Presented by Philippe Bogaerts, Senior Field Systems Engineer (p.bogaerts@f5.com)
Securing application delivery in the cloud
The Leader in Application Delivery Networking
[Diagram labels: Users (At Home, In the Office, On the Road); Application Delivery Network; Data Center; SAP, Microsoft, Oracle]
Business Goal: Achieve These Objectives in the Most Operationally Efficient Manner
Traditional Infrastructure Model
[Diagram: Corporate Employees, Mobile Employees, Remote Employees, Branch Employees, and Customer, Partners, or Suppliers on one side; cloud services, hosted applications, SaaS, the corporate data center, and branch apps and data on the other]
How do I connect all these applications and services to the right people, at the right moment in time, using the right amount of resources, meet all my SLAs, ensure security and save money?
Filling the Gap: Creating a Dynamic Infrastructure
[Diagram, Dynamic Infrastructure Model: Corporate Employees (LAN & WLAN), Mobile Employees, Remote Employees, Branch Employees (LAN & WLAN), and Customer, Partners, or Suppliers on one side; cloud services, hosted applications, SaaS, the corporate data center, and branch apps and data on the other]
- Intercept
- Interpret
- Instruct
Functions of Dynamic Infrastructure
- Traffic redirection, data placement, security, performance, provisioning
- Synchronize distributed points of control
- Intelligence
- Application and data streams
- Device presentation
- Target / Initiator
- Put in context of who, what, when, where, and how
- Relate to business policy
- Determine appropriate response
How Do You Solve These Issues?
- Multiple Point Solutions
- Application
- More Bandwidth
- Network Administrator
- Application Developer
- Add more infrastructure?
- Hire an army of developers?
F5 Application Delivery Networking
[Diagram labels: International Data Center; Users; Enterprise Manager; Applications & Storage]
- BIG-IP Local Traffic Manager
- BIG-IP Global Traffic Manager
- BIG-IP Link Controller
- BIG-IP WebAccelerator
- BIG-IP WAN Optimization Module
- BIG-IP Application Security Manager
- BIG-IP Access Policy Manager
- BIG-IP Edge Gateway
- FirePass SSL VPN
- ARX File Virtualization
- iControl
- TMOS
Snippets From A Popular Cloud Definition
- "dynamically scalable and often virtualized resources are provided as a service..."
- "users need not have knowledge of, expertise in, or control over the technology infrastructure"
- "on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released..."
The F5 Powered Cloud
F5 ADCs are a fundamental cloud building block
Hybrid Cloud Design
BIG-IP Local Traffic Manager
Turn your infrastructure into an agile application delivery network
[Diagram labels: Users; BIG-IP; Applications]
- Scale the application infrastructure
- Eliminate downtime
- Improve application performance
- Secure your applications and data
- Increase server capacity, reduce bandwidth
- Customize the delivery of the app for your needs
It Starts with Load Balancing
Ensure availability and plan for growth
- High Performance Hardware
- Dynamic LB Methods
- Application Health Monitoring
- Transaction Assurance
- Session Persistence
LTM load balances at the application level
- Ensures the best resources are always selected
- Has deep visibility into application health
- Proactively inspects and responds to errors
- Eliminate downtime and scale the application
Getting Users to the Best Available Data Center
[Diagram: Client and L-DNS; Site 1 (Primary) and Site 2 (Back up), each with Router, BIG-IP GTM, BIG-IP LTM and Corporate Servers]
GTM: Global Traffic Manager
Let Servers Serve
- OneConnect
- Fast Cache
- SSL Offload
- Compression
LTM offloads tasks from application servers
- Reduce the number of servers required
- Centralized SSL key management
- 2048-bit key SSL certificates - offloading
Improve the End-User Experience
- TCP Express
- Intelligent Compression
- WebAccelerator (add-on module)
- iSessions
LTM improves the application performance
- Optimize the connections and prioritize traffic
- Reduce the amount of data sent, both to the client and across the WAN
Secure & Optimized Tunnel between Cloud & DC
BIG-IP WOM: Integrated in BIG-IP LTM v10
- De-duplication
- Symmetric Compression
- SSL Encryption
Secure the Applications and Data
- Network and Protocol Attack Prevention
- Resource Cloaking and Content Security
- Selective Encryption
- Application Security Manager (add-on module)
Security at Application, Protocol and Network Level
- Meet compliance requirements (PCI, HIPAA, etc.)
- Strong protection without interrupting legitimate traffic
BIG-IP Application Security Manager
Powerful Adaptable Solution
- Provides comprehensive protection for all web application vulnerabilities
- Delivers out of the box security
- Logs and reports all application traffic and attacks
- Educates admin on attack type definitions and examples
- Enables L2->L7 protection
- Unifies security and acceleration services
Multiple security layers
- RFC enforcement
- Various HTTP limits enforcement
- Negative security model - signatures
- Positive security model - profiling of good traffic
  - Defined list of allowed file types, URIs, parameters
  - Each parameter is evaluated separately for: predefined value, length, character set, attack patterns
- Responses are checked as well
- Anomaly detection
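The allow-list (positive) and signature (negative) layers from this slide, sketched as an added example; it is not F5 code or an ASM configuration. The policy, URIs, parameter names and the two toy signatures are hypothetical, and the RFC, HTTP-limit, response and anomaly layers are left out.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical positive-model policy for a constructed application.
POLICY = {
    "file_types": {"php", "html"},
    "uris": {"/login.php", "/search.php"},
    "params": {
        "user": {"max_len": 16, "charset": r"[A-Za-z0-9_]+"},
        "lang": {"values": {"en", "nl", "fr"}},
        # Free-text field: the character set must stay loose, so the
        # positive model alone cannot stop markup or quotes here.
        "q": {"max_len": 64, "charset": r"[\w .,'<>()=/-]+"},
    },
}
# Negative model: two toy signatures (constructed, not a real signature set).
SIGNATURES = {
    "xss-script-tag": re.compile(r"<\s*script", re.I),
    "sqli-tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
}

def evaluate(url):
    """Return the list of violations; an empty list means every layer passed."""
    parts = urlsplit(url)
    path = parts.path
    violations = []
    ext = posixpath.splitext(path)[1].lstrip(".").lower()
    if ext not in POLICY["file_types"]:
        violations.append(f"file type not allowed: {ext or '(none)'}")
    if path not in POLICY["uris"]:
        violations.append(f"URI not allowed: {path}")
    # parse_qsl percent-decodes, so checks run on the decoded value.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        rule = POLICY["params"].get(name)
        if rule is None:
            violations.append(f"parameter not allowed: {name}")
            continue
        if "values" in rule and value not in rule["values"]:
            violations.append(f"{name}: value not in predefined list")
        if len(value) > rule.get("max_len", 256):
            violations.append(f"{name}: too long")
        if "charset" in rule and not re.fullmatch(rule["charset"], value):
            violations.append(f"{name}: character set violation")
        for sig, pattern in SIGNATURES.items():
            if pattern.search(value):
                violations.append(f"{name}: signature {sig}")
    return violations
```

The free-text `q` parameter shows why the two models are layered: its value can satisfy the allow-list and still be caught by a signature.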
BIG-IP Access Policy Manager (APM)
Authentication and Authorization Services for BIG-IP
BIG-IP APM ROI Benefits:
- Consolidates infrastructure
- Reduces AAA management costs
- Simplifies Web access
BIG-IP APM Features:
- Centralizes web single sign on and access control services
- Full proxy L4-L7 access control at BIG-IP speeds
- Adds endpoint inspection to the access policy
- Visual Policy Editor (VPE) provides policy based access control
- VPE Rules programmatic interface for custom access policies
*AAA = Authentication, Authorization and Accounting (or Auditing)
Complete Control and Flexibility
- iRules
- iControl
Total Application Control
- Complete payload inspection and transformation
- Open API and SDK to integrate with infrastructure
Connect with 40,000 ADC Experts
- Blogs
- Multimedia
- iRules and iControl samples
- Forums
- Tutorials
- Tools
http://devcentral.f5.com
Specialized Hardware for App Delivery
- Hardware designed specifically for Application Delivery
- Industry's best performance, up to 76 Gbps throughput
- Hot-Swappable Components
- Flexible deployment options: FIPS, NEBS, DC power
- Always-on Management
- Hardware SSL offload
New! BIG-IP LTM Virtual Edition