application firewall

Introduction to F5 Networks
Andreas Guggenbichler
Regional Manager Eastern Europe
June 21st, 2005
Company
2
Company Snapshot
• Leading provider of technology to secure, optimise and deliver IP-based applications
• Founded 1996, public 1999, Nasdaq listed (FFIV)
• HQ in Seattle, offices around the globe
• More than 9,000 customers
• Approx. 700 employees
• FY2004 revenue $171M
– 48% year-over-year growth
• More than 30,000 systems shipped
3
Undisputable Leader in Application Delivery
Magic Quadrant for Web-Enabled Application Delivery, 2H04
Source: Gartner Research Note, January 2005
• “F5 Networks, with the milestone release of v9.0, has a strong platform on which to build additional features.”
• “The focus on application delivery and secure access has been a significant contributor to F5's success leading up to the v9.0 release. F5 is one of the thought leaders in the market and offers growing feature richness. Add F5 to your shortlist for application delivery.”
4
SSL VPN Market Leadership
SSL Virtual Private Networks METAspectrum℠ Evaluation
• “A core group of market leaders continues to rapidly innovate and drive increasing degrees of functionality. Other contenders must often scramble to keep up.”
• “SSL VPNs are already capable of delivering great value to organizations and have even further up-side potential going forward.”
5
Financial Trends
[Charts, quarterly from 1Q02 to 1Q05: Cash & Investments ($ Millions); Revenue ($ Millions); Cash Flow from Operations ($ Millions); EPS (Pro Forma)]
6
F5 Expansion in Europe
• 80+ employees in EMEA
• Sequential growth
• Increasing country presence
• Strong regional channel
• Large customer base
– Financial
– Media
– Transportation
– Technology
– Telecommunications
– Service providers
7
F5 Customers in Europe (1 of 2)
Banking, Financial
Insurance, Investments
Telco, Service Providers, Mobile
8
F5 Customers in Europe (2 of 2)
Transport, Travel
Media, Technology, Online
Manufact., Energy
Governm., Other
Health, Consumer
9
Product and Technology Leadership
• BIG-IP: Traffic Management (Local, Global & Link Application Traffic Management)
• FirePass: SSL VPN Remote Access (Secure Application Access)
• TrafficShield: Application Firewall
• iControl Software Development Kit: Standards Based Interface (SOAP/XML)
• iControl Services Manager: Centralised Management for F5 Devices
10
Partner Programme
11
Advantage Programme Categories
• Resellers
– Authorised Advantage Partner
– Premier Advantage Partner
– Gold Advantage Partner
– Global Advantage Partner
• Distributors
– Gold Advantage Distributor
12
EMEA Advantage Channel Model
Customer
Gold Partner
Premier Partner
Authorised Partner
Global Partner
Gold Distributor
13
Certification Programme
• F5 Certified Product Consultant
– Pre-sales specialist
• F5 Certified Configuration Professional
– Level 1 post-sales specialist
• F5 Certified Systems Engineer
– Level 2 post-sales specialist
• F5 Certified Product Consultant FirePass
– Pre-sales specialist
14
Customer Focused Services
• Support centres in London, Singapore, Washington D.C. and Seattle
• Level 1/2/3 support
• 24-hour global technical support
• 4-hour RMA
• Training centres in London and around the globe
• Premium Plus services
• Installation
• Sell-through services
• Consulting
• Advantage certification programme
• Ask F5 knowledge base
F5’s global service strategy means reliable application delivery – anytime, anywhere
15
Professional Services Offerings
• Premium Service
– 7x24 telephone support
– Access to Ask F5 technical database
– WebSupport portal
– Software updates
– Advance hardware replacement
• Standard Service
– Same as above, but 5x10
16
Application Traffic
Management
BIG-IP
17
Application Delivery Challenge
Application
Network Administrator: Deploy point solutions
• Faster and centralised fix, applications are offloaded
• Costly, complex and hard to manage
Application Developer: Code fix in the application
• Expensive (Code, Manage, Maintain)
• Consumes server cycles
• Often not possible
18
Result: A Growing Network Problem
Users: Mobile Phone, PDA, Laptop, Desktop, Co-location
Network Point Solutions: DoS Protection, Rate Shaping, SSL Acceleration, Server Load Balancer, Content Acceleration, Application Firewall, Connection Optimisation, Traffic Compression
Applications: SFA, CRM, ERP, Custom Application
19
What the Customer Wants
“How do I make my applications run better
without rewriting them, or incurring major
infrastructure cost and adding significant
management overhead?”
“I need to be as optimized as I can be, as simply as
possible and with minimal resource impacts”
-Director of Infrastructure for a major U.S. airline
20
Groundbreaking New Architecture
Users: Mobile Phone, PDA, Laptop, Desktop, Co-location
Unified Network & Application Infrastructure Services: Deliver, Optimise, Secure
Traffic Management Operating System (TM/OS)
Applications: CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom
21
Comprehensive Single Solution
Users: Mobile Phone, PDA, Laptop, Desktop, Co-location
The F5 Solution: BIG-IP 3400 with Performance Pack
Applications: CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom
22
TM/OS Architecture is Built from the Ground Up
A revolutionary new architecture that provides organisations with a unified system for optimal application delivery
TM/OS Fast Application Proxy: Client Side, Server Side
Key Components
1. TM/OS Fast Application Proxy
2. Universal Inspection Engine
3. iRules
Benefits
1. Unifies multiple functions into one
2. Manages entire application flows
3. Delivers applications as intended
4. Granular, session level control
23
An Intelligent and Flexible Solution
• iRules (Programmable Network Language): Programmable Application Network
• GUI-Based Application Profiles: Repeatable Policies
• Unified Application Infrastructure Services (Security, Optimization, Delivery, New Service): Targeted and Adaptable Functions
• Universal Inspection Engine (UIE): Complete Visibility and Control of Application Flows
• TM/OS Fast Application Proxy: Client Side, Server Side
24
Secure Optimised Application Delivery
Application performance
optimised by F5:
25
BIG-IP Delivers Applications Faster
[Bar chart: seconds (0 to 100), Without BIG-IP vs. BIG-IP Optimized, for IIS 6.0, OWA 2003, SharePoint, Siebel and Weblogic; improvement labels shown: 126%, 55%, 121%, 125%, 70%]
*Percentage of Improvement With BIG-IP Optimizing the Applications
26
Fast Cache – Dramatic Server Offloading
• IIS 6.0 Standard Web Content: 98%
• Siebel eBusiness Suite Call Center 7.7: 72%
• WebLogic Portal 8.1: 78%
27
Real World Performance and Results
• 350 Million Page Hits in 1 Week
• 1/3 Reduction in Servers
• 1/3 Reduction in Licenses
• 1/3 Reduction in Management Time
• 95% Fewer Connections: 114.8 Million to 5 Million
• 66% Reduction in Bandwidth: 1.87 Terabyte to 621 Gigabytes
• End-to-End Page Load Time 300% Faster: 3 Seconds to 1 Second
28
Customer Example: Airline
Customer Problem: Portal Applications are too Slow
• Unusable Web portal applications – 5 to 30+ second page load times, limited scale, costly infrastructure
• Executive level visibility; end-user complaints
• Too costly to change the applications
• Difficult to manage growing number of point solutions in the network
• Need to selectively compress based on client connection, application, and servers
Market Pervasiveness:
• $25 billion lost annually in e-business due to poor web performance
• Over half of global users are still dial-up
• Internet latency on average is 2x in Europe and 4x in Asia compared with the US (91 ms)
• Average Web application can be 20x chattier than traditional client-server application
Diagram labels: High Latency Connection; Dial-Up; Bandwidth Bottleneck; Fast Connection and application; Too many Point Solutions
29
Customer Example: Airline
The BIG-IP Solution: Intelligent and Adaptable Optimization
BIG-IP Features & Functions Utilized
1. Client-Aware Compression (Patent Pending) – Target compression for high latency or dial-up users
2. Application Switching – High availability and cost-effective scale
3. TCP Offload & Optimization – Client-side & Server-side
4. Content Transformation – Eliminate need for application proxies
5. TM/OS & iRules – Unified framework for application services enabling an integrated approach to consolidation of services
Diagram labels: Detect High TCP Latency = Compress!; Detected Dial-up Client = Compress!; Fast Connection and application
Business Benefit:
• 10x application performance improvement (20 to 2.5 seconds)
• 70% bandwidth reduction (thousands of dollars in Telco costs per month)
• Lower management cost (4 vendors/boxes unified into 1 cohesive solution)
• Organizational adaptability (can now easily offer standardized services across all application types)
Payback Time, 3 Months
30
Sales Tool: Gomez
• Gomez Testing Results:
http://www.f5.com/solutions/gomez_testing.pdf
31
Sales Tool: Compression Calculator
http://www.f5demo.com/compression/
32
BIG-IP Platforms
Measurement            BIG-IP 1500   BIG-IP 3400   BIG-IP 6400   BIG-IP 6800
Layer 4 Requests/sec   30,000        110,000       220,000       220,000
Layer 7 Requests/sec   22,000        50,000        75,000        110,000
Max. throughput        500 Mbps      1 Gbps        2 Gbps        4 Gbps
Max. SSL TPS           2,000         8,000         15,000        20,000
Max. compression       100 Mbps      500 Mbps      2 Gbps        2 Gbps
Options
• LTM, GTM, & LBL-to-LTM Software Modules
• SSL TPS Add-ons
• Compression Add-ons
• Advanced Routing Modules
• Advanced Client Authentication
• L7 Rate Shaping
• Performance Package Bundles
• OCSP Modules
• IPv6
• SSL / FIPS SSL
• Memory
• 10/100 NIC
• GB Fiber/Copper NIC
• Redundant Power Supply
• 48v DC Power Supply
• SFP / SFP LX Fiber Optics
• Mid-Mount Kits
• Failover Cables
33
SSL VPN
FirePass
34
Remote Access Realities
End User
“I’m in a different city every few days. I just need to be able to access my email, critical files, and sales application.”
“My remote access has to work without calling IT helpdesk twice each week!”
“Poor access impacts my paycheck directly.”
Requires Ubiquitous Access
• Any client
• Any application
Chief Security Officer
“My job is to protect our network and applications from our known users AND intruders.”
“Users distribute viruses – not because they mean to – and intruders attack us every day.”
“Failing to protect us can cost us millions and me my job.”
Requires Strong Security Control
• Email worms and viruses
• Web application attacks
IT Manager
“I already have too many systems to manage. More users and systems only increase the problem.”
“Products that are hard to manage are likely to be avoided by my staff.”
“But, if maintenance doesn’t happen, users get angry and it shows on my performance review.”
Requires Easy Deploy & Management
• Existing auth server support
• 1000s of users, 100s of apps
35
Remote Access - Requirements
Any Location: Hotel, Kiosk, Hot Spot
Any User: Employee, Partner, Supplier
Any Devices: Laptop, Kiosk, Home PC, PDA/Cell Phone
Secure: Data Privacy, Device Protection, Network Protection, Granular App Access
Any Application: Web, Client/Server, Legacy, Desktop
Highly Available: Global LB, Stateful Failover, Disaster Recovery
Ease of Integration
Ease of Use
Clientless
Simple GUI
Detailed Audit Trail
AAA Servers
Directories
Instant Access
36
2003-2007 Forecast
[Chart, years 2001, 2003, 2005, 2007; series: individual SSL/HTTPS; individual IPSec/PPTP; site to site IPSec (not individual remote access)]
Source: Gartner 2003 (Unofficial)
37
SSL VPN Secure Application Access
Ubiquitous Delivery
Laptop
Dynamic Policies
Any Application
HTTPS Transport
Mainframe
Internet
Mobile Device
Kiosk
FirePass Remote Access Controller
Server
Desktop
38
Dynamic Policy Engine
• User / Device Security
– Dynamically adapt user policy based on device used
• Seamless Integration
– Utilize existing AAA servers
– Automatic user mapping from directory
• Detailed audit trail
– Application level visibility
Diagram labels:
Policy: Default Policy, Kiosk Policy, Wireless Policy, Laptop Policy
SSL
Access Engine: SSL VPN Connector, AppTunnel Connector, Webifyer, Desktop Webifyer
Authentication: LDAP, RADIUS, WIN NT/2K, Web-based
Group: Sales, Financial, Auditors, etc.
Access Rights: Intranet, SAP, Siebel, File Shares
Audit: Usage Reporting (Who accessed, What was accessed, From Where)
39
Adaptive Client Security
Kiosk, PDA, Laptop
Kiosk Policy, Mini Browser Policy, Corporate Policy
Firewall / Virus Check
Cache / Temp File Cleaner
Terminal Servers, Files, Intranet, Email, Client/Server Application, Full Network
40
Customer Example Data Centre
FirePass
Sales Person
High Availability of Servers with BIG-IP
High Availability for Data Centres with 3-DNS
Engineers
Consultants
FirePass
Backup Data Centre
41
Web Application Security
TrafficShield
42
Security’s Gaping Hole
“64% of the 10 million security incidents tracked targeted port 80.”
DATA
Information Week
43
TrafficShield Application Firewall
44
TrafficShield Application Firewall
1. Web application firewall
- Protect web applications against known & unknown attacks
- Uses positive security logic – All traffic is illegal unless known to be legal
2. Content scrubbing
- Prohibit delivery of sensitive data
3. Application cloaking
- Hide the identity of web applications from outside probing
45
The Application Flow Model
46
The Application Flow Model
<script>
Actions not known to be legal can now be blocked
- Wrong page order
- Invalid parameter
- Invalid value
- etc.
47
Protecting Web-based Applications
CONTENT SCRUBBING
- Social Security Numbers: Scrubbed
- Credit Card Numbers: Scrubbed
- Account Numbers: Scrubbed
- Patient Health ePHI: Scrubbed
- Phone Numbers: Scrubbed
- Any other identifiable text pattern: Scrubbed
ATTACK FILTERING
- Unvalidated Input Manipulation: Blocked
- Broken Access Control (Forceful Browsing): Blocked
- Buffer Overflow: Blocked
- Cross-Site Scripting: Blocked
- SQL/OS Injection: Blocked
- Cookie Poisoning: Blocked
APPLICATION FIREWALL
- Out-of-box Protection: Included
- Script Kiddies, Known Worms & Vulnerabilities: Blocked
- Requests for Restricted Object and File Types: Blocked
- Non-RFC-Compliant Traffic: Blocked
- Illegal HTTP Format, Method: Blocked
- Unknown Worms and Vulnerabilities: Blocked
15 min Set-Up Time
SSL ACCELERATION & KEY MANAGEMENT
- SSL Accelerator: Included
- Key Management & Failover Handling: Included
- SSL Termination and Re-encryption to Servers: Included
CLOAKING
- OS and Web Server Fingerprinting: Blocked
- HTTP Error Messages: Blocked
- Application Error Messages: Blocked
- Leakage of Server Code: Blocked
NETWORK FIREWALL
- IP/Port Filtering: Included
- Securing TCP/IP Session: Included
- Reverse Proxy: Included
48
Competition
49
Growing Fast in a Growing Market
Non-Modular L4-7 Switch Market – Q4’CY04
• F5 Networks: 40%
• Nortel Networks: 26%
• Radware: 16%
• Other: 8%
• Foundry Networks: 7%
• Cisco Systems: 3%
Total L4-7 Market: $529 Million
Year/Year Growth
• L4-7 Market: 27%
• F5 Networks: 57%
Change in Market Share (1Q’03 - 4Q’04)
• Cisco Systems: -21%
• F5 Networks: 58%
• Nortel Networks: -10%
• Radware: -7%
Total L4-7 Switch Market – Q4’CY04
• Cisco Systems: 38%
• F5 Networks (w/Appliances): 25%
• Nortel Networks: 15%
• Radware: 9%
• Foundry Networks: 7%
• Other: 6%
SOURCE: Dell’Oro Group / F5 Networks (February 2005)
50
SSL Market Share Leader
For 15th Consecutive Quarter (Q3‘04)
Worldwide L4–L7 Switch/Load Balancer with SSL Market Share (Revenue)
• F5 Networks: 49%
• Cisco Systems: 28%
• Other: 13%
• Nortel Networks: 10%
Source: Infonetics (November 2004)
“F5 released the next generation of their BIG-IP platform, which utilizes a proxy architecture (called Traffic Management Operating System) to speed up application performance; some of the highlights include improved SSL performance, as well as IPv6.”
Matthias Machowinski, Analyst at Infonetics Research
51
Highest Growth and Momentum
Worldwide Application Security Gateway (SSL VPN) Market Share
Q3‘04 Unit Market Share (Revenue)
• Juniper: 42%
• Other: 29%
• F5: 13%
• Aventail: 11%
• Nokia: 5%
Source: Infonetics (November 2004)
“SSL VPN products attempt to solve deployment and management problems that many IPSec VPN users have already encountered; IPSec clients can be a pain, and many users only need access to specific applications, not network-level access.”
“F5 seems very committed to the success of this product and is putting significant resources behind the acquisition, and have now acquired Magnifire and will be adding application security to their growing suite of VPN and security solutions.”
Jeff Wilson, Principal Analyst at Infonetics Research
52
Fastest Growing SSL VPN Vendor
Network Security Solutions Surpass $1 Billion for Quarter
Source: Synergy Research Group (December 2004)
“What’s more, these markets continue to be driven by the need to protect corporate and service provider networks from a growing and perpetually changing number of threats. Moreover, investment in security solutions is being led by emerging solutions like application firewalls, High-End and Next Gen Firewalls, IPS, and SSL VPNs.”
Aaron Vance, Senior Analyst at Synergy Research Group
53
Summary
54
App Traffic Management’s Unique Positioning
Intelligent Clients
Network Plumbing
Intelligent Applications
Routers
iControl
Switches
BIG-IP
FirePass
Functionality
Firewalls
TrafficShield
Application Traffic Management
Application Access
Application Security
55
Product Roadmap
BIG-IP
TS Enforcer
FirePass
BIG-IP v4.x
TM/OS
BIG-IP O/S
BIG-IP v9
TM/OS
FirePass
FirePass
FirePass O/S
TM/OS
TrafficShield
TrafficShield
TrafficShield O/S
TM/OS
TM/OS is the foundation moving forward
56
Why F5?
1. The leader in Application Traffic Management
2. Secure, optimised, and reliable delivery of applications to any user, anywhere
3. Maximising technology investment
4. Strong financial track record
5. World-class support
57