Application-centric Datacenter Management
Ralf Brünig, F5 Networks GmbH, Field Systems Engineer, March 2014
Index
- Application Delivery Controller (ADC)
- Proxy
- ADC Advanced Features
- Application Management
- Optional: Reference Architectures
F5 Networks, Inc 2
Application Delivery Controller (ADC): The central point of control
Network Load Balancer
- Spreads load over several servers
- Static or dynamic load-balancing algorithm
- Session persistence per server
(Diagram: clients reach the load balancer over the Internet; the load balancer distributes to three servers)
Network Load Balancer: Availability and Maintenance
- Availability: monitoring of the server pool; a server that is not available is taken out of the load balancing (marked down by the monitor)
- Maintenance: set a server into maintenance mode; existing sessions can be allowed to finish on it or moved to a different server
(Diagram: clients over the Internet to the pool; one server marked down by the monitor, one server in maintenance mode)
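The pool behaviour of the last two slides (monitor marks a failed server down, maintenance mode either drains or moves persistent sessions, new sessions are spread over the remaining members), as an added example that is not F5 code; the round-robin algorithm and the drain flag are assumptions made for the example:

```python
# Added example (not F5 code): a small model of the pool behaviour on the slides.
# The monitor marks failed servers down, maintenance mode either drains or moves
# persistent sessions, and new sessions are spread round-robin over what remains.
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    healthy: bool = True        # set by the monitor
    maintenance: bool = False   # set by the operator


@dataclass
class Pool:
    servers: list
    drain_existing: bool = True  # maintenance: keep existing sessions (True) or move them (False)
    persistence: dict = field(default_factory=dict)  # session id -> server name
    rr: int = 0

    def monitor(self, probe):
        """Run the health probe over every member; failures are marked down."""
        for s in self.servers:
            s.healthy = bool(probe(s))

    def set_maintenance(self, name, on=True):
        for s in self.servers:
            if s.name == name:
                s.maintenance = on

    def available(self):
        return [s for s in self.servers if s.healthy and not s.maintenance]

    def select(self, session_id):
        """Pick the server for a session, honouring persistence, health and maintenance."""
        by_name = {s.name: s for s in self.servers}
        stuck = by_name.get(self.persistence.get(session_id))
        if stuck is not None and stuck.healthy:
            # A persisted session stays on a member in maintenance only while draining.
            if not stuck.maintenance or self.drain_existing:
                return stuck.name
        members = self.available()
        if not members:
            raise RuntimeError("no available servers in pool")
        chosen = members[self.rr % len(members)]  # static round robin
        self.rr += 1
        self.persistence[session_id] = chosen.name
        return chosen.name
```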
Application Delivery Controller (ADC): TCP/UDP Full Proxy
- Performance: separate, optimal adaptation to the server-side and the client-side TCP stack; separate optimisation for each channel's needs (WAN/LAN optimisation)
- Security: malformed TCP/UDP packets are dropped; SYN flooding protection
(Diagram: WAN-optimised client side, ADC, LAN-optimised server side)
Application Delivery Controller (ADC): Offloading
An ADC can offload tasks from the application server:
- Reduce the number of servers
- Reduce power consumption
- Centralize SSL key management
(Diagram: ADC providing SSL offload, fast cache, compression, OneConnect and logging in front of the servers)
Application Delivery Controller (ADC): Traffic Steering and Header Enrichment
- Traffic steering based on header information, URI, hostname, etc.
- Header enrichment: SSL on, client certificate information, X-Forwarded-For, user name, etc.
(Diagram: ADC steering requests to several server pools)
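Header enrichment as the slide describes it (X-Forwarded-For and client certificate information added by the ADC), together with the check a backend needs so that it only believes values the ADC added and not values a client put into the same headers itself. This is an added example, not F5 code; the trusted proxy range, the header names X-Forwarded-Proto and X-SSL-Client-CN, and all addresses are constructed assumptions.

```python
# Added example (not F5 code): header enrichment on the ADC side and safe use of the
# enriched X-Forwarded-For header on the backend. Addresses are constructed samples;
# the trusted proxy range and the header names are assumptions for this example.
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed ADC address range
ENRICHED = ("x-forwarded-for", "x-forwarded-proto", "x-ssl-client-cn")


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def enrich_headers(headers, peer_ip, tls_client_cn=None):
    """ADC side: record the connecting peer and TLS facts for the server.
    Enrichment headers the client supplied itself are discarded first, so a client
    cannot pre-fill a certificate name or protocol claim; its X-Forwarded-For chain
    is kept only as an untrusted prefix, with the real peer appended after it."""
    out = {k: v for k, v in headers.items() if k.lower() not in ENRICHED}
    prior = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    prior = prior.strip()
    out["X-Forwarded-For"] = f"{prior}, {peer_ip}" if prior else str(peer_ip)
    out["X-Forwarded-Proto"] = "https"
    if tls_client_cn:
        out["X-SSL-Client-CN"] = tls_client_cn
    return out


def client_ip(xff, backend_peer_ip):
    """Backend side: derive the client address from X-Forwarded-For.
    Believe the header only when the request arrived from a trusted proxy; then,
    walking from the right, the first hop that is not a trusted proxy is the client.
    Returns None when the header is malformed or names no untrusted hop."""
    if not is_trusted(backend_peer_ip):
        return str(backend_peer_ip)  # not behind the ADC: the header is unverified
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: do not guess
        if not is_trusted(hop):
            return hop
    return None
```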
Application Delivery Controller (ADC): HTTP 1.1
- One TCP connection, single stream, request pipelining
(Diagram: clients over the Internet to the ADC on a single TCP connection; L7 message handling dispatches logo.jpg and index.html to the web server, image server and video server)
Application Delivery Controller (ADC): HTTP 2.0/SPDY
- One TCP connection, parallel streams, request pipelining
(Diagram: clients over the Internet to the ADC on a single TCP connection; L7 message handling dispatches logo.jpg, index.html and 007.mov to the web server, image server and video server)
Application Delivery Controller (ADC): HTTP 2.0/SPDY Packet Encoding
- One TCP connection, parallel streams, request pipelining
- Response packets: TCP packets contain interlaced fragments from the parallel streams, for performance!
(Diagram: same topology as the previous slide, with the response packets on the single TCP connection carrying interleaved fragments of logo.jpg, index.html and 007.mov)
Proxy
Two Use Cases: Inbound and Outbound
Inbound (www hosting: Internet to datacenter servers)
- Characteristics: SSL offload and acceleration; provides visibility for traffic management; Internet-facing front-end to control and protect access to a server
- Deployment models: SSL Offload, SSL Transformation, Proxy SSL (Split)
Outbound (corporate users to the Internet)
- Characteristics: control user activity; sanitize traffic; takes requests from an internal network and forwards them to the Internet or a cloud app
- Deployment model: SSL Forward Proxy
Full Intelligence Requires a Full Proxy
Intelligent full proxy benefits:
- Application point of delivery and definition
- Application intelligence: layer 3-7 visibility
- Distinct client/server control
- Unified services/context
- Interoperability and gateway functions
(Diagram: separate client-side and server-side stacks, physical, network, session, application and web application layers, with the full proxy in between)
IT = complete control; Business = reduced delivery costs
Inbound Secure Application Delivery: Deployment Models
(Diagram of the three models: SSL Offload, HTTPS on the client side to HTTP (or SPDY) on the server side; SSL Transformation, HTTPS with a 4K key on the public side to HTTPS with a 2K key on the private side, ECC public-facing and RSA internally; Proxy SSL (Split/Reverse), HTTPS on both sides with client cert and server cert, L3-L7 performance)
SSL Forward Proxy: Outbound Use Case
Enterprise network visibility and control for outbound encrypted traffic.
What's new: SSL Forward Proxy provides the ability to centralize SSL traffic monitoring and management through an SSL forward proxy, transparent to the end-user experience.
- Visibility into all SSL traffic with Proxy SSL or SSL Forward Proxy, providing complete control for both ingress and egress traffic
- Control all aspects of application traffic, even if encrypted
- Gain greater business value through integrated services
- Transparent to the end-user experience
(Diagram: internal clients, client cert, SSL forward proxy, server cert, Internet, www hosting and cloud services)
ICAP Services: SSL Secure Application Delivery Forward Proxy
ICAP services provide value-added services such as video and image optimization, virus scanning, and content filtering.
Request and Response ADAPT profiles steer traffic to the internal virtual server, which encapsulates the traffic in ICAP to be modified (or not) by the ICAP servers.
Content adaptation: ad insertion, IDS/DLP, virus scanning, video localization, other
- Steer HTTP/S traffic to an ICAP service for content adaptation
- Modify the HTTP/S request and/or response
- Stream the connection as long as a match exists
- iRules supported for added flexibility
(Diagram: clients send HTTP/S requests through the proxy to the servers and receive HTTP/S responses; the ICAP services sit beside the proxy)
Enable Simplified Application Access with BIG-IP Access Policy Manager (APM)
(Diagram: users reach SharePoint, OWA, cloud-hosted virtual desktops, web servers and applications App 1 to App n through BIG-IP Local Traffic Manager + Access Policy Manager, backed by a directory)
Web Application Firewall
Flow: request made; BIG-IP ASM security policy checked; server response; enforcement, BIG-IP ASM applies the security policy; secure response delivered (the vulnerable application sits behind ASM)
- Maintain security at the application, protocol, and network levels
- Launch secure applications protected from vulnerabilities
Advanced Attack and Traffic Reporting: ASM on BIG-IP dashboard
A Firewall Built for the Data Center
Protecting the Data Center
(Diagram: before F5, separate functions for firewall, network DDoS, application DDoS, web access management, load balancer and DNS security; with F5, load balancer and SSL plus web application firewall)
IP Intelligence: IP Intelligence Service
WAN Acceleration (AAM Base and AAM Full)
(Diagram of features: deduplication; SSL encryption; IPsec encryption; HTTP, MAPI, CIFS and HLS protocol handling; symmetric adaptive compression; TCP optimization with congestion control, buffers and window size; bandwidth allocation; SPDY; dynamic caching; forward error correction; HTTP compression)
Global Service Load Balancing (GSLB)
- Manages traffic between data centers
- Enables dynamic application migration
- Optimizes performance
- Increases availability
(Diagram: BIG-IP Global Traffic Manager between the London and New York data centers)
DNS DDoS Protection
Conventional DNS thinking: adding performance = adding DNS boxes
(Diagram: Internet, external firewall, DNS load balancing, array of DNS servers in the DMZ, internal firewall, hidden master DNS in the datacenter)
- Weak DoS/DDoS protection
- The firewall is THE bottleneck
Paradigm shift: F5 DNS delivery reimagined
(Diagram: Internet, DNS firewall with DNS DDoS protection, master DNS infrastructure)
- Massive performance: over 10M RPS!
- Best DoS/DDoS protection; protocol validation
- Authoritative DNS, caching resolver, transparent caching
- High-performance DNSSEC, DNSSEC validation
- Simplified management (partner); less CAPEX and OPEX
- Intelligent GSLB
Secure DNS Query Response
(Diagram: the LDNS queries example.com; the answer 123.123.123.123 plus public key is returned from the DMZ, with the DNS servers and apps in the data center behind it)
- Simple DNSSEC: protection from cache poisoning and reduced management costs
- Ensure trusted DNS queries with dynamically signed responses
- Implement BIG-IP GTM in front of existing DNS servers
Filter and Control Site Access: F5 DNS iRules Blacklist
- Filter outbound DNS queries
- Prevent access to malware sites
- Eliminate web proxies for DNS
- Improve site performance and scalability
(Diagram: data center clients, DNS filtering, Internet sites)
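The blacklist filtering described on this slide (outbound DNS queries checked against a list of malware domains before they leave the data center), as an added example that is not F5 code or an iRule. It goes slightly beyond the slide: it works on raw DNS wire format and answers blocked names locally with NXDOMAIN; the blocklist, the choice of NXDOMAIN as the local answer and the query builder are assumptions for the example.

```python
# Added example (not F5 code): filter raw DNS queries against a domain blocklist.
# Blocked names (and any subdomain of them) are answered locally with NXDOMAIN,
# everything else is passed through. The blocklist is a constructed sample.
import struct

BLOCKLIST = {"malware.example", "bad.example"}   # constructed sample blocklist


def parse_qname(packet):
    """Return (qname, offset after the question) from a raw DNS query."""
    labels, pos = [], 12   # the DNS header is 12 bytes
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower(), pos + 4   # skip QTYPE and QCLASS


def is_blocked(qname):
    """Match the name itself or any parent domain against the blocklist."""
    parts = qname.rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def filter_query(packet):
    """Return None to let the query through, or an NXDOMAIN response to send back."""
    qname, qend = parse_qname(packet)
    if not is_blocked(qname):
        return None
    tid, flags = struct.unpack("!HH", packet[:4])
    rd = flags & 0x0100
    resp_flags = 0x8000 | rd | 0x0080 | 3   # QR=1, RD copied, RA=1, RCODE=3 (NXDOMAIN)
    header = struct.pack("!HHHHHH", tid, resp_flags, 1, 0, 0, 0)
    return header + packet[12:qend]   # echo the question section


def build_query(name, tid=0x1234):
    """Constructed helper: build an A/IN query for name (no real resolver involved)."""
    q = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in name.split("."))
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + q + b"\x00" + struct.pack("!HH", 1, 1)
```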
Application Management
BIG-IP V10 and V11: from managing objects (V10) to managing applications and services (V11)
BIG-IP V11: Managing Application Services
F5 iApps: managing application services, not network devices or objects.
F5 iApp: Connecting People and Process
F5 iApp: How It Works
- iApp templates allow for business-policy-driven configuration and IT collaboration
- iApp drives automation and provisioning
- Changes can quickly be made and reapplied
- iApps are portable between F5 devices, enabling rapid migration
- Every service is reusable
Completing the SDN Stack
(Diagram: application plane with BIG-IQ Device, BIG-IQ Security and BIG-IQ Cloud in the software-defined data center; control plane with the SDN controller, virtual networks, northbound interfaces (NBI), open REST APIs and BIG-IQ; data plane with NVGRE, VXLAN, etc. and service chaining across layer 2-3 and layer 4-7)
Cisco Application Centric Infrastructure: Network Fabric for the F5 Application Fabric
Policy-controlled application fabric (L4-L7, stateful):
- Automated device onboarding
- Automatic network fabric provisioning
- L4-L7 policy defined in service chains
- Device- and service-level health checks
Policy-controlled network fabric (L2-L4, stateless):
- Automated isolation provisioning
- Granular L2-L4 path decisions
- Dynamic QoS and SLAs
What Is BIG-IQ? Architecture
(Diagram: management plane, data plane, applications)
The BIG-IQ Vision
(Diagram: BIG-IQ managing BIG-IP devices across the data center, hybrid cloud and public cloud)
BIG-IQ Abstraction Layer
(Diagram: admin and tenant roles; management plane with the iApps catalog; data plane with applications deployed from iApps, the Spare Part Portal, HR Portal and Team Portal, each with a bandwidth limit of 1 Gbit, 10 Mbit or 1 Mbit; users)
BIG-IQ and BIG-IP Solution Diagram for Cloud Architectures
(Diagram: provider portal and tenant portal; cloud orchestrators, iApp lifecycle management and cloud connectors; private or public cloud (Amazon Web Services) and data centers, each on the BIG-IP platform; tenants 1, 2 and 3 & 4 with their apps)
Questions?
Reference Architectures
DDoS Protection Reference Architecture
(Diagram: DDoS attacker and legitimate users arrive via ISP a/b with a multiple-ISP strategy and a cloud scrubbing service; Tier 1 network and DNS (next-generation firewall, IPS) and Tier 2 application protect financial services, e-commerce and subscriber applications; threat feed intelligence; corporate users; strategic point of control)
Attack categories:
- Network attacks: ICMP flood, UDP flood, SYN flood
- SSL attacks: SSL renegotiation, SSL flood
- DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
- HTTP attacks: Slowloris, slow POST, recursive POST/GET
- Threat sources: scanners, anonymous proxies, anonymous requests, botnet attackers
Optimized DNS: Offload to the Edge
(Diagram: Tier 1 DMZ with DNSSEC, IP geolocation and DNS DDoS protection on TCP/UDP port 53 in front of the primary DNS; Tier 2 application delivery with application health, context based on geographical location, threat intelligence and IP intelligence on TCP port 80/443; legitimate visitors and legitimate queries via the LDNS; malicious attackers, DNS attacks and web bot attackers; strategic point of control)
- Intelligent and scalable DNS services
- Manageable and predictable data center utilization
- Easy integration into existing DNS infrastructure for high availability and security
- Support over 10 million DNS responses per second (RPS)
F5 Cloud Federation Architecture
(Diagram: corporate users and attackers; on-premises infrastructure with access management, directory services and corporate applications; SAML identity federation to the SaaS providers Office 365, Google Apps and Salesforce; strategic point of control)
- SAML identity management
- Multi-factor authentication
- Real-time access control
- Access policy enforcement
- Identity federation
F5 Cloud Migration Architecture
(Diagram: on-premises infrastructure with line-of-business applications owned by business unit application managers and their users; administrators; cloud management by a cloud administrator and a beta user; cloud hosting provider running the application on BIG-IP VE; strategic point of control)
On-premises: global load balancing, infrastructure monitoring, advanced reporting, load balancing, custom business logic, application health, SSL management, DNS
Cloud: automated application delivery network, health/performance monitoring, BIG-IP VE deployment, load balancing, custom business logic, application health, SSL management