Citizen questions (figure captions):
• I have submitted my application a month ago but I have not received any response.
• I need to seek support for my family but I don't know how to start?
• I am trying to start a business. Why do I have to deal with so many agencies?
• Why do I have to queue at the counter to renew my license?
SMACI (Social, Mobile, Analytic, Cloud, IoT) enable DIGITAL GOVERNMENT
• Mobile: Mobile First
• Social: News, Policies & Events
• IoT: Devices, Context
• Analytics: Service Efficiency
• Cloud: On Demand, Elasticity and Innovation
Digital Government Strategy
• Information centric
• Customer centric
• Smart Platform
• Security and Trust
• Provide digital government information and services to citizens, business and government workers anywhere, anytime on any device
• Leverage on IOT to deliver innovative, efficient and effective services
• Transition into Digital Economy with paper-less processes, cashless society and national e-ID system for secure access
© F5 Networks, Inc 8
Dynamic Data Center Services
The Notion of Application Services
(figure: a data center hosting many apps, each consuming application services)
Why Active-Active Data Centers?
Challenge Of Traditional Active-DR Design
(figure: traditional active/DR design served from the Internet)
#1 DC/DR Reliability Issue
(figure: Active-Passive Setup versus Active-Active Setup; in the active-active design each data center has an LTM and a GTM, the GTMs form a Sync Group, and Data Center #1 (PRIMARY) and Data Center #2 (SECONDARY) are both reachable from the Internet)
- With Active-Active DC, a total of 10 servers are required => savings of 5 x servers and the associated SW licenses
- In the event of failure in 1 x DC, there is still half the capacity of 5 x servers
- Because the secondary Data Center is always on, there is better reliability in the event of failover
- Enhanced user experience and application performance
(figure: a client's “GET / HTTP/1.1” request arrives from the Internet at the LTM/GTM pair in Data Center #1 (PRIMARY) or Data Center #2 (SECONDARY); the GTMs form a Sync Group)
User requests can go to any of the GTMs in the sync group, which act as one logical unit answering identically. The appropriate response is dictated by business logic – possibly based on geography, response time, or capacity – and the LTM's knowledge of the application's availability. In the event of an outage notification from the LTM, the GTM sends the traffic to an available datacenter. When notified by the LTM that availability is restored, traffic will once again be directed to the datacenter.
#4 Intelligent Global Traffic Management
Geo-Location and User Persistence
(figure: BIG-IP GTM instances answering IPv4 and dual IPv4 & IPv6 DNS queries, with NAT64 and NAT44 serving dual-stack clients)
#6 DNS Protection and Performance
Conventional DNS Thinking
• Adding performance = DNS boxes
• Weak DoS/DDoS Protection
(figure: Internet → External Firewall → DNS Load Balancing → Array of DNS Servers → Internal Firewall → Hidden Master DNS, spanning the DMZ and the Datacenter)
F5 Paradigm Shift: F5 DNS Delivery Reimagined
• Massive performance over 10M RPS!
• Best DoS / DDoS Protection
• Simplified management
• Less CAPEX and OPEX
(figure: Internet → BIG-IP Global Traffic Manager → Master DNS Infrastructure; the BIG-IP provides DNS Firewall, DNS DDoS Protection, Protocol Validation, Authoritative DNS, Caching Resolver, Transparent Caching, High Performance DNSSEC, DNSSEC Validation and Intelligent GSLB)
F5 Active-Active DC Solutions
F5 Active-Active DC Solution Overview
• Primary components – Continuous Application Delivery
  • LTM (Local Traffic Manager)
  • DNS aka GTM (Global Traffic Manager)
• Application Optimisations, Security and Identity & Access Management
  • AAM (Application Acceleration Manager): web acceleration of users/Internet traffic
  • ASM (Application Security Manager) / AFM (Advanced Firewall Manager): network & web application security, multi-layered DDoS mitigation
  • APM (Access Policy Manager): authentication & authorization, single sign-on, SSL VPN, VDI proxy
(figure: desktop, tablet and smartphone users reach Data Center #1 (PRIMARY) and Data Center #2 (SECONDARY) over the Internet through Global Server Load Balancing (GSLB), Local Traffic Load Balance / Management, Network/Application Security and Identity & Access Management)
Availability
The role of LTM
LTM does the “heavy lifting”
• Monitoring and gathering of health statistics and performance metrics for the following:
  • ISP connections (transparent monitoring)
  • Load balanced servers
  • Internal Firewall links (transparent monitoring)
(figure: the LTM sits between the Internet and the load balanced servers)
The role of GTM
GTMs “direct the show”
• GTMs gather metrics from:
• Local DNS resolvers (LDNS) – path metrics etc.
• LTMs at any data centre
• An internal algorithm determines which GTMs are responsible for which LTMs
• If a GTM fails, another GTM automatically takes over its metric gathering duties
• GTMs share gathered metrics/statistics with each other.
Generic Implementation Process
1. Install GTM at each data center.
2. Configure GTMs to talk to LTMs.
3. If necessary, migrate all BIND/DNS zone files to GTM.
4. Test to make sure GTMs:
   1. LB correctly
   2. Persist correctly
   3. Resolve correctly
5. All can be done without affecting production ☺
(figure: LDNS resolvers querying the GTMs over the Internet)
Generic Implementation Process
• Once GTMs are fully tested, there are two ways to migrate to production:
(figure: LDNS resolvers, the Internet and the GTM Sync Group)
GSLB and Delegation Mode
(figure, three steps: a client browsing to http://www.company.com has its LDNS ask “Is there a record for www.company.com?”; the .com DNS server answers “Go ask company.com”; the company.com DNS server delegates to www.gtm.company.com, the BIG-IP GTM, which returns one of the data center addresses shown, 66.163.171.129 or 72.68.171.103, and the LDNS answers the client with 66.163.171.129)
BIG-IP DNS Authoritative Screen
• The DNS Listener on the BIG-IP receives all DNS requests.
• If DNS Express is enabled, the query is checked against DNS Express zones and then local BIND.
• Else, the DNS request is forwarded to external DNS servers.
(figure: LDNS → BIG-IP DNS listener, resolving www.gtm.company.com and company.com; the BIG-IP answers the DNS query; admin OS auth roles shown alongside)
Complete load balancing Solutions across multiple DC
Intelligently steer connections to the “best” data center
(figure: clients directed to the App Tier of either data center)
Acceleration
Accelerating the Inter-DC Network
(figure: Inter-DC Traffic and User Traffic)
The Application Delivery Universe
(figure: Users, Network, Applications; label: Out of your Network)
Three Simple Steps to a Faster Web Application
(figure: Network (TCP), L7 (HTTP 2.0), Tools)
TCP Optimization
(figure: diverse client characteristics on one side, an F5 optimized advanced TCP stack in the middle, and the server connection on the other side)
HTTP 2.0 Gateway
(figure: F5 terminates HTTP 2.0 from clients and speaks HTTP to the servers)
How HTTP/2 reduces latency
HTTP/2 breaks up requests and responses into frames. These frames can be sent interleaved.
(figure: HTTP/1.1 versus HTTP/2 over time)
F5 as HTTP/2 Gateway
(figure: clients speak HTTP/2 to F5, which speaks HTTP/1.1 to Application 1, Application 2 and Application 3)
L7 Acceleration
(figure: L7 tools, HTTP)
Intelligent Browser Referencing
(figure: on the initial request the server sends No Cache Expire or a Very Short Expire; the policy-defined cache expiration is applied and the object is promoted as a candidate for IBR; subsequent client requests and repeat visits are served from cache, with compression applied)
HTTP Compression
(figure: image sample, QUALITY: 90, SIZE: 102)
Security
(figure: HACKING)
is a Hybrid Security platform that provides a full proxy architecture to address the L3-L7 security gap holistically.
FULL PROXY
Full Proxy Architecture is inherently more secure.
(figure: “Untrusted” Outside and “Trusted” Inside separated by the security layer as a Digital Air Gap; HTTP and SSL are terminated on both sides)
© 2016 F5 Networks
Local Traffic Manager (LTM)
• Availability
  • LB
  • Monitoring
  • App Visibility
  • App Traffic Mgmt
• Acceleration
  • TCP Express
  • Caching
  • Compression
  • HTTP2 GW
• Security
  • DDoS/Syn Flood
  • Full Proxy
  • SSL Visibility
DRIVING CHANGE: ENCRYPTED TRAFFIC
• 30% annual growth (source: Netcraft)
• Increased customer awareness (PFS, Heartbleed)
• Evolving cryptography and new standards
• Everything is connected
(figure also shows the shares 50% and 80%)
Performance impact of SSL inspection:
• Palo Alto PA-5020 Next-Gen Firewall: 79% performance impact
• SourceFire SSL2000 Next-Gen IPS: 75% performance impact
• Blind Spots
Enabling SSL on a firewall or an IPS can reduce the overall performance of the appliance, often by more than 80%.
(figure: Perimeter Services, Inspection Services, Application Services and Resources; Policy Enforcement; Scale-Out for Growth across IPS, DLP, SWG and any security device)
Security Services
• Malware protection
• Corporate compliance
• Productivity monitoring
• Intellectual property protection
F5 Silverline Cloud-Based Services
ASM
• WAF
• Policy Builders
• OWASP Top 10
• CSRF
• Brute Force
• PCI Compliancy
• L7 DoS
• Heavy URL
• Bad Bots Stopped
• Good Bots Allowed
• Managed Cloud Svc
• Silverline
• Visibility
• Policy Portability
LTM
• Availability
• LB
• Monitoring
• App Visibility
• App Traffic Mgmt
• Acceleration
• TCP Express
• Caching
• Compression
• HTTP2 GW
• Security
• DDoS/Syn Flood
• Full Proxy
• SSL Visibility
(figure: SSL Orchestrator (SSLi) or LTM in front of Traffic Inspection, behind a Firewall, SSL Orchestrator or LTM)
Application Security Not Addressed by Traditional Firewalls
BIG-IP ASM delivers comprehensive protection against critical web attacks
BIG-IP ASM Learning Mode
Dynamic Web Application Firewall
(figure: a request is made from devices to the BIG-IP platform (physical, hypervisor or virtual); the ASM security policy learns from the request, and the request is load-balanced to a server in the Data Center)
BIG-IP ASM Blocking Mode
Dynamic Web Application Firewall
(figure: a request is made; the BIG-IP ASM security policy is checked; a malicious request is detected and blocked, while a legitimate request is load-balanced to the server; the vulnerable application responds, DLP scrubbing and application cloaking are applied, and a secure response is delivered; deployable on physical, hypervisor and private/public cloud platforms)
• Protection from DoS/DDoS attacks and web application security risks
• Enforce positive and/or negative security policies, protocol compliance
• DataGuard data-scrubbing/DLP/compliance
• Vulnerability assessment service integration
• IP Intelligence malicious client classification and blocking
Detailed Logging, Actionable Compliance Reports
Drill-down to URLs or Attack Categories At-A-Glance PCI Compliance Reports
Hybrid Architecture
Protect web applications and data from layer 7 attacks, and enable compliance, such as PCI DSS, with the Silverline Web Application Firewall service, which is built on BIG-IP Application Security Manager and backed by 24x7x365 support from F5 experts.
(figure: legitimate users reach web apps hosted in the Private Cloud, on Physical hardware and in the Public Cloud through the cloud Web Application Firewall service; policy can be built from 3rd party DAST)
L7 Protection: geolocation attacks, DDoS, SQL injection, OWASP Top Ten attacks, zero-day threats, AJAX applications, JSON payloads
Leverage proven security efficacy: protect against critical web attacks with an enterprise-grade service built on BIG-IP ASM.
Reduce operating costs: rapidly deploy WAF protections and drive operational and cost efficiencies by outsourcing WAF policy management to F5 security experts.
Protect web apps, anywhere: protect web apps, no matter where they reside, with consistent policies across hybrid environments in conjunction with BIG-IP deployments.
Customer Portal: Visibility & Compliance, Attack Reports
• Securely communicate with Silverline SOC experts
• View centralized attack and threat monitoring reports with details including:
  • source geo-IP mapping
  • blocked vs. alerted attacks
  • blocked traffic and attack types
  • alerted attack types
  • Threats*
  • bandwidth used
  • hits/sec*
  • type of traffic and visits (bots v. humans)*
Identity and Access
(figure: F5 Silverline Cloud-Based Services; SSL Orchestrator (SSLi) or LTM in front of Traffic Inspection, behind a Firewall, SSL Orchestrator or LTM)
BIG-IP Access Policy Manager (APM)
• Visual Policy Editor
(figure: employees authenticate through APM, with network enforcement applied on authentication success or failure before reaching the Cloud)
DDOS
DDoS Protection
(figure: F5 Silverline Cloud-Based Services and Office365; BIG-IP on premises, BIG-IP on AWS with portability, and Azure federation)
DDoS Hybrid Defender (L3-7)
• DC/Inbound FW
• Firewall Rules
• SIP DDoS
• DNS Firewall
• HTTP Protocol
• On Premise DDoS
• L3/4 DDoS
• HW Acceleration
• Over 130 signatures
• Cloud DDoS
• Silverline DDoS
• PCI Compliant
• SOC Visibility
• All F5 Hybrid
DNS (GTM)
• Availability
• GSLB
• Intelligent DNS Resolution
• Geolocation
• DNS and Security
• DNS Express
• DNS Cache
• DNS Visibility
• DNSSEC
• DNS64/NAT64
• Hybrid Cloud
• Dynamically drive use
APM
• Remote Access
• SSLVPN
• Two Factor Auth
• Endpoint Protection
• Visual Policy Editor
• VDI
• Citrix
• VMWare (PCoIP)
• MSRDP Gateway
• Authentication
• Replace auth tier
• SSO
• Federation (IdP/SP)
ASM
• WAF
• Policy Builder
• OWASP Top 10
• CSRF
• Brute Force
• L7 DoS
• Heavy URL
• Bad Bots Stopped
• Good Bots Allowed
• Managed Cloud Svc
• Silverline
• Visibility
• Policy Portability
LTM
• Availability
• LB
• Monitoring
• App Visibility
• App Traffic Mgmt
• Acceleration
• TCP Express
• Caching
• Compression
• HTTP2 GW
• Security
• DDoS/Syn Flood
• Full Proxy
• SSL Visibility
DDoS Protection
(figure: SSL Orchestrator (SSLi) or LTM in front of Traffic Inspection, behind a Firewall, SSL Orchestrator or LTM)
DNS Attacks are common
F5 DDoS Scrubbing Service (SOC locations)
– San Jose, CA US
– Ashburn, VA US
– Frankfurt, DE
– Singapore, SG
Industry-Leading Capacity
• Scrubbing capacity of over 2.0 Tbps
• Guaranteed bandwidth with Tier 1 carriers
DDoS Hybrid Defender
Comprehensive DDoS protection, tightly integrated on-premises and cloud
Streamlined Configuration
• Easy setup to work flow
• Quickly activate cloud scrubbing & security settings
• Streamlined approach to device protection and application
Silverline Always Available, Routed Mode
(figure: a volumetric DDoS attack and legitimate users both reach the DHD and the applications over the Internet)
2. Automated signal sent to Silverline portal indicating a volumetric attack.
3. Automated signal alerts Silverline SOC. Redirection plan is executed.*
4. Attack scrubbed and clean traffic sent to customer.
*If no all-clear signal is received within 5 minutes; ensures attack is sustained and appropriate for redirection.
Threat Intelligence Feed
(figure: attackers target Financial Services, E-Commerce, Subscriber and Corporate Users; the Silverline Cloud Scrubbing Service sits in front of a multiple ISP strategy (ISPa/b), followed by the Next-Generation Firewall, DHD, ASM, APM, AAM and LTM; Auto Signaling and Information and Policy Exchange link the on-premises devices with Silverline)
• Silverline Cloud Scrubbing Service: volumetric attacks and DDoS floods, operations center experts, L3-7 known signature attacks
• Network attacks: ICMP flood, UDP flood, SYN flood
• SSL attacks: SSL renegotiation, SSL flood
• HTTP attacks: Slowloris, slow POST, recursive POST/GET
• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
Summary
F5 Solution At A Glance
(figure: a DNS query is answered with the IP address of the best performing ISP link; Link Load Balancing to the best performing ISP (ISP1/ISP2) at both the Primary DC and the Secondary DC; Web01 in the Secondary DC has the best performance)
Primary DC and Secondary DC, with iQuery exchanging statistic information between them; incoming SSL and unencrypted traffic, bots and users on the left, clean traffic and scanning on the right. The second rendering of the figure labels the blocks with the BIG-IP modules involved: GTM, LTM; AFM, LTM; AFM, SWG, APM; APM, LTM, ASM; LTM, ASM, AAM.
Intelligent Global Traffic Mgmt. (VE Edition)
- DNS Services
- Capacity Bursting
Security
- DNS Security
- DNS DDoS
Layer3 to Layer4 Security
- Application Centric Firewall
- L3 – L4 DDoS
Outgoing
- SSL Decryption
- Forward Proxy
- User Based Content Filtering
- Bandwidth Control
Scanning / Performance
- APT Solution
- Anti Virus Solution
- IPS Solution
Intelligent Local Traffic Mgmt. / WebTier
- Load Balancing
- Health Monitoring
- iApps
- SSL Offloading
- Traffic Steering
- Compression
- RAM Caching
- TCP Optimization
- Web Acceleration
Identity and Access
- Single Sign on
- SSL VPN
Layer7 Security
- Web Application Firewall
- L7 DDoS
DB Traffics
- Traffic Management DB