Application Security Manager (ASM)
David Perodin, F5 Engineer

Overview
- BIG-IP Application Security Manager (ASM), a type of Web application firewall
- ASM's advanced application visibility, reporting and analytics
- Vulnerability assessment and mitigation with well-known third-party partners (WhiteHat Sentinel, Oracle, Splunk)

Organizations Worldwide Trust F5
F5 customer highlights:
- 43 of the Fortune 50 companies [1]
- 15 of the top 15 US commercial banks [1]
- 6 of the 6 top US airlines [1]
- 10 of the top 10 US insurance companies, property and casualty [1]
- 5 of the top 6 healthcare: pharmacy and other services [1]
- 14 of the 15 executive branch departments of the US federal government [2]
- 10 of the top 10 fixed AND mobile global service providers [3]
- 9 of the top 10 US online video brands [4]
- 4 of the top 5 US Internet search providers [5]
- 17 of 20 cloud infrastructure and Web hosting companies [6]
Sources: [1] Fortune 2010; [2] USA.gov Web site listing; [3] Q3 2010 Ovum market share, by revenue, global; [4] Nielsen NetRatings, September 2010; [5] Comscore, November 2010; [6] Gartner Magic Quadrant, Cloud Infrastructure as a Service and Web Hosting (On Demand, December 2010)
F5 Application Delivery Networking

Attacks are Moving Up the Stack
- Network threats: 90% of security investment focused here
- Application threats: 75% of attacks focused here
Source: Gartner

Mobile Apps are Consuming More of the Web

Almost every web application is vulnerable!
- 97% of websites at immediate risk of being hacked due to vulnerabilities!
- 69% of vulnerabilities are client-side attacks
- 8 out of 10 websites vulnerable to attack (Web Application Security Consortium; WhiteHat Security report)
- "75 percent of hacks happen at the application." (Gartner, Security at the Application Level)
- "64 percent of developers are not confident in their ability to write secure applications." (Microsoft Developer Research)

How long to resolve a vulnerability? (Website Security Statistics Report)
BIG-IP Application Security Manager: Powerful, Adaptable Solution
- Provides comprehensive protection for all web application vulnerabilities, including (D)DoS
- Logs and reports all application traffic and attacks
- Educates administrators on attack type definitions and examples
- Enables L2 to L7 protection
- Unifies security, access control and application delivery
- Sees application-level performance
- Provides on-demand scaling

Anonymous Attack
- Anonymous targeted a customer with bots
- Traffic attack melted legacy systems
- Solution: implement BIG-IP
BIG-IP attack protection:
- Greater connection management
- LTM to mitigate network DDoS
- ASM to mitigate application DDoS
- iRules for agility and extensibility

Quickly Resolve Application Vulnerabilities
Flow: Request made -> BIG-IP ASM security policy checked -> Server response -> Enforcement -> Secure response delivered
Diagram labels: BIG-IP ASM applies security policy; Vulnerable application
- Maintain security at application, protocol, and network levels
- Launch secure applications protected from vulnerabilities

Automatic DoS Attack Detection and Protection
- Accurate detection technique based on latency
- 3 different mitigation techniques, escalated serially
- Focus on higher-value productivity while automatic controls intervene
Flow: Detect a DoS condition -> Identify potential attackers -> Drop only the attackers
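The detect / identify / drop-only-the-attackers flow above, as an added example that is not F5's implementation: the DoS condition is read from server latency against a learned baseline, and only sources whose share of traffic jumped relative to that baseline are acted on. The thresholds, the constructed traffic windows and the numbered escalation stages are assumptions.

```python
from collections import Counter

# Constructed traffic windows: lists of (source IP, server latency in ms).
# BASELINE is normal load; in ATTACK, 198.51.100.7 floods the application.
LEGIT = ["203.0.113.5", "203.0.113.9", "192.0.2.20", "192.0.2.21"]
BASELINE = [(ip, 110 + i * 5) for i, ip in enumerate(LEGIT)] * 3
ATTACK = [("198.51.100.7", 900)] * 40 + [(ip, 850) for ip in LEGIT] * 2

# Assumed thresholds; the slide does not give ASM's actual parameters.
LATENCY_MULTIPLIER = 3.0   # DoS condition when latency exceeds 3x the baseline
SHARE_GROWTH = 5.0         # a source is suspect when its traffic share grows 5x
MIN_REQUESTS = 10          # ignore sources with too few requests to matter
MAX_STAGE = 3              # three serially escalated techniques (unnamed here)

def avg_latency(window):
    return sum(lat for _, lat in window) / len(window)

def shares(window):
    counts = Counter(ip for ip, _ in window)
    return {ip: n / len(window) for ip, n in counts.items()}

def dos_condition(window, baseline):
    """Detect a DoS condition from server latency, not from raw request volume."""
    return avg_latency(window) > LATENCY_MULTIPLIER * avg_latency(baseline)

def suspected_sources(window, baseline):
    """Identify sources whose share of traffic jumped relative to the baseline;
    a source unseen in the baseline is given one request's worth of share."""
    base, now = shares(baseline), shares(window)
    counts = Counter(ip for ip, _ in window)
    suspects = set()
    for ip, share in now.items():
        if counts[ip] < MIN_REQUESTS:
            continue
        if share / base.get(ip, 1 / len(baseline)) >= SHARE_GROWTH:
            suspects.add(ip)
    return suspects

def mitigate(window, baseline, windows_in_dos):
    """Return (escalation stage, sources to drop). windows_in_dos counts the
    consecutive windows in DoS including this one, so the stage rises one
    step per window up to MAX_STAGE; every other source keeps being served."""
    if not dos_condition(window, baseline):
        return 0, set()
    return min(windows_in_dos, MAX_STAGE), suspected_sources(window, baseline)
```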
Creating an ASM Policy

BIG-IP ASM Configuration: Policy Configuration, Step 1
BIG-IP ASM Configuration: Policy Configuration, Step 2
BIG-IP ASM Configuration: Policy Configuration, Step 3
BIG-IP ASM Configuration: Policy Configuration, Step 4
BIG-IP ASM Configuration: Policy Enforcement Mode
BIG-IP ASM Configuration: Policy Blocking Settings
BIG-IP ASM Configuration: File Type Configuration
BIG-IP ASM Configuration: URL Configuration
BIG-IP ASM Configuration: Content Profile Configuration
BIG-IP ASM Configuration: Parameter Configuration
BIG-IP ASM Configuration: Parameter Configuration, JSON Parser
BIG-IP ASM Configuration: AJAX Response Page
ASM and the Software Development Lifecycle
- Policy tuning
- Pen tests
- Performance tests
- WAF offload features: cookies, brute force, DDoS, web scraping, SSL, caching, compression
- Final policy tuning
- Pen tests
Takeaways:
- Incorporate vulnerability assessment into the SDLC
- Use business logic to address known vulnerabilities
- Allow resources to create value

Reporting

Application visibility and reporting
- Monitor URIs for server latency
- Troubleshoot server code that causes latency

See the BIG Picture: From Violations to an Incident
- Automatically correlate multiple violations which share a common denominator into a single incident
- Correlation is based on source IP and URL/parameter
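The correlation the slide describes, as an added example (not F5's code): individual violation records that share a source IP and URL/parameter fold into one incident, so the operator reviews one row per attacker rather than one per violation. The record layout, violation names and sample values are constructed.

```python
from dataclasses import dataclass, field

# Constructed violation log: (timestamp, source IP, URL, parameter, violation type)
SAMPLE_VIOLATIONS = [
    (100, "198.51.100.7", "/login", "user", "Illegal meta character in value"),
    (101, "198.51.100.7", "/login", "user", "Attack signature detected"),
    (102, "198.51.100.7", "/login", "user", "Attack signature detected"),
    (105, "198.51.100.7", "/search", "q", "Illegal parameter value length"),
    (106, "203.0.113.42", "/login", "user", "Attack signature detected"),
    (110, "203.0.113.42", "/login", "user", "Illegal meta character in value"),
]

# Position of each correlation field inside a violation record
FIELDS = {"ip": 1, "url": 2, "param": 3}

@dataclass
class Incident:
    source_ip: str          # "*" when the field was not part of the correlation key
    url: str
    parameter: str
    first_seen: int
    last_seen: int
    violations: list = field(default_factory=list)

    @property
    def count(self):
        return len(self.violations)

    @property
    def violation_types(self):
        return sorted(set(self.violations))

def correlate(violations, by=("ip", "url", "param")):
    """Fold violations sharing the chosen key fields into one Incident each.
    The default key is source IP plus URL/parameter; by=("ip",) correlates on
    the source alone, which is how the same attacker's probes of several URLs
    end up in a single incident."""
    incidents = {}
    for rec in sorted(violations):            # chronological order
        ts, ip, url, param, vtype = rec
        key = tuple(rec[FIELDS[f]] for f in by)
        inc = incidents.get(key)
        if inc is None:
            inc = Incident(source_ip=ip if "ip" in by else "*",
                           url=url if "url" in by else "*",
                           parameter=param if "param" in by else "*",
                           first_seen=ts, last_seen=ts)
            incidents[key] = inc
        inc.violations.append(vtype)
        inc.last_seen = max(inc.last_seen, ts)
    # Busiest incidents first, which is the order an operator wants to triage them in
    return sorted(incidents.values(), key=lambda i: i.count, reverse=True)
```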
Attack Expert System in ASM
1. Click on the info tooltip

Centralized Advanced Reporting with Splunk
- Centralized reporting with Splunk's large-scale, high-speed indexing and search solution
- Packaged 15 different ASM-specific reports
- Provide visibility into attack trends and traffic trends
- Identify unanticipated threats before exposure occurs
http://www.f5.com/solutions/technology-alliances/security/splunk.html

Application Analytics
- Stats grouped by application and user
- Provides: business intelligence, ROI reporting, capacity planning, troubleshooting
Performance stats collected: URLs, server latency, client-side latency, throughput, response codes, methods, client IPs, client geographic, user agent, user sessions
Views: virtual server, pool member, response codes, URL, HTTP methods
Automation and Integration

The Real Problem: Attacks have been operationalized but mitigation has not
- Attacks are persistent
- Discovery of vulnerabilities and attacks is easily automated
- Operational gap between discovery and mitigation

The Result: Organizations are consistently vulnerable
- An organization's web application presence is, on average, free from vulnerabilities for only 30 days during the year.
Source: 4 Years and 4 Thousand Websites Worth of Vulnerability Assessments: What Have We Learned? (WhiteHat Security)

The Result: Organizations are highly vulnerable
- Simple vulnerabilities have a significant percentage chance of resulting in a breach

The Solution: Operationalize web application security
- Automatically close the gap between discovery and mitigation

Persistent Threat Management: Applying the 80-20 rule to web application security
- 80%: 80% of attacks can be prevented by applying common, standardized mitigation rules; this immediately reduces the window of opportunity for exploitation
- 20%: 20% of vulnerabilities require developer or vendor attention; leverage programmability in the network to temporarily mitigate

Persistent Threat Management: Leveraging automation and integration to operationalize security

Persistent Threat Management: The New Security Operational Model

Protection from Vulnerabilities: Enhanced Integration, BIG-IP ASM and WhiteHat Sentinel
Flow: Customer website -> WhiteHat Sentinel finds a vulnerability -> Virtual patching with one click on BIG-IP ASM -> Complete website protection
- WhiteHat Sentinel: vulnerability checking, detection and remediation
- BIG-IP Application Security Manager: verify, assess, resolve and retest in one UI; automatic or manual creation of policies; discovery and remediation in minutes
Configuration

Importing Vulnerabilities

Service Options
F5 BIG-IP ASM Vulnerability Mitigation Assessment:
- Scan finding data collected
- Findings imported into ASM
- Report creation
- Deliverables: Vulnerability Mitigation Roadmap
F5 BIG-IP ASM Vulnerability Mitigation Subscription:
- Performed periodically and remotely
- Findings imported into ASM
- Report creation
- Deliverables: Vulnerability Mitigation Report; 4 hours tuning ASM to remediate findings
AVAILABLE AUGUST 2012

Jon Teunis and David Perodin. 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS, and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries.