Datacenter Transformation Consolidation Without Compromising Compliance and Security
Joe Poehls, Solution Architect, F5 Networks
Challenges in the infrastructure
- I have a DR site, but the ROI on having all of those devices sitting idle is a concern
- I'm not sure if DR will actually work properly if we do have some sort of disaster
- Our customer centricity business initiatives require us to deploy new services quickly, but my vendors can't keep up
- There are certain times of the month or year that we just need more capacity than I have for certain applications
2 F5 Networks, Inc.
An Active/Active infrastructure
- Presentation Layer and Core Systems are always in use, no standby units
- If running virtualized hardware, time to deploy can be minimized
- Can add new data centers/private clouds as needed to expand capacity
[Diagram labels: Client Access, Global Traffic Manager, Primary Data Center, Secondary Data Center, Public/Private Cloud; layers: Presentation, Core Systems, Transaction Engine, Databases/Data, Management]
Active-Active Use Cases
Customer: Online Service Website
Environment: Multiple US datacenters with large databases
Critical Issues:
- Solve read-write database replication issue
- Scale performance
- Add redundancy
- Improve user response time
Solution:
- Global traffic management
- Scale by making use of active/active datacenter resources
- Insert read/write timing information into a cookie and use it to determine where to steer subsequent requests
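A sketch of the cookie-based steering named in the solution above, added here as an illustration and not taken from the slides or from F5's implementation. The site names, the 30-second replication window, the cookie layout and the HMAC over the cookie (so a client cannot forge or rewrite the steering hint) are all assumptions of this example.

```python
import hashlib
import hmac

# Assumptions of this sketch (none of these values come from the slides):
SECRET = b"constructed-demo-key"      # shared by the steering tier in every site
REPLICATION_WINDOW = 30               # seconds until a write is visible everywhere
DATACENTERS = ("dc-east", "dc-west")  # constructed site names


def _sign(payload: str) -> bytes:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_write_cookie(dc: str, now: int) -> str:
    """Cookie value set on the response to a write: site, write time, MAC."""
    payload = f"{dc}|{now}"
    return f"{payload}|{_sign(payload).decode()}"


def parse_write_cookie(value: str):
    """Return (dc, write_time), or None if the cookie is missing, malformed or forged."""
    parts = (value or "").split("|")
    if len(parts) != 3:
        return None
    dc, ts, mac = parts
    # Verify the MAC first: the cookie is client-controlled input.
    if not hmac.compare_digest(mac.encode(), _sign(f"{dc}|{ts}")):
        return None
    if dc not in DATACENTERS or not ts.isdigit():
        return None
    return dc, int(ts)


def steer(method: str, cookie: str, nearest_dc: str, now: int):
    """Pick the site for a request; returns (datacenter, cookie_to_set_or_None)."""
    if method in ("POST", "PUT", "PATCH", "DELETE"):
        # Writes go to the nearest site and stamp the cookie with where and when.
        return nearest_dc, issue_write_cookie(nearest_dc, now)
    parsed = parse_write_cookie(cookie)
    if parsed:
        dc, written_at = parsed
        # Read shortly after a write: return to the site that already holds it.
        if 0 <= now - written_at < REPLICATION_WINDOW:
            return dc, None
    # No recent write, or an untrusted cookie: any active site can serve the read.
    return nearest_dc, None
```

A tampered or unsigned cookie is ignored rather than rejected, so the request is still served but the client gains no control over which datacenter handles it.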
Challenges around Compliance
- I really don't have a big-picture view of how transactions flow through our complex app environment
- I want to enforce strict governance, but for compliance purposes we need to keep a clear separation of responsibilities for some applications
- On the other hand, to ensure compliance sometimes we need to gather and collate access information across applications
- At the same time we still need to enable customer centricity and keep performance high
Application Monitoring for Compliance
Use a combination of logging and Application Visibility features to monitor the application and provide information to improve compliance, as well as performance
- Do I have enough resources? Where should I add them?
- Am I receiving DoS attacks?
- Which process in my app is consuming the most resources?
Information collected:
- Server-side latency
- Client-side latency
- Throughput
- Response codes
- Methods
- URL
- Client IP
- Client location info
- User Agent
- User Session
Views:
- Application
- Virtual Server
- Pool Member
- Response Code
- URL
- Method
[Diagram labels: Syslog Server, Management Console; applications: Deposits, Loans, Cards]
Enforcing Compliance in the App
- When receiving requests, check and enforce service interface definitions
- Add Layer 7 security in front of all web services
- Log a summary of the transaction that protects separation of responsibilities yet also allows you to enforce and maintain governance
Diagram callouts:
- Log transactions in a way that enforces governance while maintaining compliance
- Enforce and screen requests before sending downstream
[Diagram labels: Identity and Service Management, Service Definition Repository, Frontend Service, Bank Transfer Service, Loan and Lending App (.NET based), Async Access Loan Service, X-lation GW, Core Banking App (Mainframe); layers: Presentation Layer, Core Systems, Data, Management]
Use Case: Standard Life
Standard Life, in Scotland, provides a number of financial products including life insurance, pension services, and investment banking. They have over 6.5 million customers worldwide.
They began their SOA project a number of years ago and began using F5 as they rolled out their 4th generation architecture.
F5 helps them in key areas of their architecture:
- Performing load distribution at layer 7
- Maintaining compliance with PCI DSS, HIPAA, Basel II, SOX security requirements
- Achieving scalability and fault tolerance
"We concluded that, to deliver on our goals, we needed to implement powerful application-layer load balancing and security capabilities while minimizing infrastructure complexity."
Compliance Case Study
Challenges
- PCI, FFIEC compliance
Using F5 for
- Intelligent traffic management
- PCI, FFIEC, DNSSEC, FIPS and IPv6 compliance
- Virtualization support and enablement
Results
- Improved visibility and control of applications
- Reduce OPEX between 31%-40%
Challenges around Security
- I understand the need for higher security, but I'm not sure what we can do to increase security in my online applications
- We don't like the idea of adding point solutions in the network to address security problems
- We have a feeling that our point security solutions will not give me protection in today's complex threat environment
- We really need a way to increase time to detect and time to resolve security issues
Security
F5 solutions offer multiple layers of security
SECURE APPLICATIONS & DATA
- Transaction Assurance
- Resource Cloaking
- Network and protocol attack protection
- Secure Network Address Translation
- Port Mapping
- Selective Content Encryption
- Denial of Service attack protection
We can apply security policies to both request AND response
LAYER 7 SECURITY
- Brute Force
- Layer 7 DDoS
- Web Scraping
- XSS, CSRF, SQL Injection
- Zero Day attacks
- Compliance (PCI DSS, HIPAA, etc.)
- Information Leakage protection
[Diagram labels: Data Center 1, Web/App Tier, DB Tier]
Security framework
Creating a multi-layer security framework with F5:
- 1) DNS DDoS attack mitigation
- 2) Secure/Unsecure zone network isolation
- 3) Flexible TCP and IP DDoS protection
- 4) SSL renegotiation attack mitigation
- 5) Layer 7 DDoS mitigation
[Diagram labels: Primary Data Center; (1) DNS Express + GTM, Infoblox; (2) Full Proxy mode; (3) SYN Check, ICMP Flood Mitigation; (4) SSL attack prevention; (5) L7 iRules; Web Tier, App Tier, DB Tier, N+1 Tier]
Security framework
Creating a multi-layer security framework with F5:
- 5) Web Application Firewall for intelligent L7 attack prevention
- 6) Identify and block attack origins with Geolocation
- 7) Real-time forensics and threat response with intelligent logging
[Diagram labels: Primary Data Center; (1) DNS Express + GTM, Infoblox; (2) Full Proxy mode; (3) SYN Check, ICMP Flood Mitigation; (5) L7 iRules; (6) ASM; (7) Geolocation identifies origin of attacks; (8) Access logged for analysis and response; Web Tier, App Tier, DB Tier, N+1 Tier, Log Servers]
Case Study: Attacks at Online Service Company
Problem: Company's existing security solutions could not protect servers from attack using 3 tier DDoS methodology
- LOIC (L4 connection DDoS)
- Slowloris (L7 DDoS)
- ICMP attack (Ping of death etc.)
Existing solutions
- ISP border router blacklist
- IPS device in Stateless mode
- Integrated LB + FW chassis device
F5 Solution
- Absorb LOIC attack with TCP proxy
- Reroute Slowloris attack to special servers for forensics and to free service platform from the attack
Call to Action
- Create initiatives to understand your (new) customer base and what services can keep their loyalty
- Build an agile infrastructure, as well as application environment that will enable you to quickly deploy new services
- Examine your needs for compliance, governance, and security
- Deploy mechanisms that will allow for faster analysis, faster response, and faster resolution to security, governance, and compliance issues
2012 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5.