Large FSI DDoS Protection Reference Architecture

Similar documents
Deploying a Next-Generation IPS Infrastructure

Deploying a Next-Generation IPS Infrastructure

Prompta volumus denique eam ei, mel autem

Archived. Deploying the BIG-IP LTM with IBM Cognos Insight. Deployment Guide Document version 1.0. What s inside: 2 Products and versions tested

Complying with PCI DSS 3.0

Simplifying Security for Mobile Networks

Enhancing VMware Horizon View with F5 Solutions

Optimizing NetApp SnapMirror Data Replication with F5 BIG-IP WAN Optimization Manager

F5 and Nuage Networks Partnership Overview for Enterprises

Archived. Configuring a single-tenant BIG-IP Virtual Edition in the Cloud. Deployment Guide Document Version: 1.0. What is F5 iapp?

Deploying the BIG-IP System with CA SiteMinder

Deploying the BIG-IP LTM with IBM QRadar Logging

Deploying the BIG-IP System with Oracle Hyperion Applications

Securing the Cloud. White Paper by Peter Silva

The F5 Intelligent DNS Scale Reference Architecture

DESIGN GUIDE. VMware NSX for vsphere (NSX-v) and F5 BIG-IP Design Guide

Archived. h h Health monitoring of the Guardium S-TAP Collectors to ensure traffic is sent to a Collector that is actually up and available,

Validating Microsoft Exchange 2010 on Cisco and NetApp FlexPod with the F5 BIG-IP System

Protect Against Evolving DDoS Threats: The Case for Hybrid

Comprehensive datacenter protection

Deploying the BIG-IP System v11 with DNS Servers

The Myth of Network Address Translation as Security

Managing the Migration to IPv6 Throughout the Service Provider Network White Paper

Distributing Applications for Disaster Planning and Availability

Prompta volumus denique eam ei, mel autem

Meeting the Challenges of an HA Architecture for IBM WebSphere SIP

Improving VDI with Scalable Infrastructure

Load Balancing 101: Nuts and Bolts

Data Center Virtualization Q&A

Protecting Against Online Banking Fraud with F5

Multi-Tenancy Designs for the F5 High-Performance Services Fabric

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

Webshells. Webshell Examples. How does a webshell attack work? Nir Zigler,

Solutions Guide. F5 solutions for the emerging 5G landscape

Providing Security and Acceleration for Remote Users

Managing BIG-IP Devices with HP and Microsoft Network Management Solutions

WHITE PAPER. F5 and Cisco. Supercharging IT Operations with Full-Stack SDN

Geolocation and Application Delivery

Optimize and Accelerate Your Mission- Critical Applications across the WAN

Enabling Long Distance Live Migration with F5 and VMware vmotion

The Programmable Network

Unified Application Delivery

Document version: 1.0 What's inside: Products and versions tested Important:

What s next for your data center? Power Your Evolution with Physical and Virtual ADCs. Jeppe Koefoed Wim Zandee Field sales, Nordics

A GUIDE TO DDoS PROTECTION

F5 iapps: Moving Application Delivery Beyond the Network

Vulnerability Assessment with Application Security

Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution

Resource Provisioning Hardware Virtualization, Your Way

Deploying WAN-Optimized Acceleration for VMware vmotion Between Two BIG-IP Systems

ANNUAL REPORT SOLUTIONS FOR AN APPLICATION WORLD.

Addressing Security Loopholes of Third Party Browser Plug ins UPDATED FEBRUARY 2017

v.10 - Working the GTM Command Line Interface

The F5 Application Services Reference Architecture

Securing LTE Networks What, Why, and How

F5 in AWS Part 3 Advanced Topologies and More on Highly Available Services

The Expectation of SSL Everywhere

APM Cookbook: Single Sign On (SSO) using Kerberos

Citrix Federated Authentication Service Integration with APM

Cookies, Sessions, and Persistence

Load Balancing 101: Nuts and Bolts

Server Virtualization Incentive Program

201 - TMOS TECHNOLOGY SPECIALIST

401 - SECURITY SOLUTION EXPERT

SOLUTION GUIDE. F5 Security Solutions

Converting a Cisco ACE configuration file to F5 BIG IP Format

Deploy F5 Application Delivery and Security Services in Private, Public, and Hybrid IT Cloud Environments

BIG IQ Reporting for Subscription and ELA Programs

F5 icontrol. In this white paper, get an introduction to F5 icontrol service-enabled management API. F5 White Paper

Secure Mobile Access to Corporate Applications

VMware vcenter Site Recovery Manager

OPTIMIZE. MONETIZE. SECURE. Agile, scalable network solutions for service providers.

Maintain Your F5 Solution with Fast, Reliable Support

NGIPS Recommended Practices

Session Initiated Protocol (SIP): A Five-Function Protocol

SOA Infrastructure Reference Architecture: Defining the Key Elements of a Successful SOA Infrastructure Deployment

F5 Reference Architecture for Cisco ACI

Archived. Deploying the BIG-IP LTM with IBM Lotus inotes BIG-IP LTM , 10.1, 11.2, IBM Lotus inotes 8.5 (applies to 8.5.

Key Considerations in Choosing a Web Application Firewall

Software-Defined Hardware: Enabling Performance and Agility with the BIG-IP iseries Architecture

SNMP: Simplified. White Paper by F5

Deploying the BIG-IP LTM with Oracle JD Edwards EnterpriseOne

Automating the Data Center

TCP Optimization for Service Providers

BIG-IP Global Traffic Manager

Pulse Secure Application Delivery

Sichere Applikations- dienste

Considerations for VoLTE Implementation

Key Considerations in Deploying an SSL Solution

RETHINKING DATA CENTER SECURITY. Reed Shipley Field Systems Engineer, CISSP State / Local Government & Education

Cisco HyperFlex and the F5 BIG-IP Platform Accelerate Infrastructure and Application Deployments

How to Future-Proof Application Delivery

Archived. For more information of IBM Maximo Asset Management system see:

A10 DDOS PROTECTION CLOUD

F5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution

F5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe

BIG IP APM: Max Sessions Per User Enable users to terminate a specified session

BIG-IP V11.3: PRODUCT UPDATE. David Perodin Field Systems Engineer III

Global Distributed Service in the Cloud with F5 and VMware

The Dynamic DNS Infrastructure

Transcription:

Large FSI DDoS Protection Reference Architecture Customers ISPa Tier 1: Protecting L3-4 and DNS Network Firewall Services + Simple Load Balancing to Tier 2 Tier 2: Protecting L7 Web Application Firewall Services + SSL Termination AFM LTM ASM LTM Partners ISPb Multiple ISP strategy VIPRION Platform + IP Intelligence (IPI) Module DNS Services Network HSM (FIPS140) SSL re-encryption GTM SSL inspection at either tier Cloud Scrubbing Service BIG-IP Advanced Firewall Manager BIG-IP Local Traffic Manager BIG-IP Global Traffic Manager Simplified Business Models GOOD BETTER BEST BIG-IP Application Security Manager + IP Intelligence Figure 4: The F5 DDoS protection large FSI data center deployment scenario FSI customer scenario The large FSI data center scenario is a mature, well-recognized use case for DDoS. This is what FSIs are building right now. Typically the FSI will have multiple service providers but may forgo those service providers volumetric DDoS offerings in favor of a cloud-based scrubbing service. The FSI data center often has few corporate staff within it so there is no need for a next-generation firewall. FSIs have the most stringent security policy outside of the federal/military vertical. For example, nearly all FSIs must keep the payload encrypted through the entire data center. FSIs have the highest-value asset class (bank accounts) on the Internet, so they are frequent targets not just for DDoS but also for hacking. The two-tier architecture enables FSIs to scale their CPU-intensive, comprehensive security policy at tier 2 independently of their investment in tier 1. This use case allows FSIs to create a DDoS-resistant solution while retaining (indeed, while leveraging) the security equipment that they already have. The firewalls at tier 1 continue to do their job, and the BIG-IP ASM devices at tier 2 continue to prevent breaches. 13

Location Tier 1 Tier 2 DNS F5 Equipment VIPRION Chassis (Pair) VIPRION Add-On: BIG-IP AFM Mid-Range BIG-IP Appliance License Add-On: BIG-IP ASM Mid-Range BIG-IP Appliance (Pair) Table 4: Sizing recommendations for the FSI customer deployment scenario Enterprise DDoS Protection Reference Architecture STOMER SCENARIO: Next-Generation Firewall Users leverage NGFW for outbound protection Employees Customers ISPa Tier 1: Protecting L3 4 and DNS Network Firewall Services + DNS Services + Simple Load Balancing to Tier 2 Tier 2: Protecting L7 Web Application Firewall Services + SSL Termination Partners ISPb ISP provides volumetric DDoS service + IP Intelligence (IPI) Module Can inspect SSL at either tier Cloud Scrubbing Service BIG-IP Advanced Firewall Manager BIG-IP Local Traffic Manager BIG-IP Global Traffic Manager BIG-IP Access Policy Manager BIG-IP Application Security Manager Simplified Business Models GOOD BETTER BEST + IP Intelligence Figure 5: The F5 DDoS protection enterprise data center deployment scenario Enterprise customer scenario The enterprise anti-ddos scenario is similar to the large FSI scenario. The primary difference is that enterprises do have staff inside the data center and therefore need the services of a next-generation firewall (NGFW). They are tempted to use a single NGFW for both ingress and egress, but this makes them vulnerable to DDoS attacks. Another difference is that enterprises will often use the volumetric DDoS service offered by the Internet service provider (ISP). 14

The recommended enterprise architecture includes a smaller NGFW on a separate path from the ingress application traffic. By using two tiers, the enterprise can take advantage of asymmetric scaling. They can add more BIG-IP ASM devices if they find that their CPU at tier 2 is at a premium. Different verticals and companies have different requirements. By using F5 equipment at both tiers, the enterprise architecture allows the customer to decide where it makes the most sense for them to decrypt (and optionally re-encrypt) the SSL traffic. For example, an enterprise can decrypt SSL at tier 1 so that they can mirror the decrypted traffic off to a network tap that is monitoring for advanced threats. Location Tier 1 Tier 2 F5 Equipment High-End BIG-IP Appliance (Pair) License Add-On: BIG-IP AFM Mid-Range BIG-IP Appliance License Add-On: BIG-IP ASM DNS Mid-Range BIG-IP Appliance (Pair) Table 5: Sizing recommendations for the enterprise customer deployment scenario SMB DDoS Protection Reference Architecture Next-Generation Firewall Users leverage NGFW for outbound protection Employees Customers ISPa Protecting L3 7 and DNS Network Firewall Services + DNS Services + Web Application Firewall Services + Compliance Control Partners ISPb ISP provides volumetric DDoS service BIG-IP Advanced Firewall Manager BIG-IP Local Traffic Manager BIG-IP Global Traffic Manager BIG-IP Access Policy Manager BIG-IP Application Security Manager Simplified Business Models GOOD BETTER BEST Figure 6: The F5 DDoS protection small-to-medium business data center deployment scenario 15

SMB customer scenario The SMB data center use case is all about providing security while maximizing the value of consolidation. These businesses are very serious about getting the most bang for their buck. They would like to do everything from one device if they can, and they are willing to go offline during a DDoS attack. For this use case, the customer is putting all their eggs in one basket. They will get the most cost-efficient solution but will also have the largest availability challenge. For example, if they have a policy issue with BIG-IP ASM, or if Application Visibility and Reporting cannot keep pace with the traffic, the entire box may become unavailable. However, a one-tier architecture can actually reduce risk in smaller organizations that do not have the resources to support a larger, two-tier architecture. The organization gains efficiency by focusing specialized resources with deep knowledge on a single platform. F5 provides high availability systems, superior scale and performance, and world-class support that help further offset risk. Certainly financial savings is the biggest benefit of the single-tier architecture. These customers get a superior DDoS solution with equipment that is already working to deliver their revenue-generating applications every day. The consolidated environment helps save on rack space, power, management, and a range of other costs. Location Single Tier F5 Equipment Mid- to High-End BIG-IP Appliance Pair License Add-On: BIG-IP GTM License Add-On: BIG-IP ASM License Add-On: BIG-IP AFM License Add-On: BIG-IP APM Table 6: Sizing recommendations for the SMB customer deployment scenario 16

Sizing Specifications Table 7 shows specifications for the range of F5 hardware devices that are available to meet customers scaling requirements. Throughput SYN Flood (per second) ICMP Flood HTTP Flood (JavaScript redirect) SSL Flood (+20k attack requests) TCP Connections SSL Connections VIPRION 2400 4-blade chassis 10200V Appliance High-end appliance 7200V Appliance Mid-range appliance 5200v Appliance Low-range appliance 160 Gbps 196 million 100 Gbps 350,000 RPS 16,000 TPS 48 million 10 million 80 Gbps 80 million 56 Gbps 175,000 RPS 16,000 TPS 36 million 7 million 40 Gbps 40 million 32 Gbps 131,000 RPS 16,000 TPS 24 million 4 million 30 Gbps 40 million 32 Gbps 131,000 RPS 16,000 TPS 24 million 4 million Table 7: F5 hardware specifications for DDoS protection. See the customer use cases for specific sizing recommendations. 17

Conclusion This recommended DDoS protection reference architecture leverages F5 s long experience combatting DDoS attacks with its customers. Small- and medium-size businesses are finding success with a consolidated approach. Global financial services institutions are recognizing that the recommended two-tier architecture represents the ideal placement for all of their security controls. Enterprise customers are re-arranging and re-architecting their security controls around this architecture as well. For the foreseeable future, a two-tier DDoS protection architecture should continue to provide the flexibility and manageability that today s architects need to combat the modern DDoS threat. F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com F5 Networks, Inc. Corporate Headquarters info@f5.com F5 Networks Asia-Pacific apacinfo@f5.com F5 Networks Ltd. Europe/Middle-East/Africa emeainfo@f5.com F5 Networks Japan K.K. f5j-info@f5.com Solutions for an application world. 2013 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 11/13 WP-SEC-13307-ddos-protection

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback