Source: governmentvideosolutionsforum.com/pdf/TechTalkEdwards12-10-13.pdf
Architecture: Consolidated Platform Eddie Augustine
Major Accounts Manager: Federal
© F5 Networks, Inc 2
Current DoD Situation – “Stovepipes” of Technology
(Diagram: separate technology stovepipes: VDI / BYOD, Load Balancing, CAC / SSO, App Security, DNSSEC, SSL VPN, IPv4 – IPv6, App Acceleration, WAN Optimization; beneath them the consolidated platform: Customization Solutions, Traffic Management Operating System (TMOS), Application Delivery Services, Access, Security, Availability, iRules, iControl.)
“Elimination of Stovepipes”
This is not a product pitch but rather an ARCHITECTURE conversation.
(Diagram: the consolidated platform: Customization Solutions, Traffic Management Operating System (TMOS), Application Delivery Services, Access, Security, Availability, iRules, iControl.)
Benefits of a Consolidated Platform
- Reduced infrastructure = LOWER COST
- Reduced personnel / SMEs = LOWER COST
- Standardization = LOWER COST
- Less power (multiple devices) = LOWER COST
- SSL Offload = LOWER COST
- Less training = LOWER COST
- Lower maintenance fees = LOWER COST
- Faster delivery of apps = Happier Users
- Context aware = MORE SECURE (W,W,W,W,W, H)
Application Delivery Networking: App Access Management – Paul Deakin, FSE
Application Complexity: Extending Beyond the Code
(Diagram: the Application Architect surrounded by the concerns Availability, Security, Growth, End-user Experience and Efficiency.)
(Diagram: Corporate Employees, Remote Employees, Mobile Employees, Branch Employees and Customers, Partners or Suppliers connecting to Cloud Services, Hosted Applications, SaaS, the Corporate Data Center and Branch Apps and Data.)
How do I connect all these applications and services to the right people, at the right moment in time, using the right amount of resources, meet all my SLAs, ensure security and save money?
F5’s Strategic Point of Control
(Diagram: Users on one side; Resources on the other: Physical, Virtual, Multi-Site DCs and Cloud (Private, Public), each hosting OS / APP stacks; the strategic point of control sits between them and provides the four service groups below.)
Security
• Network
• Application
• Data
• Access
Management
• Integration
• Visibility
• Automation
• Orchestration
Availability
• Scale
• HA / DR
• Bursting
• Load-Balancing
Optimization
• Network
• Application
• Storage
• Offload
A “Modern” IT Delivery Model
(Diagram: Corporate Employees, Remote Employees, Mobile Employees, Branch Employees and Customers, Partners or Suppliers connecting to Cloud Services, Hosted Applications, SaaS, Branch Apps and Data and the Corporate Data Center.)
Application Authentication: 3 Common (Static) Models
In a Proxy? In an Agent? In the Code?
(Diagram: a Proxy in front of Web Servers App 1, App 2, App 3 … App n, with a Policy Manager and Directory; the numbers 1, 2 and 3 mark the three placement points for authentication.)
Application Authentication: Another Virtualized Service!
(Diagram: Web Servers App 1, App 2, App 3 … App n with a Policy Manager and Directory.)
Reduce Cost
Gain Scalability
Increase Security
Credential Caching and SSO
Unified Access Control: One Authentication – Multiple Access
(Diagram: Client, an Auth Virtual for ex.com, and Credential Caching (CC) Virtuals for colab.ex.com and support.ex.com.)
Federal Gov’t Authentication Complications
• Explosion of smart cards: Federal Govt's CAC card
• Extra auth. infrastructure required for Kerberos protocol
• Orgs. are required to federate between agencies
• Additional auth. costs $1M to $5M per agency
(Diagram: users from different agencies accessing federated sites; ADC, Auth. Gateway, Kerberos granting ticket.)
Simplified Smart Card Authentication Tier
Trusted Proxy
• Reduce infrastructure costs by bringing auth. to BIG-IP
• Integrate and distribute users to domains
• Easier deployment throughout agencies
(Diagram: Kerberos granting ticket; token based client access card for mobile users.)
Flexible Authentication
Edge Authentication
Endpoint Control
Location Awareness
(Diagram: Web Servers App 1, App 2, App 3 … App n with a Policy Manager and Directory.)
Authentication on the Edge!
Greater Client Control
Decisions and Services Applied “Earlier”
(Diagram: Clients and Applications.)
Graphical Access Policy Management
Increased Situational Awareness
Virtualization Support Built In
Software Modules
BIG-IP Local Traffic Manager: direct traffic to the best available server; guarantee application availability
• Compression
• RAM Caching
• TCP Multiplexing
• Load balancing
• Health Monitor
• Server Persistence
• DDoS protection
• TCP proxy
• Application proxy
• SSL offload
Available
Fast
Secure
BIG-IP Global Traffic Manager: direct, secure, and scale your DNS infrastructure
Scale DNS
• Up to 20 million queries per second
• IP Anycast for increased resilience
• Automated configuration sync
Secure DNS
• DDoS protection
• DNS protocol validation
• End the BIND patching cycle
Direct DNS
• Load balance across data centers
• Direct to physical and cloud DCs
• Geographic IP topology database
(Diagram: Client, L-DNS, BIG-IP GTM, and Data Center 1 and Data Center 2 each with BIG-IP LTM and App Servers.)
Security Landscape
90% of security investment is focused on network threats, yet 75% of attacks are focused on application threats. (Source: Gartner)
Network Threats – Attack Vectors
• TCP SYN Flood
• TCP Conn Flood
• DNS Flood
• HTTP GET Flood
Application Threats – Attack Vectors
• HTTP Slow Loris
• DNS Cache Poison
• SQL Injection
• Cross Site Scripting
F5 Extends Security Across All Layers
(Diagram: OSI layers Application 7, Presentation 6, Session 5, Transport 4, Network 3, Data Link 2, covered by BIG-IP Advanced Firewall and BIG-IP Application Security.)
EAL 2+, EAL4+ in process
DDoS MITIGATION
Increasing difficulty of attack detection going up the OSI stack: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7).
Network attacks: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
F5 mitigation technologies – BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
Session attacks: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
F5 mitigation technologies – BIG-IP LTM and GTM: High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation
Application attacks: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods
F5 mitigation technologies – BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
• Protect against DDoS at all layers
• Withstand the largest attacks
• Gain visibility and detection of SSL encrypted attacks
BIG-IP Security: Use the right tool – Separation of Firewalls
“Next generation” firewall – Corporate (users)
Characteristics
• Outbound user inspection
• UserID and AppID
• Who is doing what?
• 1K users to 10K websites
• Broad but shallow
F5 Application Delivery Firewall – Internet data center (servers)
Characteristics
• Inbound application protection
• Application delivery focus
• 1M users to 100 apps
• Narrow but deep
• 12 protocols (HTTP, SSL, etc.)
Network Floods – Mitigated by Scale and Performance
Layer 3: Configurable rate-limiting of ICMP floods
Layer 4: SYN-flood protection in hardware, mitigating 1 billion SYNs per second
BIG-IP 10200v: 36M concurrent sessions
VIPRION 2400: 48M concurrent sessions
VIPRION 4480: 144M concurrent sessions
VIPRION 4800: 288M concurrent sessions
BIG-IP Advanced Firewall: Full Network Firewall Integrated into the ADC
• Layer 2 – 4 Protection
• Application-centric deployment
• Massive Scale for DDoS Protection
• ICSA Certified Network Firewall
• Integrated into the BIG-IP ADC
(Chart: connections per second, in millions (0 to 7), for F5 VIPRION 4480, Juniper SRX 5800, Cisco ASA 5585-X and Check Point 61000; annotated “14x”.)
BIG-IP Application Security: Secure web applications from threats
• Layer 5 – 7 Application Protection
• PCI DSS Compliance
• Positive + Negative Security Models
• ICSA Certified Web App Firewall
• Integrated into the BIG-IP ADC
(Diagram: Users, Web Applications, BIG-IP ASM; Automate Signature Updates; Industry Partnerships.)
BIG-IP Access Policy Manager: Identify, authenticate, and control user access to your applications
Single Sign On
• Secure and accelerate application access from any device and location
• Consolidate AAA and SSO services for enterprise applications
• RDP, View, Citrix Xen Support
• Federate via SAML
Mobile User Access
• Scalable SSL VPN
• Advanced Endpoint checks
• BYOD: IOS, Win8, Android Support
BIG-IP Web Accelerator: Acceleration for static and dynamic web apps
(Diagram: Client Browser and Server Infrastructure; Page Load Time = Page Generation Time + Page Delivery Time.)
Server Offload
• Compression
• Dynamic Caching
• Content Spooling
• OneConnect
• Rate Shaping
• Connection limit
Network Acceleration
• Compression
• Dynamic Caching
• TCP Express
• Differential Compression
• QoS
• Security/authentication
BIG-IP WAN Optimization Module: Connection is encrypted and accelerated via network and application proxies, compression, de-duplication
(Logical diagram: Data Center 1 and Data Center 2 connected over the Internet or WAN through a BIG-IP on each side, with Web Tier, App Tier, File Servers, Active Database, Standby Database and BIG-IP / ARX; TCP & HTTP Optimization; optimization of applications such as HTTP; optimization of data replication and backup. This is a logical diagram. Database and storage acceleration will physically route through the BIG-IP.)
Data center to data center acceleration
• Migrate live VM images across WAN without dropping user sessions
• Accelerate replication and backup such as SnapMirror or Exchange
Enterprise Manager Centralized Manager for BIG-IP Products
Reporting
• Predefined reports
• User generated reports
• Exportable (pdf, csv, email)
Views
• Node/Pool Member Views
• Easy access for Enable/Disable
Software Upgrades
• Stage upgrade packages to target BIG-IPs
• Schedule BIG-IP software upgrades
• Manual or automatic activation of upgrades
Backups
• Schedule automated config backups
• Run visual diffs against current configs
Heuristics
• Ability to connect to heuristics engine
• Ability to schedule heuristics run
Thank You!