F5 Synthesis Toronto February 2014 Roadshow
February 2014 Update on F5 Synthesis Program, delivered by Pat Fiorino in Toronto at the Hockey Hall of Fame. Prepared for IT decision-makers and administrators.


Published in: Technology


Transcript

  • 1. F5 Synthesis Information Session February, 2014
  • 2. Agenda • Welcome and Introduction to Customer Technology Challenges • Software Defined Application Services • Reference Architectures for Today’s Customer Challenges • Total Cost of Ownership and New Business Models • Multi-network Environment and Partner Ecosystem • Making it Happen with Global Services • Q&A
  • 3. Advanced threats SDDC/Cloud Mobility © F5 Networks, Inc “Software defined” everything Internet of Things HTTP is the new TCP 3
  • 4. Impact on Data Center Architecture: Applications MICRO-ARCHITECTURES Each service is isolated and requires its own: • Load balancing • Authentication / authorization • Security • Layer 7 Services • May be API-based, expanding services required API DOMINANCE API Proxies are used in emerging API-centric architectures for: • API versioning • Client-based steering • API Load balancing • Metering & billing • API key management More applications need services More intelligence needed in services [Diagram labels: API v1, API v2, Service A, Service B, Service C, Service D]
  • 5. Impact on Data Center Architecture: Network SOLUTION SPRAWL Increasing threats and client platforms result in need for: • Mobile device management • Mobile access management • Mobile security • DDoS • Application layer threats • Malware OPERATIONAL INCONSISTENCY Introduction of off-premise cloud solutions without architectural parity results in: • Inconsistent enforcement of business and operational policies • Unpredictable application performance and security • Increased OpEx as new management paradigms are introduced [Diagram label: SaaS]
  • 6. SDN Division of Labor Architect © F5 Networks, Inc Foreman Workers 6
  • 7. Components of SDN Controller SDN Applications / Mgmt “I manage switches, and tell them how to connect to each other” “I can use feedback to make adjustments to the blueprint as I see fit” “I take orders, and route packets accordingly” “I also collect and manage state, and can report back to the architect.” “I define the blueprint for what the network should look like to achieve some goal” “I can also report back info to the foreman” API API Architect © F5 Networks, Inc Switches Foreman (REST, OpenFlow) Workers 7
  • 8. Core Benefits • Automation & orchestration • Repeatability, speed • Less risk (avoid human error) • Reduced operating cost • Compliance • Agility • Faster app lifecycles and transient usage (dev/test) • Security • Network isolation • Resource Utilization • Dynamic allocation of resources © F5 Networks, Inc 8
  • 9. Who are the Players? SDN Applications / Mgmt Controller • VMware NSX • VMware NSX • Cisco/Insieme Switches • Cisco Nexus 9300/9500 • Cisco/Insieme APIC • NSX vSwitch (OVS) • OpenStack • Arista • Smaller Startups • Smaller Startups Anunta Networks • BigSwitch • PlumGRID Controller • Smaller Startups / Whitebox Architect © F5 Networks, Inc Foreman • Pluribus • • PlumGRID Workers 9
  • 10. Application SDN: L4-7 • L2-3 is just “plumbing” • Dynamic L2-3 == easy, generally solved • Dynamic L4-7: Application SDN • Fundamentally harder! • No good solution today
  • 11. Deliver the most secure, fast, and reliable applications to anyone anywhere at any time. © F5 Networks, Inc 11
  • 12. Driving Efficiency into Application Development Agile Development & Development & Operation (DevOps) • In the past 5 years we’ve seen the push to Agile Development. • Focused on speed and customer-driven application solutions. • Drove more efficient application development • Agile wasn’t focused on rapid deployment of those applications • This gap was closed by many by either deploying their applications on the cloud and/or evolving their development and IT organizations with the creation of DevOps • DevOps describes what has also been called “agile system administration” or “agile operations” joined together with the values of agile collaboration between development and operations staff. • The goal of DevOps was simply to get applications deployed quicker. [Diagram label: code release]
  • 13. Application Environment Agile Development Speed, customer-driven, and quality of app development Rapid deployment – network and operations velocity
  • 14. Application Environment Agile Development Cloud and DevOps Speed, customer-driven, and quality of app development Accelerate time to market Rapid deployment – network and operations velocity Cloud SLA, security and control private network agility
  • 15. Application Environment Agile Development Cloud and DevOps SDN and Private Cloud Speed, customer-driven, and quality of app development Accelerate time to market Software defined data centers Failed to Address: Rapid deployment – network and operations velocity Cloud SLA and control private network agility L4–7 device sprawl and application fluency
  • 16. The Time Is Right F5 VISION Agile Development Cloud and DevOps SDN and Private Cloud Speed, customer-driven, and quality of app development Accelerate time to market Software Defined Data Centers Applications without constraints Failed to Address: Rapid deployment – network and operations velocity Cloud SLA and control private network agility L4–7 device sprawl and application fluency
  • 17. “Leave No Application Behind”
  • 18. 1000 Average number of applications deployed within an enterprise DDoS © F5 Networks, Inc WAF SSL Acceleration LTE Applications require services 18
  • 19. The selected few © F5 Networks, Inc 19
  • 20. ADC © F5 Networks, Inc ADC ADC ADC ADC ADC 20
  • 21. High-Performance Fabric BIG-IP © F5 Networks, Inc BIG-IP BIG-IP BIG-IP BIG-IP BIG-IP 21
  • 22. © F5 Networks, Inc Inc. 22
  • 23. The 4th Phase of the Evolution 4 3 2 1 © F5 Networks, Inc Inc. Software Defined Application Services Cloud Ready Broadened Application Services Application Delivery Controller 23
  • 24. Software Defined Application Services Elements High-Performance Services Fabric Simplified Business Models
  • 25. Software Defined Application Services Elements High-Performance Services Fabric
  • 26. High-Performance Services Fabric Virtual Edition Network Appliance Chassis [Physical • Overlay • SDN]
  • 27. High-Performance Services Fabric On-Demand Scaling All-Active Clustering Multi-Tenancy TMOS TMOS TMOS ScaleN Network [Physical • Overlay • SDN] TMOS
  • 28. High-Performance Services Fabric Throughput *40K when combining admin instances with vCMP Connections per second Network Concurrent connections Multi-tenant instances per device [Physical • Overlay • SDN] Device service clusters
  • 29. High-Performance Services Fabric Programmability Data Plane Virtual Edition Network Control Plane Appliance Management Plane Chassis [Physical • Overlay • SDN]
  • 30. High-Performance Services Fabric Programmability Data Plane Virtual Edition Network Control Plane Appliance Management Plane Chassis [Physical • Overlay • SDN]
  • 31. Software Defined Application Services
  • 32. Software Defined Application Services F5 Software Defined Application Services (SDAS) A rich set of services that address the delivery challenges faced by businesses today. © F5 Networks, Inc 32
  • 33. Software Defined Application Services Global Server LB Load Global Server LB CGNAT Balancing Availability Global Load Balancing Authoritative DNS Disaster Recovery Cloud Bursting Business DNS Caching & Resolving Intelligent EPC node selection © F5 Networks, Inc Continuity 33
  • 34. Software Defined Application Services Compression Traffic Management Caching Acceleration Performance Optimization Web Performance Optimization SPDY Gateway Traffic Shaping and QoS Application Optimization © F5 Networks, Inc 34
  • 35. Software Defined Application Services . SAML Federation Cloud Federation Access Control Anti-Malware Endpoint Inspection Single Sign-On SSL VPN Active Sync Proxy Secure Web Gateway Access & Identity Web Access Management © F5 Networks, Inc 35
  • 36. Software Defined Application Services Cloud Bridging MDM Service Chaining VO LTE Subscriber Traffic Control Policy Enforcement Enrichment MAM Diameter and Routing NfV VAS Bursting SDN Mobility LTE Roaming VDI Mobile Optimization Mobile © F5 Networks, Inc Quota Management Acceleration Application Traffic Control 36
  • 37. Software Defined Application Services Anti-Fraud Programmability DNS Firewall SSL Inspection Firewall Anti-Phishing SSL intelligence WAF DNSSEC ADF DDoS SSL VPN Security
  • 38. Software Defined Application Services Elements © F5 Networks, Inc 38
  • 39. Intelligent Services Orchestration Orchestration Connectors Fabric Connectors BIG-IQ Module Connectors Cloud Connectors
  • 40. Completing the SDN Stack BIG-IQ Device™ Software-Defined Data Center Application Plane NBI Control Plane Virtual Networks Data Plane SDN Controller NVGRE BIG-IQ Security™ NBI OPEN REST APIs F5 BIG-IQ VXLAN ETC… Service Chaining LAYER 2-3 LAYER 4-7 BIG-IQ Cloud™
  • 41. Centralized Management Platform BIG - IQ BIG-IP BIG-IP Data Center Hybrid Cloud Public Cloud
  • 42. Orchestration Modules BIG-IQ Platform Services BIG-IP Devices
  • 43. Application Services Modules
  • 44. Simplify License Orchestration VE License Pools • Pools available in 25-packs of Good, Better, or Best offers vSwitch vSwitch vSwitch vSwitch • BIG-IQ manages licenses for all VEs in the pool F5 licensing server Hypervisor Hypervisor Hypervisor Hypervisor • One-time license provisioning Virtual Infrastructure BIG-IQ manages licensing for all VEs in the pool. 25 Pack of VEs Benefits • Spin up a VE when it’s needed • Retire a VE and return it to the pool
  • 45. Software Defined Application Services Elements Simplified Business Models
  • 46. Simplified Business Models Perpetual BYOL Subscriptions Cloud Licensing Program
  • 47. Flexibility BIG-IP Local Traffic Manager Make it easier to adopt advanced F5 functionality Simplicity Appliance Comparison Consolidate into fewer common configurations Best Value Good | Better | Best Save when purchasing bundles BIG-IP Global Traffic Manager Application Acceleration Manager Good BIG-IP Advanced Firewall Manager Better Best VE Price Comparison SDN Service Advanced Routing BIG-IP Access Policy Manager Good BIG-IP Application Security Manager Better Bought As Bundle Best Bought As Components
  • 48. Better BIG-IP Local Traffic Manager BIG-IP Global Traffic Manager • Global server load balancing • DNS services • Real-time DNSSEC solution • Global application high availability • Geolocation • DNS DDoS attack protection BIG-IP Application Acceleration Manager • Web performance optimization • WAN optimization (data deduplication, FEC) • Mobile optimization (smart client cache, image optimization) • SaaS acceleration (reduce bandwidth usage & page load times) BIG-IP Advanced Firewall Manager • High-performance ICSA firewall • Network DDoS protection • Application-centric firewall policies • Protocol anomaly detection Key Benefits • Protect and optimize the data center • Optimize application delivery • Ensure optimal application availability and performance • Future-proof the business • Leverage the power of integrated SDN services
  • 49. Best BIG-IP Local Traffic Manager BIG-IP Global Traffic Manager BIG-IP Application Acceleration Manager BIG-IP Advanced Firewall Manager BIG-IP Application Security Manager • PCI Compliant Web Application Firewall • Web scraping prevention • Integrated XML firewall • Violation correlation & incident grouping • Application DDoS protection BIG-IP Access Policy Manager • 500 concurrent users, scalable up to 200K • BYOD enablement • Full Proxy for VDI (Citrix, VMware) • Single sign-on enhancements (Identity Federation with SAML 2.0) Key Benefits • Manage application access • Support BYOD initiatives • Accelerate remote access • Protect IP and minimize vulnerability exposure • Free development resources to create value
  • 50. Synthesis and Good/Better/Best Licensing Streamline the architecture process 1 Match Reference Architecture To Business Need 2 Choose the Licensing You Need 3 Choose the Appropriate Platform
  • 51. Reference Architectures For Today’s Customer Challenges
  • 52. Reference Architectures Device, Network, Applications S/Gi Network Simplification DDoS Protection Bill of Materials © F5 Networks, Inc Inc. Security for Service Providers LTE Roaming • • • • Application Services Intelligent DNS Scale White Paper (Business) Solution diagram(s) Architecture diagram(s) Product map diagram(s) Migration to Cloud Cloud Federation DevOps Cloud Bursting • • • • Customer Presentation Solution Animation/Video White paper (Technical) Placemat leave-behind 52
  • 53. Reference Architectures Solution Documents… © F5 Networks, Inc 53
  • 54. DDoS Protection Reference Architecture Next-Generation Firewall Tier 2 Tier 1 Network attacks: ICMP flood, UDP flood, SYN flood Multiple ISP strategy Corporate Users Financial Services SSL attacks: SSL renegotiation, SSL flood Legitimate Users E-Commerce ISPa/b DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning DDoS Attacker Cloud Scrubbing Service Network and DNS Application HTTP attacks: Slowloris, slow POST, recursive POST/GET Subscriber IPS Threat Feed Intelligence Scanner Anonymous Proxies © F5 Networks, Inc Anonymous Requests Botnet Attackers Strategic Point of Control 54
  • 55. DDoS Protection Reference Architecture TIER 1 KEY FEATURES • The first tier at the perimeter is layer 3 and 4 network firewall services • Simple load balancing to a second tier • IP reputation database • Mitigates volumetric and DNS DDoS attacks [Diagram labels: Next-Generation Firewall, Corporate Users, Legitimate Users, DDoS Attacker, Cloud Scrubbing Service, Multiple ISP strategy, ISPa/b, Tier 1, Tier 2, Network and DNS, Application, Financial Services, E-Commerce, Subscriber, IPS, Threat Feed Intelligence, Scanner, Anonymous Proxies, Anonymous Requests, Botnet Attackers, Strategic Point of Control. Network attacks: ICMP flood, UDP flood, SYN flood. SSL attacks: SSL renegotiation, SSL flood. DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning. HTTP attacks: Slowloris, slow POST, recursive POST/GET]
  • 56. DDoS Protection Reference Architecture TIER 2 KEY FEATURES • The second tier is for application-aware, CPU-intensive defense mechanisms • SSL termination • Web application firewall • Mitigate asymmetric and SSL-based DDoS attacks [Diagram labels: Next-Generation Firewall, Corporate Users, Legitimate Users, DDoS Attacker, Cloud Scrubbing Service, Multiple ISP strategy, ISPa/b, Tier 1, Tier 2, Network and DNS, Application, Financial Services, E-Commerce, Subscriber, IPS, Threat Feed Intelligence, Scanner, Anonymous Proxies, Anonymous Requests, Botnet Attackers, Strategic Point of Control. Network attacks: ICMP flood, UDP flood, SYN flood. SSL attacks: SSL renegotiation, SSL flood. DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning. HTTP attacks: Slowloris, slow POST, recursive POST/GET]
  • 57. Recommended Practices Configuration Guide (32 Page Detailed Guide…)

    2.3.2.4 Enforce Real Browsers

    Besides authentication and tps-based detection, there are additional ways that F5 devices can separate real web browsers from probable bots. The easiest way, with ASM, is to create a DoS protection profile and turn on the “Source IP-Based Client Side Integrity Defense” option. This will inject a JavaScript redirect into the client stream and verify each connection the first time that source IP address is seen.

    Figure 1. Insert a Javascript Redirect to verify a real browser

    2.3.2.5 Throttle GET Request Floods via Script

    The F5 DevCentral community has developed several powerful iRules that automatically throttle GET requests. Customers are continually refining these to keep up with current attack techniques. Here is one of the iRules that is simple enough to be represented in this document. The live version can be found at this DevCentral page: HTTP-Request-Throttle

        when RULE_INIT {
            # Maximum number of GET requests allowed per client within the window
            set static::maxRate 10
            # This defines how long is the sliding window to count the requests.
            # This example allows 10 requests in 3 seconds
            set static::windowSecs 3
            # Idle timeout (seconds) passed to "table set" for each entry
            set static::timeout 30
        }

        when HTTP_REQUEST {
            if { [HTTP::method] eq "GET" } {
                # Number of live entries in the subtable named after the client address
                set getCount [table keys -count -subtable [IP::client_addr]]
                if { $getCount < $static::maxRate } {
                    # Under the limit: record this request as a new entry that
                    # expires after the window (timeout, then lifetime)
                    incr getCount 1
                    table set -subtable [IP::client_addr] $getCount "ignore" $static::timeout $static::windowSecs
                } else {
                    # Limit reached: answer locally and stop processing the request
                    HTTP::respond 501 content "Request blockedExceeded requests/sec limit."
                    return
                }
            }
        }

    Another iRule, which is in fact descended from the above, is an advanced version that also includes a way to manage the banned IP addresses from within the iRule itself:

    • URI-Request Limiter iRule – Drops excessive HTTP requests to specific URIs or from an IP
  • 58. Technical Validation & Performance Testing UDP Flood 2x Competition ICMP Flood 10x Competition Blended Attacks 25 + new DDoS Attack Vector Control options in Hardware © F5 Networks, Inc TCP Syn-Flood 16x Competition 58
  • 59. Mapping F5 Products to Synthesis Solutions Use Reference Architectures to Implement F5 Synthesis Solutions © F5 Networks, Inc 59
  • 60. Key Customer Benefits Maintain application availability Protect network infrastructure Defend against targeted attacks Safeguard your brand reputation Stay one step ahead Save money for your company ALL BACKED BY WORLD-CLASS SUPPORT AND PROFESSIONAL SERVICES © F5 Networks, Inc 60
  • 61. TCO Study – Details Data Center Consolidation DDoS 83% Lower TCO 81% Lower TCO 85% Savings • Service Contracts 92% Savings • Space/Power/Cooling 62% Savings • Training 82% Savings • Upgrades/Patching 81% Savings • Service Contracts 94% Savings • Space/Power/Cooling 66% Savings • Training 82% Savings • Upgrades/Patching DDoS Market Study • DDoS Products and Services • $870 Million Market by 2017 • FSI Represents 23% of DDoS Market • Services Accounts for 46% of DDoS TAM • Financial Services, Gaming, and Online Retail are top verticals
  • 62. Making it Happen with Global Services
  • 63. F5 Global Services and Synthesis PRODUCT FOCUSED SERVICE LED SOLUTION DRIVEN 4 3 2 1 © F5 Networks, Inc Advanced Services Packaged Core Services APPLICATION ENABLED Architecture and Integration Consultative and Strategic • Reference Architectures • Managed Services / SOC • F5aaS • Solution Definition Workshops • Security Envisioning • Remote Services • Security • Mobility • Service Provider • Implementation • Migration • Upgrades 63
  • 64. Services to Support Reference Architecture Lifecycle IMPLEMENT ARCHITECT Solution Definition Workshop Installation and Migrations OPTIMIZE MAINTAIN Managed Services and Live Monitoring S/Gi Network Simplification DDoS © F5 Networks, Inc. Secure Mobility Proactive Assessments and Integration Security for Service Providers LTE Roaming Application Services DNS CONFIDENTIAL Cloud Migration Cloud Federation DevOps Cloud Bursting 64
  • 65. Multi-network Environment and Partner Ecosystem
  • 66. F5 Synthesis Partner Ecosystem / DevOps © F5 Networks, Inc Inc. 66
  • 67. Completing the SDN Stack BIG-IQ Device™ Software-Defined Data Center Application Plane NBI Control Plane Virtual Networks Data Plane SDN Controller NVGRE BIG-IQ Cloud™ NBI OPEN REST APIs F5 BIG-IQ VXLAN ETC… Service Chaining LAYER 2-3 BIG-IQ Security™ LAYER 4-7
  • 68. Partner Integration with Synthesis Auto-scaling, application provisioning, and automated system maintenance and patching. Two-way communication Configure application networking services Automated network and service provisioning BIG IQ Cloud F5 SDAS Service Fabric Programmability Programmability Automate network and service provisioning, F5 Platforms Hardware | Software | Cloud Integrate network virtualization and ADN services Provisioning and orchestration of BIG-IP in AWS © F5 Networks, Inc Dynamically update state of servers in load balancing pool 68
  • 69. Cisco ACI Design Philosophy
  • 70. Why Cisco/ACI matters for Customers • Cisco and F5 share a common vision for simplifying networking end to end by taking an application-centric approach to solving key pain points in customer’s next generation data centers while meeting their critical data center requirements today. • Working with Cisco on Application Centric Infrastructure, F5 has a unique opportunity to deliver on vision of shaping infrastructure to the needs of the applications. • Cisco ACI integrates F5 Big-IP appliances (physical and virtual) to deliver application-centric, ADC-enabled network automation in existing and next generation data centers
  • 71. VMware NSX and F5 joint solution Overview Any Application (without modification) Virtual Networks Any Cloud Management Platform VMware NSX Network Virtualization Platform Logical Logical Logical Load Balancer VPN Firewall Logical Load Balancer Logical L2 Logical L3 Any Hypervisor Any Network Hardware NSX integrates with F5 BIG-IQ and BIG-IPs F5 Admin defined iApps get published to NSX Manager as ADN service templates BIG-IPs VEs get automatically deployed, licensed and configured User can instantiate and consume F5 iApps from NSX UI or API Benefits Virtual IP: 172.168.1.1 Member pool: 10.0.0.1, 10.0.0.2 ADN template: Web Gold © F5 Networks, Inc Compatible with all NSX features Compatible with all F5 BIG-IQ and BIG-IP features Seamless support for virtual networks and traditional networking with VLANs Support for any CMP including vCAC Familiar workflows for all teams (in NSX , and in F5 BIG-IQ) Supports virtual and physical form factor of F5 appliances 71
  • 72. F5 + NSX: Application delivery needs for enterprise virtualized workloads in NSX environments Context Aware Network Services: • Insertion of Application, user and resource awareness in NSX environments Speed of provisioning: • Intelligent services orchestration enhances time-to-production for all the necessary infrastructure services from weeks to minutes Simplified Operations: • Meet needs for simplified operations and programmability needs for network services Application visibility and correlation: • Enhanced visibility and correlation for the application
  • 73. Benefits Drive © F5 Networks, Inc. Increase Reduce Future 73
  • 74. SDDC/Cloud
  • 75. Coming to a City Near You…. Cloud and Security Events Ask your Account Team for More Information…
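
The sliding-window GET throttle described on slide 57, modelled offline in Python as an added example (it is not F5's code and not an iRule). It assumes each allowed GET leaves one entry that expires after the window, uses the slide's limits (10 requests, 3 seconds, status 501), and replays constructed traffic from documentation-range addresses.

```python
# Added example: offline model of the per-client GET throttle from slide 57.
from collections import defaultdict, deque

MAX_RATE = 10          # static::maxRate on the slide
WINDOW_MS = 3 * 1000   # static::windowSecs on the slide, in milliseconds
BLOCK_STATUS = 501     # status the slide's iRule returns when the limit is hit


class GetThrottle:
    """Sliding-window limiter keyed by client address.

    Every allowed GET leaves an entry that lives for the window; the number
    of live entries for an address is that client's current request rate.
    """

    def __init__(self, max_rate=MAX_RATE, window_ms=WINDOW_MS):
        self.max_rate = max_rate
        self.window_ms = window_ms
        self._seen = defaultdict(deque)  # client address -> times of allowed GETs

    def check(self, client_addr, method, now_ms):
        """Return 200 if the request passes, BLOCK_STATUS if it is throttled."""
        if method != "GET":
            return 200  # the rule on the slide only counts GET requests
        window = self._seen[client_addr]
        # Drop entries whose lifetime (the window) has run out.
        while window and now_ms - window[0] >= self.window_ms:
            window.popleft()
        if len(window) < self.max_rate:
            window.append(now_ms)
            return 200
        return BLOCK_STATUS


def build_sample_requests():
    """Constructed traffic, not captured data: (time_ms, client, method)."""
    flood = [(t, "198.51.100.7", "GET") for t in range(0, 4000, 100)]    # 40 GETs at 10/s
    normal = [(t, "203.0.113.20", "GET") for t in range(0, 6000, 1000)]  # 6 GETs at 1/s
    posts = [(500, "203.0.113.50", "POST") for _ in range(15)]           # 15 POSTs at once
    return sorted(flood + normal + posts)


def replay(requests, throttle=None):
    """Run requests through the throttle in time order; count results per client."""
    if throttle is None:
        throttle = GetThrottle()
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for now_ms, client, method in requests:
        status = throttle.check(client, method, now_ms)
        stats[client]["blocked" if status == BLOCK_STATUS else "allowed"] += 1
    return dict(stats)


if __name__ == "__main__":
    for client, counts in sorted(replay(build_sample_requests()).items()):
        print(client, counts)
```

The constructed POST burst passes untouched because the rule counts only GET requests, so other methods need their own limit.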