Session1 AUD10 Synthesis SDAS and RA - F5 Networks · The value you get from an infrastructure fabric is the product of four things: what services it can provide, how and where it

F5 Synthesis™High Performance Services FabricReference Architectures

Steve AllieSenior Director, Marketing Architecture

F5 Synthesis™

Deliver the most secure, fast, and reliable applications to anyone anywhere at any time.

F5 MISSION

F5 Agility 2014 4

The Evolution of F5

• Security• Mobility/LTE• Domain Name Services

• Hypervisor/Cloud ubiquity• Multi-tenancy, all-active • Identity access management

• Traffic management• Optimization• Acceleration

1

2

3

F5 Agility 2014 5

Agile Development

Application Environment

Rapid deployment─network and operations velocity

Speed, customer-driven, and quality of app development

F5 Agility 2014 6

Cloud and DevOps

Cloud SLA and controlprivate network agility

Accelerate time to market


Agile Development



F5 Agility 2014 7

SDN and Private Cloud

Software Defined Data Centers

Cloud and DevOps




Agile Development



Failed to Address:L4–7 device sprawl and application awareness

F5 Agility 2014 8

SDN and Private Cloud

Software Defined Data Centers

Cloud and DevOps



Agile Development



Failed to Address:L4–7 device sprawl and application awareness

F5 VISION

Applications without constraints

The Time Is Right

F5 Agility 2014 9

Software Defined Application Services 4

The Evolution of F5

Application Delivery Controller1

Broadened Application Services2

Cloud Ready3

© F5 Networks, Inc. 9

F5 Agility 2014 10

Software Defined Application Services Elements

High-Performance Services Fabric

Simplified Business Models

F5 Agility 2014 11


Simplified Business Models

• New licensing models• Easy to procure• Save by purchasing bundles

High Performance Services Fabric

The value you get from an infrastructure fabric is the product of four things: what services it can provide, how and where it can deliver the services, the flexibility and scale to meet demands, and how it integrates into your ecosystem.

This is the story of how to build the capability to deliver those services when and where you need them and value you’ll achieve with a scalable application delivery infrastructure.

F5 Agility 2014 14


Network [Physical • Overlay • SDN]

Virtual Edition Chassis Appliance

F5 Agility 2014 15


On-Demand Scaling All-Active Clustering Multi-Tenancy

ScaleN

TMOS TMOS TMOS TMOS


F5 Agility 2014 16


Throughput Connections per second

Concurrentconnections

Multi-tenantinstances per device

Device serviceclusters

Network [Physical • Overlay • SDN]*40K when combining admin instances with vCMP

F5 Agility 2014 17




Data Plane

Programmability

Control Plane Management Plane

F5 Agility 2014 18




Data Plane

Programmability

Control Plane Management Plane

F5 Agility 2014 19

What is the High Performance Services Fabric?

Traffic Group

Device Group

Connected together using F5 DSC2-32 Trust Domain

Traffic Group Traffic Group

Exchange state & configuration

F5 Agility 2014 20

Why Use High Performance Services Fabric?

Horizontal Scalability

PlatformMigration

LessOverhead

Increased flexibility = greater capacity

Workloads can be migrated between devices

No need to over-provision by 100%

Devices

F5 Agility 2014 21

How does the High Performance Services Fabric work?

Device GroupTrust Domain

A

B

D

CSync-Only or Sync-Failover

Full-Mesh communication

F5 Agility 2014 22

Public CloudHybrid CloudBIG-IP

BIG-IP

Data Center

Centralized Management Platform

BIG -IQBIG - IQ

Application Services Modules

BIG-IQ Platform Services

BIG-IP Devices

F5 Agility 2014 24

Intelligent Services Orchestration

Reference Architectures

F5 Agility 2014 26

Main tenants of F5 Synthesis™ Reference Architectures

Cloud MobilitySecurityMigration, bursting and

federated servicesProvision, manage, secure

and scale for mobilitySecuring application and

service infrastructures

F5 Agility 2014 27

Reference Architectures

Migration to Cloud

DNS CloudBursting

VDI High-PerformanceIPS

DDoSProtection

S/Gi NetworkSimplification

Security forService Providers

ApplicationServices

DevOps

LTE Roaming

CloudFederation NFV

Web FraudProtection

Secure WebGateway

F5 Agility 2014 28

DDoS Reference Architecture

Solution Documents – “Why To”

F5 Agility 2014 29

Tier 1: Protecting L3–4 and DNS

Network Firewall Services + DNS Services

+ Simple Load Balancing to Tier 2

BIG-IP Platform

Next-Generation Firewall

Users leverage NGFW foroutbound protection

Employees

+ IP Intelligence(IPI) Module

Can inspect SSL at either

tierBIG-IP Platform

Tier 2: Protecting L7

Web Application Firewall Services

+ SSL Termination

Customers

DDoS Attack

ISPa

Partners

DDoS Attack

ISPb

ISP providesvolumetric DDoS

service

CloudScrubbing

Service

BIG-IP Advanced Firewall Manager

BIG-IP Local Traffic Manager

BIG-IP Global Traffic Manager

BIG-IP Access Policy Manager

BIG-IP Application Security Manager

DDoS Product Map

Technical Documents – “How To”

F5 Agility 2014 30

DDoS Recommended Practices Configuration Guide2.3 .2.5 Throttle GET Request Floods via Script The F5 DevCentral community has developed several powerful iRules that automatically throttle GET requests. Customers are continually refining these to keep up with current attack techniques.

Here is one of the iRules that is simple enough to be represented in this document. The live version can be found at this DevCentral page: HTTP-Request-Throttle

when RULE_INIT { # Life timer of the subtable object. Defines how long this object exist in the subtable set static::maxRate 10 # This defines how long is the sliding window to count the requests. # This example allows 10 requests in 3 seconds set static::windowSecs 3 set static::timeout 30 } when HTTP_REQUEST { if { [HTTP::method] eq "GET" } { set getCount [table key -count -subtable [IP::client_addr]] if { $getCount < $static::maxRate } { incr getCount 1 table set -subtable [IP::client_addr] $getCount "ignore" $static::timeout $static::windowSecs } else { HTTP::respond 501 content "Request blockedExceeded requests/sec limit." return } } }

Another iRule, which is in fact descended from the above, is an advanced version that also includes a way to manage the banned IPs address from within the iRule itself:

URI-Request Limiter iRule – Drops excessive HTTP requests to specific URIs or from an IP

2.3.2 .4 Enforce Real Browsers Besides authentication and tps-based detection (section Error! Reference source not found.),there are additional ways that F5 devices can separate real web browsers from probable bots.

The easiest way, with ASM, is to create a DoS protection profile and turn on the “Source IP-Based Client Side Integrity Defense” option. This will inject a JavaScript redirect into the client stream and verify each connection the first time that source IP address is seen.

Figure 1. Insert a Javascript Redirect to verify a real browser

Validation Documents – “Prove It”

F5 Agility 2014 31

Blended Attacks25 + new DDoS Attack Vector Control options in Hardware

DDoS (Hardware Accelerated) Performance Testing

UDP Flood2x Competition

ICMP Flood10x Competition

TCP Syn-Flood16x Competition

F5 Agility 2014 32

Total Cost of Ownership5 year analysis

Data CenterConsolidation

S/GiSimplification

DDoSProtection

F5 Agility 2014 33

SERVICE FUNCTIONALITYDEVICE NETWORK APPLICATION

Mob

ile a

pp m

anag

emen

t

End

poin

t ins

pect

ion

Web

ant

i-fra

ud

SD

N

CG

NAT

App

licat

ion

deliv

ery

firew

all

Pol

icy

enfo

rcem

ent

Aut

horit

ativ

e D

NS

IPv6

gat

eway

Link

load

bal

anci

ng

Load

bal

anci

ng

DN

SS

EC

DD

oSm

itiga

tion

Clo

ud b

ridgi

ng

Acc

eler

atio

n

Mob

ile o

ptim

izat

ion

Sec

ure

rem

ote

acce

ss

Clo

ud id

entit

y fe

dera

tion

Web

app

licat

ion

firew

all

Load

bal

anci

ng

SIP

del

iver

y an

d se

curit

y

VD

I

Avai

labi

lity

BC

\DR

Cac

hing

Com

pres

sion

F5

Radware

A10

Citrix

Riverbed

More Information

[email protected]

@f5allie

The F5 Synthesis™Reference Architectures

www.f5.com/architectures

Q&A