BIG-IP APM: Access Policy Manager v11
David Perodin, Field Systems Engineer
Overview
- What is BIG-IP Access Policy Manager (APM)?
- How APM protects organization-facing applications by providing policy-based, context-aware access to users
- Creating individual and group authorizations with APM's Visual Policy Editor
- APM demo
F5 Application Delivery Networking

What is BIG-IP Access Policy Manager?
BIG-IP Access Policy Manager (APM): Authentication and Authorization Services for BIG-IP

BIG-IP APM features:
- Centralizes web single sign-on and access control services
- Full-proxy L4-L7 access control at BIG-IP speeds
- Dynamic ACL control
- SSL VPN with split-tunneling
- Adds endpoint inspection to the access policy
- Visual Policy Editor (VPE) provides policy-based access control
- VPE Rules: programmatic interface for custom access policies

BIG-IP APM ROI benefits:
- Consolidates infrastructure
- Reduces AAA management costs
- Simplifies web access

AAA = Authentication, Authorization and Accounting (or Auditing)
Alternative approaches

1. Code in the app
- Costly, difficult to change
- Not repeatable
- Decentralized
- Less secure

2. Agents on servers
- Difficult to administer
- Interoperability problems
- Decentralized
- Less secure

3. Specialized access proxies
- Don't scale as well
- Often inferior reliability
- More boxes for network operations

The APM alternative
- No agents on servers
- No app coding or changes
- No extra proxy tier
- Repeatable across apps
- Superior scalability and HA
- Unified Application Delivery Services (ADC)
- Load balances directory services
- Centralized auth visibility
- Better security model
APM v10.1 features

Better authentication and authorization
- Forms-based authentication
- Dynamic per-session layer 4-7 (HTTP) ACLs
- Visual Policy Editor (VPE)
- SSO/credential caching: HTTP Basic, HTTP NTLMv1/v2, cookie, form, and HTTP header
- Authentication: native RSA SecurID, RADIUS accounting, AD, auth server redundancy

Easy user access
- Web-based and standalone client
- Mobility: roaming and smart connection
- Acceleration: dynamic data compression

Strong endpoint security
- Endpoint inspection checks
- Protected Workspace with encryption and virtual file system
- Group policy integration
- Virtual keyboard

Manageability / usability
- Customizable user interface
- Set-up deployment wizards
- Dashboard executive summary
- Reporting and stats
- Policy import/export
- QoS on Windows machines (client side)
- Windows 7 support

Interoperability and integration
- ASM and WA interoperability
- APM events in iRules
- Splunk for F5 logging and reporting

Virtualization architecture
- Multiple virtual APMs, targeted at service providers and large enterprises
- Separate access policy grouping for each virtual APM
- Can have separate security administrators, with master administrator control
APM v11 features
- IPsec-optimized site-to-site tunnels
- Dynamic webtop with application tunnels
- Access: external dynamic ACLs, Flash patching, Oracle Access Manager 11g
- Hosted VDI: Microsoft Remote Desktop, expanded Citrix VDI support (proxy and portal mode)
- Endpoint inspection: Protected Workspace, Machine Info Inspector
- Reporting and analytics: custom and built-in reports, access and application analytics for the remote access solution
- Scale for the global enterprise: 11000 Series, 60k users, with 1.2 TB of storage
- SSO enhancements: SSO across multiple domains, Kerberos authentication (CAC cards, etc.)
How does APM work? How does APM enforce policy- or context-based access for users?
Three primary components of BIG-IP APM functionality

Access credentials
- Allows for designing policies for authentication and authorization
- Provides endpoint security checking to ensure compliance
- Allows centralized visibility of the authorization environment
- Define one access profile for all connections coming from any device

Authorization
- Provides dynamic access control based on user identity, IP address and attributes (such as group membership)
- Contributes to access profiles and authorization
- Adds access control support to BIG-IP LTM virtual servers

Authentication and performance
- Gain insight into who is on the network and which applications they are using
- Maintains complete, policy-based control
- Secures connections with SSL encryption and provides access authentication using ACLs and AAA server support

Apply repeatable access policies while making the network context-aware.
Authentication all in one, and fast SSO: F5 BIG-IP Access Policy Manager
- Dramatically reduce infrastructure costs; increase productivity
- BIG-IP v11
Advanced authentication and access control: web-based applications with dynamic ACL control

- www.example.com: LTM for public HTTP traffic
- news.example.com: LTM + APM for access control

Traffic flows:
- HTTP traffic for the public, with no access control
- HTTP traffic for visitors/guests: the access profile manages access
- HTTPS traffic for subscribers: the access profile provides the login page and authentication
All authentication in one solution: OCSP, CRLDP and TACACS+ Advanced Client Auth (ACA) features are implemented in APM.

Visual Policy Editor: the easy way of creating an access policy
Access policy design
- Industry-leading Visual Policy Editor (VPE)
- Flexible, easy-to-understand visual representation of the policy
- VPE Rules (Tcl-based) for advanced functions
- Triggers TMM iRule events
- Usability features: macros, visual cues to aid configuration
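The slides say VPE Rules are Tcl-based and that APM raises iRule events; the dynamic-ACL slide describes subscribers authenticating through an access profile on news.example.com. The following iRule is an added example, not from the deck or F5's documentation. It assumes the access policy contains an AD Query agent that populates the session variable session.ad.last.attr.memberOf, and it uses the hypothetical group DN "CN=Subscribers,OU=Groups,DC=example,DC=com" and a hypothetical custom variable session.custom.tier.

```tcl
# Added example (not from the F5 deck). Assumes an AD Query agent in the
# VPE has populated session.ad.last.attr.memberOf; the group DN and the
# session.custom.tier variable are hypothetical names for illustration.

when ACCESS_POLICY_COMPLETED {
    # Only act on sessions the VPE itself has allowed; a deny or redirect
    # result is handled by the policy's own ending.
    if { [ACCESS::policy result] ne "allow" } {
        return
    }

    set user   [ACCESS::session data get "session.logon.last.username"]
    set groups [ACCESS::session data get "session.ad.last.attr.memberOf"]

    # Enforce group membership here rather than trusting only the logon:
    # a valid AD user who is not a subscriber still gets no session.
    if { [string first "CN=Subscribers,OU=Groups,DC=example,DC=com" $groups] == -1 } {
        log local0. "APM: $user authenticated but is not a subscriber; ending session"
        ACCESS::respond 403 content "Subscription required"
        ACCESS::session remove
        return
    }

    # Record the decision in a session variable so later events (and the
    # session-variable view in Reports) can see why the session was allowed.
    ACCESS::session data set "session.custom.tier" "subscriber"
    log local0. "APM: subscriber session established for $user"
}

when ACCESS_ACL_ALLOWED {
    # Fires per request after the per-session dynamic ACL has allowed it.
    # A per-request check on top of the ACL, without re-running the policy.
    if { [HTTP::uri] starts_with "/admin" &&
         [ACCESS::session data get "session.custom.tier"] ne "subscriber" } {
        ACCESS::respond 403 content "Forbidden"
    }
}
```

The same membership test can be written as a VPE branch rule on the AD Query agent, for example `expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Subscribers" }`, so that non-subscribers fall through to a Deny ending instead of reaching the iRule at all; the iRule form is useful when the decision needs logging or a custom response that the VPE endings do not provide.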
VPE creation (screenshots: the policy is built step by step and shown completed)
Customized user interface: updated end-user interface with full customization
- Stylesheet (CSS) based customization eliminates the need to customize each page individually
- Form location (left, center, right)
- Font style and sizes
- Header and footer
Easy access policy deployment wizards
- Deployment-specific wizards for Web Access Management for LTM virtuals, Network Access, and Web Applications Access
- Step-by-step configuration, context-sensitive help, review and summary
- Creates a base set of objects and an access policy for common deployments
- Automatically branches to necessary configuration (e.g., DNS)
Reporting and statistics
- Native BIG-IP TM stats and RRD integration
- Dashboard integration for real-time monitoring
- New Reports section covering active and expired user sessions
- Easy navigation and viewing of user session variables
Sample detailed report: gain a deeper understanding
- All sessions with geolocation
- Local time
- Virtual IP
- Assigned IP
- ACLs
- Applications and OSs
- Browsers
- Customizable reports
- Export for distribution
Dashboard executive summary
- Administrators quickly view the BIG-IP APM Dashboard for a real-time understanding of access health
- Default template shows Active Sessions, Network Access Throughput, New Sessions, and Network Access Connections
- Optionally, administrators create customized views using the Dashboard Windows Chooser: drag and drop selections onto the window pane with the type of statistics desired for fast
Access and application analytics
- Stats grouped by application and user
- Provides business intelligence: ROI reporting, capacity planning, troubleshooting, performance

Stats collected: client IPs, client geography, user agent, user sessions, client-side latency, server latency, throughput, response codes, methods, URLs

Views: virtual server, pool member, response codes, URL, HTTP methods
What is the value of F5 access?

Access value proposition
- Integrates with existing enterprise infrastructure and applications
- Authentication and access to networks, applications and portals
- Comprehensive endpoint security for corporate compliance
- Powerful, easy-to-use management interface
- Scalability, performance and reliability
- Better security by driving identity into the network
- Reduced cost of managing AAA with integrated authentication
- Only ADC that effectively provides Web Access Management capabilities
Citrix XenApp and XenDesktop authentication problems
- Costly, complex, and not extensible
- Authentication managed in multiple locations
- Manual scripting for authentication integration

Simplified access for Citrix XenApp
- Manage access from one consolidated solution
- Eliminate NetScalers and Access Gateways
- Supports proxy or portal mode to the Citrix Web Interface
2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS, and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries.
F5 contacts
- Jon Teunis, Major Account Manager, J.Teunis@f5.com, 301-788-0248
- David Perodin, Field Systems Engineer, D.Perodin@F5.com, 703-282-0218

APM demo