
Securing the Cloud: F5 Enterprise Cloud Architecture


Securing the Cloud – BIG-IP v10.2

• New Virtual Application Delivery Controller
  – BIG-IP Local Traffic Manager Virtual Edition (VE)
• Enterprise to Cloud - AAA services, Access Control and Acceleration Services
  – BIG-IP Edge Gateway for Access and Acceleration for the Cloud
• Enterprise to Cloud - Web Application Attack protection
  – Application Security Manager (ASM) with Simplified CSRF protection


Virtualization to Cloud Maturity Model

Enterprise Objective: An IT Services On-Demand Platform

[Diagram: maturity stages Separate, Consolidate, Aggregate, Automate, Liberate, running from Private to Public. Labels: Test and Development; Server Consolidation; Capacity On Demand; Self-Managing Datacenters; Enterprise Computing Clouds On and Off Premise. Markers: "You Are Here", "Or Here" (three times).]


F5’s Dynamic Control Plane Architecture

[Diagram: Users; Application and Data Delivery Network; Resources (Physical, Virtual, Multi-Site DCs; Private and Public Cloud)]

Availability
• Scale
• HA / DR
• Bursting
• Load-Balancing

Optimization
• Network
• Application
• Storage
• Offload

Security
• Network
• Application
• Data
• Access

Management
• Integration
• Visibility
• Orchestration


Problem: Secured Load-Balancing and Traffic Management in the Cloud

[Diagram: Users; Resources (Physical, Virtual, Multi-Site DCs; Private and Public Cloud)]

Flexibility, Context, and Control in the Enterprise… but not in the Cloud

Limited:
• Different models per cloud service
• No commonality with enterprise
• LB scale can vary dramatically*
• Very limited security
• Limited control content / app switching
• No transaction integrity / persistence
• Limited network / application acceleration
• No user context to apply policy
• and on and on…

*Rightscale White Paper: Load-Balancing in the Cloud


F5 Solution: Extend Enterprise-Class ADC to Internal / External Cloud

[Diagram: Users; Resources (Physical, Virtual, Multi-Site DCs; Private and Public Cloud); BIG-IP LTM Virtual Edition shown twice]

Flexibility, Context, and Control in the Enterprise… and the Cloud

Enterprise Ready Cloud:
• Common / shared architectural model
• Predictable, High Performance LB Scale
• Rich content switching
• Full transaction integrity / persistence
• Superior security
• User and application context
• Network and application acceleration


Problem: Access Control & Acceleration Across The Maturity Cycle

Lack of Simplicity, Flexibility, Context, and Control for the Enterprise

[Diagram: Users; Resources (Physical, Virtual, Multi-Site DCs; Private and Public Cloud); VPN (Vendor A); Web Accelerator (Vendor B); WAN Optimizer (Vendor C); DNS Bind Server (Open Source); LDAP, OAM, TAM, CA and AD directories; many separate AAA instances (AAA x 10, AAA x 5, AAA x 2); "?"]

• No context
• Difficult change control
• Error prone
• Costly
• Licensing / vendor management issues
• Compliance problems
• Limited control


F5 Solution: Extend Next Gen Access & Acceleration to the Cloud

Simplicity, Flexibility, Context, and Control for the Enterprise

[Diagram: Users; Resources (Physical, Virtual, Multi-Site DCs; Private and Public Cloud); BIG-IP Edge Gateway; BIG-IP Global Traffic Manager; VPN (Vendor A); Web Accelerator (Vendor B); WAN Optimizer (Vendor C); DNS Bind Server (Open Source); LDAP, OAM, TAM, CA and AD directories; AAA instances (AAA x 10, AAA x 5, AAA x 2). Flow labels: User Requests; Optimal Gateway; Secure Optimized Session.]

• Unified access & acceleration model
• Simplified change control and auditing
• Flexible access policies
• Context-aware: user, device, location, and application
• Control remains within enterprise


F5 Solution: Seamless Access to Applications

[Diagram: Clients; BIG-IP Edge Gateway; Applications]

New in 10.2
• Edge Client Integration with Windows logon provides seamless VPN access
• Access Control for the Cloud


F5 Solution: Application Security Manager

[Diagram: Users; Resources (Physical, Virtual, Multi-Site DCs; Private and Public Cloud); Application Firewall w/Security Policy. Labels: User Requests; Policy Enforcement; Content Scrubbing and Application Cloaking.]

Security enforcement on inbound (request) as well as outbound (response) traffic, protecting the application from attacks including the OWASP Top 10.


F5 Solution: BIG-IP Application Security Manager (ASM) with CSRF Attack Protection

With v10.2, protection is easy to configure from the UI.
