Application Infrastructure Protection

App infrastructure protection defends the systems that applications depend on. Preventing attacks on TLS, DNS, and the network is critical to keeping your apps secure and available.

TOP CUSTOMER USE CASES

End-to-end encryption

Inspect encrypted traffic

Protect TLS/SSL

Prevent DNS hijacking

APP INFRASTRUCTURE ATTACKS

Explore the different app tiers below to find out how several app infrastructure attacks target different tiers of the app.

APP SERVICES

Application infrastructure refers to the systems that applications depend on that are external to the app itself. Attacks against application infrastructure target weaknesses in TLS, DNS, and network tiers. Attacks can include compromising a vulnerable implementation of TLS/SSL, spoofing DNS to divert user traffic, a man-in-the-middle attack on a network, or a DDoS attack on any of these tiers.

TLS

Key Disclosure

The keys used to decrypt confidential data and establish authenticity are the highest value assets in the security infrastructure. Like credentials, keys provide access to an app or network, as well as data encrypted at rest or in transit. Key material can be exposed in a variety of ways: by attackers gaining access to the systems that host the key material, by accidentally “leaking” the key in a backup or low-security data repository, or via an exploit like Heartbleed. High-security environments typically use specialized hardware key storage (for example, hardware validated to FIPS 140) to protect keys from disclosure.

Protocol Abuse

Protocols and ports have defined purposes and uses, such as port 443 for HTTPS (encrypted web traffic). Attackers can abuse these by using a known protocol, which a traditional firewall may allow through, as a covert channel to transfer stolen data or issue commands to malware inside a network. When attackers send non-HTTPS traffic across a port defined for HTTPS (or send any traffic across a port that isn’t intended for it), it’s known as protocol abuse.
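One way to spot the simplest form of protocol abuse described above is to check whether a flow on a TLS port actually opens with a TLS ClientHello. This is an added example, not F5 code; the flow tuples, addresses, and label names are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16           # TLS record content type: handshake
CLIENT_HELLO = 0x01            # handshake message type: ClientHello
MAX_RECORD_LEN = 2 ** 14       # plaintext record size limit (RFC 8446, section 5.1)
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def classify_first_bytes(payload: bytes) -> str:
    """Label the first client-to-server bytes of a flow on a TLS-only port."""
    if len(payload) < 6:
        return "insufficient-data"
    content_type, major, minor, record_len = struct.unpack("!BBBH", payload[:5])
    if content_type == TLS_HANDSHAKE and major == 3 and minor <= 4:
        if 0 < record_len <= MAX_RECORD_LEN and payload[5] == CLIENT_HELLO:
            return "tls-client-hello"
        return "malformed-tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "plaintext-http"
    return "unknown-non-tls"


def flag_protocol_abuse(flows, tls_ports=(443,)):
    """Return (src, port, label) for flows on TLS ports that do not open with TLS."""
    findings = []
    for src, dst_port, first_bytes in flows:
        if dst_port not in tls_ports:
            continue
        label = classify_first_bytes(first_bytes)
        if label != "tls-client-hello":
            findings.append((src, dst_port, label))
    return findings


# Constructed sample flows: (source address, destination port, first payload bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", 443, bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32),
    ("10.0.0.9", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.12", 443, b"POST /upload HTTP/1.1\r\nHost: files.example\r\n"),
    ("10.0.0.17", 443, bytes.fromhex("a7f3019c22de5b8840")),
    ("10.0.0.21", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for finding in flag_protocol_abuse(SAMPLE_FLOWS):
        print(finding)
```

A channel wrapped inside a genuine TLS session passes this check; finding that requires decrypting and inspecting the traffic.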

Certificate Spoofing

Digital certificates (also known as SSL certificates) provide secure, encrypted communications between a website and its users, decreasing the risk of sensitive information (such as login credentials or credit card numbers) being tampered with or stolen. Certificates are issued to organizations by trusted certificate authorities (CAs) to verify the identity of the organization’s website to users. (Think of it as the equivalent of a passport or driver’s license.) Certificate spoofing occurs when an attacker presents a fake digital certificate on a malicious website. This can lead to unsuspecting users trusting a malicious website or imposter app, making them vulnerable to malware infection, man-in-the-middle attacks, or stolen credentials.

Session Hijacking

When an attacker successfully obtains or generates an authentication session ID, it’s session hijacking. The attacker uses captured, brute-forced, or reverse-engineered session IDs to take control of a legitimate user’s web application session while the session is still in progress.

DNS

DDoS

Also known as a DNS flood. In this type of attack, the attacker sends a barrage of requests to the DNS servers of a specific domain in an attempt to overload them. If successful, this disrupts the address lookup process and prevents users from connecting to the requested site.

DNS Hijacking

An attack that forcibly redirects traffic to a website designated by the attacker. In this type of attack, an unsuspecting victim, thinking they’re connecting to a banking website, is actually connecting to a fake banking website where the attacker can steal their username and password when they try to log in. This attack is often carried out by an attacker who’s infected a user’s system with malware that changes its DNS settings, redirecting the user’s computer to a malicious DNS server.

DNS Cache Poisoning

This attack occurs when an attacker injects a forged DNS entry into the DNS cache. For example, in a DNS cache server that’s used by an ISP, which is in turn used by its customers, the fake DNS entry resolves a common domain name to an IP address specified by the attacker. Any user that tries to connect to that domain is sent to that IP address and reaches a fake website instead.

DNS Spoofing

A broad category of attacks that attempt to spoof DNS records. This can involve compromising a DNS server, carrying out a DNS cache poisoning attack, guessing a sequence number in a request, or launching a man-in-the-middle attack.

NETWORK

DDoS

Almost all DDoS attacks are designed to disrupt services or make them completely unavailable to the user by various means. One of them is overwhelming the system with more requests than it can handle. At the network level, these attacks involve disrupting network/perimeter firewalls, load balancers, or other network devices, making an entire network unreachable (as opposed to a specific server, website, or application).

Man-in-the-middle

In a man-in-the-middle attack, attackers insert themselves into a network communication, often between a client and a web application. If successful, the attack enables an attacker to have full access to the communication and secretly alter it. For example, an attacker might hijack a communication between a user and their banking website, stealing the user’s login credentials or redirecting funds from the victim’s bank account to the attacker’s account.

Protocol Abuse

Protocols and ports have defined purposes and uses, such as port 443 for HTTPS (encrypted web traffic). Attackers can abuse these by using a known protocol, which a traditional firewall may allow through, as a covert channel to transfer stolen data or issue commands to malware inside a network. When attackers send non-HTTPS traffic across a port defined for HTTPS (or send any traffic across a port that isn’t intended for it), it’s known as protocol abuse.

Eavesdropping

This attack involves an attacker using special network monitoring software (also known as a sniffer) to intercept and record communication between two parties (for example, between two hosts or a client and a server) with the goal of capturing valuable sensitive information. In wireless network environments, mitigation involves using strong encryption methods that operate at the lowest possible layers of the protocol stack.

IF YOU CAN’T SEE IT, HOW CAN YOU SECURE IT?

68% of malware sites active in September and October of 2018 leveraged encryption. Attackers take advantage of it to mask malicious payloads. So, if you’re not inspecting SSL/TLS traffic, you’ll miss attacks, leaving your organization vulnerable.

App Infrastructure Protection Solutions

INSPECT ENCRYPTED TRAFFIC

SSL/TLS enables businesses to securely communicate with customers and partners. Problem is, SSL/TLS can also function as a tunnel that attackers use to hide attacks and malware from security devices. Inspection devices like a next-gen firewall, an IDS/IPS, or a malware sandbox don’t see into encrypted SSL/TLS traffic or suffer degraded performance when decrypting. F5 SSL Orchestrator easily integrates into complex architectures and offers a centralized point for decryption and re-encryption while strategically directing traffic to all the appropriate inspection devices.

APP INFRASTRUCTURE PROTECTION PRODUCTS

SSL Orchestrator >

MANAGING YOUR SOLUTION

Need help managing your app infrastructure security solution? F5 offers numerous training opportunities and professional services.

SELF-MANAGED

An appliance or software virtual image for your on-premises, collocated data-center, or public cloud environment that provides you direct control over your app infrastructure security.

DEPLOYING YOUR SOLUTION

F5 app infrastructure protection solutions are available in both software and hardware.

On Premises: Outbound

Protect internal networks by inspecting outbound requests either inline, in passive mode, or by sending them to an ICAP server. The power to decrypt, steer, re-encrypt, and terminate outbound SSL protects the user and organization.

HOW TO BUY

SUBSCRIPTION

Specify the number of instances you need and sign up for a 1-, 2-, or 3-year term that includes maintenance and support for updates.

PERPETUAL

Determine the number of instances you need and set up a licensing agreement. Perpetual licenses extend for the lifetime of the product and are available by individual service or in bundles.

ENTERPRISE LICENSE AGREEMENT (ELA)

Available in 1-, 2-, or 3-year terms, ELAs offer flexibility for large organizations to spin virtual instances up or down as needed. Product maintenance and support are included.

UTILITY

Buy an instance of the service you need through Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform, and just pay hourly for what you use.

END-TO-END ENCRYPTION

Managing the SSL/TLS connection between users and applications can be tedious and leave room for security risks. F5 offers a solution to centralize and simplify the management of keys, certificates, and ciphers used in end-to-end encryption, so you can cost-effectively protect data-in-transit by encrypting everything from the client to the server. It also adheres to the FIPS 140-2 standard and scales to absorb potentially crippling DDoS attacks. Use your solution to perform TLS termination, TLS cipher policy enforcement, or TLS offload.

On Premises: Inbound

Deploy inline to terminate all traffic, decrypting (for analysis and modification) and re-encrypting to steer clean traffic appropriately—while blocking potential malware. Organizations may also deploy an SSL cipher policy enforcement tool or offload SSL to reduce server strain.

PROTECT SSL/TLS PROTOCOL

Attackers and security researchers are constantly trying to find new ways to break today’s popular methods of encrypting data-in-transit. Often, a flaw in the protocol design, a cipher, or an underlying library is the culprit. Our solution provides for centralized management of your TLS configuration which enables better application performance and allows seamless flexibility in updating your TLS configurations as needed.

APP INFRASTRUCTURE PROTECTION PRODUCTS

F5’s suite of app infrastructure protection products offers comprehensive protection and easily fits into the environment that makes sense for your organization.

BIG-IP Local Traffic Manager >

BIG-IP Advanced Firewall Manager >

Advanced Web Application Firewall >

PREVENT DNS HIJACKING

DNS hijacking attacks threaten the availability of your applications. They can even compromise the confidentiality and integrity of the data if customers are tricked into using a bogus application. With the F5 DNS security solution, you can digitally sign and encrypt your DNS query responses. This enables the resolver to determine the authenticity of the response, preventing DNS hijacking as well as cache poisoning.

APP INFRASTRUCTURE PROTECTION PRODUCTS

BIG-IP DNS >

Secure your infrastructure at hyperscale during high query volumes and DDoS attacks, and ensure apps are highly available—even between multiple instances and across hybrid environments.

On Premises: Inbound

Deploy inline to all traffic and protect internal networks by inspecting inbound traffic requests.

PREVENT DNS DDOS ATTACKS

A DNS flood, including the reflection and amplification variations, disables or degrades a web application's ability to respond to legitimate traffic. These attacks can be difficult to distinguish from normal heavy traffic because the large volume of traffic often comes from several unique locations, querying for real records on the domain, mimicking legitimate traffic. The F5 DNS DDoS solution can stop these attacks by scaling up to process more requests per second when necessary.

DETECT DNS TUNNELING

Many firewalls and IPS solutions do not address the more modern threats to DNS infrastructure, like DNS tunneling. Managing DNS attack vectors like DNS tunneling requires inspection of the entire DNS query for deeper markers of either good or bad behavior without disrupting service performance.
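A sketch of what inspecting the entire DNS query can look like in practice: group query names by parent domain and count distinct subdomains that are both long and high in character entropy. This is an added example, not F5's detection logic; the thresholds, the two-label parent-domain rule, and the sample queries are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def shannon_entropy(text: str) -> float:
    """Bits per character of the observed character distribution."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def split_qname(qname: str):
    """Split a query name into (subdomain part, parent domain).

    Assumption: the parent is the last two labels. Production code should
    use the Public Suffix List so names under e.g. co.uk group correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunnel_suspects(qnames, min_len=40, min_entropy=3.5, min_unique=4):
    """Return {parent domain: count of distinct long, high-entropy subdomains}."""
    encoded_looking = defaultdict(set)
    for qname in qnames:
        sub, parent = split_qname(qname)
        payload = sub.replace(".", "")
        if len(payload) >= min_len and shannon_entropy(payload) >= min_entropy:
            encoded_looking[parent].add(sub)
    return {p: len(s) for p, s in encoded_looking.items() if len(s) >= min_unique}


def constructed_encoded_label(i: int, length: int = 48) -> str:
    """Constructed stand-in for an encoded data chunk (rotated base32 alphabet)."""
    rotated = BASE32_ALPHABET[i:] + BASE32_ALPHABET[:i]
    return (rotated * 2)[:length]


# Constructed query log: ordinary lookups plus one parent domain receiving
# many distinct, long, high-entropy subdomains.
SAMPLE_QUERIES = (
    ["www.example.com.", "mail.example.com.", "api.eu-west.example.net.",
     "d1a2b3c4e5f6g7.cdn.example.org."]
    + [f"{constructed_encoded_label(i)}.t.tunnel-test.example." for i in range(6)]
)

if __name__ == "__main__":
    print(find_tunnel_suspects(SAMPLE_QUERIES))
```

Some CDN and telemetry hostnames are also long and random-looking, so the thresholds need tuning against a baseline of the network's own traffic before alerting on them.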
