Threat mitigation strategies for banking applications · 2017-05-31
© 2017 F5 Networks 1
Carlos Valencia Sales Engineer - LATAM
c.valencia@f5.com
Threat mitigation strategies for banking applications.
The Big Picture (architecture diagram): the Silverline cloud-based platform sits in front of the customer, with a partner ISP that may provide a rudimentary DDoS service; attackers shown are volumetric DDoS attackers, application DDoS attackers, scanners, anonymous proxies, anonymous requests and botnet attackers; a threat intelligence feed/IPI feeds the defenses. On-premises components: router, next-generation firewall, IPS/IDS, WAF/L7 DDoS, SSL, high performance DNS / DNS firewall, fraud protection, local DDoS, with hybrid cloud apps and data center apps and corporate users behind them.

Network protection, L3/L4 (L3/L4 DDoS, DNS, SIP DDoS):
• ICMP flood, UDP flood, SYN flood, TCP-state floods
• DoS detection using behavioral analysis
• HTTP DoS: GET flood, Slowloris/slow POST, recursive POST/GET (DHD only)
• DNS DoS: DNS amplification, query flood, dictionary attack, DNS poisoning
• SSL DoS: SSL renegotiation, SSL flood

Application protection, L5-L7 (CPU intensive; application D/DoS, ASM, WAF):
• GET flood, Slowloris/slow POST, recursive POST/GET
• DoS detection using behavioral analysis
• OWASP Top 10
• SQLi/XSS/CSRF/0-day/etc.
• WAF in general
Deployment options (diagram): F5 BIG-IP across private cloud, traditional data center and cloud interconnection / public cloud (direct connect), giving consistent policies, cloud portability, top security, visibility and lowest TCO.
[Chart: share of security controls in place (DLP, firewalls, antivirus, SIEM, IDS/IPS, APT); values shown: 28%, 44%, 72%, 90%]
Protection against web application vulnerabilities (WAF)
• CSRF
• Cookie manipulation
• OWASP Top 10
• Brute force attacks
• Forceful browsing
• Buffer overflows
• Web scraping
• Parameter tampering
• SQL injections
• Information leakage
• Field manipulation
• Session hijacking
• Cross-site scripting
• Zero-day attacks
• Command injection
• Clickjacking
• Bots
• Business logic flaws
Layer 7 security is not addressed by traditional IPS & firewall vendors
Intrusion Prevention Systems / Traditional Firewall:
• Examines all traffic for malicious app inputs
• Primarily uses anomalous and signature-based detection
• Some stateful protocol analysis capabilities
• Lacks understanding of L7 protocol logic
• Doesn’t protect against all exploitable app vulnerabilities
Secures, federates access to any application, anywhere (diagram): remote users, mobile users, contractors, etc. reach apps and services in the corporate data center (including VDI), private cloud, hybrid cloud and public cloud, and SaaS apps (Office 365, Salesforce, other SaaS), through identity federation (SAML) against the corporate directory. Login example: XYZ Corp., username, PW+PIN. Access policy checks:
• User / user group
• Endpoint check
• MDM/EMM device posture
• Network, location, connection type (L3/L4)
• Single or multi-factor auth
A hacker who fails multi-factor auth is stopped.
SSL
DDoS protection tiers (diagram): legitimate users and DDoS attackers (scanners, anonymous proxies, anonymous requests, botnet attackers) arrive through ISP a/b under a multiple ISP strategy; a cloud scrubbing service, fed by threat feed intelligence, absorbs volumetric attacks.
Tier 1, network and DNS (strategic point of control, next-generation firewall, IPS): network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning).
Tier 2, application: SSL attacks (SSL renegotiation, SSL flood) and HTTP attacks (Slowloris, slow POST, recursive POST/GET), in front of corporate users, financial services, e-commerce and subscriber applications.
DDoS approach

Cloud/hosted service
Strengths:
• Completely off-premises so DDoS attacks can’t reach you
• Amortized defense across thousands of customers
• DNS anycast and multiple data centers protect you
Weaknesses:
• Customers pay, whether attacked or not
• Bound by terms of service agreement
• Solutions focus on specific layers (not all layers)

On-premises defense
Strengths:
• Direct control over infrastructure
• Immediate mitigation with instant response and reporting
• Solutions can be architected to scale independently of one another
Weaknesses:
• Many point solutions in market, few comprehensive DDoS solutions
• Can only mitigate up to max inbound connection size
• Deployments can be costly and complex
Hybrid DDoS protection: combining the “resilience and scale” of the cloud with the “granularity and always-on capabilities” of on-premises. Cloud and on-premises are joined by signaling (BGP signaling, request for service, IP list management) under a unified attack command and control.

DDoS architecture, scrubbing center (diagram): inspection plane (inspection toolsets, flow collection, portal), data plane (switching, routing/ACL, network mitigation, proxy mitigation, egress routing to the customer VRF over GRE tunnel, proxy, IP reflection or L2VPN), with Netflow and copied traffic feeding inspection; visibility and management.
• Switching mirrors traffic to inspection toolsets and the routing layer
• Inspection tools provide input on attacks for the traffic actioner & SOC
• Traffic actioner injects routes and steers traffic
• Network mitigation removes advanced L4 attacks
• Proxy mitigation removes L7 application attacks
• Flow collection aggregates attack data from all sources
• Egress routing returns good traffic back to the customer
• Portal provides real-time reporting and configuration
• Ingress router applies ACLs and filters traffic

Silverline (cloud DDoS and WAF): volumetric DDoS protection, managed application firewall service, zero-day threat mitigation with iRules.
“Cybercrime is a persistent threat in today’s world and, despite best efforts, no business is immune.”
Network Solutions
DNS is the second most targeted protocol after HTTP.
DNS DoS techniques range from:
• Flooding requests to a given host
• Reflection attacks against DNS infrastructure
• Reflect / Amplification attacks
• DNS Cache Poisoning attempts
[Chart: application layer attacks vs. traditional DDoS mitigation, by protocol (HTTP, DNS, HTTPS, SMTP, SIP/VoIP, IRC, other); values shown: 82%, 77%, 54%, 25%, 20%, 6%, 9%]
Of the customers that mitigate DDoS attacks, many choose a technique that inhibits the ability of DNS to do its job:
• DNS is based on UDP
• DNS DDoS often uses spoofed sources
• Using an ACL blocks legitimate clients
• DNS attacks use massive volumes of source addresses, breaking many firewalls.
Conventional DNS thinking:
• Performance = add DNS boxes
• Weak DoS/DDoS protection
• Firewall is THE bottleneck
DNS delivery reimagined (paradigm shift):
• Scalable performance over 10M RPS!
• Strong DoS/DDoS protection
• Lower CapEx and OpEx
(Diagrams. Conventional: Internet, external firewall, DNS load balancing, array of DNS servers, internal firewall, hidden master DNS. Reimagined: Internet, master DNS, infrastructure DNS providing authoritative DNS, caching resolver, transparent caching, DNS firewall, DNS DDoS protection, protocol validation, high performance DNSSEC, DNSSEC validation and intelligent GSLB.)
F5 DNS Firewall Services (diagram: Internet, devices, DMZ, data center; LDNS, DNS servers, apps)
• DNS DDoS mitigation with DNS Express
• Protocol inspection and validation
• DNS record type ACL*
• Block access to malicious IPs (DNS Firewall)
• High performance DNS cache
• Stateful – never accepts unsolicited responses
• ICSA Certified – deployment in the DMZ
• Scale across devices – IP Anycast
• Secure responses – DNSSEC
• DNSSEC responses rate limited
• Complete DNS control – iRules & programmability
• DDoS threshold alerting*
• DNS logging and reporting
• Hardened DNS code
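Two of the properties listed above, protocol validation and “stateful – never accepts unsolicited responses”, as an added Python example that is not F5 code: it builds constructed query and response packets, validates the header and question section, and admits a response only when its transaction id, question and source address match a query the front actually forwarded. The packet builders, the resolver-front class and every address and name in it are assumptions made for this example.

```python
import struct

# Constructed sample packets and addresses; nothing here is captured from a real network.
QTYPE_A = 1

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid, name, qtype=QTYPE_A):
    """Minimal DNS query: header (RD=1, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(txid, name, rdata, qtype=QTYPE_A):
    """Minimal DNS response (QR=1, RD, RA): echoed question plus one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # Answer owner name is a compression pointer to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, 4) + bytes(rdata)
    return header + question + answer

def parse_question(packet):
    """Protocol validation of the header and the single question section.
    Returns (txid, is_response, qname, qtype); raises ValueError when malformed."""
    if len(packet) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length == 0:
            pos += 1
            break
        # No compression pointers or oversized labels are allowed in the question.
        if length & 0xC0 or length > 63 or pos + 1 + length > len(packet):
            raise ValueError("bad label")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    if qclass != 1:
        raise ValueError("unsupported class")
    return txid, bool(flags & 0x8000), ".".join(labels).lower(), qtype

class StatefulResolverFront:
    """Remembers every query it forwarded and admits only responses that match one."""

    def __init__(self):
        self.pending = set()   # (txid, qname, qtype, upstream address)
        self.dropped = []      # (source, reason): what a DNS firewall would log and alert on

    def send_query(self, packet, upstream):
        txid, is_response, qname, qtype = parse_question(packet)
        if is_response:
            raise ValueError("refusing to forward a response as a query")
        self.pending.add((txid, qname, qtype, upstream))

    def receive(self, packet, source):
        """Return 'accepted' for a matching response, otherwise the drop reason."""
        try:
            txid, is_response, qname, qtype = parse_question(packet)
        except ValueError as err:
            return self._drop(source, f"malformed: {err}")
        if not is_response:
            return self._drop(source, "query received on response path")
        key = (txid, qname, qtype, source)
        if key not in self.pending:
            return self._drop(source, "unsolicited response")
        self.pending.discard(key)   # one answer per query: a replay is now unsolicited
        return "accepted"

    def _drop(self, source, reason):
        self.dropped.append((source, reason))
        return reason

def run_demo():
    """Replay a constructed exchange and return the outcome for each packet."""
    front = StatefulResolverFront()
    upstream = "203.0.113.53"   # constructed upstream resolver address
    attacker = "198.51.100.7"   # constructed off-path sender address
    name = "www.example-bank.test"
    front.send_query(build_query(0x1234, name), upstream)
    good = build_response(0x1234, name, [192, 0, 2, 10])
    forged = build_response(0x1235, name, [192, 0, 2, 99])   # wrong transaction id
    return {
        "wrong_txid": front.receive(forged, upstream),
        "wrong_source": front.receive(good, attacker),
        "truncated": front.receive(good[:7], upstream),
        "legit": front.receive(good, upstream),
        "replay": front.receive(good, upstream),
    }
```

Calling run_demo() shows a forged transaction id, a response from an address that was never queried, a truncated packet and a replayed copy of the real answer all dropped with a reason, while the single matching answer is accepted. A production resolver additionally randomizes the transaction id and source port; this snippet only shows the state check and the validation of the question section.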
HTTP/HTTPS: the secured data center (WAF, HIPS, traffic management, NIPS, DLP, network firewall, SIEM) versus the customer browser, where attacks work by:
Leveraging browser application behavior:
• Caching content, disk cookies, history
• Add-ons, plug-ins
Manipulating user actions:
• Social engineering
• Weak browser settings
• Malicious data theft
• Inadvertent data loss
Embedding malware:
• Keyloggers
• Framegrabbers
• Data miners
• MITB / MITM
• Phishers / pharmers
Man-in-the-browser web inject (diagram: user, Wells Fargo web server, drop zone, C&C):
1. Generic malware, such as Zeus, infects a user’s device. The malware contains code designed to insert specific content into the browser session when the user accesses specific sites. Inject configuration shown on the slide: *wellsfargo* add field; *bankofamerica* add button, replace text; *chase* add cc#, pin, remove text; *telebank* send credentials; *bankquepopulaire* …
2. The user requests the login page for Wells Fargo.
3. This triggers the malware, which injects additional content into the browser.
4. The user enters the requested content and clicks Go.
5. This information is sent to the legitimate web server as expected.
6. This information is also sent to the configured drop zone.
HTML Source Integrity is based on the expected number of forms, input fields, and scripts. This page is expected to have only four forms, 14 input fields and six scripts; the inclusion of an additional input field (PIN) due to malware will now trigger an alert.
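How a check of this kind works, as an added Python example that is not F5’s HTML Source Integrity implementation: it learns the expected number of forms, input fields and scripts (plus the field names) from a known-good copy of a login page, then flags a rendered copy into which a PIN field has been injected. Both sample pages are constructed for the example and are smaller than the slide’s four forms, 14 inputs and six scripts.

```python
from html.parser import HTMLParser

# Constructed sample login page (the slide's real page has 4 forms, 14 inputs, 6 scripts).
CLEAN_LOGIN_PAGE = """
<html><head><script src="/static/app.js"></script></head>
<body>
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Go">
</form>
<form id="search" action="/search"><input type="text" name="q"></form>
<script>window.ready = true;</script>
</body></html>
"""

# The same page after a web inject added a PIN field to the login form (constructed).
INJECTED_LOGIN_PAGE = CLEAN_LOGIN_PAGE.replace(
    '<input type="submit" value="Go">',
    '<input type="password" name="pin" placeholder="ATM PIN">\n  <input type="submit" value="Go">',
)


class ElementCounter(HTMLParser):
    """Counts the element kinds the integrity check keys on and records input names."""

    def __init__(self):
        super().__init__()
        self.counts = {"form": 0, "input": 0, "script": 0}
        self.input_names = []

    def handle_starttag(self, tag, attrs):
        if tag in self.counts:
            self.counts[tag] += 1
        if tag == "input":
            self.input_names.append(dict(attrs).get("name") or "")


def fingerprint(html):
    """Return ({tag: count}, [input names in document order]) for a page."""
    parser = ElementCounter()
    parser.feed(html)
    parser.close()
    return parser.counts, parser.input_names


def learn_baseline(html):
    """Record expected counts and field names from a known-good copy of the page."""
    counts, names = fingerprint(html)
    return {"counts": counts, "input_names": set(names)}


def check_integrity(html, baseline):
    """Compare the page as rendered in the browser against the baseline; return alerts."""
    counts, names = fingerprint(html)
    alerts = []
    for tag, expected in baseline["counts"].items():
        if counts[tag] != expected:
            alerts.append(f"{tag} count {counts[tag]} differs from expected {expected}")
    for name in names:
        if name not in baseline["input_names"]:
            alerts.append(f"unexpected input field '{name}'")
    return alerts


def run_demo():
    baseline = learn_baseline(CLEAN_LOGIN_PAGE)
    return {
        "baseline": baseline["counts"],
        "clean": check_integrity(CLEAN_LOGIN_PAGE, baseline),
        "injected": check_integrity(INJECTED_LOGIN_PAGE, baseline),
    }
```

The clean page produces no alerts; the injected page raises one for the input count (5 instead of 4) and one naming the unexpected “pin” field. In a deployment the fingerprint is taken from the DOM the user’s browser actually rendered, which is where the inject lands, and the baseline must be refreshed whenever the legitimate page changes or the check will alert on every release.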
Data theft over an encrypted connection (diagram):
1. The victim is infected with malware.
2. The victim makes a secure connection to a web site. This triggers the malware to run.
3. The victim enters data into the web form. This content can be stolen by the malware (the slide shows a password revealer icon).
4. The victim submits the web form. The information is encrypted and sent to the web server; the information is also sent to the drop zone in clear text.
How HFO works – field name obfuscation (diagram: LTM security appliance in front of the data center web application), compared with the same flow without HFO.
Transaction risk scoring (MyBank.com):
• Gather client details related to the transaction
• Run a series of checks to identify suspicious activity
• Assign a risk score to the transaction
• Send an alert based on the score
• Apply L7 encryption to all communications between client and server
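The first four bullets as an added Python example (constructed rules and weights, not F5’s fraud scoring): client details are gathered into a transaction context, a series of checks runs against the customer’s profile, the weights of the checks that fire add up to the risk score, and the score drives the action (allow, alert, block). The check names, weights, thresholds and sample transactions are assumptions; L7 encryption is outside this snippet.

```python
from dataclasses import dataclass


@dataclass
class TransactionContext:
    """Client details gathered for one transfer (constructed field set)."""
    user_id: str
    device_id: str
    country: str
    amount: float
    payee: str
    session_age_s: int        # seconds since login
    transfers_last_hour: int  # velocity of transfers in this session


@dataclass
class UserProfile:
    """What the bank already knows about the customer."""
    known_devices: frozenset
    usual_country: str
    known_payees: frozenset
    typical_amount: float


# (check name, weight, predicate); the weights are illustrative assumptions.
CHECKS = [
    ("unknown_device", 30, lambda t, p: t.device_id not in p.known_devices),
    ("foreign_country", 25, lambda t, p: t.country != p.usual_country),
    ("new_payee", 20, lambda t, p: t.payee not in p.known_payees),
    ("large_amount", 25, lambda t, p: t.amount > 5 * p.typical_amount),
    ("fresh_session", 10, lambda t, p: t.session_age_s < 30),
    ("high_velocity", 15, lambda t, p: t.transfers_last_hour >= 3),
]

ALERT_AT = 40   # notify the fraud team, let the transfer proceed
BLOCK_AT = 70   # hold the transfer for step-up verification


def score_transaction(txn, profile):
    """Run every check; return (score capped at 100, names of the checks that fired)."""
    fired = [(name, weight) for name, weight, pred in CHECKS if pred(txn, profile)]
    score = min(100, sum(weight for _, weight in fired))
    return score, [name for name, _ in fired]


def decide(score):
    if score >= BLOCK_AT:
        return "block"
    if score >= ALERT_AT:
        return "alert"
    return "allow"


def assess(txn, profile):
    score, fired = score_transaction(txn, profile)
    return {"score": score, "checks": fired, "action": decide(score)}


def run_demo():
    """Score three constructed transfers for the same customer."""
    profile = UserProfile(
        known_devices=frozenset({"dev-home-laptop"}),
        usual_country="MX",
        known_payees=frozenset({"electric-utility", "landlord"}),
        typical_amount=200.0,
    )
    routine = TransactionContext("u-100", "dev-home-laptop", "MX", 180.0, "landlord", 600, 1)
    suspicious = TransactionContext("u-100", "dev-unknown-7", "MX", 150.0, "new-recipient", 900, 1)
    takeover = TransactionContext("u-100", "dev-unknown-9", "RO", 4900.0, "unseen-recipient", 12, 4)
    return {
        "routine": assess(routine, profile),
        "suspicious": assess(suspicious, profile),
        "takeover": assess(takeover, profile),
    }
```

The routine transfer scores 0 and is allowed; an unknown device paying a new payee scores 50 and only raises an alert; the third case fires every check, is capped at 100 and is blocked. Keeping the checks as data (name, weight, predicate) lets the fraud team tune weights and thresholds from observed false-positive rates without touching the scoring code.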
Phishing detection (diagram: Internet, web application): alert at each stage of phishing site development:
1. Copy website
2. Save copy to computer
3. Upload copy to spoofed site
4. Test spoofed site
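One way to get an alert at each of these stages, as an added Python example rather than the product’s own mechanism: the legitimate page references a small resource (here the hypothetical /beacon.js) that any copy of the page keeps requesting from the bank’s server, so a request for it whose Referer is localhost or an unknown host reveals the copy being tested locally (stage 2) or from a spoofed site (stages 3 and 4), and a client pulling many resources with a mirroring tool’s User-Agent marks stage 1. The log lines, host names, paths and the mapping of signals to stages are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

LEGITIMATE_HOSTS = {"www.mybank.example", "mybank.example"}   # assumed bank domains
BEACON_PATH = "/beacon.js"                                     # hypothetical tagged resource
MIRROR_TOOL_MARKERS = ("wget", "httrack")                      # site-mirroring tools (User-Agent)

# Constructed combined-format access log lines; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2017:10:00:01 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Wget/1.21"
203.0.113.5 - - [10/May/2017:10:00:01 +0000] "GET /css/site.css HTTP/1.1" 200 812 "-" "Wget/1.21"
203.0.113.5 - - [10/May/2017:10:00:02 +0000] "GET /img/logo.png HTTP/1.1" 200 9001 "-" "Wget/1.21"
198.51.100.9 - - [10/May/2017:11:30:10 +0000] "GET /beacon.js HTTP/1.1" 200 310 "http://localhost:8000/login.html" "Mozilla/5.0"
198.51.100.9 - - [10/May/2017:13:05:44 +0000] "GET /beacon.js HTTP/1.1" 200 310 "https://mybank-secure-login.example/login" "Mozilla/5.0"
192.0.2.20 - - [10/May/2017:13:06:00 +0000] "GET /beacon.js HTTP/1.1" 200 310 "https://www.mybank.example/login" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(line) for line in text.splitlines()) if m]


def classify_beacon(referer):
    """Map the page that loaded the beacon to a development stage, or None if legitimate."""
    if referer in ("", "-"):
        # file:// pages send no Referer; a referrer policy can also strip it, so review rather than block.
        return "stage 2: beacon loaded with no referrer (local copy or stripped referrer)"
    parts = urlsplit(referer)
    host = parts.hostname or ""
    if parts.scheme == "file" or host in ("localhost", "127.0.0.1"):
        return "stage 2: saved copy tested on the author's machine"
    if host in LEGITIMATE_HOSTS:
        return None
    return f"stage 3/4: copy hosted and tested on spoofed site {host}"


def detect_phishing_stages(log_text, mirror_threshold=3):
    """Return alert strings: mirroring clients (stage 1) first, then beacon loads from foreign origins."""
    beacon_alerts = []
    tool_hits = Counter()
    for rec in parse_log(log_text):
        if any(marker in rec["ua"].lower() for marker in MIRROR_TOOL_MARKERS):
            tool_hits[rec["ip"]] += 1
        if rec["path"] == BEACON_PATH:
            verdict = classify_beacon(rec["referer"])
            if verdict:
                beacon_alerts.append(f"{rec['ip']} {verdict}")
    mirror_alerts = [f"{ip} stage 1: site mirroring tool fetched {n} resources"
                     for ip, n in tool_hits.items() if n >= mirror_threshold]
    return mirror_alerts + beacon_alerts


def run_demo():
    return detect_phishing_stages(SAMPLE_LOG)
```

On the sample log this yields three alerts: the mirroring client, the beacon loaded from localhost, and the beacon loaded from the spoofed host; the load from the bank’s own domain is silent. The spoofed host name in the alert is what a takedown request is built on, which is why the beacon should be a resource the copied page cannot easily do without.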
Cloud interconnect (diagram): each cloud provides siloed native app services: basic, proprietary, and inconsistent. Shown: public cloud servers with native app services, SaaS, MSP, and corporate datacenter(s) with private cloud.
Your cloud strategy should be an extension of your data center strategy: app-centric, letting you focus on ensuring availability, security, and performance for each application (application, database, DNS, storage, mobile, commerce, identity, analytics, website, VPN, load balancing).
• Defend against attacks
• Ensure secure user access
• Deliver app performance
• Gain traffic visibility
• Orchestrate tasks centrally
Which means:
• Enable both network and application security
• Deliver high application availability, not just infrastructure availability
• Ensure application performance
• Centralize management and orchestration of the application
• Streamline app delivery and security services across on-premises and cloud
App-centric strategy (diagram): apps placed along a spectrum from on-premises (full control) to public cloud (limited control): custom apps, packaged apps, external websites, LOB (HR, Acct.), ERP, CRM, mobile apps, dev & test, SaaS apps.
Shared responsibility in Amazon AWS and Microsoft Azure
The idea behind this is to educate customers that they still need to be responsible for a large proportion of the services required to deliver applications in the cloud. (Diagrams: AWS Shared Responsibility Model; Azure Shared Responsibility Model.)
Identity control platform (diagram): Active Directory federated to multiple apps.
Use case: disaster recovery
Requirements:
• Application availability and performance
• Location-based and contextual user access
• Active-active deployment for cost efficiency
• Insight and visibility into application traffic
Recommended application delivery services:
• Local and global load balancing
• DNS
• SSL VPN or IPsec tunnel
• Access & identity
• Consistent DevOps + management tools
Key benefits:
• Seamless customer experience
• Secured and optimized site-to-site connectivity
• Advanced application health monitoring
(Diagram: cloud provider and data center, each with compute, storage and L4-L7 services, joined by VPN and DNS under orchestration; seamless global app experience.)
Strategic control points (diagram). Traditional: application services as a single strategic control point in front of the servers. New: distributed strategic control points, with application services delivered as hardware, virtual edition, containers and aaS across on-premises, cloud interconnection and public/private cloud.