F5 Friday: Goodbye Defense in Depth. Hello Defense in Breadth.
#adcfw #infosec F5 is changing the game on security by unifying it at the application and service delivery layer.
Over the past few years we’ve seen firewalls fail repeatedly. We’ve seen business disrupted, security thwarted, and reputations damaged by the failure of the very devices meant to prevent such catastrophes from happening. These failures have been caused by a change in tactics from invaders who seek no longer to find away through or over the walls, but who simply batter it down instead. A combination of traditional attacks – network-layer – and modern attacks – application-layer – have become a force to be reckoned with; one that traditional stateful firewalls are often not equipped to handle. Encrypted traffic flowing into and out of the data center often bypasses security solutions entirely, leaving another potential source of a breach unaddressed. And performance is being impeded by the increasing number of devices that must “crack the packet” as it were and examine it, often times duplicating functionality with varying degrees of success. This is problematic because the resolution to this issue can be as disconcerting as the problem itself: disable security. Seriously. Security functions have been disabled, intentionally, in the name of performance.
IT security personnel within large corporations are shutting off critical functionality in security applications to meet network performance demands for business applications.
SURVEY: SECURITY SACRIFICED FOR NETWORK PERFORMANCE
What the company [NSS Labs] found would likely startle any existing or potential customers: three of the six firewalls failed to stay operational when subjected to stability tests, five out of six didn't handle what is known as the "Sneak ACK attack," that would enable attackers to side-step the firewall itself. Finally, according to NSS Labs, the performance claims presented in the vendor datasheets "are generally grossly overstated."
Independent lab tests find firewalls fall down on the job
Add in the complexity from the sheer number of devices required to implement all the different layers of security needed, which increases costs while impairing performance, and you’ve got a broken model in need of repair. This is a failure of the defense in depth strategy; the layered, multi-device (silo) approach to operational security. Most importantly, it’s one that’s failing to withstand attacks.
What we need is defense in breadth – the height of the stack –to assure availability and security using a more intelligent, unified security strategy.
DEFENSE in BREADTH
While it’s really not as catchy as “defense in the depth” the concept behind the admittedly awkward sounding phrase is sound: to assure availability and security simultaneously requires a strong security strategy from the bottom to the top of the networking stack, i.e. the application layer. The ability of the F5 BIG-IP platform to provide security up and down the stack has existed for many years, and its capabilities to detect, prevent, and withstand concerted attacks has been appreciated by its customers (quietly) for some time. While basic firewalling functions have been a part of BIG-IP for years, there are certain capabilities required of a firewall – specifically an ICSA certified firewall – that it didn’t have. So we decided to do something about that.
The result is the ICSA certification of the BIG-IP platform as a network firewall. Combined with its existing
ICSA certification for web application firewall (BIG-IP Application Security Manager) and SSL-TLS VPN 3.0 (BIG-IP Edge Gateway), the BIG-IP platform now supports a full-spectrum security solution in a single, unified system. What is unique about F5’s approach is that the security capabilities noted above can be deployed on BIG-IP Application Delivery Controllers (ADCs)—best known for providing industry-leading intelligent traffic management and optimization capabilities. This firewall solution is part of F5’s comprehensive security architecture that enables customers to apply a unified security strategy. For the first time in the industry, organizations can secure their networks, data, protocols, applications, and users on a single, flexible, and extensible platform: BIG-IP.
Combining network-firewall services with the ability to plug the hole in modern security implementations (the application layer) with a platform-based solution provides the opportunity to consolidate security services and leverage a shared infrastructure platform resulting in a more comprehensive, strategic deployment that is not only more secure, but more cost effective.
Resources:
- The Fundamental Problem with Traditional Inbound Protection
- The Ascendancy of the Application Layer Threat
- ISCA Certified Network Firewall for Data Centers
- Mature Security Organizations Align Security with Service Delivery
- BIG-IP Data Center Firewall Solution – SlideShare Presentation
- The New Data Center Firewall Paradigm – White Paper
- Independent lab tests find firewalls fall down on the job
- SURVEY: SECURITY SACRIFICED FOR NETWORK PERFORMANCE
- F5 Friday: When Firewalls Fail…
- Challenging the Firewall Data Center Dogma
- What We Learned from Anonymous: DDoS is now 3DoS
- The Many Faces of DDoS: Variations on a Theme or Two
- F5 Friday: Eliminating the Blind Spot in Your Data Center Security Strategy
- F5 Friday: Multi-Layer Security for Multi-Layer Attacks