
F5 User’s Group


Presentation Transcript


  1. F5 User’s Group

  2. Welcome! Introductions
     • Please introduce yourself
       • Name
       • Title
       • Company
       • Your role
         • Application
         • Network
         • Security
       • Requests? (optional)

  3. F5 User’s Group Meeting June 12th, 2013 NEW Agenda
     F5 Technology Update—What’s new in 11.4
     • Application Acceleration Manager
     • Centralized Policy Matching
     • VMWare View Proxy
     • VXLAN Gateway & NVGRE Gateway
     • Programmable Infrastructure
     • JavaScript and CSS Minification
     • DNS Recap
     • New Platforms
     • F5’s role at Interop
     • By the way…
     FLOWJAM
     Lunch
     Roundtable discussion

  4. What’s new in version 11.4
     Brian Deitch, FSE
     Jon Bartlett, FSE
     11.0 was released in August 2011

  5. What is Application Acceleration Manager?
     • Web Accelerator Manager
     • WAN Optimization Manager
     • Web Accelerator will optimize your web applications and decrease page load time anywhere from 10 to 90%
     • WAN Optimization Manager will optimize network traffic and reduce latency
     What happens if I already own WA or WOM?
     • You will be licensed as AAM with 11.4
     • Since WA and WOM are AAM, you get both features

  6. What is Centralized Policy Matching?
     • Policy matching framework enables creation of flexible L7 policies:
       • Centralized policy matching across BIG-IP modules
       • Protocol-neutral matching for HTTP and other L7/L4 protocols
       • Replaces HTTP class in v11.4
     [Diagram: Centralized Policy Matching shared by BIG-IP Local Traffic Manager, BIG-IP Application Acceleration Manager and BIG-IP Application Security Manager]

  7. New: Centralized Policy
     Old: HTTP Class

  8. VMWare View Proxy-PCoIP Support
     What does this really mean?
     • Customizable TCP/IP Stack
     • PCoIP Decryption and re-encryption
     • Elimination of Secure Gateway Servers

  9. Typical VMWare View Deployment
     [Diagram: Client, Router, DMZ (BIG-IP LTM, Secure Gateway Servers, PCoIP), CORP (Connection Servers: VMWare View)]

  10. Using F5 to handle PCoIP Traffic
     [Diagram, Before: Client, Router, DMZ (BIG-IP LTM, Secure Gateway Servers, PCoIP), CORP (Connection Servers: VMWare View)]
     [Diagram, After: Client, Router, DMZ (BIG-IP LTM + APM), CORP (Connection Servers: VMWare View)]

  11. VXLAN Functionality
     What does this really mean?
     • Simplify the Expansion of Virtual Networks
     • Apply Services across Heterogeneous Networks for Optimized Performance
     • Improve Application Mobility and Business Continuity

  12. Configuring VXLAN from the CLI

     create net vlan vxlancontrol { interfaces add { 1.1 } mtu 1550 }
     create net self myvtep { address 10.1.1.1/32 vlan vxlancontrol }
     create net tunnels tunnel vxlan5000 { local-address 10.1.1.1 remote-address 239.0.0.1 profile vxlan key 5000 }
     create net vlan legacy5000 { interfaces add { 1.2 } }
     create net vlan-group vxlan5000-bridge { members add { legacy5000 vxlan5000 } }
     create net self vxlan5000-defroute { address 11.1.1.254/32 vlan vxlan5000-bridge }

  13. NVGRE Functionality
     • Gateway between multiple Microsoft Hyper-V enabled virtual networks
     • NVGRE Gateway plugin available for Microsoft’s System Center Virtual Machine Manager on DevCentral
       • Video: http://goo.gl/jQKvE
       • Download: http://goo.gl/LfJd5

  14. What is Programmable Infrastructure?
     Programmable infrastructure improves IT agility to deliver your applications faster and with higher predictability.
     [Diagram: Extensibility across the Control Plane, Management Plane and Data Plane]

  15. Programmable Infrastructure: Unleashing TMOS Programmability
     • iRules: Intercept, inspect, transform, direct and make decisions based on inbound and outbound application traffic.
     • iApps: Define and tie all related application availability, security and optimization services to the application. Deploy these services with optimum, application-specific configurations in only a few minutes.
     • iControl: Realize new levels of automation and configuration management with F5’s web services–enabled open.
     • iCall: Automate tasks to improve operations by monitoring for events and executing scripts to resolve issues quickly and predictably.
     What’s New
     • Control Plane Automation: Automate BIG-IP to dynamically respond to events and perform BIG-IP configuration actions.
     • Generic iApps: Leverage application service objects to provide a logical container and context to your application without the need for deployment templates.
     • iControl REST: REST provides a modern lightweight API standard for integration preferred
     • iRule Procedures: Build a library of functionality that can be re-used, controlled and managed in a consistent way

  16. iCall Examples: Local Traffic Manager
     Triggered
     • Run TCP Dump on an event
     • Detect server errors and mark server down in a pool on excessive errors
     • On Failover, generate qkview and/or ucs
     • GTM Monitor weight change - Set LTM wildcard virtual server "VS Score" value based on the number of available pool members of tertiarily-related (that is, non-default to the VIP) pool.
     • Re-prioritization of SharePoint nodes based on the SharePoint-reported health value that is delivered in an HTTP response.
     • Automatic qkview creation upon core dump or unknown restart - Customers are frequently asked to generate qkviews for support to troubleshoot issues. To improve the chance of repro, it would be good to have an event that detects core dumps/restarts and automatically creates a qkview.
     Periodic
     • Generate Config Backup
     • Pool Synchronization from DNS - use an iApp to accept a list of host names that will be used to populate a pool via DNS. Detect when the results of the resolution change and repopulate the pool to stay synchronized.
     • Pool update on DHCP response - create a script that takes DHCP responses and adds the IPs to a pool.
     • Re-prioritization of SharePoint nodes based on the SharePoint-reported health value that is delivered in an HTTP response.
     • Datagroup Sync with external source
     Perpetual
     • Achieve application delivery optimization and enhanced productivity without the need to rewrite applications

  17. JavaScript and CSS Minification
     What does this really mean?
     • Reduces overall file size
     • Removes whitespace
     • Removes comments

  18. Before: 6,167 Bytes
     After: 5,574 Bytes
     Savings: 10% or 593 Bytes

  19. DNS Recap
     Conventional DNS Thinking
     [Diagram: Internet, External Firewall, DMZ with DNS Load Balancing and Array of DNS Servers, Internal Firewall, Datacenter with Hidden Master DNS]
     F5 Paradigm Shift: F5 DNS Delivery Reimagined
     [Diagram: Internet, Master DNS Infrastructure; capabilities listed: DNS Firewall, DNS DDoS Protection, Protocol Validation, Authoritative DNS, Caching Resolver, Transparent Caching, High Performance DNSSEC, DNSSEC Validation, Intelligent GSLB]

  20. New platforms – TMOS versions

  21. F5’s Role at Interop

  22. Attacking the Network
     • 2 BreakingPoint Firestorms w/40 Gbits each
       • Denver
       • External Edge Las Vegas
     • Leveraged Capabilities
       • Client Simulation
       • Application Session Simulation
       • Security Attack Strike Lists
       • Protocol Fuzzing

  23. Attacking the Network
     • DDoS attack to www.interop.com
       • Sourced from 45.0.14&15.0/24 upstream over the 100Gbit link
       • Destined for www.interop.com
       • Common load 800Mbits per second
       • Common requests: 70k per second
       • Simulated bots: 30k
       • F5 tech: AFM & ASM
     • DoS attack to www.interop.com using SQL Injection
       • Sourced from 45.0.14&15.0/24 upstream over the 100Gbit link
       • Destined for www.interop.com
       • Common load 20Mbits per second
       • F5 tech: AFM & ASM
     • Network Attack from the internet to all users at the show
       • Sourced from random spoofed locations on the internet
       • Destined for the attendees
       • On ports identified that should be protected, i.e. Microsoft file transfers, SQL and other common vulnerabilities
       • Common load 33Gbits per second
       • F5 tech: AFM
     • DDoS attack to www.interop.com
       • Sourced from 45.0.14&15.0/24 upstream over the 100Gbit link
       • Destined for the Interop show’s ns server
       • Common load 7Gbits per second
       • Common requests: 3.5 Million per second
       • F5 tech: DNS Express
     Watch the Video: http://www.youtube.com/watch?feature=player_detailpage&v=hFpVivIqx9Q#t=59s

  24. Attack Mitigation Technologies
     • Advanced Firewall Manager (AFM)
       • Provides ACL management
       • Provides DOS Vector Protection
     • DNS Express
       • High Speed Responder
     • Application Security Module (ASM)
       • Signature detection
       • DDoS detection
     • iRules
       • Provide custom detection and mitigation

  25. By the way… Other cool features in 11.4
     • ASM HP WebInspect Vulnerability Scanner Integration
     • AFM SIP DDoS protection
     • APM local user DB
     • APM Citrix Traffic Shaping
     • AAM Forward Error Correction
     • vCMP Flexible Allocation
     • Heterogeneous Failover Groups
     • Enhanced sFlow
       • http://blog.sflow.com/2013/06/f5-big-ip-ltm-and-tmos-1140.html
     • SSL Elliptic Curve Cryptography
     • ProxyPass via Rewrite profiles

  26. Please fill out a survey
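
Added example (not part of the original presentation, and not F5 code): the tunnel on slide 12 uses `key 5000` as its VXLAN Network Identifier and sets `mtu 1550` on the underlay VLAN. The Python sketch below encodes and validates the RFC 7348 header and computes the 50-byte IPv4 encapsulation overhead that a 1550-byte underlay MTU accommodates for a 1500-byte inner MTU. The function names, the VNI allow-list check and the reading of 1550 as 1500 + 50 are assumptions made for illustration.

```python
import struct

VXLAN_HDR_LEN = 8        # RFC 7348: flags(1) reserved(3) VNI(3) reserved(1)
FLAG_VNI_VALID = 0x08    # the "I" flag; the VNI is only meaningful when it is set
# Bytes placed in front of the inner IP packet on an IPv4 underlay:
# inner Ethernet (14) + VXLAN (8) + UDP (8) + outer IPv4 (20) = 50
ENCAP_OVERHEAD_V4 = 14 + VXLAN_HDR_LEN + 8 + 20


def build_vxlan_header(vni):
    """Encode the 8-byte VXLAN header for a 24-bit VNI."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8)


def parse_vxlan_header(udp_payload):
    """Return the VNI carried in a UDP payload, rejecting malformed headers."""
    if len(udp_payload) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", udp_payload[:VXLAN_HDR_LEN])
    if not (word0 >> 24) & FLAG_VNI_VALID:
        raise ValueError("I flag clear, VNI not valid")
    return word1 >> 8


def accept_frame(udp_payload, allowed_vnis):
    """Hypothetical gateway-side check: accept only well-formed, expected VNIs.

    VXLAN has no authentication of its own, so the VNI is the only segment
    separator a receiver can check inside the packet itself.
    """
    try:
        return parse_vxlan_header(udp_payload) in allowed_vnis
    except ValueError:
        return False


def underlay_mtu(inner_ip_mtu):
    """Underlay IP MTU needed to carry inner packets without fragmentation."""
    return inner_ip_mtu + ENCAP_OVERHEAD_V4


if __name__ == "__main__":
    hdr = build_vxlan_header(5000)                 # key 5000 from slide 12
    print(hdr.hex(), parse_vxlan_header(hdr))      # constructed sample header
    print(accept_frame(build_vxlan_header(5001), {5000}))
    print(underlay_mtu(1500))
```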
