the Presentation
Download
Report
Transcript the Presentation
Data Connectors - Presentation!
A Layered Approach to Web & Application Security
Todays Presenter
Rich Harrison, CISSP
Regional Sales Manager
[email protected]
201-750-9459
Array Networks at-a-glance
Founded
Market
Segments
2000
Application Delivery & Security
Enterprise, Service Provider, Public Sector
Headquarters
Products
Technology
Milpitas, CA, USA
Application Delivery Controllers (ADC)
30+ Patents
Employees
Secure Access Gateways (SSL VPN)
Customers
400+
WAN Optimization Controllers (WOC)
5000+ Worldwide
Web Application Firewalls (WAF)
Meeting Enterprise-Class Requirements For Over 10 Years
Today’s agenda
Why take a multi-layered approach?
Example multi-layer security architecture
Multi-layer application delivery controller security
Multi-layer SSL VPN security
About Array Networks Solutions
iSECURE & Array Networks Customer Reference
Q&A
Why a multi-layer approach?
Why a multi-layer approach?
A proven model for keepings things out and keeping things in
Banks, maximum security, fortifications, etc.
Delivers multiple advantages as a network security strategy…
1.
Exponential increase in security – One attack vector or vulnerability may be intentionally
or unintentionally compromised without exposing the network or compromising data
2.
Early warning – In the event applications, networks or devices are attacked, multi-layer
security stalls malicious activity and provides time for shoring up defenses
3.
Scalable security – A first line of defense significantly reduces the burden on deeper-level
inspection functions, enabling security that doesn’t compromise performance
Why a multi-layer approach? (cont.)
Encryption creates the need for at least two levels of security
SSL (HTTPS) traffic passes directly through traditional firewalls, bypassing rules, policies
and inspection
SSL traffic on the rise, used for both remote and mobile access and for an ever increasing
number of Web sites and applications
SSL
Why a multi-layer approach?
Heartbleed
HTTPS sessions connect to servers, load balancers or ADCs
Understanding how products and vendors use OpenSSL is key to
reducing exposure to Heartbleed and future vulnerabilities
Live Traffic
Admin Traffic
SSL Versions
Performance
Servers
OpenSSL – Vulnerable
OpenSSL – Vulnerable
Many Versions –
Complex Remediation
Software SSL –
Poor
SLB & ADCs
OpenSSL – Vulnerable
OpenSSL –
Limited Vulnerability
Multiple Versions –
Higher Remediation Cost
Hardware SSL –
Good
Array
ADCs
Proprietary SSL –
Not Vulnerable
Open SSL –
Not Vulnerable
One Version –
Simple Remediation
Optimized HW SSL –
Superior
Why a multi-layer approach?
Security Challenges Changing the way we view Network Access
Employees using personal devices present new challenges
Layer 3 is Not practical and presents network security challenges
Most users do not need full access to the network
Newer Access Gateways provides Multiple Access Methods
Limit Direct Network Access and Direct Access to Applications…
Multi-layer security architecture (cont.)
Firewall perimeter security
The first line of defense, rules-based network level packet filtering; no visibility to SSL
SSL termination and traffic inspection
Traffic from secure applications are terminated on ADCs, decrypted and inspected traffic
may be sent to servers or to advanced security appliances for further inspection
Traffic from remote access users are terminated on SSL VPNs, decrypted and inspected
traffic may be sent to servers or to advanced security appliances
Advanced security appliances
Further inspection of smaller volume of pre-screened traffic
Multi-layer security architecture
External
& Remote
Users
ADC
HTTP/S Web
App Traffic
Firewall
Perimeter
Security
SSL VPN
HTTPS Remote
Access Traffic
IPS/IDS
ATP
Malware
Networks
Apps
Data
Multi-layer security architecture (cont.)
Layer-3 stateful packet filtering
Per-customer interface (VLAN/MNET), ingress packet filtering (source/destination IP, port,
protocol), 1000 ACLs, packet deny/drop log, dynamic access list, permit-only network access
Layer-4 TCP stateful inspection
TCP stateful inspection, L4 packet sanitization, reverse proxy (client packet does not touch
server), syn-cookie protection against TCP syn floods and DOS attacks
Layer-7 content filtering, WAF & DDoS
URL filtering, configurable access control (limit connections per port to prevent DDoS attack),
application session control, HTTP protocol validation and policy filtering, attack signature
filtering, input validation, XSS prevention, virtual patching
Multi-layer security architecture (cont.)
Security
SSL encryption, WAF, Web proxy
Application-level data protection
Acceleration
SSL offloading, compression,
caching, traffic shaping, etc.
10x better server efficiency
and application performance
External
Users
High availability
Server load balancing, GSLB, link load balancing
24/7 application uptime
Storage
Internal
Users
Application
Servers
SSL VPN secure remote and mobile access
Any resource, any access method, any device, anywhere
Mobile Workers on
Smart Phones & Tablets
Remote Networks
& Infrastructure
Remote Workers &
Road Warriors
on Laptops
Web
Applications
Home & Small Office
Workers on PCs
Improves productivity
Limits network exposure and
guards against data leakage
File Sharing
Client Server &
Mobile Apps
Physical & Virtual
Desktops
SSL VPN multi-layer security
End-point security
Scan for personal firewalls, anti-virus software, browsers, operating systems, service packs,
patches – apply adaptable remediation options for non-compliant clients
Advanced authentication, authorization and auditing
LDAP, Microsoft Active Directory, RADIUS, RSA SecurID, LocalDB, SSL client certificates, multifactor authentication including RSA, Duo, Swivel, Syferlock and others
Deep packet inspection and WRM
Buffer overflow protection, syn-flood protection, URL filtering, configurable access control
(limit connections per port to prevent DDoS attack), Web resource mapping with payload
inspection and HTTP NATing
Multi-layer security for SSL traffic (Array)
APV Series Application Delivery Controllers
AG Series SSL VPNs
Security Hardened OS & Platform
Security & Performance-Tuned Proprietary SSL Stack
Layer-3 Stateful Packet Filtering
End-Point Security
Layer-4 TCP Stateful Inspection
Advanced AAA
Layer-7 Content Filtering, WAF & DDoS
Deep Packet Inspection & WRM
Security-hardened OS and platform
Only exposes service ports – no backdoors
Secured network management – SSL and HTTPS
Explicit disallows Telnet due to security risk of account/password sniffing
Tested and hardened against a range of network attacks
Hacking tools from eEye (ncx.exe, iishack.exe)
Nessus scan
NMAP
Filters malformed packets such as Smurf attach and local broadcast attacks
High-availability and cluster capability
Proprietary secured SSL stack
Used for all production traffic, proven immune to Heartbleed, Bash,
Shellshock and other recent vulnerabilities
Customers did not need to patch or remediate any Array products
Bought time for remediation and patching of backend servers as
necessary
Delivers both better security and higher levels of performance
Pared-back, buttoned-down design runs faster and presents fewer attack vectors
Cannot guarantee 100% immune for all potential vulnerabilities, but has proven provide a
higher level of security and immunity vs. OpenSSL
Array multi-layer security protects against…
DoS (Deny Of Service)
Security Exploitation (Port scan)
Tear Drop Attack
Cross Site Scripting
High Bit Shellcode Protection
Buffer Overflow Attack
Back Doors
Flash Events
Heartbleed
Parser Evasion Attacks
Unreachable Host Attack
Web Exploitation& Defacing
Ping Attack
SQL Injection
SynFlood Attack
Land Attack
Code Red
Directory Traversal Attack
Impersonation & Breach of Privacy
Hardware and software portfolio
APV Series
aCelera
AG Series
Application Delivery
Controllers
WAN Optimization
Controllers
Secure Access
Gateways
Availability, scalability, performance, control
and security for applications, Web sites,
online transactions and cloud services
Mitigates network congestion and lowbandwidth connections to improve data
transfer and application performance
Secure access to business applications
from any remote or mobile device for any
user anywhere
Load balancing, SSL offloading, caching,
compression, application security, L7
scripting and other network functions
De-duplication, compression, caching,
application blueprints, traffic shaping,
SSL and performance monitoring
SSL VPN virtual portals, L3 – L7 access,
AAA, end-point security, single sign-on,
Web firewall and dual-factor authentication
Achieves ROI by improving application
performance and server efficiency
Achieves ROI by reducing application
latency and improving bandwidth utilization
Achieves ROI by increasing productivity and
mitigating business disruptions
Flexible appliance options
Dedicated, multi-tenant and virtual ADC appliances
Enables IaaS providers to offer customers a full range of load balancing service
options optimized either for flexibility or performance
vAPV
AVX10650
APV Series
Virtual ADC
Multi-Tenant ADC
Dedicated ADCs
•
VMware, XenServer,
OpenXen and KVM
•
Up to 8 vAPV ADC
instances
•
Scalable from 2Gbps
to 120Mbps
•
Scalable from
10Mbps to 4Gbps
•
Dedicated SSL, I/O,
compute resources
•
Proven cloud track
record
Flexibility
Performance
Q&A
A Layered Approach to Web & Application Security