Optimize Apps Across Hybrid Environments with DNS Services
Jonathan George, Sr. Product Marketing Manager
Dave Doucette, Product Manager, DNS and GSLB Services
© 2016 F5 Networks
Agenda
1. Market trends and challenges
2. Hybrid apps and DNS plans
3. Intelligent solutions for every instance
4. Hyperscale and secure your infrastructure
5. Optimize apps across hybrid environments
Market Trends and Challenges
Important Trends in Devices and Apps
Emerging devices and applications: billions
Internet of Things: 80 billion things connected by 2020
• Need scalable DNS and app services
• Really fast connections and responses
Increasing Demands for Data: Internet Queries, Web Complexity, and Mobile Data Growth
• 54% CAGR global growth
• 100+ DNS queries for a single web page
• Mobile data growth = DNS growth: 929 MB/month in 2015, 4.4 GB/month in 2020
Average daily query load for DNS (.com/.net):
  2011: 57B
  2012: 77B
  2013: 82B
  2014: 110B
  2015: 123B
DDoS Attacks Continue to Inhibit Growth
DNS is now the most attacked protocol*
DNS DDoS techniques
• Flooding requests
• Reflection attacks
• Amplification attacks (and with open resolvers)
• NXDOMAIN attacks
• DNS cache poisoning
Traditional techniques inhibit DNS**
• DNS is based on UDP
• DNS DDoS = spoofed sources
• ACL blocks legitimate clients
• DNS attacks = massive volumes = firewalls
[Chart: Network and app attacks by protocol (DNS, HTTP, HTTPS, SMTP, SIP/VoIP, IRC, Other), percentage of respondents]
[Chart: Traditional DDoS mitigation in use (IDMS, ACLs, D/RTBH, Firewall, S/RTBH, Load Balancer, IPS, FlowSpec, MSSP, CDN, Other, None), percentage of respondents]
69% of organizations today don’t monitor or control recursive DNS traffic. Attackers love this! 92% of malware uses DNS to establish C2 communication, exfiltrate data, or redirect traffic.**
*Source: 2016 Arbor Networks Worldwide Infrastructure Security Report
**Source: 2016 Cisco Annual Security Report
DNS Challenges in a Changing Landscape
IDG Research Services surveyed DNS administrators from large organizations to understand the challenges of deploying an available, secure, high-performance DNS infrastructure.
Drive for Security and Request Capacity
Most attacked protocol, DNSSEC deployment expanding:
• Prevent cache poisoning attacks
• Need for DNS DDoS mitigation
• Drive for DNSSEC adoption
Distributed, high-performance needs:
• DNS capacity close to clients
• Geographically dispersed
• Total app and service availability
Hybrid Apps and DNS Plans

Future Adoption: Mix of Web and Mobile Applications, Deployed Across Hybrid Environments, Generating Big Data
Source: F5 The State of App Delivery, 2016
• Private cloud: 43%
• SaaS: 40%
• Public cloud: 34%
• Mobile apps: 45%
• Big data: 37%
Implement for Security and Hybrid Growth
Source: F5 The State of App Delivery, 2016
Application services participants plan to implement in 2016:
• 26% DNSSEC
• 26% Identity federation
• 24% Global server load balancing
• 24% Single sign-on
• 24% Virtual desktop infrastructure

Most Likely Deployed in Cloud Environments
Source: F5 The State of App Delivery, 2016
• 32% DDoS protection
• 29% Anti-spam
• 28% Global server load balancing
• 27% DNSSEC
• 25% Identity federation
Intelligent Solutions for Every Instance

What Can I Do to Scale My Existing DNS Services? Intelligent Services at the Edge
Conventional DNS thinking: Internet > external firewall > DNS load balancing > array of DNS servers > internal firewall > hidden master DNS
• Performance = add DNS boxes
• Weak DoS/DDoS protection
• Firewall is THE bottleneck
F5 paradigm shift, F5 DNS delivery reimagined: Internet > DNS firewall (VIPRION platform) > master DNS infrastructure
Services at the edge: authoritative DNS, caching resolver, transparent caching, DNS firewall, DNS DDoS protection, protocol validation, high-performance DNSSEC, DNSSEC validation, intelligent GSLB
• Hyperscale DNS authoritatively
• Strong DoS/DDoS protection
• Mitigate reflection/amplification
• Lower CapEx and OpEx
Optimize Every Instance for App Performance: Offload DNS Services for External or Internal Use Cases
• Easy integration into existing DNS infrastructure
• Supports millions of responses per second (RPS) for high availability
• Manageable and predictable data center utilization
[Diagram: external visitors, malicious attackers and LDNS on the Internet reach a BIG-IP in the DMZ (DNS/app delivery with geolocation-based context), which passes legitimate queries to local app delivery while absorbing DNS DDoS attacks and cache poisoning; internal users reach a BIG-IP in front of applications, DNS, IPAM and DHCP]
BIG-IP DNS services:
• Auth. DNS scale
• DNS caching/resolv.
• DNS firewall services
• DNS DDoS mitigation
• DNSSEC signing/validation
• Global app routing
Hyperscale and Secure Your Infrastructure

Exponential and Efficient Performance
• High-speed responses and DDoS protection with in-memory DNS
• Scale up to 20× of a premium DNS server (up to 20M RPS)
• Configuration size for tens of millions of records
• Authoritative DNS serving out of RAM
Implement Scalable DNS for All Scenarios
[Diagram: DNS servers (manage DNS records, NIC, OS, admin auth. roles, dynamic DNS, DHCP) behind a BIG-IP in the DMZ, which answers DNS queries from devices]
How Do I Scale without Increasing CapEx? Hyperscale up to 200% for DDoS Protection and Query Growth
Traditional DNS delivery: Internet > firewall > local load balancing > DNS servers (100,000 RPS per DNS server)
Traditional way to increase DNS capacity
• Add more DNS servers
• Load balance between them
• Only 100k RPS and a lot of OpEx when using BIND
F5 paradigm shift, DNS delivery reimagined: Internet > BIG-IP (high performance DNS delivery; Rapid Response: 40M RPS, 20M RPS) > master DNS
• DNS zone transfer for auth. DNS
• Hyperscale up to 200% with Rapid Response
• Up to 40× a premium DNS server
• Up to 400× performance of BIND
Mitigate Attacks and Block Malicious Communications: DNS Firewall Services Keep Your Business Online
[Diagram: devices and LDNS on the Internet > BIG-IP DNS firewall in the DMZ > DNS servers and apps in the data center]
• DNS DDoS mitigation with hyperscale
• Protocol inspection and validation (hardware)
• DNS record type ACL*
• Block access to malicious IPs (RPZ)
• High performance DNS cache
• Stateful—no unsolicited responses
• ICSA certified
• Spread the attack—IP Anycast
• Secure responses—DNSSEC
• Complete DNS control—iRules
• DDoS threshold alerting*
• DNS logging and reporting
• Hardened F5 DNS code—NOT BIND
*Requires provisioning only BIG-IP® Advanced Firewall Manager™ to access functionality
How Do I Mitigate Malicious Communications? Open Service DNS Query Filtering by Reputation
Prevent malware and sites hosting malicious content from ever communicating with a client.
Inhibit the threat at the earliest opportunity. Internet activity starts with a DNS request.
Mitigate DNS threats by blocking access to malicious IPs. Reduce malware and virus infections.
Select your service (live updates to BIG-IP):
• Domain reputation: Response Policy Zone (RPZ) live feed
• IP reputation / URL categorization: IP Intelligence/URL Categories feed
Example
• Wekby’s malware uses DNS tunneling (“Pisloader”) to send http commands in a DNS request for a TXT record
• Allows the DNS request to download malware by bypassing security products that can’t inspect DNS correctly
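The query filtering the slide describes, a Response Policy Zone applied at the resolver, as an added example that is not F5 code: QNAME triggers (domain reputation) are checked before anything is resolved, and answer-IP triggers (malicious IP blocking) are checked on the upstream response. The trigger entries and addresses are constructed placeholders from documentation ranges, not a real feed.

```python
# Added example, not F5 or BIG-IP code: a minimal RPZ-style policy evaluator.
# Triggers are held in plain Python structures instead of RPZ zone records;
# every name and address below is a constructed placeholder.
import ipaddress

RPZ_QNAME = {
    "bad-cnc.example": "NXDOMAIN",     # rewrite: "this domain does not exist"
    "*.bad-cnc.example": "NXDOMAIN",   # wildcard trigger covers subdomains
    "tracker.example": "NODATA",       # answer with an empty record set
}
RPZ_IP = [
    (ipaddress.ip_network("203.0.113.0/24"), "NXDOMAIN"),  # TEST-NET-3 range
]

def _qname_policy(qname):
    """Return the action for qname: exact trigger first, then wildcard parents."""
    name = qname.rstrip(".").lower()
    if name in RPZ_QNAME:
        return RPZ_QNAME[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in RPZ_QNAME:
            return RPZ_QNAME[wildcard]
    return None

def _ip_policy(answers):
    """Return the action if any A/AAAA answer falls inside a listed network."""
    for rtype, rdata in answers:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            for net, action in RPZ_IP:
                if addr in net:
                    return action
    return None

def apply_rpz(qname, answers):
    """Decide what the client gets back: (rcode, answer records).

    QNAME triggers are evaluated first, so a listed domain is blocked without
    the resolver ever contacting the authoritative server; answer-IP triggers
    catch a clean-looking name that resolves into a known-bad range.
    """
    action = _qname_policy(qname)
    if action is None:
        action = _ip_policy(answers)
    if action == "NXDOMAIN":
        return ("NXDOMAIN", [])
    if action == "NODATA":
        return ("NOERROR", [])
    return ("NOERROR", list(answers))
```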
Whiteboard: Scale Authoritatively with Protections (Audience-Provided Scenario)
Easy DNS Deployment, Visibility, and Management: Live UI Demo, Consolidated Menus and Reporting
• Simplified DNS deployment
• One area for all configs
• Visibility and analytics
Higher Quality Experience: Reduction in DNS Latency
“The DNS services in the BIG-IP platform allowed us to offer an improved service with a reduction in latency, due to F5 DNS’s caching capabilities.”
Barry Kezik, General Manager Network Planning and Engineering, Vodafone Australia
Optimize DNS Resolving with Cache Zone Forwarding
• The DNS cache passes a query to the resolver when the response isn’t cached
• The resolver uses root hints to kick off the resolution process (faster web browsing)
• Requests for specific zones are sent to a specific recursive name server (fastest web browsing)
• If the zone isn’t listed, the resolver follows root hints
[Diagram: the BIG-IP DNS cache resolver receives requests for zones A, B and C; zones B and C are forwarded to their configured forward name servers, and all other zones are resolved from root hints]
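The resolving order the slide describes, cache first, then a configured per-zone forwarder, then root hints, as an added example in Python that is not F5 code; the forward-zone table, forwarder addresses and the root-hint address are constructed placeholders, and the upstream query is simulated by a stand-in function.

```python
# Added example, not BIG-IP code: cache, then zone forwarding, then root hints.
# Zones and addresses are constructed placeholders from documentation ranges.
import time

FORWARD_ZONES = {                   # forward zone -> recursive name server
    "corp.example": "192.0.2.53",
    "b.corp.example": "192.0.2.54", # a more specific zone wins over its parent
}
ROOT_HINTS = ["198.51.100.1"]       # placeholder stand-in for the root servers

def select_upstream(qname):
    """Longest-suffix match of qname against FORWARD_ZONES, else root hints."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):            # most specific suffix first
        zone = ".".join(labels[i:])
        if zone in FORWARD_ZONES:
            return ("forward", FORWARD_ZONES[zone])
    return ("root-hints", ROOT_HINTS[0])

class CachingResolver:
    def __init__(self, lookup, clock=time.monotonic):
        self.lookup = lookup     # lookup(qname, upstream) -> (rdata, ttl)
        self.clock = clock
        self.cache = {}          # qname -> (rdata, expiry time)
        self.stats = {"hit": 0, "miss": 0}

    def resolve(self, qname):
        """Return (rdata, source) where source is cache, forward or root-hints."""
        name = qname.rstrip(".").lower()
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:            # honour the record's TTL
            self.stats["hit"] += 1
            return hit[0], "cache"
        self.stats["miss"] += 1             # not cached: hand off to the resolver
        kind, upstream = select_upstream(name)
        rdata, ttl = self.lookup(name, upstream)
        self.cache[name] = (rdata, now + ttl)
        return rdata, kind

def _fake_lookup(qname, upstream):      # constructed stand-in for a real query
    return (f"answer-from-{upstream}", 30)

def demo():
    r = CachingResolver(_fake_lookup)
    first = r.resolve("host.b.corp.example")   # miss, forwarded to 192.0.2.54
    second = r.resolve("host.b.corp.example")  # served from cache
    other = r.resolve("www.example.org")       # zone not listed: root hints
    return first, second, other, dict(r.stats)
```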
Optimize Apps across Hybrid Environments

Optimize Global Apps in Hybrid Environments
Direct users to optimal apps
• Continuously monitor application availability
• Route based on business logic to available apps
• Enable IP geolocation and reputation
• Plan for disaster recovery and business continuity
[Diagram: clients and LDNS on the Internet query BIG-IP DNS in the data center DMZ, which directs them to BIG-IP Local Traffic Manager in the data center or to cloud-hosted apps behind a BIG-IP in the cloud environment]
Replicate Across Hybrid Cloud
• Cloud DNSSEC—signed zones in cloud
• Replicate DNSSEC to non-DNSSEC environments
• Cloud DNS—disaster recovery and business continuity
• DNS replication service—to BIG-IP or other DNS servers in data centers/clouds closest to users
Use cases
• Enhanced AXFR support for DNS Express
• Zone transfer from DNS Express to any DNS service
• Replicate DNS in physical, virtual, and cloud
• NOTIFY is supported, as is a TSIG key for each zone
Migrate to cloud services
[Diagram: in the data center, a traditional DNS server holds unsigned zones and a BIG-IP (high performance DNS and DNSSEC) replicates signed zones to cloud DNS (BIG-IP VE) and cloud DNS services]
Control Apps Based on User Location: Regional Control Improves User Experience
[Diagram: BIG-IP DNS and BIG-IP Local Traffic Manager in the data center DMZ, cloud-hosted apps in cloud services]
• Best available app
• Balance app requests
• Fewer interruptions
• Lower latency
Distributing Requests Across Hybrid Cloud: Cloud Balancing with DNS and Global App Delivery
[Diagram: data center, private cloud, public cloud and SaaS/DNS hosting environments served by DNS-based global app delivery]
• Ensure responses route users efficiently to best data center or cloud
• Extend caching and app management to cloud deployments
• Increase productivity with cloud balancing
• Replicate and secure across hybrid environments
Global SaaS Provider, Crisis Mass Notifications: Virtual Solution Runs Across Hybrid Environments
PROBLEM: Ongoing investment in physical infrastructure not financially feasible for rapid scale and provisioning.
SOLUTION: SaaS provider moved to hybrid cloud to handle sudden bursts. Deployed BIG-IP virtual editions across 4 cloud service providers, creating 11 global virtual private data centers.
RESULT: Resolves inconsistencies across CSPs and aligns with policy for scalability/resiliency. Avoids expensive infrastructure costs. Strengthens application availability and network security.
https://f5.com/solutions/customer-stories/everbridge-manages-traffic-and-security-across-global-cloud-providers-and-local-data-centers
[Diagram: devices on the Internet reach applications in the data center and in four clouds, each with local and global delivery and app and network security]
“When we realized how easy it was to add bundled virtual editions, it was perfect for us.”
Frank Basso, VP of SaaS Operations
“We’re able to cut administrative overhead and costs... F5 gives us one platform—one management interface.”
Frank Basso, VP of SaaS Operations
Optimize Apps with Hyperscale and Secure DNS Services: Ensure Availability to Business Applications
• Scale and manage globally
• Improve performance and availability
• Robust, flexible, and secure infrastructure
• Mitigate DNS DDoS attacks
• Support hybrid IP environments
• Keep business online with DNS firewall
Learn more at f5.com/bigipdns