Transcript BIG-IP
1
F5
Application
Traffic
Management
Radovan Gibala
Senior Solutions Architect
[email protected]
+420 731 137 223
2010
2
Application Delivery
Architecture
BIG-IP LTM
• ASM
FirePass
App
Security
& Data
Integrity
• AAA
• Data
Protection
• Transaction
Validation
Business
Continuity HA
Disaster
Recovery
BIG-IP LTM • GTM •
LC • WA
FirePass • ARX •
WJ
• WAN Virtualization
• File Virtualization
• DC to DC
Acceleration
• Virtualized VPN
Access
User
Experience
& App
Performance
• Asymmetric &
Symmetric
Acceleration
• Server Offload
• Load Balancing
People
BIG-IP LTM • GTM •
WA ARX • WJ
Apps Data
Managing
Scale &
Consolidatio
n
• Virtualized App &
Infrastructure
• Server & App
Offload
• Remote, WLAN & LAN
• Load Balancing
Central Policy
Enforcement
• End-Point Security
• Encryption
• AAA
•
•
•
•
Virtualization
Migration
Tiering
Load
Balancing
BIG-IP LTM • GTM •
LC • WA
FirePass • ARX • WJ
Unified
Security
Enforcement
& Access
Control
FirePass
BIG-IP LTM • GTM
Storage
Growth
ARX
BIG-IP
GTM
3
How To Achieve the Requirements ?
Multiple Point Solutions
Application
More
Bandwidth
Network Administrator
Add More
Infrastructure?
Application Developer
Hire an Army of
Developers?
4
The Result: A Growing Network Problem
Users
Mobile Phone
Network Point Solutions
DoS Protection
Rate Shaping
SSL
Acceleration
PDA
Laptop
Desktop
Co-location
Applications
CRMCRM
Server Load
Balancer
Content
Acceleration
Application
Firewall
Connection
Optimisation
Traffic
Compression
SFA
ERP
ERP
ERP
CRM
SFA
Customised
Application
SFA
5
Traditional Infrastructure Model
Corporate Employees
LAN & wLAN
Mobile
Employees
Remote
Employees
Branch Employees
LAN & wLAN
Customer, Partners,
or Suppliers
How do I connect all these applications
and services to the right people, at the
right moment in time, using the right
amount of resources, meet all my SLAs,
ensure security and save money?
Cloud Services
Hosted Applications
Corporate
Data Center
SAAS
Apps and Data
in the Branch
6
What is Required to Fill the Gap Unification
Corporate Employees
Mobile
Employees
Remote
Employees
Branch Employees
Customer, Partners, or
Suppliers
Integration
Visibility
Unified Application and Data Delivery Model:
Cloud Infrastructure
Context
Action
Cloud Services
Hosted Applications
Corporate
Data Center
SAAS
Branch apps
and Data
Unification Enables the Dynamic
Infrastructure
7
F5’s Integrated Solution
Users
The F5 Solution
Applications
Application Delivery Network
CRM
Mobile Phone
Database
Siebel
BEA
PDA
Legacy
.NET
SAP
Laptop
PeopleSoft
IBM
ERP
Desktop
Co-location
TMOS
SFA
Custom
8
A New Level of Intelligence
Legacy Approach
Packet
Based
React to a Single Communication, One Direction
Flow
Based
TM/OS
React to a Real Time, Two-Way Conversation
Translate Between Parties
9
Deliver Application Exactly as
Intended
Manage Entire Application Flows:
•
•
•
Independent Connection Control
Supporting All IP Applications
High Performance Framework
•
•
BI-Directional, Full Payload
Inspection
Session Level Control
Universal Inspection Engine (UIE)
TM/OS
Fast IP Interception
Client
Side
Server
Side
10
The entire solution is built on top of the TMOS
operating system that integrates all the tools
iRules and iControl
Programmable
Application
Network
Programmable Network Language
GUI-Based Application Profiles
Repeatable Policies
Unified Application Infrastructure Services
Targeted and
Adaptable
Functions
Security
Optimisation
Delivery
Universal Inspection Engine (UIE)
New Service
Complete Visibility
and Control of
Application Flows
TMOS
Fast IP Interception
Client Side
Server Side
11
Traffic Management Operating System
iRules
Rate Shaping / Rate Limiting
Resource Cloaking
Transaction Assurance
Universal Persistence
Caching
Compression
Selective Content Encryption
Advanced Client Authentication
Application Health Monitors
Application Switching
Shared Application Services
TMOS
Operating System
Shared Network Services
TCP Express
Protocol Sanitization
High Performance SSL
DoS and DDoS Protection
VLAN Segmentation
Line Rate L2 Switching
(Mirroring, Trunking, STP, LACP)
IP Packet Filtering
IPv6
Dynamic Routing
Secure Network Address Translation
Port Mapping
Common Management Framework
12
TCP Express
Server
Side
OneConnect
Client
Side
Compression
TCP Proxy
3rd Party
Web Accel
XML
Caching
SSL
TCP Express
Client
Rate Shaping
Microkernel
TrafficShield
Unique TMOS Architecture
iRules
High Performance HW
iControl API
TMOS Traffic Plug-ins
High-Performance Networking Microkernel
Powerful Application Protocol Support
iControl – External Monitoring and Control
iRules – Network Programming Language
Server
13
BIG-IP
14
First Unified Application Infrastructure Services Delivering
•
•
•
•
DoS and SYN Flood Protection
Network Address/Port Translation
Application Attack Filtering
Certificate Management
• DoS and DDos protection
• Brute Force Attacks protection
• Resource Cloaking
• Advanced Client Authentication
• Firewall - Packet Filtering
• Selective Content Encryption
• Cookie Encryption
• Content Protection
• Protocol Sanitization
• Secure and Accelerated
DC to DC data flow
• Comprehensive Load Balancing
• Advanced Application Switching
• Customized Health Monitoring
• Intelligent Network Address
Translation
• Advanced Routing
• Port Mirroring
• IPv6 Gateway
• Universal Persistence
• Response Error Handling
• Session / Flow Switching
• SSL Acceleration
• Quality of Service
• Network Virtualization
• System resource Control
• Application Templates
• Dashboard
• Connection Pooling
• Intelligent Compression
• L7 Rate Shaping
• Content
Spooling/Buffering
• TCP Optimization
• Content Transformation
• Caching
• TCP Express
15
BIG-IP Local Traffic Manager
Turn your infrastructure
into an agile application delivery network
BIG-IP
Users
Applications
Scale the application infrastructure
Eliminate downtime
Improve application performance
Secure your applications and data
Increase server capacity, reduce bandwidth
Customize the delivery of the app for your needs
16
It Starts with Load Balancing
Ensure availability and plan for growth
High Performance
Hardware
Dynamic LB
Methods
Transaction
Assurance
Application Health
Monitoring
Session
Persistence
LTM load balances at the application level
Ensures the best resources are always selected
Has deep visibility into application health
Proactively inspects and responds to errors
Eliminate downtime and scale the application
17
Comprehensive Load Balancing
Static
– RoundRobin
– Ratio
Dynamic
–
–
–
–
–
Fastest
LeastConnections
Observed
Predictive
Dynamic Ratio
Priority Groups
18
Feature Overview/BIG-IP
Availability Checking
• Check any back-end process using EAV
• Will work for any IP based application
• Stateful failover between devices
Security
• Firewall-like device to resist most attacks
• All administration is encrypted
• Integrated SSL/FIPS and secure NAT
19
Feature Overview/BIG-IP
SSL and E-Commerce
• Only product with integrated SSL
• Single certificate simplifies administration
• Lowers certificate costs
• Client certificate checking (Authentication)
Layer 7 Functionality
• Can utilize all HTTP header/content or TCP content in
traffic decisions
• Can persist on anything
• HTTP 1.1 keep-alives dramatically improve
performance
20
Feature Overview/BIG-IP
Easy to Implement and Support
• Can be deployed as either Layer 2 or 3 device
• Simple and complete Graphical User
Interface
• Installation services by F5 and/or partner
Flexibility
• BIG-IP works with any server or IP based
service
• iControl enables integration with internal
and/or 3rd party applications
21
Powerful and Simplified Management
“We have to deal with multiple products. The new user interface makes every other
solution in this space look absolutely immature. F5’s solutions are 10 times easier
to manage than Cisco.” - Major US Hosting Provider
22
Profile Based Management
Profile Based
Traffic
Management
Improved vision of
all resources and
traffic
Deliver
Optimize
Secure
23
Ensure Higher Availability - Superior
System Design
Processes Reporting and Control – Granular status, logging and
configurable actions for component-level failures. Capable of
warm restarts and upgrades.
3-way HA Design – Robust Internal system checking and passthrough design.
24
Extensibility - IPv6 Gateway
25
Network Virtualization
Route Domains
Consolidation with control
Host multiple groups on one BIG-IP without conflicts
Granular control to provide separate routing domains and
overlapping IPs
26
System Resource Control
Module Provisioning
Consolidation with control
Allocate CPU, memory, and disk per module
Customize allocation to meet your needs
27
Simple Application Roll-outs
Application Templates
1
SharePoint 2007
VMware VDI
Exchange Web Access 2007
IIS 7.0
HTTP
BEA WebLogic 5.1, 8.1
Oracle Application Server 10g
SAP ERP 6.0 and ERP 2006
Citrix Presentation Server
DNS
IP Forwarding
LDAP
RADIUS
2
3
“The Application Templates allowed us to deploy
Microsoft IIS in seconds instead of hours”
- System Engineer, Fortune 500 Co.
28
Simplified Management
Dashboard
29
Secure and Accelerate DC to DC
iSessions
Secure and accelerate between data centers
Integrated and free with BIG-IP LTM v10
Symmetric Compression
• Adaptive
• Deflate
• LZO
SSL Encryption
Note: Not available on the 1500 and 3400
30
BIG-IP Security Add-On Modules
Application Security Module
SSL Acceleration
Protect applications and data
Protect data over the Internet
Advanced Client
Authentication Module
Protect against unauthorised
access
31
BIG-IP Software Add-On Modules
Quickly Adapt to Changing Application & Business Challenges
Compression Module
Increase performance
Webaccelerator
- Fast Cache Module
Offload servers
Rate Shaping Module
Reserve bandwidth
32
Intelligent HTTP Compression
Most Intelligent and flexible solution to target HTTP
compression where it matters most
URI/content filters – allow/disallow lists
–
Compress only specified file types
–
Based on URI or MIME type
Client-aware compression (patent pending)
–
Based on TCP latency – observe client RTT
–
Based on low bandwidth client connections
Granular L7 based compression
Tunable resource allocation
–
Devote more memory and CPU cycles for high
priority compression jobs
Adaptable Compression
–
Scale back compression based on CPU load
33
Real Time Compression Tool
www.f5demo.com/compression
34
Improve the End-User Experience
TCP Express
Intelligent
Compression
WebAccelerator
(add-on module)
iSessions
LTM improves the application performance
Optimize the connections and prioritize traffic
Reduce the amount of data sent, both to the client
and across the WAN
35
Secure the Applications and Data
Network and
Protocol Attack
Prevention
Selective
Encryption
Resource
Cloaking and
Content Security
Application
Security Manager
(add-on module)
Application Policy
Manager
(add-on module)
Security at Application, Protocol and Network Level
Meet compliance requirements (PCI, HIPAA, etc.)
Strong protection without interrupting legitimate traffic
Authentication and Authorization (via client cert, AD, LDAP, RADIUS, RSA
SecurID agents)
Secure Remote Access (SSL-VPN)
Optimization (caching, compression, web acceleration)
Endpoint Security
Policy Engine
36
Let Servers Serve
One Connect
Fast Cache
SSL Offload
Compression
LTM offloads tasks from application servers
Reduce the number of servers required
Centralize SSL key management
1/2 of BIG-IP owners have saved 20% or more
on their total Capital Expenses with BIG-IP
Source: TechValidate Survey of F5 BIG-IP Users
37
TCP Express
Behaviors of a good TCP/IP implementation.
– Proper congestion detection.
– Good congestion recovery.
– High bandwidth utilization.
•
•
•
Being too aggressive can cause individual connections to consume all of the network.
Not being aggressive enough will leave unused bandwidth especially during a low number of connections.
Always needs to adapt to changing congestion.
– Increased windowing and buffering will often help compensate for latency and
can also offload the application equipment more quickly.
Most important tuning you can do in TCP typically has to do with
window sizes and retransmission logic (aka congestion control
behavior).
On today’s networks, loss is almost always caused from congestion.
– Most TCP stacks are not aggressive enough.
38
F5’s TCP Congestion Control
Algorithms
Reno Congestion Control
– Original TCP fast recover algorithm based on BSD Reno.
– Initially grows congestion window exponentially during the slow-start period.
– After slow-start, increases CWND by 1MSS for each CWND acked (this is linear growth).
– When loss or a recovery episode is detected, the CWND is cut in half.
New Reno modifications (this is currently the default mode)
– Improves on the Reno behaviour.
– When entering a recovery episode, implements a fast retransmit:
• Each ACK less than the recovery threshold triggers a one-time resend of the data started by
the ACK.
• Results in more aggressively sending the missing data and exiting the recovery period.
Scalable TCP (added in 9.4)
– Improves on the NewReno behaviour.
– Upon loss, the CWND is reduced by only 1/8.
– Once out of slow start, CWND increases by 1% of an MSS for each CWND ACK’d.
HighSpeed (F5's proprietary congestion control added in 9.4)
– Similarly improves on the NewReno behaviour in combination with Scalable TCP.
– Progressively switches from NewReno to Scalable TCP based on the size of the CWND.
• Upon loss, the CWND is reduced by somewhere between ½ and 1/8.
• CWND grows somewhere between 1% and 100% of an MSS for each CWND ACK’d.
39
OneConnect ™ – Connection Pooling
Increase server capacity by 30%
–
Aggregates massive number of client requests into fewer server
side connections
Transformations form HTTP 1.0 to 1.1 for Server Connection
Consolidation
Maintains Intelligent load balancing to dedicated content servers
Good Sources:
http://tech.f5.com/home/bigip/solutions/traffic/sol1548.html
http://www.f5.com/solutions/archives/whitepapers/httpbigip.html
40
OneConnect ™ New and Improved
HTTP Request Pooling
b.gif
c.asp
a.gif
20
index.htm
1
b.gif c.asp a.gif index.htm
•
Streamlines single client
request to BIG-IP
•
Enabled by HTTP 1.1
•
Avg. Reduction is 20 to 1 per
Web Page
•
Intelligent load balancing to
dedicated content servers
•
Maintain Server Logging
•
Transformation form HTTP 1.0
to 1.1 for Server Connection
Consolidation
1) OneConnect ™ Content Switching
b.gif c.asp a.gif index.htm
index.htm
HTML server pool
b.gif
GIF server pool
a.gif
c.asp
2) OneConnect ™ HTTP transformations
b.gif
c.asp
a.gif
index.htm
ASP server pool
New
One
b.gif c.asp a.gif index.htm
Many
3) OneConnect ™ Connection Pooling
b.gif c.asp a.gif index.htm
•
Aggregates massive number
of client requests into fewer
server side connections
Server
sales.htm e.gif
d.gif
f.asp
b.gif sales.htm c.asp
e.gif
a.gif
d.gif index.htm f.asp
41
Content Spooling
Problem: TCP Overhead on Servers
– There is overhead for breaking apart…”chunking”
content
– Client and Server negotiate TCP segmentation
– Client forces more segmentation that is good for the
server
– The Servers is burdened with breaking content up
into small pieces for good client consumption
Solution
Spoon feed
clients
Slurp up server
response
Benefit: Increases server capacity up to 15%
42
L7 Rate Shaping
Integrated and Fine Grained Bandwidth Control
Rate Class
Sophisticated Bandwidth Control
– Flexible bandwidth limits
– Full support for bandwidth borrowing
– Traffic queuing (stochastic fair queue,
FIFO ToS priority queue)
Granular Traffic Classification
L2
through L7
– iRules support can initiate a rate class
on any traffic flow variable
Only Multi Direction Control
– Control throughput in any direction
Ceiling Rate
Burst
Base
WAN
Network
Segments
Pool of
Servers
43
Hardware
45
Actual BIG-IP Platforms
BIG-IP 8900
Price
2 x Quad core CPU
16 10/100/1000 + 8x 1GB SFP
2x 320 GB HD (S/W RAID) + 8GB CF
16 GB memory
SSL @ 58K TPS / 9.6Gb bulk
6 Gbps max hardware compression
BIG-IP 6900
12 Gbps Traffic
Multiple Product Modules
BIG-IP 3900
Quad core CPU
8 10/100/1000 + 4x 1GB SFP
1x 300 GB HD + 8GB CF
8 GB memory
SSL @ 15K TPS / 3.8 Gb bulk
3.8 Gbps max software compression
BIG-IP 3600
BIG-IP 1600
Dual core CPU
4 10/100/1000 + 2x 1GB SFP
1x 160GB HD
4 GB memory
SSL @ 5K TPS / 1 Gb Bulk
1 Gbps max software compression
2 x Dual core CPU
16 10/100/1000 + 8x 1GB SFP
2x 320 GB HD (S/W RAID) + 8GB CF
8 GB memory
SSL @ 25K TPS / 4 Gb bulk
5 Gbps max hardware compression
6 Gbps Traffic
Multiple Product Modules
4 Gbps L7 Traffic
Multiple Product Modules
Dual core CPU
8 10/100/1000 + 2x 1GB SFP
1x 160 GB HD + 8GB CF
4 GB memory
SSL @ 10K TPS / 2 Gb bulk
1 Gbps max software compression
2 Gbps Traffic
1 Advanced Product Module
1 Gbps Traffic
1 Basic Product Module
Function / Performance
VIPRION
46
2008: Hardware Architectur (Single-Board-Design)
LCD-Panel
TMM:
Traffic Management Microkernel
HDD1
1/2
FIPS*:
Federal Information Processing
Standards
Hardware
Compression
Card*
* Depends on platform (optional)
SSL
RAM
SSL*
CPU
CPU*
CPU*
TMM
(Layer4-7)
Mgmt
Failover
Serial
AOM
Powersupply
Powersupply*
CFlash*
CPU
AOM:
Always On Module
(SCCP in former Versions)
BCM:
Broadcom Asic
HDD2*
1/2
BCM (Layer 2)
x*10/100/1000Base-T 10GbEth*
Copper/SFP-GBIC
47
High-Performance Application Switches
BIG-IP 8900
Consolidate with Purpose-built
Hardware
Designed specifically for application
delivery
BIG-IP 6900
Integrated platform for security,
acceleration, availability
Offload Application Servers
BIG-IP 3900
High performance hardware SSL and
compression offload
Advanced connection management
Reduce Operating Costs
Simplified management with USB, front
panel management, remote boot, and more
BIG-IP 1600 - 3600
Increased uptime with hot swappable and
redundant components
48
BIG-IP 1600
High performance meets high value
High Performance
– Dual-core CPU provides 1 Gb/s of L7 throughput
Reliable and Adaptable
– Options for dual power and DC power
– Front-to-back cooling
Basic security and acceleration options
– Protocol Security Module
– 1 Gb/s compression and SSL throughput
49
BIG-IP 3600
Integrated ADC in a 1U platform
Advanced security and acceleration options
– WebAccelerator option
– Application Security Module option
High Performance
– Dual-core CPU provides 2 Gb/s of L7 throughput
Reliable and Adaptable
– Options for dual power and DC power
– Front-to-back cooling
50
BIG-IP 3900
Integrated ADC in a 1U platform
Advanced security and acceleration options
– WebAccelerator and Application Security Module can run simultaneously
High Performance
– Quad-core CPU provides 4 Gb/s of L7 throughput
Reliable and Adaptable
– 4 SFP slots
– Options for dual power and DC power
– Front-to-back cooling
51
BIG-IP 6900
Consolidation and Integration
High Performance for Consolidation
– Dual CPU, Dual Core for 6 Gb/s of L7 throughput
– Hardware SSL and Compression offload
Multi-module Integration
– Run multiple modules and unify application delivery functions onto a
single device
Reliable and Adaptable
– Dual power supplies and dual hard drives standard
– Front-to-back cooling
52
BIG-IP 8900
The Foundation of a Unified ADN
High Performance for Consolidation
– Dual CPU, Quad Core for 12 Gb/s of L7 throughput
– Hardware SSL and compression offload
10G Ports for Next-gen Data Centers
– Two 10G SFP ports in addition to 1G copper and fiber connections
Reliable and Adaptable
– Dual power supplies and dual hard drives standard
– Front-to-back cooling
53
Platform Performance
BIG-IP
1600
Max. throughput
BIG-IP 3600 BIG-IP 3900 BIG-IP 6900 BIG-IP 8900
1 Gbps
2 Gbps
4 Gbps
6 Gbps
12 Gbps
60,000
115,000
175,000
220,000
400,000
100,000
135,000
400,000
600,000
1,200,000
Max. conc. conn.
4 Million
4 Million
8 Million
8 Million
16 Million
Max. SSL TPS
5,000
10,000
15,000
25,000
58,000
Max. SSL Bulk
1 Gbps
1.5 Gbps
3.8 Gbps
4 Gbps
9.6 Gbps
Max. SSL conc. conn.
1 Million
1 Million
1 Million
2 Million
4 Million
Max. compression
1 Gbps
1 Gbps
3.8 Gbps
5 Gbps
9.6 Gbps
Switch backplane
14 Gbps
24 Gbps
34 Gbps
68 Gbps
112 Gbps
Layer 4
New Connections / sec
Layer 7
Requests / sec (inf-inf)
54
CMP Super-VIP
Servers
TMM0
TMM1
Network
TMM2
switch
TMM3
switch
Multitasking means screwing up several tasks at the same time.
55
The World’s Only
On Demand ADC
56
VIPRION – On Demand ADC
Add application intelligence without adding
management cost
Market-leading performance
Ultimate redundancy
TMOS inside
57
Viprion Overview
Unmatched Performance
– Massive scalability
– Processing architecture common with 8800
Intelligent clustering
– SuperVIP (Virtuals can seamlessly span blades)
– N+M redundancy for all features in cluster
High Availability
– Automatic failover within cluster
– Chassis-to-chassis redundancy
Full Modular Chassis
– 4 blade slots w/1 blade type
– 1 blade type
– Any blade can be chassis master
Common central management console
– Single point of Management
– Same user interface as BIG-IP appliances
58
On Demand – Zero
Reconfiguration
Virtual
Machines
Servers
Physical Server
Servers
Automatic addition of power
No need to overprovision
Fixed and predictable OpEx
Virtual
Machines
Physical Server
Servers
59
Ultimate Reliability
Multi-Level Redundancy
Internal blade to blade failover
External chassis to chassis
Hot swappable power supplies
Hot swappable fan trays
Hot swappable LCD display
Passive, redundant backplane
Integrated Lights Out mgmt
60
Ultimate Reliability
Client
Multi-Level Redundancy
Blade failure will not cause chassis failure
Redundant and hot swappable components
Always Available
Server
61
Traditional ADC Scaling
WWW.
DNS
DNS
WWW1.
Server Farm A
WWW2.
WWW3.
Server Farm B
WWW4.
Server Farm C
GSLB Within the Datacenter
Each addition requires
DNS changes
Physical reconfigurations
Routing changes
ADC reconfiguration
Server Farm D
62
Clustered Multi Processing Scales
Performance
TMOS
8x
4x
SMP
2x
Single
Processor
Time
63
Virtual Processing Fabric
Clustered Multi Processing
Custom Disaggregator ASICs
High Speed Bridge
Processing Complex
DAG
TMM 1
TMM n
…
…
…
Client
DAG
TMM 0
Server
64
The SuperVIP
WWW.
Pool
Virtualization:
“Separating the physical characteristics of computing
resources from the systems, applications or end users
interacting with those resources”.
With a SuperVIP, a single virtual server may be
processed by all computing resources of the VIPRION.
65
Market Leading Performance
L7 Fast HTTP Inf/Inf
L7 Full Proxy Inf/Inf
SSL TPS
SSL Gbps
L4 Conn/s (1-1)
Compression
L4 Throughput
L7 Throughput
Single Blade
4 Blade System
800,000 Rps
300,000 Rps
50,000
9 Gbps
250,000 cps
4.5 Gbps
10 Gbps
10 Gbps
3,200,000 Rps
1,200,000 Rps
200,000
36 Gbps
1,000,000 cps
16 Gbps
36 Gbps
36 Gbps
66
More detailed measures
67
Avoid Management Nightmare
TMOS
+ Security
+ Accel
+ iRules
+ iControl
VIPRION
200,000 SSL TPS
12,000 SSL TPS per blade
= 16 Blades
68
Avoid Growing Pains
TMOS
+ Security
+ Accel
+ iRules
+ iControl
VIPRION
3,200,000 Layer 7 Requests/Sec
76,000 L7 RPS
= 42 Blades
69
VIPRION Management
70
Management
continued
71
Management
72
iRules
and
iControl
73
Complete Control and Flexibility
iRules
iControl
Total Application Control
Complete payload inspection and transformation
Open API and SDK to integrate with infrastructure
64% of BIG-IP users said that they can respond more quickly
to changing business needs after deploying F5 BIG-IP.
Source: TechValidate Survey of F5 BIG-IP Users
74
A Better Architecture with iRules
Large financial saves over $200k a year
with simple iRule
Primary Data Center
www.web.com
BIG-IP
sports.web.com
webpromo.com
iRules
with Class Lists
web.com
sports.web.com
webpromo.com
Web Servers
iRule uses lookup table to match domains to location
Simple text file to manage
Eliminates need for 3rd party proxies, saving $200k/year
75
What are iRules?
Programming language integrated into TMOS
Traffic Management Operating System
Based on industry standard TCL language
Tool Command Language
Provide ability to intercept, inspect, transform,
direct and track inbound or outbound
application traffic
Core of the F5 “secret sauce” and key
differentiator
76
How do iRules Work?
• iRules allow you to perform deep packet inspection (entire header and payload)
• Coded around Events
(HTTP_REQUEST, HTTP_RESPONSE, CLIENT_ACCEPTED etc.)
• Full scripting language allows for extremely granular control of inspection,
alteration and delivery on a packet by packet basis
Requests
iRule Triggered
HTTP Events Fire
(HTTP_REQUEST,
HTTP_RESPONSE, etc.)
Modified Responses*
*Note: BIG-IP’s Bi-Directional Proxy capabilities allow it to
inspect, modify and route traffic at nearly any point in the
traffice flow, regardless of direction.
77
The Better Alternative Example
Centralized Availability, Security & Acceleration
Centralized Transaction Assurance: Proactive Response
Error Handling for Higher Availability
rule redirect_error_code {
when HTTP_REQUEST {
set my_uri [HTTP::uri]
}
when HTTP_RESPONSE {
if { [HTTP::status] == 500 } {
HTTP::redirect http://192.168.33.131$my_uri
}
Centralized Data Protection: Rewrite, Remove, Block and or
Log Sensitive Content
rule protect_content {
when HTTP_RESPONSE_DATA {
set payload [HTTP::payload [HTTP::payload
length]]
#
# Find and replace SSN numbers.
#
regsub -all {\d{3}-\d{2}-\d{4}} $payload "xxx-xxxxxx" new_response
#
# Replace only if necessary.
#
A Repeatable, Extensible, Flexible Architecture
Host to URI mapping: Faster Access to Data through Automatic Redirection
when HTTP_REQUEST {
# www.A.com -- domain == A.com, company == A
regexp {\.([\w]+)\.com} [HTTP::host] domain company
If { "" ne $company } {
# look for the second string in the data group
set mapping [findclass $company $::valid_company_mappings " "]
if { "" ne $mapping } {
HTTP::redirect "http://www.my_vs.com/$mapping"
}
}
}
if {$new_response != 0} {
HTTP::payload replace 0 [HTTP::payload
length] $new_response
}
}
78
Solution: Server Resource Cloaking
Description
To protect from web server signatures exposing from potential security holes to hackers,
iRules are used to remove or “cloak” visible web server signatures
HOW IT WORKS
1. Client requests information
from an application and is
routed through BIG-IP
5
rule when HTTP_RESPONSE {
#
# Remove all but the given headers.
#
HTTP::header sanitize “ETag” “Connection” “ContentTYPE”
}
2. BIG-IP directs request to
best performing web server
3. Web server provides
application response BUT all
responses – by default –
include information that
indicates the type of server
responding
4. BIG-IP looks at traffic and
determines it must call the
iRule for “Resource Cloaking”
5. iRule runs, removing
Apache references, and send
request on to client
6. Client only sees “sanitized”
response.
iRule! Remove Apache v 2.0.49 Reference
2
4
1
HTTP Request
HTTP Response
6
3
Response from
Apache Web Server
includes server
signatures
79
What can an iRule do?
Read, transform, replace header or payload information
(HTTP, TCP, SIP, etc.)
Work with any protocol, such as SIP, RTSP, XML, others,
whether with native (HTTP::cookie) or generic (TCP::payload)
commands
Make adjustments to TCP behavior, such as MSS, checking
the RTT, deep payload inspection
Authentication assistance, offload, inspection and more for
LDAP, RADIUS, etc.
Caching, compression, profile selection, rate shaping and
much, much more
80
iRule Event Taxonomy
AUTH
AUTH_ERROR
AUTH_FAILURE
AUTH_RESULT
AUTH_SUCCESS
AUTH_WANTCREDENTIAL
CACHE
CACHE
CACHE_REQUEST
CACHE_RESPONSE
CLIENTSSL
CLIENTSSL
GLOBAL
GLOBAL
LB_FAILED
LB_SELECTED
RULE_INIT
HTTP
HTTP
HTTP_CLASS_FAILED
HTTP_CLASS_SELECTED
HTTP_REQUEST
HTTP_REQUEST_DATA
HTTP_REQUEST_SEND
HTTP_RESPONSE
HTTP_RESPONSE_CONTINUE
HTTP_RESPONSE_DATA
IP
IP
DNS_REQUEST
DNS_RESPONSE
NAME_RESOLVED
CLIENT_LINE
SERVER_LINE
RTSP
RTSP
CLIENTSSL_CLIENTCERT
CLIENTSSL_HANDSHAKE
DNS
DNS
LINE
LINE
CLIENT_ACCEPTED
CLIENT_CLOSED
CLIENT_DATA
SERVER_CLOSED
SERVER_CONNECTED
SERVER_DATA
RTSP_REQUEST
RTSP_REQUEST_DATA
RTSP_RESPONSE
RTSP_RESPONSE_DATA
SIP
SIP
SIP_REQUEST
SIP_REQUEST_SEND
SIP_RESPONSE
SERVERSSL
SERVERSSL
TCP
TCP
CLIENT_ACCEPTED
CLIENT_CLOSED
CLIENT_DATA
SERVER_CLOSED
SERVER_CONNECTED
SERVER_DATA
USER_REQUEST
USER_RESPONSE
UDP
UDP
CLIENT_ACCEPTED
CLIENT_CLOSED
CLIENT_DATA
SERVER_CLOSED
SERVER_CONNECTED
SERVER_DATA
XML
XML
SERVERSSL_HANDSHAKE
STREAM
STREAM
STREAM_MATCHED
XML_BEGIN_DOCUMENT
XML_BEGIN_ELEMENT
XML_CDATA
XML_END_DOCUMENT
XML_END_ELEMENT
XML_EVENT
81
Solution: FIX Protocol Persistence
Challenges
• Business chooses
protocol required by
industry sector
• Implemention on serverside impossible in
enterprise HA scenario
Solution
• iRule provides centralized
mechanism for
intercept/inspect/route
• Solution can be deployed
in true HA/multi-server
(even data center) mode
• Clean code management
HOW IT WORKS
3
1. Client requests information from an
application and is routed through BIG-IP
iRule Query identifies FIX SenderComp ID
2. BIG-IP UIE inspects for specific
information identified
rule FIX_regexp {
when CLIENT_ACCEPTED {
TCP::collect
}
when CLIENT_DATA {
if { [regexp "\x0149=(.*)\x01" [TCP::payload] ->
SenderCompID] } {
persist uie $SenderCompID
TCP::release
} else {
TCP::collect
}
}
}
1
3. iRule runs and queries payload
(TCP::collect) for the specific identifier
needed (SenderCompID)
4. Based upon rule, client request is
persisted to a specific server dedicated
to that user
Pool A
2
HTTP Request
4
** Enhanced by community; see CodeShare
Pool B
82
What makes iRules so unique?
Full-fledged scripts, executed against traffic on
the network, at wire-speed
Powerful logical operations combined with deep
packet inspection
The ability to route, re-route, re-direct, retry, or
block traffic
Community support, tools and innovation
83
Solution: Credit Card Scrubber
Challenges
• Rapid feature
enhancements come at
expense of good security
practices
• Scanning on each server
doesn’t perform well
HOW IT WORKS
5
1. Client requests information from an
application and is routed through BIG-IP
Remove Valid Credit Card Numbers
when HTTP_REQUEST {
# Don't allow data to be chunked
if { [HTTP::version] eq "1.1" } {
if { [HTTP::header is_keepalive] } {
HTTP::header replace "Connection" "Keep-Alive"
}
HTTP::version "1.0"
}
}
2. BIG-IP directs request to best
performing web server
3. Web server provides application
response BUT iRule runs if it sees a
string of 16 digits
when HTTP_RESPONSE {
if { [HTTP::header exists "Content-Length"] } {
set content_length [HTTP::header "Content-Length"]
} else {
set content_length 4294967295
}
if { $content_length > 0 } {
HTTP::collect $content_length
}
}
when HTTP_RESPONSE_DATA {
# Find ALL the possible credit card numbers in one pass
set card_indices [regexp -all -inline -indices {(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} [HTTP::payload]]
4. iRule fires off MOD-10 algorithm to
determine if 16-digit string is a valid
credit card number; offending server IP
address logged and flagged
foreach card_idx $card_indices {
set card_start [lindex $card_idx 0]
set card_end [lindex $card_idx 1]
set card_len [expr {$card_end - $card_start + 1}]
set card_number [string range [HTTP::payload] $card_start $card_end]
set double [expr {$card_len & 1}]
set chksum 0
set isCard invalid
Solution
• iRule provides centralized
mechanism for protection
• High-performance at
network maintains high end
user satisfaction
• App teams focus on
1
features, network teams
focus on protection
6
# Calculate MOD10
for { set i 0 } { $i < $card_len } { incr i } {
set c [string index $card_number $i]
if {($i & 1) == $double} {
if {[incr c $c] >= 10} {incr c -9}
}
incr chksum $c
}
5. If a valid match, first 12-digits are
replaced with Xs
# Determine Card Type
switch [string index $card_number 0] {
3 { set type AmericanExpress }
4 { set type Visa }
5 { set type MasterCard }
6 { set type Discover }
default { set type Unknown }
}
6. Client only sees “sanitized” response.
# If valid card number, then mask out numbers with X's
if { ($chksum % 10) == 0 } {
set isCard valid
HTTP::payload replace $card_start $card_len [string repeat "X" $card_len]
}
# Log Results
log local0. "Found $isCard $type CC# $card_number"
}
}
2
4
HTTP Request
HTTP Response
3
Response from
application server
accidentally leaks
customer credit card
numbers in HTTP
response
** Created collaboratively within community
84
Solution: Anti-phishing
5
Challenges
• Attacks are directed at
users, not the servers
themselves
• No control of user actions
•Can’t force software install
Solution
• iRule allows for
prevention of the scraping
required to perform the
attack
•Preventative approach
keeps users safe without
need for their interaction
•Server load decreased
HOW IT WORKS
Prevent unwanted referrals of Content
1.
Define a list of valid referrers in
the form of a class. This is a list
of those sites that you expect to
be linking to content on your
site.
2.
Define a list (in the form of a
class) of file types that should
not be linked to, besides by the
referrers listed in item #1.
3.
Check to see if an invalid
referrer (not someone in class
#1) is trying to serve data from
your site and what kind of
content they shouldn’t be trying
to serve. If it matches the file
types in Class #2 (block it. If
not, insert some custom code to
help prevent phishing attempts.
lass valid_referers {
"http://mydomain.com"
"http://mydomain1.com"
"http://url1"
"http://url2"
"http://url3"
}
class file_types {
".gif"
".jpg"
".png"
".bmp"
".js"
".css"
".xsl"
}
rule no_phishing {
when HTTP_REQUEST {
# Don't allow data to be chunked.
if {[HTTP::version] == "1.1"} {
if {[HTTP::header is_keepalive]} {
# Adjust the Connection header.
HTTP::header replace "Connection" "Keep-Alive"
}
HTTP::version "1.0"
}
if { [matchclass [HTTP::header "Referer"] starts_with $::valid_referers] < 1 } {
if { ([string tolower [HTTP::method] ] eq "get") && ([matchclass [HTTP::uri] contains $::file_types] > 0 )} {
discard
} elseif { ([HTTP::header exists "Content-Type"]) && ([HTTP::header "Content-Type"] starts_with "text" ) } {
set respond 1
}
}
}
when HTTP_RESPONSE {
if { $respond == 1 } {
if { [HTTP::header exists "Content-Length"] } {
set content_len [HTTP::header "Content-Length"]
} else {
set content_len 4294967295
}
if { $content_len > 0 } {
HTTP::collect $content_len
}
}
}
when HTTP_RESPONSE_DATA {
set bypass [string first -nocase "<html>" [HTTP::payload] ]
if { $bypass != -1 } {
HTTP::payload replace $bypass 0 "<script
type=\"text/javascript\">\n if (top.frames.length!=0) {\n if
(window.location.href.replace)\n top.location.replace(self.location.href);\n
else\n top.location.href=self.document.href;\n }\n </script>\n"
} else {
HTTP::respond 500
}
}
}
1
HTTP Request
HTTP Response
6
2
4
3
Web servers feed
content to anyone
requesting it,
including people
who shouldn’t be
serving this cotent.
85
F5 iRule Editor
First network rule editor
optimizes development
Includes:
–
–
–
–
–
–
–
–
Syntax checking
Auto-complete
Template support
Doc Links
Deployment integration
Statistics monitoring
Data group editing
Optional post to
CodeShare feature
Available: Now
Pricing: Free Download
Tutorials: on DevCentral
86
Introducing iControl v9
Open API (SOAP/XML) allows applications to
automatically interact with the network
Integration with development tools from
Microsoft, BEA, and Oracle
Online community F5 DevCentral
– Developer assistance on F5 DevCentral via
developer forums (http://devcentral.f5.com)
– iRules forum and code examples
87
iControl Eases Application Integration
Leverage the skills and expertise you already have!
Key Components
Benefits
– XML/SOAP interface
– Open, standards based integration
– Downloadable SDK
– Simplified development
– Technology partnerships
– Proven integration
– DevCentral resource centre
and community
– Sample code, documentation,
discussion forums
88
Integration and Extensibility iControl Event API
Create Subscription
Administrator uses the
provided sample
application (or custom
application) to create Event
Subscriptions
Select Event Type
Choose a specific event to
track. Then, create the
Subscription name and
parameters.
Upon Event, message is
distributed via log, email, or
SMS to phone/PDA
Applications can subscribe to 47
different system events
Sample application
(screenshots) provided with SDK
Bulk method support – 100:1
reduction in call, 90% reduction in
bandwidth
89
iControl Application Migration to v9
Paste Code Into Analyser
Developer visits DevCentral,
accesses the Code Analyser,
select language, and report
format
Summary Report
Generated report identifies line
where conflicts exist, defines the
method affected, and enables
direct link to online versions of
4.x & v9 SDKs
Analyser free for use by all F5
DevCentral members
DevCentral Forum available for
posting migration questions
Additional sample and technical
tips will be available
90
DevCentral Technical Community
http://devcentral.f5.com/
Forum for F5 customers
for building iRules and
iControl applications
F5 provides technical
documentation, tips, free
sample downloads, and
a confidential discussion
forum
Monitored by F5
engineers and technical
experts that answer
technical questions
– Design, architecture,
troubleshooting and
general assistance
with iRules and
iControl
91
Link Collection
Overall
Technical
www.f5.com
www.f5.com
ask.f5.com
devcentral.f5.com
F5 University
www.f5university.com/
»
»
Login:
your email
Password: adv5tech
Partner Informaiotn
www.f5.com/partners
www.f5.com/training_services/certification/certFAQ.html
Gartner Report http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html
Important deployment information is available at
Data Center Virtualization
Application Traffic Management
Application Briefs
Solution Briefs
F5 Compression and Cache Test
F5 iControl Alliance Partners
F5 Technology Alliance Partners
http://www.f5.com/solutions/deployment/
http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
http://www.f5.com/solutions/applications/
http://www.f5.com/solutions/sb/
http://www.f5demo.com/compression/index.php
http://www.f5.com/solutions/partners/iControl/
http://www.f5.com/solutions/partners/tech/
Let us know if you need any clarification or you have any further questions.
92
Thank You