Aktuelle Bedrohungsszenarien für Anwendungen und RZ · Cloud Scrubbing Service Scanner Anonymous...

Aktuelle Bedrohungsszenarien für Anwendungen und RZ

- Rethinking Security

Peter Held

[email protected]

mailto:[email protected]

© F5 Networks, Inc 2

Mobility

SDDC/Cloud

Advanced threats

Internet ofThings

“Software defined”everything

HTTP is the new TCP


May June July Aug Sep Oct Nov Dec

2012

Physical Access

XSS

Attack Type

Size of circle estimates relative impact of incident in terms of cost to business

Attack types and targets are expanding

Unknown

Spear Phishing


BankBank

Bank

NonProfit

NonProfit

Bank

Bank

BankGov

Industrial

OnlineSVC

NonProfit

Gov

Auto

OnlineServices

GovGov

OnlineServices

OnlineSVC

OnlineServices

Industrial

EDU

Bank

Bank Bank

Gov

OnlineServices

OnlineSVC

GovOnline

Services

OnlineServices

News & Media

Edu

Telco

CnsmrElectric

CnsmrElectric

Bank

Telco

OnlineServices

OnlineServices

Education

FoodSvc

OnlineServices

Bank

News & Media Gov

Soft-ware

Bank

Telco

Non-Profit

E-commUtility

News & Media

Edu

Bank

OnlineServices

Bank

BankOnline

Services

OnlineServices

Bank

FoodService

BankingGaming

Gov

GovAuto

Soft-ware

News &Media

OnlineServices

ConsumerElectric

OnlineServices

Gov

Util

HealthSoft-ware

OnlineServices

GovCnsmrElec

OnlineSvcs

GovRetail

Bank

Bank

OnlineServices

Soft-ware

Bank

EduNews &Media

OnlineServices

OnlineServices

OnlineServices

OnlineServices

Gov

Gov

Indu-strial

Airport Retail

News &Media

Auto

Telco

Gov

Edu

DNSProvider

DNSProvider

GlobalDelivery

Auto

Gov

DNSProvider

DNSProvider

DNSProvider

Gov

ConsumerElectronics

Gove

Bank

Bank

BankGov

OnlineSvc

Software

OnlineGaming

Telco

News &Media

Edu

Soft-ware

News &Media

Edu

News &Media

OnlineServices

Gov

Auto

Entnment

Gov

Utility

News &Media

OnlineSvc

News &Media

Spear Phishing

Physical Access

Unknown

Attack Type

Size of circle estimates relative impact of incident in terms of cost to business

Jan Feb Mar Apr May Jun

2013

Attack types and targets are expanding


Does Your Data Center Firewall Deliver?

Perform at high speeds

See all traffic including SSL

Protect against network and Application

layer DDoS

Protect against application layer attacks

React quickly to zero day threats

F5 provides an entirely new, significantly better,

and surprisingly less expensive approach for

defending public-facing web properties and

DNS services from malicious attack.


Introducing F5’s Application Delivery FirewallAligning applications with firewall security

One platform

SSL

inspection

Traffic

management

DNS

security

Access

control

Application

security

Network

firewall

EAL2+

EAL4+ (in process)

DDoS

mitigation


BIF

UR

CATIO

N O

F F

IRE

WA

LLS

“Next generation” firewall

Characteristics

• Outbound user inspection

• UserID and AppID

• Who is doing what?

• 1K users to 10K web sites

• Broad but shallow

Corporate

(users)

F5 Application Delivery Firewall

Internet Datacenter

(servers)

Characteristics

• Inbound application protection

• Application delivery focus

• 1M users to 100 apps

• Narrow but deep

• 12 protocols (HTTP, SSL, etc.)


PROTECTING THE DATA CENTERUse case

• Consolidation of

firewall, app security,

traffic management

• Protection for data

centers and

application servers

• High scale for the

most common

inbound protocols

Before f5

with f5

Load

Balancer

DNS Security

Network DDoS

Web Application Firewall

Web Access

Management

Load

Balancer & SSL

Application DDoS

Firewall


PROTECTING THE DATA CENTERUse case

• Consolidation of

firewall, app security,

traffic management

• Protection for data

centers and

application servers

• High scale for the

most common

inbound protocols

Before f5

with f5

Load

Balancer

DNS Security

Network DDoS

Web Application Firewall

Web Access

Management

Load

Balancer & SSL

Application DDoS

Firewall


One Solution for Hacking Protection

Network

Session

Presentation

Application

Physical

Client / Server

Network

Session

Presentation

Application

Physical

Client / Server

Protocol Protocol

Data Link Data Link

Pro

gra

mm

ab

le P

latf

orm

Sta

nd

ard

Se

t o

f A

PIs

Hack Examples

DNS Poisoning, DNS Spoof

IP spoof,

MAC spoof, VLAN hoping

XSS, CSRF, SQL Injection,

Form attack, Parameter change, Data obj. ref.

SSL/TLS BEAST


Leading Web Attack Protection BIG-IP Application Security Manager

• Protect from latest web threats

• Meet PCI compliance

• Out-of-the-box deployment

• Quickly resolve vulnerabilities

• Improve site performance

Big-IP - Local Traffic Manager

Big-IP – Application Delivery Firewall


Customer Website

Integrated Vulnerability ScanningEnhanced Integration: BIG-IP ASM and Vulnerability Scanner

Vulnerability Scanner

• Finds a vulnerability

• Virtual-patching with one-click on BIG-IP ASM

BIG-IP Application Security Manager

• Verify, assess, resolve and retest in one UI

• Automatic or manual creation of policies

• Discovery and remediation in minutes

• Vulnerability checking, detection and remediation

• Complete website protection

• Qualys• IBM• WhiteHat• Cenzic• HP WebInspect


AnswerDNS

Query

AnswerDNS

Query

AnswerDNS

Query

AnswerDNS

Query

AnswerDNS

Query

Efficient DNS - DNS Express

• Delivers high-speed response and DDoS protection with in-memory DNS

• Provides authoritative DNS serving out of RAM

• Supports configuration size for tens of millions of records

• Scale and consolidate DNS servers

• Answer millions of DNS Requests per Second (Viprion 6 Mil. qps)

Clients

Internet

DNS Express in BIG-IP GTM

DNS Server

OSAdminAuthRoles

NICDynamic

DNSDHCP

ManageDNS

Records


• High Performance DNS – Multicore GTM

• Scalable DNS up to 10x- DNS Express

• Spread the load across devices - IP Anycast

• Secure DNS Queries - DNSSEC

• Route based on nearest Datacenter - Geolocation

• Complete DNS control – DNS iRules

Complete DNS Services and Protection BIG-IP Global Traffic Manager

LDNS

Data Center

F5 DNS Services

company.com

BIG-IP GTM


VIPRION

iRules with Security: Example - HashDos—Post of Doom- React quickly to zero day threats

“HashDos—Post of Doom” vulnerability affects all major web

servers and application platforms.

Single DevCentral iRule mitigates vulnerability for all

back-end services.

Staff can schedule patches for back-end services on

their own timeline.


Enable Simplified Application Accesswith BIG-IP Access Policy Manager (APM) SaaS resources


One Access Solution – BIG-IP APM

All Access

Use Cases

BIG-IP

Access Policy Manager

Web Access Management:• Proxy to HTTP apps

– Outlook Web Access

– SharePoint

– Custom

– Single Sign On

– Internal Applications

– SaaS Applications (SAML)

Remote Access: • SSL VPN

– Network Access

– App Tunnels

– Portal Access

– Edge Client

– Windows, Mac, Linux

– SmartPhones

– Tablets

Application Access Control:• Proxy to Non-HTTP apps

– VDI

– Citrix (ICA Proxy)

– VMware View (PCoIP)

– MS Terminal Services/RDS

– Exchange

– ActiveSync

– Outlook Anywhere

Security:– Endpoint Scanning

– Endpoint Cleanup

– Multi-factor authentication with several

directories and methods


IP INTELLIGENCE

IP intelligence

service

IP address feed

updates every 5 min

Custom

application

Financial

application

Internally infected devices and

servers

Geolocation database

Botnet

Attacker

Anonymous

requests

Anonymous

proxies

Scanner

Restricted

region or

country


Sehr geehrte Damen und Herren,

wir fordern von ihnen 1.000€ wenn sie die nicht zahlen folgt eine DDOS Attacke mit 150 Gbit/s somit wäre ihr Online Shop für einige

Tage für Kunden nicht erreichbar.

Da der Server damit überfordert ist und das Rechenzentrum ebenfalls somit folgt meist eine Server sperre und ein Providerwechsel ist

notwendig.

Sollten sie damit zur Polizei gehen und die Zahlung verweigern ist ihr Online Shop solange nicht mehr erreichbar bis wir das Geld haben…


One Solution for DDOS Protection

Network

Session

Presentation

Application

Physical

Client / Server

Network

Session

Presentation

Application

Physical

Client / Server

Protocol Protocol

Data Link Data Link

Pro

gra

mm

ab

le P

latf

orm

Sta

nd

ard

Se

t o

f A

PIs

Syn, ICMP, TCP, UDP Fragmentation (LOIC)

SynFlood, IP flood,

ARP, MAC flood

SLOW POST/GET, HTTP FLOOD, Large POST,

Slowloris, XML DTD, External Ent., JSON

SSL Re-negotiation

DOS, DDOS, DDDOS Examples

L3, L4 DOS – CONFIGURATION 11.4 ~ 60 DIFFERENT TYPES


DDoS protection reference architecture

LegitimateUsers

Threat Feed Intelligence

DDoSAttacker

ISPa/b

CloudScrubbing

Service

Scanner AnonymousProxies

AnonymousRequests

Botnet Attackers

Network attacks:ICMP flood,UDP flood,SYN flood

DNS attacks:DNS amplification,

query flood,dictionary attack,

DNS poisoning

IPS

Next-Generation Firewall

Tier 2

SSL attacks:SSL renegotiation,

SSL flood

HTTP attacks:Slowloris,

slow POST,recursive POST/GET

Application

Corporate Users

FinancialServices

E-Commerce

Subscriber

Tier 2


Strategic Point of Control

Multiple ISP strategy

Network

and DNS

Tier 1


DDoS reference architecture

LegitimateUsers


DDoSAttacker

ISPa/b

CloudScrubbing

Service


AnonymousRequests

Botnet Attackers




DNS poisoning

IPS


Tier 2


SSL flood



Application

Corporate Users

FinancialServices

E-Commerce

Subscriber

Tier 2




Network

and DNS

Tier 1 • The first tier at the perimeter is layer 3 and 4 network firewall services

• Simple load balancing to a second tier

• IP reputation database

• Mitigates volumetric and DNS DDoS attacks

TIER 1 KEY FEATURES


DDoS reference architecture

LegitimateUsers


DDoSAttacker

ISPa/b

CloudScrubbing

Service


AnonymousRequests

Botnet Attackers




DNS poisoning

IPS


Tier 2


SSL flood



Application

Corporate Users

FinancialServices

E-Commerce

Subscriber

Tier 2




Network

and DNS

Tier 1• The second tier is for application-aware, CPU-intensive defense mechanisms

• SSL termination

• Web application firewall

• Mitigate asymmetric and SSL-based DDoS attacks

TIER 2 KEY FEATURES


DDoS protection reference architecture

LegitimateUsers


DDoSAttacker

ISPa/b

CloudScrubbing

Service


AnonymousRequests

Botnet Attackers




DNS poisoning

IPS


Tier 2


SSL flood



Application

Corporate Users

FinancialServices

E-Commerce

Subscriber

Tier 2




Network

and DNS

Tier 1


DDoS Protection - SMB data center deployment

Network Firewall Services+ DNS Services

+ Web Application Firewall Services + Compliance Control

BIG-IP Platform


Users leverage NGFW foroutbound protection

Customers

DDoS Attack

ISPa

Partners

DDoS Attack

ISPb

ISP providesvolumetric DDoS

service

Employees

Protecting L3–7 and DNS

GOOD BETTER BEST

Simplified Business Models

BIG-IP Advanced Firewall Manager

BIG-IP Local Traffic Manager

BIG-IP Global Traffic Manager

BIG-IP Access Policy Manager

BIG-IP Application Security Manager

F5 DDoS Protection - Recommended Practices

[email protected]

mailto:[email protected]


Application Delivery Firewall

iRules extensibility everywhere

Products

Advanced Firewall

Manager

• Stateful full-proxy

firewall

• Flexible logging and

reporting

• Native TCP, SSL and

HTTP proxies

• Network and

Session anti-DDoS

Access Policy

Manager

• Dynamic, identity-

based access

control

• Simplified

authentication

infrastructure

• Endpoint security,

secure remote

access

Local Traffic

Manager

• #1 application

delivery controller

• Application fluency

• App-specific health

monitoring

Application Security

Manager

• Leading web

application firewall

• PCI compliance

• Virtual patching for

vulnerabilities

• HTTP anti-DDoS

• IP protection

Global Traffic Manager

& DNSSEC

• Huge scale DNS

solution

• Global server load

balancing

• Signed DNS

responses

• Offload DNS crypto

IP Intelligence

• Context-aware

security

• IP address

categorization

• IP address

geolocation

SSL

inspection

Traffic

management

DNS

security

Access

control

Application

security

Network

firewall

DDoS

mitigation


We’re built for speed

Throughput 320 Gbps

Connections

per second 5.6 million

Concurrent connections 192 million

100KConcurrent user sessions

Concurrent

logins 1,500/second

SSL (1K keys) 600,000/second

DNS query response 6 million/second


Networkworld- F5 Firewall test

http://www.networkworld.com/reviews/2013/072213-firewall-test-271877.html

http://www.networkworld.com/reviews/2013/072213-firewall-test-271877.html

Key customer benefits

ALL BACKED BY WORLD-CLASS SUPPORT AND PROFESSIONAL SERVICES

Maintain application

availability

Save money for

your company

Protect network

infrastructure

Safeguard your

brand reputation

Defend against

targeted attacks

Stay one

step ahead


DDoS MITIGATION

Application attacksNetwork attacks Session attacks

Slowloris, Slow Post,

HashDos, GET Floods

SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop,

ICMP Floods, Ping Floods and Smurf Attacks

BIG-IP ASM

Positive and negative policy

reinforcement, iRules, full

proxy for HTTP, server

performance anomaly

detection

DNS UDP Floods, DNS Query Floods, DNS

NXDOMAIN Floods, SSL Floods, SSL

Renegotiation

BIG-IP LTM and GTM

High-scale performance, DNS Express,

SSL termination, iRules, SSL

renegotiation validation

BIG-IP AFM

SynCheck, default-deny posture, high-capacity connection table, full-proxy

traffic visibility, rate-limiting, strict TCP forwarding.

Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware

solution that increases scale by an order of magnitude above software-only

solutions.

F5

Mit

iga

tio

n T

ech

no

logie

s

Application (7)Presentation (6)Session (5)Transport (4)Network (3)Data Link (2)Physical (1)

Increasing difficulty of attack detection

• Protect against DDoS

at all layers – 38 vectors

covered

• Withstand the

largest attacks

• Gain visibility and

detection of SSL

encrypted attacks

F5

mit

iga

tio

n t

ech

no

logie

s

OSI stackOSI stack

Use case

Date post:	22-May-2020
Category:	Documents
Upload:	others
View:	4 times
Download:	0 times

Aktuelle Bedrohungsszenarien für Anwendungen und RZ · Cloud Scrubbing Service Scanner Anonymous...

Documents