F5 Application Traffic Management
DESCRIPTION
F5 Application Traffic Management. Radovan Gibala, Senior Solutions Architect, [email protected], +420 731 137 223. 2009. Business Continuity, HA, Disaster Recovery. WAN Virtualization, File Virtualization, DC to DC Acceleration, Virtualized VPN Access. User Experience & App Performance.
TRANSCRIPT
F5 Application Traffic Management
2009
Radovan Gibala, Senior Solutions Architect, [email protected], +420 731 137 223
Business challenges (slide diagram, arranged around People, Apps and Data):
• Business Continuity, HA, Disaster Recovery
• Managing Scale & Consolidation
• Unified Security Enforcement & Access Control
• App Security & Data Integrity
• Storage Growth
• User Experience & App Performance
Capabilities shown alongside them:
• Asymmetric & Symmetric Acceleration, Server Offload, Load Balancing
• WAN Virtualization, File Virtualization, DC to DC Acceleration, Virtualized VPN Access
• AAA, Data Protection, Transaction Validation
• Virtualized App & Infrastructure, Server & App Offload, Load Balancing
• Remote, WLAN & LAN Central Policy Enforcement, End-Point Security, Encryption, AAA
• Virtualization, Migration, Tiering, Load Balancing
Application Delivery Network (slide diagram: the same challenges and capabilities, with the F5 products that address them)
Challenges: Business Continuity, HA, Disaster Recovery; Managing Scale & Consolidation; Unified Security Enforcement & Access Control; App Security & Data Integrity; Storage Growth; User Experience & App Performance
Capabilities:
• Asymmetric & Symmetric Acceleration, Server Offload, Load Balancing
• WAN Virtualization, File Virtualization, DC to DC Acceleration, Virtualized VPN Access
• AAA, Data Protection, Transaction Validation
• Virtualized App & Infrastructure, Server & App Offload, Load Balancing
• Remote, WLAN & LAN Central Policy Enforcement, End-Point Security, Encryption, AAA
• Virtualization, Migration, Tiering, Load Balancing
Products shown: BIG-IP LTM, BIG-IP GTM, BIG-IP LC, BIG-IP WA, BIG-IP ASM, FirePass, ARX, WJ
How To Achieve the Requirements?
Application: Network Administrator / Application Developer
Hire an Army of Developers?
Add More Infrastructure?
More Bandwidth
Multiple Point Solutions
The Result: A Growing Network Problem (slide diagram)
Users: Mobile Phone, PDA, Laptop, Desktop, Co-location
Network point solutions: SSL Acceleration, Server Load Balancer, Rate Shaping, DoS Protection, Application Firewall, Content Acceleration, Traffic Compression, Connection Optimisation
Applications: CRM, SFA, ERP, Customised Application
The F5 Solution (slide diagram)
Users: Mobile Phone, PDA, Laptop, Desktop, Co-location
F5's Integrated Solution: TMOS, Application Delivery Network
Applications: CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom
TM/OS: A New Level of Intelligence
Legacy approach, packet based: react to a single communication, one direction
Flow based: react to a real-time, two-way conversation; translate between parties
Deliver Application Exactly as Intended
TM/OS Fast Application Proxy with Universal Inspection Engine (UIE), client side and server side
Manage Entire Application Flows:
• Independent Connection Control
• Supporting All IP Applications
• High Performance Framework
• Bi-Directional, Full Payload Inspection
• Session Level Control
The Most Intelligent and Adaptable Solution (slide diagram)
TM/OS Fast Application Proxy with Universal Inspection Engine (UIE), client side and server side
iRules: Programmable Network Language
GUI-Based Application Profiles: Repeatable Policies
Programmable Application Network: complete visibility and control of application flows
Targeted and adaptable functions: Security, Optimisation, Delivery, New Service
Unified Application Infrastructure Services: Compression, TCP Offloading, Load Balancing (example: News Website)
Traffic Management Operating System (TMOS)
Shared Application Services: Compression, Selective Content Encryption, Advanced Client Authentication, Application Health Monitors, Application Switching, iRules, Rate Shaping / Rate Limiting, Resource Cloaking, Transaction Assurance, Universal Persistence, Caching
Shared Network Services: TCP Express, Protocol Sanitization, High Performance SSL, DoS and DDoS Protection, VLAN Segmentation, Line Rate L2 Switching (Mirroring, Trunking, STP, LACP), IP Packet Filtering, IPv6, Dynamic Routing, Secure Network Address Translation, Port Mapping, Common Management Framework
Unique TMOS Architecture (slide diagram)
Client side and server side, joined by a TCP proxy
TMOS Traffic Plug-ins: SSL, Compression, TCP Express, Server TCP Express, Caching, OneConnect, XML, Rate Shaping, TrafficShield, WebAccelerator, 3rd Party
High-Performance Networking Microkernel
Powerful Application Protocol Support
iControl – External Monitoring and Control (iControl API)
iRules – Network Programming Language
High Performance HW
BIG-IP
First Unified Application Infrastructure Services Delivering
• Comprehensive Load Balancing • Advanced Application Switching • Customized Health Monitoring • Intelligent Network Address Translation • Advanced Routing • Port Mirroring
• IPv6 Gateway • Universal Persistence • Response Error Handling • Session / Flow Switching
• DoS and SYN Flood Protection • Network Address/Port Translation • Application Attack Filtering • Certificate Management
• SSL Acceleration • Quality of Service
• Connection Pooling • Intelligent Compression • L7 Rate Shaping • Content Spooling/Buffering • TCP Optimization • Content Transformation • Caching • TCP Express
• Resource Cloaking • Advanced Client Authentication • Firewall - Packet Filtering • Selective Content Encryption • Cookie Encryption • Content Protection • Protocol Sanitization
• Network Virtualization • System Resource Control • Application Templates • Dashboard
• Secure and Accelerated DC to DC data flow
• DoS and DDoS protection • Brute Force Attack protection
Comprehensive Load Balancing
Static: Round Robin, Ratio
Dynamic: Fastest, Least Connections, Observed, Predictive, Dynamic Ratio
Priority Groups
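As an added illustration of the static and dynamic methods and the priority groups listed above (example code written for this transcript, not F5's own implementation; the member names, ratios and the `min_active` activation threshold are assumptions), a small pool model in Python:

```python
from dataclasses import dataclass


@dataclass
class Member:
    """One pool member. `ratio` weights the Ratio method, `priority` places the
    member in a priority group, `connections` feeds the Least Connections method."""
    addr: str
    ratio: int = 1
    priority: int = 0
    up: bool = True
    connections: int = 0
    credit: int = 0  # running weight used by the ratio method


class Pool:
    """Selects a member with a static method (round_robin, ratio) or a dynamic one
    (least_connections), restricted to the active priority group. The priority
    group semantics are an assumption for illustration: the highest-priority
    group that is up is used alone while it has at least `min_active` members;
    otherwise the next lower group is added to the candidates."""

    def __init__(self, members, method="round_robin", min_active=1):
        self.members = members
        self.method = method
        self.min_active = min_active
        self._rr_next = 0

    def eligible(self):
        up = [m for m in self.members if m.up]
        chosen = []
        for prio in sorted({m.priority for m in up}, reverse=True):
            chosen += [m for m in up if m.priority == prio]
            if len(chosen) >= self.min_active:
                break
        return chosen

    def select(self):
        cands = self.eligible()
        if not cands:
            return None  # every member is down: nothing to balance to
        if self.method == "round_robin":
            m = cands[self._rr_next % len(cands)]
            self._rr_next += 1
        elif self.method == "ratio":
            # Smooth weighted round robin: each pick adds the ratio to every
            # candidate's credit, takes the largest, and charges it the total.
            for c in cands:
                c.credit += c.ratio
            m = max(cands, key=lambda c: c.credit)
            m.credit -= sum(c.ratio for c in cands)
        elif self.method == "least_connections":
            m = min(cands, key=lambda c: c.connections)
        else:
            raise ValueError(f"unknown method {self.method}")
        m.connections += 1  # the new flow now counts against this member
        return m


def distribute(pool, n):
    """Run n selections and return a dict of member address -> number of picks."""
    counts = {}
    for _ in range(n):
        m = pool.select()
        counts[m.addr] = counts.get(m.addr, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed members: two in priority group 1, a standby in group 0
    web1, web2 = Member("web1", ratio=3, priority=1), Member("web2", ratio=1, priority=1)
    standby = Member("web3", priority=0)
    print(distribute(Pool([web1, web2, standby], method="ratio"), 4))
```

With the ratio method the 3:1 weights give web1 three of every four picks, and the standby member in group 0 receives nothing until both group-1 members are down.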
Feature Overview/BIG-IP
Availability Checking
• Check any back-end process using EAV
• Will work for any IP based application
• Stateful failover between devices
Security
• Firewall-like device to resist most attacks
• All administration is encrypted
• Integrated SSL/FIPS and secure NAT
SSL and E-Commerce
• Only product with integrated SSL
• Single certificate simplifies administration
• Lowers certificate costs
• Client certificate checking (Authentication)
Layer 7 Functionality
• Can utilize all HTTP header/content or TCP content in traffic decisions
• Can persist on anything
• HTTP 1.1 keep-alives dramatically improve performance
Easy to Implement and Support
• Can be deployed as either a Layer 2 or Layer 3 device
• Simple and complete Graphical User Interface
• Installation services by F5 and/or partner
Flexibility
• BIG-IP works with any server or IP based service
• iControl enables integration with internal and/or 3rd party applications
Powerful and Simplified Management
"We have to deal with multiple products. The new user interface makes every other solution in this space look absolutely immature. F5's solutions are 10 times easier to manage than Cisco." - Major US Hosting Provider
Profile Based Traffic Management (slide diagram: Deliver, Optimize, Secure)
Improved vision of all resources and traffic
Ensure Higher Availability - Superior System Design
Processes Reporting and Control – Granular status, logging and configurable actions for component-level failures. Capable of warm restarts and upgrades.
3-way HA Design – Robust internal system checking and pass-through design.
Extensibility - IPv6 Gateway
Network Virtualization: Route Domains
Consolidation with control
Host multiple groups on one BIG-IP without conflicts
Granular control to provide separate routing domains and overlapping IPs
System Resource Control: Module Provisioning
Consolidation with control
Allocate CPU, memory, and disk per module
Customize allocation to meet your needs
Simple Application Roll-outs: Application Templates
"The Application Templates allowed us to deploy Microsoft IIS in seconds instead of hours" - System Engineer, Fortune 500 Co.
Templates shown: SharePoint 2007, VMware VDI, Exchange Web Access 2007, IIS 7.0, HTTP, BEA WebLogic 5.1, 8.1, Oracle Application Server 10g, SAP ERP 6.0 and ERP 2006, Citrix Presentation Server, DNS, IP Forwarding, LDAP, RADIUS
Simplified Management: Dashboard
Secure and Accelerate DC to DC: iSessions
Symmetric Compression: Adaptive, Deflate, LZO
SSL Encryption
Secure and accelerate between data centers
Integrated and free with BIG-IP LTM v10
Note: Not available on the 1500 and 3400
BIG-IP Security Add-On Modules
Application Security Module: Protect applications and data
SSL Acceleration: Protect data over the Internet
Advanced Client Authentication Module: Protect against unauthorised access
BIG-IP Software Add-On Modules: Quickly Adapt to Changing Application & Business Challenges
Compression Module: Increase performance
WebAccelerator - Fast Cache Module: Offload servers
Rate Shaping Module: Reserve bandwidth
Intelligent HTTP Compression
URI/content filters – allow/disallow lists
– Compress only specified file types
– Based on URI or MIME type
Client-aware compression (patent pending)
– Based on TCP latency – observe client RTT
– Based on low bandwidth client connections
Granular L7 based compression
Tunable resource allocation
– Devote more memory and CPU cycles to high priority compression jobs
Adaptable Compression
– Scale back compression based on CPU load
Most intelligent and flexible solution to target HTTP compression where it matters most
Real Time Compression Tool: www.f5demo.com/compression
TCP Express
Behaviors of a good TCP/IP implementation:
– Proper congestion detection.
– Good congestion recovery.
– High bandwidth utilization.
• Being too aggressive can cause individual connections to consume all of the network.
• Not being aggressive enough will leave bandwidth unused, especially when there are few connections.
• Always needs to adapt to changing congestion.
– Increased windowing and buffering will often help compensate for latency and can also offload the application equipment more quickly.
The most important tuning you can do in TCP typically has to do with window sizes and retransmission logic (aka congestion control behavior).
On today's networks, loss is almost always caused by congestion.
– Most TCP stacks are not aggressive enough.
F5's TCP Congestion Control Algorithms
Reno Congestion Control
– Original TCP fast recovery algorithm based on BSD Reno.
– Initially grows the congestion window exponentially during the slow-start period.
– After slow-start, increases CWND by 1 MSS for each CWND acked (this is linear growth).
– When loss or a recovery episode is detected, the CWND is cut in half.
New Reno modifications (this is currently the default mode)
– Improves on the Reno behaviour.
– When entering a recovery episode, implements a fast retransmit:
  • Each ACK below the recovery threshold triggers a one-time resend of the data starting at the ACK.
  • Results in more aggressively sending the missing data and exiting the recovery period.
Scalable TCP (added in 9.4)
– Improves on the NewReno behaviour.
– Upon loss, the CWND is reduced by only 1/8.
– Once out of slow start, CWND increases by 1% of an MSS for each CWND ACK'd.
HighSpeed (F5's proprietary congestion control added in 9.4)
– Similarly improves on the NewReno behaviour in combination with Scalable TCP.
– Progressively switches from NewReno to Scalable TCP based on the size of the CWND.
  • Upon loss, the CWND is reduced by somewhere between 1/2 and 1/8.
  • CWND grows somewhere between 1% and 100% of an MSS for each CWND ACK'd.
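The per-loss cut and per-window growth rules stated above for each algorithm, turned into an added Python model so the recovery behaviour can be compared (this is example code for the transcript, not F5's TCP Express implementation). Two things are assumptions: the HS_LOW/HS_HIGH thresholds that drive the HighSpeed blend, which the slide does not give, and the reading of Scalable TCP's growth as 1% of an MSS per acknowledged segment (the standard Scalable TCP rule), which makes growth proportional to the window.

```python
MSS = 1460  # bytes; a typical maximum segment size on an Ethernet path

# HighSpeed blends NewReno into Scalable TCP "based on the size of the CWND".
# The slide gives no thresholds, so these two are assumptions for illustration:
# below HS_LOW the model behaves as NewReno, above HS_HIGH as Scalable TCP.
HS_LOW = 20 * MSS
HS_HIGH = 200 * MSS


def _blend(cwnd):
    """0.0 = pure NewReno, 1.0 = pure Scalable TCP, linear in between."""
    return min(1.0, max(0.0, (cwnd - HS_LOW) / (HS_HIGH - HS_LOW)))


def after_loss(algo, cwnd):
    """Congestion window (bytes) after a loss or recovery episode."""
    if algo in ("reno", "newreno"):
        return cwnd / 2                     # Reno/NewReno: cut in half
    if algo == "scalable":
        return cwnd * (1 - 1 / 8)           # Scalable TCP: reduce by only 1/8
    if algo == "highspeed":
        f = _blend(cwnd)
        cut = (1 - f) * 0.5 + f * 0.125     # somewhere between 1/2 and 1/8
        return cwnd * (1 - cut)
    raise ValueError(algo)


def growth_per_window(algo, cwnd):
    """Bytes added to CWND once a full window has been acknowledged
    (congestion avoidance, i.e. after slow start)."""
    reno = MSS                              # +1 MSS per CWND acked: linear
    # Scalable TCP: +1% of an MSS per ACK (assumed reading); a window carries
    # cwnd/MSS ACKs, so one window adds 1% of cwnd: growth scales with cwnd.
    scalable = 0.01 * cwnd
    if algo in ("reno", "newreno"):
        return reno
    if algo == "scalable":
        return scalable
    if algo == "highspeed":
        f = _blend(cwnd)
        return (1 - f) * reno + f * scalable
    raise ValueError(algo)


def loss_fraction(algo, cwnd):
    """Fraction of the window given up on one loss."""
    return 1 - after_loss(algo, cwnd) / cwnd


def rtts_to_recover(algo, cwnd_before_loss):
    """Round trips needed to grow back to the pre-loss window after one loss."""
    cwnd = after_loss(algo, cwnd_before_loss)
    rtts = 0
    while cwnd < cwnd_before_loss:
        cwnd += growth_per_window(algo, cwnd)
        rtts += 1
    return rtts


if __name__ == "__main__":
    before = 100 * MSS
    for algo in ("newreno", "scalable", "highspeed"):
        print(f"{algo:10s} cut {loss_fraction(algo, before):.3f}  "
              f"recovers in {rtts_to_recover(algo, before)} RTTs")
```

From a 100-segment window, NewReno needs 50 round trips to climb back after halving, Scalable TCP needs 14, and HighSpeed lands in between; on a long fat pipe that difference is the whole point of the slide.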
OneConnect™ – Connection Pooling
Increase server capacity by 30%
– Aggregates a massive number of client requests into fewer server-side connections
– Transforms HTTP 1.0 to 1.1 for server connection consolidation
– Maintains intelligent load balancing to dedicated content servers
Good Sources:
http://tech.f5.com/home/bigip/solutions/traffic/sol1548.html
http://www.f5.com/solutions/archives/whitepapers/httpbigip.html
OneConnect™ New and Improved (slide diagram: a client's requests for index.htm, a.gif, b.gif and c.asp are pooled on to the server; many client connections become one server connection)
1) OneConnect™ Content Switching – HTML server pool, GIF server pool, ASP server pool
2) OneConnect™ HTTP transformations – HTTP Request Pooling
3) OneConnect™ Connection Pooling
• Streamlines single client request to BIG-IP
• Enabled by HTTP 1.1
• Avg. reduction is 20 to 1 per web page
• Intelligent load balancing to dedicated content servers
• Maintain server logging
• Transformation from HTTP 1.0 to 1.1 for server connection consolidation
• Aggregates a massive number of client requests into fewer server-side connections
Content Spooling
Problem: TCP Overhead on Servers
– There is overhead for breaking apart ("chunking") content
– Client and server negotiate TCP segmentation
– The client forces more segmentation than is good for the server
– The server is burdened with breaking content up into small pieces for good client consumption
Solution: slurp up the server response, spoon feed clients
Benefit: Increases server capacity up to 15%
Sophisticated Bandwidth Control
– Flexible bandwidth limits
– Full support for bandwidth borrowing
– Traffic queuing (stochastic fair queue, FIFO ToS priority queue)
Granular Traffic Classification L2 through L7
– iRules support can initiate a rate class on any traffic flow variable
Only Multi-Direction Control
– Control throughput in any direction
Integrated and Fine Grained Bandwidth Control: L7 Rate Shaping (slide diagram: a rate class with base rate, ceiling rate and burst applied between the WAN, network segments and a pool of servers)
Hardware
Actual BIG-IP Platforms (slide diagram: platforms positioned by price against function/performance, from BIG-IP 1600 through 3600, 6900 and 8900 up to VIPRION)
BIG-IP 1600: dual core CPU; 4x 10/100/1000 + 2x 1GB SFP; 1x 160 GB HD; 4 GB memory; SSL @ 5K TPS / 1 Gb bulk; 1 Gbps max software compression; 1 Gbps traffic; 1 basic product module
BIG-IP 3600: dual core CPU; 8x 10/100/1000 + 2x 1GB SFP; 1x 160 GB HD + 8GB CF; 4 GB memory; SSL @ 10K TPS / 2 Gb bulk; 1 Gbps max software compression; 2 Gbps traffic; 1 advanced product module
BIG-IP 6900: 2x dual core CPU; 16x 10/100/1000 + 8x 1GB SFP; 2x 320 GB HD (S/W RAID) + 8GB CF; 8 GB memory; SSL @ 25K TPS / 4 Gb bulk; 5 Gbps max hardware compression; 6 Gbps traffic; multiple product modules
BIG-IP 8900: 2x quad core CPU; 16x 10/100/1000 + 8x 1GB SFP; 2x 320 GB HD (S/W RAID) + 8GB CF; 16 GB memory; SSL @ 58K TPS / 9.6 Gb bulk; 6 Gbps max hardware compression; 12 Gbps traffic; multiple product modules
2008: Hardware Architecture (Single-Board Design) (slide diagram)
Components on the board: CPU (second CPU optional), RAM, CompactFlash (optional), HDD 1 and HDD 2 (optional), SSL hardware (second SSL unit optional), hardware compression card (optional), BCM (Layer 2), TMM (Layer 4-7), AOM, LCD panel, serial, management and failover ports, power supply (second supply optional), x * 10/100/1000Base-T copper/SFP-GBIC, 10GbE (optional)
TMM: Traffic Management Microkernel
FIPS*: Federal Information Processing Standards
AOM: Always On Module (SCCP in former versions)
BCM: Broadcom ASIC
* Depends on platform (optional)
High-Performance Application Switches (BIG-IP 1600 - 3600, BIG-IP 6900, BIG-IP 8900)
Consolidate with Purpose-built Hardware
– Designed specifically for application delivery
– Integrated platform for security, acceleration, availability
Offload Application Servers
– High performance hardware SSL and compression offload
– Advanced connection management
Reduce Operating Costs
– Simplified management with USB, front panel management, remote boot, and more
– Increased uptime with hot swappable and redundant components
BIG-IP 1600: High performance meets high value
High Performance
– Dual-core CPU provides 1 Gb/s of L7 throughput
Reliable and Adaptable
– Options for dual power and DC power
– Front-to-back cooling
Basic security and acceleration options
– Protocol Security Module
– 1 Gb/s compression and SSL throughput
BIG-IP 3600: Integrated ADC in a 1U platform
Advanced security and acceleration options
– WebAccelerator option
– Application Security Module option
High Performance
– Dual-core CPU provides 2 Gb/s of L7 throughput
Reliable and Adaptable
– Options for dual power and DC power
– Front-to-back cooling
BIG-IP 6900: Consolidation and Integration
High Performance for Consolidation
– Dual CPU, Dual Core for 6 Gb/s of L7 throughput
– Hardware SSL and Compression offload
Multi-module Integration
– Run multiple modules and unify application delivery functions onto a single device
Reliable and Adaptable
– Dual power supplies and dual hard drives standard
– Front-to-back cooling
BIG-IP 8900: The Foundation of a Unified ADN
High Performance for Consolidation
– Dual CPU, Quad Core for 12 Gb/s of L7 throughput
– Hardware SSL and compression offload
10G Ports for Next-gen Data Centers
– Two 10G SFP ports in addition to 1G copper and fiber connections
Reliable and Adaptable
– Dual power supplies and dual hard drives standard
– Front-to-back cooling
Platform Performance
                               BIG-IP 1600   BIG-IP 3600   BIG-IP 6900   BIG-IP 8900
Max. throughput                1 Gbps        2 Gbps        6 Gbps        12 Gbps
Layer 4 new connections/sec    60,000        115,000       220,000       400,000
Layer 7 requests/sec (inf-inf) 100,000       135,000       600,000       1,200,000
Max. concurrent connections    4 Million     4 Million     8 Million     16 Million
Max. SSL TPS                   5,000         10,000        25,000        58,000
Max. SSL bulk                  1 Gbps        1.5 Gbps      4 Gbps        9.6 Gbps
Max. SSL concurrent conn.      1 Million     1 Million     2 Million     4 Million
Max. compression               1 Gbps        1 Gbps        5 Gbps        9.6 Gbps
Switch backplane               14 Gbps       24 Gbps       68 Gbps       112 Gbps
CMP Super-VIP (slide diagram: network → switch → TMM0, TMM1, TMM2, TMM3 → switch → servers)
Multitasking means screwing up several tasks at the same time.
The World's Only On Demand ADC
VIPRION – On Demand ADC
Add application intelligence without adding management cost
Market-leading performance
Ultimate redundancy
TMOS inside
Viprion Overview
Unmatched Performance
– Massive scalability
– Processing architecture common with 8800
Intelligent clustering
– SuperVIP (virtuals can seamlessly span blades)
– N+M redundancy for all features in cluster
High Availability
– Automatic failover within cluster
– Chassis-to-chassis redundancy
Full Modular Chassis
– 4 blade slots w/ 1 blade type
– Any blade can be chassis master
Common central management console
– Single point of management
– Same user interface as BIG-IP appliances
On Demand – Zero Reconfiguration (slide diagram: physical servers, virtual machines and server groups behind the VIPRION)
Automatic addition of power
No need to overprovision
Fixed and predictable OpEx
Ultimate Reliability
Multi-Level Redundancy
– Internal blade to blade failover
– External chassis to chassis
Hot swappable power supplies
Hot swappable fan trays
Hot swappable LCD display
Passive, redundant backplane
Integrated Lights Out mgmt
Ultimate Reliability (slide diagram: client ↔ VIPRION ↔ server)
Multi-Level Redundancy
Blade failure will not cause chassis failure
Redundant and hot swappable components
Always Available
Traditional ADC Scaling: GSLB Within the Datacenter (slide diagram: DNS directs www. to www1., www2., www3. and www4., each in front of Server Farm A, B, C and D)
Each addition requires
– DNS changes
– Physical reconfigurations
– Routing changes
– ADC reconfiguration
Clustered Multi Processing Scales (slide chart: performance over time as TMOS processing resources grow from a single processor through SMP to 2x, 4x and 8x)
Virtual Processing Fabric – Clustered Multi Processing (slide diagram: client → custom disaggregator ASICs (DAG) → high speed bridge → processing complex of TMM 0, TMM 1 … TMM n → DAG → server)
The SuperVIP
Virtualization: "Separating the physical characteristics of computing resources from the systems, applications or end users interacting with those resources".
With a SuperVIP, a single virtual server may be processed by all computing resources of the VIPRION. (slide diagram: the www. virtual server in front of a pool)
Market Leading Performance
                         Single Blade     4 Blade System
L7 Fast HTTP Inf/Inf     800,000 Rps      3,200,000 Rps
L7 Full Proxy Inf/Inf    300,000 Rps      1,200,000 Rps
SSL TPS                  50,000           200,000
SSL Gbps                 9 Gbps           36 Gbps
L4 Conn/s (1-1)          250,000 cps      1,000,000 cps
Compression              4.5 Gbps         16 Gbps
L4 Throughput            10 Gbps          36 Gbps
L7 Throughput            10 Gbps          36 Gbps
More detailed measures
Avoid Management Nightmare
VIPRION (TMOS + Security + Accel + iRules + iControl): 200,000 SSL TPS; at 12,000 SSL TPS per blade = 16 blades
Avoid Growing Pains
VIPRION (TMOS + Security + Accel + iRules + iControl): 3,200,000 Layer 7 requests/sec; at 76,000 L7 RPS = 42 blades
VIPRION Management
Management (continued)
Management
iRules and iControl
What are iRules?
Programming language integrated into TMOS (Traffic Management Operating System)
Based on the industry standard TCL language (Tool Command Language)
Provide the ability to intercept, inspect, transform, direct and track inbound or outbound application traffic
Core of the F5 "secret sauce" and key differentiator
How do iRules Work?
• iRules allow you to perform deep packet inspection (entire header and payload)
• Coded around events (HTTP_REQUEST, HTTP_RESPONSE, CLIENT_ACCEPTED etc.)
• Full scripting language allows for extremely granular control of inspection, alteration and delivery on a packet by packet basis
(slide diagram: original request → iRule triggered, HTTP events fire (HTTP_REQUEST, HTTP_RESPONSE, etc.) → modified request*; responses travel back the same way → modified responses*)
*Note: BIG-IP's bi-directional proxy capabilities allow it to inspect, modify and route traffic at nearly any point in the traffic flow, regardless of direction.
A Repeatable, Extensible, Flexible Architecture
The Better Alternative Example: Centralized Availability, Security & Acceleration

Centralized Transaction Assurance: Proactive Response Error Handling for Higher Availability

    rule redirect_error_code {
        when HTTP_REQUEST {
            # Remember the request URI so the response handler can reuse it
            set my_uri [HTTP::uri]
        }
        when HTTP_RESPONSE {
            if { [HTTP::status] == 500 } {
                HTTP::redirect http://192.168.33.131$my_uri
            }
        }
    }

Host to URI mapping: Faster Access to Data through Automatic Re-direction

    when HTTP_REQUEST {
        # www.A.com -- domain == A.com, company == A
        set company ""
        regexp {\.([\w]+)\.com} [HTTP::host] domain company
        if { "" ne $company } {
            # look for the second string in the data group
            set mapping [findclass $company $::valid_company_mappings " "]
            if { "" ne $mapping } {
                HTTP::redirect "http://www.my_vs.com/$mapping"
            }
        }
    }

Centralized Data Protection: Rewrite, Remove, Block and/or Log Sensitive Content

    rule protect_content {
        when HTTP_RESPONSE {
            # Collect the response body so that HTTP_RESPONSE_DATA fires
            HTTP::collect
        }
        when HTTP_RESPONSE_DATA {
            set payload [HTTP::payload [HTTP::payload length]]
            #
            # Find and replace SSN numbers. regsub returns the number of
            # substitutions it made and stores the rewritten text in new_response.
            #
            set count [regsub -all {\d{3}-\d{2}-\d{4}} $payload "xxx-xx-xxxx" new_response]
            #
            # Replace only if necessary.
            #
            if { $count != 0 } {
                HTTP::payload replace 0 [HTTP::payload length] $new_response
            }
        }
    }
Solution: Server Resource Cloaking
Description: To protect from web server signatures exposing potential security holes to hackers, iRules are used to remove or "cloak" visible web server signatures.

    when HTTP_RESPONSE {
        #
        # Remove all but the given headers.
        #
        HTTP::header sanitize "ETag" "Connection" "Content-Type"
    }

HOW IT WORKS (slide diagram: HTTP request from the client through BIG-IP; the HTTP response from the Apache web server includes server signatures; the iRule removes the Apache v2.0.49 reference)
1. Client requests information from an application and is routed through BIG-IP
2. BIG-IP directs request to best performing web server
3. Web server provides application response BUT all responses – by default – include information that indicates the type of server responding
4. BIG-IP looks at traffic and determines it must call the iRule for "Resource Cloaking"
5. iRule runs, removing Apache references, and sends the response on to the client
6. Client only sees the "sanitized" response.
What can an iRule do?
• Read, transform, replace header or payload information (HTTP, TCP, SIP, etc.)
• Work with any protocol, such as SIP, RTSP, XML, others, whether with native (HTTP::cookie) or generic (TCP::payload) commands
• Make adjustments to TCP behavior, such as MSS, checking the RTT, deep payload inspection
• Authentication assistance, offload, inspection and more for LDAP, RADIUS, etc.
• Caching, compression, profile selection, rate shaping and much, much more
iRule Event Taxonomy
AUTH: AUTH_ERROR, AUTH_FAILURE, AUTH_RESULT, AUTH_SUCCESS, AUTH_WANTCREDENTIAL
CACHE: CACHE_REQUEST, CACHE_RESPONSE
CLIENTSSL: CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE
DNS: DNS_REQUEST, DNS_RESPONSE, NAME_RESOLVED
GLOBAL: LB_FAILED, LB_SELECTED, RULE_INIT
HTTP: HTTP_CLASS_FAILED, HTTP_CLASS_SELECTED, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA
IP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA
LINE: CLIENT_LINE, SERVER_LINE
RTSP: RTSP_REQUEST, RTSP_REQUEST_DATA, RTSP_RESPONSE, RTSP_RESPONSE_DATA
SIP: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE
SERVERSSL: SERVERSSL_HANDSHAKE
STREAM: STREAM_MATCHED
TCP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA, USER_REQUEST, USER_RESPONSE
UDP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA
XML: XML_BEGIN_DOCUMENT, XML_BEGIN_ELEMENT, XML_CDATA, XML_END_DOCUMENT, XML_END_ELEMENT, XML_EVENT
Solution: FIX Protocol Persistence

    rule FIX_regexp {
        when CLIENT_ACCEPTED {
            TCP::collect
        }
        when CLIENT_DATA {
            # Tag 49 (SenderCompID) is delimited by SOH (0x01) on both sides.
            # \u0001 is used because Tcl's \x escape is not limited to two hex
            # digits, and the capture stops at the next SOH rather than running
            # on to the end of the payload.
            if { [regexp {\u000149=([^\u0001]*)\u0001} [TCP::payload] -> SenderCompID] } {
                persist uie $SenderCompID
                TCP::release
            } else {
                # Tag not seen yet: keep collecting payload
                TCP::collect
            }
        }
    }

HOW IT WORKS (slide diagram: HTTP request from the client through BIG-IP; the iRule query identifies the FIX SenderCompID and selects Pool A or Pool B)
1. Client requests information from an application and is routed through BIG-IP
2. BIG-IP UIE inspects for specific information identified
3. iRule runs and queries payload (TCP::collect) for the specific identifier needed (SenderCompID)
4. Based upon rule, client request is persisted to a specific server dedicated to that user
Challenges
• Business chooses protocol required by industry sector
• Implementation on server-side impossible in enterprise HA scenario
Solution
• iRule provides centralized mechanism for intercept/inspect/route
• Solution can be deployed in true HA/multi-server (even data center) mode
• Clean code management
** Enhanced by community; see CodeShare
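The collect-until-seen and persist-on-SenderCompID logic of the iRule above, as an added Python example (written for this transcript, not F5 code or the CodeShare version). The FIX messages and the pool names are constructed samples; body length and checksum fields are omitted because the extraction does not depend on them.

```python
import re

SOH = "\x01"  # FIX field delimiter

# Same idea as the iRule's regexp, with the capture bounded by the next SOH so
# the value of tag 49 cannot run on into the following fields.
TAG49 = re.compile(r"\x0149=([^\x01]*)\x01")
# The slide's original greedy form, kept only to show what goes wrong with it.
TAG49_GREEDY = re.compile(r"\x0149=(.*)\x01")


def sender_comp_id(buf: str):
    """Return SenderCompID (tag 49) once the complete field is in the buffer,
    or None if it has not fully arrived yet (the TCP::collect case)."""
    m = TAG49.search(buf)
    return m.group(1) if m else None


def sender_comp_id_greedy(buf: str):
    m = TAG49_GREEDY.search(buf)
    return m.group(1) if m else None


class UiePersistence:
    """Universal persistence keyed on SenderCompID: the first message from a
    key is load balanced (round robin here), later ones stick to the same pool."""

    def __init__(self, pools):
        self.pools = list(pools)
        self.table = {}
        self._next = 0

    def select(self, key):
        if key not in self.table:
            self.table[key] = self.pools[self._next % len(self.pools)]
            self._next += 1
        return self.table[key]


def route(chunks, persistence):
    """Collect TCP chunks until tag 49 is visible, then persist and release.
    Returns (pool, bytes buffered before release); pool is None when the
    connection ends without a complete tag 49 field."""
    buf = ""
    for chunk in chunks:
        buf += chunk                      # CLIENT_DATA: more payload collected
        key = sender_comp_id(buf)
        if key is not None:
            return persistence.select(key), len(buf)   # persist uie + TCP::release
    return None, len(buf)


# Constructed sample messages (not captured traffic)
MSG_ACME = "8=FIX.4.2" + SOH + "35=D" + SOH + "49=ACME" + SOH + "56=BROKER" + SOH
MSG_ZETA = "8=FIX.4.2" + SOH + "35=D" + SOH + "49=ZETA" + SOH + "56=BROKER" + SOH

if __name__ == "__main__":
    p = UiePersistence(["Pool A", "Pool B"])
    print(route([MSG_ACME], p), route([MSG_ZETA], p), route([MSG_ACME], p))
    print(repr(sender_comp_id_greedy(MSG_ACME)))  # greedy form swallows the next field
```

The second chunk test in the assertions shows why the rule keeps calling TCP::collect: with the buffer split before the tag, the first pass finds nothing and the decision waits for the remainder.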
What makes iRules so unique?
• Full-fledged scripts, executed against traffic on the network, at wire-speed
• Powerful logical operations combined with deep packet inspection
• The ability to route, re-route, re-direct, retry, or block traffic
• Community support, tools and innovation
Solution: Credit Card Scrubber – Remove Valid Credit Card Numbers

    when HTTP_REQUEST {
        # Don't allow data to be chunked
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
    }
    when HTTP_RESPONSE {
        if { [HTTP::header exists "Content-Length"] } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 4294967295
        }
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
    when HTTP_RESPONSE_DATA {
        # Find ALL the possible credit card numbers in one pass
        set card_indices [regexp -all -inline -indices {(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} [HTTP::pay load]]
        foreach card_idx $card_indices {
            set card_start [lindex $card_idx 0]
            set card_end [lindex $card_idx 1]
            set card_len [expr {$card_end - $card_start + 1}]
            set card_number [string range [HTTP::payload] $card_start $card_end]
            set double [expr {$card_len & 1}]
            set chksum 0
            set isCard invalid
            # Calculate MOD10
            for { set i 0 } { $i < $card_len } { incr i } {
                set c [string index $card_number $i]
                if {($i & 1) == $double} {
                    if {[incr c $c] >= 10} {incr c -9}
                }
                incr chksum $c
            }
            # Determine Card Type
            switch [string index $card_number 0] {
                3 { set type AmericanExpress }
                4 { set type Visa }
                5 { set type MasterCard }
                6 { set type Discover }
                default { set type Unknown }
            }
            # If valid card number, then mask out numbers with X's
            if { ($chksum % 10) == 0 } {
                set isCard valid
                HTTP::payload replace $card_start $card_len [string repeat "X" $card_len]
            }
            # Log Results (as written this logs the full number; masking it in
            # the log line as well keeps card numbers out of syslog)
            log local0. "Found $isCard $type CC# $card_number"
        }
    }

HOW IT WORKS (slide diagram: HTTP request from the client through BIG-IP; the response from the application server accidentally leaks customer credit card numbers in the HTTP response)
1. Client requests information from an application and is routed through BIG-IP
2. BIG-IP directs request to best performing web server
3. Web server provides application response BUT iRule runs if it sees a string of 16 digits
4. iRule fires off MOD-10 algorithm to determine if 16-digit string is a valid credit card number; offending server IP address logged and flagged
5. If a valid match, first 12-digits are replaced with Xs
6. Client only sees "sanitized" response.
Challenges
• Rapid feature enhancements come at expense of good security practices
• Scanning on each server doesn't perform well
Solution
• iRule provides centralized mechanism for protection
• High-performance at network maintains high end user satisfaction
• App teams focus on features, network teams focus on protection
** Created collaboratively within community
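The MOD-10 check and masking logic of the scrubber above, together with the SSN regsub from the protect_content rule on the earlier slide, as one added Python example (written for this transcript, not F5 or DevCentral code). The sample response body is constructed; the card numbers in it are the well-known public test numbers, not real accounts.

```python
import re

# The same four card patterns the iRule searches for (Amex, Visa, MasterCard, Discover)
CARD_RE = re.compile(r"(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})")
# The SSN pattern from the protect_content rule
SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")

CARD_TYPES = {"3": "AmericanExpress", "4": "Visa", "5": "MasterCard", "6": "Discover"}


def luhn_valid(number: str) -> bool:
    """MOD-10 check written the same way as the iRule's loop: double every digit
    whose index parity equals (len & 1) and subtract 9 when the result exceeds 9."""
    double = len(number) & 1
    total = 0
    for i, ch in enumerate(number):
        d = int(ch)
        if (i & 1) == double:
            d *= 2
            if d >= 10:
                d -= 9
        total += d
    return total % 10 == 0


def scrub(payload: str):
    """Return (scrubbed_payload, findings). findings lists each candidate as
    (card_type, number, passed_mod10). Only MOD-10-valid cards and SSNs are
    masked, and every mask keeps the original length so the Content-Length
    the server sent stays correct."""
    findings = []

    def mask_card(m):
        num = m.group(0)
        valid = luhn_valid(num)
        findings.append((CARD_TYPES.get(num[0], "Unknown"), num, valid))
        return "X" * len(num) if valid else num

    out = CARD_RE.sub(mask_card, payload)
    out = SSN_RE.sub("xxx-xx-xxxx", out)
    return out, findings


# Constructed sample body: two valid public test numbers, one digit string that
# fails MOD-10 (a transposed last digit), and an SSN-shaped value.
SAMPLE = ("<p>Order 4111111111111111 confirmed; backup card 378282246310005; "
          "ref 4111111111111112; SSN 123-45-6789</p>")

if __name__ == "__main__":
    body, found = scrub(SAMPLE)
    print(body)
    for card_type, number, valid in found:
        print("Found", "valid" if valid else "invalid", card_type, "CC#", "X" * len(number))
```

Running MOD-10 before masking is what keeps order numbers and other 16-digit strings intact; the invalid reference number in the sample survives untouched while both genuine card patterns and the SSN are replaced.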
Solution: Anti-phishing – Prevent unwanted referrals of content

    class valid_referers {
        "http://mydomain.com"
        "http://mydomain1.com"
        "http://url1"
        "http://url2"
        "http://url3"
    }
    class file_types {
        ".gif" ".jpg" ".png" ".bmp" ".js" ".css" ".xsl"
    }
    rule no_phishing {
        when HTTP_REQUEST {
            # Default: nothing to insert into the response
            set respond 0
            # Don't allow data to be chunked.
            if {[HTTP::version] == "1.1"} {
                if {[HTTP::header is_keepalive]} {
                    # Adjust the Connection header.
                    HTTP::header replace "Connection" "Keep-Alive"
                }
                HTTP::version "1.0"
            }
            if { [matchclass [HTTP::header "Referer"] starts_with $::valid_referers] < 1 } {
                if { ([string tolower [HTTP::method]] eq "get") && ([matchclass [HTTP::uri] contains $::file_types] > 0) } {
                    discard
                } elseif { ([HTTP::header exists "Content-Type"]) && ([HTTP::header "Content-Type"] starts_with "text") } {
                    set respond 1
                }
            }
        }
        when HTTP_RESPONSE {
            if { $respond == 1 } {
                if { [HTTP::header exists "Content-Length"] } {
                    set content_len [HTTP::header "Content-Length"]
                } else {
                    set content_len 4294967295
                }
                if { $content_len > 0 } {
                    HTTP::collect $content_len
                }
            }
        }
        when HTTP_RESPONSE_DATA {
            # string first has no -nocase option; lower-casing the payload keeps
            # the offsets identical, so the index is valid for the real payload.
            set bypass [string first "<html>" [string tolower [HTTP::payload]]]
            if { $bypass != -1 } {
                HTTP::payload replace $bypass 0 "<script type=\"text/javascript\">\n if (top.frames.length!=0) {\n if(window.location.href.replace)\n top.location.replace(self.location.href);\nelse\n top.location.href=self.document.href;\n }\n </script>\n"
            } else {
                HTTP::respond 500
            }
        }
    }

HOW IT WORKS (slide diagram: HTTP request from the client through BIG-IP; web servers feed content to anyone requesting it, including people who shouldn't be serving this content)
1. Define a list of valid referrers in the form of a class. This is a list of those sites that you expect to be linking to content on your site.
2. Define a list (in the form of a class) of file types that should not be linked to, other than by the referrers listed in item #1.
3. Check to see if an invalid referrer (not someone in class #1) is trying to serve data from your site and what kind of content they shouldn't be trying to serve. If it matches the file types in class #2, block it. If not, insert some custom code to help prevent phishing attempts.
Challenges
• Attacks are directed at users, not the servers themselves
• No control of user actions
• Can't force software install
Solution
• iRule allows for prevention of the scraping required to perform the attack
• Preventative approach keeps users safe without need for their interaction
• Server load decreased
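The three-step decision above (trusted referer, foreign request for a listed file type, foreign request for text content) and the response rewrite, as an added Python example written for this transcript rather than taken from the iRule. The referer and file-type lists are the slide's own; the request and body values in the assertions are constructed. One property worth knowing before deploying this logic: a request with no Referer header at all takes the same branch as a foreign referer, so direct hits on the listed file types are discarded too.

```python
# Contents of the two data groups (classes) on the slide
VALID_REFERERS = ("http://mydomain.com", "http://mydomain1.com",
                  "http://url1", "http://url2", "http://url3")
FILE_TYPES = (".gif", ".jpg", ".png", ".bmp", ".js", ".css", ".xsl")

# Frame-busting script the iRule inserts in front of <html>
ANTI_FRAME = ('<script type="text/javascript">\n if (top.frames.length!=0) {\n'
              ' if(window.location.href.replace)\n'
              ' top.location.replace(self.location.href);\nelse\n'
              ' top.location.href=self.document.href;\n }\n </script>\n')


def decide(method, uri, headers):
    """HTTP_REQUEST logic. Returns 'pass' (trusted referer or nothing to do),
    'discard' (foreign GET for a listed file type) or 'inject' (foreign
    request whose Content-Type starts with 'text'). As in the iRule, an
    absent Referer is treated exactly like a foreign one."""
    referer = headers.get("Referer", "")
    if any(referer.startswith(r) for r in VALID_REFERERS):
        return "pass"
    if method.lower() == "get" and any(ft in uri for ft in FILE_TYPES):
        return "discard"
    if headers.get("Content-Type", "").startswith("text"):
        return "inject"
    return "pass"


def rewrite_response(body, decision):
    """HTTP_RESPONSE_DATA logic: insert the script before <html> (matched
    case-insensitively); answer 500 when no <html> tag is present.
    Returns (status, body)."""
    if decision != "inject":
        return 200, body
    idx = body.lower().find("<html>")
    if idx == -1:
        return 500, ""
    return 200, body[:idx] + ANTI_FRAME + body[idx:]


if __name__ == "__main__":
    for req in (("GET", "/img/logo.gif", {"Referer": "http://mydomain.com/page"}),
                ("GET", "/img/logo.gif", {"Referer": "http://other.example/"}),
                ("GET", "/img/logo.gif", {}),
                ("POST", "/form", {"Referer": "http://other.example/",
                                   "Content-Type": "text/plain"})):
        print(req[0], req[1], "->", decide(*req))
```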
F5 iRule Editor
First network rule editor optimizes development. Includes:
– Syntax checking
– Auto-complete
– Template support
– Doc links
– Deployment integration
– Statistics monitoring
– Data group editing
– Optional post to CodeShare feature
Available: Now. Pricing: Free download. Tutorials: on DevCentral
Introducing iControl v9
Open API (SOAP/XML) allows applications to automatically interact with the network
Integration with development tools from Microsoft, BEA, and Oracle
Online community F5 DevCentral
– Developer assistance on F5 DevCentral via developer forums (http://devcentral.f5.com)
– iRules forum and code examples
iControl Eases Application Integration
Benefits
– Open, standards based integration
– Simplified development
– Proven integration
– Sample code, documentation, discussion forums
Leverage the skills and expertise you already have!
Key Components
– XML/SOAP interface
– Downloadable SDK
– Technology partnerships
– DevCentral resource centre and community
Integration and Extensibility - iControl Event API
Applications can subscribe to 47 different system events
Sample application (screenshots) provided with SDK
Bulk method support – 100:1 reduction in calls, 90% reduction in bandwidth
Create Subscription: the administrator uses the provided sample application (or a custom application) to create event subscriptions
Select Event Type: choose a specific event to track, then create the subscription name and parameters
Upon an event, the message is distributed via log, email, or SMS to phone/PDA
iControl Application Migration to v9
Analyser free for use by all F5 DevCentral members
DevCentral forum available for posting migration questions
Additional samples and technical tips will be available
Paste Code Into Analyser: the developer visits DevCentral, accesses the Code Analyser, and selects the language and report format
Summary Report: the generated report identifies the line where conflicts exist, defines the method affected, and links directly to online versions of the 4.x & v9 SDKs
DevCentral Technical Community
Forum for F5 customers for building iRules and iControl applications
F5 provides technical documentation, tips, free sample downloads, and a confidential discussion forum
Monitored by F5 engineers and technical experts that answer technical questions
– Design, architecture, troubleshooting and general assistance with iRules and iControl
http://devcentral.f5.com/
Link Collection
Overall: www.f5.com
Technical: ask.f5.com, devcentral.f5.com
F5 University: www.f5university.com/ » Login: your email » Password: adv5tech
Partner Information: www.f5.com/partners, www.f5.com/training_services/certification/certFAQ.html
Gartner Report: http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html
Important deployment information is available at http://www.f5.com/solutions/deployment/
Data Center Virtualization: http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
Application Traffic Management: http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
Application Briefs: http://www.f5.com/solutions/applications/
Solution Briefs: http://www.f5.com/solutions/sb/
F5 Compression and Cache Test: http://www.f5demo.com/compression/index.php
F5 iControl Alliance Partners: http://www.f5.com/solutions/partners/iControl/
F5 Technology Alliance Partners: http://www.f5.com/solutions/partners/tech/
Let us know if you need any clarification or you have any further questions.
Thank You