The F5 Security Blueprint for Extending the Defense Perimeter from On-Premises to the Cloud Argon LAU Presales Consultant F5 Networks #CLOUDSEC


The F5 Security Blueprint for Extending the Defense Perimeter from On-Premises to the Cloud

Argon LAU Presales Consultant F5 Networks

#CLOUDSEC


© F5 Networks, Inc 2

1. Today’s Attacks are Complex and Across the Protocol Stack


WEB APPLICATIONS

Generic malware, such as Zeus, infects a user’s device

The malware contains code designed to insert specific content into the browser session when the user accesses specific sites:

*wellsfargo* add field
*bankofamerica* add button, replace text
*chase* add cc#, pin, remove text
*telebank* send credentials
*bankquepopulaire* …

The user requests the login page for Wells Fargo

This triggers the malware, which injects additional content into the browser

The user enters the requested content and clicks Go

This information is sent to the legitimate web server as expected

This information is sent to the configured drop zone

SSL IS SECURITY GAP


… and the FW / IPS / NGFW / UTM vendors do not have a solution.

• Malware Attack
• Phishing Attack
• Web Defacement
• Web Application Attack
• SSL Attack
• DNS Attack
• DDoS Attack

IN SECURITY, ARCHITECTURE IS KEY!!!

FULL PROXY


FULL PROXY

Security Digital Air Gap (Inherently more secure)

[Diagram labels: Outside “Untrusted”; Inside “Trusted”; HTTP and SSL on each side of the full proxy]

2. Today’s Network is Way Too Complex!

TODAY’S SECURITY APPROACH

[Diagram labels: Anti-DDoS, WAF, L3/4 FW, IDS/IPS, APT/DLP, SSL Decrypter, Load Balancer, SSL Encrypter, A/V, ???, Server]

• Many Different Devices – Increased Risk
• Many Hops – Increased Latency
• Complicated Troubleshooting
• Capacity Increase affects All

Smart Consolidation is the way to go.

Fill the security gap holistically using Full Proxy Architecture!

SECURITY CONSOLIDATION WITH FULL PROXY

[Diagram labels, before: Anti-DDoS, WAF, L3/4 FW, IDS/IPS, APT/DLP, SSL Decrypter, Load Balancer, SSL Encrypter, A/V, Server]

[Diagram labels, consolidated: Anti-DDoS + L3/4 FW; LB + SSL Offload + WAF]

• Fewer Devices to maintain / learn
• Fewer Hops – Decreased latency
• Simpler Troubleshooting
• Fewer devices – Less Risk
• Lower TCO 83%

3. Today’s DDoS Attacks Volume is Too Large

NEW ATTACK VECTORS EMERGE:

Network Time Protocol (NTP) Attacks

Zero to Huge in 3 months

ATTACK THREATS: PAY UP OR ELSE!

April - June of 2015: emails sent to legitimate businesses with the threat of massive DDoS attacks

• DD4BC claims ~400 Gbps
• Extortion demands of 1-40 Bitcoin
• FBI June 26 report – DD4BC initially targeted at illegal gaming/gambling, and now moving to legitimate businesses like payment providers, banks and securities.
• UDP Amplification Attacks (NTP, SSDP, DNS); TCP SYN Floods; and Layer 7 attacks

[Image: Sample from actual email]

GARTNER ON DDOS – GO HYBRID!


Hybrid DDoS Protection: “Cloud + On-Premise” Makes the most sense.


GO HYBRID

The combination of On-Prem Protection and Off-Prem Cloud Services will enable organisations to get Better & more Effective Protection, Visibility and Control.

HYBRID ARCHITECTURE WITH FULL PROXY SECURITY

[Diagram labels: Public Clouds; Remote User; Data Center; APPS; WORKER; IDENTITY; SaaS; HW/VE; VE]

Silverline
• Integrity Services (WAF)
• Availability Services (DDoS)
• SOC

GLOBAL COVERAGE

Global Coverage

Fully redundant and globally distributed data centers worldwide in each geographic region
– San Jose, CA US
– Ashburn, VA US
– Frankfurt, DE
– Singapore, SG

Industry-Leading Bandwidth

• Attack mitigation bandwidth capacity over 2.0 Tbps
• Scrubbing capacity of over 1.0 Tbps
• Guaranteed bandwidth with Tier 1 carriers

24/7 Support

F5 Security Operations Center (SOC) is available 24/7 with security experts ready to respond to DDoS attacks within minutes
– Seattle, WA US

[Map labels: San Jose; Ashburn; Frankfurt; Singapore; Seattle (SOC)]

F5 SECURITY OPERATIONS CENTER

Availability & Support

Expert DDoS Mitigation Policy Setup and Management

Active Threat Monitoring

Experts in DDoS Monitoring/Mitigation & WAF policy management

F5 Security Operations Center
• Wealth of DDoS Monitoring and Mitigation experience from Defense.net acquisition.
• Experts in WAF Policy Setup, management and Mitigation of Web Application Threats
• Active Monitoring of worldwide threats
• 24x7x365 Availability to work alongside customers for:
  – DDoS Mitigation and Remediation
  – Expert policy setup, Policy fine-tuning
  – Proactive alert monitoring
  – False positives tuning, Detection tuning
  – Whitelist / Blacklist Set up and monitoring

HYBRID PROTECTION

Combining the “resilience and scale” of the cloud with the “granularity and always-on capabilities” of on-premise.

[Diagram labels: Cloud (Silverline); On-Premise (BIG-IP); Shun Signaling]

Unified Attack Command | Control
• Request for Service
• IP List Management

SUMMARY

F5 On-Premise
• Protects own backyard. Not all attacks are Full Pipe.
• Protects against slow/low application layer attacks that may not trigger diversion into Cloud-based scrubber.
• Handles SSL or encrypted attacks where organisations may not be allowed to put SSL key in the cloud.
• Attacks are Blended. Protects against Web Application attacks like OWASP Top 10 (SQLi, XSS, CSRF), Zero-day vulnerabilities (Shellshock, POODLE, Heartbleed)

F5 Silverline
• Protects against Full Pipe attacks that congest last mile.
• Mitigates Volumetric attacks before they come into an organisation’s data centre.
• Expertise from F5 SOC to react fast and mitigate effectively.
• Automatic Signalling and attack telemetry exchange between F5 On-premise and Silverline

FOREIGN EXCHANGE TRADING PLATFORM

“I just wanted to let you all know how extremely satisfied I am with the deployment procedure, management systems and support I received from… .

I can now surely say that F5 was a great choice for us and I'll gladly help out if you need a reference to onboard customers…

…., thanks for the explanations and looking after us ...thanks for all the detailed explanations that helped me drive my CTO, CEO and President to agree with my decision to go with F5-Silverline.

If you would like to have a quick call tomorrow or next week about our experience, I'd be more than glad to do so.”

-- A satisfied EMEA-based Trading Platform Customer

Key benefits of F5
• Protection against the largest attacks
• Advanced and unique DDoS mitigation techniques
• Team of industry expert DDoS fighters
• Simple installation process

F5 Reference Architectures
• Hybrid DDoS Protection

F5 Silverline DDoS Protection

“The attacks are definitely getting larger and we know that trend will continue as the number of websites we support increases. That is why we are working with F5. When the big attacks come, we’ll be ready.”

-- Chris Fanini, Co-Founder and CTO, Weebly

Key benefits of F5
• Protection against the largest attacks
• Advanced and unique DDoS mitigation techniques
• Team of industry expert DDoS fighters
• Simple installation process

F5 Reference Architectures
• Hybrid DDoS Protection

Argon LAU Presales Consultant F5 Networks

#CLOUDSEC