Application centric Datacenter Management

Ralf Brünig, F5 Networks GmbH

Field Systems Engineer

March 2014


© F5 Networks, Inc 2

Index

• Application Delivery Controller (ADC)

• Proxy

• ADC Advanced Features

• Application Management

• Optional: Reference Architectures

Application Delivery Controller (ADC): the central point of control

Network Loadbalancer

[Diagram: clients on the Internet, load balancer, three servers]

Spread load over several servers

• Static or dynamic load balancing algorithm (e.g. round robin vs. least connections)

• Session persistence: a client's requests keep going to the same server

Network Loadbalancer

[Diagram: clients on the Internet, load balancer, three servers; one server in maintenance mode, one marked down by its monitor]

Maintenance

• Set a server into maintenance mode

• Existing sessions can be allowed to finish on that server or be moved to a different server

Availability

• Monitoring of the server pool

• Take servers that are not available out of load balancing
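The two slides above describe three behaviours that interact: member selection by a static or dynamic algorithm, a health monitor marking members down, and an administrative maintenance mode that drains a member while persisted sessions may finish. The following is an added example, not code from the deck or from F5, of a minimal pool that shows how those states combine; the member names, weights and the session keys are constructed.

```python
"""Added example (not part of the F5 deck): a minimal load-balancer pool showing
dynamic member selection, health-monitor state, and maintenance mode with
session persistence. Member names, weights and session keys are constructed."""
from dataclasses import dataclass
from itertools import count
from typing import Optional

@dataclass
class Member:
    name: str
    weight: int = 1
    monitor_up: bool = True        # result of the last health check
    maintenance: bool = False      # admin "disabled": drain, let existing sessions finish
    forced_offline: bool = False   # admin "forced offline": reject even persisted sessions
    active_conns: int = 0

    def accepts_new(self) -> bool:
        return self.monitor_up and not self.maintenance and not self.forced_offline

    def accepts_persisted(self) -> bool:
        # A member in maintenance may finish existing sessions; a member that the
        # monitor marked down or that was forced offline may not.
        return self.monitor_up and not self.forced_offline


class Pool:
    def __init__(self, members, algorithm="least_connections"):
        self.members = {m.name: m for m in members}
        self.algorithm = algorithm
        self.persistence = {}      # session key -> member name
        self._rr = count()

    def _pick(self) -> Optional[Member]:
        cands = [m for m in self.members.values() if m.accepts_new()]
        if not cands:
            return None
        if self.algorithm == "round_robin":          # static: rotate through eligible members
            return cands[next(self._rr) % len(cands)]
        return min(cands, key=lambda m: m.active_conns / m.weight)   # dynamic: least connections per weight

    def select(self, session_key: str) -> Optional[str]:
        """Member for this session, honouring persistence; None if no member can take it
        (the ADC would then fail the request or use a fallback host)."""
        name = self.persistence.get(session_key)
        if name is not None:
            if self.members[name].accepts_persisted():
                return name
            del self.persistence[session_key]       # persisted member is gone: re-balance
        m = self._pick()
        if m is None:
            return None
        m.active_conns += 1
        self.persistence[session_key] = m.name
        return m.name

    def monitor_result(self, name: str, healthy: bool):
        """Apply a health-monitor result; a member marked down leaves load balancing at once."""
        self.members[name].monitor_up = healthy

    def set_maintenance(self, name: str, forced_offline: bool = False):
        m = self.members[name]
        m.maintenance = True
        m.forced_offline = forced_offline


def demo():
    pool = Pool([Member("srv-a", weight=2), Member("srv-b"), Member("srv-c")])
    first = pool.select("cookie=alice")            # new session lands on srv-a
    pool.set_maintenance(first)                    # drain srv-a
    still = pool.select("cookie=alice")            # alice may stay on the drained member
    new = pool.select("cookie=bob")                # but no new session goes there
    pool.monitor_result(first, False)              # monitor marks srv-a down
    moved = pool.select("cookie=alice")            # now alice is moved as well
    return first, still, new, moved

def demo_forced_offline():
    pool = Pool([Member("srv-a"), Member("srv-b")])
    first = pool.select("cookie=carol")
    pool.set_maintenance(first, forced_offline=True)   # immediate: persisted sessions move too
    second = pool.select("cookie=carol")
    pool.monitor_result(second, False)                 # last healthy member down: nothing left
    return first, second, pool.select("cookie=dave")
```

The point of the two flags on `Member` is the difference the slide draws between "allowed" and "moved": a drained member keeps its persisted sessions only while its monitor still reports it healthy, so a monitor failure during maintenance moves the remaining users instead of stranding them.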

Application Delivery Controller (ADC): TCP/UDP full proxy

[Diagram: clients on the Internet, a WAN-optimised connection to the ADC, a separate LAN-optimised connection from the ADC to the servers]

• Performance:
  • Perfect adaptation to the server-side and client-side TCP stacks
  • Separate optimisation to the needs of each channel (WAN/LAN optimisation)

• Security:
  • Malformed TCP/UDP packets are dropped
  • SYN flooding protection
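A full proxy terminates the client's TCP connection itself, which is what makes the SYN flooding protection on the slide possible: the server never sees a connection until the client has completed the handshake with the proxy, and the proxy can complete that handshake statelessly with SYN cookies. The following is an added example, not code from the deck or from F5, of the cookie scheme; the secret, the MSS table and the one-minute counter granularity are assumptions for illustration.

```python
"""Added example (not from the deck): SYN cookies, the stateless way a full proxy
survives a SYN flood. The proxy answers each SYN with a SYN-ACK whose initial
sequence number is a MAC over the 4-tuple, a coarse timestamp and the encoded
MSS; it keeps no per-connection state and only creates a connection (and opens
its own TCP connection to the server) once a valid ACK returns. The secret, the
MSS table and the 1-minute counter granularity are assumptions for illustration."""
import hashlib
import hmac
import struct

SECRET = b"per-device-secret-rotate-me"   # constructed; a real device rotates this
MSS_TABLE = [536, 1220, 1440, 1460]       # encoded as a 3-bit index (only 4 entries used)
COUNTER_BITS = 5                          # 5-bit counter in units of one minute

def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def _mac(saddr, sport, daddr, dport, counter, mss_idx) -> int:
    """24-bit MAC over everything the cookie encodes, so no field can be altered."""
    msg = struct.pack("!4sH4sHBB", _ip(saddr), sport, _ip(daddr), dport, counter, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def encode_mss(mss: int) -> int:
    """Index of the largest table entry not exceeding the MSS the client offered."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            idx = i
    return idx

def make_cookie(saddr, sport, daddr, dport, client_isn, client_mss, minute) -> int:
    """ISN for the SYN-ACK: counter (5 bits) | MSS index (3 bits) | MAC xor client ISN (24 bits)."""
    counter = minute & ((1 << COUNTER_BITS) - 1)
    mss_idx = encode_mss(client_mss)
    mac = _mac(saddr, sport, daddr, dport, counter, mss_idx) ^ (client_isn & 0xFFFFFF)
    return (counter << 27) | (mss_idx << 24) | (mac & 0xFFFFFF)

def check_cookie(saddr, sport, daddr, dport, seq, ack, minute):
    """Validate the final ACK of the handshake. Returns the MSS to use for the new
    connection, or None if the cookie is forged or expired (the ACK is then dropped;
    nothing was allocated for it, so the flood costs the proxy only CPU)."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    # accept the current and the previous minute only: old cookies cannot be replayed later
    if counter not in ((minute & 0x1F), ((minute - 1) & 0x1F)):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(saddr, sport, daddr, dport, counter, mss_idx) ^ (client_isn & 0xFFFFFF)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]

def demo():
    """Constructed handshake: a valid ACK, a late ACK, a bit-flipped cookie and a spoofed source."""
    c = ("198.51.100.7", 51515, "203.0.113.10", 443)
    client_isn = 0x1234ABCD
    cookie = make_cookie(*c, client_isn, 1460, minute=1000)
    valid = check_cookie(*c, seq=client_isn + 1, ack=cookie + 1, minute=1000)
    late = check_cookie(*c, seq=client_isn + 1, ack=cookie + 1, minute=1003)
    forged = check_cookie(*c, seq=client_isn + 1, ack=(cookie ^ 1) + 1, minute=1000)
    spoofed = check_cookie("198.51.100.8", 51515, "203.0.113.10", 443,
                           seq=client_isn + 1, ack=cookie + 1, minute=1000)
    return valid, late, forged, spoofed
```

The price of statelessness is that TCP options the client sent in its SYN are lost unless encoded in the cookie, which is why the MSS is squeezed into three bits and why the MAC must cover those bits too; otherwise an attacker holding one valid cookie could vary the MSS field freely.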

Application Delivery Controller (ADC): Offloading

[Diagram: ADC in front of the servers, providing SSL offload, fast cache, compression, OneConnect (connection pooling) and logging]

• An ADC can offload tasks from the application server
  • Reduce the number of servers
  • Reduce power consumption
  • Centralize SSL key management (the ADC then holds every private key and sees the plaintext, so its management plane and key store need at least the protection of the servers it fronts)

Application Delivery Controller (ADC): Traffic Steering and Header Enrichment

[Diagram: ADC steering client requests to one of three server pools]

• Traffic steering based on:
  • Header information
  • URI
  • Hostname
  • Etc.

• Header enrichment:
  • SSL on (whether the client connection was encrypted)
  • Client certificate information
  • X-Forwarded-For
  • User name
  • Etc.
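Header enrichment only helps the back end if the back end can trust the headers, which means the ADC must strip any client-supplied copies before adding its own, and the servers must accept them only from the ADC's addresses. The following is an added example, not code from the deck or from F5, of the steering and enrichment step written that way; the pool names, hostnames, paths and header names are constructed.

```python
"""Added example (not the deck's or F5's code): the steering and header-enrichment
step of a reverse proxy, written so that the client cannot forge the headers the
ADC adds. Pool names, hostnames, paths and header names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Headers the proxy sets from connection facts. A client's own copies are dropped,
# otherwise a request could claim a trusted X-Forwarded-For or a different user.
ENRICHED = {"x-forwarded-for", "x-forwarded-proto", "x-ssl-client-dn", "x-remote-user"}

@dataclass
class Conn:
    client_ip: str
    tls: bool
    client_cert_dn: Optional[str] = None   # subject of a validated client certificate
    auth_user: Optional[str] = None        # user authenticated by the ADC itself

@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

def steer(req: Request) -> str:
    """Choose a pool from hostname, URI and header information; first match wins."""
    host = req.host.lower().split(":")[0]
    if host == "api.example.test":
        return "pool_api"
    if host == "www.example.test":
        if req.path.startswith("/static/"):
            return "pool_static"
        if req.path.startswith("/video/"):
            return "pool_video"
        if "Mobile" in req.headers.get("User-Agent", ""):
            return "pool_mobile"
        return "pool_web"
    return "pool_default"   # unknown Host header: never land on an internal pool by accident

def enrich(req: Request, conn: Conn) -> Request:
    """Drop client-supplied copies of the enriched headers, then set them from the connection."""
    headers = {k: v for k, v in req.headers.items() if k.lower() not in ENRICHED}
    headers["X-Forwarded-For"] = conn.client_ip
    headers["X-Forwarded-Proto"] = "https" if conn.tls else "http"   # the "SSL on" indicator
    if conn.client_cert_dn:
        headers["X-SSL-Client-DN"] = conn.client_cert_dn
    if conn.auth_user:
        headers["X-Remote-User"] = conn.auth_user
    return Request(req.method, req.host, req.path, headers)

def demo():
    """Constructed request that tries to impersonate a trusted address and another user."""
    conn = Conn(client_ip="198.51.100.7", tls=True, client_cert_dn="CN=alice,O=Example")
    req = Request("GET", "www.example.test", "/account",
                  {"X-Forwarded-For": "10.0.0.1", "x-remote-user": "admin", "User-Agent": "Mozilla"})
    out = enrich(req, conn)
    return steer(req), out.headers
```

The header comparison is case-insensitive on purpose, since HTTP header names are; the constructed request exploits exactly that with a lower-case `x-remote-user`. Where a trusted upstream proxy chain exists, append the connection address to X-Forwarded-For instead of replacing it, and strip only when the peer is not in the trusted set.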

Application Delivery Controller (ADC): L7 Message Handling, HTTP/1.1

1 TCP connection, single stream, request pipelining

[Diagram: clients on the Internet hold a single TCP connection to the ADC; the ADC fetches index.html from the web server and logo.jpg from the image server, with a video server alongside]

Application Delivery Controller (ADC): L7 Message Handling, HTTP/2.0/SPDY

1 TCP connection, parallel streams multiplexed (not merely pipelined: responses can complete in any order)

[Diagram: clients on the Internet hold a single TCP connection to the ADC; index.html from the web server, logo.jpg from the image server and 007.mov from the video server are served as parallel streams]

Application Delivery Controller (ADC): L7 Message Handling, HTTP/2.0/SPDY – Frame Encoding

1 TCP connection, parallel streams

[Diagram: as on the previous slide, with the response packets expanded]

TCP packets contain interleaved frames from parallel streams – for performance! Consequently an L7 device has to demultiplex the frames and reassemble each stream before it can apply per-request policy; packet-level inspection only sees fragments of several requests mixed together.
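The interleaving the slide shows is visible in the HTTP/2 frame layer: every frame carries a 9-byte header with its length, type, flags and stream identifier, and frames of different streams may follow each other in any order. The following is an added example, not code from the deck or from F5, of demultiplexing such a byte stream back into per-stream bodies, with the frame-size check an inspecting device needs; the sample bytes are constructed and the layout follows RFC 7540 §4.1.

```python
"""Added example (not from the deck): demultiplexing HTTP/2 frames that arrive
interleaved on one TCP connection. An L7 device has to do this before it can
apply per-request policy; the raw TCP payload shows fragments of several
requests mixed together. The sample byte stream is constructed here; the frame
layout follows RFC 7540 section 4.1."""
import struct

FRAME_HEADER = struct.Struct("!3sBBI")   # 24-bit length, type, flags, R + 31-bit stream id
DATA, HEADERS = 0x0, 0x1
END_STREAM = 0x1
MAX_FRAME_SIZE = 16384                   # SETTINGS_MAX_FRAME_SIZE default

def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Build one frame (used here to construct the sample stream)."""
    return FRAME_HEADER.pack(len(payload).to_bytes(3, "big"), ftype, flags,
                             stream_id & 0x7FFFFFFF) + payload

def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload); reject oversize or truncated frames."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < FRAME_HEADER.size:
            raise ValueError("truncated frame header")
        ln, ftype, flags, sid = FRAME_HEADER.unpack_from(data, pos)
        length = int.from_bytes(ln, "big")
        if length > MAX_FRAME_SIZE:
            raise ValueError(f"frame of {length} bytes exceeds SETTINGS_MAX_FRAME_SIZE")
        pos += FRAME_HEADER.size
        payload = data[pos:pos + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        pos += length
        yield ftype, flags, sid & 0x7FFFFFFF, payload

def demux(data: bytes) -> dict:
    """Reassemble each stream's DATA body; returns {stream_id: body} for completed streams.
    Stream 0 carries only connection control frames (SETTINGS, PING, GOAWAY) and is skipped."""
    bodies, done = {}, {}
    for ftype, flags, sid, payload in iter_frames(data):
        if sid == 0:
            continue
        if ftype == DATA:
            bodies[sid] = bodies.get(sid, b"") + payload
        if flags & END_STREAM:
            done[sid] = bodies.get(sid, b"")
    return done

def rejects(data: bytes) -> bool:
    """True if the stream is refused as malformed rather than parsed."""
    try:
        list(iter_frames(data))
    except ValueError:
        return True
    return False

# Constructed sample: responses for index.html (stream 1), logo.jpg (stream 3) and
# 007.mov (stream 5) interleaved on the wire as the slide depicts.
SAMPLE = b"".join([
    frame(HEADERS, 0, 1, b"\x88"),                  # :status 200 (HPACK static table index 8)
    frame(DATA, 0, 1, b"<html>"),
    frame(DATA, 0, 5, b"MOV0"),
    frame(DATA, 0, 3, b"\xff\xd8"),
    frame(DATA, 0, 5, b"MOV1"),
    frame(DATA, END_STREAM, 1, b"</html>"),
    frame(DATA, END_STREAM, 3, b"\xff\xd9"),
    frame(DATA, END_STREAM, 5, b"MOV2"),
])

def demo():
    return demux(SAMPLE)
```

The same reassembly is what a web application firewall behind the ADC depends on: a signature that matches `</html>` or a file magic number will not fire on the wire bytes of `SAMPLE`, where those sequences are split across frames of other streams, and will fire on the per-stream bodies `demux` returns.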

Proxy

Two Use Cases

[Diagram: Internet-facing datacenter (servers) on the inbound side, corporate network (users) on the outbound side]

Inbound (www hosting)

Characteristics
• Inbound
• SSL offload and acceleration
• Provide visibility for traffic management
• Internet-facing
• Front end to control and protect access to a server

Deployment models
• SSL Offload
• SSL Transformation
• Proxy SSL (Split)

Outbound

Characteristics
• Outbound
• Control user activity
• Sanitize traffic
• Takes requests from an internal network and forwards them to the Internet or a cloud app

Deployment model
• SSL Forward Proxy

Full Intelligence Requires a Full Proxy

Intelligent Full Proxy Benefits
• App "point of delivery & definition"
• App intelligence: layer 3-7 visibility
• Distinct client / server control
• Unified services / context
• Interoperability and gateway functions

[Diagram: two independent stacks (Physical, Network, Session, Application, Client/Server) on the client side and on the server side of the proxy, with the web application at each end]

IT = Complete control; Business = Reduced delivery costs

Inbound Secure Application Delivery: Deployment Models

[Diagram with three columns; labels recovered from the slide:]

• SSL Offload: HTTPS on the client side, HTTP on the server side; performance
• SSL Transformation: HTTPS on both sides with different parameters per side: ECC and a 4K key on the public (client-facing) side, RSA with a 2K key on the private (server-facing) side; SPDY on the client side, HTTP on the server side; L3-L7
• Proxy SSL (Split / Reverse): client certificate and server certificate

SSL Forward Proxy: Outbound Use Case

• Control all aspects of application traffic, even if encrypted

• Gain greater business value through integrated services

• Transparent to the end user experience

What's new

SSL Forward Proxy provides the ability to centralize SSL traffic monitoring and management through an SSL forward proxy.

Visibility into all SSL traffic: Proxy SSL or SSL Forward Proxy provide complete control for both ingress and egress traffic, transparent to the end user experience. (To do this the proxy terminates the client's TLS session and presents a certificate for the destination issued by an internal CA that the clients must trust; the proxy then becomes the place where the real server certificate is validated, and applications that pin certificates will not work through it.)

[Diagram: internal clients in the enterprise network, BIG-IP as SSL forward proxy, the Internet, cloud services and www hosting; client certificate and server certificate on each leg]

Visibility and Control for Outbound Encrypted Traffic

ICAP Services: Secure Application Delivery Services

ICAP Services provide value-added services such as video and image optimization, virus scanning, and content filtering. Request and Response ADAPT profiles steer traffic to an internal virtual server, which encapsulates it in ICAP to be modified (or not) by the ICAP servers.

• Steer HTTP/S traffic to an ICAP service for content adaptation

• Modify HTTP/S requests and/or responses

• Stream the connection once a match exists

• iRules supported for added flexibility

[Diagram: clients, ADC performing content adaptation, servers; the HTTP/S request and the HTTP/S response are each handed over ICAP to services such as virus scanning, video localization, ad insertion, IDS / DLP and others; shown together with SSL Forward Proxy and AD]
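Behind a Request ADAPT profile the ADC speaks ICAP (RFC 3507): the HTTP request is wrapped in a REQMOD message whose Encapsulated header gives the byte offsets of the embedded sections, and the ICAP server answers either 204 (forward unchanged) or 200 with a rewritten request or a blocking response. The following is an added example, not code from the deck or from F5, of both sides of that exchange; the service URI and the sample messages are constructed.

```python
"""Added example (not from the deck): the ICAP exchange behind a Request ADAPT
profile. The ADC wraps the client's HTTP request in an ICAP REQMOD message
(RFC 3507) and acts on the ICAP server's verdict: 204 means forward the request
unchanged, 200 carries a rewritten request or a blocking response. The ICAP
service URI and the sample messages are constructed."""

def icap_reqmod(http_headers: bytes, body: bytes, service="icap://icap.example.test/reqmod") -> bytes:
    """Encapsulate an HTTP request. Encapsulated offsets are byte positions inside the
    encapsulated section; a body is sent chunked and terminated by "0\r\n\r\n"."""
    host = service.split("//", 1)[1].split("/", 1)[0]
    if body:
        encap = f"req-hdr=0, req-body={len(http_headers)}"
        enc_body = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    else:
        encap = f"req-hdr=0, null-body={len(http_headers)}"
        enc_body = b""
    icap_hdr = (f"REQMOD {service} ICAP/1.0\r\n"
                f"Host: {host}\r\n"
                "Allow: 204\r\n"                  # we can handle "no modification" answers
                f"Encapsulated: {encap}\r\n\r\n").encode()
    return icap_hdr + http_headers + enc_body

def parse_icap_response(raw: bytes) -> dict:
    """Return the status, the ICAP headers and the encapsulated sections by name."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        k, _, v = ln.partition(b":")
        headers[k.strip().lower()] = v.strip()
    sections = {}
    if status != 204 and b"encapsulated" in headers:
        parts = [p.strip().split(b"=") for p in headers[b"encapsulated"].split(b",")]
        offsets = [(name.decode(), int(off)) for name, off in parts]
        for i, (name, off) in enumerate(offsets):
            end = offsets[i + 1][1] if i + 1 < len(offsets) else len(rest)
            sections[name] = rest[off:end]
    return {"status": status, "headers": headers, "sections": sections}

def decide(resp: dict) -> str:
    """Map the ICAP verdict to the proxy's action on the client request."""
    if resp["status"] == 204:
        return "forward-original"
    if resp["status"] == 200 and "res-hdr" in resp["sections"]:
        return "send-blocking-response"        # the ICAP server answered in place of the origin
    if resp["status"] == 200 and "req-hdr" in resp["sections"]:
        return "forward-modified"
    return "fail-open-or-closed-per-policy"    # e.g. ICAP server error: a deliberate policy choice

# Constructed messages
HTTP_REQ = b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 11\r\n\r\n"
HTTP_BODY = b"hello virus"
RES_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
BLOCK = (b"ICAP/1.0 200 OK\r\nISTag: \"av-2014-03\"\r\n"
         b"Encapsulated: res-hdr=0, res-body=" + str(len(RES_HDR)).encode() + b"\r\n\r\n"
         + RES_HDR + b"7\r\nblocked\r\n0\r\n\r\n")
CLEAN = b"ICAP/1.0 204 No Content\r\nISTag: \"av-2014-03\"\r\n\r\n"

def demo():
    req = icap_reqmod(HTTP_REQ, HTTP_BODY)
    return req, decide(parse_icap_response(CLEAN)), decide(parse_icap_response(BLOCK))
```

The last branch of `decide` is the setting to think about before deployment: whether a request is passed or refused when the scanning service is unreachable is a policy decision, and the "stream connection as match exists" behaviour on the slide means a verdict must be reached before the body starts flowing to the server.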

Enable Simplified Application Access with BIG-IP Access Policy Manager (APM)

[Diagram: users reach, through BIG-IP Local Traffic Manager + Access Policy Manager, a directory, SharePoint, OWA, cloud services, web servers (App 1 … App n, each on its own app OS) and hosted virtual desktops]

Web Application Firewall

• Maintain security at the application, protocol, and network levels

• Launch secure applications protected from vulnerabilities

Enforcement

[Diagram: request made → BIG-IP ASM security policy checked → BIG-IP ASM applies the security policy → vulnerable application → server response → secure response delivered]

Advanced Attack and Traffic Reporting

[Screenshot: ASM dashboard on BIG-IP]

A Firewall Built for the Data Center

[Diagram: "Before F5" vs "With F5". Before: separate products for load balancing, network DDoS protection, load balancing and SSL, application DDoS protection, DNS security, firewall, web application firewall and web access management protect the data center. With F5: the same functions, plus the IP Intelligence service, consolidated on the BIG-IP platform]

WAN Acceleration

Protocols: HTTP, MAPI, CIFS, HLS

Features (the slide groups them into AAM BASE and AAM FULL):
• SPDY
• Dynamic caching
• HTTP compression
• Deduplication
• Symmetric adaptive compression
• TCP optimization: congestion control, buffers, window size
• Forward error correction
• Bandwidth allocation
• SSL encryption, IPsec encryption

Global Server Load Balancing (GSLB)

• Manages traffic between data centers

• Enables dynamic application migration

• Optimizes performance

• Increases availability

[Diagram: BIG-IP Global Traffic Manager steering users between the London and New York data centers]

Conventional DNS Thinking

[Diagram: Internet → external firewall → DMZ with DNS load balancing over an array of DNS servers → internal firewall → hidden master DNS in the datacenter]

• Adding performance = adding DNS boxes

• Weak DoS/DDoS protection

• The firewall is THE bottleneck

F5 DNS Delivery Reimagined

[Diagram: Internet → BIG-IP in front of the master DNS infrastructure, providing DNS DDoS protection, DNS firewall, protocol validation, authoritative DNS, caching resolver, transparent caching, high-performance DNSSEC, DNSSEC validation and intelligent GSLB]

• Massive performance: over 10M RPS!

• Best DoS / DDoS protection

• Simplified management (partner)

• Less CAPEX and OPEX

Paradigm Shift

Secure DNS Query Response

Simple DNSSEC:
• Protection from cache poisoning and reduced management costs
• Ensure trusted DNS answers with dynamically signed responses
• Implement BIG-IP GTM in front of existing DNS servers

[Diagram: an LDNS on the Internet queries example.com; BIG-IP GTM in the DMZ takes the answer (123.123.123.123) from the data center's DNS servers and returns it signed, 123.123.123.123 + public key, to the LDNS]

Filter and Control Site Access

[Diagram: clients in the data center → BIG-IP with a DNS iRules blacklist → Internet sites]

• Filter outbound DNS queries

• Prevent access to malware sites

• Eliminate web proxies for DNS

• Improve site performance and scalability

F5 DNS iRules: Blacklist
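The blacklist iRule on the slide inspects the question in each outbound DNS query and refuses to resolve names on a blocklist. The following is an added example, not the deck's iRule and not F5 code, of the same logic in Python: it parses the question from a raw query packet, matches the name and every parent domain, and either forwards the query or answers NXDOMAIN itself. The blocklist and the sample queries are constructed.

```python
"""Added example (not the deck's iRule): the logic of a DNS blacklist filter in
front of outbound resolution. It parses the question from a raw DNS query,
matches the name and its parent domains against a blocklist and either passes
the query on or answers NXDOMAIN itself so the client never reaches the site.
The blocklist and the sample queries are constructed."""
import struct

BLOCKLIST = {"malware.example", "c2.badhost.test"}   # constructed
RCODE_NXDOMAIN = 3

def parse_question(pkt: bytes):
    """Return (id, qname, qtype, qclass, end_offset) from a single-question DNS query."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack_from("!6H", pkt, 0)
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")   # not legal in a query
        labels.append(pkt[pos:pos + ln].decode("ascii", "replace").lower())
        pos += ln
    qtype, qclass = struct.unpack_from("!HH", pkt, pos)
    return qid, ".".join(labels), qtype, qclass, pos + 4

def is_blocked(qname: str) -> bool:
    """Match the name and every parent domain, so www.malware.example is caught too."""
    parts = qname.rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def nxdomain(pkt: bytes, qend: int) -> bytes:
    """NXDOMAIN reply: same ID and question, QR set, RD copied, RA set, RCODE 3, no records."""
    qid, flags = struct.unpack_from("!HH", pkt, 0)
    rflags = 0x8000 | (flags & 0x0100) | 0x0080 | RCODE_NXDOMAIN
    return struct.pack("!6H", qid, rflags, 1, 0, 0, 0) + pkt[12:qend]

def filter_query(pkt: bytes):
    """("forward", pkt) to pass the query upstream, or ("reply", response) to answer it here."""
    qid, qname, qtype, qclass, qend = parse_question(pkt)
    if is_blocked(qname):
        return "reply", nxdomain(pkt, qend)
    return "forward", pkt

def build_query(qid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed test input: a standard recursive query (RD set, one question)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)

def demo():
    good = filter_query(build_query(0x1234, "www.example.test"))
    bad = filter_query(build_query(0x4321, "www.malware.example"))
    return good[0], bad[0], bad[1]
```

Answering NXDOMAIN is the quiet option; a sinkhole address in a real answer instead lets a monitoring host record which clients tried to connect, which is usually what incident response wants. Either way the blocked name and the source address should be logged: the query itself is the indicator of an infected client.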

Application Management

BIG-IP v10: managing objects & services → BIG-IP v11: managing application services

F5 iApps: managing application services … not network devices or objects.

F5 iApp: Connecting People and Process

[Diagram]


F5 iApp: How it works

• iApp templates allow for business policy-driven configuration and IT collaboration

• iApp drives automation and provisioning

• Changes can quickly be made and re-applied

• iApps are portable between F5 devices enabling rapid migration

• Every service is reusable

Completing the SDN Stack

[Diagram of the software-defined data center: application plane with BIG-IQ Security™, BIG-IQ Cloud™ and BIG-IQ Device™ exposed through open REST APIs; control plane with an SDN controller for layers 2-3 and BIG-IQ for layers 4-7, each with a northbound interface (NBI); data plane with virtual networks (NVGRE, VXLAN, etc.) and service chaining]

Cisco Application Centric Infrastructure: Network Fabric for the F5 Application Fabric

Policy controlled network fabric (L2 – L4, stateless)
• Automated isolation provisioning
• Granular L2-L4 path decisions
• Dynamic QoS and SLAs

Policy controlled application fabric (L4 – L7, stateful)
• Automated device onboarding
• Automatic network fabric provisioning
• L4 – L7 policy defined in service chains
• Device and service level health checks

What Is BIG-IQ?

[Architecture diagram: applications on the data plane (BIG-IP), managed from a separate management plane (BIG-IQ)]

The BIG-IQ Vision

[Diagram: BIG-IQ managing BIG-IP instances in the data center, in a public cloud and in a hybrid cloud]

BIG-IQ – Abstraction Layer

[Diagram: an admin and a tenant admin work on the management plane through an iApps catalog; on the data plane, iApps deploy the applications (HR portal, team portal, spare part portal) to users, each with its own bandwidth limit (1 Gbit, 10 Mbit, 1 Mbit)]

BIG-IQ and BIG-IP Solution Diagram for Cloud Architectures

[Diagram: cloud orchestrators and a provider portal drive BIG-IQ (iApp lifecycle management, cloud connectors); BIG-IP platforms host tenant 1, tenant 2 and tenants 3 & 4 with their apps across data centers and a private or public cloud (Amazon Web Services); tenants work through a tenant portal]


Questions?

Reference Architectures

DDoS protection reference architecture

[Diagram: legitimate users, DDoS attackers, scanners, anonymous proxies and anonymous requests, and botnet attackers reach the data center via ISP a/b and a cloud scrubbing service (multiple ISP strategy). Tier 1 (network and DNS, the strategic point of control) absorbs network attacks (ICMP flood, UDP flood, SYN flood) and DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning), fed by threat feed intelligence. Tier 2 (application), together with a next-generation firewall and an IPS, handles SSL attacks (SSL renegotiation, SSL flood) and HTTP attacks (Slowloris, slow POST, recursive POST/GET) in front of the financial services, e-commerce and subscriber applications used by corporate users]
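The HTTP attacks listed for Tier 2, Slowloris and slow POST, work by holding many connections open while delivering a request's headers or body a few bytes at a time; a full proxy sees that pace on every connection and can act before the servers run out of connection slots. The following is an added example, not part of the reference architecture and not F5 code, of the detection logic run over constructed connection samples; the deadlines, the rate floor and the per-source limit are assumptions to be tuned per site.

```python
"""Added example (not part of the reference architecture): detecting the slow
HTTP attacks named in Tier 2 (Slowloris, slow POST) from per-connection
progress as a full proxy observes it. The thresholds and the connection
samples are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

HEADER_DEADLINE_S = 10.0      # request headers must be complete within this long
MIN_BODY_RATE_BPS = 100.0     # an announced body must arrive at least this fast on average
PER_SOURCE_LIMIT = 20         # slow connections tolerated per client IP before blocking the IP

@dataclass
class ConnSample:
    conn_id: int
    src_ip: str
    opened_at: float
    now: float
    bytes_received: int
    headers_complete: bool
    content_length: int = 0        # from the headers; 0 if no body was announced

def classify(c: ConnSample) -> str:
    """Return "ok", "slowloris" (headers dribbling) or "slow-post" (body dribbling)."""
    age = c.now - c.opened_at
    if not c.headers_complete:
        return "slowloris" if age > HEADER_DEADLINE_S else "ok"
    if c.content_length and c.bytes_received < c.content_length and age > 0:
        # average rate over the whole body so far, not the instantaneous rate,
        # so a brief stall on a legitimate upload does not trip it
        return "slow-post" if c.bytes_received / age < MIN_BODY_RATE_BPS else "ok"
    return "ok"

def mitigate(samples: List[ConnSample]) -> Tuple[List[int], List[str]]:
    """Connections to reset, and source IPs with so many slow connections that the
    address itself is blocked (one slow client is a bad link; twenty is an attacker)."""
    reset, per_src = [], {}
    for c in samples:
        if classify(c) != "ok":
            reset.append(c.conn_id)
            per_src[c.src_ip] = per_src.get(c.src_ip, 0) + 1
    blocked = sorted(ip for ip, n in per_src.items() if n >= PER_SOURCE_LIMIT)
    return reset, blocked

def demo():
    now = 1000.0
    samples = [
        # a normal browser: headers done within a second, small body complete
        ConnSample(1, "198.51.100.5", now - 1.0, now, 420, True, 300),
        # slow POST: announced a 1 MiB body, delivered 500 bytes in 60 s
        ConnSample(2, "203.0.113.9", now - 60.0, now, 500, True, 1_048_576),
        # a large legitimate upload progressing at about 50 KiB/s
        ConnSample(3, "198.51.100.6", now - 20.0, now, 1_000_000, True, 5_000_000),
    ]
    # Slowloris: one source holding 25 connections whose headers never finish
    samples += [ConnSample(100 + i, "203.0.113.77", now - 30.0, now, 40, False) for i in range(25)]
    return mitigate(samples)
```

Resetting the connection is cheap for the proxy because, as a full proxy, it has not yet opened a server-side connection for a request whose headers are incomplete; the servers behind it never see the attack at all.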

Intelligent and Scalable DNS Services

Optimized DNS

• Easy integration into the existing DNS infrastructure for high availability and security

• Supports over 10 million DNS responses per second (RPS)

• Manageable and predictable data center utilization

[Diagram: Tier 1, the DMZ (offload to the edge; strategic point of control), receives legitimate queries from LDNS and DNS attacks from the Internet on TCP/UDP port 53 and applies DNSSEC, IP geolocation, IP Intelligence and DNS DDoS protection in front of the primary DNS. Tier 2, application delivery on TCP port 80/443, uses application health, application threat intelligence and context based on geographical location to separate legitimate visitors from malicious attackers and web bot attackers]

F5 Cloud Federation architecture

[Diagram: corporate users and attackers reach the on-premises infrastructure; BIG-IP as the strategic point of control provides access management (access policy enforcement, real-time access control, multi-factor authentication) in front of the corporate applications and directory services, and identity federation via SAML to SaaS providers (Office 365, Google Apps, Salesforce), which consume the SAML assertions for identity management]

F5 Cloud Migration architecture

[Diagram: on-premises infrastructure with line-of-business applications run by business unit application managers and administrators; a cloud hosting provider where a cloud administrator deploys BIG-IP VE (an automated application delivery network with health/performance monitoring, load balancing, custom business logic, application health and SSL management) alongside cloud management; DNS-based global load balancing with infrastructure monitoring and advanced reporting is the strategic point of control that steers users and beta users to the on-premises or the cloud copy of the application]