F5 Networks is a leading provider of application delivery and security solutions with over $1.38 billion in revenue in 2012. They have over 3,000 employees globally including 120+ in Israel. Their products provide load balancing, traffic management, and proxy-based security. They can offload SSL processing and provide web application firewall capabilities. F5 also offers solutions for single sign-on and access control through their BIG-IP Access Policy Manager product which supports SAML for federated authentication. BIG-IP APM can consolidate authentication infrastructure and simplify remote access policies for organizations adopting cloud applications.
3. Local Snapshot
Israel:
• 120+ Local Employees
• Increasing country presence
• 2012 – Acquired Traffix Systems
• Strong regional channel
• Over 400 IL Customers
4. Full Proxy Security
Diagram: client-side and server-side stacks (Physical, Network, Session, Application, Web application) with the full proxy between client and server. Controls listed against the stack:
• L4 firewall: full stateful policy enforcement and TCP DDoS mitigation
• SSL inspection and SSL DDoS mitigation
• HTTP proxy, HTTP DDoS and application security
• Application health monitoring and performance anomaly detection
5. F5’s Approach
• TMOS traffic plug-ins
• High-performance networking microkernel
• Powerful application protocol support
• iControl—External monitoring and control
• iRules—Network programming language
Diagram: TMOS architecture. A traffic management microkernel acts as a full proxy between the client side and the server side, with protocol plug-ins (IPv4/IPv6, TCP, SSL, HTTP, OneConnect), iRules and the iControl API running on high-performance hardware (Full Proxy Security). Optional modules (APM, Firewall, …) plug in for all F5 products and solutions.
6. Maintaining Security Is Challenging
Four drivers: webification of apps, device proliferation, evolving security threats, shifting perimeter.
• 71% of internet experts predict most people will do work via web or mobile by 2020.
• 95% of workers use at least one personal device for work.
• 130 million enterprises will use mobile apps by 2014.
• 58% of all e-theft tied to activist groups.
• 81% of breaches involved hacking.
• 80% of new apps will target the cloud.
• 72% of IT leaders have or will move applications to the cloud.
7. Who’s Requesting Access?
IT challenged to:
• Control access based on user-type and role
• Unify access to all applications
• Provide fast authentication and SSO
• Audit and report access and application metrics
Manage access based on identity
Diagram: user types – Employees, Partners, Customers, Administrators
8. BIG-IP® APM features:
• Centralizes single sign-on and access control services
• Full proxy L4 – L7 access control at BIG-IP speeds
• Adds endpoint inspection to the access policy
• Visual Policy Editor (VPE) provides policy-based access control
• VPE Rules—programmatic interface for custom access policies
• Supports IPv6
BIG-IP® APM ROI benefits:
• Scales to 100K users on a single device
• Consolidates auth. infrastructure
• Simplifies remote, web and application access control
*AAA = Authentication, authorization and accounting (or auditing)
BIG-IP Access Policy Manager (APM)
Unified access and control for BIG-IP
10. What is the problem?
• Users authenticate to their enterprise, but more and more resources are hosted elsewhere…
• How do we maintain control of those credentials, policies and their lifecycle?
11. What is SAML?
• Security Assertion Markup Language
• Solid standard; current version 2.0 (March 2005)
• Strong commercial and open source support
• “An XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider (SP).”
12. What is SAML? Now in English
• It’s ‘Internet/Web’ SSO
• Eliminates the need for multiple passwords/password databases in multiple locations
• Enables the enterprise in the ‘Cloud’
14. Use case: Consolidating App Authentication (SSO)
• Dramatically reduce infrastructure costs; increase productivity
• Provides seamless access to all web resources
• Integrated with common applications
Diagram labels: AAA server; corporate-managed device with the latest AV software; expense report app (Finance); User = Finance.
15. Load Balancing AD FS Infrastructure with BIG-IP
Diagram: Corporate Network (AD FS Farm, Active Directory, Corporate Users); Perimeter Network (AD FS Proxy Farm); Office 365 (SharePoint Online, Exchange Online, Lync Online).
• Local Traffic Manager
• Intelligent traffic management
• Advanced L7 health monitoring – (Ensures the AD FS service is responding)
• Cookie-based persistence
16. Load Balancing AD FS with Local Traffic Manager
Diagram: Corporate Network (AD FS Farm, Active Directory, Corporate Users); Perimeter Network (AD FS Proxy Farm); Office 365 (SharePoint Online, Exchange Online, Lync Online).
17. Publishing AD FS with Access Policy Manager
Diagram: Corporate Network (AD FS Farm load balanced with Local Traffic Manager, Active Directory, Corporate Users); Office 365 (SharePoint Online, Exchange Online, Lync Online); no separate perimeter proxy farm.
Replacing the AD FS Proxy farm with APM provides:
• Enhanced Security
  – Variety of authentication methods
  – Client endpoint inspection
  – Multi-factor authentication
• Improved User Experience
  – SSO across on-premises and cloud-based applications
  – Single-URL access for hybrid deployments
• Simplified Architecture
  – Removes the AD FS proxy farm layer as well as the need to load balance the proxy farm
18. Federating with Access Policy Manager and SAML
• Available with version 11.3, APM includes full SAML support
• Ability to act as Identity Provider (IdP) for access to external claims-based resources, including Office 365
• Ability to act as Service Provider (SP) to facilitate federated access to on-premises applications
• Streamlined architecture (no need for the AD FS architecture)
• Simplified iApp deployment
Diagram: Corporate Network (Active Directory, Corporate Users); Office 365 (SharePoint Online, Exchange Online, Lync Online).
tzoori@f5.com
Editor's Notes
F5 is the global leader in Application Delivery Networking, and continues to be a solid provider and customer ally as we continue to grow and expand the entire ADC market.
So one of F5's key differentiators and value-add with regard to security is the fact that we provide it on a full proxy architecture. The value of a full proxy architecture, for those who are not familiar, is analogous to the role that an escrow agent or escrow officer plays in a real estate transaction. The escrow officer protects the buyer from the seller and the seller from the buyer by acting as an independent, neutral third party, and also inspects all elements of the transaction before allowing it to be completed, safely and securely. In much the same way, F5's full proxy security examines all elements within the OSI stack: because we are located at strategic points in the network and are by nature inspecting that traffic, we can understand what is happening and take action on that traffic from an application perspective, from a session perspective and from a network perspective, all throughout the stack.
{NOTE TO SPEAKER: F5 mitigation technologies:
Application: BIG-IP ASM – positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
Session: BIG-IP LTM and GTM – high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
Network: BIG-IP LTM – SynCheck, default-deny posture, high-capacity connection table, full proxy traffic visibility, rate-limiting, strict TCP forwarding
Network layer bullets: L4 stateful firewall, including TCP checksum checks, fragmentation and reassembly; DDoS mitigation
Session layer: SSL inspection; SSL DDoS attacks
Application layer: OWASP Top 10; application content scrubbing (S -> C)}
Because we are located at strategic points in the network, and because we take a full proxy approach, performance is absolutely critical: all of the traffic travelling through this point is being inspected, and that must be done at very high speed. Because F5 combines purpose-built software with purpose-built hardware, we are able to add multiple services on our intelligent services platform with minimal performance degradation, and to do so at a scale much higher than can traditionally be achieved with existing security solutions.
Webification of apps: demands on scale/performance beyond what traditional networks can handle. S&P measured in L4 sessions – a new metric (based on L7) is required.
BYOD: consumerization of IT forcing businesses to provide access from personal devices. Businesses need to secure corporate data and applications on personal devices. Employees don’t want the enterprise controlling their personal devices. Businesses don’t want personal apps and data traversing the network.
Hybrid cloud: moving away from the model where all apps live in the corporate data center. Access to SaaS or IaaS is currently backhauled through a single enterprise chokepoint. Provisioning and deprovisioning of SaaS access is decoupled from DC apps.
Evolving security threats: additional security infrastructure needed to deal with sophisticated attacks from organized hacktivist groups. Multiple instances of security devices needed to deal with HTTP/S at scale. Complexity comes with weak interoperability of multiple disparate devices. Specific orgs are being specifically targeted.
Sources:
Webification of apps: 71% of surveyed Internet technology and social experts predict most work will be done via web-based or mobile apps by 2020. “The future of cloud computing” by Janna Anderson and Lee Rainie, Pew Internet & American Life Project, online: http://pewinternet.org/Reports/2010/The-future-of-cloud-computing.aspx
Device proliferation: 95% of information workers report that they use at least one self-purchased device for work. IDC/Unisys, August 2010, online: http://www.unisys.com/unisys/news/detail.jsp?id=1120000970004210162
The number of enterprise customers using mobile-based applications will rise to more than 130 million by 2014. Juniper Research, March 2010, online: http://www.juniperresearch.com/viewpressrelease.php?pr=181
Evolving security threats: 58% of all electronic breaches tied to activist groups. “2012 Data Breach Investigations Report,” Verizon Business, online: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
81% of data breaches involved some form of hacking – often the result of weeks of reconnaissance: ibid.
Shifting perimeter: 80% of net new apps will target the cloud. IDC, December 2011, online: http://www.idc.com/getdoc.jsp?containerId=prUS23177411
Over 72% of IT decision makers cited that they have or will in the next year move email, web services, storage and collaboration solutions to the public or private cloud. Cisco Systems, May 2012, online: http://www.cisco.com/en/US/solutions/ns1015/2012_Cisco_Global_Cloud_Networking_Survey_Results.pdf
Add-On Module for BIG-IP Family (For new BIG-IP platforms, e.g. 3600, 3900, 6900, 6900 FIPS, 8900, 8950 and 11050. Available as an add-on module for BIG-IP LTM.)
Access Profile for Local Traffic Virtual Servers (Very simple configuration to add an Access Policy to an LTM Virtual: just select an Access Profile from the pulldown menu under the LTM Virtual configuration page. The rest of the Access Policy is configured under the Access Control left-hand menu, where AAA servers are configured, ACLs and ACEs are defined, and VPE is used to create the visual policy.)
APM Policy Engine (This is the advanced policy engine behind the APM add-on for BIG-IP.)
Industry Leading Visual Policy Editor (VPE) (See screenshot. Next generation of the visual policy editor, which has been a big selling point for FirePass. Others, e.g. Cisco, have started trying to copy it, but are years behind in this area.)
VPE Rules (TCL-based) for Advanced Policies (Ability to edit the iRules-like TCL rules behind the VPE directly, for advanced configurations, or to create all-new rules for custom deployments. Tight integration between the VPE rules and TMM iRules – e.g. ability to drive Access Policies via TMM iRules, Access Policy creating new iRules events, etc.)
Endpoint Security
More than a dozen different endpoint security checks available (Large number of agents available, e.g. Virtual Keyboard, AV and firewall checks, process, file and registry checks, extended Windows info, client and machine certificates, etc.)
Manage endpoints via Group Policy enforcement and Protected Workspace (Endpoint remediation capabilities like Protected Workspace and Full Armor-based AD Policy enforcement, in addition to Cache Cleaner, redirects to remediation pages, and message and decision boxes.)
Authentication and Authorization
Flexible authentication and authorization capabilities via client cert, AD, LDAP, RADIUS, RSA SecurID agents (Broad array of authentication, authorization and accounting capabilities, including RADIUS accounting.)
Access Control
High-Performance Dynamic Layer 4 and Layer 7 (HTTP/HTTPS) ACLs (Role/user-based access control engine built directly into TMM, via hudfilters. Supports dynamic assignment and enforcement of layer 4 ACL/firewall capabilities, as well as now supporting dynamic layer 7 HTTP/HTTPS URL-based access controls. High performance as it is built directly into the dataplane.)
Single sign-on (SSO) – users log in to BIG-IP once and enjoy seamless access to all web resources, leveraging a variety of SSO methods (SAML, Credential Caching, Kerberos) to integrate with common applications. This allows system administrators to provision and de-provision access to applications uniformly, even when apps live in the cloud.
F5 Helps:
• Dramatically reduce infrastructure costs; increase productivity
• Provides seamless access to all web resources
• Integrated with common applications