Slide 1: F5 Datacenter Virtualization & Application Security
Łukasz Formas, Field Systems Engineer, l.formas@f5.com, +48 695 157 277
18th of Dec 2008

Slide 2: Datacenter Virtualization
Slide 3: Traffic on classic datacenter design
[Diagram: clients (cell phone, PC at home, laptop in a coffee shop, PC on the LAN, PC on the WAN) each talk directly to their own application servers, which in turn reach the backends: NetApp, MS SQL Server, EMC, Oracle, MySQL Server and Windows file storage.]
Slide 4: 8 steps to virtualization
1. Operating system virtualization
2. Application virtualization
3. Application server virtualization
4. Management virtualization
5. Network virtualization
6. Hardware virtualization
7. Storage virtualization
8. Service virtualization
Slide 5: Operating system virtualization
- Modular architecture of TMOS
- Support for virtualization products (VMware, MS Hyper-V)
- iControl
Slide 6: Application virtualization
[Diagram: three access zones terminate on one access device: Remote (supplier and employee arriving over the Internet via SSL, landing in a quarantine network), Wireless (WLAN segment 2, SSL/TLS) and Internal (corporate desktop on internal LAN segment 1), with authentication against a user directory.]
- Network, portal and application access
- Support for all client types
- Centralized access control
- Simplified policy management
- Integrated endpoint security
Slide 7: Application server virtualization
[Diagram: users (mobile phone, PDA, laptop, desktop) reach applications through the F5 Application Delivery Network running TMOS; applications shown: CRM, Database, Siebel, BEA, Legacy .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom, Co-location.]
Slide 8: Management virtualization
- Management domains: VLANs, admins, partitions
- Resource provisioning (v10)
- Enterprise Manager
Slide 9: Network virtualization
- LTM functionality since 2004
- Virtual servers, SNAT, VLANs, one:many
- Link aggregation
- Rate shaping
- Policies
Slide 10: Hardware virtualization
[Diagram: virtual machines consolidated onto physical servers.]
- Automatic addition of capacity
- No need to overprovision
- Fixed and predictable OpEx
Slide 11: Storage virtualization
- Decouples access from physical file location
- Presents a Global Namespace view of the data: a federation of the underlying file systems
- Masks changes to the underlying storage systems from users and applications
- Automates common storage management tasks: migration, storage tiering, load balancing
- These tasks now take place without affecting access to the file data or requiring client re-configuration
Slide 12: Service virtualization
- Site and application availability and performance
- Client geo-based resolution
- Enterprise's business rules
- Optimized WAN load balancing methods
- Support of SOA: rollup of services under an FQDN
[Diagram: the client's local DNS (L-DNS) is answered by BIG-IP GTM at Site 1 (primary) or Site 2 (standby or active/active); each site has a router with corporate servers behind it.]
Slide 13: F5 Data Center Virtualisation
[Diagram: clients (mobile, PC at home, remote over WAN, PC on LAN, WLAN) enter through Data Center & Link Virtualisation (GTM & LC), then Virtualisation (LTM), Application Server Virtualisation (LTM fronting many App. Servers) and File Storage Virtualisation (ARX in front of NetApp, EMC and Windows file storage).]
Slide 14: F5 Products Deployments
[Diagram of deployment locations, all on F5 TMOS: Branch Office (FirePass, WANJet, Enterprise Manager); Remote Users (FirePass); the DMZ behind the firewalls, reached over the Internet or WAN (WANJet, BIG-IP Link Controller, BIG-IP Global Traffic Manager, BIG-IP Application Security Manager, BIG-IP WebAccelerator, BIG-IP Local Traffic Manager); a Disaster Recovery DMZ (FirePass, BIG-IP Global Traffic Manager, WANJet, BIG-IP Link Controller, firewalls); and Headquarters. Both data centers host Oracle Portal, Oracle 10g App Servers, OFM, Oracle Applications and Oracle Database behind BIG-IP Local Traffic Manager.]
Slides 15-19: Business requirements mapped to F5 products (an animation build-up; slides 15-17 repeat the same frame, consolidated here into one version)
[Diagram: three columns, People, Apps and Data, against the requirements below; the product mapping in brackets is as recoverable from slide 19.]
- Business Continuity: HA, Disaster Recovery [BIG-IP LTM, GTM, LC, WA, FirePass, ARX, WJ]
- App Security & Data Integrity: AAA, Data Protection, Transaction Validation [BIG-IP LTM, ASM, FirePass]
- User Experience & App Performance: Asymmetric & Symmetric Acceleration, Server Offload, Load Balancing [BIG-IP LTM, GTM, WA, ARX, WJ]
- Managing Scale & Consolidation: Virtualized App & Infrastructure, Server & App Offload, Load Balancing, WAN Virtualization, File Virtualization, DC to DC Acceleration, Virtualized VPN Access [BIG-IP LTM, GTM, LC, WA, FirePass, ARX, WJ]
- Storage Growth: Virtualization, Migration, Tiering, Load Balancing [ARX]
- Unified Security Enforcement & Access Control: Remote, WLAN & LAN, Central Policy Enforcement, End-Point Security, Encryption, AAA [FirePass, BIG-IP LTM, GTM]
Slide 20: How To Achieve the Requirements?
- Multiple point solutions?
- More bandwidth?
- Add more infrastructure? (the application network administrator's answer)
- Hire an army of developers? (the application developer's answer)
Slide 21: F5's Integrated Solution
[Diagram: as on slide 7: users (mobile phone, PDA, laptop, desktop), the F5 Application Delivery Network on TMOS, and the applications (CRM, Database, Siebel, BEA, Legacy .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom, Co-location).]
Slide 22: TMOS
The entire solution is built on top of the TMOS operating system, which integrates all the tools.
[Diagram of TMOS components:]
- iRules and iControl: programmable network language
- GUI-based application profiles: repeatable policies
- Unified application infrastructure services; programmable application network
- Targeted and adaptable functions: security, optimisation, delivery, new services
- Universal Inspection Engine (UIE): complete visibility and control of application flows
- TMOS fast application proxy, with a client side and a server side
Slides 23-24: Application Networking (ADN) Architecture: Enabling Organization and Business Success (slides 23 and 24 are identical)
[Diagram: layered architecture from users to applications across an international data center:]
- Policy-based, centralized ADN management
- Intelligent & policy-based DNS; support for virtualization & SOA components
- Bi-directional application-aware multihoming & QoS services
- Symmetric WAN optimization & application acceleration services
- Universal client and system application & network VPN services
- Application & server virtualization, SOA component support, application load balancing, switching, filtering
- Asymmetric application acceleration
- Bi-directional application firewall services
- Open SOAP/XML API & SDK on an IP proxy O/S
Business goal: achieve these objectives in the most operationally efficient manner.
Slide 25: Application Security: F5 Application Security Manager

Slide 26: Security's Gaping Hole
64% of the 10 million security incidents tracked targeted port 80. (Source: Information Week)
Slide 27: Web Application Security
[Diagram: perimeter security is strong, but ports 80 and 443 are open to web traffic, so attacks pass straight through to the application: buffer overflow, cross-site scripting, SQL/OS injection, cookie poisoning, hidden-field manipulation, parameter tampering, forced access to information. In the other direction the application leaks noncompliant information and infrastructural intelligence.]
- Attacks now look to exploit application vulnerabilities
- High information density = high-value attack
Slide 28: Why Are Web Applications Vulnerable?
- New code written to a best-practice methodology, but not tested properly
- New type of attack not covered by the current methodology
- New code written in a hurry due to business pressures
- Code written by third parties: badly documented, poorly tested, and the third party is no longer available
- Flaws in third-party infrastructure elements
- Developers focused on functionality
Slide 29: Application Security with a WAF
[Diagram: the WAF sits between the browser and the application; inbound it stops bad requests (unauthorised access) and allows legitimate requests; outbound it stops noncompliant information and infrastructural intelligence from leaving.]
- Bi-directional: inbound, protection from generalised & targeted attacks; outbound, content scrubbing & application cloaking
- Application content and context aware
- High performance, low latency, high availability, high security
- Policy-based full proxy with deep inspection & Java support
- Positive security augmenting negative security
- Central point of application security enforcement
Slide 30: Application Security with a WAF
[Diagram: the WAF between browser and application makes intelligent decisions from a definition of good and bad behaviour.]
- Allow only good application behaviour: positive security
Slide 31: Negative vs. Positive Security Model
Negative security model:
- Block known attacks; everything else is allowed
- Patch implementation is quick and easy (protection against day-zero attacks)
Positive security model:
- (Automatic) analysis of the web application
- Allow wanted transactions; everything else is denied
- Implicit security against new, yet unknown attacks (day-zero attacks)
Slide 32: Support of dynamic values

Slide 33: Example: SAP Application
- Protect the session information in the URI: https://saptest.xyz.de/sap(bd1kzszjptaxma==)/...
- Protect dynamic parameter names and values: &Tdokfilter_subdok_dokstrukturK2_Y123456789103459 185=F
Slide 34: Selective Application Flow Enforcement
[Diagram: a login form (Username, Password) and a Transfer form (From Acc., To Acc., $ Amount); requests to the login form are marked ALLOWED, out-of-sequence requests to the Transfer form are marked VIOLATION.]
- Should reaching a page out of sequence be a violation? The user may have bookmarked the page! Unnecessarily enforcing flow can lead to false positives.
- This part of the site is a financial transaction that requires authentication; here we should enforce strict flow and parameter validation.
Slide 35: XML Firewall
- Well-formedness validation
- Schema/WSDL validation
- Method selection
- Attack signatures for XML platforms
- Backend parser protection
- Protection of applications that use XML islands
- Full request logging
Slide 36: Flexible Deployment Options
[Diagram: policy tightening pyramid, from the typical standard starting point to a tighter security posture: object types, object names, parameter names, parameter values, object flows.]
- Policy tightening suggestions
- Policy-building tools: trusted IP learning, live traffic learning, crawler, negative RegEx, template
Slide 37: Flexible Policy Granularity
Generic policies (policy per object type):
- Low number of policies
- Quick to implement
- Requires little change management
- Can't take application flow into account
Specific policies (policy per object):
- High number of policies
- More time to implement
- Requires a change management policy
- Can enforce application flow
- Tightest possible security
- Protects dynamic values
The optimum policy is often a hybrid.
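To make slides 31, 34, 36 and 37 concrete, here is a toy policy engine that runs a denylist (negative model) and a per-object allowlist (positive model) over the same requests, enforces flow only on the object that needs it, and tightens in the slide 36 order (object, parameter name, parameter value, flow). It is an added example written for this page, not F5 ASM code or configuration; the policy, the two attack signatures, the object paths (/login, /accounts, /help, /transfer) and the five sample requests are all constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Negative model: a denylist of known-attack signatures (hypothetical, minimal).
# Whatever matches no signature is allowed, so it covers only attacks someone
# has already written a signature for.
NEGATIVE_SIGNATURES = {
    "sql_injection": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?1'?\s*=\s*'?1)"),
    "xss": re.compile(r"(?i)<script\b"),
}


@dataclass
class ObjectPolicy:
    """Positive model, one policy per object (slide 37's specific policy)."""
    # parameter name -> regex the whole value must match; unlisted names are illegal
    params: Dict[str, "re.Pattern[str]"]
    # referrers this object may be reached from; empty set = no flow enforcement
    # for this object (slide 34's selective flow enforcement)
    flow_from: Set[str] = field(default_factory=set)


# Constructed policy for a small banking site (not an ASM configuration).
POLICY: Dict[str, ObjectPolicy] = {
    "/login": ObjectPolicy(params={
        "username": re.compile(r"[a-z0-9_]{3,20}"),
        "password": re.compile(r".{8,64}"),
    }),
    "/accounts": ObjectPolicy(params={}),
    "/help": ObjectPolicy(params={"topic": re.compile(r"[a-z-]{1,30}")}),
    # A transfer is a financial transaction: validate every parameter and the flow.
    "/transfer": ObjectPolicy(params={
        "from_acc": re.compile(r"[0-9]{8}"),
        "to_acc": re.compile(r"[0-9]{8}"),
        "amount": re.compile(r"[0-9]{1,7}(\.[0-9]{2})?"),
    }, flow_from={"/accounts"}),
}


@dataclass
class Request:
    path: str
    params: Dict[str, str]
    referer: Optional[str] = None


def negative_check(req: Request) -> List[str]:
    """Denylist pass: report every parameter that matches a known-attack signature."""
    hits = []
    for name, value in req.params.items():
        for sig_name, sig in NEGATIVE_SIGNATURES.items():
            if sig.search(value):
                hits.append(f"signature:{sig_name}:{name}")
    return hits


def positive_check(req: Request) -> List[str]:
    """Allowlist pass in tightening order: object, parameter names, values, flow."""
    policy = POLICY.get(req.path)
    if policy is None:
        return ["illegal_object"]
    violations = []
    for name, value in req.params.items():
        allowed = policy.params.get(name)
        if allowed is None:
            violations.append(f"illegal_parameter:{name}")
        elif not allowed.fullmatch(value):
            violations.append(f"illegal_parameter_value:{name}")
    if policy.flow_from and req.referer not in policy.flow_from:
        violations.append("illegal_flow")
    return violations


def negative_only(req: Request) -> str:
    """Decision a pure negative-model device would make."""
    return "block" if negative_check(req) else "allow"


def evaluate(req: Request) -> Tuple[str, List[str]]:
    """Positive security augmenting negative security (slide 29): block on any violation."""
    violations = negative_check(req) + positive_check(req)
    return ("block" if violations else "allow", violations)


# Constructed sample traffic.
BOOKMARKED_HELP = Request("/help", {"topic": "transfers"})  # bookmarked: no referer
TRANSFER_OK = Request("/transfer", {"from_acc": "12345678", "to_acc": "87654321",
                                    "amount": "250.00"}, referer="/accounts")
TRANSFER_BOOKMARKED = Request("/transfer", {"from_acc": "12345678", "to_acc": "87654321",
                                            "amount": "250.00"})
CLASSIC_SQLI = Request("/login", {"username": "admin' or '1'='1",
                                  "password": "correct-horse-battery"})
HIDDEN_FIELD = Request("/login", {"username": "alice", "password": "correct-horse-battery",
                                  "is_admin": "true"})  # hidden-field manipulation

if __name__ == "__main__":
    for label, req in [("bookmarked help", BOOKMARKED_HELP), ("transfer in flow", TRANSFER_OK),
                       ("transfer bookmarked", TRANSFER_BOOKMARKED), ("classic SQLi", CLASSIC_SQLI),
                       ("hidden-field manipulation", HIDDEN_FIELD)]:
        print(f"{label:26} negative-only={negative_only(req):5} combined={evaluate(req)}")
```

The bookmarked /help request passes because that object carries no flow requirement, while the same bookmarked pattern on /transfer is an illegal_flow violation, which is exactly the trade-off slide 34 draws. The injected is_admin field matches no signature, so the negative model alone allows it; the per-object allowlist denies it as an illegal parameter without anyone having written a signature for it.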
Slide 38: Traditional Security Doesn't Protect Web Applications: looking at the wrong thing in the wrong place
[Table: rows are attack classes, columns are Application Firewall, Network Firewall and IPS. Rows: Known Web Worms; Unknown Web Worms; Known Web Vulnerabilities; Unknown Web Vulnerabilities; Illegal Access to Web-server files; Forceful Browsing; File/Directory Enumerations; Buffer Overflow; Cross-Site Scripting; SQL/OS Injection; Cookie Poisoning; Hidden-Field Manipulation; Parameter Tampering. The Application Firewall column's cells did not survive extraction; for the Network Firewall and IPS columns the extracted cells read "Present" for the first ten rows and "X" for the last three.]
Slide 39: Secerno

Slide 40: Whitehat Sentinel
Slide 41: Application Networking (ADN) Architecture: Enabling Organization and Business Success
[Diagram: the layered architecture of slides 23-24 with F5 products in place, from users to applications across an international data center: Enterprise Manager, BIG-IP Global Traffic Manager, BIG-IP Link Controller, WANJet, FirePass, BIG-IP Local Traffic Manager, Web Accelerator and Application Security Manager, with iControl on TMOS.]
Business goal: achieve these objectives in the most operationally efficient manner.
Slide 42: Virtualize and Unify Network Services and Offload the Application Network
[Diagram: BIG-IP between the web/application servers and the database system.]
SECURE: DoS and SYN flood protection; network address/port translation; application attack filtering; certificate management; resource cloaking; advanced client authentication; firewall packet filtering; selective content encryption; cookie encryption; content protection; protocol sanitization; Application Security Module
FAST: SSL acceleration; quality of service; connection pooling; intelligent compression; L7 rate shaping; content spooling/buffering; TCP optimization; content transformation; caching
AVAILABLE: comprehensive load balancing; advanced application switching; customized health monitoring; intelligent network address translation; intelligent port mirroring; universal persistence; response error handling; session/flow switching; IPv6 gateway; advanced routing
Slide 43: Company Snapshot: Facts, Position, References

Slide 44: F5 is the Global Leader in Application Delivery Networking
[Diagram: users at home, in the office and on the road reach the data centre (SAP, Microsoft, Oracle) through the Application Delivery Network.]
Business goal: achieve these objectives in the most operationally efficient manner.
Slide 45: Analyst Leadership Position
[Figure: Gartner Magic Quadrant for Application Delivery Products, 2007, with axes Ability to Execute and Completeness of Vision and quadrants Leaders, Challengers, Visionaries and Niche Players. Vendors plotted: F5 Networks, Cisco Systems, Foundry Networks, Nortel Networks, Citrix Systems, Akamai Technologies, Crescendo, Radware, Juniper, Coyote Point, Zeus, NetContinuum, Array Networks.]
F5 strengths (Gartner):
- Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.
- Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP.
- Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time.
- Strong underlying platform allows easy extensibility to add features.
- Support of an increasingly loyal and large group of active developers tuning their application environments specifically with F5 infrastructure.
Source: Gartner, January 2007
Slide 46: F5 Customers in EMEA (1 of 2)
[Customer logos grouped by sector: Banking, Insurance, Financial Investments, Telco, Service Providers, Mobile.]

Slide 47: F5 Customers in EMEA (2 of 2)
[Customer logos grouped by sector: Transport, Media, Technology, Manufacturing, Government, Travel, Online, Energy, Health, Consumer, Other.]

Slide 48: Thank You