Brocade vADC Portfolio Overview 2016

Page 1: Brocade vADC Portfolio Overview 2016

© 2016 BROCADE COMMUNICATIONS SYSTEMS, INC. INTERNAL USE ONLY

Scott Sims ([email protected])

vADC Technical Presentation, June 2016

Brocade vADC Portfolio

Page 2: Brocade vADC Portfolio Overview 2016

The Brocade vADC Portfolio Overview

Services Director

• Elastic Services Director

• Unique Flexible Licensing System

• Flexible Footprint

• Automation and Visibility

Web App Firewall

• Application Aware Firewall

• Defends your applications against Layer-7 attacks

Web Accelerator

• Website Acceleration

• Reduces page load time and cuts bandwidth

Traffic Manager

• Load Balancer / Traffic Manager / ADC

• Provides reliability, security, availability, offload, scripting and more

Page 3: Brocade vADC Portfolio Overview 2016

Deployment Options

Pure Software
• 64-bit software binary
• Linux or Solaris
• Maximum flexibility for enterprise architects

Virtual Appliance
• Pre-packaged VA
• Range of hypervisors: VMware, Hyper-V, Oracle VM, etc.
• Hypervisor-specific features

Cloud Packaging
• Pre-packaged for leading cloud providers
• Closer integration with named CSPs and CSFs
• AMIs for Amazon
• VHD for Azure

Bare-Metal Server Image
• ISO or PXE image to install directly onto Intel x86 servers

Page 4: Brocade vADC Portfolio Overview 2016

How It Works: Traffic Manager

[Diagram: client connections arrive on a Public VIP and are terminated by a Virtual Server; Request Rules run, the request is forwarded over pool server connections to the Web and Application Servers (www, APPS and DB tiers, health-checked by Monitors), and Response Rules run on the way back to the client.]

Request Rules (TrafficScript / RuleBuilder): SSL Decryption, Global Load Balancing, Service Protection, TCP Offload, Rate Shaping, Application Firewall

Pool: Load Balancing, Session Persistence, Bandwidth Shaping, SSL Encryption, HTTP Multiplexing, Concurrency Control, Application Auto-Scaling

Response Rules (TrafficScript / RuleBuilder): TCP Offload, HTTP Caching, Content Compression, Service Level Monitoring, Bandwidth Shaping, Web Accelerator, Application Firewall

Page 5: Brocade vADC Portfolio Overview 2016

Programmability Part 1: TrafficScript

• A scripting language that lets you manipulate your traffic as it passes through the Traffic Manager:
  ‒ Request Rules,
  ‒ Response Rules, and
  ‒ Transaction Completion Rules

• Full deep packet inspection of the request and response packets

• Some Common Use Cases:
  ‒ Enforce Business Logic ‘on-the-wire’
  ‒ Work-Around Common Application Problems
  ‒ Add Business Value
  ‒ Diagnose Issues


Page 6: Brocade vADC Portfolio Overview 2016

TrafficScript: Translate URL after Web Site Update

    # Redirect legacy product URLs to the new services page
    $path = http.getPath();
    if( string.startsWith( $path, "/products" ) ) {
        http.redirect( "/services.html" );
    }

Example of a simple rule: check the URL of every request. If the URL starts with “/products”, then redirect to “/services.html”.

Syntax will be familiar to anyone who has used Perl, PHP, C, BASIC, etc.

Page 7: Brocade vADC Portfolio Overview 2016

TrafficScript Examples

• Hide Web Server Errors When Transactions Fail:

    # If the server responds with an HTTP 500 Error:
    $code = http.getResponseCode();
    if( $code >= 500 && $code != 503 ) {
       # Not retrying 503s here, because they get retried
       # automatically before response rules are run
       if( request.getRetries() < 3 ) {
          # Avoid the current node when we retry, if possible:
          request.avoidNode( connection.getNode() );
          # Record a log event for the failure:
          log.warn( "Request " . http.getPath() . " to site " . http.getHostHeader() .
                    " from " . request.getRemoteAddr() . " caused error " . http.getResponseCode() .
                    " on node " . connection.getNode() );
          # Then we can retry the request, and the user is none the wiser! ;^)
          request.retry();
       }
    }

Page 8: Brocade vADC Portfolio Overview 2016


TrafficScript - Watermark PDF files

Example of a TrafficScript rule invoking a custom Java program


[Figure: sample PDF page stamped by the rule with the watermark “Downloaded by 59.197.10.160, Wed, 16 sept 2016 22:07:49 GMT. Copyright Brocade 2016. For restricted Distribution”]

Page 9: Brocade vADC Portfolio Overview 2016


iRule vs TrafficScript

iRules = Time consuming and complicated

TrafficScript = Quick and easy (and just as powerful)

Page 10: Brocade vADC Portfolio Overview 2016

Scale up & Scale Out: Done Right

Clustering


Page 11: Brocade vADC Portfolio Overview 2016


Scale up & Scale Out: Done Right


[Diagram: throughput scale from 1 Gbps to 2 Gbps to 10 Gbps+]

Scale up: single device, allocate more capacity

Scale out: many devices, linear scaling

• Single or Multi-Tenant
• Single or Multiple Physical Boxes
• Single or Multiple Clouds

Page 12: Brocade vADC Portfolio Overview 2016


N+M Clustering (Traffic IP Group Basics)

• A Traffic IP (TIP) Group is a “listener” for incoming traffic to be “load balanced”
• TIP Groups can have one or more Traffic IP addresses
• TIP Groups can live on one or multiple Traffic Managers

[Diagram: TIP Group 1, TIP Group 2 and TIP Group 3, each holding several TIPs, spread across the Traffic Managers in the cluster]

Page 14: Brocade vADC Portfolio Overview 2016

Web Accelerator


• Automates web performance best practices
• Increases innovation capacity and speed
• Improves web performance, reduces bandwidth costs, boosts SEO & Sales

Page 15: Brocade vADC Portfolio Overview 2016

Automate Web Performance Best Practices

Compress
• JavaScript & Stylesheet shrinking
• Image resampling
• Metadata removal
• Dynamic Gzip/deflate compression

Dynamic Layout
• JavaScript/Stylesheet re-ordering
• Removal of missing and duplicate content
• Browser aware optimizations (Desktop, Mobile and legacy browsers)

Cache
• On-Proxy resource caching
• Dynamic page caching
• Aggressive Browser caching
• Auto URL versioning

Combine
• Merge Stylesheets
• Image Spriting
• Background image inlining

Automates web performance best practices, so you can focus on strategic development & content

Page 16: Brocade vADC Portfolio Overview 2016

Services Director: automates the deployment, licensing, provisioning & metering of ADC services


Web Application Firewall

• Out of the box OWASP Top Ten protection
• Configuration Wizards, learning mode with suggested rules
• Granular custom rules
• Application Security in the Cloud

Page 17: Brocade vADC Portfolio Overview 2016

WAF vs IPS vs NGFW

Page 18: Brocade vADC Portfolio Overview 2016

OWASP Top 10

Open Web Application Security Project: most common application layer attacks

Page 19: Brocade vADC Portfolio Overview 2016


Brocade Web Application Firewall

A scalable, application-aware Layer 7 security solution, offering the highest protection and performance in web and cloud application security. The vWAF identifies and stops attacks that would typically be missed by a network firewall, protecting valuable data. Web Application Firewalls allow customers to mitigate web application security threats in a scalable manner.

1. Enforcer: lightweight agent for data inspection

2. Decider: decides the action based on the current security policy for each app

3. Admin Console: central web-based admin console to create and maintain rule sets

[Diagram: User and Hacker traffic passes through the vWAF before reaching the Server Farm]

Page 20: Brocade vADC Portfolio Overview 2016

Application Firewall – Integrated

Scale out the CPU Cores and RAM on the Integrated Traffic Manager

Integrated WAF: Enforcers, Decider & Admin on a single instance

[Diagram: Web Servers fronted by a row of vTM instances; capacity grows by scaling out the number of vTM instances]

Page 21: Brocade vADC Portfolio Overview 2016

Application Firewall – Distributed

Any number or combination of Enforcers, Deciders and Admins is possible

[Diagram: Admin Servers, Decider Servers, and Web Servers with Enforcers as separate tiers]

Page 22: Brocade vADC Portfolio Overview 2016

Dual Mode Protection

Technical Aspects
• Simultaneous dual-mode protection, enforcement & detection-only rulesets
• Integration with third-party vulnerability scanning tools
• Fine-grained protection policies per application

Business Benefits
• Allows iterative security policy changes without risk of false positives or relaxed defenses
• Allows virtual patching of known vulnerabilities
• Tune shielding to individual risk profile

[Diagram: traffic to the www, APPS and DB tiers is evaluated by two rulesets side by side: Detect = Alert / log; Protect = Alert / log, Block]
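The dual-mode idea above, modelled as an added Python example. This is illustrative code written for this page, not Brocade vWAF code; the rule names, regex patterns and sample requests are constructed assumptions. A proven ruleset runs in protect mode while a newly written, deliberately over-broad candidate rule is staged in detect mode, so the false positive it raises on a legitimate request is logged rather than blocked, and the same request is blocked only once the candidate is promoted to protect mode:

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    pattern: re.Pattern          # signature applied to the request line


@dataclass
class Ruleset:
    name: str
    mode: str                    # "detect": alert/log only; "protect": alert/log and block
    rules: list


@dataclass
class Request:
    method: str
    path: str
    query: str = ""


@dataclass
class Verdict:
    blocked: bool = False
    events: list = field(default_factory=list)   # one "ruleset/rule: action" entry per match


def inspect(request: Request, rulesets: list) -> Verdict:
    """Run every ruleset over the request. Both rulesets see the same traffic, but only a
    ruleset in protect mode turns a match into a block; detect mode just records it."""
    verdict = Verdict()
    subject = f"{request.method} {request.path}?{request.query}"
    for rs in rulesets:
        for rule in rs.rules:
            if rule.pattern.search(subject):
                if rs.mode == "protect":
                    verdict.blocked = True
                    verdict.events.append(f"{rs.name}/{rule.name}: block")
                else:
                    verdict.events.append(f"{rs.name}/{rule.name}: alert")
    return verdict


def promote(rs: Ruleset) -> Ruleset:
    """Flip a ruleset from detect-only to enforcing once its alerts have been reviewed."""
    return Ruleset(rs.name, "protect", rs.rules)


def demo_rulesets() -> list:
    # Constructed policy: a proven baseline in protect mode, plus a fresh candidate rule that is
    # deliberately over-broad ("select" anywhere in the URL), staged in detect mode.
    baseline = Ruleset("baseline", "protect", [Rule("path-traversal", re.compile(r"\.\./"))])
    candidate = Ruleset("candidate", "detect", [Rule("broad-sql", re.compile(r"select", re.I))])
    return [baseline, candidate]


def demo_requests() -> list:
    # Constructed sample traffic, not taken from any real log.
    return [
        Request("GET", "/index.html"),
        Request("GET", "/static/../../config.ini"),          # traversal attempt
        Request("GET", "/products/select-size", "id=42"),    # legitimate, trips the broad rule
    ]


def run_demo() -> dict:
    """Return {phase: {path: (blocked, events)}} for the staged policy and after promotion."""
    rulesets = demo_rulesets()
    staged = {r.path: (v.blocked, v.events)
              for r in demo_requests() for v in [inspect(r, rulesets)]}
    promoted = [rulesets[0], promote(rulesets[1])]
    enforced = {r.path: (v.blocked, v.events)
                for r in demo_requests() for v in [inspect(r, promoted)]}
    return {"staged": staged, "enforced": enforced}


if __name__ == "__main__":
    for phase, results in run_demo().items():
        print(phase)
        for path, (blocked, events) in results.items():
            print(f"  {path:30} blocked={blocked} {events}")
```

Running the staged phase shows the traversal request blocked by the baseline and the legitimate `/products/select-size` request merely alerted on; the enforced phase shows what promoting the candidate unreviewed would have cost, which is exactly the false-positive risk the detect-only mode removes.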


Page 23: Brocade vADC Portfolio Overview 2016


Web Application Firewall

Management
• Reporting
• Real-time Statistics
• Logging

Security
• Proactive Security Features
• Meet PCI-DSS compliance requirements
• OWASP Top Ten

Aggregate data
• Aggregate SNMP, alerts and logs
• Automated Learning and Ruleset Recommendations

App Level Security
• Secure Session management, cookie protection, URL encryption, and form field protection
• Bidirectional HTTP inspection

Page 24: Brocade vADC Portfolio Overview 2016


PCI DSS Details

• React appropriately to threats against relevant vulnerabilities as identified in the OWASP Top Ten
• Enforce both positive and negative security models (white/black lists)
• Inspect both web page content and the underlying protocols that deliver content
• Support SSL termination so that encrypted transmissions are decrypted before being inspected by the WAF


Page 25: Brocade vADC Portfolio Overview 2016

Brocade Services Director


• Old world = Static Licenses
  ‒ Over Provisioned / Under Utilized
  ‒ Difficult to manage
  ‒ Inflexible
  ‒ Expensive

• New world = Flexible Licensing
  ‒ Right Sized
  ‒ Easily allocated / re-allocated
  ‒ Flexible
  ‒ Cost Effective

Page 26: Brocade vADC Portfolio Overview 2016


Services Director Licensing

Unique Flexible Licensing System
• Capacity is purchased in 2Gb/s or 5Gb/s blocks of Capacity
• Unrestricted number of vTMs can be licensed:
  ‒ Minimum 1Mb/s
• Capacity can be moved around
  ‒ Allocating draws from the bucket
  ‒ De-allocating returns to the bucket

[Diagram: licence buckets Enterprise Base Pack (10 Gbps), Standard Base Pack (10 Gbps) and WAF Add-On (5 Gbps); three instances, vtm150, vtm151 and vtm152, drawing 3 Gbps STD, 3 Gbps ENT + WAF and 2 Gbps STD + WAF from those buckets]
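The capacity-bucket mechanism described above (purchase in 2 or 5 Gb/s blocks, allocate draws, de-allocate returns, 1 Mb/s minimum), replayed with the slide's own figures as an added Python model. This is illustrative code written for this page, not the Services Director implementation; the bucket class, the `license_vtm` helper and the assumption that a WAF add-on is drawn at the same bandwidth as the instance's base pack are constructed for the example:

```python
from dataclasses import dataclass, field
from typing import Optional

MIN_ALLOC_MBPS = 1                  # page: a vTM can be licensed down to 1 Mb/s
BLOCK_SIZES_MBPS = (2_000, 5_000)   # page: capacity is bought in 2 Gb/s or 5 Gb/s blocks


@dataclass
class CapacityBucket:
    name: str
    total_mbps: int
    allocations: dict = field(default_factory=dict)   # vTM name -> Mb/s currently drawn

    @classmethod
    def purchase(cls, name: str, block_mbps: int, blocks: int) -> "CapacityBucket":
        if block_mbps not in BLOCK_SIZES_MBPS:
            raise ValueError(f"{name}: capacity comes in {BLOCK_SIZES_MBPS} Mb/s blocks only")
        return cls(name, block_mbps * blocks)

    @property
    def free_mbps(self) -> int:
        return self.total_mbps - sum(self.allocations.values())

    def allocate(self, vtm: str, mbps: int) -> None:
        """Allocating draws from the bucket; under-minimum or over-capacity requests are refused."""
        if vtm in self.allocations:
            raise ValueError(f"{vtm} already holds capacity in {self.name}; release it first")
        if mbps < MIN_ALLOC_MBPS:
            raise ValueError(f"{vtm}: minimum allocation is {MIN_ALLOC_MBPS} Mb/s")
        if mbps > self.free_mbps:
            raise ValueError(f"{self.name}: only {self.free_mbps} Mb/s free, {mbps} requested")
        self.allocations[vtm] = mbps

    def release(self, vtm: str) -> int:
        """De-allocating returns the instance's capacity to the bucket (0 if it held none here)."""
        return self.allocations.pop(vtm, 0)


def license_vtm(vtm: str, mbps: int, base: CapacityBucket,
                waf: Optional[CapacityBucket] = None) -> None:
    """License one instance from a base pack and optionally the WAF add-on.
    Model assumption: the add-on is drawn at the same bandwidth as the base pack.
    All-or-nothing: if the add-on bucket is exhausted, the base draw is rolled back."""
    base.allocate(vtm, mbps)
    if waf is not None:
        try:
            waf.allocate(vtm, mbps)
        except ValueError:
            base.release(vtm)
            raise


def snapshot(*buckets: CapacityBucket) -> dict:
    return {b.name: b.free_mbps for b in buckets}


def scenario() -> tuple:
    """Replay the slide's figures, then move capacity between instances."""
    ent = CapacityBucket.purchase("Enterprise Base Pack", 5_000, 2)   # 10 Gbps
    std = CapacityBucket.purchase("Standard Base Pack", 5_000, 2)     # 10 Gbps
    waf = CapacityBucket.purchase("WAF Add-On", 5_000, 1)             # 5 Gbps
    license_vtm("vtm150", 3_000, std)           # 3 Gbps STD
    license_vtm("vtm151", 3_000, ent, waf)      # 3 Gbps ENT + WAF
    license_vtm("vtm152", 2_000, std, waf)      # 2 Gbps STD + WAF
    after_initial = snapshot(ent, std, waf)     # WAF bucket is now empty

    # A fourth WAF-enabled instance cannot be licensed until capacity is returned;
    # the rollback leaves the Enterprise bucket exactly as it was.
    try:
        license_vtm("vtm153", 1_000, ent, waf)
        refused = False
    except ValueError:
        refused = True
    after_refusal = snapshot(ent, std, waf)

    # Move capacity: de-allocating vtm151 returns 3 Gbps to both buckets, then retry.
    for bucket in (ent, waf):
        bucket.release("vtm151")
    license_vtm("vtm153", 1_000, ent, waf)
    return after_initial, refused, after_refusal, snapshot(ent, std, waf)


if __name__ == "__main__":
    for label, value in zip(("initial", "refused", "after refusal", "final"), scenario()):
        print(f"{label:14} {value}")
```

The all-or-nothing draw in `license_vtm` is the part worth copying into any real allocator: without the rollback, a failed add-on draw would silently leak base-pack capacity that no running instance holds.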

Page 27: Brocade vADC Portfolio Overview 2016

Enterprise Capacity Management

• Unique usage-based licensing model
• Dynamic resource and capacity allocation for changing workload
• Drill down to usage reports and export billing data for chargeback

Page 28: Brocade vADC Portfolio Overview 2016


Page 29: Brocade vADC Portfolio Overview 2016

Programmability Part 2: Orchestration

• Orchestration is easy:
  ‒ Full VMware Guest Customization Support
  ‒ Cloud Init for AWS, Azure and OpenStack
  ‒ Software form factor means Puppet, Chef just work

• Configuration is easy:
  ‒ REST/SOAP API

• Autoscale supported natively on AWS, Rackspace and VMware vCenter
  ‒ 3rd Party Extensible with PS

Page 30: Brocade vADC Portfolio Overview 2016


vRealize Orchestrator Plugin

• Brocade plugin comes with 22 workflows to configure vTM.

• Works in conjunction with vCenter plugins that can orchestrate VMs

• Automation of these workflows through vCAC.

• Complex workflows possible by combination of workflows.


Page 31: Brocade vADC Portfolio Overview 2016

Cloud Footprint

All the rest can run Linux, so we can get in there too!

vTM deployments are on more virtual and cloud platforms than any other application delivery controller.

Page 32: Brocade vADC Portfolio Overview 2016

Deploy your own Content Delivery Network (CDN)

Content Delivery Cloud


Page 33: Brocade vADC Portfolio Overview 2016

© 2014 Riverbed Technology. All rights reserved.

How Does a CDN Work?

Without a CDN
1. User requests www.example.com
2. Connectivity established through multiple hops back to the application
3. All communication follows the same path

CDN optimized
1. User requests www.example.com
2. Application directs user to receive select content from the closest location
3. Dynamic communication still goes back to the origin location

[Diagram: both paths terminate at the www and APPS tiers]

Page 34: Brocade vADC Portfolio Overview 2016


How does the Content Delivery Cloud solution work?

1. User Requests www.example.com and Traffic Manager will direct the user to the best location. Content available locally is served directly to the user.

2. For dynamic requests, Traffic Manager will proxy connectivity back to the application over optimized connections, and client connections are established through a single Traffic Manager.

vTM at the Datacenter
• Reliability
• Protection
• Control
• Performance

vTM in cloud
• Web cache and Global Load Balancing of requests

[Diagram: user requests reach the cloud vTM first (step 1); dynamic requests are proxied to the datacenter vTM in front of the www and APPS tiers (step 2)]

Page 35: Brocade vADC Portfolio Overview 2016


Traffic Manager Advantage vs CDN only

Value: Flexibility; Throughput; Adaptive (Public / Private / Hybrid) Consumption; Dynamic Compute

Performance: Optimizations; Connections; Protocols; Deploy Everywhere

Security: Control; Layers; Resiliency; Encryption

Control: Flexibility; Programmability; Simplify Development and Deployment Time

Page 36: Brocade vADC Portfolio Overview 2016

vRouter


Page 37: Brocade vADC Portfolio Overview 2016


Brocade Vyatta 5600 vRouter

The highest performing virtual router in the world

• New Architecture
  ‒ vPlane architecture
  ‒ Up to 10Gbps per Core on bare metal
  ‒ 10Gbps+ on VM with SRIOV or PCI pass-through

• Target Use Case: NFV
  ‒ High Scalability Services vRR, vRS
  ‒ High Performance Routing, Firewall, NAT, etc.

• VMware, KVM, Hyper-V, Bare Metal

Feature Highlights

Routing: IPv4, IPv6, Static, PBR, OSPF, RIP, BGP, Multicast

Security: IPv4, IPv6, Stateful Firewall, NAT

VPN: IPSec, SSL, Route-based, L2-bridging, DMVPN

System Management: CLI, RESTful API, GUI

IP Services: SSH, DHCP, DNS, SNMP

High Availability: VRRP, Stateful Failover, Config Sync

Platforms: VMware, KVM, x86, Hyper-V

Page 38: Brocade vADC Portfolio Overview 2016


Vyatta 5600 vRouter Architecture

Intel DPDK

[Diagram: packets flow through parallel Packet Pipelines spread over Core 0 to Core 7, with a VM attached beside the pipeline]

Page 39: Brocade vADC Portfolio Overview 2016


5600 Deployment Models

Deployment models and relation to vSwitch

[Diagram, three x86 hosts:
• Bare Metal Deployment: the vRouter owns the NICs directly
• Virtualized Deployment: the vRouter VM and other VMs reach the NICs through the hypervisor's vSwitch
• Virtual Deployment with DPDK, SR-IOV / PCI Pass-through: the vRouter and a vTM VM attach to the NICs via vNIC / SR-IOV, bypassing the vSwitch]

Page 40: Brocade vADC Portfolio Overview 2016


Platform Availability

Software / Virtual Machines

• Software environment:
  ‒ Traffic Manager: Linux x86_64: Kernel 2.6.18 - 3.19 (2.6.22+ for IPv6), glibc 2.5+; Solaris 10 (x86_64)

• Virtual Appliances:
  ‒ VMware vSphere 5.0, 5.1, 5.5, 6.0
  ‒ XenServer 6.1, 6.2, 6.5
  ‒ Oracle VM for x86 2.1, 2.2, 3.2, 3.3
  ‒ Microsoft Hyper-V Server 2012 & 2012 R2
  ‒ Microsoft Hyper-V under Windows Server 2012 & 2012 R2
  ‒ QEMU/KVM (RHEL/CentOS 6.x, 7.x; Ubuntu 12.04, 14.04)

• Amazon EC2 - as a virtual appliance or native software install
• Microsoft Azure - as a virtual appliance

• CPU: 2-4 vCPU
• Memory: 2GB, 4GB with Web Accelerator
• Disk Space: Minimum: 1GB; Minimum for Virtual Appliance Install: 16GB

Page 41: Brocade vADC Portfolio Overview 2016


Brocade Virtual Traffic Manager Functionality


Page 42: Brocade vADC Portfolio Overview 2016


Brocade Virtual Traffic Manager Specifications


Page 43: Brocade vADC Portfolio Overview 2016


Why Brocade vADC?

• Programmability
• Scale up & Scale Out: Done Right
• Better for Virtual & Cloud
• Breakthrough Licensing Model
• Best Cloud Footprint


Page 44: Brocade vADC Portfolio Overview 2016


Questions?


Page 45: Brocade vADC Portfolio Overview 2016


Thank you

Page 46: Brocade vADC Portfolio Overview 2016


Global Load Balancing Overview

