© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC. INTERNAL USE ONLY
Scott Sims, ssims@brocade.com
vADC Technical Presentation, June 2016
Brocade vADC Portfolio
The Brocade vADC Portfolio Overview
Services Director
• Elastic Services Director
• Unique Flexible Licensing System
• Flexible Footprint
• Automation and Visibility
Web App Firewall
• Application Aware Firewall
• Defends your applications against Layer-7 attacks
Web Accelerator
• Website Acceleration
• Reduces page load time and cuts bandwidth
Traffic Manager
• Load Balancer / Traffic Manager / ADC
• Provides reliability, security, availability, offload, scripting and more
Deployment Options
Pure Software
• 64-bit software binary
• Linux or Solaris
• Maximum flexibility for enterprise architects
Virtual Appliance
• Pre-packaged VA
• Range of hypervisors: VMware, Hyper-V, Oracle VM, etc.
• Hypervisor-specific features
Cloud Packaging
• Pre-packaged for leading cloud providers
• Closer integration with named CSPs and CSFs
• AMIs for Amazon, VHD for Azure
Bare-Metal Server Image
• ISO or PXE image to install directly onto Intel x86 servers
How It Works: Traffic Manager
[Diagram: client connections arrive at a public VIP on a virtual server; TrafficScript / Rule Builder request rules run, the request is load balanced over pool server connections to the web and application servers (with monitors watching each node), and response rules run before the response is returned to the client.]
Request Rules: SSL Decryption, Global Load Balancing, Service Protection, TCP Offload, Rate Shaping, Application Firewall
Load Balancing: Load Balancing, Session Persistence, Bandwidth Shaping, SSL Encryption, HTTP Multiplexing, Concurrency Control, Application Auto-Scaling
Response Rules: TCP Offload, HTTP Caching, Content Compression, Service Level Monitoring, Bandwidth Shaping, Web Accelerator, Application Firewall
Programmability Part 1: TrafficScript
• Full deep packet inspection of the request and response packets
• A scripting language that lets you manipulate your traffic as it passes through the Traffic Manager:
‒ Request Rules
‒ Response Rules
‒ Transaction Completion Rules
• Some common use cases:
‒ Enforce business logic 'on-the-wire'
‒ Work around common application problems
‒ Add business value
‒ Diagnose issues
TrafficScript: Translate URL after Web Site Update
$path = http.getPath();
if( string.startsWith( $path, "/products" ) ) {
   http.redirect( "/services.html" );
}
Example of a simple request rule: check the path of every request; if it starts with "/products", redirect to "/services.html". Note that a prefix match also catches paths such as "/productsearch"; match on "/products/" or on the exact path if that is not intended.
Rule Builder / TrafficScript
Syntax will be familiar to anyone who has used Perl, PHP, C, BASIC, etc.
TrafficScript Examples: Hide Web Server Errors When Transactions Fail
This is a response rule: it runs after the pool node has answered, and request.retry() re-sends the same request to another node.
# If the server responds with an HTTP 5xx error:
$code = http.getResponseCode();
if( $code >= 500 && $code != 503 ) {
   # Not retrying 503s here, because they get retried
   # automatically before response rules are run
   if( request.getRetries() < 3 ) {
      # Avoid the current node when we retry, if possible:
      request.avoidNode( connection.getNode() );
      # Record a log event for the failure:
      log.warn( "Request " . http.getPath() . " to site " . http.getHostHeader()
              . " from " . request.getRemoteAddr() . " caused error "
              . http.getResponseCode() . " on node " . connection.getNode() );
      # Then we can retry the request, and the user is none the wiser! ;^)
      request.retry();
   }
}
Caveat: a retry replays the whole request. For a non-idempotent request (a POST that has already changed state on the node before it failed) that can duplicate a transaction, so restrict rules like this to methods and paths that are safe to replay.
TrafficScript: Watermark PDF Files
[Slide: example of a TrafficScript rule invoking a custom Java program]
iRule vs TrafficScript
iRules = Time consuming and complicated
TrafficScript = Quick and easy (and just as powerful)
Scale up & Scale Out: Done Right
Clustering
[Diagram: throughput growing from 1 Gbps to 2 Gbps to 10 Gbps+]
• Scale up: single device, allocate more capacity
• Scale out: many devices, linear scaling
• Single or multi-tenant
• Single or multiple physical boxes
• Single or multiple clouds
N+M Clustering (Traffic IP Group Basics)
• A Traffic IP (TIP) group is a "listener" for incoming traffic to be load balanced
• TIP groups can have one or more Traffic IP addresses
• TIP groups can live on one or multiple Traffic Managers
[Diagram: three TIP groups, each holding several TIPs, spread across the cluster's Traffic Managers]
Web Accelerator
• Automates web performance best practices
• Increases innovation capacity and speed
• Improves web performance, reduces bandwidth costs, boosts SEO & sales
Automate Web Performance Best Practices
Compress
• JavaScript & stylesheet shrinking
• Image resampling
• Metadata removal
• Dynamic gzip/deflate compression
Dynamic Layout
• JavaScript/stylesheet re-ordering
• Removal of missing and duplicate content
• Browser-aware optimizations (desktop, mobile and legacy browsers)
Cache
• On-proxy resource caching
• Dynamic page caching
• Aggressive browser caching
• Auto URL versioning
Combine
• Merge stylesheets
• Image spriting
• Background image inlining
Automates web performance best practices, so you can focus on strategic development & content
Web Application Firewall
• Out-of-the-box OWASP Top Ten protection
• Configuration wizards, learning mode with suggested rules
• Granular custom rules
• Application security in the cloud
WAF vs IPS vs NGFW
[Slide: comparison chart]
Open Web Application Security Project: Most Common Application Layer Attacks
OWASP Top 10
[Slide: the OWASP Top 10 list]
Brocade Web Application Firewall
A scalable, application-aware Layer 7 security solution, offering the highest protection and performance in web and cloud application security. The vWAF identifies and stops attacks that would typically be missed by a network firewall, protecting valuable data. Web Application Firewalls allow customers to mitigate web application security threats in a scalable manner.
1. Enforcer: lightweight agent for data inspection
2. Decider: decides the action based on the current security policy for each application
3. Admin Console: central web-based admin console to create and maintain rule sets
[Diagram: users and a hacker reach the server farm through the vWAF]
Application Firewall – Integrated
Scale out the CPU cores and RAM on the integrated Traffic Manager
• Integrated WAF: Enforcers, Decider & Admin on a single vTM instance in front of the web servers
• Scale out by adding vTM instances
Application Firewall – Distributed
Any number or combination of Enforcers, Deciders and Admins is possible
• Separate tiers: Admin servers, Decider servers, and web servers with Enforcers
Dual Mode Protection
Technical Aspects
• Simultaneous dual-mode protection: enforcement and detection-only rulesets
• Integration with third-party vulnerability scanning tools
• Fine-grained protection policies per application
Business Benefits
• Allows iterative security policy changes without risk of false positives or relaxed defenses
• Allows virtual patching of known vulnerabilities
• Tune shielding to individual risk profile
[Diagram: the same web, app and DB tiers under the two modes: Detect (alert / log) and Protect (alert / log, block)]
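The detect/protect split on the slide, run over constructed requests, as an added example. This is a model of the idea, not vWAF's engine or rule syntax: the rule names, the regular expressions, the known-good baseline and the sample requests are all made up for the illustration. It shows the workflow the business-benefit bullets describe: a new rule is watched in detect mode, and is promoted to enforcement only once it is seen to fire on none of a known-good traffic sample.

```python
"""Model of the dual-mode idea on the slide: an enforcement ruleset and a
detection-only ruleset inspect the same requests at the same time. Added
illustration, not vWAF's engine or its rule syntax; rule names, patterns,
the known-good baseline and the sample requests are all constructed."""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str
    mode: str    # "detect": alert/log only; "protect": alert/log and block

    def matches(self, request):
        # Decode once before matching, which is what a typical server does
        # with the request line: "..%2f" must not slip past a pattern written
        # for "../". A WAF has to normalise the same way its backend does,
        # or the two disagree about what the request actually is.
        text = unquote_plus(" ".join(
            [request["path"], request.get("query", ""), request.get("body", "")]))
        return re.search(self.pattern, text, re.IGNORECASE) is not None


@dataclass
class Verdict:
    blocked: bool
    alerts: list


def evaluate(request, rules):
    """Every rule runs; a hit is always logged, and only protect-mode hits
    block. That is what lets a new rule be watched in production first."""
    alerts, blocked = [], False
    for rule in rules:
        if rule.matches(request):
            alerts.append(f"{rule.mode}:{rule.name}")
            blocked = blocked or rule.mode == "protect"
    return Verdict(blocked, alerts)


def safe_to_promote(rule, known_good):
    """A detect rule may become enforcing only if it fired on no request of
    the known-good baseline: that is the false-positive check the slide's
    'iterative policy changes without risk' depends on."""
    return not any(rule.matches(r) for r in known_good)


def promote(rules, name, known_good):
    """Return a new policy with `name` switched to protect if it is safe."""
    return [Rule(r.name, r.pattern, "protect")
            if r.name == name and r.mode == "detect" and safe_to_promote(r, known_good)
            else r for r in rules]


# Constructed policy: one virtual patch already enforcing, two candidate
# SQL-injection rules still being watched.
POLICY = [
    Rule("path-traversal-vpatch", r"\.\./", "protect"),
    Rule("sqli-broad", r"'", "detect"),
    Rule("sqli-tautology", r"'\s*or\s+\d+\s*=\s*\d+", "detect"),
]

# Constructed known-good baseline, e.g. a day of traffic confirmed clean.
KNOWN_GOOD = [
    {"path": "/search", "query": "q=o'reilly"},
    {"path": "/products/42"},
]


if __name__ == "__main__":
    print(evaluate({"path": "/static/..%2f..%2fetc/passwd"}, POLICY))
    print(evaluate({"path": "/login", "query": "user=admin'+OR+1%3D1--"}, POLICY))
    tuned = promote(promote(POLICY, "sqli-broad", KNOWN_GOOD),
                    "sqli-tautology", KNOWN_GOOD)
    print([(r.name, r.mode) for r in tuned])   # sqli-broad stays in detect
```

The broad rule (any apostrophe) trips on the legitimate "o'reilly" search in the baseline, so it stays in detect mode while the narrower tautology rule is promoted; the traversal virtual patch blocks immediately because it was deployed enforcing. The same pattern applies to rules suggested by a learning mode or imported from a scanner: watch first, measure against known-good traffic, then enforce.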
Web Application Firewall
Management
• Reporting
• Real-time statistics
• Logging
Security
• Proactive security features
• Meet PCI DSS compliance requirements
• OWASP Top Ten
Aggregate data
• Aggregate SNMP, alerts and logs
• Automated learning and ruleset recommendations
App-level security
• Secure session management, cookie protection, URL encryption, and form field protection
• Bidirectional HTTP inspection
PCI DSS Details
• React appropriately to threats against relevant vulnerabilities as identified in the OWASP Top Ten
• Enforce both positive and negative security models (whitelists / blacklists)
• Inspect both web page content and the underlying protocols that deliver content
• Support SSL termination so that encrypted transmissions are decrypted before being inspected by the WAF
Brocade Services Director
• Automates the deployment, licensing, provisioning & metering of ADC services
• Old world = static licenses: over-provisioned / under-utilized, difficult to manage, inflexible, expensive
• New world = flexible licensing: right-sized, easily allocated / re-allocated, flexible, cost-effective
Services Director Licensing
Unique Flexible Licensing System
• Capacity is purchased in 2 Gb/s or 5 Gb/s blocks
• An unrestricted number of vTMs can be licensed, each with a minimum of 1 Mb/s
• Capacity can be moved around: allocating draws from the bucket, de-allocating returns to the bucket
[Diagram: an Enterprise base pack (10 Gbps), a Standard base pack (10 Gbps) and a WAF add-on (5 Gbps) as buckets, with three vTMs (vtm150, vtm151, vtm152) drawing 3 Gbps STD, 3 Gbps ENT + WAF and 2 Gbps STD + WAF from them]
Enterprise Capacity Management
• Unique usage-based licensing model
• Dynamic resource and capacity allocation for changing workload
• Drill down to usage reports and export billing data for chargeback
Programmability Part 2: Orchestration
• Orchestration is easy:
‒ Full VMware guest customization support
‒ cloud-init for AWS, Azure and OpenStack
‒ Software form factor means Puppet and Chef just work
• Configuration is easy:
‒ REST/SOAP API
• Autoscale supported natively on AWS, Rackspace and VMware vCenter
‒ Third-party extensible with PS
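What the REST API bullet points at, as an added example that ties together three things the deck describes separately: a pool of web nodes, the Traffic IP group that is the floating listener of the N+M clustering slide, and a virtual server that runs a TrafficScript request rule. This is not Brocade's code. The resource paths, property names and API version are taken from the vTM REST API as the author remembers it (base https://host:9070/api/tm/<version>/config/active/, JSON bodies wrapped in "properties"/"basic", rules uploaded as raw text); confirm them against the REST API guide for your release. The rule text, host names, addresses and credentials are constructed.

```python
"""Deploy a load-balanced service on a vTM cluster through its REST API.
Added example, not Brocade's code. Resource paths, property names and the
API version are from the vTM REST API as the author remembers it
(https://host:9070/api/tm/<version>/config/active/, bodies wrapped in
"properties"/"basic"); check them against the API guide for your release."""
import base64
import json
import ssl
import urllib.request

# Constructed TrafficScript request rule: refuse path-traversal attempts
# before they are load balanced. Rules are uploaded as raw text, not JSON.
BLOCK_TRAVERSAL_RULE = """\
$url = http.getRawURL();
if( string.contains( $url, ".." ) ) {
   log.warn( "traversal attempt from " . request.getRemoteIP() . ": " . $url );
   http.sendResponse( "403 Forbidden", "text/plain", "Forbidden\\n", "" );
}
"""


def pool(nodes, monitor="Simple HTTP"):
    """Pool body; nodes are "host:port" strings, all active with equal weight."""
    return {"properties": {"basic": {
        "nodes_table": [{"node": n, "state": "active", "weight": 1} for n in nodes],
        "monitors": [monitor]}}}


def traffic_ip_group(addresses, machines, mode="singlehosted"):
    """TIP group: the addresses clients connect to and the cluster members
    allowed to raise them. singlehosted keeps each IP on one member at a
    time and moves it when that member fails (the N+M case); multihosted
    shares every IP across all listed members."""
    if not addresses or not machines:
        raise ValueError("a TIP group needs at least one address and one machine")
    return {"properties": {"basic": {
        "ipaddresses": list(addresses), "machines": list(machines),
        "mode": mode, "enabled": True, "keeptogether": False}}}


def virtual_server(port, pool_name, tip_groups, request_rules=(), response_rules=()):
    """Bound to its TIP groups only: listen_on_any=False keeps the service
    off the management address, which must never carry client traffic."""
    return {"properties": {"basic": {
        "port": port, "protocol": "http", "pool": pool_name, "enabled": True,
        "listen_on_any": False, "listen_on_traffic_ips": list(tip_groups),
        "request_rules": list(request_rules),
        "response_rules": list(response_rules)}}}


def deployment_plan(nodes, tip_addresses, machines):
    """PUTs in dependency order: rule, pool and TIP group exist before the
    virtual server that references them, so each call validates cleanly."""
    return [
        ("rules/block-traversal", BLOCK_TRAVERSAL_RULE, "application/octet-stream"),
        ("pools/web-pool", pool(nodes), "application/json"),
        ("traffic_ip_groups/web-tips", traffic_ip_group(tip_addresses, machines),
         "application/json"),
        ("virtual_servers/web",
         virtual_server(80, "web-pool", ["web-tips"], request_rules=["block-traversal"]),
         "application/json"),
    ]


class VtmAdmin:
    """Minimal client. Credentials travel in a Basic header, so the TLS
    certificate of the admin port is verified against cafile rather than
    ignored: export the vTM's self-signed admin cert or its issuing CA."""

    def __init__(self, host, user, password, cafile, api_version="3.8", port=9070):
        self.base = f"https://{host}:{port}/api/tm/{api_version}/config/active/"
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + cred}
        self.ctx = ssl.create_default_context(cafile=cafile)

    def put(self, path, body, content_type):
        data = body.encode() if isinstance(body, str) else json.dumps(body).encode()
        req = urllib.request.Request(self.base + path, data=data, method="PUT",
                                     headers={**self.headers, "Content-Type": content_type})
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.status, resp.read()


def apply(admin, plan):
    """Push every object; stop at the first failure rather than leave a
    half-configured but enabled virtual server on the cluster."""
    for path, body, ctype in plan:
        status, _ = admin.put(path, body, ctype)
        if status not in (200, 201):
            raise RuntimeError(f"PUT {path} returned HTTP {status}")


if __name__ == "__main__":
    # Dry run: print what would be sent. To push for real:
    # apply(VtmAdmin("vtm1.example.net", "admin", "secret", "vtm-admin-ca.pem"), plan)
    plan = deployment_plan(["10.0.0.11:8080", "10.0.0.12:8080"], ["192.0.2.10"], ["vtm1", "vtm2"])
    for path, body, ctype in plan:
        print(path, ctype, body if isinstance(body, str) else json.dumps(body))
```

Because a PUT to the same path replaces the object, the plan is idempotent and can be re-run from Puppet, Chef or a CI job; the admin credential should be a dedicated API user with rights limited to the objects it manages, not the cluster's admin account.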
vRealize Orchestrator Plugin
• Brocade plugin comes with 22 workflows to configure vTM.
• Works in conjunction with vCenter plugins that can orchestrate VMs
• Automation of these workflows through vCAC.
• Complex workflows possible by combination of workflows.
Cloud Footprint
All the rest can run Linux, so we can get in there too!
vTM deployments are on more virtual and cloud platforms than any other application delivery controller.
Deploy your own Content Delivery Network (CDN)
Content Delivery Cloud
© 2014 Riverbed Technology. All rights reserved.
How Does a CDN Work?
Without a CDN:
1. User requests www.example.com
2. Connectivity established through multiple hops back to the application
3. All communication follows the same path
CDN optimized:
1. User requests www.example.com
2. Application directs user to receive select content from the closest location
3. Dynamic communication still goes back to the origin location
[Diagram: the origin's web, app and DB tiers, with the numbered request paths for both cases]
How does the Content Delivery Cloud solution work?
1. The user requests www.example.com and Traffic Manager directs the user to the best location. Content available locally is served directly to the user.
2. For dynamic requests, Traffic Manager proxies connectivity back to the application over optimized connections, and client connections are established through a single Traffic Manager.
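Step 1 above, "direct the user to the best location", is a global load balancing decision. The following is an added illustration of that decision, not vTM's Global Load Balancing implementation: it hands a client the nearest site whose monitor reports healthy and falls back to the origin datacenter when no edge is up. The site table, the client coordinates and the health results are constructed for the example.

```python
"""Nearest-healthy-site answer for a GLB name such as www.example.com.
Added illustration of the slide's step 1, not vTM's GLB implementation;
the site table, client coordinates and health results are constructed."""
import math

# Constructed site table: name -> (latitude, longitude, traffic IP)
SITES = {
    "dc-london":      (51.5,  -0.1, "192.0.2.10"),
    "edge-frankfurt": (50.1,   8.7, "198.51.100.10"),
    "edge-singapore": ( 1.3, 103.8, "203.0.113.10"),
}
ORIGIN = "dc-london"   # dynamic requests are proxied back here in any case


def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def choose_site(client_latlon, healthy):
    """Nearest site whose service monitor currently reports healthy.
    A site missing from the health report counts as down; the origin is
    the answer of last resort even when nothing reports healthy."""
    up = [s for s in SITES if healthy.get(s, False)]
    if not up:
        return ORIGIN
    return min(up, key=lambda s: distance_km(client_latlon, SITES[s][:2]))


def dns_answer(client_latlon, healthy, ttl=30):
    """The A record handed back for www.example.com. A short TTL bounds how
    long resolvers keep steering clients to a site after it has failed."""
    site = choose_site(client_latlon, healthy)
    return {"site": site, "ip": SITES[site][2], "ttl": ttl}


if __name__ == "__main__":
    all_up = {s: True for s in SITES}
    print(dns_answer((47.4, 8.5), all_up))       # Zurich -> edge-frankfurt
    print(dns_answer((3.1, 101.7), all_up))      # Kuala Lumpur -> edge-singapore
    print(dns_answer((3.1, 101.7), {**all_up, "edge-singapore": False}))
    print(dns_answer((3.1, 101.7), {}))          # everything down -> origin
```

Two practical limits apply to any DNS-steered design like this: the location the load balancer sees is the client's resolver, not the client, unless EDNS Client Subnet is available; and a client already holding a cached answer keeps using a failed site until the TTL expires, which is why the edge vTM must itself be able to proxy to the origin rather than rely on DNS alone.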
vTM in the cloud: web cache and global load balancing of requests
vTM at the datacenter: reliability, protection, control, performance
[Diagram: client requests steered to the nearest cloud vTM, with dynamic traffic proxied back to the datacenter's web, app and DB tiers]
Traffic Manager Advantage vs CDN Only
Value: flexibility, throughput, adaptive (public / private / hybrid) consumption, dynamic compute
Performance: optimizations, connections, protocols, deploy everywhere
Security: control, layers, resiliency, encryption
Control: flexibility, programmability, simplified development and deployment time
vRouter
Brocade Vyatta 5600 vRouter
The highest performing virtual router in the world
• New architecture:
‒ vPlane architecture
‒ Up to 10 Gbps per core on bare metal
‒ 10 Gbps+ on a VM with SR-IOV or PCI pass-through
• Target use case: NFV
‒ High-scalability services: vRR, vRS
‒ High-performance routing, firewall, NAT, etc.
• VMware, KVM, Hyper-V, bare metal
Feature Highlights
Routing: IPv4, IPv6, static, PBR, OSPF, RIP, BGP, multicast
Security: IPv4, IPv6, stateful firewall, NAT
VPN: IPsec, SSL, route-based, L2 bridging, DMVPN
System Management: CLI, RESTful API, GUI
IP Services: SSH, DHCP, DNS, SNMP
High Availability: VRRP, stateful failover, config sync
Platforms: VMware, KVM, x86, Hyper-V
Vyatta 5600 vRouter Architecture: Intel DPDK
[Diagram: packets flow through a DPDK packet pipeline spread across cores 0 to 7, with VMs attached to the pipeline]
5600 Deployment Models
Deployment models and their relation to the vSwitch
[Diagram: three models on x86 hosts: bare-metal deployment (the vRouter owns the NICs directly); virtualized deployment (a vRouter VM behind the hypervisor's vSwitch, alongside other VMs such as a vTM VM); and virtual deployment with DPDK and SR-IOV / PCI pass-through (the vRouter VM attached to the NIC through a vNIC, bypassing the vSwitch)]
Software / Virtual Machines
Software environment, Traffic Manager:
• Linux x86_64: kernel 2.6.18 - 3.19 (2.6.22+ for IPv6), glibc 2.5+
• Solaris 10 (x86_64)
Virtual appliances:
• VMware vSphere 5.0, 5.1, 5.5, 6.0
• XenServer 6.1, 6.2, 6.5
• Oracle VM for x86 2.1, 2.2, 3.2, 3.3
• Microsoft Hyper-V Server 2012 & 2012 R2
• Microsoft Hyper-V under Windows Server 2012 & 2012 R2
• QEMU/KVM (RHEL/CentOS 6.x, 7.x; Ubuntu 12.04, 14.04)
Cloud:
• Amazon EC2: as a virtual appliance or native software install
• Microsoft Azure: as a virtual appliance
Sizing: CPU 2-4 vCPU; memory 2 GB, 4 GB with Web Accelerator; disk space minimum 1 GB, minimum for a virtual appliance install 16 GB
Platform Availability
Brocade Virtual Traffic Manager Functionality
[Slide: functionality table]
Brocade Virtual Traffic Manager Specifications
[Slide: specification table]
Why Brocade vADC?
• Programmability
• Scale up & scale out: done right
• Better for virtual & cloud
• Breakthrough licensing model
• Best cloud footprint
Questions?
Thank you
Global Load Balancing Overview