slide1

F5 Traffic Optimization

Radovan Gibala, Field Systems Engineer, r.gibala@f5.com, +420 731 137 223

2007

datacenter without f5 adn
Datacenter Without F5 & ADN

Diagram: clients (Cell phone, PC - Home, Laptop - coffee shop, PC - LAN, PC - WAN) connect directly to six Web Servers, four App. Servers, MS SQL Server, Oracle, mySQL Server, two Windows file storage servers, EMC and NetApp. The slide marks many of the individual paths with an X.

datacenter with f5 s adn
Datacenter With F5's ADN

Diagram: the same clients (Cell, PC - Home, Remote - WAN, PC - LAN, WLAN) now reach the six Web Servers through Web Server Virtualization (LTM), the four App. Servers through Application Server Virtualization (LTM), and the Windows file storage, EMC and NetApp systems through File Storage Virtualization (ARX).

globalization success collaboration
Globalization: Success = Collaboration

“Over the next 15 years markets will become even more global, functions within their organizations will atomize across geographies and partners, and competition will intensify from new corners of the world.”

- Economist Intelligence Unit, Foresight 2020 Study

slide6

Diagram: five requirement areas laid out around the data center: Business Continuity, HA & Disaster Recovery; User Experience & App Performance; App Security & Data Integrity; Managing Scale & Consolidation; Unified Security Enforcement & Access Control.

slide7

Diagram: the same five areas plus Storage Growth, arranged around the three things being delivered: People, Apps and Data.


slide9

Diagram: the same areas, each with the functions that address it (bullets listed in the order they appear on the slide).

Business Continuity, HA & Disaster Recovery
  • WAN Virtualization
  • File Virtualization
  • DC to DC Acceleration
  • Virtualized VPN Access

User Experience & App Performance / App Security & Data Integrity
  • AAA
  • Data Protection
  • Transaction Validation
  • Asymmetric & Symmetric Acceleration
  • Server Offload
  • Load Balancing

People / Apps / Data; Storage Growth; Managing Scale & Consolidation
  • Virtualization
  • Migration
  • Tiering
  • Load Balancing
  • Virtualized App & Infrastructure
  • Server & App Offload
  • Load Balancing

Unified Security Enforcement & Access Control
  • Remote, WLAN & LAN Central Policy Enforcement
  • End-Point Security
  • Encryption
  • AAA

slide10

Diagram: the same areas, now labelled with the Application Delivery Network products that serve them.

Business Continuity, HA & Disaster Recovery (BIG-IP LTM • GTM • LC • WA; FirePass • ARX • WJ)
  • WAN Virtualization
  • File Virtualization
  • DC to DC Acceleration
  • Virtualized VPN Access

User Experience & App Performance (BIG-IP LTM • GTM • WA • ARX • WJ) / App Security & Data Integrity (BIG-IP LTM • ASM; FirePass)
  • AAA
  • Data Protection
  • Transaction Validation
  • Asymmetric & Symmetric Acceleration
  • Server Offload
  • Load Balancing

People / Apps / Data; Storage Growth (ARX); Managing Scale & Consolidation (BIG-IP GTM; BIG-IP LTM • GTM • LC • WA; FirePass • ARX • WJ)
  • Virtualization
  • Migration
  • Tiering
  • Load Balancing
  • Virtualized App & Infrastructure
  • Server & App Offload
  • Load Balancing

Unified Security Enforcement & Access Control (FirePass; BIG-IP LTM • GTM)
  • Remote, WLAN & LAN Central Policy Enforcement
  • End-Point Security
  • Encryption
  • AAA

acceleration functional groups
Acceleration Functional Groups
  • Tier 1 Acceleration – Network Offload

200% – 300% performance improvement

  • Tier 2 Acceleration – Server Offload

200% – 500% performance improvement

  • Tier 3 Acceleration – Application Offload

200% – 1000% performance improvement

acceleration functional areas and the effect on infrastructure
Acceleration Functional Areas and the Effect on Infrastructure

Diagram: Client Browser -> Internet or WAN -> MyCSP Server Infrastructure. Page Load Time is made up of Page Delivery Time (across the Internet or WAN) and Page Generation Time (inside the server infrastructure). This first build shows Server Offload only; the two remaining-time figures on the slide read 75% and 60%.

  • Server Offload
    • Compression
    • Dynamic Caching
    • Content Spooling
    • OneConnect
    • Rate Shaping
    • Connection limit

acceleration functional areas and the effect on infrastructure13
Acceleration Functional Areas and the Effect on Infrastructure

Diagram: same layout (Client Browser, Internet or WAN, MyCSP Server Infrastructure; Page Load Time = Page Delivery Time + Page Generation Time). Network Acceleration is added alongside Server Offload and the figures drop to 60% and 40%.

  • Network Acceleration
    • Compression
    • Dynamic Caching
    • TCP Express
  • Server Offload
    • Compression
    • Dynamic Caching
    • Content Spooling
    • OneConnect
    • Rate Shaping
    • Connection limit
acceleration functional areas and the effect on infrastructure14
Acceleration Functional Areas and the Effect on Infrastructure

Diagram: same layout. Differential Compression, QoS and Security/authentication are added to Network Acceleration and the figures drop to 35% and 25%.

  • Server Offload
    • Compression
    • Dynamic Caching
    • Content Spooling
    • OneConnect
    • Rate Shaping
    • Connection limit
  • Network Acceleration
    • Compression
    • Dynamic Caching
    • TCP Express
    • Differential Compression
    • QoS
    • Security/authentication
acceleration functional areas and the effect on infrastructure15
Acceleration Functional Areas and the Effect on Infrastructure

Diagram: same layout. Application Acceleration is added as the third group and the figures drop to 10% and 10%.

  • Server Offload
    • Compression
    • Dynamic Caching
    • Content Spooling
    • OneConnect
    • Rate Shaping
    • Connection limit
  • Application Acceleration
    • IBR (Dynamic Content Control)
    • Multi-Connect
    • Dynamic Linearization
    • Dynamic Caching
    • Dynamic Compression
    • SSL Acceleration
  • Network Acceleration
    • Compression
    • Dynamic Caching
    • TCP Express
    • Differential Compression
    • QoS
    • Security/authentication
how to achieve the requirements
How To Achieve the Requirements?

Diagram: the Application in the middle. On one side the Network Administrator, with Multiple Point Solutions and More Bandwidth ("Add More Infrastructure?"); on the other the Application Developer ("Hire an Army of Developers?").

the result a growing network problem
The Result: A Growing Network Problem

Diagram: Users (Mobile Phone, PDA, Laptop, Desktop) reach Applications (SFA, CRM, ERP, Customised Application, Co-location) through a stack of separate Network Point Solutions: DoS Protection, Rate Shaping, SSL Acceleration, Server Load Balancer, Content Acceleration, Application Firewall, Connection Optimisation, Traffic Compression.

f5 s integrated solution
F5's Integrated Solution

Diagram: the same Users (Mobile Phone, PDA, Laptop, Desktop) reach the Applications (CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom, Co-location) through a single Application Delivery Network built on TMOS.

the most intelligent and adaptable solution
The Most Intelligent and Adaptable Solution

Diagram: a Programmable Application Network giving Unified Application Infrastructure Services, Targeted and Adaptable Functions, and Complete Visibility and Control of Application Flows. TM/OS with the Universal Inspection Engine (UIE) and Fast Application Proxy sits between the Client Side and the Server Side. GUI-Based Application Profiles provide Repeatable Policies; iRules provide a Programmable Network Language. Services shown: Security, Optimisation, Delivery, Compression, TCP Offloading, Load Balancing. Examples shown: New Service, News Website.

architect for virtualized applications and resources leverage network services
Architect for Virtualized Applications and Resources; Leverage Network Services

Diagram: Users reach Applications in the Data Center and an International Data Center. Services shown:

  • Policy-based, centralized ADN management
  • Application & server virtualization, SOA component support, application load-balancing, switching, filtering
  • Intelligent & policy-based DNS; support for virtualization & SOA components
  • Symmetric WAN optimization & application acceleration services
  • Universal client and system application & network VPN services
  • Bi-directional application-aware multi-homing & QoS services
  • Bi-directional application firewall services
  • Asymmetric application acceleration
  • Open SOAP/XML API & SDK
  • IP Proxy O/S

a better alternative virtualize and unify network services and offload the application
A Better Alternative: Virtualize and Unify Network Services and Offload the Application

Diagram: BIG-IP sits between the Network and the Database System and provides three groups of services.

AVAILABLE

  • Comprehensive Load Balancing
  • Advanced Application Switching
  • Customized Health Monitoring
  • Intelligent Network Address Translation
  • Intelligent Port Mirroring
  • Universal Persistence
  • Response Error Handling
  • Session / Flow Switching
  • IPv6 Gateway
  • Advanced Routing

SECURE

  • DoS and SYN Flood Protection
  • Network Address/Port Translation
  • Application Attack Filtering
  • Certificate Management
  • Resource Cloaking
  • Advanced Client Authentication
  • Firewall - Packet Filtering
  • Selective Content Encryption
  • Cookie Encryption
  • Content Protection
  • Protocol Sanitization
  • Application Security Module

FAST

  • SSL Acceleration
  • Quality of Service
  • Connection Pooling
  • Intelligent Compression
  • L7 Rate Shaping
  • Content Spooling/Buffering
  • TCP Optimization
  • Content Transformation
  • Caching
tcp express
TCP Express
  • Behaviours of a good TCP/IP implementation:
    • Proper congestion detection.
    • Good congestion recovery.
    • High bandwidth utilization.
      • Being too aggressive can let individual connections consume all of the network.
      • Not being aggressive enough leaves bandwidth unused, especially when there are few connections.
      • It always needs to adapt to changing congestion.
    • Increased windowing and buffering will often compensate for latency and can also offload the application equipment more quickly.
  • The most important tuning you can do in TCP typically concerns window sizes and retransmission logic (i.e. congestion control behaviour).
  • On today's networks, loss is almost always caused by congestion.
    • Most TCP stacks are not aggressive enough.
f5 s tcp congestion control algorithms
F5's TCP Congestion Control Algorithms
  • Reno Congestion Control
    • Original TCP fast recovery algorithm based on BSD Reno.
    • Initially grows the congestion window (CWND) exponentially during the slow-start period.
    • After slow start, increases CWND by 1 MSS for each CWND's worth of data ACKed, i.e. one MSS per RTT (linear growth).
    • When loss or a recovery episode is detected, CWND is cut in half.
  • New Reno modifications (this is currently the default mode)
    • Improves on the Reno behaviour during recovery.
    • When entering a recovery episode, implements fast retransmit: each partial ACK (an ACK below the recovery threshold) triggers a one-time resend of the segment starting at the ACKed sequence number.
    • Results in the missing data being resent more aggressively and the recovery period being exited sooner.
  • Scalable TCP (added in 9.4)
    • Improves on the NewReno behaviour.
    • Upon loss, CWND is reduced by only 1/8.
    • Once out of slow start, CWND grows by 0.01 MSS per ACK, i.e. by about 1% of CWND per RTT, so growth is proportional to the window rather than linear.
  • HighSpeed (added in 9.4; this is the RFC 3649 HighSpeed TCP response function, not something F5-proprietary)
    • Similarly improves on the NewReno behaviour, in combination with Scalable-style growth.
    • Progressively switches from NewReno behaviour to more aggressive behaviour as CWND grows.
      • Upon loss, CWND is reduced by somewhere between 1/2 (small windows, where it behaves exactly like NewReno) and about 1/10 (very large windows).
      • Per RTT, CWND grows by between 1 MSS (small windows) and roughly 70 MSS (very large windows), depending on the current CWND.
slide25

Chart: congestion window growth over time for New Reno, Scalable and HighSpeed.
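The response functions described on the congestion control slide, as an added worked example (this is not F5 code and not TMM's implementation): a per-RTT congestion window model that applies each algorithm's increase rule and loss decrease, so you can see why a large window takes Reno thousands of RTTs to regain after a single loss while Scalable TCP needs a handful. HighSpeed uses the RFC 3649 constants; slow start and loss handling are simplified (no fast-recovery modelling, ssthresh set to the reduced window). Function names and the 10,000-MSS scenario are choices made here.

```python
"""Per-RTT congestion window model of the BIG-IP congestion control modes named
on the slide (Reno/NewReno, Scalable TCP, HighSpeed TCP).  Added example, not F5
code: it reproduces the published response functions, not TMM's implementation."""
import math

# RFC 3649 HighSpeed TCP constants: below W_LOW it behaves exactly like Reno,
# at W_HIGH it backs off by only HIGH_DECREASE on a loss.
W_LOW, W_HIGH, HIGH_DECREASE = 38.0, 83000.0, 0.1


def hs_b(w: float) -> float:
    """Multiplicative decrease on loss: 0.5 at w<=38, falling to 0.1 at w=83000."""
    if w <= W_LOW:
        return 0.5
    frac = (math.log(w) - math.log(W_LOW)) / (math.log(W_HIGH) - math.log(W_LOW))
    return (HIGH_DECREASE - 0.5) * frac + 0.5


def hs_a(w: float) -> float:
    """Additive increase per RTT in MSS: 1 at w<=38, about 70 at w=83000."""
    if w <= W_LOW:
        return 1.0
    p = 0.078 / w ** 1.2          # loss rate the RFC 3649 response function targets
    b = hs_b(w)
    return w * w * p * 2.0 * b / (2.0 - b)


# (increase per RTT in MSS, fraction of cwnd given up on a loss)
ALGORITHMS = {
    "reno":      (lambda w: 1.0,       lambda w: 0.5),
    "newreno":   (lambda w: 1.0,       lambda w: 0.5),    # same window rules as Reno; differs in recovery only
    "scalable":  (lambda w: 0.01 * w,  lambda w: 0.125),  # +0.01 MSS per ACK == +1% per RTT; -1/8 on loss
    "highspeed": (hs_a,                hs_b),
}


def simulate(algo: str, start_w: float, ssthresh: float, rtts: int, loss_at=()) -> list:
    """Return cwnd (in MSS) after each RTT; `loss_at` lists the RTT numbers that see a loss."""
    inc, dec = ALGORITHMS[algo]
    w = float(start_w)
    trace = [w]
    for rtt in range(rtts):
        if rtt in loss_at:
            w = max(2.0, w * (1.0 - dec(w)))   # back off; the reduced window is the new ssthresh
            ssthresh = w
        elif w < ssthresh:
            w = min(2.0 * w, ssthresh)        # slow start: the window doubles every RTT
        else:
            w += inc(w)                       # congestion avoidance
        trace.append(w)
    return trace


def rtts_to_regain(algo: str, w_at_loss: float, limit: int = 10_000_000) -> int:
    """RTTs needed to climb back to the pre-loss window after one loss at w_at_loss."""
    inc, dec = ALGORITHMS[algo]
    w = w_at_loss * (1.0 - dec(w_at_loss))
    n = 0
    while w < w_at_loss and n < limit:
        w += inc(w)
        n += 1
    return n


if __name__ == "__main__":
    # A 10,000-MSS window on a long fat pipe: the "not aggressive enough" stack
    # from the TCP Express slide needs thousands of RTTs to recover from one loss.
    for algo in ("reno", "scalable", "highspeed"):
        print(f"{algo:10s} regains a 10000-MSS window in {rtts_to_regain(algo, 10000)} RTTs")
```

The point of the model is the recovery time, not the exact curve: with a 10,000-MSS window Reno drops to 5,000 and adds one MSS per RTT, so it needs 5,000 RTTs; Scalable drops only to 8,750 and grows by 1% per RTT, so it needs 14; HighSpeed sits in between because its increase and decrease both depend on the window size.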

oneconnect connection pooling
OneConnect™ – Connection Pooling
  • Increase server capacity by 30%
    • Aggregates a massive number of client requests into fewer server-side connections
  • Transformation from HTTP 1.0 to 1.1 for server connection consolidation
  • Maintains intelligent load balancing to dedicated content servers

Good Sources:

http://tech.f5.com/home/bigip/solutions/traffic/sol1548.html

http://www.f5.com/solutions/archives/whitepapers/httpbigip.html

oneconnect review
OneConnect™ Review
  • OneConnect™ causes each request to be individually load-balanced among members of the same pool and potentially uses pre-established connections from a server connection pool.
  • The client connection is detached after each server response has been received and the server-side connection is optionally saved for reuse in a connection pool.
  • The OneConnect™ source mask profile settings control the behavior of the server connection pool.
  • iRule commands also can control OneConnect™ behavior:
    • “ONECONNECT::detach disable” will cause the client and server to stay connected (as if OneConnect™ was not enabled).
    • “ONECONNECT::reuse disable” will cause the recently used server-side connection to be discarded after use.
oneconnect new and improved
OneConnect™ New and Improved

Diagram: HTML, GIF and ASP server pools receive requests for index.htm, sales.htm, a.gif, b.gif, d.gif, e.gif, c.asp and f.asp.

HTTP Request Pooling
  • Streamlines single client requests to BIG-IP
  • Enabled by HTTP 1.1
  • Avg. reduction is 20 to 1 per web page (the slide shows 20 client requests for index.htm, a.gif, b.gif, c.asp and so on carried over 1 connection)

1) OneConnect™ Content Switching
  • Intelligent load balancing to dedicated content servers (index.htm to the HTML pool, a.gif and b.gif to the GIF pool, c.asp to the ASP pool)
  • Maintain server logging

2) OneConnect™ HTTP transformations (New)
  • Transformation from HTTP 1.0 to 1.1 for server connection consolidation (many client connections become one server connection)

3) OneConnect™ Connection Pooling
  • Aggregates a massive number of client requests into fewer server-side connections
oneconnect facts
OneConnect™ Facts
  • OneConnect™ does not affect the parsing of HTTP or the execution of iRule events like HTTP_REQUEST or HTTP_RESPONSE.
    • iRule events are triggered for every request regardless of whether the OneConnect™ profile is being used or not.
  • Without OneConnect™, the first request is load-balanced to a member within the selected pool. Subsequent requests on that connection are NOT load-balanced to other members within the same pool.
    • If the pool selection changes, then a new load-balancing selection is made.
    • A change in the persistence key does not trigger a new load-balancing decision, and persistence will therefore appear not to be working.
    • LB::detach or OneConnect™ causes a new load-balancing decision to be made on every request.
  • After each request, the pool is NOT reset to a default pool. Any previous pool selection is always the default.
    • Unless you explicitly set a pool in all conditions, you may believe that a request is not getting load-balanced correctly when OneConnect™ is not enabled.
  • OneConnect™ tracks the server connection by the locally originating IP address.
    • Using a SNAT affects the criteria for reuse of the server connection.
    • If you are using a SNAT with OneConnect™, two different clients' requests may share the same server connection.
      • If this is not acceptable behaviour, disable reuse by either setting the source mask to none or using the ONECONNECT::reuse disable iRule command.
content spooling
Content Spooling

Problem: TCP Overhead on Servers

  • There is overhead in breaking content apart ("chunking" it into segments)
  • Client and server negotiate TCP segmentation
  • The client forces more segmentation than is good for the server
  • The server is burdened with breaking content into small pieces for the client's consumption

Solution

Slurp up the server response (take the whole response from the server as fast as it can send it), then spoon-feed it to clients at their own pace.

Benefit: increases server capacity by up to 15%

http compression33
HTTP Compression
  • Compression works most efficiently when rechunking responses.
  • An unchunked response must be completely buffered while being compressed, since the new Content-Length cannot be determined until compression has finished. This can introduce significant latency.
  • When compression is enabled, the profile settings "response selective chunk" or "response rechunk" are highly recommended.

A clear conscience is usually the sign of a bad memory.

what is ram cache
What is RAM Cache
  • RAM cache is a cache of HTTP objects stored in the BIG-IP system's RAM that are reused by subsequent connections to reduce the load on the back-end servers
  • RAM cache became available in 9.0.5
  • RAM cache is an additional module
  • It is part of the "Application Accelerator" package
  • It is integrated with the HTTP profile
  • HTTP caching semantics are defined in RFC 2616 (HTTP/1.1, section 13); RFC 1945 (HTTP/1.0) defines only the basic Expires/Pragma handling
what is ram cache used for
What is RAM cache used for?

The RAM Cache feature reduces the traffic load on back-end servers by caching high-demand objects and static content, and by storing compressed content.
  • High demand objects: useful if a site has periods of high demand for specific content. With RAM Cache configured, the content server only has to serve the content to the BIG-IP system once per expiration period.
  • Static content: also useful if a site consists of a large quantity of static content such as CSS, JavaScript, images and logos.
  • Content compression: for compressible data, the RAM Cache can store the compressed form for clients that accept compressed data. Used together with the compression feature on the BIG-IP system, the RAM Cache takes stress off both the BIG-IP system and the content servers, since the object is compressed once rather than on every request.
what can ram cache cache
What can RAM cache cache?

The RAM Cache feature follows the caching rules described in RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1. This means that you can configure RAM Cache to cache the following:

  • 200 (OK), 203 (Non-Authoritative Information), 206 (Partial Content), 300 (Multiple Choices), 301 (Moved Permanently) and 410 (Gone) responses
  • Responses to GET methods by default
  • Other HTTP methods for URIs specified in the URI Include list or specified in an iRule
  • Separate variants based on the User-Agent and Accept-Encoding values: the RAM Cache holds different content for different values of the request headers named in Vary

what can ram cache cache38
What can RAM cache cache?
  • By default, only responses to GET methods are cached.
  • Responses marked Cache-Control: public can be cached.
  • Non-GET methods can be cached by including the URI in the include list, or the decision can be overridden from an iRule.
    • Conditional GETs and HEADs can be answered from cached data.
  • Range requests are passed up to the server.
what items will not cache
What items will not cache?
  • The items we do not cache:
    • Private data, as specified by Cache-Control headers
    • No-cache forces caches to submit the request to the origin server for validation.
    • No-store tells the cache server not to store the object.
    • Must-revalidate forces the cache to obey freshness information.
    • HEAD, POST, PUT, DELETE, TRACE and CONNECT methods
    • Any data that is marked "un-cacheable" by the server via its Cache-Control headers is not cached.

(this can be overridden via an iRule or by including the URI in the include list)

ram cache header manipulation
RAM Cache Header manipulation
  • Enabling the RAM Cache on a virtual causes the "HTTP/1.1" string in request headers to be rewritten to "HTTP/1.0".
    • The server thinks it is talking to a 1.0 client, for simplicity's sake.
    • A "Connection: Keep-Alive" header is added to allow persistent server connections.
    • All Cookie headers are removed.
    • The following headers are hop-by-hop headers and are modified accordingly when served:
      • Connection:
      • Keep-Alive:
      • Transfer-Encoding:
    • The Date header is added (this reflects the current time on the BIG-IP).
    • The Age header is added (this reflects the amount of time the document has been in the cache).
    • All other headers are considered end-to-end and stored as is.
ram cache header manipulation41
RAM Cache Header manipulation
  • Header manipulation for Cached Content
  • The following headers prevent caching of an object:
    • Authenticate:
    • WWW-Authenticate:
    • Proxy-Authenticate:
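The cacheability rules and header rewrites from the RAM Cache slides above, as an added example in Python (not F5 code): cache_decision applies the default-method, status, Range, Cache-Control, authentication-header and Vary rules and returns the key a variant would be stored under; the other three functions mirror the request rewrite, hop-by-hop stripping and Date/Age insertion the header manipulation slides describe. The handling of the Authorization request header follows RFC 2616 section 14.8 and is an addition not on the slides; the sample headers used in the tests are constructed.

```python
"""Cacheability decision and header rewriting following the RAM Cache rules on
the preceding slides (RFC 2616 defaults, include-list/iRule override, Vary,
hop-by-hop handling, Date/Age).  Added example, not F5 code."""
import email.utils
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CACHEABLE_STATUS = {200, 203, 206, 300, 301, 410}                # RFC 2616 13.4 defaults
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding"}   # the slide's list
AUTH_RESPONSE_HEADERS = {"authenticate", "www-authenticate", "proxy-authenticate"}


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def cache_control_directives(value: str) -> set:
    """'private, max-age=60' -> {'private', 'max-age'} (directive values not needed here)."""
    return {p.strip().split("=", 1)[0].lower() for p in value.split(",") if p.strip()}


@dataclass(frozen=True)
class Decision:
    cacheable: bool
    reason: str
    key: Optional[Tuple] = None          # what the cache indexes the stored variant by


def cache_decision(method: str, uri: str, status: int, req_headers: Dict[str, str],
                   resp_headers: Dict[str, str], uri_include: Tuple[str, ...] = (),
                   irule_override: bool = False) -> Decision:
    req, resp = _lower(req_headers), _lower(resp_headers)
    method = method.upper()
    overridden = uri in uri_include or irule_override   # slide: URI include list / iRule
    if method != "GET" and not overridden:
        return Decision(False, f"{method} responses are not cached by default")
    if "range" in req:
        return Decision(False, "Range requests are passed to the server")
    if status not in CACHEABLE_STATUS:
        return Decision(False, f"status {status} is not cacheable by default")
    cc = cache_control_directives(resp.get("cache-control", ""))
    forbidding = cc & {"private", "no-cache", "no-store"}
    if forbidding and not overridden:
        return Decision(False, f"Cache-Control {sorted(forbidding)} forbids storing")
    if AUTH_RESPONSE_HEADERS & set(resp):
        return Decision(False, "authentication challenges are never cached")
    if "authorization" in req and "public" not in cc:      # RFC 2616 14.8 (added here)
        return Decision(False, "response to an authorized request not marked public")
    # Slide: one stored variant per combination of the request headers named in Vary
    vary = tuple(sorted((h.strip().lower(), req.get(h.strip().lower(), ""))
                        for h in resp.get("vary", "").split(",") if h.strip()))
    return Decision(True, "cacheable", (method, uri) + vary)


def rewrite_request_for_server(request_line: str, headers: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Slide: with RAM Cache on, the upstream request goes out as HTTP/1.0 with
    Connection: Keep-Alive added and every Cookie header removed."""
    out = {k: v for k, v in headers.items() if k.lower() != "cookie"}
    out["Connection"] = "Keep-Alive"
    return request_line.replace("HTTP/1.1", "HTTP/1.0"), out


def headers_for_storage(resp_headers: Dict[str, str]) -> Dict[str, str]:
    """End-to-end headers are stored as-is; hop-by-hop ones are dropped."""
    return {k: v for k, v in resp_headers.items() if k.lower() not in HOP_BY_HOP}


def serve_from_cache(stored: Dict[str, str], stored_at: float, now: float,
                     keep_alive: bool) -> Dict[str, str]:
    """Slide: Date reflects the BIG-IP clock, Age the time spent in the cache, and
    the hop-by-hop headers are regenerated for the client-side connection."""
    out = dict(stored)
    out["Date"] = email.utils.formatdate(now, usegmt=True)
    out["Age"] = str(int(now - stored_at))
    out["Connection"] = "Keep-Alive" if keep_alive else "close"
    return out
```

The override flag deliberately bypasses the method and Cache-Control checks but not the authentication-header check, matching the slides: an include-list entry or iRule can force a POST or a no-cache object into the cache, while a WWW-Authenticate challenge is never stored.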
ssl profiles overview
SSL Profiles Overview

A profile is a collection of protocol, application, or other feature-specific attributes. One or more profiles are associated with a virtual server.

A profile tells a virtual server how to process traffic destined for it, based on the profile's configuration.

For example, the ability to process SSL traffic is configured using the SSL profile.

ssl profile overview
SSL Profile Overview

Diagram: the TCP hudproxy sits between the Clientside (Recv Request) and the Serverside (Send Request). The filter chain runs: client-side TCP hudfilter -> SSL hudfilter -> HTTP hudfilter -> server-side TCP hudfilter.

  • Hudfilters: Dev term for profiles. Modular filters chain together to customize traffic.
  • Hudproxy: Dev term for the 9.x Full Proxy engine software where LB, iRules, SNATs etc. reside.
ssl profiles overview45
SSL Profiles Overview

TMM is a full-proxy engine: it treats the client and server sides of a connection as completely independent.

The proxy engine is a "connection broker" that relates these two independent connections.

TMM uses profiles to adjust application- or feature-specific attributes.

ssl profiles overview46
SSL Profiles Overview

Profiles start at the Transport layer and cover the different layers of the stack up to the application layer.

"Protocol" profiles (e.g. TCP) reside at the Transport layer of the TCP/IP protocol stack.

"Services" profiles (e.g. HTTP) reside at the Application layer.

"SSL" profiles reside between the Application and Transport layers.

syn cookies concept
Syn Cookies: Concept

The concept behind a SYN cookie is to protect servers from a denial of service aimed at the initial TCP three-way handshake, the "SYN flood".

In setting up a TCP handshake the requesting client sends a SYN packet to the destination server.

The server responds to the client's SYN with a SYN/ACK to acknowledge the request, and reserves state (a half-open connection) for the requester.

This becomes a resource problem if a large number of SYN requests that are never completed are directed at the server, since the server reserves state for each request and then waits for the client to answer its SYN/ACK with an ACK.

syn cookies sockets resources
Syn Cookies: Sockets & resources

A little about servers, sockets, and how a DoS built from initial SYN packets impacts a server.

When a server receives a SYN to initiate a TCP handshake, it responds to the initiating client with a SYN/ACK and allocates a half-open socket for the client to continue the TCP session.

A server can hold only a limited number of these half-open connections (its listen backlog) at one time. Once all of them are occupied, waiting for clients to continue their TCP session with the final ACK, the server can no longer accept new connections.

This effectively stops access to the server.

syn cookies concept50
Syn Cookies: Concept

Once the server has used up its resources on "half-open" sockets from an overwhelming number of SYN requests, it begins to refuse new legitimate SYN requests and stops honouring legitimate current client connections.

To avoid this state, a way of tracking SYNs without holding state for them was invented. This is where the name "syn cookies" was coined.

A SYN cookie is quite different from a traditional HTTP-style cookie for several reasons.

The cookie is not a token the client stores and presents on later connections: it is encoded in the initial sequence number the server puts in its SYN/ACK, and the client returns it automatically (plus one) in the acknowledgment number of its ACK without knowing it is a cookie.

The server keeps no per-connection state for half-open connections. It keeps only the secret seeds (see below) needed to recompute the cookie when the ACK arrives and check that it matches the one it issued.

syn cookies and bigip
Syn Cookies and BigIP

How does the BigIP utilize SYN cookies?

The BigIP implementation of SYN cookies is fairly standard, like the one in Linux systems. There is one key difference however (for now).

The MSS is hard set by the BigIP, whereas the Linux implementation keeps the value negotiated with the client (encoded in the cookie).

In regards to when SYN cookies are used, the BigIP and Linux implementations are about equal.

syn cookies when are they used
Syn Cookies: When are they used?

SYN cookies were designed to thwart SYN-based DoS attacks.

Early implementations of SYN cookies had problems handling dropped/retransmitted packets. Because of this, SYN cookies are enabled only once a threshold of concurrent connections is exceeded, rather than all the time.

The threshold is user configurable and defaults to 150,000 on the BigIP.

The BigIP has been designed to avoid issues with resends by storing the last 40 random seeds and updating these every 100 ms, so a cookie issued under a recent seed still verifies when the client's ACK is delayed or retransmitted.

syn cookies and bigip globals
Syn Cookies and BigIP globals

The threshold at which SYN cookies start being used on a BigIP can be adjusted in two places; whichever threshold is lower is the one that takes effect.

There is a system-wide global setting, set to the previously mentioned default of 150,000.

syn cookies and virtuals
Syn Cookies and Virtuals

The BigIP also offers the ability to set a concurrent connection threshold on a per virtual basis.

b virtual 10.1.0.1:80 syncookie_threshold 2000

b save

Keep in mind if the global setting on the BigIP for syncookie_threshold is lower than the virtual's setting for the threshold the global will be used.

syn cookies bigip details
Syn Cookies & BigIP details

When the BigIP is using SYN cookies for an L4 connection it uses delayed binding: the client's initial SYN is not forwarded to the server until the client has completed the three-way handshake, which proves it can receive the SYN/ACK and is not a spoofed source. To keep a bogus SYN from reaching the server we advertise an initial window size of zero bytes in our SYN/ACK; after the three-way handshake has succeeded we send a window update to the client.

This complexity is not required for L7, because an L7 virtual is already a full proxy: the client-side handshake is completed on the BigIP before any server-side connection is opened.

Thus a SYN-style DoS attack never reaches the backend servers.
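The mechanism described across the SYN cookie slides, as an added example (not F5 code, and not BIG-IP's actual cookie format): a listener that answers every SYN with a keyed-hash cookie as its ISN, stores nothing per SYN, keeps a window of the last 40 seeds as the slides describe, and hard-sets the MSS from a small table because only a couple of cookie bits are left for it. The cookie layout (6-bit seed id, 2-bit MSS index, 24-bit HMAC), the MSS table and the addresses in the flood scenario are assumptions made here.

```python
"""Stateless SYN cookie listener, the technique the SYN cookie slides describe.
Added example, not F5 code: cookie layout, MSS table and the 40-seed window are
assumptions chosen to match the slides, not BIG-IP's real format."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Only two cookie bits are left for the MSS, so the listener "hard sets" it to
# one of a few fixed values (assumed table) instead of what the client offered.
MSS_TABLE = (536, 1220, 1440, 1460)
SEED_WINDOW = 40      # slide: the last 40 random seeds are kept
SEED_ID_BITS = 6      # 64 ids > 40 live seeds, so an id is unambiguous inside the window
HASH_MASK = (1 << 24) - 1


def keyed_hash(seed: bytes, saddr: str, daddr: str, sport: int, dport: int) -> int:
    """24-bit keyed hash of the 4-tuple; without `seed` an attacker cannot forge it."""
    msg = f"{saddr}|{daddr}".encode() + struct.pack("!HH", sport, dport)
    return int.from_bytes(hmac.new(seed, msg, hashlib.sha256).digest()[:3], "big")


def mss_index(client_mss: int) -> int:
    """Largest table entry that does not exceed what the client advertised."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


@dataclass
class SynCookieListener:
    seeds: List[Tuple[int, bytes]] = field(default_factory=list)   # (id, seed), oldest first
    next_seed_id: int = 0
    established: List[Tuple[str, int]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.rotate_seed()

    def rotate_seed(self) -> None:
        """Slide: seeds are refreshed every 100 ms and the last 40 kept, so a delayed
        or retransmitted ACK still verifies against the seed it was issued under."""
        self.seeds.append((self.next_seed_id, os.urandom(16)))
        self.next_seed_id = (self.next_seed_id + 1) % (1 << SEED_ID_BITS)
        if len(self.seeds) > SEED_WINDOW:
            self.seeds.pop(0)

    def on_syn(self, saddr: str, daddr: str, sport: int, dport: int, client_mss: int) -> int:
        """Answer a SYN: return the ISN for the SYN/ACK.  Nothing is stored per SYN,
        which is why a flood of spoofed SYNs costs the listener no memory."""
        seed_id, seed = self.seeds[-1]
        h = keyed_hash(seed, saddr, daddr, sport, dport)
        return (seed_id << 26) | (mss_index(client_mss) << 24) | (h & HASH_MASK)

    def on_ack(self, saddr: str, daddr: str, sport: int, dport: int, ack_num: int) -> Optional[int]:
        """Third packet of the handshake: the client echoes our ISN + 1.  Rebuild the
        cookie from the 4-tuple and the seed it names; return the MSS on success."""
        cookie = (ack_num - 1) & 0xFFFFFFFF
        seed_id, mss_idx, h = cookie >> 26, (cookie >> 24) & 0x3, cookie & HASH_MASK
        for sid, seed in self.seeds:
            if sid != se_id_placeholder if False else seed_id:
                continue
            expected = keyed_hash(seed, saddr, daddr, sport, dport) & HASH_MASK
            if hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
                self.established.append((saddr, sport))
                return MSS_TABLE[mss_idx]
            return None                       # wrong 4-tuple or a guessed cookie
        return None                           # seed aged out of the window: the client retries


def flood_then_legit(n_bogus: int) -> Tuple[int, Optional[int], Optional[int]]:
    """Constructed scenario: n_bogus spoofed SYNs that never ACK, then one real client.
    Returns (connections established, MSS granted to the real client, and the result
    of replaying its cookie from a different source address)."""
    listener = SynCookieListener()
    for i in range(n_bogus):                  # attacker: spoofed sources, never answers
        listener.on_syn(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",
                        "192.0.2.10", 1024 + (i % 60000), 80, 1460)
    isn = listener.on_syn("198.51.100.7", "192.0.2.10", 51000, 80, 1460)
    mss = listener.on_ack("198.51.100.7", "192.0.2.10", 51000, 80, isn + 1)
    replay = listener.on_ack("198.51.100.8", "192.0.2.10", 51000, 80, isn + 1)
    return len(listener.established), mss, replay
```

Two things to notice when running it: the listener's memory use does not grow with the flood (the seeds list is the only state, and it is capped at 40 entries), and a cookie that verifies today stops verifying once its seed has rotated out of the window, which is the trade-off the slide alludes to when it ties the seed window to retransmission handling.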

what are irules
What are iRules?

Programming language integrated into TMOS

Traffic Management Operating System

Based on industry standard TCL language

Tool Command Language

Provide ability to intercept, inspect, transform, direct and track inbound or outbound application traffic

Core of the F5 “secret sauce” and key differentiator

how do irules work
How do iRules Work?
  • iRules allow you to perform deep packet inspection (entire header and payload)
  • Coded around events (HTTP_REQUEST, HTTP_RESPONSE, CLIENT_ACCEPTED etc.)
  • Full scripting language allows for extremely granular control of inspection, alteration and delivery on a packet-by-packet basis

Diagram: requests arrive, the iRule is triggered and HTTP events fire (HTTP_REQUEST, HTTP_RESPONSE, etc.); the original request leaves as a modified request*, and responses come back as modified responses*.

*Note: BIG-IP's bi-directional proxy capabilities allow it to inspect, modify and route traffic at nearly any point in the traffic flow, regardless of direction.

centralized transaction assurance proactive response error handling for higher availability
The Better Alternative Example: Centralized Availability, Security & Acceleration

Centralized Transaction Assurance: Proactive Response Error Handling for Higher Availability

    rule redirect_error_code {
        when HTTP_REQUEST {
            # Remember the URI so the response handler can redirect to it.
            set my_uri [HTTP::uri]
        }
        when HTTP_RESPONSE {
            # Server error: send the client to the fallback host for the same URI.
            if { [HTTP::status] == 500 } {
                HTTP::redirect "http://192.168.33.131$my_uri"
            }
        }
    }

Centralized Data Protection: Rewrite, Remove, Block and/or Log Sensitive Content

    rule protect_content {
        when HTTP_RESPONSE {
            # HTTP_RESPONSE_DATA only fires for payload that has been collected.
            HTTP::collect
        }
        when HTTP_RESPONSE_DATA {
            set payload [HTTP::payload [HTTP::payload length]]
            #
            # Find and replace SSN numbers. regsub returns the number of
            # substitutions it made, so replace only if that is non-zero.
            #
            if { [regsub -all {\d{3}-\d{2}-\d{4}} $payload "xxx-xx-xxxx" new_response] > 0 } {
                HTTP::payload replace 0 [HTTP::payload length] $new_response
            }
            HTTP::release
        }
    }

Host to URI mapping: Faster Access to Data through Automatic Re-direction

    # Rule name assumed here; the slide shows only the event body.
    rule host_to_uri_mapping {
        when HTTP_REQUEST {
            # www.A.com -- domain == A.com, company == A
            if { [regexp {\.([\w]+)\.com} [HTTP::host] domain company] && "" ne $company } {
                # look for the second string in the data group
                set mapping [findclass $company $::valid_company_mappings " "]
                if { "" ne $mapping } {
                    HTTP::redirect "http://www.my_vs.com/$mapping"
                }
            }
        }
    }

A Repeatable, Extensible, Flexible Architecture

solution server resource cloaking
Solution: Server Resource Cloaking

Description: To keep web server signatures from pointing attackers at potential security holes, iRules are used to remove or "cloak" visible web server signatures.

HOW IT WORKS

  • 1. Client requests information from an application and is routed through BIG-IP
  • 2. BIG-IP directs the request to the best performing web server
  • 3. Web server provides the application response, BUT all responses, by default, include information that indicates the type of server responding (the response from the Apache web server includes server signatures)
  • 4. BIG-IP looks at the traffic and determines it must call the iRule for "Resource Cloaking"
  • 5. iRule runs, removing Apache references, and sends the response on to the client
  • 6. Client only sees the "sanitized" response

iRule: remove the Apache v2.0.49 reference

    # Rule name assumed here; the slide shows only "rule when HTTP_RESPONSE".
    rule resource_cloaking {
        when HTTP_RESPONSE {
            #
            # Remove all but the given headers; Server and any other
            # signature-bearing header are dropped.
            #
            HTTP::header sanitize "ETag" "Connection" "Content-Type"
        }
    }

what can an irule do
What can an iRule do?

Read, transform, replace header or payload information (HTTP, TCP, SIP, etc.)

Work with any protocol, such as SIP, RTSP, XML, others, whether with native (HTTP::cookie) or generic (TCP::payload) commands

Make adjustments to TCP behavior, such as MSS, checking the RTT, deep payload inspection

Authentication assistance, offload, inspection and more for LDAP, RADIUS, etc.

Caching, compression, profile selection, rate shaping and much, much more

irule event taxonomy
iRule Event Taxonomy

AUTH: AUTH_ERROR, AUTH_FAILURE, AUTH_RESULT, AUTH_SUCCESS, AUTH_WANTCREDENTIAL

GLOBAL: LB_FAILED, LB_SELECTED, RULE_INIT

LINE: CLIENT_LINE, SERVER_LINE

TCP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA, USER_REQUEST, USER_RESPONSE

RTSP: RTSP_REQUEST, RTSP_REQUEST_DATA, RTSP_RESPONSE, RTSP_RESPONSE_DATA

HTTP: HTTP_CLASS_FAILED, HTTP_CLASS_SELECTED, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA

CACHE: CACHE_REQUEST, CACHE_RESPONSE

UDP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA

SIP: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE

CLIENTSSL: CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE

IP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA

SERVERSSL: SERVERSSL_HANDSHAKE

XML: XML_BEGIN_DOCUMENT, XML_BEGIN_ELEMENT, XML_CDATA, XML_END_DOCUMENT, XML_END_ELEMENT, XML_EVENT

DNS: DNS_REQUEST, DNS_RESPONSE, NAME_RESOLVED

STREAM: STREAM_MATCHED

Solution: FIX Protocol Persistence
  • Challenges
  • The business must use the protocol its industry sector requires (FIX, the Financial Information eXchange protocol, in securities trading)
  • Implementing session persistence on the server side is impractical in an enterprise HA scenario
  • Solution
  • The iRule provides a centralized mechanism to intercept, inspect and route FIX sessions
  • Solution can be deployed in true HA / multi-server (even multi-data-center) mode
  • Clean code management

HOW IT WORKS

  • 1. Client opens a FIX session to the application and is routed through BIG-IP
  • 2. BIG-IP's Universal Inspection Engine (UIE) holds the first client data for inspection
  • 3. The iRule runs and searches the collected payload (TCP::collect / TCP::payload) for the identifier it needs: SenderCompID (FIX tag 49)
  • 4. Based on that identifier, the client's connection is persisted to the specific server dedicated to that user; later connections carrying the same SenderCompID go to the same server

iRule: the query identifies the FIX SenderCompID

    rule FIX_regexp {
        when CLIENT_ACCEPTED {
            # Hold the client's first data instead of passing it straight to a server.
            TCP::collect
        }
        when CLIENT_DATA {
            # FIX fields are "tag=value" pairs separated by SOH (0x01); tag 49 is SenderCompID.
            # \001 is SOH, written in octal because Tcl reads the run of hex digits in
            # "\x0149" as a single escape, not as SOH followed by "49". The slide's "(.*)"
            # was greedy and captured everything up to the LAST SOH in the buffer, so the
            # persistence key would have held most of the message; [^\001]* stops at the
            # first SOH after the value.
            if { [regexp {\00149=([^\001]*)\001} [TCP::payload] -> SenderCompID] } {
                # Persist this connection (and later ones with the same key) to one server.
                persist uie $SenderCompID
                TCP::release
            } else {
                # Tag 49 not seen yet (message split across segments): keep collecting.
                TCP::collect
            }
        }
    }

Diagram: (1) FIX session request from the client, (2) BIG-IP collects and inspects the first payload, (3) the iRule extracts SenderCompID, (4) the connection is persisted to the dedicated server in Pool A or Pool B.

** Enhanced by community; see CodeShare
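The same SenderCompID persistence, modelled in Python as an added example (it is not F5 code and does not run on a BIG-IP). The pool members and the persistence table are plain Python structures standing in for BIG-IP pool members and the UIE persistence table; the FIX Logon message is constructed. It also shows the greedy-pattern problem from the original slide and what happens when tag 49 arrives split across two TCP segments.

```python
"""FIX SenderCompID persistence model (added example; not F5 code)."""
import re

SOH = "\x01"

# Tag 49 as a whole field: SOH, "49=", value up to the next SOH.
SENDER_COMP_ID_RE = re.compile(r"\x0149=([^\x01]*)\x01")
# The slide's original greedy pattern, kept only to show what it captures.
GREEDY_RE = re.compile(r"\x0149=(.*)\x01")

# Constructed FIX 4.2 Logon message (tag 49 = SenderCompID, tag 56 = TargetCompID).
LOGON = SOH.join(["8=FIX.4.2", "9=65", "35=A", "49=TRADER1", "56=BROKER",
                  "34=1", "52=20070101-10:00:00", "98=0", "108=30", "10=123"]) + SOH


def sender_comp_id(buf, pattern=SENDER_COMP_ID_RE):
    """Return SenderCompID if a complete tag 49 field is in buf, else None (keep collecting)."""
    m = pattern.search(buf)
    return m.group(1) if m else None


class UiePersistence:
    """Minimal model of 'persist uie <key>': the first sighting of a key picks a pool
    member round-robin, every later sighting returns the same member."""

    def __init__(self, members):
        self.members = list(members)
        self.table = {}
        self._next = 0

    def select(self, key):
        if key not in self.table:
            self.table[key] = self.members[self._next % len(self.members)]
            self._next += 1
        return self.table[key]


def route_session(segments, persistence):
    """Feed client TCP segments one at a time, mirroring CLIENT_DATA + TCP::collect.
    Returns (chosen_member, bytes_collected) once tag 49 is complete, or (None, bytes_collected)
    if it never arrives (the real iRule would simply keep collecting)."""
    buf = ""
    for seg in segments:
        buf += seg
        key = sender_comp_id(buf)
        if key is not None:
            return persistence.select(key), len(buf)
    return None, len(buf)


if __name__ == "__main__":
    pool = UiePersistence(["10.0.0.1", "10.0.0.2"])
    print(route_session([LOGON[:24], LOGON[24:]], pool))
    print(repr(sender_comp_id(LOGON, GREEDY_RE)))
```

The split at offset 24 lands inside the "49=TRADER1" field, so the first segment yields no key and collection continues, exactly the TCP::collect branch of the iRule; the greedy pattern's capture starts with the right value but runs on through TargetCompID and the rest of the message.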

What makes iRules so unique?

Full-fledged scripts, executed against traffic on the network, at wire-speed

Powerful logical operations combined with deep packet inspection

The ability to route, re-route, re-direct, retry, or block traffic

Community support, tools and innovation

Solution: Credit Card Scrubber

  • Challenges
  • Rapid feature enhancements come at the expense of good security practices
  • Scanning for card numbers on each server does not perform well
  • Solution
  • The iRule provides a centralized mechanism for protection
  • High performance at the network layer maintains end-user satisfaction
  • App teams focus on features, network teams focus on protection

HOW IT WORKS

  • 1. Client requests information from an application and is routed through BIG-IP
  • 2. BIG-IP directs the request to the best-performing web server
  • 3. Web server provides the application response; the iRule collects the response body and looks for 15- or 16-digit strings with a card-issuer prefix (American Express, Visa, MasterCard, Discover)
  • 4. For each candidate, the iRule runs the MOD-10 (Luhn) check to determine whether the string is a valid credit card number; each finding is logged together with the address of the offending server
  • 5. If the checksum is valid, the digits are replaced with Xs in the response body
  • 6. Client only sees the "sanitized" response.

Remove Valid Credit Card Numbers

    when HTTP_REQUEST {
        # Force an HTTP/1.0 request so the server cannot answer with a chunked
        # response; the rule needs a Content-Length to collect the whole body.
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
    }

    when HTTP_RESPONSE {
        # Collect the entire response body; without a Content-Length, collect
        # until the server closes the connection.
        if { [HTTP::header exists "Content-Length"] } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 4294967295
        }
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }

    when HTTP_RESPONSE_DATA {
        # Find ALL candidate card numbers in one pass: American Express (15 digits),
        # Visa, MasterCard and Discover (16 digits). -indices returns start/end offsets.
        set card_indices [regexp -all -inline -indices {(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} [HTTP::payload]]

        foreach card_idx $card_indices {
            set card_start [lindex $card_idx 0]
            set card_end [lindex $card_idx 1]
            set card_len [expr {$card_end - $card_start + 1}]
            set card_number [string range [HTTP::payload] $card_start $card_end]
            set double [expr {$card_len & 1}]
            set chksum 0
            set isCard invalid

            # MOD-10 (Luhn): double every second digit counting from the right,
            # subtract 9 when the doubled digit exceeds 9, and sum the digits.
            for { set i 0 } { $i < $card_len } { incr i } {
                set c [string index $card_number $i]
                if {($i & 1) == $double} {
                    if {[incr c $c] >= 10} {incr c -9}
                }
                incr chksum $c
            }

            # Determine the card type from the leading digit
            switch [string index $card_number 0] {
                3 { set type AmericanExpress }
                4 { set type Visa }
                5 { set type MasterCard }
                6 { set type Discover }
                default { set type Unknown }
            }

            # If the checksum is valid, mask the number with X's. The replacement
            # has the same length, so the offsets of later matches stay correct.
            if { ($chksum % 10) == 0 } {
                set isCard valid
                HTTP::payload replace $card_start $card_len [string repeat "X" $card_len]
            }

            # Log the finding and the server that leaked it. The slide logged the
            # full card number; a valid PAN must never be written to the log,
            # so only the last four digits are recorded.
            log local0. "Found $isCard $type CC# ending [string range $card_number end-3 end] from server [IP::server_addr]"
        }
    }

Diagram: (1) HTTP request from the client, (2) forwarded by BIG-IP to the application server, (3) response from the application server accidentally leaks customer credit card numbers in the HTTP response, (4, 5) the iRule validates and masks them, (6) the HTTP response delivered to the client is sanitized.

** Created collaboratively within community

Solution: Anti-phishing

  • Challenges
  • Attacks are directed at users, not at the servers themselves
  • No control over user actions
  • Can't force a software install on the user's machine
  • Solution
  • The iRule prevents the content scraping (hot-linking of the site's images, scripts and stylesheets) that the attacker needs to build a convincing copy of the site
  • Preventative approach keeps users safe without any interaction on their part
  • Server load decreased

HOW IT WORKS

Prevent unwanted referrals of content

  • 1. Define a list of valid referrers in the form of a class. These are the sites you expect to be linking to content on your site.
  • 2. Define a list (also a class) of file types that may only be linked to by the referrers in class #1.
  • 3. When the request's Referer is not in class #1, check what is being requested. If the URI matches a file type in class #2, block it (discard the request). Otherwise let the request through and insert a frame-busting script into the HTML response, so the page refuses to render inside a frame on the attacker's site.

Caveats: a starts_with match against "http://mydomain.com" also accepts "http://mydomain.com.attacker.example/...", so each entry should end with "/" or the Referer host should be compared exactly. A request with no Referer header at all (a bookmark or a typed URL) fails the check too and is discarded if it asks for a listed file type, so decide deliberately whether an empty Referer is acceptable. Frame-busting JavaScript can be defeated by the framing page; today the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive is the robust control.

    class valid_referers {
        "http://mydomain.com"
        "http://mydomain1.com"
        "http://url1"
        "http://url2"
        "http://url3"
    }

    class file_types {
        ".gif"
        ".jpg"
        ".png"
        ".bmp"
        ".js"
        ".css"
        ".xsl"
    }

    rule no_phishing {
        when HTTP_REQUEST {
            # Force HTTP/1.0 so the response is not chunked and can be collected whole.
            if {[HTTP::version] == "1.1"} {
                if {[HTTP::header is_keepalive]} {
                    # Adjust the Connection header.
                    HTTP::header replace "Connection" "Keep-Alive"
                }
                HTTP::version "1.0"
            }

            # Always initialise the flag; HTTP_RESPONSE reads it for every request.
            set respond 0

            if { [matchclass [HTTP::header "Referer"] starts_with $::valid_referers] < 1 } {
                # Referer is not one of ours (or is missing altogether).
                if { ([string tolower [HTTP::method]] eq "get") && ([matchclass [HTTP::uri] contains $::file_types] > 0) } {
                    # Hot-linked image, script or stylesheet: drop the request.
                    discard
                } else {
                    # Anything else: inspect the response and, if it is a page, inject the frame-buster.
                    set respond 1
                }
            }
        }

        when HTTP_RESPONSE {
            # Only text responses get the script. The slide tested the request's
            # Content-Type (rarely present on a GET); the response header is the one that matters.
            if { ($respond == 1) && ([HTTP::header exists "Content-Type"]) && ([HTTP::header "Content-Type"] starts_with "text") } {
                if { [HTTP::header exists "Content-Length"] } {
                    set content_len [HTTP::header "Content-Length"]
                } else {
                    set content_len 4294967295
                }
                if { $content_len > 0 } {
                    HTTP::collect $content_len
                }
            }
        }

        when HTTP_RESPONSE_DATA {
            # Tcl's "string first" has no -nocase option; search a lower-cased copy instead
            # (character offsets are unchanged for ASCII content).
            set bypass [string first "<html>" [string tolower [HTTP::payload]]]
            if { $bypass != -1 } {
                # Insert the frame-busting script just before <html>.
                HTTP::payload replace $bypass 0 "<script type=\"text/javascript\">\n if (top.frames.length!=0) {\n  if (window.location.href.replace)\n   top.location.replace(self.location.href);\n  else\n   top.location.href=self.location.href;\n }\n</script>\n"
            } else {
                # Text response without an <html> tag: refuse to serve it to the invalid referrer.
                HTTP::respond 500
            }
        }
    }

Diagram: (1) HTTP request from the client, (2) forwarded by BIG-IP to the web servers, which feed content to anyone requesting it, including people who should not be serving this content, (3, 4, 5) the iRule checks the Referer and either discards the request or injects the script into the response, (6) HTTP response to the client.
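The decision made by the no_phishing iRule, modelled in Python as an added example (not the iRule, not F5 code). It reproduces the discard / inject choice and shows what the slide's starts_with match gets wrong: a look-alike host that merely begins with an allowed prefix, and a request with no Referer at all. It also matches the protected file types on the path extension rather than with "contains" anywhere in the URI, since ".js" contains-matches "/news.json". The hosts, URIs and HTML fragment are made up; treating an empty Referer as allowed is an assumption stated in the code.

```python
"""Referer-based hot-link / phishing check (added example; not the iRule)."""
from urllib.parse import urlsplit

# As on the slide: allowed referrer prefixes and hot-link-protected file types.
VALID_REFERER_PREFIXES = ("http://mydomain.com", "http://mydomain1.com")
PROTECTED_TYPES = (".gif", ".jpg", ".png", ".bmp", ".js", ".css", ".xsl")

# Hardened form: an allow-list of exact referrer hosts (assumed).
VALID_REFERER_HOSTS = {"mydomain.com", "mydomain1.com"}

# The frame-busting script the iRule injects before <html>.
FRAME_BUSTER = ('<script type="text/javascript">\n'
                ' if (top.frames.length!=0) {\n'
                '  if (window.location.href.replace)\n'
                '   top.location.replace(self.location.href);\n'
                '  else\n'
                '   top.location.href=self.location.href;\n'
                ' }\n</script>\n')


def referer_ok_prefix(referer):
    """The slide's check (matchclass ... starts_with). Accepts look-alike hosts."""
    return any(referer.startswith(p) for p in VALID_REFERER_PREFIXES)


def referer_ok_host(referer, allow_empty=True):
    """Exact-host check. allow_empty decides what a missing Referer means
    (assumption here: a bookmark or typed URL is allowed)."""
    if not referer:
        return allow_empty
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and (parts.hostname or "").lower() in VALID_REFERER_HOSTS


def decide(method, uri, referer, referer_ok=referer_ok_host):
    """Return 'allow', 'discard' or 'inject' for one request, following the iRule's logic."""
    if referer_ok(referer):
        return "allow"
    path = urlsplit(uri).path.lower()
    if method.upper() == "GET" and path.endswith(PROTECTED_TYPES):
        return "discard"
    return "inject"


def inject_frame_buster(html):
    """Insert the script before <html> (case-insensitive). Returns None when the body has
    no <html> tag, the case in which the iRule answers 500 instead."""
    pos = html.lower().find("<html>")
    if pos == -1:
        return None
    return html[:pos] + FRAME_BUSTER + html[pos:]


if __name__ == "__main__":
    for req in [("GET", "/logo.gif", "http://mydomain.com/page.html"),
                ("GET", "/logo.gif", "http://attacker.example/fake.html"),
                ("GET", "/login.html", "http://attacker.example/fake.html"),
                ("GET", "/logo.gif", "http://mydomain.com.attacker.example/x")]:
        print(req, "->", decide(*req), "| slide's check:", decide(*req, referer_ok=referer_ok_prefix))
```

Running the last case shows the difference: the exact-host check discards the hot-link from the look-alike domain, while the prefix check lets it through.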

F5 iRule Editor

First network rule editor optimizes development

Includes:

Syntax checking

Auto-complete

Template support

Doc Links

Deployment integration

Statistics monitoring

Data group editing

Optional post to CodeShare feature

Available: Now

Pricing: Free Download

Tutorials: on DevCentral

Link Collectionwww.f5.com
  • Overall: www.f5.com
  • Technical: ask.f5.com, devcentral.f5.com
  • F5 University: www.f5university.com/
          • Login: your email
          • Password: adv5tech
  • Partner Information: www.f5.com/partners, www.f5.com/training_services/certification/certFAQ.html
  • Gartner Report: http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html

Important deployment information is available at http://www.f5.com/solutions/deployment/
  • Data Center Virtualization: http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
  • Application Traffic Management: http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
  • Application Briefs: http://www.f5.com/solutions/applications/
  • Solution Briefs: http://www.f5.com/solutions/sb/
  • F5 Compression and Cache Test: http://www.f5demo.com/compression/index.php
  • F5 iControl Alliance Partners: http://www.f5.com/solutions/partners/iControl/
  • F5 Technology Alliance Partners: http://www.f5.com/solutions/partners/tech/
Let us know if you need any clarification or you have any further questions.

Analyst Leadership Position

Figure: Gartner Magic Quadrant for Application Delivery Products, 2007 (axes: Ability to Execute vs. Completeness of Vision; quadrants: Leaders, Challengers, Visionaries, Niche Players), with F5 Networks among the vendors plotted.

  • F5 Strengths
  • Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules, and a broad product line.
  • Strong focus on applications, including long-term relationships with major application vendors such as Microsoft, Oracle and SAP.
  • Strong balance sheet and cohesive management team with a solid track record of delivering the right products at the right time.
  • Strong underlying platform allows easy extensibility to add features.
  • Support of an increasingly loyal and large group of active developers tuning their application environments specifically for F5 infrastructure.

Other vendors plotted: Citrix Systems, Cisco Systems, Akamai Technologies, Foundry Networks, Crescendo, Nortel Networks, Radware, Juniper, Coyote Point, Zeus, NetContinuum, Array Networks.

Source: Gartner, January 2007