application firewall

Introduction to F5 Networks
Andreas Guggenbichler, Regional Manager Eastern Europe
June 22nd, 2005

Company

Company Snapshot
• Leading provider of technology to secure, optimise and deliver IP-based applications
• Founded 1996, public 1999, Nasdaq listed (FFIV)
• HQ in Seattle, offices around the globe
• More than 9,000 customers
• Approx. 700 employees
• FY2004 revenue $171M
– 48% year-over-year growth
• More than 30,000 systems shipped

Undisputable Leader in Application Delivery
Magic Quadrant for Web-Enabled Application Delivery, 2H04
Source: Gartner Research Note, January 2005
• “F5 Networks, with the milestone release of v9.0, has a strong platform on which to build additional features.”
• “The focus on application delivery and secure access has been a significant contributor to F5's success leading up to the v9.0 release. F5 is one of the thought leaders in the market and offers growing feature richness. Add F5 to your shortlist for application delivery.”

Dell’Oro L4-7 Fixed Market Share, Q1 2005
• F5 Networks 44.1%
• Nortel 24.6%
• Radware 14.4%
• Others 9.3%
• Cisco 5.0%
• Foundry 2.7%
Source: Dell’Oro Q1 2005 Market Share Report

True Fixed Market Share
True Fixed Revenue Share Q1 2005
• F5 Networks 35%
• Cisco True Fixed w/ CSS 11503/6 26%
• Nortel 19%
• Radware 11%
• Others 7%
• Foundry 2%
True Fixed includes revenue from Cisco CSS11503/6 that Dell’Oro classifies as “Modular”
Source: Dell’Oro Q1 2005 Market Share Report

SSL VPN Market Leadership
SSL Virtual Private Networks METAspectrum℠ Evaluation
• “A core group of market leaders continues to rapidly innovate and drive increasing degrees of functionality. Other contenders must often scramble to keep up.”
• “SSL VPNs are already capable of delivering great value to organizations and have even further up-side potential going forward.”

SSL Market Share Leader
For 15th Consecutive Quarter (Q3 ‘04)
Worldwide L4–L7 Switch/Load Balancer with SSL Market Share (Revenue)
• F5 Networks 49%
• Cisco Systems 28%
• Other 13%
• Nortel Networks 10%
Source: Infonetics (November 2004)
“F5 released the next generation of their BIG-IP platform, which utilizes a proxy architecture (called Traffic Management Operating System) to speed up application performance; some of the highlights include improved SSL performance, as well as IPv6.”
– Matthias Machowinski, Analyst at Infonetics Research

F5 Customers in Europe (1 of 2)
• Banking, Financial
• Insurance, Investments
• Telco, Service Providers, Mobile

F5 Customers in Europe (2 of 2)
• Transport, Travel
• Media, Technology, Online
• Manufacturing, Energy
• Government, Other
• Health, Consumer

Product and Technology Leadership
• BIG-IP – Traffic Management: Local, Global & Link Application Traffic Management
• FirePass – SSL VPN Remote Access: Secure Application Access
• TrafficShield – Application Firewall
• iControl Software Development Kit – Standards Based Interface (SOAP/XML)
• iControl Services Manager – Centralised Management for F5 Devices

Application Traffic Management
BIG-IP

The A, B, C of Traffic Management
A. Redundant devices within the LAN
B. Redundant connections to the LAN
C. Redundant sites across the WAN
Diagram labels: www.domain.com, ISP A, ISP B, Router A, Router B.

Application Delivery Challenge
Network Administrator – Deploy point solutions
• Faster and centralised fix, applications are offloaded
• Costly, complex and hard to manage
Application Developer – Code fix in the application
• Expensive (Code, Manage, Maintain)
• Consumes server cycles
• Often not possible

Result: A Growing Network Problem
Diagram: Users (Mobile Phone, PDA, Laptop, Desktop) reach Applications (SFA, CRM, ERP, Custom Application, Co-location) through a growing stack of Network Point Solutions: DoS Protection, Rate Shaping, SSL Acceleration, Server Load Balancer, Content Acceleration, Application Firewall, Connection Optimisation, Traffic Compression.

What the Customer Wants
“How do I make my applications run better without rewriting them, or incurring major infrastructure cost and adding significant management overhead?”
“I need to be as optimized as I can be, as simply as possible and with minimal resource impacts”
– Director of Infrastructure for a major U.S. airline

Groundbreaking New Architecture
Diagram: Users (Mobile Phone, PDA, Laptop, Desktop) – Unified Network & Application Infrastructure Services (Deliver, Optimise, Secure) on the Traffic Management Operating System (TM/OS) – Applications (CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom, Co-location).

Comprehensive Single Solution
Diagram: Users (Mobile Phone, PDA, Laptop, Desktop) – The F5 Solution: BIG-IP 3400 with Performance Pack – Applications (CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom, Co-location).

An Intelligent and Flexible Solution
• iRules – Programmable Network Language: a programmable application network
• GUI-Based Application Profiles – repeatable policies
• Unified Application Infrastructure Services – targeted and adaptable functions: Security, Optimization, Delivery
• Universal Inspection Engine (UIE) – new service: complete visibility and control of application flows
• TM/OS – Fast Application Proxy, client side and server side

Secure Optimised Application Delivery
Application performance optimised by F5:

BIG-IP Delivers Applications Faster
Chart: page load time in seconds (0–100 scale), without BIG-IP vs. BIG-IP optimized, for IIS 6.0, OWA 2003, SharePoint, Siebel and Weblogic; the bars are annotated with improvements of 126%, 55%, 121%, 125% and 70%.
*Percentage of Improvement With BIG-IP Optimizing the Applications

Fast Cache – Dramatic Server Offloading
• IIS 6.0, Standard Web Content: 98%
• Siebel eBusiness Suite Call Center 7.7: 72%
• WebLogic Portal 8.1: 78%

Real World Performance and Results
• 350 Million Page Hits in 1 Week
• 1/3 Reduction in Servers
• 1/3 Reduction in Licenses
• 1/3 Reduction in Management Time
• 95% Fewer Connections (114.8 Million to 5 Million)
• 66% Reduction in Bandwidth (1.87 Terabyte to 621 Gigabytes)
• 300% Faster End-to-End Page Load Time (3 Seconds to 1 Second)

Real World Tests: Gomez
• Gomez Testing Results: http://www.f5.com/solutions/gomez_testing.pdf

Compression Calculator
http://www.f5demo.com/compression/

Customer Example: Airline
Customer Problem: Portal Applications are too Slow
• Unusable Web portal applications – 5 to 30+ second page load times, limited scale, costly infrastructure
• Executive level visibility; end-user complaints
• Too costly to change the applications
• Difficult to manage growing number of point solutions in the network
• Need to selectively compress based on client connection, application, and servers
Diagram: high latency connection and dial-up users (bandwidth bottleneck), fast connection and application, too many point solutions.
Market Pervasiveness:
• $25 billion lost annually in e-business due to poor web performance
• Over half of global users are still dial-up
• Internet latency on average is 2x in Europe and 4x in Asia compared with the US (91 ms)
• Average Web application can be 20x chattier than traditional client-server application

Customer Example: Airline
The BIG-IP Solution: Intelligent and Adaptable Optimization
BIG-IP Features & Functions Utilized
1. Client-Aware Compression (Patent Pending) – Target compression for high latency or dial-up users
2. Application Switching – High availability and cost-effective scale
3. TCP Offload & Optimization – Client-side & Server-side
4. Content Transformation – Eliminate need for application proxies
5. TM/OS & iRules – Unified framework for application services enabling an integrated approach to consolidation of services
Diagram: Detect high TCP latency = Compress! Detected dial-up client = Compress! Fast connection and application.
Business Benefit:
• 10x application performance improvement (20 to 2.5 seconds)
• 70% bandwidth reduction (thousands of dollars in Telco costs per month)
• Lower management cost (4 vendors/boxes unified into 1 cohesive solution)
• Organizational adaptability (can now easily offer standardized services across all application types)
Payback Time: 3 Months

SSL VPN
FirePass

Remote Access - Requirements
• Any Location: Hotel, Kiosk, Hot Spot
• Any User: Employee, Partner, Supplier
• Any Device: Laptop, Kiosk, Home PC, PDA/Cell Phone
• Any Application: Web, Client/Server, Legacy, Desktop
• Secure: Data Privacy, Device Protection, Network Protection, Granular App Access, Detailed Audit Trail
• Highly Available: Global LB, Stateful Failover, Disaster Recovery
• Ease of Integration: AAA Servers, Directories
• Ease of Use: Clientless, Simple GUI, Instant Access

2003-2007 Forecast
Chart (2001, 2003, 2005, 2007): individual SSL/HTTPS remote access, individual IPSec/PPTP remote access, and site-to-site IPSec (not individual remote access).
Source: Gartner 2003 (Unofficial)

SSL VPN Secure Application Access
Diagram: clients (Laptop, Mobile Device, Kiosk, Desktop) reach the FirePass Remote Access Controller across the Internet over HTTPS transport (ubiquitous delivery); dynamic policies; any application (Mainframe, Server).

Dynamic Policy Engine
• User / Device Security
– Dynamically adapt user policy based on device used
• Seamless Integration
– Utilize existing AAA servers
– Automatic user mapping from directory
• Detailed audit trail
– Application level visibility
Diagram: SSL Policy (Default Policy, Kiosk Policy, Wireless Policy, Laptop Policy) → Access Engine (SSL VPN Connector, AppTunnel Connector, Webifyer, Desktop Webifyer); Authentication (LDAP, RADIUS, WIN NT/2K, Web-based); Group (Sales, Financial, Auditors, etc.); Access Rights (Intranet, SAP, Siebel, File Shares); Audit / Usage Reporting (Who accessed, What was accessed, From Where).

Adaptive Client Security
Diagram: Devices (Kiosk, PDA, Laptop) → Policies (Kiosk Policy, Mini Browser Policy, Corporate Policy) with client checks (Firewall / Virus Check, Cache / Temp File Cleaner) → Resources (Terminal Servers, Files, Intranet, Email, Client/Server Application, Full Network).

Customer Example: Data Centre
Diagram: remote users (Sales Person, Engineers, Consultants) connect through FirePass; high availability of servers with BIG-IP; high availability for data centres with 3-DNS; FirePass at the backup data centre.

Web Application Security
TrafficShield

Security’s Gaping Hole
“64% of the 10 million security incidents tracked targeted port 80.”
– Information Week

TrafficShield Application Firewall
1. Web application firewall
– Protect web applications against known & unknown attacks
– Uses positive security logic – All traffic is illegal unless known to be legal
2. Content scrubbing
– Prohibit delivery of sensitive data
3. Application cloaking
– Hide the identity of web applications from outside probing

The Application Flow Model
Diagram label: <script>
Actions not known to be legal can now be blocked:
– Wrong page order
– Invalid parameter
– Invalid value
– etc.

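The positive security logic described above (all traffic is illegal unless known to be legal) can be shown with a small allow-list flow model. The following Python is an added illustration, not TrafficShield's or F5's code; the application pages, the per-parameter value patterns and the page-order rules are constructed for the example. A request is blocked when its page, its page order, a parameter name or a parameter value is absent from the model, so a `<script>` value is rejected simply because no legal value looks like that, with no attack signature involved:

```python
import re
from dataclasses import dataclass

# Constructed allow-list ("positive security") model of a hypothetical
# three-page web application. Anything not described here is illegal.
#   params: parameter name -> regex that every value must fully match
#   from:   pages a session may arrive from (None = entry point)
FLOW_MODEL = {
    "/login": {
        "params": {"user": r"[a-z0-9_]{1,32}", "pw": r".{1,64}"},
        "from": {None},
    },
    "/cart": {
        "params": {"item": r"\d{1,6}", "qty": r"\d{1,2}"},
        "from": {"/login", "/cart"},
    },
    "/checkout": {
        "params": {"cart_id": r"[0-9a-f]{8}"},
        "from": {"/cart"},
    },
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_request(prev_page, page, params):
    """Default-deny check of one request against the flow model.

    prev_page is the last page this session was allowed to reach
    (None for a fresh session); params is the request's name -> value map.
    """
    if page not in FLOW_MODEL:
        return Decision(False, f"unknown page {page}")
    entry = FLOW_MODEL[page]
    if prev_page not in entry["from"]:
        return Decision(False, f"wrong page order: {prev_page} -> {page}")
    for name, value in params.items():
        if name not in entry["params"]:
            return Decision(False, f"invalid parameter {name!r} on {page}")
        # fullmatch: the whole value must have a known-legal shape. A value such
        # as "<script>alert(1)</script>" fails because no legal value contains
        # "<", not because any signature recognised it.
        if re.fullmatch(entry["params"][name], value) is None:
            return Decision(False, f"invalid value for {name!r}: {value!r}")
    return Decision(True, "matches flow model")


def run_session(requests):
    """Walk one session's requests in order. Only allowed requests advance the
    session state, so a blocked request cannot unlock later pages."""
    prev, results = None, []
    for page, params in requests:
        decision = check_request(prev, page, params)
        results.append((page, decision))
        if decision.allowed:
            prev = page
    return results


if __name__ == "__main__":
    # Constructed session: a legal flow with one illegal request in the middle.
    session = [
        ("/login", {"user": "alice", "pw": "s3cret"}),
        ("/cart", {"item": "42", "qty": "2"}),
        ("/cart", {"item": "7", "debug": "1"}),      # invalid parameter -> blocked
        ("/checkout", {"cart_id": "0123abcd"}),      # allowed: state is still /cart
        ("/admin", {}),                              # unknown page -> blocked
    ]
    for page, decision in run_session(session):
        print(f"{'ALLOW' if decision.allowed else 'BLOCK':5} {page}: {decision.reason}")
    # Fresh sessions: forceful browsing straight to checkout, and a script in a value.
    print(check_request(None, "/checkout", {"cart_id": "0123abcd"}))
    print(check_request(None, "/login", {"user": "<script>alert(1)</script>", "pw": "x"}))
```

The model has to be learned or written per application, which is the cost of positive security; its benefit shows in the last two checks, where neither forceful browsing nor the script-bearing value needs a matching signature to be refused.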
Protecting Web-based Applications
CONTENT SCRUBBING – Scrubbed:
• Social Security Numbers
• Credit Card Numbers
• Account Numbers
• Patient Health ePHI
• Phone Numbers
• Any other identifiable text pattern
ATTACK FILTERING and APPLICATION FIREWALL (Out-of-box Protection Included, 15 min Set-Up Time) – Blocked:
• Unvalidated Input Manipulation
• Script Kiddies, Known Worms & Vulnerabilities
• Broken Access Control (Forceful Browsing)
• Buffer Overflow
• Requests for Restricted Object and File Types
• Cross-Site Scripting
• Non-RFC-Compliant Traffic
• SQL/OS Injection
• Illegal HTTP Format, Method
• Cookie Poisoning
• Unknown Worms and Vulnerabilities
CLOAKING – Blocked:
• OS and Web Server Fingerprinting
• HTTP Error Messages
• Application Error Messages
• Leakage of Server Code
NETWORK FIREWALL – Included:
• IP/Port Filtering
• Securing TCP/IP Session
• Reverse Proxy
SSL ACCELERATION & KEY MANAGEMENT – Included:
• SSL Accelerator
• Key Management & Failover Handling
• SSL Termination and Re-encryption to Servers

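As an added example covering the Content Scrubbing and Cloaking items above (illustrative Python written for this page, not TrafficShield's implementation; the data patterns, the Luhn check on candidate card numbers, the fingerprinting header names and the generic error text are all assumptions for the example), the following masks Social Security and credit card numbers in a response body, strips headers that identify the web server, and replaces server error pages that could leak application internals:

```python
import re

# Constructed patterns (assumptions for this example, not TrafficShield's own).
# SSN: AAA-GG-SSSS, excluding areas 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# Response headers that fingerprint the OS, web server or framework (cloaking).
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
GENERIC_ERROR_BODY = "An error occurred. Please try again later."


def luhn_ok(digits):
    """Luhn checksum; avoids masking order ids that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_cards(text):
    def repl(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)                        # not a card number: leave it
        return "*" * (len(digits) - 4) + digits[-4:]     # keep only the last four
    return CARD_RE.sub(repl, text)


def scrub_body(text):
    """Content scrubbing: replace sensitive data patterns before delivery."""
    text = SSN_RE.sub("***-**-****", text)
    return mask_cards(text)


def cloak_headers(headers):
    """Application cloaking: drop headers that fingerprint the OS/web server."""
    return {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}


def cloak_errors(status, body):
    """Application cloaking: never pass a raw server error page to the client."""
    return GENERIC_ERROR_BODY if status >= 500 else body


def scrub_response(status, headers, body):
    """Apply cloaking and scrubbing to one (status, headers, body) response."""
    return status, cloak_headers(headers), scrub_body(cloak_errors(status, body))


if __name__ == "__main__":
    # Constructed back-end response that leaks customer data and server identity.
    status, headers, body = scrub_response(
        200,
        {"Server": "Apache/2.0.52 (Red Hat)", "X-Powered-By": "PHP/4.3.9",
         "Content-Type": "text/html"},
        "Customer 123-45-6789 paid with 4111 1111 1111 1111, order 1234567890123",
    )
    print(headers)
    print(body)
    # Constructed 500 response whose body names a server-side file path.
    print(scrub_response(500, {"Server": "Apache"}, "Fatal error in /var/www/app.php line 42"))
```

Scrubbing is a last line of defence, not a substitute for fixing the application that emits the data: it only catches patterns it knows, so the "any other identifiable text pattern" entry above is where site-specific account number formats have to be added.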
Conclusion

App Traffic Management’s Unique Positioning
Diagram: functionality plotted from Network Plumbing (Routers, Switches, Firewalls) toward Intelligent Clients and Intelligent Applications; above the plumbing sit BIG-IP (Application Traffic Management), FirePass (Application Access), TrafficShield (Application Security) and iControl.