Estrategias de mitigación deamenazas a las aplicaciones.Carlos ValenciaSales Engineer - [email protected] 2017 F5 Networks1

- 2017 F5 Networks2

2017 F5 Networks3

High Performance DNSThe Big PictureDNSDNS / DNS FWNext-GenerationFirewallThreat Intelligence Feed/IPICorporate tAttackersCloud AppsDDoS Attacker (app attacks)CustomerApplication ProtectionNetwork ProtectionRouterL3/L4 DDoS,DNS, SIP DDoSFraudProtectionApplication D/DoSASMNGFWIPS/IDSCloudHybridLocal DDoSL3/L4 ttacks L5-L7 Protection (CPU Intensive)ICMP flood, UDP Flood, SYN Flood, TCP-statefloods GET Flood, Slowloris/slow POST,recursive POST/GET, DOS detection using behavioralanalysis DOS detection using behavioral analysis HTTP DOS: GET Flood, Slowloris/slow POST,recursive POST/GET (DHD Only) OWASP Top 10DNS DOS: DNS amplification, queryflood,dictionary attack, DNS poisoning SQLi/XSS/CSRF/0-day/etcSSL DOS: SSL renegotiation, SSL Flood WAF in general 2017 F5 NetworksWAFL7 DDoSSSLISP may providerudimentary DDoSservicePartnerDDoS Attacker(Volumetric attacks)DC Apps4

Private CloudConsistent PoliciesCloud PortabilityTop SecurityVisibilityLowest TCOF5 BIG-IPDirect ConnectCloud Interconnection /Public CloudTraditional Data Center 2017 F5 Networks5

2017 F5 Networks6

2017 F5 Networks7

2016 F5 lsSIEMAntiVirusDLP28%IDS/IPS 2017 F5 NetworksAPT8

2016 F5 Networks972%2844FirewallsDLPIDS/IPS 2017 F5 NetworksAntiVirusSIEM9

Protection against Web Application vulnerabilitiesCSRFOWASP top 10Forceful browsingWeb scrapingSQL injectionsField manipulationCross-site scriptingCommand injectionBotsCookie manipulationBrute force attacksBuffer overflowsParameter tamperinginformation leakageSession high jackingZero-day attacksClickJackingBusiness logic flawsWAF 2017 F5 Networks10

Traditional FirewallIntrusion PreventionSystems Examines all traffic formalicious app inputs Primarily uses anomalousand signature-baseddetection Some stateful protocolanalysis capabilities Lacks understanding ofL7 protocol logic Doesn’t protect againstall exploitable appvulnerabilitiesLayer 7 security is not addressed by traditional IPS & firewall vendors 2017 F5 Networks11

Secures, federates access to any application, anywhereData CenterPrivate CloudHybrid CloudPublic CloudMulti-factorAuthCorporateuserXYZ Corp.SAMLUsernameIdentityFederationSingle or Multi-PW PINFactor AuthInternetLOGINAppIdentitySTOPSAMLOffice 365Remote users,mobile users,contractors, etc.HackerSalesforceOther SaaSApps User/User Group Endpoint Check Network Location Connection TypeDirectoryServicesAppVDICorporate(L3/L4)Apps MDM/EMM Device PostureSaaS Apps 2017 F5 Networks12

2017 F5 Networks13

F5 Networks 20172016F5 Networks14

SSL 2017 F5 Networks15

F5 Networks 20172016F5 Networks16

2017 F5 Networks17

Next-GenerationFirewallCorporate UsersTier 2Tier 1Network attacks:ICMP flood,UDP flood,SYN floodMultiple ISPstrategyFinancialServicesSSL attacks:SSL renegotiation,SSL floodLegitimateUsersISPa/bDNS attacks:DNS amplification,query flood,dictionary attack,DNS eNetworkand DNSApplicationHTTP attacks:Slowloris,slow tFeed IntelligenceIntelligenceScanner AnonymousProxies 2017 F5 NetworksAnonymousRequestsBotnetAttackersStrategic Point of Control18

DDoS approachCLOUD/HOSTED SERVICEON-PREMISES DEFENSESTRENGTHSSTRENGTHS Completely off-premises so DDoS attackscan’t reach you Amortized defense across thousandsof customers DNS anycast and multiple data centersprotect you Direct control over infrastructure Immediate mitigation with instantresponse and reporting Solutions can be architected toindependently scale of one anotherWEAKNESSESWEAKNESSES Customers pay, whether attacked or not Bound by terms of service agreement Solutions focus on specific layers (not alllayers) Many point solutions in market, fewcomprehensive DDoS solutions Can only mitigate up to max inboundconnection size Deployments can be costly and complex 2017 F5 Networks19

Hybrid DDOS ProtectionCombining the “resilience and scale” of the cloud with the “granularity and alwayson capabilities” of on-premise.Signaling Request for ServiceIP List ManagementCloudOn-PremiseUnified Attack Command Control

DDoS Architecture Scrubbing CenterInspection Toolsprovide input onattacks for TrafficActioner & SOCTraffic Actionerinjects routes andsteers trafficFlow collectionaggregates attackdata from all sourcesScrubbing CenterPortal provides realtime reporting andconfigurationInspection PlaneInspectionToolsetsTraffic ActionerRoute loudManagementData PlaneCopied trafficfor inspectionNetflowNetflowGRE TunnelBGP signalingLegitimateUsersProxyDDoSWAFIP r VRF)L2VPNCustomerVolumetric DDoSprotection, ManagedApplication firewall service,zero-day threat mitigationwith iRulesSwitching mirrorstraffic to InspectionToolsets and RoutinglayerIngress Routerapplies ACLs andfilters trafficNetwork Mitigationremoves advancedL4 attacksProxy Mitigationremoves L7Application attacksEgress Routingreturns good trafficback to customer

2017 F5 Networks22

APPLICATION LAYER ATTACKS90%82%80%TRADITIONAL DDOS 0%9%6%10%0%HTTPDNSHTTPSSMTPSIP/VoIPIRCOtherDNS is the second most targetedprotocol after HTTP.DNS DoS techniques range from: Flooding requests to a given hostReflection attacks against DNSinfrastructureReflect / Amplification attacksDNS Cache Poisoning attempts 2017 F5 Networks“Cybercrime is apersistent threat intoday’s world and,despite best efforts, nobusiness is immune.”Network Solutions20%10%0%Of the customers that mitigate DDoSattacks, many choose a techniquethat inhibits the ability of DNS to doits job DNS is based on UDPDNS DDoS often uses spoofedsourcesUsing an ACL block legitimate clientsDNS attacks use massive volumes ofsource addresses, breaking manyfirewalls.23

CONVENTIONAL DNS THINKINGInternetExternalFirewallDNS LoadBalancingArray of DNSServersInternalFirewallHiddenMaster DNS Performance Add DNSboxes Weak DoS/DDoS Protection Firewall is THE bottleneckPARADIGM SHIFTDNS DELIVERY REIMAGINEDInternetDNSMaster DNSInfrastructureDNS FirewallDNS DDoS ProtectionProtocol ValidationAuthoritative DNSCaching ResolverTransparent CachingHigh Performance DNSSECDNSSEC ValidationIntelligent GSLB 2017 F5 Networks Scalable performance over10M RPS! Strong DoS/DDoS protection Lower CapEx and OpEx24

Data CenterDMZDevicesDNSDNSServersLDNSInternetAppsF5 DNS Firewall Services DNS DDoS mitigation with DNSExpress Protocol inspection and validation DNS record type ACL* Block access to Malicious IPs (DNSFirewall) High performance DNS cache Stateful – Never accepts unsolicitedresponses 2017 F5 Networks ICSA Certified - deployment in the DMZ Scale across devices – IP Anycast Secure responses – DNSSEC DNSSEC responses rate limited Complete DNS control – iRules &Programmability DDoS threshold alerting* DNS logging and reporting Hardened DNS code25

2017 F5 Networks26

Customer BrowserSecuredData rewall 2017 F5 NetworksLeveragingBrowserapplicationbehavior Caching content,disk cookies, history Add-ons, Plug-insHTTP/HTTPSManipulatinguser actions:Embeddingmalware: Social engineering Weak browsersettings Malicious data theft Inadvertent dataloss KeyloggersFramegrabbersData minersMITB / MITMPhishers / Pharmers27

The malware contains code designed toThistriggersthecontentmalware,insertspecificto the browser sessionwhichinjectsadditionalwhen the user accesses specific sitescontent to the browserThis information is sent to thelegitimatewebrequestsserver asThe usertheexpectedloginpage for Wells Fargo*wellsfargo* add field*bankofamerica* add button,replace text*chase* add cc#, pin,remove text send credentialsGeneric malware, such*telebank*asZeus, infects a user’s device*bankquepopulaire* This information is sent tothe configured drop zoneThe user enters the requestedcontent and clicks Go 2017 F5 Networks28

The inclusion of this additionalinput field due to malware willnow triggeran alertHTMLSourceThis page is expected to andand14sixinputscripts fields have only four forms Integrity is basedon the expected number offorms, input fields, and scripts 2017 F5 Networks29

This triggers tomalware to runThe information is encryptedand sent to the web serverThe victim makes a secureconnection to a web sitePasswordrevealer iconThe victim is infectedwith malwareThe victim submitsthe web formThe victim enters datainto the web formThis content canThebe information is also sentto the drop zone in clear textstolen by the malware 2017 F5 Networks30

How HFO Works – FieldWithoutNameHFOObfuscationData centerWeb applicationLTMSec. Appliance 2017 F5 Networks31

MY BANK.COMMy 2017 F5 NetworksGather client details related tothe transactionRun a series of checks toidentify suspicious activityAssign risk score to transactionSend alert based on scoreApply L7 encryption to allcommunications between clientand server32

4. Testspoofed site1. CopywebsiteWebApplicationInternet2. Save copyto computer 2017 F5 Networks3. Upload copyto spoofed siteAlert at each stage of phishingsite development33

2017 F5 Networks34

MSPNative AppServicesServersServersServersCloud InterconnectSaaSServers Servers ServersCorporate Datacenter(s)With Private CloudEach Cloud Provides Siloed Native App Services: Basic, Proprietary, and Inconsistent 2017 F5 Networks35

Your cloud strategy should be an extension of yourdata center strategy: app-centricEnable both network andapplication securityDeliver high applicationavailability; not justinfrastructure availabilityEnsure applicationperformanceCentralize management andorchestration of theapplicationCommerceIdentityDefend againstattacksAnalyticsDatabaseEnsure secureuser accessDeliver ingApplicationGain trafficvisibilityOrchestratetasks centrallyApplicationStreamline app deliveryand security services acrosson-premises and cloudLetting you focus on ensuring availability, security, and performance for each applicationF5 Networks,Inc 2017F5 Networks3636

Limited controlApp-Centric itesDev& testFull controlappsLOB(HR, Acct.)ERP,CRMOn-premises 2017 F5 NetworksCustomappsPublic cloud37

Shared Responsibility in Amazon AWSThe idea behind this is to educate customers that they still need to be responsible for alarge proportion of the services required to deliver applications in the cloud.AWS Shared Responsibility Model 2017 F5 Networks38

Shared Responsibility in Microsoft AzureThe idea behind this is to educate customers that they still need to be responsible for a largeproportion of the services required to deliver application in the cloud.Azure Shared Responsibility Model 2017 F5 Networks39

AppsAppsIdentity Control PlatformAppsActiveDirectory 2017 F5 Networks40

Use CaseDisaster RecoverySeamlessglobal appexperienceRequirements Application availability and performanceDNSOrchestrationDNSL4-L7 ServicesL4-L7 Services Location-based and contextual user accessVPN Active-Active deployment for cost efficiency Insight and visibility into application trafficComputeComputeStorageStorageRecommended application delivery services Local and global load balancing DNSData CenterCloud Provider SSL VPN or IPSec tunnel Access & identityKey benefits: Consistent DevOps Management Tools Seamless customer experience Secured and optimized site to site connectivity Advanced application health monitoring 2017 F5 Networks41

TraditionalNewOn-PremisesServersServersStrategic Control PointCloud InterconnectionPublic/Private CloudServersDistributed Strategic Control PointsApplication ServicesApplicationServices 2017 F5 NetworksVirtual EditionHardwareaaSContainers42

DNS Load Balancing Array of DNS Servers Internal Firewall Hidden Master DNS Authoritative DNS Caching Resolver Transparent Caching DNS Firewall DNS DDoS Protection . Zeus, infects a user’s device The malwa