ADC in the Cloud Era: Application Services for Hybrid Cloud and Microservice Scenarios
Ralf Sydekum, SE Manager DACH, F5 Networks GmbH
Some of the Public-Cloud-Related Questions You May Have
It's easy to get overwhelmed before you even start.
F5 Networks, Inc
Keeping Your Cloud Platform Projects Secure
The majority of the responsibility for cloud security is on the user, not the provider (shared responsibility model).
Customer secures what runs IN the cloud:
- Customer Data & Content
- Customer Deployments, Platform & User Management
- OS, Firewall & Network Settings & Configuration
- Encryption & Network Traffic Protection
Provider secures the infrastructure:
- Infrastructure Services: Storage, Network, Compute
References:
https://aws.amazon.com/compliance/shared-responsibility-model/
https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/
F5 Mission: Delivering app-centric services wherever your apps go
Services: ADC, Local Load Balancing, Security, Performance, Secure Web Gateway, DDoS Protection, Identity and Access, Firewall
Deployment models: Private Cloud (on premises), Public Cloud (off premises), Hybrid Cloud
Shifting Influence
From Traditional Data Center to Cloud
Traditional data center: Security Admin, Server Admin, Network Admin and Storage Admin each administer Compute, Networking and Storage manually and in silos.
Private cloud data center: App Dev Team and Security Auditor work through self-service; an Automation & Orchestration System (Controller) drives Compute, Networking and Storage.
F5 Programmability: Programmable Management, Control & Data Planes
- iControl (REST & SOAP): allows lightweight, rapid interaction between user, script & F5 devices
- iApps: services-based, template-driven configurations on BIG-IP
- iRules: allows complete programmatic access to application traffic in real time
L4-L7 Configuration via Cloud Orchestrator
Control plane: Cloud Orchestrator (optional) with SDN Controller (APIC), Heat (iApp) and iWorkflow (iApp Catalogue), exposed through a REST API.
Proxy plane: L2-L3 network configuration goes to the Layer 2-3 stateless fabric; L4-L7 service configuration (F5) goes via REST APIs to BIG-IP Layer 4-7 services; app configuration goes to the apps themselves.
Rise of DevOps, Containers, Open Source
Sources: RightScale 2016 State of the Cloud report; dog; octoverse.github.com
What are Containers?
Virtual Machines: Infrastructure, Host Operating System, Hypervisor, then VM 1 / VM 2 / VM 3, each with its own Guest OS, Bins/Libs and App.
Containers: Infrastructure, Operating System, Container Runtime Environment, then Container 1 / Container 2 / Container 3, each with only Bins/Libs and App.
Lightweight, fast, portable! Kind of feels like a virtual machine, but sheds all the weight and startup overhead of a guest operating system.
Automating BIG-IP Services with F5 Container Connector: Managing north-south traffic
(1) App A is configured in the cluster scheduler (master node).
(2) Scheduler starts 3 instances of App A.
(3) Scheduler notifies F5 CC.
(4) F5 CC configures application services for App A on BIG-IP via REST API.
(5) User makes a request to App A through BIG-IP.
(6) L4-L7 services for N-S traffic towards App A are managed by BIG-IP.
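The six-step flow above is a reconciliation loop: the scheduler's view of App A is the desired state, the BIG-IP pool is the current state, and the connector's job is to emit the minimal set of changes between them. The following example, added here and not F5 Container Connector code, shows that step in isolation. The scheduler event, the existing pool membership and the REST paths (modelled loosely on a pool-members resource) are all constructed for the illustration; a real connector would authenticate and send the operations rather than return them.

```python
"""Added example, not F5 code: reconcile scheduler state into BIG-IP pool changes.
All input data is constructed; REST paths are placeholders for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    ip: str
    port: int


# Constructed scheduler notification (steps 2 and 3): three instances of App A,
# one of which is not yet ready and therefore must not receive traffic.
SCHEDULER_EVENT = {
    "app": "app-a",
    "instances": [
        {"ip": "10.0.1.11", "port": 8080, "state": "Running"},
        {"ip": "10.0.1.12", "port": 8080, "state": "Running"},
        {"ip": "10.0.1.13", "port": 8080, "state": "Pending"},
    ],
}

# Constructed current BIG-IP pool: one live member plus a stale one left over
# from an instance the scheduler has already removed.
CURRENT_POOLS = {"app-a": {Instance("10.0.1.11", 8080), Instance("10.0.1.99", 8080)}}


def desired_members(event):
    """Only instances the scheduler reports as Running belong in the pool."""
    return {Instance(i["ip"], i["port"]) for i in event["instances"] if i["state"] == "Running"}


def plan_changes(app, desired, current):
    """Diff desired against current membership into ordered REST operations (step 4).
    Adds come before removals so capacity never drops to zero mid-update."""
    key = lambda m: (m.ip, m.port)
    ops = []
    for m in sorted(desired - current, key=key):
        # Hypothetical path; a real connector would use the ADC's documented API.
        ops.append(("POST", f"/mgmt/tm/ltm/pool/{app}/members", {"name": f"{m.ip}:{m.port}"}))
    for m in sorted(current - desired, key=key):
        ops.append(("DELETE", f"/mgmt/tm/ltm/pool/{app}/members/{m.ip}:{m.port}", None))
    return ops


def reconcile(event, current_pools):
    """Return the operations to apply and the pool state after applying them.
    Running it twice on the same event must yield no further operations."""
    app = event["app"]
    desired = desired_members(event)
    current = current_pools.get(app, set())
    ops = plan_changes(app, desired, current)
    new_state = dict(current_pools)
    new_state[app] = desired
    return ops, new_state


if __name__ == "__main__":
    ops, state = reconcile(SCHEDULER_EVENT, CURRENT_POOLS)
    for method, path, body in ops:
        print(method, path, body or "")
    print("second pass:", reconcile(SCHEDULER_EVENT, state)[0])
```

The two properties worth checking in any connector of this kind are visible in the test: the Pending instance is excluded, the stale member is removed, and a second pass over unchanged scheduler state produces no operations, which is what keeps a notification storm from turning into configuration churn on the ADC.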
Which Cloud is Best for You?
Private Cloud (on premises)
- Pros: Strong security (sensitive data, keys); Full control (policies & compliance); Easily customizable
- Cons: Cost / upfront investment; Under-utilization; Capacity ceiling (limit)
Public Cloud (off premises)
- Pros: Time to market; Low initial costs (pay per use); Flexible & unlimited capacity growth; No CapEx; Costs only for the project's lifetime
- Cons: Security: private keys, policies, sensitive data; Storage: cost, data to/from the cloud; Cloud lock-in: policies, data transfer cost; Performance: higher latency
Hybrid Cloud: the user sits between private and public cloud.
Thinking about moving apps to Public Cloud?
Diagram: Private Cloud (ADC & Security) connected over the Public Internet to AWS (ADC & Security, AWS tools) and Azure (ADC & Security, Azure tools).
How about migrating/scaling or adding new apps to a public cloud provider to get the benefits of public cloud: cost, time to market and scale?
Migrating to a Hybrid Cloud
Diagram: Migrate/scale out the Orange App to AWS; deploy the new Green App to Azure; each side with its own ADC & Security and cloud tools, connected over the Public Internet.
- Pros: Time to market; Low initial costs (pay per use); Flexible & unlimited capacity growth
- Cons: Security: private keys, policy, sensitive data; Storage: cost, data to/from the cloud; Cloud lock-in: policy, data transfer cost; Performance: higher latency
Deploying F5 Virtual Edition in Public Cloud
Diagram: ADC & Security in Private Cloud, AWS and Azure, connected over the Public Internet.
- Pros: Unifying your L4-L7 application services and policies across your private and public cloud deployments; common orchestration tools/scripts (BYOL, utility billing)
- Cons: Security: private keys, policy, sensitive data; Storage: cost, data to/from the cloud; Cloud lock-in: policy, data transfer cost; Performance: higher latency
Introducing the Connector: Securing and automating app delivery in public cloud
Diagram: App Connector (AC) in the public cloud, a Secure Reverse Tunnel across the Public Internet, and ADC & Security holding the private keys in the Private Cloud.
F5 solution for private/public cloud interconnect:
- Secure reverse tunnel between private and public cloud (SSL keys stay on BIG-IP in the Private Cloud/DC)
- Public cloud resources auto-discovered and managed by BIG-IP in the Private Cloud/DC
Introducing the Connector: Pros and Cons
- Pros: Private keys stored in Private Cloud; App front-end via BIG-IP in Private Cloud; Auto-discovery of Public Cloud resources; All resources managed from Private Cloud
- Cons: Security: private keys, sensitive data; Storage: cost, data to/from the cloud; Cloud lock-in: data transfer cost; Performance: higher latency
Cloud Interconnect via Colocation
Diagram: Private Cloud (ADC & Security) extended into a Colo Facility (ADC & Security, Storage), which reaches the public cloud's App Connector (AC) over a Private Interconnect / Public Cloud XChange; the Secure Reverse Tunnel over the Public Internet remains as well.
- Pros: Extend your Private Cloud into the Colo Facility; Sensitive data securely stored in the colo; Colo brings the app closer to end users; Moving data in/out of the colo at low cost; Low latency towards all public cloud providers
- Cons: Security: sensitive data; Storage: cost, data to/from the cloud; Cloud lock-in: data transfer cost; Performance: higher latency
The expanded new DC
Diagram: as on the previous slide (Private Cloud extended into the Colo Facility, Private Interconnect / Public Cloud XChange to the App Connector in the public cloud, Secure Reverse Tunnel over the Public Internet), plus Silverline Services.
F5 Cloud Vision: Deploy any app, anywhere, with consistent application services and security
Goals: Consistent policies; Cloud freedom; Fastest time to service; Visibility; Lowest TCO
Environments: Private Cloud / current data center; CoLo; CoLo/Public Cloud managed hosting; Public Cloud (AWS, Google, Azure, IBM, Rackspace); SaaS apps
Visibility into threats
Client side: Cross-site request forgery, Man-in-the-browser, Session hijacking, Malware, DDoS
DNS and network: DNS spoofing, DNS cache poisoning, DNS hijacking, Man-in-the-middle, DDoS, Eavesdropping, Protocol abuse
Application: Man-in-the-middle, Malware, DDoS, API attacks, Injection, Key disclosure, Protocol abuse, Session hijacking, Abuse of functionality, Certificate spoofing, Cross-site scripting, Cross-site request forgery
Identity: Man-in-the-middle, Credential theft, Credential stuffing, Session theft, Brute force, Phishing
Visibility into the cloud
SSL/TLS Decryption for Breach Visibility
SSL Orchestrator decrypts inbound traffic, hands the cleartext to the inspection chain, and re-encrypts it: Network tap (long-term capture), ICAP (DLP), L2 (IPS), L3 (NGFW).
You need to understand an application's normal and expected behavior so you can recognize abnormal conditions.
Context dimensions (browser example, e.g. browser v3.1): App importance and risk; App type / version; App location; Authentication; Access method; Encryption; Device type & integrity; Device OS / operating system; Location; Network integrity; Network quality & availability; Network connection integrity.
You need to assess risk and make informed decisions about what kind of security controls to apply to protect your apps and data.
Risk-based Policy Protection
Decision per request: Allow / Deny / Challenge (OTP, client certificate).
Context inputs: User ID, Location (Asia, Europe), Endpoint, Device health, Device type, Malware, Sensitive data, Human.
Applied differently per app: Low-value app in Public Cloud IaaS versus High-value app in the Enterprise Data Center.
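The slide's point is that the same context attributes lead to different decisions depending on the value of the app being accessed. The following example, added here and not F5 APM policy code, shows one way to express that: hard stops for malware and non-human clients, then a score over the remaining context that is thresholded more strictly for the high-value app. The attribute names, weights, thresholds, expected-region table and sample requests are all constructed for the illustration.

```python
"""Added example, not F5 code: a risk-based access decision from request context.
Weights, thresholds and the expected-region table are constructed for illustration."""
from dataclasses import dataclass

ALLOW = "allow"
DENY = "deny"
CHALLENGE_OTP = "challenge-otp"
CHALLENGE_CERT = "challenge-client-cert"


@dataclass(frozen=True)
class Context:
    user_id: str
    location: str                 # region the request originates from
    device_type: str              # "managed" or "byod"
    device_healthy: bool          # endpoint posture check passed
    malware_detected: bool        # endpoint or traffic inspection flagged malware
    handles_sensitive_data: bool  # request touches data classified as sensitive
    is_human: bool                # bot detection classified the client as human


# Constructed table: regions each user is normally expected to work from.
EXPECTED_REGIONS = {"alice": {"Europe"}, "bob": {"Europe", "Asia"}}


def risk_score(ctx):
    """Additive score over the soft context signals; higher means riskier."""
    score = 0
    if not ctx.device_healthy:
        score += 30
    if ctx.device_type != "managed":
        score += 20
    if ctx.location not in EXPECTED_REGIONS.get(ctx.user_id, set()):
        score += 25
    if ctx.handles_sensitive_data:
        score += 15
    return score


def decide(ctx, app_value):
    """Map context onto Allow / Deny / Challenge for a 'high' or 'low' value app."""
    # Hard stops apply regardless of app value: malware or automation is denied.
    if ctx.malware_detected or not ctx.is_human:
        return DENY
    score = risk_score(ctx)
    if app_value == "high":
        # Enterprise data center app: low tolerance, stronger challenge.
        if score >= 60:
            return DENY
        if score >= 20:
            return CHALLENGE_CERT
        return ALLOW
    # Low-value app in public cloud IaaS: wider tolerance, lighter challenge.
    if score >= 80:
        return DENY
    if score >= 40:
        return CHALLENGE_OTP
    return ALLOW


if __name__ == "__main__":
    travelling = Context("alice", "Asia", "byod", True, False, False, True)
    for value in ("low", "high"):
        print(value, "->", decide(travelling, value))
```

A useful property to test for in a policy like this is that it is monotonic: adding a risk signal never turns a Deny into an Allow, and the high-value app is never more permissive than the low-value one for the same context.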
Federated Identity for Cloud Access
Corporate users reach the infrastructure through Access Protection (MFA, VPN, SSO, context-based auth) backed by Directory Services; attackers are stopped there.
Federation to SaaS providers (Office 365, Google Apps, Salesforce) uses SAML 2.0 and OAuth 2.0.
2017 F5 Networks
Web Firewall
Legitimate users and attackers reach web apps hosted in the private/hybrid cloud, on physical infrastructure, or in the public cloud through Web Firewall Services (private/public/hybrid/service): OWASP Top 10, bot protection, L7 DDoS, API protection; third-party DAST/DAST scans feed the policy.
Application Access & Application Protection: User Protection Capabilities
Capabilities: Secure Web Gateway, Remote Access, IP Intelligence, Web Fraud Protection, Hybrid WAF, Access Federation, SSL Inspection, App Access Management, Enterprise Mobility Gateway, DDoS Protection, DNS Security, Perimeter/DC Firewall
- Securing access from any user on any device
- Strongest set of application security controls that reduce risk
- Protecting your applications regardless of where they live