F5 Synthesis Toronto February 2014 Roadshow
2. Agenda
• Welcome and Introduction to Customer Technology Challenges
• Software Defined Application Services
• Reference Architectures for Today’s Customer Challenges
• Total Cost of Ownership and New Business Models
• Multi-network Environment and Partner Ecosystem
• Making it Happen with Global Services
• Q&A
4. Impact on Data Center Architecture: Applications
MICRO-ARCHITECTURES
API DOMINANCE
Each service is isolated and requires its own:
• Load balancing
• Authentication / authorization
• Security
• Layer 7 Services
• May be API-based, expanding services required
API proxies are used in emerging API-centric
architectures for:
• API versioning
• Client-based steering
• API Load balancing
• Metering & billing
• API key management
More applications need services
More intelligence needed in services
API v1
Service A
Service C
Service B
© F5 Networks, Inc
Service D
API v2
5. Impact on Data Center Architecture: Network
SOLUTION SPRAWL
OPERATIONAL INCONSISTENCY
Increasing threats and client platforms result in
need for:
• Mobile device management
• Mobile access management
• Mobile security
• DDoS
• Application layer threats
• Malware
Introduction of off-premise cloud solutions without
architectural parity results in:
• Inconsistent enforcement of business and
operational policies
• Unpredictable application performance and
security
• Increased OpEx as new management paradigms
are introduced
SaaS
7. Components of SDN
• SDN Applications / Mgmt (Architect): “I define the blueprint for what the network should look like to achieve some goal.” “I can use feedback to make adjustments to the blueprint as I see fit.”
• Controller (Foreman): “I manage switches, and tell them how to connect to each other.” “I also collect and manage state, and can report back to the architect.”
• Switches (Workers): “I take orders, and route packets accordingly.” “I can also report back info to the foreman.”
• API (REST, OpenFlow) between the layers
8. Core Benefits
• Automation & orchestration
• Repeatability, speed
• Less risk (avoid human error)
• Reduced operating cost
• Compliance
• Agility
• Faster app lifecycles and transient usage (dev/test)
• Security
• Network isolation
• Resource Utilization
• Dynamic allocation of resources
9. Who are the Players?
SDN Applications /
Mgmt
Controller
• VMware NSX
• VMware NSX
• Cisco/Insieme
Switches
• Cisco Nexus
9300/9500
• Cisco/Insieme APIC
• NSX vSwitch (OVS)
• OpenStack
• Arista
• Smaller Startups
• Smaller Startups
• Anunta Networks
• BigSwitch
• PlumGRID
Controller
• Smaller Startups /
Whitebox
Architect
Foreman
• Pluribus
• PlumGRID
Workers
10. Application SDN: L4-7
• L2-3 is just “plumbing”
• Dynamic L2-3 == easy, generally solved
• Dynamic L4-7: Application SDN
• Fundamentally harder!
• No good solution today
11. Deliver the most secure, fast,
and reliable applications to anyone
anywhere at any time.
12. Driving Efficiency into Application Development
Agile Development & Development and Operations (DevOps)
• In the past 5 years we’ve seen the push to Agile Development.
• Focused on speed and customer-driven application solutions.
• Drove more efficient application development
• Agile wasn’t focused on rapid deployment of those applications
• Many closed this gap by deploying their applications on the cloud and/or evolving their development and IT organizations with the creation of DevOps
• DevOps describes what has also been called “agile system administration” or “agile operations”, joined together with the values of agile collaboration between development and operations staff.
• The goal of DevOps was simply to get applications deployed quicker.
15. Application Environment
• Agile Development: Speed, customer-driven, and quality of app development. Failed to address: Rapid deployment─network and operations velocity
• Cloud and DevOps: Accelerate time to market. Failed to address: Cloud SLA and control; private network agility
• SDN and Private Cloud: Software defined data centers. Failed to address: L4–7 device sprawl and application fluency
16. The Time Is Right
F5 VISION: Applications without constraints
• Agile Development: Speed, customer-driven, and quality of app development. Failed to address: Rapid deployment─network and operations velocity
• Cloud and DevOps: Accelerate time to market. Failed to address: Cloud SLA and control; private network agility
• SDN and Private Cloud: Software Defined Data Centers. Failed to address: L4–7 device sprawl and application fluency
23. The 4th Phase of the Evolution
• Phase 4: Software Defined Application Services
• Phase 3: Cloud Ready
• Phase 2: Broadened Application Services
• Phase 1: Application Delivery Controller
32. Software Defined Application Services
F5 Software Defined
Application Services (SDAS)
A rich set of services that address
the delivery challenges faced by
businesses today.
33. Software Defined Application Services
Availability
• Global Server LB
• Load Balancing
• CGNAT
• Global Load Balancing
• Authoritative DNS
• Disaster Recovery
• Cloud Bursting
• Business Continuity
• DNS Caching & Resolving
• Intelligent EPC node selection
34. Software Defined Application Services
Compression
Traffic
Management
Caching
Acceleration
Performance
Optimization
Web Performance Optimization
SPDY Gateway
Traffic Shaping and QoS
Application Optimization
35. Software Defined Application Services
SAML Federation
Cloud Federation
Access Control
Anti-Malware
Endpoint Inspection
Single Sign-On
SSL VPN
Active Sync Proxy
Secure Web Gateway
Access &
Identity
Web Access Management
36. Software Defined Application Services
Cloud Bridging MDM
Service Chaining
VO LTE
Subscriber
Traffic Control Policy Enforcement Enrichment
MAM Diameter and Routing NfV
VAS Bursting
SDN
Mobility
LTE Roaming VDI
Mobile Optimization
Mobile
Quota Management
Acceleration Application Traffic Control
37. Software Defined Application Services
Anti-Fraud
Programmability
DNS Firewall
SSL Inspection
Firewall
Anti-Phishing
SSL intelligence
WAF
DNSSEC
ADF
DDoS
SSL VPN
Security
40. Completing the SDN Stack
BIG-IQ
Device™
Software-Defined Data Center
Application Plane
NBI
Control Plane
Virtual Networks
Data Plane
SDN Controller
NVGRE
BIG-IQ
Security™
NBI
OPEN
REST APIs
F5 BIG-IQ
VXLAN
ETC…
Service Chaining
LAYER 2-3
LAYER 4-7
BIG-IQ
Cloud™
44. Simplify License Orchestration
VE License Pools
• Pools available in 25-packs of Good, Better, or Best offers
• BIG-IQ manages licenses for all VEs in the pool
• One-time license provisioning
Benefits
• Spin up a VE when it’s needed
• Retire a VE and return it to the pool
[Diagram: F5 licensing server; BIG-IQ manages licensing for all VEs in the pool; 25 Pack of VEs on the virtual infrastructure (vSwitch, Hypervisor)]
47. Flexibility
Make it easier to adopt advanced F5 functionality
Simplicity
Consolidate into fewer common configurations
Best Value
Save when purchasing bundles
Good | Better | Best
Products shown: BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, Application Acceleration Manager, BIG-IP Advanced Firewall Manager, BIG-IP Access Policy Manager, BIG-IP Application Security Manager, SDN Service, Advanced Routing
Charts: Appliance Comparison and VE Price Comparison (Good, Better, Best; Bought As Bundle vs. Bought As Components)
48. Better
BIG-IP Local Traffic Manager
BIG-IP Global Traffic Manager
• Global server load balancing
• DNS services
• Real-time DNSSEC solution
• Global application high availability
• Geolocation
• DNS DDoS attack protection
BIG-IP Application Acceleration Manager
• Web performance optimization
• WAN optimization (data deduplication, FEC)
• Mobile optimization (smart client cache, image optimization)
• SaaS acceleration (reduce bandwidth usage & page load times)
BIG-IP Advanced Firewall Manager
• High-performance ICSA firewall
• Network DDoS protection
• Application-centric firewall policies
• Protocol anomaly detection
Key Benefits
• Protect and optimize the data center
• Optimize application delivery
• Ensure optimal application availability and performance
• Future-proof the business
• Leverage the power of integrated SDN services
49. Best
BIG-IP Local Traffic Manager
BIG-IP Global Traffic Manager
BIG-IP Application Acceleration Manager
BIG-IP Advanced Firewall Manager
BIG-IP Application Security Manager
• PCI Compliant Web Application Firewall
• Web scraping prevention
• Integrated XML firewall
• Violation correlation & incident grouping
• Application DDoS protection
BIG-IP Access Policy Manager
• 500 concurrent users, scalable up to 200K
• BYOD enablement
• Full Proxy for VDI (Citrix, VMware)
• Single sign-on enhancements (Identity Federation with SAML 2.0)
Key Benefits
• Manage application access
• Support BYOD initiatives
• Accelerate remote access
• Protect IP and minimize vulnerability exposure
• Free development resources to create value
50. Synthesis and Good/Better/Best Licensing
Streamline the architecture process
(1) Match Reference Architecture To Business Need
(2) Choose the Licensing You Need
(3) Choose the Appropriate Platform
52. Reference Architectures
Device, Network, Applications
• S/Gi Network Simplification
• DDoS Protection
• Security for Service Providers
• LTE Roaming
• Application Services
• Intelligent DNS Scale
• Migration to Cloud
• Cloud Federation
• DevOps
• Cloud Bursting
Bill of Materials
• White Paper (Business)
• Solution diagram(s)
• Architecture diagram(s)
• Product map diagram(s)
• Customer Presentation
• Solution Animation/Video
• White paper (Technical)
• Placemat leave-behind
54. DDoS Protection Reference Architecture
Attack types shown:
• Network attacks: ICMP flood, UDP flood, SYN flood
• SSL attacks: SSL renegotiation, SSL flood
• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
• HTTP attacks: Slowloris, slow POST, recursive POST/GET
[Diagram labels: Legitimate Users, DDoS Attacker, Botnet Attackers, Anonymous Proxies, Anonymous Requests, Scanner, Threat Feed Intelligence, Cloud Scrubbing Service, Multiple ISP strategy (ISPa/b), Tier 1 (Network and DNS), Tier 2 (Application), Next-Generation Firewall, IPS, Corporate Users, Financial Services, E-Commerce, Subscriber, Strategic Point of Control]
55. DDoS Protection Reference Architecture
TIER 1 KEY FEATURES
• The first tier at the perimeter is layer 3 and 4 network firewall services
• Simple load balancing to a second tier
• IP reputation database
• Mitigates volumetric and DNS DDoS attacks
[Diagram: the two-tier DDoS protection architecture from slide 54, with the same attack types and labels]
56. DDoS Protection Reference Architecture
TIER 2 KEY FEATURES
• The second tier is for application-aware, CPU-intensive defense mechanisms
• SSL termination
• Web application firewall
• Mitigate asymmetric and SSL-based DDoS attacks
[Diagram: the two-tier DDoS protection architecture from slide 54, with the same attack types and labels]
57. Recommended Practices Configuration Guide
32 Page Detailed Guide…
2.3.2.4 Enforce Real Browsers
Besides authentication and tps-based detection, there are additional ways that F5 devices can separate real web browsers from probable bots.
The easiest way, with ASM, is to create a DoS protection profile and turn on the “Source IP-Based Client Side Integrity Defense” option. This will inject a JavaScript redirect into the client stream and verify each connection the first time that source IP address is seen.
Figure 1. Insert a JavaScript redirect to verify a real browser
2.3.2.5 Throttle GET Request Floods via Script
The F5 DevCentral community has developed several powerful iRules that automatically throttle GET requests. Customers are continually refining these to keep up with current attack techniques.
Here is one of the iRules that is simple enough to be represented in this document. The live version can be found at this DevCentral page: HTTP-Request-Throttle

when RULE_INIT {
    # Maximum number of GET requests allowed per client IP within the sliding window
    set static::maxRate 10
    # This defines how long the sliding window used to count the requests is.
    # This example allows 10 requests in 3 seconds
    set static::windowSecs 3
    # Life timer of the subtable object. Defines how long this object exists in the subtable
    set static::timeout 30
}

when HTTP_REQUEST {
    if { [HTTP::method] eq "GET" } {
        # Count the entries currently held in this client's subtable
        set getCount [table keys -subtable [IP::client_addr] -count]
        if { $getCount < $static::maxRate } {
            incr getCount 1
            # Record this request; the entry ages out of the subtable on its own
            table set -subtable [IP::client_addr] $getCount "ignore" $static::timeout $static::windowSecs
        } else {
            HTTP::respond 501 content "Request blocked. Exceeded requests/sec limit."
            return
        }
    }
}

Another iRule, which is in fact descended from the above, is an advanced version that also includes a way to manage the banned IP addresses from within the iRule itself:
• URI-Request Limiter iRule – Drops excessive HTTP requests to specific URIs or from an IP
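A dry run of the throttle thresholds, added here as an example and not part of F5's guide or the DevCentral iRule: this Python model replays access-log lines through the limit the iRule is meant to enforce (at most maxRate GETs per client IP within windowSecs), so the two values can be checked against recorded traffic before the iRule is enabled. The log format, the sample lines and every function name are assumptions made for the example.

```python
from collections import defaultdict, deque

MAX_RATE = 10        # same role as static::maxRate in the iRule
WINDOW_MS = 3000     # same role as static::windowSecs (3 s), in milliseconds


def parse_line(line):
    """Split '<epoch ms> <client IP> <method> <URI>' (format assumed for this example)."""
    ts, ip, method, uri = line.split(maxsplit=3)
    return int(ts), ip, method, uri


def replay(lines, max_rate=MAX_RATE, window_ms=WINDOW_MS):
    """Replay log lines in time order and report what the throttle would do per client."""
    recent = defaultdict(deque)   # per-client timestamps of GETs that were let through
    report = defaultdict(
        lambda: {"allowed": 0, "blocked": 0, "not_get": 0, "first_block_ms": None})
    for ts, ip, method, _uri in sorted(parse_line(l) for l in lines):
        stats = report[ip]
        if method != "GET":            # the iRule only counts GET requests
            stats["not_get"] += 1
            continue
        window = recent[ip]
        while window and ts - window[0] >= window_ms:   # entry outlived the window
            window.popleft()
        if len(window) < max_rate:
            window.append(ts)
            stats["allowed"] += 1
        else:                          # the iRule answers these with its 501 response
            stats["blocked"] += 1
            if stats["first_block_ms"] is None:
                stats["first_block_ms"] = ts
    return dict(report)


def blocked_clients(report):
    """Client IPs that would have had at least one request rejected."""
    return sorted(ip for ip, s in report.items() if s["blocked"])


def sample_log():
    """Constructed traffic: one GET flood, one ordinary browser, one POST-only client."""
    lines = [f"{i * 100} 198.51.100.7 GET /" for i in range(40)]             # 10 GET/s
    lines += [f"{i * 2000} 203.0.113.20 GET /index.html" for i in range(5)]  # 1 GET per 2 s
    lines += [f"{i * 100} 192.0.2.44 POST /login" for i in range(12)]
    return lines


if __name__ == "__main__":
    result = replay(sample_log())
    for ip in sorted(result):
        print(ip, result[ip])
    print("would be blocked:", blocked_clients(result))
```

Running it against a real log with candidate values shows how many requests from ordinary clients would have been rejected, which is the figure to watch when tightening the limit.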
58. Technical Validation & Performance Testing
• UDP Flood: 2x Competition
• ICMP Flood: 10x Competition
• TCP Syn-Flood: 16x Competition
• Blended Attacks
• 25+ new DDoS Attack Vector Control options in Hardware
59. Mapping F5 Products to Synthesis Solutions
Use Reference
Architectures to
Implement F5
Synthesis
Solutions
60. Key Customer Benefits
Maintain application
availability
Protect network
infrastructure
Defend against
targeted attacks
Safeguard your
brand reputation
Stay one
step ahead
Save money for
your company
ALL BACKED BY WORLD-CLASS SUPPORT AND PROFESSIONAL SERVICES
61. TCO Study─Details
Data Center Consolidation
DDoS
83% Lower TCO
81% Lower TCO
• Service Contracts: 85% Savings
• Space/Power/Cooling: 92% Savings
• Training: 62% Savings
• Upgrades/Patching: 82% Savings
• Service Contracts: 81% Savings
• Space/Power/Cooling: 94% Savings
• Training: 66% Savings
• Upgrades/Patching: 82% Savings
DDoS Market Study
• DDoS Products and Services
• $870 Million Market by 2017
• FSI Represents 23% of DDoS Market
• Services Accounts for 46% of DDoS TAM
• Financial Services, Gaming, and Online Retail are top verticals
63. F5 Global Services and Synthesis
PRODUCT FOCUSED
SERVICE LED
SOLUTION DRIVEN
4
3
2
1
Advanced
Services
Packaged Core
Services
APPLICATION ENABLED
Architecture
and Integration
Consultative and
Strategic
• Reference Architectures
• Managed Services / SOC
• F5aaS
• Solution Definition Workshops
• Security Envisioning
• Remote Services
• Security
• Mobility
• Service Provider
• Implementation
• Migration
• Upgrades
64. Services to Support Reference Architecture Lifecycle
IMPLEMENT
ARCHITECT
Solution Definition Workshop
Installation and Migrations
OPTIMIZE
MAINTAIN
Managed Services and Live Monitoring
S/Gi Network
Simplification
DDoS
Secure
Mobility
Proactive Assessments and Integration
Security for
Service Providers
LTE
Roaming
Application
Services
DNS
Cloud
Migration
Cloud
Federation
DevOps
Cloud
Bursting
67. Completing the SDN Stack
BIG-IQ
Device™
Software-Defined Data Center
Application Plane
NBI
Control Plane
Virtual Networks
Data Plane
SDN Controller
NVGRE
BIG-IQ
Cloud™
NBI
OPEN
REST APIs
F5 BIG-IQ
VXLAN
ETC…
Service Chaining
LAYER 2-3
BIG-IQ
Security™
LAYER 4-7
68. Partner Integration with Synthesis
Auto-scaling, application
provisioning, and
automated system
maintenance and
patching.
Two-way communication
Configure application networking services
Automated network and service provisioning
BIG IQ Cloud
F5 SDAS Service
Fabric
Programmability
Programmability
Automate network and
service provisioning,
F5 Platforms
Hardware | Software | Cloud
Integrate network
virtualization and
ADN services
Provisioning and orchestration
of BIG-IP in AWS
Dynamically update
state of servers in
load balancing pool
70. Why Cisco/ACI matters for Customers
• Cisco and F5 share a common vision for simplifying networking end to end by taking an application-centric approach to solving key pain points in customers’ next-generation data centers while meeting their critical data center requirements today.
• Working with Cisco on Application Centric Infrastructure, F5 has a unique opportunity to deliver on the vision of shaping infrastructure to the needs of the applications.
• Cisco ACI integrates F5 BIG-IP appliances (physical and virtual) to deliver application-centric, ADC-enabled network automation in existing and next-generation data centers
71. VMware NSX and F5 joint solution
Overview
Any Application
(without modification)
Virtual Networks
Any Cloud Management Platform
VMware NSX Network Virtualization Platform
Logical
Logical
Logical
Load Balancer
VPN
Firewall
Logical
Load Balancer
Logical L2
Logical L3
Any Hypervisor
Any Network Hardware
NSX integrates with F5 BIG-IQ and BIG-IPs
F5 Admin defined iApps get published to NSX Manager as
ADN service templates
BIG-IP VEs get automatically deployed, licensed and
configured
User can instantiate and consume F5 iApps from NSX UI
or API
Benefits
Virtual IP:
172.168.1.1
Member pool: 10.0.0.1, 10.0.0.2
ADN template: Web Gold
Compatible with all NSX features
Compatible with all F5 BIG-IQ and BIG-IP features
Seamless support for virtual networks and traditional
networking with VLANs
Support for any CMP including vCAC
Familiar workflows for all teams (in NSX, and in F5 BIG-IQ)
Supports virtual and physical form factor of F5 appliances
72. F5 + NSX : Application delivery needs for enterprise
virtualized workloads in NSX environments
Context Aware Network Services:
• Insertion of application, user and resource awareness in NSX environments
Speed of provisioning:
• Intelligent services orchestration enhances time-to-production for all the necessary infrastructure services from weeks to minutes
Simplified Operations:
• Meet needs for simplified operations and programmability needs for network services
Application visibility and correlation:
• Enhanced visibility and correlation for the application
75. Coming to a City Near You….
Cloud and Security Events
Ask your Account Team for More Information…