“F5 provides an entirely new and more intelligent approach for defending public-facing web properties and DNS services against harmful attacks,” said Mark Vondemkamp, Director of Product Management at F5. “Many of the world’s largest and most prestigious brands are leveraging F5’s BIG-IP solution to protect web properties that have substantial traffic levels and are frequent targets of malicious attacks. An added benefit of our solution is that it delivers dramatically better price/performance than traditional firewalls.”
F5’s approach is unique in that the security capabilities noted above can be deployed on BIG-IP Application Delivery Controllers (ADCs)—best known for providing industry-leading intelligent traffic management and optimization capabilities. This firewall solution is part of F5’s comprehensive security architecture that enables customers to apply a unified security strategy. For the first time in the industry, organizations can secure their networks, data, protocols, applications, and users on a single, flexible, and extensible platform: BIG-IP.
The repeated failure of traditional network firewalls is a primary cause of outages and data leaks, which can profoundly impact revenue, degrade corporate reputations, and jeopardize regulatory compliance.
Traditional security solutions attempt to piece together point products such as network firewalls, DDoS appliances, DNS appliances, web application firewalls, and basic ADCs. This point product approach not only increases complexity, it also contributes to network latency and adds multiple points of failure. Worse, these divergent solutions have no ability to integrate information from different attack vectors, leaving potential gaps in protection and making it impossible for organizations to deliver a unified defense.
“Many organizations are finding that their network firewalls operating at layer 3 or 4 in the TCP/IP stack are having problems protecting against application layer attacks because the traffic is encrypted by SSL,” said Jeff Wilson, Principal Security Analyst at Infonetics. “Lacking the visibility and intelligence to inspect the entire protocol stack, traditional firewalls can’t protect against today’s increasingly sophisticated and massively distributed attacks. In addition, many network firewalls have only a fraction of the connection capacity required to handle the millions of requests per second that typify modern DDoS attacks.”
A Better Way to Help Protect Applications and Services
BIG-IP solutions reach well beyond the limitations of traditional network firewalls, enabling customers to:
Reduce hardware and operating costs by as much as 50%
Perform comprehensive inspection services to defend against 30+ types of network and application layer DDoS attacks
Respond rapidly to new security threats for which a patch does not yet exist, reducing the window of exposure
Significantly limit revenue loss and damage to corporate credibility caused by malicious cyber attacks
The BIG-IP version 11.1 platform, which includes multiple modules that can be deployed as standalone or layered solutions, provides enhanced protection for DNS servers, as well as highly scalable web access management capabilities and single sign-on services. In addition, it enables customers to dynamically create application security policies using context derived from leading vulnerability scanning tools.
The following characteristics put F5’s firewall solution in a class by itself:
Scalable Performance – BIG-IP devices support 2.8 million connections per second—eight times that of the closest competitor’s solution, with only 360,000 connections per second.
Extensible and Adaptable Platform Using F5’s event-driven scripting language, iRules', application, security, and network teams can quickly build new services that inspect, transform, and direct application traffic.
Vulnerability Assessment – BIG-IP Application Security Manager™ integrates with leading web application scanning tools, including WhiteHat Sentinel, IBM Rational AppScan, Qualys QualysGuard WAS, and Cenzic Hailstorm, to help assess and mitigate vulnerabilities.
DNS Protection – BIG-IP Global Traffic Manager™ provides security, scalability, performance, and control to help protect the DNS infrastructure from attacks (such as DDoS, DNS response hijacking, and cache poisoning) that can cause DNS outages and reduce productivity.
High Performance and Flexible Access – BIG-IP Access Policy Manager' on the F5 VIPRION' high performance chassis takes advantage of the world’s fastest ADC, delivering endpoint inspection, multifactor user authentication, L3–L7 access controls, and single sign-on capabilities.
Context Awareness – Because BIG-IP is fluent in application protocols, it can detect unusual application behavior and block traffic accordingly.
Industry Certification – Customers worldwide rely on the independent, objective evaluation and product assurances of ICSA Labs, which specializes in certifying security solutions. Customers can be confident that ICSA-certified BIG-IP products meet specific and objective test criteria and deliver strong security protections.
Engaged Community – F5’s DevCentral™ online community—with over 90,000 application developers, network professionals, and IT architects worldwide—offers practical, real-world solutions to help bridge the gap that has traditionally existed between functional teams.
Today’s news, which builds on F5’s vision of the dynamic data center, ties back to the BIG-IP version 11 announcement that focused on helping customers protect their Web 2.0 applications, secure their DNS infrastructures, and control application access and policies in a centralized manner. This new network firewall certification—the first of its kind available on an ADC—rounds out F5’s existing ICSA Labs’ certifications for its BIG-IP web application firewall and SSL VPN solutions.
“We cater to numerous industries—including energy, financial services, government, healthcare, and retail—and virtually all our customers’ top priorities include defense strategies against the increasing number of web, network, DDoS, and DNS attacks,” said Dan Thormodsgaard, VP of Solutions Architecture at FishNet Security. “BIG-IP gives us a common platform to deliver applications and rapidly respond to evolving threats, providing better value to our customers. The unification of high performance data center firewall services with an advanced platform ADC is a smart combination to effectively address the new wave of aggressive attacks.”
“Our customers tell us that attacks on applications, DNS, and their web properties are amongst their primary security concerns,” said Alastair Broom, Solutions Director at leading global IT security provider Integralis. “Delivering high performance data center firewall services as part of the BIG-IP Application Delivery Controller platform is likely to generate strong interest in F5 from a market keen to put effective countermeasures in place to protect themselves against today’s aggressive cyber attacks.”
“F5’s most recent certification of BIG-IP as a network firewall demonstrates the company’s commitment to being a security leader in the Application Delivery Controller space,” said Brian Monkman, Technology Programs Manager at ICSA Labs.
The BIG-IP data center firewall solution is available today with the newest release of BIG-IP software, version 11.1. The solution is built on BIG-IP Local Traffic Manager™ (LTM') and may be extended to include multiple BIG-IP software modules, depending upon customer requirements. To help organizations provide additional protection for DNS infrastructures, BIG-IP LTM can also be deployed with a DNS Services module, along with F5’s other bundled ADC offerings.
The BIG-IP product family is ICSA Labs network firewall-certified and encompasses multiple products, including BIG-IP LTM, Global Traffic Manager™, Access Policy Manager', Application Security Manager™, WebAccelerator™, and WAN Optimization Manager™. These products are all currently available and can be deployed in concert.
F5 BIG-IP Data Center Firewall – Overview
BIG-IP Data Center Firewall Solution – SlideShare Presentation
High Performance Firewall for Data Centers – Solution Profile
The New Data Center Firewall Paradigm – White Paper
Vulnerability Assessment with Application Security – White Paper
F5 Security Vignette: Hacktivism Attack – Video
F5 Security Vignette: DNSSEC Wrapping – Video
About ICSA Labs
ICSA Labs, an independent division of Verizon, offers third-party testing and certification of security and health IT products, as well as network-connected devices, to measure product compliance, reliability, and performance for many of the world’s top security vendors. ICSA Labs is an ISO/IEC 17025:2005 accredited and 9001:2008 registered organization. Visit http://www.icsalabs.com and http://www.icsalabs.com/blogs for more information.
About F5 Networks
F5 Networks, Inc., the global leader in Application Delivery Networking (ADN), helps the world’s largest enterprises and service providers realize the full value of virtualization, cloud computing, and on-demand IT. F5' solutions help integrate disparate technologies to provide greater control of the infrastructure, improve application delivery and data management, and give users seamless, secure, and accelerated access to applications from their corporate desktops and smart devices. An open architectural framework enables F5 customers to apply business policies at “strategic points of control” across the IT infrastructure and into the public cloud. F5 products give customers the agility they need to align IT with changing business conditions, deploy scalable solutions on demand, and manage mobile access to data and services. Enterprises, service and cloud providers, and leading online companies worldwide rely on F5 to optimize their IT investments and drive business forward. For more information, go to www.f5.com.
You can also follow @f5networks on Twitter or visit us on Facebook for more information about F5, its partners, and technology. For a complete listing of F5 community sites, please visit www.f5.com/news-press-events/web-media/community.html.