Unsere Stunde als F5 Aktionaere kommt, und da ist die Marktkapitalisierung nicht mehr 2 Mrd $ sondern wie bei Akamai 20 Mrd $! (Kein Scherz!)
Artikel kann auch auf www.f5.com nachgelesen werden, dann sieht man auch die schoenen Bilder, die leider beim Kopieren des Textes verloren gingen.
A Counter Defense To Denial of
Service Attacks and Other Cyber
Threats
Introduction
The number of organizations integrating web-based applications within their
business systems continues to increase -- as is the reliance of consumers
who want a safe, secure, and reliable environment to do e-Business. The
recent Denial of Service attacks that have drawn national headlines symbolize
the need for networks to shore up their sites in order to handle the onslaught
of legitimate new users - but also to protect their sites from cyber-terrorists
whose only goal is to wreck havoc.
Clearly, businesses must reevaluate their network security strategy in order to
adapt to 1) an open computing environment and 2) protect against the
unsavory part of the population which this open environment has attracted. As
such, many F5 customers are realizing the added security benefits of using
the BIG/ip Controller, a unique high availability, intelligent load balancing
product which also includes a number of built-in features designed to heighten
network security and provide protection of servers and devices against
attacks.
BIG/ip Controller: Value-Added Security
BIG/ip comes standard with numerous security features to protect your site,
including:
Firewall capable. The BIG/ip Controller uses packet filtering to limit or deny
access to and from servers. You can specify rules, which allow or deny
access based on the source IP address of the packet, the destination IP
address, the source port number, the destination port number (for protocols
that support ports), or even the packet type (UDP, TCP, ICMP, etc). This
feature significantly heightens network security and gives you the flexibility to
restrict access on a very granular basis.
Stringent access control. The BIG/ip Controller is configured to allow only
specific types of traffic to pass through to the servers by granting or denying
ports on BIG/ip and Virtual Servers. A Virtual Server is a specific combination
of virtual addresses and virtual ports. Types of traffic that have not been
defined as allowed to pass through BIG/ip will be denied. This yields
extremely tight security, since only the traffic that you specify is allowed to
pass through BIG/ip.
Secure Administration. The BIG/ip Controller's default configuration only
allows encrypted administration traffic into the device.
Its web-based configuration tool uses SSL and Access Control Lists to
provide secure real-time configuration
BIG/ip command line interface via F-Secure SSH client supports
remote encrypted login and file transfer from most commercial UNIX
platforms, Windows 95, NT, and Mac operating systems
BIG/ip command line interface includes a VGA or serial console with
command history
Resists Common Attacks
BIG/ip is a default deny device that resists common attacks in the following
ways:
Thwarts Denial of Service attacks (reaps idle connections)
Thwarts IP spoofing (performs source route tracing)
Resists unacknowledged SYN without ACK buffers (thwarts SYN
floods)
Thwarts teardrop and land attacks
Protects itself and servers from ICMP attacks
Does not run SMTPd, FTPd, Telnetd, or any other attackable daemons
Uses packet filtering to limit or deny access to and from Internet sites
based on monitoring the traffic source, destination and port
Uses Secure Remote administration based on secure shell (SSH) for
command line or SSL for browser-based management
In addition, BIG/ip is inherently secure and averts common threats without the
need to purchase additional security devices.
Security Tool
BIG/ip's security report identifies any services and ports that receive illegal
access attempts by monitoring the:
IP address - source IP address of attacker
Frequency - amount of attempts
Port - which port(s) was hit
This information can help you identify security holes in your network and
identify the source of potential attackers. Additionally, access to BIG/ip can
be controlled on any interface. By default, BIG/ip denies access unless types
of specific traffic are enabled. This allows BIG/ip to be dynamic addition to a
site's overall security.
Port Mapping and Network Address Translation (NAT)
BIG/ip can be configured to map a single port into multiple ports. Well known
ports such as 80, 443, 20, 21 can be mapped to any port on the actual
servers. In addition, BIG/ip can translate addresses of the servers behind it to
addresses that are advertised to the outside world. These security features
provide several benefits, including:
Greater security by making it difficult for intruders to identify what
services are running on which port.
Uses non-publicly routed addresses - Using BIG/ip, Internet routable IP
addresses can be saved, thereby reducing consumption of IP
addresses.
Addresses of the servers behind BIG/ip are never exposed to the
outside world, reducing the chance of hackers gaining access to your
servers.
Secure Network Address Translation
BIG/ip also features Secure Network Address Translation (SNAT). This
provides servers with a secure outbound connection to the Internet, or to an
internal server array through a load balanced virtual server.
Firewall Load Balancing
Transparent proxy firewalls are a relatively recent generation of firewalls that
give Intranets the protection of a firewall, while providing internal users
transparent access to the Internet. Due to the growing use of these
transparently configured firewalls, and the inherent need to provide high
availability and scalability to these devices, BIG/ip again is increasingly being
deployed as a solution.
BIG/ip uses a feature called Transparent Node Mode. When enabled, it allows
BIG/ip to work with various devices, such as transparent firewalls. This feature
makes these firewalls more reliable and more scalable. The load balancing
functions of Transparent Node Mode simultaneously functions with BIG/ip's
normal load balancing intelligence. Additionally, BIG/ip can be configured in
front of an array of transparently configured firewalls and an array of Intranet
servers - all at the same time.
BIG/ip tests specific IP address and port combinations to determine if a
firewall is functioning properly. BIG/ip will make a non-transparent request to
the network device. The Extended Content Verification (ECV) feature of BIG/ip
can be used to increase the accuracy of these tests. If a firewall does not
respond to a predetermined amount of time, BIG/ip directs requests to other
devices instead. This delivers high availability to users, who will seamlessly
be redirected to a properly functioning firewall.
Transparent Node Load Balancing/High Availability on the BIG/ip Controller
offers many benefits for businesses. It provides full scaling of firewall solutions
that is not limited by the exchange of agent traffic between multiple firewalls.
It provides high availability and intelligent load balancing for any Intranet web
servers or other backbone or DMZ servers, while allowing them to stay
securely inside your network.
Additionally, the BIG/ip Controller supports a multitude of different firewall
vendor devices, which assists a business in migrating to new firewall
technology in the future. It also allows for implementation of diverse parallel
security, as opposed to serially linked firewall devices.
The Transparent Node Load Balancing/High Availability also adds to the
increased security that BIG/ip already brings to the network, further
supercharging its network-security functionality.
Figure 1: Firewall load balancing/high availability with redundant
BIG/ip Controllers.
Transparent Device Persistence - Firewall Sandwich
In situations where BIG/ip is accepting connections for virtual servers from
more than one device, such as firewalls, routers, or caches, it may be
desirable to send the return data back through the same device from which
the connection originated. This can be used to spread the load among
outbound devices, or to assure that connections go through the same device,
such as a proxy, cache, firewall, or VPN router. You can do this by defining a
pool that contains the list of devices from which the connections are received,
and then associating the pool with a virtual device using the lasthop keyword.
Figure 2: Transparent Device Persistence (Firewall Sandwich)
Summary
The BIG/ip Controller, an extremely robust and flexible product, enriches your
network security by cooperatively working with firewall products, router ACLs,
mail filters, and content filters. While F5 does not actively market the BIG/ip
Controller as a firewall or security device, many customers are using its
numerous security features to provide a highly scalable, available and secure
Internet site - more important than ever given recent events.
Artikel kann auch auf www.f5.com nachgelesen werden, dann sieht man auch die schoenen Bilder, die leider beim Kopieren des Textes verloren gingen.
A Counter Defense To Denial of
Service Attacks and Other Cyber
Threats
Introduction
The number of organizations integrating web-based applications within their
business systems continues to increase -- as is the reliance of consumers
who want a safe, secure, and reliable environment to do e-Business. The
recent Denial of Service attacks that have drawn national headlines symbolize
the need for networks to shore up their sites in order to handle the onslaught
of legitimate new users - but also to protect their sites from cyber-terrorists
whose only goal is to wreck havoc.
Clearly, businesses must reevaluate their network security strategy in order to
adapt to 1) an open computing environment and 2) protect against the
unsavory part of the population which this open environment has attracted. As
such, many F5 customers are realizing the added security benefits of using
the BIG/ip Controller, a unique high availability, intelligent load balancing
product which also includes a number of built-in features designed to heighten
network security and provide protection of servers and devices against
attacks.
BIG/ip Controller: Value-Added Security
BIG/ip comes standard with numerous security features to protect your site,
including:
Firewall capable. The BIG/ip Controller uses packet filtering to limit or deny
access to and from servers. You can specify rules, which allow or deny
access based on the source IP address of the packet, the destination IP
address, the source port number, the destination port number (for protocols
that support ports), or even the packet type (UDP, TCP, ICMP, etc). This
feature significantly heightens network security and gives you the flexibility to
restrict access on a very granular basis.
Stringent access control. The BIG/ip Controller is configured to allow only
specific types of traffic to pass through to the servers by granting or denying
ports on BIG/ip and Virtual Servers. A Virtual Server is a specific combination
of virtual addresses and virtual ports. Types of traffic that have not been
defined as allowed to pass through BIG/ip will be denied. This yields
extremely tight security, since only the traffic that you specify is allowed to
pass through BIG/ip.
Secure Administration. The BIG/ip Controller's default configuration only
allows encrypted administration traffic into the device.
Its web-based configuration tool uses SSL and Access Control Lists to
provide secure real-time configuration
BIG/ip command line interface via F-Secure SSH client supports
remote encrypted login and file transfer from most commercial UNIX
platforms, Windows 95, NT, and Mac operating systems
BIG/ip command line interface includes a VGA or serial console with
command history
Resists Common Attacks
BIG/ip is a default deny device that resists common attacks in the following
ways:
Thwarts Denial of Service attacks (reaps idle connections)
Thwarts IP spoofing (performs source route tracing)
Resists unacknowledged SYN without ACK buffers (thwarts SYN
floods)
Thwarts teardrop and land attacks
Protects itself and servers from ICMP attacks
Does not run SMTPd, FTPd, Telnetd, or any other attackable daemons
Uses packet filtering to limit or deny access to and from Internet sites
based on monitoring the traffic source, destination and port
Uses Secure Remote administration based on secure shell (SSH) for
command line or SSL for browser-based management
In addition, BIG/ip is inherently secure and averts common threats without the
need to purchase additional security devices.
Security Tool
BIG/ip's security report identifies any services and ports that receive illegal
access attempts by monitoring the:
IP address - source IP address of attacker
Frequency - amount of attempts
Port - which port(s) was hit
This information can help you identify security holes in your network and
identify the source of potential attackers. Additionally, access to BIG/ip can
be controlled on any interface. By default, BIG/ip denies access unless types
of specific traffic are enabled. This allows BIG/ip to be dynamic addition to a
site's overall security.
Port Mapping and Network Address Translation (NAT)
BIG/ip can be configured to map a single port into multiple ports. Well known
ports such as 80, 443, 20, 21 can be mapped to any port on the actual
servers. In addition, BIG/ip can translate addresses of the servers behind it to
addresses that are advertised to the outside world. These security features
provide several benefits, including:
Greater security by making it difficult for intruders to identify what
services are running on which port.
Uses non-publicly routed addresses - Using BIG/ip, Internet routable IP
addresses can be saved, thereby reducing consumption of IP
addresses.
Addresses of the servers behind BIG/ip are never exposed to the
outside world, reducing the chance of hackers gaining access to your
servers.
Secure Network Address Translation
BIG/ip also features Secure Network Address Translation (SNAT). This
provides servers with a secure outbound connection to the Internet, or to an
internal server array through a load balanced virtual server.
Firewall Load Balancing
Transparent proxy firewalls are a relatively recent generation of firewalls that
give Intranets the protection of a firewall, while providing internal users
transparent access to the Internet. Due to the growing use of these
transparently configured firewalls, and the inherent need to provide high
availability and scalability to these devices, BIG/ip again is increasingly being
deployed as a solution.
BIG/ip uses a feature called Transparent Node Mode. When enabled, it allows
BIG/ip to work with various devices, such as transparent firewalls. This feature
makes these firewalls more reliable and more scalable. The load balancing
functions of Transparent Node Mode simultaneously functions with BIG/ip's
normal load balancing intelligence. Additionally, BIG/ip can be configured in
front of an array of transparently configured firewalls and an array of Intranet
servers - all at the same time.
BIG/ip tests specific IP address and port combinations to determine if a
firewall is functioning properly. BIG/ip will make a non-transparent request to
the network device. The Extended Content Verification (ECV) feature of BIG/ip
can be used to increase the accuracy of these tests. If a firewall does not
respond to a predetermined amount of time, BIG/ip directs requests to other
devices instead. This delivers high availability to users, who will seamlessly
be redirected to a properly functioning firewall.
Transparent Node Load Balancing/High Availability on the BIG/ip Controller
offers many benefits for businesses. It provides full scaling of firewall solutions
that is not limited by the exchange of agent traffic between multiple firewalls.
It provides high availability and intelligent load balancing for any Intranet web
servers or other backbone or DMZ servers, while allowing them to stay
securely inside your network.
Additionally, the BIG/ip Controller supports a multitude of different firewall
vendor devices, which assists a business in migrating to new firewall
technology in the future. It also allows for implementation of diverse parallel
security, as opposed to serially linked firewall devices.
The Transparent Node Load Balancing/High Availability also adds to the
increased security that BIG/ip already brings to the network, further
supercharging its network-security functionality.
Figure 1: Firewall load balancing/high availability with redundant
BIG/ip Controllers.
Transparent Device Persistence - Firewall Sandwich
In situations where BIG/ip is accepting connections for virtual servers from
more than one device, such as firewalls, routers, or caches, it may be
desirable to send the return data back through the same device from which
the connection originated. This can be used to spread the load among
outbound devices, or to assure that connections go through the same device,
such as a proxy, cache, firewall, or VPN router. You can do this by defining a
pool that contains the list of devices from which the connections are received,
and then associating the pool with a virtual device using the lasthop keyword.
Figure 2: Transparent Device Persistence (Firewall Sandwich)
Summary
The BIG/ip Controller, an extremely robust and flexible product, enriches your
network security by cooperatively working with firewall products, router ACLs,
mail filters, and content filters. While F5 does not actively market the BIG/ip
Controller as a firewall or security device, many customers are using its
numerous security features to provide a highly scalable, available and secure
Internet site - more important than ever given recent events.
Text zur Anzeige gekürzt. Gesamten Beitrag anzeigen »
