F5 Networks
Joe Wojcik - Consultant II - J.Wojcik@F5.com
Ken Bocchino - Principal Systems Architect KB@F5.com
Agenda
Overview of F5
SPDY (Pronounced Speedy)
Application Firewall Manager
Application Security Manager
Access Policy Manager
Questions
[Diagram labels: Virtual Server, Pool, Pool Member, DC1, DC2]
F5 Architecture Overview
[Diagram labels, shown for both client and server: Client / Server, Web application, Application, Session, Network, Physical]
F5 Architecture Overview
F5's Approach
[Diagram labels: Client / Server, Web application, Application, Session, Network, Physical; Proxy with client side and server side; TCP, OneConnect, SSL, HTTP, IPv4/IPv6; HTTP proxy, HTTP DDoS and application security; APM; Firewall; iRules; High-performance HW; iControl API]
SPDY Overview
Google produced the first Internet-Draft in 2009
Several major websites already use it (Google, Twitter, Facebook, etc.)
Supported in updated versions of Chrome, Firefox, Internet Explorer, Opera
Kindle Fire Silk browser uses SPDY to reach internet sites and the Amazon AWS cloud
Server-initiated streams
Speed up connections by sending content or hints without the client specifically requesting the resource.
Server push - servers push data to clients via the X-Associated-Content header. Useful for initial-page downloads.
Server hint - servers suggest resources to the client via the X-Subresources header.
SPDY & F5
BIG-IP Local Traffic Manager (LTM) uses a SPDY service profile to provide a SPDY endpoint and translation to backside HTTP. With everything handled on the F5 LTM, no backend changes are required to support SPDY.
The HTTP virtual server handles the initial request as a standard HTTP request, and inserts an HTTP header into the response (to inform the client that a SPDY virtual server is available to handle SPDY requests). The response is also compressed and cached.
A SPDY-capable client uses SSL/TLS (with NPN) to send SPDY requests to the BIG-IP system. The SPDY virtual server receives the request on port 443 and converts the SPDY request into an HTTP request before sending it to the appropriate server.
When the server provides a response, the BIG-IP system converts the HTTP response into an appropriate SPDY response, compresses and caches it, and sends the response to the client.
Multiplexed requests
Request priority
Stream ID
These numbers are from Google's testing and are posted on the Chromium project page.
[Packet-processing flow diagram labels: I/O; L2; L3; Flow table; Flow lookup; Flow create; Install flow; No flow exists; Query / Response; Global NW DoS; Ephemeral listener; Global rules; Route domain rules; Listener Lookup; Listener rules; Listener selected with LMF; Match; No Match; Accept; Accept decisively; Accept path; Accept decisively path; Default Accept; Configurable default; Drop/Reject; HW Accelerated* (*Some Vectors not HW accelerated)]
Primary Actions
Grouping of rules
Global rules that can be used anywhere in the policy
Can be referenced in multiple policies on multiple firewalls
Time Based
Protocol
Source Address
Source Port
Source VLAN
Destination Address
Destination Port
Other Actions
Configurable Default Action
HIGH LEVEL
VERY DETAILED
DDoS MITIGATION
Increasing difficulty of attack detection
OSI stack and F5 mitigation technologies:
Network attacks: Physical (1), Network (3), Transport (4)
SYN Flood, Connection Flood, UDP Flood, Push and ACK Floods, Teardrop, ICMP Floods, Ping Floods and Smurf Attacks
BIG-IP AFM: SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate-limiting, strict TCP forwarding.
Session attacks: Session (5), Presentation (6)
Application attacks: Application (7)
BIG-IP ASM: Positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection
[Diagram, repeated across several slides. Labels: Tier 1; Tier 2; Network and DNS; Application; Corporate Users; Financial Services; E-Commerce; Subscriber; Legitimate Users; ISPa/b; DDoS Attacker; Cloud Scrubbing Service; IPS; Threat Feed Intelligence; Scanner; Anonymous Proxies; Anonymous Requests; Botnet; Attackers; IP reputation database; SSL termination]
Network attacks: ICMP flood, UDP flood, SYN flood
SSL attacks: SSL renegotiation, SSL flood
HTTP attacks: Slowloris, slow POST, recursive POST/GET
DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
[Diagram labels: Customers, Partners, ISPa, ISPb, DDoS Attack, BIG-IP Platform]
ISP provides volumetric DDoS service
Comprehensive Protections
BIG-IP ASM extends protection to more than application vulnerabilities
L7 DDoS
XML Firewall
Web Scraping
Geolocation blocking
ICAP anti-virus Integration
Web bot identification
XML filtering, validation & mitigation
Security policy applied
Manual
Advanced configuration for custom policies
PRE-BUILT POLICIES
Out-of-the-box
Pre-configured and validated
For mission-critical apps including: Microsoft, Oracle, PeopleSoft
Provides client-side and server-side checking (Antivirus, Firewall, OS Version, etc.)
At Interop we provide NOC sponsors IPv4 and IPv6 VPN access to the NOC network services
NOC users can VPN securely into their applications and devices locally or in our other Interop Datacenters
Providing logging and access information to the ScienceLogic, PathSolutions, and Splunk servers
[Diagram labels: Denver Colo, Sunnyvale Colo]
Additional Resources
F5 Networks Website
http://www.f5.com/