BIG-IP Application Security Manager - DevCentral
Download
Report
Transcript BIG-IP Application Security Manager - DevCentral
F5 User’s Group September 13th 2011
1
Agenda
TMOS version 11
New features and overview
Demo vCMP
Demo and discuss iApps
User discussion – iRules
Survey and suggestions for next meeting
Bowling and/or game play
© F5 Networks, Inc.
V11 - Revolution
3
Analytics – URL Load Times
© F5 Networks, Inc.
4
Analytics – TPS per URL
© F5 Networks, Inc.
5
Analytics – Request Throughput per URL
© F5 Networks, Inc.
6
Analytics – Response Throughput per URL
© F5 Networks, Inc.
7
Statistics and Reporting
Per Virtual Server CPU Stats and Profile Stats
* Improved Visibility for Each Virtual Service
© F5 Networks, Inc.
8
Statistics and Reporting
Per Process CPU & Memory Stats – Dashboard Customization
* Improved Diagnostics
© F5 Networks, Inc.
9
Open Application Logging Engine
Client
Real-time
Transaction logs
High Speed Logging Engine (HSL)
•
GUI - Request Logging Profile
•
Unmatched performance - Up to 200,000 HSL (TCP/UDP) messages per second with
minimal impact to cpu usage
•
Support compliance requirements
•
W3C standard web log format support
© F5 Networks, Inc.
10
F5 ScaleN Architecture
Ultimate Scalability and Reliability
Scale
Up
Clustered Multiprocessing
(CMP) & SuperVIP
TMOS
The flexibility to scale
up, virtualize, and scale
out on-demand
Virtualization (vCMP)
Scale
Out
© F5 Networks, Inc.
11
Typical Failover – Limited Control
• Typical ADC runs Active-Standby
• Can only fail entire ADC
• Failover events disrupt all services
© F5 Networks, Inc.
12
ScaleN : Device Service Clusters
Dynamic Service Based Failover
• Fail-over targeted application workloads
• Avoid application service disruptions
• Move applications needing extra power
© F5 Networks, Inc.
13
ScaleN: Device Service Clusters
Elastic Scale Driving Efficiency
• Active-active-activeN Scale
• Blade fails on BIG-IP 1
• Add new blade to BIG-IP 3
• Blade replaced on BIG-IP 1
• Any type of BIG-IP device
© F5 Networks, Inc.
14
TMOS – TCP, HTTP, & iRule Enhancements
Separate
caching &
compression
profiles from
HTTP
TCP Options
inspection &
transformation
with iRules
TCP Connection
Queuing
Akamai
Ability to create
TCP/UDP out of
band connections
via iRules
HTML Parsing
iRules
*Bigpipe is no longer supported in v11
© F5 Networks, Inc.
15
TCP Connection queuing
•
•
•
•
Operates at TCP level; HTTP not required
Currently only engages when conn limit hit
Specify queue length limit, time limit, or both
Queues operate per-tmm (no state sharing)
•
•
Length limit divided by tmm count
FIFO guarantees only per-tmm
• Queued at the pool level for non-persistent connections
• Queued at the pool member level for persistent connections
•
If conn limit is overridden by persistence, that conn is not queued
• When a pool member becomes available, it checks the head of its
queue, and of the pool’s queue, and services the flow that got there
© F5 Networks, Inc.
first.
16
New Product and Platform Support
1600
3900/3600
6900 and 6900S
8900/8950/8950S
October
announcement
11000 and 11050
•
New 6900S (Turbo SSL), 11000 (48 GB Memory, 4xSSD’s (4x 300GB), 16 Gbps HW
Comp.), and 11000/11050F (FIPS) platforms (October announcement)
•
WOM standalone product and platforms (1600, 3600, 3900, 6900, 8900,11000)
•
Modules: Add-on Module support VE and 1600 (ASM, WA, APM, GTM, WOM)
•
Modules: Triplet support on 3600 and higher (Any combination excluding LC)
•
VE Production (LTM, APM, ASM, WOM,GTM) *WA coming next release
•
New VE Lab editions that include all products
© F5 Networks, Inc.
17
BIG-IP Advanced Acceleration Overview
Adaptive Protection for Web 2.0 Applications
© F5 Networks, Inc.
18
Easily Secure JSON Payloads
BIG-IP Application Security Manager
•
Protect from JSON threats
•
Render unique blocking
message for AJAX widgets
•
User informs admin with
support ID for resolution
Display a Blocking
Message in AJAX Widget
Example: www.stockfacts.com
© F5 Networks, Inc.
19
F5 Innovative Protection for Web 2.0 Apps
• Secure all applications
• Automatically share policies between devices
• Quickly deploy BIG-IP ASM VE in private
clouds
Data Center
© F5 Networks, Inc.
20
Protection from Vulnerabilities
Enhanced Integration: BIG-IP ASM and WhiteHat Sentinel
Customer Website
WhiteHat Sentinel
• Finds a vulnerability
• Virtual-patching with
one-click on BIG-IP ASM
• Vulnerability checking,
detection and remediation
• Complete website
protection
BIG-IP Application Security Manager
• Verify, assess, resolve and retest in one UI
• Automatic or manual creation of policies
• Discovery and remediation in minutes
© F5 Networks, Inc.
21
ASM and the Software Development
Lifecycle
• Policy Tuning
• Pen tests
• Performance Tests
•
•
•
•
•
•
WAF “offload” features:
Cookies
Brute Force
DDOS
Web Scraping
SSL, Caching,
Compression
• Final Policy Tuning
• Pen Tests
• Incorporate vulnerability assessment into the SDLC
• Use business logic to address known vulnerabilities
• Allow resources to create value
© F5 Networks, Inc.
22
BIG-IP Advanced Acceleration Overview
Advanced Dynamic Services for Unified Access Control
© F5 Networks, Inc.
23
F5 Unified Access and Control
Flexible and Dynamic ADC Services – BIG-IP v11
Data Center
Headquarters and
Remote Offices
© F5 Networks, Inc.
24
Authentication All in One and Fast SSO
F5 BIG-IP Access Policy Manager
Dramatically reduce infrastructure costs; increase productivity
= BIG-IP v11
© F5 Networks, Inc.
25
New Detailed Reporting
BIG-IP APM
e.g. Who accessed app. or
network and when?
e.g How many XP users are still
on my network?
e.g. Where are users accessing from
(geolocation)?
Custom, Built-in and
Saved reports
Exported and used
on other devices
© F5 Networks, Inc.
26
BIG-IP Advanced Acceleration Overview
Scalable, Adaptive and Secure DNS infrastructure
© F5 Networks, Inc.
27
Scalable GSLB Performance
Step 1: Multicore (CMP) BIG-IP GTM v11
• Enable users to access apps during spikes
• Scale with GTM query performance utilizing hardware
–
–
–
CMP enabled utilizing full set of processing cores
Up to 6 million QPS on VIPRION
Each CPU Core ~ high performance DNS server = 130k+ qps
• Integrates GTM in TMM for exponential performance
Preliminary estimates: (may exceed)
125k
QPS
600k
QPS
1.5Mil
QPS
2Mil
QPS
3Mil
QPS
6Mil
QPS
© F5 Networks, Inc.
28
Exponential and Efficient DNS Performance
Step 2: Implement DNS Express
DNS Express
•
High-speed response and DDoS protection with in-memory DNS
•
Authoritative DNS serving out of RAM
•
Configuration size for tens of millions of records
•
Scalable DNS Performance
•
Consolidate DNS Servers
DNS Server
DNS Express in TMOS
Answer
DNS
Query
Answer
DNS
Query
Answer
DNS
Query
Answer
DNS
Query
Answer
DNS
Query
Manage
DNS
Records
OS
Admin
Auth
Roles
NIC
Dynamic
DNS
DHCP
© F5 Networks, Inc.
29
Solution: Easily Handle All DNS Requests
Step 3: BIG-IP GTM and IP Anycast Integration
•
•
•
•
Same IP Address for multiple devices
Geographically separate the DNS request load for all requests
Scale DNS infrastructure up and out per BIG-IP
Revenue and brand are protected
© F5 Networks, Inc.
30
Eases the IPv6 Evolution
DNS 6 4
•
•
•
•
Combined NAT64 and DNS64 provide automatic translation
Supports pure IPv6 clients accessing both IPv6/IPv4 sites
Critical for mobile devices and any client optimized for pure IPv6
Eases evolution and bridges gap between IPv6/IPv4 DNS
© F5 Networks, Inc.
31
Usability Enhancements
Route Domains, Monitors, & Default Certificates!
iQuery status in
in the GUI
Removed
Basic/Advanced
listener
Default
certificate is
now 10 yrs!
GTM monitor
support of Route
Domains
Optional manual
selection of prober
assignments
GTM
© F5 Networks, Inc.
32
Global Customer Training for V11
• Free Customer Web-based Training What’s New in BIG-IP V11
•
Additional v11 WBTs modules will be available later
© F5 Networks, Inc.
33
vCMP Demo
Virtual Clustered Multi-Processing
vCMP = F5’s purpose built hypervisor
Currently available with version 11 on the VIPRION platforms
Today’s demo is on a VIPRION 2400
© F5 Networks, Inc.
34
V11: The iApp Revolution
network
for specific
applications
takesDelivery
weeks …
and
•• Optimizing
Frameworkthe
to unify,
simplify
and control
Application
Services
can be frustrating
• Application-centric
• F5’s unique application deployment guides helped … now just days
• Contextual view and advanced analytics
• F5’s new iApp capability reduces process to hours and minutes and
• it’s
Rapid
and predictable
deployment
portable
like virtual
machines
© F5 Networks, Inc.
35
V10 Managing Objects
& Services
BIG-IP V11
Application
Services
© F5 Networks, Inc.
36
BIG-IP V11 Managing Application Services
F5 iAPPs:
Managing application services … not
network devices or objects.
© F5 Networks, Inc.
37
• IT Network, Security,
WAN, and Exchange
Team Collaboration
• Application specific
questions
© F5 Networks, Inc.
38
The network from an “Application’s Point of View”
Use a single interface to:
• Understand F5 application
service dependencies
• Rapidly perform operational
tasks
• Quick view of overall
application and health status
• View availability status and
type for each service object
• Rapidly enable and disable
resource pool nodes or
servers.
© F5 Networks, Inc.
39
iApp Ecosystem
• More than 20 iApp templates come with v11
• F5’s Open iApp Ecosystem is part of DevCentral
• Share iApps within organizations, between partners, and other
vendors
© F5 Networks, Inc.
40
User Discussion: iRules
Randy Ferguson – F5 Consultant (Tempe, AZ)
Do you have an iRule you would like to discuss?
Examples:
Select a pool based on the HTTP host header
Sideband Connection – new in v11
LDAP Proxy
Proxy Pass
Additional resources – DevCentral Tutorials
© F5 Networks, Inc.
© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS,
and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries