
F5 WWT Tech Talk

Jay De Leo, Federal FSE III


July 22, 2014

F5 Company Snapshot
Leading provider of Application Delivery Networking products
that optimize the security, performance & availability of
network applications, servers and storage systems

2Q12 Gartner Advanced Platform DC Market Share

FY12 Revenue: $1.38B (+31% y/y)

Gartner, Inc. Market Share: Application Acceleration Equipment, Worldwide, CYQ212, Joe Skorupa, Nhat Pham, Sept 2012

Government Agencies Trust F5

15 of the 15 executive branch agencies, plus many other DoD, civilian and commercial organizations rely on F5.

Government Certifications

Certifications

FIPS 140-2 Level 2
Common Criteria EAL2 (EAL4 In Process)
DISA STIG
3 Year ATO at DISA
DIACAP/DITSCAP MAC II Level Certification
JITC PKE
In Process: TIC Lab/JITC APL (UCCO TN 1312201)

F5 BIG-IP Product Suite


Application Delivery Services: fast, secure, available

Best-in-class hardware platform and software virtual instance

F5: An Intelligent Services Platform


Product Modules

Available
LTM: Local Traffic Manager
  Local Server Load Balancing
  Application Health Monitoring
  ACLs, Packet Filters, SYN Flood Protection
GTM: Global Traffic Manager
  Automated Global Site Redirection
  Network and Application Layer Health Monitoring
  DNSSEC, IP Geolocation

Fast
WBA: WebAccelerator
  HTTP Protocol Optimization
  Intelligent Browser Referencing
  Image Optimization
WOM: WAN Optimization Manager
  Symmetric Adaptive Compression
  Symmetric Data Deduplication
  L7 QoS
AAM: Application Acceleration Manager
  WebAccelerator Features
  WAN Optimization Features
  Combined Module with 11.4

Secure
APM: Access Policy Manager
  Full-Proxy User Access Control
  CAC/PIV/Smartcard Enablement
  Portal, WebTop
ASM: Application Security Manager
  Layer 7 Targeted Attack Prevention / DDoS
  Data Leakage Protection
  OWASP Top Ten
AFM: Advanced Firewall Manager
  Firewall, DDoS
  Layer 4 DoS Protection
  Protocol Anomaly Detection

F5 Security Architecture

Network Defense in Depth

Lack of performance and scale
Inability to respond to changing threats
Failure to extend new services
Complexity and cost of multiple vendors

(Diagram of point products between the Internet and the applications: Firewall, Network DDoS, Load Balancer, Application DDoS, Load Balancer & SSL, DNS Security, Web Application Firewall, Web Access Management.)

Service Defense in Depth: Full Proxy Security

Client / Server layers and the corresponding full-proxy controls:
Physical
Network: L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation
Session: SSL inspection and SSL DDoS mitigation
Application: HTTP proxy, HTTP DDoS and application security
Web application: Application health monitoring and performance anomaly detection

Service Defense in Depth: Full Proxy Security (F5's Approach)

Client / Server layers and the corresponding full-proxy controls:
Physical
Network: L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation
Session: SSL inspection and SSL DDoS mitigation
Application: HTTP proxy, HTTP DDoS and application security
Web application: Application health monitoring and performance anomaly detection

(Diagram: the BIG-IP full proxy terminates TCP, SSL and HTTP on the client side and opens separate TCP, SSL and HTTP connections on the server side, with OneConnect shown on the server side.)

TMOS architecture:
Traffic management microkernel: high-performance networking microkernel with IPv4/IPv6, HTTP and powerful application protocol support
TMOS traffic plug-ins: optional modules (APM, Firewall, Web application) plug in for all F5 products and solutions
iRules: network programming language
iControl API: external monitoring and control
High-performance HW

Full Proxy Security Enables Service Defense


Bring deep application fluency to security.

One platform:
Network firewall
Traffic management
Application security
Access control
DDoS mitigation
SSL inspection
DNS security

Keeping the Bad Guys Out

"Most detected activity has targeted unclassified networks connected to the Internet, but foreign cyber actors are also targeting classified networks. Importantly, much of the nation's critical proprietary data are on sensitive but unclassified networks."
James Clapper, Director of National Intelligence
http://news.cnet.com/8301-1009_3-57573902-83/intelligence-chief-offers-dire-warning-on-cyberattacks/

F5 Networks, Inc


Cyber-attacks in the News for 2011

IBM X-Force 2011 Trend and Risk Report March 2012

IP Intelligence: Defend against malicious activity and web attacks.
Web Application Security: Proactively secure all web applications from current and future threats.
OWASP Top 10: Get protection from the top threats without impacting app performance or scale.
SDLC: Use built-in security capabilities to accelerate and improve app development.
Dynamic App Security Testing: Key partnerships give you full vulnerability checking and website protection.

SSL INSPECTION

Gain visibility and detection of SSL-encrypted attacks
Achieve high-scale/high-performance SSL proxy
Offload SSL, reduce load on application servers

ASM PROTECTS AGAINST TOP APP VULNERABILITIES


OWASP Top 10 Web Application Security Risks:
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

Source: www.owasp.org

DDoS MITIGATION
Increasing difficulty of attack detection moving up the OSI stack, with the F5 mitigation technologies for each group:

Network attacks (Physical (1), Data Link (2), Network (3), Transport (4)):
SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.

Session attacks (Session (5), Presentation (6)):
DNS UDP Floods, DNS Query Floods, DNS NXDOMAIN Floods, SSL Floods, SSL Renegotiation
BIG-IP LTM and GTM: High-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.

Application attacks (Application (7)):
OWASP Top 10 (SQL Injection, XSS, CSRF, etc.), Slowloris, Slow Post, HashDos, GET Floods
BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.

Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

Protect against DDoS at all layers
Withstand the largest attacks
Gain visibility and detection of SSL-encrypted attacks

IP INTELLIGENCE

(Diagram: the IP intelligence service supplies the BIG-IP with IP address feed updates every 5 min and a geolocation database; requests from a botnet, an attacker, a scanner, anonymous proxies, anonymous requests or a restricted region or country are identified before they reach the custom application and financial application behind the BIG-IP.)

F5 Integrated Security Solutions

Capabilities: ICSA-certified firewall, Access Control, Application delivery controller, DDoS Mitigation, SSL inspection, Application security, DNS security

Products
Advanced Firewall Manager
  Stateful full-proxy firewall
  On-box logging and reporting
  Native TCP, SSL and HTTP proxies
  Network and Session anti-DDoS
Access Policy Manager
  Dynamic, identity-based access control
  Simplified authentication, consolidated infrastructure
  Strong endpoint security and secure remote access
Local Traffic Manager
  #1 application delivery controller
  Application fluency
  App-specific health monitoring
  High performance and scalability
  iRules extensibility everywhere
Application Security Manager
  Leading web application firewall
  PCI compliance
  Virtual patching for vulnerabilities
  HTTP anti-DDoS
  IP protection
Global Traffic Manager and DNSSEC
  Huge scale DNS solution
  Global server load balancing
  Signed DNS responses
  Offload DNS crypto

Letting the Good Guys Out?

Secure Web Gateway Reference Architecture


(Diagram: users on the private network, mapped to identities through an agent and Active Directory (Users Identification Mapping), authenticate to the Secure Web Gateway (Kerberos, NTLM, Basic Auth, 407) running on the BIG-IP Platform with BIG-IP Local Traffic Manager (LTM) and BIG-IP Access Policy Manager (APM). The gateway applies the access policy, real-time classification, malware analysis, a categorization database and a threat intelligence service, and produces web security reporting, before traffic passes the firewall to Internet destinations such as Facebook, Facebook Games, an e-commerce site, a B2B server, an entertainment site, a YouTube viral video, a malicious server or malware.)

Log requests and ensure acceptable use compliance
Web security
Malware protection
Control bandwidth by policy

Letting the Good Guys In

Who's Requesting Access? Employees, Partner, Customer, Administrator

Manage access based on identity

IT challenged to:
Control access based on user-type and role
Unify access to all applications
Provide fast authentication and SSO
Audit and report access and application metrics

Authentication Alternatives Today


(Diagram: users reach Web Servers hosting App 1, App 2, App 3 ... App n, backed by a Policy Manager and Directory, through one of three alternatives.)

1. Code in the Application: Costly, difficult to change; Not repeatable, less secure
2. Agents on servers: Difficult to manage; Not interoperable or secure; Decentralized and costly
3. Specialized Access Proxies: Doesn't scale and basic reliability; More boxes and expensive
A Better Alternative
(Diagram: BIG-IP LTM + APM as the proxy in front of Web Servers hosting App 1, App 2, App 3 ... App n, with Policy Manager and Directory.)

BIG-IP benefits:
Reduce costs and complexity
Gain superior scalability and high availability
Better security with Dynamic L4-L7 ACL control at LTM speeds
Repeatable, across multiple applications
Enable Simplified Application Access with BIG-IP Access Policy Manager (APM)

(Diagram: Users connect through BIG-IP Local Traffic Manager + Access Policy Manager, backed by a Directory, to SharePoint, OWA, Cloud, hosted virtual desktops (APP/OS instances) and Web servers hosting App 1 ... App n.)

Unified Access and Control with BIG-IP Access Policy Manager (APM)

BIG-IP APM ROI benefits:
Scales to 100K users on a single device
Consolidates auth. infrastructure
Simplifies remote, web and application access control

BIG-IP APM features:
CAC/PIV/Smartcard Enablement
Centralizes single sign-on and access control services
Full proxy L4-L7 access control at BIG-IP speeds
Adds endpoint inspection to the access policy
Visual Policy Editor (VPE) provides policy-based access control
VPE Rules: programmatic interface for custom access policies
Supports IPv6

*AAA = Authentication, authorization and accounting

Control Access of Endpoints


Ensure strong endpoint security

(Diagram: Users -> BIG-IP APM -> Web.)

Allow, deny or remediate users based on endpoint attributes such as:
Antivirus software version and updates
Software firewall status
Machine certificate validation

Invoke protected workspace for unmanaged devices:
Restrict USB access
Cache cleaner leaves no trace
Ensure no malware enters corporate network

CONSOLIDATING APP AUTHENTICATION (SSO)


Use case

(Diagram: a user with User = Finance on a corporate managed device running the latest AV software is authenticated by the AAA server and given access to Salesforce.com, the Expense Report App and Finance.)

Dramatically reduce infrastructure costs; increase productivity
Provides seamless access to all web resources
Integrated with common applications

Application Acceleration and Global Availability

Application Delivery Optimization
Holistic approach to improving performance throughout the application delivery chain

Client:
Improve the user experience for traditional and mobile users
Deliver the right content to the right user in the fastest time

Network:
Connect applications and users in a global enterprise
Provide the fastest network at the lowest cost
Increase network efficiency to best utilize resources

Data center:
Improve availability of enterprise applications
Increase application server capacity
Integrate new technologies without recoding applications

Acceleration in the Data Center

Load balance: Distribute application load across multiple servers to increase availability
Offload: Increase server capacity; Accelerate SSL processing; Manage TCP connections more efficiently
Fast cache: Offload repetitive traffic from web and application servers to increase server capacity
SPDY gateway: Leverage SPDY and other protocols without recoding applications

Accelerating the Network


Compression and deduplication: Reduce amount of data transmitted; Improve network throughput and response; Increase bandwidth efficiency
Protocol optimization: Tune TCP and HTTP parameters to adapt to changing network conditions
Loss correction: Correct for high-loss networks to decrease transmission time and improve user experience

Accelerating the Client

Content control
Data reduction
Deliver content to clients with minimal network overhead
Optimize images and files for mobile browsers to improve page load times

Improve Application Performance


Users are directed by context:
Client Status: location, device, relationship
Content: type, size, security
Site Status: performance, location, capacity
Network Conditions: local, remote, public, private

Global Application Availability with BIG-IP Global Traffic Manager (GTM)

OPTIMIZED APPLICATIONS & DATA
Dynamic Datacenter Load Balancing
TCP Optimization
Health Monitoring
Geolocation
Automatic site-to-site failover
IPv6/IPv4 Translation

SECURE APPLICATIONS & DATA
Transaction Assurance
Dynamic DNSSEC
DNS DDoS Mitigation

(Diagram: GTM directing users between Data Center 1 and Data Center 2.)

Automation and Programmability

Dynamic Services Automation

(Diagram: Demand -> Detection -> Automation -> iControl drives VM Provision through vCenter and F5 Provision across Front End Virtualization, App Server Virtualization and Storage Virtualization; Monitoring and Management feeds the same Demand -> Detection -> Automation loop to trigger F5 Deprovision.)

iRules: Key Component of F5's High-Performance Fabric

Unmatched Programmability: Built-in customization with an extensible and programmable architecture (iRules, iApps & iControl)

iRules provide access and control to manipulate and manage any IP application traffic
Utilizes an easy-to-learn scripting syntax
Event-driven scripting language

79% of F5 Customers Deploy iRules
~600 management commands
Intelligent Services Orchestration with BIG-IQ


BIG-IQ:
Cloud Management Integration
Network Interoperability
Multi-Cloud Control
Orchestrate F5 Services

Additional Resources

AskF5 Knowledge Base: askf5.com
iHealth Diagnostics: ihealth.f5.com
DevCentral: devcentral.f5.com
Web Support: websupport.f5.com
Free Web-based Training: LTM Essentials, http://university.f5.com
Account Team
