Array Networks NetContinuum. Netli. Fine Ground. StrangeLoop. Akamai. Barracuda. Aptimize. Inkra. Nortel. Juniper. Cisco. Brocade/Foundry.


Slide 2: Array Networks, NetContinuum, Netli, Barracuda, StrangeLoop, Inkra, Fine Ground, Aptimize, Akamai, Cisco, Citrix, Juniper, Zeus, Radware, Nortel, ActivNetworks, Brocade/Foundry, Swan Labs, A10, Redline, Coyote Point, Crescendo


Slide 5: F5 Networks product portfolio (diagram)
- BIG-IP Global Traffic Manager (GTM) spanning the international data center, users, Enterprise Manager, and applications & storage
- Modules: BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Link Controller, BIG-IP WebAccelerator, BIG-IP WAN Optimization Module, BIG-IP Application Security Manager, BIG-IP Access Policy Manager, BIG-IP Edge Gateway, FirePass SSL VPN, ARX File Virtualization
- Common platform: iControl, TMOS
F5 Networks, Inc.

Slide 6: TMOS Architecture, a unified system for application delivery (diagram)
- Full proxy between the client side (users) and the server side (applications)
- Services on the proxy: Rate Shaping, TCP Express, SSL, Caching, XML, Compression, OneConnect, App Security, Web Accel, 3rd party
- Microkernel, iRules, iControl, high performance hardware


Slide 9: GTM & DNS

Slide 10: BIG-IP Global Traffic Manager (GTM)
BIG-IP GTM:
- Is a wide-area load balancer, also known as a Global Server Load Balancer (GSLB)
- Uses DNS as the traffic management mechanism
- Puts intelligence into the DNS resolution process
- Monitors site availability and performance
BIG-IP GTM can be purchased:
- As a stand-alone
- As a software module add-on
- On BIG-IP hardware or as a Virtual Edition

Slide 11: Objects in the BIG-IP GTM Architecture
- Links provide access from the Data Center to the Internet
- Data Center objects (DC) are physical groupings of devices
- Server objects are grouped in Data Centers: BIG-IP GTMs; BIG-IP LTMs and LCs; standalone servers and other load balancers
(diagram: GTM/LTM pairs and servers in the Primary DC, Secondary DC, and Disaster Recovery DC)

Slide 12: Objects in the BIG-IP GTM Architecture
- Wide IP (WIP) objects: Fully Qualified Domain Names (FQDNs) associated with one or more pools; the applications to load balance/resolve to
- Virtual server objects: IP address:port combinations on server objects
- Pool objects: groups of virtual servers to be load balanced
- Server objects: may represent multiple real servers (load balancers) or a single physical (standalone) server; server objects often host multiple virtual servers
(diagram: a Wide IP maps to a GTM pool of :80 virtual servers hosted on servers in the Primary DC, Secondary DC, and Disaster Recovery DC; host names and addresses omitted)

Slide 13: Metric Collection in the GTM Architecture
- GTM is authoritative for the DNS names to be load balanced
- At least two GTMs: geographically distributed; synchronize configurations and metric collection
(diagram: Local DNS; GTM/LTM pairs and servers in the Primary DC, Secondary DC, and Disaster Recovery DC)

Slide 14: Metric Collection in the GTM Architecture
- Monitors test the availability and performance of servers and virtual servers
- BIG-IP devices use iQuery to pass this information
- Local DNS and other servers are monitored through Ping, SNMP, or EAVs
(diagram: the GTM sends IQ:get_vips() to each LTM and receives IQ:vips 1..n; it sends IQ:SNMP() and receives IQ:SNMP data; an SNMP response comes back from a server; Primary DC, Secondary DC, and Disaster Recovery DC)

Slide 15: Metric Collection in the GTM Architecture
- Probes determine network proximity between the GTM DC and the LDNS
- DNS names can be resolved based on: Availability; Performance; Network Proximity; Topology
(diagram: for this Local DNS the Primary DC is closest; GTM/LTM pairs and servers in the Primary DC, Secondary DC, and Disaster Recovery DC)

Slide 16: Metric Collection in the GTM Architecture
- BIG-IP GTM can persist repeat requests from a client (even to another BIG-IP GTM) to the same server for transaction continuity
(diagram: the Local DNS sends its 1st query and later queries are directed to the same server; GTM/LTM pairs in the Primary DC, Secondary DC, and Disaster Recovery DC)

Slide 17: Subdomain Delegation Mode
(diagram: the client sends a request to the LDNS; the LDNS sends a DNS request to the mycompany.com DNS, which returns a CNAME to gtm.mycompany.com; the GTM responds with the best IP based on the LDNS)
- GTM has the WIP config and owns the gtm subzone
- DNSSEC only for the subzone
- ZoneRunner on BIND for NS, SOA, etc. (extra management)
- No other features

Slide 18: Screening Mode
(diagram: the client sends a DNS request to the LDNS, which queries the GTM in front of the mycompany.com DNS servers; if the name matches a Wide IP the GTM answers, otherwise it load balances the request and sends it to the pool)
- GTM only manages the WIP config (simpler configuration)
- LTM iRules on the DNS VIP dynamically rewrite the response
- Add DNSSEC signature
- Add DNS Express

Slide 19: DNSSEC

Slide 20: F5 DNS Security: Securing the DNS Infrastructure with DNSSEC
Problem: the need to secure your DNS infrastructure from threats.
Why secure DNS?
- Rogue servers can poison the DNS cache and answer queries
- Need a method for trusted responses
- Need to meet Government mandates for DNSSEC compliance
Consequences:
- DNS denial of service (DDoS)
- Redirection
- Phishing and pharming
- Passwords stolen
- Sensitive data revealed
- Loss of sales revenue

Slide 21: DNS Infrastructure is Vulnerable
(diagram: the Local DNS sends the query example.com? toward the GTM, LTM, and application servers; a second, rogue example.com answer represents cache poisoning)

Slide 22: DNSSEC (Domain Name Security Extensions)
- A set of extensions to the Domain Name System (DNS)
- Provides an authenticated DNS query response
- Uses a chain of trust
- Adds a digital signature to DNS data
- Addresses the DNS vulnerability to cache poisoning attacks

Slide 23: Securing the DNS Infrastructure
(diagram: the Local DNS query example.com? is answered by the GTM with a signed response; with the public key the client gets a signed, trusted response; LTM and application servers sit behind the GTM)

Slide 24: Configuring DNSSEC on GTM
Ensures all responses comply with the DNSSEC protocol.
To configure DNSSEC compliance on GTM:
1. Create a DNSSEC key signing key
2. Create a DNSSEC zone signing key
3. Create a DNSSEC zone
4. Assign at least one key signing key and one zone signing key to the zone
To view the procedure for completing these tasks, check out the deployment guide, or the GTM Manual on the F5 support site: /gtm_dnssec.html#

Slide 25: Creating a Key Signing Key
- Key Name
- Bit Width (for the encryption algorithm)
- Use FIPS: Enabled or Disabled
- Type: Key Signing Key
- Optional: Rollover Period, Expiration Period

Slide 26: Creating a Zone Signing Key
- Key Name
- Bit Width (for the encryption algorithm)
- Use FIPS: Enabled or Disabled
- Type: Zone Signing Key
- Optional: Rollover Period, Expiration Period

Slide 27: Creating a DNSSEC Zone
- Global Traffic >> DNSSEC Zones
- Set Name to the FQDN
- Add at least one key signing key and one zone signing key
- Click Finished

Slide 28: Signed Resource Records
After the zone is signed, any Resource Record created in that zone will automatically be signed.
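The chain of trust that slides 22 through 28 describe (a key signing key anchoring the zone's DNSKEY set, a zone signing key signing every other RRset, a validator walking from the parent's DS record down to the answer) is easier to see in code. The following is an added example, not F5 code and not the GTM implementation: it uses textbook RSA over SHA-256 from the Python standard library in place of the real DNSSEC algorithms and wire formats, serialises RRsets as sorted text, and uses constructed names and addresses. It checks a genuine signed answer, an answer altered in transit, and an answer signed by a rogue server with its own keys.

```python
"""Added example (not F5 code): structural model of the DNSSEC chain of trust
using the KSK / ZSK split the slides describe. Simplifications, labelled as
such: textbook RSA over SHA-256 (standard library only) instead of RFC 4034
algorithms and wire formats; an RRset is a sorted text serialisation."""
import hashlib
import random

_rng = random.Random(7)  # fixed seed so the demo keys are reproducible

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test, enough for demo-sized keys."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def make_key(bits=512):
    """Key pair; 'bits' plays the role of the slide's Bit Width field."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def public_part(key):
    return f"{key['e']}:{key['n']}"  # DNSKEY rdata in this model

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, data):
    return pow(_digest(data), key["d"], key["n"])

def verify(public_text, data, signature):
    e, n = (int(x) for x in public_text.split(":"))
    return pow(signature, e, n) == _digest(data)

def canonical_rrset(owner, rtype, rdata):
    return "\n".join(f"{owner} {rtype} {rd}" for rd in sorted(rdata)).encode()

def ds_digest(public_text):
    """DS record content held by the parent zone: a hash of the child's KSK."""
    return hashlib.sha256(public_text.encode()).hexdigest()

def sign_zone(owner, ksk, zsk, rrsets):
    """Mirror of the GTM procedure: DNSKEY RRset signed by the KSK, every
    other RRset in the zone signed by the ZSK, an RRSIG beside each RRset."""
    dnskeys = [public_part(ksk), public_part(zsk)]
    zone = {"DNSKEY": {"rdata": dnskeys,
                       "rrsig": sign(ksk, canonical_rrset(owner, "DNSKEY", dnskeys))}}
    for rtype, rdata in rrsets.items():
        zone[rtype] = {"rdata": list(rdata),
                       "rrsig": sign(zsk, canonical_rrset(owner, rtype, rdata))}
    return zone

def validate(owner, zone, trusted_ds, rtype):
    """Validator walk: trusted DS -> KSK -> DNSKEY RRset -> ZSK -> requested RRset."""
    dnskeys = zone["DNSKEY"]["rdata"]
    anchored = [k for k in dnskeys if ds_digest(k) == trusted_ds]
    if not anchored:
        return False  # no key in the set is vouched for by the parent
    dnskey_data = canonical_rrset(owner, "DNSKEY", dnskeys)
    if not any(verify(k, dnskey_data, zone["DNSKEY"]["rrsig"]) for k in anchored):
        return False  # DNSKEY RRset not signed by the anchored KSK
    rrset = zone.get(rtype)
    if rrset is None:
        return False
    data = canonical_rrset(owner, rtype, rrset["rdata"])
    return any(verify(k, data, rrset["rrsig"]) for k in dnskeys)  # any trusted key may sign

def run_demo():
    """Returns (genuine, poisoned, spoofed) validation results: (True, False, False)."""
    owner = "example.com"
    ksk, zsk = make_key(), make_key()
    zone = sign_zone(owner, ksk, zsk, {"A": ["192.0.2.10", "192.0.2.11"]})
    parent_ds = ds_digest(public_part(ksk))  # what the parent publishes as the DS record
    # Poisoned: an answer altered in transit keeps the original RRSIG, which no longer matches.
    poisoned = dict(zone, A={"rdata": ["203.0.113.66"], "rrsig": zone["A"]["rrsig"]})
    # Spoofed: a rogue server signs with its own keys; nothing chains to the parent's DS.
    spoofed = sign_zone(owner, make_key(), make_key(), {"A": ["203.0.113.66"]})
    return (validate(owner, zone, parent_ds, "A"),
            validate(owner, poisoned, parent_ds, "A"),
            validate(owner, spoofed, parent_ds, "A"))
```

The split matters operationally: the parent only ever holds a hash of the KSK, so the ZSK can be rolled on the Rollover Period from slide 26 without touching the parent, while a KSK roll requires a new DS record upstream. Slide 28's point, that every new record in a signed zone is signed automatically, corresponds to the `sign_zone` loop running over whatever RRsets the zone holds.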

Slide 29: DNSSEC Availability on BIG-IP
- DNSSEC is an add-on to GTM and is an additional cost
- Has been available since v10.x
- DNSSEC is available on LTM/GTM combination boxes if the DNSSEC add-on is purchased
- DNSSEC is not available on LTM with the DNS Services add-on license (as of v11.1)

Slide 30: DNS Express

Slide 31: DNS Express
- High-speed, high-response authoritative DNS server
- Configuration size for tens of millions of records
- Answering millions of queries per second
- Zone transfer and notify for updates
- Authoritative DNS serving out of RAM
(diagram: Scalable DNS Performance; a DNS server manages the DNS records (OS admin and auth roles, Dynamic DNS, DHCP, NIC) while DNS Express in TMOS answers the DNS queries)

Slide 32: DNS Express Features
- Full IPv6 support
- Supports TCP or UDP
- Record type support: Unsupported: AXFR and IXFR; Supported: all others (e.g., A, AAAA, NS, CNAME, HINFO, WKS, MINFO, MX, TXT, MB, MG, AFSDB, ISDN, RP, RT, X25, PX, LOC, SPF)
- Update notification: allows the primary DNS to push updates
- Transaction Signature (TSIG): authenticates the zone transfer request

Slide 33: DNS Express Zone Transfer (diagram)
1. Zone transfer request: the DNS servers transfer the zone into TMOS on the F5 BIG-IP GTM
2. DNS query for ftp.example.com: check the DNS query against the WIP ftp.example.com; matches WIP or zone definition? YES; TMM responds with the IP address

Slide 34: Is DNS Express DNS Caching? No!
DNS Cache:
- Asks the real authoritative server on each new query
- Caches the answer to answer subsequent requests for the same query
- Almost never has the whole config, only the most requested items
- Easily beaten in a DDoS attack by varying the DNS query on every request
DNS Express:
- Has the whole zone already and is authoritative for that zone
- More like a high speed slave server, not a cache
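Slides 32 through 34 describe three behaviours that fit together: the primary DNS only releases a zone to a transfer request that carries a valid TSIG, the transferred zone then lives in memory on the secondary, and because the secondary holds the whole zone it can answer every name in it (including negative answers) without asking anyone upstream. The model below is an added example, not F5 code and not how DNS Express is implemented: the TSIG MAC is an HMAC-SHA256 over a canonical text of the request rather than the RFC 8945 wire layout, the zone transfer is a Python call rather than AXFR over TCP, and every key, name, timestamp and address is constructed for the demo.

```python
"""Added example (not F5 code): a TSIG-authenticated zone transfer feeding an
in-memory authoritative server, modelled on the DNS Express slides.
Simplifications, labelled as such: the MAC covers a canonical text of the
request instead of the RFC 8945 wire layout, and the transfer is a Python
call instead of AXFR over TCP. Keys, names and addresses are constructed."""
import hashlib
import hmac

TSIG_FUDGE_SECONDS = 300  # how far a request timestamp may drift from the primary's clock

def tsig_mac(secret, zone, key_name, timestamp):
    """MAC that the requester attaches and the primary recomputes."""
    canonical = f"AXFR {zone} {key_name} {int(timestamp)}".encode()
    return hmac.new(secret, canonical, hashlib.sha256).digest()

class PrimaryDNS:
    """Master copy of the zones; releases a zone only to a correctly signed request."""

    def __init__(self, zones, tsig_keys):
        self.zones = zones          # {zone: {owner: [(rtype, rdata), ...]}}
        self.tsig_keys = tsig_keys  # {key_name: shared secret bytes}

    def axfr(self, zone, key_name, mac, timestamp, now):
        secret = self.tsig_keys.get(key_name)
        if secret is None:
            return None, "BADKEY"
        if abs(now - timestamp) > TSIG_FUDGE_SECONDS:
            return None, "BADTIME"  # replayed or badly clocked request
        expected = tsig_mac(secret, zone, key_name, timestamp)
        if not hmac.compare_digest(expected, mac):
            return None, "BADSIG"   # wrong or guessed secret
        if zone not in self.zones:
            return None, "NOTAUTH"
        return {k: list(v) for k, v in self.zones[zone].items()}, "NOERROR"

class ExpressZoneServer:
    """DNS Express style secondary: the whole zone sits in RAM once transferred,
    so every query is answered locally and authoritatively."""

    def __init__(self, key_name, secret):
        self.key_name, self.secret = key_name, secret
        self.zones = {}

    def transfer(self, primary, zone, now):
        mac = tsig_mac(self.secret, zone, self.key_name, now)
        data, rcode = primary.axfr(zone, self.key_name, mac, now, now)
        if rcode == "NOERROR":
            self.zones[zone] = data
        return rcode

    def query(self, name, rtype):
        if rtype in ("AXFR", "IXFR"):
            return "NOTIMP", []     # the deck lists these as unsupported on DNS Express
        for zone, records in self.zones.items():
            if name == zone or name.endswith("." + zone):
                if name not in records:
                    return "NXDOMAIN", []  # authoritative negative answer, no upstream lookup
                return "NOERROR", [rd for rt, rd in records[name] if rt == rtype]
        return "REFUSED", []        # not a zone this server holds

def run_demo():
    secret = b"constructed-shared-secret"
    now = 1_700_000_000
    primary = PrimaryDNS(
        {"example.com": {
            "example.com": [("NS", "ns1.example.com")],
            "ftp.example.com": [("A", "192.0.2.21")],
            "www.example.com": [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")],
        }},
        {"xfer-key": secret},
    )
    express = ExpressZoneServer("xfer-key", secret)
    rogue = ExpressZoneServer("xfer-key", b"guessed-secret")  # knows the key name, not the secret
    stale_ts = now - 3600
    return {
        "transfer": express.transfer(primary, "example.com", now),
        "rogue_transfer": rogue.transfer(primary, "example.com", now),
        "stale_transfer": primary.axfr("example.com", "xfer-key",
                                       tsig_mac(secret, "example.com", "xfer-key", stale_ts),
                                       stale_ts, now)[1],
        "ftp": express.query("ftp.example.com", "A"),
        "missing": express.query("nope.example.com", "A"),
        "other_zone": express.query("ftp.example.org", "A"),
        "rogue_query": rogue.query("ftp.example.com", "A"),
    }
```

The `missing` case is the one slide 34 is really about: a cache would have to forward that query upstream, whereas a server holding the whole zone answers NXDOMAIN itself, so a stream of never-seen names costs it nothing extra. When reviewing a real deployment, check the same three points the model enforces: the transfer key is per-peer and not shared, the fudge window is short, and the secondary refuses names outside the zones it was given.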

Slide 35: Scalable DNS Performance
- Enable users to access apps during spikes
- Scale DNS query performance utilizing hardware
- CMP enabled, utilizes all processing cores
- Up to 6 million qps on VIPRION
- Each core is a high-performance DNS server = 150k+ qps
- These are very conservative numbers
(chart: per-platform query rates of 125k QPS, 600k QPS, 1.5Mil QPS, 2Mil QPS, 3Mil QPS, 6Mil QPS)

Slide 36: Configuring DNS Express
- Begin by creating a custom DNS profile
- The DNS profile defaults to DNS Express enabled

Slide 37: Configuring DNS Express
- Create a GTM listener or DNS virtual server
- Attach the DNS profile
- Optional: add a pool

Slide 38: Configuring DNS Express
- DNS Express Zones are configured under Local Traffic

Slide 39: Configuring DNS Express
- Create an Express Zone for each delegated domain

Slide 40: Testing and Troubleshooting
- Verify zone status (e.g., green/blue/red): show ltm dns dns-express zone
- nslookup or dig against DNS Express zone names
- Review log files: logs relating to zxfrd
- Run dnsxdump: dumps the DNS Express (zxfrd.bin) database

Slide 41: IP AnyCast

Slide 42: What it is and What it's Not
IS:
- A configuration methodology
- Mentioned in RFCs but not really defined
- Taking over the core of the DNS root infrastructure
- Been in use since the mid 90s for large scale internet deployments!
- Used for all sorts of protocols that ride on IP
- Can be used in conjunction with GTM
IS NOT:
- Not a protocol
- Does not require special servers, clients, or network gear
- DNS centric

Slide 43: GTM + IP Anycast Integration Steps
- Enable ZebOS dynamic routing on BIG-IP
- Supported routing protocols: BGP-4, IS-IS, RIPv1 and v2, OSPFv2 and v3, and RIPng
- Configure a custom DNS profile
- Configure a GTM listener for route advertisement

Slide 44: How does IP Anycast work
- Multiple instances of a service share the same IP address
- The routing infrastructure directs traffic to the nearest instance of the service
(diagram: Logical Topology; a DNS request from Router 1 resolves to a single answer (an IN A record) within the anycast /29; routing table columns Destination, Mask, Next-Hop, Distance; addresses omitted)
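The routing-table mechanics behind slides 43 and 44 can be modelled directly: two data centers advertise the same /29 holding the GTM DNS listener, each router ends up with one entry per advertisement carrying a distance metric, and a packet follows the longest matching prefix and, among equal prefixes, the lowest distance. The following is an added example, not F5 code or ZebOS behaviour; the prefix (from the documentation range), the next-hop labels and the distance values are all constructed. It also shows what happens when one data center stops advertising, which is the effect of the listener-based route advertisement that slide 43 configures.

```python
"""Added example (not F5 code): how the routing layer picks an anycast
instance. Two data centers announce the same /29 holding the DNS listener;
each router keeps one entry per announcement and forwards to the best one.
Prefixes, next-hop labels and distances are constructed for the demo."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network  # advertised prefix
    next_hop: str                       # where the packet goes next (a DC or transit link)
    distance: int                       # routing metric, lower is preferred

ANYCAST_PREFIX = ipaddress.ip_network("192.0.2.8/29")  # constructed, documentation range
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def best_route(table, dst):
    """Longest prefix match first, then the lowest distance among equal prefixes."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r.destination]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.destination.prefixlen, r.distance))

def next_hop_for(table, dst):
    route = best_route(table, dst)
    return route.next_hop if route else None

def withdraw(table, next_hop):
    """Model a listener going down: the DC stops advertising, so its routes disappear."""
    return [r for r in table if r.next_hop != next_hop]

# Constructed tables: the same /29 is learned from both DCs, at different distances.
ROUTER_EAST = [
    Route(ANYCAST_PREFIX, "primary-dc", 10),
    Route(ANYCAST_PREFIX, "secondary-dc", 40),
    Route(DEFAULT, "transit", 100),
]
ROUTER_WEST = [
    Route(ANYCAST_PREFIX, "primary-dc", 45),
    Route(ANYCAST_PREFIX, "secondary-dc", 5),
    Route(DEFAULT, "transit", 100),
]
LISTENER_IP = "192.0.2.10"  # the shared anycast address of the GTM DNS listener

def resolve_paths():
    """Which DC each router's DNS queries land on, before and after a withdrawal."""
    return {
        "east": next_hop_for(ROUTER_EAST, LISTENER_IP),
        "west": next_hop_for(ROUTER_WEST, LISTENER_IP),
        "west_after_secondary_down": next_hop_for(withdraw(ROUTER_WEST, "secondary-dc"), LISTENER_IP),
        "east_non_anycast": next_hop_for(ROUTER_EAST, "198.51.100.7"),
    }
```

Two points follow from the model. The routers never consult DNS or know that two instances exist, which is why slide 42 calls anycast a configuration methodology rather than a protocol; and the failover is only as good as the withdrawal, so the listener must stop being advertised when the DNS service is unhealthy, not merely when the box loses power.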

Slide 45: GTM Best Practices
- Have two or more GTMs, geographically distributed
- Have a BIG-IP in each data center to avoid excess (internet or closed network) traffic
- Synchronize GTMs through network infrastructure or the internet

Slide 46: Complete DNS Protection: F5 DNS Firewall Services
(diagram: queries from the LDNS to the company.com data center pass through GTM & DNS)
- CMP: high-performance DNS
- DNS Express: scalable DNS
- IP Anycast: load balancing across DNS
- DNSSEC: secure DNS queries
- Geolocation: route based on the nearest data center
- DNS iRules: complete DNS control

Slide 47: Benefits of Global Traffic Manager
- Ensure availability and disaster recovery
- Secure your DNS infrastructure with dynamic DNSSEC
- Improve and increase DNS performance with DNS Express
- Direct traffic to the best available datacenter with IP Anycast
