F5 big v10_websecurity pressshort-phpapp01
Download as PPTX, PDF1 like428 views
F5 announced new capabilities in BIG-IP V10.1 to help customers address web security threats like web scraping attacks and simplify PCI compliance reporting. The release includes advanced web application firewall features in ASM to protect against scraping bots and reporting tools to validate PCI compliance. It also features secure dynamic DNS in GTM to meet DNSSEC compliance mandates and prevent DNS hijacking attacks.
F5 big v10_websecurity pressshort-phpapp01
- 1. BIG-IP V10.1Advanced Web SecurityNovember 2009
- 2. F5 Announcement Highlights New release of BIG-IP delivers advanced Web security solutions to help customers efficiently address threats to Web applicationsWeb scraping attack protection
- 3. Better protection against automated scanners and bots
- 5. Reporting with human readable policies to validate compliance with PCI DSS 1.2
- 6. Secure and Dynamic DNS
- 7. Meets DNSSEC 2009 government compliance
- 9. Integrated into F5’s TMOS architecture
- 10. Announcement date: Nov. 16, 2009Airline Inventory Vulnerable to Web Scraping Ryanair – Stolen data, litigation costs, decreasing revenueWins injunction against Vtours GmBHForbids screen-scraping as commercial use*Ryanair sent cease and desist letters to 300 siteseasyJet warns Expedia: 'Hands off our flights‘
- 11. Protection from Web Scraping Remote usersDublin DatacenterFrankfurt DatacenterLegitimate users see inventory while scrapers are remediatedIT StaffIT StaffAutomated scraperComprehensive reporting on scraping attacksWebDominoNetworkDetect requests and determine web site is being scraped WebDominoNetworkBIG-IP 8900BIG-IP 6900LTM/ASMLTM/ASMSolutionProtects valuable intellectual propertyPrices are controlled and users see airline approved inventoryIntegrated scrape reporting for PCI complianceAvoid litigation drastically reducing legal costs
- 13. Improved PCI Compliance Reporting
- 14. DNS Infrastructure is VulnerableSpoofing and cache poisoning allow hijacking of domainsExample.comwww.example.com?www.example.com?GSLB123.123.123.123012.012.012.012App ServersLDNSCache poisoningProblemNeed to secure DNS infrastructureCache poisoning and spoofing can hijack DNS records
- 15. Need a method for trusted responses
- 16. Need to meet US Government mandate for DNSSEC complianceHacker
- 17. Securing the DNS InfrastructureDynamic and secure DNS with Global Traffic ManagerExample.comwww.example.com?www.example.com?BIG-IP GTM123.123.123.123+ public key123.123.123.123+ public keyApp ServersLDNSClient gets signed, trusted responseSolutionSecure and dynamic DNSEnsure users get trusted DNS queries with signed responses
- 18. Reduce management costs – Simple to implement and maintain
- 19. Meet mandates with DNSSEC compliant solutionHacker
- 20. F5 – A Better Solution For Web SecurityBestWAF with protection from Web Scraping (ASM)Best WAF to assist administrators in understanding security threats (ASM: Attack Expert) Simplified PCI Reporting (ASM)Only GSLB with DNSSEC (GTM)
Editor's Notes
- #4: http://www.wilmerhale.com/publications/whPubsDetail.aspx?publication=1948 you can find public information on American Airlines, eBay and others who were involved with legal procedures against scrapers.Ryanair – Stolen data, litigation costs, decreasing revenueWins injunction against VtoursGmBHForbids screen-scraping as commercial use*Ryanair sent cease and desist letters to 300 siteshttp://www.theregister.co.uk/2008/06/25/easyjet_warns_expedia/*http://www.theregister.co.uk/2008/07/11/ryanair_screen_scraping_victory/**http://www.theregister.co.uk/2008/06/27/easyjet_travel_sites_warned/http://news.idg.no/cw/art.cfm?id=08DFD829-1A64-67EA-E4996B477BBCB6D3What I discovered is that our Web sites are being "scraped" by other companies -- our competitors! Some of the information on our sites is valuable intellectual property. It is provided online, in a restricted manner (passwords and such), to our customers. Such restrictions aren't very difficult to overcome for the Web crawlers that our competitors are using, because webmasters usually don't know much about security. They make a token attempt to put passwords and restrictions on sensitive files, but they often don't do a very good job.
- #6: Online dictionary for help. Network guy challenged with application security and now has violation and attack type description. Attack expert system provides knowledge, testing and reporting of attacks and policies: Attack profiles - Every attack is now explained, every violation includes detailed description of the exact check that ASM performsStaging – policies are staged so tightening changes are made before enforcementSuperior reporting - detailed review of vulnerabilities allowing for fast mitigation and easy management
- #7: Competition has beaten us up in the past but we haveconsolidated with PCI reports. With new PCI reporting, BIG-IP ASM details security measures required by PCI DSS 1.2, if you are in compliance and if not, steps required to become compliant.
- #8: A typical DNS request goes through a recursive set of public DNS servers to resolve the domain name. In this case I’m looking to connect to www.example.com. But one of these DNS servers has been compromised through cache poisoning. Cache poisoning occurs when a resolver or recursive DNS server queries another server in an effort to answer a query, and an attacker spoofs the query response to the resolver or recursive server. This can occur when the attacker impersonates the queried server by using an appropriate DNS message. In the case of the recursive server receiving such an answer, it not only supplies the resolver with the falsified information, it caches the information such that future queries, at least during the valid time interval of the answer, are answered with the same falsified information.