F5 Synthesis Information Session. April, 2014

Similar documents
What s next for your data center? Power Your Evolution with Physical and Virtual ADCs. Jeppe Koefoed Wim Zandee Field sales, Nordics

Advanced threats. "Software defined" everything. Internet of Things. SDDC/Cloud. HTTP is the new TCP. Mobile. F5 Networks, Inc 2

F5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe

Comprehensive datacenter protection

F5 Networks in the Software Defined DataCenter Era. Paolo Pambianco System Engineer CSP

Herding Cats. Carl Brothers, F5 Field Systems Engineer

KEEPING THE BAD GUYS OUT WHILE LETTING THE GOOD GUYS IN. Paul Deakin Federal Field Systems Engineer

Securing and Accelerating the InteropNOC with F5 Networks

Sichere Applikations- dienste

Architecture: Consolidated Platform. Eddie Augustine Major Accounts Manager: Federal

Estrategias de mitigación de amenazas a las aplicaciones bancarias. Carlos Valencia Sales Engineer - LATAM

Service Insertion with ACI using F5 iworkflow

Silverline DDoS Protection. Filip Verlaeckt

Security Overview and Cisco ACE Replacement

Orchestration: Accelerate Deployments and Reduce Operational Risk. Nathan Pearce, Product Development SA Programmability & Orchestration Team

F5 Demystifying Network Service Orchestration and Insertion in Application Centric and Programmable Network Architectures

Cloud, SDN and BIGIQ. Philippe Bogaerts Senior Field Systems Engineer

DATACENTER SECURITY. Paul Deakin System Engineer, F5 Networks

ADC im Cloud - Zeitalter

and public cloud infrastructure, including Amazon Web Services (AWS) and AWS GovCloud, Microsoft Azure and Azure Government Cloud.

BIG-IP V11.3: PRODUCT UPDATE. David Perodin Field Systems Engineer III

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

Management and Orchestration with F5 BIG-IQ 4.5. Philippe Bogaerts F5 Networks

August 14th, 2018 PRESENTED BY:

Technical and Service Provider Breakouts

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

SAS and F5 integration at F5 Networks. Updates for Version 11.6

O365 Solutions. Three Phase Approach. Page 1 34

Application Security. Rafal Chrusciel Senior Security Operations Analyst, F5 Networks

Pulse Secure Application Delivery

Intelligent and Secure Network

RETHINKING DATA CENTER SECURITY. Reed Shipley Field Systems Engineer, CISSP State / Local Government & Education

Best Practice Deployment of F5 App Services in Private Clouds. Henry Tam, Senior Product Marketing Manager John Gruber, Sr. PM Solutions Architect

WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING

Corrigendum 3. Tender Number: 10/ dated

Cisco HyperFlex and the F5 BIG-IP Platform Accelerate Infrastructure and Application Deployments

Providing Secure, Fast and Available

Deploy F5 Application Delivery and Security Services in Private, Public, and Hybrid IT Cloud Environments

Automate Application Deployment with F5 Local Traffic Manager and Cisco Application Centric Infrastructure

SaaS. Public Cloud. Co-located SaaS Containers. Cloud

AKAMAI CLOUD SECURITY SOLUTIONS

F5 Networks Defence Methodiken auf Transportund Applikationsebene. Specialist SE - Security

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

Imperva Incapsula Product Overview

Build application-centric data centers to meet modern business user needs

A10 DDOS PROTECTION CLOUD

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

Hybride Cloud Szenarien HHochverfügbar mit KEMP Loadbalancern. Köln am 10.Oktober 2017

Multi-Tenancy Designs for the F5 High-Performance Services Fabric

The F5 Application Services Reference Architecture

Solutions Guide. F5 solutions for the emerging 5G landscape

A different approach to Application Security

DevOps CICD PopUp. Software Defined Application Delivery Fabric. Frey Khademi. Systems Engineering DACH. Avi Networks

Presenting the VMware NSX ECO System May Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Large FSI DDoS Protection Reference Architecture

Cisco Cloud Architecture with Microsoft Cloud Platform Peter Lackey Technical Solutions Architect PSOSPG-1002

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN

Drive Greater Value from Your Cisco Deployment with Radware Solutions

We b Ap p A t ac ks. U ser / Iden tity. P hysi ca l 11% Other (VPN, PoS,infra.)

Czas na nowe platformy sprzętowe F5! Dlaczego są to najbardziej programowalne urządzenia ADC na rynku

Maximum Security, Zero Compromise in Availability and Performance

TALK THUNDER SOFTWARE FOR BARE METAL HIGH-PERFORMANCE SOFTWARE FOR THE MODERN DATA CENTER WITH A10 DATASHEET YOUR CHOICE OF HARDWARE

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

SOLUTION GUIDE. F5 Security Solutions

How to Future-Proof Application Delivery

RE-ARCHITECTING THE GI LAN OPTIMIZE & MONETIZE MOBILE BROADBAND. Bart Salaets Solution Architect

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco

Dynamic App Services in Containerized Environments

BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja?

Future-Proof Your Hardware Investment PRESENTED BY:

DDoS Detection&Mitigation: Radware Solution

68% 63% 50% 25% 24% 20% 17% Credit Theft. DDoS. Web Fraud. Cross-site Scripting. SQL Injection. Clickjack. Cross-site Request Forgery.

Securing Your Amazon Web Services Virtual Networks

Brocade Application Delivery

A10 Thunder Series Application Delivery Controller (ADC)

McAfee Virtual Network Security Platform

Cyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA

Cisco Firepower NGFW. Anticipate, block, and respond to threats

The DNS of Things. A. 2001:19b8:10 1:2::f5f5:1d Q. WHERE IS Peter Silva Sr. Technical Marketing

How to Leverage Containers to Bolster Security and Performance While Moving to Google Cloud

Radware s Attack Mitigation Solution Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks

WEBSCALE CONVERGED APPLICATION DELIVERY PLATFORM

Traffic Steering & Service Chaining

Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

The Emerging Role of a CDN in Facilitating Secure Cloud Deployments

A GUIDE TO DDoS PROTECTION

Business Strategy Theatre

Cato Cloud. Global SD-WAN with Built-in Network Security. Solution Brief. Cato Cloud Solution Brief. The Future of SD-WAN. Today.

Unified Application Delivery

Cisco Cloud Application Centric Infrastructure

Pasiruoškite ateičiai: modernus duomenų centras. Laurynas Dovydaitis Microsoft Azure MVP

The Next Opportunity in the Data Centre

Mitigating DDoS A acks with F5 Technology

Secure your Web Applications with AWS WAF & AWS Shield. James Chiang ( 蔣宗恩 ) AWS Solution Architect

Deploying Cloud Network Services Prime Network Services Controller (formerly VNMC)

VMworld disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no

Transcription:

F5 Synthesis Information Session April, 2014

Agenda Welcome and Introduction to Customer Technology Challenges Software Defined Application Services Reference Architectures for Today s Customer Challenges Total Cost of Ownership and New Business Models Multi-network Environment and Partner Ecosystem Making it Happen with Global Services Q & A

Advanced threats Software defined everything SDDC/Cloud Internet of Things Mobility HTTP is the new TCP F5 Networks, Inc 3

Impact on Data Center Architecture: Applications MICRO-ARCHITECTURES Each service is isolated and requires its own: Load balancing Authentication / authorization Security Layer 7 Services May be API-based, expanding services required More applications need services API DOMINANCE Proxies are used in emerging API-centric architectures for: API versioning Client-based steering API Load balancing Metering & billing API key management More intelligence needed in services Service A Service C API v1 Service B Service D API v2 F5 Networks, Inc 4

Impact on Data Center Architecture: Network SOLUTION SPRAWL Increasing threats and client platforms result in need for: Mobile device management Mobile access management Mobile security DDoS Application layer threats Malware OPERATIONAL INCONSISTENCY Introduction of off-premise cloud solutions without architectural parity results in: Inconsistent enforcement of business and operational policies Unpredictable application performance and security Increased OpEx as new management paradigms are introduced SaaS F5 Networks, Inc 5

Leave No Application Behind

1000 Average number of applications deployed within an enterprise DDoS WAF SSL Acceleration LTE Applications require services F5 Networks, Inc 7

The selected few F5 Networks, Inc 8

ADC ADC ADC ADC ADC ADC F5 Networks, Inc 9

High-Performance Fabric Application BIG-IP BIG-IP Services BIG-IP BIG-IP BIG-IP BIG-IP F5 Networks, Inc 10

F5 Networks, Inc. 11

The 4 th Phase of the Evolution 4 Software Defined Application Services 3 Cloud Ready 2 Broadened Application Services 1 Application Delivery Controller F5 Networks, Inc. 12

Software Defined Application Services Elements High-Performance Services Fabric Simplified Business Models F5 Networks, Inc 13

Software Defined Application Services Elements High-Performance Services Fabric F5 Networks, Inc 14

High-Performance Services Fabric Virtual Edition Appliance Chassis Network [Physical Overlay SDN]

High-Performance Services Fabric On-Demand Scaling All-Active Clustering Multi-Tenancy TMOS TMOS TMOS TMOS ScaleN Network [Physical Overlay SDN]

High-Performance Services Fabric Throughput Connections per second Concurrent connections Multi-tenant instances per device Device service clusters *40K when combining admin instances with vcmp Network [Physical Overlay SDN]

High-Performance Services Fabric Programmability Data Plane Control Plane Management Plane Virtual Edition Appliance Chassis Network [Physical Overlay SDN]

High-Performance Services Fabric Programmability Data Plane Control Plane Management Plane Virtual Edition Appliance Chassis Network [Physical Overlay SDN]

Software Defined Application Services

Software Defined Application Services F5 Software Defined Application Services (SDAS) A rich set of services that address the delivery challenges faced by businesses today. F5 Networks, Inc 21

Software Defined Application Services Global Server LB Global Load Server LB CGNAT Balancing Global Load Balancing Authoritative DNS Disaster Recovery Cloud Bursting DNS Caching & Resolving Intelligent EPC node selection Business Continuity Availability F5 Networks, Inc 22

Software Defined Application Services Traffic Management Caching Compression Optimization Acceleration Web Performance Optimization SPDY Gateway Performance Traffic Shaping and QoS Application Optimization F5 Networks, Inc 23

Software Defined Application Services. Cloud Federation Access Control Anti-Malware Endpoint Inspection SAML Federation Single Sign-On SSL VPN Active Sync Proxy Secure Web Gateway Web Access Management Access & Identity F5 Networks, Inc 24

Software Defined Application Services Anti-Fraud Programmability WAF SSL intelligence DNSSEC ADF DNS Security SSL Inspection Anti-Phishing DDoS SSL VPN Security F5 Networks, Inc 25

Software Defined Application Services Elements F5 Networks, Inc 26

Intelligent Services Orchestration Orchestration Connectors Rest API Fabric Connectors BIG-IQ Cloud Connectors Module Connectors

Software-Defined Data Center Completing the SDN Stack Application Plane BIG-IQ Device BIG-IQ Security BIG-IQ Cloud NBI NBI Control Plane SDN Controller OPEN REST APIs F5 BIG-IQ Virtual Networks NVGRE VXLAN ETC Data Plane Service Chaining LAYER 2-3 LAYER 4-7

Centralized Management Platform BIG - IQ BIG-IP BIG-IP Data Center Hybrid Cloud Public Cloud

Application Services Modules

Software Defined Application Services Elements Simplified Business Models

Best Value Simplicity Flexibility Good Better Best BIG-IP Local Traffic Manager BIG-IP Global Traffic Manager Application Acceleration Manager BIG-IP Application Protection SDN Service Advanced Routing BIG-IP Access Policy Manager BIG-IP Application Security Manager Good Better Best VE Price Comparison Good Better Best Bought As Bundle Appliance Comparison Bought As Components Make it easier to adopt advanced F5 functionality Consolidate into fewer common configurations Save when purchasing bundles

Reference Architectures For Today s Customer Challenges

Reference Architectures Device, Network, Applications S/Gi Network Simplification Security for Service Providers Application Services Migration to Cloud DevOps DDoS Protection LTE Roaming Intelligent DNS Scale Cloud Federation Cloud Bursting Bill of Materials White Paper (Business) Solution diagram(s) Architecture diagram(s) Product map diagram(s) Customer Presentation Solution Animation/Video White paper (Technical) Placemat leave-behind F5 Networks, Inc. 34

Reference Architectures Solution Documents F5 Networks, Inc 35

DDoS Protection Reference Architecture Next-Generation Firewall Corporate Users Tier 1 Tier 2 Multiple ISP strategy Network attacks: ICMP flood, UDP flood, SYN flood SSL attacks: SSL renegotiation, SSL flood Financial Services Legitimate Users DDoS Attacker ISPa/b Cloud Scrubbing Service DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS IPS HTTP attacks: Slowloris, slow POST, recursive POST/GET Application E-Commerce Subscriber Threat Feed Intelligence Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Strategic Point of Control F5 Networks, Inc 36

DDoS Protection Reference Architecture Next-Generation Firewall Corporate Users TIER 1 KEY FEATURES Legitimate Users DDoS Attacker Multiple ISP strategy ISPa/b Cloud Scrubbing Service Threat Feed Intelligence Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Tier 1 Tier 2 The first tier at the Network and DNS SSL attacks: perimeter SSL renegotiation, is layer 3 SSL flood and 4 network firewall services Simple load balancing Application to a second tier HTTP attacks: Slowloris, slow POST, recursive POST/GET IP reputation database IPS Mitigates volumetric and DNS DDoS attacks Financial Services E-Commerce Subscriber Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Strategic Point of Control F5 Networks, Inc 37

DDoS Protection Reference Architecture Next-Generation Firewall Corporate Users TIER 2 KEY FEATURES The second tier is for application-aware, Multiple ISP CPU-intensive defense strategy Legitimate Users SSL termination ISPa/b DDoS Attacker mechanisms Web application firewall Mitigate asymmetric Cloud and Scrubbing SSL-based Service DDoS attacks Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Tier 1 Network and DNS IPS SSL attacks: SSL renegotiation, SSL flood HTTP attacks: Slowloris, slow POST, recursive POST/GET Tier 2 Application Financial Services E-Commerce Subscriber Threat Feed Intelligence Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Strategic Point of Control F5 Networks, Inc 38

Recommended Practices Configuration Guide 2.3.2.4 Enforce Real Browsers Besides authentication and tps-based detection (section Error! Reference source not found.), there are additional ways that F5 devices can separate real web browsers from probable bots. The easiest way, with ASM, is to create a DoS protection profile and turn on the Source IP- Based Client Side Integrity Defense option. This will inject a JavaScript redirect into the client stream and verify each connection the first time that source IP address is seen. Figure 1. Insert a Javascript Redirect to verify a real browser 2.3.2.5 Throttle GET Request Floods via Script The F5 DevCentral community has developed several powerful irules that automatically throttle GET requests. Customers are continually refining these to keep up with current attack techniques. Here is one of the irules that is simple enough to be represented in this document. The live version can be found at this DevCentral page: HTTP-Request-Throttle when RULE_INIT { # Life timer of the subtable object. Defines how long this object exist in the subtable set static::maxrate 10 # This defines how long is the sliding window to count the requests. # This example allows 10 requests in 3 seconds set static::windowsecs 3 set static::timeout 30 } when HTTP_REQUEST { if { [HTTP::method] eq "GET" } { set getcount [table key -count -subtable [IP::client_addr]] if { $getcount < $static::maxrate } { incr getcount 1 table set -subtable [IP::client_addr] $getcount "ignore" $static::timeout $static::windowsecs } else { HTTP::respond 501 content "Request blockedexceeded requests/sec limit." } } } return 32 Page Detailed Guide Another irule, which is in fact descended from the above, is an advanced version that also includes a way to manage the banned IPs address from within the irule itself: URI-Request Limiter irule Drops excessive HTTP requests to specific URIs or from an IP F5 Networks, Inc 39

Cisco Partnership

Software-Defined Data Center Completing the SDN Stack Application Plane BIG-IQ Device BIG-IQ Security BIG-IQ Cloud NBI NBI Control Plane SDN Controller OPEN REST APIs F5 BIG-IQ Virtual Networks NVGRE VXLAN ETC Data Plane Service Chaining LAYER 2-3 LAYER 4-7 F5 Networks, Inc 41

Partner Integration with Synthesis Auto-scaling, application provisioning, and automated system maintenance and patching. Two-way communication Configure application networking services Automated network and service provisioning BIG IQ Cloud F5 SDAS Service Fabric Integrate network virtualization and ADN services Programmability Programmability F5 Platforms Hardware Software Cloud Automate network and service provisioning, Provisioning and orchestration of BIG-IP in AWS F5 Networks, Inc 42

Cisco ACI Design Philosophy

Why Cisco/ACI matters for Customers Cisco and F5 share a common vision for simplifying networking end to end by taking an application-centric approach to solving key pain points in customer s next generation data centers while meeting their critical data center requirements today. Working with Cisco on Application Centric Infrastructure, F5 has a unique opportunity to deliver on vision of shaping infrastructure to the needs of the applications. Cisco ACI integrates F5 Big-IP appliances (physical and virtual) to deliver application-centric, ADC-enabled network automation in existing and next generation data centers

Benefits Drive Increase Reduce Future F5 Networks, Inc. 45

SDDC/Cloud

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback