1
F5 Networks Traffic Management by Design
Presented by: Jürg Wiesmann Field System Engineer, Switzerland
2
Company Snapshot Leading provider of solutions that optimize the security, performance & availability of IP-based applications Founded 1996 / Public 1999 Approx. 1,010 employees FY05 Revenue: $281M FY06 Revenue: $394M 40% Y/Y Growth
3
Clear Leader in Application Delivery
Figure: Gartner Magic Quadrant for Application Delivery Products (Source: Gartner, December 2005). Axes: Ability to Execute (vertical) and Completeness of Vision (horizontal); quadrants Challengers, Leaders, Visionaries, Niche Players. Vendors plotted: F5 Networks, Citrix Systems (NetScaler), Cisco Systems, Radware, Juniper Networks (Redline), Akamai Technologies, Nortel Networks, Netli, Stampede Technologies, Coyote Point Systems, Array Networks, Zeus Technology, Foundry Networks, NetContinuum.
Gartner quotes on the slide:
"F5 continues to build on the momentum generated by the release of v9.0. It commands over 50% market share in the advanced platform ADC segment and continues to pull away from the competition."
"F5 is one of the thought leaders in the market and offers growing feature richness. It should be high on every enterprise's shortlist for application delivery."
4
What CEOs, CFOs and CIOs are interested in
Low investment cost: fewer servers, fewer licenses, less rack space, lower power consumption
Reduced load on the server infrastructure: caching, traffic optimization
Lower operating cost: less maintenance effort, simplified problem management, simpler patch and release management, lower headcount and wage costs (night and weekend premiums)
Simpler problem, change and release management; fewer service windows and less work during them; maintenance during operation
Simple, secure and stable environments
High availability: active/standby concept, application-level monitoring of applications, 24x7x365
5
Problem: Networks Aren't Adaptable Enough
Diagram labels: New Security Hole; High Cost To Scale; Slow Performance; Application; Network Administrator | Application Developer; Traditional Networks are Focused on Connectivity; Applications Focus on Business Logic and Functionality

Speaker notes: The challenge for application delivery is that a wall exists between the network and application groups. The application team focuses on business functionality, viewing the network as a dependable system they just need a socket to plug into. Once complete, the application is "thrown over the wall" to the network staff, often with little preparation or communication. On the network side, the application package comes over the wall, and a myriad of issues unfold as it is unwrapped and deployed in the real world. The real challenge is that networks aren't adaptable enough to handle the application-level problems that land in their lap, and when the surprise is discovered the IT fire alarm sounds as the organization wrestles with how best to solve the issue.

Today's networks aren't flexible enough to adapt to the demands of today's applications, and the problem keeps getting more severe as the business drives new applications and functions. Networks must now do more than deliver a packet: they must intelligently manage diverse traffic for a variety of applications with multidimensional requirements. Applications are designed to provide functionality, not with the network (their delivery system) in mind; developers assume quality delivery is a given (no latency, state is preserved, guaranteed service, etc.), like plugging something into an electrical outlet.
6
How Do You Fix the Problem?
Diagram labels: Multiple Point Solutions; More Bandwidth; Application; Network Administrator | Application Developer; Add More Infrastructure?; Hire an Army of Developers?
7
A Costly Patchwork
Diagram labels: Users (Mobile Phone, PDA, Laptop, Desktop); Point Solutions (DoS Protection, IPS/IDS, SSL Acceleration, Rate Shaping/QoS, Network Firewall, Application Load Balancer, Content Proxy, Acceleration/Transformation, WAN Connection Optimization, Traffic Compression, Application Firewall); Applications (SFA, CRM, ERP, Custom Application, Co-location)

Speaker notes: Message: if you do not address this issue effectively with the big picture in mind, you are setting yourself up for failure down the road. There is incredible demand for applications: not only more applications, but more ways to reach them. In trying to satisfy these demands, enterprises are taking short-sighted approaches. As a result, networks are becoming increasingly complex and the problem is just getting worse.
8
The Better Application Delivery Alternative
The Old Way The F5 Way First with Integrated Application Security
9
F5’s Integrated Solution
Diagram labels: Users (Mobile Phone, PDA, Laptop, Desktop); The F5 Solution: Application Delivery Network on TMOS; Applications (CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom, Co-location)
10
The F5 Application Delivery Network
Diagram labels: International Data Center; TMOS; Users; Applications; FirePass; BIG-IP Global Traffic Manager; BIG-IP Link Controller; BIG-IP Application Security Manager; BIG-IP Local Traffic Manager; BIG-IP Web Accelerator; WANJet; iControl & iRules; Enterprise Manager

Speaker notes: This philosophy and product strategy enables the F5 network to handle the application optimization, availability and security functions on behalf of the clients and the applications, and to do so in the most cost-effective and efficient manner possible. Think of the F5 network as the application network services layer (draw a dotted-line circle), where the sum is greater than the parts. This way of doing business can be shared and applied across a wide variety of applications and client types, whether the application is delivered across the WAN or within the LAN. For proof and validation, go to F5's solution center and DevCentral, or speak with our application partners such as Microsoft, Oracle, Siebel, IBM and BEA. The end result is a more resilient and adaptive application infrastructure that achieves the objectives of security, optimization and availability in the most operationally efficient manner.

Why is this capability unique to F5? First, we are the only vendor that has developed this comprehensive product and solution portfolio. Second, these functions require an adaptive internal architecture, which is unique to F5 and based on our modular TMOS (Traffic Management Operating System), the iControl API and specialized enterprise-class hardware designs. No other vendor has this internal architecture because no other vendor has had this vision, which we have been working on for over five years (and which comes with a lot of intellectual property). This internal architecture gives us the means of integration and rapid time to market for new application networking solutions.

Third, unlike the vast majority of our product competitors, who are start-ups, F5 has a rock-solid business model and balance sheet that, because we are a public company, is completely transparent.

For backup purposes only, if you are challenged on any of the above statements: Juniper only has secure application access with its SSL VPN from Neoteris, routing, and a network firewall from NetScreen; now it will have branch WAN optimization from Peribit and web acceleration from Redline. How are they going to integrate and unify these things? On which platform will they create the commonality: JUNOS, Redline's, Peribit's, NetScreen's or Neoteris's? Cisco has a few older end-of-life global and local load balancers and some recent acquisitions around end-point security and branch performance optimization. Neither has an integrated internal architecture or a public strategy to get there, and neither has the application expertise or focus; their core competencies are primarily connectivity. As for the start-ups, there are some good point solutions out there, and a few have inflated their claims of doing what F5 can do. This is a marketing technique some start-ups use to convey a position of strength, but they run into problems later. It is not unlike what Enron did to inflate profits and revenues that weren't there, and we know where that got Enron.
11
F5 Networks Remote Access Today
Presented by: Jürg Wiesmann Field System Engineer, Switzerland
12
Current Issues
Mobile Workforce: unreliable access; worm/virus propagation; high support costs
Employee on Home PC / Public Kiosk: limited application support; lack of data integrity; reduced user efficiency
Business Partners: complex access controls; no application-level audits; high support costs
Systems or Applications: complex API; unreliable access; high support costs

Speaker notes: Several types of users require remote access.
Mobile workforce: users with laptops that typically already have an IPsec remote access solution. These users have trouble getting reliable access to their corporate applications (for example, no access from customer locations because IPsec is not allowed through the firewall). Other issues include virus propagation over full-network-access connections and the high support cost of installing and maintaining VPN clients.
Home PC / kiosk users: users with devices not managed by the corporation are often not allowed access to corporate applications at all. In some cases companies have rolled out specific applications, such as webmail, for such users, but these solutions leave temporary files behind on the device, which can expose corporate assets to attackers. So users can only access corporate applications when they have their corporate laptop connected to the Internet; if they don't have a laptop, they are limited to access while on the corporate network.
Business partners: some companies have implemented complicated access controls for business partners on top of an existing IPsec remote access solution. This does not provide the application-level visibility security administrators want and is very costly to support.
13
IPsec provides transparent network access, BUT...
Needs a preinstalled client
Does not work well with NAT (ESP and AH carry no port numbers for a NAT device to rewrite, and AH integrity-protects the IP header; NAT traversal needs UDP encapsulation, which both peers and the firewalls in between must support)
No granular application access: control is at the network level (IP addresses and ports), not per application
Hard to load balance
Expensive to deploy
14
On the other hand, SSL VPN...
Needs no preinstalled client software
Runs on top of TCP, so NAT is not a problem
Works on ports 80/443, so firewalls and proxies are not a problem
Easy to load balance
Offers granular application access (the gateway terminates TLS and sees the application requests, so access can be authorized per application or URL rather than per network)
Easy to deploy
15
Remote Access - Requirements
Any User: Employee, Partner, Supplier
Any Application: Web, Client/Server, Legacy, Desktop
Any Location: Hotel, Kiosk, Hot Spot
Any Device: Laptop, Kiosk, Home PC, PDA/Cell Phone
Highly Available: Global LB, Stateful Failover, Disaster Recovery
Secure: Data Privacy, Device Protection, Network Protection, Granular App Access
Ease of Integration: AAA Servers, Directories
Ease of Use: Instant Access, Clientless, Simple GUI, Detailed Audit Trail

Speaker notes: In choosing a remote access solution, the core requirements include:
- Access to any application
- Access from any location and device, such as a kiosk, laptop, PDA or cell phone
- Support for any user: sales person, administrator, business partner, customer
- Securing data in transit, eliminating cached/temporary files left by session downloads, and protecting against client attacks
- An easy-to-use solution that leverages technologies familiar to most users (e.g. a web browser) and makes applications easy to reach (e.g. URLs)
- Easy integration into the customer's existing security infrastructure, so that thousands of users can be deployed without building a duplicate security infrastructure
16
Why not use IPsec?
(Same requirements matrix as the previous slide: Any User, Any Application, Any Location, Any Device, Highly Available, Secure, Ease of Integration, Ease of Use, with each cell marked yellow or red for IPsec.)

Speaker notes: IPsec solutions fall short on many requirements. The yellow marks show where IPsec does a marginal job but may be a solution; the red marks show where IPsec cannot provide a solution (e.g. it is always client-based). As the slide shows, IPsec falls well short of a complete remote access solution.
17
Prime Networking "Real Estate"
Diagram labels: Intelligent Client | Network Plumbing (ROUTERS, SWITCHES, FIREWALLS) | Intelligent Applications; iControl; Functionality: BIG-IP (Traffic Management), FirePass (Remote Access), TrafficShield (Security)
18
FirePass Overview
Diagram labels: Any User; Any Device (Laptop, Internet Kiosk, Mobile Device); Secured by SSL; Dynamic Policies; Authorized Applications: Portal Access, Specific Application Access, Network Access; Intranet; Partner

Speaker notes: F5's FirePass controller provides a comprehensive remote access solution consisting of:
- Access from any user on any device: FirePass supports virtually any device with a web browser.
- Dynamic policies: FirePass adapts policies so that users can only access their authorized applications, and adapts the level of access to the type of device (e.g. corporate laptop, kiosk, mobile phone) used for remote access.
- Authorized applications: FirePass provides three types of application access: full network access (an IPsec replacement with access to all IP applications), portal access (secure access to a customer portal or a FirePass web portal), and specific application access (access to a single client/server application or a specific web site).
19
Simplified User Access
Standard browser: access to applications from anywhere
Select application: shortcuts automate application connections
No preinstalled client software required; all access via a web browser

Speaker notes: This screen shot shows what a user sees when accessing the FirePass server. The FirePass server is accessed like any other secure host on the Internet. When the user logs on, an authorized set of applications is listed, and the user generally clicks a link to access an application. This interface is consistent across all the technologies used to access applications.
20
Access Types
Network Access
Application Access: Application Tunnels, Terminal Server, Legacy Hosts, X Windows
Portal Access: Web Applications, File Browsing (Windows, Unix), Mobile Desktop Access (Webtop)
21
Access Methods Summary

Portal Access
Benefits: most flexible; any device; any network; any OS; most scalable; browser compatible; secure architecture; restricted resource access
Drawbacks: limited resource access; enterprise web apps/resources or "webified" enterprise resources only; limited non-web applications

Application Access
Benefits: C/S application access; legacy application access; transparent network traversal; any network; scalable deployment; no network/address configuration; secure architecture; restricted resource access; host-level application proxy
Drawbacks: limited access flexibility; OS/JVM compatibility issues; no transient kiosk access; client security; installation privileges

Network Access
Benefits: full network access (VPN); no resource restrictions
Drawbacks: more limited access; OS/JVM compatibility issues; client security; installation privileges
22
Adaptive Client Security
Diagram labels: Kiosk/Untrusted PC -> Kiosk Policy (Cache/Temp File Cleaner) -> Terminal Servers, Files, Intranet; PDA -> Mini Browser Policy -> Intranet; Laptop -> Corporate Policy (Firewall/Virus Check) -> Client/Server Application, Full Network

Speaker notes: One of the real strengths of an SSL VPN solution is the breadth of access. However, customers don't want to open access from any device to any application; that would be a huge security exposure. With adaptive client security, the FirePass controller lets an administrator grant different levels of access based on the device and the user. For example: kiosk users with the cache clean-up feature can access terminal servers, files and the intranet; PDA users can access the intranet; laptop users get full network access with support for all client/server applications.
23
Policy Checking with Network Quarantine
Quarantine policy support: ensure policy compliance; direct non-compliant clients to a quarantine network
Deep integrity checking: specific antivirus checks; Windows OS patch levels; registry settings
Diagram labels: FirePass -> Full Network (compliant) or Quarantine Network ("Please update your machine!")
24
Visual Policy Editor
The visual policy editor graphically associates a policy relationship between end-points, users and resources. It makes even sophisticated policies easy to set up, lowering TCO, and it reduces the configuration mistakes that would otherwise open security holes.
25
Unique Application Compression
Results: over 50% faster access; compression for any IP application; faster e-mail and file access; works across both dial-up and broadband

Speaker notes: In addition to its scalability, FirePass offers optimization features. Competing products offer compression only for web access or for selected access modes, not for all applications and access modes; FirePass offers compression in every access mode. Customers have a mix of users running applications such as Outlook/Exchange and Notes, as well as file downloads, over a variety of access methods including dial-up and Wi-Fi. With FirePass optimization, end users see over 50% shorter download times and a much better experience.
26
Quick Setup
30 Minute Install. NEW: Quick Setup enables rapid installation and setup even for non-experts.
27
Dynamic Policy Engine, User/Device Security, Seamless Integration
Dynamic policy engine: dynamically adapt the user policy to the device used (Laptop Policy, Kiosk Policy, Mobile Device Policy, Default Policy)
Seamless integration: utilize existing AAA servers; automatic user group mapping
Detailed audit trail: application-level visibility

Diagram flow: Authentication (LDAP, RADIUS, Windows NT/2K, Web-based) -> Group (Sales, Financial, Auditors, ...) -> Access Rights (Intranet, SAP, Siebel, File Shares) -> Audit / Usage Reporting (who accessed, what was accessed, from where)

Speaker notes: The FirePass dynamic policy engine lets organizations set up rules matching their business needs for groups, authentication and access rights. These rules tell FirePass how specific situations should be handled and, ultimately, reported on.
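The adaptive client security, network quarantine and dynamic policy engine slides describe one decision: combine the endpoint's posture (device type, antivirus, patch level, cache cleaner) with the user's AAA group to pick an access tier and a resource list. The following is an added illustration of that decision, not F5 code; the device labels, the integrity checks, the groups and the resource names are assumptions chosen to match the slides. It also shows the two caveats a practitioner would want: an integrity check that could not be evaluated counts as failed, and a managed device that fails a check goes to quarantine rather than being silently downgraded.

```python
"""Posture- and group-based access decision in the style of the FirePass
adaptive client security, network quarantine and dynamic policy engine slides.
Added illustration, not F5 code: the device labels, checks, groups and resource
names are assumptions chosen to match the slides."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    """Access levels, ordered so that a higher tier implies the lower ones."""
    DENY = 0
    QUARANTINE = 1    # remediation network only ("Please update your machine!")
    PORTAL = 2        # webified resources, file browsing
    APPLICATION = 3   # application tunnels to named hosts
    NETWORK = 4       # full network access (IPsec replacement)


@dataclass
class Posture:
    device: str                               # assumed labels: "laptop", "kiosk", "pda"
    managed: bool = False                     # corporate-managed device
    antivirus_running: Optional[bool] = None  # None = the check could not be evaluated
    os_patched: Optional[bool] = None         # Windows patch level check
    cache_cleaner: bool = False               # cache/temp file cleaner component loaded


# Device policies, highest tier first. Checks use "is True" so that an
# unevaluated check (None) never satisfies a requirement: fail closed.
DEVICE_POLICIES = [
    (Tier.NETWORK, lambda p: p.device == "laptop" and p.managed
                             and p.antivirus_running is True and p.os_patched is True),
    (Tier.APPLICATION, lambda p: p.device == "laptop" and p.antivirus_running is True),
    (Tier.PORTAL, lambda p: p.device == "pda" or p.cache_cleaner),
]

# Group -> {resource: minimum tier needed}. Groups would come from the AAA server.
GROUP_RESOURCES = {
    "sales": {"intranet": Tier.PORTAL, "file-shares": Tier.PORTAL,
              "siebel": Tier.APPLICATION, "sap": Tier.NETWORK},
    "auditors": {"intranet": Tier.PORTAL},
}


def assign_tier(p: Posture) -> Tier:
    """Map an endpoint posture to an access tier."""
    # A corporate device that fails an integrity check is sent to quarantine for
    # remediation instead of being silently downgraded to a weaker tier.
    if p.managed and not (p.antivirus_running is True and p.os_patched is True):
        return Tier.QUARANTINE
    for tier, ok in DEVICE_POLICIES:
        if ok(p):
            return tier
    return Tier.DENY


def authorize(groups, p: Posture):
    """Return (tier, sorted names of the resources the user may reach at that tier)."""
    tier = assign_tier(p)
    if tier <= Tier.QUARANTINE:
        return tier, []
    allowed = {res for g in groups
               for res, need in GROUP_RESOURCES.get(g, {}).items() if need <= tier}
    return tier, sorted(allowed)


if __name__ == "__main__":
    print(authorize(["sales"], Posture("laptop", managed=True, antivirus_running=True, os_patched=True)))
    print(authorize(["sales"], Posture("laptop", managed=True, antivirus_running=True, os_patched=False)))
    print(authorize(["sales"], Posture("kiosk", cache_cleaner=True)))
    print(authorize(["auditors"], Posture("pda")))
```

The resource list is the intersection of what the group is entitled to and what the tier permits, which is what the slide's "dynamic policies" amount to: a kiosk user in the sales group sees only the portal-level resources, the same user on a compliant corporate laptop sees all of them.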
28
Enterprise SSO Integration
Flow (Netegrity SiteMinder shown, with dynamic policies): 1. the user sends user ID and password to FirePass; 2. FirePass submits the credentials to the SSO system using HTTP forms-based authentication and receives a session cookie; 3. FirePass presents that session cookie to the web servers on the user's subsequent requests.
Single sign-on to all web applications
Major SSO and identity management vendor support: Netegrity, Oblix and others
29
Application Security
Policy-based virus scanning: file uploads; webmail attachments
Integrated scanner; open ICAP interface (content is handed to an external antivirus engine over ICAP)
Web application security: cross-site scripting; buffer overflow; SQL injection; cookie management
Diagram labels: Internet -> FirePass -> Web Servers; ICAP AntiVirus; "1. SQL Injection" blocked (X)

Speaker notes:
XSS: scan URL arguments and form POST data sent by users to web applications, and block the request if it looks suspicious.
Buffer overflow: restrict the maximum upload size.
SQL injection: scan URL arguments and form POST data sent by users to web applications, and filter or block the request if it looks suspicious.
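The three checks in the speaker notes (scan URL arguments and form POST data for XSS and SQL injection patterns, cap the upload size) fit in one request-screening function. The following is an added illustration, not FirePass code: the signature set, the size limit and the sample requests are assumptions and constructed test data. Values are matched after URL decoding, since an attacker will percent-encode the payload.

```python
"""Request screening in the style of slide 29: scan URL arguments and form POST
fields for XSS and SQL-injection patterns and cap the request body size.
Added illustration, not FirePass code; the signatures, the size limit and the
sample requests below are assumptions / constructed test data."""
import re
from urllib.parse import parse_qsl, urlsplit

MAX_BODY_BYTES = 1 * 1024 * 1024   # "restrict maximum upload size"; limit is assumed

# Small, deliberately readable signature set. Values are matched after URL
# decoding, so %3Cscript%3E is seen as <script>.
SIGNATURES = {
    "xss": re.compile(
        r"<\s*script\b|javascript\s*:|\bon(?:load|error|click|mouseover|focus)\s*=",
        re.I),
    "sqli": re.compile(
        r"['\"]\s*(?:or|and)\s+['\"\w]+\s*=\s*['\"\w]+"   # ' OR '1'='1
        r"|\bunion\s+(?:all\s+)?select\b"                 # UNION SELECT
        r"|;\s*(?:drop|delete|insert|update)\b"            # stacked statement
        r"|--\s*$|/\*.*?\*/",                              # comment tricks
        re.I | re.S),
}


def screen(method, url, body=b"", content_type="application/x-www-form-urlencoded"):
    """Return (allowed, reason) for one request. Only the decision is modelled;
    a real gateway would then forward or drop the request."""
    # Buffer-overflow mitigation from the slide: refuse oversized bodies before
    # anything downstream has to parse them.
    if len(body) > MAX_BODY_BYTES:
        return False, f"body of {len(body)} bytes exceeds limit of {MAX_BODY_BYTES}"

    fields = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if method.upper() == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        fields += parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True)

    for name, value in fields:
        for kind, rx in SIGNATURES.items():
            if rx.search(value):
                return False, f"{kind} pattern in parameter {name!r}"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("GET", "/search?q=laptop+bags", b""),
    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", b""),
    ("POST", "/login", b"user=admin%27+OR+%271%27%3D%271&pass=x"),
    ("GET", "/item?id=5%20UNION%20SELECT%20password%20FROM%20users", b""),
    ("GET", "/author?name=O%27Reilly", b""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, screen(method, url, body))
```

Treat this as the slide does, as a gateway-side filter and nothing more: signature matching is bypassable (double encoding, alternative syntax, multipart bodies this example does not parse) and the application behind it still has to use parameterized queries and output encoding. The value of the gateway check is that it is applied uniformly in front of every application and produces the audit trail the earlier slides promise.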
30
Product Lines
31
FirePass Product Line: FirePass 4200 and FirePass 1200
A product sized and priced appropriately for every customer
FirePass 1200 (Medium Enterprise): concurrent users for 25 to 500 employees; comprehensive access; end-to-end security; flexible support; failover
FirePass 4200 (Large Enterprise): concurrent users for 500+ employees; high-performance platform; comprehensive access; end-to-end security; flexible support; failover; cluster of up to 10
32
FirePass Failover
Redundant pair: stateful failover provides uninterrupted failover for most applications (e.g. the VPN connector)
Single management point: the active unit is configured; configuration and state information are periodically synchronized to the hot standby
Separate SKU: the active unit determines the software configuration and the licensed concurrent users
Diagram labels: Internet -> Active / Hot standby -> Intranet application servers

Speaker notes: Best practice is to set up FirePass like BIG-IP, in a redundant pair, so that service is not lost if a failure occurs. When ordering FirePass, be sure to order both an active unit and a failover unit.
33
FirePass 4100 Clustering
Clustered pair: up to 10 servers can be clustered for up to 20,000 concurrent users; the master server randomly distributes user sessions; distributed clusters (e.g. across different sites) are supported
Single management point: the master server is configured; configuration information is periodically synchronized to the nodes
Second FirePass 4100 required: software features must be purchased on the second server as well
Diagram labels: Internet -> Cluster master / Cluster nodes -> Intranet application servers
34
Case Study: FirePass vs IPsec Client
300 end-user accounts, high availability configuration

                        IPsec Client                 FirePass                       Savings
Rollout                 120 hrs                      20 hrs                         100 hrs
Sustaining engineering  200 hrs                      60 hrs                         140 hrs
Help desk               1 hr x 300 + 1.5 hrs/day     0.5 hrs x 300 + 0.5 hrs/day    150 hrs + 1 hr/day
End user                5 hrs/day                    2 hrs/day                      3 hrs/day

Savings: 390 hours for rollout (100 + 140 + 150), 20 hours/week sustaining (4 hrs/day x 5)
80% user callback for the IPsec client; 15% for FirePass
25 users unable to use the IPsec client; 2 specific hotel-room issues with FirePass
35
Summary of Benefits
Increased productivity: secure access from any device, anywhere; no preinstalled VPN clients
Reduced cost of ownership: lower deployment costs; fewer support calls
Improved application security: granular access to corporate resources; application-layer security and audit trail

Speaker notes: The key benefits of the FirePass SSL VPN solution are increased productivity for all users through ubiquitous access to information from any device; reduced deployment costs from avoiding preinstalled clients and fewer support calls from confused users; and improved application security from application-level access rather than merely filtered network-level access.
36
Summary: FirePass Delivers
Key features: enterprise-class, high-availability platform; built-in, load-balanced clustering; SSL acceleration and server-side caching; Visual Policy Editor and 30-minute install; supports Windows, Mac, Linux, Solaris and other clients; built-in Protected Workspace and end-point security; integrates with existing enterprise infrastructure and applications
Key differentiators: out-of-box scalability, performance and reliability; powerful, easy-to-use management interface; breadth of clients, applications and infrastructure; comprehensive risk management including end-point security
Competitive advantage: best combination of capabilities, usability and security; lowest total cost of ownership and highest ROI
39
Backup Slides: Message Security Module
40
Partnerships “F5's BIG-IP has been designed into a number of Oracle's mission-critical architectures, such as the Maximum Availability Architecture.” Julian Critchfield, Vice President, Oracle Server Technologies “Microsoft welcomes F5 Networks' support of Visual Studio 2005… F5 complements our strategy by providing our mutual customers with a way to interact with their underlying network.” Christopher Flores, Group Product Manager in the .NET Developer Product Management Group at Microsoft Corp.
41
Services & Support Expertise – F5 offers a full range of personalized, world-class support and services, delivered by engineers with in-depth knowledge of F5 products. Software Solution Updates – Customers with a support agreement receive all software updates, version releases, and relevant hot fixes as they are released. Flexibility – Whatever your support demands, F5 has a program to fit your needs. Choose from our Standard, Premium, or Premium Plus service levels. Full Service Online Tools – Ask F5 and our Web Support Portal. Fast Replacements – F5 will repair or replace any product or component that fails during the term of your maintenance agreement, at no cost.
42
F5 Services

SERVICES & SUPPORT
Expertise: world-class support and services, delivered by engineers with in-depth knowledge of F5 products.
Software Solution Updates: software updates, version releases and relevant hot fixes as they are released.
Flexibility: Standard, Premium or Premium Plus service levels.
Full Service Online Tools: Ask F5 and our Web Support Portal.
Fast Replacements: F5 will repair or replace any product or component that fails during the term of your maintenance agreement, at no cost.

CERTIFIED GLOBAL TRAINING
Expert Instruction: with highly interactive presentation styles and extensive technical backgrounds in networking, our training professionals prepare students to perform mission-critical tasks.
Hands-On Learning: theoretical presentations and real-world, hands-on exercises that use the latest F5 products.
Convenience: Authorized Training Centers (ATCs) strategically located around the world.
Knowledge Transfer: direct interaction with our training experts gives students more than traditional "text book" training.

PROFESSIONAL SERVICES
Experience: F5 Professional Consultants know F5 products and networking inside and out. The result? The expertise you need the first time.
High Availability: our experts work with you to design the best possible high-availability application environment.
Optimization: our consultants can help you fine-tune your F5 traffic management solutions to maximize your network's efficiency.
Knowledge Transfer: our professionals efficiently transfer critical product knowledge to your staff, so they can most effectively support your F5-enabled traffic management environment.
43
F5 Networks Globally Seattle EMEA Japan APAC
International HQ – Seattle Regional HQ / Support Center F5 Regional Office F5 Dev. Sites –Spokane, San Jose, Tomsk, Tel Aviv, Northern Belfast
44
F5 Networks Message Security Module
Presented by: Jürg Wiesmann Field System Engineer, Switzerland
45
The Message Management Problem
Of the 75 billion e-mails sent worldwide each day, over 70% are spam. The volume of spam is doubling every 6 to 9 months, clogging networks, and the cost of protection keeps increasing.
Figure: TrustedSource reputation scores, Nov 2005 vs Oct 2006 (higher score = worse reputation)
46
Typical Corporate Pain
Employees still get spam; some of it is annoying, some offensive
The infrastructure needed to deal with spam is expensive: firewalls, servers, software (OS, anti-spam licenses, etc.), bandwidth, rack space, power
The budget doesn't match spam growth
Legitimate delivery is slowed down by spam
47
Why is this happening? Spam really works!
A click rate of 1 in 1,000,000 is successful
Spammers are smart professionals: they buy the same anti-spam technology we do, develop spam to bypass filters, and persist through trial and error
Spam is blasted out by massive, centrally controlled botnets
Professional spammers have racks of equipment, every major filtering software and appliance available, and engineering staff

Speaker notes: There must be a reason why this is happening, and the reason is profit. Spammers make a lot of money either by selling goods (their own or someone else's) or by profiting from artificially induced bumps in penny-stock prices (pump-and-dump schemes). Serious spammers are no longer rogue individuals; they are professional outfits with large budgets, serious engineering talent and the drive to find new ways through the best anti-spam filters. The response must be equally serious.
48
It's not just annoying... it can be dangerous.
2% of all e-mail globally contains some sort of malware: phishing, viruses, trojans (zombies, spyware)
49
High Cost of Spam Growth
Spam volume increases -> bandwidth usage increases -> load on firewalls increases -> load on existing messaging security systems increases -> e-mail slows down; rack space, power and admin time are used up needlessly
Diagram labels: DMZ; Firewall; Messaging Security Servers

Speaker notes: So why does all this matter? Traditionally the pain was (a) the annoyance of spam and (b) the risk of malware carried in spam. But a new pain is taking center stage, and companies are complaining about it a lot: (c) the load on IT infrastructure. The anti-spam licenses, anti-spam processing hardware, bandwidth, firewalls, rack space, power and so on required to deal with the geometric growth in spam are expensive, not to mention the hassle of administering all those systems. There must be a more efficient way to deal with spam at these volumes, and there is: break spam filtering into two separate layers. The first layer kills the most obvious spam using IP reputation; don't even accept the connection. Kill it at the first packets so you don't have to receive the rest of the spam connection. The second layer kills the not-so-obvious spam and catches legitimate messages that may carry other security risks. This second layer is typically already in place in a company's messaging infrastructure, but it is being overwhelmed by volume.
50
MSM Blocking At the Edge
Diagram labels: Internet e-mails -> BIG-IP MSM (first tier: terminates 70% of the spam at the EHLO) -> Messaging Security Server (second tier: filters out a further 10% to 20% of spam) -> Mail Servers. Works with any anti-spam solution.

Speaker notes: Here is an animated explanation of how MSM works. First, the sending host connects and opens its SMTP session with an EHLO ("e hello" on the slide). Normally the server replies "hello, I'm here, go ahead and send what you've got". Here, before replying, BIG-IP checks the sender's reputation score with TrustedSource (via the Internet). When the score is good, it forwards the session to the next layer, the messaging security layer, for further filtering. When the score is bad, it terminates the connection with an error code so that the sender does not keep re-sending the same message. (The rejection must be a permanent 5xx reply; a temporary 4xx reply would tell a well-behaved MTA to queue the message and retry.)
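The exchange described above, as an added illustration that is not BIG-IP or TrustedSource code: a first-tier gate that answers the banner, looks up the connecting IP's reputation when the EHLO arrives, and either rejects with a permanent 554 before any MAIL/RCPT/DATA bytes are read or hands the session on to the second tier. The reputation table, the threshold and the client dialogues are constructed stand-ins for the network lookup and real sessions.

```python
"""First-tier SMTP reputation gate in the style of the MSM slide: look up the
connecting IP's reputation at EHLO and reject bad senders before any message
data is read. Added illustration, not BIG-IP/TrustedSource code: the reputation
table, the threshold and the client dialogues are constructed stand-ins for a
network lookup and real sessions."""

HOSTNAME = "mx.example.net"
BLOCK_THRESHOLD = 80   # assumed cut-off; on the slide a higher score is a worse reputation

# Constructed reputation data (score 0..100); a real gate queries the service.
REPUTATION = {
    "203.0.113.7": 95,     # known spam source
    "192.0.2.44": 60,      # middling: let the second tier decide
    "198.51.100.20": 12,   # good
}


def lookup(ip):
    """Stand-in for the TrustedSource query; None when the IP is unknown."""
    return REPUTATION.get(ip)


def is_blocked(ip):
    """Only a known-bad score blocks at the edge; unknown and middling senders
    are passed on to the content-filtering tier rather than rejected blindly."""
    score = lookup(ip)
    return score is not None and score >= BLOCK_THRESHOLD


def gate_session(client_ip, client_lines):
    """Play a client's SMTP lines against the gate.

    Returns (decision, transcript): decision is "rejected", "forwarded" or
    "closed"; transcript is the list of server replies in order. The gate only
    owns the dialogue up to the EHLO; after "forwarded" the second tier would
    take over the connection, which is not modelled here."""
    transcript = [f"220 {HOSTNAME} ESMTP"]      # banner goes out before any lookup
    for line in client_lines:
        cmd = line.split(None, 1)[0].upper() if line.strip() else ""
        if cmd in ("EHLO", "HELO"):
            if is_blocked(client_ip):
                # 554 is a permanent failure: a well-behaved MTA will not queue and
                # retry it, and no MAIL/RCPT/DATA bytes are ever read. A 4xx reply
                # here would defeat the purpose by inviting retries.
                transcript.append(f"554 5.7.1 {client_ip} rejected by reputation policy")
                return "rejected", transcript
            transcript.append(f"250 {HOSTNAME} Hello")
            return "forwarded", transcript
        if cmd == "QUIT":
            transcript.append("221 2.0.0 Bye")
            return "closed", transcript
        # Anything before EHLO (a spambot skipping the greeting, say) is refused.
        transcript.append("503 5.5.1 Send EHLO first")
    return "closed", transcript


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.20", "10.9.8.7"):
        print(ip, gate_session(ip, ["EHLO relay.example", "MAIL FROM:<a@example>"]))
```

Two design choices matter operationally. First, an unknown IP is forwarded, not rejected: the edge tier only acts on reputation it actually has, and everything else is left to the content filter, which is why the slide still shows the second tier catching 10% to 20%. Second, the block decision is deferred to the EHLO rather than taken before the banner, so a legitimate sender whose score is being looked up still gets a standards-conformant greeting; the bandwidth saving comes from never reading the message body.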
51
Why TrustedSource? Industry leader: solid Gartner reviews and MQ (Magic Quadrant) placement, IDC market share leader. Superior technology. Stability.
52
TrustedSource: Leading IP Reputation DB
View into over 25% of email traffic. 50M+ IP addresses tracked globally. Data from 100,000+ sources, including 8 of the 10 largest ISPs. Millions of human reporters and honeypots.
53
GLOBAL DATA MONITORING
TrustedSource: global data monitoring → automated analysis (IntelliCenter: Brazil, London, Portland, Atlanta, Hong Kong) → dynamic computation of reputation score (scale from Bad to Good). Messages analyzed per month: 10 billion enterprise, 100 billion consumer. The animation to this slide is as follows:
- First, what makes TrustedSource so good at giving accurate credit scores is the large number of sources providing data on a routine basis.
- This data comes from information collected about who sent the email, what was in the email, and the general behavior of traffic across the network.
- All of these billions of emails are analyzed and processed using unique algorithms to determine that sender’s reputation *at that very moment* (dynamic). A lot of data goes into this computation, and that’s what makes it so accurate!
Global data monitoring is fueled by the network effect of real-time information sharing from thousands of gateway security devices around the world. Animation slide.
54
Shared Global Intelligence
Physical world: CIA, FBI, Interpol, police stations, intelligence agents. Deploy agents and officers around the globe (police, FBI, CIA, Interpol). Global intelligence system: share intelligence information, for example criminal history or a global fingerprinting system. Results: effective (accurate detection of offenders) and pro-active (stop them from coming into the country).
Cyber world: intelligent probes (IntelliCenter: Atlanta, Brazil, London, Hong Kong, Portland). Deploy security probes around the globe (firewalls, email gateways, web gateways). Global intelligence system: share cyber communication info, for example spammers, phishers, hackers. Results: effective (accurate detection of bad IPs and domains) and pro-active (deny intruders a connection to your enterprise).
Here’s an easy way to think about how TrustedSource works. It’s analogous to the world of police agencies. In the police world, agencies around the world collaborate and share information about who the bad guys are. These come from many sources, but are typically aggregated into a few central repositories like Interpol. The same is true in the spam world. ISPs, companies and consumers are seeing spam on a daily basis. As they identify it and report back to TrustedSource, TrustedSource becomes smarter and more effective. Ultimately, the quality of any reputation system depends on the sheer volume of traffic it gets to see. TrustedSource sees one out of every four emails globally, so it’s very hard to beat the quality of TrustedSource scores!
55
TrustedSource Identifies Outbreaks Before They Happen
Timeline: 9/12/05 TrustedSource flagged zombie. 11/01/05 this machine began sending the Bagle worm across the Internet. 11/02/05 other reputation systems triggered. 11/03/05 anti-virus signatures were available to protect against Bagle. Two months earlier, TrustedSource had identified this machine as not being trustworthy.
Why is reputation useful? The primary message of this presentation is that reputation can be used at high speed to eliminate spam and reduce the load on your network. However, there are a few other benefits, shown in the next two slides. The first is speed of identification of risks. The second is quality of filtering. Here’s an interesting story related to the speed of identification of risks. On November 1, 2005, the worm “Bagle” started infecting computers and traveling across the Internet. On November 3, two days later, the major anti-virus vendors had produced the necessary signature to identify and filter out emails containing the Bagle virus. HOWEVER… back on September 12, TrustedSource had already identified the zombies that were used to propagate this virus, and was already filtering out ANY AND ALL emails from those zombie computers. If you were using TrustedSource, you would have been protected the entire time. If you were using a typical AV vendor, you would have been exposed for 48 hours, which may not sound like much, but can be a long time in the world of rapidly spreading viruses.
56
Content Filters Struggle to ID certain spam
As mentioned before, another benefit of using MSM is the quality of its filtering. Spammers are getting smart, and can always find loopholes to get around the filtering “artificial intelligence”. Here’s an example where the same spam changes each time it gets sent: they add random text to make it appear to content filters like a real email (“hashbusting”). Sneaky stuff, but it can’t get through TrustedSource, because TrustedSource doesn’t care what’s in the email, only who sent it. And the facts are that disreputable senders pretty much never send good email, and reputable senders pretty much never send bad email. That makes reputation a good filtering mechanism, AS LONG AS YOUR REPUTATIONS ARE UP-TO-THE-MINUTE ACCURATE. Outdated RBLs (reputation black lists) are useless because of this, and widely disregarded nowadays.
57
Image-based spam Hashbusting Scratches
Here’s an interesting example of image-based spam. No actual words to filter out here, just a picture of words. Not only that, but the spammers make each image unique by adding scratches and scuffs randomly to each image, thereby making it impossible to identify one just because you identified the other as spam (image hashbusting). Again, pretty sneaky, but when you consider that spammers have all the right tools and patience to find ways around content-inspecting filters, you see that content inspection is a game that will go in circles forever.
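To make the point of these two slides concrete, here is an added example in Python (not code from F5 or Secure Computing). It builds a blocklist from the exact fingerprint of one reported spam, then runs that blocklist against a constructed campaign in which every copy carries different random filler text and a differently “scratched” image, and sets a sender-reputation check, keyed only on the connecting address, beside it. The spam text, the word list, the image bytes, the per-message tracking code and the 203.0.113.7 address are all constructed for the example.

```python
"""Exact content fingerprints vs. sender reputation against a hashbusted campaign.

Added illustration for the two slides above; not the vendor's code. The spam
text, the "image" bytes, the word list and the sender address are constructed.
"""
import hashlib
import random

SPAM_TEXT = "Act now for the best deal on replica watches"   # constructed pitch
SPAM_IMAGE = bytes(range(256)) * 4                            # constructed stand-in for a GIF/JPEG
FILLER_WORDS = "harbor velvet ledger sparrow quantum meadow lantern orbit".split()
SPAM_SOURCE_IP = "203.0.113.7"                                # constructed (RFC 5737 range)


def text_fingerprint(text):
    """Hash of the normalized text: case folded, whitespace collapsed."""
    return hashlib.sha256(" ".join(text.lower().split()).encode()).hexdigest()


def image_fingerprint(image):
    return hashlib.sha256(image).hexdigest()


def hashbust_text(text, i, rng):
    """Same pitch, different random filler each time, as the slide describes.

    The trailing code stands in for the unique tracking token campaigns carry;
    its index suffix guarantees no two variants are identical.
    """
    filler = " ".join(rng.choice(FILLER_WORDS) for _ in range(6))
    code = f"{rng.getrandbits(32):08x}{i:03d}"
    return f"{text}\n\n{filler} {code}"


def scratch_image(image, i, rng, scratches=8):
    """Same picture with a few random one-bit 'scratches' (image hashbusting)."""
    buf = bytearray(image)
    for _ in range(scratches):
        buf[rng.randrange(len(buf))] ^= 0x01
    buf[i % len(buf)] ^= 0x80      # one index-tied bit: every variant differs from every other
    return bytes(buf)


class ContentHashFilter:
    """Blocklist of fingerprints learned from samples already identified as spam."""

    def __init__(self):
        self.known = set()

    def learn(self, fingerprint):
        self.known.add(fingerprint)

    def is_spam(self, fingerprint):
        return fingerprint in self.known


class ReputationFilter:
    """Looks only at who is connecting, never at the payload."""

    def __init__(self, bad_ips):
        self.bad = set(bad_ips)

    def is_spam(self, sender_ip):
        return sender_ip in self.bad


def campaign(n, seed=7):
    """n copies of the same spam, each mutated, all from the same source IP."""
    rng = random.Random(seed)
    return [(hashbust_text(SPAM_TEXT, i, rng), scratch_image(SPAM_IMAGE, i, rng), SPAM_SOURCE_IP)
            for i in range(n)]


def catch_rates(n=20):
    """Messages caught out of n by (text hash, image hash, sender reputation)."""
    msgs = campaign(n)
    content = ContentHashFilter()
    content.learn(text_fingerprint(msgs[0][0]))     # first sighting gets reported as spam
    content.learn(image_fingerprint(msgs[0][1]))
    reputation = ReputationFilter({SPAM_SOURCE_IP})
    text_hits = sum(content.is_spam(text_fingerprint(t)) for t, _, _ in msgs)
    image_hits = sum(content.is_spam(image_fingerprint(im)) for _, im, _ in msgs)
    rep_hits = sum(reputation.is_spam(ip) for _, _, ip in msgs)
    return text_hits, image_hits, rep_hits


if __name__ == "__main__":
    text_hits, image_hits, rep_hits = catch_rates()
    print(f"text hash: {text_hits}/20, image hash: {image_hits}/20, reputation: {rep_hits}/20")
```

The content filter catches exactly the one copy it was taught, text and image alike, because every other copy hashes differently; the reputation filter catches all twenty without opening any of them. The flip side, which the slide also states, is that this only holds while the reputation data is current.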
58
Eliminate up to 70% of spam upon receipt of first packet
Summary of Benefits. Eliminate up to 70% of spam upon receipt of the first packet. Reduce cost for message management: TMOS module, high performance; cost-effective spam blocking at the network edge; integrated into BIG-IP to avoid box proliferation. Improved scalability and message control: reputation-based message distribution and traffic shaping; slightly increased kill rate on unwanted email.
59
Packaging BIG-IP LTM Only Version Support: 9.2 and higher
License tiers: MSM for over 100,000 mailboxes; MSM for up to 100,000 mailboxes; MSM for up to 75,000+ mailboxes; MSM for up to 50,000 mailboxes; MSM for up to 25,000 mailboxes; MSM for up to 10,000 mailboxes; MSM for up to 5,000 mailboxes; MSM for up to 1,000 mailboxes. BIG-IP LTM only; version support: 9.2 and higher. The module may be added to any LTM or Enterprise; no incompatibilities with other modules. Licensed per BIG-IP by number of mailboxes. BIG-IP platform sizing depends on: email volume, number of BIG-IPs, and other functions expected of the BIG-IP (additional taxes on CPU time).
60
Drop first & subsequent packets
How BIG-IP MSM Works (diagram): Internet → DNS query for the Secure Computing TrustedSource™ IP reputation score → one of five outcomes:
- 70% Bad? Drop first & subsequent packets.
- 10% Bad? Error message for clean termination.
- 20% Suspicious? Slow pool → existing messaging security (delete message if it fails there).
- 20% Good? Existing messaging security → email servers.
- 10% Trusted? Fast pool → email servers.
Animation slide.
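The decision flow above, as an added example in Python (not code from F5 or Secure Computing): the reputation lookup is a constructed in-memory table standing in for the DNS query, the band boundaries, the 5xx/220 replies and the mx.example.net host name are assumptions, and the addresses come from the RFC 5737 documentation ranges. The point it makes is the one in the diagram: the verdict is reached before the server says anything, so a dropped connection costs only its first packet, while a bad-but-not-worst sender gets a permanent error so it does not keep retrying.

```python
"""Reputation-gated SMTP edge: decide at the first packet, before any banner goes out.

Added illustration of the tier diagram above; not F5 or Secure Computing code.
The score table, band thresholds, host name and addresses are all constructed.
"""
from collections import Counter
from enum import Enum


class Action(Enum):
    DROP = "drop first & subsequent packets"        # silent: no banner, no reply
    REJECT = "error message for clean termination"  # SMTP 5xx so the sender stops retrying
    SLOW_POOL = "slow pool, then existing messaging security"
    SCAN = "existing messaging security"            # good, but still content-inspected
    FAST_POOL = "fast pool straight to the email servers"


# Stand-in for the DNS reputation query. Constructed scores from -100 (worst)
# to 100 (best); addresses come from the RFC 5737 documentation ranges.
REPUTATION_DB = {
    "203.0.113.7": -95,    # constructed: long-lived zombie
    "203.0.113.8": -60,    # constructed: recent spam source
    "198.51.100.5": -15,   # constructed: mixed history
    "198.51.100.9": 40,    # constructed: ordinary corporate MTA
    "192.0.2.20": 92,      # constructed: well-known good sender
}


def lookup_reputation(ip):
    # No history scores 0: an unknown sender is scanned, never trusted outright.
    return REPUTATION_DB.get(ip, 0)


def classify(score):
    """Map a score onto the five bands of the diagram (constructed boundaries)."""
    if score <= -80:
        return Action.DROP
    if score <= -50:
        return Action.REJECT
    if score < 0:
        return Action.SLOW_POOL
    if score < 80:
        return Action.SCAN
    return Action.FAST_POOL


def handle_connection(ip):
    """Return (action, first bytes sent to the client); None means nothing is sent."""
    action = classify(lookup_reputation(ip))
    if action is Action.DROP:
        return action, None                      # the rest of the spam is never transferred
    if action is Action.REJECT:
        # Permanent failure: a well-behaved MTA will not retry the same message.
        return action, "554 5.7.1 Service unavailable; sender reputation too low\r\n"
    # Good enough to talk to: greet, then hand the session to the pool chosen above.
    return action, "220 mx.example.net ESMTP ready\r\n"


# Constructed connection log: seven attempts from the zombie, one each from three others.
SAMPLE_CONNECTIONS = ["203.0.113.7"] * 7 + ["203.0.113.8", "198.51.100.9", "192.0.2.20"]


def tally(connections):
    """Share of connections per action: the kill-rate view the slides quote."""
    counts = Counter(handle_connection(ip)[0] for ip in connections)
    return {action: counts[action] / len(connections) for action in Action}


if __name__ == "__main__":
    for ip in SAMPLE_CONNECTIONS:
        action, reply = handle_connection(ip)
        print(f"{ip:14} -> {action.value:45} {reply!r}")
    for action, share in tally(SAMPLE_CONNECTIONS).items():
        print(f"{share:5.0%} {action.name}")
```

Two choices worth noting: an address with no reputation lands in the scan band rather than either extreme, because "unknown" is not evidence of anything, and the silent drop is reserved for the worst band only, since a polite 5xx is what stops a legitimate-but-misconfigured MTA from queueing and retrying.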
61
Spam Volumes Out of Control
Chart: percent of worldwide email that is spam, Nov 2005 to Oct 2006 (y-axis from 70% to 85% spam).
62
Hard-to-detect Image Spam is Growing
Chart: image spam as a percent of total email, 2006.
63
Reputation-based Security Model
Reputation-based security model: Track → Compile → Compute → Use, computing credit in the physical world vs. computing reputation in the cyber world.
- Track: physical world, businesses & individuals and their business transactions (purchases; mortgages, leases; payment transactions); cyber world, IPs, domains, content, etc. and their cyber communication (email exchanges, web transactions, URLs, images).
- Compile: physical world, timely payment, late payment, transaction size; cyber world, good IPs and domains, bad, grey (marketing, adware).
- Compute: credit score vs. reputation score.
- Use: allow/deny credit (loan, LOC, credit terms) vs. allow/deny communication (stop at firewall, web proxy or mail gateway; allow; quarantine).
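The track/compile/compute/use chain above, carried through for sender IPs as an added example in Python. This is a constructed model written for this page, not TrustedSource’s algorithm: the observation types and their weights, the seven-day half-life, the good/grey/bad thresholds, the evaluation date and the sightings for the three documentation-range addresses are all assumptions. What it demonstrates is the “at that very moment” property from the earlier slide: the same evidence counts for less as it ages, so a cleaned-up host recovers and a fresh zombie is pinned to the floor.

```python
"""Track -> compile -> compute -> use for sender IPs: a constructed reputation model.

Added illustration of the slide above; not TrustedSource's algorithm. Event
weights, half-life, thresholds, addresses and the sample sightings are made up.
"""
from datetime import datetime, timedelta

# Compile step: how much each kind of tracked observation moves the score.
WEIGHTS = {
    "honeypot_hit": -40.0,      # mail to an address only an address harvester could know
    "user_spam_report": -10.0,
    "bulk_marketing": -2.0,     # "grey" behaviour: unwanted, not malicious
    "delivered_ham": 5.0,       # accepted mail that nobody reported
}
HALF_LIFE = timedelta(days=7)   # old behaviour fades, so the score reflects "right now"

NOW = datetime(2006, 10, 1)     # constructed evaluation time

# Track step: constructed sightings per source IP (RFC 5737 documentation addresses).
SAMPLE_EVENTS = {
    "203.0.113.7": [("honeypot_hit", NOW - timedelta(days=d)) for d in (0, 1, 2)],   # live zombie
    "198.51.100.5": [("honeypot_hit", NOW - timedelta(days=28))] * 2
                    + [("delivered_ham", NOW)] * 4,                                   # was a zombie, cleaned up
    "192.0.2.40": [("bulk_marketing", NOW)] * 10,                                     # newsletter blaster
}


def compute_score(events, now):
    """Compute step: time-decayed weighted sum, clamped to [-100, 100]."""
    score = 0.0
    for kind, seen_at in events:
        half_lives = (now - seen_at) / HALF_LIFE     # timedelta / timedelta -> float
        score += WEIGHTS[kind] * 0.5 ** half_lives
    return max(-100.0, min(100.0, score))


def verdict(score):
    """Use step: map the score onto the slide's good / grey / bad bands (constructed cut-offs)."""
    if score <= -30:
        return "bad", "deny: stop at firewall or mail gateway"
    if score >= 10:
        return "good", "allow"
    return "grey", "quarantine"


def score_all(events_by_ip, now):
    """{ip: (score, band, action)} for every tracked source."""
    result = {}
    for ip, events in events_by_ip.items():
        score = compute_score(events, now)
        band, action = verdict(score)
        result[ip] = (score, band, action)
    return result


if __name__ == "__main__":
    for ip, (score, band, action) in score_all(SAMPLE_EVENTS, NOW).items():
        print(f"{ip:14} {score:7.1f}  {band:5}  {action}")
```

With the constructed numbers, the host hit twice four weeks ago and delivering clean mail today scores 15 and is allowed, while the same two honeypot hits seen today would have scored -80; that gap is the whole reason the slide stresses that stale reputation lists are worthless.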
64
Backup Slides Firepass
65
Windows Logon (GINA Integration)
Key Features Transparent secure logon to corporate network from any access network (remote, wireless and local LAN) Non-intrusive and works with existing GINA (no GINA replacement) Drive mappings/Login scripts from AD Simplified installation & setup (MSI package) Password mgmt/self-service Customer Benefits Unified access policy mgmt Increased ROI Ease of use Lower support costs
66
Configuring Windows Logon
67
Windows Installer Service
Problem Admin user privileges required for network access client component updates Solution Provide a user service on the client machine which allows component updates without admin privileges
68
Network Access Only WebTop
Simplified webtop Interface Automatically minimizes to system tray
69
Windows VPN Dialer Simple way to connect for users familiar with dial-up
70
FirePass client CLI: “f5fpc <cmd> <param>”, where <cmd> is one of: start, info, stop, help, profile. Single sign-on from 3rd-party clients (iPass).
71
Auto Remediation
72
Dynamic AppTunnels Feature Highlights Benefits
No client pre-installation No special admin rights for on-demand component install No host file re-writes Broader application interoperability (complex web apps, static & dynamic ports) Benefits Lower deployment and support costs Granular access control
73
Configuring Dynamic AppTunnels
Web Apps Client/Server Apps
74
Better Value than Juniper!
More features: additional software features included in the base package (1000 & 4100 series): Terminal Server Adapter (Citrix, WTS, VNC), AV & FW checker, AppTunnels; additional 4 GB memory in 4140 & 4150. Less expensive: new SKU/packages; 4100 with 8 GB; failover SKU “4100E-F” priced at $27,990; factory-install OPT SKU for 4 GB memory (4110, 4120, 4130, 4100-F only).