Field Call Dynamic and Intelligent Security BIG-IP v11.2 (Slides)
BIG-IP v11.2
Agenda
•Security challenges
•Intelligent Network
•Global Delivery Intelligence
•IP Intelligence service
•Fast vulnerability assessment & app. security
•Hardware protection for encrypted material
•Easy access for Java and Chrome technologies
•Performance, Features and Resources
© F5 Networks, Inc.
Security Challenges
• 54% of hacking breaches in larger organizations occur at the web application
• A Denial of Service tool… using SSL/TLS showed the potential for an everyday laptop on an average connection to take down an enterprise web server
• Anonymous proxies… have steadily increased, more than quadrupling in number as compared to three years ago.
• Threat detection today… hinges on two elements: identifying suspicious activity among billions of data points, and refining a large set of suspicious incidents down to those that matter
• We still see SQL Injection as a choice point of entry for attacker
F5 Networks
Connecting Users to Secure, Fast, and Available Applications
[Diagram: Mobile Security and Data Center Security. Users and sites: Mobile Employees, Consumer, Partner, Headquarters Employees (LAN / WLAN), Remote Office Employees (LAN / WLAN). Products: Enterprise Manager™, BIG-IP® Local Traffic Manager (LTM), BIG-IP® Global Traffic Manager (GTM), BIG-IP® Application Security Manager (ASM), BIG-IP® Access Policy Manager (APM), BIG-IP® WAN Optimization Manager (WOM), BIG-IP® Web-Accelerator (WA). Destinations: Applications, Data Center Applications, SaaS.]
How
“Context-aware technologies will affect $96 billion of annual consumer spending worldwide by 2015. By that time, more than 15 percent of all payment card transactions will be validated using context information.”
-Gartner
[Diagram: Intelligence, Context, Delivery. Labels: Capture, Analyze, Classify; Events, Analysis, Action.]
[Diagram: intelligence services. Labels: Locate IQ Intelligence, Trust IQ Intelligence, xxx IQ Intelligence, IP Intelligence, Location, Context, Subscription, Free, Today, Service.]
IP Intelligence
• Reputation: Deny access to infected IPs
• Scanners: Probes, scans, brute force
IP Intelligence Overview
Service Module
IP Intelligence
• Dynamic Threat IPs
• All BIG-IP appliances
• Near-real-time updates (up to 5min intervals)
• Dramatically reduces system loads
• Subscription-based service
IP Intelligence Highlights
• Developed from customer-driven demand
• Ever-increasing volume of threats
• Improves security stopping known bad traffic
• Static and publicly available Black Lists are insufficient
• Compelling value
• Better appliance efficiency reducing network traffic
• Value-add layer of IP-based security
• Faster threat response with near-real-time updates
• Provisioned across Multiple Threat Types
• Delivering Dynamic Updates in near real-time
IP Intelligence
How it works
• Fast IP update of malicious activity
• Global sensors capture IP behaviors
• Threat correlation reviews/ blocks/ releases
[Diagram: Internet sensor sources (Semi-open Proxy Farms, Exploit Honeypots, Naïve User Simulation, Web App Honeypots, Third-party Sources) feed Dynamic Threat IPs to IP Intelligence on the BIG-IP System every 5min. Threat categories: Web Attacks, Reputation, Windows Exploits, Botnets, Scanners, Network Attacks, DNS.]
Packet Parsing Reduction
• Reduce processing time (e.g., form input parsing and validation overhead) by blocking sites from known Threat IPs
– Increase performance and scalability of protected applications
Anonymization Prevention
• Block inbound connections from anonymous proxies
– Increase security and performance of device
– Prevent frauds
Phishing Protection
• Protect high-value websites by preventing access of site objects by phishing sites, or by any non end-user source
– Increase availability and performance of protected servers/applications
– Prevent frauds
Botnets
• Block botnet C&C channels and infected zombie machine controlled by Bot master for DoS and other attacks
– Improve security and performance
– Enhance perimeter security
– Mitigate DoS attacks
– Increase device throughput
IP Intelligence
Identify and allow or block IP addresses with malicious activity
[Diagram: Botnet, Attacker and Anonymous requests reach the BIG-IP System in front of a Custom Application and a Financial Application. The BIG-IP System uses the IP Intelligence Service (IP address feed updates every 5 min) and a Geolocation database.]
Graphical Reporting
• Detailed chart path of threats in ASM
VIPRION
$ 25,499.00 $ 61,197.00
4400/4480
• Cloud-based architecture
– Global Delivery Intelligence: subscription-based service
– Real-time continuous updates
• Configure vulnerability policy in BIG-IP ASM
[Diagram: Clients and Attacker, Internet, BIG-IP Application Security Manager Virtual Edition, Data Center, Private Cloud Apps.]
• Opportunities/use cases
– Unable to quickly find or mitigate vulnerabilities
– Very expensive to fix vulnerabilities by recoding
– Difficult to include scanner assessments
– Need assurance that app security is deployed properly
What is it?
• Hardware Protection for Encrypted Material
Why do you care?
Because your customers have to…
• Financial/Insurance (PCI)
[Diagram: External Users and Internal Users connect over SSL to BIG-IP Local Traffic Manager + Access Policy Manager, which sits in front of Java-supported Servers and a Directory.]
Note: If the Applet contains encrypted JAR files, BIG-IP won’t be able to rewrite the applet
Stirling Features
LTM/TMOS
• Analytics: Centralized Analytics, Email and Save Reports, TMSH stats
• Advanced Routing support in Multiple Route Domains
• Decapsulate Wild Card Tunnels on BIG-IP
• IP Encapsulation Tunneling - 6in4 and 4in6 support
• Targeted Traffic Group Failover
• iApp prerequisites
• TLS 1.1 (hardware)
ASM
• IP intelligence service – identify IP addresses w/malicious activity
• Vulnerability assessment – free scan w/Cenzic
• Layer a vulnerability policy on existing ASM policy
• “To do list” – recommended list for improving ASM policies
• Quick links – Easily configure and implement security policies
Stirling Features
APM/EGW
• Java Patching
• Java RDP client
• Chrome Browser support
• Form Based SSO v2 – Fast config.
• TMSH OPSWAT Package Management
• LDAP Password change
• Captive Portal Detection in Edge Client
• Mesh data de-dupe – 100+ sites for Global Access
• Centaur performance – up to 1600 logins per second
Questions?
To ask a question:
• Press *1 -or-
• Enter your question in the Q&A pod in the top of the LiveMeeting screen
© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS,
and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries