F5 Whiteboarding

Luboš Klokner

F5 Field System Engineer

l.klokner@f5.com

+421 908 755152

@lklokner

DNS

UAC

WAF

Acceleration

ADC

VDI WEB APPS

• Default Deny • Full Proxy • SSL Offload /

Visibility

FW • ICSA Certified • ACL’s • IP Intelligence • IP Lists • DoS Protections

DNS • Business Continuity • GSLB • DNS Security / Services • DNS Firewall

WAF • L7 Firewall • BOT Detection • Web Scraping • Client Fingerprinting • L7 DoS Mitigation • PCI Compliance

UAC • Remote Access • Pre-Authentitacion • Multi-factor/SSO/Federation • End Point Inspection

ADC • SLB • Application Awareness • Persistence

Acceleration • TCP Optimisation • Caching/Compression • End User Experience • HTTP/2

FW

Users Customers Client • Encryption • Phishing • Malware • Automated Transactions

Attackers

DNS

UAC

WAF

Acceleration

ADC

VDI WEB APPS

FW

BIG-IP VE VIPRION

High Performance Services Fabric Platform • Flexibility • Scalability • Multi-tenancy • Programmability • Custom HW • TMOS

Silverline Silverline • Cloud based DDoS

mitigation • Mitigation of volumetric

attacks • Cloud WAF as a Service

Users Customers Attackers

DNS

UAC

WAF

Acceleration

ADC

VDI WEB APPS

FW

BIG-IP VE VIPRION

High Performance Services Fabric

BIG-IQ • iRules • iControl • iCall • iApps • SDx • Cloud

Int

ellig

ent

Serv

ices

Orc

hest

rati

on

Users Customers Attackers

Silverline

DNS

UAC

WAF

Acceleration

ADC

VDI WEB APPS

FW

BIG-IP VE VIPRION

High Performance Services Fabric

AAA

HSM

ICAP

IPS

Users Customers Attackers

Silverline

Int

ellig

ent

Serv

ices

Orc

hest

rati

on

DNS

UAC

WAF

Acceleration

ADC

VDI WEB APPS

FW

BIG-IP VE VIPRION

High Performance Services Fabric

AAA

HSM

ICAP

IPS

Users Customers Attackers

Silverline

Int

ellig

ent

Serv

ices

Orc

hest

rati

on

F5 Story Full proxy, best of bread SSL, iRules, WAF, Anti-Fraud

© F5 Networks, Inc 9

F5 Security Solutions

EAL2+

EAL4+ (in process)

Network Firewall

One Platform

Traffic Management

Application Security

DNS Security

SSL Access Control

DDoS Protection

Web-Fraud, Anti-Phishing

Consolidating security on a single platform

© F5 Networks, Inc 10

OSI and F5 modules

Application attacks Network attacks Session attacks

Slowloris, Slow Post,

HashDos, GET Floods

SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods,

Teardrop, ICMP Floods, Ping Floods and Smurf Attacks

BIG-IP ASM

Positive and negative policy

reinforcement, iRules, full

proxy for HTTP, server

performance anomaly

detection

DNS UDP Floods, DNS Query Floods,

DNS NXDOMAIN Floods, SSL Floods,

SSL Renegotiation

BIG-IP LTM and GTM

High-scale performance, DNS Express,

SSL termination, iRules, SSL

renegotiation validation

BIG-IP AFM

SynCheck, default-deny posture, high-capacity connection table, full-

proxy traffic visibility, rate-limiting, strict TCP forwarding.

Packet Velocity Accelerator (PVA) is a purpose-built, customized

hardware solution that increases scale by an order of magnitude above

software-only solutions.

F5 M

itig

ati

on

Te

ch

no

log

ies

Application (7) Presentation (6) Session (5) Transport (4) Network (3) Data Link (2) Physical (1)

Increasing difficulty of attack detection

F5 m

itig

ati

on

te

ch

no

log

ies

OSI stack OSI stack

© F5 Networks, Inc 11

F5 Full Proxy Architecture

iRule

iRule

iRule

TCP

SSL

HTTP

TCP

SSL

HTTP

iRule

iRule

iRule

ICMP flood SYN flood

SSL renegotiation

Data leakage Slowloris attack XSS

Network Firewall

WAF WAF

© F5 Networks, Inc 12

F5 Comprehensive Application Security

Application Access

Network Access

Network Firewall

Network DDoS Protection

SSL DDoS Protection

DNS DDoS Protection

Application

DDoS Protection

Web Application Firewall

Fraud Protection

Virtual

Patching