
Digital Government

Challenges faced by citizens

“Why do I have to queue at the counter to renew my license?”
“I need to seek support for my family but I don’t know how to start.”
“I have submitted my application a month ago but I have not received any response.”
“I am trying to start a business. Why do I have to deal with so many agencies?”

Oracle Confidential – Internal/Restricted/Highly Restricted 2


Citizen expectations are changing



“Digital Government refers to the use of digital
technologies, as an integrated part of governments’
modernization strategies, to create public value.”

Organization for Economic Co-operation and Development

SMACI: Social, Mobile, Analytic, Cloud and IoT enable Digital Government

• Social: News, Policies & Events
• Mobile: Mobile First
• Analytics: Service Efficiency
• Cloud: On Demand, Elasticity and Innovation
• IoT: Devices, Context
Digital Government Strategy

• Information centric
• Customer centric
• Smart Platform
• Security and Trust

• Provide digital government information and services to citizens, business and government workers anywhere, anytime, on any device
• Leverage IoT to deliver innovative, efficient and effective services
• Transition into a Digital Economy with paper-less processes, a cashless society and a national e-ID system for secure access



Digital Government Journey

“Digital government is not an end goal, but a means to accomplish affordable and sustainable government services.”

Andrea Di Maio, Gartner VP



Agenda

© F5 Networks, Inc 8
Dynamic Data Center Services
The Notion of Application Services

An application control plane sits between the data center and its applications and delivers three classes of application services:
• Availability: reliability and availability
• Performance: enhance application performance
• Security: harden the entire app stack
Dynamic Data Center Services

Dynamic DC Application Delivery
• Optimized Application Delivery
• Dynamic DC Balancing
• Acceleration

Dynamic DC Security
• Centralized SSL
• Data Center Layers Security
• Emerging Threat Defense

Identity & Access Management
• Unified Access
• IPv6 Gateway
• Automation
Why Active-Active Data Centers?
Challenge of the Traditional Active-DR Design

Active – DR Sites Architecture: a Primary Site and a DR Site connected by an Inter-DC Network, with branch offices reaching the active DC over the Internet.

The challenges of the Active-Standby (DR) architecture:
▪ Failing over the entire site/DC involves complex decision-making, which results in a longer critical service outage (RTO generally more than 4 hours)
▪ Complicated failover procedures require a large amount of manpower from different IT teams; the failover process easily goes wrong, resulting in longer service interruption
▪ Production workload is concentrated on the Primary DC; the DR's resources sit idle and do not share the workload with the Primary DC
Why Active-Active Data Centers?
6 Key Benefits for Active-Active DC Solution:
• #1: Progress from mere Disaster Recovery to Active-Active DC
• #2: Reduces TCO & Long-term OpEx
• #3: Improved End User Experience
• #4: Intelligent Global Traffic Management
• #5: Eases the Transition to IPV6
• #6: DNS Protection and Performance

#1 DC/DR Reliability Issue
Active-Passive Setup: Active Data Center (PRIMARY, DC) and Passive Data Center (SECONDARY, DR) behind the Internet

- Customers usually implement their DR at 50% capacity of the DC
- If 10 x active servers are required in the DC, an additional 5 x passive servers are required in the DR
- In the event of a DC failover, only half the capacity (5 x servers) is available from the DR
- Because the DR is NOT always on, the DR might not work when it is activated. We have seen this reliability issue in a number of customers.
IBM Confidential 3/21/2017 23


#2 AADC Lower TCO and Better Reliability
Active-Active Setup: Data Center #1 (PRIMARY) and Data Center #2 (SECONDARY), each with an LTM and a GTM; the two GTMs form a Sync Group

- With Active-Active DC, a total of 10 servers are required => savings of 5 x servers and the associated SW licenses
- In the event of failure in 1 x DC, there is still half the capacity of 5 x servers
- Because the secondary Data Center is always on, there is better reliability in the event of failover
- Enhanced user experience and application performance


#2 AADC Lower TCO and Better Reliability
Active-Active Setup (continued)

- Reduce service interruption time when a disaster happens
- Target to improve from the current 4 hours RTO gradually towards zero downtime
- Simplify procedures and the need for human intervention when failover happens
- Reduce the mobilization of manpower through automated mechanisms and reduce detection errors
- Improve resource allocation and utilization through elasticity
- Proper use of remote resources; workload can be configured across the dual elastic data centers
- Planned routine system maintenance and operation services are not interrupted
- Planned system firmware and software updates will not affect the external service, up to 7 * 24 uninterrupted operation
#3 Improved End User Experience
By monitoring application health and steering users to the best DC/Server

• Direct users to available datacenters based on LTM/GTM application/data metrics
• GTM utilizes LTM for granular application health monitoring (L2-L7)
• Auto-configuration / population of LTM virtual servers into the GTM config
• LTM iRules capabilities applied to GTM DNS listeners for manipulating DNS queries

How the two data centers cooperate (Data Center #1 PRIMARY and Data Center #2 SECONDARY, each with an LTM and a GTM in one Sync Group):
• The appropriate response is dictated by business logic – possibly based on geography, response time, or capacity – and the LTM's knowledge of the application's availability.
• User requests can go to any of the GTMs in the sync group, which act as one logical unit answering identically.
• In the event of an outage notification from the LTM, the GTM sends the traffic to an available datacenter. When notified by the LTM that availability is restored, traffic will once again be directed to that datacenter.
#4 Intelligent Global Traffic Management
Geo-Location and User Persistence

BIG-IP GTM with an IP geolocation database, one BIG-IP GTM per zone (Zone #1, Zone #2, Zone #3); example: a roaming Indonesia user with a persistent session
• Ensures high availability at all times
• Improves user experience when accessing from different locations with a persistent session, e.g. VDI
#5 Eases Migration to IPv6
NAT64, DNS64

Datacenter with IPv4 servers; BIG-IP GTM provides dual IPv4 & IPv6 DNS, NAT64 and NAT44 in front of dual-stack (IPv4 and IPv6) clients
• Combined NAT64 and DNS64 provide automatic translation
• Eases evolution and bridges the gap between IPv6/IPv4
#6 DNS Protection and Performance

Conventional DNS Thinking (External Firewall, DNS Load Balancing, Array of DNS Servers, Internal Firewall and Hidden Master DNS across DMZ and Datacenter):
• Adding performance = more DNS boxes
• Weak DoS/DDoS Protection
• Firewall is THE bottleneck

F5 Paradigm Shift: F5 DNS Delivery Reimagined
BIG-IP Global Traffic Manager in front of the Master DNS Infrastructure provides: DNS Firewall, DNS DDoS Protection, Protocol Validation, Authoritative DNS, Caching Resolver, Transparent Caching, High Performance DNSSEC, DNSSEC Validation, Intelligent GSLB
• Massive performance over 10M RPS!
• Best DoS / DDoS Protection
• Simplified management
• Less CAPEX and OPEX
F5 Active-Active DC Solutions
F5 Active-Active DC Solution Overview
• Primary components – Continuous Application Delivery
• LTM (Local Traffic Manager)
• DNS aka GTM (Global Traffic Manager)
• Application Optimisations, Security and Identity & Access Management
• AAM (Application Acceleration Manager): Users/Internet traffic web acceleration
• ASM (Application Security Manager) / AFM (Advanced Firewall Manager): Network & web application security, multi-layered DDoS mitigation
• APM (Access Policy Manager): Authentication & Authorization, Single sign-on, SSL VPN, VDI Proxy

Architecture: Desktop, Tablet and Smartphone clients reach the Internet; GTMs provide Global Server Load Balancing (GSLB); LTM/APM/AFM/ASM in Data Center #1 (PRIMARY) and Data Center #2 (SECONDARY), joined by an Inter-DC Link, provide Identity & Access Management, Network/Application Security and Local Traffic Load Balance / Management.
Availability
The role of LTM

LTM does the “heavy lifting”
• Monitoring and gathering of health statistics and performance metrics for the following:
  • ISP connections (transparent monitoring)
  • Load balanced servers
  • Internal Firewall links (transparent monitoring)
• Application delivery services for:
  • Inbound traffic / load balancing to servers
  • Inbound load balancing across firewalls
  • Outbound load balancing across ISP connections
• As well as:
  • SSL Termination and SSL acceleration
  • Session Persistence
  • Caching, compression
The role of GTM
GTMs “direct the show”
• GTMs gather metrics from:
  • Local DNS resolvers (LDNS) – path metrics etc.
  • LTMs at any data centre
• An internal algorithm determines which GTMs are responsible for which LTMs
• If a GTM fails, another GTM automatically takes over its metric gathering duties
• GTMs share gathered metrics/statistics with each other.

(Topology: LDNS resolvers on the Internet query the GTMs; each of Data Center #1 PRIMARY and Data Center #2 SECONDARY has an LTM and a GTM, the GTMs forming a Sync Group.)
Generic Implementation Process
1. Install a GTM at each data center.
2. Configure the GTMs to talk to the LTMs.
3. If necessary, migrate all BIND/DNS zone files to the GTMs.
4. Test to make sure the GTMs:
  1. Load balance correctly
  2. Persist correctly
  3. Resolve correctly
5. All can be done without affecting production ☺
Generic Implementation Process
• Once the GTMs are fully tested, there are two ways to migrate to production:
1. Migrate: re-register the top level domain with the GTMs as authoritative
2. Delegate: modify the authoritative DNS server to delegate authority to the GTMs
GSLB and Delegation Mode

Resolution of http://www.company.com by the user's LDNS, step by step (the company.com zone stays on the existing DNS server; only the gtm.company.com subzone is delegated to the GTM in the Data Center):
1. LDNS to the Root DNS Server: “Is there a record for www.company.com?” Answer: “Go ask .com”.
2. LDNS to the .com DNS Server: “Is there a record for www.company.com?” Answer: “Go ask company.com”.
3. LDNS to the company.com DNS Server: “Is there a record for www.company.com?” Answer: a CNAME to www.gtm.company.com.
4. LDNS repeats the chain for www.gtm.company.com (Root: “Go ask .com”; .com: “Go ask company.com”), and the company.com DNS Server hands the query to the delegated GTM at www.gtm.company.com in the Data Center.
5. The GTM answers for www.gtm.company.com with the address of the best available data center: one of the two data center addresses (72.68.171.103) is marked down (X), so the GTM answers 66.163.171.129.
6. The LDNS returns 66.163.171.129 and the client connects to http://www.company.com at that address.
BIG-IP DNS Authoritative Screen

1. The LDNS sends a DNS query (e.g. for www.gtm.company.com, company.com or www.subzone.company.com).
2. The DNS Listener on the BIG-IP in the Data Center receives all DNS requests.
3. If GTM is enabled, check the GTM Wide IPs and, if matched, resolve to the best IP.
4. If DNS Express is enabled, check against the DNS Express zones and then local BIND.
5. Else, forward the query to the external DNS servers (e.g. the company.com DNS Server).
6. The resolved DNS request is returned to the LDNS.
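The delegation-mode walk-through and the listener's order of checks above, simulated end to end as an added example (constructed, not F5 code): the company.com zone returns the CNAME and delegates the gtm.company.com subzone, and the GTM stand-in answers from its Wide IP table using the availability each LTM reports, then DNS Express, else a forwarder. The "lowest response time" selection rule, the response-time figures, the DNS Express record and the forwarder address are assumptions; the two data center addresses are the ones on the slides.

```python
"""Delegation-mode GSLB walk-through (constructed example, not F5 code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class DataCenter:
    """Availability and path metric as the LTM in that DC reports it (constructed)."""
    name: str
    ip: str
    available: bool = True
    response_ms: int = 0


class GtmListener:
    """Models the BIG-IP DNS listener's order of checks (assumed simplification)."""

    def __init__(self, wide_ips: Dict[str, List[DataCenter]],
                 express_zones: Dict[str, str],
                 forwarder: Callable[[str], Optional[str]]):
        self.wide_ips = wide_ips            # Wide IP name -> candidate DCs
        self.express_zones = express_zones  # in-memory authoritative records
        self.forwarder = forwarder          # external DNS servers, last resort

    def resolve(self, name: str) -> Tuple[Optional[str], str]:
        """Return (address or None, which stage answered)."""
        if name in self.wide_ips:                        # 1. GTM Wide IP
            pool = [dc for dc in self.wide_ips[name] if dc.available]
            if not pool:                                 # never hand out a down DC
                return None, "wideip:no-available-dc"
            # Business logic here is "lowest response time" (assumption);
            # the slides also name geography and capacity as criteria.
            best = min(pool, key=lambda dc: dc.response_ms)
            return best.ip, f"wideip:{best.name}"
        if name in self.express_zones:                   # 2. DNS Express / local BIND
            return self.express_zones[name], "dns-express"
        return self.forwarder(name), "forwarded"         # 3. external DNS servers


# Constructed records held by the existing company.com DNS server.
COMPANY_ZONE = {
    "www.company.com": ("CNAME", "www.gtm.company.com"),
    "gtm.company.com": ("NS", "gtm"),   # subzone delegated to the GTM listener
}


def ldns_lookup(qname: str, gtm: GtmListener) -> Tuple[Optional[str], List[str]]:
    """Mimic the LDNS: follow CNAMEs at company.com, then query the delegated GTM."""
    trail, name = [], qname
    for _ in range(4):                         # bounded so a CNAME loop cannot spin
        rtype, rdata = COMPANY_ZONE.get(name, (None, None))
        if rtype == "CNAME":
            trail.append(f"{name} CNAME {rdata}")
            name = rdata
            continue
        if name.endswith(".gtm.company.com"):  # inside the delegated subzone
            ip, stage = gtm.resolve(name)
            trail.append(f"{name} A {ip} via {stage}")
            return ip, trail
        trail.append(f"{name}: not in company.com and not delegated")
        return None, trail
    return None, trail + ["CNAME chain too long"]


def build_gtm(dc2_available: bool = True) -> GtmListener:
    """Two data centers with the addresses from the slides; DC2 can be marked down."""
    dc1 = DataCenter("DC1", "66.163.171.129", True, response_ms=40)
    dc2 = DataCenter("DC2", "72.68.171.103", dc2_available, response_ms=25)
    return GtmListener(
        wide_ips={"www.gtm.company.com": [dc1, dc2]},
        express_zones={"www.subzone.company.com": "192.0.2.10"},   # constructed
        forwarder=lambda n: "198.51.100.1" if n == "mail.example.net" else None,
    )


if __name__ == "__main__":
    for dc2_up in (True, False):
        ip, trail = ldns_lookup("www.company.com", build_gtm(dc2_up))
        print(f"DC2 {'up' if dc2_up else 'DOWN'} -> {ip}")
        for hop in trail:
            print("   ", hop)
```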
High-performance ADNS service
F5 DNS Express
• High-speed response and DDoS protection with in-memory DNS
• Authoritative DNS serving out of RAM
• Configuration size for tens of millions of records
• Scale and consolidate DNS servers

(BIG-IP with DNS Express answers DNS queries from devices and the Internet; the DNS records are managed on the existing DNS servers (OS, Auth, Dynamic DNS, NIC, DHCP, admin roles) and transferred into DNS Express.)
Complete load balancing solutions across multiple DCs
Intelligently steer connections to the “best” data center

• DNS zone transfer makes the GTM the authoritative responder for the domain (queried by the Local DNS at the user's ISP)
• Each GTM probes its local resources (ISP 1, ISP 2, Web Tier, App Tier)
• The GTMs (GTM + DNS) in the Primary Data Center and Secondary Data Center share resource state and local DNS metrics
Acceleration
Accelerating the Inter-DC Network (Inter-DC Traffic and User Traffic)

Compression and deduplication
• Reduce amount of data transmitted
• Improve network throughput and response
• Increase bandwidth efficiency

Protocol optimization
• Tune TCP and HTTP parameters to adapt to changing network conditions

Loss correction
• Correct for high-loss networks to decrease transmission time and improve user experience
The Application Delivery Universe

Application Users: out of your control; expect always on, always fast, everywhere
Network: works pretty well, most of the time
Applications: “chatty”, latency sensitive, not optimized, proprietary

Fix the users? Fix the carrier? Fix the network? Fix the apps?
Three Simple Steps to a Faster Web Application

Between Application Users and Applications: Network (TCP), L7 tools (HTTP 2.0), High Performance Services Fabric
TCP Optimization

Diverse client characteristics on one side, the F5 Advanced TCP Stack in the middle, an optimized server connection on the other side
HTTP 2.0 Gateway

HTTP is inefficient and sensitive to latency

F5 as HTTP 2.0 Gateway: HTTP 2.0 on the client side, HTTP on the server side
• Reduced TCP connections
• Multiplexed content streams
• Compressed Headers (HTTP Header compression)
How HTTP/2 reduces latency
HTTP/2 breaks up requests and responses into frames. These frames can be sent interleaved.

HTTP/1.1: the browser sends a request, waits, and the server sends a response, serialized over time.
HTTP/2: the browser sends request frames and the server sends response frames, interleaved.

Think about ~80 requests per page
Unsolicited PUSH

F5 as HTTP/2 Gateway
Clients speak HTTP/2 to the F5; the F5 speaks HTTP/1.1 to Application 1, Application 2 and Application 3
L7 Acceleration (L7 tools for HTTP)
• Cache more content on browser
• Make fewer backend requests
• Optimize backend connections
• Compress HTTP objects
• Send less data
Intelligent Browser Referencing

Initial request (Cache, Compression): the server sends No Cache Expire or a very short expire; WebAccelerator applies the policy-defined cache expiration & promotes the object as a candidate for IBR
Subsequent client requests (Cache): apply the IBR cache expiration
Repeat visits: retrieve from browser cache

Solution: WebAccelerator enables browser re-use of cacheable contents
• No client to download
• No changes to browser
HTTP Compression
• HTTP compression is a commonly-used feature among web browsers and web servers
• Use HTTP compression to:
  • Help clients get data more quickly
  • Reduce bandwidth
  • Encrypt less data
• What can be compressed
  • Text – HTML, JS, CSS
• What can’t be compressed
  • PDFs, images, video
Mobile Acceleration: Image Optimization

Before (all headers): 135 KB, QUALITY: 90, SIZE: 102. The image carries dozens of metadata headers (location, camera make/model, serial number, lens, firmware, exposure settings, dates, software, unique ID, thumbnail, etc.). SOURCE: HTTP Archive (http://www.httparchive.org)

After (all headers): 102 KB, QUALITY: 70, SIZE: 50. Remaining headers: Location, File Date, File Size, JPEG Quality, Dimensions, Unique ID

For mobile and remote users:
• Reduce file size of image by 20-40%
• Reduce quality, remove extraneous metadata, convert format (GIF -> PNG)
• Converts to better optimized image formats
• Maintain privacy
Accelerate Your Application Up to 5x

Security

A Hybrid Security platform that provides a full proxy architecture to address the L3-L7 security gap holistically.

FULL PROXY
Full Proxy Architecture is inherently more secure: the outside (“untrusted”) HTTP/SSL connection terminates on the security device and a separate inside (“trusted”) HTTP/SSL connection is made, creating a digital air gap.
© 2016 F5 Networks
Local Traffic Manager (LTM)
Proxy – BIG-IP TMOS – Full Proxy/Connection Mgmt – Proxy

LTM
• Availability: LB, Monitoring, App Visibility, App Traffic Mgmt
• Acceleration: TCP Express, Caching, Compression, HTTP2 GW
• Security: DDoS/Syn Flood, Full Proxy, SSL Visibility
DRIVING CHANGE: ENCRYPTED TRAFFIC

Drivers:
• Increased customer awareness (PFS, Heartbleed)
• Insider threat (Snowden)
• New regulatory and compliance requirements
• Evolving cryptography and new standards
• Everything is connected

Encrypted traffic share: 50% today, 80% by 2020; 30% annual growth (source: Netcraft)

Blind spots:
• Malware uses encrypted channels to evade detection
• Visibility is reduced due to the growth of SSL usage
• Performance for decryption is a significant undertaking

Performance impact of enabling SSL inspection (Source: NSS Labs and vendor data):
• Palo Alto PA-5020 Next-Gen Firewall: 79% performance impact
• SourceFire SSL2000 Next-Gen IPS: 75% performance impact
• FireEye Threat Defense: no SSL support (100%)

Enabling SSL on a firewall or an IPS can reduce the overall performance of the appliance, often by more than 80%
SSL visibility architecture: Perimeter Services (SSL Decryption + Traffic Steering on a BIG-IP System) feed Inspection Services (Security Services: IPS, DLP, SWG, any security device; Policy Enforcement; Scale-Out for Growth; Defense-in-Depth), which feed Application Services (SSL Encryption + Load Balancing on a BIG-IP System) in front of the Resources (Apps). Traffic from legitimate users and malicious attackers alike passes through the same path.

SSL visibility provides:
• Malware protection
• Corporate compliance
• Productivity monitoring
• Intellectual property protection
• Customer experience enhancement
• Decreased cost and complexity of content security functions
• Purpose built platforms: i2800, i5800, i10800; Elliptical Curve in HW; other stuff
Application Security Manager (ASM)
F5 Silverline Cloud-Based Services
Proxy – BIG-IP TMOS – Full Proxy/Connection Mgmt – Proxy

ASM
• WAF, Policy Builder, OWASP Top 10, CSRF, Brute Force, PCI Compliance, L7 DoS, Heavy URL, Bad Bots Stopped, Good Bots Allowed
• Managed Cloud Svc: Silverline, Visibility, Policy Portability

LTM
• Availability: LB, Monitoring, App Visibility, App Traffic Mgmt
• Acceleration: TCP Express, Caching, Compression, HTTP2 GW
• Security: DDoS/Syn Flood, Full Proxy, SSL Visibility

Deployment: SSLi Orchestrator or LTM – Traffic Inspection Firewall – SSLi Orchestrator or LTM
Application Security Not Addressed by Traditional Firewalls
BIG-IP ASM delivers comprehensive protection against critical web attacks:
• CSRF
• OWASP top 10
• Forceful browsing
• Web scraping
• SQL injection
• Field manipulation
• Cross-site scripting
• Command injection
• Bots
• Cookie manipulation
• Brute force attacks
• Buffer overflows
• Parameter tampering
• Information leakage
• Session hijacking
• Zero-day attacks
• Malformed headers
• Business logic flaws
BIG-IP ASM Learning Mode
Dynamic Web Application Firewall

1. Request made (from devices, source 1.2.3.4)
2. ASM security policy learns from the request
3. Request load-balanced to a server in the Data Center (physical, hypervisor/virtual, or private/public cloud) on the BIG-IP Platform
4. Application responds
5. ASM security policy learns from the response
6. Response delivered

What the policy learns:
• URLs: /images/banner.jpg, /images/logo.gif, /css/default.css, /app/app.php, /index.html
• File Types: the same set of paths, classified by type
• Parameters: /app/app.php?name=value, /app/app.php?a=1&b=2, /app/app.php?user=bloggsj, /app/app.php?browser=safari
• Cookies: Cookie: name=value; Cookie: JSESSIONID=1A5306372...; Cookie: price=399;total=1399
BIG-IP ASM Blocking Mode
Dynamic Web Application Firewall

1. Request made (from devices, source 1.2.3.4)
2. BIG-IP ASM security policy checked
3. Malicious request detected: request blocked; otherwise the request is load-balanced to a server in the Data Center (physical, hypervisor/virtual, or private/public cloud)
4. Vulnerable application responds
5. DLP scrubbing & application cloaking
6. Secure response delivered

• Protection from DoS/DDoS attacks and web application security risks
• Enforce positive and/or negative security policies, protocol compliance
• DataGuard data-scrubbing/DLP/compliance
• Vulnerability assessment service integration
• IP Intelligence malicious client classification and blocking
• Application logging and reporting
Detailed Logging, Actionable Compliance Reports
Drill-down to URLs or Attack Categories At-A-Glance PCI Compliance Reports

Hybrid Architecture
Protect web applications and data from layer 7 attacks, and enable compliance, such as PCI DSS, with the Silverline Web Application Firewall service, which is built on BIG-IP Application Security Manager and backed by 24x7x365 support from F5 experts.

F5 Silverline Web Application Firewall Services sit in the Cloud between legitimate users / attackers and web apps hosted in a private cloud, on physical infrastructure, or in a public cloud; VA/DAST scans feed the policy (policy can be built from 3rd-party DAST).

L7 Protection: geolocation attacks, DDoS, SQL injection, OWASP Top Ten attacks, zero-day threats, AJAX applications, JSON payloads

• Leverage proven security efficacy: protect against critical web attacks with an enterprise-grade service built on BIG-IP ASM
• Reduce operating costs: rapidly deploy WAF protections and drive operational and cost efficiencies by outsourcing WAF policy management to F5 security experts
• Protect web apps, anywhere: protect web apps, no matter where they reside, with consistent policies across hybrid environments in conjunction with BIG-IP deployments

Customer Portal (Visibility & Compliance, Attack Reports):
• Securely communicate with Silverline SOC experts
• View centralized attack and threat monitoring reports with details including:
  • source geo-IP mapping
  • blocked vs. alerted attacks
  • blocked traffic and attack types
  • alerted attack types
  • Threats*
  • bandwidth used
  • hits/sec*
  • type of traffic and visits (bots v. humans)*
Identity and Access
F5 Silverline Cloud-Based Services
Proxy – BIG-IP TMOS – Full Proxy/Connection Mgmt – Proxy

APM
• Remote Access: SSLVPN, Two Factor Auth, Endpoint Protection, Visual Policy Editor
• VDI: Citrix, VMWare (PCoIP), MSRDP Gateway
• Authentication: Replace AuthN tier, SSO, Federation (IdP/SP)

ASM
• WAF, Policy Builder, OWASP Top 10, CSRF, Brute Force, L7 DoS, Heavy URL, Bad Bots Stopped, Good Bots Allowed
• Managed Cloud Svc: Silverline, Visibility, Policy Portability

LTM
• Availability: LB, Monitoring, App Visibility, App Traffic Mgmt
• Acceleration: TCP Express, Caching, Compression, HTTP2 GW
• Security: DDoS/Syn Flood, Full Proxy, SSL Visibility

Deployment: SSLi Orchestrator or LTM – Traffic Inspection Firewall – SSLi Orchestrator or LTM
BIG-IP Access Policy Manager (APM)
Identify, authenticate, and control user access to applications and the network

• Centralized access policy enforcement
• Single Sign-On (SSO) user authentication
• L3-7 access controls
• Robust client device support
• Advanced client endpoint security
• Visual Policy Editor

(Employees, contractors and customers on their devices are authenticated against the Auth Directory by the BIG-IP Platform; on authentication success the user is accepted and reaches the applications, VDI, hypervisor or cloud, on failure the user is rejected.)
DDoS
DDoS Protection
F5 Silverline Cloud-Based Services; BIG-IP on AWS (portability), BIG-IP on Azure, Office365 (federation)
Proxy – BIG-IP TMOS – Full Proxy/Connection Mgmt – Proxy

AFM (DDoS Hybrid Defender, L3-7)
• DC/Inbound FW, Firewall Rules, SIP DDoS, DNS Firewall, HTTP Protocol
• On Premise DDoS: L3/4 DDoS, HW Acceleration, Over 130 signatures
• Cloud DDoS: Silverline DDoS, PCI Compliant, SOC Visibility, All F5 Hybrid DDoS Protection

DNS
• Availability, GSLB, Intelligent DNS Resolution, Geolocation
• DNS and Security: DNS Express, DNS Cache, DNS Visibility, DNSSEC, DNS64/NAT64
• Hybrid Cloud: Dynamically drive use

APM
• Remote Access: SSLVPN, Two Factor Auth, Endpoint Protection, Visual Policy Editor
• VDI: Citrix, VMWare (PCoIP), MSRDP Gateway
• Authentication: Replace auth tier, SSO, Federation (IdP/SP)

ASM
• WAF, Policy Builder, OWASP Top 10, CSRF, Brute Force, L7 DoS, Heavy URL, Bad Bots Stopped, Good Bots Allowed
• Managed Cloud Svc: Silverline, Visibility, Policy Portability

LTM
• Availability: LB, Monitoring, App Visibility, App Traffic Mgmt
• Acceleration: TCP Express, Caching, Compression, HTTP2 GW
• Security: DDoS/Syn Flood, Full Proxy, SSL Visibility

Deployment: SSLi Orchestrator or LTM – Traffic Inspection Firewall – SSLi Orchestrator or LTM
DNS Attacks are common



A hybrid security platform that provides a full proxy architecture to completely fill the L3-L7 security gap.

Silverline DDoS Protection Solution

F5 DDoS Scrubbing Service with SOC
– San Jose, CA US
– Ashburn, VA US
– Frankfurt, DE
– Singapore, SG
Industry-Leading Capacity
• Scrubbing capacity of over 2.0 Tbps
• Guaranteed bandwidth with Tier 1 carriers

DDoS Hybrid Defender
Comprehensive DDoS protection, tightly integrated on-premises and cloud
• Simplified user experience
• Multi-technique DDoS protection
• Designed specifically for high performance
• Intelligently integrates cloud scrubbing

Simplified User Experience
Out of the box experience
• Quick configuration
• Deploy in minutes
• Simplified UI/UX
Reporting
• Insightful dashboard for real-time visibility
• Detailed drilldown view
• Reduce time to remediate attacks
Streamlined Configuration
• Easy setup workflow
• Quickly activate cloud scrubbing & security settings
• Streamlined approach to device protection and application
Silverline Always Available, Routed Mode: legitimate users and DDoS attackers on the Internet reach the enterprise's applications through the DDoS Hybrid Defender (DHD)
1. Volumetric DDoS attack detected by Hybrid Defender.
2. Automated signal sent to Silverline portal indicating a volumetric attack.
3. Automated signal alerts Silverline SOC. Redirection plan is executed.*
4. Attack scrubbed and clean traffic sent to customer.
5. Response traffic sent directly back to legitimate user.

*If no all-clear signal is received within 5 minutes; ensures the attack is sustained and appropriate for redirection.
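The signalling steps and the footnote's 5-minute rule above as a small state machine, added here as a constructed example (not F5 code): a short burst raises the signal to the portal and SOC but never reaches redirection, while a flood that is still running five minutes later does. The bandwidth threshold, the sample traces and the base timestamp are constructed assumptions.

```python
"""Escalation logic of the Hybrid Defender -> Silverline signalling flow (constructed)."""
from datetime import datetime, timedelta
from typing import List, Tuple

# From the slide footnote: redirect only if no all-clear arrives within 5 minutes.
SUSTAIN_WINDOW = timedelta(minutes=5)


class HybridDefenderSignaler:
    """States: clean -> signaled (portal + SOC notified) -> redirected (cloud scrubbing)."""

    def __init__(self, threshold_bps: float):
        self.threshold_bps = threshold_bps   # constructed volumetric threshold
        self.state = "clean"
        self.attack_since = None
        self.log: List[Tuple[datetime, str]] = []

    def observe(self, when: datetime, inbound_bps: float) -> str:
        """Feed one inbound-bandwidth sample and return the resulting state."""
        under_attack = inbound_bps > self.threshold_bps
        if under_attack and self.state == "clean":
            # Steps 1-3: detect, signal the portal, alert the SOC; redirection is armed.
            self.state, self.attack_since = "signaled", when
            self.log.append((when, "1-2: volumetric attack detected, signal sent to Silverline portal"))
            self.log.append((when, "3: Silverline SOC alerted, redirection pending all-clear"))
        elif under_attack and self.state == "signaled" and when - self.attack_since >= SUSTAIN_WINDOW:
            # Footnote: no all-clear within 5 minutes, so the attack is sustained.
            self.state = "redirected"
            self.log.append((when, "4: redirection executed, scrubbed clean traffic returned"))
        elif not under_attack and self.state != "clean":
            # All-clear: drop back to normal routed mode (step 5 path for legitimate users).
            self.log.append((when, f"all-clear while {self.state}; back to routed mode"))
            self.state, self.attack_since = "clean", None
        return self.state


def replay(samples: List[Tuple[int, float]], threshold_bps: float = 1e9) -> List[str]:
    """Replay constructed (minute offset, inbound bps) samples; return the state after each."""
    t0 = datetime(2017, 3, 21, 12, 0)    # arbitrary constructed base time
    signaler = HybridDefenderSignaler(threshold_bps)
    return [signaler.observe(t0 + timedelta(minutes=m), bps) for m, bps in samples]


# Constructed traces: a 3-minute burst versus a flood still running after 5 minutes.
SHORT_BURST = [(0, 5e9), (2, 5e9), (3, 1e8)]
SUSTAINED_FLOOD = [(0, 5e9), (2, 5e9), (5, 5e9), (8, 5e9), (11, 1e8)]

if __name__ == "__main__":
    print("short burst:", replay(SHORT_BURST))
    print("sustained  :", replay(SUSTAINED_FLOOD))
```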
Threat Intelligence Feed

Attack sources: scanners, anonymous proxies, anonymous requests, botnet attackers; legitimate users and corporate users share the same paths. Targets: Financial Services, E-Commerce, Subscriber.

Tier 1 (Cloud): Silverline Cloud Scrubbing Service with a multiple ISP strategy (ISPa/b), handling volumetric attacks and DDoS floods, operations center experts, L3-7 known signature attacks
Tier 2 (on-premises, behind the Next-Generation Firewall): DHD, ASM, APM, AAM, LTM as the Strategic Point of Control

Attack classes:
• Network attacks: ICMP flood, UDP flood, SYN flood
• SSL attacks: SSL renegotiation, SSL flood
• HTTP attacks: Slowloris, slow POST, recursive POST/GET
• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning

Auto Signaling; Information and Policy Exchange between the tiers
Summary
F5 Solution At A Glance

Traffic flow: a DNS query reaches the GTM; the DNS reply carries the IP address of the Secondary DC, where Web01 has the best performance; in each DC (Primary DC, Secondary DC) Link Load Balancing selects the best performing ISP (ISP1, ISP2); the two DCs exchange statistic information over iQuery across MPLS/Dark Fiber.

Intelligent Global Traffic Mgmt (GTM, LTM; VE Edition in the Secondary DC)
- DNS Services
- Capacity Bursting
Security
- DNS Security
- DNS DDoS
Layer 3 to Layer 4 Security (AFM, LTM), incoming SSL and unencrypted traffic
- Application Centric Firewall
- L3 – L4 DDoS
- SSL Decryption
Outgoing Forward Proxy (AFM, SWG, APM), clean traffic to users
- User Based Content Filtering
- Bandwidth Control
Scanning
- APT Solution
- Anti Virus Solution
- IPS Solution
Identity and Access (APM, LTM, ASM)
- Single Sign on
- SSL VPN
Layer 7 Security
- Web Application Firewall
- L7 DDoS
Intelligent Local Traffic Mgmt. (LTM, ASM, AAM)
- Load Balancing
- Health Monitoring
- iApps
- SSL Offloading
- Traffic Steering
Performance (WebTier)
- Compression
- RAM Caching
- TCP Optimization
- Web Acceleration
Client Access, SharePoint, Mail Box Servers, AppTier Servers, DB / Storage
DB Traffic
- Traffic Management


