6. Load-Balancing an Internal Web Application
[Diagram labels: VDI, APPS, FW, DNS, DDoS, GSLB, SSL OFFLOAD, IPS, WAF, AUTH PROXY, 2FA/MFA, FRAUD PREVENTION, DLP, NG-FW, SWG, WEB]
7. Mitigating web vulnerabilities & securing data in transit
[Diagram labels: VDI, APPS, FW, DNS, DDoS, GSLB, IPS, AUTH PROXY, 2FA/MFA, FRAUD PREVENTION, DLP, NG-FW, SWG, WEB, WAF, SSL OFFLOAD]
8. Protecting the Web Application from distributed attacks
[Diagram labels: VDI, APPS, DNS, GSLB, IPS, AUTH PROXY, 2FA/MFA, FRAUD PREVENTION, DLP, NG-FW, SWG, WEB, WAF, SSL OFFLOAD, FW, DDoS]
9. Adding authentication/SSO to our Web Application(s)
[Diagram labels: VDI, APPS, DNS, GSLB, IPS, FRAUD PREVENTION, DLP, NG-FW, SWG, WEB, WAF, SSL OFFLOAD, FW, DDoS, 2FA/MFA, AUTH PROXY]
FW
F5 is an ICSA Certified Firewall
NGFWs are typically outbound firewalls (browsing FB, YouTube, etc.)
F5 is not an NGFW but a DCFW – we can handle SSL & DDoS better than an NGFW can.
This is an L3/4 firewall
IAM
We integrate with AAA servers (LDAP, AD, TACACS, RADIUS, etc.)
Users are required to authenticate before they gain access to a web application
Authentication can be basic (username/password) or more advanced (multifactor auth)
F5 supports SSO (credentials can be cached & passed on to other applications – removes the need to log in multiple times)
WAF
L7 Web firewall (HTTP/HTTPS)
F5 can detect if traffic is coming from a user or bot
We issue JavaScript challenges & look for human characteristics (mouse movement, keyboard strokes, etc.)
ADC
Persistence means always sending a user to the same backend server, regardless of the load-balancing method used by the F5
Our platform is programmable, making us highly agile
SWG
We perform URL categorization (for outbound traffic) & malware protection
DNS
DNS is unintelligent
F5 DNS actively monitors backend servers to ensure they’re available
If services are unavailable, F5 DNS redirects users to DR resources without the need to update DNS records manually
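A generic sketch of the health-monitored DNS failover described above, added here as an example; it is not F5 code, and the pool addresses, the `fall` threshold, the TTL and the injected `probe` function are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class Member:
    ip: str
    fails: int = 0      # consecutive failed probes
    up: bool = True

@dataclass
class HealthAwareResolver:
    primary: List[Member]
    dr: List[Member]
    probe: Callable[[str], bool]   # assumed health check: True if the backend answers
    fall: int = 2                  # failed probes in a row before marking a member down
    ttl: int = 30                  # short TTL so clients re-resolve soon after failover
    _rr: int = 0

    def run_monitors(self) -> None:
        for m in self.primary + self.dr:
            if self.probe(m.ip):
                m.fails, m.up = 0, True
            else:
                m.fails += 1
                m.up = m.fails < self.fall   # one lost probe does not flip the answer

    def resolve(self) -> dict:
        # Prefer the primary site; answer from DR only when no primary is healthy.
        for name, pool in (("primary", self.primary), ("dr", self.dr)):
            live = [m for m in pool if m.up]
            if live:
                self._rr += 1
                return {"pool": name, "ip": live[self._rr % len(live)].ip, "ttl": self.ttl}
        return {"pool": None, "ip": None, "ttl": self.ttl}   # nothing healthy anywhere

def demo():
    down = set()   # constructed outage state; addresses are documentation ranges
    r = HealthAwareResolver(
        primary=[Member("192.0.2.10"), Member("192.0.2.11")],
        dr=[Member("198.51.100.10")],
        probe=lambda ip: ip not in down)
    r.run_monitors()
    before = r.resolve()["pool"]
    down.update({"192.0.2.10", "192.0.2.11"})
    r.run_monitors()
    flap = r.resolve()["pool"]       # first failed probe: still primary
    r.run_monitors()
    after = r.resolve()              # second failed probe: DR answer
    down.clear()
    r.run_monitors()
    return before, flap, after["pool"], after["ip"], r.resolve()["pool"]

if __name__ == "__main__":
    print(demo())
```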
Silverline
Silverline is F5’s managed cloud service for L3-7 DDoS Mitigation & WAF
Antifraud
Antifraud detects & mitigates malware on client devices (e.g. laptops/phones)
Internal user accessing HTTP web application…
…so you might choose to enable SSL Offload and WAF functionality…
You might also choose to add FW and DDoS protection…