F5 ADC Implementation Project Overview PowerPoint PPT Presentation



F5 ADC Implementation Project Overview

9/24/13


Scope

  • The scope of this project is to implement F5 Application Delivery Controllers into the Illinois and New Jersey colocation facilities to support enhanced load balancing, protocol optimization and application security for Guggenheim applications.

  • Key Driving Factors

    • Currently there is no standard for high availability deployments for Guggenheim applications.

    • Application delivery and performance can be enhanced through protocol tweaks, SSL offload, and application-aware security and DDoS threat mitigation.

    • Application outages can be minimized through intelligent server load balancing and global load balancing across multiple data centers (colos, B+M sites, and the cloud).

    • Enhanced scalability and environment growth potential via a chassis-based hardware ADC solution.

Project Work Streams and Communication Plan

Core Project Team

  • Audience Information Needs: application migration tasks, project plan, status, notifications

  • Distribution Method: weekly call

  • Frequency of Distribution: weekly or as needed as the project progresses

  • Deliverables: project status, updated project plan, meeting notes

  • Communication Owner:

Working Groups

  • Audience Information Needs: application migration tasks, requirements, notifications

  • Distribution Method: weekly call

  • Frequency of Distribution: weekly or as needed as the project progresses

  • Deliverables: planning and design documents, task lists, status reviews

  • Communication Owner:

Timeline and Key Dates

  • Project Kickoff

    • 8/05/2013

  • Milestone One – ADC installation in NJ Colo

    • 9/28/2013 – Target Completion Date for all Groups

  • Milestone Two – ADC installation in IL Colo

    • 10/7/2013 – Target Completion Date for all Groups

  • Milestone Three – ADC GTM integrated into DNS, LTM/ASM ready for application migrations.

    • 10/21/2013 – Target Completion Date for all Groups

Project Phases

  • Phase One – Application & Infrastructure Discovery and Analysis

    • Identify key applications that need to be migrated first to the ADCs

      • Current applications identified include SharePoint, Exchange, OpenText, Lync and Rydex

    • Identify all dependencies such as circuits, backups, databases, firewall rules, etc.

  • Phase Two – Design and Build-out

    • Design the ADC implementation in the colos

    • Install Viprion chassis pairs and stand-alone 2000 series platforms in the IL and NJ colocation facilities

  • Phase Three – Build virtual IPs and wide-IPs on the ADCs for applications

    • Create a new virtual IP and server pool for each application in each applicable environment

    • Create a new wide-IP (FQDN) for each application globally load balanced across multiple DCs

    • Test the new vips using hosts file entries alongside their current analogs, with the help of the application teams, to ensure full application functionality.

    • Cut over each application via DNS change.

Discovery and Classification

  • Application Classification

    • Four options:

      • Local hardware ADC with server load balancing and application firewall – configure a new virtual application with server HA and WAF. Ideal for applications which only live in one particular location and do not yet have a footprint in multiple DCs or colos.

      • Local and Global ADC – configure local ADCs as above for each colo or location, in addition to configuring a new wide-IP FQDN on the GTMs to provide GSLB across multiple environments. Ideal for applications which have footprints in multiple locations and want faster, more controlled fail-over and/or better global distribution of traffic.

      • Virtual ADC with SLB – ideal for locations other than the colos which have applications running on virtual servers. Virtual ADC apps can also be integrated into GSLB via the GTMs.

      • No ADC enhancement – for applications which will not be locally or globally load balanced, and which we do not feel will be enhanced by protocol optimization or application security.

Closing and Questions

LTM Concepts

  • F5 LTM: enhanced security

    • Full proxy architecture

      • Separate client-facing and server-facing TCP stacks

        • A client packet terminates at the LTM on one stack

        • The LTM re-creates the packet on the other stack, if applicable

  • F5 LTM is an ICSA-certified network firewall

    • The LTM’s default action is to drop packets arriving at the LTM which don’t match:

      • A vip address

      • A SNAT (secure network address translation) address

    • The LTM protects against DDoS and other layer 3 attacks

      • Connection reaping, TCP SYN cookies, flood attack defense

      • Added flexibility of iRules for ‘virtual patching’

      • Layer 4-7 application awareness and protection offered in the ASM and GTM modules (discussed later)

  • F5 LTM: protocol optimization

    • TCP/UDP optimization via profiles

    • Can offer different optimization on the client-side and server-side TCP stacks

  • F5 LTM: application optimization

    • HTTP(S) / FTP / SSL / LDAP / RADIUS / Kerberos / persistence via profiles

    • Customizable profiles for each application or vip

    • SSL offload to the LTM using dedicated ASICs for hardware-based SSL encryption/decryption on either or both of the client-side and server-side TCP stacks.

LTM Concepts (continued)

  • iRules: provide fully customizable strategies for security via event-based packet manipulation

    • Manipulate header information or packet data

    • Filter packets based on source, content or protocol

    • Enforce protocol standards

    • Fix application-induced packet issues

    • Insert or delete cookies

    • And more

  • F5 LTM: local load balancing

    • Load balance across one or multiple pools per vip

    • Consolidate server connections via OneConnect to reduce server connection load

    • Enhance server productivity by offloading SSL, intelligently caching data at the LTM, and/or protocol optimization

      • Servers get to focus solely on serving content

      • Other tasks are offloaded to the LTM, to be better handled by dedicated hardware

    • One application can span many vips

    • Each vip represents a socket

    • Each pool or node can have its own health monitor to ensure traffic only goes to healthy servers

Example: Application Flow

GTM Overview

  • Global load balancing across multiple and/or geographically dispersed networks and data centers.

  • Works as an adjunct to local load balancing, or can be implemented on its own.

  • Can be implemented on the same hardware as LTM/ASM, or on its own hardware/VMs

  • Uses DNS as its core protocol

    • GTM is DNS on PEDs

      • Uses standard zone files (SOA, A records, etc.)

      • Combines the functionality of DNS with the load balancing/health monitoring characteristics of LTM

    • Can be integrated easily into existing DNS infrastructure (BIND, AD, Infoblox, etc.)

      • Existing DNS can forward to the GTMs for given subdomains

      • Existing DNS can list the GTMs as authoritative for individual FQDNs

GTM Overview (Continued)

  • The GTM’s basic object is a wide-IP

    • A wide-IP load balances one or more pools of IP addresses

      • These can be LTM vips, or regular, stand-alone hosts

      • These can be in the same or distant data centers.

      • There can be more than one pool balanced by a given wide-IP

    • Wide-IPs can have primary, secondary and fallback LBAs (load balancing algorithms)

      • The primary LBA is the one used 99% of the time

      • The secondary is used if for some reason the primary LBA is invalid

      • The fallback is what a given wide-IP will respond with in the event none of its pools/pool members are valid

  • Typical Load Balancing Algorithms

    • Global Availability

      • Always resolve with the first listed pool member if it is ‘alive’.

      • Used in situations where one site is the designated ‘production’ and the other is the ‘DR’ or ‘Standby’ location.

      • Used where the expectation is that 100% of traffic goes to the production site unless it is down, in which case 100% goes to the other site

    • Topology

      • Chooses which IP address to resolve a wide-IP to based on the topology table

      • We build the topology table to suit our needs

        • Example: anything on the 10.10.2.x network resolves to a vip in the data center close to the 10.10.2.x network

    • Ratio

    • Round Robin

    • Least Connections

      • This can be deceiving: a GTM typically sees DNS resolvers as ‘clients’

      • There can be 100 users behind one LDNS ‘client’ and 5 users behind another LDNS ‘client’, and the GTM will consider them equally balanced, because from its perspective it only has two clients, not 105 actual clients (unless the GTM is configured to be an LDNS)


GTM Integration into DNS

  • Example: GTM authoritative for a subdomain in DNS (delegation via NS records, with glue A records for the GTMs):

    ILXXXGTM1    IN A   10.10.10.4
    NJXXXGTM1    IN A   10.10.14.4
    Oldapp1      IN A   10.10.9.100
    newapp1      IN NS  ILXXXGTM1
                 IN NS  NJXXXGTM1
    newapp2      IN A   10.10.9.210

  • Example: Forwarding zone in DNS (BIND syntax), with a CNAME pointing the public name at the GTM-managed name:

    zone "gtm.guggenheim.com" {
        type forward;
        forwarders { 10.10.10.4; 10.10.14.4; };
    };

    newapp1.guggenheim.com.    IN CNAME  newapp1.gtm.guggenheim.com.

  • newapp1.gtm.guggenheim.com exists as an ‘A’ record (wide-IP) on the GTMs

GTM Fallback:

  • Fallback is the option of last resort for a wide-IP

  • Its purpose is to ensure that the GTM always has something to resolve a wide-IP to

    • In the absence of a fallback method, the GTM responds to a wide-IP query with no surviving members the same way a DNS server responds to a query for which it is not configured: NXDOMAIN

  • The fallback is an IP address

  • This can be the IP address of a “we’re sorry” web page (or anything else)

  • This can be the IP address of one of the pool members
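The wide-IP behaviour described in the GTM overview (primary and secondary LBAs, Global Availability, Topology, Least Connections and its LDNS caveat) and the fallback/NXDOMAIN rule above can be made concrete with a small model. The Python below is an added example written for this page; it is not F5 code and not part of the Guggenheim project. The wide-IP names, addresses, topology table and the way the ratio and least-connections counters are kept are constructed assumptions, and `resolve` is a deliberate simplification of what a GTM does.

```python
"""Constructed model of GTM wide-IP resolution: primary/secondary LBAs, a fallback IP
and the NXDOMAIN case. Added example for this page, not F5 code; names and addresses are invented."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Member:
    ip: str                 # an LTM vip or a stand-alone host, as the GTM sees it
    alive: bool = True      # result of the GTM's health monitor
    ratio: int = 1          # weight used by the Ratio LBA
    answers: int = 0        # how often the GTM has handed this address out


# Constructed topology table: LDNS source network -> preferred data-centre network.
TOPOLOGY = {
    ipaddress.ip_network("10.10.2.0/24"): ipaddress.ip_network("10.10.10.0/24"),  # near IL
    ipaddress.ip_network("10.10.6.0/24"): ipaddress.ip_network("10.10.14.0/24"),  # near NJ
}


@dataclass
class WideIP:
    name: str
    members: List[Member]
    primary: str                          # LBA name, matched to a _<lba> method below
    secondary: str = "round_robin"        # used when the primary LBA is invalid
    fallback_ip: Optional[str] = None     # None: answer NXDOMAIN when nothing is alive
    rr_index: int = field(default=0, repr=False)

    def _alive(self) -> List[Member]:       # every LBA below returns a Member, or None
        return [m for m in self.members if m.alive]

    def _global_availability(self, ldns: str) -> Optional[Member]:
        alive = self._alive()               # always the first listed live member: 100% to
        return alive[0] if alive else None  # production, 100% to the standby if it is down

    def _topology(self, ldns: str) -> Optional[Member]:
        src = ipaddress.ip_address(ldns)
        for client_net, preferred in TOPOLOGY.items():
            if src in client_net:
                for m in self._alive():
                    if ipaddress.ip_address(m.ip) in preferred:
                        return m
        return None                         # no topology record matched this LDNS

    def _round_robin(self, ldns: str) -> Optional[Member]:
        alive = self._alive()
        if not alive:
            return None
        m = alive[self.rr_index % len(alive)]
        self.rr_index += 1
        return m

    def _ratio(self, ldns: str) -> Optional[Member]:
        alive = self._alive()               # weighted: the member furthest below its share
        return min(alive, key=lambda m: m.answers / m.ratio) if alive else None

    def _least_connections(self, ldns: str) -> Optional[Member]:
        alive = self._alive()               # counts answers to LDNS resolvers, not end users
        return min(alive, key=lambda m: m.answers) if alive else None

    def resolve(self, ldns: str) -> str:
        """Answer one query arriving from the LDNS resolver at address `ldns`."""
        for lba in (self.primary, self.secondary):
            member = getattr(self, "_" + lba)(ldns)
            if member is not None:
                member.answers += 1
                return member.ip
        return self.fallback_ip or "NXDOMAIN"   # fallback is the option of last resort


def two_site_wideip(primary: str, fallback_ip: Optional[str] = None) -> WideIP:
    # Constructed wide-IP with one vip in IL (10.10.10.x) and one in NJ (10.10.14.x).
    return WideIP("newapp1.gtm.example.com", [Member("10.10.10.100"), Member("10.10.14.100")],
                  primary, fallback_ip=fallback_ip)


def demo_global_availability() -> List[str]:
    w = two_site_wideip("global_availability", fallback_ip="10.10.9.250")  # "we're sorry" page
    answers = [w.resolve("10.10.2.53")]        # production (IL) is alive
    w.members[0].alive = False
    answers.append(w.resolve("10.10.2.53"))    # IL down: 100% to the NJ standby
    w.members[1].alive = False
    answers.append(w.resolve("10.10.2.53"))    # nothing alive: the fallback IP
    w.fallback_ip = None
    answers.append(w.resolve("10.10.2.53"))    # nothing alive and no fallback: NXDOMAIN
    return answers   # ['10.10.10.100', '10.10.14.100', '10.10.9.250', 'NXDOMAIN']


def demo_topology() -> List[str]:
    w = two_site_wideip("topology")
    return [w.resolve("10.10.2.53"),           # LDNS near IL -> IL vip
            w.resolve("10.10.6.53"),           # LDNS near NJ -> NJ vip
            w.resolve("192.0.2.53")]           # no topology record -> secondary LBA (round robin)


def demo_least_connections() -> Dict[str, int]:
    # 100 users behind one LDNS and 5 behind another look equally balanced to the GTM.
    w = two_site_wideip("least_connections")
    w.resolve("10.10.2.53")                    # LDNS A, answering 100 users from its cache
    w.resolve("10.10.6.53")                    # LDNS B, answering 5 users
    return {m.ip: m.answers for m in w.members}   # {'10.10.10.100': 1, '10.10.14.100': 1}
```

The point of `demo_least_connections` is the caveat from the slide: the GTM counts one answer per resolver query, so two LDNS servers fronting very different user populations look balanced to it. `demo_global_availability` walks through production, standby, fallback IP and finally NXDOMAIN as members are marked down.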


Example: GTM Query

Overview: ASM

  • F5 ASM application firewall bimodal approach:

    • The negative security model protects against known attacks and exploits (SQL injection, buffer overflow, screen scraping, clickjacking, cross-site scripting, etc.)

    • The positive security model protects by limiting user interaction to known/expected methods, objects, etc.

  • Flexible enforcement scenarios

    • ASM policies can be deployed in ‘transparent’ mode:

      • ASM sends alerts based on activity

      • ASM does not actually block suspicious traffic in transparent mode.

    • Or in ‘blocking’ mode:

      • ASM blocks nonconforming traffic

      • ASM logs nonconforming activity and directs users to a customizable page, giving them a tracking number for the incident.

        • We can use the tracking number to see what they did

        • We can use the incident’s tracking number to quickly modify the ASM ruleset by ‘whitelisting’ that specific incident (and allowing any which follow)

  • Flexible deployment methodology

    • Apply an ASM policy on a per-vip basis

    • Different vips can have their own policies

    • Different vips can be transparent, blocking, or learning.
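To make the negative/positive models, the three enforcement modes and the tracking-number workflow above concrete, here is a small Python model written as an added example for this page; it is not F5 code and not ASM's actual policy engine. The two signatures, the `/login` form, the client addresses and the support-ID format are constructed assumptions, and learning mode is reduced to "observed parameters extend the positive model".

```python
"""Constructed model of ASM-style bimodal enforcement: a negative model (attack signatures),
a positive model (allowed methods and parameters per URL), and the transparent / blocking /
learning modes with per-incident support IDs. Added example for this page, not F5 code."""
import hashlib
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Negative security model: constructed signatures for two well-known attack classes.
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)('\s*or\s*'?\d|\bunion\s+select\b)"),
    "cross_site_scripting": re.compile(r"(?i)<script\b"),
}

Request = namedtuple("Request", "method path params client_ip")
Violation = namedtuple("Violation", "kind detail path param")   # hashable, so it can be whitelisted
Incident = namedtuple("Incident", "support_id client_ip violations blocked")


@dataclass
class Policy:
    mode: str = "transparent"                     # transparent | blocking | learning
    allowed_methods: Set[str] = field(default_factory=lambda: {"GET", "POST"})
    allowed_params: Dict[str, Set[str]] = field(default_factory=dict)  # positive model: path -> names
    whitelisted: Set[Violation] = field(default_factory=set)
    incidents: List[Incident] = field(default_factory=list)

    def _violations(self, req: Request) -> List[Violation]:
        found = []
        if req.method not in self.allowed_methods:
            found.append(Violation("positive_model", "method " + req.method, req.path, None))
        if self.mode == "learning":
            # Learning: observed parameters extend the positive model instead of violating it.
            self.allowed_params.setdefault(req.path, set()).update(req.params)
        else:
            known = self.allowed_params.get(req.path, set())
            for name in req.params:
                if name not in known:
                    found.append(Violation("positive_model", "unexpected parameter", req.path, name))
        for name, value in req.params.items():            # the negative model runs in every mode
            for sig, rx in SIGNATURES.items():
                if rx.search(value):
                    found.append(Violation("signature", sig, req.path, name))
        return [v for v in found if v not in self.whitelisted]

    def inspect(self, req: Request) -> Optional[Incident]:
        """Return an Incident for a nonconforming request, or None when it is allowed through."""
        violations = self._violations(req)
        if not violations:
            return None
        seed = f"{req.client_ip}|{req.path}|{len(self.incidents)}"
        support_id = hashlib.sha256(seed.encode()).hexdigest()[:16]   # the user's tracking number
        inc = Incident(support_id, req.client_ip, violations, blocked=(self.mode == "blocking"))
        self.incidents.append(inc)                        # logged in transparent and blocking mode alike
        return inc

    def whitelist_incident(self, support_id: str) -> bool:
        """Accept the violations behind one tracking number, and any which follow."""
        for inc in self.incidents:
            if inc.support_id == support_id:
                self.whitelisted.update(inc.violations)
                return True
        return False


def block_page(inc: Incident) -> str:
    """The customizable page a user sees in blocking mode."""
    return f"Your request was rejected. Quote support ID {inc.support_id} to the service desk."


def demo() -> dict:
    # Constructed traffic against a /login form whose known parameters are user and password.
    attack = Request("GET", "/login", {"user": "bob' OR '1", "password": "x"}, "198.51.100.7")
    new_field = Request("POST", "/login", {"user": "alice", "password": "x", "remember": "1"},
                        "198.51.100.8")
    transparent = Policy("transparent", allowed_params={"/login": {"user", "password"}})
    blocking = Policy("blocking", allowed_params={"/login": {"user", "password"}})
    learning = Policy("learning", allowed_params={"/login": {"user", "password"}})

    seen = transparent.inspect(attack)                    # alert only; nothing is blocked
    stopped = blocking.inspect(attack)                    # the same request, now blocked
    false_positive = blocking.inspect(new_field)          # a legitimate new field is blocked...
    blocking.whitelist_incident(false_positive.support_id)  # ...until its incident is whitelisted
    learning.inspect(new_field)                           # learning mode adopts the new field
    return {
        "transparent_blocked": seen.blocked,
        "transparent_detail": seen.violations[0].detail,
        "blocking_blocked": stopped.blocked,
        "block_page": block_page(stopped),
        "false_positive_param": false_positive.violations[0].param,
        "after_whitelist": blocking.inspect(new_field),   # None: allowed through
        "learned_params": sorted(learning.allowed_params["/login"]),
    }
```

The `new_field` request is the interesting case for operations: a new form field the application team added is a positive-model violation until someone either whitelists the incident by its support ID (blocking mode) or lets a learning-mode policy observe it first, which is why the slide pairs blocking with a tracking number.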


Overview: ASM (Continued)

  • Automatic or manual application learning and profiling

    • Offers greater control

    • Offers granular rulesets and a customizable API

  • Easy-to-update attack signature database

    • Download new attack signatures directly from the GUI

    • Apply new signatures according to company SOP

  • F5 ASM offers additional security

    • Protect against data leakage by masking credit card numbers, social security numbers, or other recognizable patterns

    • Validate/enforce HTTP protocol compliance

    • Enforce application flows; alert or block when users attempt to bypass login pages

    • Protect against additional evasion techniques by policy

    • Determine which HTTP responses are allowed to be seen by a user

      • Prevent users from seeing application-specific errors

      • Makes it harder to profile a web server to discern potential vulnerabilities

      • Offer a company-branded, nontechnical response to server errors
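The data-leakage masking and response cloaking just listed, as an added Python example for this page (not F5 code): it masks Luhn-valid card numbers and SSN-shaped strings in a response body, strips headers that fingerprint the server, and replaces any status the policy does not allow with a branded page. The patterns, the allowed-status set, the header list and the sample responses are constructed assumptions; the Luhn check and the header stripping are my additions, the former so that order numbers are not masked by mistake.

```python
"""Constructed model of ASM-style response handling: mask card numbers and SSNs in response
bodies (data leakage) and replace server errors with a branded, non-technical page so users
and scanners never see application-specific errors. Added example for this page, not F5 code."""
import re
from typing import Dict, Tuple

# Constructed patterns: 13-16 digit card numbers with optional separators, and US SSNs.
CARD_RX = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RX = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed policy: statuses the user may see, and headers that fingerprint the server.
ALLOWED_STATUS = {200, 201, 204, 301, 302, 304, 400, 401, 403, 404}
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
BRANDED_ERROR = "<html><body><h1>We're sorry</h1><p>Please try again later.</p></body></html>"


def luhn_ok(digits: str) -> bool:
    """Luhn check, so order numbers and other long digit runs are not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_card(match: re.Match) -> str:
    digits = re.sub(r"\D", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)                     # not a card number: leave it untouched
    return "*" * (len(digits) - 4) + digits[-4:]  # keep the last four, as receipts do


def scrub(body: str) -> str:
    """Content scrubbing: mask recognizable sensitive patterns before the body leaves."""
    body = CARD_RX.sub(_mask_card, body)
    return SSN_RX.sub(lambda m: "***-**-" + m.group(0)[-4:], body)


def cloak(status: int, headers: Dict[str, str], body: str) -> Tuple[int, Dict[str, str], str]:
    """Application cloaking: decide which responses the user is allowed to see."""
    kept = {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}
    if status not in ALLOWED_STATUS:
        # Stack traces, version banners and SQL errors never reach the user or a scanner.
        return status, kept, BRANDED_ERROR
    return status, kept, scrub(body)


def demo() -> dict:
    """Constructed responses: one leaky receipt page and one unhandled server error."""
    receipt = "Receipt: card 4111 1111 1111 1111, order 1234567890123, SSN 123-45-6789"
    ok = cloak(200, {"Server": "Apache/2.2.15", "Content-Type": "text/html"}, receipt)
    err = cloak(500, {"Server": "Apache/2.2.15", "X-Powered-By": "PHP/5.3"},
                "Fatal error: SQLSTATE[42000] near 'SELECT' in /var/www/app/db.php")
    return {"ok_headers": ok[1], "ok_body": ok[2], "err_status": err[0],
            "err_headers": err[1], "err_body_leaks": "SQLSTATE" in err[2]}
```

The receipt shows the edge case the slide's "recognizable patterns" wording hides: a 13-digit order number looks like a card number to a regex, so the masking step needs a validity check (here Luhn) to avoid mangling legitimate content, while the SSN and the Visa test number are masked to their last four digits.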


Security at Application, Protocol and Network Level: How Does It Work?

Diagram labels from the slide, in request/response order: request made → security policy checked → enforcement (actions: log, block, allow) → server response → security policy applied (content scrubbing, application cloaking) → response delivered.

Quote on the slide: “BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application.”

Detailed Logging with Actionable Reports

  • At-a-glance PCI compliance reports

  • Drill-down for information on security posture

Attack Expert System in ASM

The attack expert system makes responding to vulnerabilities faster and easier:

  • Violations are represented graphically, with an info tooltip to explain the violation.

  • The entire HTTP payload of each event is logged.

Beyond Security: Application Analytics for Assured Availability

  • Additional statistics integrated into ASM logs provide deeper intelligence grouped by application and user

  • Rules can be applied based on user behavior

  • Latency monitoring provides:

    • Business intelligence/capacity planning

    • Troubleshooting and performance tuning

    • Anomalous behavior detection

DDoS Mitigation

The slide arranges attack classes against the OSI stack (Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7)), with the difficulty of attack detection increasing up the stack, and lists the F5 mitigation technologies for each class:

  • Network attacks (layers 3-4)

    • Examples: SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks

    • F5 mitigation technologies (BIG-IP): SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

  • Session attacks (layers 5-6)

    • Examples: DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation

    • F5 mitigation technologies (BIG-IP LTM and GTM): high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

  • Application attacks (layer 7)

    • Examples: OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods

    • F5 mitigation technologies (BIG-IP ASM): positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

Automatic HTTP/S DoS Attack Detection and Protection

  1. Detect a DoS condition

  2. Identify potential attackers

  3. Drop only the attackers

  • Accurate detection technique—based on latency

  • Three different mitigation techniques escalated serially

  • Focus on higher value productivity while automatic controls intervene
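The detect / identify / drop flow and the latency-based detection point above, as an added Python model written for this page (not F5 code). The baseline latency, the detection factors, the escalation stages and the traffic windows are constructed assumptions; the slide says three mitigation techniques are escalated serially but does not name them, so the model uses a two-stage escalation (rate-limit suspects, then drop them) purely as illustration of the idea that controls tighten only while the condition persists and only for the sources that stand out.

```python
"""Constructed model of latency-based HTTP DoS detection with source-selective mitigation:
detect the condition from server latency, identify the sources whose request rate stands
out, act only on those. Added example for this page, not F5 code; thresholds, stages and
traffic are invented."""
from collections import Counter
from statistics import mean, median
from typing import Dict, List, NamedTuple, Optional


class Req(NamedTuple):
    src: str            # client address as the proxy sees it
    latency_ms: float   # server-side response time measured by the proxy


BASELINE_MS = 80.0      # learned normal latency for the application (constructed)
LATENCY_FACTOR = 2.0    # DoS condition: window latency above 2x baseline
RATE_FACTOR = 10.0      # suspect: a source sends >10x the typical source's request count


def dos_condition(window: List[Req]) -> bool:
    """Step 1: detect a DoS condition from latency, not from raw request volume."""
    return bool(window) and mean(r.latency_ms for r in window) > LATENCY_FACTOR * BASELINE_MS


def typical_rate(window: List[Req]) -> float:
    """Median requests per source in the window; robust against a few loud sources."""
    return median(Counter(r.src for r in window).values())


def suspect_sources(window: List[Req]) -> List[str]:
    """Step 2: identify potential attackers by request rate relative to the typical source."""
    limit = RATE_FACTOR * typical_rate(window)
    return sorted(src for src, n in Counter(r.src for r in window).items() if n > limit)


class Mitigator:
    """Step 3: act only on suspects, escalating while the condition persists.
    Stage 1 rate-limits each suspect to the typical rate; stage 2 drops suspects
    outright (a constructed two-stage escalation; the slide names no stages)."""

    def __init__(self) -> None:
        self.stage = 0

    def process_window(self, window: List[Req]) -> Dict:
        if not dos_condition(window):
            self.stage = 0                       # condition cleared: release all controls
            return {"dos": False, "stage": 0, "suspects": [], "dropped": 0, "passed": len(window)}
        self.stage = min(self.stage + 1, 2)
        suspects = set(suspect_sources(window))
        allowance = typical_rate(window) if self.stage == 1 else 0
        seen: Counter = Counter()
        dropped = 0
        for r in window:
            if r.src in suspects:                # legitimate clients are never touched
                seen[r.src] += 1
                if seen[r.src] > allowance:
                    dropped += 1
        return {"dos": True, "stage": self.stage, "suspects": sorted(suspects),
                "dropped": dropped, "passed": len(window) - dropped}


def build_window(clients: List[str], per_client: int, latency_ms: float,
                 attacker: Optional[str] = None, attacker_reqs: int = 0) -> List[Req]:
    """Constructed traffic window: every normal client sends per_client requests."""
    window = [Req(c, latency_ms) for c in clients for _ in range(per_client)]
    window += [Req(attacker, latency_ms) for _ in range(attacker_reqs) if attacker]
    return window


def demo() -> List[Dict]:
    """A quiet window, two windows under a constructed flood, then quiet again."""
    legit = [f"203.0.113.{i}" for i in range(1, 11)]          # ten normal clients
    quiet = build_window(legit, 3, latency_ms=70)              # 30 requests, healthy latency
    flood = build_window(legit, 3, latency_ms=400, attacker="198.51.100.66", attacker_reqs=200)
    m = Mitigator()
    return [m.process_window(quiet), m.process_window(flood),
            m.process_window(flood), m.process_window(quiet)]
```

Detection keys off latency rather than request count, which is what lets the same logic flag a slow, low-volume attack that degrades the server; identification then uses the per-source rate so that the ten normal clients keep getting served while the one outlier is first throttled and, if the condition persists into the next window, dropped.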

