Security

5 Stages of a Data Breach

Pete Silva — Fri, 03 Feb 2012 00:53:19 GMT

One thing I’ve noticed over the last couple years is that there are 5 Stages of a Data Breach:

Denial: We do not believe these attacks breached our critical servers.

Anger: We want to make it clear that we take security seriously!

Bargaining: We’d like to offer our affected customers a credit monitoring service.

Depression: We wish we could have done things differently.

Acceptance: Well, it just shows that no one is safe from hackers.

Technorati Tags: F5, cyber-crime, trojan, Pete Silva, security, business, education, 5 stages, cyber war, hackers, breach, verisign, internet, security, privacy,

Connect with Peter:	Connect with F5:

Vulnerability Assessment with Application Security

Pete Silva — Tue, 31 Jan 2012 16:04:16 GMT

The longer an application remains vulnerable, the more likely it is to be compromised.

Protecting web applications is an around-the-clock job. Almost anything that is connected to the Internet is a target these days, and organizations are scrambling to keep their web properties available and secure. The ramifications of a breach or downtime can be severe: brand reputation, the ability to meet regulatory requirements, and revenue are all on the line. A 2011 survey conducted by Merrill Research on behalf of VeriSign found that 60 percent of respondents rely on their websites for at least 25 percent of their annual revenue.

And the threat landscape is only getting worse. Targeted attacks are designed to gather intelligence; steal trade secrets, sensitive customer information, or intellectual property; disrupt operations; or even destroy critical infrastructure. Targeted attacks have been around for a number of years, but 2011 brought a whole new meaning to advanced persistent threat. Symantec reported that the number of targeted attacks increased almost four-fold from January 2011 to November 2011.

In the past, the typical profile of a target organization was a large, well-known, multinational company in the public, financial, government, pharmaceutical, or utility sector. Today, the scope has widened to include almost any size organization from any industry. The attacks are also layered in that the malicious hackers attempt to penetrate both the network and application layers. To defend against targeted attacks, organizations can deploy a scanner to check web applications for vulnerabilities such as SQL injection, cross site scripting (XSS), and forceful browsing; or they can use a web application firewall (WAF) to protect against these vulnerabilities. However a better, more complete solution is to deploy both a scanner and a WAF. BIG-IP Application Security Manager (ASM) version 11.1 is a WAF that gives organizations the tools they need to easily manage and secure web application vulnerabilities with multiple web vulnerability scanner integrations.

As enterprises continue to deploy web applications, network and security architects need visibility into who is attacking those applications, as well as a big-picture view of all violations to plan future attack mitigation. Administrators must be able to understand what they see to determine whether a request is valid or an attack that requires application protection. Administrators must also troubleshoot application performance and capacity issues, which proves the need for detailed statistics. With the increase in application deployments and the resulting vulnerabilities, administrators need a proven multi-vulnerability assessment and application security solution for maximum coverage and attack protection. But as many companies also support geographically diverse application users, they must be able to define who is granted or denied application access based on geolocation information.

Application Vulnerability Scanners

To assess a web application’s vulnerability, most organizations turn to a vulnerability scanner. The scanning schedule might depend on a change control, like when an application is initially being deployed, or other factors like a quarterly report. The vulnerability scanner scours the web application, and in some cases actually attempts potential hacks to generate a report indicating all possible vulnerabilities. This gives the administrator managing the web security devices a clear view of all the exposed areas and potential threats to the website. It is a moment-in-time report and might not give full application coverage, but the assessment should give administrators a clear picture of their web application security posture. It includes information about coding errors, weak authentication mechanisms, fields or parameters that query the database directly, or other vulnerabilities that provide unauthorized access to information, sensitive or not. Many of these vulnerabilities would need to be manually re-coded or manually added to the WAF policy—both expensive undertakings.

Another challenge is that every web application is different. Some are developed in .NET, some in PHP or PERL. Some scanners execute better on different development platforms, so it’s important for organizations to select the right one. Some companies may need a PCI DSS report for an auditor, some for targeted penetration testing, and some for WAF tuning. These factors can also play a role in determining the right vulnerability scanner for an organization. Ease of use, target specifics, and automated testing are the baselines. Once an organization has considered all those details, the job is still only half done. Simply having the vulnerability report, while beneficial, doesn’t mean a web app is secure. The real value of the report lies in how it enables an organization to determine the risk level and how best to mitigate the risk. Since re-coding an application is expensive and time-consuming, and may generate even more errors, many organizations deploy a web application firewall like BIG-IP ASM.

A WAF enables an organization to protect its web applications by virtually patching the open vulnerabilities until it has an opportunity to properly close the hole. Often, organizations use the vulnerability scanner report to then either tighten or initially generate a WAF policy. Attackers can come from anywhere, so organizations need to quickly mitigate vulnerabilities before they become threats. They need a quick, easy, effective solution for creating security policies. Although it’s preferable to have multiple scanners or scanning services, many companies only have one, which significantly impedes their ability to get a full vulnerability assessment. Further, if an organization’s WAF and scanner aren’t integrated, neither is its view of vulnerabilities, as a non-integrated WAF UI displays no scanner data. Integration enables organizations both to manage the vulnerability scanner results and to modify the WAF policy to protect against the scanner’s findings—all in one UI.

Integration Reduces Risk

While finding vulnerabilities helps organizations understand their exposure, they must also have the ability to quickly mitigate found vulnerabilities to greatly reduce the risk of application exploits. The longer an application remains vulnerable, the more likely it is to be compromised. F5 BIG-IP ASM, a flexible web application firewall, enables strong visibility with granular, session-based enforcement and reporting; grouped violations for correlation; and a quick view into valid and attack requests. BIG-IP ASM delivers comprehensive vulnerability assessment and application protection that can quickly reduce web threats with easy geolocation-based blocking—greatly improving the security posture of an organization’s critical infrastructure.

BIG-IP ASM version 11.1 includes integration with IBM Rational AppScan, Cenzic Hailstorm, QualysGuard WAS, and WhiteHat Sentinel, building more integrity into the policy lifecycle and making it the most advanced vulnerability assessment and application protection on the market. In addition, administrators can better create and enforce policies with information about attack patterns from a grouping of violations or otherwise correlated incidents. In this way, BIG-IP ASM enables organizations to mitigate threats in a timely manner and greatly reduce the overall risk of attacks and solve most vulnerabilities.

With multiple vulnerability scanner assessments in one GUI, administrators can discover and remediate vulnerabilities within minutes from a central location. BIG-IP ASM offers easy policy implementation, fast assessment and policy creation, and the ability to dynamically configure policies in real time during assessment. To significantly reduce data loss, administrators can test and verify vulnerabilities from the BIG-IP ASM GUI, and automatically create policies with a single click to mitigate unknown application vulnerabilities.

Security is a never-ending battle. The bad guys advance, organizations counter, bad guys cross over—and so the cat and mouse game continues. The need to properly secure web applications is absolute. Knowing what vulnerabilities exist within a web application can help organizations contain possible points of exposure. BIG-IP ASM v11.1 offers unprecedented web application protection by integrating with many market-leading vulnerability scanners to provide a complete vulnerability scan and remediate solution. BIG-IP ASM v11.1 enables organizations to understand inherent threats and take specific measures to protect their web application infrastructure. It gives them the tools they need to greatly reduce the risk of becoming the next failed security headline.

Resources:

Technorati Tags: F5, big-ip, virtualization, cloud computing, Pete Silva, security, waf, web scanners, compliance, application security, internet, TMOS, big-ip, asm

Connect with Peter:	Connect with F5:

ICSA Certified Network Firewall for Data Centers

Pete Silva — Tue, 24 Jan 2012 13:46:02 GMT

The BIG-IP platform is now ICSA Certified as a Network Firewall.

Internet threats are widely varied and multi-layered. Although applications and their data are attackers’ primary targets, many attackers gain entry at the network layer. Internet data centers and public-facing web properties are constant targets for large-scale attacks by hacker/hactivist communities and others looking to grab intellectual property or cause a service outage. Organizations must prepare for the normal influx of users, but they also must defend their infrastructure from the daily barrage of malicious users.

Security administrators who manage large web properties are struggling with security because traditional firewalls are not meeting their fundamental performance needs. Dynamic and layered attacks that necessitate multiple-box solutions, add to IT distress. Traditional firewalls can be overwhelmed by their limited ability to scale under a DDoS attack while keeping peak connection performance for valid users, which renders not only the firewalls themselves unresponsive, but the web sites they are supposed to protect. Additionally, traditional firewalls’ limited capacity to interpret context means they may be unable to make an intelligent decision about how to deliver the application while also keeping services available for valid requests during a DDoS attack.

Traditional firewalls also lack specialized capabilities like SSL offload, which not only helps reduce the load on the web servers, but enables inspection, re-encryption, and certificate storage. Most traditional firewalls lack the agility to react quickly to changes and emerging threats, and many have only limited ability to provide new services such as IP geolocation, traffic redirection, traffic manipulation, content scrubbing, and connection limiting. An organization’s inability to respond to these threats dynamically, and to minimize the exposure window, means the risk to the overall business is massive. There are several point solutions in the market that concentrate on specific problem areas; but this creates security silos that only make management and maintenance more costly, more cumbersome, and less effective.

The BIG-IP platform provides a unified view of layer 3 through 7 for both general and ICSA required reporting and alerts, as well as integration with SIEM vendors. BIG-IP Local Traffic Manager offers native, high-performance firewall services to protect the entire infrastructure. BIG-IP LTM is a purpose-built, high-performance Application Delivery Controller designed to protect Internet data centers. In many instances, BIG-IP LTM can replace an existing firewall while also offering scale, performance, and persistence.

Performance: BIG-IP LTM manages up to 48 million concurrent connections and 72 Gbps of throughput with various timeout behaviors, buffer sizes, and more when under attack.
Protocol security: The BIG-IP system natively decodes IPv4, IPv6, TCP, HTTP, SIP, DNS, SMTP, FTP, Diameter, and RADIUS. Organizations can control almost every element of the protocols they’re deploying.
DDoS prevention capabilities: An integrated architecture enables organizations to combine traditional firewall layers 3 and 4 with application layers 5 through 7.
DDoS mitigations: The BIG-IP system protects UDP, TCP, SIP, DNS, HTTP, SSL, and other network attack targets while delivering uninterrupted service for legitimate connections.
SSL termination: Offload computationally intensive SSL to the BIG-IP system and gain visibility into potentially harmful encrypted payloads.
Dynamic threat mitigation: iRules provide a flexible way to enforce protocol functions on both standard and emerging or custom protocols. With iRules, organizations can create a zero day dynamic security context to react to vulnerabilities for which an associated patch has not yet been released.
Resource cloaking and content security: Prevent leaks of error codes and sensitive content.

F5 BIG-IP LTM has numerous security features so Internet data centers can deliver applications while protecting the infrastructure that supports their clients and, BIG-IP is now ICSA Certified as a Network Firewall.

Resources:

Technorati Tags: F5, big-ip, virtualization, cloud computing, Pete Silva, security, icsa, iApp, compliance, network firewall, internet, TMOS, big-ip, vCMP

Connect with Peter:	Connect with F5:

Security’s Rough Ride

Pete Silva — Tue, 17 Jan 2012 21:59:30 GMT

1 if by land, 2 of by sea, 0 if by IP

I know I’ve said this before but it sure seems like almost daily there is a security breach somewhere. Over the years, the thought process has changed from prevent all attacks to, it is inevitable that we will be breached. The massive number of attacks occurring daily makes it a statistical reality. Now organizations are looking for the right solution (both technology and practice) to quickly detect a breach, stop it, identify what occurred and what data may have been compromised. Over the last couple of days various entities have had their security breached.

As you are probably already aware either due to the headlines or a direct note in your email inbox, Zappos, a popular online shoe site, was compromised exposing information on 24 million customers. While a good bit of info was taken, like usernames, passwords, addresses, email and other identifiable information, Zappos claims that the stored credit card information was apparently spared due to being encrypted. There are still many details that are unknown like how it occurred and how long it had been exposed but all users are being required to change their passwords immediately. Users might also want to change similar passwords on other websites since I’m sure the criminals are already trying those stolen passwords around the web. These days it's entirely too easy to use information from one hack in many others. It doesn't even matter if passwords were compromised. Your can change your password, but the make and model of your first car, and your mother's maiden name can't be changed. Yet, online service providers continue to rely on these relatively weak forms of secondary authentication. The interesting thing is Zappos is/was apparently PCI-DSS compliant, proving once again, PCI compliance is a first step, not the goal. Being PCI compliance does not mean that one is secure and this also underscores importance of using WAF like BIG-IP ASM. And if it was not a web app that was owned on the server in Kentucky, then Section 6.6 is irrelevant. But again, all the details are still to be uncovered and as far as I know, no-one has claimed responsibility.

Overseas, there is an ongoing cyber-war between a Saudi (reported) hacker and Israel. 0xOmar, as news articles have identified him, claims to have posted details of 400,000 Israeli-owned credit cards and Israel’s main credit card companies have admitted that 20,000 cards have been exposed. Along the way, he has also attacked the Tel Aviv Stock Exchange and Bank Massad. In an interesting and potentially scary turn of events, a group of Israeli hackers, IDF-Team, took down the Saudi Stock Exchange (Tadawul) and the Abu Dhabi Securities Exchange (ADX) as a counter-attack. Another Israeli hacker going by Hannibal claims to have 30 million Arab e-mail addresses, complete with passwords (including Facebook passwords), and says he’s received e-mails not only from potential victims but from officials in France and other countries asking him to stop. This cyber-conflict is escalating.

In a very different type of breach, you’ve probably also seen the cruise ship laying on it’s side a mere 200 yards from the Italian shore. While not necessarily a data security story, it is still a human security story that, so far, has been attributed to human error – like many data security breaches. Like many data breach victims, people put their trust in another entity. Their internal risk-analysis tells them that it is relatively safe and the probability of disaster is low. But when people make bad decisions which seems the case in this situation, many others are put at greater risk.

Put on your virtual life vests, 2012 is gonna be a ride.

References:

Technorati Tags: F5, cyber-crime, trojan, Pete Silva, security, business, education, technology, application delivery, cruise, cyber war, ddos, hackers, iPhone, web, internet, security, breach, privacy, PCI-DSS,

Connect with Peter:	Connect with F5:

Cloud Security With FedRAMP

Pete Silva — Tue, 10 Jan 2012 19:10:34 GMT

Want to provide Cloud services to the federal government? Then you’ll have to adhere to almost 170 security controls under the recently announced Federal Risk and Authorization Management Program. The program, set to go live in June, is designed to analyze/audit cloud computing providers for federal government agencies, expedite security clearances for cloud providers and foster the adoption of cloud computing by the Federal government. FedRAMP is meant to provide a baseline for low to moderate risk systems and is based on the NIST cyber-security Special Publication 800-53 Revision 3. FedRAMP provides an overall checklist for handling risks associated with Web services that would have a limited, or serious impact on government operations if disrupted. Cloud providers must implement these security controls to be authorized to provide cloud services to federal agencies. The government will forbid federal agencies from using a cloud service provider unless the vendor can prove that a FedRAMP-accredited third-party organization has verified and validated the security controls. Once approved, the cloud vendor would not need to be ‘re-evaluated’ by every government entity that might be interested in their solution. There may be instances where additional controls are added by agencies to address specific needs.

Independent, third-party auditors are tasked with testing each product/solution for compliance which is intended to save agencies from doing their own risk management assessment. Details of the auditing process are expected early next month but includes a System Security Plan that clarifies how the requirements of each security control will be met within a cloud computing environment. Within the plan, each control must detail the solutions being deployed such as devices, documents and processes; the responsibilities of providers and government customer to implement the plan; the timing of implementation; and how solution satisfies controls. A Security Assessment Plan details how each control implementation will be assessed and tested to ensure it meets the requirements and the Security Assessment Report explains the issues, findings, and recommendations from the security control assessments detailed in the security assessment plan. Ultimately, each provider must establish means of preventing unauthorized users from hacking the cloud service.

The regulations allow the contractor to determine which elements of the cloud must be backed up and how frequently. Three backups are required, one available online. All government information stored on a provider's servers must be encrypted. When the data is in transit, providers must use a "hardened or alarmed carrier protective distribution system," which detects intrusions, if not using encryption. Since cloud services may span many geographic areas with various people in the mix, providers must develop measures to guard their operations against supply chain threats. Also, vendors must disclose all the services they outsource and obtain the board's approval to contract out services in the future.

More details of the FedRAMP program will be available from the General Services Administration by February 8th, but they have already started accepting applications for third party assessment vendors.

Resources:

Technorati Tags: F5, federal government, integration, cloud computing, Pete Silva, security, business, fedramp, technology, nist, cloud, compliance, regulations, web, internet

Connect with Peter:	Connect with F5:

355 Shopping Days Left

Pete Silva — Wed, 04 Jan 2012 15:14:48 GMT

After just being bombarded with the endless options of gifts for your loved ones, a simple reminder that the next blitz is just around the corner. And you are a target. 2011 started relatively tame for breaches but when hacktivism and a few other entities decided to take hold, it became a massive year for lost data. From retail to healthcare to government to schools to financial institutions – no one was immune. Household names like Sony, RSA, Lockheed and Sega were all hit. Privacy Rights Clearinghouse reports that 535 security breaches in 2011 exposed 30 million sensitive records to identity thieves and other rip-off artists. Since 2005, 543 million records have been breached – almost double the US population and about 7% of the entire world’s population. Looking at the entire Privacy Rights Clearinghouse list is staggering both in numbers and names.

It might not get better any time soon. Since mobile devices have become fixed appendages and continue to dominate many areas of our lives (phone, entertainment, email, GPS, banking, work, etc), the crooks will look for more ways to infiltrate that love affair. I suspect that mobile financial (payment/banking) apps will get a lot of attention this year as will malware laced apps. Our health information is also at risk. Medical records are being digitized. A 2009 stimulus bill included incentives for doctors and hospitals who embrace electronic health records. The CDC saw a 12% increase from last year – now 57% of office-based physicians use electronic health records. The inadvertent result is that the number of reported breaches is up 32% this year according to Ponemon Institute. That cost the health care industry somewhere in the neighborhood of $6.5 Billion. Now you might think that you have less control over a health provider’s systems than your own mobile device. While mostly true, close to half of those case involved a lost or stolen phone or personal computer. Some sort of human element involved.

It is really up to each of us to practice safe computing and, if you’re knowledgeable, share insight with those who are not tech savvy. Yes, you can be the most cautious internet citizen and still be a victim due to someone else’s mistake, oversight or vulnerability. Even so, it is still important to be aware and do what you can. For centuries we’ve been physically protecting our property, neighbors, towns, identity and anything else important to us. At times, the thieves, enemies and otherwise unwanted still got in and created havoc. Advances and admissions, plus the value of whatever needed protection kept the battle going. It continues today in the digital universe.

References

Technorati Tags: F5, banking, trojan, Pete Silva, security, business, education, technology, application delivery, ipad, cloud, context-aware, mobile, iPhone, web, internet, security, android, privacy, smartphone,

Connect with Peter:	Connect with F5:

F5 Security Vignette Series

Pete Silva — Thu, 15 Dec 2011 18:24:47 GMT

Over the last couple weeks, we’ve been rolling out a series of short Security Vignette videos about various IT security challenges. We’ve posted them to the F5News blog account but also wanted to share in case you missed them. If we were going to sum up the role of security in corporate IT today we'd have to say it's to "be prepared." This series looks at many of those security concerns which can be addressed proactively, before they are exploited or become a fire drill.

F5 Security Vignette: Proactive Security - The F5 Security Vignette series looks at various security concerns, vulnerabilities and attacks which can cause headaches for Corporate IT and the business integrity overall. This video covers SSL Certificates.
F5 Security Vignette: DNSSEC Wrapping - The dirty little secret of the Internet is how insecure DNS really is. The good news is, there's a solution -- DNSSEC. It secures the DNS query and response process.
F5 Security Vignette: Hacktivism Attack – DDoS and other targeted attacks.
F5 Security Vignette: SSL Renegotiation - The premise of the SSL Renegotiation DOS attack is simple: "An SSL/TLS handshake requires at least 10 times more processing power on the server than on the client". If a client machine and server machine were equal in RSA processing power, the client could overwhelm the server by sending ten times as many SSL handshake requests as the server could service. The counter measure against the attacks was to write an iRule to limit renegotiation requests to 5 per minute per session.
F5 Security Vignette: Credit Card iRule - The consequences of exposing hundreds of thousands of customer credit card numbers is unthinkable. Fines, lawsuits, damaged brand -- the effects can be catastrophic. Even if it was accidental, the effect would be the same.
F5 Security Vignette: Apache HTTP RANGE Vulnerability - When we hear about an Apache vulnerability, it gets our attention. In this case the issue was the way Apache handles HTTP RANGE headers, which are used to request individual sub-ranges of a given response, instead of the entire response. The problem is that responding to an HTTP RANGE request is computationally expensive. A simple iRule fixes this.
F5 Security Vignette: iHealth - Security is a never ending battle. The bad guys advance, we counter, they cross over ... you're just never done. To give our side an edge we do a lot of research.
Security is our Job
F5 YouTube Feed

Technorati Tags: F5, cyber security, predictions, 2012, Pete Silva, security, mobile, vulnerabilities, crime, social media, hacks, internet, identity theft, F5 News, security, web application security, apache, HTTP, threat mitigation, video

Connect with Peter:	Connect with F5:

2012 IT Staffing Crisis?

Pete Silva — Mon, 12 Dec 2011 20:47:14 GMT

After just proclaiming, a mere four days ago in The Top 10, Top Predictions for 2012, that I wouldn’t predict anything for 2012 and simply would repurpose other’s predictions, I offer this prognosis.

An area I have been thinking about recently is the availability of IT personnel, or lack thereof in 2012. It began with a conversation with a F5 colleague and a simple premise: Information Technology personnel seem to be in demand. We have read stories to this effect, and even anecdotally realized that times are not that bad for IT careers, despite the financial crisis. Sure, many were laid off from failing startups or collapsing banks a couple years ago, but many seemed to get new jobs rather quickly, and many of us get a few job solicitations every month.

In researching the real statistics on IT unemployment (from Help Desk to System Admins to Developers to Business Analysts), we realized how much of an understatement the premise was:

Dice.com, May, 2011: 3.8% IT unemployment - 65% of hiring managers anticipated hiring more technology professions in 2H 2011, and 49% said they were paying more in salary this year than last year.

Bureau of Labor Statistics, June 2011: 3.3% IT unemployment – Expects IT employment to grow ‘much faster than the average of all occupations’ through 2018.

Bureau of Labor Statistics, July 9th, 2011: 3.3% IT unemployment - Information Security Analyst unemployment: ZERO. Network Architect unemployment: 0.2%

Consider that the economy has not really recovered from the crash, and that many companies downsized or went out of business altogether. 5% unemployment is generally considered to be "full employment"; 3.3% is typically unhealthy for business growth. When our economy gets through this difficult period, where are companies going to find IT workers? But more specific, what does this mean?

I think that operating expenses is going to be an increasingly difficult problem for everyone, in every industry. Besides paying serious money to lure IT people away from other companies, employers are going to start paying serious money to protect the IT resources they already have. When you are an IT manager, every system you consider for implementation has two costs – the upfront cost, and how much of a resource it will take to manage it, the classic CapEx and OpEx. If you produce a solution that does not require additional headcount to manage, or actually reduces headcount, you can save OpEx for a lot of companies. Even if ProductX costs $100k, that's only the price of one IT guy for one year. And that price is going up day by day.

iApps in BIG-IP v11 is a great step toward reducing OpEx, and evening the bar of who and what knowledge is needed to deploy our solution. Evening the bar of what skill set is needed is vitally important, because most companies can at least find some System Admins (2.8% unemployment) but may not find a Network Architect or InfoSec guy to implement the apps on the BIG-IP. The WhiteHat integration with BIG-IP ASM is similarly great, especially to those who implement the solution. Many organizations are unable to devote enough resources to managing a WAF, plus they can't find the InfoSec personnel anyway since their unemployment rate is ZERO and has been for a few years. The integration allows those with minimal security experience the ability to build a solid web application security policy. Often, simply feeling comfortable with an appliance is all that’s needed for IT staff to give it attention.

The coming or currently unfolding (?) IT HR crisis will matter to many organizations over the next few years. Interestingly, while I was writing this, a tweet arrived asking, ‘@wimremes: random thought : do you (still) rely on recruiters or do you use your own network to find the right people for a job?’ I’m really not sure exactly how it will play out but simply something to think about.

References:

Technorati Tags: F5, cyber security, predictions, 2012, Pete Silva, security, mobile, labor, jobs, social media, staffing, employment, internet, identity theft

Connect with Peter:	Connect with F5:

A Blog of Thanks

Pete Silva — Mon, 21 Nov 2011 16:50:58 GMT

With the shortened Thanksgiving holiday work week, I had a blog ready but thought I’d just thank all of you for reading, watching and listening to the various pieces of content I produce. I do appreciate it!

Technorati Tags: blog, social media, comscore, music, statistics, blog traffic, web traffic, digital media, mobile device, analytics, video

Connect with Peter:	Connect with F5:

F5 BIG-IP Platform Security

Pete Silva — Tue, 15 Nov 2011 19:46:49 GMT

When creating any security-enabled network device, development teams must fully investigate security of the device itself to ensure it cannot be compromised. A gate provides no security to a house if the gap between the bars is large enough to drive a truck through. Many highly effective exploits have breached the very software and hardware that are designed to protect against them. If an attacker can breach the guards, then they don’t need to worry about being stealthy, meaning if one can compromise the box, then they probably can compromise the code. F5 BIG-IP Application Delivery Controllers are positioned at strategic points of control to manage an organization’s critical information flow. In the BIG-IP product family and the TMOS operating system, F5 has built and maintained a secure and robust application delivery platform, and has implemented many different checks and counter-checks to ensure a totally secure network environment. Application delivery security includes providing protection to the customer’s Application Delivery Network (ADN), and mandatory and routine checks against the stack source code to provide internal security—and it starts with a secure Application Delivery Controller.

The BIG-IP system and TMOS are designed so that the hardware and software work together to provide the highest level of security. While there are many factors in a truly secure system, two of the most important are design and coding. Sound security starts early in the product development process. Before writing a single line of code, F5 Product Development goes through a process called threat modeling. Engineers evaluate each new feature to determine what vulnerabilities it might create or introduce to the system. F5’s rule of thumb is a vulnerability that takes one hour to fix at the design phase, will take ten hours to fix in the coding phase and one thousand hours to fix after the product is shipped—so it’s critical to catch vulnerabilities during the design phase. The sum of all these vulnerabilities is called the threat surface, which F5 strives to minimize. F5, like many companies that develop software, has invested heavily in training internal development staff on writing secure code. Security testing is time-consuming and a huge undertaking; but it’s a critical part of meeting F5’s stringent standards and its commitment to customers.

By no means an exhaustive list but the BIG-IP system has a number of features that provide heightened and hardened security: Appliance mode, iApp Templates, FIPS and Secure Vault

Appliance Mode

Beginning with version 10.2.1-HF3, the BIG-IP system can run in Appliance mode. Appliance mode is designed to meet the needs of customers in industries with especially sensitive data, such as healthcare and financial services, by limiting BIG-IP system administrative access to match that of a typical network appliance rather than a multi-user UNIX device. The optional Appliance mode “hardens” BIG-IP devices by removing advanced shell (Bash) and root-level access. Administrative access is available through the TMSH (TMOS Shell) command-line interface and GUI. When Appliance mode is licensed, any user that previously had access to the Bash shell will now only have access to the TMSH. The root account home directory (/root) file permissions have been tightened for numerous files and directories. By default, new files are now only user readable and writeable and all directories are better secured.

iApp Templates

Introduced in BIG-IP v11, F5 iApps is a powerful new set of features in the BIG-IP system. It provides a new way to architect application delivery in the data center, and it includes a holistic, application-centric view of how applications are managed and delivered inside, outside, and beyond the data center. iApps provide a framework that application, security, network, systems, and operations personnel can use to unify, simplify, and control the entire ADN with a contextual view and advanced statistics about the application services that support business. iApps are designed to abstract the many individual components required to deliver an application by grouping these resources together in templates associated with applications; this alleviates the need for administrators to manage discrete components on the network. F5’s new NIST 800-53 iApp Template helps organizations become NIST-compliant. F5 has distilled the 240-plus pages of guidance from NIST into a template with the relevant BIG-IP configuration settings—saving organizations hours of management time and resources.

Federal Information Processing Standards (FIPS)

Developed by the National Institute of Standards and Technology (NIST), Federal Information Processing Standards are used by United States government agencies and government contractors in non-military computer systems. FIPS 140 series are U.S. government computer security standards that define requirements for cryptography modules, including both hardware and software components, for use by departments and agencies of the United States federal government. The requirements cover not only the cryptographic modules themselves but also their documentation. As of December 2006, the current version of the standard is FIPS 140-2. A hardware security module (HSM) is a secure physical device designed to generate, store, and protect digital, high-value cryptographic keys. It is a secure crypto-processor that often comes in the form of a plug-in card (or other hardware) with tamper protection built in. HSMs also provide the infrastructure for finance, government, healthcare, and others to conform to industry-specific regulatory standards. FIPS 140 enforces stronger cryptographic algorithms, provides good physical security, and requires power-on self tests to ensure a device is still in compliance before operating. FIPS 140-2 evaluation is required to sell products implementing cryptography to the federal government, and the financial industry is increasingly specifying FIPS 140-2 as a procurement requirement. The BIG-IP system includes a FIPS cryptographic/SSL accelerator—an HSM option specifically designed for processing SSL traffic in environments that require FIPS 140-1 Level 2–compliant solutions.

Many BIG-IP devices are FIPS 140-2 Level 2–compliant. This security rating indicates that once sensitive data is imported into the HSM, it incorporates cryptographic techniques to ensure the data is not extractable in a plain-text format. It provides tamper-evident coatings or seals to deter physical tampering. The BIG-IP system includes the option to install a FIPS HSM (BIG-IP 6900, 8900, 11000, and 11050 devices). BIG-IP devices can be customized to include an integrated FIPS 140-2 Level 2–certified SSL accelerator. Other solutions require a separate system or a FIPS-certified card for each web server; but the BIG-IP system’s unique key management framework enables a highly scalable secure infrastructure that can handle higher traffic levels and to which organizations can easily add new services. Additionally the FIPS cryptographic/SSL accelerator uses smart cards to authenticate administrators, grant access rights, and share administrative responsibilities to provide a flexible and secure means for enforcing key management security.

Secure Vault

It is generally a good idea to protect SSL private keys with passphrases. With a passphrase, private key files are stored encrypted on non-volatile storage. If an attacker obtains an encrypted private key file, it will be useless without the passphrase. In PKI (public key infrastructure), the public key enables a client to validate the integrity of something signed with the private key, and the hashing enables the client to validate that the content was not tampered with. Since the private key of the public/private key pair could be used to impersonate a valid signer, it is critical to keep those keys secure. Secure Vault, a super-secure SSL-encrypted storage system introduced in BIG-IP version 9.4.5, allows passphrases to be stored in an encrypted form on the file system. In BIG-IP version 11, companies now have the option of securing their cryptographic keys in hardware, such as a FIPS card, rather than encrypted on the BIG-IP hard drive.

Secure Vault can also encrypt certificate passwords for enhanced certificate and key protection in environments where FIPS 140-2 hardware support is not required, but additional physical and role-based protection is preferred. In the absence of hardware support like FIPS/SEEPROM (Serial (PC) Electrically Erasable Programmable Read-Only Memory), Secure Vault will be implemented in software. Even if an attacker removed the hard disk from the system and painstakingly searched it, it would be nearly impossible to recover the contents due to Secure Vault AES encryption.

Each BIG-IP device comes with a unit key and a master key. Upon first boot, the BIG-IP system automatically creates a master key for the purpose of encrypting, and therefore protecting, key passphrases. The master key encrypts SSL private keys, decrypts SSL key files, and synchronizes certificates between BIG-IP devices. Further increasing security, the master key is also encrypted by the unit key, which is an AES 256 symmetric key. When stored on the system, the master key is always encrypted with a hardware key, and never in the form of plain text. Master keys follow the configuration in an HA (high-availability) configuration so all units would share the same master key but still have their own unit key. The master key gets synchronized using the secure channel established by the CMI Infrastructure as of BIG-IP v11. The master key encrypted passphrases cannot be used on systems other than the units for which the master key was generated. Secure Vault support has also been extended for vCMP guests. vCMP (Virtual Clustered Multiprocessing) enables multiple instances of BIG-IP software to run on one device. Each guest gets their own unit key and master key. The guest unit key is generated and stored at the host, thus enforcing the hardware support, and it’s protected by the host master key, which is in turn protected by the host unit key in hardware.

Finally

F5 provides Application Delivery Network security to protect the most valuable application assets. To provide organizations with reliable and secure access to corporate applications, F5 must carry the secure application paradigm all the way down to the core elements of the BIG-IP system. It’s not enough to provide security to application transport; the transporting appliance must also provide a secure environment. F5 ensures BIG-IP device security through various features and a rigorous development process. It is a comprehensive process designed to keep customers’ applications and data secure. The BIG-IP system can be run in Appliance mode to lock down configuration within the code itself, limiting access to certain shell functions; Secure Vault secures precious keys from tampering; and optional FIPS cards ensure organizations can meet or exceed particular security requirements. An ADN is only as secure as its weakest link. F5 ensures that BIG-IP Application Delivery Controllers use an extremely secure link in the ADN chain.

Resources:

Technorati Tags: F5, PCI DSS, virtualization, cloud computing, Pete Silva, security, coding, iApp, compliance, FIPS, internet, TMOS, big-ip, vCMP

Connect with Peter:	Connect with F5: