Technical Article The New Data Center Firewall Paradigm January 24, 2012 by David Holmes 1101 article firewall security tradsec us 0 Blogging is a joy – it can be all the fun parts of writing, which is probably why people do it so much. But another part of my life is writing technical marketing pieces. Position papers are just as applicable for the same audience (perhaps more so) but the tone is different, and part of that is showing off one’s ability to express language at a higher level. Here is a piece that I collaborated on with Lori MacVittie. You don’t have to read between the lines on this one; we are coming right out and saying that there’s a new way to think about Data Center Firewalls. The increasing sophistication, frequency and diversity of today’s network attacks are overwhelming conventional stateful security devices at the edge of the data center. A new data center architecture based on the firewall services of F5 BIG-IP Local Traffic Manager (LTM) effectively combats modern attacks while providing significant capital expenditure (CapEx) savings. In most organizations, firewalls are the first line of defense for web and application services. The firewall is, and has been, the primary foundation around which conventional network security architectures are built. Effective protection of critical business services has been accomplished primarily by controlling access via often simple but powerful access controls: the data center firewall. The conventional architecture has matured so that many security standards require the deployment of certified firewalls. For example, any data center that processes credit card numbers must comply with the Payment Card Industry (PCI) standard, which requires a network firewall. The de facto standard referenced by PCI auditors is the International Computer Security Association (ICSA) Network Firewall, which defines a short list of firewalls that can be used for card processing purposes. This compliance requirement reinforces the use of the mature data center firewall architecture. But maturity implies age, and the data center firewall is beginning to show its limitations in detecting and repelling modern attacks. Attacks targeted at the application or network layers are causing failures of these stateful—and often expensive—firewalls, and the number of such attacks is growing. These firewall failures are particularly disconcerting in light of the circumstances enabling attackers. While the Anonymous and LulzSec attacks were tightly focused and required pre-planning on the part of the attackers, the bulk of attacks today require no such preparation, thanks to the creation of a vast pool of resources upon which attackers can draw to overwhelm their chosen targets. The lack of legal oversight in emerging technology powers such as China and India has enabled the establishment of massive botnets capable of being leased on a moment’s notice. Until nations and organizations reach a consensus that empowers legal action to disable these networks, attackers will continue to draw upon them to carry out more attacks. These increasingly diverse attacks involving multiple layers of the network stack are causing firewall failures with alarming frequency. As a result, traditional firewall services alone are insufficient for detecting attacks and subsequently preventing business disruption. It is necessary to also employ capabilities at the application layer to halt attacks that take advantage of application-layer protocols and behaviors. Conventional Firewall Limitations Firewalls are rated by data throughput—for example, 1 Gbps or 4 Gbps — and this makes it easy to match a purchase to the size of the ingress pipe. But bulk throughput is not the real story. During a distributed denial-of-service (DDoS) attack, it’s not just bulk throughput that matters; it’s how the device can handle concurrent connections and connections per second. For example, a typical $50,000 conventional firewall claims a throughput of 10 Gbps, which should be sufficient for a small- to medium-sized attack. But this class of firewalls can only handle between 1 and 2 million concurrent connections. It is no secret that the WikiLeaks attackers of 2010, using only a single botnet, easily generated more than 2 million concurrent connections, tipping over firewalls across the United States. A conventional firewall with the next level of concurrent-connection performance (4 to 10 million connections per second) requires a step up the price ladder into the $100,000 to $150,000 tier. The story is the same for connections per second. When a conventional firewall performs stateful inspection, it incurs a performance penalty for each TCP session set up. This limits the performance of the firewall for incoming connections. In the $50,000 price bracket, a typical conventional firewall can handle 50 to 100,000 new connections per second. Attackers are aware of these firewall limitations, and modern attacks are designed to exploit them. The resulting firewall failures are not uncommon, unfortunately, as industry analysts have noted. Indeed, these failures may be the reason a mere 8 percent of respondents in a September 2011 security survey indicated that traditional secure measures such as firewalls were sufficient to provide network security. Consequently, data center firewalls are being removed or, more often, simply depreciated instead of being refreshed. Another limitation of the conventional firewall deployment architecture is its ability to handle the breadth of today’s threat spectrum, which encompasses the entire network and application ecosystem. Solutions intended to mitigate these wide-ranging threats have traditionally been deployed separately, with specific technology to address attacks in logical groupings, such as application, network, and DDoS attacks. These disconnected solutions from multiple vendors increase overall management complexity and, of course, incur significant capital and operational expenditures. When considering the edge of the modern data center, customers are questioning paying any price for a conventional firewall that does little more than pass traffic through port 80, add latency, and incur expense and exposure. Nimble firms, especially startups and those sites without PCI requirements, have been able to run without conventional firewalls for some time. Companies reliant on Web 2.0 and other data center transactions increasingly benefit from a new data center architecture fronted by an integrated security device. A New Data Center Architecture The F5 Networks approach to the firewall problem converges security services into a single set of Application Delivery Controllers (ADCs) at the edge of the data center. With version 11.1, F5 BIG-IP® Local Traffic Manager™ (LTM) achieves ICSA network firewall certification. The significance of this critical certification is that, for the first time, BIG-IP LTM, BIG-IP® Global Traffic Manager™ (GTM), and BIG-IP® Application Security Manager™ (ASM) can be placed strategically at the edge of the data center while still maintaining a proper security posture and compliance for the organization. The significance of this change becomes apparent in light of current changes to the well-known “firewall sandwich” architecture. In the old sandwich architecture, conventional firewalls were required, but due to their limited capacity, they would have to be deployed in parallel with a set of BIG-IP LTM devices to load balance incoming connections. The traffic that passed through the firewalls would be sent back to the same BIG-IP LTM devices (or a second set, thus the sandwich metaphor) for proper application delivery control. Now that BIG-IP LTM itself has an ICSA certification, the parallel firewalls (the meat of the sandwich) can be depreciated and eliminated, substantially reducing the number of devices but providing the same overall capacity, compliance, and protection from attack. BIG-IP LTM makes this architecture possible because of its native firewall services, which can provide network-layer protection with a much higher connection capacity than traditional firewalls. BIG-IP LTM can handle up to 48 million connections, managing them with various timeout behaviors, buffer sizes, and other security-focused options when under attack. This capacity enables BIG-IP LTM to manage the volume of a traffic onslaught while performing the port and IP-based access control services typically provided by a stateful firewall. Native Application Protocol Fluency In addition, BIG-IP LTM can help halt attacks that take advantage of application layer protocols and behaviors. Because BIG-IP LTM is fluent in application protocols, it can monitor and act on behavior, not just specifications and standards. BIG-IP LTM decodes IPv4, IPv6, TCP, HTTP, SIP, DNS, SMTP, FTP, Diameter, and RADIUS communications, enabling more sophisticated analysis based on protocol as well as payload. This allows BIG-IP LTM to detect anomalies indicating an attack in progress and to take appropriate action. For example, BIG-IP LTM can detect the number of layer 7 connections per second, per client, and impose various rate-limiting schemes that have proven effective in mitigating layer 7 attacks. This native protocol fluency also ensures enforcement of protocol compliance, mitigating attacks that seek to leverage vulnerabilities introduced by lax interpretation of the protocol. The combination of protocol compliance and F5’s full-proxy architecture results in a unique DDoS mitigation solution. The native aspect of the protocol compliance enforcement is significant. The programmatic ability of the F5 iRules® scripting language provides a flexible means of enforcing protocol functions on both standard and emerging or custom protocols. Using iRules, BIG-IP LTM can be directed to enforce protocol compliance and perform rate limiting, response injection, and traffic steering and related actions. Security teams are finding that the flexibility of iRules enables them to mitigate a broad range of security solutions: With iRules, BIG-IP LTM can help build a fingerprint-cloaking profile for application servers by obfuscating server and OS headers and rewriting outbound HTTP response codes (such as 301, 401, and 501 errors). For transport layer security, iRules can reach deep into the SSL/TLS protocol stack, mitigating protocol attacks such as 2010’s SSL renegotiation vulnerability, in which a single handset can attack a secure server. Using iRules, organizations can react quickly to application vulnerabilities for which a patch has not yet been released. Mitigating iRules can be developed in-house, sourced from F5’s global DevCentral™ development community, or even published from F5 product development. The Apache Killer3 vulnerability, for example, was addressed by an iRule from the F5 security team weeks before an official solution was published by the Apache Server Foundation. Advanced DNS Protection For advanced DNS protection beyond that natively provided by version 11.1 of BIG-IP LTM, BIG-IP GTM adds iRules support, increasing the native fluency and compliance protection for the DNS protocol. BIG-IP GTM was the first commercial global traffic manager to support the Domain Name System Security Extensions (DNSSEC), thereby providing protection from cache-poisoning and man-in-the-middle attacks. Add the DNS Express™ feature of BIG-IP GTM to protect vital DNS services from denial-of-service (DoS) attacks. Advanced Web Application Protection For advanced web application security, the integrated BIG-IP ASM module provides web application firewall (WAF) services to secure individual applications against the Open Web Application Security Project (OWASP) Top 10 attacks, such as cross-site scripting (XSS), cross-site request forgeries (CSRF), and SQL injections. BIG-IP ASM is the only web application firewall with a learning mode that enables it to become aware of an application’s normal input parameters and reject attacks that don’t fit the normal traffic pattern. BIG-IP ASM also fulfills the critical WAF requirement in the PCI 2.0 specification. Web Access Management BIG-IP® Access Policy Manager™ (APM) is the final component of the new data center firewall paradigm. Many web applications need to limit certain users’ access, and BIG-IP APM supports this requirement with multi-factor authentication, authorization, and single sign-on (SSO) services. Dynamic access control into the data center is enforced using level 4 and level 7 access control lists (ACLs) derived from contextual information such as user identity, endpoint inspection results, geo-location, and any attribute pulled from a directory store. BIG-IP APM performs exceptionally by enforcing ACLs at forwarding speeds of up to 72 Gbps, supporting thousands of logins per second, and scaling to 100,000 concurrent users on a single platform. Cumulative Benefits The cumulative effect of these benefits (performance, protocol compliance, full-proxy architecture, access control, and iRules flexibility) is reduction of the overall threat surface. Having fewer, higher-capacity devices means fewer configurations and, ultimately, fewer battles to fight during an attack. IT staff can concentrate their defenses at a single point of control instead of doing the reboot dance as different devices fail up and down the security stack. This reduction of the threat surface works to mitigate the breadth of today’s threat spectrum, which encompasses not just the traditional network attacks, but also complex DDoS attacks and layer 7 vulnerabilities. An approach using F5 products consolidates security services for a superior defense against all three attack types (network, DDoS, and application) within a full-proxy architecture, something no conventional stateful firewall can provide. Conclusion Stateful firewalls have been the centerpiece of security at the edge of data centers for the past 25 years. But cracks are starting to appear in conventional firewall-based architectures as attackers use new techniques and global botnets to turn what used to be the defensive shield into a liability, exactly when that shield is needed most. The threat spectrum has significantly changed over time; traditional firewalls can mitigate simple network attacks, and so-called “next-generation” firewalls can address the outbound vulnerabilities of the enterprise data center. But only a new data center firewall architecture, one based on F5 products and featuring full-proxy, high connection-capacity ADCs at the edge of the network, can ensure standards-based compliance while significantly lowering CapEx by eliminating firewall devices and upgrades and maximizing other data center resources. Agile organizations are converging security services to address the three primary vectors of the modern data center threat spectrum: Traditional network attacks Complex DDoS attacks on HTTP and DNS Application-level vulnerabilities The new data center firewall paradigm addresses each of these vectors in a complete, integrated solution. Traffic management and network firewall services are managed by BIG-IP LTM. Deploy BIG-IP GTM to implement DNSSEC and DNS Express that protect vital DNS services from DoS and hijacking attacks, and deploy BIG-IP ASM to provide web application firewall services for the OWASP Top 10. Complete the solution with BIG-IP APM to provide secure web access management and SSO for applications. BIG-IP LTM thus becomes a modern threat mitigation platform that provides complete protection from the bottom to the top of the network stack. A security solution centered on F5 products enables organizations to implement a holistic, scalable security strategy capable of mitigating today’s most challenging attacks while remaining flexible enough to address those that will undoubtedly appear tomorrow. The Data Center Firewall Solution Guide Original piece as a PDF ICSA-Certified Network Firewall for Data Centers F5 BIG-IP Data Center Firewall – Overview BIG-IP Data Center Firewall Solution – SlideShare Presentation High Performance Firewall for Data Centers – Solution Profile The New Data Center Firewall Paradigm – White Paper Vulnerability Assessment with Application Security – White Paper Challenging the Firewall Data Center Dogma last modified: January 27, 2012 0 Comment(s): You must be logged in to post comments.