Providing Secure, Fast and Available SharePoint with F5 BIG-IP
John Lee, Federal Systems Engineer
Version 3.0
© F5 Networks, Inc 2
Traffic Manager Operating System (TMOS)
[Architecture diagram: client-side and server-side TCP proxy with TMOS traffic plugins (SSL, Compression, TCP Express, Caching, OneConnect, XML, Rate Shaping, ASM, Web Accel, 3rd Party) running on the high-performance networking microkernel; powerful application protocol support; iControl API for external monitoring and control; iRules network programming language; high-performance hardware; Application Delivery Network]
Performance, Redundancy, DDoS Protection
• SSL Acceleration (& Termination)
  • DHE, RSA, DSA, ECC, TLS 1.3 & PFS
• Protocol Optimization
  • TCP & HTTP
• Fast Cache (Limited)
• TCP Queuing
• Compression
• Application Availability & Redundancy
• Intelligent Application Monitors
• DDoS Protection (Core)
• SSL Visibility
• ICAP
New Features in 2013
• Host Named Site Collections
  • More FQDNs
• Request management
  • L7: Throttling & Routing
    • Static Weight
    • Health Weight
  • Disabled by Default
  • Criteria
    • CustomHeader
    • Host
    • HttpMethod
    • IP
    • SoapAction
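As an added example that is not part of this deck, the following SharePoint 2013 Management Shell script shows what the two features above look like once configured: a host-named site collection served from an existing web application, and Request Management routing and throttling rules built from the listed criteria. The web application URL, host names, server names, owner alias, weights and threshold are assumptions; verify each cmdlet's parameters against Get-Help on the target farm.

```powershell
# Added example (not from the F5 deck). Assumed values: web application URL,
# host names, WFE server names, owner alias, weights and threshold.
# Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication "https://sharepoint.example.mil"   # assumed URL

# Host-named site collection: a second FQDN answered by the same web
# application, so one BIG-IP virtual server can front many host names.
New-SPSite -Url "https://teams.example.mil" `
           -HostHeaderWebApplication $wa `
           -OwnerAlias "EXAMPLE\spadmin" `
           -Template "STS#0" `
           -Name "Teams"

# Request Management is disabled by default; turn on both routing and
# throttling and use static weights (the deck's "Static Weight" scheme).
Set-SPRequestManagementSettings -Identity $wa `
    -RoutingEnabled $true -ThrottlingEnabled $true -RoutingWeightScheme Static
$rm = Get-SPRequestManagementSettings -Identity $wa

# Register the web front ends and give WFE1 twice the share of WFE2.
Add-SPRoutingMachineInfo -RequestManagementSettings $rm -Name "WFE1" | Out-Null
Add-SPRoutingMachineInfo -RequestManagementSettings $rm -Name "WFE2" | Out-Null
$wfe1 = Get-SPRoutingMachineInfo -RequestManagementSettings $rm -Name "WFE1"
$wfe2 = Get-SPRoutingMachineInfo -RequestManagementSettings $rm -Name "WFE2"
Set-SPRoutingMachineInfo -Identity $wfe1 -StaticWeight 10
Set-SPRoutingMachineInfo -Identity $wfe2 -StaticWeight 5
$pool = Add-SPRoutingMachinePool -RequestManagementSettings $rm `
            -Name "SearchPool" -MachineTargets @($wfe1, $wfe2)

# Routing rule on the Host criterion: requests for the search host name
# go only to the dedicated pool.
$hostCrit = New-SPRequestManagementRuleCriteria -Property Host `
                -Value "search.example.mil" -MatchType Equals
Add-SPRoutingRule -RequestManagementSettings $rm -Name "RouteSearch" `
    -Criteria $hostCrit -MachinePool $pool

# Throttling rule on the HttpMethod criterion: WebDAV PROPFIND requests are
# refused while a front end's health score is at or above the threshold
# (scores run 0 to 10, 10 being the least healthy), protecting interactive users.
$methodCrit = New-SPRequestManagementRuleCriteria -Property HttpMethod `
                  -Value "PROPFIND" -MatchType Equals
Add-SPThrottlingRule -RequestManagementSettings $rm -Name "ThrottlePropfind" `
    -Criteria $methodCrit -Threshold 8
```

Routing and throttling decisions are logged by the Request Management service, so the rule names chosen here are what will appear in the ULS logs when a request is redirected or refused.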
Application Security
• HTML Content Streaming & PII Protection
• OWASP Top 10
  • A1 Injection
  • A2 Broken Authentication and Session Management
  • A3 Cross-Site Scripting (XSS)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration
  • A6 Sensitive Data Exposure
  • A7 Missing Function Level Access Control
  • A8 Cross-Site Request Forgery (CSRF)
  • A9 Using Components with Known Vulnerabilities
  • A10 Unvalidated Redirects and Forwards
[Diagram labels: Protect your Apps; Automate Signature Updates; Industry Partnerships]
• Layer 5 – 7 Application Protection
• PCI DSS Compliance
• Positive + Negative Security Models
• ICSA Certified Web App Firewall
• Integrated into the BIG-IP ADC
BIG-IP Access Policy Manager: Identify, authenticate, and control user access to your applications
Single Sign On
• Secure and accelerate application access from any device and location
• Consolidate AAA and SSO services for enterprise applications
• RDP, View, Citrix Xen Support
• Federate via SAML
Mobile User Access
• Scalable SSL VPN
• Advanced Endpoint checks
• BYOD: iOS, Win8, Android Support
The impact of LTM+APM for SharePoint?
Protocol Optimization + SSL Acceleration & Offloading + Authentication Offloading
Faster Deployment + Added Security + Happier Users
[Diagram: Clients, SharePoint Farm and External System, showing Classic (Windows Auth) and Claims for Incoming Authentication, Intra/Inter Farm Authentication and Outgoing Authentication]
But wait, there’s more…
SharePoint Acceleration, More New stuff?
• Workflow Manager
  • Doesn’t support IPv6
• UX Improvements
• HTML5
• Caching (AppFabric Distributed Cache)
• Feeds
• Logon Tokens
• Search
• Mobile Support
• Minimal Download Strategy
• Browser Support
Application Delivery Optimization
Holistic approach to improving performance throughout the application delivery chain
Network
• Connect applications and users in a global enterprise
• Provide the fastest network at the lowest cost
• Increase network efficiency to best utilize resources
Client
• Improve the user experience for traditional and mobile users
• Deliver the right content to the right user in the fastest time
Data center
• Improve availability of enterprise applications
• Increase application server capacity
• Integrate new technologies without recoding applications
Accelerating the Client
Content control
• Deliver content to clients with minimal network overhead
Data reduction
• Optimize images and files for mobile browsers to improve page load times
Accelerating the Network
Compression and deduplication
• Reduce amount of data transmitted
• Improve network throughput and response
• Increase bandwidth efficiency
• Adaptive / Client Aware Compression
Protocol optimization
• Tune TCP and HTTP parameters to adapt to changing network conditions
Loss correction
• Correct for high-loss networks to decrease transmission time and improve user experience
Acceleration in the Data Center
Load balance
• Distribute application load across multiple servers to increase availability
Offload
• Increase server capacity
• Accelerate SSL processing
• Manage TCP connections more efficiently
SPDY gateway
• Leverage SPDY and other protocols without recoding applications
Fast cache
• Offload repetitive traffic from web and application servers to increase server capacity
Core / LTM
Image Optimization? That too…
What
• Convert from JPEG or PNG to WebP
• Reduces file size by up to 73%
• Preserve copyright before stripping EXIF headers.
• Retries if optimization skipped due to load.
• Improved dashboard stats
Why
• Reduce size of web page
• Especially useful for mobile browsers.
What does it mean?
• Faster load times
• Better user experience
• Reduced bandwidth
• Reduce VM Sprawl
• Reduce Storage Requirements
• Reduce Complexity
Low Level Test Case: LTM + APM + WA, 20 Concurrent Users, SSL Offload
• >89% Decrease in average page load time.
• >36% Decrease in outbound Bandwidth consumption.
• >50% Decrease in per user Bandwidth consumption.
Use Cases
• TMG End of Life
• Simplification of the current Architecture
• Complex Authentication requirements
• Cross-Domain Solution; Multiple SharePoint Farms, Multiple Active Directory Forests, External users
• LTM+APM+WA for NIPR and SIPR
• Streamlined farm migration
• Elimination of point solutions
DoD Certifications
• FIPS 140-2, DNSSEC, IPv6
• NIAP CCC
• C&A
• DISA ATO
• NMCI
• JWICS
• SOCOM & CENTCOM
• TIC PKE Certification
• DISA UC-APL (TN#1312201)
• US Army’s IA-APL
Know your FIPS levels?
Level 1
• Evaluated crypto algorithms and/or random number generators
• No physical security requirements, can be software only
Level 2 (L1+)
• Physical enclosures with pick-resistant locks or tamper-evident stickers
• Enclosures “opaque in the visible spectrum”
Level 3 (L2+)
• Automatic deletion
Level 4 (L3+)
• Kevlar jacketing and EMP-like deletion
• Hermetically sealed enclosure