F5 - The New Security Perimeter: Applications and Identities
Timo Lohenoja, CISSP, Systems Engineer, F5 Networks, [email protected]

Feb 13, 2017

Transcript
Page 1: F5 - The New Security Perimeter Applications and Identities

The New Security Perimeter: Applications and Identities

Timo Lohenoja, CISSP, Systems Engineer, F5 Networks, [email protected]

Page 2: F5 - The New Security Perimeter Applications and Identities

© F5 Networks, Inc 2

Applications are Driving Innovation and Massive Growth in Data… but also creating an exponential increase in the attack surface

Sources: Forbes, Nielsen, IDC, EMC, Statista

Page 3: F5 - The New Security Perimeter Applications and Identities

…Resulting in an Unprecedented Increase in Attacks

Chart: source of data breaches

Sources: IT Business Edge, Krebs on Security, Security Week, CSO Online

Page 4: F5 - The New Security Perimeter Applications and Identities

Security Investments Completely Misaligned with Reality

Diagram labels: Attackers, Fraudsters, Internal Users; NGFW, IPS / IDS, DLP ($$$ security spend); App Servers, DB Servers

Page 5: F5 - The New Security Perimeter Applications and Identities

Security Investments Completely Misaligned with Reality

Perimeter Security: 10% of attacks are focused here, 75% of security investment
Identity & Application Security: 90% of attacks are focused here, 25% of security investment

Source: Gartner

Page 6: F5 - The New Security Perimeter Applications and Identities

Important Trends in Threat Vectors

86% of websites have at least 1 serious vulnerability (WhiteHat Security Statistics Report 2015)
56 vulnerabilities per website on average (WhiteHat Security Statistics Report 2015)
20% of IT pros are confident users avoid phishing (2015 CyberThreat Defense)
85,000 malicious IPs launched every day (Threat Brief Report, Webroot, May 2015)
2.3M bots actively attacking (Symantec Internet Security Report 2014)
Every 23 min a website is hit by a critical exploit (F5 Research)
56% of security professionals employ WAF (2015 Cisco Annual Security Report)
36% have no cyber-attack response in place (F5 Networks Survey Research 2016)

Page 7: F5 - The New Security Perimeter Applications and Identities

The Traditional Approach to Security is Inadequate

• Less control over user access, and policies do not follow apps
• Overwhelming volume of application traffic
• Traditional security solutions are blind to SSL traffic
• Perimeter approach is no longer adequate

Page 8: F5 - The New Security Perimeter Applications and Identities

The New Perimeter is an App Perimeter: Apps are the gateways to data

Traditional: a single network perimeter ✖
New perimeter: a per-app / per-user perimeter around each SSL-protected app ✔ SSL-visible, location-independent, session-based, continuous trust verification, strategic control points, application availability

IT’S TIME TO RETHINK SECURITY ARCHITECTURES

Page 9: F5 - The New Security Perimeter Applications and Identities

Identity is the Key to Adaptive Authentication and Access

Context signals shown: device type and integrity, browser, location, operating system, authentication, access method, network integrity, network quality and availability, connection integrity, app type / version, app location, app importance and risk

Page 10: F5 - The New Security Perimeter Applications and Identities

Cloud Apps Create Complexity and Reduce Security

• Silos of identity
• Identity may still be on-premises, but apps and data are moving to the cloud
• Users experiencing “password fatigue”
  • Leads to password re-use
  • A 3rd-party website hack may affect your site, compromising your data
• Existing solutions require complex infrastructure

Diagram labels: Data Center (physical and virtual applications), Identity and Access Management, Internet, SaaS (Salesforce, Office 365, Concur, Google Docs), Devices

Page 11: F5 - The New Security Perimeter Applications and Identities

Federating Identity for Cloud Applications

• Outsourced applications and infrastructure
• Applications enforcing “authority” over user identity
• Need to provide access to customers and supply chain without manual user account management and password resets

Diagram labels: Data Center (physical and virtual applications), Identity and Access Management, Internet, SaaS (Salesforce, Office 365, Concur, Google Docs), Devices

Page 12: F5 - The New Security Perimeter Applications and Identities

Optimising Security with Risk-based Policy Protection

Risk signals evaluated per request: User ID, Location, End point, Device health, Device type, Malware, Sensitive Data, Human
Possible outcomes, set separately for a High-Value App and a Low-Value App: Allow, Challenge, OTP, Client Cert., Deny
Example locations shown: North Korea, United Kingdom
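As an added example (not code from the deck or from any F5 product), the following shows how the signals on this slide can be combined into the slide's outcomes for a high-value and a low-value app; the country code, weights and thresholds are constructed assumptions, not F5's policy.

```python
from dataclasses import dataclass

@dataclass
class AccessContext:
    """The per-request signals named on the slide (values are constructed)."""
    user_id: str
    country: str            # ISO 3166 code from client geolocation (Location)
    device_health: str      # "managed" (compliant endpoint) or "unmanaged"
    device_type: str        # "laptop", "mobile" or "unknown"
    malware_detected: bool  # endpoint inspection found malware
    human: bool             # bot / behavioural check passed
    app_value: str          # "high" or "low" (High-Value App vs Low-Value App)
    sensitive_data: bool    # the app handles sensitive data

HIGH_RISK_COUNTRIES = {"KP"}  # constructed list; the slide's example is North Korea

def risk_score(ctx: AccessContext) -> int:
    """Additive risk from the context signals; the weights are assumptions."""
    score = 0
    if ctx.country in HIGH_RISK_COUNTRIES:
        score += 50
    if not ctx.human:
        score += 40
    if ctx.device_health != "managed":
        score += 20
    if ctx.device_type == "unknown":
        score += 10
    return score

def decide(ctx: AccessContext) -> str:
    """Map risk to the slide's outcomes: allow, challenge (OTP or client cert) or deny.
    High-value or sensitive-data apps get stricter thresholds than low-value apps."""
    if ctx.malware_detected:
        return "deny"  # an infected endpoint is denied for every app
    score = risk_score(ctx)
    if ctx.app_value == "high" or ctx.sensitive_data:
        if score == 0:
            return "allow"
        if score < 30:
            return "challenge:otp"
        if score < 50:
            return "challenge:client-cert"
        return "deny"
    if score < 30:
        return "allow"
    if score < 60:
        return "challenge:otp"
    return "deny"
```

The same unmanaged device from a high-risk location is denied for the high-value app but only challenged with an OTP for the low-value one, which is the risk-based split the slide draws.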

Page 13: F5 - The New Security Perimeter Applications and Identities

Identity Federation and SSO Solutions

• Transform one type of authentication into another
• Support various standards-based protocols (SAML, Kerberos, NTLM)
• Enable flexible selection of SSO techniques appropriate to the application
• Allow centralised session control of all applications, including SaaS apps

Diagram: Users authenticate with Certificates, Password, Token, Federation (SAML) or Adaptive Auth; SSO Selection forwards them to Apps in the Private/Public Cloud using Certificates, Dynamic Forms, Kerberos Delegation, Simple Assertion or SAML Pass-through; additional controls shown: Endpoint Validation, Step-Up Auth, Fraud Protection

Page 14: F5 - The New Security Perimeter Applications and Identities

Identity Federation and SSO with Adaptive Authentication

Diagram labels: On-Premises Infrastructure (Corporate Applications, Directory Services, Corporate Users), Users, Attackers, SaaS (Office 365, Google Apps, Salesforce), Public Cloud, Private Cloud, Corporation; functions shown: Identity federation, SAML identity management, Multi-factor authentication (LOGIN with a one-time code), SAML real-time access control, Access policy enforcement

Page 15: F5 - The New Security Perimeter Applications and Identities

Application Attacks are Inevitable: Prepare for application attacks

A website is hit by a critical exploit every 23 minutes

95% of breaches through 2018 will be caused by misconfigured firewalls, not vulnerabilities

86% of websites have at least 1 vulnerability and an average of 56 per website

75% of Internet threats target web servers

2.3M bots actively attacking

Sources: Cisco, WhiteHat Security, Gartner, Symantec

Page 16: F5 - The New Security Perimeter Applications and Identities

Encryption Creates a Blind Spot in Your Network

• Most network architectures are not built for SSL encryption
• SSL on NGFW products impacts performance by 80%
• Malware using SSL to evade network monitoring
• Without security tools to inspect SSL traffic, attacker actions can go undetected
• Trends toward SSL Everywhere, including HTTP/2 and TLS 1.3

Page 17: F5 - The New Security Perimeter Applications and Identities

The Right Tool for the Job: Bifurcation of Firewalls

“Next Generation” Firewall (corporate users out to the Internet)
• Outbound user inspection
• 1K users to 10K web sites
• Broad but shallow
• UserID and AppID
• Who is doing what?

Web Application Firewall (Internet in to data center servers)
• Inbound application protection
• 1M users to 100 apps
• Narrow but deep
• Application delivery focus
• Web specific protocols (HTTP, SSL, etc.)

Page 18: F5 - The New Security Perimeter Applications and Identities

Intrusion Prevention Systems and Standard Firewalls: Layer 7 security is not addressed by traditional IPS and firewall products

Intrusion Prevention Systems / Traditional Firewall
• Examines all traffic for malicious app inputs
• Primarily uses anomalous and signature-based detection
• Some stateful protocol analysis capabilities
• Lacks understanding of L7 protocol logic
• Doesn’t protect against all exploitable app vulnerabilities

Blind spots shown: Encryption, Unknowns (???), Fragmentation, Obfuscation

Page 19: F5 - The New Security Perimeter Applications and Identities

Web Application Firewall Capabilities: Protect against layer 7 attacks with granularity

• Protects against layer 7 DDoS attacks
• DAST/VA integration with extensive automated and virtual patches
• Understands the business logic behind your web app
• Full-proxy protection against the OWASP Top 10
• Combines negative and positive security models
• Deep understanding of the application, not just generic attacks

WAF form factors: Appliance, Virtual Edition, Cloud

Page 20: F5 - The New Security Perimeter Applications and Identities

Traditional Security Devices vs WAF

Capabilities compared for WAF, IPS and NGFW (the per-device ratings were icons: good to very good, average or fair, below average):
• Multiprotocol Security *
• IP Reputation *
• Web Attack Signatures *
• Web Vulnerabilities Signatures *
• Automatic Policy Learning *
• URL, Parameter, Cookie, and Form Protection *
• Leverage Vulnerability Scan Results *
• Browser Fingerprinting
• Protection against Layer 7 DDoS Attacks
• Pro-active Modification of Application Requests/Responses
• Advanced Protection for Web Services (SOAP, XML, AJAX)

* Source: Gartner "Web Application Firewalls Are Worth the Investment for Enterprises"
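The WAF capabilities slide and the comparison above turn on two ideas the IPS slide says traditional devices lack: a positive model (URL, parameter, cookie and form protection learned per application) combined with a negative model (web attack signatures), both applied after the input is normalised the way the application would see it. As an added example (not code from the deck or from any F5 product), here is a toy check that does exactly that; the policy, signatures and sample requests are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Positive model: what the WAF's learning phase recorded as legitimate per URL
# (constructed): parameter name -> (allowed format, maximum length).
POLICY = {
    "/login": {"username": (r"^[A-Za-z0-9_.@-]{1,64}$", 64),
               "password": (r"^.{1,128}$", 128)},
    "/search": {"q": (r"^[\w\s\-']{1,100}$", 100)},
}

# Negative model: illustrative attack signatures, run on normalised values only.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\s+select\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script", re.I)),
]

def normalise(value: str) -> str:
    """Undo URL-encoding until stable (catches double encoding) and collapse whitespace,
    so the check sees the value the way the application's own parser would."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return re.sub(r"\s+", " ", value)

def check_request(path: str, query: str) -> list:
    """Return (violation, parameter) tuples; an empty list means both models pass."""
    rules = POLICY.get(path)
    if rules is None:
        return [("url-not-in-policy", path)]   # positive model: unknown URL
    violations = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in rules:
            violations.append(("unknown-parameter", name))
            continue
        pattern, max_len = rules[name]
        for raw in values:
            value = normalise(raw)
            if len(value) > max_len:
                violations.append(("length-exceeded", name))
            if not re.match(pattern, value):
                violations.append(("format-violation", name))
            for sig_name, sig in SIGNATURES:
                if sig.search(value):
                    violations.append((sig_name, name))
    return violations
```

A double-encoded value is flagged by both models once decoded, while a parameter the learning phase never saw is a violation even when no signature matches it.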

Page 21: F5 - The New Security Perimeter Applications and Identities

Advanced vs Traditional Web Application Firewall

TRADITIONAL WAF
• Signatures (OWASP Top 10)
• DAST integration
• Site learning
• File/URL/Parameter/Header/Cookie enforcement
• Protocol enforcement
• Login enforcement / Session tracking
• Data leak prevention
• Flow enforcement
• IP blacklisting

ADVANCED WAF
• Bot detection
• Client fingerprinting
• Web scraping prevention
• Brute force mitigation
• L7 DDoS protection
• Heavy URL mitigation
• CAPTCHA challenges
• HTTP header sanitisation/insertion
• Anti-CSRF token insertion
• Perfect Forward Secrecy (PFS) ciphers
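Brute force mitigation and CAPTCHA challenges from the advanced list work together: failures per source are counted over a sliding window and the response is stepped up from a challenge to a block, with many distinct accounts failing from one source treated as credential stuffing. As an added example (not code from the deck or from any F5 product), this replays constructed login log lines through such a rule; the log format, window and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> <client-ip> POST /login user=<name> status=<code>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) status=(?P<status>\d{3})$")

WINDOW = timedelta(minutes=5)  # sliding window for counting failures (assumption)
CHALLENGE_AFTER = 3            # failures from one IP -> CAPTCHA challenge
BLOCK_AFTER = 6                # failures from one IP -> block
STUFFING_ACCOUNTS = 5          # distinct accounts failing from one IP -> block

class LoginGuard:
    """Tracks failed logins per source IP and picks allow / captcha / block."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> deque of (timestamp, username)

    def observe(self, line: str) -> str:
        """Feed one log line; return the action the WAF would take for its source."""
        m = LOG_RE.match(line)
        if not m:
            return "unparsed"
        now, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        q = self.failures[ip]
        while q and now - q[0][0] > WINDOW:  # forget failures older than the window
            q.popleft()
        if m["status"] == "401":
            q.append((now, m["user"]))
        distinct_accounts = len({user for _, user in q})
        if len(q) >= BLOCK_AFTER or distinct_accounts >= STUFFING_ACCOUNTS:
            return "block"    # brute force on one account, or stuffing across many
        if len(q) >= CHALLENGE_AFTER:
            return "captcha"  # step up to a CAPTCHA challenge before blocking
        return "allow"

SAMPLE_LOG = [  # constructed lines using documentation-range addresses
    "2017-02-13T10:00:00 203.0.113.5 POST /login user=alice status=401",
    "2017-02-13T10:00:05 203.0.113.5 POST /login user=alice status=401",
    "2017-02-13T10:00:09 203.0.113.5 POST /login user=alice status=401",
    "2017-02-13T10:00:20 198.51.100.7 POST /login user=bob status=200",
    "2017-02-13T10:00:30 203.0.113.5 POST /login user=alice status=200",
    "2017-02-13T10:06:00 203.0.113.5 POST /login user=alice status=200",
]

def run(lines):
    """Replay log lines through one guard and return the action for each line."""
    guard = LoginGuard()
    return [guard.observe(line) for line in lines]
```

The third failure from 203.0.113.5 triggers the challenge, the later successful login is still challenged while the failures are inside the window, and once they age out the source is allowed again.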

Page 22: F5 - The New Security Perimeter Applications and Identities

Demystifying the Industry Buzzword: RASP (Runtime Application Self-Protection)

An agent in the runtime container for each application or server

Page 23: F5 - The New Security Perimeter Applications and Identities

Application Security Options

WAF ‒ Web Application Firewall
• Enterprise-grade protection/performance for all apps
• PCI and regulatory compliance requirements
• DAST integrations for scanning and WAFs for patching all apps
• Most effective against L7 DoS, Brute Force, Web Injection, Scraping, XSS, CSRF

RASP ‒ Runtime Application Self-Protection
• Instance of protection for one app (SQL Injection, XSS)
• Post WAF, IPS protection
• Inside the application or on server
• App language dependent (Java, .NET) and 1-10% range performance reduction

Page 24: F5 - The New Security Perimeter Applications and Identities

Hybrid Protection from Advanced Application Attacks

ON-PREMISES WAF
• Protect core applications in data center
• Virtual patching
• Layer 7 DDoS

CLOUD-BASED WAF
• Protect applications in the cloud, co-lo, data center
• Provide flexible application fluency
• App/Dev policy development
• 24/7 attack support from security experts

Policy Import/Export

Page 25: F5 - The New Security Perimeter Applications and Identities

More Capability Considerations: Combined Hybrid WAF = No application left unprotected

Considerations (each marked for On-prem WAF and/or Cloud WAF; the marks were icons):
• Have resources to manage WAF?
• Need to maintain app blocking control?
• Willing to use professional services?
• PCI compliance challenges
• VA/DAST part of app development/protection
• Must protect cloud-based apps
• Must protect tier 2 apps
• Prefer outsourcing app security
• Require 3rd party policy creation with 24x7x365 support

Hybrid WAF deployment

Page 26: F5 - The New Security Perimeter Applications and Identities

Application Protection: Cloud-based and On-premises

Diagram labels:
• Traffic sources: Scanner, Anonymous Proxies, Anonymous Requests, Botnet Attackers, Attackers; Legitimate Users, Corporate Users
• Cloud tier: Volumetric DDoS protection, Managed Application firewall service, zero-day threat mitigation with iRules (WAF, DDoS); Threat Intelligence Feed; Multiple ISP strategy (ISP a/b); Customer Router; Signaling; Hybrid integration with ADC to synchronise threat information and request service
• Data center tier: Next-Generation Firewall, IPS, Data Center Firewall, WAF, Strategic Point of Control; applications: Financial Services, E-Commerce, Subscriber
• Attacks mapped from Network to Application: network attacks (ICMP flood, UDP flood, SYN flood); DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning); HTTP attacks (Slowloris, slow POST, recursive POST/GET); SSL attacks (SSL renegotiation, SSL flood)

Page 27: F5 - The New Security Perimeter Applications and Identities

Best Practices in Protecting Your Applications

Page 28: F5 - The New Security Perimeter Applications and Identities

Comprehensive Security Solutions for the New Perimeter

APPLICATION ACCESS and APPLICATION PROTECTION: Remote Access, SSL Inspection, Network Firewall, Enterprise Mobility Gateway, Secure Web Gateway, Traffic Management, DDoS Protection, Web Fraud Protection, Web App Firewall, Access Federation, App Access Management, DNS Security

Confidentiality, Integrity, Availability
Risk-Based Policies, Intelligence and Visibility, Hybrid Delivery

Page 29: F5 - The New Security Perimeter Applications and Identities

Timo Lohenoja, CISSP, Systems Engineer
F5 Networks, [email protected]