Wojcik Securing and Accelerating the InteropNOC With F5 Networks v0.2
8/10/2019 Wojcik Securing and Accelerating the InteropNOC With F5 Networks v0.2
Securing and Accelerating the InteropNOC with F5 Networks
Joe Wojcik - Consultant II - [email protected]
Bocchino - Principal Systems Architect - [email protected]
Agenda
- Overview of F5
- SPDY (pronounced "Speedy")
- Advanced Firewall Manager
- Application Security Manager
- Access Policy Manager
- Questions
InteropNET Architecture Overview
F5 Technologies Used in the Network
- ADC: Application Delivery Controller
- LTM: Local Traffic Manager
- GTM: Global Traffic Manager
- AFM: Advanced Firewall Manager
- ASM: Application Security Manager
- AAM: Application Acceleration Manager
- APM: Access Policy Manager
The Basics - LTM
- Profiles applied to the virtual server allow for protocol parsing
- Monitoring of pool members ensures always-available services
[Diagram: Virtual Server -> Pool -> Pool Member, Pool Member]
The Basics - GTM
- Wide IPs define FQDNs
- A pool of data center virtual IPs ensures global availability
- Monitoring of pool members ensures always-available services
[Diagram: WideIP -> Pool -> DC1 Virtual Server, DC2 Virtual Server]
F5 Architecture Overview
[Diagram: full-proxy stack between client and server, layered Physical, Network, Session, Application and Web application]
- L4 firewall: full stateful policy enforcement and TCP DDoS mitigation
- SSL inspection and SSL DDoS mitigation
- HTTP proxy, HTTP DDoS and application security
- Application health monitoring and performance anomaly detection
F5's Approach
- High-performance HW
- TMOS traffic plug-ins: high-performance networking microkernel with powerful application protocol support (IPv4/IPv6, SSL, TCP, HTTP)
- iControl API: external monitoring and control
- iRules: network programming language
- Optional modules (e.g. APM, Firewall) plug in for all F5 products and solutions
[Diagram: traffic management microkernel acting as a full proxy, with separate client-side and server-side SSL, TCP, OneConnect and HTTP stacks]
SPDY Overview
- Google produced the 1st Internet-Draft in 2009
- Several major websites already use it (Google, Twitter, Facebook, etc.)
- Supported in updated versions of Chrome, Firefox, Internet Explorer, Opera
- Kindle Fire Silk browser uses SPDY to Internet sites and the Amazon AWS cloud
HTTP has several built-in assumptions that affect latency:
- Single request per connection
- Exclusively client-initiated requests
- Uncompressed request and response headers
- Redundant headers
- Optional data compression
SPDY is designed to reduce application layer latency:
- Many HTTP requests per TCP connection
- Compress headers and eliminate unnecessary headers
- Easy to implement and server-efficient
- Always-on SSL for a more secure web
- Enable server-initiated communications to the client
SPDY Overview (cont.)
SPDY doesn't replace HTTP: SPDY still has HTTP methods, headers, response codes, and other HTTP elements.
Basic features of SPDY:
- Multiplexed streams: allows unlimited concurrent streams over a single TCP connection
- Request prioritization: assign priority to multiple requests to combat bandwidth limitations
- HTTP header compression: compresses request/response HTTP headers
- Server-initiated streams: speed up connections by sending content or hints without the client specifically requesting the resource
  - Server push: servers push data to clients via the X-Associated-Content header. Useful for initial-page downloads
  - Server hint: servers suggest resources to the client via the X-Subresources header
Draft located at http://www.chromium.org/spdy/spdy-protocol/spdy-protocol-draft1
SPDY & F5
F5 provides production-level SPDY support in BIG-IP LTM 11.4.0.
BIG-IP Local Traffic Manager (LTM) uses a SPDY service profile to provide the SPDY endpoint and translation to backside HTTP. With everything handled on the F5 LTM, no backend changes are required to support SPDY.
The HTTP virtual server handles the initial request as a standard HTTP request, and inserts an HTTP header into the response (to inform the client that a SPDY virtual server is available to handle SPDY requests). The response is also compressed and cached.
A SPDY-capable client uses SSL/TLS (with NPN) to send SPDY requests to the BIG-IP system; the SPDY virtual server receives the request on port 443 and converts the SPDY request into an HTTP request before sending it to the appropriate server.
When the server provides a response, the BIG-IP system converts the HTTP response into an appropriate SPDY response, compresses and caches it, and sends the response to the client.
SPDY Example: www.interop.com
[Screenshot of a SPDY capture showing multiplexed requests, request priority and stream IDs]
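As an added example (not code from the deck, and not F5's implementation), the following Python parses the SPDY v2 framing behind the multiplexing, stream ID and priority features listed above, and demultiplexes a constructed byte string of two interleaved streams. It assumes the draft-2 frame layout (2-bit priority in SYN_STREAM) and keeps the zlib-compressed name/value header block opaque.

```python
import struct
from collections import defaultdict
FLAG_FIN = 0x01    # SPDY v2 constants from the Chromium draft; NV block stays opaque
SYN_STREAM = 1

def parse_frames(buf):
    """Split a raw SPDY byte stream into frames using the common 8-byte header."""
    frames, off = [], 0
    while off < len(buf):
        first, flags_len = struct.unpack_from(">II", buf, off)  # struct.error if header is cut
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        payload = buf[off + 8:off + 8 + length]
        if len(payload) != length:  # declared length runs past the end of the buffer
            raise ValueError("truncated frame payload at offset %d" % off)
        if first & 0x80000000:  # control bit set: 15-bit version, 16-bit type
            frame = {"control": True, "type": first & 0xFFFF, "flags": flags}
            if frame["type"] == SYN_STREAM:  # 31-bit stream id, assoc id, 2-bit priority
                sid, _assoc, pri = struct.unpack_from(">IIB", payload)
                frame.update(stream_id=sid & 0x7FFFFFFF, priority=pri >> 6)
        else:  # control bit clear: data frame with 31-bit stream id
            frame = {"control": False, "stream_id": first & 0x7FFFFFFF,
                     "flags": flags, "data": payload}
        frames.append(frame)
        off += 8 + length
    return frames

def demux(buf):
    """Reassemble interleaved streams into {stream_id: {"priority", "data", "fin"}}."""
    streams = defaultdict(lambda: {"priority": None, "data": b"", "fin": False})
    for f in parse_frames(buf):
        if f["control"] and f["type"] == SYN_STREAM:
            streams[f["stream_id"]]["priority"] = f["priority"]
        elif not f["control"]:
            streams[f["stream_id"]]["data"] += f["data"]
            if f["flags"] & FLAG_FIN:
                streams[f["stream_id"]]["fin"] = True
    return dict(streams)

def syn_stream(sid, priority, nv_block=b""):  # priority 0 is highest in v2
    body = struct.pack(">IIH", sid, 0, priority << 14) + nv_block
    return struct.pack(">II", 0x80000000 | (2 << 16) | SYN_STREAM, len(body)) + body

def data_frame(sid, data, fin=False):  # FLAG_FIN marks the last chunk of a stream
    return struct.pack(">II", sid, ((FLAG_FIN if fin else 0) << 24) | len(data)) + data

# Constructed sample: two client streams (odd ids) interleaved on one TCP connection
SAMPLE = (syn_stream(1, 0) + syn_stream(3, 3) + data_frame(3, b"<html>") + data_frame(1, b'{"a":')
          + data_frame(3, b"</html>", fin=True) + data_frame(1, b"1}", fin=True))
```

A SPDY endpoint such as the LTM profile described on the next slide has to do this reassembly before it can translate each stream into a separate backside HTTP request, and a length field that overruns the buffer is rejected rather than trusted.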
SPDY: Some Numbers
These numbers are from Google's testing and are posted on the Chromium project page.
Individual performance will be based on page complexity, domain use, static/dynamic pages, and more.
AFM (Advanced Firewall Manager): High Level Capabilities
- Access Control Policy: stateful firewalling (policies, rules, address lists); application access control (DNS, HTTP, FTP, SMTP)
- DoS Detection & Mitigation: L2-L4 attack mitigation, resource protection; protocol-specific DoS (DNS, SIP, SSL)
- Dynamic Endpoint Visibility & Enforcement: NGFW, botnet defense; IP Intelligence profiles
- Manageability & Visibility: flexible & powerful high-speed logging; network, protocol & DoS reporting (AVR)
- Encrypted Traffic Handling: site-to-site IPsec VPN tunnels; high-scale SSL termination
AFM: Access Control Policy (packet processing flow)
[Flow diagram: I/O -> L2 -> L3 flow lookup -> flow table query/response. If no flow exists, the packet passes global network DoS checks, listener lookup (ephemeral listener; exact match for ALG; listener selected with LMF), global rules and route domain rules, then flow create / install flow into the HUD chain (LTM + ASM + APM + GTM)]
- Rules are processed in order; a match yields Accept, Accept decisively or Drop/Reject, and the default action is Accept
- Accept decisively: allows matching packets to pass without further rule processing
- LMF: longest match first
- DROP or NO MATCH = silently discard; REJECT = if TCP, send RST, else DROP
- If TCP and non-SYN with no existing flow, drop here
- Global network DoS checks are HW accelerated* (*some vectors are not HW accelerated)
AFM: Access Control Policy
- Flow classification criteria: time based, protocol, source address, source port, source VLAN, destination address, destination port
- Rule lists: grouping of rules; global rules that can be used anywhere in the policy; can be referenced in multiple policies on multiple firewalls
- Primary actions: Drop (silently discard); Reject (drop and inform sender); Accept (permit); Accept Decisively (permit and skip processing at subsequent contexts)
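As an added example (not F5's code and not from the deck), this Python model exercises the rule semantics described on the two AFM policy slides: ordered rule processing across contexts, the four primary actions, reject versus drop, and the non-SYN drop from the flow diagram. The context names, packet fields and policy are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # drop | reject | accept | accept-decisively
    proto: str = "any"           # tcp | udp | icmp | any
    src: str = "0.0.0.0/0"       # CIDR, stands in for an address-list entry
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))

def evaluate(contexts, pkt, flow_exists=False):
    """Run a packet through ordered contexts (global, route domain, virtual server).
    Rules are processed in order and the first match decides: 'accept' continues to the
    next context, 'accept-decisively' skips all later contexts, no match is a default
    accept. Returns (verdict, context, rule index) with verdict in {accept, drop, rst}."""
    if not flow_exists and pkt["proto"] == "tcp" and not pkt.get("syn", False):
        return ("drop", "flow-lookup", None)  # strict TCP forwarding: non-SYN without a flow
    via = ("default", None)
    for name, rules in contexts:
        for i, rule in enumerate(rules):
            if not rule.matches(pkt):
                continue
            if rule.action == "accept-decisively":
                return ("accept", name, i)
            if rule.action == "drop":  # silently discard
                return ("drop", name, i)
            if rule.action == "reject":  # inform sender: RST for TCP, silent drop otherwise
                return ("rst" if pkt["proto"] == "tcp" else "drop", name, i)
            via = (name, i)  # plain accept: remember it and go on to the next context
            break
    return ("accept",) + via

# Constructed policy: global block list, route-domain DNS allow, virtual-server rules
POLICY = [
    ("global", [Rule("drop", src="198.51.100.0/24")]),
    ("route-domain", [Rule("accept-decisively", proto="udp", dst="192.0.2.53/32", dport=53),
                      Rule("accept")]),
    ("virtual-server", [Rule("reject", dport=22), Rule("accept", proto="tcp", dport=443)]),
]
```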
AFM: Visibility in the NOC
- F5 reporting to key SIEM partners: Splunk, Q1, ArcSight
- Start with application-centric views and drill down to more details
- At-a-glance visibility and intelligence for the ADF's context-aware security
DDoS Mitigation: F5 mitigation technologies across the OSI stack
(Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1); difficulty of attack detection increases up the stack)
- Network attacks: SYN flood, connection flood, UDP flood, push and ACK floods, teardrop, ICMP floods, ping floods and smurf attacks. Mitigation: BIG-IP AFM with SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.
- Session attacks: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation. Mitigation: BIG-IP LTM and GTM with high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.
- Application attacks: OWASP Top 10 (injection, XSS), Slowloris, slow POST, HashDoS, GET floods. Mitigation: BIG-IP ASM with positive and negative security models, policy reinforcement, iRules, full proxy, server performance anomaly detection.
- Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
ASM: Automatic HTTP/S DoS attack detection and protection
- Accurate detection technique based on latency
- Three different mitigation techniques escalated serially
- Focus on higher-value productivity while automatic controls intervene
[Diagram with labels truncated in the transcript: "DETECT A DOS CO...", "IDENTIFY POTENT...", "DROP ONLY THE A..."]
DDoS protection reference architecture
[Diagram: legitimate users, DDoS attackers, scanners, anonymous proxies, anonymous requests and botnet attackers reach the site over ISP a/b and a cloud scrubbing service; Tier 1 (Network and DNS: multiple ISP strategy, threat feed intelligence) sits in front of Tier 2 (Application: IPS, next-generation firewall, threat feed intelligence)]
- Network attacks (Tier 1): ICMP flood, UDP flood, SYN flood
- DNS attacks (Tier 1): DNS amplification, query flood, dictionary attack, DNS poisoning
- SSL attacks (Tier 2): SSL renegotiation, SSL flood
- HTTP attacks (Tier 2): Slowloris, slow POST, recursive POST/GET
Tier 1 key features
- The first tier at the perimeter: layer 3 and 4 network firewall services
- Simple load balancing to a second tier
- IP reputation database
- Mitigates volumetric and DNS attacks
Tier 2 key features
- The second tier is for application-aware, CPU-intensive defense mechanisms
- SSL termination
- Web application firewall
- Mitigates asymmetric and SSL-based DDoS attacks
DDoS Protection: Interop NOC
[Diagram: customers and partners reach the NOC via ISPa and ISPb, each of which may carry a DDoS attack; the ISP provides a volumetric DDoS service upstream of the BIG-IP platform]
BIG-IP platform protecting L3-7 and DNS: network firewall services + DNS services + web application firewall services + compliance control
Modules in use: BIG-IP Advanced Firewall Manager, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Access Policy Manager, BIG-IP Application Security Manager
ASM: Comprehensive Protections
BIG-IP ASM extends protection to more than application vulnerabilities:
- L7 DDoS
- Web scraping
- Web bot identification
- XML filtering, validation & mitigation
- ICAP anti-virus integration
- XML firewall
- Geolocation blocking
ASM: Four ways to build a policy
- Dynamic policy builder: automatic; no knowledge of the app required; adjusts policies if the app changes
- Manual: advanced configuration for custom policies
- Integration with app scanners: virtual patching with continuous application scanning
- Pre-built policies: out-of-the-box, pre-configured for mission-critical applications (list truncated in the transcript; includes PeopleSoft)
[Diagram: security policy checked -> security policy applied]
BIG-IP Access Policy Manager: Secure Identity and Access Management
- Provides unified global access to your applications
- Simplified and consolidated management of your application security policies
- Single Sign-On (SSO) across multiple domains/authentication types
- Simplified access for virtual application environments: Citrix XenApp/XenDesktop, VMware Horizon View
- Unifies security, access control and application delivery
- Advanced Visual Policy Editor
- SSL application or VPN tunnels for the full range of user access
- Secure Web Gateway with URL filtering and real-time intelligence
- Advanced reporting: Splunk, Syslog, ArcSight, etc.
BIG-IP Access Policy Manager
- Provides client-side and server-side checking (antivirus, firewall, OS version, etc.)
- Multiple AAA server support (RADIUS, Active Directory, LDAP, SecurID, Oracle, SAML, HTTP, LocalDB, TACACS+, CRLDP, OCSP, and more)
- Easy L4 and L7 ACL management
BIG-IP Access Policy Manager at Interop
- At Interop we provide NOC sponsors IPv4 and IPv6 VPN access to the NOC network services
- NOC users can VPN securely into their applications and devices locally or in our other Interop datacenters
- Providing logging and access information to the ScienceLogic, PathSolutions, and Splunk servers
[Diagram: Denver Colo, Sunnyvale Colo, Las Vegas NOC]
Additional Resources
- F5 Networks Website: http://www.f5.com/
- F5 Networks Support Site: http://support.f5.com/
- F5 Networks INTEROP Show Site: http://f5.enet.interop.net/
- Chromium Project SPDY: http://www.chromium.org/spdy
- F5 DDoS Recommended Practices: http://f5.enet.interop.net/interop/F5%20DDoS%20Recommended%20Practices.pdf