TCOGROUP SRL, info.italy@tcoproject.com
LBL® Application Availability Infrastructure
Unified Secure Reverse Proxy
Attack Prophecy and LBL - The New Frontier of Cyber Security - 29 January 2016 - Elmas
TCOGROUP
Mission:
Development of Software Tools Aimed at Enhancing
High Availability (HA) of IT Services in Mission Critical
and Business Critical Environments
Main Focus:
HA, Business Continuity, and Disaster-Recovery
Target Markets: Finance, Telco, e-Commerce, Healthcare,
Transportation, Energy, Oil & Gas, Manufacturing,
Education, Public Administration, Service Providers
The Reference Scenario
IT services evolution: Security, Performance, Control by design
Figure: solution features (Full Availability, Security, SSO, Analysis & Reporting, Billing, Speed & Performance) built on IaaS, OpenStack and SDN.
The Reference Scenario
IT services evolution: from individual application ...
Figure: service layers of a single application: Network, Security, Application, Database, SAN.
The Reference Scenario
... to service ...
Figure: the same service layers (Network, Security, Application, Database, SAN), now with the application tier split into Applications A, B and C and the database tier into DBMS A, DBMS B, DIRSRV and separate text, image and log stores. A dedicated reverse proxy sits in front of each of Application A, B and C, DBMS A, B and C, and DIRSRV; SAN virtualization sits beneath the storage.
LBL® A.A.I.: a New Paradigm for HA
LBL® LoadBalancer Unified Reverse Proxy
Figure: the per-service reverse proxies are replaced by one Unified Reverse Proxy in front of Application A, B and C, Remote Desktop, Network File System, Exchange, and the DIRSRV, text and image databases, with SAN virtualization beneath the storage layer.
Figure: the same diagram with the Unified Reverse Proxy's Dynamic Path to the back-end services highlighted.
LBL® A.A.I.: a New Paradigm for HA
Business Continuity Sites: primary building, secondary building, disaster recovery site.
LBL® A.A.I.: a New Paradigm for HA
Border Router Protocol (Amazon Regions compliant) DoS/DDoS resolver
L7 HTTP/S and L4 TCP/UDP content rewriting

Header rewriting (example request):
GET / HTTP/1.1
Host: www.tcoproject.dev
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; it; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: LBLSESSIONID=1277228676044; TCOPROJECTAUTH=1277048578420; TCOPROJECTSESSIONID=1277048578511

Body rewriting (example response body, CSS):
/* Lines enclosing the page title and bottom */
td.EncloserLine { height: 2px; background-color: rgb(51, 51, 255); }
/* Content table */
table.ContentTable { text-align: left; width: 100%; }
/* Paragraph title */
td.ParagraphTitle { text-align: left; color: black; font-weight: bold; font-style: italic; background-color: rgb(255, 143, 89); }
/* Paragraph body */
td.ParagraphBody { text-align: left; }

Content inspection and rewriting of data streams through regular expressions and/or simple Java programming (call-backs). LBL® Content Rewriter allows complex operations through SSO integration and can actively intervene based on the content or the volume of the traffic.
TLS termination: A <----SSL----> LBL <----NOSSL----> B
TLS re-encryption: A <----SSL(a-m)----> LBL <----SSL(m-b)----> B

Request as seen by the back-end after termination with client-certificate forwarding:
host: localhost
user-agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
accept-encoding: gzip,deflate
accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive: 115
connection: keep-alive
referer: https://localhost/trainingw/
cookie: LBLSESSIONID=1280903726322
content-type: application/x-www-form-urlencoded
content-length: 33
x-fwdcertserialnumber_0: 1282479557
x-fwdcertdatenotbefore_0: 2010-08-22 14:19:17.0 UTC
x-fwdcertdatenotafter_0: 2011-08-22 14:19:17.0 UTC
x-fwdcertsubject_0: CN=clientname, OU=clientlob, O=clientcompany, L=clientcountry, ST=clientdistrict, C=IT
x-fwdcertissuer_0: CN=clientname, OU=clientlob, O=clientcompany, L=clientcountry, ST=clientdistrict, C=IT
x-fwdcertencodedpem_0: ---BEGIN+CERTIFICATE----0AMIICdTCCAd6gAwIBAgIETHEVxTANBgkqhkiG9w0BAQUFADB2FMQswCQYDVQQGEwJJVDEXMBUGA1UECBMOY2xpZW50ZGlzdHJp0AY3QxFjAU BgNVBAcTDWNsaWVudGNvdW50cnkxFjAUBgNVBAoTDWNsaWVudGNvbXBhbnkxEjAQBgNVBAsTCWNsaWVudGxvYjET0AMBEGA1UEAxMKY2xpZW 50bmFtZTAeFw0xMDA4MjIxMjE5MTdaFw0xMTA4MjIxMjE5MTdaMH8xCzAJBgNVBAYTAklUMRcwFQYD0AVQQIEw5jbGllbnRkaXN0cmljdDEWMBQG A1UEBxMNY2xpZW50Y291bnRyeTEWMBQGA1UEChMNY2xpZW50Y29tcGFueTESMBAG0AA1UECxMJY2xpZW50bG9iMRMwEQYDVQQDEwpjbGllbnR uYW1lMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGMdLc3mhc0ARflqNpPGUbfg2yyvNbuejsARzN6L0CjcQXLqpfMrh0npRiDG2BlSP98tISi2BK Mlcxbvl3Y6Dk6QTUCw1AxN7vUUapZ4tJBwzM0AUACAYp6HCr1tFTvgU8XQui74hqkcZjSPOSvoX2BuIjmSl832O6Iu0hoG0GPE2FqF3THQIDAQABMA0GCS qGSIb3DQEBBQUAA4GB0AADuMyBB76YZrcgvVDJtTQNLtFCXrwUnKj2qkbDDe9ESp2F9H8ZquCOwcig5Pj0zrYyAPFQSoWwdZ18RuT1ScqEUX2%2F7L2F 2FFyk0AEeSVL8mr9eB4mMxgACNFn6GzUTkUD2PBO5HNBc9TcKvEzTtTP35x13pNTaWvhNBL2Li09y5xUfIi%0D%0A----END+CERTIFICATE---%0D%0A
x-forwarded-for: 127.0.0.1

TLS and certificate management:
- TLS termination and spontaneous offloading
- Client-certificate forwarding (integrating J2EE applications with no code changes): the verified client certificate is passed to the back-end as the x-fwdcert*_0 headers above (serial number, validity dates, subject, issuer and the URL-encoded PEM), together with x-forwarded-for
- TLS re-encryption towards the back-end

Because the back-end authenticates the user from these headers, they are only trustworthy if the proxy strips any x-fwdcert*/x-forwarded-for headers arriving from the client and the back-end accepts them only on connections coming from the proxy.
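The trust boundary described above, as an added example (not LBL's code): the proxy side drops any client-supplied identity headers before injecting its own, and the back-end side honours the x-fwdcert*_0 / x-forwarded-for headers from the slide only when the TCP peer is a known proxy. The proxy address 10.8.1.212 (taken from the SNI slide), the client addresses and the sample request are constructed for this example.

```python
"""Trust boundary for forwarded client-certificate headers.

Added example, not part of LBL. Header names follow the slide
(x-fwdcertsubject_0, x-fwdcertserialnumber_0, x-forwarded-for); the trusted
proxy address and all sample requests are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

FORWARDED_PREFIX = "x-fwdcert"      # identity headers derived from the client cert
FORWARDED_FOR = "x-forwarded-for"

# Assumption: only this address may assert a client identity to the back-end.
TRUSTED_PROXIES = {ipaddress.ip_address("10.8.1.212")}


def proxy_prepare_headers(client_headers: Dict[str, str], client_ip: str,
                          cert_subject: Optional[str],
                          cert_serial: Optional[str]) -> Dict[str, str]:
    """Proxy side: strip spoofed identity headers, then add verified ones.

    cert_subject/cert_serial come from the proxy's own mutual-TLS handshake;
    None means the client presented no (valid) certificate.
    """
    out = {
        k.lower(): v for k, v in client_headers.items()
        if not k.lower().startswith(FORWARDED_PREFIX) and k.lower() != FORWARDED_FOR
    }
    out[FORWARDED_FOR] = client_ip
    if cert_subject is not None:
        out["x-fwdcertsubject_0"] = cert_subject
        out["x-fwdcertserialnumber_0"] = cert_serial or ""
    return out


@dataclass
class ClientIdentity:
    subject: str
    serial: str
    source_ip: str


def backend_client_identity(headers: Dict[str, str],
                            peer_ip: str) -> Optional[ClientIdentity]:
    """Back-end side: accept forwarded identity only from a trusted proxy peer."""
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return None  # direct connection: a self-asserted identity is worthless
    h = {k.lower(): v for k, v in headers.items()}
    subject = h.get("x-fwdcertsubject_0")
    if not subject:
        return None  # proxy saw no client certificate
    return ClientIdentity(subject=subject,
                          serial=h.get("x-fwdcertserialnumber_0", ""),
                          source_ip=h.get(FORWARDED_FOR, peer_ip))


def subject_cn(subject: str) -> Optional[str]:
    """Pick the CN out of a comma-separated DN such as the one on the slide."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None


if __name__ == "__main__":
    # Constructed: a client tries to smuggle its own identity headers.
    spoofed = {"Host": "www.tcoproject.dev",
               "X-FwdCertSubject_0": "CN=admin, O=evil",
               "X-Forwarded-For": "1.2.3.4"}
    clean = proxy_prepare_headers(spoofed, "203.0.113.7", None, None)
    print(backend_client_identity(clean, "10.8.1.212"))   # None: no cert presented
```

The two checks are independent: stripping at the proxy protects back-ends that forget the peer check, and the peer check protects back-ends that are reachable without passing through the proxy.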
TLS-SNI (Server Name Indication) on public networks
- No limit on the number of certificates per address/port
- Multiple certificate containers, each with its own password

TLS handshake using SNI: the Client Hello requests securesite2.com, and the Server Hello answers with the securesite2.com certificate.
https://www.securesite1.com, https://www.securesite2.com and https://www.securesite3.com all resolve in DNS to 10.8.1.212; LBL listens on 10.8.1.212 on a single port for all three names (the slide shows port 80; HTTPS is normally served on 443) and picks the certificate from the name the client sends.
SUCCESS STORIES
Microsoft TMG replacement since 2011
LBL® Application Availability Infrastructure
LBL® A.A.I.: a New Paradigm for HA
LBL® LoadBalancer Unified Secure Reverse Proxy
Figure (three-step build): the service-layer diagram from the first part (Network, Security, Application A/B/C, Remote Desktop, Network File System, Exchange, DIRSRV, text and image databases, SAN, SAN virtualization) with the Security layer moving from a separate tier into the proxy, which becomes the Unified Secure Reverse Proxy.
LBL® A.A.I.: a New Paradigm for HA
LBL® LoadBalancer Unified Secure Reverse Proxy
Run-time security
Figure: Services Consumers -> Services Dispatcher -> Services Producers. The dispatcher applies:
1. Session cookie
2. Set-Cookie generated by the application server
3. HSTS: redirect from http to https
4. HSTS: Strict-Transport-Security header injected into the response
5. POST body length check, independent of Content-Type / Transfer-Encoding
6. DoS protection (unique feature in today's market)
7. DDoS protection (unique feature in today's market)
8. DDoS iRedCarpet (Application Quality of Service) (unique feature in today's market)
9. Client SSL protocol interceptor and tracing
10. SSL cipher suites and protocols enabled globally / per listener / per back-end
11. SSO and client-certificate management
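Items 2 to 5 above, together with the header/body rewriting slide earlier, are all transformations a reverse proxy applies at the dispatch point. The following added example (not LBL's code) shows them in one place: the http-to-https redirect, HSTS injection, adding Secure/HttpOnly to application-generated Set-Cookie headers, regex rewriting of internal URLs in the body with Content-Length kept consistent, and a POST body check that measures the bytes actually received rather than trusting the declared length. The HSTS policy, the internal hostnames, the public origin and the sample response are assumptions constructed for the example.

```python
"""Run-time response hardening and body checks at a reverse proxy.

Added example, not part of LBL. Policy values (HSTS max-age, internal host
pattern, size limit) and the sample messages are constructed for the example.
"""
from __future__ import annotations

import re
from typing import Dict, List, Optional, Tuple

HSTS_VALUE = "max-age=31536000; includeSubDomains"   # assumed HSTS policy
# Assumed internal back-end names that must never leak to the client.
INTERNAL_URL = re.compile(rb"http://(?:app-a|app-b|app-c)\.internal(?::\d+)?")

Headers = List[Tuple[str, str]]


def redirect_to_https(host: str, path: str, is_tls: bool) -> Optional[Tuple[int, Dict[str, str]]]:
    """Item 3: plain-http requests get a permanent redirect to the https origin."""
    if is_tls:
        return None
    return 301, {"Location": f"https://{host}{path}"}


def _secure_cookie(value: str) -> str:
    """Item 2: add Secure and HttpOnly to a Set-Cookie the app server emitted."""
    attrs = [a.strip() for a in value.split(";") if a.strip()]
    present = {a.split("=", 1)[0].lower() for a in attrs[1:]}
    if "secure" not in present:
        attrs.append("Secure")
    if "httponly" not in present:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def harden_response_headers(headers: Headers) -> Headers:
    """Items 2 and 4: fix cookie flags and inject/override HSTS."""
    out: Headers = []
    seen_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            value = _secure_cookie(value)
        elif lname == "strict-transport-security":
            seen_hsts = True
            value = HSTS_VALUE          # the proxy's policy wins over the app's
        out.append((name, value))
    if not seen_hsts:
        out.append(("Strict-Transport-Security", HSTS_VALUE))
    return out


def rewrite_response(headers: Headers, body: bytes, public_origin: bytes) -> Tuple[Headers, bytes]:
    """Body rewriting: replace internal URLs and keep Content-Length truthful."""
    new_body = INTERNAL_URL.sub(public_origin, body)
    out: Headers = []
    for name, value in harden_response_headers(headers):
        if name.lower() == "content-length":
            value = str(len(new_body))  # length may have changed after rewriting
        out.append((name, value))
    return out, new_body


def check_post_body(headers: Dict[str, str], body: bytes, max_len: int) -> Tuple[bool, str]:
    """Item 5: judge the bytes actually received, not the declared framing."""
    h = {k.lower(): v for k, v in headers.items()}
    if "transfer-encoding" in h and "content-length" in h:
        return False, "both Transfer-Encoding and Content-Length present (request smuggling risk)"
    declared = h.get("content-length")
    if declared is not None:
        if not declared.isdigit():
            return False, "malformed Content-Length"
        if int(declared) != len(body):
            return False, "Content-Length does not match received body"
    if len(body) > max_len:
        return False, f"body exceeds {max_len} bytes"
    return True, "ok"


if __name__ == "__main__":
    # Constructed back-end response leaking an internal hostname.
    hdrs = [("Content-Type", "text/html"),
            ("Set-Cookie", "TCOPROJECTSESSIONID=1277048578511; Path=/"),
            ("Content-Length", "61")]
    body = b'<a href="http://app-a.internal:8080/login">Login</a><p>ok</p>'
    print(rewrite_response(hdrs, body, b"https://portal.tcoproject.dev"))
```

The smuggling check is the caveat behind item 5: a proxy and a back-end that disagree on which framing header wins can be made to see different request boundaries, so the safest policy is to refuse the ambiguous request outright rather than pick one interpretation.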
LBL® A.A.I.: a New Paradigm for HA
LBL® LoadBalancer Unified Secure Reverse Proxy
Run-time security
Figure: Services Consumers -> Services Dispatcher -> Services Producers, with consumers classed as "Very Important Person" served ahead of "Least priority" consumers.
LBL® A.A.I.: a New Paradigm for HA
LBL® LoadBalancer Unified Secure Reverse Proxy
Run-time tracing
Figure: Services Consumers -> Services Dispatcher -> Services Producers, with traffic data fed to LBL® Traffic Monetizer.
LBL® A.A.I.: a New Paradigm for HA
LBL® Unified Reverse Proxy: real-time traffic analysis
Figure: Services Consumers -> Services Dispatcher -> Services Producers, with the dispatcher's traffic analysed by Attack Prophecy.
LBL® A.A.I.: a New Paradigm for HA
LBL® Unified Reverse Proxy: real-time reaction to run-time filtering
Figure: Attack Prophecy analyses the dispatcher's traffic and feeds filtering rules back to it, with the SOC in the loop.
Cyber security cycle
Real-time interceptions -> data collection -> data aggregation -> real-time analysis -> real-time reaction -> add rules (WAF, DoS/DDoS resolver) -> continuous assessment, then back to interception.
External assessment feeds the cycle from outside; events are notified to the authority.
LBL® A.A.I.: a New Paradigm for HA
LBL® Traffic Monetizer
Figure: traffic data shared between SOC, NOC and business applications. "The best solution is the next generation systems."
LBL® Application Availability Infrastructure
LBL® A.A.I. products map
LBL® A.A.I. LoadBalancer platform editions: Standard HA, Enterprise HA, Selected Capacity S1/S2/S3 HA, Selected Capacity S1/S2/S3
Modules: DoS/DDoS attack mitigation, WAF, Developer, Commander, Decision Engine, WorkFlow, DNS & Proxy Manager, Traffic Monetizer, Attack Prophecy, Customer Experience DB, Embedded appliance, Management Console, Catalog
Areas: Traffic, Data, Security, BC/DR, Management, Tracing/Security, Performance, WAF, Advanced Security
LBL® A.A.I. DoS attack prevention
LBL® DoS/DDoS attack prevention: VIP iRedCarpet
Figure: during an attack the dispatcher keeps serving "Very Important Person" consumers while "Least priority" consumers are throttled.
Thank you for your attention
TCOGROUP S.r.l.
[email protected]
TCO Software Group Inc.