ICSA Certified Network Firewall for Data Centers
The BIG-IP platform is now ICSA Certified as a Network Firewall. Internet threats are widely varied and multi-layered. Although applications and their data are attackers’ primary targets, many attackers gain entry at the network layer. Internet data centers and public-facing web properties are constant targets for large-scale attacks by hacker/hactivist communities and others looking to grab intellectual property or cause a service outage. Organizations must prepare for the normal influx of users, but they also must defend their infrastructure from the daily barrage of malicious users. Security administrators who manage large web properties are struggling with security because traditional firewalls are not meeting their fundamental performance needs. Dynamic and layered attacks that necessitate multiple-box solutions, add to IT distress. Traditional firewalls can be overwhelmed by their limited ability to scale under a DDoS attack while keeping peak connection performance for valid users, which renders not only the firewalls themselves unresponsive, but the web sites they are supposed to protect. Additionally, traditional firewalls’ limited capacity to interpret context means they may be unable to make an intelligent decision about how to deliver the application while also keeping services available for valid requests during a DDoS attack. Traditional firewalls also lack specialized capabilities like SSL offload, which not only helps reduce the load on the web servers, but enables inspection, re-encryption, and certificate storage. Most traditional firewalls lack the agility to react quickly to changes and emerging threats, and many have only limited ability to provide new services such as IP geolocation, traffic redirection, traffic manipulation, content scrubbing, and connection limiting. An organization’s inability to respond to these threats dynamically, and to minimize the exposure window, means the risk to the overall business is massive. There are several point solutions in the market that concentrate on specific problem areas; but this creates security silos that only make management and maintenance more costly, more cumbersome, and less effective. The BIG-IP platform provides a unified view of layer 3 through 7 for both general and ICSA required reporting and alerts, as well as integration with SIEM vendors. BIG-IP Local Traffic Manager offers native, high-performance firewall services to protect the entire infrastructure. BIG-IP LTM is a purpose-built, high-performance Application Delivery Controller designed to protect Internet data centers. In many instances, BIG-IP LTM can replace an existing firewall while also offering scale, performance, and persistence. Performance: BIG-IP LTM manages up to 48 million concurrent connections and 72 Gbps of throughput with various timeout behaviors, buffer sizes, and more when under attack. Protocol security: The BIG-IP system natively decodes IPv4, IPv6, TCP, HTTP, SIP, DNS, SMTP, FTP, Diameter, and RADIUS. Organizations can control almost every element of the protocols they’re deploying. DDoS prevention capabilities: An integrated architecture enables organizations to combine traditional firewall layers 3 and 4 with application layers 5 through 7. DDoS mitigations: The BIG-IP system protects UDP, TCP, SIP, DNS, HTTP, SSL, and other network attack targets while delivering uninterrupted service for legitimate connections. SSL termination: Offload computationally intensive SSL to the BIG-IP system and gain visibility into potentially harmful encrypted payloads. Dynamic threat mitigation: iRules provide a flexible way to enforce protocol functions on both standard and emerging or custom protocols. With iRules, organizations can create a zero day dynamic security context to react to vulnerabilities for which an associated patch has not yet been released. Resource cloaking and content security: Prevent leaks of error codes and sensitive content. F5 BIG-IP LTM has numerous security features so Internet data centers can deliver applications while protecting the infrastructure that supports their clients and, BIG-IP is now ICSA Certified as a Network Firewall. ps Resources: F5’s Certified Firewall Protects Against Large-Scale Cyber Attacks on Public-Facing Websites F5 BIG-IP Data Center Firewall – Overview BIG-IP Data Center Firewall Solution – SlideShare Presentation High Performance Firewall for Data Centers – Solution Profile The New Data Center Firewall Paradigm – White Paper Vulnerability Assessment with Application Security – White Paper Challenging the Firewall Data Center Dogma Technorati Tags: F5, big-ip, virtualization, cloud computing, Pete Silva, security, icsa, iApp, compliance, network firewall, internet, TMOS, big-ip, vCMPIn 5 Minutes or Less: BIG-IP ASM & Cenzic Scanner
I show you in this special extended edition of In 5 Minutes or Less, how BIG-IP ASM is integrated with Cenzic Hailstorm Scanner for complete website protection. From vulnerability checking to detection to remediation, With a few clicks, you can instantly patch vulnerabilities. ps Resources: BIG-IP Application Security Manager F5 and Cenzic partnership In 5 Minutes or Less Series (22 videos – over 2 hours of In 5 Fun) F5 YouTube ChannelIn 5 Minutes or Less Video - IP Intelligence Service
I show you how to configure the IP Intelligence Service available on BIG-IP v11.2, in 5 Minutes or Less. By identifying relevant IP addresses and leveraging intelligence from cloud-context security solutions, F5's new IP Intelligence service combines valuable information on the latest threats with the unified policy enforcement capabilities of the BIG-IP application delivery platform. Deployed as part of the BIG-IP system, F5’s IP Intelligence service leverages data from multiple sources to effectively gather real-time IP threat information and block connections with those addresses. The service reveals both inbound and outbound communication with malicious IP addresses to enable granular threat reporting and automated blocking, helping IT teams create more effective security policies to protect their infrastructures. ";" alt="" /> In 5 Minutes or Less - IP Intelligence Service A free 30 day evaluation of the IP intelligence service is available. psThe Exec-Disconnect on IT Security
Different Chiefs give Different Security Stories. A recent survey shows that there is a wide gap between CEOs and Chief Security Officers when it comes to the origin and seriousness of security threats. They differ on how they view threats to IT Infrastructure and remain far apart on how to best address an issue that according to analyst reports, costs organizations more than $30 billion annually. The survey of 100 CEOs and 100 CISO (or other C-levels with security responsibility), shows that the discrepancy is often due to lack of communication. 36% of CEOs said that they never get a security report from their CISO and only 27% receive updates on a regular basis. Is it the CISO that doesn’t report back or the CEO that is not interested? Let’s look at some more data. The CISO felt that the biggest threat was from internal (their employees) due to lack of education and attention while the CEO felt that the biggest threat was from the outside, such as phishing attacks. Thus, 61% of CEOs said they did have enough time and resources to adequately train the staff on how to mitigate threats while Only 27% of CISOs felt the same. It’s opposite day. When asked if their IT systems were ‘definitely’ or ‘probably’ under attack without their knowledge, 58% of CISOs said yes while only 26% of CEOs agreeing. The chasm grows. What percentage of each, do you think, said they were very concerned about their IT systems getting hacked? 30 seconds on the clock, please. Don’t peek. Only 15% of CEOs and ‘only’ 62% of CISOs are anxious about breaches. 15%? That’s it? Maybe they have great confidence in their security team…or, they don’t have the information. 65% of CEOs admitted to not having the sufficient data needed to interpret how security threats translate to overall business risk. Wow, the very day-to-day operations. Granted, the CEO is further removed from the specific threats and how they are handled but there is clearly a distance between how each views threats and the company’s ability to successfully mitigate them. Lack of interest or lack of understanding/information? Probably both. An old adage was that a great boss hired people who were good at the things he/she wasn’t so good at. Surround yourself with those who know their areas better. Or maybe there is a culture that you don’t alert the top unless it’s dire, critical or unstoppable. Communication or interest, it is evident that the C-suite isn’t really talking about these critical business issues especially when 3 times as many CEOs worried about losing their jobs following an attack than did CISOs. ps References SECURITY: A LACK OF CEO INSIGHT OR CEO INTEREST? CEOs Lack Visibility Into Origin and Seriousness of Security Threats Talking About Security Bores the Boss, Survey Shows Myth or Fact? Debunking 15 of the Biggest Information Security Myths The CEO/CISO Disconnect InfographicThe Changing Security Threat Landscape Infographic
In conjunction with a new video and a security white paper, this F5 infographic validates the need for organizations to rethink security practices. The global security threat landscape is rapidly evolving and has changed dramatically in ways unfathomable just a few years ago. Due to this growing complexity and the rise of many unknown forces in the battle for information and causes, customers must rethink how they protect their network, applications, and data from ever-changing threats. (you can reuse within your own blogs, etc) ps Resources: F5 Networks Launches Informational Video on the Changing Security Threat Landscape The Changing Threat Landscape – F5 Security Video The Changing Threat Landscape – Infographic A New Firewall for the Data Center – Infonetics Research Paper F5 Security Vignette Series F5 Security Solutions2011 Telly Award Winner - The F5 Dynamic Data Center
Founded in 1978 to honor excellence in local, regional, cable TV commercials along with non-broadcast video and TV programs, The Telly Awards is the premier award honoring the finest film and video productions, groundbreaking web commercials, videos and films, and outstanding local, regional, and cable TV commercials and programs. Produced in conjunction with Connect Marketing, we are proud to share that F5’s video, The Dynamic Data Center, is a Silver Winner for the 32nd Annual Telly Awards. This video sets the stage for IT having to manage multiple networking challenges when faced with a natural disaster causing their data center to shut down. With careful planning, the evolution of the network and application delivery allows the single point of control to automate, provision and secure their virtual and cloud environments. ";" alt="" /> The F5 Dynamic Data Center ps Resources: 32nd Annual Telly Awards - 2011 Silver Winners Telly Awards F5 Security Vignette: Proactive Security F5 Security Vignette: DNSSEC Wrapping F5 Security Vignette: Hacktivism Attack F5 Security Vignette: SSL Renegotiation F5 Security Vignette: Credit Card iRule F5 Security Vignette: Apache HTTP RANGE Vulnerability F5 Security Vignette: iHealth Security is our Job F5 YouTube Feed Technorati Tags: F5, F5 News, dynamic data center, security, performance, availability, video, Telly Award, youtube5 Stages of a Data Breach
One thing I’ve noticed over the last couple years is that there are 5 Stages of a Data Breach: Denial: We do not believe these attacks breached our critical servers. Anger: We want to make it clear that we take security seriously! Bargaining: We’d like to offer our affected customers a credit monitoring service. Depression: We wish we could have done things differently. Acceptance: Well, it just shows that no one is safe from hackers. ps Technorati Tags: F5, cyber-crime, trojan, Pete Silva, security, business, education, 5 stages, cyber war, hackers, breach, verisign, internet, security, privacy,IPS or WAF Dilemma
As they endeavor to secure their systems from malicious intrusion attempts, many companies face the same decision: whether to use a web application firewall (WAF) or an intrusion detection or prevention system (IDS/IPS). But this notion that only one or the other is the solution is faulty. Attacks occur at different layers of the OSI model and they often penetrate multiple layers of either the stack or the actual system infrastructure. Attacks are also evolving—what once was only a network layer attack has shifted into a multi-layer network and application attack. For example, malicious intruders may start with a network-based attack, like denial of service (DoS), and once that takes hold, quickly launch another wave of attacks targeted at layer 7 (the application). Ultimately, this should not be an either/or discussion. Sound security means not only providing the best security at one layer, but at all layers. Otherwise organizations have a closed gate with no fence around it. Often, IDS and IPS devices are deployed as perimeter defense mechanisms, with an IPS placed in line to monitor network traffic as packets pass through. The IPS tries to match data in the packets to data in a signature database, and it may look for anomalies in the traffic. IPSs can also take action based on what it has detected, for instance by blocking or stopping the traffic. IPSs are designed to block the types of traffic that they identify as threatening, but they do not understand web application protocol logic and cannot decipher if a web application request is normal or malicious. So if the IPS does not have a signature for a new attack type, it could let that attack through without detection or prevention. With millions of websites and innumerable exploitable vulnerabilities available to attackers, IPSs fail when web application protection is required. They may identify false positives, which can delay response to actual attacks. And actual attacks might also be accepted as normal traffic if they happen frequently enough since an analyst may not be able to review every anomaly. WAFs have greatly matured since the early days. They can create a highly customized security policy for a specific web application. WAFs can not only reference signature databases, but use rules that describe what good traffic should look like with generic attack signatures to give web application firewalls the strongest mitigation possible. WAFs are designed to protect web applications and block the majority of the most common and dangerous web application attacks. They are deployed inline as a proxy, bridge, or a mirror port out of band and can even be deployed on the web server itself, where they can audit traffic to and from the web servers and applications, and analyze web application logic. They can also manipulate responses and requests and hide the TCP stack of the web server. Instead of matching traffic against a signature or anomaly file, they watch the behavior of the web requests and responses. IPSs and WAFs are similar in that they analyze traffic; but WAFs can protect against web-based threats like SQL injections, session hijacking, XSS, parameter tampering, and other threats identified in the OWASP Top 10. Some WAFs may contain signatures to block well-known attacks, but they also understand the web application logic. In addition to protecting the web application from known attacks, WAFs can also detect and potentially prevent unknown attacks. For instance, a WAF may observe an unusually large amount of traffic coming from the web application. The WAF can flag it as unusual or unexpected traffic, and can block that data. A signature-based IPS has very little understanding of the underlying application. It cannot protect URLs or parameters. It does not know if an attacker is web-scraping, and it cannot mask sensitive information like credit cards and Social Security numbers. It could protect against specific SQL injections, but it would have to match the signatures perfectly to trigger a response, and it does not normalize or decode obfuscated traffic. One advantage of IPSs is that they can protect the most commonly used Internet protocols, such as DNS, SMTP, SSH, Telnet, and FTP. The best security implementation will likely involve both an IPS and a WAF, but organizations should also consider which attack vectors are getting traction in the malicious hacking community. An IDS or IPS has only one solution to those problems: signatures. Signatures alone can’t protect against zero-day attacks for example; proactive URLs, parameters, allowed methods, and deep application knowledge are essential to this task. And if a zero-day attack does occur, an IPS’s signatures can’t offer any protection. However if a zero-day attack occurs that a WAF doesn’t detect, it can still be virtually patched using F5’s iRules until a there’s a permanent fix. A security conversation should be about how to provide the best layered defense. Web application firewalls like BIG-IP ASM protects traffic at multiple levels, using several techniques and mechanisms. IPS just reads the stream of data, hoping that traffic matches its one technique: signatures. Web application firewalls are unique in that they can detect and prevent attacks against a web application. They provide an in-depth inspection of web traffic and can protect against many of the same vulnerabilities that IPSs look for. They are not designed, however, to purely inspect network traffic like an IPS. If an organization already has an IPS as part of the infrastructure, the ideal secure infrastructure would include a WAF to enhance the capabilities offered with an IPS. This is a best practice of layered defenses. The WAF provides yet another layer of protection within an organization’s infrastructure and can protect against many attacks that would sail through an IPS. If an organization has neither, the WAF would provide the best application protection overall. ps Related: 3 reasons you need a WAF even if your code is (you think) secure Web App Attacks Rise, Disclosed Bugs Decline Next-Gen Firewalls Make Old Arguments New Again Why Developers Should Demand Web App Firewalls. Too Dangerous to Enter? Asian IT security study finds enterprises revising strategy to accommodate new IT trends Protecting the navigation layer from cyber attacks OWASP Top Ten Project F5 Case Study: WhiteHat Security Technorati Tags: F5, PCI DSS, waf, owasp, Pete Silva, security, ips, vulnerabilities, compliance, web, internet, cybercrime, web application, identity theftSecurity’s Rough Ride
1 if by land, 2 of by sea, 0 if by IP I know I’ve said this before but it sure seems like almost daily there is a security breach somewhere. Over the years, the thought process has changed from prevent all attacks to, it is inevitable that we will be breached. The massive number of attacks occurring daily makes it a statistical reality. Now organizations are looking for the right solution (both technology and practice) to quickly detect a breach, stop it, identify what occurred and what data may have been compromised. Over the last couple of days various entities have had their security breached. As you are probably already aware either due to the headlines or a direct note in your email inbox, Zappos, a popular online shoe site, was compromised exposing information on 24 million customers. While a good bit of info was taken, like usernames, passwords, addresses, email and other identifiable information, Zappos claims that the stored credit card information was apparently spared due to being encrypted. There are still many details that are unknown like how it occurred and how long it had been exposed but all users are being required to change their passwords immediately. Users might also want to change similar passwords on other websites since I’m sure the criminals are already trying those stolen passwords around the web. These days it's entirely too easy to use information from one hack in many others. It doesn't even matter if passwords were compromised. Your can change your password, but the make and model of your first car, and your mother's maiden name can't be changed. Yet, online service providers continue to rely on these relatively weak forms of secondary authentication. The interesting thing is Zappos is/was apparently PCI-DSS compliant, proving once again, PCI compliance is a first step, not the goal. Being PCI compliance does not mean that one is secure and this also underscores importance of using WAF like BIG-IP ASM. And if it was not a web app that was owned on the server in Kentucky, then Section 6.6 is irrelevant. But again, all the details are still to be uncovered and as far as I know, no-one has claimed responsibility. Overseas, there is an ongoing cyber-war between a Saudi (reported) hacker and Israel. 0xOmar, as news articles have identified him, claims to have posted details of 400,000 Israeli-owned credit cards and Israel’s main credit card companies have admitted that 20,000 cards have been exposed. Along the way, he has also attacked the Tel Aviv Stock Exchange and Bank Massad. In an interesting and potentially scary turn of events, a group of Israeli hackers, IDF-Team, took down the Saudi Stock Exchange (Tadawul) and the Abu Dhabi Securities Exchange (ADX) as a counter-attack. Another Israeli hacker going by Hannibal claims to have 30 million Arab e-mail addresses, complete with passwords (including Facebook passwords), and says he’s received e-mails not only from potential victims but from officials in France and other countries asking him to stop. This cyber-conflict is escalating. In a very different type of breach, you’ve probably also seen the cruise ship laying on it’s side a mere 200 yards from the Italian shore. While not necessarily a data security story, it is still a human security story that, so far, has been attributed to human error – like many data security breaches. Like many data breach victims, people put their trust in another entity. Their internal risk-analysis tells them that it is relatively safe and the probability of disaster is low. But when people make bad decisions which seems the case in this situation, many others are put at greater risk. Put on your virtual life vests, 2012 is gonna be a ride. ps References: Zappos Hacked: What You Need to Know 10 Security Trends To Watch In 2012 Hackers swipe Zappos data; customers should change password Zappos Hack Exposes Passwords Zappos Hacked: Internal Systems Breached in Cyber Attack Delivering Unhappiness Alleged Saudi hacker discloses more Israeli credit card numbers Israeli hackers bring down Saudi, UAE stock exchange websites Cruise disaster: captain neared rocks in Facebook stunt for friend's family Technorati Tags: F5, cyber-crime, trojan, Pete Silva, security, business, education, technology, application delivery, cruise, cyber war, ddos, hackers, iPhone, web, internet, security, breach, privacy, PCI-DSS,F5 Security Vignette Series
Over the last couple weeks, we’ve been rolling out a series of short Security Vignette videos about various IT security challenges. We’ve posted them to the F5News blog account but also wanted to share in case you missed them. If we were going to sum up the role of security in corporate IT today we'd have to say it's to "be prepared." This series looks at many of those security concerns which can be addressed proactively, before they are exploited or become a fire drill. F5 Security Vignette: Proactive Security - The F5 Security Vignette series looks at various security concerns, vulnerabilities and attacks which can cause headaches for Corporate IT and the business integrity overall. This video covers SSL Certificates. F5 Security Vignette: DNSSEC Wrapping - The dirty little secret of the Internet is how insecure DNS really is. The good news is, there's a solution -- DNSSEC. It secures the DNS query and response process. F5 Security Vignette: Hacktivism Attack – DDoS and other targeted attacks. F5 Security Vignette: SSL Renegotiation - The premise of the SSL Renegotiation DOS attack is simple: "An SSL/TLS handshake requires at least 10 times more processing power on the server than on the client". If a client machine and server machine were equal in RSA processing power, the client could overwhelm the server by sending ten times as many SSL handshake requests as the server could service. The counter measure against the attacks was to write an iRule to limit renegotiation requests to 5 per minute per session. F5 Security Vignette: Credit Card iRule - The consequences of exposing hundreds of thousands of customer credit card numbers is unthinkable. Fines, lawsuits, damaged brand -- the effects can be catastrophic. Even if it was accidental, the effect would be the same. F5 Security Vignette: Apache HTTP RANGE Vulnerability - When we hear about an Apache vulnerability, it gets our attention. In this case the issue was the way Apache handles HTTP RANGE headers, which are used to request individual sub-ranges of a given response, instead of the entire response. The problem is that responding to an HTTP RANGE request is computationally expensive. A simple iRule fixes this. F5 Security Vignette: iHealth - Security is a never ending battle. The bad guys advance, we counter, they cross over ... you're just never done. To give our side an edge we do a lot of research. Security is our Job F5 YouTube Feed ps Technorati Tags: F5, cyber security, predictions, 2012, Pete Silva, security, mobile, vulnerabilities, crime, social media, hacks, internet, identity theft, F5 News, security, web application security, apache, HTTP, threat mitigation, video
