
F5 Solution

- Application Delivery

Tony Chen
Manager, System Engineering
+86 18910083182
Tony.chen@f5.com
F5 Networks
F5 Company Introduction
Company Snapshot
- Founded 1996 | Public 1999
- Market symbol: FFIV (NASDAQ)
- Approx. 4,110 employees
- FY15 revenue: $1.92B
- FY15 R&D Investment: $296M

[Chart: quarterly revenue in $ millions, 1Q10 through 3Q15]
F5 Agility 2015 3
GARTNER MAGIC QUADRANT FOR APPLICATION DELIVERY CONTROLLERS
F5 is a Leader for the 10th consecutive year in Gartner's Magic Quadrant for ADC.
[Chart: Magic Quadrant positions for F5, Citrix, A10, Radware, Barracuda, Riverbed, Array, Kemp, Piolink and Sangfor]
As of October 2014


Gartner Magic Quadrants: SSL VPN and WAF
[Charts: F5 placement in the Gartner Magic Quadrants for SSL VPN and for WAF]

F5 Partner Ecosystem
Partner categories: Network/SDN, Cloud, Security, Orchestration, Application, Service Provider
Application Delivery Solution
F5 MISSION

Application Delivery Controller: Understand Users and Apps Context
The full proxy sits between clients (anywhere, any service, any device) and resources (physical, hypervisor/virtual, cloud) and decides per request:
- Which application request? Where does it come from? Which device? Who?
- What security policy to apply? Is it secure?
- Where is the best resource? Application health? Response time? User proximity?
CONTEXT AWARE: Full Proxy Architecture. Intelligent, dynamic, agile, adaptive.
Key Values after Implementing ADC

Application Fluency
DNS Services
Scalability
Application Visibility
Security
Performance
Flexibility
Application Fluency
Maintain Application Availability
- Load Balance: distribute application load across multiple servers to increase availability
- Health Monitoring: verify health and performance to check the status of applications and resources
- Traffic Steering: direct a particular type of traffic to resources designed to handle that type of workload
[Diagram: data center with servers and their CPU and memory resources]
DNS Services
F5 DNS Services Evolution
[Diagram: local DNS (LDNS) resolving company.com against the datacenter]
Intelligent DNS Services
1. The client's local DNS (LDNS) asks the company.com DNS server: is there a record for www.company.com?
2. The company.com DNS server delegates the name to BIG-IP GTM: is there a record for www.gtm.company.com?
3. GTM answers with the address of the data center it selects (the slide shows 66.163.171.129 and 72.68.171.103 as the two candidate data center addresses), and the client connects to http://www.company.com.
[Diagram: LDNS, company.com DNS server, BIG-IP GTM, two data centers]
F5 Complete DNS Service
[Diagram: clients and their LDNS on the Internet, DNS firewall in the DMZ, BIG-IP GTM, DNS servers and apps in the data center]

F5 DNS FIREWALL SERVICES
- Protocol inspection and validation
- DNS record type ACL
- DNS load balancing
- High-performance DNS cache
- Higher-performance DNS slave
- Stateful: never accepts unsolicited responses
- ICSA Certified, DMZ deployment
- IPv6 support
- Secure responses: DNSSEC
- Complete DNS control: iRules
- DDoS threshold alerting
- DNS logging and reporting
- Hardened F5 DNS code, NOT BIND
- Scale across devices: IP Anycast
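The "Stateful: never accepts unsolicited responses" and "DNS record type ACL" items above are the parts of a DNS firewall that stop cache poisoning by forged answers and cut off ANY-query amplification. The Python model below is an added example, not F5 code and not how BIG-IP implements it internally: it registers each outbound query under a random transaction ID and accepts an answer only when the ID, the upstream endpoint and the question all match. Class names, the query-type allow list and every address other than 66.163.171.129 (which appears on the slide) are assumptions.

```python
"""Added example modelling two checks from the DNS firewall feature list:
a record-type ACL on incoming queries and a stateful resolver path that
accepts a response only if it matches an outstanding query.  Not F5 code;
class and field names are assumptions for illustration."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int
    qname: str
    qtype: int
    server: tuple          # (ip, port) the query was sent to


@dataclass(frozen=True)
class Response:
    txid: int
    qname: str
    qtype: int
    source: tuple          # (ip, port) the response arrived from
    answers: tuple         # e.g. ("198.51.100.10",)


def norm(name: str) -> str:
    """DNS names compare case-insensitively and with or without the root dot."""
    return name.lower().rstrip(".")


class StatefulDnsFirewall:
    def __init__(self, allowed_qtypes=(1, 2, 5, 15, 16, 28)):   # A, NS, CNAME, MX, TXT, AAAA
        self.allowed_qtypes = set(allowed_qtypes)
        self.outstanding = {}   # txid -> Query currently in flight to an upstream server
        self.dropped = []       # (reason, Response) for logging and threshold alerting

    def admit_query(self, qtype: int) -> bool:
        """Record-type ACL: e.g. refuse ANY (255), the favourite of amplification attacks."""
        return qtype in self.allowed_qtypes

    def send_query(self, qname: str, qtype: int, server: tuple) -> Query:
        """Register an outbound query under a fresh, unpredictable transaction ID."""
        txid = secrets.randbelow(65536)
        while txid in self.outstanding:
            txid = secrets.randbelow(65536)
        q = Query(txid, norm(qname), qtype, server)
        self.outstanding[txid] = q
        return q

    def receive_response(self, resp: Response):
        """Accept only a response matching an outstanding query on transaction ID,
        remote endpoint and question; everything else is unsolicited and dropped."""
        q = self.outstanding.get(resp.txid)
        if q is None:
            self.dropped.append(("unsolicited: no query with this txid", resp))
            return None
        if resp.source != q.server:
            self.dropped.append(("unsolicited: wrong source endpoint", resp))
            return None
        if (norm(resp.qname), resp.qtype) != (q.qname, q.qtype):
            self.dropped.append(("question mismatch", resp))
            return None
        del self.outstanding[resp.txid]   # exactly one answer per query
        return resp.answers


def demo():
    fw = StatefulDnsFirewall()
    upstream = ("192.0.2.53", 53)       # constructed upstream server
    q = fw.send_query("www.company.com", 1, upstream)
    # Constructed traffic: a forged answer with a guessed txid, one from the wrong
    # host, one with the right txid for a different question, then the real answer.
    forged = Response(txid=(q.txid + 1) % 65536, qname="www.company.com", qtype=1,
                      source=upstream, answers=("203.0.113.66",))
    spoofed_src = Response(q.txid, "www.company.com", 1, ("203.0.113.5", 53), ("203.0.113.66",))
    wrong_q = Response(q.txid, "mail.company.com", 1, upstream, ("203.0.113.66",))
    real = Response(q.txid, "WWW.Company.com.", 1, upstream, ("66.163.171.129",))
    results = [fw.receive_response(r) for r in (forged, spoofed_src, wrong_q, real)]
    replay = fw.receive_response(real)   # a second copy of the real answer is now unsolicited
    return {
        "any_allowed": fw.admit_query(255),
        "a_allowed": fw.admit_query(1),
        "accepted": results[3],
        "dropped_reasons": [reason for reason, _ in fw.dropped],
        "replay": replay,
    }
```

The `dropped` list is where "DDoS threshold alerting" from the same slide would hook in: a burst of mismatched responses from one source is the signature of a poisoning attempt, and a burst of refused ANY queries is the signature of a reflection attack being aimed through the resolver.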
DNS deployments

Conventional DNS Thinking
- Internet > external firewall > load balancing > array of DNS servers > internal firewall > hidden master DNS
- Performance = add DNS boxes
- Weak DoS/DDoS protection
- Not cost-effective
- The DMZ/datacenter firewall is THE bottleneck

F5 PARADIGM SHIFT: F5 DNS Delivery Reimagined
- BIG-IP Global Traffic Manager sits between the Internet and the master DNS and provides: DNS firewall, infrastructure DNS DDoS protection, protocol validation, authoritative DNS, caching resolver, transparent caching, high-performance DNSSEC, DNSSEC validation, intelligent GSLB
- Massive performance: over 10M RPS
- Best DoS/DDoS protection
- Lower CapEx and OpEx
Multi-ISPs Solution
Outbound: 1) corporate user request, 2) Internet server response.
Inbound: 1) Internet client request, 2) corporate server response.
Intelligently load balance both ingress and egress link/ISP traffic.
- Multiple ISPs (ISP1, ISP2, ISP3) for high availability
- ISP health check and failover
- Cache server load balancing
- Saving bandwidth cost
- Faster response time
[Diagram: F5 BIG-IP between the ISP links and the firewalls, cache servers, corporate network with corporate servers and corporate users]
Active/Active Datacenter Solutions
Evolution stages: Separate (test and development), Consolidate (server consolidation), Aggregate (capacity on demand), Automate (self-managing data centers), Liberate (enterprise computing clouds, on and off premise, private and public).
[Diagram: stacks of APP/OS pairs growing from a few separate servers to private and public clouds]
A Reusable and Extensible IT Services Platform from Enterprise to Cloud
Resilient Data Center
- Intelligently steer connections to the best data center
- DNS zone transfer makes GTM the authoritative responder for the domain
- GTM probes its local resources
- The GTMs share resource state and local DNS metrics between data centers
[Diagram: clients and users' local DNS at the ISP; primary and secondary data centers, each with ISP 1 and ISP 2 external networks, a GTM, a web tier and an app tier]
Resilient Architecture
- Beyond High Availability
Application delivery within the data center: protocol optimization, enabling failover by tier.
- TCP & HTTP optimization
- Optimization of applications such as HTTP
- Optimization of data replication and backup (active database and file servers in Data Center 1, standby database and file servers in Data Center 2)
[Logical diagram: Data Center 1 and Data Center 2 connected over WAN/Internet, each with web tier, app tier and database/file servers]
Hybrid Cloud Architecture
[Diagram: users and beta users reaching an on-premises data center and a public cloud, each fronted by a BIG-IP platform]
On-premises data center: firewall, DNS security, anti L4 DDoS attack, L7 security; private cloud on BIG-IP VE; development.
Public cloud (clean center): application service; BIG-IP VE for development/testing and application bursting; DNS intelligence.
Products: BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Advanced Firewall Manager, BIG-IP Application Security Manager
Scale The Application With F5
Dynamic Resource Management
- Demand detection on BIG-IP LTM, both for the web frontends serving web clients and for the application servers in front of the DB
- Automation via iControl: F5 provision triggers VM provision in vCenter (frontend and application server virtualization); F5 deprovision triggers VM deprovision when demand falls
- Monitoring & management (AppSpeed)
[Diagram: BIG-IP LTM in front of virtualized frontends and app servers, with the iControl automation loop to vCenter]
Application Visibility
Application Visibility Is Critical
- Application analytics for assured availability
- Analytic logs provide deeper intelligence grouped by application and user
- Rules can be applied based on user behavior
- Latency monitoring provides: business intelligence/capacity planning, troubleshooting and performance tuning, anomalous behavior detection
Statistics collected: URLs, client IPs and geos, server/client latency, throughput, response codes, methods, user agents, user sessions
Views: virtual server, pool member, URLs and HTTP methods, response codes
Analytic Page Load Time
[Screenshot]

Analytic Server Latency
[Screenshot]

F5 with Splunk for Business Intelligence Analysis
- F5 generates application level logging
- Splunk for F5 logging and reporting
Security
More sophisticated attacks are multi-layer: Application, SSL, DNS, Network.
Built on BIG-IP full-proxy architecture
A component of F5 Application Protection Solution
Client-side and server-side stacks are independent, with iRules available at every layer:
- HTTP: WAF on the client side handles attacks such as Slowloris and XSS; WAF on the server side stops data leakage in responses
- SSL: SSL renegotiation attacks
- TCP: SYN flood
- Network firewall: ICMP flood
F5 Security Solution Map
Full Proxy L2-L7 Solution for App Protection, Access and Availability
One Platform: Access Control, Secure Web Gateway, DDoS Protection, SSL Security, DNS Security, Traffic Management, Network Firewall, Application Security, Fraud Protection
Groupings: Access (IAM), Availability (AADC+DDoS), Protection (ADFW+DDoS)
Certifications: EAL2+, EAL4+ (in process)
F5 L2-L7 Protections by OSI layer (mitigating modules shown on the slide: LTM, LTM+iRule, IP Intelligence, AFM, DNS, ASM)

Network based (L2-L4):
- IP Fragment
- Tear Drop
- SYN Flood (Dirt Jumper)
- TCP (connection) Flood, e.g. SYN-ACK, ACK & PUSH-ACK, RST or FIN and Fragmented ACK
- Christmas Tree
- Fake Session
- LAND
- Redirect Traffic Attack
- ICMP Flood, Ping Floods and SMURF Attacks
- Ping of Death (ICMP)
- DNS based UDP Flood
- UDP Fragment
- DNS Flood (Distributed and DNS Blacklisting), e.g. DNS UDP Flood, DNS Query Flood and DNS NXDOMAIN Flood: IP blacklist (data group), DNS Express + DNS iRule

SSL/TLS based (L5-L6):
- SSL Floods, Malformed SSL (e.g. empty SSL HELLO)
- SSL THC attack (extending from the SSL renegotiation vulnerability): IP Intelligence, iRule

Application based (L6-L7):
- Slowloris (Nuclear DDoSer, Slowhttptest)
- Keep-Dead
- Slow POST (R-U-Dead-Yet, Tor Hammer, Nuclear DDoSer, Slowhttptest)
- HashDoS
- Apache Killer (Slowhttptest)
- HTTP GET Flood, Recursive GET Flood (Web Scraping), Dirt Jumper (HTTP Flood): IP Intelligence, iRule
- #RefRef (exploits SQLi, an OWASP Top 10 vulnerability, as entry)
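The Slowloris, Keep-Dead and Slow POST rows above describe attacks that exhaust a server's connection table by never finishing a request. Because BIG-IP is a full proxy, the client-side connection terminates on the ADC, which is what makes per-client accounting like this possible before anything reaches the application. The detector below is an added Python example, not F5 code: it walks a constructed snapshot of open client connections and reports clients holding many incomplete requests. The thresholds, field names and IP addresses are assumptions.

```python
"""Added example: a detector for slow HTTP attacks (Slowloris, Slow POST).
It classifies each open client-side connection and flags clients holding
many requests that never complete.  Constructed data; thresholds and field
names are assumptions, not F5's."""
from dataclasses import dataclass


@dataclass
class Conn:
    client: str
    age_s: float         # seconds since the connection was accepted
    headers_done: bool   # full header block (terminating blank line) received
    content_length: int  # declared Content-Length, 0 if none
    body_bytes: int      # body bytes received so far


def classify(c: Conn, max_header_wait=30.0, max_body_wait=60.0, min_body_rate=50.0):
    """Return a reason string if the connection looks like a slow-request attack,
    else None.  Real clients finish headers in well under a second and upload
    bodies far faster than 50 B/s, so the thresholds are generous."""
    if not c.headers_done:
        if c.age_s > max_header_wait:
            return f"slowloris: headers incomplete after {c.age_s:.0f}s"
        return None
    if c.content_length > c.body_bytes and c.age_s > max_body_wait:
        rate = c.body_bytes / c.age_s
        if rate < min_body_rate:
            return f"slow POST: {c.body_bytes}/{c.content_length} bytes at {rate:.1f} B/s"
    return None


def detect_slow_http(conns, per_client_threshold=20, **limits):
    """Group suspicious connections by client.  A handful is normal (a phone on a
    bad link); dozens from one source is an attack worth dropping or shunning."""
    suspects = {}
    for c in conns:
        reason = classify(c, **limits)
        if reason:
            suspects.setdefault(c.client, []).append(reason)
    return {ip: rs for ip, rs in suspects.items() if len(rs) >= per_client_threshold}


def constructed_snapshot():
    """Constructed connection-table snapshot: one attacker, one legitimate client."""
    attacker, legit = "203.0.113.7", "198.51.100.4"
    conns = [Conn(attacker, 90.0, False, 0, 0) for _ in range(25)]            # header lines trickling in
    conns += [Conn(attacker, 120.0, True, 1_000_000, 600) for _ in range(5)]   # R-U-Dead-Yet style body
    conns += [Conn(legit, 2.0, True, 0, 0) for _ in range(3)]                  # ordinary GETs
    conns.append(Conn(legit, 10.0, True, 5_000_000, 3_000_000))                # healthy large upload
    conns.append(Conn(legit, 40.0, False, 0, 0))                               # one flaky link, below threshold
    return conns


def demo():
    return detect_slow_http(constructed_snapshot())
```

The per-client threshold is the important design choice: classifying a single slow connection as hostile would cut off mobile users, so the decision is taken on the count of incomplete requests a source is holding open at once, which a legitimate browser never pushes into the dozens.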
F5 cloud-based scrubbing with on-premises defenses
A threat intelligence feed informs both the cloud and the on-premises tiers.
Attack sources: scanners, anonymous proxies, anonymous requests, botnet attackers; legitimate users pass through to the applications.
- Cloud tier (Silverline cloud scrubbing service, multiple ISP strategy, ISPa/b): volumetric attacks and DDoS floods, operations center experts, L3-7 known signature attacks
- Network tier (next-generation firewall, AFM): network attacks such as ICMP flood, UDP flood, SYN flood; SSL attacks such as SSL renegotiation, SSL flood; DNS attacks such as DNS amplification, query flood, dictionary attack, DNS poisoning
- Application tier (ASM, IPS): HTTP attacks such as Slowloris, slow POST, recursive POST/GET
Protected tenants shown: financial services, e-commerce, subscriber, corporate users.

Proactive Hybrid: Silverline is always on and is the first point of detection and mitigation for volumetric attacks before traffic is passed to the datacenter.
Reactive Hybrid: AFM alerts Silverline and diverts traffic for cloud-based mitigation when the datacenter is under volumetric attack.
Strategic Point of Control.
Fastest Firewall in the West!
[Charts comparing F5 (VIPRION 4800), Juniper (SRX 5800), Cisco (ASA 5585-X) and Check Point (61000) on four axes: throughput (Gbps), connections per second (millions), sessions (millions) and footprint (rack units). The slide annotates F5's advantage on the four charts as 4x, 21x, 14x and 17x.]
WAF for application level threats protection
A WAF sits in front of the application and only interrogates application traffic.
- Only looks at application traffic
- Analyzes behavior and logic using the full context of packet information
- Understands HTTP GET, POST, HEAD, etc., and JavaScript, SQL, HTML, cookies, and more
- Interrogates both requests and responses
- Responds to unusual or unexpected patterns in traffic, like returning much more data than usual
Threats covered: HTTP DoS, session hijacking, cookie injection and poisoning, cross site scripting (XSS), SSL-encrypted application attacks, site reconnaissance, SQL injections, cross site request forgery (CSRF), phishing attacks, GET floods, Slowloris, data leakage, HashDoS, web page scraping, brute force logins, forceful browsing
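"Interrogates both requests and responses" and "data leakage" on the slide refer to inspecting what the application sends back, not only what comes in. As an added example (not F5 code), the Python below scans a response body for payment card numbers, confirms each candidate with the Luhn checksum so that 16-digit order or tracking numbers are left alone, and masks all but the last four digits before the response goes to the client. The sample response body is constructed; the card numbers in it are the well-known test numbers 4111 1111 1111 1111 and 378282246310005.

```python
"""Added example of a response-side data-leakage check: find primary account
numbers in an HTTP response body, confirm them with Luhn, mask all but the
last four digits.  Not F5 code; the sample body is constructed."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not part
# of a longer run of digits (so a 20-digit tracking number is never touched).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrub_response(body: str, keep_last: int = 4):
    """Return (masked_body, number_of_pans_masked)."""
    count = 0

    def repl(m):
        nonlocal count
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_ok(digits):
            return raw                       # shaped like a card number but is not one
        count += 1
        out, seen, n = [], 0, len(digits)
        for ch in raw:
            if ch.isdigit():
                seen += 1
                out.append(ch if seen > n - keep_last else "*")
            else:
                out.append(ch)               # keep separators so page layout survives
        return "".join(out)

    return PAN_RE.sub(repl, body), count


# Constructed response body: two real (test) card numbers, a 16-digit order ID
# that fails Luhn, and a 20-digit tracking number that must be left intact.
SAMPLE_BODY = (
    "Order 1234 5678 9012 3456 shipped. Paid with 4111 1111 1111 1111 "
    "and corporate card 378282246310005. Tracking 12345678901234567890."
)
```

The Luhn step is what keeps the false-positive rate tolerable in production: a pure regex on 13 to 19 digits would mangle order numbers, invoice IDs and phone numbers in every response, and a WAF that corrupts legitimate pages gets switched off.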
Unsurpassed vulnerability patching
Ensures immediate patching against known CVEs
1. A vulnerability scanner (DAST) finds a vulnerability on the customer website.
2. Virtual patching with one click on BIG-IP ASM.
DAST solutions integration: vulnerability checking, detection and remediation with leading DAST vendors (Qualys, IBM, WhiteHat*, Cenzic, and others) for complete website protection.
BIG-IP Application Security Manager:
- Verify, assess, resolve and retest in one UI
- Automatic creation of policies
- Manual guidance for uncommon patching
- Discovery and remediation in minutes
- Automatic notification of website changes*
- Enhanced automatic resolution in 26 vulnerability
Gartner F5 Position
[Charts: F5 placement in the Gartner Magic Quadrants for SSL VPN and for WAF]
F5 and Oracle Database Firewall
How The Integration Works
- ASM detects a SQL injection event and passes it, with user metadata, to the Database Firewall Management Server (Policy Analyzer)
- Oracle Database Firewall (HA mode) sits between the applications and the databases
- Combined results: combined and enriched syslog to the SIEM
[Diagram: external network, firewall, applications, Database Firewall, Database Firewall Management Server]
SSL Intercept Degraded
The typical architecture was built for little or no encryption.
- 70% year over year growth in SSL, and the growth is not stopping
- SSL impacts the ability to identify behaviors or recognize exfiltration across all ports: network security is blind
- 80% performance degradation with SSL enabled on NGFWs
- Organizations do not want to move their certs to unknown platforms
- Difficult to scale for defense-in-depth and more capacity
- App services & load balancing, SSL termination and the applications are each difficult to scale for capacity
SSL Traffic Visibility with F5
Perimeter Services > Inspection Services > Application Services > Resources
- Perimeter services: a BIG-IP system provides SSL visibility, SSL decryption and traffic steering, with policy enforcement; legitimate users and malicious attackers both arrive here
- Inspection services: security services (DLP, SWG, IPS, any security), scale-out for growth, defense-in-depth
- Application services: a BIG-IP system re-encrypts (SSL encryption) and load balances to the apps
SSL Visibility: Employees browsing the internet over HTTPS

Use case: Employees on the corporate network browsing the internet using desktops and hand held devices, with web browsers and Internet apps.

Deployed functionality: SSL forward proxy, URL filtering, traffic steering, AFM (firewall), SSL visibility, load balancing.

1. The outbound corporate end users' encrypted web traffic is intercepted by BIG-IP LTM at the ingress.
2. Any traffic pertaining to privacy and regulatory mandates (example: financial, healthcare) is categorized based on preconfigured URL filters and allowed to pass through.
3. Interesting traffic is decrypted by BIG-IP and steered to a pool of FireEye NX devices for inspection.
4. At egress, decrypted traffic is re-encrypted and sent to the internet edge to route it to the destination web server.
(If NX uncovers any malicious content, NX signals back to AFM to shun the malicious traffic / bad actors.)

The above solution shows NX deployed in SPAN/TAP mode. The same can be deployed in active protection IN-LINE mode.
[Diagram: corporate users, switch, BIG-IP, FireEye NX Series, firewall, router]
Performance
No one likes slow
- 74% of users will leave a slow web site after just 5 seconds or less
- Every 100ms of delay costs Amazon 1% in sales
- Slow application: reduced productivity