With security now topping the priority lists of organizations using application services to monitor and maintain their applications, F5 Networks moved to update its security services.
“Historically, we’re an application delivery controller,” says Mike Convertino, CISO of F5 Networks. “That puts us right in front of these applications as they reside in data centers. It’s a very natural transition for us to talk about securing those apps.”
“We’re the gateway to the apps, which is the gateway to the data everyone is trying to protect,” he adds.
Today, organizations are increasingly using service chaining as a core part of their network operations. Service chaining uses software-defined networking (SDN) to create chains of connected services (web application firewalls, intrusion prevention systems, email and endpoint security, etc.) that enable the use of a single network connection for different services with different characteristics.
This allows you to automate the way virtual networks can be set up to handle traffic flows, depending on the source, destination or type of traffic. You might dynamically route traffic through a FireEye appliance that sits inline with an ERP-type application, or through a Cisco IronPort appliance inline with email traffic.
To help automate this process, and to offload the burden of encryption/decryption from individual devices, F5 Networks has introduced Herculon SSL Orchestrator.
“It provides that context-aware dynamic service that allows us to chain different devices into the path, depending on what the service is,” Convertino says. “It does the decryption and reassembly on the other end.”
By eliminating the need for individual appliances to have encryption/decryption capabilities, Convertino says it will push down infrastructure costs — appliances capable of handling encryption/decryption tend to be much beefier and more expensive.
“Aside from being really expensive to have to buy all these appliances, you’ve still got all these boxes to manage,” he says. “It’s expensive from the point of view of the purchase of discrete devices and it’s expensive from the point of view of management.”
To provide a multilayered defense against volumetric and pervasive DDoS attacks, F5 Networks has introduced a new managed service: Herculon DDoS Hybrid Defender. It integrates high-performance hardware with the intelligence of offsite cloud scrubbing via F5 Networks’ Sliverline cloud-based application services platform.
Convertino says the hybrid approach improves time to mitigation in scenarios where website and application availability are crucial to customer interactions and profitability. It can be deployed inline or in out-of-band mode, and F5 says it provides comprehensive DDoS coverage through behavioral analytics, with sub-second attack mitigation and visibility into sophisticated application-layer attacks.
Citing the paucity of experts with the skills to effectively initiate, provision and scale app protection services, F5 Networks also announced Silverline WAF Express, cloud-based application security-as-a-service. It’s a pre-configured, self-service offering built on Silverline. Customers can select which applications they want Web Application Firewall (WAF) services applied to, and F5 manages security policies behind the scenes to protect apps from threats ranging from OWASP attacks to parameter tampering and bots.
Convertino says that F5’s Security Operations Center experts engage and maintain policies, including monitoring, app attack mitigation and analytics for applications hosted in the public or private cloud, as well as the datacenter.
F5 has also added Security Incident Response Team (SIRT) services, available to all F5 security customers. SIRT services are intended to identify threats and deliver an immediate response to mitigate or neutralize potentially harmful activities and protect business operations.
Finally, to complement the products and services, F5 Labs brings together a team of security industry experts and researchers to gather global threat intelligence, analyze application threats and publish related findings.