
Application threat mitigation strategies

Carlos Valencia
Sales Engineer - LATAM
c.valencia@f5.com

© 2017 F5 Networks 1
The Big Picture

[Diagram: threat sources (scanners, anonymous proxies, anonymous requests, botnets, attackers, DDoS attackers with volumetric and application attacks) reaching corporate users, cloud apps and data center apps through a router, next-generation firewall, IPS/IDS, local DDoS, DNS / DNS firewall, WAF/ASM and SSL, fed by a threat intelligence feed / IP Intelligence (IPI). Other labels: High Performance DNS, Hybrid Cloud, Partner, Customer Protection, Fraud. The ISP may provide a rudimentary DDoS service.]

Network protection (L3/L4):
• L3/L4 DDoS: ICMP flood, UDP flood, SYN flood, TCP-state floods
• DNS, SIP DDoS; DNS DoS: DNS amplification, query flood, dictionary attack, DNS poisoning
• SSL DoS: SSL renegotiation, SSL flood
• DoS detection using behavioral analysis

Application protection (L5-L7, CPU intensive):
• Application D/DoS; HTTP DoS: GET flood, Slowloris / slow POST, recursive POST/GET (DHD only)
• DoS detection using behavioral analysis
• OWASP Top 10: SQLi / XSS / CSRF / 0-day, etc.; WAF in general
• L7 DDoS

Silverline cloud-based platform: absorbs volumetric attacks in the cloud.
F5 BIG-IP across the traditional data center, private cloud and public cloud (cloud interconnection / Direct Connect): consistent policies, cloud portability, top security, visibility, lowest TCO.
[Slides 8-9: chart comparing security investment and attacks across firewalls, anti-virus, DLP, IDS/IPS, SIEM and APT; figures as extracted: 90%, 28%, 72%, 28, 44. The chart itself is not recoverable.]
Protection against web application vulnerabilities (WAF)

• CSRF
• OWASP Top 10
• Forceful browsing
• Web scraping
• SQL injection
• Field manipulation
• Cross-site scripting
• Command injection
• Bots
• Cookie manipulation
• Brute force attacks
• Buffer overflows
• Parameter tampering
• Information leakage
• Session hijacking
• Zero-day attacks
• Clickjacking
• Business logic flaws
Traditional firewalls and Intrusion Prevention Systems

• Examine all traffic for malicious app inputs
• Primarily use anomaly- and signature-based detection
• Some stateful protocol analysis capabilities
• Lack understanding of L7 protocol logic
• Do not protect against all exploitable app vulnerabilities

Layer 7 security is not addressed by traditional IPS & firewall vendors.
Secures, federates access to any application, anywhere

[Diagram: a corporate user at XYZ Corp., remote users, mobile users, contractors and a hacker (who must be stopped) come in over the Internet. They log in once with single or multi-factor auth (username, PW+PIN) against directory services and a SAML identity provider, and are federated via SAML to apps in the data center, private cloud, hybrid cloud and public cloud, to VDI and corporate apps, and to SaaS apps such as Office 365 and Salesforce.]

Access decision context:
• User / user group
• Endpoint check
• Network
• Location
• Connection type (L3/L4)
• MDM/EMM device posture

SSL
[Slides 13-17: no text recovered beyond the title "SSL".]
Tiered DDoS defense

Tier 1 (network and DNS): multiple-ISP strategy (ISP a/b), cloud scrubbing service, next-generation firewall.
• Network attacks: ICMP flood, UDP flood, SYN flood
• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning

Tier 2 (application): IPS, threat feed intelligence, strategic point of control.
• SSL attacks: SSL renegotiation, SSL flood
• HTTP attacks: Slowloris, slow POST, recursive POST/GET

Protected applications: financial services, e-commerce, subscriber. Legitimate users and corporate users pass through; threat sources include the DDoS attacker, scanners, anonymous proxies, anonymous requests, botnets and attackers.
DDoS approach

Cloud / hosted service
Strengths:
• Completely off-premises, so DDoS attacks can't reach you
• Amortized defense across thousands of customers
• DNS anycast and multiple data centers protect you
Weaknesses:
• Customers pay, whether attacked or not
• Bound by terms of service agreement
• Solutions focus on specific layers (not all layers)

On-premises defense
Strengths:
• Direct control over infrastructure
• Immediate mitigation with instant response and reporting
• Solutions can be architected to scale independently of one another
Weaknesses:
• Many point solutions in the market, few comprehensive DDoS solutions
• Can only mitigate up to the maximum inbound connection size
• Deployments can be costly and complex
Hybrid DDoS protection

Combining the "resilience and scale" of the cloud with the "granularity and always-on capabilities" of on-premises.

Signaling between cloud and on-premises:
• Request for service
• IP list management
Unified attack command and control across both.

DDoS architecture: the Silverline scrubbing center

Management and inspection plane:
• Flow collection (Netflow) aggregates attack data from all sources
• Inspection toolsets provide input on attacks for the Traffic Actioner and the SOC
• Traffic Actioner (route management) injects routes and steers traffic into the scrubbing center
• Portal provides real-time reporting and configuration; visibility and signaling to the customer

Data plane (customer VRF):
• Ingress router applies ACLs and filters traffic (BGP signaling from the customer network)
• Switching mirrors a copy of traffic to the inspection toolsets
• Network mitigation removes advanced L4 attacks (routing/ACL)
• Proxy mitigation removes L7 application attacks (DDoS, WAF, proxy)
• Egress routing returns good traffic back to the customer (GRE tunnel, IP reflection, L2VPN)

Silverline services: volumetric DDoS protection, managed application firewall service, zero-day threat mitigation with iRules.
DNS under attack

[Chart: application-layer attacks by protocol; values as extracted, in label order HTTP, DNS, HTTPS, SMTP, SIP/VoIP, IRC, Other: 82%, 77%, 54%, 25%, 20%, 9%, 6%. Second chart, "Traditional DDoS mitigation", not recoverable.]

"Cybercrime is a persistent threat in today's world and, despite best efforts, no business is immune." (Network Solutions)

DNS is the second most targeted protocol after HTTP. DNS DoS techniques range from:
• Flooding requests to a given host
• Reflection attacks against DNS infrastructure
• Reflect / amplification attacks
• DNS cache poisoning attempts

Of the customers that mitigate DDoS attacks, many choose a technique that inhibits the ability of DNS to do its job:
• DNS is based on UDP
• DNS DDoS often uses spoofed sources
• Using an ACL blocks legitimate clients
• DNS attacks use massive volumes of source addresses, breaking many firewalls
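The following script is an added example, not from this deck or from F5, of the behavioral detection the slide contrasts with ACL-based mitigation. It runs over a constructed DNS query log (the line format "second source-ip qname qtype" is an assumption) containing ordinary stub clients, one busy but legitimate recursive resolver, and a spoofed random-label flood spread over roughly a thousand source addresses. A per-source threshold, the ACL approach, blocks only the legitimate resolver and none of the flood sources; the aggregate per-zone rate and the share of distinct names flag every flood second without touching individual clients.

```python
"""Behavioral DNS flood detection over a constructed query log (added example)."""
import random
from collections import Counter, defaultdict
from statistics import median

ZONE = "example.com."  # assumed zone under attack


def parse_line(line):
    """Parse one constructed log line "<second> <src_ip> <qname> <qtype>"."""
    sec, src, qname, qtype = line.split()
    return int(sec), src, qname.lower(), qtype


def build_sample_log(seed=7):
    """Constructed 10-second log: 40 stub clients at 2 q/s each, one ISP
    resolver legitimately at 60 q/s, and from second 5 a spoofed flood of
    1000 random-label queries per second from ~1000 distinct sources."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    lines = []
    for sec in range(10):
        for i in range(40):
            lines += [f"{sec} 192.0.2.{i + 1} www.{ZONE} A"] * 2
        lines += [f"{sec} 198.51.100.10 mail.{ZONE} MX"] * 60
        if sec >= 5:
            for _ in range(1000):
                src = "100.%d.%d.%d" % (rng.randrange(64, 128),
                                        rng.randrange(256), rng.randrange(256))
                label = "".join(rng.choice(alphabet) for _ in range(10))
                lines.append(f"{sec} {src} {label}.{ZONE} A")  # defeats caching
    return lines


def per_source_qps(records, window_s):
    """Average queries per second for every source over the window."""
    counts = Counter(src for _, src, _, _ in records)
    return {src: n / window_s for src, n in counts.items()}


def acl_candidates(records, window_s, threshold_qps):
    """Sources a per-source ACL / rate limit would block at this threshold."""
    return {src for src, qps in per_source_qps(records, window_s).items()
            if qps > threshold_qps}


def per_second_zone_stats(records, zone):
    """Per second: (total queries for the zone, number of distinct qnames)."""
    totals, names = Counter(), defaultdict(set)
    for sec, _, qname, _ in records:
        if qname.endswith(zone):
            totals[sec] += 1
            names[sec].add(qname)
    return {sec: (totals[sec], len(names[sec])) for sec in totals}


def behavioral_flood_seconds(records, zone, baseline_seconds=5,
                             rate_factor=3.0, unique_ratio=0.5):
    """Seconds flagged as a flood: aggregate rate above rate_factor times the
    baseline median, or more than unique_ratio of queries for distinct names
    (the signature of a random-subdomain / dictionary flood)."""
    stats = per_second_zone_stats(records, zone)
    baseline = median(stats[s][0] for s in sorted(stats)[:baseline_seconds])
    flagged = []
    for sec in sorted(stats):
        total, distinct = stats[sec]
        if total > rate_factor * baseline or distinct / total > unique_ratio:
            flagged.append(sec)
    return flagged


if __name__ == "__main__":
    recs = [parse_line(line) for line in build_sample_log()]
    # The ACL approach: only the legitimate resolver crosses 20 q/s.
    print("per-source ACL would block:", acl_candidates(recs, 10, 20.0))
    # The behavioral approach: every flood second is flagged.
    print("flood seconds:", behavioral_flood_seconds(recs, ZONE))
```

The per-source view is blind to the flood because each spoofed address contributes a fraction of a query per second, which is exactly why the slide notes that massive source-address volumes break many firewalls; the per-zone view needs no per-client state and therefore scales with the attack.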
Conventional DNS thinking

Internet → external firewall → DNS load balancing → array of DNS servers → internal firewall → hidden master DNS
• Performance = add DNS boxes
• Weak DoS/DDoS protection
• Firewall is THE bottleneck

Paradigm shift: DNS delivery reimagined

Internet → DNS firewall → master DNS. DNS infrastructure services: DNS DDoS protection, protocol validation, authoritative DNS, caching resolver, transparent caching, high-performance DNSSEC, DNSSEC validation, intelligent GSLB.
• Scalable performance, over 10M RPS
• Strong DoS/DDoS protection
• Lower CapEx and OpEx
F5 DNS Firewall Services

[Diagram: devices and LDNS on the Internet, the DNS firewall in the DMZ, and DNS servers and apps in the data center.]

• DNS DDoS mitigation with DNS Express
• Protocol inspection and validation
• DNS record type ACL*
• Block access to malicious IPs (DNS Firewall)
• High performance DNS cache
• Stateful: never accepts unsolicited responses
• ICSA certified; deployment in the DMZ
• Scale across devices with IP Anycast
• Secure responses with DNSSEC
• DNSSEC responses rate limited
• Complete DNS control: iRules & programmability
• DDoS threshold alerting*
• DNS logging and reporting
• Hardened DNS code
Threats in the customer browser

[Diagram: on the data center side, secured traffic management with SIEM, WAF, NIPS, HIPS, DLP and a network firewall; on the customer browser side, HTTP/HTTPS traffic exposed to the following.]

Leveraging browser application behavior:
• Caching content, disk cookies, history
• Add-ons, plug-ins

Manipulating user actions:
• Social engineering
• Weak browser settings
• Malicious data theft
• Inadvertent data loss

Embedding malware:
• Keyloggers
• Framegrabbers
• Data miners
• MITB / MITM
• Phishers / pharmers
Man-in-the-browser content injection

1. Generic malware, such as Zeus, infects a user's device. The malware contains code designed to insert specific content into the browser session when the user accesses specific sites, for example:
   *wellsfargo* → add field
   *bankofamerica* → add button, replace text
   *chase* → add cc#, pin, remove text
   *telebank* → send credentials
   *bankquepopulaire* → …
2. The user requests the expected login page for Wells Fargo. This triggers the malware, which injects additional content into the browser.
3. The user enters the requested content and clicks Go.
4. This information is sent to the legitimate web server as expected, and is also sent to the configured drop zone.
HTML source integrity

This page is expected to have only four forms, 14 input fields and six scripts. HTML Source Integrity is based on the expected number of forms, input fields and scripts, so the additional input field inserted by the malware will now trigger an alert.
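An added example, not the deck's or F5's code, of the comparison behind HTML Source Integrity: count forms, input fields and scripts in a page and alert when any count drifts from a recorded baseline. The sample page is constructed to match the slide's numbers (four forms, 14 input fields, six scripts) and the injected PIN field simulates a web-inject of the kind listed on the previous slide. In a real deployment the counts are taken from the DOM rendered in the browser, since that is where a man-in-the-browser injects, and reported back to the site; only the comparison logic is modelled here.

```python
"""HTML source-integrity check against a recorded baseline (added example)."""
from html.parser import HTMLParser

COUNTED_TAGS = ("form", "input", "script")


class _ElementCounter(HTMLParser):
    """Counts start tags of the element types the baseline tracks.
    HTMLParser lower-cases tag names and routes <input ... /> through
    handle_starttag as well, so void elements are counted."""

    def __init__(self):
        super().__init__()
        self.counts = {tag: 0 for tag in COUNTED_TAGS}

    def handle_starttag(self, tag, attrs):
        if tag in self.counts:
            self.counts[tag] += 1


def count_elements(html):
    """Return {'form': n, 'input': n, 'script': n} for the given markup."""
    parser = _ElementCounter()
    parser.feed(html)
    parser.close()
    return dict(parser.counts)


def check_integrity(html, baseline):
    """Return a list of (tag, expected, observed) for every deviation from
    the baseline; an empty list means the page matches."""
    observed = count_elements(html)
    return [(tag, baseline[tag], observed[tag])
            for tag in COUNTED_TAGS if observed[tag] != baseline[tag]]


def build_login_page():
    """Constructed clean page with the slide's numbers: four forms,
    14 input fields, six scripts. Names and paths are illustrative."""
    scripts = "".join(f'<script src="/static/s{i}.js"></script>' for i in range(6))
    forms = [
        ("search", ["q"]),
        ("login", ["username", "password", "csrf_token"]),
        ("newsletter", ["email", "consent"]),
        ("contact", ["name", "email", "phone", "subject", "message",
                     "csrf_token", "honeypot", "submit"]),
    ]
    body = ""
    for action, fields in forms:
        inputs = ""
        for name in fields:
            itype = "password" if name == "password" else "text"
            inputs += f'<input type="{itype}" name="{name}">'
        body += f'<form action="/{action}" method="post">{inputs}</form>'
    return f"<html><head>{scripts}</head><body>{body}</body></html>"


def inject_mitb_field(html):
    """Simulate a Zeus-style web-inject: add an ATM PIN field after the
    password field of the login form ("*wellsfargo* -> add field")."""
    marker = '<input type="password" name="password">'
    return html.replace(marker, marker + '<input type="text" name="atm_pin">', 1)


if __name__ == "__main__":
    clean = build_login_page()
    baseline = count_elements(clean)          # {'form': 4, 'input': 14, 'script': 6}
    tampered = inject_mitb_field(clean)
    for tag, expected, observed in check_integrity(tampered, baseline):
        print(f"ALERT: {tag} count {observed}, expected {expected}")
```

The baseline must be re-recorded whenever the site legitimately changes its markup, otherwise every deployment raises the same alert; an injected script or a removed field is caught by the same comparison, since it checks all three counts in both directions.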
Stealing form data in the browser

1. The victim is infected with malware.
2. The victim makes a secure connection to a web site.
3. The victim enters data into the web form (the password revealer icon in the diagram marks content that can be stolen by the malware).
4. The victim submits the web form; this triggers the malware to run.
5. The information is encrypted and sent to the web server, and is also sent to the drop zone in clear text.
How HFO works: field name obfuscation

[Diagram: the web application in the data center behind a security appliance (LTM); left panel "Without HFO". No further text recovered.]
Transaction risk scoring (My Bank.com)

• Gather client details related to the transaction
• Run a series of checks to identify suspicious activity
• Assign a risk score to the transaction
• Send an alert based on the score
• Apply L7 encryption to all communications between client and server
Phishing site development: alert at each stage

1. Copy website
2. Save copy to computer
3. Upload copy to spoofed site
4. Test spoofed site
Each cloud provides siloed native app services: basic, proprietary and inconsistent

[Diagram: corporate datacenter(s) with private cloud, an MSP and SaaS, each with its own servers and native app services, joined by a cloud interconnect.]
Your cloud strategy should be an extension of your data center strategy: app-centric

[Diagram: application services (identity, commerce, analytics, VPN, mobile, database, website, storage, DNS, load balancing, application performance) arranged around the application.]

• Enable both network and application security: defend against application attacks; ensure secure user access
• Deliver high availability, not just infrastructure availability
• Ensure application performance
• Centralize management and orchestration of the application: gain traffic visibility; orchestrate tasks centrally
• Streamline app delivery and security services across on-premises and cloud

Letting you focus on ensuring availability, security and performance for each application.
App-centric strategy

[Diagram: applications placed on a spectrum from limited control to full control and from public cloud to on-premises: SaaS apps; dev & test; external websites; packaged apps; mobile apps; custom LOB apps (HR, Acct.); ERP, CRM.]
Shared responsibility in Amazon AWS

The idea behind this is to educate customers that they still need to be responsible for a large proportion of the services required to deliver applications in the cloud.
[Figure: AWS Shared Responsibility Model]

Shared responsibility in Microsoft Azure

The idea behind this is to educate customers that they still need to be responsible for a large proportion of the services required to deliver applications in the cloud.
[Figure: Azure Shared Responsibility Model]
[Diagram: an identity control platform backed by Active Directory, fronting multiple apps.]
Use case: seamless global app experience / disaster recovery

Requirements:
• Application availability and performance
• Location-based and contextual user access
• Active-active deployment for cost efficiency
• Insight and visibility into application traffic

Recommended application delivery services (the data center and the cloud provider each run DNS, L4-L7 services, compute and storage, connected by VPN, with DNS orchestration across both):
• Local and global load balancing
• DNS
• SSL VPN or IPsec tunnel
• Access & identity
• Consistent DevOps + management tools

Key benefits:
• Seamless customer experience
• Secured and optimized site-to-site connectivity
• Advanced application health monitoring
Traditional versus new

Traditional: on-premises servers with a single strategic control point. New: on-premises, cloud interconnection and public/private cloud servers with distributed strategic control points. Application services delivered as virtual edition, hardware, as-a-service (aaS) and containers.