Agenda
- DNS and F5
- Use Cases: The top four
- Firewall for DNS or a DNS Firewall?
- DNS Reputational Intelligence
- Competitive Comparisons
- DNS Mitigation Test Framework
- Context and DNS
F5 Agility 2014
DNS and F5
[Timeline figure: F5 DNS, GSLB to DNS Delivery. Releases 10.X, 11.0, 11.1/11.2 and 11.3; milestones: comprehensive GSLB, high performance DNS delivery, high performance caching and resolving.]
[Timeline figure: F5 DNS, Secure High Performance DNS. Releases 11.4, 11.5 and 11.6 (current release); milestones: security and elastic scalability; security (DoS); ease of use, ease of deployment, service provider enhancements.]
F5 PARADIGM SHIFT
[Architecture diagram: the traditional layout runs Internet -> external firewall -> DNS load balancing -> array of DNS servers in the DMZ -> internal firewall -> hidden master DNS in the datacenter. The F5 layout runs Internet -> BIG-IP Global Traffic Manager (30M RPS) -> master DNS infrastructure.]
- F5 DNS products have unprecedented scale in virtual, appliance and chassis versions.
- F5 DNS integrates an ICSA certified firewall into the same footprint.
- Integrates with other F5 modules running on the same hardware.
- DNS Protocol Validation scrubs the incoming DNS queries so that only valid clients are answered.
- Massive scale allows BIG-IP to absorb large attacks.
- Query type filtering and rate limiting features can further protect DNS resources.
Use Cases: The top four
[Diagram, built up across four slides: Local DNS asking "Where is www.f5.com?"; Authoritative DNS asking "Where is www.bell.co.za?"; GSLB DNS directing queries between data centers; DNS and GSLB in the mobile core (GGSN/PGW, MME, SGW/SGSN and (e)NodeB on the BIG-IP platform); and a DNS Firewall placed in front of the local DNS.]
Topics:
- IP Anycast
- Pre filter
- Packet inspection
- Performance
- Scaling resolution
- DNSSEC and validation
- Reporting and automation
- DNS Reputational Intelligence
- DNS scrubbing
- Hardware sizing
- Certification
[Diagram: DNS delivery on BIG-IP. Client requests arrive over TCP/UDP and IPv4/IPv6 and pass through protocol validation + ACL and iRules to DNS Express (loaded by AXFR zone transfer requests and responses from a local BIND), the RPZ / cache / resolver, GSLB with DNSSEC, DNS64, and a DNS load-balancing pool in front of the DNS server pool; responses return along the same path.]
[Chart: TMOS performance over time, from a single processor through SMP scaling of 2x, 4x and 8x.]
[Figure, three panels on how threats are mitigated: IP Intelligence (any IP protocol, with iRules), URL Filtering (HTTP, HTTPS and DNS, with iRules), and Policy Control by FQDN.]
[DDoS reference architecture diagram: Tier 1 (network and DNS) and Tier 2 (application, next-generation firewall, IPS), with a cloud scrubbing service, threat feed intelligence and a multiple-ISP strategy (ISP a/b). Attack classes shown: network attacks (ICMP flood, UDP flood, SYN flood); DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning); SSL attacks (SSL renegotiation, SSL flood); HTTP attacks (Slowloris, slow POST, recursive POST/GET). Actors: legitimate corporate users and subscribers, a DDoS attacker, botnet attackers, anonymous proxies and anonymous requests, and a scanner. Protected assets: financial services and e-commerce applications, with access control and policy enforcement.]
Platforms (hardware sizing): VIPRION 4800, VIPRION 44xx chassis, VIPRION 2400 chassis, BIG-IP 10x00, BIG-IP 7x00, BIG-IP 5x00, BIG-IP 4x00.
DNS Reputational Intelligence
Undesirable content:
- BotNets
- Offensive
- Viruses: once installed, causes malicious activity on the end-user device, sometimes for ransom.
- OS Vulnerabilities: unprotected, unpatched devices are extremely vulnerable.
- Irrelevant
- Site redirection
- Illegal content: file sharing or sites identified as hosting banned material.
*Response Policy Zones (RPZ) are a form of DNS firewall in which the rule sets are expressed as specially constructed DNS zones.
In this case, using RPZ means subscribing to commercial threat feeds that provide the up-to-date RPZ lists of bad domains.
[Figure: comparison of RPZ, IP Intelligence and URL Filtering.]
- Example: http://194.71.107.15, accessing a malicious website by IP address.* There is no DNS lookup for RPZ to filter, and no URL or FQDN for URL Filtering to examine.
- Example: http://www.facebook.com, social networking against corporate policy. RPZ covers malicious content only, and IP Intelligence is limited to IP address reputation.
*IPI blocks both the bad IP address (http://194.71.107.15) AND the domain name (www.badsite.com) mapped to the bad IP address.
[Diagram: the BIG-IP GTM DNS path. IPv4/v6 listener -> protocol validation -> iRules -> cache -> resolver -> special handling, alongside a reputation database that receives RPZ feed updates.]
[Diagram: subscriber policy. A query for WWW.DOMAIN.COM passes through DNS iRules that consult subscriber datagroups (parked domain, games, social, business) before the cache and resolver; all other queries are logged. Policy is configured via iControl and distributed via iQuery.]
- Response Policy Zones (RPZ) filter out known bad domains and answer with NXDOMAIN or a redirect.
- URL Filtering further provides granular policy controls using categories.
- IP Intelligence blocks based on the resolved IP. It can also be used in the data path for other protocols.
[Diagram: ingress and egress DNS path. A query for WWW.DOMAIN.COM enters on the ingress DNS path, where RPZ (fed by the RPZ feed) and a URL Filtering iRule (fed by the URL feed) apply the subscriber policy set via iControl and iQuery; IP Intelligence (fed by the IPI feed) is applied to the resolver's answer on the egress DNS path.]
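As an added example (not F5 code and not a BIG-IP configuration), the following Python sketch models the three checks listed above in the order the slide gives them: an RPZ lookup that answers NXDOMAIN or redirects for a listed domain, a category-based FQDN policy chosen per subscriber, and an IP Intelligence check on the resolved address. The feeds, category names, resolver cache and addresses are constructed sample data; the RFC 5737 documentation ranges stand in for real addresses.

```python
"""Added example (not F5 code): a DNS response-policy step in the style of an
RPZ / URL-category / IP-reputation pipeline.

Checks run in the order the slide describes:
  1. RPZ: the queried name (or a parent domain) is on a bad-domain list
     -> answer NXDOMAIN, or redirect to a walled-garden address.
  2. URL/FQDN category filtering: the name's category is blocked by the
     subscriber's policy -> answer NXDOMAIN.
  3. IP Intelligence: the *resolved* address is on a bad-IP list
     -> withhold the answer (NXDOMAIN) and log it.
All feeds and addresses below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set

# Constructed sample feeds (not real threat intelligence).
# domain -> None means answer NXDOMAIN; a string means redirect to that address.
RPZ_FEED: Dict[str, Optional[str]] = {
    "badsite.example": None,
    "phish.example": "192.0.2.250",   # walled-garden page (TEST-NET-1)
}
URL_CATEGORY_FEED: Dict[str, str] = {
    "social.example": "social",
    "games.example": "games",
    "shop.example": "business",
}
IPI_FEED: Set[str] = {"192.0.2.15"}   # reputation feed: "bad" addresses

# Constructed stand-in for the resolver cache; a real resolver would recurse.
RESOLVER_CACHE: Dict[str, str] = {
    "www.shop.example": "198.51.100.20",
    "www.social.example": "198.51.100.30",
    "cdn.example": "192.0.2.15",        # resolves to an IPI-listed address
    "www.f5.com": "198.51.100.40",
}


@dataclass
class Decision:
    rcode: str               # "NOERROR" or "NXDOMAIN"
    answer: Optional[str]    # A-record address when rcode == "NOERROR"
    reason: str              # which check decided; "allow" if none fired
    log: List[str] = field(default_factory=list)


def _parent_domains(name: str) -> Iterator[str]:
    """Yield the name itself, then each parent domain (RPZ matches wildcard-style)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def resolve_with_policy(qname: str, blocked_categories: Set[str]) -> Decision:
    """Apply RPZ, then category policy, then IP reputation on the resolved answer."""
    # 1. RPZ: match the name or any parent domain against the bad-domain zone.
    for dom in _parent_domains(qname):
        if dom in RPZ_FEED:
            target = RPZ_FEED[dom]
            if target is None:
                return Decision("NXDOMAIN", None, f"rpz:{dom}", [f"RPZ NXDOMAIN {qname}"])
            return Decision("NOERROR", target, f"rpz-redirect:{dom}",
                            [f"RPZ redirect {qname} -> {target}"])
    # 2. URL/FQDN category policy: the subscriber's policy supplies the blocked set.
    for dom in _parent_domains(qname):
        cat = URL_CATEGORY_FEED.get(dom)
        if cat and cat in blocked_categories:
            return Decision("NXDOMAIN", None, f"category:{cat}", [f"policy block {qname} ({cat})"])
    # 3. Resolve, then check the answer against IP reputation before releasing it.
    addr = RESOLVER_CACHE.get(qname.lower().rstrip("."))
    if addr is None:
        return Decision("NXDOMAIN", None, "unknown", [f"no record for {qname}"])
    if addr in IPI_FEED:
        return Decision("NXDOMAIN", None, f"ipi:{addr}", [f"IPI block {qname} -> {addr}"])
    return Decision("NOERROR", addr, "allow", [])


if __name__ == "__main__":
    for name, policy in [("www.badsite.example", set()), ("login.phish.example", set()),
                         ("www.social.example", {"social"}), ("cdn.example", set()),
                         ("www.f5.com", set())]:
        d = resolve_with_policy(name, policy)
        print(f"{name:24} {d.rcode:9} {d.answer or '-':16} {d.reason}")
```

The order matters: RPZ and category checks need only the question, so they run before any recursion, while the IP Intelligence check can only run once an answer exists, which is why the slide places it on the egress side.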
Competitive Comparisons
A word on terminology: DNS Express, DNS Caching, DNS Resolver.
[Bar chart: DNS requests per second by BIG-IP appliance (2000S, 2200S, 4000S, 4200V, 5000S, 5200V, 7000S, 7200V, 10000S, 10200V), 11.4 versus 11.5; y-axis 0 to 1,800,000.]
[Bar chart: DNS requests per second by VIPRION blade and chassis (B2100, B2150, B2250, B4200 and B4300 blades; 2400 with B2100, 2400 with B2250, 4480 with B4300, 4800 with B4300), 11.4 versus 11.5; y-axis 0 to 25,000,000.]
[Bar chart: DNS requests per second by BIG-IP appliance (same platforms), 11.4 versus 11.5; y-axis 0 to 1,400,000, peak callout 1.3M RPS.]
[Bar chart: DNS requests per second by VIPRION blade and chassis (B2100, B2150, B2250 and B4300 blades; 2400 with B2100, 2400 with B2250, 4480 chassis, 4800 chassis), 11.4 versus 11.5; y-axis 0 to 18,000,000, peak callout 15.5M RPS.]
[Bar chart: DNS Caching, cost per 1K RPS, F5 versus Infoblox; y-axis 0 to 1600. Legend (included functions): Enterprise & SP with caching/resolving, authoritative and GSLB included; Enterprise with caching/resolving and authoritative included; SP with caching/resolving and authoritative included; SP with caching/resolving included.]
[Bar chart: DNS Authoritative, cost per 1K RPS, F5 versus Infoblox; same axis and legend.]
[Bar chart: requests per second, F5 versus Infoblox Trinzic, paired as 2000S vs Trinzic 1420, 2200S vs Trinzic 2210, 4000S vs Trinzic 2220, 7000S vs Trinzic 4010 and 7200V vs Trinzic 4030; y-axis 0 to 1,200,000.]
DNS Mitigation Test Framework
[Figure: platforms under test (VIPRION 4800, VIPRION 44xx chassis, VIPRION 2400 chassis, BIG-IP 10x00, BIG-IP 7x00, BIG-IP 5x00, BIG-IP 4x00) with a traffic generator producing 10M DNS requests.]
[Diagram: DNS test framework. Scanners generate the test traffic; components on the DNS path are an ACL on IP from AFM, the IPv4/v6 listener, protocol validation, iRules, subscriber rate management, IP Intelligence (with its service feed and reputation database), cache, resolver and special handling, plus a response page and Splunk logging.]
Outcomes
Agree measurements for:
- Baselining user performance and confirming that the DNS is available, confidential and has integrity for cache and resolver.
- Measuring that the attacks do not affect users and that the DNS remains available, confidential and has integrity, compared to the baseline.
Context and DNS
[Diagram: query rate scoring and response size scoring per client (clients A to F), each measured against a drop threshold and a suspend threshold.]
Mobile or fixed. Determine the SLA for RPS and allowed response size.
Take an action. Is the client above the score threshold?
- Drop the request
- Suspend DNS service for a period.
Service Provider
Service Providers need to ensure availability of DNS services to customers according to their service level. Intelligent per-client IP rate limiting gives SPs the tools to inhibit bad actors, including DNS tunneling, without adversely affecting performance.
[Diagram: a CSP serving primary customers. A DNS rate limiter applies per-client DNS rates ahead of the resolver and cache. A regular client is answered within its rate limit; for a compromised client or malicious actor the actions are rate limit client, log malicious identity, and suspend DNS service.]
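As an added example (not F5 code), the following Python model puts the client scoring from the "Context and DNS" slide and the per-client rate limiting described above into one place: each client accumulates a score from its query rate against the RPS SLA and from the size of the answers it requests against the allowed response size; crossing the drop threshold drops the request, and crossing the suspend threshold suspends the client for a period. The SLA values, thresholds and the two clients' traffic are constructed; they are not F5 defaults.

```python
"""Added example (not F5 code): per-client DNS scoring with a drop threshold
and a suspend threshold.

Each client IP accumulates a score from two inputs: query rate over a sliding
window (measured against the RPS SLA) and response size (measured against the
allowed answer size). Score >= drop threshold drops the request; score >=
suspend threshold suspends the client for suspend_s seconds. All values and
the sample traffic are constructed, not F5 defaults.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class SLA:
    max_rps: float              # queries per second a client is entitled to
    max_response_bytes: int     # largest answer considered normal
    window_s: float = 1.0       # sliding window for the rate measurement
    drop_threshold: float = 1.0
    suspend_threshold: float = 3.0
    suspend_s: float = 60.0     # how long a suspended client stays suspended


class ClientScorer:
    def __init__(self, sla: SLA) -> None:
        self.sla = sla
        self._times: Dict[str, Deque[float]] = defaultdict(deque)
        self._suspended_until: Dict[str, float] = {}

    def _rate_score(self, client: str, now: float) -> float:
        # Dropped requests still count towards the rate, so the deque is
        # updated before any decision is taken.
        q = self._times[client]
        q.append(now)
        while q and now - q[0] > self.sla.window_s:
            q.popleft()
        rps = len(q) / self.sla.window_s
        # 0 while within the SLA, growing linearly past it.
        return max(0.0, rps / self.sla.max_rps - 1.0)

    def _size_score(self, response_bytes: int) -> float:
        return max(0.0, response_bytes / self.sla.max_response_bytes - 1.0)

    def score(self, client: str, now: float, response_bytes: int) -> float:
        return self._rate_score(client, now) + self._size_score(response_bytes)

    def decide(self, client: str, now: float, response_bytes: int) -> Tuple[str, float]:
        """Return (action, score); action is 'answer', 'drop' or 'suspend'."""
        if now < self._suspended_until.get(client, 0.0):
            return "suspend", float("inf")
        s = self.score(client, now, response_bytes)
        if s >= self.sla.suspend_threshold:
            self._suspended_until[client] = now + self.sla.suspend_s
            return "suspend", s
        if s >= self.sla.drop_threshold:
            return "drop", s
        return "answer", s


def simulate(sla: SLA, events: Iterable[Tuple[str, float, int]]) -> Dict[str, Dict[str, int]]:
    """Run (client, time, response_bytes) events in order; return per-client action counts."""
    scorer = ClientScorer(sla)
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for client, t, size in events:
        action, _ = scorer.decide(client, t, size)
        counts[client][action] += 1
    return {c: dict(a) for c, a in counts.items()}


# Constructed SLA: 20 qps per client, answers up to 1000 bytes considered normal.
SAMPLE_SLA = SLA(max_rps=20, max_response_bytes=1000)


def constructed_traffic() -> List[Tuple[str, float, int]]:
    """Constructed sample: client_a stays within the SLA (10 qps, 200-byte answers);
    client_b sends 100 queries in one second asking for 1500-byte answers."""
    events = [("client_a", i * 0.1, 200) for i in range(10)]
    events += [("client_b", i * 0.01, 1500) for i in range(100)]
    return sorted(events, key=lambda e: e[1])


def run_sample() -> Dict[str, Dict[str, int]]:
    return simulate(SAMPLE_SLA, constructed_traffic())


if __name__ == "__main__":
    for client, actions in run_sample().items():
        print(client, actions)
```

With these constructed values client_a is always answered, while client_b is answered for its first 29 queries, dropped once its combined rate and size score reaches the drop threshold, and suspended (with every later query refused for the suspend period) once the score reaches 3.0. The size term is what lets the scorer react to a client that stays under the query rate but asks only for unusually large answers.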
DNS Reference Architectures (current and future)
1. Cloud Bursting
2. Cloud Migration
3. DDoS Protection
4. Intelligent DNS Scale
5. Network Functions Virt.
6. Security for Service Providers
7. S/GI Network Simplification