Securely delivering Microsoft applications Paul Dignan F5 Networks.

Presentation transcript:


© F5 Networks, Inc
The Evolution of F5
Security; Mobility/LTE; Domain Name Services; Hypervisor/Cloud ubiquity; Multi-tenancy, all-active; Identity access management; Traffic management; Optimization; Acceleration

The Evolution of F5
1. Application Delivery Controller
2. Broadened Application Services
3. Cloud Ready
4. Software Defined Application Services

High-Performance Services Fabric
[Diagram: Network [Physical, Overlay, SDN]; Virtual Edition, Chassis, Appliance; Data Plane, Control Plane, Management Plane; Programmability]


“With the departure of Threat Management Gateway (TMG) how, or more importantly, what will administrators use to secure their Internet-facing Microsoft Applications?”

F5 | Microsoft Strategic Relationship
Joint investment, shared thought leadership and strategic planning
Microsoft Technology Center Alliance Partner
Microsoft Partner Solution Center Partner with office and lab space
F5 training for Microsoft field, services, and support teams
Visual Studio Industry Partner and VSIP Member
F5 International Technology Centers give customers who use Microsoft technologies access to the experts
Solution development across products and technologies: SSTP, RDS/Terminal Services, IIS/ASP.NET
“We’re impressed with F5’s holistic view of the application…the comprehensive architecture F5 has designed will optimize application performance for Microsoft customers.” –Greg Kirchoff, Microsoft Director of ISV Group

Threat Management Gateway vs F5
[Diagram: before F5 and with F5. Labels: Internet; Devices; [Hardware Firewall]; Load Balancing, DDoS Protection, Firewall; Data Center: Exchange, Lync, SharePoint, Web Servers]

TMG – Traffic Management
Before F5: TMG included a basic Traffic Management feature set, which was primarily built for handling HTTP traffic.
Load Balancing: Primarily HTTP/HTTPS
Monitoring: 3 Options: Simple get, ICMP, TCP port check
Persistence: 2 Options: Source, Cookie
SSL Engine: Offloading / Bridging / Rewrite Redirect Support
With F5: F5 includes the industry's widest, deepest, and most flexible Traffic Management engine. True application switching with full proxy support & the power of iRules.
Load Balancing: Full Proxy, Multi Protocol
Monitoring: Application aware health and availability, Synthetic client transactions
Persistence: Multiple options with custom abilities
SSL Engine: Full hardware based PKI support with advanced functionality
Traffic Management is a core focus of F5, and the TM feature set found in BIG-IP LTM far exceeds anything else in the market today.

TMG – Client Authentication
Before F5: TMG offered customers a broad spectrum of authentication schemes (KCD, Basic, NTLM, Negotiate, Kerb, LDAP, RADIUS, AD, OTP, Client Cert, etc.) with support for authentication translation.
Landing Pages: Customized
Cross forest: Supported
Single Sign On: Limited
With F5: The BIG-IP matches up well against TMG's range of supported authentication schemes and translation functionality.
Landing Pages: Customized
Cross forest: Supported
Single Sign On: Full
Customers migrating to F5 will be able to take advantage of a rich set of authentication and authorization features unique to F5. Endpoint inspection, AD interrogation, & layered auth are compelling capabilities that will be new to your customer. Management through the Visual Policy Editor will also make managing the advanced functionality even easier.

TMG – Network Layer (3,4) Firewall
Before F5: TMG is a certified (CC EAL4+) network firewall suitable for placement at the perimeter of any network. DOS prevention is supported via a set of connection (TCP, Half Open, UDP, HTTP RPS, non-TCP) limits per IP per second.
Layer 3,4 Firewall Rules: Supported
Layer 3,4 DOS Prevention: Connection Limits
With F5: BIG-IP is an ICSA & CC certified network firewall suitable for placement at the perimeter of any network as well.
Layer 3,4 Firewall Rules: Supported
Layer 3,4 DOS Prevention: Advanced with DDOS prevention
With historically strong DOS & DDOS mitigation technology (syn cookies, connection limits, resource thresholds/watermarks, etc.), recent certifications (ICSA) give credibility to F5's posture as a perimeter security device. Add to that BIG-IP's global address map & filtering capabilities, and you have firewalling with geographic awareness.

TMG – Remote Access & VPN
Before F5: TMG included an RA/VPN engine with several access protocols.
Access Protocols: L2TP, PPTP, SSTP
Methods: Site to Site (IPSec), Remote User
Quarantine: Supported
Authentication: Username/Password, Certificate
With F5: APM delivers a rich & full remote access & site to site feature set that provides clientless or client based options, endpoint inspection, quarantining. Providing client access over browser based HTTPS connections means that client management will no longer be an administrative burden. Management through APM's VPE (Visual Policy Editor) makes management of complex security rules easy.
Customers migrating to F5 will be able to take advantage of a rich set of authentication and authorization features unique to F5.

TMG – Application Layer 7 Firewall
Before F5: TMG offered L7 firewalling in a set of application filters that covered several protocols.
Protocol filters: HTTP, SMTP, ……
Added Protection: Virus Scanning, SPAM filtering
TMG's L7 firewalling relies on subscription services to stay maintained.
With F5: F5’s ASM is designed with a focus on HTTP, SMTP, FTP, & XML security, with the flexibility to build policies specific to applications leveraging those protocols & data types. An automatic policy building engine will adapt to application updates, and visibility/analytics are presented through a web based real time dashboard. Pre-built policies ship for popular applications such as SharePoint and Exchange.
F5 provides bespoke security policies for a broad range of Microsoft Applications and Services.

Reverse Proxy / Pre-Authentication
A Strategic Point of Control for Application Delivery
An application delivery controller provides a strategic point of control where corporate applications can be deployed more securely and policy can be implemented consistently. BIG-IP provides a central point from which to administer access to multiple applications. Without this central management point solution, access must be configured and managed separately at each internal resource, such as Exchange and SharePoint. Single Sign-On (SSO) across multiple on-premise and cloud-based applications.
Endpoint Inspection
With the BIG-IP® Access Policy Manager® (APM), administrators can manage access to corporate resources based upon the device that is trying to connect. Administrators can also ensure that the approved device adheres to corporate policies for AV status, OS versions, patch levels, and more.
“Much like a nightclub bouncer working the door, the ADC isolates internal resources from external access, allowing only authenticated and authorized users to enter the corporate LAN and use internal resources.”

Reverse Proxy / Pre-Authentication
Multi-factor Authentication and Authorization
Remote access solutions provide a much more secure authentication mechanism than what can be natively found on most applications. The BIG-IP with APM (Access Policy Manager) integrates with a number of authentication mechanisms including RSA SecurID, RADIUS OTP, and client-side certificates. Using the flexibility of the BIG-IP APM Visual Policy Editor (see below) and BIG-IP iRules®, administrators can integrate with a variety of authentication providers and technologies.
Figure 1: BIG-IP APM Visual Policy Editor.
Ability to query Active Directory for user attributes such as AD group membership, assigned mailbox database, and device IDs. Attributes, along with deep packet inspection, can then be used to dynamically apply policy, further enhancing device security.

Questions?