f5 synthesis toronto february 2014 roadshow

February, 2014 F5 Synthesis Information Session

Upload: patmisasi

Post on 06-May-2015


Category:

Technology



DESCRIPTION

February 2014 Update on F5 Synthesis Program, delivered by Pat Fiorino in Toronto at the Hockey Hall of Fame. Prepared for IT decision-makers and administrators.

TRANSCRIPT

Page 1: F5 Synthesis Toronto February 2014 Roadshow

February, 2014

F5 Synthesis Information Session

Page 2: F5 Synthesis Toronto February 2014 Roadshow

Agenda

• Welcome and Introduction to Customer Technology Challenges

• Software Defined Application Services

• Reference Architectures for Today’s Customer Challenges

• Total Cost of Ownership and New Business Models

• Multi-network Environment and Partner Ecosystem

• Making it Happen with Global Services

• Q & A

Page 3: F5 Synthesis Toronto February 2014 Roadshow

© F5 Networks, Inc 3

Mobility

SDDC/Cloud

Advanced threats

Internet of Things

“Software defined” everything

HTTP is the new TCP

Page 4: F5 Synthesis Toronto February 2014 Roadshow


Impact on Data Center Architecture: Applications

MICRO-ARCHITECTURES

Each service is isolated and requires its own:

• Load balancing

• Authentication / authorization

• Security

• Layer 7 Services

• May be API-based, expanding services required

API DOMINANCE

Proxies are used in emerging API-centric architectures for:

• API versioning

• Client-based steering

• API Load balancing

• Metering & billing

• API key management

Service A

Service C

Service B Service D

API v1

API v2

More intelligence needed in services

More applications need services

Page 5: F5 Synthesis Toronto February 2014 Roadshow


Impact on Data Center Architecture: Network

SOLUTION SPRAWL

Increasing threats and client platforms result in need for:

• Mobile device management

• Mobile access management

• Mobile security

• DDoS

• Application layer threats

• Malware

OPERATIONAL INCONSISTENCY

Introduction of off-premise cloud solutions without architectural parity results in:

• Inconsistent enforcement of business and operational policies

• Unpredictable application performance and security

• Increased OpEx as new management paradigms are introduced

SaaS

Page 6: F5 Synthesis Toronto February 2014 Roadshow


SDN Division of Labor

Architect Foreman Workers

Page 7: F5 Synthesis Toronto February 2014 Roadshow


SDN Applications / Mgmt

Components of SDN

Architect

Controller

Foreman

API

Switches

Workers

API (REST, OpenFlow)

“I define the blueprint for what the network should look like to achieve some goal”

“I can use feedback to make adjustments to the blueprint as I see fit”

“I manage switches, and tell them how to connect to each other”

“I also collect and manage state, and can report back to the architect.”

“I take orders, and route packets accordingly”

“I can also report back info to the foreman”

Page 8: F5 Synthesis Toronto February 2014 Roadshow


• Automation & orchestration

• Repeatability, speed

• Less risk (avoid human error)

• Reduced operating cost

• Compliance

• Agility

• Faster app lifecycles and transient usage (dev/test)

• Security

• Network isolation

• Resource Utilization

• Dynamic allocation of resources

Core Benefits

Page 9: F5 Synthesis Toronto February 2014 Roadshow


SDN Applications / Mgmt

Who are the Players?

Architect

Controller

Foreman

Switches

Workers

• VMware NSX

• Cisco/Insieme

• OpenStack

• Smaller Startups

• Anunta Networks

• VMware NSX

• Cisco/Insieme APIC

• Smaller Startups

• BigSwitch

• PlumGRIDController

• Cisco Nexus 9300/9500

• NSX vSwitch (OVS)

• Arista

• Smaller Startups / Whitebox

• Pluribus

• PlumGRID

Page 10: F5 Synthesis Toronto February 2014 Roadshow

• L2-3 is just “plumbing”

• Dynamic L2-3 == easy, generally solved

• Dynamic L4-7: Application SDN

• Fundamentally harder!

• No good solution today

Application SDN: L4-7

Page 11: F5 Synthesis Toronto February 2014 Roadshow


Deliver the most secure, fast, and reliable applications to anyone anywhere at any time.

Page 12: F5 Synthesis Toronto February 2014 Roadshow


Driving Efficiency into Application Development

Agile Development & Development & Operation (DevOps)

code

release

• In the past 5 years we’ve seen the push to Agile Development.

• Focused on speed and customer-driven application solutions.

• Drove more efficient application development

• Agile wasn’t focused on rapid deployment of those applications

• Many closed this gap by either deploying their applications on the cloud and/or evolving their development and IT organizations with the creation of DevOps

• DevOps describes what has also been called “agile system administration” or “agile operations” joined together with the values of agile collaboration between development and operations staff.

• The goal of DevOps was simply to get applications deployed quicker.

Page 13: F5 Synthesis Toronto February 2014 Roadshow


Agile

Development

Application Environment

Rapid deployment─network and operations velocity

Speed, customer-driven, and quality of app development

Page 14: F5 Synthesis Toronto February 2014 Roadshow


Cloud and

DevOps

Cloud SLA, security and control private network agility

Accelerate time to market

Application Environment

Agile

Development

Rapid deployment─network and operations velocity

Speed, customer-driven, and quality of app development

Page 15: F5 Synthesis Toronto February 2014 Roadshow


SDN and

Private Cloud

Software defined data centers

Cloud and

DevOps

Application Environment

Cloud SLA and control private network agility

Accelerate time to market

Agile

Development

Rapid deployment─network and operations velocity

Speed, customer-driven, and quality of app development

Failed to Address: L4–7 device sprawl and application fluency

Page 16: F5 Synthesis Toronto February 2014 Roadshow


F5 VISION

Applications without constraints

The Time Is Right

SDN and

Private Cloud

Software Defined Data Centers

Cloud and

DevOps

Cloud SLA and control private network agility

Accelerate time to market

Agile

Development

Rapid deployment─network and operations velocity

Speed, customer-driven, and quality of app development

Failed to Address: L4–7 device sprawl and application fluency

Page 17: F5 Synthesis Toronto February 2014 Roadshow

“Leave No Application Behind”

Page 18: F5 Synthesis Toronto February 2014 Roadshow

DDoS WAF SSL LTE

1000

Average number of applications deployed within an enterprise

Applications require services

Acceleration

Page 19: F5 Synthesis Toronto February 2014 Roadshow


The selected few

Page 20: F5 Synthesis Toronto February 2014 Roadshow


ADC ADC ADC ADC ADC ADC

Page 21: F5 Synthesis Toronto February 2014 Roadshow

High-Performance Fabric

BIG-IP BIG-IP BIG-IP BIG-IP BIG-IP BIG-IP

Page 22: F5 Synthesis Toronto February 2014 Roadshow


Page 23: F5 Synthesis Toronto February 2014 Roadshow

The 4th Phase of the Evolution

1 Application Delivery Controller

2 Broadened Application Services

3 Cloud Ready

4 Software Defined Application Services

Page 24: F5 Synthesis Toronto February 2014 Roadshow

Software Defined Application Services Elements

High-Performance Services Fabric

Simplified Business Models

Page 25: F5 Synthesis Toronto February 2014 Roadshow

Software Defined Application Services Elements

High-Performance Services Fabric

Page 26: F5 Synthesis Toronto February 2014 Roadshow

High-Performance Services Fabric

Network [Physical • Overlay • SDN]

Virtual Edition Chassis Appliance

Page 27: F5 Synthesis Toronto February 2014 Roadshow

High-Performance Services Fabric

On-Demand Scaling All-Active Clustering Multi-Tenancy

ScaleN

TMOS TMOS TMOS TMOS

Network [Physical • Overlay • SDN]

Page 28: F5 Synthesis Toronto February 2014 Roadshow

High-Performance Services Fabric

Throughput

Connections per second

Concurrent connections

Multi-tenant instances per device

Device service clusters

Network [Physical • Overlay • SDN]

*40K when combining admin instances with vCMP

Page 29: F5 Synthesis Toronto February 2014 Roadshow

High-Performance Services Fabric

Network [Physical • Overlay • SDN]

Virtual Edition Chassis Appliance

Data Plane

Programmability

Control Plane Management Plane

Page 30: F5 Synthesis Toronto February 2014 Roadshow

High-Performance Services Fabric

Network [Physical • Overlay • SDN]

Virtual Edition Chassis Appliance

Data Plane

Programmability

Control Plane Management Plane

Page 31: F5 Synthesis Toronto February 2014 Roadshow

Software Defined Application Services

Page 32: F5 Synthesis Toronto February 2014 Roadshow

Software Defined Application Services

F5 Software Defined Application Services (SDAS)

A rich set of services that address the delivery challenges faced by businesses today.

Page 33: F5 Synthesis Toronto February 2014 Roadshow


Software Defined Application Services

Availability

Authoritative DNS

Cloud Bursting

CGNAT

Disaster Recovery

Business Continuity

Global Load Balancing

Intelligent EPC node selection

Global Server LB

DNS Caching & Resolving

Load Balancing

Page 34: F5 Synthesis Toronto February 2014 Roadshow


Software Defined Application Services

Performance

Acceleration

Caching

Optimization

SPDY Gateway

Application Optimization

Traffic Shaping and QoS

Compression

Web Performance Optimization

Traffic Management

Page 35: F5 Synthesis Toronto February 2014 Roadshow


Software Defined Application Services

Access &

Identity

Cloud Federation

Endpoint Inspection

Single Sign-On

Access Control

SAML Federation

SSL VPN

Anti-Malware

Web Access Management

Active Sync Proxy

Secure Web Gateway

Page 36: F5 Synthesis Toronto February 2014 Roadshow


Software Defined Application Services

Cloud Bridging

Mobile Optimization

MAM

SDN

VDI

Diameter and Routing

Policy Enforcement

MDM

Mobile Acceleration

VAS Bursting

Enrichment

Quota Management

Application Traffic Control

Service Chaining

Subscriber Traffic Control

NfV

VO LTE

LTE Roaming

Mobility

Page 37: F5 Synthesis Toronto February 2014 Roadshow


Software Defined Application Services

Security

DNSSEC

ADF

Anti-Fraud

WAF

DDoS

SSL VPN

Anti-Phishing

DNS Firewall

Firewall

SSL intelligence

SSL Inspection

Programmability

Page 38: F5 Synthesis Toronto February 2014 Roadshow


Software Defined Application Services Elements

Page 39: F5 Synthesis Toronto February 2014 Roadshow

Fabric Connectors

Module Connectors

Cloud Connectors

Orchestration Connectors

Intelligent Services Orchestration

BIG-IQ

Page 40: F5 Synthesis Toronto February 2014 Roadshow

Completing the SDN Stack

F5 BIG-IQ

OPEN REST APIs

LAYER 2-3 LAYER 4-7

SDN Controller

BIG-IQ Security™

BIG-IQ Cloud™

BIG-IQ Device™

NBI NBI

NVGRE VXLAN ETC…

Control Plane

Application Plane

Data Plane

Software-Defined Data Center

Virtual Networks

Service Chaining

Page 41: F5 Synthesis Toronto February 2014 Roadshow

Public Cloud

Hybrid Cloud

BIG-IP

BIG-IP

Data Center

Centralized Management Platform

BIG-IQ

Page 42: F5 Synthesis Toronto February 2014 Roadshow

Orchestration Modules

BIG-IQ Platform Services

BIG-IP Devices

Page 43: F5 Synthesis Toronto February 2014 Roadshow

Application Services Modules

Page 44: F5 Synthesis Toronto February 2014 Roadshow

VE License Pools

• One-time license provisioning

• BIG-IQ manages licenses for all VEs in the pool

• Pools available in 25-packs of Good, Better, or Best offers

Benefits

• Spin up a VE when it’s needed

• Retire a VE and return it to the pool

25 Pack of VEs

vSwitch vSwitch vSwitch vSwitch

Hypervisor Hypervisor Hypervisor Hypervisor

Virtual Infrastructure

BIG-IQ manages licensing for all VEs in the pool.

F5 licensing server

Simplify License Orchestration

Page 45: F5 Synthesis Toronto February 2014 Roadshow

Software Defined Application Services Elements

Simplified Business Models

Page 46: F5 Synthesis Toronto February 2014 Roadshow

Simplified Business Models

• Perpetual

• Subscriptions

• BYOL

• Cloud Licensing Program

Page 47: F5 Synthesis Toronto February 2014 Roadshow

Good | Better | Best

Flexibility

Make it easier to adopt advanced F5 functionality

Simplicity

Consolidate into fewer common configurations

Best Value

Save when purchasing bundles

Good Better Best

VE Price Comparison

Bought As Bundle Bought As Components

Good Better Best

Appliance Comparison

BIG-IP Local Traffic Manager ✓ ✓ ✓

BIG-IP Global Traffic Manager ✓ ✓

Application Acceleration Manager ✓ ✓

BIG-IP Advanced Firewall Manager ✓ ✓

SDN Service ✓ ✓

Advanced Routing ✓ ✓

BIG-IP Access Policy Manager ✓

BIG-IP Application Security Manager ✓

Page 48: F5 Synthesis Toronto February 2014 Roadshow

Better

BIG-IP Local Traffic Manager

BIG-IP Global Traffic Manager

BIG-IP Application Acceleration Manager

BIG-IP Advanced Firewall Manager

Key Benefits

• Protect and optimize the data center

• Optimize application delivery

• Ensure optimal application availability and performance

• Future-proof the business

• Leverage the power of integrated SDN services

• High-performance ICSA firewall

• Network DDoS protection

• Application-centric firewall policies

• Protocol anomaly detection

• Web performance optimization

• WAN optimization (data deduplication, FEC)

• Mobile optimization (smart client cache, image optimization)

• SaaS acceleration (reduce bandwidth usage & page load times)

• Global server load balancing

• DNS services

• Real-time DNSSEC solution

• Global application high availability

• Geolocation

• DNS DDoS attack protection

Page 49: F5 Synthesis Toronto February 2014 Roadshow

Best

Key Benefits

• Manage application access

• Support BYOD initiatives

• Accelerate remote access

• Protect IP and minimize vulnerability exposure

• Free development resources to create value

• PCI Compliant Web Application Firewall

• Web scraping prevention

• Integrated XML firewall

• Violation correlation & incident grouping

• Application DDoS protection

• 500 concurrent users, scalable up to 200K

• BYOD enablement

• Full Proxy for VDI (Citrix, VMware)

• Single sign-on enhancements (Identity Federation with SAML 2.0)

BIG-IP Local Traffic Manager

BIG-IP Global Traffic Manager

BIG-IP Application Acceleration Manager

BIG-IP Advanced Firewall Manager

BIG-IP Application Security Manager

BIG-IP Access Policy Manager

Page 50: F5 Synthesis Toronto February 2014 Roadshow

Synthesis and Good/Better/Best Licensing

Streamline the architecture process

1 Match Reference Architecture To Business Need

2 Choose the Appropriate Platform

3 Choose the Licensing You Need

Page 51: F5 Synthesis Toronto February 2014 Roadshow

Reference Architectures For Today’s Customer Challenges

Page 52: F5 Synthesis Toronto February 2014 Roadshow

Reference Architectures

Device, Network, Applications

Bill of Materials

• White Paper (Business)

• Solution diagram(s)

• Architecture diagram(s)

• Product map diagram(s)

• Customer Presentation

• Solution Animation/Video

• White paper (Technical)

• Placemat leave-behind

DDoS Protection

S/Gi Network Simplification

Security for Service Providers

Application Services

Migration to Cloud

DevOps

LTE Roaming

Intelligent DNS Scale

Cloud Federation

Cloud Bursting

Page 53: F5 Synthesis Toronto February 2014 Roadshow


Reference Architectures

Solution Documents…

Page 54: F5 Synthesis Toronto February 2014 Roadshow

DDoS Protection Reference Architecture

[Architecture diagram; labels recovered from the slide:]

Threat Feed Intelligence

Legitimate Users, DDoS Attacker, Scanner, Anonymous Proxies, Anonymous Requests, Botnet, Attackers

ISPa/b, Cloud Scrubbing Service, Multiple ISP strategy

Tier 1: Network and DNS

Network attacks: ICMP flood, UDP flood, SYN flood

DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning

IPS, Next-Generation Firewall

Tier 2: Application

SSL attacks: SSL renegotiation, SSL flood

HTTP attacks: Slowloris, slow POST, recursive POST/GET

Corporate Users, Financial Services, E-Commerce, Subscriber

Strategic Point of Control

Page 55: F5 Synthesis Toronto February 2014 Roadshow

DDoS Protection Reference Architecture

[Architecture diagram repeated from Page 54]

TIER 1 KEY FEATURES

• The first tier at the perimeter is layer 3 and 4 network firewall services

• Simple load balancing to a second tier

• IP reputation database

• Mitigates volumetric and DNS DDoS attacks

Page 56: F5 Synthesis Toronto February 2014 Roadshow

DDoS Protection Reference Architecture

[Architecture diagram repeated from Page 54]

TIER 2 KEY FEATURES

• The second tier is for application-aware, CPU-intensive defense mechanisms

• SSL termination

• Web application firewall

• Mitigate asymmetric and SSL-based DDoS attacks

Page 57: F5 Synthesis Toronto February 2014 Roadshow


Recommended Practices Configuration Guide

2.3.2.5 Throttle GET Request Floods via Script

The F5 DevCentral community has developed several powerful iRules that automatically throttle GET requests. Customers are continually refining these to keep up with current attack techniques.

Here is one of the iRules that is simple enough to be represented in this document. The live version can be found at this DevCentral page: HTTP-Request-Throttle

when RULE_INIT {
    # Maximum number of GET requests allowed per client within the window.
    set static::maxRate 10
    # This defines how long the sliding window for counting requests is.
    # This example allows 10 requests in 3 seconds.
    set static::windowSecs 3
    # Idle timeout (seconds) given to each subtable entry; the window above is its lifetime.
    set static::timeout 30
}

when HTTP_REQUEST {
    if { [HTTP::method] eq "GET" } {
        # Count the entries currently held in this client's subtable.
        set getCount [table keys -count -subtable [IP::client_addr]]
        if { $getCount < $static::maxRate } {
            incr getCount 1
            table set -subtable [IP::client_addr] $getCount "ignore" $static::timeout $static::windowSecs
        } else {
            HTTP::respond 501 content "Request blocked. Exceeded requests/sec limit."
            return
        }
    }
}

Another iRule, which is in fact descended from the above, is an advanced version that also includes a way to manage the banned IP addresses from within the iRule itself:

• URI-Request Limiter iRule – Drops excessive HTTP requests to specific URIs or from an IP
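
The throttle logic of the GET-throttling iRule above, modelled in Python and replayed over a constructed request log so the effect of the 10-requests-in-3-seconds window can be checked offline. This is an added example, not F5 or DevCentral code: the class, function names and sample log are assumptions, and each counted GET is tracked by its own expiry time rather than by the iRule's `$getCount` key.

```python
"""Model of a per-client GET throttle with a sliding window (added example)."""
from collections import defaultdict

MAX_RATE = 10      # mirrors static::maxRate: GETs allowed per window
WINDOW_MS = 3000   # mirrors static::windowSecs (3 s), in milliseconds


class GetThrottle:
    """Tracks, per client IP, the expiry time of every GET that was let through."""

    def __init__(self, max_rate=MAX_RATE, window_ms=WINDOW_MS):
        self.max_rate = max_rate
        self.window_ms = window_ms
        self._expiries = defaultdict(list)  # client IP -> expiry times (ms)

    def allow(self, client_ip, method, now_ms):
        """Return True if the request passes, False if it would get the 501."""
        if method != "GET":
            return True  # the iRule only counts GET requests
        # Drop entries whose lifetime has run out, as the session table does.
        live = [exp for exp in self._expiries[client_ip] if exp > now_ms]
        allowed = len(live) < self.max_rate
        if allowed:
            # Only requests that pass are recorded; blocked ones add no entry.
            live.append(now_ms + self.window_ms)
        self._expiries[client_ip] = live
        return allowed

    def purge(self, now_ms):
        """Forget clients with no live entries; return how many are still tracked."""
        for ip in list(self._expiries):
            self._expiries[ip] = [e for e in self._expiries[ip] if e > now_ms]
            if not self._expiries[ip]:
                del self._expiries[ip]
        return len(self._expiries)


def replay(log_lines, throttle=None):
    """Replay 'ms ip method uri' lines in time order; count verdicts per client."""
    if throttle is None:
        throttle = GetThrottle()
    summary = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for line in log_lines:
        ts, ip, method, _uri = line.split()
        verdict = "allowed" if throttle.allow(ip, method, int(ts)) else "blocked"
        summary[ip][verdict] += 1
    return dict(summary)


def sample_log():
    """Constructed sample traffic (documentation-range IPs), sorted by time."""
    # One client sends 15 GETs in 0.7 s, then retries at 2.0 s and at 3.5 s.
    burst = [f"{t} 198.51.100.7 GET /search" for t in range(0, 750, 50)]
    burst += ["2000 198.51.100.7 GET /search", "3500 198.51.100.7 GET /search"]
    # Another client sends one GET per second plus a run of POSTs.
    steady = [f"{t} 203.0.113.20 GET /index.html" for t in range(0, 5000, 1000)]
    posts = [f"{t} 203.0.113.20 POST /form" for t in range(100, 1300, 100)]
    return sorted(burst + steady + posts, key=lambda l: int(l.split()[0]))


if __name__ == "__main__":
    for ip, counts in sorted(replay(sample_log()).items()):
        print(ip, counts)
```

In the replay, the bursting client is cut off after its tenth GET and is served again only once those ten entries have aged out of the window, while the steady client and its POSTs are never touched.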

2.3.2.4 Enforce Real Browsers

Besides authentication and tps-based detection, there are additional ways that F5 devices can separate real web browsers from probable bots.

The easiest way, with ASM, is to create a DoS protection profile and turn on the “Source IP-Based Client Side Integrity Defense” option. This will inject a JavaScript redirect into the client stream and verify each connection the first time that source IP address is seen.

Figure 1. Insert a JavaScript Redirect to verify a real browser

32 Page Detailed Guide…

Page 58: F5 Synthesis Toronto February 2014 Roadshow

Blended Attacks

25+ new DDoS Attack Vector Control options in Hardware

Technical Validation & Performance Testing

UDP Flood: 2x Competition

ICMP Flood: 10x Competition

TCP Syn-Flood: 16x Competition

Page 59: F5 Synthesis Toronto February 2014 Roadshow

Mapping F5 Products to Synthesis Solutions

Use Reference Architectures to Implement F5 Synthesis Solutions

Page 60: F5 Synthesis Toronto February 2014 Roadshow


Key Customer Benefits

ALL BACKED BY WORLD-CLASS SUPPORT AND PROFESSIONAL SERVICES

Maintain application availability

Save money for your company

Protect network infrastructure

Safeguard your brand reputation

Defend against targeted attacks

Stay one step ahead

Page 61: F5 Synthesis Toronto February 2014 Roadshow


TCO Study─Details

Data Center Consolidation DDoS DDoS Market Study

83% Lower TCO

85% Savings

• Service Contracts

92% Savings

• Space/Power/Cooling

62% Savings

• Training

82% Savings

• Upgrades/Patching

81% Lower TCO

81% Savings

• Service Contracts

94% Savings

• Space/Power/Cooling

66% Savings

• Training

82% Savings

• Upgrades/Patching

• DDoS Products and Services

• $870 Million Market by 2017

• FSI Represents 23% of DDoS Market

• Services Accounts for 46% of DDoS TAM

• Financial Services, Gaming, and Online Retail are top verticals

Page 62: F5 Synthesis Toronto February 2014 Roadshow

Making it Happen with Global Services

Page 63: F5 Synthesis Toronto February 2014 Roadshow

F5 Global Services and Synthesis

1 Packaged Core Services

• Implementation

• Migration

• Upgrades

2 Advanced Services

• Security

• Mobility

• Service Provider

3 Consultative and Strategic

• Solution Definition Workshops

• Security Envisioning

• Remote Services

4 Architecture and Integration

• Reference Architectures

• Managed Services / SOC

• F5aaS

PRODUCT FOCUSED | SERVICE LED | SOLUTION DRIVEN | APPLICATION ENABLED

Page 64: F5 Synthesis Toronto February 2014 Roadshow

Services to Support Reference Architecture Lifecycle

OPTIMIZE

ARCHITECT IMPLEMENT

MAINTAIN

Proactive Assessments and Integration

Managed Services and Live Monitoring

Installation and Migrations

Solution Definition Workshop

DDoS

S/Gi Network Simplification

Security for Service Providers

Application Services

Cloud Migration

DevOps

Secure Mobility

LTE Roaming

DNS

Cloud Federation

Cloud Bursting

Page 65: F5 Synthesis Toronto February 2014 Roadshow

Multi-network Environment and Partner Ecosystem

Page 66: F5 Synthesis Toronto February 2014 Roadshow


F5 Synthesis Partner Ecosystem


DevOps

Page 67: F5 Synthesis Toronto February 2014 Roadshow


Completing the SDN Stack

F5 BIG-IQ

OPEN REST APIs

LAYER 2-3 LAYER 4-7

SDN Controller

BIG-IQ Security™

BIG-IQ Cloud™

BIG-IQ Device™

NBI NBI

NVGRE VXLAN ETC…

Control Plane

Application Plane

Data Plane

Software-Defined Data Center

Virtual Networks

Service Chaining

Page 68: F5 Synthesis Toronto February 2014 Roadshow


F5 Platforms

Hardware | Software | Cloud

Programmability

F5 SDAS Service Fabric

Programmability

BIG IQ Cloud

Provisioning and orchestration of BIG-IP in AWS

Two-way communication

Configure application networking services

Automated network and service provisioning

Auto-scaling, application provisioning, and automated system maintenance and patching.

Dynamically update state of servers in load balancing pool

Automate network and service provisioning, integrate network virtualization and ADN services

Partner Integration with Synthesis

Page 69: F5 Synthesis Toronto February 2014 Roadshow

Cisco ACI Design Philosophy

Page 70: F5 Synthesis Toronto February 2014 Roadshow

Why Cisco/ACI matters for Customers

• Cisco and F5 share a common vision for simplifying networking end to end by taking an application-centric approach to solving key pain points in customers’ next generation data centers while meeting their critical data center requirements today.

• Working with Cisco on Application Centric Infrastructure, F5 has a unique opportunity to deliver on the vision of shaping infrastructure to the needs of the applications.

• Cisco ACI integrates F5 BIG-IP appliances (physical and virtual) to deliver application-centric, ADC-enabled network automation in existing and next generation data centers

Page 71: F5 Synthesis Toronto February 2014 Roadshow


VMware NSX and F5 joint solution

Any Application (without modification)

Virtual Networks

VMware NSX Network Virtualization Platform

Logical L2

Any Network Hardware

Any Cloud Management Platform

Logical Firewall

Logical Load Balancer

Logical L3

Logical VPN

Any Hypervisor

Logical Load Balancer

Virtual IP: 172.168.1.1

Member pool: 10.0.0.1, 10.0.0.2

ADN template: Web Gold

Overview

• NSX integrates with F5 BIG-IQ and BIG-IPs

• F5 Admin defined iApps get published to NSX Manager as ADN service templates

• BIG-IP VEs get automatically deployed, licensed and configured

• User can instantiate and consume F5 iApps from NSX UI or API

Benefits

• Compatible with all NSX features

• Compatible with all F5 BIG-IQ and BIG-IP features

• Seamless support for virtual networks and traditional networking with VLANs

• Support for any CMP including vCAC

• Familiar workflows for all teams (in NSX, and in F5 BIG-IQ)

• Supports virtual and physical form factor of F5 appliances

Page 72: F5 Synthesis Toronto February 2014 Roadshow

F5 + NSX : Application delivery needs for enterprise virtualized workloads in NSX environments

Context Aware Network Services:

• Insertion of Application, user and resource awareness in NSX environments

Speed of provisioning:

• Intelligent services orchestration enhances time-to-production for all the necessary infrastructure services from weeks to minutes

Simplified Operations:

• Meet needs for simplified operations and programmability needs for network services

Application visibility and correlation

• Enhanced visibility and correlation for the application

Page 73: F5 Synthesis Toronto February 2014 Roadshow


Benefits

Drive Increase Reduce Future


Page 74: F5 Synthesis Toronto February 2014 Roadshow

SDDC/Cloud

Page 75: F5 Synthesis Toronto February 2014 Roadshow

Coming to a City Near You….Cloud and Security Events

Ask your Account Team for More Information…

Page 76: F5 Synthesis Toronto February 2014 Roadshow