F5 User's Group, September 13th 2011 (presentation transcript)
Slide 1: F5 User's Group, September 13th 2011
Agenda
- TMOS version 11: new features and overview
- Demo vCMP
- Demo and discuss iApps
- User discussion – iRules
- Survey and suggestions for next meeting
- Bowling and/or game play
- Meet 2 times a year, in February and September
- User Group website on Devcentral.f5.com – this presentation and the survey results will be posted
Slide 7: Statistics and Reporting
Per Virtual Server CPU Stats and Profile Stats
* Improved Visibility for Each Virtual Service
Slide 8: Statistics and Reporting
Per Process CPU & Memory Stats – Dashboard Customization
* Improved Diagnostics
Slide 9: Open Application Logging Engine
Diagram label: Client
- Real-time Transaction logs
- High Speed Logging Engine (HSL)
- GUI - Request Logging Profile
- Unmatched performance: up to 200,000 HSL (TCP/UDP) messages per second with minimal impact on CPU usage
- Support compliance requirements
- W3C standard web log format support
- HSL is now in the GUI via a Logging Profile
Slide 10: F5 ScaleN Architecture: Ultimate Scalability and Reliability
- The flexibility to scale up, virtualize, and scale out on demand
- Clustered Multiprocessing (CMP) & SuperVIP
- Virtualization (vCMP)
Diagram labels: Scale Up, TMOS, Scale Out
Slide 11: Typical Failover – Limited Control
- Typical ADC runs Active-Standby
- Can only fail the entire ADC
- Failover events disrupt all services
Slide 12: ScaleN: Device Service Clusters: Dynamic Service Based Failover
- Fail over targeted application workloads
- Avoid application service disruptions
- Move applications needing extra power
Slide 14: TMOS – TCP, HTTP, & iRule Enhancements
- Separate caching & compression profiles from HTTP
- TCP Options inspection & transformation with iRules (Akamai)
- Ability to create TCP/UDP out-of-band connections via iRules
- TCP Connection Queuing
- HTML Parsing
Diagram label: iRules
Notes:
TCP Connection Queuing: Provides the ability to queue connection requests that exceed the connection limit for a pool, pool member, or node. Consequently, instead of dropping connection requests, they reside within a queue in accordance with defined conditions until capacity becomes available.
TCP/UDP out-of-band connections: This new feature will provide the ability to do a "callout" to an external system for connection-related information and, as a result, take action. For example, based on the client's source IP address we could query a policy server, verify whether the client is on the white/black list, and pass or deny the connection. This policy server could be RADIUS, HTTP, DIAMETER or LDAP.
TCP Options read/write via iRules: Enhance the TCP Profile to allow iRules to read and write the TCP Option in a HTTP Header. Additionally, we'll add an iRule to extract the Akamai TCP Option.
*Bigpipe is no longer supported in v11
Slide 15: TCP Connection Queuing
- Operates at the TCP level; HTTP not required
- Currently only engages when the connection limit is hit
- Specify a queue length limit, a time limit, or both
- Queues operate per-tmm (no state sharing)
  - Length limit divided by tmm count
  - FIFO guarantees only per-tmm
- Queued at the pool level for non-persistent connections
- Queued at the pool member level for persistent connections
- If the connection limit is overridden by persistence, that connection is not queued
- When a pool member becomes available, it checks the head of its own queue and of the pool's queue, and services the flow that got there first.
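The queuing rules above are easiest to follow as a small simulation. The following is an added example written for this transcript, not BIG-IP code: it models one TMM's queues with the configured length limit split across TMMs, an optional time limit, pool-level queuing for non-persistent connections, member-level queuing for persistent ones, and a member that frees a slot serving whichever queue head arrived first. The addresses, limits and timestamps in the scenario are constructed.

```python
"""Model of the v11 TCP connection queuing rules listed on the slide.
Added example; a constructed simulation, not BIG-IP code."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional


@dataclass
class QueuedConn:
    conn_id: str
    enqueued_at: float  # seconds; arrival order is decided by this timestamp


@dataclass
class ConnQueue:
    """One FIFO queue on one TMM (either the pool queue or one member's queue)."""
    max_len: int                  # this TMM's share of the configured length limit
    time_limit: Optional[float]   # seconds a request may wait; None = no time limit
    items: Deque[QueuedConn] = field(default_factory=deque)

    def expire(self, now: float) -> List[str]:
        """Drop requests that have waited longer than the time limit; return their ids."""
        dropped = []
        while (self.items and self.time_limit is not None
               and now - self.items[0].enqueued_at > self.time_limit):
            dropped.append(self.items.popleft().conn_id)
        return dropped

    def enqueue(self, conn: QueuedConn, now: float) -> bool:
        """Queue a request, or return False when the length limit is reached (request dropped)."""
        self.expire(now)
        if len(self.items) >= self.max_len:
            return False
        self.items.append(conn)
        return True


class TmmQueues:
    """Queues held by a single TMM; every TMM has its own copy and they share no state."""

    def __init__(self, length_limit: int, time_limit: Optional[float],
                 tmm_count: int, members: List[str]):
        share = max(1, length_limit // tmm_count)  # length limit is divided by the TMM count
        self.pool_queue = ConnQueue(share, time_limit)
        self.member_queues: Dict[str, ConnQueue] = {m: ConnQueue(share, time_limit) for m in members}

    def queue_request(self, conn_id: str, now: float, persisted_to: Optional[str] = None) -> bool:
        """Called only once the connection limit has been hit. Persistent connections queue at
        their pool member, non-persistent ones at the pool. (A connection whose limit is
        overridden by persistence never reaches this point; the slide says it is not queued.)"""
        target = self.member_queues[persisted_to] if persisted_to else self.pool_queue
        return target.enqueue(QueuedConn(conn_id, now), now)

    def member_available(self, member: str, now: float) -> Optional[str]:
        """A slot opened on `member`: serve the older of the two queue heads (its own queue
        and the pool's), or None when both are empty after expiry."""
        own, pool = self.member_queues[member], self.pool_queue
        for q in (own, pool):
            q.expire(now)
        candidates = [q for q in (own, pool) if q.items]
        if not candidates:
            return None
        oldest = min(candidates, key=lambda q: q.items[0].enqueued_at)
        return oldest.items.popleft().conn_id


def demo():
    """Constructed scenario: limit 8 over 4 TMMs = 2 per queue on this TMM, 5 s time limit."""
    tmm = TmmQueues(length_limit=8, time_limit=5.0, tmm_count=4,
                    members=["10.0.0.1:80", "10.0.0.2:80"])
    tmm.queue_request("c1", now=0.0)                              # non-persistent -> pool queue
    tmm.queue_request("c2", now=1.0, persisted_to="10.0.0.1:80")  # persistent -> member queue
    tmm.queue_request("c3", now=2.0)                              # pool queue now holds 2 = full
    c4_queued = tmm.queue_request("c4", now=3.0)                  # length limit reached: dropped
    served = [
        tmm.member_available("10.0.0.1:80", now=3.5),  # c1 (t=0.0) is older than c2 (t=1.0)
        tmm.member_available("10.0.0.1:80", now=4.0),  # c2 (t=1.0) beats c3 (t=2.0)
        tmm.member_available("10.0.0.2:80", now=8.0),  # c3 waited 6 s > 5 s: expired, nothing left
    ]
    return c4_queued, served


if __name__ == "__main__":
    print(demo())
```

Because each TMM holds its own queues, a configured limit of 8 on a 4-TMM box gives only two slots per queue per TMM, and ordering is only guaranteed among requests that landed on the same TMM; the scenario shows both effects.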
Slide 16: New Product and Platform Support (October announcement)
Platforms: 1600; 3900/3600; 6900 and 6900S; 8900/8950/8950S; 11000 and 11050
- New 6900S (Turbo SSL) (48 GB memory, 4x SSDs (4x 300GB), 16 Gbps HW compression) and 11000/11050F (FIPS) platforms (October announcement)
- WOM standalone product and platforms (1600, 3600, 3900, 6900, 8900, 11000)
- Modules: Add-on Module support for VE and 1600 (ASM, WA, APM, GTM, WOM)
- Modules: Triplet support on 3600 and higher (any combination excluding LC)
- VE Production (LTM, APM, ASM, WOM, GTM) *WA coming next release
- New VE Lab editions that include all products
Notes: BIG-IP hardware is designed specifically for application delivery. Features such as hardware SSL, hardware compression, and multi-core processing enable BIG-IP hardware to deliver even the most demanding applications. Options for dual hard drives, dual power, and hot-swappable components give you the highest reliability.
Slide 17: BIG-IP Advanced Acceleration Overview: Adaptive Protection for Web 2.0 Applications
Slide 18: Easily Secure JSON Payloads – BIG-IP Application Security Manager
- Display a Blocking Message in an AJAX Widget
- Protect from JSON threats
- Render a unique blocking message for AJAX widgets
- User informs the admin with the support ID for resolution
Notes:
Blocking page: The user doesn't understand what happened if there is no blocking page. ASM administrator: a customer calls and says "I can't pass a certain image". A blocking page allows the customer to inform the ASM administrator or tech support of the block and of the support ID to give to Tech Support to solve the problem. It also allows the testing team to test the ASM policy and make sure the policy doesn't contain a false positive.
An attacker using a JSON payload will be blocked. If the JSON payload continues to violate the policy then the image/text will not render. If the payload doesn't violate the policy then the image is rendered. If IT sees that this support ID is a false positive then a correction can be made so the JSON payload does not violate the policy.
The data flexibility provided by JSON and AJAX also creates a rich environment for web application attacks that are based on name=value pairs. Poorly written JSON code can allow an attacker to modify the application by manipulating the name=value object data or by inserting or altering the binary payloads, preventing a user from seeing their customized content. Sophisticated AJAX attacks can also be used to initiate XSS and JSON hijacking attacks, allowing the attacker to compromise very personalized information for targeted users.
Example:
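To make the blocking-message mechanism concrete, here is an added example written for this transcript; it is not ASM code and its policy format is invented. It validates the name=value pairs of a JSON request body against a constructed per-endpoint policy (allowed parameter names, types, lengths, enumerated values, nesting depth) and, on a violation, returns a small JSON document an AJAX widget can render in place of the real content, carrying a support ID the user can quote to the administrator. The violation details stay on the server side for the administrator to review; the user-visible message only carries the ID.

```python
"""Policy check for a JSON/AJAX request body with a blocking message carrying a support ID.
Added illustration of the mechanism on the slide; constructed policy, not ASM's format or code."""
import hashlib
import json
from typing import Any, Dict, List, Tuple

# Constructed parameter policy for one AJAX endpoint (names and limits are assumptions)
POLICY: Dict[str, Any] = {
    "max_depth": 3,
    "parameters": {
        "user_id": {"type": int},
        "caption": {"type": str, "max_len": 80},
        "theme":   {"type": str, "allowed": {"light", "dark"}},
    },
}


def _depth(value: Any) -> int:
    """Nesting depth of a decoded JSON value; scalars are depth 0."""
    if isinstance(value, dict):
        return 1 + max((_depth(v) for v in value.values()), default=0)
    if isinstance(value, list):
        return 1 + max((_depth(v) for v in value), default=0)
    return 0


def check_payload(payload: Any, policy: Dict[str, Any] = POLICY) -> List[str]:
    """Return the policy violations for a decoded JSON object (empty list = compliant)."""
    if not isinstance(payload, dict):
        return ["top-level value must be a JSON object"]
    violations: List[str] = []
    if _depth(payload) > policy["max_depth"]:
        violations.append(f"nesting depth exceeds {policy['max_depth']}")
    rules = policy["parameters"]
    for name, value in payload.items():
        rule = rules.get(name)
        if rule is None:
            violations.append(f"{name}: unknown parameter")
            continue
        # bool is a subclass of int in Python; treat it as a mismatch for int parameters
        if not isinstance(value, rule["type"]) or (isinstance(value, bool) and rule["type"] is int):
            violations.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            violations.append(f"{name}: longer than {rule['max_len']} characters")
        if "allowed" in rule and value not in rule["allowed"]:
            violations.append(f"{name}: value not allowed")
    return violations


def support_id(body: bytes) -> str:
    """Opaque reference the user can quote to the administrator. Derived from the body here so
    the example is reproducible; a real WAF would use a unique per-request identifier (assumption)."""
    return hashlib.sha256(body).hexdigest()[:16]


def handle_request(body: bytes) -> Tuple[bool, Any, List[str]]:
    """Enforce the policy on a raw JSON body. Returns (blocked, response_object, violations).
    When blocked, response_object is the blocking message for the widget; the violations are
    meant for the server-side log, not for the user."""
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        violations = ["malformed JSON"]
    else:
        violations = check_payload(payload)
        if not violations:
            return False, payload, []
    sid = support_id(body)
    blocking_message = {
        "blocked": True,
        "support_id": sid,
        "message": f"The requested action was blocked. Please contact the administrator "
                   f"and quote Support ID {sid}.",
    }
    return True, blocking_message, violations


if __name__ == "__main__":
    print(handle_request(b'{"user_id": 7, "caption": "hello", "theme": "dark"}'))
    print(handle_request(b'{"user_id": "seven", "theme": "pink", "debug": true}'))
```

A false positive shows up as a support ID in the administrator's log next to the rule that fired (for instance an over-tight length limit on `caption`), which is the tuning loop the slide describes.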
Slide 19: F5 Innovative Protection for Web 2.0 Apps
- Secure all applications
- Automatically share policies between devices
- Quickly deploy BIG-IP ASM VE in private clouds
Diagram labels: Data Center; Hacker; BIG-IP Application Security Manager; Internet; Clients; Web 2.0 Apps; Private Cloud Apps; BIG-IP Application Security Manager
Slide 20: BIG-IP Application Security Manager: Protection from Vulnerabilities
Enhanced Integration: BIG-IP ASM and WhiteHat Sentinel
Diagram labels: Customer Website; WhiteHat Sentinel finds a vulnerability; Virtual patching with one click on BIG-IP ASM; Vulnerability checking, detection and remediation; Complete website protection; BIG-IP Application Security Manager
- Verify, assess, resolve and retest in one UI
- Automatic or manual creation of policies
- Discovery and remediation in minutes
Slide 21: ASM and the Software Development Lifecycle
Diagram labels: Policy Tuning; Pen tests; Performance Tests; WAF "offload" features: Cookies, Brute Force, DDOS, Web Scraping, SSL, Caching, Compression; Final Policy Tuning; Pen Tests
- Incorporate vulnerability assessment into the SDLC
- Use business logic to address known vulnerabilities
- Allow resources to create value
Notes: Best scenario: add ASM into the SDLC in the Design, Integration/Test, and Installation and Acceptance phases. Some customers are unable to make that investment. For these customers we offer an alternative: vulnerability assessment on the production environment followed by quick ASM mitigation. Essentially this is the WhiteHat integration, giving them assurance of no open vulnerabilities.
Slide 22: BIG-IP Advanced Acceleration Overview: Advanced Dynamic Services for Unified Access Control
Slide 23: F5 Unified Access and Control: Flexible and Dynamic ADC Services – BIG-IP v11
Diagram labels: Mobile and Remote Users; Public/Private Cloud; BIG-IP System Virtual Editions; Internet; Optimized Applications to BIG-IP Edge Client; BIG-IP Edge Gateway; Data Center; BIG-IP Global Traffic Manager; BIG-IP Local Traffic Manager + Access Policy Manager; Corporate WAN; IPsec: Optimized Site-to-Site Tunnels; BIG-IP Edge Gateway + Access Policy Manager + WebAccelerator + WAN Optimization Manager; Headquarters and Remote Offices
- Supports users worldwide
- Secure IPsec site-to-site tunnels
- Fast apps to Edge Client users
- Virtual and standalone deployments
Notes: APM v11 on Edge Gateway surpasses VPN feature parity. IPsec (iSessions) site to site (gateway to gateway), extending layer 3 networks, vs. the initial IPsec (client to site), where SSL VPN is normally the replacement. App Tunnels: new and improved. Easily configurable Dynamic Webtop. Flash patching.
Slide 24: Authentication All in One and Fast SSO – F5 BIG-IP Access Policy Manager
- Dramatically reduce infrastructure costs; increase productivity
- Integrate and distribute users to apps
- Multi-domain Single Sign-On to applications and networks
- ACA now in APM = OCSP, CRLDP (Certificate Revocation List) and TACACS+ (Cisco version of RADIUS)
- Easy and simple authentication design
- Single Sign-On to multiple LTM/APM or Edge Gateway virtual servers. Example: client certificate authentication from an iPhone/iPad back to APM/Edge Gateway, using Kerberos Constrained Delegation (KCD) and Kerberos Protocol Transition (KPT) to perform backend SSO
- Easy configuration for settings and domains
- Configure different cookie settings and SSO methods for different domains or different hosts in the same domain, spanning multiple separate domains or multiple hosts within the same domain
Notes: Able to show the different back-end or server-side auth mechanisms that we can support.
Diagram labels: NTLM, Basic, Header, KPT = BIG-IP v11
Slide 25: New Detailed Reporting – BIG-IP APM
- e.g. Who accessed the app or network, and when?
- e.g. How many XP users are still on my network?
- e.g. Where are users accessing from (geolocation)?
- Custom, built-in and saved reports
- Exported and used on other devices
Slide 26: BIG-IP Advanced Acceleration Overview: Scalable, Adaptive and Secure DNS Infrastructure
Slide 27: Scalable GSLB Performance: Step 1: Multicore (CMP) – BIG-IP GTM v11
- Enable users to access apps during spikes
- Scale GTM query performance utilizing hardware
- CMP enabled, utilizing the full set of processing cores
- Up to 6 million QPS on VIPRION
- Each CPU core ~ a high performance DNS server = 130k+ QPS
- Integrates GTM in TMM for exponential performance
Notes: Preliminary estimates (may exceed):
- Queries/second: 130k+ QPS per core
- GTM VE – 1 TMM = up to 125k QPS depending on server CPU
- GTM 1600 standalone – 2 cores = ~300k QPS (not pictured)
- GTM 3900 standalone – 4 cores = ~600K QPS
- GTM 8900 standalone – 8 cores = ~1.5 Million QPS
- GTM standalone – 12 cores = ~2 (or 2.5?) Million QPS (extra high speed bridge for L4)
- VIPRION 2000 GTM module scales with blades: 16 cores = up to 3 Million QPS
- VIPRION 4000 GTM module scales with blades: 32 cores = up to 6 Million QPS
Chart labels: 6Mil QPS, 125k QPS, 600k QPS, 1.5Mil QPS, 2Mil QPS, 3Mil QPS
Slide 28: Exponential and Efficient DNS Performance: Step 2: Implement DNS Express
- High-speed response and DDoS protection with in-memory DNS
- Authoritative DNS serving out of RAM
- Configuration size for tens of millions of records
- Scalable DNS performance
- Consolidate DNS servers
Diagram labels: DNS Server; DNS Express in TMOS; Answer DNS Query; Manage DNS Records; OS Admin / Auth Roles; Zone transfer and notify for updates; NIC; Dynamic DNS; DHCP
Estimated performance: 250k QPS per core
Slide 29: Solution: Easily Handle All DNS Requests: Step 3: BIG-IP GTM and IP Anycast Integration
- Same IP address for multiple devices
- Geographically separate the DNS request load for all requests
- Scale DNS infrastructure up and out per BIG-IP
- Revenue and brand are protected
  * DNS queries, legitimate and attacks, are sent to the closest device
  * Difficult for attackers to target a single device
  * Obscures the number of servers and devices answering DNS queries
Notes: (After, with IP Anycast and one IP address, the routing system distributes DNS requests across multiple GTM devices, reducing the increased load each device has to handle.) Increased performance: if 2 Mil QPS before, now, after balancing the query load, 6 Mil QPS. *Add a graph for each GTM to show each managing DNS query requests and sharing the load. Splitting the load allows for easy management of increased DNS query requests.
- Monitors GTM automatically for RHI (checkbox in the DNS Listener)
- Add the Routing Module to a standalone GTM
- Route Health Injection (RHI) for the DNS Listener
- Routing architecture sends the query to the closest device
- Uses networking / routing weights
- Can be used inside a datacenter to cluster GTMs
Basic Global Server Load Balancing (GSLB) illustration:
Setup: The organization EXAMPLE.COM is concerned about application latency and maintaining high availability in the event of a datacenter failure.
- Clients located all over the world
- Three major datacenters: North America, EMEA, Asia
- Three F5 BIG-IP Global Traffic Managers (GTM) in a sync group, effectively acting as a single system
First click: Highlight the three datacenters.
Second click: The black line represents the clients' requests for the same resource.
Third click: Details of F5 BIG-IP GTM handling the request:
1. GTM receives the request
2. Match the FQDN in the GTM name list
3. Configured for topology load balancing using IP geolocation
4. Look up the LDNS IP against the geolocation database
5. Map the LDNS location to the datacenter's region
6. Validate the resource is available
7. Respond with the appropriate IP for the chosen datacenter
Then it shows the colored arrows representing the different IP addresses that are used for each datacenter.
Fourth click: The GTM box dissolves and the answer arrows show the BEST answer that each client receives based on their location.
Fifth click: Text box explaining that this configuration and dynamic IP response is invalid in the traditional world of DNSSEC.
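The seven-step walkthrough above, as an added example written for this transcript rather than F5 code or configuration. The geolocation prefixes (RFC 5737 documentation ranges), the per-region datacenter addresses, the wide-IP list and the health table are all constructed. It goes one step beyond the slide: when the topology choice is down, or the LDNS cannot be geolocated, it falls back to another healthy datacenter instead of answering nothing.

```python
"""Topology-based GSLB decision: match the FQDN, geolocate the LDNS, map its region to a
datacenter, validate availability, answer with that datacenter's IP.
Added example with constructed data; not a real GeoIP feed or F5 configuration."""
import ipaddress
from typing import Dict, Optional

# Constructed geolocation database: LDNS prefix -> region (RFC 5737 documentation ranges)
GEO_DB = {
    ipaddress.ip_network("198.51.100.0/24"): "North America",
    ipaddress.ip_network("192.0.2.0/24"): "EMEA",
    ipaddress.ip_network("203.0.113.0/24"): "Asia",
}

# Constructed datacenter table: region -> address answered for the wide IP in that datacenter
DATACENTERS = {
    "North America": "198.51.100.10",
    "EMEA": "192.0.2.10",
    "Asia": "203.0.113.10",
}

# Constructed GTM name list (the wide IPs this system answers for)
WIDE_IPS = {"www.example.com"}

# Order in which remaining datacenters are tried when the topology choice is down (assumption)
FALLBACK_ORDER = ("North America", "EMEA", "Asia")


def region_for_ldns(ldns_ip: str) -> Optional[str]:
    """Steps 4 and 5: look the resolver's address up in the geolocation database, return its region."""
    addr = ipaddress.ip_address(ldns_ip)
    for prefix, region in GEO_DB.items():
        if addr in prefix:
            return region
    return None


def resolve(fqdn: str, ldns_ip: str, available: Dict[str, bool]) -> Optional[str]:
    """Return the A record the GTM would answer with, or None when the name is not a wide IP
    or no datacenter is available. `available` is the health state per region (step 6 input)."""
    if fqdn.lower().rstrip(".") not in WIDE_IPS:            # step 2: match FQDN in the name list
        return None
    region = region_for_ldns(ldns_ip)                          # steps 3-5: topology by IP geolocation
    if region is not None and available.get(region, False):    # step 6: validate resource is available
        return DATACENTERS[region]                             # step 7: answer for the chosen datacenter
    for fallback in FALLBACK_ORDER:                            # beyond the slide: next healthy datacenter
        if fallback != region and available.get(fallback, False):
            return DATACENTERS[fallback]
    return None


if __name__ == "__main__":
    health = {"North America": True, "EMEA": True, "Asia": False}
    # An Asian resolver gets the North America answer while the Asia datacenter is down
    print(resolve("www.example.com", "203.0.113.55", health))
```

The fifth click's remark about DNSSEC follows from this function: the answer depends on who asks, so a zone signed once in advance cannot cover every response.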
Slide 30: Eases the IPv6 Evolution: DNS64 / NAT64
- Combined NAT64 and DNS64 provide automatic translation
- Supports pure IPv6 clients accessing both IPv6 and IPv4 sites
- Critical for mobile devices and any client optimized for pure IPv6
- Eases the evolution and bridges the gap between IPv6 and IPv4 DNS
Diagram labels: BIG-IP Local Traffic Manager + Global Traffic Manager; Internet; IPv4 and IPv6 Clients; Forwarding/Mapping Virtual; NAT64; DNS64; v4 DNS (A); v6 DNS (AAAA)
Notes:
- NAT64 proxy: LTM manages between IPv4 and IPv6
- DNS64: automatic method of simulating an IPv6 address for an IPv4 resource
- Mobile/Notepad/Notebooks unable to support both v4 and v6 due to lack of resources
- The high number of mobile devices on each network complicates hosting dual IP addresses for each device
Flow:
1. DNS query
2. DNS64 (GTM) sends queries to the upstream recursive DNS servers based on the configured option. 3 options for DNS64 handling: try IPv6 first, then try IPv4; send both IPv6 and IPv4 at the same time and take the first response; convert all queries to IPv4
3a. If v6 DNS, then the AAAA record is returned to the client as usual (assuming option 1 above)
3b. If only a v4 DNS A record is returned, LTM adds the 96-bit prefix to the A record and returns an AAAA to the client
4. The client sends traffic to the AAAA address; the 96-bit prefix network address is owned by the LTM (or GTM combo) configured with NAT64
5. NAT64 transforms the v6 address to a v4 address for the outgoing connection (LTM full proxy)
6. NAT64 sends the response data to the client using IPv6
Many mobile providers have described a problem: the inability to run a dual network stack.
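Steps 2, 3b and 5 of the flow are a pair of address transformations, shown here as an added example written for this transcript rather than F5 code. The slide does not name the 96-bit prefix, so the well-known NAT64 prefix 64:ff9b::/96 from RFC 6052 is assumed; `dns64_answer` models the three handling options with the upstream server's responses passed in as lists, and `nat64_destination` is the reverse mapping the NAT64 side performs when the client connects to the synthesized address.

```python
"""DNS64 AAAA synthesis and the matching NAT64 reverse mapping.
Added example, not F5 code; the /96 prefix is an assumption (RFC 6052 well-known prefix)."""
import ipaddress
from typing import List, Optional

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # assumption: RFC 6052 well-known prefix


def synthesize_aaaa(a_record: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """Step 3b: embed the 32-bit IPv4 address in the low bits below the 96-bit prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("DNS64 prefix must be a /96")
    v4 = ipaddress.IPv4Address(a_record)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def nat64_destination(aaaa: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[str]:
    """Step 5: on the NAT64 side, recover the IPv4 destination from a synthesized address.
    Returns None for an address outside the prefix, i.e. a native IPv6 destination that
    needs no translation."""
    v6 = ipaddress.IPv6Address(aaaa)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_answer(aaaa_records: List[str], a_records: List[str], mode: str = "ipv6_first") -> List[str]:
    """Steps 2 and 3: build the AAAA answer under one of the three handling options on the slide.
    `aaaa_records` and `a_records` stand for what the upstream recursive server returned."""
    if mode in ("ipv6_first", "parallel"):
        # Option 1 queries AAAA first and only asks for A when nothing came back; option 2 sends
        # both at once and takes the first reply. In both, a native AAAA is passed through
        # unchanged and synthesis only happens when there is none (assumption for option 2:
        # the native answer is the one that arrives).
        if aaaa_records:
            return list(aaaa_records)
        return [synthesize_aaaa(a) for a in a_records]
    if mode == "ipv4_only":
        # Option 3 converts all queries to IPv4: always synthesize from the A records
        return [synthesize_aaaa(a) for a in a_records]
    raise ValueError(f"unknown DNS64 mode {mode!r}")


if __name__ == "__main__":
    # Constructed upstream answers for a v4-only site
    synthesized = dns64_answer([], ["198.51.100.1"])
    print(synthesized)                                # ['64:ff9b::c633:6401']
    print(nat64_destination(synthesized[0]))          # 198.51.100.1
```

Because the prefix is owned by the NAT64 device, any client traffic to a synthesized address lands on it by routing alone, which is what step 4 relies on; a native AAAA outside the prefix bypasses the translator entirely.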
Slide 31: Usability Enhancements: Route Domains, Monitors, & Default Certificates!
- Removed the Basic/Advanced listener
- iQuery status in the GUI
- Default certificate is now 10 yrs!
- GTM monitor support of Route Domains
- Optional manual selection of prober assignments
Diagram labels: BIG-IP Global Traffic Manager; BIG-IP Local Traffic Manager + Global Traffic Manager; Route Domain 0; Route Domain 1; Route Domain 2; GTM
Slide 32: Global Customer Training for V11: Free Customer Web-based Training
- What's New in BIG-IP V11
- Additional v11 WBT modules will be available later
Slide 33: vCMP Demo: Virtual Clustered Multi-Processing
- vCMP = F5's purpose-built hypervisor
- Currently available with version 11 on the VIPRION platforms
- Today's demo is on a VIPRION 2400
Slide 34: V11: The iApp Revolution
- Framework to unify, simplify and control Application Delivery Services
- Application-centric
- Contextual view and advanced analytics
- Rapid and predictable deployment
Notes: Optimizing the network for specific applications takes weeks … and can be frustrating. F5's unique application deployment guides helped … now just days. F5's new iApp capability reduces the process to hours and minutes, and it's portable like virtual machines.
Slide 35: BIG-IP V11: Managing Application Services
Diagram labels: BIG-IP V10 Managing Objects & Services; BIG-IP V11 Managing Application Services
Notes: There are so many objects to manage in order to deploy an application. It's a large feat to manage all of these objects as independent collections.
Slide 36: BIG-IP V11: Managing Application Services
F5 iApps: Managing application services … not network devices or objects.
Slide 37: IT Network, Security, WAN, and Exchange Team Collaboration: Application-specific questions
Slide 38: The network from an "Application's Point of View"
Use a single interface to:
- Understand F5 application service dependencies
- Rapidly perform operational tasks
- Get a quick view of overall application and health status
- View availability status and type for each service object
- Rapidly enable and disable resource pool nodes or servers
Callouts: Operational tasks and health status for App objects on a single page; Availability status and type for each object; Enable/Disable one or more node(s)
Slide 39: iApp Ecosystem
- More than 20 iApp templates come with v11
- F5's Open iApp Ecosystem is part of DevCentral
- Share iApps within organizations, between partners, and with other vendors
Slide 40: User Discussion: iRules – Randy Ferguson, F5 Consultant (Tempe, AZ)
Do you have an iRule you would like to discuss?
Examples:
- Select a pool based on the HTTP host header
- Sideband Connection – new in v11
- LDAP Proxy
- Proxy Pass
Additional resources – DevCentral Tutorials