But it can be challenging to deliver on those expectations
- Complex app portfolios: 76% of organizations manage a complex portfolio spanning traditional and modern apps (Source: F5 State of Application Services Report, 2020)
- Security exposures: 300% increase in attacks on applications in the past two years (Source: F5 Labs Threat Research, 2019)
- Inadequate visibility: 100% of organizations lack adequate visibility into their applications and app portfolio (Source: qualitative feedback from F5's Customer Engagement Center briefings)
To overcome these challenges, F5 believes applications should be able to adapt. F5's vision is that an application, like a living organism, will naturally adapt based on its environment, becoming an adaptive application: it grows as needed, shrinks as needed, defends itself, and heals itself.
Application data path
The application data path is the pathway through which application traffic flows from the application business logic to reach a user.
Digital experience
Today's digital experiences are often stitched together from multiple application data paths spanning on-prem to edge.
Diagram: application business logic hosted in an on-premises data center, colocation, public cloud IaaS, and at the edge, reaching the user's device or browser.
Application security and delivery
Application security and delivery technologies sit along the application data path, between the application business logic and the user, to ensure secure and reliable access.
Application security and delivery technologies
Application security and delivery technologies are the foundation for fast and secure digital customer experiences.
- Application services sitting between the application and the end user: API gateway, web app firewall, ingress controller, app / web server, denial of service, anti-fraud & anti-bot, load balancer, secure access
- Security: secure app data, APIs, and traffic flows
- Delivery: ensure app availability and responsiveness
F5's value proposition
F5 powers applications from development through their entire life cycle, so you can deliver differentiated, high-performing, and secure digital experiences.
Broadest and deepest app services portfolio; industry-leading, advanced solutions
- Load balancing: local load balancing, global load balancing
- Security: web application firewall, SSL orchestration, anti-bot, L4 firewall, access management, DDoS protection
What do organizations care most about when deploying application services?
Organizations demand security and ease of use to accelerate time to value.
Q. When you are deploying application services, please select the primary and secondary characteristic desired of app services.
- Security 47%
- Ease of use 32%
- Cost 26%
- Performance 24%
- Ease of integration 17%
- Automation 21%
- Ease of CI/CD integration 8%
Source: F5 Labs
F5 security portfolio
F5 delivers end-to-end security for adaptive applications.
Diagram: traffic from attackers and legitimate users enters the data center through Silverline DDoS protection & DNS Sec, app layer security, SSL Orchestration with security service chains (NGFW; NGFW, DLP; NGFW, DLP, IPS), trusted application access, Shape Security, and F5 Cloud Services.
New approach to security: Zero Trust
Eliminates the idea of a trusted network inside a defined perimeter.
"A way to think about cyberthreats is to assume you have already been compromised; you simply don't know it yet. Zero Trust may seem stark, but it is the proactive, architectural approach to align with mission priorities."
Key points to enable Zero Trust:
- Apply least privilege access and scrutinize it as much as possible
- Assume attackers are already on the network and hiding in it
- Must get more context and visibility from the control points
Zero Trust principles
"Trust, but verify" is outdated and dangerous. Never trust; always verify; continuously monitor.
What are the control points to secure now?
There are four control points that must be secured for Zero Trust:
- Applications (cloud, on-premises, SaaS)
- Endpoints accessing apps
- The network
- Identity service
How does F5 help to secure each control point?
- Applications: app layer security (security at the app)
- Endpoints accessing apps: trusted application access (modern authentication for all apps)
- The network: app infrastructure security (network level protection)
- Identity service: partnerships with identity providers
F5 application security pillars
Our security investment areas to help with Zero Trust:
- App access: modern authentication for all apps
- Infrastructure: network level protection
- App layer: security at the app
- Fraud: better business outcomes
F5 application security pillars
Our security investment areas fit your deployment strategies: self managed, fully managed, or as-a-service.
- App access: modern authentication for all apps
- Infrastructure: network level protection
- App layer: security at the app
- Fraud: better business outcomes
F5 application security pillars: app access
Modern authentication for all apps:
- Single sign-on (SSO) & multi-factor authentication (MFA)
- Common access policies for hybrid
- Integration with modern Identity as a Service (IDaaS)
(The other pillars remain infrastructure: network level protection; app layer: security at the app; fraud: better business outcomes.)
Trusted application access
- Simplifies access to all applications: SSO and MFA support simplifies user and device access to classic and custom applications
- Supports multi-cloud app deployment: application metadata streamlines user access to multi-cloud applications
- Delivers flexible deployment options: supports multiple access use cases including SSL VPN, per-request app access, and more
- Streamlines compliance: gain continuous device posture assessments with enhanced visibility and troubleshooting capabilities
Diagram: users on mobile, Mac and MS Windows (including VPN) reach on-prem applications through APM acting as a reverse proxy with continuous posture assessment; APM acts as SAML SP with a SAML redirect to the IDaaS provider, consults directory services, and performs Kerberos / header-based SSO to the back-end applications.
Authentication, authorization, and SSO to all apps with F5 BIG-IP Access Policy Manager (APM)
- Simplified policy management
- Access control over third-party SaaS
- Context-aware policy enforcement
- Scalability and performance
F5 BIG-IP Access Policy Manager (APM)
The industry's most scalable access management proxy solution.
- Consolidates in a single platform: remote access, identity federation, identity aware proxy, API protection, enterprise mobility management (EMM), and virtual app access
- Protects against data loss, malware infection, and rogue device access
- Replaces web access proxy tiers for common applications, reducing infrastructure and management costs
F5 BIG-IP APM access management proxy solution
Features:
- Scales up to 2M users on a single device
- Centralizes single sign-on (SSO) and access control services
- Full proxy L4-L7 access control at BIG-IP speeds
- Adds endpoint inspection to the access policy
- Visual Policy Editor (VPE) provides policy-based access control
- VPE Rules: programmatic interface for custom access policies
Benefits:
- Consolidates authentication infrastructure
- Simplifies remote, web, application, and API access control and security
Top five app services for 2020
Security dominates the list of top five app services deployed today.
Q. Which of the following application services does your company currently deploy in an on-premises data center/private cloud or the public cloud? Select all that apply.
Chart: application services deployed on premises and in the public cloud. Source: F5 Labs
Remote access and application access challenges
An intelligent services platform sits between users and resources for:
- Enabling secure remote access to corporate resources from any network, from any device
- Ensuring secure and fast application performance for remote users
- Protecting network resources, applications, and data from malware, theft or hack, and/or rogue and unauthorized access
Fast, secure remote access
Consistent, context-based, secure access to any app, anywhere, anytime.
- Centralizes SSO / federation
- Leverages layer 4 / layer 7 access control lists (ACLs)
- Supports a robust ecosystem and integrations
- Seamlessly integrates with existing deployment
- Minimizes costs and simplifies user experience
Diagram: home / remote users reach private apps (classic / custom) in the on-premises data center, with authentication federated to an IDaaS.
Dynamic split tunneling
Alleviates bottlenecks to enhance performance and improve end user experience.
- Ensure real-time traffic won't be slowed down; easily manage what traffic goes through the VPN
- Dynamically exclude traffic from services like Zoom, Microsoft 365, or WebEx
- Use the Edge client across Apple macOS, Microsoft Windows, Linux platforms, and Chromebooks
Identity Federation
Apps reside anywhere / everywhere, and likely will for the foreseeable future
- 80%: the simplest enterprise workloads are in the process of migrating to the cloud, but the remaining 80% of workloads remain on-premises (Source: McKinsey & Co. for IBM)
- An average of 760 cloud-based (IaaS) apps per org
- An average employee uses at least 8 SaaS apps, and an average org of 1,000 employees uses 203 SaaS apps
- ~60% of IT decision makers believe apps that touch critical data and systems must remain on-premises for security reasons; 42% say they can't migrate off legacy systems because they're mission-critical
Simplifying application access is necessary today
Simple user access to any application requires:
- A centralized trusted source of user identity
- Centralized sign-on to every application
- Federating user identity across ALL apps
Diagram: an IDaaS federates identity to on-premises & custom apps (SAP HANA, Oracle, PeopleSoft, line of business, custom apps, using Kerberos-based, header-based, SAML, or OAuth / OIDC authentication) as well as SaaS and cloud-based apps.
Identity federation & single sign-on (SSO)
Centralizing access to ALL apps:
- Expands coverage of single sign-on (SSO) and federation
- Modernizes on-premises application access
- Enhances security
- Reduces overhead
- Simplifies deployment
Diagram: the IDaaS federates via SAML to the data center / on-premises, where classic & custom apps (SAP ERP, Oracle, PeopleSoft, line of business, custom) are reached through header-based, Kerberos, reverse proxy, RADIUS, NTLM, OAuth / OIDC, and other methods; cloud-based & SaaS apps are reached directly via SAML.
Complete, seamless application access
Expands seamless user experience to all apps:
- Expands coverage of single sign-on (SSO) and federation
- Modernizes on-premises application access
- Enhances security
- Reduces overhead
- Simplifies deployment
Diagram: for on-prem app access, the user is redirected (SAML redirect) to the SAML IdP, then reaches classic apps (SAP ERP, Oracle, PeopleSoft, line of business, custom) through a reverse proxy using Kerberos, header-based, RADIUS, NTLM, OAuth / OIDC, or other methods against directory services; for SaaS app access, the same SAML IdP redirect applies.
Enhance app security with risk-based access controls
Simplifies integration with leading MFA solutions. Seamlessly integrate with third-party MFA solutions from Duo (Cisco) and Okta:
- API-based integration with FIDO U2F protocols supports end user registration to a new device
- MFA integration supports the RADIUS authentication protocol
- Configure both identity and MFA app access policies via a single Okta dashboard
Identity Aware Proxy
Apps anywhere increases the attack surface
Applications that can reside nearly anywhere increase the risk of human error, credential theft and attack, and account takeover (ATO), and increase the threat surface.
Diagram: on-premises & custom apps (SAP HANA, Oracle, PeopleSoft, line of business, custom apps; Kerberos-based, header-based, SAML, OAuth / OIDC) alongside SaaS and cloud-based apps.
Identity aware proxy (IAP) delivers it
Seamless, secure application access is necessary today:
- User validation
- Device inspection
- Fine-grained authorization
- Secure authentication
- Third-party authentication / authorization
- Increased app access security
Context-aware policies
A vital part of identity aware proxy (IAP) and required for Zero Trust app access:
- Verify user identity
- Determine whether app access is time or date limited
- Check to ensure appropriate device
- Continuously check device posture
- Limit or halt access to the app from specific user locations, or insecure or inappropriate locations
- Confirm app integrity
- Increase security if the app is sensitive
- Ensure the network accessing the app is secure
- Validate the user's app access rights
- Other access controls and limits
F5 BIG-IP Access Policy Manager (APM) enables identity aware proxy, using a Zero Trust model
Validation for every access request:
- User identity
- Continuous device posture monitoring
- Contextual access
- Multi-factor authentication
- Step-up authentication
- IDaaS integration
Simplifying user and admin access:
- Third-party integration via APIs (HTTP Connector)
- Single sign-on to ALL apps
- Ephemeral authentication
Identity Aware Proxy enables Zero Trust app access
1. User requests app access; the proxy intercepts.
2. Verify the device state.
3. User is authenticated via on-prem (AAA) or IDaaS (Azure Active Directory in the diagram), then returns.
4. The proxy connects to a third-party UEBA (via HTTP Connector) to gather additional context about the user, device, etc.
5. Authenticated traffic is allowed through; user identity is passed to the application.
A Zero Trust operational model: BIG-IP APM Identity Aware Proxy architecture
Diagram: users on Mac / Windows / mobile sign on once (SAML / OIDC) against the IDaaS provider; the reverse proxy performs a posture check with continuous posture assessment before each access is approved or denied, whether the app is on-premises or in AWS, Azure, or Google; third-party UEBA is consulted via HTTP Connector.
Zero Trust for enterprise web apps: Microsoft Azure AD Conditional Access and F5 Identity Aware Proxy
1. User requests app access; F5 Identity Aware Proxy (IAP) intercepts every request.
2. Verify the device state with Intune or the F5 client.
3. Azure AD Conditional Access authenticates the user.
4. IAP connects to Microsoft 365 Graph to gather user / device risk and enforces access control on every request.
5. Authenticated traffic is allowed through; user identity is passed to the application.
Outcomes: enhanced security protection, complete end-to-end visibility, centralized user authentication.
Risk-based access leveraging third-party security solutions via HTTP Connector
1. User requests app access; the proxy intercepts.
2. Verify the device state.
3. User is authenticated via on-prem (AAA) or IDaaS, then returns.
4. The proxy connects to a third-party security solution (via HTTP Connector) to gather additional context about the user, device, etc.
5. Authenticated traffic is allowed through; user identity is passed to the application.
- REST APIs connect APM to a variety of third-party apps, including UEBA, risk engines, etc.
- Third-party risk assessments can be used to ensure risk-based access to all networks, clouds, and apps
- Provides greater visibility and analytics for determining "deny / grant" access
- Variables such as user group, domain, and network-based triggers can be applied to access policies
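The five-step flow above, as an added worked example (not F5 code): a toy identity-aware proxy in Python that evaluates every request in that order and only then forwards it with the identity header set. The session store, posture baseline, authorization table and the risk-lookup stub standing in for the HTTP Connector callout are all assumptions.

```python
# Added example (not F5 code): a toy identity-aware proxy applying the
# five-step flow to every request. All tables and the risk stub are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Request:
    path: str
    session_token: Optional[str]   # set after the IdP/IDaaS round trip
    posture: Dict[str, bool]       # device posture report from the client
    client_ip: str
    headers: Dict[str, str] = field(default_factory=dict)

# Constructed session store: what the IdP returned for an authenticated user
SESSIONS = {"tok-alice": {"user": "alice", "groups": ["finance"]}}
# Posture baseline re-checked on every request (step 2)
REQUIRED_POSTURE = {"os_patched": True, "disk_encrypted": True, "av_running": True}
# Constructed authorization table: path prefix -> groups allowed
AUTHZ = {"/finance/": {"finance"}, "/hr/": {"hr"}}

def risk_lookup(user: str, client_ip: str) -> int:
    """Stand-in for the HTTP Connector callout to a third-party UEBA / risk
    engine (step 4). Constructed rule: 203.0.113.0/24 is a known-bad proxy
    network, 192.0.2.0/24 is unusual for this user, anything else is low risk."""
    if client_ip.startswith("203.0.113."):
        return 90
    if client_ip.startswith("192.0.2."):
        return 60
    return 10

def evaluate(req: Request) -> Tuple[str, dict]:
    """Return (decision, detail). Decision is redirect_to_idp, deny,
    step_up_mfa or allow; for allow, detail is the header set forwarded."""
    # Steps 1 and 3: the proxy intercepts; without a valid session, send to the IdP
    identity = SESSIONS.get(req.session_token or "")
    if identity is None:
        return "redirect_to_idp", {}
    # Step 2: posture must match the baseline on this request, not just at login
    failed = [k for k, v in REQUIRED_POSTURE.items() if req.posture.get(k) != v]
    if failed:
        return "deny", {"reason": "posture", "failed": failed}
    # Step 4: pull external risk context before deciding
    score = risk_lookup(identity["user"], req.client_ip)
    if score >= 80:
        return "deny", {"reason": "risk", "score": score}
    # Authorization: the path must be allowed for at least one of the user's groups
    if not any(req.path.startswith(p) and groups & set(identity["groups"])
               for p, groups in AUTHZ.items()):
        return "deny", {"reason": "authz"}
    if score >= 50:
        return "step_up_mfa", {"score": score}
    # Step 5: forward, passing identity to the app. The identity header is always
    # overwritten so a client cannot inject its own value.
    forwarded = dict(req.headers)
    forwarded["X-Authenticated-User"] = identity["user"]
    return "allow", forwarded
```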
BIG-IP APM Identity Aware Proxy (IAP) benefits
- Enables Zero Trust app access
- Enhances app access, security, and user experience
- Increases application security
API Protection
API security adoption rate
Percentage of companies using security in their API tier (threat protection, OAuth, spike arrest, as charted): 74%, 72%, 78%. Source: apigee 2015 report
APIs in the crosshairs
Timeline: API incidents, 2018 to July 2020.
- Increased attack surfaces with large ecosystems and integrations
- Attacked just like web apps, but without the same security controls in place
- Often unknown to SecOps, as different orgs publish and manage APIs on their own
API security challenges
OWASP API Top 10, encryption, DDoS (L4-7), data leakage, credential stuffing, brute force, bots, stat manipulation, API injections, man-in-the-middle.
APIs are diverse
- All APIs need common controls: access controls, attack and DoS defenses, management
- Use cases drive logical designs: tailored security controls, deployment patterns
- Significant variations in function, scale, and risk
F5 addresses a wide range of API requirements.
Securing API access and authentication with BIG-IP APM
- Granular API access controls and multifactor authentication (MFA) enforcement
- Imports the latest OpenAPI 3.0 files to ensure accurate API protection policies
- Supports SAML and OAuth/OIDC across all apps
- Rate limits API requests via quotas, allow-lists, and deny-lists
- Automates API protection with efficient CI / CD deployment of policies
- Applies the same access controls used for apps across APIs via Access Guided Configuration (AGC)
F5 BIG-IP APM API access and authentication
Granular API access controls and a Zero Trust operational model. From the imported API definition, BIG-IP APM creates: paths, responses, a per-request policy, and an authentication and authorization macro.
Fine-grained access controls for APIs (write access controls in API, API doc – Google (?))
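An added example (not F5's implementation) of the OpenAPI-driven access controls described in the previous two slides: it compiles a constructed OpenAPI 3.0 fragment into per-path, per-method scope requirements, then enforces scopes, a deny-list and a per-client quota on each request, denying anything the spec does not document. The spec, addresses and quota are assumptions.

```python
# Added example (not F5 code): per-request API access rules derived from a
# constructed OpenAPI 3.0 document. Spec, deny-list and quota are assumptions.
import re
from collections import defaultdict

# Constructed OpenAPI 3.0 fragment (not from any real API)
OPENAPI = {
    "openapi": "3.0.0",
    "security": [{"oauth": ["api:read"]}],          # default for operations without their own
    "paths": {
        "/accounts/{id}": {
            "get": {"security": [{"oauth": ["accounts:read"]}]},
            "delete": {"security": [{"oauth": ["accounts:admin"]}]},
            "patch": {},                             # inherits the global requirement
        },
        "/health": {"get": {"security": []}},        # explicitly unauthenticated
    },
}

def build_rules(spec):
    """Turn each documented path/method into (METHOD, compiled regex, required scopes).
    Path templates like /accounts/{id} become /accounts/[^/]+ so only one segment matches.
    Undocumented pairs get no rule, so the default decision is deny."""
    rules = []
    for template, methods in spec["paths"].items():
        pattern = re.compile("^" + re.sub(r"\{[^/]+\}", "[^/]+", template) + "$")
        for method, op in methods.items():
            scopes = set()
            for requirement in op.get("security", spec.get("security", [])):
                for scope_list in requirement.values():
                    scopes.update(scope_list)
            rules.append((method.upper(), pattern, scopes))
    return rules

RULES = build_rules(OPENAPI)
DENY_LIST = {"203.0.113.50"}   # constructed deny-list entry (TEST-NET-3 address)
QUOTA = 3                      # constructed: allowed requests per client per window
_counts = defaultdict(int)     # requests admitted per client in the current window

def authorize(method, path, token_scopes, client_ip):
    """Decide one API call: deny-list, then spec lookup, then scopes, then quota."""
    if client_ip in DENY_LIST:
        return "deny:listed"
    path = path.split("?", 1)[0]                     # query string never selects a rule
    for m, pattern, required in RULES:
        if m == method.upper() and pattern.match(path):
            break
    else:
        return "deny:undocumented"                   # not in the imported spec
    if not required <= set(token_scopes):
        return "deny:scope"
    _counts[client_ip] += 1                          # only admitted calls consume quota
    if _counts[client_ip] > QUOTA:
        return "deny:quota"
    return "allow"
```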
Confidently set up IAP services with Access Guided Configuration (AGC)
Step-by-step guidance for setting up and deploying BIG-IP APM. Access Guided Configuration enables administrators to quickly set up Identity Aware Proxy services to:
- Reduce training overhead
- Ensure correct security check setup
- Speed app deployment
- Integrate with IDaaS solutions
- Easily onboard and manage integration of classic apps
Manually apply access policies with Traffic Management User Interface (TMUI), or configure and manage policies for up to 100 BIG-IP APM instances with BIG-IQ
- Simplify access policy distribution by importing configs from a master "source" BIG-IP APM instance
- Propagate device- or location-specific object changes throughout the entire APM deployment
- View the differences between current and proposed access configurations
- Capture access reports and logs based on devices and groups
Design and manage granular access controls with Visual Policy Editor (VPE)
Simplify creation of identity- and context-based access policies:
- Centralize the management of contextual policies and make edits with just a few clicks
- Apply granular access control policies on an individual or group basis
- Design access policies for authentication, authorization, and endpoint security checks
F5 BIG-IP API access and authentication benefits
- Integrating existing Swagger files saves time, resources, and cost
- Ensures accurate API protection policies are enforced
- Secures authentication and appropriate authorization: enables secure authentication for REST APIs and ensures appropriate authorization actions
- Saves time and saves cost
BIG-IP APM & Application Traffic Insights
Malicious users try to blend in with legitimate users
There needs to be a reliable way to determine if a "user" (user 1, user 2, user 3) is a human, and good or bad. In other words, is it a legitimate user, a malicious attacker, or an automated bot?
An accurate device identifier can detect evasive behavior
Based on a case study with a QSR over a two-day period: the same device (identified by the injected JS) was seen with VPN use from Porter Ranch, CA; New York, NY; Bogotá, Colombia; Washington D.C.; and Toronto, Canada. VPN use combined with other factors such as hosted ASN usage, time zone of origin, and volume can help detect suspicious behavior.
Application Traffic Insights
- Persistent, signal-based device identifier
- Continuous efficacy enhancements based on improved signal sets
- Strengthened by big data insights across the F5 and Shape customer base
- Easy deployment with BIG-IP iApp and consumption models
Diagram: signals include plugins, fonts, screen size, emoji rendering, and additional signals that identify a unique instance of Chrome (distinct among other instances of Chrome).
Application Traffic Insights is superior to existing identifiers
Application Traffic Insights:
- Extremely precise identifier based on a high-efficacy signal set backed by extensive research
- Easy JS injection leveraging existing F5 or Shape infrastructure, or tag managers
- Available for free
Existing solutions:
- Identifiers change quickly over time
- Require API integrations and other efforts from customers
- Solutions from other vendors are expensive, as is developing and maintaining a home-grown solution
Application Traffic Insights can differentiate between user groups
User 1 = legitimate user; user 2 = malicious attacker; user 3 = malicious automation. Appropriate security measures can be taken for each group.
Application Traffic Insights improves login experiences for legitimate users
Attempted malicious attacker and automation access is mitigated accordingly: user 1 (legitimate user) gets an eased login experience, while user 2 (malicious attacker) and user 3 (malicious automation) have their access mitigated appropriately.
- A vast improvement over "Remember Me" features and captchas
- Reduces login friction via session extension
Easy integration with existing F5 infrastructure
- Can use the iApp template to inject the JS and route API calls
- Minimal configuration required
- JS injection and API call will both happen as a first party
Integrates seamlessly with BIG-IP APM policies
Feed Application Traffic Insights into APM and implement a risk-based authentication system.
Empowers SecOps and NetOps to identify anomalous activities
- Mitigate login friction / credential stuffing attacks
- Session hijacking
- Unusual devices accessing user accounts
- Bad actors spoofing their environment
- Deliberate use of proxy networks
- Single device accessing unauthorized accounts
Enterprise Mobility Management (EMM)
Enterprise Mobility Gateway (EMG)
- Ensure devices connect securely and adhere to a security posture baseline, regardless of ownership
- Reduce the risk of malware infecting the corporate network from corporate or personal mobile devices
Diagram: a Finance user on a managed or unmanaged device (Windows, Chrome, Safari) reaches the App Store, HR, Purchasing, and Finance apps through the EMG, which checks managed-device status (MDM/EMM) and authenticates against an AAA server (RADIUS).
BIG-IQ: SecOps-focused functionality
BIG-IQ is the source of truth, an easy audit point, and provides centralized management with consistent, API-driven deployment and configuration to app environments (on-prem, cloud 1, cloud 2).
- Security services catalog and app delivery services catalog
- Device management
- F5-authored templates
- ADC & security dashboards
- Automated workflows
- Application and network performance telemetry; security telemetry
- Security roles (SecOps) and security policies: security policy development and deployment; create and augment WAF policies; detect and respond to threat profiles; manage security holistically, including bot detection, DDoS, access policies, and network firewalls
F5 BIG-IQ centralized management
- Simplifies BIG-IP APM management by managing and configuring large collections of application access and security policies from one portal
- Provides deep visibility into application access and usage
- Enables security administrators to centrally create, manage, and deploy access policies across BIG-IP APM deployments
- Holistically controls and manages application access
Guided configuration of services
Customer challenges:
- Administrators are challenged to learn and master various control applications
- Configuration errors can impact user experience and security
F5 solution: F5 APM Guided Configuration enables administrators to confidently and quickly set up Identity Aware Proxy services:
- Reduces training overhead
- Ensures correct security checks setup
- Faster deployment for applications
- Easy integration with IDaaS solutions