
F5 User’s Group


Presentation Transcript


  1. F5 User’s Group

  2. Welcome! Introductions Name Title Company Role Requests (optional) • Please introduce yourself • Name • Title • Company • Your role • Application • Network • Security • Requests? (optional)

  3. F5 User’s Group Meeting, February 24th 2012. Agenda: • F5 Technology Update – What’s new in version 11.1 • How to use multiple SSL certificates with a single virtual server using SNI & SAN certificates • Demo – Using Device Groups in version 11.x to automatically sync the BIG-IP config from Production to a DR site • Customer speaker: Brian Deitch, Senior Security Engineer from Apollo Group • My favorite iRule • Cloaking your web presence • Open roundtable discussion – your current and upcoming projects and how others are solving similar problems?

  4. Version 11.1

  5. DHCP Relay Configuration

  6. Conventional DHCP Relay

  7. Chained DHCP Relay Agents

  8. Unicast DHCP Lease Renewal

  9. DHCP Secondary

  10. Link Layer Discovery Protocol • What is LLDP (IEEE 802.1ab)? • Enables LAN devices to inform each other about their configurations • How is LLDP used? • Troubleshooting • When is LLDP used? • Typically used in mixed vendor environment to discover other devices and their properties.

  11. Optional LLDP TLVs
     • Basic Management
       (Type 4) Port Description (ifDescr OID)
       (Type 5) System Name (sysName OID)
       (Type 6) System Description (sysDescr OID)
       (Type 7) System Capabilities (for example bridge or router)
       (Type 8) Management Address (IP Address of local system)
     • IEEE802.1 (OUI 00-80-C2)
       (Type 127, Subtype 1) Port VLANID (VLAN ID)
       (Type 127, Subtype 2) PPVLAN ID (Port and Protocol VLAN ID, tagged/untagged)
       (Type 127, Subtype 3) VLAN Name (dot1QVLANStaticName OID)
       (Type 127, Subtype 4) Protocol Identity (Protocols Accessible)
     • IEEE802.3 (OUI 00-12-0F)
       (Type 127, Subtype 1) MAC/PHY configuration status (duplex, autoneg etc.)
       (Type 127, Subtype 3) Link Aggregation (whether enabled)
       (Type 127, Subtype 4) Max Frame Size (MTU of interface)
     • F5 Networks (OUI 00-2F-0D)
       (Type 127) Product Model (e.g. Viprion)
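As an added example (not part of the presentation), a small Python parser for the TLV layout slide 11 lists: each TLV starts with a 16-bit header of 7-bit type and 9-bit length, and type 127 carries a 3-byte OUI plus a subtype. The OUI and subtype names are taken from the slide; the sample LLDPDU is constructed here.

```python
import struct

# OUIs and TLV types as listed on slide 11 (type 127 is the organization-specific TLV).
OUI_NAMES = {b"\x00\x80\xc2": "IEEE802.1", b"\x00\x12\x0f": "IEEE802.3", b"\x00\x2f\x0d": "F5 Networks"}
BASIC_NAMES = {1: "Chassis ID", 2: "Port ID", 3: "TTL", 4: "Port Description", 5: "System Name",
               6: "System Description", 7: "System Capabilities", 8: "Management Address"}
ORG_NAMES = {("IEEE802.1", 1): "Port VLANID", ("IEEE802.1", 3): "VLAN Name",
             ("IEEE802.3", 1): "MAC/PHY configuration status", ("IEEE802.3", 4): "Max Frame Size"}

def tlv(ttype, value):
    # LLDP TLV header: 7-bit type, 9-bit length, followed by the value bytes.
    return struct.pack("!H", (ttype << 9) | len(value)) + value

def org_tlv(oui, subtype, value):
    return tlv(127, oui + bytes([subtype]) + value)

# Constructed LLDPDU: the mandatory TLVs, a System Name, a Port VLAN ID and a Max Frame Size.
SAMPLE_LLDPDU = (tlv(1, b"\x04" + bytes.fromhex("001122334455"))   # chassis ID, MAC subtype
                 + tlv(2, b"\x05" + b"1.1")                          # port ID, interface name
                 + tlv(3, struct.pack("!H", 120))                    # TTL in seconds
                 + tlv(5, b"bigip1")
                 + org_tlv(b"\x00\x80\xc2", 1, struct.pack("!H", 100))
                 + org_tlv(b"\x00\x12\x0f", 4, struct.pack("!H", 9000))
                 + tlv(0, b""))

def parse_lldp(payload):
    # Return (name, value) pairs; unknown org TLVs keep their OUI and subtype in the name.
    out, pos = [], 0
    while pos + 2 <= len(payload):
        hdr = struct.unpack("!H", payload[pos:pos + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        value = payload[pos + 2:pos + 2 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV at offset %d" % pos)
        pos += 2 + tlen
        if ttype == 0:                                   # End of LLDPDU
            break
        if ttype == 127 and tlen >= 4:
            org = OUI_NAMES.get(value[:3], value[:3].hex())
            name = ORG_NAMES.get((org, value[3]), "%s subtype %d" % (org, value[3]))
            out.append((name, value[4:]))
        else:
            out.append((BASIC_NAMES.get(ttype, "type %d" % ttype), value))
    return out

def system_name(payload):
    return dict(parse_lldp(payload)).get("System Name", b"").decode("ascii")
```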

  12. LLDP General Options

  13. Remote Syslog Configuration in the GUI

  14. V11.1 iRules signed

  15. V11.1 Users: new roles, iRule Manager and Auditor

  16. V11.1 iFiles for iRules

  17. V11.1 Classification

  18. V11.1 Classification

  19. Jumbo Frame Support

  20. SNMPv3 Encryption

  21. What Has Been Missing? BIG-IP Now Certified as Network Firewall: Network Security, App Security, Data Protection, User Access

  22. BIG-IP ASM v11.1
     • Improve Granular Web Application Visibility:
       • Session based enforcement and reporting (Session Awareness)
       • Group of violations with Violation Correlation
       • View requests as valid or attack with Response Capturing
       • Troubleshoot performance and capacity issues with Virtual Server CPU statistics
     • Greater Vulnerability Assessment and Application Protection
       • Advanced vulnerability assessment and application protection (new vuln. scanners): IBM Rational AppScan, Cenzic Hailstorm, Qualys’ QualysGuard WAS, WhiteHat Sentinel (available since v10.1)
     • Fast Geolocation App. Protection
       • Geolocation based blocking (down to state or region)
     • Infrastructure Enhancements
       • ASM 64 bit support – 64bit OS support
       • IPv6 ASM support – correctly manage and protect IPv6 traffic
       • Route Domains support – aligning ASM with Route Domains
     • GUI enhancements
       • Deployment wizard to secure a Virtual Server
       • Dynamic reports definition (e.g. top attacked URL out of top websites)
       • Colors highlight different severities

  23. BIG-IP APM v11.1: Simplified Access for Citrix XenApp
     • Eliminate Web Interface Servers, NetScalers and STA
     • Single policy and configuration setup, SSO for all clients
     • Remove troubleshooting complexity
     • First to support multi-stream ICA
     • Eliminates XenApp Services Sites
     • RSA 2-factor with Citrix Receiver
     • Session reliability for network interruptions
     • CapEx and OpEx
     (Diagram components: BIG-IP Local Traffic Manager + Access Policy Manager, Citrix Receiver, Auth Mgmt, Citrix XML Brokers, Directory, Mobile Users, Internal Users)

  24. BIG-IP APM v11.1 Unified VDI Architecture: We deliver VDI just like another application
     • Present OWA, VMWare View next to Citrix Apps in Portal Mode
     • Improved scale and reliability
     • Better user experience + SSO
     • Simplified Deployment
     • Improved quality of real-time applications
     (Diagram components: BIG-IP APM, Local and Remote Users, Hyper-V, vSphere, Hypervisor, Virtual Desktops, Directories)

  25. BIG-IP WebAccelerator v11.1

  26. VIPRION 4400 LTM + 2 Module Support vCMP VIPRION 2400 1M - 4M L7 RPS 400K - 1.6M L4 CPS 18G -72G/40G - 160G - L7/L4 TPUT 1.6M - 6.4M L7 RPS 700K - 2.8M L4 CPS 18G- 72G L7/L4 TPUT 135k L7 RPS 115K L4 CPS 2G L7/L4 TPUT LTM + 3 1 blade BIG-IP 8900, 8900F, 8950, 8950S Up to 1.9M L7 RPS Up to 800K L4 CPS Up to 20G TPUT BIG-IP 3600 LTM + 2 BIG-IP 11000, 11000F, 11050, 11050F 2.5M L7 RPS 1M L4 CPS Up to 42G TPUT 600k L7 RPS 220K L4 CPS 6G L7/L4 TPUT LTM + 1 400k L7 RPS 175K L4 CPS 4G L7/L4 TPUT BIG-IP 6900, 6900F, 6900S BIG-IP 3900 100k L7 RPS 60K L4 CPS 1G L7/L4 TPUT BIG-IP 1600 Virtual Editions Designation after platform: F = FIPS S = Turbo SSL 1 G TPUT 200M TPUT

  27. SNI and SAN

  28. What is Server Name Indication (SNI)? • An extension to Transport Layer Security (TLS) • Adds ServerName field to Client Hello • RFC 4366 http://tools.ietf.org/html/rfc4366#section-3.1 • Allows dynamic server certificate selection

  29. How SNI Works
     Virtual: 10.1.1.1:443
     Client for https://test01.example.com sends Client Hello with ServerName: test01.example.com; the virtual answers with Server Hello and the Certificate CN=test01.example.com
     Client for https://test02.example.com sends Client Hello with ServerName: test02.example.com; the virtual answers with Server Hello and the Certificate CN=test02.example.com

  30. Client-side Profile Configuration

  31. Virtual Configuration

  32. Verifying Clientssl Configuration (test01.example.com, test02.example.com)
     ltm profile client-ssl test01.example.com { app-service none cert test01.example.com.crt defaults-from clientssl key test01.example.com.key server-name test01.example.com sni-default true sni-require false }
     ltm profile client-ssl test02.example.com { app-service none cert test02.example.com.crt defaults-from clientssl key test02.example.com.key server-name test02.example.com sni-default false sni-require false }
     openssl s_client -connect test03.example.com:443
     openssl s_client -servername test02.example.com -connect test01.example.com:443
     openssl s_client -servername test02.example.com -connect test02.example.com:443
     openssl s_client -servername test01.example.com -connect test01.example.com:443
     Server certificate subject=/C=US/ST=WA/L=Seattle/O=IT/OU=iRuleDevelopment/CN=test02.example.com issuer=/C=US/ST=WA/L=Seattle/O=IT/OU=iRuleDevelopment/CN=test02.example.com
     Server certificate subject=/C=US/ST=WA/L=Seattle/O=IT/OU=iRuleDevelopment/CN=test01.example.com issuer=/C=US/ST=WA/L=Seattle/O=IT/OU=iRuleDevelopment/CN=test01.example.com
     Why is this responding with test01.example.com?

  33. Server-side Profile Configuration

  34. Verifying SNI with Wireshark

  35. SNI requires browser support Internet Explorer 7 or later, on Windows Vista or higher. Does not work on Windows XP, even Internet Explorer 8. Mozilla Firefox 2.0 or later Opera 8.0 or later (the TLS 1.1 protocol must be enabled) Opera Mobile at least version 10.1 beta on Android Google Chrome (Vista or higher. OS X 10.5.7 or higher on Chrome 5.0.342.1 or newer) Safari 2.1 or later (Mac OS X 10.5.6 or higher and Windows Vista or higher) Konqueror/KDE 4.7 or later MobileSafari in Apple iOS 4.0 or later Android default browser on Honeycomb or newer Windows Phone 7 *Windows XP does not have native SNI support

  36. New iRule Events
     • Client Side Events
       • CLIENTSSL_CLIENTHELLO – Triggered when a Client Hello is received on a Virtual Server.
     • Server Side Events
       • SERVERSSL_CLIENTHELLO_SEND – Triggered before a Client Hello message is sent.
       • SERVERSSL_SERVERHELLO – Triggered when a Server Hello is received.

  37. New iRule Commands
     SSL::extensions
     SSL::extensions count
     SSL::extensions -index <extension number>
     SSL::extensions -type <extension type value>
     SSL::extensions exists -type <extension type value>
     SSL::extensions insert <tcl byte array>
     Valid in CLIENTSSL_CLIENTHELLO and SERVERSSL_CLIENTHELLO_SEND events
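Slide 32 asks why a connection without a matching ServerName is answered with the test01.example.com certificate, and slide 37 lists SSL::extensions for reading Client Hello extensions. This added Python example (not from the presentation or from F5) builds a Client Hello carrying the RFC 4366 server_name extension, extracts the name the way an iRule would with SSL::extensions -type 0, and models profile selection with the two client-ssl profiles from slide 32; the selection rules are an assumption modeled on the sni-default and sni-require options, not F5's implementation.

```python
import struct
SNI_EXT_TYPE = 0  # server_name extension, RFC 4366 section 3.1
# Constructed from the two client-ssl profiles shown on slide 32.
PROFILES = [
    {"name": "test01.example.com", "server-name": "test01.example.com", "sni-default": True, "sni-require": False},
    {"name": "test02.example.com", "server-name": "test02.example.com", "sni-default": False, "sni-require": False},
]
def build_client_hello(server_name=None):
    # Constructed minimal TLS 1.2 ClientHello record (random zeroed); SNI only when given.
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        ext_data = struct.pack("!H", len(entry)) + entry        # ServerNameList
        exts = struct.pack("!HH", SNI_EXT_TYPE, len(ext_data)) + ext_data
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"       # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"         # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    # Walk the ClientHello as SSL::extensions -type 0 would; None means no SNI was sent.
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9 + 2 + 32                       # record + handshake headers, version, random
    pos += 1 + record[pos]                 # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + record[pos]                 # compression_methods
    if pos + 2 > len(record):
        return None
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        if etype == SNI_EXT_TYPE and data[2] == 0:  # first list entry is a host_name
            return data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii")
        pos += 4 + elen
    return None
def select_profile(profiles, sni):
    # Model of the slide's options, not F5's code: server-name match wins, else the
    # sni-default profile answers; sni-require on it rejects clients that sent no SNI.
    for p in profiles:
        if sni is not None and p["server-name"] == sni:
            return p["name"]
    default = next((p for p in profiles if p["sni-default"]), None)
    if default is None or (sni is None and default["sni-require"]):
        return None
    return default["name"]
```

A client that sends no SNI at all (openssl s_client without -servername, or a browser on Windows XP from slide 35) is served by the profile with sni-default true, which is why test01.example.com answers in the slide 32 output.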

  38. What is a SAN? (RFC 4985) • Subject Alternative Name: an additional field which can be added to an X.509 certificate • Allows an intermediary to certify whether a particular host is authorized to supply a specific service. • Multiple hosts can be secured with a single certificate. • Only available for DNS hostnames. • If present it must be populated (RFC 3280) • Authored by engineer at Microsoft

  39. SSL Certificate with SAN

  40. SNI, SAN or Wildcard? • Wildcard certificates are easy • What if you need a different top level domain? • SNI most flexible but has some browser limitations • SAN certificates have to be the same owner • What if you host different customers? • What do you use in your environment? Your thoughts?

  41. HA in version 11

  42. HA and Failover v9-v10 (Current Model, Traditional v9 and v10)
     • Only two modes: Active-Standby and Active-Active
     • Active-Standby: traditional and recommended mode under these versions; customers always asked why they had to pay full price for a standby
     • Active-Active: difficult to configure and maintain; had to assign unit number 1 or 2 to listeners to determine the active unit
     • Two options: hardware failover and network failover
     (Diagram: Active/Standby and Active/Active pairs)

  43. Other High Availability Menu Items
     • Stateful failover features can mirror the following on active/standby pairs: connections, both TCP and UDP; connection qualities, such as persistence data
     • Once Redundant Pairs is selected the following menu items appear:
       • Floating IPs (Network > Self IPs > Floating IPs)
       • MAC Masquerading (VLANs GUI)
       • Persistence Mirroring – only persistence records created after the checkbox is selected are mirrored
       • SNAT Connect Mirroring – only SNAT records created after the checkbox is selected are mirrored
       • Virtual Server Connection Mirroring – duplicates the active system's real-time connection and/or persistence information on the standby system
     • Mirroring can be resource intensive for long term sessions (i.e. FTP, TELNET, default gateway pools, etc)

  44. Synchronizing Configurations in v9 and v10
     • Syncing the failover pair: System >> High Availability >> ConfigSync
     • By default the synchronization process uses the admin account; the admin password must be the same on both BigIPs in a pair
     • Sync is NOT automatic; it can be push or pull
     • How synchronization works: an archive of the configuration (.ucs file) is created on the desired BigIP; the archive is transferred to the BigIP to be synchronized; the BigIP to be synchronized runs the restore process on the archive received
     • bigip_base.conf (base network config) is not part of the config sync restore process

  45. How Things Have Changed
     • Current Model (Traditional): Active/Standby, Active/Active
     • New Model: Active/Standby, Active/Active, Active/Active/Standby, and more; many, many more (Active/Active/Active/Active, Active/Active/Active/Standby, Active/Active/Active/Standby/Standby)
     • Device Service Cluster (DSC): not really new, just … extended.

  46. Device Objects • By default, each device will start with a “bigip1” Device Object • If you change the name of the device • Via the Set Up utility • Or the GUI • Reset Trust Domain to regenerate local certificate • Only necessary if the name of the object changed

  47. Device Trust Group • Once a device object is configured it can be added to a trust group • A trust group is a relationship between BIG-IP device objects based on mutual authentication and certificate exchange • Foundation for all things of an inter-device nature • Configuration Synchronization and Failover • Centralized trust management in a distributed manner • It is a full mesh • For this release, F5 recommends • Using the default “Root” domain • Making all devices “Peer Authorities” • Established communication channel and standard API

  48. Device Trust - Configuration • Trust is created on the requesting device • And the peer device

  49. Device Groups • Logical grouping of trusted device objects • All or part of the configuration is sync’d across device sets • Two types • Sync Only • Sync-Failover (Diagram: Trust Domain containing a Device Group)

  50. Sync Only Device Groups • Allows flexible membership • Different hardware platforms • Different license/modules • Can be configured to auto-sync objects • Max of 32 Sync-Only groups are supported • Device trust uses built-in “device_trust_group” • Auto-sync enabled • Adding devices to trust-domain auto-adds to device_trust_group (Diagram: a Sync Only Device Group spanning ASM, GTM, EM and LTM + GTM devices)
