Global Service Loadbalancing & DNSSEC. Ralf Brünig Field Systems Engineer r.bruenig@f5.com DNSSEC

Similar documents

F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution

Array Networks NetContinuum. Netli. Fine Ground. StrangeLoop. Akamai. Barracuda. Aptimize. Inkra. Nortel. Juniper. Cisco. Brocade/Foundry.

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: Mob.:

Global Server Load Balancing (GSLB) Concepts

Domain Name System :49:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

DNSSEC and DNS Proxying

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

Application and service delivery with the Elfiq idns module

Deployment Guide. Deploying F5 BIG-IP Global Traffic Manager on VMware vcloud Hybrid Service

Optimize Application Delivery Across Your Globally Distributed Data Centers

How to Add Domains and DNS Records

Optimize Application Delivery Across Your Globally Distributed Data Centers

How To Manage Dns On An Elfiq Link Load Balancer (Link Balancer) On A Pcode (Networking) On Ipad Or Ipad (Netware) On Your Ipad On A Ipad At A Pc Or Ipa

Deploying the BIG-IP GTM with Infoblox Grid Servers for DNSSEC

F5 ASM i DB Monitoring w ofercie NASK

Optimize Application Delivery Across Your Globally Distributed Data Centers

Automated Network Control for

Scale your DNS Infrastructure Ensure App and Service Availability. Nigel Ashworth Solution Architect EMEA

Optimize DNS Services and App Delivery Across Global Data Centers

Scale and Protect DNS Infrastructure and Optimize Global App Delivery

Application centric Datacenter Management. Ralf Brünig, F5 Networks GmbH Field Systems Engineer March 2014

DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks

Infoblox Grid TM. Automated Network Control for. Unifying DNS Management and Extending the Infoblox Grid TM to the F5 Global Traffic Manager

EE Easy CramBible Lab DEMO ONLY VERSION EE F5 Big-Ip v9 Local Traffic Management

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

Annexure - " SERVICE REQUIREMENTS"

DNS Architecture Case Study: Resiliency and Disaster Recovery

BIG IP Global Traffic Manager (GTM) v.11

Reliable DNS and DHCP for Microsoft Active Directory

Citrix NetScaler Global Server Load Balancing Primer:

BEST PRACTICES. Application Availability Between Hybrid Data Centers

DNSSEC Applying cryptography to the Domain Name System

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

DNS at NLnet Labs. Matthijs Mekking

Traffic Controller Service. UltraDNS Whitepaper

Description: Topics covered in this course include:

F5 Datacenter Virtualization & Application Security

ICS 351: Today's plan. DNS WiFi

Vladimir Yordanov Director of Technology F5 Networks, Asia Pacific Developments in Web Application and Cloud Security

Global Server Load Balancing

Advanced DNS Course. Module 4. DNS Load Balancing

Availability Digest. Redundant Load Balancing for High Availability July 2013

Managing Horizon Traffic across Multiple Data Centers with BIG-IP

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

Firewall Firewall August, 2003

Reliable DNS and DHCP for Microsoft Active Directory Protecting and Extending Active Directory Infrastructure with Infoblox Appliances

Virtual Server and DDNS. Virtual Server and DDNS. For BIPAC 741/743GE

KEMP Exchange Overview

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

Configure a Microsoft Windows Workstation Internal IP Stateful Firewall

How To Deploy F5 With A Hyperv Virtual Machine Manager 2008

PES. High Availability Load Balancing in the Agile Infrastructure. Platform & Engineering Services. HEPiX Bologna, April 2013

Administering the Web Server (IIS) Role of Windows Server

LinkProof DNS Quick Start Guide

DEPLOYMENT GUIDE Version 1.0. Deploying F5 with Microsoft Virtualization Technology

Application Protocols in the TCP/IP Reference Model

Networking Domain Name System

FortiBalancer: Global Server Load Balancing WHITE PAPER

The story of dnsdist - or - Do we need a DNS Delivery Controller?

High-Performance DNS Services in BIG-IP Version 11

MS 10972A Administering the Web Server (IIS) Role of Windows Server

Application Protocols in the TCP/IP Reference Model. Application Protocols in the TCP/IP Reference Model. DNS - Concept. DNS - Domain Name System

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager

WHITE PAPER. Best Practices DNSSEC Zone Management on the Infoblox Grid

10972-Administering the Web Server (IIS) Role of Windows Server

The story of dnsdist - or - Do we need a DNS Delivery Controller?

Exam : EE : F5 BIG-IP V9 Local traffic Management. Title. Ver :

BIG-IP Global Traffic Manager : Concepts. Version 11.3

Network Security Fundamentals

The Bomgar Appliance in the Network

Deploying the BIG-IP System v10 with SAP NetWeaver and Enterprise SOA: ERP Central Component (ECC)

Security F5 SECURITY SOLUTION GUIDE

Mithi Connect Server deployment options

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Use Domain Name System and IP Version 6

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Wirtualizacja i optymalizacja infrastruktury. Zbigniew Skurczyński Dyrektor regionalny EE F5 Networks

DEPLOYMENT GUIDE Version 1.3. Deploying F5 with VMware ESX Server

Configuration Example

AppDirector Load balancing IBM Websphere and AppXcel

DNS and BIND. David White

Deploying the Barracuda Load Balancer with Office Communications Server 2007 R2. Office Communications Server Overview.

BorderWare Firewall Server 7.1. Release Notes

Deploying the BIG-IP System v11 with DNS Servers

Address Resolution Protocol (ARP)

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

DEPLOYMENT GUIDE DEPLOYING F5 WITH VMWARE ESX SERVER

IxLoad - Layer 4-7 Performance Testing of Content Aware Devices and Networks

ExamPDF. Higher Quality,Better service!

The Dynamic DNS Infrastructure

Global Server Load Balancing

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

DNS Session 4: Delegation and reverse DNS. Joe Abley AfNOG 2006 workshop

NETASQ MIGRATING FROM V8 TO V9

Datacenter Transformation

The Domain Name System

Deploying the BIG-IP System v11 with Microsoft Exchange 2010 and 2013 Client Access Servers

Computer Networks: Domain Name System

Using the Domain Name System for System Break-ins

Transcription:

Global Service Loadbalancing & DNSSEC Ralf Brünig Field Systems Engineer r.bruenig@f5.com DNSSEC

F5 s Integrated Solution Users The F5 Solution Applications Mobile Phone PDA Laptop Desktop Application Delivery Network TMOS CRM Database Siebel BEA Legacy.NET SAP PeopleSoft IBM ERP SFA Custom Co-location

Global Service Loadbalancing (GSLB)

Global Service Loadbalancing with bind Multiple A record Round Robin Multiple A Records: www.test.de A 72.12.3.5 A 153.32.4.5 A 182.34.2.6 DNS Server LDNS The site would be down for this client

Global Service Loadbalancing Monitoring ICMP TCP UDP HTTP HTTPS FTP SNMP IMAP POP3 SMTP LDAP RADIUS MSSQL Oracle... Multiple A Records: www.test.de A 72.12.3.5 A 153.32.4.5 A 182.34.2.6 GSLB This server would be taken out of the load balancing

Global Service Loadbalancing Load Balancing Method The Art of selecting the right server Resolver Round Robin Ratio Global Availability Topology Round Trip Time Packet Rate...

Directing Users to the Best Site Large social networking site needs state-level control Problem Poor Application Performance Unpredictable data center utilization random traffic distribution Poor user experience users are often sent across the country to access the site

Directing Users to the Best Site State level control improves end user experience BIG-IP GTM with IP Geolocation Database Solution Improved Application Performance Manageable and predictable data center utilization Better user experience lower latency

Integration Architectures Delegation LDNS DNS Query: www.example.com CNAME redirect: www.gtm.example.com Infoblox is authoritative for example.com Infoblox Grid Infoblox manages all zones except the delegated sub zone for GTM s GSLB services Contains references to the NS records for the gtm.example.com sub zone GSLB resources are referred or aliased via CNAME to records in the delegated zone DNS Query: www.gtm.example.com F5 GTM is authoritative for sub zone gtm.example.com DNS Response: www.gtm.example.com = 209.200.200.10 F5 BIG IP GTM Contains all the WIP names and related configuration. BIND server running on the F5 GTM contains all zone records for the gtm.example.com sub zone

Integration Architectures Authoritative Screening An NS record for example.com directs LDNS requests to ns1.example.com which points to the public IP address allocated to the DNS listener on the F5 BIG IP GTM ns1.example.com 204.100.100.10 Infoblox Grid Example.com Infoblox1 10.10.10.1 Infoblox2 10.10.10.2 Infoblox3 10.10.10.3 LDNS F5 BIG IP GTM Only contains the GSLB configuration Matches specific FQDN Names (WIP) Load balances all other record requests to a pool of Infoblox Grid appliances Infoblox Grid Full Managed Zone Configuration Hidden Master NS Records All DNS Records located here SOA, MX, SRV, A Records

DNSSEC

How big an issue is this? Has your organisation been a victim of a DNS poisoning attack in the past year? Nearly half of those answering yes report monthly occurrences of such attacks Source: Center for Strategic and International Studies

Solution: Real-time DNSSEC Signing F5 BIG IP GTM DNS Query Optional: +DNSSEC 1 TMOS 2 DNS Query for WIP GTM DNS Response 3 GTM Module 4 Request Processing: 1. TMOS receives request on the DNS listener IP 2. TMOS sends request to GTM module 3. GTM applies GSLB rules 4. GTM returns response DNS Response OR DNSSEC Response 6 8 5 7 Hardware Cryptography DNS Server Load Balancing Real time DNSSEC Signing Optional FIPS Key Storage 5. TMOS checks if original request included +DNSSEC 6. If a normal DNS request, TMOS responds normally 7. If a DNSSEC request, TMOS signs the response 8. DNSSEC Response F5 Patent Pending

GTM DNSSEC Integration The GTM can be placed transparent in front of the DNS server DNSSEC GTM DNS LDNS SYNC Second DC DNS DNSSEC GTM DNS DNS slave

F5 DNSSEC Configuration 1. Create the key signing key (KSK) 2. Create the zone signing key (ZSK) 3. Create the DNSSEC zone and assign the KSK and ZSK keys 4. Send public KSK to parent zone authority 5. Repeat step 3 to sign additional DNSSEC zones 6. Key management operations automated by policy 1 2 3

Automatic Key Rollover

Links http://www.f5.com/solutions/security/dnssec/ http://www.f5.com/news-press-events/webmedia/webcasts/deploying-dnssec.html http://devcentral.f5.com/weblogs/dctv/archive/ 2010/01/11/secure-dns-with-big-ip-v10.1- dnssec.aspx http://www.practicesafedns.org/