Ganzheitlicher Schutz von Rechenzentren, Web-Servern und Anwendungen

Transcription

1 Ganzheitlicher Schutz von Rechenzentren, Web-Servern und Anwendungen Technical Workshop 2014 ETK networks solution GmbH und CMS IT-Consulting GmbH

2 The evolution of attackers January 2008 Anonymous executes a series of high-profile DDoS attacks against the Church of Scientology. December 2010 WikiLeaks supporters hit PayPal, Visa, Mastercard, and other financial sites with DDoS attacks. April 2011 Attackers use a DDoS attack against Sony to mask the theft of millions of customer records. April 2012 Anonymous knocks down the sites of the U.S. Dept. of Justice, the CIA, and the British Secret Intelligence Service. September 2012 Syrian Cyber Fighters launch Operation Ababil with DDoS attacks on 13 U.S. banks to protest an anti-muslim video Script kiddies The rise of hacktivism Cyber war F5 Networks, Inc 2

3 Attack types and targets are expanding Attack Type Spear Phishing Physical Access XSS Size of circle estimates relative impact of incident in terms of cost to business May June July Aug Sep Oct Nov Dec 2012 F5 Networks, Inc 3

4 Attack types and targets are expanding Non Profit EDU Non Profit Industrial Industrial Auto SVC Non Profit SVC News & Media SVC News & Media Edu Svc Food Svc Telco Consumer Electric News & Media Cnsmr Electric Cnsmr Electric E-comm News & Media Utility Utility News & Media Telco News & Media Telco Svc Software Non- Profit Software News & Media Edu e Edu News & Media Food Service Edu ing Gaming Retail Education Industrial Software Util Telco Gaming Edu Svcs Cnsmr Elec Software Software Software Health News & Media Auto Airport Auto Auto Entnment News & Media Retail News & Media Telco DNS Provider DNS Provider DNS Provider Auto DNS Provider Edu Consumer Electronics Global Delivery DNS Provider Attack Type Spear Phishing Physical Access Unknown Size of circle estimates relative impact of incident in terms of cost to business Jan Feb Mar Apr May Jun 2013 F5 Networks, Inc 4

5 More sophisticated attacks are multi-layer Application SSL DNS Network F5 Networks, Inc 5

6 Application Reconnaissance Goal of layer-7 DDoS reconnaissance Obtain list of site URIs Sort by time-to-complete (CPU cost) Sort list by megabytes (Bandwidth) Spiders for rent on Internet that will do this Though they are often known by security community Can be done with simple wgetscript # wget r wait=1 -nv

7 Sixty-five percent [of surveyed organizations] reported experiencing an average of three DDoS attacks in the past 12 months, with an average downtime of 54 minutes Ponemon Institute Survey F5 Networks, Inc 7

8 The business impact of DDoS The business impact of DDoS Cost of corrective action Reputation management F5 Networks, Inc 8

9 Which DDoS technology to use? CLOUD/HOSTED SERVICE ON-PREMISES DEFENSE Content delivery network Network firewall with SSL inspection Communications service provider Web application firewall Cloud-based DDoS service On-premises DDoS solution Intrusion detection/prevention F5 Networks, Inc 9

10 Which DDoS technology to use? CLOUD/HOSTED SERVICE HYBRID MODEL CLOUD AND ON-PREMISES DEFENSE STRENGTHS STRENGTHS STRENGTHS Completely off-premises so Completely DDoS attacks off-premises so DDoS Direct attacks control over infrastructure. can t reach you can t reach you Immediate mitigation with instant response Amortized defense across Amortized thousands defense across thousands reporting. of customers of customers Solutions can be architected to DNS anycastand multiple DNS data anycastand centers multiple data independently centers scale of one another. protect you protect you WEAKNESSES Direct control over infrastructure. WEAKNESSES Immediate mitigation with instant response Customers pay, whether attacked and reporting. not Many point solutions in market, few Bound by terms of service Solutions agreement can be architected comprehensive to DDoS solutions. independently scale of one Solutions focus on specific layers (not all another. Can only mitigate up to max inbound layers) connection size No other value. Only providing benefit when you get attacked. (excludes F5) F5 Networks, Inc 10

11 How does F5 on-premise protect against DDoS attacks?

12 Security/DDoS Taxonomy Application Application OWASP Top 10 (SQL injection, XSS, CSRF, etc.), Slowloris, Slow POST, HashDos, GET floods Presentation Increasing difficulty Session Transport Network Session Network DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation SYN floods, connection floods, UDP floods, PUSH and ACK floods, teardrop, ICMP floods, ping floods, and smurf attacks Data Link Physical

13 As attackers employ ever more sophisticated DDoS techniques it is imperative that organizations rethink their DDoSresponse strategy to provide comprehensive, multi-layer DDoSmitigation F5 Networks, Inc 13

14 DDoS protection reference architecture Next-Generation Firewall Corporate Users Tier 1 Tier 2 Multiple ISP strategy Network attacks: ICMP flood, UDP flood, SYN flood SSL attacks: SSL renegotiation, SSL flood Financial Legitimate Users DDoS Attacker ISPa/b Cloud Scrubbing Service DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS IPS HTTP attacks: Slowloris, slow POST, recursive POST/GET Application E-Commerce Subscriber Threat Feed Intelligence Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Strategic Point of Control F5 Networks, Inc 14

15 DDoS reference architecture Next-Generation Firewall Corporate Users TIER 1 KEY FEATURES Legitimate Users DDoS Attacker Multiple ISP strategy ISPa/b Cloud Scrubbing Service Threat Feed Intelligence Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Tier 1 Tier 2 The first tier at the Network and DNS SSL attacks: perimeter is layer 3 SSL renegotiation, SSL flood and 4 network firewall services Simple load balancing Application to a second tier HTTP attacks: Slowloris, slow POST, recursive POST/GET IP reputation database IPS Mitigates volumetric and DNS DDoS attacks Financial E-Commerce Subscriber Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Strategic Point of Control F5 Networks, Inc 15

16 DDoS protection reference architecture Next-Generation Firewall Corporate Users Tier 1 Tier 2 Multiple ISP strategy Network attacks: ICMP flood, UDP flood, SYN flood SSL attacks: SSL renegotiation, SSL flood Financial Legitimate Users DDoS Attacker ISPa/b Cloud Scrubbing Service DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS IPS HTTP attacks: Slowloris, slow POST, recursive POST/GET Application E-Commerce Subscriber Threat Feed Intelligence Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Strategic Point of Control F5 Networks, Inc 16

17 DDoS reference architecture Next-Generation Firewall Corporate Users TIER 2 KEY FEATURES The second tier is for application-aware, Multiple ISP CPU-intensive defense strategy Legitimate Users SSL termination ISPa/b DDoS Attacker mechanisms Web application firewall Mitigate asymmetric Cloud and Scrubbing SSL-based Service DDoS attacks Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Tier 1 Network and DNS IPS SSL attacks: SSL renegotiation, SSL flood HTTP attacks: Slowloris, slow POST, recursive POST/GET Tier 2 Application Financial E-Commerce Subscriber Threat Feed Intelligence Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Strategic Point of Control F5 Networks, Inc 17

18 How does F5 off-premise protect against DDoS attacks?

19 F5 Solution Mapping Off-prem On-prem Application ASM LTM +irule F5 Silverline Session GTM LTM Network LTM AFM

20 Logical Multilayer Architecture Legitimate Users Multiple ISP strategy ISPa/b Tier 1 Network AFM LTM GTM Next-Generation Firewall Tier 2 Tier 2 Application ASM LTM + irule Corporate Users Financial E-Commerce DDoS Attacker Session Tier 3 IPS Subscriber F5 Silverline

21 TMOS CMP/Proxy/Default Deny IP Intelligence IP Blacklist Feed SYN Check SYN Flood protection (Hardware based >= BIG-IP 5000s Strict TCP Forwarding Mitigates transport layer violations Rate limiting All of the above irules programmability SSL Termination Hardware based Version enforcement Renegotiation Validation Protocol awareness HTTP DNS Express/DNS IP Anycast Globally distribute DNS traffic (Global CMP) IP Intelligence IP Blacklist Feed DNS Express CMP enabled DNS server DNS irules Offensive capability (respond ?) IP Intelligence DAST Integration HTTP DDoS Detection/Mitigation Server performance anomaly detection Tier HTTP 1Rate Limiting Client side defense Network Bot detection AFM LTM GTM F5 Silverline In the Application layer LTM provides functionality by leveraging irules Tier 2 Tier 2 Application ASM LTM + irule Session Tier 3 F5 Acquisition (Defense.net) Cloud based service Always-on or On-demand service Available now Expanding service offerings

22 Good Better Best: Delivering Greater Customer Value Good Better Best Offerings Customer Benefits BIG-IP Local Traffic Manager BIG-IP Global Traffic Manager 4200v System Price Comparison ($K) FLEXIBILITY Make it easier to adopt advanced F5 functionality BIG-IP Application Acceleration Manager BIG-IPAdvancedFirewall Manager SDN Good Better Best 200 M VE Price Comparison ($K) 58 SIMPLICITY Consolidate into fewer common configurations Advanced Routing BIG-IP Access Policy Manager BIG-IP Application Security Manager Good Better Best Bought As Bundle Bought As Components BEST VALUE Save up to 65% lower prices vs. buying as components F5 Networks, Inc 22

23 Logical Multilayer Architecture Legitimate Users Multiple ISP strategy ISPa/b Tier 1 Network AFM F5 BIG-IP IP Better LTM License GTM Next-Generation Firewall Tier 2 Tier 2 Application F5 ASM BIG-IP IP Best LTM License + irule Corporate Users Financial E-Commerce DDoS Attacker Session Tier 3 IPS Subscriber F5 Silverline

24 Conclusion Comprehensive DDoS protections requires a multi-layer approach Your existing F5 products can be leveraged to great effect Small additions (DNS Express, IP Intelligence) have a high return on investment New F5 services allow you to quickly deploy off-prem protection We focused today on DDoS; however this same architecture could be applied to generalized L4-7 application security

25 Key customer benefits Maintain application availability Protect network infrastructure Safeguard your brand reputation Defend against targeted attacks Stay one step ahead Save money for your company ALL BACKED BY WORLD-CLASS SUPPORT AND PROFESSIONAL SERVICES F5 Networks, Inc 25

26 Next steps Participate in information-sharing with your solution providers. Work toward an Open DDOS Protection Alliance (the OWASP for DDoS). Start asking vendors questions about interoperability. Develop an organizational preparedness plan for DDoS. F5 Networks, Inc 26

27 Key Resources DDoS Runbook: 10 Steps to Prep for DDoS to-prepare prepare-yourself yourself-in in- advance-of of-a-ddos ddos-attack/ Best Practices: How to Configure F5 for DDoS Protection protection/ddos- exclusive F5 Networks, Inc 27

28 Explore The F5 DDoS Protection Reference Architecture f5.com/architectures F5 Networks, Inc 28

29

30 Appendix

31 DDoS Protection - SMB data center deployment Next-Generation Firewall Users leverage NGFW for outbound protection Employees Customers DDoS Attack ISPa Protecting L3 7 and DNS Network Firewall + DNS + Web Application Firewall + Compliance Control Partners DDoS Attack ISPb ISP provides volumetric DDoS service BIG-IP Platform BIG-IP Advanced Firewall Manager BIG-IP Local Traffic Manager BIG-IP Global Traffic Manager BIG-IP Access Policy Manager Simplified Business Models GOOD BETTER BEST BIG-IP Application Security Manager F5 Networks, Inc 31

32 DDoS Protection - Enterprise data center deployment Next-Generation Firewall Users leverage NGFW for outbound protection Employees Customers DDoS Attack ISPa Tier 1: Protecting L3 4 and DNS Network Firewall + DNS + Simple Load Balancing to Tier 2 Tier 2: Protecting L7 Web Application Firewall + SSL Termination Partners DDoS Attack ISPb ISP provides volumetric DDoS service BIG-IP Platform + IP Intelligence (IPI) Module Can inspect SSL at either tier BIG-IP Platform Cloud Scrubbing Service BIG-IP Advanced Firewall Manager BIG-IP Local Traffic Manager BIG-IP Global Traffic Manager BIG-IP Access Policy Manager BIG-IP Application Security Manager Simplified Business Models GOOD BETTER BEST + IP Intelligence F5 Networks, Inc 32

33 DDoS protection - Large FSI data center deployment Customers DDoS Attack ISPa Tier 1: Protecting L3 4 and DNS Network Firewall + Simple Load Balancing to Tier 2 AFM LLTM Tier 2: Protecting L7 Web Application Firewall + SSL Termination ASM LTM Partners DDoS Attack ISPb Multiple ISP strategy VIPRION Platform + IP Intelligence (IPI) Module DNS BIG-IP Platform Network HSM (FIPS-140) SSL re-encryption GTM SSL inspection at either tier Cloud Scrubbing Service BIG-IP Platform BIG-IP Advanced Firewall Manager BIG-IP Local Traffic Manager BIG-IP Global Traffic Manager Simplified Business Models GOOD BETTER BEST BIG-IP Application Security Manager + IP Intelligence F5 Networks, Inc 33

34 DDoS Protection - SMB data center deployment Hybrid platform architecture Next-Generation Firewall Users leverage NGFW for outbound protection Employees Customers DDoS Attack ISPa Protecting L3 4 and DNS Network Firewall + DNS Protecting L7 Virtualized Web Application Firewall provides fault isolation + Compliance Partners ISPb BIG-IP Platform DDoS Attack ISP provides volumetric DDoS service Web Server BIG-IP Advanced Firewall Manager BIG-IP Local Traffic Manager BIG-IP Global Traffic Manager BIG-IP Application Security Manager Simplified Business Models GOOD BETTER BEST Customers can run VE on the existing hypervisors already supporting their app infrastructure F5 Networks, Inc 34

35 DDoS Protection - Enterprise data center deployment Hybrid platform architecture Next-Generation Firewall Users leverage NGFW for outbound protection Employees Customers DDoS Attack ISPa Tier 1: Protecting L3 4 and DNS Network Firewall + DNS + Simple Load Balancing to Tier 2 + SSL Inspection Tier 2: Protecting L7 and apps Protecting L7 Virtualized Web Application Firewall provides fault isolation + Compliance Partners ISPb DDoS Attack ISP provides volumetric DDoS service BIG-IP Platform + IP Intelligence (IPI) Module Web Server Cloud Scrubbing Service BIG-IP Advanced Firewall Manager BIG-IP Local Traffic Manager BIG-IP Global Traffic Manager BIG-IP Application Security Manager Simplified Business Models GOOD BETTER BEST + IP Intelligence Customers can run VE on the existing hypervisors already supporting their app infrastructure F5 Networks, Inc 35