session1 aud10 synthesis sdas and ra - f5 networks · the value you get from an infrastructure...
Post on 11-Jul-2020
F5 Synthesis™: High Performance Services Fabric and Reference Architectures
Steve Allie, Senior Director, Marketing Architecture
F5 Synthesis™
Deliver the most secure, fast, and reliable applications to anyone anywhere at any time.
F5 MISSION
F5 Agility 2014 4
The Evolution of F5
1 • Traffic management • Optimization • Acceleration
2 • Security • Mobility/LTE • Domain Name Services
3 • Hypervisor/Cloud ubiquity • Multi-tenancy, all-active • Identity access management
Application Environment
Agile Development: rapid deployment (network and operations velocity); speed, customer-driven, and quality of app development
Cloud and DevOps: cloud SLA and control; private network agility; accelerate time to market
SDN and Private Cloud: software defined data centers
Failed to address: L4–7 device sprawl and application awareness
F5 VISION
Applications without constraints
The Time Is Right
The Evolution of F5
1 Application Delivery Controller
2 Broadened Application Services
3 Cloud Ready
4 Software Defined Application Services
Software Defined Application Services Elements
High-Performance Services Fabric
Simplified Business Models
• New licensing models • Easy to procure • Save by purchasing bundles
High Performance Services Fabric
The value you get from an infrastructure fabric is the product of four things: what services it can provide, how and where it can deliver those services, the flexibility and scale to meet demand, and how it integrates into your ecosystem.
This is the story of how to build the capability to deliver those services when and where you need them, and of the value you will achieve with a scalable application delivery infrastructure.
High-Performance Services Fabric
Platforms: Virtual Edition • Chassis • Appliance
Network [Physical • Overlay • SDN]
ScaleN: On-Demand Scaling • All-Active Clustering • Multi-Tenancy (TMOS instances across devices)
Fabric capacity metrics: throughput • connections per second • concurrent connections • multi-tenant instances per device* • device service clusters
*40K when combining admin instances with vCMP
Planes: Data Plane • Control Plane • Management Plane • Programmability
What is the High Performance Services Fabric?
Device Group: devices connected together using F5 DSC (2–32) in a Trust Domain
Traffic Groups across the device group exchange state and configuration
Why Use High Performance Services Fabric?
Horizontal Scalability: increased flexibility = greater capacity
Platform Migration: workloads can be migrated between devices
Less Overhead: no need to over-provision by 100%
How does the High Performance Services Fabric work?
Device Group / Trust Domain: devices A, B, C and D in full-mesh communication
Sync-Only or Sync-Failover
Centralized Management Platform
BIG-IQ: BIG-IQ Platform Services + Application Services Modules, managing BIG-IP devices across the Data Center, Hybrid Cloud and Public Cloud
Intelligent Services Orchestration
Reference Architectures
Main tenets of F5 Synthesis™ Reference Architectures
Cloud: migration, bursting and federated services
Mobility: provision, manage, secure and scale for mobility
Security: securing application and service infrastructures
Reference Architectures
• Migration to Cloud • DNS • Cloud Bursting • VDI • High-Performance IPS • DDoS Protection • S/Gi Network Simplification • Security for Service Providers • Application Services • DevOps • LTE Roaming • Cloud Federation • NFV • Web Fraud Protection • Secure Web Gateway
DDoS Reference Architecture
Solution Documents – “Why To”
Tier 1: Protecting L3–4 and DNS (BIG-IP Platform): Network Firewall Services + DNS Services + IP Intelligence (IPI) Module + simple load balancing to Tier 2
Tier 2: Protecting L7 (BIG-IP Platform): Web Application Firewall Services + SSL Termination
SSL can be inspected at either tier
Upstream: DDoS attack traffic arrives via ISPa and ISPb; the ISP provides a volumetric DDoS service, and a Cloud Scrubbing Service sits in front of the data center
Next-Generation Firewall: users (Employees) leverage the NGFW for outbound protection
Inbound users: Customers, Partners
DDoS Product Map: BIG-IP Advanced Firewall Manager • BIG-IP Local Traffic Manager • BIG-IP Global Traffic Manager • BIG-IP Access Policy Manager • BIG-IP Application Security Manager
Technical Documents – “How To”
DDoS Recommended Practices Configuration Guide
2.3.2.5 Throttle GET Request Floods via Script
The F5 DevCentral community has developed several powerful iRules that automatically throttle GET requests. Customers are continually refining these to keep up with current attack techniques.
Here is one of the iRules that is simple enough to be represented in this document. The live version can be found at this DevCentral page: HTTP-Request-Throttle
    when RULE_INIT {
        # Maximum number of GET requests allowed per client IP within the sliding window.
        # This example allows 10 requests in 3 seconds.
        set static::maxRate 10
        # Length of the sliding window in seconds; used as the lifetime of each subtable entry.
        set static::windowSecs 3
        # Idle timeout of each subtable entry; the shorter lifetime above expires it first.
        set static::timeout 30
    }
    when HTTP_REQUEST {
        if { [HTTP::method] eq "GET" } {
            # Count the live entries in this client's subtable: one entry per recent GET.
            set getCount [table key -count -subtable [IP::client_addr]]
            if { $getCount < $static::maxRate } {
                # Record this request as a new entry that expires after windowSecs.
                incr getCount 1
                table set -subtable [IP::client_addr] $getCount "ignore" $static::timeout $static::windowSecs
            } else {
                HTTP::respond 501 content "Request blocked. Exceeded requests/sec limit."
                return
            }
        }
    }
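To check the throttle logic the iRule above implements, here is an added Python model (not F5's or DevCentral's code) of its per-client subtable counter; the client IPs and timings are constructed sample values, and it assumes that `table set` on an existing key simply refreshes that key's expiry.

```python
"""Model of the DevCentral GET-throttle iRule's sliding-window counter."""
from dataclasses import dataclass, field


@dataclass
class GetThrottle:
    # Same tunables as the iRule: at most 10 GETs per 3-second window.
    max_rate: int = 10
    window_secs: float = 3.0
    # One subtable per client IP, {key: expiry}; stands in for
    # `table set -subtable [IP::client_addr] <key> "ignore" <timeout> <lifetime>`
    # where lifetime == windowSecs is the limit that actually expires entries.
    tables: dict = field(default_factory=dict)

    def _live_count(self, client, now):
        """Equivalent of `table key -count -subtable $client`: drop expired keys, count the rest."""
        sub = self.tables.setdefault(client, {})
        for key in [k for k, exp in sub.items() if exp <= now]:
            del sub[key]
        return len(sub)

    def handle(self, client, method, now):
        """Return 'allow' or 'block' for one request from `client` at time `now`."""
        if method != "GET":  # the iRule only inspects GET requests
            return "allow"
        count = self._live_count(client, now)
        if count < self.max_rate:
            # The iRule uses the incremented count as the key (assumption:
            # `table set` on an existing key simply refreshes its expiry).
            self.tables[client][count + 1] = now + self.window_secs
            return "allow"
        return "block"  # HTTP::respond 501 in the iRule


def replay(throttle, requests):
    """Apply (time, client, method) tuples in order and return the decisions."""
    return [throttle.handle(client, method, t) for t, client, method in requests]


if __name__ == "__main__":
    # Constructed sample traffic: a 12-GET burst from one client, then a retry after the window.
    burst = [(0.1 * i, "198.51.100.7", "GET") for i in range(12)]
    later = [(3.5, "198.51.100.7", "GET"), (3.5, "198.51.100.7", "POST")]
    for (t, _, method), decision in zip(burst + later, replay(GetThrottle(), burst + later)):
        print(f"t={t:.1f}s {method}: {decision}")
```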
Another iRule, which is in fact descended from the one above, is an advanced version that also includes a way to manage the banned IP addresses from within the iRule itself:
URI-Request Limiter iRule – Drops excessive HTTP requests to specific URIs or from an IP
2.3.2.4 Enforce Real Browsers
Besides authentication and TPS-based detection (covered in earlier sections of the guide), there are additional ways that F5 devices can separate real web browsers from probable bots.
The easiest way, with ASM, is to create a DoS protection profile and turn on the “Source IP-Based Client Side Integrity Defense” option. This will inject a JavaScript redirect into the client stream and verify each connection the first time that source IP address is seen.
Figure 1. Insert a JavaScript redirect to verify a real browser
Validation Documents – “Prove It”
DDoS (Hardware Accelerated) Performance Testing
Blended attacks; 25+ new DDoS Attack Vector Control options in hardware
UDP Flood: 2x competition
ICMP Flood: 10x competition
TCP SYN Flood: 16x competition
Total Cost of Ownership: 5-year analysis
Data Center Consolidation • S/Gi Simplification • DDoS Protection
[Chart: Service Functionality by vendor (F5, Radware, A10, Citrix, Riverbed), grouped into Device, Network and Application services. Services listed: mobile app management, endpoint inspection, web anti-fraud, SDN, CGNAT, application delivery firewall, policy enforcement, authoritative DNS, IPv6 gateway, link load balancing, load balancing, DNSSEC, DDoS mitigation, cloud bridging, acceleration, mobile optimization, secure remote access, cloud identity federation, web application firewall, SIP delivery and security, VDI, availability, BC/DR, caching, compression. The per-vendor coverage marks are not preserved in the transcript.]
More Information
s.allie@f5.com
@f5allie
The F5 Synthesis™Reference Architectures
www.f5.com/architectures
Q&A