Title: F5 Networks Traffic Management by Design
1. F5 Networks Traffic Management by Design
Presented by Jürg Wiesmann, Field System Engineer, Switzerland (jürg.wiesmann_at_f5.com)
2. Company Snapshot
- Leading provider of solutions that optimize the security, performance and availability of IP-based applications
- Founded 1996 / Public 1999
- Approx. 1,010 employees
- FY05 Revenue 281M
- FY06 Revenue 394M
- 40% Y/Y Growth
3. Clear Leader in Application Delivery
[Figure: Gartner Magic Quadrant for Application Delivery Products (Source: Gartner, December 2005). Axes: Ability to Execute vs Completeness of Vision; quadrants Leaders, Challengers, Visionaries, Niche Players. Vendors plotted: F5 Networks, Citrix Systems (NetScaler), Cisco Systems, Radware, Juniper Networks (Redline), Akamai Technologies, Netli, Nortel Networks, Stampede Technologies, Array Networks, Coyote Point Systems, Zeus Technology, NetContinuum, Foundry Networks.]
- F5 continues to build on the momentum generated by the release of v9.0. It commands over 50% market share in the advanced platform ADC segment and continues to pull away from the competition.
- F5 is one of the thought leaders in the market and offers growing feature richness. It should be high on every enterprise's shortlist for application delivery.
4. What CEOs, CFOs and CIOs are interested in
- Low investment costs
- Reducing load on server infrastructure
- Low service costs
- Simple problem, change and release management
- Fewer service windows
- Reduction of work during service windows
- Simple, secure and stable environments
- High availability
5. Problem: Networks Aren't Adaptable Enough
- New security hole
- High cost to scale
- Slow performance
[Figure: the network administrator on one side, the application developer on the other, a question mark between them.]
Applications focus on business logic and functionality; traditional networks are focused on connectivity.
6. How Do You Fix the Problem?
[Figure: network administrator and application developer, each with the usual answers: multiple point solutions, more bandwidth.]
Hire an army of developers? Add more infrastructure?
7. A Costly Patchwork
[Figure: users (mobile phone, PDA, laptop, desktop) reach applications (SFA, CRM, ERP, custom application, co-location) through a patchwork of point solutions.]
Point solutions shown: DoS protection, IPS/IDS, SSL acceleration, rate shaping/QoS, network firewall, application load balancer, content proxy / acceleration / transformation, traffic compression, WAN connection optimization, application firewall.
8. The Better Application Delivery Alternative
[Figure: "The Old Way" vs "The F5 Way".]
First with integrated application security.
9. F5's Integrated Solution
[Figure: users (mobile phone, PDA, laptop, desktop) reach applications (CRM, database, Siebel, BEA, legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, custom, co-location) through a single Application Delivery Network built on TMOS.]
10. The F5 Application Delivery Network
[Figure: users, the international data center and applications connected through TMOS-based products.]
Products: BIG-IP Global Traffic Manager, BIG-IP Application Security Manager, BIG-IP Link Controller, BIG-IP Local Traffic Manager, BIG-IP Web Accelerator, WANJet, iControl / iRules, Enterprise Manager.
11. F5 Networks Remote Access Today
12. Current Issues
- Mobile workforce: unreliable access, worm/virus propagation, high support costs
- Employee on home PC / public kiosk: limited application support, lack of data integrity, reduced user efficiency
- Business partners: complex access controls, no application-level audits, high support costs
- Systems or applications: complex API, unreliable access, high support costs
13. IPSec provides transparent network access, BUT
- Needs a preinstalled client
- Does not work well with NAT
- No granular application access (network level only)
- Hard to load balance
- Is expensive to deploy
14. On the other hand, SSL VPN
- No preinstalled client software needed
- Works on the transport layer: no problem with NAT
- Works on port 80/443: no problem with firewall/proxy
- Easy to load balance
- Offers granular application access
- Is easy to deploy
15. Remote Access - Requirements
- Any user: employee, partner, supplier
- Any location: hotel, kiosk, hot spot
- Any application: web, client/server, legacy, desktop
- Any device: laptop, kiosk, home PC, PDA/cell phone
- Highly available: global LB, stateful failover, disaster recovery
- Secure: data privacy, device protection, network protection, granular app access
- Ease of integration: AAA servers, directories, instant access
- Ease of use: clientless, simple GUI, detailed audit trail
16. Why not use IPSec? (same requirements matrix as slide 15)
17. Prime Networking Real Estate
[Figure: layers from intelligent applications down through the intelligent client to the network plumbing (routers, switches, firewalls); BIG-IP, FirePass and TrafficShield, with iControl, occupy the space between them.]
Functionality: traffic management, remote access, security.
18. FirePass Overview
[Figure: any user on any device (laptop, kiosk, mobile device, partner) reaches authorized applications over the Internet through FirePass, secured by SSL and governed by dynamic policies. Access modes shown: portal access, specific application access, network access to the intranet.]
19. Simplified User Access
- Standard browser
- Access to applications from anywhere
- Select application
- Shortcuts automate application connections
- No preinstalled client software required
- All access via a web browser
20. Access Types
- Network Access
- Application Access
  - Application Tunnels
  - Terminal Server
  - Legacy Hosts
  - X Windows
- Portal Access
  - Web Applications
  - File Browsing (Windows, Unix)
  - Mobile E-Mail
  - Desktop Access (Webtop)
21. Access Methods Summary
Portal Access
- Benefits
  - Most Flexible
  - Any Device
  - Any Network
  - Any OS
  - Most Scalable
  - Browser Compatible
  - Secure Architecture
  - Restricted Resource Access
- Drawbacks
  - Limited Resource Access
  - Enterprise Web Apps/Resources
  - Webified Enterprise Resources
  - Limited Non-web Applications
Application Access
- Benefits
  - C/S Application Access
  - Legacy Application Access
  - Transparent Network Traversal
  - Any Network
  - Scalable Deployment
  - No Network/Addr. Configuration
  - Secure Architecture
  - Restricted Resource Access
  - Host Level Application Proxy
- Drawbacks
  - Limited Access Flexibility
  - OS/JVM Compatibility Issues
  - No Transient Kiosk Access
  - Client Security
  - Installation Privileges
Network Access
- Benefits
  - Full Network Access (VPN)
  - No Resource Restrictions
- Drawbacks
  - More Limited Access
  - OS/JVM Compatibility Issues
  - Client Security
  - Installation Privileges
22. Adaptive Client Security
[Figure: client security adapts to the device in use: laptop, kiosk/untrusted PC, PDA.]
23. Policy Checking with Network Quarantine
- Quarantine Policy Support
  - Ensure policy compliance
  - Direct to quarantine network
- Deep Integrity Checking
  - Specific antivirus checks
  - Windows OS patch levels
  - Registry settings
[Figure: FirePass steering a non-compliant client onto the quarantine network.]
24. Visual Policy Editor
Graphically associates a policy relationship between end-points, users and resources.
25. Unique Application Compression
- Results
  - Over 50% faster access
  - Supports compression for any IP application
  - Faster email file access
  - Works across both dial-up and broadband
26. 30 Minute Install (NEW)
Quick Setup enables rapid installation and setup, even for non-experts.
27. Dynamic Policy Engine
- User / Device Security
  - Dynamically adapt user policy based on device used
- Seamless Integration
  - Utilize existing AAA servers
  - Automatic user group mapping
- Detailed audit trail
  - Application level visibility
[Figure: the FirePass dynamic policy engine selecting a mobile device, kiosk, default or laptop policy for application access.]
- Authentication: LDAP, RADIUS, Win NT/2K, web-based
- Group: Sales, Financial, Auditors, etc.
- Access rights: Intranet, SAP, Siebel, file shares
- Audit / usage reporting: who accessed, what was accessed, from where
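As an added example (not F5's or FirePass's code), the following Python sketches the decision the two slides above describe: classify the connecting device, run the deep integrity checks (antivirus signature age, OS patch level, a registry setting), choose a per-device policy and an access level (full network, portal only, or the quarantine network), and write the who / what / from-where audit line. The device labels, thresholds, registry key and sample endpoints are assumptions made for illustration.

```python
"""Added example (not F5's or FirePass's own code): a small dynamic policy
engine in the shape the slides describe. Device labels, thresholds, the
registry key and the sample endpoints are all constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Device type -> policy name (constructed; mirrors the Laptop/Kiosk/Mobile/Default
# policies on the slide). Anything unlisted falls back to the default policy.
POLICY_BY_DEVICE = {"laptop": "laptop", "kiosk": "kiosk", "pda": "mobile"}

# Constructed registry check: the screen-saver lock must be enforced.
LOCK_KEY = r"HKCU\Control Panel\Desktop\ScreenSaverIsSecure"


@dataclass
class Endpoint:
    device_type: str                   # "laptop", "kiosk", "pda", or anything else
    managed: bool                      # corporate-managed asset with the client installed?
    av_signature_date: Optional[date]  # None if no antivirus was found
    os_patch_level: int                # constructed integer patch level
    registry: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    policy: str        # "laptop", "kiosk", "mobile" or "default"
    access: str        # "network", "portal" or "quarantine"
    failed: List[str]  # names of the integrity checks that failed


def integrity_checks(ep: Endpoint, today: date,
                     max_sig_age_days: int = 7, min_patch_level: int = 2) -> List[str]:
    """Deep integrity checking; returns the names of the checks that failed."""
    failed = []
    if ep.av_signature_date is None or (today - ep.av_signature_date).days > max_sig_age_days:
        failed.append("antivirus")
    if ep.os_patch_level < min_patch_level:
        failed.append("os_patch_level")
    if ep.registry.get(LOCK_KEY) != "1":
        failed.append("registry")
    return failed


def decide(ep: Endpoint, today: date) -> Decision:
    """Map device type and integrity results to a policy and an access level."""
    policy = POLICY_BY_DEVICE.get(ep.device_type, "default")
    failed = integrity_checks(ep, today)
    if policy == "laptop" and ep.managed:
        # Managed laptops are the only devices eligible for full network access.
        # If a check fails they are directed to the quarantine network instead,
        # where they can be remediated and re-checked.
        return Decision(policy, "network" if not failed else "quarantine", failed)
    # Kiosks, PDAs, unmanaged laptops and unknown devices get clientless portal
    # access only; their check results are still recorded for the audit trail.
    return Decision(policy, "portal", failed)


def audit_record(user: str, group: str, resource: str, src_ip: str, d: Decision) -> str:
    """Audit line in the who / what / from-where form the slide calls for."""
    return (f"user={user} group={group} resource={resource} from={src_ip} "
            f"policy={d.policy} access={d.access} failed={','.join(d.failed) or '-'}")


def demo() -> Dict[str, Decision]:
    """Constructed endpoints run through the engine; returns name -> decision."""
    today = date(2006, 10, 1)  # constructed reference date
    endpoints = {
        "managed_laptop_ok": Endpoint("laptop", True, date(2006, 9, 30), 2, {LOCK_KEY: "1"}),
        "managed_laptop_stale_av": Endpoint("laptop", True, date(2006, 8, 1), 2, {LOCK_KEY: "1"}),
        "unmanaged_laptop_ok": Endpoint("laptop", False, date(2006, 9, 30), 2, {LOCK_KEY: "1"}),
        "public_kiosk": Endpoint("kiosk", False, None, 0),
        "pda": Endpoint("pda", False, None, 0),
        "unknown_device": Endpoint("desktop", True, None, 0),
    }
    return {name: decide(ep, today) for name, ep in endpoints.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(name, "->", audit_record("jdoe", "Sales", "Intranet", "203.0.113.7", d))
```

The ordering matters: the device class is decided first, so a kiosk can never reach network access however clean it looks, and only a managed laptop that fails a check is sent to quarantine, because only it has a client that can be remediated there.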
28. Enterprise SSO Integration
[Figure: user on the Internet -> FirePass (dynamic policies) -> web servers, with Netegrity SiteMinder as the SSO server. Flow: 1. User ID, password; 2. Session cookie; 3. Session cookie.]
- HTTP forms-based authentication
- Single sign-on to all web applications
- Major SSO / identity management vendor support
  - Netegrity, Oblix and others
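The three-step exchange on this slide, as an added example that is not part of the original deck and is not FirePass's or SiteMinder's code: a constructed identity provider (stand-in for the SSO server) checks the HTML-form credentials once and issues an HMAC-signed session cookie; a constructed proxy (stand-in for the FirePass role) keeps that cookie for the user's session and attaches it to every request it relays; each web application verifies the cookie's signature and expiry instead of prompting for a password again. The shared secret, user, application names and cookie format are assumptions.

```python
"""Added example (not F5's, FirePass's or SiteMinder's code): the forms login,
session cookie and cookie relay steps of the slide, modelled with three
constructed parties. Secret, users, app names and cookie format are made up."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


class IdentityProvider:
    """Constructed SSO server: checks credentials, signs and verifies cookies."""

    def __init__(self, secret: bytes, users: Dict[str, str], ttl: int = 3600):
        self.secret, self.ttl = secret, ttl
        # Static salt keeps the demo short; a real store uses per-user salts and a KDF.
        self.users = {u: hashlib.sha256(b"salt:" + p.encode()).hexdigest() for u, p in users.items()}

    def login(self, user: str, password: str, now: int) -> Optional[str]:
        # Step 1: user ID and password arrive from the proxy's HTML form.
        expected = self.users.get(user)
        digest = hashlib.sha256(b"salt:" + password.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, digest):
            return None
        # Step 2: issue a signed session cookie: base64(claims) "." hex(HMAC-SHA256).
        payload = base64.urlsafe_b64encode(
            json.dumps({"sub": user, "exp": now + self.ttl}).encode()).decode()
        return payload + "." + hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def verify(self, cookie: str, now: int) -> Optional[str]:
        try:
            payload, sig = cookie.split(".", 1)
        except ValueError:
            return None
        good = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, sig):   # forged or altered claims
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
        return claims["sub"] if claims["exp"] > now else None   # expired -> None


class WebApp:
    """Constructed backend web application that trusts only a valid SSO cookie."""

    def __init__(self, name: str, idp: IdentityProvider):
        self.name, self.idp = name, idp

    def handle(self, cookie: Optional[str], now: int) -> Tuple[int, str]:
        user = self.idp.verify(cookie, now) if cookie else None
        if user is None:
            return 401, f"{self.name}: sign-on required"
        return 200, f"{self.name}: welcome {user}"


class SsoProxy:
    """Stand-in for the FirePass role: one forms login, cookie relayed to every app."""

    def __init__(self, idp: IdentityProvider, apps: Dict[str, WebApp]):
        self.idp, self.apps = idp, apps
        self.sessions: Dict[str, str] = {}   # proxy session id -> SSO cookie

    def forms_login(self, session_id: str, user: str, password: str, now: int) -> bool:
        cookie = self.idp.login(user, password, now)
        if cookie is None:
            return False
        self.sessions[session_id] = cookie
        return True

    def fetch(self, session_id: str, app_name: str, now: int) -> Tuple[int, str]:
        # Step 3: the stored cookie is presented to the web server on the user's behalf.
        return self.apps[app_name].handle(self.sessions.get(session_id), now)


def demo() -> Dict[str, object]:
    """Runs the exchange against the constructed parties; returns step -> result."""
    idp = IdentityProvider(b"constructed-shared-secret", {"alice": "correct horse battery"})
    apps = {"intranet": WebApp("intranet", idp), "crm": WebApp("crm", idp)}
    proxy = SsoProxy(idp, apps)
    t0 = 1_160_000_000                                   # constructed clock, seconds
    out: Dict[str, object] = {}
    out["before_login"] = proxy.fetch("sess-1", "intranet", t0)[0]             # 401
    out["bad_password"] = proxy.forms_login("sess-1", "alice", "wrong", t0)    # False
    out["login"] = proxy.forms_login("sess-1", "alice", "correct horse battery", t0)
    out["intranet"] = proxy.fetch("sess-1", "intranet", t0 + 1)[0]             # 200, no re-prompt
    out["crm"] = proxy.fetch("sess-1", "crm", t0 + 2)[0]                       # 200, no re-prompt
    out["expired"] = proxy.fetch("sess-1", "crm", t0 + 3601)[0]                # 401 after ttl
    # Altered claims without the secret: the signature no longer matches.
    _, sig = proxy.sessions["sess-1"].split(".", 1)
    forged = base64.urlsafe_b64encode(
        json.dumps({"sub": "admin", "exp": t0 + 3600}).encode()).decode() + "." + sig
    out["forged"] = apps["crm"].handle(forged, t0 + 1)[0]                      # 401
    return out


if __name__ == "__main__":
    print(demo())
```

The point the slide makes is visible in `demo()`: the password is checked exactly once, every application then accepts the same cookie, and the applications never see the password at all; the cookie carries an expiry and a signature so that an expired or altered one is refused.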
29. Application Security
[Figure: Internet -> FirePass -> web servers, with an ICAP antivirus scanner alongside; an attempted SQL injection (step 1) is blocked at FirePass.]
- Web application security
  - Cross-site scripting
  - Buffer overflow
  - SQL injection
  - Cookie management
- Policy-based virus scanning
  - File uploads
  - Webmail attachments
  - Integrated scanner
  - Open ICAP interface
30. Product Lines
31. FirePass Product Line
A product sized and priced appropriately for every customer.
FirePass 4200 - Large Enterprise
- 100-2000 concurrent users
- 500+ employees
- High performance platform
- Comprehensive access
- End-to-end security
- Flexible support
- Failover
- Cluster up to 10
FirePass 1200 - Medium Enterprise
- 25-100 concurrent users
- 25 to 500 employees
- Comprehensive access
- End-to-end security
- Flexible support
- Failover
32. FirePass Failover
- Redundant pair
  - Stateful failover provides uninterrupted failover for most applications (e.g. VPN connector)
- Single management point
  - Active unit is configured
  - Configuration and state information is periodically synchronized
- Separate SKU
  - Active unit determines software configuration and concurrent users
[Figure: Internet -> active unit with hot standby -> intranet application servers.]
33. FirePass 4100 Clustering
- Clustered pair
  - Up to 10 servers can be clustered for up to 20,000 concurrent users
  - Master server randomly distributes user sessions
  - Distributed (e.g. different sites) clusters are supported
- Single management point
  - Master server is configured
  - Configuration information is periodically synchronized
- Second FP 4100 required
  - Software features purchased on 2nd server
[Figure: Internet -> cluster master and cluster nodes -> intranet application servers.]
34. Case Study: FirePass vs IPSec Client
- 300 end user accounts, high availability configuration

                  Rollout                                  Sustaining
                  Engineering  Help Desk  End User         Engineering  Help Desk  End User
  IPSec Client    120 hrs      200 hrs    1 hr x 300       1.5 hrs/day  5 hrs/day  0
  FirePass        20 hrs       60 hrs     .5 hrs x 300     .5 hrs/day   2 hrs/day  0
  Savings         100 hrs      140 hrs    150 hrs          1 hr/day     3 hrs/day  0

- Savings: 390 hours for rollout, 20 hours/week sustaining
- 80 user callback for IPSec Client, 15 for FirePass
- 25 users unable to use IPSec Client, 2 specific hotel room issues with FirePass
35. Summary of Benefits
- Increased productivity
- Secure access from any device, anywhere
- No preinstalled VPN clients
- Reduced cost of ownership
- Lower deployment costs
- Fewer support calls
- Improved application security
- Granular access to corporate resources
- Application layer security and audit trail
36. Summary: FirePass Delivers
- Key Features
  - Enterprise-class, High Availability platform
  - Built-in, load balanced clustering
  - SSL acceleration and server side caching
  - Visual Policy Editor and 30 Minute install
  - Supports Windows, Mac, Linux, Solaris and other clients
  - Built-in Protected Workspace and end-point security
  - Integrates with existing enterprise infrastructure and applications
- Key differentiators
  - Out-of-box Scalability, Performance and Reliability
  - Powerful, easy to use management interface
  - Breadth of clients, applications and infrastructure
  - Comprehensive Risk Management including end-point security
- Competitive Advantage
  - Best combination of capabilities, usability and security
  - Lowest Total Cost of Ownership and Highest ROI
39. Backup Slides
40. Partnerships
- "F5's BIG-IP has been designed into a number of Oracle's mission-critical architectures, such as the Maximum Availability Architecture." - Julian Critchfield, Vice President, Oracle Server Technologies
- "Microsoft welcomes F5 Networks' support of Visual Studio 2005. F5 complements our strategy by providing our mutual customers with a way to interact with their underlying network." - Christopher Flores, Group Product Manager in the .NET Developer Product Management Group at Microsoft Corp.
41. Services & Support
- Expertise: F5 offers a full range of personalized, world-class support and services, delivered by engineers with in-depth knowledge of F5 products.
- Software Solution Updates: Customers with a support agreement receive all software updates, version releases, and relevant hot fixes as they are released.
- Flexibility: Whatever your support demands, F5 has a program to fit your needs. Choose from our Standard, Premium, or Premium Plus service levels.
- Full Service Online Tools: Ask F5 and our Web Support Portal.
- Fast Replacements: F5 will repair or replace any product or component that fails during the term of your maintenance agreement, at no cost.
42. F5 Services
Professional Services
- Experience: F5 Professional Consultants know F5 products and networking inside and out. The result? The expertise you need the first time.
- High Availability: Our experts work with you to design the best possible high-availability application environment.
- Optimization: Our consultants can help you fine tune your F5 traffic management solutions to maximize your network's efficiency.
- Knowledge Transfer: Our professionals will efficiently transfer critical product knowledge to your staff, so they can most effectively support your F5-enabled traffic management environment.
Certified Global Training
- Expert Instruction: With highly interactive presentation styles and extensive technical backgrounds in networking, our training professionals prepare students to perform mission-critical tasks.
- Hands-On Learning: Theoretical presentations and real-world, hands-on exercises that use the latest F5 products.
- Convenience: Authorized Training Centers (ATCs) strategically located around the world.
- Knowledge Transfer: Direct interaction with our training experts allows students to get more than traditional text book training.
Services & Support
- Expertise: World-class support and services, delivered by engineers with in-depth knowledge of F5 products.
- Software Solution Updates: Software updates, version releases, and relevant hot fixes as they are released.
- Flexibility: Standard, Premium, or Premium Plus service levels.
- Full Service Online Tools: Ask F5 and our Web Support Portal.
- Fast Replacements: F5 will repair or replace any product or component that fails during the term of your maintenance agreement, at no cost.
43. F5 Networks Globally
[Figure: world map. International HQ: Seattle. Regional HQ / Support Centers: EMEA, Japan, APAC. F5 regional offices and F5 development sites: Spokane, San Jose, Tomsk, Tel Aviv, Northern Belfast.]
44. F5 Networks Message Security Module
45. The Message Management Problem
- Out of 75 billion emails sent worldwide each day, over 70% is spam!
- The volume of spam is doubling every 6-9 months!
  - Clogging networks
  - Cost to protect is increasing
[Figure: TrustedSource reputation scores, Nov 2005 vs Oct 2006 (higher score = worse reputation).]
46. Typical Corporate Pain
- Employees still get spam
  - Some are annoying, some are offensive
- Infrastructure needed to deal with spam is expensive!
  - Firewalls
  - Servers
  - Software (O/S, anti-spam licenses, etc.)
  - Bandwidth
  - Rack space
  - Power
- Budget doesn't match spam growth
- Legitimate email delivery slowed due to spam
47. Why is this happening?
- Spam really works!
  - Click rate of 1 in 1,000,000 is successful
- Spammers are smart professionals
  - Buy the same anti-spam technology we do
  - Develop spam to bypass filters
  - Persistence through trial and error
  - Blasted out by massive controlled botnets
- Professional spammers have
  - Racks of equipment
  - Every major filtering software and appliance available
  - Engineering staff
48. It's not just annoying, it can be dangerous.
- 2% of all email globally contains some sort of malware.
  - Phishing
  - Viruses
  - Trojans (zombies, spyware)
49. High Cost of Spam Growth
- Spam volume increases
  - Bandwidth usage increases
  - Load on firewalls increases
  - Load on existing messaging security systems increases
  - Emails slow down
  - Needlessly uses up rack space, power, admin time
[Figure: DMZ with firewall, messaging security and email servers.]
50. MSM: Blocking at the Edge
[Figure: emails arrive from the Internet; the first tier, BIG-IP MSM, sits in front of the second tier, the messaging security server, which sits in front of the mail servers.]
- First tier (BIG-IP MSM): terminates 70% of the spam at the SMTP "e hello" (EHLO)
- Second tier (messaging security server): filters out the remaining 10 to 20% of spam
- Works with any anti-spam solution
51. Why TrustedSource?
- Industry leader
  - Solid Gartner reviews (MQ)
  - IDC market share leader
- Superior technology
- Stability
52. TrustedSource: Leading IP Reputation DB
53. TrustedSource
Automated analysis
- Messages analyzed per month
  - 10 billion enterprise
  - 100 billion consumer
- Dynamic computation of reputation score
Global data monitoring is fueled by the network effect of real-time information sharing from thousands of gateway security devices around the world.
54. Shared Global Intelligence
55. TrustedSource Identifies Outbreaks Before They Happen
Timeline:
- 9/12/05: TrustedSource flagged the machine as a zombie
- 11/01/05: this machine began sending the Bagle worm across the Internet
- 11/02/05: other reputation systems triggered
- 11/03/05: anti-virus signatures were available to protect against Bagle
- Two months earlier, TrustedSource had identified this machine as not being trustworthy
56. Content Filters Struggle to ID Certain Spam
57. Image-based spam
[Figure: image-based spam samples using hash-busting scratches.]
58. Summary of Benefits
- Eliminate up to 70% of spam upon receipt of first packet
- Reduce cost for message management
  - TMOS module: high performance, cost effective spam blocking at the network edge
  - Integrated into BIG-IP to avoid box proliferation
- Improved scalability and message control
  - Reputation-based message distribution and traffic shaping
  - Slightly increase kill-rate on unwanted email
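A two-tier gate of the shape slides 50 and 58 describe, as an added example that is not F5's BIG-IP MSM code. Tier one runs at connection time and uses only the connecting IP's reputation score (higher score = worse reputation, as on the TrustedSource slide): bad senders are rejected before any message content is read, dubious ones are rate-limited (the reputation-based traffic shaping the summary mentions), good ones pass straight through. Tier two is whatever anti-spam content filter sits behind it; a trivial keyword filter stands in for it here. The scores, thresholds, IP addresses and messages are all constructed.

```python
"""Added example (not F5's BIG-IP MSM code): reputation gate at the edge (tier
one) in front of a content filter (tier two). Scores, thresholds, addresses and
messages are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List

REJECT_AT = 80        # score >= this: drop at the first packet, no content read
THROTTLE_AT = 50      # score >= this: accept, but only a few connections per window
WINDOW_SECONDS = 60
THROTTLE_LIMIT = 2    # connections per window allowed for throttled senders


@dataclass
class Message:
    src_ip: str
    at: int          # constructed timestamp, seconds
    subject: str
    body: str


@dataclass
class Gate:
    reputation: Dict[str, int]                  # IP -> score (constructed reputation feed)
    content_filter: Callable[[Message], bool]   # tier two: returns True for spam
    recent: Dict[str, Deque[int]] = field(default_factory=lambda: defaultdict(deque))
    log: List[str] = field(default_factory=list)

    def tier_one(self, ip: str, at: int) -> str:
        """Connection-time decision from reputation alone: reject, defer or accept."""
        score = self.reputation.get(ip, 0)   # unknown sender: treated as neutral
        if score >= REJECT_AT:
            return "reject"                  # SMTP 5xx before any DATA
        if score >= THROTTLE_AT:
            window = self.recent[ip]
            while window and at - window[0] >= WINDOW_SECONDS:
                window.popleft()             # forget connections outside the window
            if len(window) >= THROTTLE_LIMIT:
                return "defer"               # SMTP 4xx: come back later
            window.append(at)
        return "accept"

    def handle(self, m: Message) -> str:
        """Full path: tier one on the connection, tier two only on accepted content."""
        verdict = self.tier_one(m.src_ip, m.at)
        if verdict == "accept" and self.content_filter(m):
            verdict = "spam"
        self.log.append(f"t={m.at} ip={m.src_ip} "
                        f"score={self.reputation.get(m.src_ip, 0)} {verdict}")
        return verdict


def keyword_filter(m: Message) -> bool:
    """Stand-in for the downstream anti-spam product (constructed, deliberately naive)."""
    text = (m.subject + " " + m.body).lower()
    return any(w in text for w in ("cheap meds", "act now"))


def demo() -> Dict[str, int]:
    """Runs a constructed batch through the gate; returns verdict -> count."""
    reputation = {"198.51.100.9": 95, "203.0.113.5": 60, "192.0.2.10": 5}
    gate = Gate(reputation, keyword_filter)
    batch = [
        Message("198.51.100.9", 0, "cheap meds", "..."),      # known bad: rejected, content unread
        Message("198.51.100.9", 1, "hello", "..."),           # still rejected
        Message("203.0.113.5", 2, "newsletter", "act now"),   # dubious: accepted, then tier two says spam
        Message("203.0.113.5", 3, "report", "q3 numbers"),    # second in window: accepted
        Message("203.0.113.5", 4, "report", "q3 numbers"),    # third in window: deferred
        Message("192.0.2.10", 5, "lunch?", "noon"),           # good reputation: accepted
        Message("203.0.113.5", 70, "report", "q3"),           # window expired: accepted again
    ]
    counts: Dict[str, int] = defaultdict(int)
    for m in batch:
        counts[gate.handle(m)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(demo())
```

Nothing from the two rejected connections ever reaches the keyword filter, which is the saving the slides describe: the expensive second tier only sees traffic from senders whose reputation is acceptable, and the throttle caps how much of its time a dubious sender can consume.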
59. Packaging
License tiers:
- MSM for over 100,000 mailboxes
- MSM for up to 100,000 mailboxes
- MSM for up to 75,000 mailboxes
- MSM for up to 50,000 mailboxes
- MSM for up to 25,000 mailboxes
- MSM for up to 10,000 mailboxes
- MSM for up to 5,000 mailboxes
- MSM for up to 1,000 mailboxes
- BIG-IP LTM only
  - Version support: 9.2 and higher
- Module may be added to any LTM or Enterprise
  - No module incompatibilities with other modules
- Licensed per BIG-IP by number of mailboxes
- BIG-IP platform sizing depends on
  - Email volume
  - Number of BIG-IPs
  - Other functions expected of BIG-IP (additional taxes on CPU time)
60. How BIG-IP MSM Works
[Animated figure: BIG-IP MSM at the Internet edge.]
61. Spam Volumes Out of Control
[Figure: percent of worldwide email that is spam; y-axis ticks 70% and 85%, x-axis from Nov 2005 to Oct 2006.]
62. Hard-to-detect Image Spam is Growing
[Figure: image spam as a percent of total email during 2006.]
63. Reputation-based Security Model
64. Backup Slides
65. Windows Logon (GINA Integration)
- Key Features
  - Transparent secure logon to corporate network from any access network (remote, wireless and local LAN)
  - Non-intrusive and works with existing GINA (no GINA replacement)
  - Drive mappings/login scripts from AD
  - Simplified installation setup (MSI package)
  - Password mgmt/self-service
- Customer Benefits
  - Unified access policy mgmt
  - Increased ROI
  - Ease of use
  - Lower support costs
66. Configuring Windows Logon
67. Windows Installer Service
- Problem
  - Admin user privileges required for network access client component updates
- Solution
  - Provide a user service on the client machine which allows component updates without admin privileges
68. Network Access Only WebTop
- Simplified webtop interface
- Automatically minimizes to system tray
69. Windows VPN Dialer
Simple way to connect for users familiar with dial-up.
70. FirePass Client CLI
- f5fpc <cmd> <param>, where <cmd> options are
  - start
  - info
  - stop
  - help
  - profile
- Single sign-on from 3rd party clients (iPass)
71. Auto Remediation
72. Dynamic AppTunnels
- Feature Highlights
  - No client pre-installation
  - No special admin rights for on-demand component install
  - No host file re-writes
  - Broader application interoperability (complex web apps, static and dynamic ports)
- Benefits
  - Lower deployment and support costs
  - Granular access control
73. Configuring Dynamic AppTunnels
74. Better Value than Juniper!
- More features
  - Additional software features included in base package (1000 and 4100 series)
    - Terminal Server Adapter (Citrix, WTS, VNC)
    - AV / FW checker
    - AppTunnels
  - Additional 4 GB memory in 4140 and 4150
- Less expensive
  - New SKU/packages
    - 4100 with 8 GB failover SKU 4100E-F priced at 27,990
    - Factory install OPT SKU for 4 GB memory (4110, 4120, 4130, 4100-F only)