LOCKING THE DOOR IN THE CLOUDS
Tzoori Tamam
Sr. Field Sales Engineer
tzoori@f5.com
F5 Overview
[Chart: annual revenue, $Thousands, axis 0 to 400,000]
• Publicly traded on NASDAQ
• 3,000+ employees
• IPO in 1999
• F5 Networks is the leading provider of application and data delivery networking
• Our products sit at strategic points of control in any infrastructure
• Fiscal Year 2012 Revenue: US$1.38B (1,380,000,000)
Local Snapshot
Israel:
• 120+ Local Employees
• Increasing country presence
• 2012 – Acquired Traffix Systems
• Strong regional channel
• Over 400 IL Customers
Full Proxy Security
[Diagram: client-side and server-side stacks (Physical, Network, Session, Application, Web application) on either side of the full proxy]
• L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation
• SSL inspection and SSL DDoS mitigation
• HTTP proxy, HTTP DDoS and application security
• Application health monitoring and performance anomaly detection
F5’s Approach
[Diagram: the same client/server layer stacks and full proxy capabilities as the previous slide (L4 firewall, SSL inspection, HTTP proxy, application health monitoring), labelled Full Proxy Security, High-performance HW, iRules, iControl API]
• TMOS traffic plug-ins
• High-performance networking microkernel
• Powerful application protocol support
• iControl—External monitoring and control
• iRules—Network programming language
[Diagram: traffic management microkernel acting as the proxy, with client-side and server-side protocol stacks of IPv4/IPv6, TCP, SSL, HTTP (OneConnect on the server side); optional modules (APM, Firewall, …) plug in for all F5 products and solutions]
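The slides above describe the full proxy as two separate connections with the request inspected in between. The following is an added example (not from the deck and not F5 code) of what that inspection stage looks like for HTTP: the bytes read from the client-side connection are parsed strictly, checked against a default-deny policy, and only then re-serialized onto the server-side connection. The hostname, method allowlist and size limits are hypothetical values chosen for the example.

```python
"""Request-inspection stage of an HTTP full proxy: the client's TCP connection ends on the
proxy, the request head is parsed and checked against a default-deny policy, and only a
request that passes is re-serialized onto a separate server-side connection. Added example
in Python; the policy values are constructed for illustration, not an F5 configuration."""

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
SERVED_HOSTS = {"app.example.test"}      # hypothetical virtual server hostname
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive", "upgrade", "te"}
MAX_HEADER_BYTES, MAX_HEADERS = 8192, 64


class Rejected(Exception):
    """Raised when the request is dropped on the client side; nothing reaches the server."""


def parse_request_head(raw):
    """Parse request line and headers from bytes read off the client socket (strict, no folding)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise Rejected("incomplete header block")
    if len(head) > MAX_HEADER_BYTES:
        raise Rejected("header block too large")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        raise Rejected("malformed request line")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise Rejected("obsolete header folding")
        name, colon, value = line.partition(b":")
        if not colon or not name or b" " in name or b"\t" in name:
            raise Rejected("malformed header line")
        try:
            headers.append((name.decode("ascii").lower(), value.strip().decode("latin-1")))
        except UnicodeDecodeError:
            raise Rejected("non-ASCII header name")
    if len(headers) > MAX_HEADERS:
        raise Rejected("too many headers")
    return method, target, version, headers, body


def inspect(raw):
    """Default-deny policy over the parsed request; returns the bytes to send to the server."""
    method, target, version, headers, body = parse_request_head(raw)
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise Rejected("unsupported HTTP version")
    if method not in ALLOWED_METHODS:
        raise Rejected(f"method {method} not allowed")
    if not target.startswith("/") or "/../" in target + "/":
        raise Rejected("request target not an origin-form path")
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1 or hosts[0].lower() not in SERVED_HOSTS:
        raise Rejected("unknown or ambiguous Host")
    names = [n for n, _ in headers]
    if "content-length" in names and "transfer-encoding" in names:
        raise Rejected("ambiguous message length")      # the server must never see both
    lengths = {v for n, v in headers if n == "content-length"}
    if lengths and (len(lengths) != 1 or not next(iter(lengths)).isdigit()):
        raise Rejected("invalid Content-Length")
    if lengths and int(next(iter(lengths))) != len(body):
        raise Rejected("body length does not match Content-Length")
    return build_server_request(method, target, headers, body)


def build_server_request(method, target, headers, body):
    """The server-side connection gets a freshly serialized request, never the client's raw bytes."""
    kept = [(n, v) for n, v in headers if n not in HOP_BY_HOP]
    kept.append(("connection", "close"))   # the proxy owns server-side connection semantics
    lines = [f"{method} {target} HTTP/1.1"] + [f"{n}: {v}" for n, v in kept]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


SAMPLES = {  # constructed client requests as read from the client-side socket
    "ok": b"GET /reports?id=7 HTTP/1.1\r\nHost: app.example.test\r\nConnection: keep-alive\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: app.example.test\r\n\r\n",
    "wrong_host": b"GET / HTTP/1.1\r\nHost: other.example.test\r\n\r\n",
    "ambiguous_length": (b"POST /upload HTTP/1.1\r\nHost: app.example.test\r\nContent-Length: 5\r\n"
                         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "folded_header": b"GET / HTTP/1.1\r\nHost: app.example.test\r\n X-Extra: 1\r\n\r\n",
}


def run_samples():
    """Apply the policy to every constructed sample; returns 'forwarded' or the rejection reason."""
    out = {}
    for name, raw in SAMPLES.items():
        try:
            inspect(raw)
            out[name] = "forwarded"
        except Rejected as err:
            out[name] = str(err)
    return out
```

The point of the design is that the server never sees the client's bytes: a request that fails parsing or policy is rejected before a server-side connection is used at all, and a request that passes is rebuilt by the proxy with its own connection semantics, which is what makes the full proxy the enforcement point for every layer the slides list.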
Maintaining Security Is Challenging
Webification of apps • Device proliferation • Evolving security threats • Shifting perimeter
• 71% of internet experts predict most people will do work via web or mobile by 2020.
• 95% of workers use at least one personal device for work.
• 130 million enterprises will use mobile apps by 2014.
• 58% of all e-theft tied to activist groups.
• 81% of breaches involved hacking.
• 80% of new apps will target the cloud.
• 72% of IT leaders have or will move applications to the cloud.
Who’s Requesting Access?
IT challenged to:
• Control access based on user-type and role
• Unify access to all applications
• Provide fast authentication and SSO
• Audit and report access and application metrics
Manage access based on identity: Employees, Partner, Customer, Administrator
BIG-IP Access Policy Manager (APM)
Unified access and control for BIG-IP
BIG-IP® APM features:
• Centralizes single sign-on and access control services
• Full proxy L4 – L7 access control at BIG-IP speeds
• Adds endpoint inspection to the access policy
• Visual Policy Editor (VPE) provides policy-based access control
• VPE Rules—programmatic interface for custom access policies
• Supports IPv6
BIG-IP® APM ROI benefits:
• Scales to 100K users on a single device
• Consolidates auth. infrastructure
• Simplifies remote, web and application access control
*AAA = Authentication, authorization and accounting (or auditing)
BIG-IP APM Use Cases
• SSL VPN
• SSO
• Organization
• Cloud
• Websites
• Strong Authentication (N Factor)
• VDI
What is the problem?
• Users authenticate to their enterprise, but more and more resources are hosted elsewhere….
• How do we maintain control of those credentials, policies and their lifecycle?
What is SAML?
• Security Assertion Markup Language
• Solid standard, current version 2.0 (March 2005)
• Strong commercial and open source support
• “An XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider (SP).”
What is SAML? Now in English
• It’s ‘Internet/Web’ SSO
• Eliminates the need for multiple passwords/password databases in multiple locations
• Enables the enterprise in the ‘Cloud’
SAML – SSO Redirect Post
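The slide names the two browser bindings used for SAML web SSO: the Redirect binding carries the AuthnRequest from the service provider to the identity provider, and the POST binding carries the signed Response back. Below is an added example (not from the deck, not F5 code) of the service-provider side in Python: encoding the request for the Redirect binding, then the checks an SP must make on the POSTed Response before it trusts the assertion (status, Destination, InResponseTo against an outstanding request, issuer, validity window with clock skew, AudienceRestriction, SubjectConfirmationData). The entity IDs, URLs and the sample Response are constructed for the example, and the XML-DSig signature verification is assumed to have been done by an XML-signature library before these checks; it is not implemented here.

```python
"""SP side of SAML 2.0 browser SSO: AuthnRequest over the HTTP-Redirect binding, Response over
the HTTP-POST binding, and the checks an SP applies before trusting the assertion. Constructed
example: entity IDs, URLs and the sample Response are made up, not taken from any deployment."""
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.test/metadata"  # hypothetical SP entity ID
SP_ACS_URL = "https://sp.example.test/saml/acs"    # hypothetical assertion consumer service URL
IDP_ENTITY_ID = "https://idp.example.test/idp"     # hypothetical IdP entity ID
IDP_SSO_URL = "https://idp.example.test/sso"       # hypothetical IdP single sign-on endpoint
CLOCK_SKEW = timedelta(minutes=3)                  # tolerated IdP/SP clock drift

def saml_time(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")           # xs:dateTime in UTC
def parse_time(s): return datetime.fromisoformat(s.replace("Z", "+00:00"))

def build_redirect_url(request_id, now):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode into ?SAMLRequest=.
    The SP stores request_id so it can match the Response's InResponseTo later."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{saml_time(now)}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE without zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    return f"{IDP_SSO_URL}?SAMLRequest={quote(base64.b64encode(deflated).decode(), safe='')}"

def decode_redirect_param(value):
    """What the IdP does on receipt: URL-decode, base64-decode, inflate."""
    return zlib.decompress(base64.b64decode(unquote(value)), -15).decode()

def validate_response(response_xml, expected_request_id, now):
    """Checks before trusting a POSTed Response. Precondition: the ds:Signature over the assertion
    was verified against the IdP certificate by an XML-DSig library (not implemented here); this
    function only refuses an unsigned assertion. Returns (NameID, attributes) or raises ValueError."""
    root = ET.fromstring(response_xml)
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request (replay or unsolicited)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        raise ValueError("assertion missing or unsigned")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an unexpected IdP")
    cond = assertion.find("saml:Conditions", NS)
    if parse_time(cond.get("NotBefore")) - CLOCK_SKEW > now:
        raise ValueError("assertion not yet valid")
    if now >= parse_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was issued for a different audience")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("SubjectConfirmationData does not match this SP and request")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs

def make_sample_response(request_id, now, audience=SP_ENTITY_ID, lifetime=timedelta(minutes=5)):
    """Constructed IdP Response; its ds:Signature element is a placeholder, not a real signature."""
    nb, na = saml_time(now - timedelta(minutes=1)), saml_time(now + lifetime)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
            f'ID="_r1" Version="2.0" IssueInstant="{saml_time(now)}" Destination="{SP_ACS_URL}" '
            f'InResponseTo="{request_id}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{saml_time(now)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><ds:Signature/>'
            f'<saml:Subject><saml:NameID>alice@example.test</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{request_id}" '
            f'NotOnOrAfter="{na}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement><saml:Attribute Name="department"><saml:AttributeValue>Finance'
            f'</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>'
            f'</samlp:Response>')

def demo_checks():
    """Happy path plus three rejections at a fixed instant; returns the outcome of each by name."""
    now, req_id = datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc), "_sp_req_1"
    url = build_redirect_url(req_id, now)
    req_xml = decode_redirect_param(url.split("SAMLRequest=", 1)[1])
    out = {"request_ok": url.startswith(IDP_SSO_URL) and f'ID="{req_id}"' in req_xml,
           "accepted": validate_response(make_sample_response(req_id, now), req_id, now)}
    cases = {"expired": make_sample_response(req_id, now, lifetime=timedelta(minutes=-10)),
             "wrong_audience": make_sample_response(req_id, now, audience="https://other.example.test"),
             "replayed": make_sample_response("_old_req", now)}
    for name, resp in cases.items():
        try:
            validate_response(resp, req_id, now)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    return out
```

The audience and InResponseTo checks are the ones that matter most for the "resources hosted elsewhere" problem on the previous slide: an assertion issued for another service provider, or one captured from an earlier exchange, must be rejected by this SP even though the IdP's signature on it is valid.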
Use case: CONSOLIDATING APP AUTHENTICATION (SSO)
• Dramatically reduce infrastructure costs; increase productivity
• Provides seamless access to all web resources
• Integrated with common applications
[Diagram: corporate managed device (latest AV software) authenticating via the AAA server; User = Finance is granted access to the Finance expense report app]
Load Balancing AD FS Infrastructure with BIG-IP
[Diagram: Corporate Users; Perimeter Network with AD FS Proxy Farm; Corporate Network with AD FS Farm and Active Directory; Office 365 (SharePoint Online, Exchange Online, Lync Online)]
• Local Traffic Manager
• Intelligent traffic management
• Advanced L7 health monitoring – (Ensures the AD FS service is responding)
• Cookie-based persistence
Load Balancing AD FS with Local Traffic Manager
[Diagram: Corporate Users; Perimeter Network with AD FS Proxy Farm; Corporate Network with AD FS Farm and Active Directory; Office 365 (SharePoint Online, Exchange Online, Lync Online)]
Publishing AD FS with Access Policy Manager
[Diagram: Corporate Users; Corporate Network with AD FS Farm and Active Directory, load balanced with Local Traffic Manager; Office 365 (SharePoint Online, Exchange Online, Lync Online)]
Replacing the AD FS Proxy farm with APM provides:
• Enhanced Security
  • Variety of authentication methods
  • Client endpoint inspection
  • Multi-factor authentication
• Improved User Experience
  • SSO across on-premise and cloud-based applications
  • Single-URL access for hybrid deployments
• Simplified Architecture
  • Removes the AD FS proxy farm layer as well as the need to load balance the proxy farm
Federating with Access Policy Manager and SAML
• Available with version 11.3, APM includes full SAML support
• Ability to act as IdP (Identity Provider) for access to external claims-based resources, including Office 365
• Act as service provider (SP) to facilitate federated access to on-premise applications
• Streamlined architecture (no need for the AD FS architecture)
• Simplified iApp deployment
[Diagram: Corporate Users; Corporate Network with Active Directory; Office 365 (SharePoint Online, Exchange Online, Lync Online)]
tzoori@f5.com
LOCKING DOWN CLOUD ACCESS WITH F5'S FULL PROXY SECURITY


Editor's Notes

  1. F5 is the global leader in Application Delivery Networking, and continues to be a solid provider and customer ally as we continue to grow and expand the entire ADC market.
  2. So one of F5's key differentiators and value-add with regard to security is the fact that we provide it on a full proxy architecture. And the value of a full proxy architecture for those who are not familiar can be analogous to the role that an escrow agent or an escrow officer might play in a real estate transaction. The reason for the escrow officer is to protect the buyer from the seller and the seller from the buyer by acting as an independent third party or a neutral third party to protect the buyer and the seller. And the role of this officer is also to inspect all elements of the transaction before allowing the transaction to be completed, safely and securely. And much in the same way F5's full proxy security looks and examines all elements within the OSI stack, because we are located at strategic points in the network and we are by nature inspecting that traffic, it allows us to understand what's happening and take action on that traffic, from an application perspective, from a session perspective and from a network session perspective, all throughout the stack.
     {NOTE TO SPEAKER: F5 Mitigation Technologies:
     Application: BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
     Session: BIG-IP LTM and GTM: high scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
     Network: BIG-IP LTM: SynCheck, default-deny posture, high-capacity connection table, full proxy traffic visibility, rate-limiting, strict TCP forwarding.
     Network layer bullets: L4 stateful firewall – including TCP checksum checks, fragmentation and reassembly; DDoS mitigation
     Session layer: SSL inspection; SSL DDoS attacks
     Application layer: OWASP top 10; application content scrubbing (S -> C)}
  3. Because we are located at strategic points of the network, and because we take a full proxy approach, performance is absolutely critical: you can imagine all of the traffic traveling through this point being inspected, and it must be done at very high rates of speed. Because F5 combines purpose-built software with purpose-built hardware, we are able to add multiple services on our intelligent services platform with minimal performance degradation, and to do so at a scale much higher than can traditionally be achieved with existing security solutions.
  4. Webification of Apps
     • Demands on scale/performance beyond what traditional networks can handle
     • S&P measured in L4 sessions – a new metric (based on L7) is required
     BYOD: Consumerization of IT forcing businesses to provide access by personal devices
     • Businesses need to secure corporate data and applications on personal devices
     • Employees don’t want the enterprise controlling their personal devices
     • Businesses don’t want personal apps and data traversing the network
     Hybrid Cloud
     • Moving away from the model where all apps live in the corporate data center
     • Access to SaaS or IaaS is currently backhauled through a single enterprise chokepoint
     • Provisioning and deprovisioning of SaaS access decoupled from DC apps
     Evolving Security Threats
     • Additional security infrastructure needed to deal with sophisticated attacks from organized hacktivist groups
     • Multiple instances of security devices needed to deal with HTTP/S at scale
     • Complexity comes with weak interoperability of multiple disparate devices
     • Specific orgs are being specifically targeted
     Sources:
     • Webification of apps: 71% of surveyed Internet technology and social experts predict most work will be done via web-based or mobile apps by 2020: “The future of cloud computing” by Janna Anderson and Lee Rainie, Pew Internet & American Life Project, online: http://pewinternet.org/Reports/2010/The-future-of-cloud-computing.aspx
     • Device Proliferation: 95% of information workers report that they use at least one self-purchased device for work: IDC/Unisys, August 2010, online: http://www.unisys.com/unisys/news/detail.jsp?id=1120000970004210162 ; The number of enterprise customers using mobile-based applications will rise to more than 130 million by 2014: Juniper Research, March 2010, online: http://www.juniperresearch.com/viewpressrelease.php?pr=181
     • Evolving security threats: 58% of all electronic breaches tied to activist groups: “2012 Data Breach Investigations Report,” Verizon Business, online: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf ; 81% of data breaches involved some form of hacking, often the result of weeks of reconnaissance: ibid.
     • Shifting Perimeter: 80% of net new apps will target the cloud: IDC, December 2011, online: http://www.idc.com/getdoc.jsp?containerId=prUS23177411 ; Over 72% of IT decision makers cited that they have or will in the next year move email, web services, storage and collaboration solutions to the public or private cloud: Cisco Systems, May 2012, online: http://www.cisco.com/en/US/solutions/ns1015/2012_Cisco_Global_Cloud_Networking_Survey_Results.pdf
  5. • Add-On Module for BIG-IP Family (For new BIG-IP platforms, e.g. 3600, 3900, 6900, 6900 FIPS, 8900, 8950 and 11050. Available as an add-on module for BIG-IP LTM.)
     • Access Profile for Local Traffic Virtual Servers (Very simple configuration to add an Access Policy to an LTM Virtual. Just select an Access Profile from the pulldown menu under the LTM Virtual configuration page. The rest of the Access Policy is configured under the Access Control left-hand menu, where AAA servers are configured, ACLs and ACEs are defined, and VPE is used to create the visual policy.)
     • APM Policy Engine (This is the advanced policy engine behind the APM add-on for BIG-IP.)
     • Industry Leading Visual Policy Editor (VPE) (See screenshot. Next generation of the visual policy editor, which has been a big selling point for FirePass. Others, e.g. Cisco, have started trying to copy it, but are years behind in this area.)
     • VPE Rules (TCL-based) for Advanced Policies (Ability to edit the iRules-like TCL rules behind the VPE directly, for advanced configurations, or to create all new rules for custom deployments. Tight integration between the VPE rules and TMM iRules, e.g. ability to drive Access Policies via TMM iRules, Access Policy creating new iRules events, etc.)
     • Endpoint Security: More than a dozen different endpoint security checks available (Large number of agents available, e.g. Virtual Keyboard, AV and firewall checks, process, file, and registry checks, extended Windows info, client and machine certificates, etc.) Manage endpoints via Group Policy enforcement and Protected Workspace (Endpoint remediation capabilities like Protected Workspace and Full Armor-based AD Policy enforcement, in addition to Cache Cleaner, redirects to remediation pages, and message and decision boxes.)
     • Authentication and Authorization: Flexible authentication and authorization capabilities via client cert, AD, LDAP, RADIUS, RSA SecurID agents (Broad array of authentication, authorization, and accounting capabilities, including RADIUS accounting.)
     • Access Control: High-Performance Dynamic Layer 4 and Layer 7 (HTTP/HTTPS) ACLs (Role/User-based Access Control engine built directly into TMM, via hudfilters. Supports dynamic assignment and enforcement of layer 4 ACL/firewall capabilities, as well as now supporting dynamic layer-7 HTTP/HTTPS URL-based access controls. High performance, as it is built directly into the dataplane.)
  6. Single sign-on (SSO) – users log in to BIG-IP once and enjoy seamless access to all web resources, leveraging a variety of SSO methods (SAML, Credential Caching, Kerberos) to integrate with common applications. This allows system administrators to provision and de-provision access to applications uniformly, even when apps live in the cloud.
     F5 Helps:
     • Dramatically reduce infrastructure costs; increase productivity
     • Provides seamless access to all web resources
     • Integrated with common applications
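Slide 18 and note 6 describe APM acting as a SAML service provider (SP) or identity provider (IdP). Whatever product sits in the SP role, the security of federated SSO rests on the checks the SP performs on each incoming assertion before it grants a session: the assertion must be signed, come from the expected IdP, be inside its validity window (with bounded clock skew), be addressed to this SP's audience, and not be a replay of an assertion already consumed. The following is an added example, not F5 APM code, showing those checks over a constructed SAML 2.0 assertion with placeholder issuer and audience URLs; the signature itself is only required to be present, since cryptographic verification of XML-DSig is out of scope here and would be done by a dedicated library.

```python
"""SP-side acceptance checks on a SAML 2.0 assertion (added example, not APM code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed values standing in for a real IdP and SP (hypothetical URLs).
IDP_ISSUER = "https://idp.example.invalid/saml"
SP_AUDIENCE = "https://sp.example.invalid/saml/acs"

# Constructed sample assertion, not captured from any real IdP. The signature is a
# placeholder; a real SP verifies it against the IdP's metadata certificate.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_id-0001" Version="2.0"
    IssueInstant="2013-03-01T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-03-01T12:00:00Z" NotOnOrAfter="2013-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.invalid/saml/acs</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Tolerated clock difference between IdP and SP; keep it small.
CLOCK_SKEW = timedelta(seconds=60)


def utc(*args):
    """Build an aware UTC datetime; convenience for callers and tests."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_audience, expected_issuer, now, seen_ids=None):
    """Return (accepted, detail). On acceptance detail is the subject NameID;
    on rejection it is the reason. seen_ids is the SP's store of consumed
    assertion IDs and is updated only when an assertion is accepted."""
    seen_ids = set() if seen_ids is None else seen_ids
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not an Assertion"
    # An unsigned assertion carries no proof of origin; reject before anything else.
    if root.find("ds:Signature", NS) is None:
        return False, "assertion is unsigned"
    assertion_id = root.get("ID")
    if not assertion_id:
        return False, "missing assertion ID"
    if assertion_id in seen_ids:
        return False, "replayed assertion"
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != expected_issuer:
        return False, "unexpected issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return False, "missing validity window"
    if now < parse_saml_time(not_before) - CLOCK_SKEW:
        return False, "assertion not yet valid"
    # NotOnOrAfter is exclusive: an assertion is invalid at exactly that instant.
    if now >= parse_saml_time(not_on_or_after) + CLOCK_SKEW:
        return False, "assertion expired"
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if not audiences:
        return False, "missing AudienceRestriction"
    # An assertion minted for a different SP must never create a session here.
    if expected_audience not in audiences:
        return False, "assertion issued for another SP"
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return False, "missing Subject"
    seen_ids.add(assertion_id)
    return True, subject.strip()


if __name__ == "__main__":
    store = set()
    print(validate_assertion(SAMPLE_ASSERTION, SP_AUDIENCE, IDP_ISSUER, utc(2013, 3, 1, 12, 2), store))
    print(validate_assertion(SAMPLE_ASSERTION, SP_AUDIENCE, IDP_ISSUER, utc(2013, 3, 1, 12, 2), store))
```

The replay store is shared across calls on purpose: an SP that only checks the time window still accepts the same assertion twice within its five-minute life, so consumed IDs must be remembered at least until NotOnOrAfter plus skew has passed. A production SP additionally verifies the XML signature, checks any SubjectConfirmationData Recipient and InResponseTo values, and rejects assertions whose Conditions it does not understand.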