F5 User’s Group
Transcription
F5 User’s Group
Slide 1: F5 User’s Group

Slide 2: Welcome! Please introduce yourself
Introductions: Name, Title, Company, Role
Requests (optional):
• Application
• Network
• Security
IT agility. Your way.

Slide 3: F5 User’s Group Meeting, June 12th, 2013
Agenda (NEW)
• F5 Technology Update: What’s new in 11.4
  • Application Acceleration Manager
  • Centralized Policy Matching
  • VMware View Proxy
  • VXLAN Gateway & NVGRE Gateway
  • Programmable Infrastructure
  • JavaScript and CSS Minification
  • DNS Recap
  • New Platforms
• F5’s role at Interop
• By the way…
• FLOWJAM
• Lunch
• Roundtable discussion

Slide 4: What’s New in Version 11.4
Brian Deitch, FSE; Jon Bartlett, FSE
(11.0 was released in August 2011)

Slide 5: What is Application Acceleration Manager?
• Web Accelerator Manager
• WAN Optimization Manager
• Web Accelerator will optimize your web applications and decrease page load time anywhere from 10 to 90%
• WAN Optimization Manager will optimize network traffic and reduce latency
What happens if I already own WA or WOM?
• You will be licensed as AAM with 11.4
• Since WA and WOM are AAM, you get both features

Slide 6: What is Centralized Policy Matching?
• Policy matching framework enables creation of flexible L7 policies:
  • Centralized policy matching across BIG-IP modules
  • Protocol-neutral matching for HTTP and other L7/L4 protocols
• Replaces HTTP class in v11.4
(Diagram: Centralized Policy Matching shared by BIG-IP Local Traffic Manager, BIG-IP Application Acceleration Manager and BIG-IP Application Security Manager)

Slide 7: Old HTTP Class vs. New Centralized Policy (configuration screenshots)

Slide 8: VMware View Proxy: PCoIP Support
What does this really mean?
• Customizable TCP/IP stack
• PCoIP decryption and re-encryption
• Elimination of Secure Gateway Servers

Slide 9: Typical VMware View Deployment
(Diagram: Client, DMZ Router, BIG-IP LTM, Secure Gateway Servers, PCoIP, CORP Connection Servers: VMware View)

Slide 10: Using F5 to handle PCoIP Traffic
(Diagram, Before: Client, DMZ Router, BIG-IP LTM, Secure Gateway Servers, PCoIP, CORP Connection Servers: VMware View)
(Diagram, After: Client, DMZ Router, BIG-IP LTM + APM, PCoIP, CORP Connection Servers: VMware View; the Secure Gateway Servers are gone)

Slide 11: VXLAN Functionality
What does this really mean?
• Simplify the expansion of virtual networks
• Apply services across heterogeneous networks for optimized performance
• Improve application mobility and business continuity

Slide 12: Configuring VXLAN from the CLI
VTEP VLAN and self IP (the MTU of 1550 leaves 50 bytes of room for the VXLAN encapsulation):
    create net vlan vxlancontrol { interfaces add { 1.1 } mtu 1550 }
    create net self myvtep { address 10.1.1.1/32 vlan vxlancontrol }
VXLAN tunnel for segment 5000 (the multicast remote address carries the segment’s flooded traffic):
    create net tunnels tunnel vxlan5000 { local-address 10.1.1.1 remote-address 239.0.0.1 profile vxlan key 5000 }
Legacy VLAN on the other interface, bridged to the tunnel by a VLAN group, with a self IP as the bridged segment’s default route:
    create net vlan legacy5000 { interfaces add { 1.2 } }
    create net vlan-group vxlan5000-bridge { members add { legacy5000 vxlan5000 } }
    create net self vxlan5000-defroute { address 11.1.1.254/32 vlan vxlan5000-bridge }

Slide 13: NVGRE Functionality
• Gateway between multiple Microsoft Hyper-V enabled virtual networks
• NVGRE Gateway plugin available for Microsoft’s System Center Virtual Machine Manager on DevCentral
  Video: http://goo.gl/jQKvE
  Download: http://goo.gl/LfJd5

Slide 14: What is Programmable Infrastructure?
Programmable infrastructure improves IT agility to deliver your applications faster and with higher predictability.
(Diagram: Extensibility across the Management Plane, Data Plane and Control Plane)

Slide 15: Programmable Infrastructure: Unleashing TMOS Programmability
iRules: Intercept, inspect, transform, direct and make decisions based on inbound and outbound application traffic.
iApps: Define and tie all related application availability, security and optimization services to the application.
Deploy these services with optimum, application-specific configurations in only a few minutes.
iControl: Realize new levels of automation and configuration management with F5’s web services-enabled open
iCall: Automate tasks to improve operations by monitoring for events and executing scripts to resolve issues quickly and predictably.
What’s New
• iRule Procedures: Build a library of functionality that can be re-used, controlled and managed in a consistent way.
• Generic iApps: Leverage application service objects to provide a logical container and context to your application without the need for deployment templates.
• iControl REST: REST provides a modern, lightweight API standard preferred for integration.
• Control Plane Automation: Automate BIG-IP to dynamically respond to events and perform BIG-IP configuration actions.

Slide 16: iCall Examples (Local Traffic Manager)
Triggered
– Run TCP dump on an event
– Detect server errors and mark the server down in a pool on excessive errors
– On failover, generate a qkview and/or UCS
– GTM monitor weight change: set the LTM wildcard virtual server "VS Score" value based on the number of available pool members of a tertiarily related (that is, non-default to the VIP) pool.
– Re-prioritization of SharePoint nodes based on the SharePoint-reported health value that is delivered in an HTTP response.
– Automatic qkview creation upon core dump or unknown restart: customers are frequently asked to generate qkviews for support to troubleshoot issues. To improve the chance of reproducing the problem, it would be good to have an event that detects core dumps/restarts and automatically creates a qkview.
Periodic
• Generate config backup
• Pool synchronization from DNS: use an iApp to accept a list of host names that will be used to populate a pool via DNS. Detect when the results of the resolution change and repopulate the pool to stay synchronized.
• Pool update on DHCP response: create a script that takes DHCP responses and adds the IPs to a pool.
• Re-prioritization of SharePoint nodes based on the SharePoint-reported health value that is delivered in an HTTP response.
• Datagroup sync with an external source
Perpetual
• Achieve application delivery optimization and enhanced productivity without the need to rewrite applications

Slide 17: JavaScript and CSS Minification
What does this really mean?
• Reduces overall file size
• Removes whitespace
• Removes comments

Slide 18: Minification example
Before:  6,167 bytes
After:   5,574 bytes
Savings: 10% or 593 bytes

Slide 19: DNS Recap
Conventional DNS thinking (diagram): Internet, External Firewall, DNS Load Balancing, Array of DNS Servers (DMZ), Internal Firewall, Hidden Master DNS (Datacenter)
F5 paradigm shift: F5 DNS Delivery Reimagined (diagram): a DNS Firewall between the Internet and the Master DNS Infrastructure, providing DNS DDoS Protection, Protocol Validation, Authoritative DNS, Caching Resolver, Transparent Caching, High Performance DNSSEC, DNSSEC Validation and Intelligent GSLB

Slide 20: New platforms: TMOS versions
Platform             Versions supported
F5-BIG-LTM-5000s     v11.4
F5-BIG-LTM-5200v     v11.4
F5-BIG-LTM-7000s     v11.4
F5-BIG-LTM-7200v     v11.4
F5-BIG-LTM-10200s    v11.4

(Slides 21 to 23: images only)

Slide 24: F5’s Role at Interop

Slide 25: Attacking the Network
• 2 BreakingPoint Firestorms with 40 Gbits each
  – Denver
  – External Edge Las Vegas
• Leveraged capabilities
  – Client simulation
  – Application session simulation
  – Security attack strike lists
  – Protocol fuzzing

Slide 26: Attacking the Network
Network attack from the internet to all users at the show
  Sourced from random spoofed locations on the internet
  Destined for the attendees
  On ports identified that should be protected, i.e. Microsoft file transfers, SQL and other common vulnerabilities
  Common load: 33 Gbits per second
  F5 tech: AFM
DDoS attack to www.interop.com (DNS)
  Sourced from 45.0.14&15.0/24 upstream over the 100 Gbit link
  Destined for the Interop show’s NS (name) server
  Common load: 7 Gbits per second
  Common requests: 3.5 million per second
DDoS attack to www.interop.com
  Sourced from 45.0.14&15.0/24 upstream over the 100 Gbit link
  Destined for www.interop.com
  Common load: 800 Mbits per second
  Common requests: 70k per second
  Simulated bots: 30k
  F5 tech: AFM & ASM
DoS attack to www.interop.com using SQL injection
  Sourced from 45.0.14&15.0/24 upstream over the 100 Gbit link
  Destined for www.interop.com
  Common load: 20 Mbits per second
  F5 tech: AFM & ASM
F5 tech for the DNS attack on the show’s name server: DNS Express
Watch the video: http://www.youtube.com/watch?feature=player_detailpage&v=hFpVivIqx9Q#t=59s

Slide 27: Attack Mitigation Technologies
• Advanced Firewall Manager (AFM)
  – Provides ACL management
  – Provides DoS vector protection
• DNS Express
  – High-speed responder
• Application Security Module (ASM)
  – Signature detection
  – DDoS detection
• iRules
  – Provide custom detection and mitigation

Slide 28: By the way… Other cool features in 11.4
• ASM HP WebInspect vulnerability scanner integration
• AFM SIP DDoS protection
• APM local user DB
• APM Citrix traffic shaping
• AAM Forward Error Correction
• vCMP flexible allocation
• Heterogeneous failover groups
• Enhanced sFlow
  • http://blog.sflow.com/2013/06/f5-big-ip-ltm-and-tmos-1140.html
• SSL Elliptic Curve Cryptography
• ProxyPass via Rewrite profiles

Thank you! Please fill out a survey
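Added example for slide 12 (Python, not from the deck and not F5 code): it shows where the `mtu 1550` on the VTEP VLAN comes from and builds and checks the 8-byte VXLAN header whose 24-bit VNI corresponds to the tunnel’s `key 5000`. The header sizes and the UDP port are the standard IPv4/UDP/VXLAN values; `gateway_accepts` is my own model of the segment check, not TMOS’s implementation.

```python
"""Added example (not from the deck, not F5 code): the arithmetic behind the
`mtu 1550` on slide 12's VTEP VLAN, and a builder/parser/check for the VXLAN
header whose 24-bit VNI corresponds to the tunnel's `key 5000`."""
import struct

# Bytes a VXLAN gateway adds around each bridged Ethernet frame (IPv4 outer, no 802.1Q tag).
# Measured against the outer IP MTU the inner Ethernet header counts too: 1500 + 50 = 1550.
OUTER_IPV4 = 20
OUTER_UDP = 8
VXLAN_HEADER = 8
INNER_ETHERNET = 14
VXLAN_UDP_PORT = 4789      # IANA-assigned destination port for VXLAN
VXLAN_FLAG_I = 0x08        # "VNI valid" flag, the only mandatory bit in the header


def vxlan_overhead() -> int:
    """Encapsulation overhead per inner IP packet, in bytes (50)."""
    return OUTER_IPV4 + OUTER_UDP + VXLAN_HEADER + INNER_ETHERNET


def vtep_mtu_for(inner_ip_mtu: int) -> int:
    """Outer (VTEP VLAN) MTU needed so an inner packet of inner_ip_mtu bytes is never fragmented."""
    return inner_ip_mtu + vxlan_overhead()


def build_vxlan_header(vni: int) -> bytes:
    """8-byte header: flags(1) reserved(3) | VNI(3) reserved(1), network byte order."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!BxxxI", VXLAN_FLAG_I, vni << 8)


def parse_vxlan_header(hdr: bytes) -> int:
    """Return the VNI, or raise ValueError for a short header or one without the I flag."""
    if len(hdr) < VXLAN_HEADER:
        raise ValueError("short VXLAN header")
    flags, second_word = struct.unpack("!BxxxI", hdr[:VXLAN_HEADER])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI field is not valid")
    return second_word >> 8


def gateway_accepts(hdr: bytes, configured_key: int) -> bool:
    """My model of the `key 5000` check: bridge only frames tagged with the configured segment.
    Malformed headers are dropped rather than guessed at."""
    try:
        return parse_vxlan_header(hdr) == configured_key
    except ValueError:
        return False


if __name__ == "__main__":
    print("overhead:", vxlan_overhead(), "bytes; VTEP MTU for 1500:", vtep_mtu_for(1500))
    hdr = build_vxlan_header(5000)
    print("header:", hdr.hex(), "VNI:", parse_vxlan_header(hdr), "accepted:", gateway_accepts(hdr, 5000))
```

The `remote-address 239.0.0.1` in the slide’s tunnel definition is a multicast group; a VTEP that floods to the wrong group or accepts frames for a VNI it is not configured for would merge segments, which is why the check above refuses anything but the configured key.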
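Added example for slide 16’s "Pool synchronization from DNS" iCall idea (Python, not F5 code, not an iCall script): the decision logic a periodic handler would run, resolving the configured host names, diffing the result against the current pool members and emitting only the delta. The resolver is injectable so the example runs offline against a constructed zone; the `modify ltm pool … members add/delete` lines are the tmsh syntax I assume such a handler would issue.

```python
"""Added example (Python, not F5 code): the decision logic behind slide 16's
"Pool Synchronization from DNS" iCall idea. The resolver is injectable so the
example runs offline; on a BIG-IP the plan would be issued through tmsh."""
import socket
from typing import Callable, Iterable, List, Set, Tuple

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Real resolver: IPv4 addresses from the OS (not used by the offline run)."""
    return socket.gethostbyname_ex(name)[2]


def resolve_all(hostnames: Iterable[str], resolve: Resolver) -> Set[str]:
    """Union of the addresses for all names. A name that fails to resolve
    contributes nothing instead of aborting the whole sync."""
    addrs: Set[str] = set()
    for name in hostnames:
        try:
            addrs.update(resolve(name))
        except OSError:
            continue
    return addrs


def plan_pool_sync(current: Set[str], resolved: Set[str]) -> Tuple[List[str], List[str]]:
    """(to_add, to_delete): only the delta, so unchanged members are never touched."""
    return sorted(resolved - current), sorted(current - resolved)


def tmsh_commands(pool: str, port: int, to_add: List[str], to_delete: List[str]) -> List[str]:
    """tmsh 'modify ltm pool ... members add/delete' lines (assumed syntax)."""
    cmds: List[str] = []
    if to_add:
        cmds.append(f"modify ltm pool {pool} members add {{ "
                    + " ".join(f"{ip}:{port}" for ip in to_add) + " }")
    if to_delete:
        cmds.append(f"modify ltm pool {pool} members delete {{ "
                    + " ".join(f"{ip}:{port}" for ip in to_delete) + " }")
    return cmds


def sync_once(pool: str, port: int, hostnames: Iterable[str], current: Iterable[str],
              resolve: Resolver, min_members: int = 1) -> List[str]:
    """One periodic run. Safety check: if DNS yields fewer than min_members
    addresses (outage, bad zone push), do nothing rather than drain the pool."""
    resolved = resolve_all(hostnames, resolve)
    if len(resolved) < min_members:
        return []
    to_add, to_delete = plan_pool_sync(set(current), resolved)
    return tmsh_commands(pool, port, to_add, to_delete)


# Constructed offline zone standing in for DNS.
FAKE_ZONE = {
    "app1.example.com": ["10.0.0.1", "10.0.0.2"],
    "app2.example.com": ["10.0.0.3"],
}


def fake_resolver(name: str) -> List[str]:
    if name not in FAKE_ZONE:
        raise OSError(f"NXDOMAIN {name}")
    return FAKE_ZONE[name]


if __name__ == "__main__":
    # Member 10.0.0.9 is stale and two resolved addresses are missing from the pool.
    for line in sync_once("web_pool", 80, FAKE_ZONE, {"10.0.0.1", "10.0.0.9"}, fake_resolver):
        print(line)
```

The `min_members` guard is the part worth copying: a resolver that returns nothing during a DNS outage must not be allowed to turn "stay synchronized" into "delete every member".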
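Added example for slides 17 and 18 (Python, not from the deck and not F5’s minifier): a small CSS minifier that does the three things slide 17 lists, dropping comments, collapsing whitespace and thereby shrinking the file, while leaving string literals untouched, plus the before/after accounting of slide 18. The sample stylesheet is constructed for the run.

```python
"""Added example (not from the deck, not F5 code): a CSS minifier that removes
comments and insignificant whitespace without touching string literals, and
the byte accounting behind slide 18's 'Savings: 10% or 593 bytes'."""
from typing import Tuple

# Whitespace next to these characters carries no meaning in CSS.
DROP_AFTER = "{};:,>"
DROP_BEFORE = "{};,>"   # ':' deliberately absent: 'div :hover' and 'div:hover' differ


def minify_css(css: str) -> str:
    out = []
    i, n = 0, len(css)
    while i < n:
        c = css[i]
        if c in "\"'":
            # String literal: copy verbatim, honouring backslash escapes, so that
            # content: "/* not a comment */" survives intact.
            j = i + 1
            while j < n and css[j] != c:
                j += 2 if css[j] == "\\" else 1
            out.append(css[i:j + 1])
            i = j + 1
        elif css.startswith("/*", i):
            end = css.find("*/", i + 2)      # drop the comment entirely
            i = n if end == -1 else end + 2  # an unterminated comment runs to EOF
        elif c.isspace():
            j = i
            while j < n and css[j].isspace():
                j += 1
            prev = out[-1][-1] if out else ""
            nxt = css[j] if j < n else ""
            # Collapse the run to one space unless it borders punctuation or an edge.
            if prev and nxt and prev not in DROP_AFTER and nxt not in DROP_BEFORE:
                out.append(" ")
            i = j
        elif c == ";":
            j = i + 1
            while j < n and (css[j].isspace() or css[j] == ";"):
                j += 1
            if not (j < n and css[j] == "}"):
                out.append(";")              # the last ';' before '}' is redundant
            i = j
        else:
            out.append(c)
            i += 1
    return "".join(out)


def savings(original: str, minified: str) -> Tuple[int, int, int, int]:
    """(before_bytes, after_bytes, saved_bytes, saved_percent) as on slide 18."""
    before = len(original.encode("utf-8"))
    after = len(minified.encode("utf-8"))
    saved = before - after
    pct = round(100 * saved / before) if before else 0
    return before, after, saved, pct


# Constructed sample stylesheet for the run.
SAMPLE_CSS = """/* Site styles (constructed sample) */
body {
    margin: 0 auto;
    font-family: "Helvetica Neue", Arial, sans-serif;
}

a:hover , .nav > li {
    color: #333;   /* dark grey */
    content: "/* keep me */";
}
"""

if __name__ == "__main__":
    small = minify_css(SAMPLE_CSS)
    print(small)
    print("before/after/saved/%%: %d/%d/%d/%d" % savings(SAMPLE_CSS, small))
```

Whitespace before a colon is kept on purpose: inside a declaration it costs one byte, but in a selector `div :hover` (descendant pseudo-class) and `div:hover` select different elements, and a minifier that cannot tell the two apart must not guess.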