Scale your DNS Infrastructure Ensure App and Service Availability. Nigel Ashworth Solution Architect EMEA
|
|
- Jane Bailey
- 8 years ago
- Views:
Transcription
1 Scale your DNS Infrastructure Ensure App and Service Availability Nigel Ashworth Solution Architect EMEA
2 Agenda DNS and F5 Use Cases - The top four Firewall for DNS or a DNS Firewall? DNS Reputational Intelligence Competitive Comparisons DNS Mitigation Test framework Context and DNS F5 Agility
3 DNS and F5
4 F5 DNS GSLB to DNS Delivery 11.1 / VISIBILITY AND REPORTING 10.X COMPREHENSIVE GSLB HIGH PERFORMANCE DNS DELIVERY. HIGH PERFORMANCE CACHING & RESOLVING. F5 Agility
5 F5 DNS Secure High Performance DNS SECURITY AND ELASTIC SCALABILITY. EASE OF USE. EASE OF DEPLOYMENT. SERVICE PROVIDER ENHANCEMENTS. CURRENT RELEASE F5 Agility
6 F5 DNS Secure High Performance DNS 11.4 SECURITY AND ELASTIC SCALABILITY EASE OF USE. EASE OF DEPLOYMENT. SERVICE PROVIDER ENHANCEMENTS. CURRENT RELEASE 11.6 SECURI TY DOS F5 Agility
7 F5 DNS Key Drivers Performance and Consolidation Service Providers need scale to support millions of subscribers. Internet CONVENTIONAL DNS THINKING External Firewall DNS Load Balancing Array of DNS Servers Internal Firewall Hidden Master DNS F5 DNS products have unprecedented scale in virtual, appliances and chassis versions. F5 DNS integrates an ICSA certified firewall into the same footprint. Integrate with other F5 modules running on the same hardware. DMZ Datacenter Security F5 PARADIGM SHIFT DNS Protocol Validation scrubs the incoming DNS queries to only answer valid clients. Massive scale allows BIG-IP to absorb large attacks. Query type filtering and rate limiting features can further protect DNS resources. Flexible GSLB Integrated with LTM Internet BIG-IP Global Traffic Manager Master DNS Infrastructure 30M RPS GTM provides the best answer for DC availability through Intelligent DNS. Base answers on topology, geo-location, health and more. Addresses Key Customer Pain Points, reducing OpEx and CapEx F5 DNS Solutions can scale existing DNS installations. Scale without impacting operations. Optimized Service Provider DNS solutions maximize uptime and match core resources with customer demand. F5 Agility
8 Use Cases The top four
9 1 Local DNS Where is F5 Agility
10 1 Local DNS Where is 2 Authoritative DNS Where is F5 Agility
11 1 Local DNS 3 GSLB DNS Where is Data Center Data Center Where is the closest service 2 Authoritative DNS Where is F5 Agility
12 1 Local DNS 3 GSLB DNS Where is Data Center Data Center Where is the closest service 2 Authoritative DNS 4 GGSN / PGW Mobile Core DNS and GSLB GGSN/ PGW MME Where is (e)node B SGW/ SGSN BIG-IP Platform F5 Agility
13 1 Local DNS! DNS Firewall 3 GSLB DNS Where is Data Center Data Center Where is the closest service 2 Authoritative DNS 4 GGSN / PGW Mobile Core DNS and GSLB GGSN/ PGW MME Where is (e)node B SGW/ SGSN BIG-IP Platform F5 Agility
14 Firewall for DNS or a DNS Firewall?
15 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification F5 Agility
16 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification Clients IPv4 / IPv6 TCP / UDP Protocol Validatio n + ACL DNSSEC irules irules DNSSEC GSLB 6 4 GSLB irules 6 4 DNS Express RPZ /Cache / Resolver DNS Server Pool DNS 6-4 Zone XFR DNS LB Pool Request Response AXFR Request AXFR Response Local BIND Zone XFR F5 Agility
17 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification Performa nce 2x 4x 8x Single Process or SMP TMOS F5 Agility Time
18 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification F5 Agility
19 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification Advanced DNS Analytics Applications Virtual Servers Query Name Query Type Client IP F5 Agility
20 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification RESPONSE POLICY ZONES* MITIGATES THREATS BY FQDN IP INTELLIGENCE MITIGATES THREATS BY FQDN URL FILTERING MITIGATES THREATS BY FQDN POLICY CONTROL BY FQDN Ingress DNS path Screens a DNS request against domain names with a bad reputation. Any IP Protocol with irules Categorize the IP address from the response & make a decision. HTTP, HTTPS and DNS with irules Categorize the FQDN from the request & make a decision. F5 Agility
21 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification Legitimate Users DDoS Attacker Multiple ISP strategy ISPa/b Cloud Scrubbing Service Threat Feed Intelligence Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplificatio n, query flood, dictionary attack, DNS poisoning Tier 1 Network and DNS Next-Generation Firewall IPS SSL attacks: SSL renegotiatio n, SSL flood Access Control, Policy Enforcemen t HTTP attacks: Slowloris, slow POST, recursive POST/GET Tier 2 Applicatio n Corporate Users Financial Services E- Commerce Subscriber Scann er Anonym ous Proxies Anonym ous Request s Botnet Attack ers Strategic Point of Control F5 Agility
22 Anatomy of a DNS Firewall Platforms IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification VIPRION 4800 VIPRION 44xx Chassis VIPRION 2400 Chassis BIG IP 10x00 BIG IP 7x00 BIG IP 5x00 BIG IP 4x00 F5 Agility
23 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification Internet Internet CONVENTIONAL DNS THINKING External Firewall DNS Load Balancing BIG-IP Global Traffic Manager DMZ Array of DNS Servers F5 PARADIGM SHIFT Master DNS Infrastructure Internal Firewall Hidden Master DNS Datacenter 30M RPS F5 Agility
24 Anatomy of a DNS Firewall IP Anycast Pre filter Packet inspection Performance Scaling resolution DNSsec and Validation Reporting and Automation DNS Reputational Intelligence DNS scrubbing Hardware sizing Certification F5 Agility
25 DNS Reputational Intelligence
26 Protecting the Client The internet isn t an altogether safe place MALICIOUS THREATS BotNets Inadvertently downloaded and used to mount distributed attacks. Viruses Once installed, causes malicious activity on end-user device, sometimes for ransom. OS Vulnerabilities Unprotected, unpatched devices are extremely vulnerable. UNDESIRABLE CONTENT Offensive Content may violate HR or local rules. Violation of decency standards. Be age inappropriate. Irrelevant Distractive content incompatible with job function or policy. Illegal content File sharing or sites identified as hosting banned material. DUPING THE USER Phishing scams and Man in the Middle Websites which impersonate real websites, often linked from or a website. Scammers aim to capture credentials. Site redirection DNS traffic is captured and sent to a malicious DNS server serving bad DNS results (such as a compromised CPE). F5 Agility
27 DNS IP and Name Reputation Choices RESPONSE POLICY ZONES* MITIGATES THREATS BY FQDN IP INTELLIGENCE MITIGATES THREATS BY FQDN Ingress DNS path Screens a DNS request against domain names with a bad reputation. Any IP Protocol with irules Categorize the IP address from the response & make a decision. URL FILTERING MITIGATES THREATS BY POLICY FQDN CONTROL BY FQDN HTTP, HTTPS and DNS with irules Categorize the FQDN from the request & make a decision. *Response Policy Zones (RPZ) are a form of DNS firewall in which the rule sets are expressed as specially constructed DNS zones. In this case, using RPZ means subscribing to commercial threat feeds that provide the up-to-date RPZ lists of bad domains. F5 Agility
28 Technical Use Cases Nature of Threat RPZ IP INTELLIGENCE URL FILTERING Protect users from accessing malicious websites. DNS lookup required. Limited to IP address reputation. Protect users from accessing a malicious website by IP address.* No DNS lookup issued No DNS lookup to filter. No URL or FQDN to examine. Social networking Against corp policy. Cover malicious content only. Limited to IP address reputation. *IPI blocks both the bad IP address ( AND the domain name ( mapped to the bad IP address. F5 Agility
29 Use Case Client Protection Prevent subscribers from reaching known bad domains Prevent malware and sites hosting malicious content from ever communicating with a client. Internet activity starts with a DNS request. Inhibit the threat at the earliest opportunity. RPZ feed Updates BIG-IP GTM IPV4/V6 LISTENER PROTOCOL VALIDATION IRULES CACHE REPUTATI ON DATABASE SPECIAL HANDLING RESOLVE R F5 Agility
30 Use Case Parental or Enterprise Behavior Controls Customized DNS decisions based on domain categories Determine subscriber policies and use the icontrol API to furnish these into irules. Classify client traffic by source and retrieve their specific policy for categories and permissions. Block or provide walled garden responses according to subscriber preferences. Provided through the URL Filtering license and DNS irules. URL Feed Subscriber Policy icontrol iquery QUERY: DNS irules SOCIAL PARKED DOMAIN GAMES BUSINESS CACHE RESOLVER SUBSCRIBER DATAGROUPS ALL OTHERS LOG F5 Agility
31 Use Case Layered Client Protection Response Policy Zones (RPZ) filters out and provides NXDOMAIN / Redirect for know bad doma URL Filtering further provides granular policy controls using categories. IP Intelligence blocks based on the resolved IP. It can also be used in the data path for other protocols. Subscriber RPZ Feed IPI Feed URL Feed Policy icontrol iquery QUERY: DNS irules (Request / Response) INGRESS DNS PATH RPZ DNS Request Path URL Filtering irule CACHE RESOLVER DNS Response Path IP Intelligence EGRESS DNS PATH F5 Agility
32 Competitive Comparisons
33 A word on terminology DNS EXPRESS DNS CACHING DNS RESOLVER A high performance Authoritative DNS Slave. Zone transfer from an existing DNS server and get scale and security. Place the F5 BIG-IP in front of a DNS Resolver and massively increase DNS performance by caching responses. Use the high performance DNS resolver in BIG-IP to consolidate all DNS and firewall functions into one platform. F5 Agility
34 DNS Authoritative on F5 BIG-IP Appliances DNS Express is Utilized for BIG-IP Numbers Responses per Second S 2200S 4000S 5000S 4200V 7000S 10000S 5200V 10200V 7200V F5 Agility
35 DNS Authoritative on F5 VIPRION DNS Express is Utilized for BIG-IP Numbers Responses per Second B2150 Blade B2100 Blade B2250 Blade B4200 Blade B4300 Blade 2400 w/b w/b w/b w/b F5 Agility
36 DNS Caching on F5 BIG-IP Appliances Responses per Second M RPS S 2200S 4000S 4200V 10000S 5000S 7000S 10200V 5200V 7200V F5 Agility
37 DNS Caching on F5 VIPRION Responses per Second M RPS B2150 Blade B2100 Blade B4300 Blade B2250 Blade 2400 w/b Chassis 2400 w/b Chassis F5 Agility
38 DNS Caching Cost per 1K RPS F5 versus Infoblox Included Functions Cost in USD based on list Enterprise & SP Caching/Resolving Inc. Authoritative Inc. GSLB Inc. Enterprise Caching/Resolving Inc. Authoritative Inc. SP Caching/Resolving Inc. Authoritative Inc. SP Caching/Resolving Inc. 0 F5 Agility
39 DNS Authoritative Cost per 1K RPS F5 versus Infoblox Included Functions Cost in USD based on list Enterprise & SP Caching/Resolving Inc. Authoritative Inc. GSLB Inc. Enterprise Caching/Resolving Inc. Authoritative Inc. SP Caching/Resolving Inc. Authoritative Inc. SP Caching/Resolving Inc. 0 F5 Agility
40 DNS Cache Performance Infoblox Platform by Platform Comparison with F RPS S Infoblox Trinzic S Infoblox Trinzic S Infoblox Trinzic S Infoblox Trinzic V Infoblox Trinzic 4030 Platforms are grouped by like pricing F5 Agility
41 DNS Authoritative Performance Infoblox Platform by Platform Comparison with F RPS S Infoblox Trinzic S Infoblox Trinzic S Infoblox Trinzic S Infoblox Trinzic V Infoblox Trinzic 4030 Platforms are grouped by like pricing F5 Agility
42 DNS Mitigation Test framework
43 Test Rig Mid platform 2400 Platforms Three major Components Traffic Generation (Internal and External) DNS server Caching Resolver (Mid Platform BIG-IP 2400 loaded with 4 blades) Traffic Responses (External) Traffic Generator 10M DNS requests Traffic generator and Responder 10M DNS requests / responses VIPRION 4800 VIPRION 44xx Chassis VIPRION 2400 Chassis BIG IP 10x00 VIPRION 2400 Chassis 10 / 40 Gb interfaces and network BIG IP 7x00 BIG IP 5x00 BIG IP 4x00 F5 Agility
44 Tests to be performed and Why First what to de Risk? Two areas (they are very different and open to different types of attacks) Cache in a DNS server Resolver in a DNS server Types of attacks Many types Volumetric Bad protocol / Floods / Amplification / Reflective Zero ttl consuming resources DNSsec - Poisoning Functional Malware internal and external RPZ lists Banned lists ACL s against a domain list DNS tunnelling remove free loaders Platforms VIPRION 4800 VIPRION 44xx Chassis VIPRION 2400 Chassis BIG IP 10x00 BIG IP 7x00 BIG IP 5x00 BIG IP 4x00 F5 Agility
45 Traffic Generation for Caching mitigation 10M requests per second as internal user requests, broken down as: 50% Malware (50/50 customer list and feed lists) 20% bad protocol requests 10% Valid users 10% DNS tunnelling 10% Zero TTL on domains (queue protection for the resolver) 10 or 40Gb interfaces for scalability Can be split across multiple sources / servers F5 Agility
46 Traffic Generation for Resolver mitigation Internal Traffic generation and responder on the external side: 200K (Turn cache off so all requests go to the resolver) requests per second as internal user requests as All Valid users going to the internet External Traffic generation: 10M requests per second as attacker requests, broken down as: 10% Bad IP addresses Webroot addresses 40% Reflective attackers 40% Amplification attackers 10% bad protocol requests DNS flood 10 or 40Gb interfaces for scalability Can be split across multiple sources / servers F5 Agility
47 DNS Test Framework? Scanners Response Policy Zone (RPZ) IP Intelligence Service Feed BIG-IP GTM and AFM IPV4/V6 LISTENER PROTOCOL VALIDATION IRULES CACHE RESOLVE R REPUTATION DATABASE IP INTELLIGENC E ACL ON IP FROM AFM SUBSCRIBE R RATE MANAGEME NT IRULES SUBSCRIBE R RATE MANAGEME NT ACL ON IP FROM AFM RESPONSE PAGE SPECIAL HANDLING SPECIAL HANDLING Splunk Logging F5 Agility
48 Outcomes Agree Measurement for: Baseline the users performance and that the DNS is available, confidential and has integrity for Cache and Resolver Measure that the attacks do not affect the users and that the DNS is available, confidential and has integrity, compare to baseline It is about Risk Management to the business while under DNS attack. F5 Agility
49 Context and DNS
50 DNS over UDP doesn t prove Identity UDP is the primary transport mechanism for DNS because it s low latency and fast for client resolution UDP is stateless and trivial to spoof A hacker client often doesn t care about the response A hacker client can choose to use the most expensive response A hacker client can be a random nobody A hacker client can IMPERSONATE legitimate clients Techniques to identify clients utilize too much CPU Big DNS DDoS problem: No easy way to identify good vs bad clients F5 Agility
51 Preventing DNS Abuse DNS Tunneling Prevent it with irules Suspend Threshold Classify the traffic Mobile or fixed. Determine the SLA for RPS and allowed response size. Drop Threshold When a client sends in a query Is the query for a blocked domain? (A tunnel host) Is the query rate above allowed rate? Increment score. Client previously above allowed rate? Increment score. Resolve request and analyze response. - Factor in the response size to the score. QUERY RATE SCORING RESPONSE SIZE SCORING Take an action Is the client above the score threshold? - Drop the request Client A Client B Client C Client D Client E Client F - Suspend DNS service for a period. F5 Agility
52 DNS Service Protection Policing Requests for Fairness and Availability SERVICE PROVIDER Primary Customers CSP Service Providers need to ensure availability of DNS services to customers according to their service level. Intelligent per-client IP Rate Limiting gives SPs the tools to inhibit bad actors including DNS tunneling, without adversely affecting performance. MALICIOUS ACTOR Rate limits Per-client DNS rates ACTION S SUSPEND DNS SERVICE COMPROMISE DCLIENT DNS RATE LIMITER RATE LIMIT CLIENT LOG MALICIOUS IDENTITY CACHE RESOLVE R REGULAR CLIENT F5 Agility
53 PATENTS: Issued Patents US Patent No 8,261,351 Inventors: Lisa Golden; Peter Thornewell Title: DNS Flood Protection Platform for a Network Filed January 22, 2008 Issued September 4, 2012 F5 Agility
54 DNS Reference Architectures
55 DNS and GSLB in CURRENT 1. Cloud Bursting 2. Cloud Migration 3. DDoS Protection 4. Intelligent DNS Scale 5. Network Functions Virt. 6. Security for Service Providers 7. S/GI Network Simplification FUTURE 8. Intelligent DNS for SPs 9. Multi-Hybrid Data Centers F5 Agility
56
F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: p.bogaerts@f5.com Mob.: +32 473 654 689
F5 Intelligent Scale Philippe Bogaerts Senior Field Systems Engineer mailto: p.bogaerts@f5.com Mob.: +32 473 654 689 Intelligent and scalable PROTECTS web properties and brand reputation IMPROVES web application
More informationApplication centric Datacenter Management. Ralf Brünig, F5 Networks GmbH Field Systems Engineer March 2014
Application centric Datacenter Management Ralf Brünig, F5 Networks GmbH Field Systems Engineer March 2014 Index Application Deliver Controller (ADC) Proxy ADC Advanced Feature Application Management Optional:
More informationSoftware Defined everything Internet of Things
F5 Synthesis Advanced threats Software Defined everything Internet of Things SDDC/Cloud HTTP is the new TCP Mobility Quality of experience F5 Networks, Inc 2 Customer Challenges: Applications and Infrastructure
More informationMulti-Layer Security for Multi-Layer Attacks. Preston Hogue Dir, Cloud and Security Marketing Architectures
Multi-Layer Security for Multi-Layer Attacks Preston Hogue Dir, Cloud and Security Marketing Architectures High-Performance Services Fabric Programmability Data Plane Control Plane Management Plane Virtual
More informationHow To Make A Cloud Bursting System Work For A Business
Where will your application be in the future, in the cloud, on premises, off premises? How will you protect them? Nigel Ashworth Solution Architect EMEA Advanced threats Software defined everything SDDC/Cloud
More informationDatacenter Transformation
Datacenter Transformation Consolidation Without Compromising Compliance and Security Joe Poehls Solution Architect, F5 Networks Challenges in the infrastructure I have a DR site, but the ROI on having
More information1 2013 Infoblox Inc. All Rights Reserved. Securing the critical service - DNS
1 2013 Infoblox Inc. All Rights Reserved. Securing the critical service - DNS Dominic Stahl Systems Engineer Central Europe 11.3.2014 Agenda Preface Advanced DNS Protection DDOS DNS Firewall dynamic Blacklisting
More informationThe F5 Intelligent DNS Scale Reference Architecture.
The F5 Intelligent DNS Scale Reference Architecture. End-to-end DNS delivery solutions from F5 maximize the use of organizational resources, while remaining agile and intelligent enough to scale and support
More informationSeguridad ante los Ataques Ciberneticos DNS. ENRIQUE MEDINA e.medina@f5.com
Seguridad ante los Ataques Ciberneticos DNS ENRIQUE MEDINA e.medina@f5.com F5 Networks, Inc 2 F5 Company Snapshot Founded: 1996 IPO: June 1999 Employees: Over: 3,942 Headquarters: Seattle, WA President
More informationThe F5 DDoS Protection Reference Architecture
The F5 DDoS Protection Reference Architecture F5 offers guidance to security and network architects in designing, deploying, and managing architecture to protect against increasingly sophisticated, application-layer
More informationIhr Standort bleibt erreichbar. Ihre Applikationen bleiben erreichbar!
Ihr Standort bleibt erreichbar. Ihre Applikationen bleiben erreichbar! Die hybride DDoS Protection und Application Security Lösung von F5 Networks Arrow Sommerforum München am 16. Juli 2015 e.kampmann@f5.com
More informationGlobal Service Loadbalancing & DNSSEC. Ralf Brünig Field Systems Engineer r.bruenig@f5.com DNSSEC
Global Service Loadbalancing & DNSSEC Ralf Brünig Field Systems Engineer r.bruenig@f5.com DNSSEC F5 s Integrated Solution Users The F5 Solution Applications Mobile Phone PDA Laptop Desktop Application
More informationGanzheitlicher Schutz von Rechenzentren, Web-Servern und Anwendungen
Ganzheitlicher Schutz von Rechenzentren, Web-Servern und Anwendungen Technical Workshop 2014 ETK networks solution GmbH und CMS IT-Consulting GmbH erwin.kampmann@f5.com The evolution of attackers January
More informationArray Networks NetContinuum. Netli. Fine Ground. StrangeLoop. Akamai. Barracuda. Aptimize. Inkra. Nortel. Juniper. Cisco. Brocade/Foundry.
Array Networks NetContinuum Netli Barracuda StrangeLoop Inkra Fine Ground Aptimize Akamai Cisco Citrix Juniper Zeus Radware Nortel ActivNetworks Brocade/Foundry Swan Labs A10 Redline Coyote Point Crescendo
More informationProtect Your Infrastructure from Multi-Layer DDoS Attacks
Protect Your Infrastructure from Multi-Layer DDoS Attacks F5 EMEA Webinar February 2014 Presenter: Keiron Shepherd Title: Field Systems Engineer Protecting Against DDoS is Challenging Webification of apps
More informationF5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution
F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution As market leaders in the application delivery market and DNS, DHCP, and IP Address Management (DDI) market
More informationHigh-Performance DNS Services in BIG-IP Version 11
F5 White Paper High-Performance DNS Services in BIG-IP Version 11 To provide high-quality user experiences on the Internet, networks must be designed with optimized, secure, highly available, and high-performance
More informationThe F5 DDoS Protection Reference Architecture
The F5 DDoS Protection Reference Architecture F5 offers guidance to security and network architects in designing, deploying, and managing architecture to protect against increasingly sophisticated, application-layer
More information1 2014 2013 Infoblox Inc. All Rights Reserved. Talks about DNS: architectures & security
1 2014 2013 Infoblox Inc. All Rights Reserved. Talks about DNS: architectures & security Agenda Increasing DNS availability using DNS Anycast Opening the internal DNS Enhancing DNS security DNS traffic
More informationF5 (Security) Web Fraud Detection. Keiron Shepherd Security Systems Engineer
F5 (Security) Web Fraud Detection Keiron Shepherd Security Systems Engineer The 21 st century application infrastructure (Trends) Users are going to access applications Mobile/VDI/XaaS/OS Security goes
More informationWHITEPAPER. Designing a Secure DNS Architecture
WHITEPAPER Designing a Secure DNS Architecture Designing a Secure DNS Architecture In today s networking landscape, it is no longer adequate to have a DNS infrastructure that simply responds to queries.
More informationWeb Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks r.gibala@f5.com
Web Application Security Radovan Gibala Senior Field Systems Engineer F5 Networks r.gibala@f5.com Security s Gaping Hole 64% of the 10 million security incidents tracked targeted port 80. Information Week
More informationFortiDDos Size isn t everything
FortiDDos Size isn t everything Martijn Duijm Director Sales Engineering April - 2015 Copyright Fortinet Inc. All rights reserved. Agenda 1. DDoS In The News 2. Drawing the Demarcation Line - Does One
More informationSTOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect
STOPPING LAYER 7 ATTACKS with F5 ASM Sven Müller Security Solution Architect Agenda Who is targeted How do Layer 7 attacks look like How to protect against Layer 7 attacks Building a security policy Layer
More informationSecurity F5 SECURITY SOLUTION GUIDE
F5 SECURITY SOLUTION GUIDE Security Protect your data center and application services, improve user access, optimize performance, and reduce management complexity. 1 WHAT'S INSIDE Data Center Firewall
More informationF5 Applikationsbereitstellung ohne Grenzen
F5 Applikationsbereitstellung ohne Grenzen Profi AG Endkunden-Webcast, 27.11.14 Dino Schmid d.schmid@f5.com Major Channel Account Manager Worum geht es in der IT? F5 Networks, Inc 2 Das wichtigste in der
More informationOptimize Application Delivery Across Your Globally Distributed Data Centers
BIG IP Global Traffic Manager DATASHEET What s Inside: 1 Key Benefits 2 Globally Available Applications 4 Simple Management 5 Secure Applications 6 Network Integration 6 Architecture 7 BIG-IP GTM Platforms
More informationScale and Protect DNS Infrastructure and Optimize Global App Delivery
BIG IP DATASHEET What s Inside 2 Unmatched DNS Performance 2 DNS Caching and Resolving 3 Secure Applications 5 Globally Available Applications 7 Simple Management 10 Network Integration 11 Architecture
More informationCloud Security In Your Contingency Plans
Cloud Security In Your Contingency Plans Jerry Lock Security Sales Lead, Greater China Contingency Plans Avoid data theft and downtime by extending the security perimeter outside the data-center and protect
More information2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer
2012 Infrastructure Security Report 8th Annual Edition Kleber Carriello Consulting Engineer Key Findings in the Survey* Advanced Persistent Threats (APT) a top concern for service providers and enterprises
More informationBusiness Case for a DDoS Consolidated Solution
Business Case for a DDoS Consolidated Solution Executive Summary Distributed denial-of-service (DDoS) attacks are becoming more serious and sophisticated. Attack motivations are increasingly financial
More informationOptimize DNS Services and App Delivery Across Global Data Centers
BIG IP Global Traffic Manager DATASHEET What s Inside 2 Globally Available Applications 4 Unmatched DNS Performance 4 DNS Caching and Resolving 4 Secure Applications 6 Simple Management 8 Network Integration
More informationSecuring Your Business with DNS Servers That Protect Themselves
Summary: The Infoblox DNS security product portfolio mitigates attacks on DNS/DHCP servers by intelligently recognizing various attack types and dropping attack traffic while responding only to legitimate
More informationSecuring Your Business with DNS Servers That Protect Themselves
Product Summary: The Infoblox Secure DNS Solution mitigates attacks on DNS servers by intelligently recognizing various attack types and dropping attack traffic while responding only to legitimate queries.
More informationOptimize Application Delivery Across Your Globally Distributed Data Centers
BIG IP Global Traffic Manager DATASHEET What s Inside: 2 Globally Available Applications 4 Unmatched DNS Performance 4 Secure Applications 5 Simple Management 7 Network Integration 8 Architecture 9 BIG
More informationPresented by Philippe Bogaerts Senior Field Systems Engineer p.bogaerts@f5.com. Securing application delivery in the cloud
Presented by Philippe Bogaerts Senior Field Systems Engineer p.bogaerts@f5.com Securing application delivery in the cloud 2 The Leader in Application Delivery Networking Users Data Center At Home In the
More informationHow To Block A Ddos Attack On A Network With A Firewall
A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial
More informationANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE
ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE ANATOMY OF A DDOS ATTACK AGAINST THE DNS INFRASTRUCTURE The Domain Name System (DNS) is part of the functional infrastructure of the Internet and
More informationOptimize Application Delivery Across Your Globally Distributed Data Centers
BIG IP Global Traffic Manager DATASHEET What s Inside: 2 Globally Available Applications 4 Unmatched DNS Performance 4 Secure Applications 5 Simple Management 7 Network Integration 8 Architecture 10 BIG
More informationFortiDDoS. DDoS Attack Mitigation Appliances. Copyright Fortinet Inc. All rights reserved.
FortiDDoS DDoS Attack Mitigation Appliances Copyright Fortinet Inc. All rights reserved. What is a DDoS Attack? Flooding attack from compromised PCs run by a Botmaster The Botmaster s motivations may be
More informationOptimize DNS, Secure and Ensure Availability, and Monetize Usage
Service Provider BIG-IP Global Traffic Manager DATASHEET Optimize DNS, Secure and Ensure Availability, and Monetize Usage What s Inside 2 Increasing Services Demand 2 F5 DNS Services in Service Provider
More informationAutomated Mitigation of the Largest and Smartest DDoS Attacks
Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application
More informationSecuring Your Business with DNS Servers That Protect Themselves
Product Summary: The Infoblox DNS security product portfolio mitigates attacks on DNS servers by intelligently recognizing various attack types and dropping attack traffic while responding only to legitimate
More informationDefend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall
Defeat Malware and Botnet Infections with a DNS Firewall By 2020, 30% of Global 2000 companies will have been directly compromised by an independent group of cyberactivists or cybercriminals. How to Select
More informationGetting More Performance and Efficiency in the Application Delivery Network
SOLUTION BRIEF Intel Xeon Processor E5-2600 v2 Product Family Intel Solid-State Drives (Intel SSD) F5* Networks Delivery Controllers (ADCs) Networking and Communications Getting More Performance and Efficiency
More informationF5 and Oracle Database Solution Guide. Solutions to optimize the network for database operations, replication, scalability, and security
F5 and Oracle Database Solution Guide Solutions to optimize the network for database operations, replication, scalability, and security Features >> Improved operations and agility >> Global scaling Use
More informationThe Dynamic DNS Infrastructure
Between the proliferation of mobile devices and the everincreasing amount of content on the web, DNS usage has seen a huge increase in recent years. Meanwhile, DNS continues to be a tempting target for
More informationTDC s perspective on DDoS threats
TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)
More informationReal Life DoS/DDOS Threats and Benefits of Deep DDOS Inspection. Oğuz YILMAZ CTO Labris Networks
Real Life DoS/DDOS Threats and Benefits of Deep DDOS Inspection Oğuz YILMAZ CTO Labris Networks 1 Today Labris Networks L7 Attacks L7 HTTP DDoS Detection Problems Case Study: Deep DDOS Inspection (DDI
More information5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)
5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep) survey says: There are things that go bump in the night, and things that go bump against your DNS security. You probably know
More informationDEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager
DEPLOYMENT GUIDE Version 1.1 DNS Traffic Management using the BIG-IP Local Traffic Manager Table of Contents Table of Contents Introducing DNS server traffic management with the BIG-IP LTM Prerequisites
More informationSecuring Your Business with DNS Servers That Protect Themselves
Product Summary: The Infoblox DNS security product portfolio mitigates attacks on DNS/DHCP servers by intelligently recognizing various attack types and dropping attack traffic while responding only to
More informationBEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE
BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE Your external DNS is a mission critical business resource. Without
More informationSecurityDAM On-demand, Cloud-based DDoS Mitigation
SecurityDAM On-demand, Cloud-based DDoS Mitigation Table of contents Introduction... 3 Why premise-based DDoS solutions are lacking... 3 The problem with ISP-based DDoS solutions... 4 On-demand cloud DDoS
More informationMANAGE SECURE ACCESS TO APPLICATIONS BASED ON USER IDENTITY. EMEA Webinar July 2013
MANAGE SECURE ACCESS TO APPLICATIONS BASED ON USER IDENTITY EMEA Webinar July 2013 Protecting the Enterprise Full Footprint Mobile user Application access management & Application security Enterprise headquarters
More informationF5 fra Lastbalansering til Sikkerhet med Applikasjonene i fokus. Jon Bjørnland F5 Norway j.bjornland@f5.com
F5 fra Lastbalansering til Sikkerhet med Applikasjonene i fokus Jon Bjørnland F5 Norway j.bjornland@f5.com Markedsleder innen Application Delivery Networking Gartner, Feb 2009: Load Balancers Are Dead:
More informationAcquia Cloud Edge Protect Powered by CloudFlare
Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....
More informationPowering the Internet of Things: SDN/NFV Architectures
Powering the Internet of Things: SDN/NFV Architectures 6B Connected Devices 2013 2013 2016 2018 2020 50B Connected Devices Worldwide by 2020 Implications for Service Providers Scaling the Networks End
More informationHow To Attack A Website With An Asymmetric Attack
DEFENDING AGAINST LOW-BANDWIDTH, ASYMMETRIC DENIAL-OF-SERVICE ATTACKS David W. Holmes (@dholmesf5) F5 Networks Session ID: HT-R02 Session Classification: Intermediate AGENDA Introduction Why does this
More informationProtect your network: planning for (DDoS), Distributed Denial of Service attacks
Protect your network: planning for (DDoS), Distributed Denial of Service attacks Nov 19, 2015 2015 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product
More informationArrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015
Arrow ECS University 2015 Radware Hybrid Cloud WAF Service 9 Ottobre 2015 Get to Know Radware 2 Our Track Record Company Growth Over 10,000 Customers USD Millions 200.00 150.00 32% 144.1 16% 167.0 15%
More informationCloudFlare advanced DDoS protection
CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com
More informationGuide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst
INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security
More informationAutomated Mitigation of the Largest and Smartest DDoS Attacks
Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application
More informationReplacing Microsoft Forefront Threat Management Gateway with F5 BIG-IP. Dennis de Leest Sr. Systems Engineer Netherlands
Replacing Microsoft Forefront Threat Management Gateway with F5 BIG-IP Dennis de Leest Sr. Systems Engineer Netherlands Microsoft Forefront Threat Management Gateway (TMG) Microsoft Forefront Threat Management
More informationSTARTER KIT. Infoblox DNS Firewall for FireEye
STARTER KIT Introduction Infoblox DNS Firewall integration with FireEye Malware Protection System delivers a unique and powerful defense against Advanced Persistent Threats (APT) for business networks.
More informationDeploying the BIG-IP System with Microsoft Lync Server 2010 and 2013 for Site Resiliency
Deployment Guide Document Version 1.2 What s inside: 2 Configuration example 5 Configuring the BIG-IP LTM using the Lync 2010 iapp 6 Configuring the BIG-IP GTM 11 Creating a Distributed Application for
More informationFirst Line of Defense
First Line of Defense SecureWatch ANALYTICS FIRST LINE OF DEFENSE OVERVIEW KEY BENEFITS Comprehensive Visibility Powerful web-based security analytics portal with easy-to-read security dashboards Proactive
More informationDefend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall
Defeat Malware and Botnet Infections with a DNS Firewall By 2020, 30% of Global 2000 companies will have been directly compromised by an independent group of cyberactivists or cybercriminals. How to Select
More informationWeb Application Defence. Architecture Paper
Web Application Defence Architecture Paper June 2014 Glossary BGP Botnet DDoS DMZ DoS HTTP HTTPS IDS IP IPS LOIC NFV NGFW SDN SQL SSL TCP TLS UTM WAF XSS Border Gateway Protocol A group of compromised
More informationIntroducing FortiDDoS. Mar, 2013
Introducing FortiDDoS Mar, 2013 Introducing FortiDDoS Hardware Accelerated DDoS Defense Intent Based Protection Uses the newest member of the FortiASIC family, FortiASIC-TP TM Rate Based Detection Inline
More informationAvailability Acceleration Access Virtualization - Consolidation
Sales Guide straight to the point Availability Acceleration Access Virtualization - Consolidation F5 Battlecard Aligning business strategy and the IT infrastructure F5 provides strategic points of control
More informationArbor s Solution for ISP
Arbor s Solution for ISP Recent Attack Cases DDoS is an Exploding & Evolving Trend More Attack Motivations Geopolitical Burma taken offline by DDOS attack Protests Extortion Visa, PayPal, and MasterCard
More informationGlobal Server Load Balancing
White Paper Overview Many enterprises attempt to scale Web and network capacity by deploying additional servers and increased infrastructure at a single location, but centralized architectures are subject
More informationAKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.
CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE. Threat > The number and size of cyberattacks are increasing rapidly Website availability and rapid performance are critical factors in determining the success
More informationApplication DDoS Mitigation
Application DDoS Mitigation Revision A 2014, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Volumetric vs. Application Denial of Service Attacks... 3 Volumetric DoS Mitigation...
More informationLoad Balancing Security Gateways WHITE PAPER
Load Balancing Security Gateways WHITE PAPER Table of Contents Acceleration and Optimization... 4 High Performance DDoS Protection... 4 Web Application Firewall... 5 DNS Application Firewall... 5 SSL Insight...
More informationBusiness Case for S/Gi Network Simplification
Business Case for S/Gi Network Simplification Executive Summary Mobile broadband traffic growth is driving large cost increases but revenue is failing to keep pace. Service providers, consequently, are
More informationSTATE OF DNS AVAILABILITY REPORT
STATE OF DNS AVAILABILITY REPORT VOLUME 1 ISSUE 1 APRIL 2011 WEB SITES AND OTHER ONLINE SERVICES ARE AMONG THE MOST IMPORTANT OPERATIONAL AND REVENUE GENERATING TOOLS FOR BUSINESSES OF ALL SIZES AND INDUSTRIES.
More informationDDoS Overview and Incident Response Guide. July 2014
DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target
More informationAt dincloud, Cloud Security is Job #1
At dincloud, Cloud Security is Job #1 A set of surveys by the international IT services company, the BT Group revealed a major dilemma facing the IT community concerning cloud and cloud deployments. 79
More informationBusiness Case for Data Center Network Consolidation
Business Case for Data Center Network Consolidation Executive Summary Innovations in cloud, big data, and mobility as well as users expectations for anywhere, anytime, and any device access are defining
More informationZscaler Internet Security Frequently Asked Questions
Zscaler Internet Security Frequently Asked Questions 1 Technical FAQ PRODUCT LICENSING & PRICING How is Zscaler Internet Security Zscaler Internet Security is licensed on number of Cradlepoint devices
More informationProtecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper
Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges
More informationDNSSEC and DNS Proxying
DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare DNS is big 3 CloudFlare DNS is fast 4 CloudFlare DNS is always under attack 5 CloudFlare A secure reverse proxy for
More informationCisco ACI and F5 LTM Integration for accelerated application deployments. Dennis de Leest Sr. Systems Engineer F5
Cisco ACI and F5 LTM Integration for accelerated application deployments Dennis de Leest Sr. Systems Engineer F5 Agenda F5 Networks Who are we and what is Big-IP? F5 Synthesis Software Defined Application
More informationAvailability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013
the Availability Digest Prolexic a DDoS Mitigation Service Provider April 2013 Prolexic (www.prolexic.com) is a firm that focuses solely on mitigating Distributed Denial of Service (DDoS) attacks. Headquartered
More informationTop Five DNS Security Attack Risks and How to Avoid Them
WHITEPAPER Top Five DNS Security Attack Risks and How to Avoid Them How to Effectively Scale, Secure, Manage, and Protect Your DNS Table of Contents Executive Overview 2 DNS Attacks Are on the Rise 2 External
More informationHow To Protect A Dns Authority Server From A Flood Attack
the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point
More informationAgenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka
Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques
More informationDOMAIN NAME SECURITY EXTENSIONS
DOMAIN NAME SECURITY EXTENSIONS The aim of this paper is to provide information with regards to the current status of Domain Name System (DNS) and its evolution into Domain Name System Security Extensions
More informationNetworking for Caribbean Development
Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n
More informationSecuring External Name Servers
WHITEPAPER Securing External s Cricket Liu, Vice President of Architecture This white paper discusses the critical nature of external name servers and examines the practice of using common makes of name
More informationThe Benefits of SSL Content Inspection ABSTRACT
The Benefits of SSL Content Inspection ABSTRACT SSL encryption is the de-facto encryption technology for delivering secure Web browsing and the benefits it provides is driving the levels of SSL traffic
More informationFirst Line of Defense
First Line of Defense SecureWatch ANALYTICS FIRST LINE OF DEFENSE OVERVIEW KEY BENEFITS Comprehensive Visibility Gain comprehensive visibility into DDoS attacks and cyber-threats with easily accessible
More informationDeploying F5 to Replace Microsoft TMG or ISA Server
Deploying F5 to Replace Microsoft TMG or ISA Server Welcome to the F5 deployment guide for configuring the BIG-IP system as a forward and reverse proxy, enabling you to remove or relocate gateway security
More informationApplication Security Manager ASM. David Perodin F5 Engineer
Application Security Manager ASM David Perodin F5 Engineer 3 Overview BIG-IP Application Security Manager (ASM) a type of Web application firewall ASM s advanced application visibility, reporting and analytics
More informationInfrastructure for more security and flexibility to deliver the Next-Generation Data Center
Infrastructure for more security and flexibility to deliver the Next-Generation Data Center Stefan Volmari Manager Systems Engineering Networking & Cloud Today's trends turn into major challenges Cloud
More information