F5 安全解决方案全集-02

F5NETWORKS•INTERNATIONALSALESCONFERENCE•THETIMEISNOWF5networks相关安全解决方案Fredwu2®BREAKOUTSESSION•THETIMEISNOW利用OCSP将客户端撤消BIG-IPusesthecertificateID•hashalgorithmusedtocreateID•hashofcertificateissuer’sdn•hashofissuer’spublickey•clientcert’sserialnumberClientinitiatesSSLconnectionBIG-IPrequestsclientcertificateClientsendscertificateQueryusingcertificateIDReplywithuserinformation(ifuserexists)Ifreplyisgood(userexists)-SSLconnectionisgood-ProcessclientrequestIfreplyisbad(nouser/nomatch)-SSLconnectionisbad-SeverconnectionorredirecttoalternatepoolBIG-IPOCSPResponderClientWebServers*OnlineCertificateStatusProtocolNewin4.5PTF043®BREAKOUTSESSION•THETIMEISNOW利用iRules进行应用过滤及计费1.Checkforappropriatecontentinthepayload2.Ifvalidlogevent.3.Ifnotvalid,“account”forthetransaction.4.Anddiscardit.Itdoesn’tevenhittheback-endsystem.Newin4.54®BREAKOUTSESSION•THETIMEISNOWWebServices(XMLSwitching)•XML开始成为B2B的标准,•很多公司希望通过请求中的XML标签来进行XML的交换•例如:请求中有billing标记的会到采购和付费的系统中,而order就导向到其他的系统中.5®BREAKOUTSESSION•THETIMEISNOW安全系统的高可用性网络安全性设备安全性应用安全性自适应安全性6®BREAKOUTSESSION•THETIMEISNOW设备安全性•Hardened/CustomBIG-IPkernel–Built-inmechanismagainstSYNandACKFloodbylimitingsimultaneousconnectionsandtearingdownunacknowledgedSYN/ACK–Sourcefilesnotaccessible–Stringentsourcefilereview•MD5checksumsoneveryinstallationusingIM•SecureAdministration–SSL–SSH(ProductincludesSSHclientsforWindows/Mac/UNIX)–Configurableadministrationconsoleaddresses–Optionallyallowonlyonout-of-bandinterface–RolesandManagementbeingenhancedbyiControlServicesManager7®BREAKOUTSESSION•THETIMEISNOWAdd-onCardPentiumSubsystem设备安全性:FIPS140-2Level3•UtilizesnCiphertechnology–Hardwarecryptomodule–KeymanagementsoftwareSymmetricCryptoSSLProcessingHTTPProxyTCPTerminationSecretKeysKeyMgmt.AsymmetricCryptoAdd-onCardPentiumSubsystemSymmetricCryptoSSLProcessingHTTPProxyTCPTerminationSecretKeysKeyMgmt.AsymmetricCryptoTamper-proofmoduleNormalBIG-IPSSLGatewayFIPS-140compliantBIG-IPSSLGateway8®BREAKOUTSESSION•THETIMEISNOW安全系统高可用性网络安全性设备安全性应用安全性自适应安全性9®BREAKOUTSESSION•THETIMEISNOW动态安全控制架构Web&ApplicatonServersIntrusionDetectionSystemsSlammerwormdetected.BlockUDPtrafficcontainingh.dllhckkerniControlMessageLoadNewiRule:DropUDPpacketscontainingh.dllhckkernWithBIG-IP:Administrativesavings,proactiveresponseandcoordination10®BREAKOUTSESSION•THETIMEISNOWF5BIG-IP可助您实现安全系统的高可用性网络安全性设备安全性应用安全性自适应安全性11®BREAKOUTSESSION•THETIMEISNOW普通安全性驱动HIPAA(HealthInformationPortabilityandAccountingAct):TheSecurityRules3.技术安全服务1.访问控制-providingcontrolslimitingaccesstohealthinformationtothosewithvalidneedsandauthorization.2.跟踪监视控制-settingupsystemmechanismsthatrecordandmonitoractivity3.授权控制-obtainingandtrackingtheconsentsofpatientsforuseanddisclosureoftheirhealthinformation.4.数据认证-ensuringthatdataisnotaltered,destroyedorinappropriatelyprocessed5.资格认证-employingmechanismssuchasautomaticlogoff,passwords,PINsandbiometrics,whichidentifyauthorizedusersanddenyaccesstounauthorizedusers.12®BREAKOUTSESSION•THETIMEISNOW普通安全性驱动HIPAA:TheSecurityRules4.技术安全机制1.整体控制-internalverificationthatdatathatisbeingstoredortransmittedisvalid.1.信息认证-assurancethatthemessagessentandreceivedarethesamemessages.2.访问控制-EitherAccessControlssuchasdedicated,securecommunicationlines–orEncryption—transformingtextintounintelligibleciphersthruuseofspecialalgorithmprocesses.3.网络控制-Ifusinganetwork,protectionsmustalsoincludeAlarms,AuditTrails,EntityAuthenticationandEventReporting.13®BREAKOUTSESSION•THETIMEISNOWApplicationServersWebServersEnterpriseSystemsInternetSolutionisacoordinatedarchitectureandmanylayersofprotectionVPNs1.普通安全性驱动–HIPAA解决方案IntrusionDetectionVirusScanningApplicationFirewallsLDAPValidationAuthoritySingleSign-OnACL&EncryptionFunctionsEmployed•SSLandFIPS•AAAforclientsandservers•UIE,iRule,andClassListsResult:Avoidanceoffines,regulatorycompliance,maxuptime,customerconfidence14®BREAKOUTSESSION•THETIMEISNOWSlammerWormApplicationServersMicrosoftSQLWebServers2.攻击安全驱动–针对蠕虫病毒的解决方案MobileApplicationsSecuritySystems(IDS,VirusScanning,Firewalls)RULEsql_rule{if(ip_protocol==17){if(server_port==1434){if(substr(udp_content,0,1)==0x04){if(udp_contentcontainsh.dllhel32hkern){logSQLwormdetectedfrom${client_addr}discard}else{logSQLconnectione1from${client_addr}usepoolweb_servers}}else{logSQLconnectione2from${client_addr}usepoolweb_servers}}else{logSQLconnectione3from${client_addr}usepoolweb_servers}}else{logSQLconnectione4from${client_addr}usepoolweb_servers}}FunctionsEmployed•UIE,iRules,Logging,FilteringResult:MinimizeddowntimeandfutureexposureMoreflexiblethanaFirewall.Logfrombigip.log:Feb1914:46:04:RULEsql_rule-SQLwormdetectedfrom68.192.81.3415®BREAKOUTSESSION•THETIMEISNOWBusinessNeeds:AWestCoastmanufacturerwantedtodevelopasecurewebinterfacetotheirsystemsfortheirsupplierstoreplacepaper/fax/phone.Problem:Requiredapplicationstoundergocustomdevelopmenttoprovidesecureaccesstoinformation–est.costwas$2-$3million.3.新技术安全驱动:以前的Web服务解决方案Required11stepprocesstobe‘coded’intoeachapplicationEnterpriseAEnterpriseBOutboundInboundServerServerServerServerEnterpriseC1,2,3,45,6,7,8,9,10,111,2,3,4