Manage Secure Access to Applications Based on User Identity
EMEA Webinar, July 2013

Protecting the Enterprise: Full Footprint
Diagram: application access management and application security deployed as an application delivery firewall in front of the enterprise data center, with mobile users, the enterprise headquarters, an enterprise remote office, an Internet data center, a data center/private cloud, partners and suppliers, customers and a hacker shown as the parties reaching it over the Internet.

Who's Requesting Access?
Employees, partners, customers and administrators all request access, so access is managed based on identity. IT is challenged to:
- Control access based on user type and role
- Unify access to all applications
- Provide fast authentication and SSO
- Audit and report access and application metrics

Securing Access at the Critical Point in the Network
- Connects any user, anywhere, from any device to the best application resources, independent of the infrastructure (physical, virtual, storage, clients, cloud)
- Anywhere, any service, any device
- Intelligent: dynamic, agile, adaptive

Simplifying Application Access With BIG-IP Access Policy Manager (APM)
Diagram: users reach SharePoint, OWA, cloud services, a hosted virtual desktop and the web servers (App 1 to App n) through a single BIG-IP Local Traffic Manager + Access Policy Manager, which authenticates them against the directory.

Controlling Access of Endpoints: Ensuring Strong Endpoint Security
Allow, deny or remediate users based on endpoint attributes such as:
- Antivirus software version and updates
- Software firewall status
- Machine certificate validation
Invoke a protected workspace for unmanaged devices:
- Restrict USB access
- Cache cleaner leaves no trace
- Ensure no malware enters the corporate network

Auto-Connecting to the VPN: Always-Connected Application Access
Diagram: mobile users, branch office users and wireless users connect across the Internet to a BIG-IP LTM + APM (or a BIG-IP LTM VE + APM), which fronts the virtual desktops on the hypervisor and the internal LAN (VLAN1 for LAN users, VLAN2 for the virtual desktops).

BIG-IP Edge Client
- Web-delivered and standalone client for Mac, Windows, Linux, iPhone, iPad, iTouch and Android
- Endpoint inspection, full SSL VPN and per-user flexible policy
- Enable mobility: smart connection roaming, uninterrupted application sessions
- Accelerate access: adaptive compression, client-side cache, client-side QoS

Supporting Mobile Devices
Diagram: an HR user and a Finance user (User = Finance) reach the App Store, Finance and CRM applications; for each request the question "corporate managed device?" is answered with the AAA server before access is granted.
- Ensures connecting devices adhere to a baseline security posture
- Reduces the risk of malware infecting the corporate network

iOS and Android Access to Applications With BIG-IP Edge Portal

APM SAML: How It Works
Diagram: data center 1 hosts login.f5se.com (the identity provider), portal.f5se.com, Active Directory and ADFS; data center 2 hosts owa.f5se.com, sharepoint.f5se.com, an Apache/Tomcat app and ADFS; end users and business partners reach both over public/private networks.
1) A domain user makes a SAML-supported request for a resource
2) An SP-initiated post is sent back to the client in the form of a redirect to https://login.f5se.com
3) The client posts credentials to login; the credentials are validated against Active Directory
4) A SAML assertion is generated and passed back to the client with a redirect to the requested application
5) The client successfully logs on to the application with the SAML assertion
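The five-step SP-initiated flow above, as an added example that is not part of the original webinar or of F5's products: a Python simulation in which the service provider at owa.f5se.com redirects to the identity provider at login.f5se.com, the IdP checks the posted credentials against a constructed directory standing in for Active Directory, and the SP logs the user on only after checking the assertion's signature, issuer, audience, InResponseTo binding and validity window. An HMAC over a JSON body stands in for the XML signature of a real SAML assertion; the key, the user, the URL path and the 300-second window are all constructed values.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

# Constructed demo values: the two hostnames from the slide, a shared HMAC key standing in
# for the IdP's XML-DSig signing key, and a one-user directory standing in for Active Directory.
IDP_URL = "https://login.f5se.com"
SP_URL = "https://owa.f5se.com"
IDP_KEY = b"constructed-demo-signing-key"
DIRECTORY = {"alice": "correct horse battery"}
SIG_LEN = hashlib.sha256().digest_size

def sp_redirect_to_idp(resource):
    """Steps 1-2: the SP answers the resource request with a redirect to the IdP.
    The request id is remembered so the returned assertion can be bound to it."""
    request_id = secrets.token_hex(8)
    query = urlencode({"SAMLRequest": request_id, "RelayState": resource})
    return request_id, f"{IDP_URL}/saml/sso?{query}"

def idp_issue_assertion(request_id, username, password, now=None):
    """Steps 3-4: validate the posted credentials against the directory, then issue a
    signed assertion bound to this request, this SP and a short validity window."""
    stored = DIRECTORY.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return None
    now = int(time.time()) if now is None else now
    body = {"iss": IDP_URL, "aud": SP_URL, "sub": username,
            "in_response_to": request_id, "nbf": now, "exp": now + 300}
    raw = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, raw, hashlib.sha256).digest()
    return base64.b64encode(raw + sig).decode()

def sp_consume_assertion(token, expected_request_id, now=None):
    """Step 5: the SP logs the user on only if signature, issuer, audience, InResponseTo
    binding and validity window all check out; returns the subject or None."""
    data = base64.b64decode(token)
    raw, sig = data[:-SIG_LEN], data[-SIG_LEN:]
    if not hmac.compare_digest(sig, hmac.new(IDP_KEY, raw, hashlib.sha256).digest()):
        return None                       # forged or tampered assertion
    body = json.loads(raw)
    now = int(time.time()) if now is None else now
    if body["iss"] != IDP_URL or body["aud"] != SP_URL:
        return None                       # issued by or for someone else
    if body["in_response_to"] != expected_request_id:
        return None                       # replayed against a different request
    if not body["nbf"] <= now < body["exp"]:
        return None                       # outside the validity window
    return body["sub"]
```

Each rejection branch corresponds to a check a real SP must perform on an assertion before trusting it; the `now` parameter exists only so the validity window can be exercised deterministically.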

Consolidating Application Authentication (SSO)
Diagram: a Finance user (User = Finance) on a corporate managed device with the latest AV software is authenticated once by the AAA server and reaches Salesforce.com and the expense report application.
- Dramatically reduces infrastructure costs and increases productivity
- Provides seamless access to all web resources
- Integrated with common applications

Simplifying VDI
Present RDP and VMware View next to Citrix apps in portal mode:
- Improved scale and reliability
- Better user experience + SSO
- Simplified deployment
- Improved quality of real-time applications
Diagram: XenDesktop, RDP and View virtual desktop pools, each on its own hypervisor, behind one AAA server.
- Optimise the experience for your users
- Simplify infrastructure and reduce costs
- Unify access control and security

Streamlining Microsoft Exchange Migration
Diagram: Finance on Outlook Web Access with Outlook 2007, HR on Outlook Anywhere with Outlook 2010 and Sales on Exchange ActiveSync with Outlook 2013 are all authenticated by the AAA server.
- Migrate over time
- Distribute a single URL and let BIG-IP APM direct the user
- Manage email access for all devices, from all locations and on any network
- Ease and decrease time to deployment with iApps

Enhancing Web Access Management
Diagram: the administrator creates the policy; an HR user (User = HR) in the corporate domain with the latest AV software and a current O/S is checked against the AAA server.
- Proxy the web applications to provide authentication, authorisation, endpoint inspection, and more
- All tying into Layer 4-7 ACLs through F5's Visual Policy Editor

Authentication Alternatives Today
1) Code in the application (users reach web servers App 1, App 2 and App 3, each with its own code in the app and a WAM directory)
- Costly, difficult to change
- Not repeatable
- Decentralised
- Less secure
2) Agents on servers (adds a WAM policy manager beside the WAM directory)
- Difficult to administer
- Interoperability
- Decentralised
- Less secure
3) Specialised access proxies (a WAM proxy such as Oracle Access Manager in front of the web servers)
- Don't scale as well
- Often inferior reliability
- Big CapEx and OpEx
WAM = Web Access Management

A Better Alternative: BIG-IP Access Policy Manager (APM) and Oracle Access Manager (OAM)
Diagram: users reach App 1, App 2 and App 3 through BIG-IP LTM + APM, which takes the place of the WAM proxy and talks to the WAM directory and WAM policy manager.
- Replace the OAM proxy with BIG-IP Access Policy Manager (APM)
- Gain superior scalability and high availability
- Benefit from F5's Unified Application Delivery Services
LTM = Local Traffic Manager; OAM = Oracle Access Manager

Richer Application Delivery: Additional BIG-IP Benefits
Diagram: users reach App 1, App 2 and App 3 through BIG-IP LTM + APM + ASM or AAM (endpoint security checks, virtualisation, HA, LB), which also fronts Oracle Access Manager with its WAM directory and WAM policy manager.
- Endpoint inspection
- Scaling and high availability for the application and the OAM directory
- Web application security
- Web application acceleration
- Enterprise-class architecture
- Virtualisation (HA, LB for directories)
LTM = Local Traffic Manager; ASM = Application Security Manager; AAM = Application Acceleration Manager; OAM = Oracle Access Manager

Oracle Access Manager in a Nutshell
Before: in the data center, a load balancer sends traffic to the OAM proxy, which fronts the web apps (App 1 to App 200); the apps consult OAM and the OAM directory.
After: BIG-IP LTM + APM stands where the load balancer and OAM proxy were, in front of the web apps (App 1 to App 200), which still consult OAM and the OAM directory.

Dynamic End-User Webtop
- Customisable and localisable list of resources
- Adjusts to mobile devices
- Toolbar, help and disconnect buttons

BIG-IP Access Policy Manager (APM): Unified Access and Control for BIG-IP
BIG-IP APM ROI benefits:
- Scales to 200K users on a single device
- Consolidates auth. infrastructure
- Simplifies remote, web, and application access control
BIG-IP APM features:
- Centralises single sign-on and access control services
- Full-proxy L4-L7 access control at BIG-IP speeds
- Adds endpoint inspection to the access policy
- Visual Policy Editor (VPE) provides policy-based access control
- VPE Rules: programmatic interface for custom access policies
- Supports IPv6

Security Technology Alliance Partners
Endpoint inspection / AV; certificates and encryption; anti-fraud / secure browser; DAST; multi-factor authentication; web access management; DB firewall; mobile OS; mobile device management; security change management; FIPS/HSM security; DNS security and SBS; web and SaaS security; SIEM

Unified Access Solution
- Secure Web Gateway: Internet apps
- Web Access Management
- Remote Access and Application Access: enterprise apps
- Mobile Application Management: mobile apps
- Federation: cloud, SaaS, and partner apps

Intelligent Services Framework: F5 Makes the Connected World Run Better
F5 solutions available today:
- Application delivery controller
- Application delivery firewall
- Mobile optimisation solution
- Mobile user and application access management
- Application acceleration
- WAN optimisation
- DNS delivery services
- Local and global load balancer
Diagram: the framework rests on the TMOS foundation (hardware and software: fast, available, secure, scale), with customisable traffic management (enterprise, intelligent, integrated, context aware), a programmable/extensible layer (iRules, iControl, iApps) and an intelligent ecosystem with a user community (DevCentral).