
Securing and Accelerating the InteropNOC with F5 Networks
Joe Wojcik - Consultant II - J.Wojcik@F5.com
Ken Bocchino - Principal Systems Architect - KB@F5.com

Agenda

Overview of F5
SPDY (Pronounced Speedy)
Application Firewall Manager
Application Security Manager
Access Policy Manager
Questions

InteropNET Architecture Overview

F5 Technologies Used in the Network

ADC - Application Delivery Controller
LTM - Local Traffic Manager
GTM - Global Traffic Manager
AFM - Advanced Firewall Manager
ASM - Application Security Manager
AAM - Application Acceleration Manager
APM - Access Policy Manager

The Basics - LTM


Profiles applied to the virtual server allow for protocol parsing
Monitoring of pool members ensures always-available services
[Diagram: Virtual Server -> Pool -> Pool Members]

The Basics - GTM


[Diagram: WideIP -> Pool -> DC1 Virtual Server, DC2 Virtual Server]
Wide IPs define FQDNs
Pool of data center virtual IPs ensures global availability
Monitoring of pool members ensures always-available services

F5 Architecture Overview

[Diagram: OSI layers on the left, F5 functions on the right]
Client / Server - Application health monitoring and performance anomaly detection
Web application - HTTP proxy, HTTP DDoS and application security
Session - SSL inspection and SSL DDoS mitigation
Network - L4 Firewall: full stateful policy enforcement and TCP DDoS mitigation
Physical

F5 Architecture Overview

F5's Approach
[Diagram: TMOS full-proxy architecture. The client side and the server side each have their own TCP, SSL and HTTP stacks over IPv4/IPv6, joined by the proxy, with OneConnect on the server side]
Client / Server - Application health monitoring and performance anomaly detection
Web application - HTTP proxy, HTTP DDoS and application security
Session - SSL inspection and SSL DDoS mitigation
Network - L4 Firewall: full stateful policy enforcement and TCP DDoS mitigation
Physical - High-performance HW
Traffic management microkernel (TMOS): high-performance networking microkernel, powerful application protocol support
TMOS traffic plug-ins: optional modules (APM, Firewall, etc.) plug in for all F5 products and solutions
iControl API - external monitoring and control
iRules - network programming language

SPDY Overview
Google produced the 1st Internet-Draft in 2009
Several major websites already use it (Google, Twitter, Facebook, etc.)
Supported in updated versions of Chrome, Firefox, Internet Explorer, Opera
Kindle Fire Silk browser uses SPDY to internet sites and the Amazon AWS cloud

HTTP has several built-in assumptions that affect latency:
Single request per connection
Exclusively client-initiated requests
Uncompressed request and response headers
Redundant headers
Optional data compression

SPDY is designed to reduce application-layer latency:
Many HTTP requests per TCP connection
Compresses headers and eliminates unnecessary headers
Easy to implement and server-efficient
Always-on SSL for a more secure web
Enables server-initiated communications to the client

SPDY Overview Cont.


SPDY doesn't replace HTTP: SPDY still has HTTP methods, headers, response codes, and other HTTP elements

Basic features of SPDY
Multiplexed streams - allows unlimited concurrent streams over a single TCP connection
Request prioritization - assigns priority to multiple requests to combat bandwidth limitations
HTTP header compression - compresses request/response HTTP headers
Server-initiated streams - speed up connections by sending content or hints without the client specifically requesting the resource
Server push - servers push data to clients via the X-Associated-Content header; useful for initial-page downloads
Server hint - servers suggest resources to the client via the X-Subresources header

Draft located at http://www.chromium.org/spdy/spdy-protocol/spdy-protocol-draft1
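The header-compression feature above is easier to see with numbers. The following is an added example, not F5 or Chromium code: it serialises headers in the 16-bit length-prefixed name/value layout of the draft1 (spdy/2) block and runs them through one zlib context that is kept for the whole session, the way SPDY does per direction. The dictionary string is a constructed stand-in for the fixed dictionary the draft specifies, and the sample requests are constructed; the function names are this example's own.

```python
import struct
import zlib

# Constructed stand-in for the fixed SPDY header dictionary (not the real one).
DEMO_DICT = (b"optionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encoding"
             b"accept-languageauthorizationhostuser-agentrefererhttp/1.1status"
             b"versionurlmethod200301302304400403404500")


def encode_name_value_block(headers):
    """16-bit pair count, then 16-bit-length-prefixed name and value per pair."""
    out = struct.pack("!H", len(headers))
    for name, value in headers:
        n, v = name.encode(), value.encode()
        out += struct.pack("!H", len(n)) + n + struct.pack("!H", len(v)) + v
    return out


def decode_name_value_block(block):
    """Inverse of encode_name_value_block."""
    (count,) = struct.unpack_from("!H", block, 0)
    pos, headers = 2, []
    for _ in range(count):
        (nlen,) = struct.unpack_from("!H", block, pos)
        pos += 2
        name = block[pos:pos + nlen].decode()
        pos += nlen
        (vlen,) = struct.unpack_from("!H", block, pos)
        pos += 2
        value = block[pos:pos + vlen].decode()
        pos += vlen
        headers.append((name, value))
    return headers


class HeaderCompressor:
    """Session-scoped compressor: zlib state carries over from frame to frame."""
    def __init__(self):
        self._z = zlib.compressobj(zdict=DEMO_DICT)

    def compress(self, headers):
        raw = encode_name_value_block(headers)
        # Z_SYNC_FLUSH terminates the frame so the peer can decode it at once
        # without the stream being closed.
        return self._z.compress(raw) + self._z.flush(zlib.Z_SYNC_FLUSH)


class HeaderDecompressor:
    """Session-scoped decompressor, mirrors HeaderCompressor."""
    def __init__(self):
        self._z = zlib.decompressobj(zdict=DEMO_DICT)

    def decompress(self, frame):
        return decode_name_value_block(self._z.decompress(frame))


# Constructed sample: three requests a browser sends while loading one page.
COMMON = [
    ("version", "HTTP/1.1"),
    ("host", "www.example.com"),
    ("user-agent", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36"),
    ("accept-encoding", "gzip,deflate,sdch"),
    ("accept-language", "en-US,en;q=0.8"),
]
REQUESTS = [
    [("method", "GET"), ("url", "/index.html"),
     ("accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")] + COMMON,
    [("method", "GET"), ("url", "/css/site.css"), ("accept", "text/css,*/*;q=0.1")] + COMMON,
    [("method", "GET"), ("url", "/js/app.js"), ("accept", "*/*")] + COMMON,
]


def session_sizes(requests, shared=True):
    """Compressed bytes per request. shared=True keeps one zlib context for the
    session as SPDY does; shared=False starts a fresh context per request, which
    is what compressing each message on its own would cost. Every frame is
    decoded on the receiving side and checked against the original headers."""
    comp, decomp = HeaderCompressor(), HeaderDecompressor()
    sizes = []
    for headers in requests:
        if not shared:
            comp, decomp = HeaderCompressor(), HeaderDecompressor()
        frame = comp.compress(headers)
        if decomp.decompress(frame) != headers:
            raise ValueError("round trip failed")
        sizes.append(len(frame))
    return sizes


def raw_sizes(requests):
    """Uncompressed size of each name/value block, for comparison."""
    return [len(encode_name_value_block(h)) for h in requests]


if __name__ == "__main__":
    print("raw      :", raw_sizes(REQUESTS))
    print("shared   :", session_sizes(REQUESTS, shared=True))
    print("per-frame:", session_sizes(REQUESTS, shared=False))
```

The second and third frames shrink to a few dozen bytes because the repeated user-agent, host and accept-* headers are back-references into the first frame; restarting the context per request loses that. The same shared, secret-carrying compression state is what later made SPDY/TLS header compression exploitable by the CRIME attack, which is why successors moved to a purpose-built header codec.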

SPDY & F5

F5 provides production-level SPDY support in BIG-IP LTM 11.4.0

BIG-IP Local Traffic Manager (LTM) uses a SPDY service profile to provide a SPDY endpoint and translation to back-end HTTP. With everything handled on the F5 LTM, no back-end changes are required to support SPDY.

The HTTP virtual server handles the initial request as a standard HTTP request and inserts an HTTP header into the response (to inform the client that a SPDY virtual server is available to handle SPDY requests). The response is also compressed and cached.

A SPDY-capable client uses SSL/TLS (with NPN) to send SPDY requests to the BIG-IP system; the SPDY virtual server receives the request on port 443 and converts the SPDY request into an HTTP request before sending it to the appropriate server.

When the server provides a response, the BIG-IP system converts the HTTP response into an appropriate SPDY response, compresses and caches it, and sends the response to the client.

SPDY Example - www.interop.com
[Screenshot: SPDY session to www.interop.com showing multiplexed requests, request priority and stream IDs]

SPDY - Some Numbers

These numbers are from Google's testing and are posted on the Chromium project page.

Individual performance will be based on page complexity, domain use, static/dynamic pages, and more.

AFM: High Level Capabilities

Access Control Policy
Stateful firewalling - policies, rules, address lists
Application access control (DNS, HTTP, FTP, SMTP)

DoS Detection & Mitigation
L2-L4 attack mitigation, resource protection
Protocol-specific DoS (DNS, SIP, SSL)

Dynamic Endpoint Visibility & Enforcement
NGFW, botnet defense
IP Intelligence profiles

Manageability & Visibility
Flexible & powerful high-speed logging
Network, protocol & DoS reporting (AVR)

Encrypted Traffic Handling
Site-to-site IPsec VPN tunnels
High-scale SSL termination

Advanced Firewall Manager

AFM: Access Control Policy


HUD Chain
LTM + ASM + APM + GTM

I/O

I/O
Flow
table

Install flow

Flow create

L2

L3

L2

Global
NW DoS

Query /
Response
Flow lookup

Accept
Match

Match

L3

Accept decisively

HW Accelerated*
*Some Vectors not HW accelerated

No flow exists

Ephemeral
listener

If TCP & Non-SYN


then Drop here
Exact match for ALG

Accept decisively: allows matching packets to


pass without further rule processing
LMF: longest match first

No
Match

Accept
decisively

Global
rules

Accept

Route
domain
rules

Accept

Default Accept

Default Accept

Rules processed in order

Rules processed in order

Drop/Reject

Drop/
Reject

No Match

DROP or NO MATCH = Silently discard


REJECT = If TCP, send RST; else DROP

Listener
Lookup
Accept
decisively path

Listener
rules
Match

Accept path

Configurable
default

Listener selected
with LMF

Drop/Reject

Rules processed in order

HW
Accelerated

AFM: Access Control Policy


Rule Lists
Grouping of rules
Global rules that can be used anywhere in the policy
Can be referenced in multiple policies on multiple firewalls

Flow Classification Criteria
Time based
Protocol
Source address
Source port
Source VLAN
Destination address
Destination port

Primary Actions
Drop: silently discard
Reject: drop and inform sender
Accept: permit
Accept decisively: permit and skip processing at subsequent contexts

Other Actions
Fire iRule (as of 11.4.1)
Log
Hit count

Configurable default action per context
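The interaction between the four primary actions and the global -> route domain -> listener context order is the part of this policy model that most often surprises people, so here is an added example, written for this page and not F5 code, that models it. Contexts run in order, rules within a context are processed in order with first match winning, Accept hands the packet to the next context, Accept decisively ends processing, Drop discards silently, and Reject sends a TCP RST only for TCP. The flow-table pre-check from the previous slide (existing flow accepted without rules; TCP non-SYN with no flow dropped) is included. All names, addresses and the sample policy are constructed; the vlan and sport fields are only there to show the classification criteria.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    sport: int = 0
    vlan: str = "external"
    tcp_syn: bool = True      # only meaningful for TCP


@dataclass
class Rule:
    name: str
    action: str                      # drop | reject | accept | accept-decisively
    proto: Optional[str] = None      # None means "any" for every criterion
    src: Optional[str] = None        # CIDR
    dst: Optional[str] = None        # CIDR
    dport: Optional[int] = None
    vlan: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.vlan is not None and self.vlan != pkt.vlan:
            return False
        return True


@dataclass
class Context:
    name: str
    rules: list
    default_action: str = "accept"   # the configurable default action


def stateful_precheck(pkt: Packet, flow_table) -> Optional[str]:
    """Flow-table lookup before any rule runs: an existing flow is accepted
    without rule processing; a TCP packet that is not a SYN and has no flow
    is dropped right here."""
    key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if key in flow_table:
        return "accept"
    if pkt.proto == "tcp" and not pkt.tcp_syn:
        return "drop"
    return None


def evaluate(pkt: Packet, contexts, flow_table=frozenset()):
    """Returns (decision, deciding context, deciding rule, wire action)."""
    pre = stateful_precheck(pkt, flow_table)
    if pre == "accept":
        return ("accept", "flow-table", "existing-flow", "forward")
    if pre == "drop":
        return ("drop", "flow-table", "tcp-non-syn-without-flow", "silent-discard")
    for ctx in contexts:                   # global -> route domain -> listener
        action, rule_name = ctx.default_action, "default"
        for rule in ctx.rules:             # rules processed in order, first match wins
            if rule.matches(pkt):
                action, rule_name = rule.action, rule.name
                break
        if action == "accept":
            continue                       # permitted here; the next context still runs
        if action == "accept-decisively":
            return ("accept", ctx.name, rule_name, "forward")
        if action == "drop":
            return ("drop", ctx.name, rule_name, "silent-discard")
        if action == "reject":
            wire = "tcp-rst" if pkt.proto == "tcp" else "silent-discard"
            return ("reject", ctx.name, rule_name, wire)
        raise ValueError(f"unknown action {action!r}")
    return ("accept", "end-of-policy", "all-contexts-accepted", "forward")


# Constructed sample policy (addresses from the documentation ranges).
POLICY = [
    Context("global", [
        Rule("block-bad-range", "reject", src="203.0.113.0/24"),
    ]),
    Context("route-domain-0", [
        Rule("mgmt-from-inside", "accept-decisively", proto="tcp",
             src="10.0.0.0/8", dport=22),
    ]),
    Context("vs-web", [
        Rule("https", "accept", proto="tcp", dst="192.0.2.10/32", dport=443),
    ], default_action="drop"),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.7", "192.0.2.10", dport=443),
                Packet("tcp", "203.0.113.5", "192.0.2.10", dport=443),
                Packet("udp", "203.0.113.5", "192.0.2.10", dport=53),
                Packet("tcp", "10.1.2.3", "192.0.2.10", dport=22),
                Packet("tcp", "198.51.100.7", "192.0.2.10", dport=22)):
        print(pkt.proto, pkt.src, pkt.dport, "->", evaluate(pkt, POLICY))
```

Two things worth checking against your own policy with a model like this: a rule placed above a more specific one in the same context silently shadows it, and an Accept decisively in the global or route-domain context bypasses every listener rule you wrote later.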

AFM: Visibility in the NOC

[Screenshots: high-level dashboard and very detailed drill-down views]
F5 reporting to key SIEM partners: Splunk, Q1, ArcSight
Start with application-centric views and drill down to more details
At-a-glance visibility and intelligence for ADF's context-aware security

DDoS MITIGATION
[Diagram: OSI stack (Physical 1 through Application 7) against F5 mitigation technologies; the difficulty of attack detection increases up the stack]

Network attacks (Physical 1, Data Link 2, Network 3, Transport 4)
SYN flood, connection flood, UDP flood, PUSH and ACK floods, Teardrop, ICMP floods, ping floods and Smurf attacks
Mitigated by BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate limiting, strict TCP forwarding

Session attacks (Session 5, Presentation 6)
DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation
Mitigated by BIG-IP LTM and GTM: high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation

Application attacks (Application 7)
OWASP Top 10 (SQL injection, XSS, CSRF, etc.), Slowloris, Slow POST, HashDoS, GET floods
Mitigated by BIG-IP ASM: positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection

Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.

Automatic HTTP/S DoS attack detection and protection
Accurate detection technique based on latency
Three different mitigation techniques escalated serially
Focus on higher-value productivity while automatic controls intervene

DETECT A DOS CONDITION -> IDENTIFY POTENTIAL ATTACKERS -> DROP ONLY THE ATTACKERS
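The three boxes on the slide are a pipeline, and the order matters: nobody is dropped until a latency-based DoS condition exists, and even then only sources that stand out are dropped. As an added example, not F5 code, the following models that pipeline over a constructed ten-second window of proxy request records. The baseline latency, the trigger ratio and the per-source rate multiplier are constructed thresholds for the demo; the three escalated mitigation techniques on the slide are not named there and are not modelled, only the detect/identify/drop decision is.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import median


@dataclass
class Request:
    t: float            # seconds since window start
    src: str            # client source address
    latency_ms: float   # server response time seen by the proxy


BASELINE_LATENCY_MS = 120.0     # learned during normal traffic (constructed)
LATENCY_TRIGGER_RATIO = 3.0     # DoS suspected when latency exceeds 3x baseline
SOURCE_RATE_MULTIPLIER = 10.0   # a source is suspect at 10x the median source rate


def detect_dos_condition(window, baseline_ms=BASELINE_LATENCY_MS,
                         ratio=LATENCY_TRIGGER_RATIO):
    """Step 1: the server-side symptom. A DoS condition exists when the median
    latency over the window is well above the learned baseline."""
    if not window:
        return False
    return median(r.latency_ms for r in window) > baseline_ms * ratio


def identify_potential_attackers(window, multiplier=SOURCE_RATE_MULTIPLIER):
    """Step 2: who is responsible. Sources whose request count in the window is
    far above the median source are flagged; everyone else stays unflagged."""
    counts = Counter(r.src for r in window)
    typical = median(counts.values())
    return {src for src, n in counts.items() if n > typical * multiplier}


def mitigation_verdicts(window):
    """Step 3: drop only the attackers. Returns {} when no DoS condition exists
    (so no one is touched), otherwise a per-source allow/drop decision."""
    if not detect_dos_condition(window):
        return {}
    suspects = identify_potential_attackers(window)
    return {src: ("drop" if src in suspects else "allow")
            for src in {r.src for r in window}}


def build_window(attack: bool, seconds: int = 10):
    """Constructed traffic: three normal clients at 3 req/s. With attack=True one
    source adds 60 req/s and latency climbs for everyone as the pool saturates."""
    normal = ["198.51.100.11", "198.51.100.12", "198.51.100.13"]
    reqs = []
    for i in range(seconds * 3):
        for src in normal:
            reqs.append(Request(i / 3, src, 900.0 if attack else 110.0))
    if attack:
        for i in range(seconds * 60):
            reqs.append(Request(i / 60, "203.0.113.9", 900.0))
    return sorted(reqs, key=lambda r: r.t)


if __name__ == "__main__":
    print("quiet :", mitigation_verdicts(build_window(attack=False)))
    print("attack:", mitigation_verdicts(build_window(attack=True)))
```

Note what the quiet window returns: an empty verdict map, even though the rate check alone would happily flag any busy client. Gating the identification step on the latency symptom is what keeps a legitimate heavy user from being dropped when the application is healthy.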

DDoS protection reference architecture


Next-Generation Firewall

Corporate Users

Tier
Tier 22

Tier 1
Network attacks:
ICMP flood,
UDP flood,
SYN flood

Multiple ISP strategy

Financial
Services

SSL attacks:
SSL renegotiation,
SSL flood

Legitimate
Users
E-Commerce
ISPa/b
Network and
DNS

Application
HTTP attacks:
Slowloris,
slow POST,
recursive POST/GET

DNS attacks:
DNS amplification,
query flood,
dictionary attack,
DNS poisoning

DDoS
Attacker

Subscriber

Cloud
Scrubbing Service
IPS
Threat Feed
Feed Intelligence
Intelligence
Threat

Scanner

Anonymous
Proxies

Anonymous
Requests

Botnet

Attackers

Strategic Point of Control

DDoS protection reference architecture


Next-Generation Firewall

Corporate Users

TIER 1 KEY FEATURES


Tier
Tier 22perimeter is
The first tier at the
layer 3
and 4 network firewall services

Tier 1
Network attacks:
ICMP flood,
UDP flood,
SYN flood

Multiple ISP strategy

SSL attacks:
SSL renegotiation,
SSL flood

Financial
Services

Simple load balancing


to a second tier

Legitimate
Users
ISPa/b
Network and
DNS
DNS attacks:
DNS amplification,
query flood,
dictionary attack,
DNS poisoning

DDoS
Attacker

E-Commerce

IP reputation database
Application

Mitigates volumetric and DNS DDoS


attacks
HTTP attacks:
Slowloris,
slow POST,
recursive POST/GET

Subscriber

Cloud
Scrubbing Service
IPS
Threat Feed
Feed Intelligence
Intelligence
Threat

Scanner

Anonymous
Proxies

Anonymous
Requests

Botnet

Attackers

Strategic Point of Control

DDoS protection reference architecture


Next-Generation Firewall

Corporate Users

Tier
Tier 22

Tier 1
Network attacks:
ICMP flood,
UDP flood,
SYN flood

Multiple ISP strategy

Financial
Services

SSL attacks:
SSL renegotiation,
SSL flood

Legitimate
Users
E-Commerce
ISPa/b
Network and
DNS

Application
HTTP attacks:
Slowloris,
slow POST,
recursive POST/GET

DNS attacks:
DNS amplification,
query flood,
dictionary attack,
DNS poisoning

DDoS
Attacker

Subscriber

Cloud
Scrubbing Service
IPS
Threat Feed
Feed Intelligence
Intelligence
Threat

Scanner

Anonymous
Proxies

Anonymous
Requests

Botnet

Attackers

Strategic Point of Control

DDoS reference architecture


Next-Generation Firewall

Corporate Users

TIER 2 KEY FEATURES

The second tier is for applicationaware,


CPU-intensive defense mechanisms
Multiple ISP strategy

Tier
Tier 22

Tier 1
Network attacks:
ICMP flood,
UDP flood,
SYN flood

Financial
Services

SSL attacks:
SSL renegotiation,
SSL flood

Legitimate
SSL termination
Users

Web application firewall

E-Commerce

ISPa/b

Mitigate asymmetric and SSL-based


DDoS attacks
DDoS
Attacker

Network and
DNS

Application
HTTP attacks:
Slowloris,
slow POST,
recursive POST/GET

DNS attacks:
DNS amplification,
query flood,
dictionary attack,
DNS poisoning

Subscriber

Cloud
Scrubbing Service
IPS
Threat Feed
Feed Intelligence
Intelligence
Threat

Scanner

Anonymous
Proxies

Anonymous
Requests

Botnet

Attackers

Strategic Point of Control

DDoS Protection Interop NOC


Protecting L37 and DNS

Customers
ISPa

Network Firewall Services


+ DNS Services
+ Web Application Firewall Services
+ Compliance Control

DDoS Attack

Partners
ISPb
BIG-IP Platform

DDoS Attack

ISP provides
volumetric DDoS
service

BIG-IP Advanced Firewall Manager


BIG-IP Local Traffic Manager
BIG-IP Global Traffic Manager
BIG-IP Access Policy Manager
BIG-IP Application Security Manager

Comprehensive Protections
BIG-IP ASM extends protection to more than application vulnerabilities:
L7 DDoS
XML firewall: XML filtering, validation & mitigation
Web scraping
Geolocation blocking
ICAP anti-virus integration
Web bot identification

Four ways to build a policy


Security policy
checked

Security policy
applied

DYNAMIC POLICY BUILDER


Automatic
No knowledge of the
app required
Adjusts policies if app
changes

INTEGRATION WITH APP SCANNERS

Manual
Advanced
configuration for
custom policies

Virtual patching with continuous


application scanning

PRE-BUILT POLICIES

Out-of-the-box
Pre-configure and validated
For mission-critical apps
including: Microsoft, Oracle,
PeopleSoft

BIG-IP Access Policy Manager


SECURE IDENTITY AND ACCESS MANAGEMENT

Provide unified global access to your applications
Simplified and consolidated management of your application security policies
Single Sign-On (SSO) across multiple domains/authentication types
Simplified access for virtual application environments: Citrix XenApp/XenDesktop, VMware Horizon View

Unifies security, access control and application delivery
Advanced Visual Policy Editor
SSL application or VPN tunnels for the full range of user access
Secure Web Gateway with URL filtering and real-time intelligence
Advanced reporting: Splunk, Syslog, ArcSight, etc.

BIG-IP Access Policy Manager

Provides client-side and server-side checking (antivirus, firewall, OS version, etc.)
Multiple AAA server support (RADIUS, Active Directory, LDAP, SecurID, Oracle, SAML, HTTP, LocalDB, TACACS+, CRLDP, OCSP, and more)
Easy L4 and L7 ACL management

BIG-IP Access Policy Manager

At Interop we provide NOC sponsors IPv4 and IPv6 VPN access to the NOC network services
NOC users can VPN securely into their applications and devices locally or in our other Interop data centers
Providing logging and access information to the ScienceLogic, PathSolutions, and Splunk servers
[Diagram: Las Vegas NOC with the Denver Colo and Sunnyvale Colo sites]

Additional Resources

F5 Networks Website - http://www.f5.com/
F5 Networks Support Site - http://support.f5.com/
F5 Networks INTEROP Show Site - http://f5.enet.interop.net/
Chromium Project SPDY - http://www.chromium.org/spdy
F5 DDoS Recommended Practices - http://f5.enet.interop.net/interop/F5%20DDoS%20Recommended%20Practices.pdf
