Microsoft P7305128, R1802907 Application Security, Unified Security Enforcement and Access Control

Page 4

F5 APPLICATION READY NETWORK GUIDE: MICROSOFT WINDOWS SERVER 2008

Benefits and F5 Value

browser and the web application, F5 mitigates the effects of WAN latency, networking errors, and packet loss.

One of the strengths of the F5’s Application Ready Network is the wide variety of materials that ease the burden of configuring and optimizing our devices, freeing valuable IT resources to work on other projects. As part of the Application Ready Network for Microsoft Windows 2008, F5 has configured, tested, and tuned our devices with the major components of Windows Server 2008 and carefully documented the procedures in our Deployment Guide. F5 also provides configuration Profiles and Policies to make configuration incredibly simple yet powerful and flexible, with some policies including prebuilt drop-downs for components like Microsoft Internet Information Services and Windows Terminal Services.

And now with our management devices, the deployment guide configuration files are available as a template, which can be easily uploaded and pushed to F5 devices. With the power of Microsoft PowerShell, the command line shell and scripting language included with Windows Server 2008, and F5’s iControl PowerShell Cmdlets and scripts, developers have a unique way to control and manage F5 devices in one location1.

Application Security

While performance and end-user experience are vital to a successful deployment of Windows Server 2008, ensuring application security

can be even more crucial. Because of the sensitive nature of data stored in applications and databases, coupled with new compliance initiatives and government regulations on data protection, securing your applications is more important than ever before. F5 security solutions provide comprehensive protection for Windows Server 2008, ensuring your data and applications are secure.

Years ago, merely having network firewalls in front of the LAN was considered an adequate level of security. Next came intrusion protection/ detection systems, which added another level of security, albeit one that provided a negative

security model. However, IPS/IDS systems could only protect against a known list of attacks and signatures, and soon attacks became more sophisticated, with zero-day attacks that would bypass these systems as their signatures were previously unknown. Recently, hackers are shifting their focus to applications themselves with attacks that look harmless to both network firewalls and intrusion protection/detection systems. More than 50 percent of all new vulnerabilities being identified on a weekly basis are attributed to web applications2.. Devices relying solely on a known list of signature attacks cannot defend against targeted attacks involving a malicious user seeking vulnerabilities unique to a particular application. F5 detects and mitigates patternless exploits in real time, adding accurate, complementary protection to existing firewalls and IDS devices, which do not efficiently address HTTP and HTTPS-borne threats.

In addition to analyzing and blocking known attack signatures, F5 can strip out identifying operating system and web server information (such as version strings, signatures, and fingerprinting) from message headers, conceal any HTTP error messages from users, and remove application error messages from pages sent to users while checking to ensure no server code or private HTML comments leak onto public web pages.

And attacks do not always come from the outside of the network; internal users can gain sensitive information or sabotage applications with greater ease than external users. Because F5 devices can offload SSL encryption duties, organizations can encrypt traffic for entire transactions, without affecting performance for the end user. This prevents information from being sent in clear text over the internal network, mitigating risks associated with internal users

as well as complying with state and federal regulations related to privacy.

F5 devices also protect against attacks that use cookies and other tokens that are transparently distributed for their entry point. F5 devices can be easily configured to encrypt cookies used by Windows Server 2008, preventing cookie tampering and other cookie-based attacks. This gives organizations superior security for all

stateful applications and a higher level of user identity trust.

F5 includes extremely granular endpoint security for remote users connecting to the network and to Windows Server 2008 servers and applications. Before a remote user can even log on to the F5 devices to gain access to the network, F5 can determine if an antivirus or personal firewall is running on their PC and if

it is up-to-date, or enforce a specific operating system patch level, among a host of other pre-logon checks. F5 can direct the user to a remediation page for further instructions or even turn on antivirus or firewalls for the user.

F5 remote access also supports two-factor authentication from leading vendors for those organizations that require more than just a user name and password for access to the network. And F5’s remote access solution can be easily integrated with Active Directory, providing centralized authentication.

When the remote user is finished working with their remote access session, F5 includes a cache cleanup control that removes cookies, browser history, auto-complete information, browser cache, temp files, and all ActiveX controls installed during the remote access session from the client PC. This makes ensures that no information is left behind, which is critical for users connecting from public computers, such as a kiosk.

Not only does F5 provide comprehensive application security, but we produce extremely secure devices. We ensure your Windows Server 2008 deployment, and the information it contains, remains completely secure.

Unified Security Enforcement and Access Control

Another integral piece of a complete security platform is security enforcement and access control. The number of employees requiring access to corporate resources from outside the network is growing every year. And it’s not only employees who need access to the network. With more business-to-business

1 For more information on iControl and Microsoft PowerShell integration, see http://devcentral.f5.com/Default.aspx?tabid=71 2 SANS@RISK, “The Consensus Security Vulnerability Report”

4

Image 4
Contents Microsoft Windows Server Summary Benefits and F5 Value User Experience and Application PerformanceUnified Security Enforcement and Access Control Application SecurityBusiness Continuity and Disaster Recovery Global F5 and Windows Server 2008 Deployment DMZDeployment Guides Additional InformationF5 Product offerings