F5 Solutions for Cloud Bound DoD

Demo

Business

Secure Cloud Computing Architecture (SCCA)

SCCA

  • Reference Architecture for DoD cloud adoption
  • Guidelines to achieve ATO
  • Setup in a Modular Fashion to fit use case
  • Spawned from Cloud Computing SRG (CC SRG)
  • Needed Components depends on Impact Level of App

Technical

CAP

The "CAP"

"CAP" - Cloud Access Point

BCAP - Boundary CAP (public cloud providers)

DoDIN connecting to AWS, Azure, Google Cloud, or any FedRAMP-accredited public cloud service provider

ICAP - Internal CAP (on-prem cloud providers)

milCloud or any cloud service provider existing within DoDIN network space

YOU SHALL NOT PASS!!

Role of the CAP

  • Combination of a security stack and a secure connection to the CSP
  • VPN tunnel or direct connection hosted at a colo
  • Deny-all-by-default device for traffic originating in the CSP
  • IPS capabilities to scan and inspect all traffic originating from the CSP and bound for the DoDIN
  • FPC (full packet capture) capabilities for traversing traffic
  • Stateful FW
  • Needed for IL4 and IL5 applications
  • DOES NOT PROTECT THE MISSION OWNER APP!
  • That is the responsibility of the VDSS role

VDSS

"Virtual Data Center Security Stack"

  • Virtual security stack used to protect the Mission Owner application
  • Focus is to inspect, detect and protect DoDIN user traffic bound for the app in the CSP
  • Think of it as protecting an app hosted within an on-prem data center, except the app is now hosted in the cloud.

Role of VDSS

  • Protect the MO (Mission Owner) application
  • Responsibility of the MO to stand up a VDSS or procure an SLA with an organization providing VDSS services.
  • THE CAP IS NOT RESPONSIBLE FOR PROTECTING THE MISSION OWNER APP!
  • VDSS made up of:
      • WAF
      • HTTP proxy
      • IPS
      • Stateful FW
      • On-demand FPC capability
      • Segmentation of data traffic and management traffic
      • SSL decryption (pretty straightforward)
      • Forward logs to Mission CND

VDMS

"Virtual Data center Management System"

  • Manage, monitor and maintain cloud virtual machines
  • Endpoint security and scanning (HBSS and ACAS)
  • Authoritative identity DB for validating users (e.g., Active Directory)

TCCM

"Trusted Cloud Credential Manager"

  • Not a technical role, more business related
  • Group which manages, maintains and enforces cloud credential issuance
  • Normally rolled into the existing credential manager group
  • Enforces least privilege
  • Will utilize the IdAM system provided by the VDMS

Why F5

  • Control at all layers of the OSI model
  • Control - access any app anywhere
  • Security and visibility at layers 2-7
  • DoD compliance experts
  • Multiple competency awards from cloud service providers as both a network solution and a security solution
  • Aligned with the automation, orchestration and DevOps movement

F5 Control at All Layers

Full Proxy Architecture

OSI layers: Application, Presentation, Session, Transport, Network, Data Link, Physical

  • F5 works with traffic at all layers of the OSI model
  • SSL decryption both inbound and outbound
      • SSL bridging
      • SSL offloading
      • SSL authentication
  • L7 protocol intelligence, interaction and traffic delivery decision making
      • HTTP
      • SMTP
      • FTP
      • SSH
      • etc...
  • Exists as a physical appliance and/or virtual appliance
  • Virtual appliance offered in all major cloud providers
  • iRules for everything else
  • Provide high-fidelity access and delivery of the application regardless of workload location

Security and Visibility

Security from App to User

  • Advanced stateful firewall
      • IP intelligence
      • Protocol anomaly inspection
      • CVE signatures, based on Snort
  • Web Application Firewall
      • Defends against the OWASP Top 10
      • DDoS protection
      • Bot protection
      • Web threat campaigns
      • CAPTCHA and behavior analysis to block automated bots
      • Fraud and transaction protection
  • Verbose logging and analytics for Cyber
  • In-depth access control
      • MFA
      • SAML IdP and SP
      • Authentication workflow and user experience
      • Webtop
Logs to SIEM

Automation and Orchestration

Benefit from Cloud while Meeting Security Requirements

Deployed, configured, managed and destroyed by multiple orchestration and automation suites

Meet compliance without any impedance on cloud efficiencies

F5 can become an "idempotent" system: applying the same declaration repeatedly yields the same configuration

F5 continues to improve and add capabilities to third-party orchestration plugins

CFT and ARM templates available

Cloud Docs and Template references

https://github.com/F5Networks/f5-aws-cloudformation

https://github.com/F5Networks/f5-azure-arm-templates

https://github.com/F5Networks/f5-ansible

https://github.com/f5devcentral/f5-terraform

https://clouddocs.f5.com/training/community/

F5 SSLO (SSL Orchestrator) Chain

  • Can run in L2 vWire mode (completely transparent)
  • Outbound SSL decryption
  • Onboard FIPS 140-2 Level 3 HSM
  • Provides decrypted traffic and FPC to multiple inspection devices
      • IPS
      • FW
  • Adapts to current and future security needs and scaling

Solutions and Architectures for CAP

Solutions and Architectures for VDSS

  • Hub and spoke sandwich
  • Tunneled PCAP
  • SSL decryption
  • WAF
  • FW
  • IPS
  • Authentication
  • Traffic segregation

Hub and Spoke Architecture

Hub and Spoke Sandwich

  • DMZ VPC
  • MGMT VPC
  • Shared services used by all tenants
  • Elimination of bastion hosts
  • Tunneled PCAP for FPC
  • SNAT to avoid transitive routing issues (VPC peering is not transitive, so return traffic is sourced from the F5 rather than the original client)
  • FW and IPS at the perimeter F5, while WAF is done at the internal F5
  • Repeatable architecture

Replace Bastion Hosts

  • Single administrative portal
  • Log everything about every admin session!
  • App tunnels
  • User integrity checks
  • SPOF elimination
  • Remove SSH and RDP clients from the picture if so desired
  • SAML-enable the AWS console and use F5 as the IdP

Webtop to Replace Bastion Hosts

SCCA Table 18: Compliance Check

F5 Splunk Integration

Push or pull data from BIG-IPs to Splunk

Data is pushed via HSL (high-speed logging) or syslog profiles

Data is pulled via the BIG-IP iControl REST API

Splunk Supported Add-on

  • Splunk supported
  • Integrates into the Common Information Model
  • Aligns indexed data to be used in Splunk Enterprise Security (ES)
  • Uses a combination of iControl queries, iRules and syslog to gather data
  • Great if you are using ES and want a supported way to integrate F5 data into the SIEM
  • http://docs.splunk.com/Documentation/AddOns/latest/F5BIGIP/About

Demo

Demo Time!

Contact Us

Please feel free to reach out!

Jonathan Spigler

Jared Penoyar

Roman Galeone


jared@j2rsolutions.io

jonathan@j2rsolutions.io

roman@j2rsolutions.io
