The industry holds differing views on the deployment of security products. One view is that security is mainly for compliance and that, once compliance is satisfied, other things are not very important. For the real value delivered to the user, however, offensive and defensive capability may matter more. Attacks change dynamically, so protection must adapt as well: it has to be adjusted as attack methods change and meet the protection requirements of different scenarios. That adaptability is the highest expression of offensive and defensive capability.

The F5 DDoS defense system is a multi-layered defense system. It aims to build a compliance system and provide users with powerful attack and defense measures to protect their services against various security threats. Security is not only compliance, but also offense and defense!

Practical experience shows that bot defense is the top priority of Web defense, that application-layer DDoS defense is the responsibility of the WAF, and that on-site service and emergency response are the prerequisite for successfully intercepting attacks. F5's DDoS protection system is a three-dimensional, multi-level protection system. In addition to Advanced WAF (API Security – next-generation WAF), it includes cloud DDoS scrubbing and network DDoS protection. Advanced WAF is good at application-layer DDoS protection. With a three-dimensional defense architecture in place, each part of a mixed attack can be dealt with separately and effectively.

F5 Layer 7 DDoS defense Schemes:

F5 Advanced WAF (API Security – next-generation WAF) provides defense solutions based on combinations of policies to deal with different DDoS scenarios. These include:

Defense schemes based on these combined policies can dynamically deploy defense policies for different DDoS scenarios to implement comprehensive layer-7 DDoS defense. At the same time, with the help of the BIG-IP AFM, BIG-IP LTM, BIG-IP DNS and BIG-IP ASM functional modules, F5 can defend against DDoS risks at different layers of the OSI model, ensuring the availability of applications.

From the practical review of many recent security incidents, F5 summarizes the following points:

1. Protective architecture: both offensive and defensive capability and compliance are important. A security product should not be judged only on its parameters and feature points. More important is how it merges into the user's existing deployment architecture so that, given the user's actual situation, it takes effect smoothly, without requiring the user to make many adjustments to the existing network environment to accommodate the security product.

2. Distinct protection systems: layered security protection systems are required to prevent security problems at different levels. For application-layer DDoS attacks, three-dimensional protection should be built at the cloud, network and application layers respectively. (For details, please refer to the general F5 hierarchical DDoS Defense Reference Architecture.)

3. Disadvantages of the transparent mode: the transparent mode may not be a good choice in actual security events. A security gateway in transparent mode often simply bypasses traffic in the face of a real attack and cannot effectively defend against it.

4. The necessity of security services: more than half of the value of security should be services, and good services can really help users. This is also the original intention behind F5 establishing the Security Incident Response Team (SIRT). SIRT can quickly respond to various security incidents and complements the current F5 technical system to provide customers with attentive and thorough security services during security incidents.

General F5 hierarchical DDoS protection reference architecture