F5 Networks

Traffic Management by Design

Presented by:
Jörg Wiesmann
Field System Engineer, Switzerland
jrg.wiesmann@f5.com

Company Snapshot

Leading provider of solutions that optimize the security, performance & availability of IP-based applications

Founded 1996 / Public 1999
Approx. 1,010 employees
FY05 Revenue: $281M
FY06 Revenue: $394M
40% Y/Y Growth

Clear Leader in Application Delivery

[Figure: Gartner Magic Quadrant for Application Delivery Products. Axes: Ability to Execute (vertical) and Completeness of Vision (horizontal); quadrants Challengers, Leaders, Niche Players, Visionaries. Vendors plotted: F5 Networks, Citrix Systems (NetScaler), Cisco Systems, Radware, Juniper Networks (Redline), Akamai Technologies, Nortel Networks, Netli, Stampede Technologies, Coyote Point Systems, Array Networks, Zeus Technology, Foundry Networks, NetContinuum.]

"F5 continues to build on the momentum generated by the release of v9.0. It commands over 50% market share in the advanced platform ADC segment and continues to pull away from the competition. F5 is one of the thought leaders in the market and offers growing feature richness. It should be high on every enterprise's shortlist for application delivery."

Source: Gartner, December 2005

What CEOs, CFOs and CIOs are interested in

Low investment costs
Reducing load on server infrastructure
Low service costs
Simple problem, change and release management
Fewer service windows
Reduction of work during service windows
Simple, secure and stable environments
High availability

Problem: Networks Aren't Adaptable Enough

New Security Hole
High Cost To Scale
Slow Performance

[Diagram: the Application sits between the Network Administrator and the Application Developer, with a question mark between them.]

Traditional Networks are Focused on Connectivity
Applications Focus on Business Logic and Functionality

How Do You Fix the Problem?

Multiple Point Solutions
More Bandwidth
Network Administrator: Add More Infrastructure?
Application Developer: Hire an Army of Developers?

A Costly Patchwork

Users: Mobile Phone, PDA, Laptop, Desktop, Co-location
Point Solutions: DoS Protection, IPS/IDS, SSL Acceleration, Rate Shaping/QoS, Network Firewall, Load Balancer, Content Proxy, Acceleration/Transformation, WAN Optimization, Traffic Compression, Application Firewall
Applications (reached over a WAN Connection): SFA, CRM, ERP, Custom Application

The Better Application Delivery Alternative

The Old Way / The F5 Way

First with Integrated Application Security

F5's Integrated Solution

Users: Mobile Phone, PDA, Laptop, Desktop, Co-location
The F5 Solution: Application Delivery Network (TMOS)
Applications: CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom

The F5 Application Delivery Network

[Diagram: Users -> BIG-IP product family on TMOS -> Applications, including an International Data Center]

BIG-IP Global Traffic Manager
BIG-IP Link Controller
BIG-IP Local Traffic Manager
WANJet
FirePass
BIG-IP Web Accelerator
BIG-IP Application Security Manager
TMOS
iControl & iRules
Enterprise Manager

F5 Networks
Remote Access Today

Presented by:
Jörg Wiesmann
Field System Engineer, Switzerland
jrg.wiesmann@f5.com

Current Issues

Mobile Workforce: Unreliable access; Worm/virus propagation; High support costs
Employee on Home PC / Public Kiosk: Limited application support; Lack of data integrity; Reduced user efficiency
Business Partners: Complex access controls; No application-level audits; High support costs
Systems or Applications: Complex API; Unreliable access; High support costs

IPSec provides transparent Network Access, BUT:

Needs a preinstalled client
Does not work well with NAT
No granular application access (network level)
Hard to load balance
Is expensive to deploy

On the other hand, SSL VPN:

No preinstalled client software needed
Works on the transport layer: no problem with NAT
Works on port 80/443: no problem with firewall/proxy
Easy to load balance
Offers granular application access
Is easy to deploy

Remote Access - Requirements

Any User: Employee, Partner, Supplier
Any Location: Hotel, Kiosk, Hot Spot, Desktop
Any Device: Laptop, Kiosk, Home PC, PDA/Cell Phone
Any Application: Web, Client/Server, Legacy
Highly Available: Global LB, Stateful Failover, Disaster Recovery
Secure: Data Privacy, Device Protection, Network Protection, Granular App Access, Detailed Audit Trail
Ease of Integration: AAA Servers, Directories
Ease of Use: Clientless, Instant Access, Simple GUI

Why not use IPSec?

[Same requirements diagram as the previous slide: Any User, Any Location, Any Device, Any Application, Highly Available, Secure, Ease of Integration, Ease of Use.]

FirePass Overview

Any User, Any Device (Laptop, Kiosk, Mobile Device, Partner)
  -> Internet
  -> FirePass (Dynamic Policies, secured by SSL)
  -> Authorized Applications via Portal Access, Specific Application Access or Network Access to the Intranet

Simplified User Access

Standard browser
Access to applications from anywhere
Select application
Shortcuts automate application connections
No preinstalled client software required
All access via a web browser

Access Types

Network Access
Application Access
  Application Tunnels
  Terminal Server
  Legacy Hosts
  X Windows
Portal Access
  Web Applications
  File Browsing (Windows, Unix)
  Mobile E-Mail
  Desktop Access (Webtop)

Access Methods Summary

Portal Access
  Benefits: Most Flexible; Any Device; Any Network; Any OS; Most Scalable; Browser Compatible; Secure Architecture; Restricted Resource Access; Host Level
  Drawbacks: Limited Resource Access (Enterprise Web Apps/Resources, Webified Enterprise Resources); Limited Non-web Applications

Application Access
  Benefits: C/S Application Access; Legacy Application Access; Transparent Network Traversal; Any Network; Scalable Deployment; No Network/Addr. Configuration; Secure Architecture; Restricted Resource Access; Application Proxy
  Drawbacks: Limited Access Flexibility; OS/JVM Compatibility Issues; No Transient Kiosk Access; Client Security; Installation Privileges

Network Access
  Benefits: Full Network Access (VPN); No Resource Restrictions
  Drawbacks: More Limited Access; OS/JVM Compatibility Issues; Client Security; Installation Privileges

Adaptive Client Security

Kiosk/Untrusted PC -> Kiosk Policy: Cache/Temp File Cleaner
PDA -> Mini Browser Policy
Laptop -> Corporate Policy: Firewall/Virus Check

Resources granted according to the applicable policy: Terminal Servers, Files, Intranet, Email, Client/Server Application, Full Network

Policy Checking with Network Quarantine

Deep Integrity Checking
  Specific antivirus checks
  Windows OS patch levels
  Registry settings
Quarantine Policy Support
  Ensure Policy Compliance
  Direct to quarantine network

[Diagram: FirePass admits compliant clients to the Full Network and directs non-compliant clients to the Quarantine Network ("Please update your machine!")]
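The two policy slides above (adaptive client security by device class, and integrity checks that send non-compliant clients to a quarantine network) as one added worked example in Python. This is not FirePass code: the policy and check names, the patch-level threshold and the posture reports are assumptions.

```python
"""Endpoint policy check with quarantine, modelled on the FirePass slides.
Added example, not FirePass code: policy and check names, the patch-level
threshold and the posture reports are assumptions."""
from dataclasses import dataclass


@dataclass
class Posture:
    """Constructed posture report as a pre-logon integrity check might collect it."""
    device: str                   # "kiosk", "pda" or "laptop"
    antivirus_running: bool = False
    patch_level: int = 0          # constructed numeric Windows patch level
    firewall_on: bool = False
    registry_ok: bool = False     # required registry settings present


# Per-device-class policy (assumed): which checks must pass and what access is granted.
POLICIES = {
    "kiosk":  {"checks": [], "access": ["terminal_servers", "files"],
               "note": "cache/temp file cleaner runs at logout"},
    "pda":    {"checks": [], "access": ["intranet", "email"], "note": "mini browser"},
    "laptop": {"checks": ["antivirus_running", "firewall_on", "registry_ok", "patch_level"],
               "access": ["client_server_apps", "full_network"], "note": "corporate policy"},
}
MIN_PATCH_LEVEL = 5   # assumed minimum patch level for full network access


def failed_checks(p: Posture) -> list:
    """Run the checks required for the device class and return those that fail."""
    failed = []
    for check in POLICIES[p.device]["checks"]:
        if check == "patch_level":
            if p.patch_level < MIN_PATCH_LEVEL:
                failed.append(check)
        elif not getattr(p, check):
            failed.append(check)
    return failed


def decide_access(p: Posture) -> dict:
    """Map a posture report to a network decision: full network for a compliant
    laptop, restricted resources for kiosk/PDA, quarantine plus a remediation
    message when any required check fails, deny for an unknown device class."""
    if p.device not in POLICIES:
        return {"network": "deny", "resources": [], "message": "unknown device class"}
    failed = failed_checks(p)
    if failed:
        return {"network": "quarantine", "resources": [],
                "message": "Please update your machine! Failed checks: " + ", ".join(failed)}
    policy = POLICIES[p.device]
    network = "full" if "full_network" in policy["access"] else "restricted"
    return {"network": network, "resources": list(policy["access"]), "message": policy["note"]}
```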

Visual Policy Editor

Graphically associates a policy relationship between end-points, users and resources



Unique Application Compression

Results
  Over 50% faster access
  Supports compression for any IP application
  Faster email & file access
  Works across both dial-up and broadband

30 Minute Install (NEW)

Quick Setup enables rapid installation and setup even for non-experts

Enterprise SSO Integration

[Diagram: Internet -> FirePass (Dynamic Policies) -> Netegrity SiteMinder -> Web Servers]

HTTP forms-based authentication
Single sign-on to all web applications
Major SSO & Identity Mgmt Vendor Support: Netegrity, Oblix and others

Application Security

[Diagram: Internet -> FirePass -> Web Servers, with ICAP AntiVirus Servers attached to FirePass]

Policy-based virus scanning
  File uploads
  Webmail attachments
  Integrated scanner
  Open ICAP interface
Web application security
  Cross-site scripting
  Buffer overflow
  SQL injection
  Cookie management

Product Lines

FirePass Product Line

A product sized and priced appropriately for every customer

FirePass 1200 (Medium Enterprise)
  25-100 Concurrent Users
  25 to 500 employees
  Comprehensive access; End-to-End security; Flexible support; Failover

FirePass 4200 (Large Enterprise)
  100-2000 Concurrent Users
  500+ employees
  High performance platform; Comprehensive access; End-to-End security; Flexible support; Failover; Cluster up to 10

FirePass Failover

Redundant pair
  Stateful failover provides uninterrupted failover for most Internet applications (e.g. VPN connector)
Single management point
  Active unit is configured
  Configuration and state information is periodically synchronized
Separate SKU
  Active unit determines software configuration and concurrent users

[Diagram: Active unit and Hot standby unit in front of the Intranet application servers]

FirePass 4100 Clustering

Clustered pair
  Up to 10 servers can be clustered for up to 20,000 concurrent users
  Master server randomly distributes user sessions
  Distributed (e.g. different sites) clusters are supported
Single management point
  Master server is configured
  Configuration information is periodically synchronized
Second FP 4100 Required
  Software features purchased on 2nd server

[Diagram: Internet -> Cluster master and Cluster nodes -> Intranet application servers]

Case Study: FirePass vs IPSec Client

300 end user accounts, high availability configuration

                         IPSec Client   FirePass     Savings
Rollout    Engineering   120 hrs        20 hrs       100 hrs
           Help Desk     200 hrs        60 hrs       140 hrs
           End User      1 hrs          .5 hrs       .5 hrs x 300 = 150 hrs
Sustaining Engineering   1.5 hrs/day    .5 hrs/day   1 hrs/day
           Help Desk     5 hrs/day      2 hrs/day    3 hrs/day
           End User      0              0            0

Savings: 390 hours for rollout, 20 hours/week sustaining

80% user callback for IPSec Client; 15% for FirePass
25 users unable to use IPSec Client; 2 specific hotel room issues w/FirePass

Summary of Benefits

Increased productivity
  Secure access from any device, anywhere
  No preinstalled VPN clients
Reduced cost of ownership
  Lower deployment costs
  Fewer support calls
Improved application security
  Granular access to corporate resources
  Application layer security and audit trail

Partnerships

"F5's BIG-IP has been designed into a number of Oracle's mission-critical architectures, such as the Maximum Availability Architecture."
Julian Critchfield, Vice President, Oracle Server Technologies

"Microsoft welcomes F5 Networks' support of Visual Studio 2005. F5 complements our strategy by providing our mutual customers with a way to interact with their underlying network."
Christopher Flores, Group Product Manager in the .NET Developer Product Management Group at Microsoft Corp.

Services & Support

Expertise: F5 offers a full range of personalized, world-class support and services, delivered by engineers with in-depth knowledge of F5 products.
Software Solution Updates: Customers with a support agreement receive all software updates, version releases, and relevant hot fixes as they are released.
Flexibility: Whatever your support demands, F5 has a program to fit your needs. Choose from our Standard, Premium, or Premium Plus service levels.
Full Service Online Tools: Ask F5 and our Web Support Portal.
Fast Replacements: F5 will repair or replace any product or component that fails during the term of your maintenance agreement, at no cost.

F5 Services

SERVICES & SUPPORT
  Expertise: World-class support and services, delivered by engineers with in-depth knowledge of F5 products.
  Software Solution Updates: Software updates, version releases, and relevant hot fixes as they are released.
  Flexibility: Standard, Premium, or Premium Plus service levels.
  Full Service Online Tools: Ask F5 and our Web Support Portal.
  Fast Replacements: F5 will repair or replace any product or component that fails during the term of your maintenance agreement, at no cost.

CERTIFIED GLOBAL TRAINING
  Expert Instruction: With highly interactive presentation styles and extensive technical backgrounds in networking, our training professionals prepare students to perform mission-critical tasks.
  Hands-On Learning: Theoretical presentations and real-world, hands-on exercises that use the latest F5 products.
  Convenience: Authorized Training Centers (ATCs) strategically located around the world.
  Knowledge Transfer: Direct interaction with our training experts allows students to get more than traditional text book training.

PROFESSIONAL SERVICES
  Experience: F5 Professional Consultants know F5 products and networking inside and out. The result? The expertise you need the first time.
  High Availability: Our experts work with you to design the best possible high-availability application environment.
  Optimization: Our consultants can help you fine tune your F5 traffic management solutions to maximize your network's efficiency.
  Knowledge Transfer: Our professionals will efficiently transfer critical product knowledge to your staff, so they can most effectively support your F5-enabled traffic management environment.

F5 Networks Globally

[Map with regions: Seattle, EMEA, Japan, APAC]

International HQ: Seattle
Regional HQ / Support Center
F5 Regional Office
F5 Dev. Sites: Spokane, San Jose, Tomsk, Tel Aviv, Belfast (Northern Ireland)

F5 Networks
Message Security Module

Presented by:
Jörg Wiesmann
Field System Engineer, Switzerland
jrg.wiesmann@f5.com

The Message Management Problem

Out of 75 billion emails sent worldwide each day, over 70% is spam!
The volume of spam is doubling every 6-9 months!
  Clogging networks
  Cost to protect is increasing

[Chart: TrustedSource Reputation Scores, Nov 2005 to Oct 2006; higher score = worse reputation.]

Typical Corporate Pain

Employees still get spam
  Some are annoying, some are offensive
Infrastructure needed to deal with spam is expensive!
  Firewalls
  Servers
  Software (O/S, anti-spam licenses, etc.)
  Bandwidth
  Rack space
  Power
Budget doesn't match spam growth
Legitimate email delivery slowed due to spam

Why is this happening?

Spam really works!
  Click rate of 1 in 1,000,000 is successful
Spammers are smart professionals
  Buy the same anti-spam technology we do
  Develop spam to bypass filters
  Persistence through trial and error
  Blasted out by massive controlled botnets
Professional spammers have
  Racks of equipment
  Every major filtering software and appliance available
  Engineering staff

It's not just annoying, it can be dangerous.

2% of all email globally contains some sort of malware.
  Phishing
  Viruses
  Trojans (zombies, spyware)

High Cost of Spam Growth

Spam volume increases
  Bandwidth usage increases
  Load on Firewalls increases
  Load on existing messaging security systems increases
  Emails slow down
  Needlessly uses up rackspace, power, admin time

[Diagram: DMZ with Firewall -> Messaging Security -> Email Servers]

MSM Blocking At the Edge

Emails -> First Tier: BIG-IP MSM (terminating 70% of the spam) -> Second Tier: Messaging Security Server (filters out 10% to 20% of spam) -> Mail Servers

Works with any Anti-Spam Solution

Why TrustedSource?

Industry Leader
  Solid Gartner reviews & MQ
  IDC market share leader
Superior technology
Stability

TrustedSource: Leading IP Reputation DB

View into over 25% of email traffic
50M+ IP addresses tracked globally
Data from 100,000+ sources; 8 of 10 largest ISPs
Millions of human reporters and honeypots

TrustedSource

[Diagram: Global Data Monitoring feeds Automated Analysis. IntelliCenter sites: London, Portland, Atlanta, Hong Kong, Brazil. Messages analyzed per month: 10 billion enterprise, 100 billion consumer. Dynamic computation of reputation score on a Bad to Good scale.]

Global data monitoring is fueled by the network effect of real-time information sharing from thousands of gateway security devices around the world.

Shared Global Intelligence

Physical World
  Deploy agents: officers around the globe (Police, FBI, CIA, Interpol)
  Global intelligence system: share intelligence information; example: criminal history, global fingerprinting system
  Results
    Effective: accurate detection of offenders
    Pro-active: stop them from coming into the country

Cyber World
  Deploy security probes around the globe (firewalls, email gateways, web gateways)
  Global intelligence system (IntelliCenter: London, Portland, Atlanta, Hong Kong, Brazil): share cyber communication info; example: spammers, phishers, hackers
  Results
    Effective: accurate detection of bad IPs, domains
    Pro-active: deny connection to intruders to your enterprise

TrustedSource Identifies Outbreaks Before They Happen

Timeline:
  9/12/05: TrustedSource flagged the machine as a zombie
  11/01/05: this machine began sending the Bagle worm across the Internet
  11/02/05: other reputation systems triggered
  11/03/05: anti-virus signatures were available to protect against Bagle

Two months earlier, TrustedSource identified this machine as not being trustworthy.

Content Filters Struggle to ID certain spam

Image-based spam
Hashbusting
Scratches

Summary of Benefits

Eliminate up to 70% of spam upon receipt of first packet
Reduce Cost for Message Management
  TMOS Module: high performance, cost effective spam blocking at network edge
  Integrated into BIG-IP to avoid box proliferation
Improved Scalability and Message Control
  Reputation Based Message Distribution and Traffic Shaping
  Slightly increase kill-rate on unwanted email

Packaging License Tiers

BIG-IP LTM Only
Version Support: 9.2 and higher
Module may be added to any LTM or Enterprise
No module incompatibilities with other modules
Licensed per BIG-IP by number of mailboxes

License tiers:
  MSM for up to 1,000 Mailboxes
  MSM for up to 5,000 Mailboxes
  MSM for up to 10,000 Mailboxes
  MSM for up to 25,000 Mailboxes
  MSM for up to 50,000 Mailboxes
  MSM for up to 75,000+ Mailboxes
  MSM for up to 100,000 Mailboxes
  MSM for over 100,000 Mailboxes

BIG-IP Platform sizing depends on:
  Email volume
  Number of BIG-IPs
  Other functions expected of BIG-IP (additional taxes on CPU time)

How BIG-IP MSM Works

Inbound email connection from the Internet -> BIG-IP MSM sends a DNS query to the Secure Computing TrustedSource IP Reputation Score service and acts on the score:
  70% Bad? -> drop first & subsequent packets
  20% Suspicious? -> Slow Pool -> Existing Messaging Security -> 10% Bad? -> error message for clean termination, delete message
  20% Good? / 10% Trusted? -> Fast Pool -> Existing Messaging Security -> Email Servers
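The reputation flow above as an added worked example in Python (not F5 or Secure Computing code): the score thresholds, the stub that stands in for the DNS reputation query, and the sample source addresses are assumptions, since the slides only state that a higher score means a worse reputation.

```python
"""Reputation-based handling of inbound mail connections, modelled on the
BIG-IP MSM flow. Added example, not F5 code: thresholds, the stub lookup
and the sample addresses are assumptions."""

# Constructed stand-in for the TrustedSource DNS query: IP -> score, higher = worse.
REPUTATION_DB = {
    "203.0.113.7": 95,    # known spam source (constructed)
    "198.51.100.4": 60,   # suspicious sender (constructed)
    "192.0.2.10": 20,     # good sender (constructed)
    "192.0.2.25": 2,      # trusted sender (constructed)
}
# Assumed thresholds on a 0-100 scale: the slide gives categories, not cut-offs.
BAD, SUSPICIOUS, GOOD = 80, 40, 10
UNKNOWN_SCORE = 30        # assumed neutral score for senders not in the database


def lookup_reputation(ip: str) -> int:
    """Stub for the DNS reputation query; unknown senders get a neutral score."""
    return REPUTATION_DB.get(ip, UNKNOWN_SCORE)


def classify_connection(ip: str) -> dict:
    """First tier: decide on the first packet whether to drop the connection
    or which server pool (slow or fast) receives it."""
    score = lookup_reputation(ip)
    if score >= BAD:
        verdict, action, pool = "bad", "drop", None        # drop first & subsequent packets
    elif score >= SUSPICIOUS:
        verdict, action, pool = "suspicious", "forward", "slow"
    elif score >= GOOD:
        verdict, action, pool = "good", "forward", "fast"
    else:
        verdict, action, pool = "trusted", "forward", "fast"
    return {"ip": ip, "score": score, "verdict": verdict, "action": action, "pool": pool}


def second_tier(decision: dict, filter_says_spam: bool) -> str:
    """Forwarded connections still pass the existing messaging security;
    a message that filter rejects gets a clean error message and is deleted."""
    if decision["action"] == "drop":
        return "dropped at edge"
    if filter_says_spam:
        return "rejected with error message; message deleted"
    return "delivered to email servers"


def triage(ips) -> dict:
    """Count first-tier verdicts over a batch of connection sources."""
    counts = {"bad": 0, "suspicious": 0, "good": 0, "trusted": 0}
    for ip in ips:
        counts[classify_connection(ip)["verdict"]] += 1
    return counts
```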

Spam Volumes Out of Control

[Chart: % of Worldwide email that is Spam (Percent Spam axis from 70% to 85%), Nov 2005 to Oct 2006.]

Hard-to-detect Image Spam is Growing

[Chart: Percent of Total Email (0% to 35%) that is image spam, by week from April to October 2006.]

Reputation-based Security Model

          Physical World (Computing Credit)        Cyber World
Track     Businesses & Individuals                 IPs, Domains, Content, etc.
Compile   Business Transactions:                   Cyber Communication:
          Purchases; Mortgage, Leases;             Email exchanges; Web transaction;
          Payment transactions                     URLs, images
Compute   Credit Score:                            Reputation Score:
          Timely payment; Late payment;            Good IPs, domains; Bad;
          Transaction size                         Grey marketing, adware
Use       Allow / Deny Credit:                     Allow / Deny Communication:
          Loan; LOC; Credit terms                  Stop at FW, Web Proxy, Mail gateway;
                                                   Allow; Quarantine

Backup Slides

Firepass

Windows Logon (GINA Integration)

Key Features
  Transparent secure logon to corporate network from any access network (remote, wireless and local LAN)
  Non-intrusive and works with existing GINA (no GINA replacement)
  Drive mappings/Login scripts from AD
  Simplified installation & setup (MSI package)
  Password mgmt/self-service

Customer Benefits
  Unified access policy mgmt
  Increased ROI
  Ease of use
  Lower support costs

Configuring Windows Logon



Windows Installer Service

Problem: Admin user privileges required for network access client component updates
Solution: Provide a user service on the client machine which allows component updates without admin privileges

Network Access Only WebTop

Simplified webtop interface
Automatically minimizes to system tray

Windows VPN Dialer

Simple way to connect for users familiar with dial-up



FirePass Client CLI

f5fpc <cmd> <param>

where <cmd> options are: start, info, stop, help, profile

Single sign-on from 3rd party clients (iPass)

Auto Remediation

Dynamic AppTunnels

Feature Highlights
  No client pre-installation
  No special admin rights for on-demand component install
  No host file re-writes
  Broader application interoperability (complex web apps, static & dynamic ports)
Benefits
  Lower deployment and support costs
  Granular access control

Configuring Dynamic AppTunnels

Web Apps
Client/Server Apps