Radovan Gibala
Senior Field Systems Engineer
F5 Networks
r.gibala@f5.com
The New Perimeter Is An App Perimeter
© F5 Networks, Inc. Source: Based on aggregated data from IT Business Edge, Krebs on Security, Security Week, and CSO Online
Common attacks on web applications
BIG-IP ASM delivers comprehensive protection against critical web attacks
Web Application Protection Strategy
Best Practice Design Methods:
• Only protects against known vulnerabilities
• Difficult to enforce; especially with sub-contracted code
• Only periodically updated; large exposure window
Automated & Targeted Testing:
• Done periodically; only as good as the last test
• Only checks for known vulnerabilities
• Does it find everything?
(Diagram: both approaches sit around the Web Apps.)
How long does it take to resolve a vulnerability?
(Diagram: the Best Practice Design Methods and Automated & Targeted Testing columns from the previous slide, with a third column added.)
Web Application Firewall:
• Real-time 24 x 7 protection
• Enforces Best Practice Methodology
• Allows immediate protection against new vulnerabilities
Traditional Security Devices vs. WAF
(Diagram comparing Network Firewall, IPS and WAF.)
Full Proxy Security
Full-proxy architecture
(Diagram: a WAF on the client side and a WAF on the server side behind the Network Firewall, with iRules on HTTP in both directions; example threats shown are a Slowloris attack and XSS on the request side and data leakage on the response side.)
F5 provides comprehensive application security
Encrypted Traffic Is Increasing Rapidly
(Chart: Encrypted Web Traffic, rising from 50% in 2016 to 75% in 2019.)
Application Security Manager
BIG-IP® Application Security Manager™
• Provides transparent protection from ever changing threats
• Ensure application availability while under attack
• Deployed as a full proxy or transparent full proxy (bridge mode)
• Minimal impact on application performance
• Turn-on with license key or standalone
• Caching, compression and SSL acceleration included in standalone
(Diagram: request made → BIG-IP ASM security policy checked → vulnerable application → server response generated → BIG-IP ASM security policy checked → secure response delivered. BIG-IP ASM applies the security policy on top of BIG-IP Local Traffic Manager.)
Dynamic multi-layered response & inspection:
• Drop, block or forward request
• Security errors and leakage of sensitive information
• Application attack filtering
• SSL, TCP, HTTP DoS mitigation
BIG-IP Application Security Manager
BIG-IP® ASM™ protects the applications your business relies on most and scales to meet changing demands.
(Diagram of policy granularity: Parameter Names, Object Names, Object Types, with the typical ‘standard’ starting point marked.)
Different ways to build a policy
(Diagram: security policy checked → security policy applied.)
Identify, virtually patch, mitigate vulnerabilities
Vulnerability scanner integrations:
• Generic Scanner
• Qualys
• IBM
• WhiteHat
• Cenzic
• HP WI
(Diagram: scanner results feed the policy that protects the application from Clients.)
NSS Labs
ASM Comprehensive Protection
Application attacks are inevitable
Prepare for application attacks
75% of internet threats target web servers (2015 Cisco Annual Security Report)
every 23 minutes
Comprehensive Protections
BIG-IP ASM extends protection to more than application vulnerabilities
(Diagram: ASM at the centre, surrounded by L7 DDoS, Geolocation blocking, Web bot identification, XML filtering, validation & mitigation, and ICAP anti-virus integration.)
Different attack/issue types: Application, SSL, DNS, Network
DoS is Not Rocket Science!
BotNet Protection
Delivering the most accurate anti-bot, scanner & scraper protection
• Validate user on initial site access with proactive bot defense
• Differentiate between script and browser
• Inspect user interaction with browser & fingerprint devices
• Distinguish real-user from bot with client integrity checks and captcha challenge
• Mitigate automated attacks, scanners, botnets and intellectual property scrapers
• Detect a persistent scraper that uses multiple IP addresses or a single request session
(Diagram: User and Web Bot → ASM Application Security → Website.)
ASM Bot Protection
Defending against automated attacks
Client check:
• Performs a variety of checks to distinguish humans from bots
• Allows only verified client requests to pass through to app server
• Notifies then drops requests that cannot be verified
ASM identifies and blocks automated web scraping and scanning:
• Performs rapid surfing analysis of page changes
• Blocks clients making excessive page requests
• Issues captcha challenge on mitigated threats & initial visits
• Detects previously identified browsers & bad IPs
• Disallows web scraping, table captures & UA spoofing, etc.
(Diagram: Web Bot → ASM Application Security → Website; BOT identified → ALERT & BLOCK.)
ASM Bot Protection
ASM’s unique Proactive Bot defense
Stop automated attacks from ever materializing
ASM Bot Protection
ASM Proactive Bot defense: How it Works
• ASM injects a JS challenge with obfuscated cookie
Browser fingerprinting and device ID
Accurately track good and bad actors wherever they go
Browser fingerprinting and device ID
More accurately prevents web scraping
How it works
• Runs client-side code that collects various attributes about the client.
• Attributes are summed up to a hash which we call a fingerprint.
• A cache of those fingerprints is stored on BIG-IP, and used to persistently identify clients when preventing web scraping.
• Activates DeviceID tracking from a check box when proactive defense is not used
Consolidated view of attacks and mitigation
Statistics concerning attack types, violations, and anomalies, traffic summaries
Security Overview Screen:
• See real time summary of active policies & attacks
• Understand ASM health and network/traffic stats
• View data by different criteria in graphical reports.
• Get top 10 entity reports (Top 10 Entities)
Telecom Operator: LB, SSL offload, TV portal protection
(Diagram: Users → BIG-IP (Advanced LB, STB storm protection, SSL offload, Web Application FW) → Data Center with Streaming Servers and Portal, EPG, …)
Solution highlights
• Advanced load-balancing and session stickiness
• iRules for prevention of STB traffic storms (rate limiting) and SSL vulnerabilities
• SSL offload for application and control plane data
• Web application FW (ASM) for Live TV application protection including brute force login page protection (against password guessing) – block access to login page after x failed attempts for configured period of time, etc.
Operator’s Benefits
• Better user experience due to TCP optimisation (network latency, throughput increase)
• A solution for prevention of STB authentication storms
• Protection of TV portal against attacks
• Consolidated solution load-balancing + Web application FW on single platform
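The brute-force login-page protection the highlights describe (block the login page for a client after x failed attempts for a configured period) can be expressed as an iRule. The following is an added example written for this page, not an iRule from the deck or from F5; it assumes the login page is served at /login, that the application answers a failed login with HTTP 401, a threshold of 5 failures and a 300-second block window, all of which are placeholders to adjust for the real portal.

```tcl
# Added example iRule (not from the deck): brute-force login protection.
# Assumed values: login path /login, 5 failures, 300-second block window,
# and an application that signals a failed login with HTTP 401.
when RULE_INIT {
    set static::login_path   "/login"
    set static::max_failures 5
    set static::block_secs   300
}

when HTTP_REQUEST {
    set login_attempt 0
    # Only the login page is rate-limited; all other paths pass untouched.
    if { [HTTP::path] starts_with $static::login_path } {
        set client [IP::client_addr]
        if { [table lookup -subtable "login_block" $client] ne "" } {
            # Client is inside a block window: answer here, never reach the app.
            HTTP::respond 429 content "Too many failed logins. Try again later." \
                "Retry-After" $static::block_secs
            return
        }
        set login_attempt 1
    }
}

when HTTP_RESPONSE {
    if { ![info exists login_attempt] || !$login_attempt } { return }
    set client [IP::client_addr]
    if { [HTTP::status] == 401 } {
        # Count failures per client; the counter itself expires after block_secs.
        set failures [table incr -subtable "login_fail" $client]
        table timeout -subtable "login_fail" $client $static::block_secs
        if { $failures >= $static::max_failures } {
            # Threshold reached: block the login page for this client for block_secs.
            table set -subtable "login_block" $client 1 $static::block_secs
            table delete -subtable "login_fail" $client
            log local0. "Blocked $client on $static::login_path after $failures failed logins"
        }
    } elseif { [HTTP::status] == 200 } {
        # A successful login clears the client's failure counter.
        table delete -subtable "login_fail" $client
    }
}
```

The session table entries are keyed by client IP, so clients behind a shared NAT share one counter; keying on a session cookie instead is the usual refinement when that matters.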
Financial organisation protected by F5 ASM & AFM
Leveraged Compliance & Consolidation