TRANSCRIPT
Architecture: Consolidated Platform
Eddie Augustine, Major Accounts Manager: Federal
© F5 Networks, Inc 2
Current DoD Situation – “Stovepipes” of Technology

[Slide diagram: separate point products for VDI / BYOD, Load Balancing, CAC / SSO, App Security, DNSSEC, SSL VPN, IPv4 – v6, App Acceleration and WAN Optimization, shown beside the consolidated F5 platform: the Traffic Management Operating System (TMOS), Application Delivery Services (Access, Security, Availability) and Customization Solutions (iRules, iControl).]
“Elimination of Stovepipes”
This is not a product pitch but rather an ARCHITECTURE conversation.

[Slide diagram: the consolidated platform stack again: Traffic Management Operating System (TMOS), Application Delivery Services (Access, Security, Availability), Customization Solutions (iRules, iControl).]
Benefits of a Consolidated Platform
- Reduced infrastructure = LOWER COST
- Reduced personnel / SMEs = LOWER COST
- Standardization = LOWER COST
- Less power (multiple devices) = LOWER COST
- SSL Offload = LOWER COST
- Less training = LOWER COST
- Lower maintenance fees = LOWER COST
- Faster delivery of apps = Happier Users
- Context aware = MORE SECURE (W,W,W,W,W, H)
Application Delivery Networking: App Access Management
Paul Deakin, FSE
Application Complexity: Extending Beyond the Code

[Slide diagram: the Application Architect at the centre of competing demands: Availability, Security, Growth, End-user Experience, Efficiency.]
F5’s Strategic Point of Control

How do I connect all these applications and services to the right people, at the right moment in time, using the right amount of resources, meet all my SLAs, ensure security and save money?

[Slide diagram: user populations (Corporate Employees, Remote Employees, Mobile Employees, Branch Employees, and Customers, Partners or Suppliers) connecting to applications in the Corporate Data Center, Branch Apps and Data, Cloud Services, Hosted Applications and SaaS.]

[Slide diagram: the BIG-IP platform placed between Users and Resources (Physical, Virtual, Multi-Site DCs, Cloud; private and public OS/APP instances), providing four groups of services:]
Security
• Network
• Application
• Data
• Access
Management
• Integration
• Visibility
• Automation
• Orchestration
Availability
• Scale
• HA / DR
• Bursting
• Load-Balancing
Optimization
• Network
• Application
• Storage
• Offload
A “Modern” IT Delivery Model

[Slide diagram: the same user populations (Corporate, Remote, Mobile and Branch Employees; Customers, Partners or Suppliers) and application locations (Corporate Data Center, Branch Apps and Data, Cloud Services, Hosted Applications, SaaS).]
Application Authentication: 3 Common (Static) Models
• In a Proxy?
• In an Agent?
• In the Code?

[Slide diagram: web servers hosting App 1, App 2, App 3 … App n behind a Proxy, with a Policy Manager and a Directory; the three numbered authentication points correspond to the three models listed.]
Application Authentication: Another Virtualized Service!
• Reduce Cost
• Gain Scalability
• Increase Security

[Slide diagram: the same web servers (App 1 … App n), Policy Manager and Directory, with authentication delivered as a virtualized service in front of them.]
Unified Access Control: Credential Caching and SSO
One Authentication – Multiple Access

[Slide diagram: a Client authenticates once at an Auth Virtual server for ex.com; Credential Caching (CC) virtual servers for colab.ex.com and support.ex.com reuse the cached credentials to provide single sign-on.]
Federal Gov’t Authentication Complications
• Explosion of smart cards: Federal Govt's CAC card
• Extra auth. infrastructure required for Kerberos protocol
• Orgs. are required to federate between agencies
• Additional auth. costs $1M to $5M per agency

[Slide diagram: users from different agencies accessing federated sites through an ADC, with a separate authentication gateway obtaining the Kerberos ticket-granting ticket.]
Simplified Smart Card Authentication Tier
• Reduce infrastructure costs by bringing auth. to BIG-IP
• Integrate and distribute users to domains
• Easier deployment throughout agencies

[Slide diagram: BIG-IP acting as the trusted proxy that obtains the Kerberos ticket-granting ticket on the user's behalf; token-based client access card for mobile users.]
Authentication on the Edge!
• Edge Authentication
• Endpoint Control
• Location Awareness
• Flexible Authentication
Greater Client Control
Decisions and Services Applied “Earlier”

[Slide diagram: Clients on one side, web servers (App 1 … App n) with Policy Manager and Directory on the other, with authentication decisions made at the edge between them.]
Graphical Access Policy Management
Increased Situational Awareness
Virtualization Support Built In
[Three screenshot slides; no further text.]
Software Modules

BIG-IP Local Traffic Manager: Direct traffic to the best available server; guarantee application availability
Features (grouped on the slide under Available, Fast and Secure):
• Compression
• RAM Caching
• TCP Multiplexing
• Load balancing
• Health Monitor
• Server Persistence
• DDoS protection
• TCP proxy
• Application proxy
• SSL offload

BIG-IP Global Traffic Manager: Direct, secure, and scale your DNS infrastructure
Scale DNS
• Up to 20 million queries per second
• IP Anycast for increased resilience
• Automated configuration sync
Secure DNS
• DDoS protection
• DNS protocol validation
• End the BIND patching cycle
Direct DNS
• Load balance across data centers
• Direct to physical and cloud DCs
• Geographic IP topology database

[Slide diagram: a Client's local DNS (L-DNS) queries BIG-IP GTM, which directs it to Data Center 1 or Data Center 2, each fronted by BIG-IP LTM in front of App Servers.]
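The "Secure DNS" bullets (DDoS protection, protocol validation) and the DNS query / NXDOMAIN floods listed later in the deck describe a detection problem that a resolver operator can reason about from query logs. The following is an added example written for this transcript, not GTM or DNS Express code: it parses a constructed query log (the format `<ts> <client> <qname> <qtype> <rcode>` is an assumption) and flags clients whose query rate exceeds a sliding-window threshold, or whose NXDOMAIN share is high enough to indicate random-subdomain probing. The thresholds are illustrative, not F5 defaults.

```python
"""Added example: DNS query-flood / NXDOMAIN-flood detection over a constructed query log."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    ts: float      # seconds
    client: str    # source IP of the query
    qname: str
    qtype: str
    rcode: str     # NOERROR, NXDOMAIN, SERVFAIL, ...


def parse_log(text):
    """Parse lines of the form '<ts> <client> <qname> <qtype> <rcode>'; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype, rcode = line.split()
        records.append(DnsRecord(float(ts), client, qname.lower(), qtype, rcode))
    return records


def detect_floods(records, window=1.0, max_qps=50, nx_ratio=0.8, min_queries=20):
    """Flag clients whose queries in any sliding window exceed max_qps, or whose
    NXDOMAIN share in a window holding at least min_queries reaches nx_ratio.
    Returns {client: sorted list of reasons}."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r.client].append(r)
    findings = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r.ts)
        start = 0            # left edge of the sliding window
        nx_in_window = 0
        reasons = set()
        for end, r in enumerate(recs):
            if r.rcode == "NXDOMAIN":
                nx_in_window += 1
            # slide the left edge until every record lies within `window` seconds of r
            while recs[start].ts < r.ts - window:
                if recs[start].rcode == "NXDOMAIN":
                    nx_in_window -= 1
                start += 1
            n = end - start + 1
            if n > max_qps * window:
                reasons.add(f"query rate above {max_qps}/s")
            if n >= min_queries and nx_in_window / n >= nx_ratio:
                reasons.add(f"NXDOMAIN ratio at or above {nx_ratio:.0%}")
        if reasons:
            findings[client] = sorted(reasons)
    return findings


def build_sample_log():
    """Constructed sample log (not captured traffic): one quiet client, one busy but
    well-behaved client, and one client whose random-label queries all miss."""
    lines = ["# constructed sample"]
    for i in range(5):                       # 10.0.0.5: 5 answered queries over 5 s
        lines.append(f"{1000 + i}.000 10.0.0.5 www.example.com A NOERROR")
    for i in range(30):                      # 10.0.0.9: 30 answered queries in 0.3 s
        lines.append(f"{1000 + i * 0.01:.3f} 10.0.0.9 api.example.com A NOERROR")
    for i in range(60):                      # 198.51.100.7: 60 misses in 0.3 s
        lines.append(f"{1000 + i * 0.005:.3f} 198.51.100.7 x{i:04d}.example.com A NXDOMAIN")
    return "\n".join(lines)


if __name__ == "__main__":
    for client, reasons in detect_floods(parse_log(build_sample_log())).items():
        print(client, "->", "; ".join(reasons))
```

The busy-but-answered client is deliberately included: rate alone would not separate it from an attacker at a slightly lower threshold, while the NXDOMAIN ratio does, which is why both signals are tracked per window rather than per client total.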
Security Landscape
90% of security investment is focused on network threats, yet 75% of attacks are focused on application threats. (Source: Gartner)
Network threat attack vectors:
• TCP SYN Flood
• TCP Conn Flood
• DNS Flood
• HTTP GET Flood
Application threat attack vectors:
• HTTP Slow Loris
• DNS Cache Poison
• SQL Injection
• Cross Site Scripting
Certification: EAL 2+, EAL4+ in process

F5 Extends Security Across All Layers
[Slide diagram: OSI layers 2–7 (Data Link, Network, Transport, Session, Presentation, Application), with BIG-IP Advanced Firewall covering the lower layers and BIG-IP Application Security covering the application layers.]
DDoS MITIGATION
F5 Mitigation Technologies by attack class (the slide shows these as three columns over the OSI stack):

Network attacks
• Attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
• Mitigation: BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

Session attacks
• Attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
• Mitigation: BIG-IP LTM and GTM: High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Application attacks
• Attacks: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods
• Mitigation: BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

[Slide diagram: the OSI stack from Physical (1) to Application (7), annotated "Increasing difficulty of attack detection" toward the application layer.]
• Protect against DDoS at all layers
• Withstand the largest attacks
• Gain visibility and detection of SSL encrypted attacks
SEPARATION OF FIREWALLS: BIG-IP Security, Use the right tool

“Next generation” firewall (Corporate users, outbound)
Characteristics:
• Outbound user inspection
• UserID and AppID
• Who is doing what?
• 1K users to 10K websites
• Broad but shallow

F5 Application Delivery Firewall (Internet data center servers, inbound)
Characteristics:
• Inbound application protection
• Application delivery focus
• 1M users to 100 apps
• Narrow but deep
• 12 protocols (HTTP, SSL, etc.)
BIG-IP Advanced Firewall: Full Network Firewall Integrated into the ADC
• Layer 2 – 4 Protection
• Application-centric deployment
• Massive Scale for DDoS Protection
• ICSA Certified Network Firewall
• Integrated into the BIG-IP ADC

Network Floods – Mitigated by Scale and Performance
Layer 3: Configurable rate-limiting of ICMP floods
Layer 4: SYN-flood protection in hardware, mitigating 1 billion SYNs per second
Concurrent sessions by platform:
• BIG-IP 10200v: 36M concurrent sessions
• VIPRION 2400: 48M concurrent sessions
• VIPRION 4480: 144M concurrent sessions
• VIPRION 4800: 288M concurrent sessions

[Slide chart: connections per second, in millions (0–7), for F5 VIPRION 4480 versus Juniper SRX 5800, Cisco ASA 5585-X and Check Point 61000; the VIPRION 4480 bar is annotated "14x".]
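The slide's Layer 4 claim rests on not allocating a connection-table entry until a TCP handshake actually completes, which is what a SYN cookie achieves. The following is an added example written for this transcript, not F5's SynCheck or PVA implementation: a simplified stateless SYN-cookie handshake in which the SYN-ACK's initial sequence number carries a time slot, an MSS index and a truncated HMAC over the 4-tuple, so the listener can verify the returning ACK without having stored anything for the SYN. The cookie layout (5/3/24 bits), the 64-second slot, the MSS table and the per-process secret are assumptions chosen for the example.

```python
"""Added example: a simplified stateless SYN-cookie handshake (not F5 code)."""
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)          # per-process secret (constructed; a real device rotates this)
MSS_TABLE = (536, 1220, 1440, 1460)       # the 3-bit MSS index in the cookie selects one of these


def _mac24(src_ip, src_port, dst_ip, dst_port, slot):
    """24-bit truncated HMAC over the 4-tuple and the 64-second time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _slot(now):
    return (int(time.time() if now is None else now) // 64) & 0x1F


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now=None):
    """Build the SYN-ACK initial sequence number: 5-bit time slot | 3-bit MSS index | 24-bit MAC."""
    slot = _slot(now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):       # largest table entry not above the client's MSS
        if m <= client_mss:
            mss_idx = i
    return (slot << 27) | (mss_idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, slot)


def verify_syn_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now=None, max_age_slots=1):
    """Return the negotiated MSS if the cookie is recent and its MAC matches this 4-tuple, else None."""
    slot = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    age = (_slot(now) - slot) & 0x1F        # modular difference handles the 5-bit wrap
    if age > max_age_slots:
        return None
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, slot)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


class StatelessListener:
    """A listener that allocates connection state only after the third handshake leg verifies."""

    def __init__(self, ip, port, now=None):
        self.ip, self.port, self.now = ip, port, now
        self.established = {}               # (src_ip, src_port) -> MSS

    def on_syn(self, src_ip, src_port, mss):
        # Nothing is stored: everything needed to validate the ACK is encoded in the ISN.
        isn = make_syn_cookie(src_ip, src_port, self.ip, self.port, mss, self.now)
        return {"flags": "SA", "seq": isn}

    def on_ack(self, src_ip, src_port, ack_num):
        # The third leg acknowledges ISN + 1, so the cookie is ack_num - 1 (mod 2^32).
        mss = verify_syn_cookie((ack_num - 1) & 0xFFFFFFFF, src_ip, src_port,
                                self.ip, self.port, self.now)
        if mss is None:
            return False
        self.established[(src_ip, src_port)] = mss
        return True


if __name__ == "__main__":
    srv = StatelessListener("192.0.2.10", 443, now=1_700_000_000)
    for i in range(10_000):                 # half-open SYNs that never complete
        srv.on_syn(f"203.0.113.{i % 256}", 1024 + i, 1460)
    print("connection-table entries after 10,000 unanswered SYNs:", len(srv.established))
    synack = srv.on_syn("198.51.100.1", 50000, 1460)
    print("legitimate handshake completes:", srv.on_ack("198.51.100.1", 50000, synack["seq"] + 1))
```

The trade-off the example makes visible: a cookie only has room for a coarse MSS and no window-scaling or SACK options, which is why real implementations (and the slide's "high-capacity connection table") keep normal stateful handling until a threshold is crossed and fall back to cookies under load.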
BIG-IP Application Security: Secure web applications from threats
• Layer 5 – 7 Application Protection
• PCI DSS Compliance
• Positive + Negative Security Models
• ICSA Certified Web App Firewall
• Integrated into the BIG-IP ADC
• Automate Signature Updates
• Industry Partnerships

[Slide diagram: Users → BIG-IP ASM → Web Applications.]
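"Positive + Negative Security Models" (also "positive and negative policy reinforcement" on the DDoS slide) means two complementary checks: an allow-list of what a request may contain, and a block-list of known attack patterns. The following is an added example written for this transcript, not ASM's policy engine, policy language or signature set: a small evaluator that applies a constructed positive policy (allowed paths, methods, parameter names and value formats) and a handful of constructed negative signatures to sample requests, returning every violation so the two models can be compared on the same input.

```python
"""Added example: positive (allow-list) and negative (signature) WAF checks on constructed requests."""
import re
from dataclasses import dataclass

# Positive model: an explicit description of what each path may receive (constructed policy).
POSITIVE_POLICY = {
    "/login": {
        "methods": {"POST"},
        "params": {
            "username": {"pattern": r"^[A-Za-z0-9_.@-]{1,64}$", "required": True},
            "password": {"pattern": r"^.{8,128}$", "required": True},
            "remember": {"pattern": r"^(0|1)$", "required": False},
        },
    },
    "/search": {
        "methods": {"GET"},
        "params": {"q": {"pattern": r"^[\w\s\-\.,']{1,100}$", "required": True}},
    },
}

# Negative model: a few illustrative signatures for well-known injection patterns (constructed).
NEGATIVE_SIGNATURES = [
    ("sqli-comment", re.compile(r"(--|/\*|#)\s*$")),
    ("sqli-tautology", re.compile(r"(?i)\bor\b\s+['\"\d]+\s*=\s*['\"\d]+")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon\w+\s*=")),
]


@dataclass
class Request:
    method: str
    path: str
    params: dict


def evaluate(req):
    """Return (allowed, violations). Positive checks flag anything outside the allow-list:
    unknown path or parameter, wrong method, missing required parameter, malformed value.
    Negative checks then scan every parameter value for the signatures above."""
    violations = []
    policy = POSITIVE_POLICY.get(req.path)
    if policy is None:
        violations.append("positive: path not in allow-list")
    else:
        if req.method not in policy["methods"]:
            violations.append(f"positive: method {req.method} not allowed")
        for name, spec in policy["params"].items():
            if spec["required"] and name not in req.params:
                violations.append(f"positive: missing required parameter {name}")
        for name, value in req.params.items():
            spec = policy["params"].get(name)
            if spec is None:
                violations.append(f"positive: unexpected parameter {name}")
            elif not re.fullmatch(spec["pattern"], value):
                violations.append(f"positive: parameter {name} fails allowed format")
    for name, value in req.params.items():
        for sig_name, rx in NEGATIVE_SIGNATURES:
            if rx.search(value):
                violations.append(f"negative: {sig_name} in parameter {name}")
    return (not violations, violations)


if __name__ == "__main__":
    samples = [  # constructed requests
        Request("POST", "/login", {"username": "alice", "password": "correct-horse-battery"}),
        Request("GET", "/search", {"q": "' OR 1=1 --"}),
        Request("GET", "/search", {"q": "<script>x</script>"}),
        Request("POST", "/login", {"username": "alice", "password": "correct-horse-battery", "role": "admin"}),
        Request("PUT", "/login", {"username": "alice", "password": "correct-horse-battery"}),
    ]
    for s in samples:
        allowed, why = evaluate(s)
        print(s.method, s.path, s.params, "->", "ALLOW" if allowed else "BLOCK", why)
```

The fourth sample is the one worth noticing: the extra `role` parameter matches no signature, so a purely negative policy would pass it, while the positive policy rejects it as something the application never declared. Conversely, the negative signatures name the attack class, which is what an operator wants in the log when the positive check fires on a malformed value.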
BIG-IP Access Policy Manager: Identify, authenticate, and control user access to your applications
• Secure and accelerate application access from any device and location
• Consolidate AAA and SSO services for enterprise applications
Single Sign On
• RDP, View, Citrix Xen Support
• Federate via SAML
Mobile User Access
• Scalable SSL VPN
• Advanced Endpoint checks
• BYOD: iOS, Win8, Android Support
BIG-IP Web Accelerator: Acceleration for static and dynamic web apps

[Slide diagram: the Page Load Time seen by the Client Browser is Page Generation Time on the Server Infrastructure plus Page Delivery Time across the network.]
Features (the slide groups them into Network Acceleration and Server Offload):
First group:
• Compression
• Dynamic Caching
• Content Spooling
• OneConnect
• Rate Shaping
• Connection limit
Second group:
• Compression
• Dynamic Caching
• TCP Express
• Differential Compression
• QoS
• Security/authentication
BIG-IP WAN Optimization Module: Connection is encrypted and accelerated via network and application proxies, compression, de-duplication
• Data center to data center acceleration
• Migrate live VM images across WAN without dropping user sessions
• Accelerate replication and backup such as SnapMirror or Exchange

[Slide logical diagram: Data Center 1 (Web Tier, App Tier, File Servers, Active Database, BIG-IP) connected over the Internet or WAN to Data Center 2 (BIG-IP / ARX, File Servers, Standby Database); TCP & HTTP optimization of applications such as HTTP, and optimization of data replication and backup.]
This is a logical diagram. Database and storage acceleration will physically route through the BIG-IP.
Enterprise Manager: Centralized Manager for BIG-IP Products
Reporting
• Predefined reports
• User generated reports
• Exportable (pdf, csv, email)
Views
• Node/Pool Member Views
• Easy access for Enable/Disable
Software Upgrades
• Stage upgrade packages to target BIG-IPs
• Schedule BIG-IP software upgrades
• Manual or automatic activation of upgrades
Backups
• Schedule automated config backups
• Run visual diffs against current configs
Heuristics
• Ability to connect to heuristics engine
• Ability to schedule heuristics run
Thank You!