2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Today, the large number of traditional stateful security devices at the edge of the data center face attacks that are increasingly complex, frequent, and diverse. A new data center architecture built on the firewall services of the F5 BIG-IP LTM Local Traffic Manager can not only resist modern attacks effectively but also save substantial construction costs (CapEx).
Brief introduction
In most enterprises, firewalls are the first line of defense for network and application services. Firewalls have always been the primary foundation of traditional network security architecture. Effective protection of critical business services is accomplished mainly through access control performed by the data center firewall, a simple and powerful access control tool.
Traditional architecture has matured, so many security standards require the deployment of certified firewalls. For example, any data center that processes credit card numbers must comply with the Payment Card Industry (PCI) standard, which requires the installation of a network firewall. The accepted standard referenced by PCI auditors is the network firewall standard of the International Computer Security Association (ICSA), which defines a small number of firewalls that may be used to process credit cards. This compliance requirement underlines the importance of a mature data center firewall architecture.
But maturity means longer use, and data center firewalls have begun to show their limitations in detecting and defending against modern attacks. Attacks targeting the application layer or the network layer are causing these expensive stateful firewalls to fail, and the number of such failures is increasing.
These firewall failures are all the more worrying when the favorable circumstances faced by attackers are taken into account. Although attacks by Anonymous and LulzSec have been closely watched by the industry and required advance planning, many attacks today need no such preparation, because attackers can use ready-made resource pools to attack their chosen targets. In the absence of strong legal oversight, emerging technology powers such as China and India have built large numbers of botnets that can be rented at any time. Until countries and companies reach a consensus on shutting these networks down through litigation, people will continue to use these resource pools to launch more attacks.
The frequency of firewall failures caused by these increasingly diverse attacks, which span multiple layers of the network stack, is now alarming. Deploying traditional firewall services alone can therefore no longer effectively detect attacks and prevent business interruption. The application layer must be given the ability to block attacks, using application-layer protocols and behaviors.
Limitations of firewalls
Traditionally, the factors considered when choosing a data center firewall are certification, cost, and performance. Certification standards may require the deployment of specific firewalls in order to comply with regulations, which limits the choice of devices. Once a device is eligible, the buyer weighs the other two factors, price and performance. However, a fresh analysis of these parameters reveals a new pattern.
Firewalls are classified by data throughput, such as 1Gbps or 4Gbps, which makes it easy to match the purchase to the size of the inbound line. However, higher data throughput is not an accurate measure on its own. In a distributed denial of service (DDoS) attack, high data throughput is not the only critical factor; how the device handles concurrent connections and the number of connections per second also matter. For example, a typical traditional firewall priced at $50000 offers 10Gbps of throughput, which should be sufficient for small and medium-sized deployments. However, this type of firewall can only handle 1 million to 2 million concurrent connections. As is well known, WikiLeaks suffered a massive attack in 2010, when people easily generated more than 2 million concurrent connections using a single botnet, bypassing firewalls across the United States. Traditional firewalls with high concurrent connection performance (4 million to 10 million connections per second) are also more expensive, costing between $100000 and $150000.
The same is true of connections per second. Traditional firewalls pay a performance cost for every TCP session they establish while doing stateful inspection. This limits the firewall's ability to handle inbound connections. A typical traditional firewall priced at $50000 can handle 50,000 to 100,000 new connections per second.
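One way to see why these two figures interact, as an added illustration that is not part of the original paper: by Little's law, the number of concurrent connections $N$ a firewall must track equals the rate of new connections $\lambda$ multiplied by the mean time $T$ each connection remains in the state table, $N = \lambda T$. Taking the paper's own $\lambda = 100{,}000$ connections per second and assuming, for illustration only, an idle timeout of $T = 30$ s gives $N = 3{,}000{,}000$, beyond the 1 million to 2 million concurrent connections such a firewall can hold; with $T = 10$ s the same rate gives $N = 1{,}000{,}000$, which fits. This is why the timeout behavior of the state table matters as much as the raw throughput rating.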
Attackers are well aware of these firewall limitations, and modern attacks exploit them. Unfortunately, industry analysts point out that the resulting firewall failures are not uncommon. In fact, these failures are likely the reason why only 8% of the respondents in the September 2011 security survey said that traditional security measures such as firewalls were not sufficient to ensure network security. As a result, more and more enterprises are removing data center firewalls, while others choose to depreciate them outright rather than update them.
Another limitation of the traditional firewall deployment architecture is that it cannot cope with such a wide range of threats spanning the entire network and application ecosystem. In the past, solutions to mitigate these threats were deployed separately, using specific technologies to address attacks in logical groups such as application, network, and DDoS attacks. These unrelated solutions from multiple vendors increase the overall complexity of management and, of course, significantly increase capital and operating expenses.
When considering the boundaries of modern data centers, customers often question whether traditional firewalls are worth buying, because all a traditional firewall does is pass port 80 traffic through, which adds latency, cost, and risk. Flexible enterprises, especially startups and those without PCI requirements, have been operating without traditional firewalls for some time.
Enterprises that rely on Web2.0 and other data center transactions are increasingly benefiting from new data center architectures based on integrated security appliances.
New data center architecture
F5 Networks handles firewall issues by integrating security services into a set of application delivery controllers (ADC) located at the edge of the data center.
F5 BIG-IP® Local Traffic Manager™ (LTM) obtained ICSA network firewall certification in version 11.1. The significance of this critical certification is that BIG-IP® LTM, BIG-IP® GTM WAN Traffic Manager™, and BIG-IP® ASM Application Security Manager™ can, for the first time, properly be placed at the edge of the data center while still maintaining security posture and compliance throughout the enterprise.
The importance of this change is evident in the latest evolution of the well-known "firewall sandwich" architecture. The old "sandwich" architecture required the installation of traditional firewalls, but because of their limited capacity they had to be deployed in parallel with a set of BIG-IP LTM devices that load-balanced inbound connections across them. Traffic passing through the firewalls returned to the same BIG-IP LTM device (or another one, hence the sandwich metaphor) for proper application delivery control. Because BIG-IP LTM is itself ICSA certified, the parallel firewalls (the meat of the sandwich) can be depreciated and eliminated, significantly reducing the number of devices while maintaining the same overall capacity, compliance, and defensive capability.
What makes this architecture possible is that BIG-IP LTM's native firewall service provides far higher connection capacity than the network-layer protection of traditional firewalls. BIG-IP LTM can handle up to 48 million connections, which can be managed through different timeout behaviors, buffer sizes, and other security-related options. This capacity allows BIG-IP LTM to perform port- and IP-based access control (the service typically provided by stateful firewalls) while absorbing traffic surges.
Native application protocol fluency
In addition, BIG-IP LTM can help block the many attacks that exploit application-layer protocols and behaviors. Because it is fluent in application protocols, BIG-IP LTM can monitor and respond to behavior, not just to specifications and standards. BIG-IP LTM can decode IPv4, IPv6, TCP, HTTP, SIP, DNS, SMTP, FTP, Diameter and RADIUS traffic, supporting more sophisticated analysis based on protocols and payloads. This allows BIG-IP LTM to detect abnormal behavior that indicates an attack is in progress and take appropriate action. For example, BIG-IP LTM can count layer 7 connections per client per second and apply various rate-limiting schemes that are effective in mitigating layer 7 attacks.
This native protocol fluency also helps to enforce protocol compliance and mitigates attempts to exploit loopholes created by lax interpretation of a protocol. The combination of protocol compliance and the F5 full-proxy architecture creates a unique DDoS mitigation solution.
Native enforcement of protocol compliance is of great significance. The programmability of the F5 iRules® scripting language provides a flexible way to act on protocol functions for standard, emerging, or custom protocols. Protocol compliance, rate limiting, response injection, traffic steering, and related actions can be performed by BIG-IP LTM using iRules. Security teams have found that the flexibility of iRules helps them address a variety of security problems:
With iRules, BIG-IP LTM can help build a fingerprint-cloaking profile for an application server by obfuscating server and operating system headers and rewriting outbound HTTP response codes such as 301, 401 and 501 errors.
In terms of transport layer security, iRules can reach into the SSL/TLS protocol stack, thus mitigating protocol-level attacks such as the 2010 SSL renegotiation vulnerability (which let a single handheld device attack a secure server).
By using iRules, enterprises can respond quickly to application vulnerabilities that have not yet been patched. Mitigating iRules can be developed in-house, obtained from F5's global DevCentral™ developer community, or even released by F5 product development. For example, the Apache Killer vulnerability was addressed by an iRule developed by the F5 security team several weeks before the Apache Software Foundation released the official fix.
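The per-client layer 7 rate limiting and the fingerprint-cloaking header rewrite described above, written as one iRule. This is an added example, not code from the original paper or from F5; the thresholds, the subtable names and the substitute Server value are constructed placeholders.

```tcl
# Added example iRule (assumptions: l7_max_rps, l7_block_secs, the
# subtable names and the replacement "Server" value are all constructed).

when RULE_INIT {
    # Maximum layer-7 requests one client IP may open per second
    set static::l7_max_rps 50
    # Seconds a client stays blocked after exceeding the limit
    set static::l7_block_secs 60
}

when HTTP_REQUEST {
    set client [IP::client_addr]

    # Client already penalised: answer 429 and stop processing.
    if { [table lookup -subtable "l7_block" $client] ne "" } {
        HTTP::respond 429 content "Too many requests" "Retry-After" $static::l7_block_secs
        return
    }

    # Count requests per client in a bucket that lives for one second.
    # With -mustexist, incr returns "" when no bucket exists yet.
    set rps [table incr -subtable "l7_rps" -mustexist $client]
    if { $rps eq "" } {
        # First request this second: create the bucket (no idle timeout,
        # 1 s absolute lifetime) so it expires on its own.
        table set -subtable "l7_rps" $client 1 indefinite 1
        set rps 1
    }
    if { $rps > $static::l7_max_rps } {
        # Over the limit: record a block entry that expires after l7_block_secs
        table set -subtable "l7_block" $client 1 indefinite $static::l7_block_secs
        log local0. "L7 rate limit: $client exceeded $static::l7_max_rps rps"
        HTTP::respond 429 content "Too many requests"
        return
    }
}

when HTTP_RESPONSE {
    # Fingerprint cloaking: strip headers that reveal server, OS or framework
    HTTP::header remove "Server"
    HTTP::header remove "X-Powered-By"
    HTTP::header remove "X-AspNet-Version"
    HTTP::header insert "Server" "web"

    # Rewrite selected outbound error codes so the backend's exact
    # behaviour is not exposed to scanners (401 and 501 become 404).
    switch [HTTP::status] {
        401 - 501 {
            HTTP::respond 404 content "Not found" "Connection" "close"
        }
    }
}
```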
Advanced DNS Protection
Beyond the DNS protection of BIG-IP LTM, BIG-IP GTM adds iRules support, which enhances the native fluency and compliance protection for the DNS protocol. BIG-IP GTM is the first commercial WAN traffic manager to support Domain Name System Security Extensions (DNSSEC), which resist cache poisoning and man-in-the-middle attacks. The DNS Express™ feature of BIG-IP GTM additionally protects critical DNS services from denial of service (DoS).
Advanced Web Application Protection
For advanced Web application security, the integrated BIG-IP ASM module provides a Web Application Firewall (WAF) to control the OWASP Top 10 risks, such as cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection. BIG-IP ASM is the only web application firewall with a learning mode that understands an application's normal input parameters and rejects those that do not conform to the normal traffic pattern. BIG-IP ASM also meets the WAF requirement of the PCI 2.0 specification.
Web access management
BIG-IP® Access Policy Manager™ (APM) is the last component of the new data center firewall model. Many Web applications need to restrict access to specific users, and BIG-IP APM supports this requirement through multi-factor authentication, authorization, and single sign-on (SSO) services. Dynamic access control in the data center is accomplished using layer 4 and layer 7 access control lists (ACLs) derived from contextual information such as user identity, endpoint inspection results, geographic location, and any attribute taken from the directory store. By enforcing ACLs at forwarding speeds of up to 72 Gbps, supporting thousands of logins per second, and scaling to 100,000 concurrent users on a single platform, BIG-IP APM performs these tasks extremely well.
Cumulative benefits
The cumulative effect of these benefits (performance, protocol compliance, full-proxy architecture, access control, and iRules flexibility) is an overall reduction in exposure. Fewer devices and higher capacity mean fewer configurations and, ultimately, fewer problems to deal with during an attack. IT staff can focus on defense from a single control point rather than rebooting individual devices in the security stack when they fail. Today's attacks include not only traditional network attacks but also complex DDoS attacks and layer 7 exploits. Reducing the number of devices in this way narrows the scope of the threat.
The F5 approach integrates multiple security services to protect against all three types of attack (network, DDoS, and application) within a full-proxy architecture, which no traditional stateful firewall can do.
Summary
Over the past 25 years, stateful firewalls have been used to protect core applications at the data center boundary. However, with the arrival of new techniques and global botnets, this former shield has gradually become a weakness, and the traditional firewall-based architecture has begun to crack, just when we need defensive tools most. Over time, the scope of threats has expanded significantly; traditional firewalls can mitigate simple network attacks, and so-called "new generation" firewalls can deal with outbound vulnerabilities in enterprise data centers. But only the new F5-based data center firewall architecture can significantly reduce capital expenditure by eliminating firewall devices and upgrades and making the most of other data center resources while ensuring standards-based compliance. This new data center firewall architecture places a full-proxy, highly connected ADC at the network boundary.
Flexible enterprises are responding to three main factors of modern data center threats by adding security services:
1. Traditional network attacks
2. Complex DDoS attacks on HTTP and DNS
3. Application-level vulnerabilities
The new data center firewall model addresses each of these factors with a comprehensive, integrated solution. Traffic management and network firewall services are handled by BIG-IP LTM. DNSSEC and DNS Express can be enabled by deploying BIG-IP GTM to protect key DNS services from DDoS and hijacking attacks; Web application firewall services against the OWASP Top 10 attacks can be provided by deploying BIG-IP ASM; and finally, secure Web access management and application-oriented SSO can be provided by deploying BIG-IP APM to complete the solution. BIG-IP LTM is therefore a modern threat mitigation platform that can provide comprehensive protection across the network stack.
F5 product-centric security solutions enable enterprises to implement a comprehensive and scalable security strategy that helps mitigate today's most challenging threats while retaining enough flexibility to deal with those that will emerge in the future.
About F5 Networks
F5 Networks (NASDAQ: FFIV) makes the connected world work better. With the rapid growth of voice, data and video traffic, mobile workers, and applications, F5 helps companies and organizations seize huge potential opportunities, including data centers, networks, and clouds, while meeting their IT needs. Large enterprises, service providers, government agencies, and consumer brands around the world rely on F5's intelligent services architecture to deliver and protect applications and services for people in a connected world. For more information, please visit www.f5.com.cn
If you want to know more about F5, please click on the link to register and we will inform you of the latest F5 information and promotional information on a regular basis. Thank you for your attention and support to F5!
F5 official website registration link:
Http://interact.f5.com/2013Q2PPCADCSEMandHotlineCNJan-Mar_RegistrationPage.html