Providing Secure, Fast and Available SharePoint with F5 BIG-IP John Lee, Federal Systems Engineer Version 3.0
[Diagram: Traffic Manager Operating System (TMOS) architecture. Labels: Rate Shaping, TCP Express, SSL, Caching, XML, Compression, OneConnect, TCP Express, ASM, Web Accel, 3rd Party; Microkernel; TCP Proxy; Client Side; Server Side; Client; Server; iRules; High Performance HW; iControl API.] Application Delivery Network. TMOS Traffic Plugins: High-performance Networking Microkernel; Powerful Application Protocol Support. iControl: External monitoring and control. iRules: Network Programming Language. F5 Networks, Inc
Too much, too fast
Most Common: CMS, Workflow, KPI/BI
Weak points
Standard Topologies = Complex, VM & Storage Sprawl
Performance, Redundancy, DDoS Protection. SSL Acceleration (& Termination): DHE, RSA, DSA, ECC, TLS 1.3 & PFS. Protocol Optimization: TCP & HTTP. Fast Cache (Limited). TCP Queuing. Compression. Application Availability & Redundancy. Intelligent Application Monitors. DDoS Protection (Core). SSL Visibility. ICAP.
New Features in 2013. Host Named Site Collections; More FQDNs. Request management: L7: Throttling & Routing; Static Weight; Health Weight; Disabled by Default; Criteria: CustomHeader, Host, HttpMethod, IP, SoapAction.
Application Security Manager
Protect your Apps. HTML Content Streaming & PII Protection. OWASP Top 10: A1 Injection; A2 Broken Authentication and Session Management; A3 Cross-Site Scripting (XSS); A4 Insecure Direct Object References; A5 Security Misconfiguration; A6 Sensitive Data Exposure; A7 Missing Function Level Access Control; A8 Cross-Site Request Forgery (CSRF); A9 Using Components with Known Vulnerabilities; A10 Unvalidated Redirects and Forwards. Application Security: Layer 5-7 Application Protection; PCI DSS Compliance; Positive + Negative Security Models; ICSA Certified Web App Firewall; Integrated into the BIG-IP ADC; Industry Partnerships; Automate Signature Updates.
Access Policy Manager
BIG-IP Access Policy Manager. Identify, authenticate, and control user access to your applications. Secure and accelerate application access from any device and location. Consolidate AAA and SSO services for enterprise applications. RDP, View, Citrix Xen Support; Federate via SAML Single Sign On; Mobile User Access; Scalable SSL VPN; Advanced Endpoint checks; BYOD: iOS, Win8, Android Support.
The impact of LTM+APM for SharePoint? Protocol Optimization + SSL Acceleration & Offloading + Authentication Offloading. Faster Deployment + Added Security + Happier Users. [Diagram: Clients, SharePoint Farm, External System. Incoming Authentication: Classic (Windows Auth), Claims. Intra/Inter Farm Authentication: Classic (Windows Auth), Claims. Outgoing Authentication: Claims.] But wait, there's more
Application Accelerator Manager
SharePoint Acceleration, More New stuff? Workflow Manager: Doesn't support IPv6. UX Improvements; HTML5; Caching (AppFabric Distributed Cache); Feeds; Logon Tokens; Search; Mobile Support; Minimal Download Strategy; Browser Support.
Application Delivery Optimization: Holistic approach to improving performance throughout the application delivery chain. Client: Improve the user experience for traditional and mobile users; Deliver the right content to the right user in the fastest time. Network: Connect applications and users in a global enterprise; Provide the fastest network at the lowest cost; Increase network efficiency to best utilize resources. Data center: Improve availability of enterprise applications; Increase application server capacity; Integrate new technologies without recoding applications.
Accelerating the Client. Content control: Deliver content to clients with minimal network overhead. Data reduction: Optimize images and files for mobile browsers to improve page load times.
Accelerating the Network. Compression and deduplication: Reduce amount of data transmitted; Improve network throughput and response; Increase bandwidth efficiency; Adaptive / Client Aware Compression. Protocol optimization: Tune TCP and HTTP parameters to adapt to changing network conditions. Loss correction: Correct for high-loss networks to decrease transmission time and improve user experience.
Acceleration in the Data Center. Fast cache: Offload repetitive traffic from web and application servers to increase server capacity. Core / LTM Load balance: Distribute application load across multiple servers to increase availability. Offload: Increase server capacity; Accelerate SSL processing; Manage TCP connections more efficiently. SPDY gateway: Leverage SPDY and other protocols without recoding applications.
Image Optimization? That too. What: Convert from JPEG or PNG to WebP; Reduces file size by up to 73%; Preserve copyright before stripping EXIF headers; Retries if optimization skipped due to load; Improved dashboard stats. Why: Reduce size of web page; Especially useful for mobile browsers.
What does it mean? Faster load times; Reduce VM Sprawl; Better user experience; Reduced bandwidth; Reduce Storage Requirements; Reduce Complexity.
Low Level Test Case: LTM + APM + WA, 20 Concurrent Users, SSL Offload. >89% Decrease in average page load time. >36% Decrease in outbound Bandwidth consumption. >50% Decrease in per user Bandwidth consumption.
Don't just take my word for it: https://f5.com/support/tools/f5-application-speed-tester
Use Cases: TMG End of Life. Simplification of the current Architecture. Complex Authentication requirements. Cross-Domain Solution; Multiple SharePoint Farms, Multiple Active Directory Forests, External users. LTM+APM+WA for NIPR and SIPR. Streamlined farm migration. Elimination of point solutions.
DoD Certifications: FIPS 140-2, DNSSEC, IPv6 NIAP CCC C&A DISA ATO NMCI JWIC's SOCOM & CENTCOM TIC PKE Certification DISA UC-APL (TN#1312201) US Army's IA-APL
Know your FIPS levels? Level 1; Level 2 (L1+); Level 3 (L2+); Level 4 (L3+). Evaluated crypto algorithms and/or random number generators; No physical security requirements, can be software only; Physical enclosures with pick-resistant locks or tamper-evident stickers; Enclosures opaque in the visible spectrum; Automatic deletion; Kevlar jacketing and EMP-like deletion; Hermetically sealed enclosure.