Post on 22-Dec-2015
F5 Networks Traffic Management by Design
Presented by: Jürg Wiesmann, Field System Engineer, Switzerland, jü[email protected]
Company Snapshot
Leading provider of solutions that optimize the security, performance & availability of IP-based applications
Founded 1996 / Public 1999
Approx. 1,010 employees
FY05 Revenue: $281M
FY06 Revenue: $394M – 40% Y/Y Growth
Clear Leader in Application Delivery
Source: Gartner, December 2005, Magic Quadrant for Application Delivery Products
• “F5 continues to build on the momentum generated by the release of v9.0. It commands over 50% market share in the advanced platform ADC segment and continues to pull away from the competition.”
• “F5 is one of the thought leaders in the market and offers growing feature richness. It should be high on every enterprise's shortlist for application delivery.”
[Magic Quadrant figure: axes “Ability to Execute” and “Completeness of Vision”; quadrants Challengers, Leaders, Niche Players, Visionaries; vendors plotted: Cisco Systems, Citrix Systems (NetScaler), Radware, Juniper Networks (Redline), Akamai Technologies, Netli, Stampede Technologies, Zeus Technology, NetContinuum, Foundry Networks, Coyote Point Systems, Array Networks, Nortel Networks, F5 Networks]
What CEOs, CFOs and CIOs are interested in
Low investment costs – Reducing load on server infrastructure
Low service costs – Simple problem, change and release management
– Fewer service windows
– Reduction of work during service windows
– Simple, secure and stable environments
High availability
Problem: Networks Aren’t Adaptable Enough
Applications focus on business logic and functionality
Traditional networks are focused on connectivity
[Diagram: Network Administrator and Application Developer on either side of the Application; labelled pain points: New Security Hole, High Cost To Scale, Slow Performance, ?]
How Do You Fix the Problem?
[Diagram: Network Administrator and Application Developer on either side of the Application]
Hire an Army of Developers?
Add More Infrastructure?
More Bandwidth
Multiple Point Solutions
A Costly Patchwork
[Diagram: Users (Mobile Phone, PDA, Laptop, Desktop, Co-location) → Point Solutions → Applications (CRM, SFA, ERP, Custom Application)]
Point solutions:
SSL Acceleration
Application Load Balancer
Rate Shaping/QoS
DoS Protection
Content Proxy
Acceleration/Transformation
Traffic Compression
WAN Connection Optimization
Network Firewall
IPS/IDS
Application Firewall
The Better Application Delivery Alternative
The Old Way vs. The F5 Way
First with Integrated Application Security
The F5 Solution
[Diagram: Users (Mobile Phone, PDA, Laptop, Desktop, Co-location) → F5’s Integrated Solution (TMOS, Application Delivery Network) → Applications (CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom)]
The F5 Application Delivery Network
[Diagram: Users ↔ Application Delivery Network ↔ Applications / International Data Center; built on TMOS with Enterprise Manager and iControl & iRules]
Components: WANJet, FirePass, BIG-IP Local Traffic Manager, BIG-IP Application Security Manager, BIG-IP Link Controller, BIG-IP Global Traffic Manager, BIG-IP Web Accelerator
F5 Networks Remote Access Today
Presented by: Jürg Wiesmann, Field System Engineer, Switzerland, jü[email protected]
Current Issues
Unreliable access
Worm/virus propagation
High support costs
Mobile Workforce
Limited application support
Lack of data integrity
Reduced user efficiency
Employee on Home PC / Public Kiosk
Complex access controls
No application-level audits
High support costs
Business Partners
Systems or Applications
Complex API
Unreliable access
High support costs
IPSec provides transparent network access – BUT…
Needs a preinstalled client
Does not work well with NAT
No granular application access (network level only)
Hard to load balance
Is expensive to deploy
On the other hand, SSL VPN…
No preinstalled client software needed
Works on the transport layer – no problem with NAT
Works on port 80/443 – no problem with firewall/proxy
Easy to load balance
Offers granular application access
Is easy to deploy
Remote Access - Requirements
[Diagram of requirement areas: Any Location, Any Application, Any Devices, Any User, Secure, Instant Access, Ease of Use, Ease of Integration, Highly Available; items shown: Hotel, Kiosk, Hot Spot, Laptop, Home PC, PDA/Cell Phone, Data Privacy, Device Protection, Network Protection, Granular App Access, AAA Servers, Directories, Employee, Partner, Supplier, Web, Client/Server, Legacy, Desktop, Clientless, Simple GUI, Detailed Audit Trail, Global LB, Stateful Failover, Disaster Recovery]
Why not use IPSec?
[Same requirements diagram as the previous slide: Any Location, Any Application, Any Devices, Any User, Secure, Instant Access, Ease of Use, Ease of Integration, Highly Available]
FirePass® Overview
[Diagram: Any User / Any Device (Laptop, Mobile Device, Partner, Kiosk) → Internet → FirePass® (secured by SSL) → Intranet; access modes: Specific Application Access, Portal Access, Network Access; Dynamic Policies → Authorized Applications]
Simplified User Access
Standard browser – Access to applications from anywhere
Select application – Shortcuts automate application connections
No preinstalled client software required – All access via a web browser
Access Types
Network Access
Application Access
– Application Tunnels
– Terminal Server
– Legacy Hosts
– X Windows
Portal Access
– Web Applications
– File Browsing (Windows, Unix)
– Mobile E-Mail
Desktop Access (Webtop)
Access Methods Summary
Portal Access
– Benefits: Most Flexible; Any Device, Any Network, Any OS; Most Scalable; Browser Compatible; Secure Architecture; Restricted Resource Access
– Drawbacks: Limited Resource Access; Enterprise Web Apps/Resources; Webified Enterprise Resources; Limited Non-web Applications
Application Access
– Benefits: C/S Application Access; Legacy Application Access; Transparent Network Traversal; Any Network; Scalable Deployment; No Network/Addr. Configuration; Secure Architecture; Restricted Resource Access; Host Level Application Proxy
– Drawbacks: Limited Access Flexibility; OS/JVM Compatibility Issues; No Transient Kiosk Access; Client Security; Installation Privileges
Network Access
– Benefits: Full Network Access (VPN); No Resource Restrictions
– Drawbacks: More Limited Access; OS/JVM Compatibility Issues; Client Security; Installation Privileges
Adaptive Client Security
[Diagram: three client types (Laptop, Kiosk/Untrusted PC, PDA) mapped to policies (Corporate Policy with Firewall/Virus Check, Kiosk Policy with Cache/Temp File Cleaner, Mini Browser Policy) and to resources (Client/Server Application, Full Network, Terminal Servers, Files, Intranet, Email)]
Policy Checking with Network Quarantine
Quarantine Policy Support – Ensure policy compliance
– Direct to quarantine network
Deep Integrity Checking – Specific antivirus checks
– Windows OS patch levels
– Registry settings
[Diagram: FirePass® places compliant clients on the Full Network and non-compliant clients on the Quarantine Network, showing the message “Please update your machine!”]
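The quarantine decision described above, as an added example that is not part of the original slides or of any F5 product code: a client-side integrity report is evaluated against a policy (antivirus vendor and signature age, OS patch level, selected registry values), and any violation routes the client to the quarantine network with a remediation message. The attribute names, the policy values, the registry key and the sample reports are assumptions constructed for this example.

```python
"""Endpoint posture check with a full-network / quarantine decision.

Added example (not F5 code). Attribute names, policy values, the registry
key and the sample client reports below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, FrozenSet


@dataclass
class PostureReport:
    """What the client-side integrity check reports back (constructed)."""
    antivirus: str                 # vendor name, "" if none detected
    av_signatures_age_days: int    # age of the installed signature set
    os_patch_level: int            # highest applied OS update (assumed scale)
    registry: Dict[str, object] = field(default_factory=dict)


@dataclass
class Policy:
    """Minimum requirements for access to the full network."""
    allowed_antivirus: FrozenSet[str]
    max_signature_age_days: int
    min_patch_level: int
    required_registry: Dict[str, object]   # key -> value it must hold


def evaluate(report: PostureReport, policy: Policy) -> List[str]:
    """Return every policy violation found; an empty list means compliant."""
    violations = []
    if report.antivirus not in policy.allowed_antivirus:
        violations.append("unapproved or missing antivirus")
    elif report.av_signatures_age_days > policy.max_signature_age_days:
        violations.append("antivirus signatures out of date")
    if report.os_patch_level < policy.min_patch_level:
        violations.append("OS patch level below minimum")
    for key, wanted in policy.required_registry.items():
        # A missing key is treated exactly like a wrong value.
        if report.registry.get(key) != wanted:
            violations.append(f"registry setting {key} != {wanted!r}")
    return violations


def assign_network(report: PostureReport, policy: Policy) -> Tuple[str, str]:
    """Map a client to ("full", "") or ("quarantine", remediation message).

    Quarantined clients only get the remediation text; internal resource
    names never appear in what the user sees.
    """
    violations = evaluate(report, policy)
    if not violations:
        return "full", ""
    return "quarantine", "Please update your machine! " + "; ".join(violations)


# Constructed policy and sample reports.
FIREWALL_KEY = "SOFTWARE\\ExampleCorp\\FirewallEnabled"   # hypothetical key
POLICY = Policy(
    allowed_antivirus=frozenset({"ExampleAV", "OtherAV"}),
    max_signature_age_days=7,
    min_patch_level=42,
    required_registry={FIREWALL_KEY: 1},
)
COMPLIANT = PostureReport("ExampleAV", 2, 45, {FIREWALL_KEY: 1})
STALE_AV = PostureReport("ExampleAV", 30, 45, {FIREWALL_KEY: 1})
UNMANAGED = PostureReport("", 0, 10, {})

if __name__ == "__main__":
    for name, rep in (("compliant", COMPLIANT), ("stale_av", STALE_AV),
                      ("unmanaged", UNMANAGED)):
        print(name, assign_network(rep, POLICY))
```

The checks are ordered so that a missing or unapproved antivirus is reported once, not twice, and every other check still runs so the remediation message lists everything the user has to fix in one round trip.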
Visual Policy Editor
Graphically associates a policy relationship between end-points, users and resources
Unique Application Compression
Results
Over 50% faster access
Supports compression for any IP application
Faster email & file access
Works across both dial-up and broadband
30 Minute Install
Quick Setup enables rapid installation and setup even for non-experts
Dynamic Policies: Enterprise SSO Integration
HTTP forms-based authentication
Single sign-on to all web applications
Major SSO & Identity Mgmt vendor support – Netegrity, Oblix and others
[Diagram: user → Internet → FirePass® → Netegrity SiteMinder → Web Servers; 1. User ID, Password; 2. Session Cookie; 3. Session Cookie]
Application Security
[Diagram: Internet → FirePass® → Web Servers; an attempted SQL injection (1. SQL Injection) is blocked at FirePass®]
Web application security
– Cross-site scripting
– Buffer overflow
– SQL injection
– Cookie management
ICAP AntiVirus
Policy-based virus scanning
– File uploads
– Webmail attachments
Integrated scanner
Open ICAP interface
Product Lines
FirePass Product Line
FirePass 1200 – Medium Enterprise, 25-100 Concurrent Users
• 25 to 500 employees • Comprehensive access • End-to-End security • Flexible support • Failover
FirePass 4200 – Large Enterprise, 100-2000 Concurrent Users
• 500+ employees • High performance platform • Comprehensive access • End-to-End security • Flexible support • Failover • Cluster up to 10
A product sized and priced appropriately for every customer
FirePass Failover
Redundant pair – Stateful failover provides uninterrupted failover for most applications (e.g. VPN connector)
Single management point – Active unit is configured
– Configuration and state information is periodically synchronized
Separate SKU – Active unit determines software configuration and concurrent users
[Diagram: Internet → Active / Hot standby pair → Intranet application servers]
FirePass 4100 Clustering
Clustered pair – Up to 10 servers can be clustered for up to 20,000 concurrent users
– Master server randomly distributes user sessions
– Distributed (e.g. different sites) clusters are supported
Single management point – Master server is configured
– Configuration information is periodically synchronized
Second FP 4100 Required – Software features purchased on 2nd server
[Diagram: Internet → Cluster master → Cluster nodes → Intranet application servers]
Case Study: FirePass® vs IPSec Client
300 end user accounts, high availability configuration
Savings: 390 hours for rollout, 20 hours/week sustaining
80% user callback for IPSec Client; 15% for FirePass
25 users unable to use IPSec Client; 2 specific hotel room issues w/FirePass

                            IPSec Client    FirePass®       Savings
Rollout     Engineering     120 hrs         20 hrs          100 hrs
Rollout     Help Desk       200 hrs         60 hrs          140 hrs
Rollout     End User        1 hrs +         .5 hrs x 300    150 hrs
Sustaining  Engineering     1.5 hrs/day     .5 hrs/day      1 hrs/day
Sustaining  Help Desk       5 hrs/day       2 hrs/day       3 hrs/day
Sustaining  End User        0               0               0
Summary of Benefits
Increased productivity
– Secure access from any device, anywhere
– No preinstalled VPN clients
Reduced cost of ownership
– Lower deployment costs
– Fewer support calls
Improved application security
– Granular access to corporate resources
– Application layer security and audit trail
Partnerships
“F5's BIG-IP has been designed into a number of Oracle's mission-critical architectures, such as the Maximum Availability Architecture.”
Julian Critchfield, Vice President, Oracle Server Technologies
“Microsoft welcomes F5 Networks' support of Visual Studio 2005… F5 complements our strategy by providing our mutual customers with a way to interact with their underlying network.”
Christopher Flores, Group Product Manager in the .NET Developer Product Management Group at Microsoft Corp.
Services & Support
Expertise – F5 offers a full range of personalized, world-class support and services, delivered by engineers with in-depth knowledge of F5 products.
Software Solution Updates – Customers with a support agreement receive all software updates, version releases, and relevant hot fixes as they are released.
Flexibility – Whatever your support demands, F5 has a program to fit your needs. Choose from our Standard, Premium, or Premium Plus service levels.
Full Service Online Tools – Ask F5 and our Web Support Portal.
Fast Replacements – F5 will repair or replace any product or component that fails during the term of your maintenance agreement, at no cost.
F5 Services
PROFESSIONAL SERVICES
Experience – F5 Professional Consultants know F5 products and networking inside and out. The result? The expertise you need the first time.
High Availability – Our experts work with you to design the best possible high-availability application environment.
Optimization – Our consultants can help you fine tune your F5 traffic management solutions to maximize your network’s efficiency.
Knowledge Transfer – Our professionals will efficiently transfer critical product knowledge to your staff, so they can most effectively support your F5-enabled traffic management environment.
CERTIFIED GLOBAL TRAINING
Expert Instruction – With highly interactive presentation styles and extensive technical backgrounds in networking, our training professionals prepare students to perform mission-critical tasks.
Hands-On Learning – Theoretical presentations and real-world, hands-on exercises that use the latest F5 products.
Convenience – Authorized Training Centers (ATCs) strategically located around the world.
Knowledge Transfer – Direct interaction with our training experts allows students to get more than traditional “text book” training.
SERVICES & SUPPORT
Expertise – World-class support and services, delivered by engineers with in-depth knowledge of F5 products.
Software Solution Updates – Software updates, version releases, and relevant hot fixes as they are released.
Flexibility – Standard, Premium, or Premium Plus service levels.
Full Service Online Tools – Ask F5 and our Web Support Portal.
Fast Replacements – F5 will repair or replace any product or component that fails during the term of your maintenance agreement, at no cost.
F5 Networks Globally
[Map: International HQ – Seattle; Regional HQ / Support Centers; F5 Regional Offices; regions EMEA, Japan, APAC; F5 Dev. Sites – Spokane, San Jose, Tomsk, Tel Aviv, Northern Belfast]
F5 Networks Message Security Module
Presented by: Jürg Wiesmann, Field System Engineer, Switzerland, jü[email protected]
The Message Management Problem
Out of 75 billion emails sent worldwide each day, over 70% is spam!
The volume of spam is doubling every 6-9 months!
Clogging networks
Cost to protect is increasing
[Chart: TrustedSource Reputation Scores, Nov 2005 to Oct 2006; higher score = worse reputation]
Typical Corporate Pain
Employees still get spam
Some are annoying, some are offensive
Infrastructure needed to deal with spam is expensive!
– Firewalls
– Servers
– Software (O/S, anti-spam licenses, etc.)
– Bandwidth
– Rack space
– Power
Budget doesn’t match spam growth
Legitimate email delivery slowed due to spam
Why is this happening?
Spam really works!
Click rate of 1 in 1,000,000 is successful
Spammers are smart professionals
– Buy the same anti-spam technology we do
– Develop spam to bypass filters
– Persistence through trial and error
– Blasted out by massive controlled botnets
Professional spammers have
– Racks of equipment
– Every major filtering software and appliance available
– Engineering staff
It’s not just annoying…it can be dangerous.
2% of all email globally contains some sort of malware.
– Phishing
– Viruses
– Trojans (zombies, spyware)
High Cost of Spam Growth
[Diagram: Firewall → DMZ (Messaging Security) → Email Servers]
Spam volume increases
Bandwidth usage increases
Load on Firewalls increases
Load on existing messaging security systems increases
Emails slow down
Needlessly uses up rack space, power, admin time…
MSM Blocking At the Edge
[Diagram: incoming emails → BIG-IP MSM (First Tier) → Messaging Security Server (Second Tier) → Mail Servers]
BIG-IP MSM: terminating 70% of the spam at the “e hello” (the SMTP EHLO greeting, before any message data is accepted)
Messaging Security Server: filters out 10% to 20% of spam
Works with any anti-spam solution
Why TrustedSource?
Industry Leader
– Solid Gartner reviews & MQ
– IDC market share leader
Superior technology
Stability
TrustedSource: Leading IP Reputation DB
View into over 25% of email traffic
50M+ IP addresses tracked globally
Data from 100,000+ sources; 8 of 10 largest ISPs
Millions of human reporters and honeypots
[Diagram: Global Data Monitoring → Automated Analysis → Dynamic Computation of Reputation Score (scale from Bad to Good); TrustedSource IntelliCenter sites: Brazil, London, Portland, Atlanta, Hong Kong]
Messages Analyzed per Month
• 10 Billion Enterprise
• 100 Billion Consumer
Global data monitoring is fueled by the network effect of real-time information sharing from thousands of gateway security devices around the world
Shared Global Intelligence
Physical World
– Intelligence agents: Deploy agents/officers around the globe (Police, FBI, CIA, Interpol)
– Global intelligence system: Share intelligence information. Example: criminal history, global fingerprinting system
– Results: Effective – accurate detection of offenders; Pro-active – stop them from coming into the country
Cyber World
– Intelligent probes: Deploy security probes around the globe (firewall, email gateways, web gateways)
– Global intelligence system: Share cyber communication info. Example: spammers, phishers, hackers
– Results: Effective – accurate detection of bad IPs, domains; Pro-active – deny connection to intruders to your enterprise
[Diagram: Police Stations, FBI, CIA, Interpol on the physical side; IntelliCenter sites Atlanta, Brazil, London, Hong Kong, Portland on the cyber side]
TrustedSource Identifies Outbreaks Before They Happen
[Timeline: 9/12/05 TrustedSource flagged zombie; 11/02/05 other reputation systems triggered; 11/03/05 A/V signatures]
♦ 11/01/05: This machine began sending Bagle worm across the Internet
♦ 11/03/05: Anti-virus signatures were available to protect against Bagle
♦ Two months earlier, TrustedSource identified this machine as not being trustworthy
Content Filters Struggle to ID certain spam
Image-based spam
– Hashbusting
– Scratches
Summary of Benefits
Eliminate up to 70% of spam upon receipt of first packet
Reduce Cost for Message Management
– TMOS Module – High performance, cost effective spam blocking at network edge
– Integrated into BIG-IP to avoid box proliferation
Improved Scalability and Message Control
– Reputation Based Message Distribution and Traffic Shaping
Slightly increase kill-rate on unwanted email
Packaging
BIG-IP LTM Only
Version Support: 9.2 and higher
Module may be added to any
– LTM or Enterprise
– No module incompatibilities with other modules
Licensed per BIG-IP by number of mailboxes
BIG-IP platform sizing depends on:
– Email volume
– Number of BIG-IPs
– Other functions expected of BIG-IP (additional taxes on CPU time)
License Tiers
MSM for over 100,000 Mailboxes
MSM for up to 100,000 Mailboxes
MSM for up to 75,000+ Mailboxes
MSM for up to 50,000 Mailboxes
MSM for up to 25,000 Mailboxes
MSM for up to 10,000 Mailboxes
MSM for up to 5,000 Mailboxes
MSM for up to 1,000 Mailboxes
How BIG-IP MSM Works
[Diagram: Internet → BIG-IP MSM; for each connecting sender, MSM issues a DNS query for the Secure Computing TrustedSource™ IP Reputation Score and then:
– 70% Bad? Drop first & subsequent packets
– 10% Bad? Error message for clean termination; delete message
– 20% Suspicious? Slow Pool → Existing Messaging Security → Email Servers
– 20% Good? / 10% Trusted? Fast Pool → Existing Messaging Security → Email Servers]
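The admission flow above, as an added example that is not part of the original slides and not F5 or Secure Computing code: the sender's IP reputation is fetched with a DNSBL-style query (reversed octets under a reputation zone) before any SMTP dialogue, and the score decides whether the connection is dropped outright, accepted and terminated with an error, or routed to a slow or fast back-end pool. The zone name, the score scale and thresholds, the answer encoding, the handling of unknown senders and the sample table standing in for the DNS responder are all assumptions constructed for this example; the page documents neither TrustedSource's query format nor its thresholds.

```python
"""Reputation-tiered SMTP admission control.

Added example (not F5 or Secure Computing code). The reputation zone,
score scale, thresholds, answer encoding and the fake DNS table are
constructed assumptions for illustration only.
"""
import ipaddress
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class Action(Enum):
    DROP = "drop first and subsequent packets"       # worst senders
    REJECT = "accept, return error, delete message"  # bad, clean termination
    SLOW_POOL = "route to slow pool"                 # suspicious
    FAST_POOL = "route to fast pool"                 # good / trusted


# Assumed 0..100 scale, higher = worse (the page says higher TrustedSource
# scores mean worse reputation; the numeric range here is invented).
DROP_AT = 80
REJECT_AT = 60
SLOW_AT = 30

REPUTATION_ZONE = "reputation.example"   # assumed zone name


def query_name(ip: str, zone: str = REPUTATION_ZONE) -> str:
    """Build the DNSBL-style name: reversed IPv4 octets under the zone."""
    addr = ipaddress.IPv4Address(ip)     # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


# Constructed stand-in for the DNS responder: query name -> TXT-like answer.
FAKE_DNS: Dict[str, str] = {
    query_name("192.0.2.10"): "score=95",
    query_name("192.0.2.20"): "score=65",
    query_name("192.0.2.30"): "score=40",
    query_name("192.0.2.40"): "score=5",
}


def lookup_score(ip: str, resolver: Dict[str, str] = FAKE_DNS) -> Optional[int]:
    """Return the sender's score, or None when the name does not exist."""
    answer = resolver.get(query_name(ip))
    if answer is None:
        return None
    return int(answer.split("=", 1)[1])


def decide(score: Optional[int]) -> Action:
    """Map a score to the tier; unknown senders take the cautious path."""
    if score is None:
        return Action.SLOW_POOL
    if score >= DROP_AT:
        return Action.DROP
    if score >= REJECT_AT:
        return Action.REJECT
    if score >= SLOW_AT:
        return Action.SLOW_POOL
    return Action.FAST_POOL


def admit(ip: str, resolver: Dict[str, str] = FAKE_DNS) -> Action:
    """Decision for one inbound connection, made before the SMTP banner."""
    return decide(lookup_score(ip, resolver))


def plan(ips: Iterable[str], resolver: Dict[str, str] = FAKE_DNS
         ) -> Tuple[Dict[str, Action], Dict[Action, int]]:
    """Decide every connection and tally per action for operator review."""
    decisions = {ip: admit(ip, resolver) for ip in ips}
    counts = {a: 0 for a in Action}
    for action in decisions.values():
        counts[action] += 1
    return decisions, counts


if __name__ == "__main__":
    sample = ["192.0.2.10", "192.0.2.20", "192.0.2.30",
              "192.0.2.40", "192.0.2.50"]          # last one is unknown
    for ip, action in plan(sample)[0].items():
        print(ip, action.name, "-", action.value)
```

Only DROP saves the bandwidth and CPU the slides talk about, because the decision is taken on the first packet; REJECT still costs a full SMTP exchange but gives the sender a clean error instead of a silent timeout. Treating an unknown sender (no DNS answer) as suspicious rather than trusted is the fail-safe choice for a filter that sits in front of the existing messaging security tier.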
Spam Volumes Out of Control
[Chart: Percent Spam – % of worldwide email that is spam, Nov 2005 (70%) to Oct 2006 (85%)]
Hard-to-detect Image Spam is Growing
[Chart: Percent of Total Email, 0% to 35%, weekly samples from Apr 5th to Oct 23rd, 2006]
Reputation-based Security Model
Computing Credit (Physical World) vs. Reputation Score (Cyber World)
Track – Physical World: Businesses & Individuals; Cyber World: IPs, Domains, Content, etc.
Compile – Physical World: Business Transactions (• Purchases • Mortgage, Leases • Payment transactions); Cyber World: Cyber Communication (• Email exchanges • Web transaction • URLs, images)
Compute – Physical World: Credit Score (• Timely payment • Late payment • Transaction size); Cyber World: Reputation Score (• Good IPs, domains • Bad • Grey – marketing, adware)
Use – Physical World: Allow / Deny Credit (• Loan • LOC • Credit terms); Cyber World: Allow / Deny Communication (• Stop at FW, Web Proxy, Mail gateway • Allow • Quarantine)
Backup Slides: FirePass
Windows Logon (GINA Integration)
Key Features
– Transparent secure logon to corporate network from any access network (remote, wireless and local LAN)
– Non-intrusive and works with existing GINA (no GINA replacement)
– Drive mappings/Login scripts from AD
– Simplified installation & setup (MSI package)
– Password mgmt/self-service
Customer Benefits
– Unified access policy mgmt
– Increased ROI
– Ease of use
– Lower support costs
Configuring Windows Logon
Windows Installer Service
Problem – Admin user privileges required for network access client component updates
Solution – Provide a user service on the client machine which allows component updates without admin privileges
Network Access Only WebTop
Automatically minimizes to system tray
Simplified webtop interface
Windows VPN Dialer
Simple way to connect for users familiar with dial-up
FirePass Client CLI
“f5fpc <cmd> <param>” where <cmd> options are:
– start
– info
– stop
– help
– profile
Single sign-on from 3rd party clients (iPass)
Auto Remediation
Dynamic AppTunnels
Feature Highlights
– No client pre-installation
– No special admin rights for on-demand component install
– No host file re-writes
– Broader application interoperability (complex web apps, static & dynamic ports)
Benefits
– Lower deployment and support costs
– Granular access control
Configuring Dynamic AppTunnels
Web Apps
Client/Server Apps