How To Make A Cloud Bursting System Work For A Business

Transcription

1 Where will your application be in the future, in the cloud, on premises, off premises? How will you protect them? Nigel Ashworth Solution Architect EMEA

2 Advanced threats Software defined everything SDDC/Cloud Internet of Things Mobility HTTP is the new TCP F5 Networks, Inc 2

3 Impact on Data Center Architecture: Applications MICRO-ARCHITECTURES Each service is isolated and requires its own: Load balancing Authentication / authorization Security Layer 7 Services May be API-based, expanding services required More applications needing services API DOMINANCE Proxies are used in emerging API-centric architectures for: API versioning Client-based steering API Load balancing Metering & billing API key management More intelligence needed in services Service A Service C API v1 Service B Service D API v2 F5 Networks, Inc 3

4 Linear Delivery is Gone F5 Networks, Inc 4

5 It s Now a Complex Matrix SaaS Cloud More endpoints More delivery models More apps F5 Networks, Inc 5

6 Deliver the most secure, fast, and reliable applications to anyone anywhere at any time. F5 Networks, Inc 6

7 Application Environment Agile Development Speed, customerdriven, and quality of app development Rapid deployment network and operations velocity F5 Networks, Inc 7

8 Application Environment Agile Development Cloud and DevOps Speed, customerdriven, and quality of app development Accelerate time to market Rapid deployment network and operations velocity Cloud SLA and control private network agility F5 Networks, Inc 8

9 Application Environment Agile Development Cloud and DevOps SDN and Private Cloud Speed, customerdriven, and quality of app development Accelerate time to market Software defined data centers Rapid deployment network and operations velocity Cloud SLA and control private network agility Failed to Address: L4 7 device sprawl and application awareness F5 Networks, Inc 9

10 Software Defined Application Services Elements High-Performance Services Fabric Simplified Business Models F5 Networks, Inc 10

11 High-Performance Services Fabric Virtual Edition Appliance Chassis Network [Physical Overlay SDN]

12 High-Performance Services Fabric Programmability Data Plane Control Plane Management Plane Virtual Edition Appliance Chassis Network [Physical Overlay SDN]

13 High-Performance Services Fabric Programmability Data Plane Control Plane Management Plane Virtual Edition Appliance Chassis Network [Physical Overlay SDN]

14 Leave No Application Behind

15 High-Performance Fabric Application BIG-IP BIG-IP Services BIG-IP BIG-IP BIG-IP BIG-IP F5 Networks, Inc 15

16 Software Defined Application Services Software Defined Application Services (SDAS) are a rich set of services that address the delivery challenges faced by businesses today. Built and deployed atop extensible F5 platforms, SDAS are all application and context-aware, highly scalable, and programmatic. Provisioned and managed within the F5 Synthesis architecture through BIG-IQ, SDAS provides organizations with the opportunity to simplify application delivery architectures without compromising on service breadth and depth. F5 Networks, Inc 16

17 Optimization Cloud Bridging Traffic Management CGNAT Caching Traffic Management DDoS MDM App Delivery Firewall Authoritative DNS LTE Roaming VDI Application Services Portfolio Global Server Load Balancing Anti-Fraud SSL Inspection Policy Enforcement Endpoint Inspection SSL VPN Subscriber Traffic Control NfV Traffic Shaping and QoS DNSSEC Anti-Malware Compression Disaster Recovery SPDY Gateway Application Optimization Access Control Web Access Management DNS Caching & Resolving VAS Bursting Intelligent EPC node selection SSL Programmability VOLTE Intelligence Service Chaining Firewall SAML FederationMobile Optimization SDN Mobile App Management Cloud Federation Anti-Phishing Diameter & Routing SAML Federation Mobile Acceleration Global Load Balancing Gi Firewall Web Performance EnrichmentOptimization Secure Web Gateway Cloud Bursting Single Sign-On Application Traffic Control Quota Management Web App Firewall Acceleration Business Continuity Active Sync Proxy DNS Firewall

18 Intelligent Services Orchestration Orchestration Connectors Fabric Connectors BIG-IQ Cloud Connectors Module Connectors

19 Simplified Business Models Perpetual Subscriptions Bundles BYOL Cloud Licensing Program Utility

20 Synthesis High-Performance Fabric To provide the most scalable, highdensity, high-performance fabric in the industry to leave no application behind. Intelligent Services Orchestration Offering BIG-IQ for the deployment of application services, cloud orchestration one push button provisioning and all necessary API management. Simplified Business Models Providing capacity- and volumebased licensing, software modules of application services.

21 Centralized Management Platform BIG-IQ IQ BIG-IP BIG-IP Data Center Hybrid Cloud Public Cloud

22 Agility and Integration Eliminate technology management silos

23 Automation Reported benefits of automation to the IT process: 80% 62% 54% Time savings Cost savings Improved SLA delivery to the business Source: Redwood Software survey, October % of enterprises that have implemented process automation have experienced time savings, 69% claim improved productivity

24 Different Approaches It is about applications Operated solely for an organization, typically within the firewall Composed of two or more interoperable clouds, enabling data and application portability Accessible over the Internet for general consumption F5 Networks, Inc. 24

25 Provisioning and Deployment Timelines Slow time-to-production Increasing rate of IT requests Repetitive tasks for IT Higher risk of misconfiguration

26 Provisioning and Deployment Timelines Time-to-production for all the necessary infrastructure services from weeks to minutes

27 Cloud Migration Architecture Global load balancing Infrastructure monitoring Advanced reporting On-Premises Infrastructure Administrators Load balancing Custom business logic Application health SSL management DNS Line of Business Applications Business Unit Application Manager Application Business Unit Application Manager User Cloud Management Cloud Administrator Beta User Automated Application Delivery Network Health/performance monitoring vadc deployment Load balancing Custom business logic Application health SSL management Line of Business Applications Application Cloud Hosting Provider Strategic Point of Control

28 Cloud Bursting Architecture Global load balancing Infrastructure monitoring Advanced reporting On-Premises Infrastructure Finite Resources Load balancing Custom business logic Object caching SSL management DNS Application User Cloud Management UI or REST API Cloud Administrator User Automated Application Delivery Network Health/performance monitoring vadc deployment Business Unit Application Manager Load balancing Custom business logic Object caching SSL management On-Demand Computing Application Cloud Hosting Provider Strategic Point of Control

29 Policy Management Application delivery services Repeatable Integrated Orchestrated Tenant Portal Provider Portal Cloud Portal Cloud Portal App Lifecycle Management Cloud Management Cloud Connectors Third-Party Cloud Orchestrators (VMware vcloud Director) Expedited Cloud Management REST API Public Cloud (Amazon Web Services) Data Center 1 Data Center 2 Data Center 3 Data Center 4 F5 Networks, Inc. 29

30 F5 Reference Architectures Solving Customer Issues

31 Service based security Same policy on premise or cloud. WAF policy (L7) Firewall policy (L4) Dynamic IP policy (L3) DDOS protection (L2-L7) Consolidated logging F5 Networks, Inc 31

32 F5 DDoS protection reference architecture Next-Generation Firewall Corporate Users Tier 1 Tier 2 Multiple ISP strategy Network attacks: ICMP flood, UDP flood, SYN flood SSL attacks: SSL renegotiation, SSL flood Financial Services Legitimate Users DDoS Attacker ISPa/b Cloud Scrubbing Service DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS IPS HTTP attacks: Slowloris, slow POST, recursive POST/GET Application E-Commerce Subscriber Threat Feed Intelligence Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Strategic Point of Control F5 Networks, Inc 32

33 DDoS Mitigation DNS Attacks Protect against DDoS at all layers 38 vectors covered Withstand the largest attacks DNS DDoS Gain visibility and detection of DNS/SSL attacks F5 Networks, Inc. 33

34 More sophisticated attacks are multi-layer Application SSL DNS Network F5 Networks, Inc 34

35 Which DDoS technologies do you use? CLOUD/HOSTED SERVICE Content delivery network Communications service provider STRENGTHS Completely off-premises so DDoS attacks can t reach you Amortized defense across thousands of customers DNS anycast and multiple data centers protect you Cloud-based DDoS service WEAKNESSES Customers pay, whether attacked or not Bound by terms of service agreement Solutions focus on specific layers (not all layers) F5 Networks, Inc 35

36 Which DDoS technologies do you use? STRENGTHS Direct control over infrastructure. Immediate mitigation with instant response and reporting. Solutions can be architected to independently scale of one another. ON-PREMISES DEFENSE Network firewall with SSL inspection Web application firewall WEAKNESSES Many point solutions in market, few comprehensive DDoS solutions. Can only mitigate up to max inbound connection size No other value. Only providing benefit when you get attacked. (excludes F5) On-premises DDoS solution Intrusion detection/prevention F5 Networks, Inc 36

37 F5 DDoS protection reference architecture Next-Generation Firewall Corporate Users Tier 1 Tier 2 Multiple ISP strategy Network attacks: ICMP flood, UDP flood, SYN flood SSL attacks: SSL renegotiation, SSL flood Financial Services Legitimate Users DDoS Attacker ISPa/b Cloud Scrubbing Service DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS IPS HTTP attacks: Slowloris, slow POST, recursive POST/GET Application E-Commerce Subscriber Threat Feed Intelligence Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Strategic Point of Control F5 Networks, Inc 37

38 F5 DDoS protection reference architecture Next-Generation Firewall Corporate Users TIER 1 KEY FEATURES Legitimate Users DDoS Attacker Multiple ISP strategy ISPa/b Cloud Scrubbing Service Threat Feed Intelligence Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Tier 1 Tier 2 The first tier at the Network and DNS SSL attacks: perimeter SSL renegotiation, is layer 3 SSL flood and 4 network firewall services Simple load balancing Application to a second tier HTTP attacks: Slowloris, slow POST, recursive POST/GET IP reputation database IPS Mitigates volumetric and DNS DDoS attacks Financial Services E-Commerce Subscriber Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Strategic Point of Control F5 Networks, Inc 38

39 F5 DDoS protection reference architecture Next-Generation Firewall Corporate Users Tier 1 Tier 2 Multiple ISP strategy Network attacks: ICMP flood, UDP flood, SYN flood SSL attacks: SSL renegotiation, SSL flood Financial Services Legitimate Users DDoS Attacker ISPa/b Cloud Scrubbing Service DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Network and DNS IPS HTTP attacks: Slowloris, slow POST, recursive POST/GET Application E-Commerce Subscriber Threat Feed Intelligence Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Strategic Point of Control F5 Networks, Inc 39

40 F5 DDoS protection reference architecture Next-Generation Firewall Corporate Users TIER 2 KEY FEATURES The second tier is for application-aware, Multiple ISP CPU-intensive defense strategy Legitimate Users SSL termination ISPa/b DDoS Attacker mechanisms Web application firewall Mitigate asymmetric Cloud and Scrubbing SSL-based Service DDoS attacks Threat Feed Intelligence Protection is L7 based (not just a L4 reset) Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning Tier 1 Network and DNS IPS SSL attacks: SSL renegotiation, SSL flood HTTP attacks: Slowloris, slow POST, recursive POST/GET Tier 2 Application Financial Services E-Commerce Subscriber Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Strategic Point of Control F5 Networks, Inc 40

41 Network Based DoS Detection & Mitigation 80+ DoS Vectors Flood ARP Flood DNS Response Flood Ethernet Broadcast Packet Ethernet Multicast Packet ICMP Flood IPV6 Fragment Flood IP Fragment Flood Routing Header Type 0 TCP ACK Flood TCP RST Flood TCP SYN ACK Flood TCP SYN Flood UDP Flood Single Endpoint Flood Single Endpoint Sweeper Fragmentation ICMP Fragment IPV6 Fragment IPV6 Fragment Overlap IPV6 Fragment Too Small IP Fragment IP Fragment Overlap IP Fragment Too Small Bad Header IPv4 Bad IP Option Bad IP TTL Value Bad IP Version Header Length > L2 Length Header Length Too Short IP Error Checksum IP Length > L2 Length IP Option Frames IP Source Address == Destination Address L2 Length >> IP Length No L4 TTL <= 1 Bad Header IPv6 Bad IPV6 Hop Count Bad IPV6 Version IPV6 Extended Header Frames IPV6 Length > L2 Length IPV6 Source Address == Destination Address Payload Length < L2 Length Too Many Extended Headers No L4 (Extended Headers Go To Or Past End of Frame) Bad Header L2 Ethernet MAC Source Address == Destination Address Bad Header TCP Bad TCP Checksum Bad TCP Flags (All Cleared and SEQ# == 0) Bad TCP Flags (All Flags Set) FIN Only Set Option Present With Illegal Length SYN && FIN Set TCP Header Length > L2 Length TCP Header Length Too Short (Length < 5) TCP LAND TCP Option Overruns TCP Header Unknown TCP Option Type Bad Header UDP Bad UDP Checksum UDP LAND Bad UDP Header (UDP Length > IP Length or L2 Length) Bad Header ICMP Bad ICMP Frame ICMP Frame Too Large Other Host Unreachable F5 Networks, Inc TIDCMP 41

42 Service based security Same policy on premise or cloud. WAF policy (L7) Firewall policy (L4) Dynamic IP policy (L3) DDOS protection (L2-L7) Consolidated logging F5 Networks, Inc 42

43 Centralized Management Platform BIG-IQ IQ BIG-IP BIG-IP Data Center Hybrid Cloud Public Cloud F5 Networks, Inc 43

44

45 Millions Rack units Gbps Millions Performance & Scale Use case 700 Throughput 8 Connections per second x x F5 (VIPRION 4800) Juniper (SRX 5800) Cisco (ASA 5585-X) Check Point (61000) 0 F5 (VIPRION 4800) Juniper (SRX 5800) Cisco (ASA 5585-X) Check Point (61000) Sessions Footprint x x F5 (VIPRION 4800) Juniper (SRX 5800) Cisco (ASA 5585-X) Check Point (61000) F5 (VIPRION 4800) Juniper (SRX 5800) Cisco (ASA 5585-X) Check Point (61000) F5 Networks, Inc 45 0 For 576M concurrent connections