Transcript HOW F5 CAN HELP YOU

APPLICATION SECURITY
TECH TALK
Paul Deakin
Federal Field Systems Engineer
Welcome!
• Overview
• Introduction
• What does F5 have to do with Security?
• Audience Participation is ENCOURAGED!
• Ask questions, I’ll do my best to answer them
What’s Our Motivation?
What is a Web Application vulnerability?
“A vulnerability is a weakness or hole in the application, which can be a design
flaw or an implementation bug, that allows an attacker to cause harm to the
stakeholders of an application.”
- owasp.org
Application Layer Attacks
• OWASP Top 10
•
•
•
•
•
•
•
•
•
•
Injection
Cross Site Scripting (XSS)
Broken Authentication and Session Management
Insecure Direct Object References
Cross Site Request Forgery
Security Misconfiguration
Insecure Cryptographic Storage
Failure To Restrict URL Access
Insufficient Transport Layer Protection
Unvalidated Redirects and Forwards
Web Application Security Concepts
• Term “Vulnerability” often used too loosely, should be distinguished from:
• Threats: Worms, Viruses, Bots, Trojans, Sniffers, Key Loggers, Back Doors
• Attacks: SQL Injection, XSS, CSRF, DOS, Command Injection
• Counter-Measures: Detect, Deter, Deny – Authentication, Access Control,
Session Management, Input Validation, Error Handling, Logging,
Cryptography
HOW F5 CAN HELP YOU
Want to go deeper?
HOW F5 CAN HELP YOU
• OWASP Top 10 compliant
• Integration with vulnerability assessment vendors WhiteHat and Cenzic
enable custom ASM policies based on findings.
• Both signature and non-signature (zero day) based security. WhiteHat
Sentinel integrated for further signature based protection.
• Support for Positive (whitelist) and Negative (blacklist) security models.
• A/V Scan capable via integrated ICAP client for file uploads.
• Learning mode allows transparent observation of Web App to distinguish
actual violations from false positives.
HOW F5 CAN HELP YOU
• PCI compliant (with integrated checklist)
• ASM DataGuard blocks SS/CC numbers and features custom pattern
matching
• Enforces limits: URL/I lengths, message length, query-string length, char set
• Police fields for inputs and output, both legal and illegal.
• ASM eliminates the need for expensive re-coding of the Web App to patch
urgent vulnerabilities.
Have you been hacked?
• Tell me about it…
• What does “Hacked” mean to you?
• The best Security Analysis teams in the world often find
inconclusively.
• Real-Time monitoring is paramount.
• Real-Time alerting is critical.
HOW F5 CAN HELP YOU
Logging
HOW F5 CAN HELP YOU
SNMP Alerting
Email Alerting
So where do we sit in the network?
DDOS: Are you ready?
• Tell me about it…
• Denial of Service attacks ARE NOT always malicious.
• Traditionally DOS attacks have taken place at L3/L4.
• L7 DOS attacks much harder to ID.
DDOS: Are you ready?
• Must be careful mitigating L7 DOS attacks by simple source IP
• To properly mitigate L7 DOS attacks, need to inspect either
request frequency rate or server response time and take a close
look at Latency.
• As many DOS attacks are scripted, can inject a small amount of
code (Java Script) in the server response via BIG-IP ASM.
DDOS: Are you ready?
• Can protect back-end Web App by throttling request per second
(RPS) to an object or number
• Can set criteria for response latency and TPS.
• The key is combining multiple L7 DOS prevention methods
• Reporting page for DOS engine will provide values detected
HOW F5 CAN HELP YOU
• F5 BIG-IP Local Traffic Manager (LTM) L3/4 DOS prevention
• F5 BIG-IP Application Security Manager (ASM) provides customizable
multifaceted L7 DOS prevention .
• F5 BIG-IP Global Traffic Manager (GTM) with DNS Express provides DNS
DDOS prevention
• Deploy many GTMs using a single IP address and single namespace to
mitigate DNS DDOS attacks using IP Anycast.
A closer look…
HOW F5 CAN HELP YOU
• VDI is still a server based computing (SBC) model susceptible to DOS.
• Multiple VDIs can be placed behind BIG-IP for intrinsic resource cloaking
and advanced network access control (e.g., subnet, geo-location).
• Allow remote VDI clients access to VDIs based on context (e.g., AD
username/group).
• F5 has partnered with mulitple MDM vendors to pair APM network access
control with MDM security.
HOW F5 CAN HELP YOU
• Secure FAT clients with APM end-point inspection.
• Windows FAT clients can be placed into “Windows Protected Workspace”
restricting USB, CD-ROM, VOLUME, and APP access.
• Can secure VMware View Security Server from unauthorized access.
• TLS security to View client for enhanced security and performance (DTLS
UDP transport vs encapsulated UDP into TCP as with SSL)
• Centralized AAA to multiple auth realms for multiple VDIs. Support CAC
w/XenApp as Citrix AGEE solution.
HOW F5 CAN HELP YOU
APM Visual Policy Editor (VPE)
Do you know your users?
• Enterprises still face numerous challenges with end-point compliance
(disparate clients, data leakage, OS Patch level).
• End-points often not updated to the latest personal security signatures
(firewall, AV, Spyware, etc).
• Anonymous proxies cloak the true source IP of the client, networks continue
to struggle with this.
• Guest/contractor access difficult to establish without end-point inspection.
HOW F5 CAN HELP YOU
• Inspect system registry to determine if client is a corporate asset.
• Grant access based on AD context (username/security group).
• Enforce Windows Protected Workspace for Windows clients; lockdown
access to USB ports, HDD Volumes, Optical Drives, and Applications.
• Extend GPOs to any client (does not have to be a member of an AD domain)
with GPAnywhere.
• Allow/Deny access based on AV signature version (support for over 100+
personal security clients)
• Erase all session related data upon session termination (browser history,
forms, cookies, etc)
HOW F5 CAN HELP YOU
• Enforce CAPTCHA support on logon to mitigate script based brute force
attacks.
• SSL VPN soft virtual interface and route table wiped upon session
termination.
• On systems where clean-up controls can’t be enforced, block access to all
file downloads to avoid temporary internet files from being stored or data
leakage.
• Combine end-point inspection with ASM and iRules to block access to file
types based on extension and block access to sensitive information such as
Social Security Numbers and Credit Card Numbers.
HOW F5 CAN HELP YOU
HOW F5 CAN HELP YOU
• Network Access Control (NAC) limits clients to specific subnets.
• Client soft virtual interface and route table entries are wiped upon session
termination.
• Support for split tunnel VPN
• APM Dynamic Webtop provides client context based resource assignments
• APM AAA provides central point of authentication (AD, LDAP, Radius,
SecureID, OAM) and certificate authentication (CAC/PIV, OCSP/CRLDP).
• APM provides advanced Kerberos authentication (KPT, KCD).
THANK YOU