Slide 1: F5 Traffic Optimization
Radovan Gibala, Field Systems Engineer
[email protected]
+420 731 137 223
2007
Slide 2: Evolution of the Data Center
[Timeline diagram; labels recovered from the slide:]
1999: Gigabit Ethernet; limited bandwidth; slow app servers; islands of apps; limited functionality; limited webification; wired access; limited server scale
2007: 10GbE; broadband; fast servers; integrated / rich content; pervasive access; SSL everywhere; mobility; “Exaflood” traffic
2010: on-demand, dynamic application & network services; access virtualization; application virtualization; data virtualization; network virtualization
Slide 3: Datacenter Without F5 & ADN
[Diagram: each client type (cell phone, PC at home, laptop in a coffee shop, PC on the LAN, PC over the WAN) talks to its own silo of web server, application server, database (MS SQL Server, Oracle, MySQL Server) and storage (NetApp, EMC, Windows file storage).]
Slide 4: Datacenter With F5’s ADN
[Diagram: clients (remote WAN, PC on the LAN, WLAN, PC at home, cell phone) reach a shared pool of web servers through Web Server Virtualization (LTM), a shared pool of application servers through Application Server Virtualization (LTM), and the NetApp, EMC and Windows file storage through File Storage Virtualization (ARX).]
Slide 5: Globalization: Success = Collaboration
“Over the next 15 years markets will become even more global, functions within their organizations will atomize across geographies and partners, and competition will intensify from new corners of the world.”
- Economist Intelligence Unit, Foresight 2020 Study
Slide 6: Business drivers
[Diagram of the drivers:]
• Business Continuity HA / Disaster Recovery
• User Experience & App Performance
• App Security & Data Integrity
• Managing Scale & Consolidation
• Unified Security Enforcement & Access Control
Slides 7 and 8: Business drivers mapped to People, Apps and Data
[Diagram (slide 8 repeats slide 7): the drivers arranged around three axes, People, Apps and Data:]
• Business Continuity HA / Disaster Recovery
• User Experience & App Performance
• App Security & Data Integrity
• Managing Scale & Consolidation
• Storage Growth
• Unified Security Enforcement & Access Control
Slide 9: Business drivers and the capabilities behind them
[Diagram; drivers grouped around People, Apps and Data:]
Business Continuity HA / Disaster Recovery
• WAN Virtualization
• File Virtualization
• DC to DC Acceleration
• Virtualized VPN Access
App Security & Data Integrity
• AAA
• Data Protection
• Transaction Validation
User Experience & App Performance (People)
• Asymmetric & Symmetric Acceleration
• Server Offload
• Load Balancing
Managing Scale & Consolidation (Apps, Data)
• Virtualized App & Infrastructure
• Server & App Offload
• Load Balancing
Unified Security Enforcement & Access Control
• Remote, WLAN & LAN Central Policy Enforcement
• End-Point Security
• Encryption
• AAA
Storage Growth
• Virtualization
• Migration
• Tiering
• Load Balancing
Slide 10: Application Delivery Network – products mapped to the drivers
[Diagram; the F5 products shown next to each driver:]
App Security & Data Integrity – BIG-IP LTM • ASM • FirePass
• AAA
• Data Protection
• Transaction Validation
Business Continuity HA / Disaster Recovery – BIG-IP LTM • GTM • LC • WA • FirePass • ARX • WJ
• WAN Virtualization
• File Virtualization
• DC to DC Acceleration
• Virtualized VPN Access
User Experience & App Performance (People) – BIG-IP LTM • GTM • WA • ARX • WJ
• Asymmetric & Symmetric Acceleration
• Server Offload
• Load Balancing
Managing Scale & Consolidation (Apps, Data) – BIG-IP LTM • GTM • LC • WA • FirePass • ARX • WJ
• Virtualized App & Infrastructure
• Server & App Offload
• Load Balancing
Unified Security Enforcement & Access Control – FirePass • BIG-IP LTM • GTM
• Remote, WLAN & LAN Central Policy Enforcement
• End-Point Security
• Encryption
• AAA
Storage Growth – ARX • BIG-IP GTM
• Virtualization
• Migration
• Tiering
• Load Balancing
Slide 11: Acceleration Functional Groups
• Tier 1 Acceleration – Network Offload
• Tier 2 Acceleration – Server Offload
• Tier 3 Acceleration – Application Offload
Slides 12–15: Acceleration Functional Areas and the Effect on Infrastructure
[Build diagram: Page Generation Time (the “MyCSP” server infrastructure), Page Delivery Time (Internet or WAN) and Page Load Time (client browser). Each build adds a tier and the two percentages shown on the diagram fall.]
Slide 12 – Server Offload (diagram values 75% / 60%):
• Compression
• Dynamic Caching
• Content Spooling
• OneConnect
• Rate Shaping
• Connection limit
Slide 13 – adds Network Acceleration (60% / 40%):
• Compression
• Dynamic Caching
• TCP Express
Slide 14 – Network Acceleration extended (35% / 25%):
• Differential Compression
• QoS
• Security/authentication
Slide 15 – adds Application Acceleration (10% / 10%):
• IBR (Dynamic Content Control)
• Multi-Connect
• Dynamic Linearization
• Dynamic Caching
• Dynamic Compression
• SSL Acceleration
Slide 16: How To Achieve the Requirements?
[Diagram: multiple point solutions around the application.]
• Network Administrator: add more infrastructure? More bandwidth?
• Application Developer: hire an army of developers?
Slide 17: The Result: A Growing Network Problem
[Diagram: users (mobile phone, PDA, laptop, desktop, co-location) reach the applications (CRM, SFA, ERP, customised application) through a sprawl of network point solutions:]
• DoS Protection
• Rate Shaping
• SSL Acceleration
• Server Load Balancer
• Content Acceleration
• Application Firewall
• Connection Optimisation
• Traffic Compression
Slide 18: F5’s Integrated Solution
[Diagram: the same users (mobile phone, PDA, laptop, desktop, co-location) reach the applications (CRM, database, Siebel, BEA, legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, custom) through a single Application Delivery Network built on TMOS.]
Slide 19: The Most Intelligent and Adaptable Solution
• iRules – Programmable Network Language: a programmable application network
• GUI-Based Application Profiles: repeatable policies
• Unified Application Infrastructure Services: targeted and adaptable functions (Security, Optimisation, Delivery, New Service)
• Universal Inspection Engine (UIE): complete visibility and control of application flows
• TM/OS Fast Application Proxy: client side (compression) and server side (TCP offloading, load balancing); the diagram uses a news website as the example
Slide 20: Architect for Virtualized Applications and Resources; Leverage Network Services
[Diagram: users, an international data center and the applications connected through the following network services:]
• Policy-based, centralized AND management
• Intelligent, policy-based DNS; support for virtualization & SOA components
• Bi-directional application-aware multihoming & QoS services
• Symmetric WAN optimization & application acceleration services
• Universal client and system application & network VPN services
• Application & server virtualization, SOA component support, application load balancing, switching, filtering
• Asymmetric application acceleration
• Bi-directional application firewall services
• Open SOAP/XML API & SDK on an IP proxy O/S
Slide 21: A Better Alternative: Virtualize and Unify Network Services and Offload the Application
[Diagram: BIG-IP sits between the network and the database/system tier, labelled FAST, SECURE and AVAILABLE.]
SECURE
• DoS and SYN Flood Protection
• Network Address/Port Translation
• Application Attack Filtering
• Certificate Management
• Resource Cloaking
• Advanced Client Authentication
• Firewall – Packet Filtering
• Selective Content Encryption
• Cookie Encryption
• Content Protection
• Protocol Sanitization
• Application Security Module
FAST
• SSL Acceleration
• Quality of Service
• Connection Pooling
• Intelligent Compression
• L7 Rate Shaping
• Content Spooling/Buffering
• TCP Optimization
• Content Transformation
• Caching
AVAILABLE
• Comprehensive Load Balancing
• Advanced Application Switching
• Customized Health Monitoring
• Intelligent Network Address Translation
• Intelligent Port Mirroring
• Universal Persistence
• Response Error Handling
• Session / Flow Switching
• IPv6 Gateway
• Advanced Routing
Slide 22: TCP Optimization
Slide 23: TCP Express
Behaviors of a good TCP/IP implementation:
– Proper congestion detection.
– Good congestion recovery.
– High bandwidth utilization.
• Being too aggressive can cause individual connections to consume all of the network.
• Not being aggressive enough leaves bandwidth unused, especially when there are few connections.
• The stack always needs to adapt to changing congestion.
– Increased windowing and buffering will often help compensate for latency and can also offload the application equipment more quickly.
The most important tuning you can do in TCP typically concerns window sizes and retransmission logic (aka congestion control behavior).
On today’s networks, loss is almost always caused by congestion.
– Most TCP stacks are not aggressive enough.
Slide 24: F5’s TCP Congestion Control Algorithms
Reno Congestion Control
– Original TCP fast recovery algorithm based on BSD Reno.
– Initially grows the congestion window exponentially during the slow-start period.
– After slow-start, increases CWND by 1 MSS for each CWND ACKed (linear growth).
– When loss or a recovery episode is detected, the CWND is cut in half.
New Reno modifications (currently the default mode)
– Improves on the Reno behaviour.
– When entering a recovery episode, implements a fast retransmit:
• Each ACK below the recovery threshold triggers a one-time resend of the data starting at the ACK.
• Results in sending the missing data more aggressively and exiting the recovery period sooner.
Scalable TCP (added in 9.4)
– Improves on the NewReno behaviour.
– Upon loss, the CWND is reduced by only 1/8.
– Once out of slow start, CWND increases by 1% of an MSS for each CWND ACK’d.
HighSpeed (F5’s proprietary congestion control, added in 9.4)
– Similarly improves on the NewReno behaviour, in combination with Scalable TCP.
– Progressively switches from NewReno to Scalable TCP based on the size of the CWND.
• Upon loss, the CWND is reduced by somewhere between ½ and 1/8.
• CWND grows somewhere between 1% and 100% of an MSS for each CWND ACK’d.
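As an added example (not from the slides or F5's code), a round-by-round congestion-window model in Python of the three modes described above, in units of MSS; the LOW_WINDOW/HIGH_WINDOW blend curve for HighSpeed and the reading of Scalable's 1% as 0.01 MSS per ACKed segment (1% of the window per round) are assumptions:

```python
import math

# One step is one round trip in which the whole window is ACKed.
# Assumed blend range for HighSpeed: below LOW_WINDOW it acts like New Reno,
# above HIGH_WINDOW like Scalable; the slides give the 1/2 vs 1/8 cut and the
# 1% vs 100% growth but not the curve in between.
LOW_WINDOW = 38.0      # assumption
HIGH_WINDOW = 83000.0  # assumption


def reno_update(cwnd, loss):
    """New Reno: halve on loss, otherwise +1 MSS per window ACKed."""
    return cwnd / 2.0 if loss else cwnd + 1.0


def scalable_update(cwnd, loss):
    """Scalable: cut by 1/8 on loss, otherwise grow 1% per window ACKed."""
    return cwnd * (1.0 - 1.0 / 8.0) if loss else cwnd * 1.01


def highspeed_weight(cwnd):
    """0 -> pure New Reno, 1 -> pure Scalable, log-interpolated in between."""
    if cwnd <= LOW_WINDOW:
        return 0.0
    if cwnd >= HIGH_WINDOW:
        return 1.0
    return (math.log(cwnd) - math.log(LOW_WINDOW)) / (
        math.log(HIGH_WINDOW) - math.log(LOW_WINDOW))


def highspeed_update(cwnd, loss):
    """HighSpeed: loss cut between 1/2 and 1/8, growth between 1 MSS (100%)
    and 1% of the window per round, depending on the window size."""
    w = highspeed_weight(cwnd)
    if loss:
        cut = 0.5 + w * (1.0 / 8.0 - 0.5)
        return cwnd * (1.0 - cut)
    growth = (1.0 - w) * 1.0 + w * (0.01 * cwnd)
    return cwnd + growth


def simulate(update, rounds, loss_rounds, start=1.0):
    """cwnd after each round, with slow start (doubling) until the first loss."""
    cwnd, slow_start, history = start, True, []
    for r in range(rounds):
        if r in loss_rounds:
            cwnd = update(cwnd, True)
            slow_start = False
        elif slow_start:
            cwnd *= 2.0
        else:
            cwnd = update(cwnd, False)
        history.append(cwnd)
    return history


def recovery_rounds(update, cwnd, limit=10 ** 6):
    """Rounds needed to regain the pre-loss window after one loss event."""
    target, cwnd, n = cwnd, update(cwnd, True), 0
    while cwnd < target and n < limit:
        cwnd = update(cwnd, False)
        n += 1
    return n


if __name__ == "__main__":
    for name, fn in (("NewReno", reno_update), ("Scalable", scalable_update),
                     ("HighSpeed", highspeed_update)):
        print(name, "rounds to recover a 64 MSS window:", recovery_rounds(fn, 64.0))
```

Scalable's smaller cut means it climbs back to a 64 MSS window in 14 rounds versus 32 for New Reno, which is the "more aggressive" behaviour the slide refers to.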
Slide 25: New Reno / Scalable / HighSpeed
[Chart comparing the congestion window behaviour of the three modes; only the series labels survive.]
Slide 26: HTTP Optimization
Slide 27: OneConnect™ – Connection Pooling
Increase server capacity by 30%
– Aggregates a massive number of client requests into fewer server-side connections
– Transforms HTTP 1.0 to 1.1 for server connection consolidation
– Maintains intelligent load balancing to dedicated content servers
Good sources:
http://tech.f5.com/home/bigip/solutions/traffic/sol1548.html
http://www.f5.com/solutions/archives/whitepapers/httpbigip.html
Slide 28: OneConnect™ Review
OneConnect™ causes each request to be individually load-balanced among members of the same pool and potentially uses pre-established connections from a server connection pool.
The client connection is detached after each server response has been received, and the server-side connection is optionally saved for reuse in a connection pool.
The OneConnect™ source mask profile setting controls the behavior of the server connection pool.
iRule commands can also control OneConnect™ behavior:
– “ONECONNECT::detach disable” will cause the client and server to stay connected (as if OneConnect™ was not enabled).
– “ONECONNECT::reuse disable” will cause the recently used server-side connection to be discarded after use.
Slide 29: OneConnect™ New and Improved – HTTP Request Pooling
[Diagram: a client page load (index.htm, a.gif, b.gif, c.asp, about 20 requests) reaches BIG-IP over one connection (“New”, 1) and is spread across many server-side requests (“Many”, 20) to an HTML server pool, a GIF server pool and an ASP server pool.]
• Streamlines single client requests to BIG-IP
• Enabled by HTTP 1.1
• Avg. reduction is 20 to 1 per web page
• Intelligent load balancing to dedicated content servers
• Maintains server logging
• Transforms HTTP 1.0 to 1.1 for server connection consolidation
1) OneConnect™ Content Switching: index.htm goes to the HTML server pool, a.gif and b.gif to the GIF server pool, c.asp to the ASP server pool
2) OneConnect™ HTTP transformations: one client connection carrying many requests (b.gif, c.asp, a.gif, index.htm)
3) OneConnect™ Connection Pooling: aggregates a massive number of client requests (index.htm, a.gif, b.gif, c.asp, sales.htm, d.gif, e.gif, f.asp) into fewer server-side connections
Slide 30: OneConnect™ Facts
OneConnect™ does not affect the parsing of HTTP nor the execution of iRule events like HTTP_REQUEST or HTTP_RESPONSE.
– iRule events are triggered for every request regardless of whether the OneConnect™ profile is being used or not.
Without OneConnect™, the first request will be load-balanced to a member within the selected pool. Subsequent requests will NOT be load-balanced to other members within the same pool.
– If the pool selection changes, then a new load-balancing selection will be made.
– A change in the persistence key will not trigger a new load-balancing decision and therefore will appear not to be working.
– LB::detach or OneConnect™ will cause a new load-balancing decision to be made on every request.
After each request, the pool is NOT reset to a default pool. Any previous pool selection is always the default.
– Unless you explicitly set a pool in all conditions, you may believe that a request is not getting load-balanced correctly when OneConnect™ is not enabled.
OneConnect™ tracks the connection by the locally originating IP address.
– Using a SNAT will affect the criteria for reuse of the server connection.
– If you are using a SNAT with OneConnect™, it’s possible that two different clients’ requests will share the same server connection.
• If this is not acceptable behavior, then disable reuse by either setting the source mask to none or using the ONECONNECT::reuse disable iRule command.
Slide 31: Content Spooling
Problem: TCP overhead on servers
– There is overhead in breaking apart (“chunking”) content
– Client and server negotiate TCP segmentation
– The client forces more segmentation than is good for the server
– The server is burdened with breaking content up into small pieces for good client consumption
Solution
– Slurp up the server response
– Spoon feed clients
Benefit: increases server capacity up to 15%
Slide 32: HTTP Compression
Slide 33: HTTP Compression
Compression works most efficiently when rechunking responses.
An unchunked response must be completely buffered while being compressed, since the new Content-Length can’t be determined until compression is complete. This can introduce significant latency.
When compression is enabled, setting the profile setting “response selective chunk” or “response rechunk” is highly recommended.
A clear conscience is usually the sign of a bad memory.
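As an added example (not from the slides or F5's code), a small Python model of the two paths the slide contrasts: an unchunked response that must be fully compressed before the Content-Length is known, versus a rechunked response that streams each server segment as its own HTTP chunk. The response segments are constructed sample data.

```python
import zlib

# Constructed sample body, delivered by the server in three segments.
SAMPLE_SEGMENTS = [
    b"<html><body>" + b"<p>lorem ipsum</p>" * 30,
    b"<table>" + b"<tr><td>row</td></tr>" * 40 + b"</table>",
    b"</body></html>",
]


def compress_buffered(body):
    """Unchunked path: nothing can be sent until the whole body has been
    compressed, because Content-Length must carry the compressed size."""
    comp = zlib.compressobj(wbits=31)          # wbits=31 selects the gzip container
    data = comp.compress(body) + comp.flush()
    headers = {"Content-Encoding": "gzip", "Content-Length": str(len(data))}
    return headers, data


def compress_rechunked(segments):
    """Rechunked path: each server segment is compressed as it arrives and
    sent at once as one HTTP chunk; Content-Length is replaced by
    Transfer-Encoding: chunked, so no buffering of the full body is needed."""
    headers = {"Content-Encoding": "gzip", "Transfer-Encoding": "chunked"}
    comp = zlib.compressobj(wbits=31)
    chunks = []
    for seg in segments:
        # Z_SYNC_FLUSH pushes out everything compressed so far, so the client
        # can decode this segment before the next one has even arrived.
        piece = comp.compress(seg) + comp.flush(zlib.Z_SYNC_FLUSH)
        if piece:
            chunks.append(b"%x\r\n%s\r\n" % (len(piece), piece))
    tail = comp.flush()                        # gzip trailer (CRC32 and size)
    if tail:
        chunks.append(b"%x\r\n%s\r\n" % (len(tail), tail))
    chunks.append(b"0\r\n\r\n")                # last-chunk marker
    return headers, chunks


def dechunk(stream):
    """Decode a chunked transfer-coding body back into the raw bytes."""
    out, pos = [], 0
    while True:
        line_end = stream.index(b"\r\n", pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            return b"".join(out)
        out.append(stream[pos:pos + size])
        pos += size + 2                         # skip the data and its CRLF


def gunzip(data):
    """Inverse of the gzip container used above."""
    return zlib.decompress(data, wbits=31)


if __name__ == "__main__":
    h, chunks = compress_rechunked(SAMPLE_SEGMENTS)
    print(h, "first chunk ready after segment 1, total chunks:", len(chunks))
    hb, data = compress_buffered(b"".join(SAMPLE_SEGMENTS))
    print(hb, "first byte ready only after all", len(SAMPLE_SEGMENTS), "segments")
```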
Slide 34: HTTP Cache
Slide 35: What is RAM Cache
RAM cache is a cache of HTTP objects stored in the BIG-IP system's RAM that are reused by subsequent connections to reduce the amount of load on the back-end servers.
RAM cache became available in 9.0.5.
RAM cache is an additional module.
It is part of the “Application Accelerator” package.
It is integrated with the HTTP profile.
Cache is defined in RFC 1945.
Slide 36: What is RAM cache used for?
The RAM Cache feature provides the ability to reduce the traffic load to back-end servers by caching high-demand objects and static content, and by compressing content.
• High-demand objects: this feature is useful if a site has periods of high demand for specific content. With RAM Cache configured, the content server only has to serve the content to the BIG-IP system once per expiration period.
• Static content: this feature is also useful if a site consists of a large quantity of static content such as CSS, JavaScript, or images and logos.
• Content compression: for compressible data, the RAM Cache can store data for clients that can accept compressed data. When used in conjunction with the compression feature on the BIG-IP system, the RAM Cache takes stress off of the BIG-IP system and the content servers.
Slide 37: What can RAM cache cache?
The RAM Cache feature is fully compliant with the cache specifications described in RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1. This means that you can configure RAM Cache to cache the following content types:
• 200 (OK), 203 (Non-Authoritative Information), 206 (Partial Content), 300 (Multiple Choices), 301 (Moved Permanently), and 410 (Not Found) responses.
• Responses to GET methods by default.
• Other HTTP methods for URIs specified in the URI Include list or specified in an iRule.
• Content based on the User-Agent and Accept-Encoding values. The RAM Cache holds different content for Vary headers.
Slide 38: What can RAM cache cache?
By default, only responses to GET methods are cached.
Data that is marked as PUBLIC can be cached.
Non-GET methods can be cached by including the URI in the include list, or they can be overridden from a rule.
– Conditional GETs and HEADs can be answered based on cached data.
Range requests are passed up to the server.
Slide 39: What items will not cache?
The items we do not cache:
– Private data specified by cache control headers
– No-cache forces caches to submit the request to the origin server for validation.
– No-store tells the cache server not to store the object.
– Must-revalidate forces the cache to obey freshness information.
– HEAD, POST, PUT, DELETE, TRACE, and CONNECT methods
– Any data that is marked as “un-cacheable” by the server via its cache control headers is not cached (this can be overridden via a rule or by including the URI in the include list).
Slide 40: RAM Cache Header manipulation
Enabling the RAM Cache on a virtual will cause the “HTTP/1.1” string in request headers to be rewritten to “HTTP/1.0”.
– The server thinks it’s talking to a 1.0 client, for simplicity’s sake.
– A “Connection: Keep-Alive” header will be added to allow persistent server connections.
– All cookie headers are removed.
– The following headers are hop-by-hop headers and will be modified accordingly when served:
• Connection:
• Keep-Alive:
• Transfer-Encoding:
– The Date header is added (this reflects the current time on the BIG-IP).
– The Age header is added (this reflects the amount of time the document has been in the cache).
– All other headers are considered end-to-end and stored as is.
Slide 41: RAM Cache Header manipulation
Header manipulation for cached content
The following headers prevent caching of an object:
– Authenticate:
– WWW-Authenticate:
– Proxy-Authenticate:
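As an added example (not from the slides or BIG-IP's code), a Python model of the RAM Cache admission rules, Vary keying and header rewriting described on slides 37 to 41. Header names follow the slides; the sample requests and the `uri_include` / `rule_override` parameters are constructed for the example.

```python
import time

CACHEABLE_STATUS = {200, 203, 206, 300, 301, 410}        # slide 37
AUTH_HEADERS = {"authenticate", "www-authenticate", "proxy-authenticate"}  # slide 41
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding"}             # slide 40
VARY_KEYS = ("user-agent", "accept-encoding")            # slide 37: request headers keyed on
BLOCKING_DIRECTIVES = ("private", "no-cache", "no-store", "must-revalidate")  # slide 39


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def cache_control(headers):
    """Set of Cache-Control directive names (values such as max-age=60 dropped)."""
    value = _lower(headers).get("cache-control", "")
    return {d.strip().split("=")[0].lower() for d in value.split(",") if d.strip()}


def cacheable(method, uri, status, resp_headers, req_headers,
              uri_include=(), rule_override=False):
    """Return (True, 'ok') or (False, reason) for one response.
    uri_include models the URI Include list; rule_override models an iRule
    forcing the object into the cache (slides 38 and 39)."""
    if "range" in _lower(req_headers):
        return False, "range request is passed up to the server"
    if status not in CACHEABLE_STATUS:
        return False, "status %d is not cacheable" % status
    if method != "GET" and not (uri in uri_include or rule_override):
        return False, "%s is only cached via the include list or a rule" % method
    if AUTH_HEADERS & set(_lower(resp_headers)):
        return False, "authentication header present"
    if not rule_override:
        for directive in BLOCKING_DIRECTIVES:
            if directive in cache_control(resp_headers):
                return False, "Cache-Control: " + directive
    return True, "ok"


def cache_key(uri, req_headers, resp_headers):
    """Same URI but different Vary'd request headers -> different objects."""
    req = _lower(req_headers)
    vary = [v.strip().lower() for v in _lower(resp_headers).get("vary", "").split(",")
            if v.strip()]
    parts = [uri] + ["%s=%s" % (h, req.get(h, "")) for h in VARY_KEYS if h in vary]
    return "|".join(parts)


def origin_request(req_headers):
    """What the origin sees with RAM Cache on (slide 40): HTTP/1.0 request
    line, Connection: Keep-Alive added, all cookie headers removed."""
    headers = {k: v for k, v in req_headers.items() if k.lower() != "cookie"}
    headers["Connection"] = "Keep-Alive"
    return "HTTP/1.0", headers


def served_headers(stored_headers, stored_at, now=None):
    """Headers sent to a client from cache: hop-by-hop headers dropped,
    Date (current time) and Age (seconds in cache) added."""
    now = time.time() if now is None else now
    out = {k: v for k, v in stored_headers.items() if k.lower() not in HOP_BY_HOP}
    out["Date"] = time.strftime("%a, %d %b %Y %H:%M:%S GMT", time.gmtime(now))
    out["Age"] = str(int(now - stored_at))
    return out


if __name__ == "__main__":
    print(cacheable("GET", "/site.css", 200, {"Cache-Control": "public, max-age=60"}, {}))
    print(cacheable("GET", "/account", 200, {"Cache-Control": "private"}, {}))
    print(cacheable("POST", "/search", 200, {}, {}, uri_include=("/search",)))
```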
Slide 42: SSL Offload
Slide 43: SSL Profiles Overview
A profile is a collection of protocol, application, or other feature-specific attributes. One or more profiles are associated with a virtual server.
A profile tells a virtual server how to process traffic destined for it, based on the profile's configuration.
For example, the ability to process SSL traffic is configured using the SSL profile.
Slide 44: SSL Profile Overview
[Diagram: on the client side a request is received through the TCP hudfilter, the SSL hudfilter and the HTTP hudfilter into the TCP hudproxy; on the server side it is sent out through a TCP hudfilter.]
• Hudfilters: dev term for profiles. Modular filters chain together to customize traffic.
• Hudproxy: dev term for the 9.x Full Proxy engine software where LB, iRules, SNATs etc. reside.
Slide 45: SSL Profiles Overview
TMM is a full-proxy engine: it treats the client and server sides of a connection as completely independent.
The proxy engine is considered a “connection broker” that relates these two independent connections.
TMM uses profiles to adjust application- or feature-specific attributes.
Slide 46: SSL Profiles Overview
Profiles begin at the Transport layer and cover different aspects of the TCP stack’s application layer.
“Protocol” profiles reside at the Transport layer of the TCP/IP protocol stack.
“Services” profiles reside at the Application layer, etc.
“SSL” profiles reside between the Application and Transport layers.
Slide 47: DoS and SYN Flood Protection
Slide 48: Syn Cookies: Concept
The concept behind a syn_cookie is to help protect servers from a DoS of the initial TCP handshake, the “SYN flood”.
In setting up a TCP handshake the requesting client will send a SYN packet to the destination server.
The server will respond to the client's SYN packet with a SYN/ACK to acknowledge the request and open a TCP socket for the requester.
This can create a resource issue for the server if a large number of unfulfilled SYN requests are directed at the server, since the server will respond by opening a new socket for each request and then wait for the client to send an ACK in response to the server's SYN/ACK.
Slide 49: Syn Cookies: Sockets & resources
A little about servers and sockets, and how a DoS using the initiating SYN packet impacts a server.
When a server receives a SYN request initiating a TCP handshake it will respond to the initiating client with a SYN/ACK and open a TCP socket for the client to continue the initiated TCP session.
Servers have a limited number of open sockets that can be utilized at one time. Once all of the possible sockets have been placed in an Active or Wait state (waiting for the client to continue their TCP session with a subsequent ACK), the server can no longer accept new connections.
This effectively stops access to the server.
Slide 50: Syn Cookies: Concept
Once the server has utilized all its resources in “half-open” sockets from an overwhelming number of SYN requests, it will begin to refuse new “legitimate” SYN requests and stop honouring legitimate current client connections.
To avoid this state the idea of a SYN tracking system was invented. This is where the name “syn cookies” was coined.
The syn cookie is quite different from a traditional HTTP-style cookie for several reasons:
The cookie is not given to the client and is not presented by the client on subsequent connections.
A local cache on the server is created to track known cookies.
More or less, the cookie is a self-generated and self-stored cookie for the client connection on the local server.
Slide 51: Syn Cookies and BigIP
How does the BigIP utilize syn cookies?
The BigIP implementation of syn cookies is fairly standard, as implemented by Linux systems. There is one key difference however (for now).
The MSS is hard set by the BigIP, whereas the Linux implementation auto-negotiates this setting.
In regards to when syn cookies are used, the BigIP and Linux implementations are about equal.
Slide 52: Syn Cookies: When are they used?
The idea of syn cookies was designed around the need to thwart SYN-based DoS attacks.
Early development of syn cookies showed issues when handling dropped/retransmitted packets.
Due to this, syn cookies are enacted based on a threshold of concurrent connections.
The threshold is user configurable and defaults to the value of 150,000 on the BigIP.
The BigIP has been designed to avoid issues with resends by storing the last 40 random seeds and updating these every 100ms.
Slide 53: Syn Cookies and BigIP globals
Adjusting the threshold at which syn cookies will begin to be utilized on a BigIP can be done in two areas. However, the lowest threshold will always be used first.
There is a system-wide global setting that is set to the previously mentioned default of 150,000.
Slide 54: Syn Cookies and Virtuals
The BigIP also offers the ability to set a concurrent connection threshold on a per-virtual basis.
b virtual 10.1.0.1:80 syncookie_threshold 2000
b save
Keep in mind that if the global setting on the BigIP for syncookie_threshold is lower than the virtual's setting for the threshold, the global will be used.
Slide 55: Syn Cookies & BigIP details
When the BigIP is utilizing syn cookies for an L4 connection it will use delayed binding. Basically, the initial client SYN will not be forwarded to the server until it has completed the authentication process. To help prevent a bogus SYN from reaching the server we advertise an initial window size of zero bytes in our SYN/ACK. After the 3-way handshake has been successful we send a window size update to the client.
This complexity is not required for L7.
Thus a SYN-style DoS attack will never reach the backend servers.
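As an added example (not from the slides or BIG-IP's code), a simplified Python model of the syn cookie behaviour described on slides 48 to 55: stateful handshakes below the threshold, keyed-hash cookies with no per-SYN state above it, a zero window in the SYN/ACK with a window update after the handshake, and acceptance of any of the last 40 seeds so a retransmitted ACK still verifies. The cookie construction (HMAC of the 4-tuple and client ISN) and the MSS value 1460 are assumptions; the threshold, seed count and 100 ms interval are the slide's figures.

```python
import hashlib
import hmac
import os
import time
from collections import deque

SEED_HISTORY = 40           # slide 52: the last 40 random seeds are kept
SEED_INTERVAL = 0.1         # slide 52: seeds are refreshed every 100 ms
DEFAULT_THRESHOLD = 150000  # slides 52/53: default syncookie_threshold
FIXED_MSS = 1460            # slide 51 says the MSS is hard set; 1460 is assumed
MASK32 = 0xFFFFFFFF


class SynCookieListener:
    """One listener (a virtual). Below the threshold it keeps per-SYN state;
    at or above it the server ISN is a cookie and nothing is stored."""

    def __init__(self, threshold=DEFAULT_THRESHOLD, clock=time.monotonic):
        self.threshold = threshold
        self.clock = clock
        self.seeds = deque(maxlen=SEED_HISTORY)
        self.last_rotation = None
        self.half_open = {}     # (client ip, port) -> server ISN, stateful path only

    def _rotate_seeds(self):
        now = self.clock()
        if self.last_rotation is None or now - self.last_rotation >= SEED_INTERVAL:
            self.seeds.append(os.urandom(16))
            self.last_rotation = now

    @staticmethod
    def _cookie(seed, src, sport, dst, dport, client_isn):
        # Assumed construction: keyed hash of the 4-tuple and the client ISN,
        # truncated to the 32-bit sequence number space.
        msg = ("%s:%d>%s:%d:%d" % (src, sport, dst, dport, client_isn)).encode()
        return int.from_bytes(hmac.new(seed, msg, hashlib.sha256).digest()[:4], "big")

    def cookies_active(self):
        return len(self.half_open) >= self.threshold

    def on_syn(self, src, sport, dst, dport, client_isn):
        """Return the fields of the SYN/ACK that would be sent."""
        self._rotate_seeds()
        if not self.cookies_active():
            isn = int.from_bytes(os.urandom(4), "big")
            self.half_open[(src, sport)] = isn
            return {"seq": isn, "ack": (client_isn + 1) & MASK32, "window": 65535,
                    "mss": FIXED_MSS, "cookie": False}
        # Cookie mode: ISN derived from the newest seed, zero window (slide 55),
        # and no state kept, so a flood of bogus SYNs costs nothing to remember.
        isn = self._cookie(self.seeds[-1], src, sport, dst, dport, client_isn)
        return {"seq": isn, "ack": (client_isn + 1) & MASK32, "window": 0,
                "mss": FIXED_MSS, "cookie": True}

    def on_ack(self, src, sport, dst, dport, seq, ack):
        """Validate the handshake-completing ACK. 'bind' True means the
        connection may now be bound to a server (delayed binding)."""
        self._rotate_seeds()
        ack &= MASK32
        key = (src, sport)
        if key in self.half_open:
            ok = ((self.half_open.pop(key) + 1) & MASK32) == ack
            return {"bind": ok, "window_update": None}
        client_isn = (seq - 1) & MASK32
        # Any of the recent seeds is accepted so a retransmitted or delayed ACK
        # still verifies after the seed has rotated.
        for seed in self.seeds:
            expected = (self._cookie(seed, src, sport, dst, dport, client_isn) + 1) & MASK32
            if hmac.compare_digest(expected.to_bytes(4, "big"), ack.to_bytes(4, "big")):
                return {"bind": True, "window_update": 65535}
        return {"bind": False, "window_update": None}
```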
Slide 56: iRules
Slide 57: Why do programmers always get Christmas and Halloween mixed up?
Because DEC 25 = OCT 31
Slide 58: What are iRules?
Programming language integrated into TMOS (Traffic Management Operating System)
Based on the industry standard TCL language (Tool Command Language)
Provide the ability to intercept, inspect, transform, direct and track inbound or outbound application traffic
Core of the F5 “secret sauce” and key differentiator
Slide 59: How do iRules Work?
• iRules allow you to perform deep packet inspection (entire header and payload)
• Coded around events (HTTP_REQUEST, HTTP_RESPONSE, CLIENT_ACCEPTED etc.)
• Full scripting language allows for extremely granular control of inspection, alteration and delivery on a packet-by-packet basis
[Diagram: requests arrive, the iRule is triggered, HTTP events fire (HTTP_REQUEST, HTTP_RESPONSE, etc.) and modified responses* are returned.]
*Note: BIG-IP’s bi-directional proxy capabilities allow it to inspect, modify and route traffic at nearly any point in the traffic flow, regardless of direction.
Slide 60: The Better Alternative Example – Centralized Availability, Security & Acceleration
Centralized Transaction Assurance: Proactive Response Error Handling for Higher Availability
rule redirect_error_code {
    when HTTP_REQUEST {
        # remember the requested URI so the response handler can reuse it
        set my_uri [HTTP::uri]
    }
    when HTTP_RESPONSE {
        # on a server error, send the client to an alternate host for the same URI
        if { [HTTP::status] == 500 } {
            HTTP::redirect http://192.168.33.131$my_uri
        }
    }
}
Centralized Data Protection: Rewrite, Remove, Block and/or Log Sensitive Content
rule protect_content {
    when HTTP_RESPONSE {
        # HTTP_RESPONSE_DATA only fires for payload that has been collected
        if { [HTTP::header exists "Content-Length"] } {
            HTTP::collect [HTTP::header "Content-Length"]
        }
    }
    when HTTP_RESPONSE_DATA {
        set payload [HTTP::payload [HTTP::payload length]]
        #
        # Find and replace SSN numbers; regsub returns the number of substitutions.
        #
        if { [regsub -all {\d{3}-\d{2}-\d{4}} $payload "xxx-xx-xxxx" new_response] > 0 } {
            #
            # Replace only if necessary.
            #
            HTTP::payload replace 0 [HTTP::payload length] $new_response
        }
    }
}
A Repeatable, Extensible, Flexible Architecture
Host to URI mapping: Faster Access to Data through Automatic Redirection
when HTTP_REQUEST {
    # www.A.com -- domain == A.com, company == A
    regexp {\.([\w]+)\.com} [HTTP::host] domain company
    if { "" ne $company } {
        # look for the second string in the data group
        set mapping [findclass $company $::valid_company_mappings " "]
        if { "" ne $mapping } {
            HTTP::redirect "http://www.my_vs.com/$mapping"
        }
    }
}
Slide 61: Solution: Server Resource Cloaking
Description
To stop web server signatures from exposing potential security holes to hackers, iRules are used to remove or “cloak” visible web server signatures.
HOW IT WORKS
1. Client requests information from an application and is routed through BIG-IP
2. BIG-IP directs the request to the best performing web server
3. Web server provides the application response BUT all responses – by default – include information that indicates the type of server responding
4. BIG-IP looks at the traffic and determines it must call the iRule for “Resource Cloaking”
5. iRule runs, removing Apache references, and sends the response on to the client
6. Client only sees the “sanitized” response
iRule: remove the Apache v 2.0.49 reference
rule resource_cloaking {
    when HTTP_RESPONSE {
        #
        # Remove all but the given headers.
        #
        HTTP::header sanitize "ETag" "Connection" "Content-Type"
    }
}
[Diagram: HTTP request from the client through BIG-IP to the Apache web server (steps 1–2); the response from the Apache web server includes server signatures (step 3); BIG-IP runs the iRule (steps 4–5) and returns the sanitized HTTP response (step 6).]
Slide 62: What can an iRule do?
Read, transform, replace header or payload information (HTTP, TCP, SIP, etc.)
Work with any protocol, such as SIP, RTSP, XML, others, whether with native (HTTP::cookie) or generic (TCP::payload) commands
Make adjustments to TCP behavior, such as MSS, checking the RTT, deep payload inspection
Authentication assistance, offload, inspection and more for LDAP, RADIUS, etc.
Caching, compression, profile selection, rate shaping and much, much more
Slide 63: iRule Event Taxonomy
[Table of events grouped by category:]
AUTH: AUTH_ERROR, AUTH_FAILURE, AUTH_RESULT, AUTH_SUCCESS, AUTH_WANTCREDENTIAL
CACHE: CACHE_REQUEST, CACHE_RESPONSE
CLIENTSSL: CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE
DNS: DNS_REQUEST, DNS_RESPONSE, NAME_RESOLVED
GLOBAL: LB_FAILED, LB_SELECTED, RULE_INIT
HTTP: HTTP_CLASS_FAILED, HTTP_CLASS_SELECTED, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA
IP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA
LINE: CLIENT_LINE, SERVER_LINE
RTSP: RTSP_REQUEST, RTSP_REQUEST_DATA, RTSP_RESPONSE, RTSP_RESPONSE_DATA
SERVERSSL: SERVERSSL_HANDSHAKE
SIP: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE
STREAM: STREAM_MATCHED
TCP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA, USER_REQUEST, USER_RESPONSE
UDP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA
XML: XML_BEGIN_DOCUMENT, XML_BEGIN_ELEMENT, XML_CDATA, XML_END_DOCUMENT, XML_END_ELEMENT, XML_EVENT
Slide 64: Solution: FIX Protocol Persistence
Challenges
• Business chooses the protocol required by its industry sector
• Implementation on the server side is impossible in an enterprise HA scenario
Solution
• iRule provides a centralized mechanism for intercept/inspect/route
• Solution can be deployed in true HA/multi-server (even multi-data center) mode
• Clean code management
HOW IT WORKS
1. Client requests information from an application and is routed through BIG-IP
2. BIG-IP UIE inspects for the specific information identified
3. iRule runs and queries the payload (TCP::collect) for the specific identifier needed (SenderCompID)
4. Based upon the rule, the client request is persisted to a specific server dedicated to that user
iRule: query identifies the FIX SenderCompID
rule FIX_regexp {
    when CLIENT_ACCEPTED {
        TCP::collect
    }
    when CLIENT_DATA {
        # FIX fields are separated by SOH (0x01); tag 49 is SenderCompID.
        # Build the delimiter with format rather than writing "\x0149=":
        # Tcl would read the 49 as part of the \x escape and match the wrong byte.
        set soh [format %c 1]
        if { [regexp "${soh}49=(\[^${soh}\]*)${soh}" [TCP::payload] -> SenderCompID] } {
            persist uie $SenderCompID
            TCP::release
        } else {
            # tag not seen yet: keep collecting
            TCP::collect
        }
    }
}
[Diagram: request from the client (1) into BIG-IP (2, 3), persisted to a server in Pool A or Pool B (4).]
** Enhanced by community; see CodeShare
Slide 65: What makes iRules so unique?
Full-fledged scripts, executed against traffic on the network, at wire speed
Powerful logical operations combined with deep packet inspection
The ability to route, re-route, redirect, retry, or block traffic
Community support, tools and innovation
66
Solution: Credit Card Scrubber

Challenges
• Rapid feature enhancements come at the expense of good security practices
• Scanning on each server doesn't perform well

Solution
• iRule provides a centralized mechanism for protection
• High performance at the network layer maintains high end-user satisfaction
• App teams focus on features, network teams focus on protection

HOW IT WORKS
1. Client requests information from an application and is routed through BIG-IP
2. BIG-IP directs the request to the best-performing web server
3. Web server provides the application response, BUT the iRule runs if it sees a string of 15 or 16 digits (the pattern below covers 15-digit American Express and 16-digit Visa, MasterCard and Discover numbers)
4. iRule runs the MOD-10 (Luhn) algorithm to determine whether the digit string is a valid credit card number; the offending server's IP address is logged and flagged
5. If a valid match, the digits are replaced with Xs (the iRule below masks the whole number, keeping its length so later match offsets stay correct)
6. Client only sees the "sanitized" response

Remove Valid Credit Card Numbers

when HTTP_REQUEST {
    # Don't allow data to be chunked: downgrade to HTTP/1.0 so the
    # response carries a Content-Length we can collect against
    if { [HTTP::version] eq "1.1" } {
        if { [HTTP::header is_keepalive] } {
            HTTP::header replace "Connection" "Keep-Alive"
        }
        HTTP::version "1.0"
    }
}

when HTTP_RESPONSE {
    # Collect the whole response body so it can be scanned in one pass
    if { [HTTP::header exists "Content-Length"] } {
        set content_length [HTTP::header "Content-Length"]
    } else {
        set content_length 4294967295
    }
    if { $content_length > 0 } {
        HTTP::collect $content_length
    }
}

when HTTP_RESPONSE_DATA {
    # Find ALL the possible credit card numbers in one pass
    # (15-digit AmEx 34/37, 16-digit Visa 4, MasterCard 51-55, Discover 6011)
    set card_indices [regexp -all -inline -indices {(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} [HTTP::payload]]

    foreach card_idx $card_indices {
        set card_start [lindex $card_idx 0]
        set card_end [lindex $card_idx 1]
        set card_len [expr {$card_end - $card_start + 1}]
        set card_number [string range [HTTP::payload] $card_start $card_end]
        # Luhn doubles every second digit counting from the right, so the
        # parity of the positions to double depends on the length
        set double [expr {$card_len & 1}]
        set chksum 0
        set isCard invalid

        # Calculate MOD10 (Luhn) checksum
        for { set i 0 } { $i < $card_len } { incr i } {
            set c [string index $card_number $i]
            if {($i & 1) == $double} {
                if {[incr c $c] >= 10} {incr c -9}
            }
            incr chksum $c
        }

        # Determine Card Type
        switch [string index $card_number 0] {
            3 { set type AmericanExpress }
            4 { set type Visa }
            5 { set type MasterCard }
            6 { set type Discover }
            default { set type Unknown }
        }

        # If valid card number, then mask out numbers with X's
        # (same length as the original, so the remaining indices stay valid)
        if { ($chksum % 10) == 0 } {
            set isCard valid
            HTTP::payload replace $card_start $card_len [string repeat "X" $card_len]
        }

        # Log Results. Never write the full PAN to syslog (that would move the
        # leak into the log); record the last four digits and the leaking server
        log local0. "Found $isCard $type CC# ending [string range $card_number end-3 end] from server [IP::server_addr]"
    }
}

[Diagram: request flows client to BIG-IP to web server and back; callouts 1 to 6 match the steps above. Caption: Response from application server accidentally leaks customer credit card numbers in HTTP response]

** Created collaboratively within community
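The same detection and masking logic, rewritten in Python so it can be exercised off-box against a captured response body before the iRule goes on a production BIG-IP. This is an added example, not code from the slides or from F5: the prefix pattern is the one from the iRule, the Luhn routine is the general algorithm that the iRule's parity trick implements for 15- and 16-digit strings, the response body is constructed here, and the card numbers are standard payment-gateway test numbers rather than real accounts.

```python
import re

# Same prefix patterns as the iRule: 15-digit American Express,
# 16-digit Visa, MasterCard (51-55) and Discover (6011).
CARD_RE = re.compile(r"(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})")
CARD_TYPES = {"3": "AmericanExpress", "4": "Visa", "5": "MasterCard", "6": "Discover"}


def luhn_valid(digits: str) -> bool:
    """MOD-10 (Luhn) check for a digit string of any length.

    Walk the digits from the right: the check digit is not doubled, every
    second digit after it is, and doubled values above 9 have 9 subtracted.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrub(body: str):
    """Mask Luhn-valid card numbers in an HTTP response body.

    Returns (masked_body, findings); each finding is (validity, type, last4).
    As in the iRule, a digit run that matches the prefix pattern but fails
    the checksum is reported as invalid and left untouched, and a valid
    number is replaced by the same number of X characters so the offsets
    of later matches are unaffected.
    """
    findings = []

    def mask(match):
        number = match.group(0)
        card_type = CARD_TYPES.get(number[0], "Unknown")
        if luhn_valid(number):
            findings.append(("valid", card_type, number[-4:]))
            return "X" * len(number)
        findings.append(("invalid", card_type, number[-4:]))
        return number

    return CARD_RE.sub(mask, body), findings


def demo():
    # Constructed response body: two Luhn-valid test numbers and one
    # 16-digit string that looks like a Visa PAN but fails the checksum.
    body = (
        "<p>Paid with 4111111111111111, backup card 378282246310005.</p>\n"
        "<p>Reference 4111111111111112 is not a card.</p>\n"
    )
    return scrub(body)


if __name__ == "__main__":
    masked, found = demo()
    print(masked)
    for entry in found:
        print("Found %s %s CC# ending %s" % entry)
```

The third number in the sample body is the reason the checksum step matters: without it any 16-digit reference or tracking id starting with 4 would be blanked out of the page. The pattern is still only a prefix match, so a 19-digit run would have its first 16 digits tested, and other issuers' prefixes are not covered.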
67
Solution: Anti-phishing

Challenges
• Attacks are directed at users, not the servers themselves
• No control of user actions
• Can't force software install

Solution
• iRule allows for prevention of the scraping required to perform the attack
• Preventative approach keeps users safe without need for their interaction
• Server load decreased

HOW IT WORKS
Prevent unwanted referrals of content
1. Define a list of valid referrers in the form of a class. This is a list of those sites that you expect to be linking to content on your site.
2. Define a list (in the form of a class) of file types that should not be linked to, other than by the referrers listed in item #1.
3. Check whether an invalid referrer (not someone in class #1) is trying to serve data from your site and what kind of content they shouldn't be trying to serve. If it matches the file types in class #2, block it. If not, insert some custom code to help prevent phishing attempts.

class valid_referers {
    "http://mydomain.com"
    "http://mydomain1.com"
    "http://url1"
    "http://url2"
    "http://url3"
}

class file_types {
    ".gif"
    ".jpg"
    ".png"
    ".bmp"
    ".js"
    ".css"
    ".xsl"
}

rule no_phishing {
    when HTTP_REQUEST {
        # Default for every request, so HTTP_RESPONSE can always read it
        set respond 0
        # Don't allow data to be chunked.
        if {[HTTP::version] == "1.1"} {
            if {[HTTP::header is_keepalive]} {
                # Adjust the Connection header.
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
        # Anything not sent from a site in valid_referers (including an
        # empty or missing Referer) is treated as an invalid referrer
        if { [matchclass [HTTP::header "Referer"] starts_with $::valid_referers] < 1 } {
            # "contains", not "ends_with": a URI such as /page.jsp also matches ".js"
            if { ([string tolower [HTTP::method]] eq "get") && ([matchclass [HTTP::uri] contains $::file_types] > 0) } {
                # Hot-linked static content: drop the request
                discard
            } else {
                # Page request from an unknown referrer: mark it so the
                # response can be patched
                set respond 1
            }
        }
    }
    when HTTP_RESPONSE {
        # Only text responses get the anti-framing script. The Content-Type
        # that matters is the response's; a GET request rarely carries one.
        if { ($respond == 1) && [HTTP::header exists "Content-Type"] && ([HTTP::header "Content-Type"] starts_with "text") } {
            if { [HTTP::header exists "Content-Length"] } {
                set content_len [HTTP::header "Content-Length"]
            } else {
                set content_len 4294967295
            }
            if { $content_len > 0 } {
                HTTP::collect $content_len
            }
        }
    }
    when HTTP_RESPONSE_DATA {
        # Splice a frame-busting script in front of the <html> tag so a page
        # loaded inside a phishing site's frame breaks out to the top window
        set bypass [string first -nocase "<html>" [HTTP::payload]]
        if { $bypass != -1 } {
            HTTP::payload replace $bypass 0 "<script type=\"text/javascript\">\n if (top.frames.length!=0) {\n  if (window.location.href.replace)\n   top.location.replace(self.location.href);\n  else\n   top.location.href=self.location.href;\n }\n</script>\n"
        } else {
            # Text response without an <html> tag: refuse to serve it
            HTTP::respond 500
        }
    }
}

[Diagram: request flows client to BIG-IP to web server and back; callouts 1 to 6 match the steps above. Caption: Web servers feed content to anyone requesting it, including people who shouldn't be serving this content]
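The referrer decision and the script injection, rewritten in Python as an added example (not the slide's iRule and not F5 code) so the policy can be checked against request and response samples before it is deployed. The allow-list and file-type list are the slide's, shortened to the two named domains; everything else is assumed for the example.

```python
# Allow-list and blocked types from the slide's classes (shortened).
VALID_REFERERS = ("http://mydomain.com", "http://mydomain1.com")
BLOCKED_TYPES = (".gif", ".jpg", ".png", ".bmp", ".js", ".css", ".xsl")

# Script spliced in front of <html>: a page loaded inside another site's
# frame replaces the top-level window with itself.
FRAME_BUSTER = (
    '<script type="text/javascript">\n'
    ' if (top.frames.length!=0) {\n'
    '  if (window.location.href.replace)\n'
    '   top.location.replace(self.location.href);\n'
    '  else\n'
    '   top.location.href=self.location.href;\n'
    ' }\n'
    '</script>\n'
)


def referer_allowed(referer):
    """matchclass ... starts_with: prefix match against the class entries.
    A missing or empty Referer never matches, so it counts as invalid."""
    return bool(referer) and referer.startswith(VALID_REFERERS)


def decide(method, uri, referer, response_content_type):
    """Return "pass", "discard" or "inject" for one request/response pair.

    Hot-linked static content from an unknown referrer is discarded; a
    text response to any other request from an unknown referrer gets the
    frame-busting script; everything else passes untouched.
    """
    if referer_allowed(referer):
        return "pass"
    # `contains`, not `ends_with`, as in the iRule: /page.jsp also matches ".js"
    if method.upper() == "GET" and any(t in uri.lower() for t in BLOCKED_TYPES):
        return "discard"
    if response_content_type and response_content_type.lower().startswith("text"):
        return "inject"
    return "pass"


def inject_frame_buster(body):
    """Insert the script where the iRule does (before the first <html>,
    case-insensitive). Returns None where the iRule answers 500."""
    idx = body.lower().find("<html>")
    if idx == -1:
        return None
    return body[:idx] + FRAME_BUSTER + body[idx:]


if __name__ == "__main__":
    # Constructed samples: a hot-linked image and a framed page
    print(decide("GET", "/images/logo.gif", "http://evil.example/", None))
    print(inject_frame_buster("<html><body>login</body></html>"))
```

Two things to keep in mind when tuning the lists: the Referer header is whatever the client chooses to send, so the check stops casual hot-linking rather than a determined scraper, and browsers that suppress Referer (privacy settings, bookmarks, HTTPS to HTTP navigation) will have their image and script requests discarded by the first branch.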
68
F5 iRule Editor
First network rule editor optimizes development
Includes:
– Syntax checking
– Auto-complete
– Template support
– Doc Links
– Deployment integration
– Statistics monitoring
– Data group editing
– Optional post to CodeShare feature
Available: Now
Pricing: Free Download
Tutorials: on DevCentral
69
Link Collection
Overall: www.f5.com
Technical: www.f5.com, ask.f5.com, devcentral.f5.com
F5 University: www.f5university.com/
» Login: your email
» Password: adv5tech
Partner Information: www.f5.com/partners
www.f5.com/training_services/certification/certFAQ.html
Gartner Report: http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html
Important deployment information is available at: http://www.f5.com/solutions/deployment/
Data Center Virtualization: http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
Application Traffic Management: http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
Application Briefs: http://www.f5.com/solutions/applications/
Solution Briefs: http://www.f5.com/solutions/sb/
F5 Compression and Cache Test: http://www.f5demo.com/compression/index.php
F5 iControl Alliance Partners: http://www.f5.com/solutions/partners/iControl/
F5 Technology Alliance Partners: http://www.f5.com/solutions/partners/tech/
Let us know if you need any clarification or you have any further questions.
70
Analyst Leadership Position
[Figure: Magic Quadrant for Application Delivery Products, 2007. Axes: Ability to Execute (vertical) and Completeness of Vision (horizontal); quadrants Leaders, Challengers, Visionaries and Niche Players. Vendors plotted: F5 Networks, Citrix Systems, Cisco Systems, Akamai Technologies, Foundry Networks, Nortel Networks, Juniper, Crescendo, Radware, Zeus, Coyote Point, NetContinuum, Array Networks. Source: Gartner, January 2007]

F5 Strengths
• Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.
• Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time.
• Strong underlying platform allows easy extensibility to add features.
• Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP.
• Support of an increasingly loyal and large group of active developers tuning their application environments specifically with F5 infrastructure.
71
Thank You