F5 Networks Traffic Management by Design: Presented By: Jürg Wiesmann Field System Engineer, Switzerland


F5 Networks

Traffic Management by Design

Presented by:
Jürg Wiesmann
Field System Engineer, Switzerland
[email protected]
Company Snapshot
Leading provider of solutions that optimize the security, performance & availability of IP-based applications
Founded 1996 / Public 1999
Approx. 1,010 employees
FY05 Revenue: $281M
FY06 Revenue: $394M
– 40% Y/Y Growth


Clear Leader in Application Delivery

[Figure: Gartner Magic Quadrant for Application Delivery Products. Axes: Ability to Execute, Completeness of Vision; quadrants: Challengers, Leaders, Niche Players, Visionaries. Vendors plotted: F5 Networks, Citrix Systems (NetScaler), Cisco Systems, Radware, Juniper Networks (Redline), Akamai Technologies, Nortel Networks, Netli, Stampede Technologies, Coyote Point Systems, Array Networks, Zeus Technology, Foundry Networks, NetContinuum]

• “F5 continues to build on the momentum generated by the release of v9.0. It commands over 50% market share in the advanced platform ADC segment and continues to pull away from the competition.”

• “F5 is one of the thought leaders in the market and offers growing feature richness. It should be high on every enterprise's shortlist for application delivery.”

Source: Gartner, December 2005


What CEOs, CFOs and CIOs are interested in

Low investment costs
– Reducing load on server infrastructure
Low service costs
– Simple problem, change and release management
– Fewer service windows
– Reduction of work during service windows
– Simple, secure and stable environments
High availability


Problem: Networks Aren’t Adaptable Enough

[Diagram: New Security Hole, High Cost To Scale and Slow Performance sit between the Network Administrator and the Application Developer, with a “?” over the Application]

Traditional Networks are Focused on Connectivity
Applications Focus on Business Logic and Functionality


How Do You Fix the Problem?

[Diagram: Multiple Point Solutions and More Bandwidth on the Network Administrator's side; the Application on the Application Developer's side]

Add More Infrastructure?
Hire an Army of Developers?


A Costly Patchwork

[Diagram: Users (Mobile Phone, PDA, Laptop, Desktop) → Point Solutions (DoS Protection, IPS/IDS, SSL Acceleration, Rate Shaping/QoS, Network Firewall, Application Load Balancer, Content Proxy, Acceleration/Transformation, WAN Traffic Optimization, Connection Compression, Application Firewall, Co-location) → Applications (SFA, CRM, ERP, Custom Application)]


The Better Application Delivery Alternative

The Old Way vs. The F5 Way

First with Integrated Application Security


F5’s Integrated Solution

[Diagram: Users (Mobile Phone, PDA, Laptop, Desktop, Co-location) → The F5 Solution: Application Delivery Network running on TMOS → Applications (CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom)]


The F5 Application Delivery Network

[Diagram: Users → International Data Center → Applications, all products running on TMOS]
BIG-IP Global Traffic Manager
BIG-IP Link Controller
BIG-IP Local Traffic Manager
WANJet
FirePass
BIG-IP Application Security Manager
BIG-IP Web Accelerator
iControl & iRules
Enterprise Manager


F5 Networks
Remote Access Today

Presented by:
Jürg Wiesmann
Field System Engineer, Switzerland
[email protected]

Current Issues

Mobile Workforce
– Unreliable access
– Worm/virus propagation
– High support costs
Employee on Home PC / Public Kiosk
– Limited application support
– Lack of data integrity
– Reduced user efficiency
Business Partners
– Complex access controls
– No application-level audits
– High support costs
Systems or Applications
– Complex API
– Unreliable access
– High support costs


IPSec provides transparent Network Access – BUT…

Needs a preinstalled client
Does not work well with NAT
No granular application access (network level only)
Hard to load balance
Is expensive to deploy


On the other hand, SSL VPN…

No preinstalled client software needed
Works on the transport layer – no problem with NAT
Works on port 80/443 – no problem with firewall/proxy
Easy to load balance
Offers granular application access
Is easy to deploy


Remote Access - Requirements

Any User: Employee, Partner, Supplier
Any Location: Hotel, Kiosk, Hot Spot, Desktop
Any Device: Laptop, Kiosk, Home PC, PDA/Cell Phone
Any Application: Web, Client/Server, Legacy
Highly Available: Global LB, Stateful Failover, Disaster Recovery
Secure: Data Privacy, Device Protection, Network Protection, Granular App Access, Detailed Audit Trail
Ease of Integration: AAA Servers, Directories
Ease of Use: Clientless, Instant Access, Simple GUI


Why not use IPSec?

[Same requirements diagram as on the Remote Access - Requirements slide: Any User, Any Location, Any Device, Any Application, Highly Available, Secure, Ease of Integration, Ease of Use]


FirePass® Overview

[Diagram: Any User on Any Device (Laptop, Kiosk, Mobile Device, Partner) → Internet → FirePass® with Dynamic Policies, secured by SSL → Authorized Applications via Portal Access, Specific Application Access or Intranet Network Access]


Simplified User Access

Standard browser
– Access to applications from anywhere
Select application
– Shortcuts automate application connections
No preinstalled client software required
– All access via a web browser


Access Types
Network Access
Application Access
– Application Tunnels
– Terminal Server
– Legacy Hosts
– X Windows
Portal Access
– Web Applications
– File Browsing (Windows, Unix)
– Mobile E-Mail
Desktop Access (Webtop)

Access Methods Summary

Portal Access
Benefits: Most Flexible, Any Device, Any Network, Any OS, Most Scalable, Browser Compatible, Secure Architecture, Restricted Resource Access, Host Level Application Proxy
Drawbacks: Limited Resource Access (Enterprise Web Apps/Resources, Webified Enterprise Resources), Limited Nonweb Applications

Application Access
Benefits: C/S Application Access, Legacy Application Access, Transparent Network Traversal, Any Network, Scalable Deployment, No Network/Addr. Configuration, Secure Architecture, Restricted Resource Access
Drawbacks: Limited Access Flexibility, OS/JVM Compatibility Issues, No Transient Kiosk Access, Client Security, Installation Privileges

Network Access
Benefits: Full Network Access (VPN), No Resource Restrictions
Drawbacks: More Limited Access, OS/JVM Compatibility Issues, Client Security, Installation Privileges


Adaptive Client Security

[Diagram: the policy applied depends on the type of client]
Kiosk/Untrusted PC – Kiosk Policy (Cache/Temp File Cleaner)
PDA – Mini Browser Policy
Laptop – Corporate Policy (Firewall/Virus Check)
Resources granted according to policy: Client/Server Application, Full Network, Terminal Servers, Files, Intranet, Email


Policy Checking with Network Quarantine

Deep Integrity Checking
– Specific antivirus checks
– Windows OS patch levels
– Registry settings
Quarantine Policy Support
– Ensure policy compliance
– Direct to quarantine network

[Diagram: FirePass® sends a compliant client to the Full Network and a non-compliant client to the Quarantine Network (“Please update your machine!”)]


Visual Policy Editor

Graphically associates a policy relationship between end-points, users and resources


Unique Application Compression

Results
Over 50% faster access
Supports compression for any IP application
Faster email & file access
Works across both dial-up and broadband


30 Minute Install
NEW

Quick Setup enables rapid installation and setup even for non-experts
Enterprise SSO Integration

[Diagram: Internet → FirePass® with Dynamic Policies → Netegrity SiteMinder → Web Servers]

HTTP forms-based authentication
Single sign-on to all web applications
Major SSO & identity management vendor support
– Netegrity, Oblix and others


Application Security

[Diagram: Internet → FirePass® → Web Servers, with ICAP AntiVirus servers attached to FirePass®]

Policy-based virus scanning
– File uploads
– Webmail attachments
Integrated scanner
Open ICAP interface
Web application security
– Cross-site scripting
– Buffer overflow
– SQL injection
– Cookie management


Product Lines

FirePass Product Line

A product sized and priced appropriately for every customer

FirePass 1200 – Medium Enterprise
25-100 Concurrent Users
• 25 to 500 employees
• Comprehensive access
• End-to-End security
• Flexible support
• Failover

FirePass 4200 – Large Enterprise
100-2000 Concurrent Users
• 500+ employees
• High performance platform
• Comprehensive access
• End-to-End security
• Flexible support
• Failover
• Cluster up to 10


FirePass Failover

[Diagram: redundant FirePass pair (Active unit and Hot standby) in front of the intranet application servers]

Redundant pair
– Stateful failover provides uninterrupted failover for most Internet applications (e.g. VPN connector)
Single management point
– Active unit is configured
– Configuration and state information is periodically synchronized
Separate SKU
– Active unit determines software configuration and concurrent users


FirePass 4100 Clustering

[Diagram: Internet → cluster master and cluster nodes → intranet application servers]

Clustered pair
– Up to 10 servers can be clustered for up to 20,000 concurrent users
– Master server randomly distributes user sessions
– Distributed (e.g. different sites) clusters are supported
Single management point
– Master server is configured
– Configuration information is periodically synchronized
Second FP 4100 Required
– Software features purchased on 2nd server


Case Study: FirePass® vs IPSec Client

300 end user accounts, high availability configuration

                           IPSec Client      FirePass®      Savings
Rollout
  Engineering              120 hrs           20 hrs         100 hrs
  Help Desk                200 hrs           60 hrs         140 hrs
  End User                 1 hrs + .5 hrs x 300             150 hrs
Sustaining
  Engineering              1.5 hrs/day       .5 hrs/day     1 hrs/day
  Help Desk                5 hrs/day         2 hrs/day      3 hrs/day
  End User                 0                 0              0

Savings: 390 hours for rollout, 20 hours/week sustaining

80% user callback for IPSec Client; 15% for FirePass
25 users unable to use IPSec Client; 2 specific hotel room issues w/FirePass


Summary of Benefits

Increased productivity
– Secure access from any device, anywhere
– No preinstalled VPN clients
Reduced cost of ownership
– Lower deployment costs
– Fewer support calls
Improved application security
– Granular access to corporate resources
– Application layer security and audit trail


Partnerships

“F5's BIG-IP has been designed into a number of Oracle's mission-critical architectures, such as the Maximum Availability Architecture.”
Julian Critchfield, Vice President, Oracle Server Technologies

“Microsoft welcomes F5 Networks' support of Visual Studio 2005… F5 complements our strategy by providing our mutual customers with a way to interact with their underlying network.”
Christopher Flores, Group Product Manager in the .NET Developer Product Management Group at Microsoft Corp.


Services & Support

Expertise – F5 offers a full range of personalized, world-class support and services, delivered by engineers with in-depth knowledge of F5 products.

Software Solution Updates – Customers with a support agreement receive all software updates, version releases, and relevant hot fixes as they are released.

Flexibility – Whatever your support demands, F5 has a program to fit your needs. Choose from our Standard, Premium, or Premium Plus service levels.

Full Service Online Tools – Ask F5 and our Web Support Portal.

Fast Replacements – F5 will repair or replace any product or component that fails during the term of your maintenance agreement, at no cost.


F5 Services

SERVICES & SUPPORT
Expertise – World-class support and services, delivered by engineers with in-depth knowledge of F5 products.
Software Solution Updates – Software updates, version releases, and relevant hot fixes as they are released.
Flexibility – Standard, Premium, or Premium Plus service levels.
Full Service Online Tools – Ask F5 and our Web Support Portal.
Fast Replacements – F5 will repair or replace any product or component that fails during the term of your maintenance agreement, at no cost.

CERTIFIED GLOBAL TRAINING
Expert Instruction – With highly interactive presentation styles and extensive technical backgrounds in networking, our training professionals prepare students to perform mission-critical tasks.
Hands-On Learning – Theoretical presentations and real-world, hands-on exercises that use the latest F5 products.
Convenience – Authorized Training Centers (ATCs) strategically located around the world.
Knowledge Transfer – Direct interaction with our training experts allows students to get more than traditional “text book” training.

PROFESSIONAL SERVICES
Experience – F5 Professional Consultants know F5 products and networking inside and out. The result? The expertise you need the first time.
High Availability – Our experts work with you to design the best possible high-availability application environment.
Optimization – Our consultants can help you fine tune your F5 traffic management solutions to maximize your network’s efficiency.
Knowledge Transfer – Our professionals will efficiently transfer critical product knowledge to your staff, so they can most effectively support your F5-enabled traffic management environment.


F5 Networks Globally

[Map: Seattle, EMEA, Japan, APAC]
International HQ – Seattle
Regional HQ / Support Center
F5 Regional Office
F5 Dev. Sites – Spokane, San Jose, Tomsk, Tel Aviv, Northern Belfast


F5 Networks
Message Security Module

Presented by:
Jürg Wiesmann
Field System Engineer, Switzerland
[email protected]
The Message Management Problem

Out of 75 billion emails sent worldwide each day, over 70% is spam!
The volume of spam is doubling every 6-9 months!
Clogging networks
Cost to protect is increasing

[Chart: TrustedSource Reputation Scores, Nov 2005 vs Oct 2006; higher score = worse reputation]


Typical Corporate Pain


Employees still get spam
Some are annoying, some are offensive
Infrastructure needed to deal with spam is expensive!
– Firewalls
– Servers
– Software (O/S, anti-spam licenses, etc.)
– Bandwidth
– Rack space
– Power
Budget doesn’t match spam growth
Legitimate email delivery slowed due to spam
47

Why is this happening?

Spam really works!


Click rate of 1 in 1,000,000 is successful
Spammers are smart professionals
– Buy the same anti-spam technology we do
– Develop spam to bypass filters
– Persistence through trial and error
– Blasted out by massive controlled botnets
Professional spammers have
– Racks of equipment
– Every major filtering software and appliance available
– Engineering staff
It’s not just annoying…it can be dangerous.

2% of all email globally contains some sort of malware.
– Phishing
– Viruses
– Trojans (zombies, spyware)


High Cost of Spam Growth

Spam volume increases
Bandwidth usage increases
Load on Firewalls increases
Load on existing messaging security systems increases
Emails slow down
Needlessly uses up rackspace, power, admin time…

[Diagram: DMZ – Firewall → Messaging Security → Email Servers]


MSM Blocking At the Edge

[Diagram: Emails → First Tier: BIG-IP MSM → Second Tier: Messaging Security Server → Mail Servers]
BIG-IP MSM: terminating 70% of the spam at the “e hello” (the SMTP EHLO greeting, i.e. before any message content is accepted)
Messaging Security Server: filters out 10% to 20% of spam
Works with any Anti-Spam Solution


Why TrustedSource?

Industry Leader
– Solid Gartner reviews & MQ
– IDC market share leader
Superior technology
Stability
52

TrustedSource: Leading IP Reputation DB

View into over 25% of email traffic


50M+ IP addresses tracked globally
Data from 100,000+ sources; 8 of 10 largest ISPs
Millions of human reporters and honeypots
53

TrustedSource

GLOBAL DATA MONITORING
IntelliCenter locations: London, Portland, Atlanta, Hong Kong, Brazil
Messages analyzed per month:
• 10 Billion Enterprise
• 100 Billion Consumer

AUTOMATED ANALYSIS
Dynamic computation of reputation score (scale from Bad to Good)

Global data monitoring is fueled by the network effect of real-time information sharing from thousands of gateway security devices around the world


Shared Global Intelligence

Physical World
Deploy agents
– Officers around the globe (Police, FBI, CIA, Interpol)
Global intelligence system
– Share intelligence information
– Example: criminal history, global fingerprinting system
Results
– Effective: Accurate detection of offenders
– Pro-active: Stop them from coming into the country

Cyber World
Deploy security probes
– Around the globe (firewalls, email gateways, web gateways)
Global intelligence system (IntelliCenter: London, Portland, Atlanta, Hong Kong, Brazil)
– Share cyber communication info
– Example: spammers, phishers, hackers
Results
– Effective: Accurate detection of bad IPs, domains
– Pro-active: Deny connection to intruders to your enterprise


TrustedSource Identifies Outbreaks Before They Happen

[Timeline: 9/12/05 TrustedSource flagged zombie – 11/02/05 other reputation systems – 11/03/05 A/V signatures triggered]

♦ 11/01/05: This machine began sending Bagle worm across the Internet
♦ 11/03/05: Anti-virus signatures were available to protect against Bagle
♦ Two months earlier, TrustedSource identified this machine as not being trustworthy


Content Filters Struggle to ID certain spam

Image-based spam
Hashbusting
Scratches


Summary of Benefits

Eliminate up to 70% of spam upon receipt of first packet
Reduce cost for message management
– TMOS module – high performance, cost-effective spam blocking at the network edge
– Integrated into BIG-IP to avoid box proliferation
Improved scalability and message control
– Reputation-based message distribution and traffic shaping
Slightly increase kill-rate on unwanted email


Packaging License Tiers

License tiers:
– BIG-IP LTM Only
– MSM for up to 1,000 Mailboxes
– MSM for up to 5,000 Mailboxes
– MSM for up to 10,000 Mailboxes
– MSM for up to 25,000 Mailboxes
– MSM for up to 50,000 Mailboxes
– MSM for up to 75,000+ Mailboxes
– MSM for up to 100,000 Mailboxes
– MSM for over 100,000 Mailboxes

Version support: 9.2 and higher
Module may be added to any
– LTM or Enterprise
– No module incompatibilities with other modules
Licensed per BIG-IP by number of mailboxes
BIG-IP platform sizing depends on:
– Email volume
– Number of BIG-IPs
– Other functions expected of BIG-IP (additional taxes on CPU time)


How BIG-IP MSM Works

[Diagram: each connection from the Internet is looked up against the Secure Computing TrustedSource™ IP reputation score via a DNS query, then handled by score]
– 70% Bad? → Drop first & subsequent packets
– 20% Suspicious? → Slow Pool → Existing Messaging Security → Email Servers
– 20% Good? → Fast Pool → Existing Messaging Security → Email Servers
– 10% Trusted? → Email Servers
– 10% Bad? (after Existing Messaging Security) → Error Msg for clean termination, Delete Message


Spam Volumes Out of Control

[Chart: % of worldwide email that is spam, rising from 70% in Nov 2005 to 85% in Oct 2006]


Hard-to-detect Image Spam is Growing

[Chart: image spam as percent of total email, weekly from April to October 2006, y-axis 0% to 35%]


Reputation-based Security Model

Step      Physical World (Credit)            Cyber World
Track     Businesses & Individuals           IPs, Domains, Content, etc.
Compile   Business Transactions:             Cyber Communication:
          • Purchases                        • Email exchanges
          • Mortgage, Leases                 • Web transaction
          • Payment transactions             • URLs, images
Compute   Credit Score:                      Reputation Score:
          • Timely payment                   • Good IPs, domains
          • Late payment                     • Bad
          • Transaction size                 • Grey – marketing, adware
Use       Allow / Deny Credit:               Allow / Deny Communication:
          • Loan                             • Stop at FW, Web Proxy, Mail gateway
          • LOC                              • Allow
          • Credit terms                     • Quarantine

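A small worked version of the track/compile/compute/use pipeline on this slide and the routing decision on the "How BIG-IP MSM Works" slide, added here as an illustration; it is not F5 or Secure Computing code. The event categories, weights, thresholds and probe feed are all constructed assumptions; the slides only state that a higher score means a worse reputation and that a sender is dropped at the first packet, sent to a slow pool, a fast pool, or passed straight through depending on its score.

```python
"""Reputation-based edge filtering (track -> compile -> compute -> use).
Added illustration, not F5 or Secure Computing code; event categories,
weights, thresholds and the probe feed are constructed assumptions."""
from typing import Dict, Iterable, List, Tuple

# Actions on a connecting IP, using the labels from the MSM slide.
DROP = "drop-at-first-packet"   # worst: reset at EHLO, no message content accepted
SLOW_POOL = "slow-pool"         # suspicious: rate-limited pool, full content filtering
FAST_POOL = "fast-pool"         # good: normal pool, full content filtering
TRUSTED = "trusted"             # best: straight to the mail servers

# Assumed weight of each bad observation and assumed thresholds on a 0..100 score.
WEIGHTS = {"honeypot": 3.0, "spam_report": 1.5, "grey": 0.5}
DROP_AT, SLOW_AT, FAST_AT = 80.0, 50.0, 20.0


class ReputationDB:
    def __init__(self) -> None:
        self._evidence: Dict[str, List[float]] = {}  # ip -> [bad_weight, good_weight]

    def record(self, ip: str, event: str) -> None:
        """Track/compile step: one observation reported by a probe."""
        bad_good = self._evidence.setdefault(ip, [0.0, 0.0])
        if event == "good":
            bad_good[1] += 1.0
        elif event in WEIGHTS:
            bad_good[0] += WEIGHTS[event]
        else:
            raise ValueError(f"unknown event type: {event}")

    def score(self, ip: str) -> float:
        """Compute step: 0..100, higher = worse (the slides' convention).
        An IP with no history scores 50 and is therefore treated as suspicious."""
        bad, good = self._evidence.get(ip, [0.0, 0.0])
        total = bad + good
        return 50.0 if total == 0 else round(100.0 * bad / total, 1)

    def action_for(self, ip: str) -> str:
        """Use step: decided when the connection arrives, before any content."""
        s = self.score(ip)
        if s >= DROP_AT:
            return DROP
        if s >= SLOW_AT:
            return SLOW_POOL
        return FAST_POOL if s >= FAST_AT else TRUSTED

    def triage(self, ips: Iterable[str]) -> Dict[str, int]:
        """Bucket a batch of connecting IPs the way the slide's flow diagram does."""
        counts = {DROP: 0, SLOW_POOL: 0, FAST_POOL: 0, TRUSTED: 0}
        for ip in ips:
            counts[self.action_for(ip)] += 1
        return counts


# Constructed probe feed (RFC 5737 documentation addresses, not real senders).
SAMPLE_EVENTS: Tuple[Tuple[str, str], ...] = (
    ("203.0.113.7", "honeypot"), ("203.0.113.7", "spam_report"),
    ("203.0.113.7", "spam_report"), ("203.0.113.7", "good"),
    ("198.51.100.22", "grey"), ("198.51.100.22", "grey"), ("198.51.100.22", "good"),
    ("192.0.2.40", "spam_report"), *[("192.0.2.40", "good")] * 5,
    *[("192.0.2.99", "good")] * 10,
)


def build_sample_db() -> ReputationDB:
    db = ReputationDB()
    for ip, event in SAMPLE_EVENTS:
        db.record(ip, event)
    return db
```

With the sample feed, the honeypot-hitting sender is dropped at the first packet, the grey-listed and the never-seen senders land in the slow pool, and only the sender with a clean history bypasses the filters.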

Backup Slides

Firepass
65

Windows Logon (GINA Integration)

Key Features
– Transparent secure logon to corporate network from any access network (remote, wireless and local LAN)
– Non-intrusive and works with existing GINA (no GINA replacement)
– Drive mappings/Login scripts from AD
– Simplified installation & setup (MSI package)
– Password mgmt/self-service

Customer Benefits
– Unified access policy mgmt
– Increased ROI
– Ease of use
– Lower support costs


Configuring Windows Logon


67

Windows Installer Service

Problem
– Admin user privileges required for network access client component updates

Solution
– Provide a user service on the client machine which allows component updates without admin privileges


Network Access Only WebTop

Simplified webtop interface
Automatically minimizes to system tray


Windows VPN Dialer

Simple way to connect for users familiar with dial-up


70

FirePass Client CLI

“f5fpc <cmd> <param>”
where <cmd> options are:
– start
– info
– stop
– help
– profile

Single sign-on from 3rd party clients (iPass)


Auto Remediation
72

Dynamic AppTunnels
Feature Highlights
– No client pre-installation
– No special admin rights for on-demand component install
– No host file re-writes
– Broader application interoperability (complex web apps, static & dynamic ports)
Benefits
– Lower deployment and support costs
– Granular access control


Configuring Dynamic AppTunnels

Web Apps

Client/Server
Apps
