and ASM integration: mitigate vulnerabilities fast, re-deployed on the internet very quickly
• 2 new ASM 1600 standalones


Hardware Protection for Encrypted Material

Don Laursen, PM Traffic Management


Hardware Security Module (HSM)

What is it?
• Hardware Protection for Encrypted
Material
Why do you care?
Because your customers have to…
• Financial/Insurance (PCI)

• Government (FIPS 140-2)

• Healthcare (HIPAA, HHS, ePHI)


Hardware Security Module (HSM)

BIG-IP and HSMs:


• SecureVault
• FIPS 140-2 Level 2 Certified “F” Series
(6900F, 8900F, 11000/50F)
• New in v11.2! PKCS#11 Support and Network
based HSMs (3rd Party Solutions/Appliances)
• Key Management (3rd party Solutions)


Easy Access for Java and Chrome Technologies

Jonathan George, PMM Application Security/ Access


Secure Access for Java Applet Users


Java Rewrite
• Transforms server Java Applets to use SSL over an authentication APM session
• Remote and Mobile users of Java applets easily access apps
• Secure access on Java applet is patched real-time

[Diagram labels: External Users, Internal Users, SSL, BIG-IP Local Traffic Manager + Access Policy Manager, Directory, Java-supported Servers]

Note: If the Applet contains encrypted JAR files, BIG-IP won’t be able to rewrite the applet

Secure Access for Mac and Linux


Java RDP client
• Select resource to pass down a Java based applet
• Acts as an RDP client that executes in the client browser


New browser supported – Google Chrome

• Customizable and localizable list of resources


• Adjusts to mobile devices
• Toolbar, help, and disconnect buttons


Performance, Features, and Resources

Danny Luedke, PMM Traffic Management

Jonathan George, PMM App. Security/ Access


Performance with the 4480 (4x B4300)

• 320 Gbps of throughput
• 5.6 million connections per second (CPS)
• 144 million concurrent connections
• SSL (1K keys): 600,000 transactions per second (TPS)
• DNS query response: 6 million DNS queries per second (QPS)
• Access concurrent connections: 100,000 concurrent connections
• Web Application Firewall: up to 10 million L7 transactions per second

Stirling Features
LTM/TMOS
• Analytics: Centralized Analytics, Email and Save Reports, TMSH stats
• Advance Routing support in Multiple Route Domains
• Decapsulate Wild Card Tunnels on BIG-IP
• IP Encapsulation Tunneling - 6in4 and 4in6 support
• Targeted Traffic Group Failover
• iApp prerequisites
• TLS 1.1 (hardware)

ASM
• IP intelligence service – identify IP addresses w/malicious activity
• Vulnerability assessment – free scan w/Cenzic
• Layer a vulnerability policy on existing ASM policy
• “To do list” – recommended list for improving ASM policies
• Quick links – Easily configure and implement security policies


Stirling Features
APM/EGW
• Java Patching
• Java RDP client
• Chrome Browser support
• Form Based SSO v2 – Fast config.
• TMSH OPSWAT Package Management
• LDAP Password change
• Captive Portal Detection in Edge Client
• Mesh data de-dupe – 100+ sites for Global Access
• Centaur performance – up to 1600 logins per second


Resources; Call to Action

Mark your calendar for these upcoming Field Calls

• Available: Dynamic DNS Infrastructure (April 30, 5pm PST; May 1st, 8am PST)
• Fast: Application Delivery Optimization (May 22, 5pm PST; May 23, 8am PST)
• Manageable: Strong Enterprise Management (Week of May 29)

• EDGE: Solutions and Strategies


– Product Overviews
– Datasheets
– Whitepapers
– Videos
– Presentations
– Recordings
– Competitive

Resources and Events

11.2 Collateral and Resources
• Whiteboard session
• PCI whitepaper
• IPS vs WAF doc
• DDoS papers (2)
• WAFEC doc updated for 11.1 - deep dive
• Verizon and IBM docs
• Innovation labs - FW report
• FSI reference architecture

Events
• Blackhat – July 21 – 26, Vegas
• Agility – July 23 – 26, NYC
• RSA – Feb. 2012, was a huge success in leads and awareness


Questions?
To ask a question:
• Press *1 -or-
• Enter your question in the Q&A pod in the top of the LiveMeeting
screen

© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS,
and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries
