Security Revolution: F5 BIG-IP Dynamic Attack Protection and Access Control
2 How the Static Data Center Falls Short It started simple More user types, services Application issues Security woes What's the answer?
3 Dynamic Data Center Reconfigure dynamically Manage applications, not objects Context-aware policies ADC manages application services
4 Dynamic Attack Protection and Access Control Adaptive Protection for Web 2.0 Applications across All IT Environments Advanced Dynamic Services for Unified Access Control Scalable and Controlled DNS Infrastructure with DDoS Attack Mitigation
5 BIG-IP Advanced Acceleration Overview Adaptive Protection for Web 2.0 Applications
6 Hackers Attacking Websites With DDoS 60% of (orgs.) respondents rely on their websites for at least 25% of their annual revenue. Merrill Research, 2011
7 Recent Application and Network Attacks And the hits keep coming: "Indeed in today's world, acts of terror could come not only from a few extremists in suicide vests but from a few key strokes on the computer..." Barack Obama, President of the USA Source: http://spectrum.ieee.org/static/hacker-matrix
8 Defend Against Cyberattacks Ongoing storm of cyberattacks is preventable, experts say Preventable with technology that exists today! Need to educate all IT organizations how to protect networks Many are blind to Layer 7 attacks Experts note that network firewalls are not enough Need comprehensive layered network and application security architecture unique to F5
9 Anonymous Attack Anonymous targeted customer with bots Traffic attack melted legacy systems Solution: Implement BIG-IP BIG-IP Attack Protection: Greater connection management LTM to mitigate network DDoS ASM to mitigate application DDoS iRules for agility and extensibility
10 Optimize Traffic Management and Offload Application Server with BIG-IP Local Traffic Manager (LTM) BIG-IP LTM Physical Virtual Public or private cloud OPTIMIZED APPLICATIONS & DATA Application Intelligence Load Balancing TCP Optimization Rate Shaping Server Offload RAM Caching Intelligent Compressing Health Monitoring SSL offload Session Persistence SECURE APPLICATIONS & DATA Application Proxy Transaction Assurance Resource Cloaking Secure Network Address Translation Port Mapping Selective Content Encryption Denial of Service (DoS) protection
11 Secure Applications and Data with BIG-IP Local Traffic Manager (LTM) SECURE APPLICATIONS & DATA Application Proxy Transaction Assurance Resource Cloaking Network and protocol attack protection Secure Network Address Translation Port Mapping Selective Content Encryption Denial of Service attack protection BIG-IP LTM Security at the application, protocol, and network levels Meet compliance requirements (PCI, HIPAA, etc.) Protect data without interrupting legitimate traffic
12 Leading Web Attack Protection BIG-IP Application Security Manager Protect from latest web threats Meet PCI compliance Out-of-the-box deployment Quickly resolve vulnerabilities Improve site performance
13 Quickly Resolve Application Vulnerabilities Request made BIG-IP ASM security policy checked Server response Enforcement Secure response delivered BIG-IP ASM applies security policy Vulnerable application Maintain security at application, protocol, and network levels Launch secure applications protected from vulnerabilities
14 Protection From Top Web App. Vulnerabilities (Open Web Application Security Project) OWASP Top 10 Web Application Security Risks: 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards Source: www.owasp.org
15 Meet PCI Compliance Easily comply with audits PCI reporting provides: Requirements with details Current compliancy state Steps to become compliant
17 Securing Dispersed Web Applications No virtual WAF option for private cloud apps Replication of production environment complicated and cost-prohibitive Data Center
18 F5 Innovative Protection for Web 2.0 Apps Automatically share policies between devices Quickly deploy BIG-IP ASM VE in private clouds Data Center
19 Unable to Secure Latest Web Apps Support AJAX apps or JSON payloads Unable to parse and secure JSON payloads Same attack vectors as HTTP apps Policy violation renders no blocking signal Example: www.stockfacts.com
20 Easily Secure JSON Payloads BIG-IP Application Security Manager Protect from JSON threats Render unique blocking message for AJAX widgets User informs admin with support ID for resolution Display a Blocking Message in AJAX Widget Example: www.stockfacts.com
21 Protection from Vulnerabilities Enhanced Integration: BIG-IP ASM and WhiteHat Sentinel Customer Website Finds a vulnerability Virtual-patching with one-click on BIG-IP ASM WhiteHat Sentinel Vulnerability checking, detection and remediation Complete website protection BIG-IP Application Security Manager Verify, assess, resolve and retest in one UI Automatic or manual creation of policies Discovery and remediation in minutes
22 Improve Site Performance and Security CASE STUDY Challenge: Third-party network solution unstable Keeping people out of network Difficult to pinpoint app security problems Poor performance led to downtime Benefits of BIG-IP LTM and ASM: Improved site performance by 2 3 Cut downtime from 4 hours per week to 0 hours Fewer false positives, more legitimate traffic Eliminated 8 hours per week in support calls "The improvement in functionality, performance, security, and support with F5 has been outstanding." Brad Trankina, Director of Network and Information Systems, Human Kinetics
23 Adaptive Protection for Critical Applications BIG-IP Application Security Manager Secure latest Web 2.0 applications Support for AJAX widgets and JSON payloads New platforms for All IT Environments BIG-IP ASM VE in virtual and private cloud Isolated resource allocation: vCMP support for ASM F5's BIG-IP Application Security Manager Winner of the SC Magazine Reader Trust Award Best Web Application Security Solution 2010 BIG-IP ASM on 11000 = high throughput; 1600 = budget conscious Enhance management and reporting Vulnerability assessment and mitigation in the SDLC w/ WhiteHat Auto policy sync between devices iApp for integrated security services
24 BIG-IP Advanced Acceleration Overview Advanced Dynamic Services for Unified Access Control
25 Problem: Who, What, Where? What devices are requesting access? Who is accessing? What applications were accessed? Where did the user navigate?
26 Context = Access Control BIG-IP Access Policy Manager v11 Unify All Access Fast Authentication and Manage Access Single Sign On Based on Context Powerful Custom and Built-in Reporting Access and Application Analytics
27 Enable Simplified Application Access with BIG-IP Access Policy Manager (APM)
28 Authentication All in One and Fast SSO F5 BIG-IP Access Policy Manager Dramatically reduce infrastructure costs; increase productivity = BIG-IP v11
29 Auto-Connect to the VPN At Home (wireless) Auto-Connect! On the Way to Work (Aircard) Always Connected Application Access In the Office (docked LAN connection) In the Cafe (wireless) Presenting (corporate wireless)
30 BIG-IP Edge Client Web-Delivered and Standalone Client Mac, Windows, Linux iPhone, iPad, iTouch, Android Drive Security Endpoint inspection Full SSL VPN Enable Mobility Smart connection roaming Uninterrupted application sessions Accelerate Access Adaptive compression Client-side cache Client-side QoS
31 Easily Design Access for iPad BIG-IP Edge Client Connection, Statistics and Settings
32 Configure iOS Access to Applications with BIG-IP Edge Portal
33 Secure, Accelerated Remote Access with BIG-IP APM in Edge Gateway Edge Gateway includes: Access Control, Web Acceleration, WAN Optimization
34 BIG-IP Edge Gateway Secures and Accelerates Access to Applications Next generation remote access solution Converges SSL VPN access security, application acceleration and availability Optimize access for mobile users and remote offices BIG-IP Solution for the Network Edge Multiple Platforms: 1600, 3600, 3900, 6900, 8900, 11000 (Licensed concurrently) Includes BIG-IP Edge Client solution Exponential Performance, Capacity, and Scalability Up to 10 Gbps, 600 log-ins per second, 60,000 users
35 BIG-IP Edge Gateway will Power New Managed Services Access Requirements Easy / cost effective access scaling Advanced, secure VPN with fast deployment Custom look and feel per customer Virtualized solution to maximize investment Enable secure collaboration between 3rd parties BIG-IP Edge Gateway Delivered Superior scalability @ Lowest cost Acceleration technology with LAN speed performance Improved manageability and security with unified access Customized domains for personalized experience Virtual routing services with lower opex
36 Advanced Dynamic Services for Unified Access Control: BIG-IP APM IPsec optimized site-to-site tunnels Dynamic Webtop: with Application Tunnels Access: External Dynamic ACLs, Flash patching, Oracle Access Manager 11g Hosted VDI: Microsoft Remote Desktops, Expanded Citrix VDI support (Proxy and Portal mode) EndPoint Inspection: Protected Workspace, Machine Info Inspector Powerful reporting/analytics: Custom & built-in reports, Access and Application Analytics for remote access solution Scale for Global enterprise: 11000 Series: ^60k users, w/1.2 TB of storage SSO enhancements: SSO across multiple domains, Kerberos auth. (CAC cards, etc)
37 BIG-IP Advanced Acceleration Overview Scalable, Adaptive and Secure DNS infrastructure
38 Network Solutions hit 6/2011. Domain Registrar Network Solutions hit with a large denial of service attack targeting their DNS servers. Large DNS DoS attacks. World News: DNS DoS attacks continue to cost businesses millions of dollars each year. GoGrid, The Planet, Register.com, UltraDNS, Network Solutions were all hit during March/April 2009, causing websites to be offline and costing customers. DoS Attack Affects Global DNS Service inc. Amazon
39 DNS Attacks Are Common
40 Cost of No DNS-based Attack Protection
41 Scale and Consolidate Your DNS Fast ROI with F5 Solutions 10x DNS Express BIG-IP GTM 70%
42 F5 Solution: Easily Handle All DNS Requests F5 BIG-IP GTM Scalability CMP Enabled, 130K qps per core (~ 6 Million on VIPRION) F5 DNS Express Authoritative DNS in Memory, 10s of Millions of Records F5 IP Anycast Integration Obscures DNS Servers and Distributes Load [Figure: DNS Express in GTM; axis: Queries in Millions; series: DNS Queries w/DDoS, Valid DNS Queries; caption: Exponential DNS performance survives attack]
43 Secure Your DNS Infrastructure Simple DNSSEC compliance: Implement BIG-IP GTM in front of existing DNS servers Ensure trusted DNS queries with dynamically signed responses Reduce management costs
44 DNS Infrastructure with DDoS Attack Mitigation BIG-IP Global Traffic Manager Deliver high speed DNS Offload and Secure DNS DNS Express and DNSSEC Maximum capacity DNS Geographically distribute to nearest GTM (IP Anycast Integration) Support both IPv6 and IPv4 hybrid environments DNS v6 to v4 translation and gateway Deliver industry leading, scalable, and flexible performance GTM on 11050 and VIPRION (CMP and vCMP) Cost effective, virtualized and globally dispersed datacenters GTM Virtual Edition GTM Standalone and module on LTM 1600
45 F5 Integrated Security No other vendor has a comprehensive solution Application: XSS, SQL Injection, Data Leaks, SPAM; Presentation: SSL, XML Encryption, Images; Session: Sockets, RPC, NetBIOS Auth, SNMP; Transport: SYN/ACK Attacks, Port Scans, MitM; Network: Port filters, IP Frag, Spoofing, Smurfs; Data Link: VLANs, ARP Poisoning; Physical: Management Interface Segmentation
46 Delivers Dynamic Attack Protection and Access Control Adaptive Protection for Web 2.0 Applications Unified Access Control Scalable, Adaptable and Secure DNS
47 Q & A
2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS, and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries.
49 TMOS Architecture The foundation of BIG-IP LTM and a unified system for application delivery