- Application Delivery
Tony Chen
Manager, System Engineering
+86 18910083182
Tony.chen@f5.com
F5 Networks
F5 Company Introduction
Company Snapshot
Market symbol: FFIV (NASDAQ)
FY15 revenue: $1.92B
FY15 R&D Investment: $296M
[Chart: quarterly revenue in $ millions, 1Q10 through 3Q15]
F5 Agility 2015 3
Gartner Magic Quadrant for Application Delivery Controllers (as of October 2014)
[Chart: Magic Quadrant positioning F5 alongside Citrix, Radware, Barracuda, Riverbed, Array, Kemp, Piolink and Sangfor; the caption notes F5's consecutive-year placement in Gartner's Magic Quadrant for ADC]
Application Delivery Solution
F5 MISSION
Application Delivery Controller: Understand Users and Apps Context
Which application is being requested? Where does the request come from? Is it secure?
[Diagram: ADC capabilities (Application Fluency, DNS Services, Scalability, Application Visibility, Security, Performance, Flexibility) layered on a hypervisor]
Application Fluency: Maintain Application Availability
Load Balance: distribute application load across multiple servers to increase availability.
Health Monitoring: verify health and performance to check the status of applications and resources.
Traffic Steering: direct a particular type of traffic to resources designed to handle that type of workload.
[Diagram: data center resources (servers, CPU, memory)]
DNS Services
F5 DNS Services Evolution
[Diagram: an LDNS resolving company.com against the datacenter]
Intelligent DNS Services
[Diagram: the LDNS asks "Is there a record for www.company.com?"; the answer is served via www.gtm.company.com and the client reaches http://www.company.com in the data center. Addresses shown: 66.163.171.129 (www.gtm.company.com) and 72.68.171.103 (DNS server)]
F5 Complete DNS Service
[Diagram: clients, DMZ and data center DNS servers]
DNS deployments: F5 paradigm shift
Multi-ISPs Solution
Outbound: 1) corporate user request, 2) Internet server response.
Inbound: 1) client request, 2) corporate server response.
Intelligently load balance both ingress and egress link/ISP traffic.
[Diagram: F5 BIG-IP in front of ISP1, ISP2 and ISP3, with cache servers and private and public application/OS stacks]
A Reusable and Extensible IT Services Platform from Enterprise to Cloud
Resilient Data Center: intelligently steer connections to the best data center
[Diagram: clients steered across two data center app tiers]
Resilient Architecture: beyond high availability
Application delivery within the data center; protocol optimization (optimization of applications such as HTTP); enabling failover by tier; optimization of data replication and backup between active and standby database and file servers.
[Logical diagram: WAN/Internet, app tier, active and standby database and file servers]
[Diagram: users and a beta user reach an application service through a firewall, DNS security, anti-L4-DDoS and L7 application security on BIG-IP platforms; a private cloud runs BIG-IP VE]
Scale The Application With F5: Dynamic Resource Management
[Diagram: demand detection on BIG-IP LTM drives provisioning and deprovisioning of virtualized web front ends and database tiers through iControl automation; VMs and F5 objects are deprovisioned together when demand drops]
Application Visibility
Application Visibility Is Critical
[Charts: analytics for page load time and server latency]
F5 with Splunk for Business Intelligent Analysis
Security
More sophisticated attacks are multi-layer: application, SSL, DNS, network.
Built on the BIG-IP full-proxy architecture, a component of the F5 Application Protection Solution.
[Diagram: network firewall and WAF with iRules on the BIG-IP full proxy; example threats shown include Slowloris, XSS and HTTP data leakage]
F5 Security Solution Map
Full Proxy L2-L7 Solution for App Protection, Access and Availability
One Platform: Access Control, Secure Web Gateway, DDoS Protection, SSL Security, DNS Traffic Management, Network Firewall, Application Security, Fraud Protection
Certification: EAL2+; EAL4+ (in process)
[Table: OSI-layer attacks mapped to the mitigating F5 component (LTM, LTM + iRule, IP Intelligence, DNS, ASM, AFM). Network-based rows: IP fragment, LAND, redirect traffic attack, ICMP flood, ping floods and SMURF attacks, ping of death, DNS-based UDP flood, UDP fragment. DNS rows: DNS flood (distributed and DNS blacklisting), e.g. DNS UDP flood, DNS query flood and DNS NXDOMAIN flood, mitigated by IP blacklist, DNS Express and DNS iRule (datagroup)]
[Diagram: hybrid DDoS architecture. Attackers on the Internet; Silverline cloud scrubbing service; multiple-ISP strategy (ISPa/b); next-generation firewall and IPS at the network tier; DNS tier; application tier; legitimate users including corporate users, financial services, e-commerce and subscribers. Attack classes shown: network attacks (ICMP flood, UDP flood, SYN flood); SSL attacks (SSL renegotiation, SSL flood); DNS attacks (volumetric attacks and DDoS floods, DNS amplification, query flood, dictionary attack, DNS poisoning); HTTP attacks (Slowloris, slow POST, recursive POST/GET); operations center experts handle L3-7 known-signature attacks; BIG-IP is labelled the strategic point of control]
Proactive Hybrid: Silverline is always on and is the first point of detection and mitigation for volumetric attacks before traffic is passed to the datacenter.
Reactive Hybrid: AFM alerts Silverline and diverts traffic for cloud-based mitigation when the datacenter is under volumetric attack.
Fastest Firewall in the West!
[Charts comparing F5 (VIPRION 4800), Juniper (SRX 5800), Cisco (ASA 5585-X) and Check Point (61000) on throughput (Gbps), connections per second (millions), sessions (millions) and footprint (rack units); the F5 bars carry multiplier annotations (e.g. 4x) relative to the competitors]
WAF for application level threats protection
Only looks at application traffic.
Analyzes behavior and logic using the full context of packet information.
Understands HTTP GET, POST, HEAD, etc., and JavaScript, SQL, HTML, cookies, and more.
Interrogates both requests and responses.
Responds to unusual or unexpected patterns in traffic, such as returning much more data than usual.
[Diagram: threats a WAF addresses: HTTP DoS, session hijacking, cookie injection and poisoning, cross-site scripting (XSS), SSL-encrypted application attacks, site reconnaissance, SQL injection, cross-site request forgery (CSRF), phishing attacks, GET floods, Slowloris, data leakage, HashDoS, web page scraping, brute-force logins, forceful browsing]
A WAF sits in front of the application and only interrogates app traffic.
Unsurpassed vulnerability patching
Ensures immediate patching against known CVEs
[Diagram: a vulnerability scanner finds a vulnerability on the customer website; virtual patching with one click on BIG-IP ASM]
DAST Solutions integration: BIG-IP ASM vulnerability checking, with leading DAST vendors for detection and remediation (Qualys, IBM, WhiteHat*, Cenzic and others). Complete website protection.
[Diagram: database firewall in HA mode behind the external network firewall, with a management server, policy analyzer and combined results, protecting the applications and database]
SSL Intercept Degraded
Typical architecture built for little/no encryption.
70% year-over-year growth in SSL; the growth is not stopping.
Impacts ability to identify behaviors or recognize exfiltration across all ports.
80% performance degradation with SSL on NGFWs.
Difficult to scale.
[Diagram: network, security and application layers blind to SSL traffic; capacity constrained]
SSL Traffic Visibility with F5
SSL Visibility: SSL decryption + traffic steering; SSL encryption + load balancing
[Diagram: legitimate users reach apps through a security services tier (DLP, SWG, IPS, any security) that scales out for growth; defense-in-depth]
SSL Visibility: Employees browsing the internet over HTTPS
1. The outbound corporate end users' encrypted web traffic is intercepted by BIG-IP LTM at the ingress.
2. Any traffic pertaining to privacy and regulatory mandates (example: financial, healthcare) is categorized based on preconfigured URL filters and allowed to pass through.
3. Interesting traffic is decrypted by BIG-IP and steered to a pool of FireEye NX devices for inspection.
4. At egress, decrypted traffic is re-encrypted and sent to the internet edge to route it to the destination web server.
(If NX uncovers any malicious content, NX signals back to AFM to shun the malicious traffic/bad actors.)
The above solution shows NX deployed in SPAN/TAP mode. The same can be deployed in active-protection in-line mode.
[Diagram: corporate users, switch, BIG-IP with SSL visibility and load balancing, firewall, FireEye NX Series]
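The four steps above amount to a per-flow policy: decide by hostname category whether a TLS session is left encrypted (privacy/regulatory bypass) or decrypted and steered to an inspection pool, and drop flows from clients the inspectors have flagged. The following is an added example in plain Python, not F5's code and not a BIG-IP configuration; the category names, the hostname-to-category database, the inspector pool names ("nx-1", "nx-2") and the sample flows are all constructed for illustration. It also handles the edge case that matters for bypass lists: matching the longest hostname suffix, so a protected subdomain is not swallowed by a broader catch-all entry.

```python
"""Outbound TLS inspection policy: bypass vs decrypt-and-steer.

Added example, not F5's code or a BIG-IP configuration. It models the
decision logic of the four-step flow: categorize by hostname, let
privacy/regulatory categories pass through encrypted, steer the rest to
an inspection pool, and honour shun signals from the inspectors.
Category names, pool member names, sample flows and the hostname
database are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Action(Enum):
    BYPASS = "bypass"    # leave encrypted, pass through unchanged
    INSPECT = "inspect"  # decrypt, steer to inspection pool, re-encrypt at egress
    SHUN = "shun"        # client flagged by an inspector; drop the flow


@dataclass(frozen=True)
class Flow:
    client_ip: str
    sni: str  # server name the client asked for in the TLS ClientHello


@dataclass(frozen=True)
class Decision:
    action: Action
    category: str
    inspector: Optional[str] = None  # pool member chosen for INSPECT


@dataclass
class InterceptPolicy:
    # categories that must never be decrypted (privacy / regulatory mandates)
    bypass_categories: Set[str]
    # hostname suffix -> category; stands in for a preconfigured URL filter DB
    category_db: Dict[str, str]
    # inspection pool members (constructed names)
    inspectors: List[str]
    shunned: Set[str] = field(default_factory=set)
    _next: int = 0  # round-robin cursor over the inspection pool

    def categorize(self, host: str) -> str:
        """Longest-suffix match so 'login.bank.example' wins over 'example'."""
        host = host.lower().rstrip(".")
        best_len, category = -1, "uncategorized"
        for suffix, cat in self.category_db.items():
            if (host == suffix or host.endswith("." + suffix)) and len(suffix) > best_len:
                best_len, category = len(suffix), cat
        return category

    def shun(self, client_ip: str) -> None:
        """An inspector reported malicious content: block the bad actor."""
        self.shunned.add(client_ip)

    def decide(self, flow: Flow) -> Decision:
        if flow.client_ip in self.shunned:
            return Decision(Action.SHUN, "n/a")
        category = self.categorize(flow.sni)
        if category in self.bypass_categories:
            return Decision(Action.BYPASS, category)
        member = self.inspectors[self._next % len(self.inspectors)]
        self._next += 1
        return Decision(Action.INSPECT, category, member)


def build_demo_policy() -> InterceptPolicy:
    """Constructed policy: two protected categories, two inspectors."""
    return InterceptPolicy(
        bypass_categories={"finance", "healthcare"},
        category_db={
            "bank.example": "finance",
            "clinic.example": "healthcare",
            "example": "general",  # catch-all, overridden by longer suffixes
            "news.example": "news",
        },
        inspectors=["nx-1", "nx-2"],
    )


# Constructed outbound flows from corporate users.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "login.bank.example"),
    Flow("10.1.1.5", "cdn.news.example"),
    Flow("10.1.1.7", "portal.clinic.example"),
    Flow("10.1.1.9", "files.example"),
]


def run_demo() -> List[Decision]:
    policy = build_demo_policy()
    decisions = [policy.decide(f) for f in SAMPLE_FLOWS]
    # an inspector flags the last client; its later flows are shunned even to bypass hosts
    policy.shun("10.1.1.9")
    decisions.append(policy.decide(Flow("10.1.1.9", "login.bank.example")))
    return decisions


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

The shun check runs before categorization on purpose: once an inspector has flagged a client, its traffic is dropped regardless of destination category, which is the behaviour the NX-to-AFM signal in the slide implies. Round-robin selection stands in for the load balancing across the inspection pool.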
Performance
No one likes slow.