Tuesday, July 26, 2011

Dynamic Application Control and Attack Protection

If you’ve perused any media outlet of late, the barrage of cyber threats is unrelenting and protecting your networks and applications continues to be a never-ending task.  Organizations are making significant investments in IT security to improve their attack protection but still need to control costs and keep the systems running efficiently.  Since these attacks are targeting multiple layers of the infrastructure, both the network and applications, it is increasingly difficult to properly reduce the risk of exposure.  Silos of protection and network firewalls alone cannot do the trick. Add to that the dynamic nature of today’s infrastructures, especially with cloud environments, which makes the job even tougher.  Federal mandates and standards for government agencies, contractors and the public sector add to an organization’s growing list of concerns.  DNS can be vulnerable to attacks; interactive Web 2.0 applications can be vulnerable; and IT needs analytics and detailed reporting to understand what’s happening within their dynamic data center.  On top of that, IPv6 is now a reality and v6 to v4 translation services are in demand.

F5’s most recent release, BIG-IP v11, delivers a unified platform that helps protect Web 2.0 applications and data, secure DNS infrastructures, and establish centralized application access and policy control.  In BIG-IP v10, F5 offered the Application Ready Solution Templates to reduce the time, effort, and application-specific knowledge required of administrators to optimally deploy applications.  With BIG-IP v11, F5 introduces iApp, a template-driven system that automates application deployment. iApp helps reduce human error by enabling an organization’s IT department to apply preconfigured, approved security policies and repeat and reuse them with each application deployment.  Also iApp analytics provides real-time visibility into application performance, which helps IT staff identify the root cause of security and performance issues quickly and efficiently.

For DNS, BIG-IP GTM has offered a DNSSEC solution since v10 and with v11, we’ve added DNS Express, a high-speed authoritative DNS delivery solution. DNS query response performance can be improved as much as 10x. DNS Express offloads existing DNS servers and absorbs the flood of illegitimate DNS requests during an attack, all while supporting legitimate queries.  It’s critical to have the ability to protect and scale the DNS infrastructure when a DoS or DDoS attack occurs, since DNS is just as vulnerable as the web application or service that is being targeted.

For interactive web applications, BIG-IP ASM v11 can parse JSON (JavaScript Object Notation) payloads and protect AJAX (Asynchronous JavaScript and XML) applications that use JSON for data transfer between the client and server.  AJAX, which is a mix of technologies, is becoming more pervasive since it allows developers to deliver content without having to load the entire HTML page in which the AJAX objects are embedded. Unfortunately, poor AJAX code can allow an attacker to modify the application and prevent a user from seeing their customized content, or even initiate an XSS attack. Additionally, some developers are also using JSON payloads, a lightweight data-interchange format that is understandable by most modern programming languages and used to exchange information between browser and server. If JSON is insecure and carrying sensitive information, there is the potential for data leakage.  BIG-IP ASM can enforce the proper security policy and can even display an embedded blocking alert message. Very few WAF vendors are capable of enforcing JSON (other than the XML Gateways), and no other vendor can display an embedded blocking alert message. F5 is the only WAF vendor that fully supports AJAX, which is becoming more and more common even within enterprises. 

Also with v11, BIG-IP ASM is now available in a Virtual Edition (BIG-IP ASM VE), either as a stand-alone appliance or an add-on module for BIG-IP Local Traffic Manager Virtual Edition (LTM VE).  BIG-IP ASM VE delivers the same functionality as the physical edition and helps companies maintain compliance, including PCI DSS, when they deploy applications in the cloud. If an organization discovers an application vulnerability, BIG-IP ASM VE can quickly be deployed in a cloud environment, enabling organizations to immediately virtually patch vulnerabilities until the development team can permanently fix the application. Additionally, organizations are often unable to fix applications developed by third parties, and this lack of control prevents many of them from considering cloud deployments. But with BIG-IP ASM VE, organizations have full control over securing their cloud infrastructure.

After about 5 years of IPv4 depletion stories, it finally seems to be coming soon and IPv6 is starting to be deployed.  Problem is that most enterprise networks are not yet ready to handle IPv4 and IPv6 at the same time.  BIG-IP v11 provides advanced support for IPv6 with built-in DNS 6-to-4 translation services and the ability to direct traffic to any server in mixed (IPv4 and IPv6) environments. This gives organizations the flexibility to support IPv6 devices today while transitioning their backend servers to IPv6 over time.

Many more new features are available across all F5 solutions including BIG-IP APM which added support for site-to-site IPsec tunnels, AppTunnels, Kerberos ticketing, enhanced virtual desktops, Android and iOS clients, and multi-domain single sign-on.  These are just a few of the many new enhancements available in BIG-IP v11.

ps

Technorati Tags: F5,F5 News,v11,security,cloud computing,virtualization,access management,scalability,scaleN,BIG-IP,BIG-IP APM,BIG-IP LTM,BIG-IP GTM,JSON,Web 2.0,BIG-IP ASM,web application firewall,GSLB,DDoS,DoS,iApp


Tuesday, July 19, 2011

The Best of…Me

Part shameless self promotion while taking a cue from Morning Radio shows, I’m out of the office this week and decided to post some of my most popular blogs – according to you, the viewer.  Or as Kent Brockman puts it, ‘this reporter places the blame for all of this squarely on YOU, the viewers!’

CloudFucius Shares: Cloud Research and Stats: Sharing is caring, according to some and with the shortened week, CloudFucius decided to share some resources he’s come across during his Cloud exploration in this abbreviated post.  A few are aged just to give a perspective of what was predicted and written about over time.

The New Certificate 2048 My Performance: Transactions handled over SSL can require substantial computational power to establish the connection (handshake) and then to encrypt and decrypt the transferred data.  If you need the same performance as non-secured data, then additional computing power (CPU) is needed.  SSL processing can be up to 5 times more computationally expensive than clear text to have the same level of performance, no matter which vendor is providing the hardware.  SSL Offload takes much of that computing burden off the servers and places it on dedicated SSL hardware. SSL offloading can relieve the Web server of the processing burden of encrypting and/or decrypting traffic sent via SSL.

F5’s BIG-IP system with Oracle Access Manager: F5 and Oracle announced plans to unify access management for web applications.  Press release can be found here.  The solution combines F5’s BIG-IP system with Oracle Access Manager to enhance single sign-on (SSO) capabilities and simplify access control.  Unifying application delivery and web access management. 

26 Short Topics about Security: Stats, Stories and Suggestions: The crew at DevCentral has a great series called A to Z, and I decided to build upon (or steal, however you see it) the idea with ‘26 Short Topics about Security.’  Not too technically heavy or all encompassing but definitely areas of concern for IT. 

F5's BIG-IP with Oracle® Access Manager to enhance SSO and Access Control: Learn how F5's BIG-IP LTM/APM, in conjunction with Oracle Access Manager, helps centralize web application authentication and authorization services, streamline access management, and reduce infrastructure costs.  Watch how BIG-IP APM can reduce TCO, lower deployment risk, and streamline operational efficiencies for customers along with having a unified point of enforcement to simplify auditing and control changes in configuring application access settings.

Bit.ly, Twitter, Security & You: I’ve been using bit.ly for a little while both to shorten links and be able to track clicks placed on twitter (and other social sites) – as many of you do.  When the twitter outage hit last week, and many folks found themselves ‘lost’ without it, I decided to review my stats on the bit.ly links I’ve sent and found something interesting; or frightening.

The Threat Behind the Firewall: I had a different name for this blog entry but just ‘Jump Drive’ is an awful blog title.  They go by many names; jump drive, USB drive, flash drive, memory stick and a few others, but removable media is a serious threat to IT organizations.  From consultants, to government employees, to Mortgage lenders, to the International Space Station, what used to be a giveaway staple at trade shows, these tiny less-than-two-inch drives can hit and hurt you in a multitude of ways.

Cybercrime, the Easy Way: The Dummies series is a great collection of ‘How to’ instructions on a wide array of topics and while they have not published a ‘Cybercrime for Dummies®’ booklet (and don’t think they will), DIY Cybercrime Kits are helping drive Internet attacks.  Gone are the days when you had to visit a dark alley to get a crook’s cookbook.  You can get a Cybercrime toolkit to go with your black ski mask, getaway car and evil lair hideout.

How Terms Have Changed over Time: Meanings and terms often change or get adjusted over time, especially with Information Technology.  While never walking 5 miles to school in two-feet of snow, I did live during an era of TV’s without remotes and vinyl record players. 

Have a great week!

ps

Technorati Tags: F5, data breach report, threats, Pete Silva, security, malware, technology, phishing, cyber-threat, social engineering, attacks, virus, vulnerability, web, internet, cybercrime, identity theft, scam, data breach


Tuesday, July 12, 2011

Protection from Latest Network and Application Attacks

We offer a lot of webinars at F5 and this is one I recently presented to some partners. As I’ve mentioned, security attacks are moving “up the stack.”  90% of security investments are focused on network security, however, 75% of the attacks are focused at the application layer.  Plus the average loss of revenue per hour for a layer 7 DDoS attack is approximately $220,000.  Modern DoS attacks are distributed, diverse and cross the chasm that divides network components from application infrastructure. A unified application delivery platform with multi-layer visibility is the best way to detect and mitigate multi-layer attacks.  This webinar covers how to prevent sophisticated web attacks utilizing your BIG-IP system and the BIG-IP Application Security Manager.  Running time: 53:52

In this webinar, we will discuss:

  • Examples of current attacks and the effects on those companies
  • The human element
  • How to protect from latest web threats
  • How to quickly resolve vulnerabilities
  • PCI compliance

ps

Technorati Tags: F5, webinar, Pete Silva, security, business, education, technology, internet, big-ip


Wednesday, July 6, 2011

IT Security: Mid-Year Gut Check

Is your stomach turning or does it feel a calm satisfaction halfway through 2011?  What seemed like a relatively calm 2011 during the first couple months has turned into a banner year of breaches.  The forecast could qualify as: In like a Lamb, out like a Lion as they say.  When thinking about this post and even as I started typing a couple sentences ago, I was planning on reviewing the trends of the last 6 months: looking at the 2011 Verizon Data Breach Investigations Report and how the total number of compromised records has decreased even if the number of cybercrime caseloads has increased; examining some recent cloud surveys to see if security is still a top concern; reviewing the latest Ponemon Institute study which says that cyber attack and potential breach is a statistical certainty with 90% of businesses surveyed reporting at least 1 security incident over the last 12 months; the 2010 Symantec/Ponemon Data Breach Loss Report from this past March which calculated that the average cost to a company was $214 per compromised record and $7.2 million over the entire organization; a little on the rise of hacktivism; along with how human behavior plays an important role in many breaches.

As I was doing a little research gathering up links, stats and other resources for this story, I ran across this chart from IEEE and I had to share it.  It’s called The Two Faces of Hacking.  It looks at the 25 biggest and best breach stories and maps them based on innovation and impact.  I would suggest visiting the original site since there is some interaction with the chart (good, bad and neutral hacks) and links to each of the stories.  Maybe I should have titled this blog, Hacks: The Good, The Bad, and The Neutral.

[Chart: The Two Faces of Hacking, IEEE Spectrum]

The story links are interesting, like the Torturing the Secret out of a Secure Chip hack, The Steampunk Contraptors and of course, Hands On about the RFID guinea pig, but I was surprised that the digital certificate breach didn’t make the list.  Anyway, this chart seemed like the perfect way to review the past and ponder the future.

ps

Technorati Tags: F5, data breach report, threats, Pete Silva, security, malware, technology, phishing, cyber-threat, social engineering, attacks, virus, vulnerability, web, internet, cybercrime, identity theft, scam, data breach, rsa, lockheed, imf


Friday, July 1, 2011

Audio White Paper - Controlling Migration to IPv6: A Gateway to Tomorrow

While organizations worldwide are beginning to acknowledge their need to adopt IPv6, most are still struggling to define a workable strategy around it.  F5 solutions provide the flexibility organizations need to devise gradual migration plans that minimize disruption and downtime.  This White Paper describes how the BIG-IP LTM system helps organizations migrate to IPv6 and can operate as an IPv4 to IPv6 gateway, operating identically in either environment and within mixed environments. This capability is ideal for organizations that are either actively planning for or anticipating an IPv4 to IPv6 transition.  Running Time: 13:26  Read full white paper here.  And click here for more F5 Audio.

ps

Technorati Tags: F5, integration, data center, Pete Silva, security, business, education, technology, application delivery, infrastructure, ipv4, optimize, ipv6, web, internet, security, hardware, audio, whitepaper, big-ip
