F5 Application Traffic Management - PowerPoint PPT Presentation
Radovan Gibala, Senior Solutions Architect, F5 (2009). 83 slides, provided by readmeCz (http://www.readme.cz).

Transcript and Presenter's Notes


1
F5 Application Traffic Management
Radovan Gibala, Senior Solutions Architect
r.gibala@f5.com, +420 731 137 223
2009
2
Application Delivery Requirements

User Experience / App Performance
  • Asymmetric and Symmetric Acceleration
  • Server Offload
  • Load Balancing

App Security / Data Integrity
  • AAA
  • Data Protection
  • Transaction Validation

Managing Scale / Consolidation
  • Virtualization
  • Migration
  • Tiering
  • Load Balancing

Unified Security Enforcement / Access Control
  • Remote, WLAN and LAN Central Policy Enforcement
  • End-Point Security
  • Encryption
  • AAA

Application Delivery Network (spanning all four)
  • WAN Virtualization
  • File Virtualization
  • DC to DC Acceleration
  • Virtualized VPN Access
  • Virtualized App Infrastructure
  • Server and App Offload
  • Load Balancing
3
The same requirements mapped to the F5 product line
  • User Experience / App Performance: BIG-IP LTM, GTM, WA, ARX, WJ
  • App Security / Data Integrity: BIG-IP LTM, ASM, FirePass
  • Managing Scale / Consolidation: ARX, BIG-IP GTM
  • Unified Security Enforcement / Access Control: FirePass, BIG-IP LTM, GTM
  • Application Delivery Network (all of the above): BIG-IP LTM, GTM, LC, WA, FirePass, ARX, WJ
4
How To Achieve the Requirements?
  • Multiple point solutions
  • More bandwidth
  • Network administrator
  • Application developer
  • Hire an army of developers?
  • Add more infrastructure?
5
The Result: A Growing Network Problem
Users: mobile phone, PDA, laptop, desktop
Network point solutions (one box per function): DoS Protection, SSL Acceleration, Rate Shaping, Server Load Balancer, Application Firewall, Content Acceleration, Traffic Compression, Connection Optimisation
Applications: SFA, CRM, ERP (each appearing several times on the slide, once per silo), Customised Application, Co-location
6
F5's Integrated Solution
Users: mobile phone, PDA, laptop, desktop
The F5 solution: a single Application Delivery Network built on TMOS
Applications: CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom, Co-location
7
A New Level of Intelligence
Legacy approach: packet based, reacting to a single communication in one direction.
8
Deliver Application Exactly as Intended
Manage Entire Application Flows
  • Independent Connection Control
  • Supporting All IP Applications
  • High Performance Framework
  • Bi-Directional, Full Payload Inspection
  • Session Level Control

(diagram: client side | Universal Inspection Engine (UIE) on the TM/OS Fast Application Proxy | server side)
9
The Most Intelligent and Adaptable Solution
  • Programmable Application Network
  • Unified Application Infrastructure Services
  • Targeted and Adaptable Functions
  • Complete Visibility and Control of Application Flows

(diagram: the same client side | UIE / TM/OS Fast Application Proxy | server side picture, with Compression, TCP Offloading and Load Balancing as the services applied inside the proxy)

10
Traffic Management Operating System
Shared Application Services: iRules, Rate Shaping / Rate Limiting, Resource Cloaking, Transaction Assurance, Universal Persistence, Caching, Compression, Selective Content Encryption, Advanced Client Authentication, Application Health Monitors, Application Switching
TMOS Operating System
Shared Network Services: TCP Express, Protocol Sanitization, High Performance SSL, DoS and DDoS Protection, VLAN Segmentation, Line Rate L2 Switching (Mirroring, Trunking, STP, LACP), IP Packet Filtering, IPv6, Dynamic Routing, Secure Network Address Translation, Port Mapping, Common Management Framework
11
Unique TMOS Architecture
(diagram: client side and server side each terminate on a TCP proxy inside the TMOS microkernel; traffic plug-ins such as TrafficShield, Web Accel, 3rd party modules, SSL, Compression, TCP Express, Caching, OneConnect, XML and Rate Shaping sit on the microkernel, with iRules for in-line programmability, the iControl API for external control, and high-performance hardware underneath)
  • TMOS Traffic Plug-ins
  • High-Performance Networking Microkernel
  • Powerful Application Protocol Support
  • iControl: External Monitoring and Control
  • iRules: Network Programming Language

12
BIG-IP
13
First Unified Application Infrastructure Services
Delivering
  • Resource Cloaking
  • Advanced Client Authentication
  • Firewall - Packet Filtering
  • Selective Content Encryption
  • Cookie Encryption
  • Content Protection
  • Protocol Sanitization
  • DoS and DDoS protection
  • Brute Force attacks protection
  • DoS and SYN Flood Protection
  • Network Address/Port Translation
  • Application Attack Filtering
  • Certificate Management
  • Secure and Accelerated DC to DC data flow
  • Comprehensive Load Balancing
  • Advanced Application Switching
  • Customized Health Monitoring
  • Intelligent Network Address Translation
  • Advanced Routing
  • Intelligent Port Mirroring
  • SSL Acceleration
  • Quality of Service
  • Connection Pooling
  • Intelligent Compression
  • L7 Rate Shaping
  • Content Spooling/Buffering
  • TCP Optimization
  • Content Transformation
  • Caching
  • TCP Express
  • IPv6 Gateway
  • Universal Persistence
  • Response Error Handling
  • Session / Flow Switching
  • Network Virtualization
  • System resource Control
  • Application Templates
  • Dashboard

14
Comprehensive Load Balancing
  • Static
    • Round Robin
    • Ratio
  • Dynamic
    • Fastest
    • Least Connections
    • Observed
    • Predictive
    • Dynamic Ratio
  • Priority Groups
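
To make the static/dynamic split and priority group activation concrete, here is an added example in Python (my own illustration, not F5 code or anything on the original slide). It implements Ratio, Least Connections and a priority-group fallback; the member names, ratios, priorities and connection counts are constructed, and the response-time-based methods (Fastest, Observed, Predictive, Dynamic Ratio) are not modelled.

```python
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class Member:
    """A pool member as the monitors and the load balancer see it.
    (Constructed for this example; not an F5 data structure.)"""
    name: str
    ratio: int = 1        # weight for the Ratio method
    priority: int = 0     # priority group; a higher number is preferred
    up: bool = True       # current health monitor result
    conns: int = 0        # open connections, used by Least Connections


@dataclass
class Pool:
    members: list
    min_active: int = 0   # priority group activation threshold (0 = disabled)
    _rr: dict = field(default_factory=dict)

    def active_members(self):
        """Members eligible for selection.

        Only monitor-up members count. With priority group activation the
        highest priority group is used on its own while it has at least
        min_active members up; lower groups are added only when it does not.
        """
        up = [m for m in self.members if m.up]
        if self.min_active == 0:
            return up
        chosen = []
        for prio in sorted({m.priority for m in up}, reverse=True):
            chosen += [m for m in up if m.priority == prio]
            if len(chosen) >= self.min_active:
                break
        return chosen

    def pick_ratio(self):
        """Static Ratio: weighted round robin over the active members."""
        active = self.active_members()
        if not active:
            return None
        key = tuple(m.name for m in active)
        if key not in self._rr:
            # rebuild the rotation whenever the active set changes
            self._rr = {key: cycle([m for m in active for _ in range(m.ratio)])}
        return next(self._rr[key])

    def pick_least_connections(self):
        """Dynamic Least Connections: fewest open connections wins; the
        member name is the tiebreaker so the choice is deterministic."""
        active = self.active_members()
        if not active:
            return None
        return min(active, key=lambda m: (m.conns, m.name))


def demo():
    """Two front-line members plus a standby that only takes traffic once
    fewer than two front-line members are up."""
    pool = Pool(members=[Member("web1", ratio=3, priority=10),
                         Member("web2", ratio=1, priority=10),
                         Member("standby1", priority=5)],
                min_active=2)
    rotation = [pool.pick_ratio().name for _ in range(4)]
    pool.members[0].up = False                      # monitor marks web1 down
    fallback = [m.name for m in pool.active_members()]
    return rotation, fallback


if __name__ == "__main__":
    print(demo())
```

With ratio 3:1 the rotation is web1, web1, web1, web2; once web1 fails its monitor the highest group drops below the threshold of two and standby1 joins web2 in the active set.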

15
Feature Overview / BIG-IP
  • Availability Checking
    • Check any back-end process using EAV (External Application Verification) monitors
    • Works for any IP based application
    • Stateful failover between devices
  • Security
    • Firewall-like device that resists most attacks
    • All administration is encrypted
    • Integrated SSL/FIPS and secure NAT
16
Feature Overview / BIG-IP
  • SSL and E-Commerce
    • Only product with integrated SSL
    • Single certificate simplifies administration
    • Lowers certificate costs
    • Client certificate checking (authentication)
  • Layer 7 Functionality
    • Can use any HTTP header/content or TCP content in traffic decisions
    • Can persist on anything
    • HTTP 1.1 keep-alives dramatically improve performance
17
Feature Overview / BIG-IP
  • Easy to Implement and Support
    • Can be deployed as either a Layer 2 or a Layer 3 device
    • Simple and complete graphical user interface
    • Installation services by F5 and/or partner
  • Flexibility
    • BIG-IP works with any server or IP based service
    • iControl enables integration with internal and/or 3rd party applications

18
Powerful and Simplified Management
"We have to deal with multiple products. The new user interface makes every other solution in this space look absolutely immature. F5's solutions are 10 times easier to manage than Cisco." - Major US Hosting Provider
19
Profile Based Management
  • Profile Based Traffic Management
  • Improved vision of all resources and traffic

20
Ensure Higher Availability - Superior System Design
  • Process reporting and control: granular status, logging and configurable actions for component-level failures; capable of warm restarts and upgrades.
  • 3-way HA design: robust internal system checking and pass-through design.

21
Extensibility - IPv6 Gateway
22
Network Virtualization: Route Domains
  • Consolidation with control
  • Host multiple groups on one BIG-IP without conflicts
  • Granular control to provide separate routing domains and overlapping IPs
23
System Resource Control: Module Provisioning
  • Consolidation with control
  • Allocate CPU, memory, and disk per module
  • Customize allocation to meet your needs

24
Simple Application Roll-outs: Application Templates
(three-step wizard on the slide: 1, 2, 3)
Templates available: SharePoint 2007, VMware VDI, Exchange Web Access 2007, IIS 7.0, HTTP, BEA WebLogic 5.1 and 8.1, Oracle Application Server 10g, SAP ERP 6.0 and ERP 2006, Citrix Presentation Server, DNS, IP Forwarding, LDAP, RADIUS
"The Application Templates allowed us to deploy Microsoft IIS in seconds instead of hours" - System Engineer, Fortune 500 Co.
25
Simplified Management: Dashboard
26
Secure and Accelerate DC to DC: iSessions
  • Secure and accelerate between data centers
  • Integrated and free with BIG-IP LTM v10
  • Symmetric compression
    • Adaptive
    • Deflate
    • LZO
  • SSL encryption

Note: Not available on the 1500 and 3400 platforms.
27
BIG-IP Security Add-On Modules
28
BIG-IP Software Add-On Modules: Quickly Adapt to Changing Application and Business Challenges
29
Intelligent HTTP Compression
The most intelligent and flexible solution to target HTTP compression where it matters most
  • URI/content filters: allow/disallow lists
    • Compress only specified file types
    • Based on URI or MIME type
  • Client-aware compression (patent pending)
    • Based on TCP latency: observe the client RTT
    • Based on low bandwidth client connections
  • Granular L7 based compression
  • Tunable resource allocation
    • Devote more memory and CPU cycles to high priority compression jobs
  • Adaptable compression
    • Scale back compression based on CPU load


30
Real Time Compression Tool
www.f5demo.com/compression
31
TCP Express
  • Behaviors of a good TCP/IP implementation:
    • Proper congestion detection.
    • Good congestion recovery.
    • High bandwidth utilization.
  • Being too aggressive can let individual connections consume all of the network.
  • Not being aggressive enough leaves bandwidth unused, especially with a low number of connections.
  • The stack always needs to adapt to changing congestion.
  • Increased windowing and buffering will often help compensate for latency and can also offload the application equipment more quickly.
  • The most important TCP tuning typically concerns window sizes and retransmission logic (aka congestion control behavior).
  • On today's networks, loss is almost always caused by congestion.
  • Most TCP stacks are not aggressive enough.
32
F5's TCP Congestion Control Algorithms
  • Reno congestion control
    • Original TCP fast recovery algorithm, based on BSD Reno.
    • Initially grows the congestion window (CWND) exponentially during the slow-start period.
    • After slow-start, increases CWND by 1 MSS for each CWND's worth of data ACKed (linear growth).
    • When loss or a recovery episode is detected, CWND is cut in half.
  • NewReno modifications (currently the default mode)
    • Improves on the Reno behaviour.
    • When entering a recovery episode, performs a fast retransmit.
    • Each partial ACK below the recovery threshold triggers a one-time retransmission of the segment starting at the ACKed sequence number.
    • Results in more aggressively sending the missing data and exiting the recovery period sooner.
  • Scalable TCP (added in 9.4)
    • Improves on the NewReno behaviour.
    • Upon loss, CWND is reduced by only 1/8.
    • Once out of slow start, CWND increases by 1% of an MSS (0.01 MSS) for each ACK received, so growth is proportional to the window rather than linear.
  • HighSpeed TCP (RFC 3649, added in 9.4)
    • Similarly improves on the NewReno behaviour and is available alongside Scalable TCP.
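
The slide's point, that Reno-style recovery is too slow for large windows, is easiest to see in numbers. The following is an added example in Python (my own, not F5 code): it applies exactly the rules stated on the slide, halving plus one MSS per RTT for Reno/NewReno, and a one-eighth cut plus 1% growth per ACK for Scalable TCP, and counts how many RTTs each needs to rebuild the window after a single loss. Units are MSS and RTTs, the sender is assumed to be ACK-clocked with one full window of ACKs per RTT, and the loss points are constructed inputs.

```python
def reno_grow(cwnd, ssthresh):
    """One RTT of Reno/NewReno growth: double while in slow start,
    then add one MSS per window of ACKs (linear congestion avoidance)."""
    if cwnd < ssthresh:
        return min(cwnd * 2, ssthresh)
    return cwnd + 1


def scalable_grow(cwnd, ssthresh):
    """One RTT of Scalable TCP growth: in congestion avoidance every ACK
    adds 0.01 MSS, so a window of cwnd ACKs multiplies cwnd by 1.01."""
    if cwnd < ssthresh:
        return min(cwnd * 2, ssthresh)
    return cwnd * 1.01


def reno_cut(cwnd):
    """Reno/NewReno: halve on loss."""
    return cwnd / 2


def scalable_cut(cwnd):
    """Scalable TCP: back off by only one eighth."""
    return cwnd * 7 / 8


def rtts_to_recover(grow, cut, cwnd_at_loss):
    """RTTs from a single loss at cwnd_at_loss until the window is back to
    that size. ssthresh is set to the post-loss window, as both algorithms
    do, so recovery proceeds in congestion avoidance rather than slow start."""
    ssthresh = cut(cwnd_at_loss)
    cwnd = ssthresh
    rtts = 0
    while cwnd < cwnd_at_loss:
        cwnd = grow(cwnd, ssthresh)
        rtts += 1
    return rtts


def compare(cwnd_at_loss):
    """Recovery time of each algorithm for the same loss."""
    return {
        "reno": rtts_to_recover(reno_grow, reno_cut, cwnd_at_loss),
        "scalable": rtts_to_recover(scalable_grow, scalable_cut, cwnd_at_loss),
    }


def trace(grow, cut, cwnd, ssthresh, rtts, loss_at):
    """Window size per RTT with losses at the given RTT numbers (for plotting)."""
    out = []
    for t in range(rtts):
        if t in loss_at:
            ssthresh = cut(cwnd)
            cwnd = ssthresh
        else:
            cwnd = grow(cwnd, ssthresh)
        out.append(round(cwnd, 2))
    return out


if __name__ == "__main__":
    for w in (10, 100, 1000):
        print(w, compare(w))
```

Reno needs as many RTTs as half the window (50 RTTs for a 100-MSS window, 500 for 1000), while Scalable TCP recovers in 14 RTTs regardless of the window size, which is what makes it usable on high bandwidth-delay paths.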

33
OneConnect Connection Pooling
  • Increases server capacity by 30%
  • Aggregates a massive number of client requests into fewer server side connections
  • Transforms HTTP 1.0 to 1.1 for server connection consolidation
  • Maintains intelligent load balancing to dedicated content servers

Good sources: http://tech.f5.com/home/bigip/solutions/traffic/sol1548.html and http://www.f5.com/solutions/archives/whitepapers/httpbigip.html
34
OneConnect: New and Improved
HTTP Request Pooling
  • Streamlines single client requests to BIG-IP
  • Enabled by HTTP 1.1
  • Avg. reduction is 20 to 1 per web page (diagram: 20 client connections fetching index.htm, a.gif, b.gif and c.asp collapse onto 1 server side connection)
1) OneConnect Content Switching
  • Intelligent load balancing to dedicated content servers (diagram: index.htm, a.gif and b.gif go to one server, c.asp to another)
  • Maintains server logging
2) OneConnect HTTP Transformations
  • Transforms HTTP 1.0 to 1.1 for server connection consolidation (diagram: many client connections, one server connection)
3) OneConnect Connection Pooling
  • Aggregates a massive number of client requests into fewer server side connections (diagram: requests for index.htm, a.gif, b.gif, c.asp and for sales.htm, d.gif, e.gif, f.asp share one pooled connection to the server)
35
Content Spooling
  • Problem: TCP overhead on servers
    • There is overhead in breaking apart (chunking) content
    • Client and server negotiate TCP segmentation
    • The client forces more segmentation than is good for the server
    • The server is burdened with breaking content up into small pieces for good client consumption
  • Solution
    • Slurp up the server response
    • Spoon feed clients
Benefit: Increases server capacity by up to 15%
36
L7 Rate Shaping
Integrated and fine grained bandwidth control
Rate Class
  • Sophisticated bandwidth control
    • Flexible bandwidth limits
    • Full support for bandwidth borrowing
    • Traffic queuing (stochastic fair queue, FIFO, ToS priority queue)
  • Granular traffic classification, L2 through L7
    • iRules support can initiate a rate class on any traffic flow variable
  • Multi-direction control
    • Control throughput in any direction

(diagram: a rate class with base rate, ceiling rate and burst applied between the WAN, network segments and a pool of servers)
37
Hardware
38
BIG-IP Background
  • Launched in 1997
  • >75,000 units deployed, >12,000 customers
  • Most advanced ADC in the world
  • Enables integrated product modules
    • Global Traffic Manager
    • Link Load Balancing
    • Routing and IPv6
    • Web Application Firewall
    • Web Acceleration
    • SSL Acceleration
  • Market dominance
    • Price / Performance
    • Value
    • Functionality

39
Actual BIG-IP Platforms
(chart axes: price vs. function / performance)
  • BIG-IP 8900: 2 x quad-core CPU, 16 x 10/100/1000, 8 x 1GB SFP, 2 x 320 GB HD (S/W RAID), 8 GB CF, 16 GB memory, SSL @ 58K TPS / 9.6 Gb bulk, 6 Gbps max hardware compression, 12 Gbps traffic, multiple product modules
  • BIG-IP 6900: 2 x dual-core CPU, 16 x 10/100/1000, 8 x 1GB SFP, 2 x 320 GB HD (S/W RAID), 8 GB CF, 8 GB memory, SSL @ 25K TPS / 4 Gb bulk, 5 Gbps max hardware compression, 6 Gbps traffic, multiple product modules
  • BIG-IP 3600: dual-core CPU, 8 x 10/100/1000, 2 x 1GB SFP, 1 x 160 GB HD, 8 GB CF, 4 GB memory, SSL @ 10K TPS / 2 Gb bulk, 1 Gbps max software compression, 2 Gbps traffic, 1 advanced product module
  • BIG-IP 1600: dual-core CPU, 4 x 10/100/1000, 2 x 1GB SFP, 1 x 160 GB HD, 4 GB memory, SSL @ 5K TPS / 1 Gb bulk, 1 Gbps max software compression, 1 Gbps traffic, 1 basic product module
40
2008 Hardware Architecture (Single-Board Design)
(block diagram of the board; legend below)
  • TMM: Traffic Management Microkernel (Layer 4-7), running on the CPUs
  • BCM: Broadcom ASIC (Layer 2)
  • AOM: Always On Module (SCCP in former versions)
  • SSL hardware, FIPS (Federal Information Processing Standards) option, hardware compression card
  • CPUs, RAM, CompactFlash, HDD1 and HDD2, LCD panel, dual power supplies
  • Ports: serial, management, failover, x10/100/1000Base-T copper/SFP-GBIC; 10GbE depends on platform (optional)
41
High-Performance Application Switches
BIG-IP 8900, BIG-IP 6900, BIG-IP 1600 - 3600
  • Consolidate with purpose-built hardware
    • Designed specifically for application delivery
    • Integrated platform for security, acceleration, availability
  • Offload application servers
    • High performance hardware SSL and compression offload
    • Advanced connection management
  • Reduce operating costs
    • Simplified management with USB, front panel management, remote boot, and more
    • Increased uptime with hot swappable and redundant components
42
BIG-IP 1600: High performance meets high value
  • High performance
    • Dual-core CPU provides 1 Gb/s of L7 throughput
  • Reliable and adaptable
    • Options for dual power and DC power
    • Front-to-back cooling
  • Basic security and acceleration options
    • Protocol Security Module
    • 1 Gb/s compression and SSL throughput
43
BIG-IP 3600: Integrated ADC in a 1U platform
  • Advanced security and acceleration options
    • WebAccelerator option
    • Application Security Module option
  • High performance
    • Dual-core CPU provides 2 Gb/s of L7 throughput
  • Reliable and adaptable
    • Options for dual power and DC power
    • Front-to-back cooling
44
BIG-IP 6900: Consolidation and Integration
  • High performance for consolidation
    • Dual CPU, dual core, for 6 Gb/s of L7 throughput
    • Hardware SSL and compression offload
  • Multi-module integration
    • Run multiple modules and unify application delivery functions on a single device
  • Reliable and adaptable
    • Dual power supplies and dual hard drives standard
    • Front-to-back cooling
45
BIG-IP 8900: The Foundation of a Unified ADN
  • High performance for consolidation
    • Dual CPU, quad core, for 12 Gb/s of L7 throughput
    • Hardware SSL and compression offload
  • 10G ports for next-gen data centers
    • Two 10G SFP+ ports in addition to 1G copper and fiber connections
  • Reliable and adaptable
    • Dual power supplies and dual hard drives standard
    • Front-to-back cooling

46
Platform Performance
47
CMP Super-VIP
(diagram: clients, one virtual server, servers)
"Multitasking means screwing up several tasks at the same time."
48
The World's Only On Demand ADC
49
VIPRION: On Demand ADC
  • Add application intelligence without adding management cost
  • Market-leading performance
  • Ultimate redundancy
  • TMOS inside
50
VIPRION Overview
  • Unmatched performance
    • Massive scalability
    • Processing architecture common with the 8800
  • Intelligent clustering
    • SuperVIP (virtuals can seamlessly span blades)
    • N+M redundancy for all features in the cluster
  • High availability
    • Automatic failover within the cluster
    • Chassis-to-chassis redundancy
  • Full modular chassis
    • 4 blade slots, 1 blade type
    • Any blade can be chassis master
  • Common central management console
    • Single point of management
    • Same user interface as BIG-IP appliances

51
On Demand Zero Reconfiguration
  • Automatic addition of power
  • No need to overprovision
  • Fixed and predictable OpEx

52
Ultimate Reliability
  • Multi-Level Redundancy
  • Internal blade to blade failover
  • External chassis to chassis
  • Hot swappable power supplies
  • Hot swappable fan trays
  • Hot swappable LCD display
  • Passive, redundant backplane
  • Integrated Lights Out mgmt

53
Ultimate Reliability
  • Multi-Level Redundancy
  • Blade failure will not cause chassis failure
  • Redundant and hot swappable components
  • Always Available

54
Traditional ADC Scaling
  • Each addition requires
    • DNS changes
    • Physical reconfigurations
    • Routing changes
    • ADC reconfiguration
55
Clustered Multi Processing Scales
(chart: performance over time as processing resources are added, CMP compared with SMP)
56
Virtual Processing Fabric
  • Clustered Multi Processing
  • Custom Disaggregator ASICs
  • High Speed Bridge

(diagram: client traffic enters a Disaggregator (DAG) ASIC that spreads flows over the high speed bridge across the processing complex of TMM 0, TMM 1 ... TMM n; a matching DAG sits on the server side)
57
The SuperVIP
  • Virtualization: separating the physical characteristics of computing resources from the systems, applications or end users interacting with those resources.
  • With a SuperVIP, a single virtual server may be processed by all computing resources of the VIPRION.

58
Market Leading Performance
59
More detailed measures
60
Avoid Management Nightmare
VIPRION: 200,000 SSL TPS in one chassis (the equivalent of 16 blades at 12,000 SSL TPS each)
61
Avoid Growing Pains
VIPRION: 3,200,000 Layer 7 requests/sec in one chassis (the equivalent of 42 blades at 76,000 L7 RPS each)
62
VIPRION Management
63
Management (continued)
64
Management
65
iRules and iControl
What are iRules?
  • Programming language integrated into TMOS
  • Traffic Management Operating System
  • Based on industry standard TCL language
  • Tool Command Language
  • Provide ability to intercept, inspect, transform,
    direct and track inbound or outbound application
    traffic
  • Core of the F5 secret sauce and key
    differentiator

67
How do iRules Work?
  • iRules allow you to perform deep packet
    inspection (entire header and payload)
  • Coded around Events (HTTP_REQUEST,
    HTTP_RESPONSE, CLIENT_ACCEPTED etc.)
  • Full scripting language allows for extremely
    granular control of inspection, alteration and
    delivery on a packet by packet basis

Requests
iRule Triggered HTTP Events Fire (HTTP_REQUEST,
HTTP_RESPONSE, etc.)
Modified Request
Modified Responses
Original Request
Note BIG-IPs Bi-Directional Proxy capabilities
allow it to inspect, modify and route traffic at
nearly any point in the traffice flow, regardless
of direction.
68
Centralized Transaction Assurance Proactive
Response Error Handling for Higher Availability
The Better Alternative Example Centralized
Availability, Security Acceleration
Centralized Data Protection Rewrite, Remove,
Block and or Log Sensitive Content
A Repeatable, Extensible, Flexible Architecture
Host to URI mapping Faster Access to Data
through Automatic Re-direction
69
Solution: Server Resource Cloaking
Description: To keep web server signatures from pointing attackers at potential security holes, iRules are used to remove or cloak visible web server signatures.
HOW IT WORKS
  1. Client requests information from an application and is routed through BIG-IP
  2. BIG-IP directs the request to the best performing web server
  3. Web server provides the application response, BUT all responses by default include information that indicates the type of server responding
  4. BIG-IP looks at the traffic and determines it must call the iRule for Resource Cloaking
  5. iRule runs, removing the Apache references, and sends the response on to the client
  6. Client only sees the sanitized response

iRule: Remove the Apache v2.0.49 reference

    when HTTP_RESPONSE {
        # Remove all but the given headers (the Server header goes with them).
        HTTP::header sanitize "ETag" "Connection" "Content-Type"
    }

(diagram: HTTP request in; the response from the Apache web server includes server signatures; sanitized HTTP response out)
70
What can an iRule do?
  • Read, transform, replace header or payload information (HTTP, TCP, SIP, etc.)
  • Work with any protocol, such as SIP, RTSP, XML and others, whether with native (HTTP::cookie) or generic (TCP::payload) commands
  • Make adjustments to TCP behavior, such as the MSS, checking the RTT, deep payload inspection
  • Authentication assistance, offload, inspection and more for LDAP, RADIUS, etc.
  • Caching, compression, profile selection, rate shaping and much, much more

71
iRule Event Taxonomy
  • AUTH: AUTH_ERROR, AUTH_FAILURE, AUTH_RESULT, AUTH_SUCCESS, AUTH_WANTCREDENTIAL
  • GLOBAL: LB_FAILED, LB_SELECTED, RULE_INIT
  • LINE: CLIENT_LINE, SERVER_LINE
  • TCP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA, USER_REQUEST, USER_RESPONSE
  • RTSP: RTSP_REQUEST, RTSP_REQUEST_DATA, RTSP_RESPONSE, RTSP_RESPONSE_DATA
  • HTTP: HTTP_CLASS_FAILED, HTTP_CLASS_SELECTED, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA
  • CACHE: CACHE_REQUEST, CACHE_RESPONSE
  • UDP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA
  • SIP: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE
  • CLIENTSSL: CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE
  • IP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA
  • SERVERSSL: SERVERSSL_HANDSHAKE
  • XML: XML_BEGIN_DOCUMENT, XML_BEGIN_ELEMENT, XML_CDATA, XML_END_DOCUMENT, XML_END_ELEMENT, XML_EVENT
  • DNS: DNS_REQUEST, DNS_RESPONSE, NAME_RESOLVED
  • STREAM: STREAM_MATCHED
72
Solution: FIX Protocol Persistence
  • Challenges
    • Business chooses the protocol required by its industry sector
    • Implementation on the server side is impossible in an enterprise HA scenario
  • Solution
    • iRule provides a centralized mechanism for intercept/inspect/route
    • Solution can be deployed in true HA/multi-server (even multi-data center) mode
    • Clean code management

HOW IT WORKS
  1. Client requests information from an application and is routed through BIG-IP
  2. BIG-IP UIE inspects for the specific information identified
  3. iRule runs and queries the payload (TCP::collect) for the specific identifier needed (SenderCompID, FIX tag 49)
  4. Based upon the rule, the client request is persisted to a specific server dedicated to that user (diagram: Pool A / Pool B)

iRule: Query identifies the FIX SenderCompID

    rule FIX_regexp {
        when CLIENT_ACCEPTED { TCP::collect }
        when CLIENT_DATA {
            # Tag 49 (SenderCompID) is SOH-delimited: match SOH "49=" value SOH, so
            # tag 149 cannot match and the value stops at the next delimiter.
            # \u0001 rather than \x01: Tcl's \x swallows every following hex digit,
            # so "\x0149" would silently become "I".
            if { [regexp "\u000149=(\[^\u0001\]*)\u0001" [TCP::payload] -> SenderCompID] } {
                persist uie $SenderCompID
                TCP::release
            } else {
                TCP::collect
            }
        }
    }

Enhanced by the community: see CodeShare.
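
The decision the iRule makes on every CLIENT_DATA event, reduced to plain Python so it can be run against a captured buffer. This is an added example (my own, not F5 code): the FIX Logon message is constructed, and the pool member names and the persistence table are assumptions standing in for `persist uie` and the pool behind it. The part worth noting is the partial-buffer case: TCP::collect can hand the rule a buffer that ends in the middle of tag 49, and the rule must keep collecting rather than persist on a truncated ID.

```python
SOH = b"\x01"


def sender_comp_id(buf):
    """Return SenderCompID (tag 49) from a possibly partial FIX buffer, or
    None if the field has not fully arrived (the iRule then collects more).

    The match is SOH '49=' value SOH: the leading SOH stops tag 149 from
    matching (every FIX message starts with 8=..., so tag 49 is never the
    first field) and the trailing SOH proves the value is complete.
    """
    start = buf.find(SOH + b"49=")
    if start == -1:
        return None
    end = buf.find(SOH, start + 4)
    if end == -1:
        return None
    return buf[start + 4:end].decode("ascii")


class UiePersistence:
    """Universal persistence table keyed on an arbitrary string."""

    def __init__(self, members):
        self.members = list(members)
        self.table = {}
        self._next = 0

    def select(self, key):
        member = self.table.get(key)
        if member is None:
            # First time this key is seen: load balance (round robin here)
            # and remember the choice so later connections stick to it.
            member = self.members[self._next % len(self.members)]
            self._next += 1
            self.table[key] = member
        return member


def client_data(buf, persistence):
    """Mirror the iRule's CLIENT_DATA branch: 'collect' until tag 49 is
    complete, then return the persisted pool member."""
    key = sender_comp_id(buf)
    if key is None:
        return "collect"
    return persistence.select(key)


# Constructed FIX 4.2 Logon from BANK1 (tags 9 and 10 are not real values).
LOGON = (b"8=FIX.4.2\x019=65\x0135=A\x0134=1\x0149=BANK1\x0152=20090501-09:30:00"
         b"\x0156=EXCH\x0198=0\x01108=30\x0110=123\x01")

if __name__ == "__main__":
    p = UiePersistence(["fix-srv1", "fix-srv2"])
    print(client_data(LOGON[:30], p))   # buffer cut inside "49=BA": collect
    print(client_data(LOGON, p))        # BANK1 -> fix-srv1
```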
73
What makes iRules so unique?
  • Full-fledged scripts, executed against traffic on
    the network, at wire-speed
  • Powerful logical operations combined with deep
    packet inspection
  • The ability to route, re-route, re-direct, retry,
    or block traffic
  • Community support, tools and innovation

74
Solution: Credit Card Scrubber
  • Challenges
    • Rapid feature enhancements come at the expense of good security practices
    • Scanning on each server doesn't perform well
  • Solution
    • iRule provides a centralized mechanism for protection
    • High performance at the network maintains high end-user satisfaction
    • App teams focus on features, network teams focus on protection

HOW IT WORKS
  1. Client requests information from an application and is routed through BIG-IP
  2. BIG-IP directs the request to the best performing web server
  3. Web server provides the application response, BUT the iRule runs if it sees a string of 15 or 16 digits
  4. iRule runs the MOD-10 (Luhn) algorithm to determine whether the digit string is a valid credit card number; the offending server IP address is logged and flagged
  5. If it is a valid match, the digits are replaced with X's
  6. Client only sees the sanitized response

iRule: Remove Valid Credit Card Numbers

    when HTTP_REQUEST {
        # Don't allow data to be chunked: downgrade to HTTP/1.0 so the server
        # answers with a Content-Length the response side can collect against.
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
    }
    when HTTP_RESPONSE {
        if { [HTTP::header exists "Content-Length"] } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 4294967295
        }
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
    when HTTP_RESPONSE_DATA {
        # Find ALL the possible credit card numbers in one pass
        # (Amex 15 digits; Visa, MasterCard, Discover 16 digits)
        set card_indices [regexp -all -inline -indices \
            {(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} [HTTP::payload]]
        foreach card_idx $card_indices {
            set card_start [lindex $card_idx 0]
            set card_end [lindex $card_idx 1]
            set card_len [expr {$card_end - $card_start + 1}]
            set card_number [string range [HTTP::payload] $card_start $card_end]
            # Digits to double are every second one counted from the right:
            # odd offsets from the left for 15 digits, even offsets for 16.
            set double [expr {$card_len & 1}]
            set chksum 0
            set isCard invalid
            # Calculate MOD10
            for { set i 0 } { $i < $card_len } { incr i } {
                set c [string index $card_number $i]
                if { ($i & 1) == $double } {
                    if { [incr c $c] >= 10 } { incr c -9 }
                }
                incr chksum $c
            }
            # Determine card type
            switch [string index $card_number 0] {
                3 { set type AmericanExpress }
                4 { set type Visa }
                5 { set type MasterCard }
                6 { set type Discover }
                default { set type Unknown }
            }
            # If valid card number, then mask out the number with X's
            if { ($chksum % 10) == 0 } {
                set isCard valid
                HTTP::payload replace $card_start $card_len [string repeat "X" $card_len]
            }
            # Log the result and the offending server, but not the PAN itself:
            # a log full of card numbers would just be a second leak.
            log local0. "Found $isCard $type CC ($card_len digits) in response from [IP::server_addr]"
        }
    }

(diagram: HTTP request in; the response from the application server accidentally leaks customer credit card numbers; sanitized HTTP response out)
Created collaboratively within the community.
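
The same scrubber in Python, as an added example (my own code, not F5's and not from the slide), so the regex-then-Luhn logic can be exercised offline. It uses the slide's candidate patterns and checksum, and adds the two things a practitioner usually wants: an option to leave the last four digits visible, and log lines that carry the masked value rather than the PAN. The response body and the test card numbers are constructed inputs.

```python
import re

# Same candidate patterns as the iRule: Amex (15 digits), Visa, MasterCard,
# Discover (16 digits).
CARD_RE = re.compile(r"(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})")
CARD_TYPES = {"3": "AmericanExpress", "4": "Visa", "5": "MasterCard", "6": "Discover"}


def luhn_ok(number):
    """MOD-10 check. Counting from the rightmost digit, every second digit
    is doubled and 9 subtracted when the result reaches 10; the sum of all
    digits must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d >= 10:
                d -= 9
        total += d
    return total % 10 == 0


def scrub(body, keep_last=0):
    """Mask every Luhn-valid candidate in body.

    Returns (sanitized body, log lines). Digit runs that merely look like a
    PAN but fail the checksum (order numbers, timestamps) are left alone,
    which is what keeps the false-positive rate tolerable. keep_last=4
    leaves the last four digits visible, the usual receipt format.
    The log lines carry the masked value, never the PAN.
    """
    log = []

    def repl(m):
        pan = m.group(0)
        ctype = CARD_TYPES.get(pan[0], "Unknown")
        if not luhn_ok(pan):
            log.append(f"Found invalid {ctype} candidate ({len(pan)} digits), left as-is")
            return pan
        masked = "X" * (len(pan) - keep_last) + pan[len(pan) - keep_last:]
        log.append(f"Found valid {ctype} CC {masked}")
        return masked

    return CARD_RE.sub(repl, body), log


# Constructed response body. 4111111111111111 and 378282246310005 are the
# standard Visa/Amex test numbers (Luhn-valid); the order number only looks
# like a card and fails the checksum.
SAMPLE_BODY = ("<p>Order 4111111111111112 has shipped.</p>"
               "<p>Card on file: 4111111111111111 (Visa), 378282246310005 (Amex)</p>")

if __name__ == "__main__":
    clean, log = scrub(SAMPLE_BODY, keep_last=4)
    print(clean)
    print("\n".join(log))
```

The order number passes through untouched because it fails MOD-10, while the two real test numbers are masked; with keep_last=4 the Visa becomes XXXXXXXXXXXX1111.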
75
Solution: Anti-phishing
Prevent unwanted referrals of content
HOW IT WORKS
  1. Define a list of valid referrers in the form of a class. This is the list of sites that you expect to be linking to content on your site.
  2. Define a list (in the form of a class) of file types that should not be linked to by anyone other than the referrers listed in item 1.
  3. Check whether an invalid referrer (not in class 1) is trying to serve data from your site and what kind of content they shouldn't be serving. If it matches the file types in class 2, block it. If not, insert some custom code to help prevent phishing attempts.
  • Challenges
    • Attacks are directed at users, not at the servers themselves
    • No control of user actions
    • Can't force a software install
  • Solution
    • iRule prevents the scraping required to perform the attack
    • Preventative approach keeps users safe without the need for their interaction
    • Server load decreased

    class valid_referers {
        "http://mydomain.com" "http://mydomain1.com" "http://url1" "http://url2" "http://url3"
    }
    class file_types {
        ".gif" ".jpg" ".png" ".bmp" ".js" ".css" ".xsl"
    }
    rule no_phishing {
        when HTTP_REQUEST {
            set respond 0
            # Don't allow data to be chunked.
            if { [HTTP::version] eq "1.1" } {
                if { [HTTP::header is_keepalive] } {
                    # Adjust the Connection header.
                    HTTP::header replace "Connection" "Keep-Alive"
                }
                HTTP::version "1.0"
            }
            # No valid_referers entry is a prefix of the Referer. A missing
            # Referer (direct visit, privacy settings) also ends up here.
            if { [matchclass [HTTP::header "Referer"] starts_with $::valid_referers] < 1 } {
                if { ([string tolower [HTTP::method]] eq "get") && ([matchclass [HTTP::uri] contains $::file_types] > 0) } {
                    # Protected file type hot-linked from elsewhere: drop it.
                    discard
                } else {
                    # Everything else from a foreign referer gets the
                    # anti-framing script, if the response turns out to be text.
                    set respond 1
                }
            }
        }
        when HTTP_RESPONSE {
            if { ($respond == 1) && ([HTTP::header exists "Content-Type"]) && ([HTTP::header "Content-Type"] starts_with "text") } {
                if { [HTTP::header exists "Content-Length"] } {
                    set content_len [HTTP::header "Content-Length"]
                } else {
                    set content_len 4294967295
                }
                if { $content_len > 0 } {
                    HTTP::collect $content_len
                }
            }
        }
        when HTTP_RESPONSE_DATA {
            set bypass [string first -nocase "<html>" [HTTP::payload]]
            if { $bypass != -1 } {
                # Insert a frame-busting script in front of <html> so the page
                # escapes any phishing site's frame.
                HTTP::payload replace $bypass 0 "<script type=\"text/javascript\">\n if (top.frames.length!=0) {\n  if (window.location.href.replace)\n   top.location.replace(self.location.href);\n  else\n   top.location.href=self.document.href;\n }\n</script>\n"
            } else {
                HTTP::respond 500
            }
        }
    }

(diagram: HTTP request in; web servers feed content to anyone requesting it, including people who shouldn't be serving this content; HTTP response out)
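
The request-side decision of that rule, rewritten in Python as an added example (my own, not F5 code or part of the slide) so the edge cases can be tested. The allowed host set and file types are constructed stand-ins for the valid_referers and file_types classes. Two points it makes that the iRule does not: a starts_with comparison against "http://mydomain.com" also accepts "http://mydomain.com.evil.net", so the host is parsed and compared exactly; and an empty Referer (direct navigation, privacy extensions, HTTPS-to-HTTP transitions) is an explicit policy choice rather than an accidental block. Since the Referer header is set by the client, none of this stops a scraper that forges it; it stops casual hot-linking and framed copies.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"mydomain.com", "mydomain1.com"}      # stand-in for valid_referers
PROTECTED_TYPES = (".gif", ".jpg", ".png", ".bmp", ".js", ".css", ".xsl")

FRAME_BUSTER = ('<script type="text/javascript">\n'
                ' if (top.frames.length!=0) {\n'
                '  if (window.location.href.replace)\n'
                '   top.location.replace(self.location.href);\n'
                '  else\n'
                '   top.location.href=self.document.href;\n'
                ' }\n'
                '</script>\n')


def referer_allowed(referer, allowed_hosts=ALLOWED_HOSTS, allow_empty=True):
    """Is the Referer one of ours?

    The host is parsed and compared exactly instead of prefix-matched the
    way starts_with does, so http://mydomain.com.evil.net/ is rejected.
    allow_empty=True keeps direct visitors working at the cost of letting
    a client that simply omits the header through.
    """
    if not referer:
        return allow_empty
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


def decide(method, uri, referer, allow_empty=True):
    """'pass' for our own referers; for foreign ones 'discard' GETs of
    protected file types (hot-linking) and 'inject' the frame buster into
    everything else. The file type is matched on the path suffix rather
    than with 'contains', so /page.jsp or ?file=.css do not trip it."""
    if referer_allowed(referer, allow_empty=allow_empty):
        return "pass"
    path = urlsplit(uri).path.lower()
    if method.upper() == "GET" and path.endswith(PROTECTED_TYPES):
        return "discard"
    return "inject"


def inject(body):
    """Put the script in front of <html> (also matching <html lang=...>),
    as HTTP::payload replace does at the matched offset. Returns None when
    there is no <html> to anchor on; the iRule answers 500 in that case
    rather than serving the page unprotected."""
    idx = body.lower().find("<html")
    if idx == -1:
        return None
    return body[:idx] + FRAME_BUSTER + body[idx:]


if __name__ == "__main__":
    for args in [("GET", "/img/logo.gif", "http://mydomain.com/page"),
                 ("GET", "/img/logo.gif", "http://mydomain.com.evil.net/"),
                 ("GET", "/login.html", "http://phish.example/copy.html"),
                 ("GET", "/img/logo.gif", "")]:
        print(args, "->", decide(*args))
```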
76
F5 iRule Editor
  • First network rule editor; optimizes development
  • Includes
    • Syntax checking
    • Auto-complete
    • Template support
    • Doc links
    • Deployment integration
    • Statistics monitoring
    • Data group editing
    • Optional post-to-CodeShare feature
  • Available now
    • Pricing: free download
    • Tutorials on DevCentral
77
Introducing iControl v9
  • Open API (SOAP/XML) allows applications to interact automatically with the network
  • Integration with development tools from Microsoft, BEA, and Oracle
  • Online community: F5 DevCentral
    • Developer assistance on F5 DevCentral via developer forums (http://devcentral.f5.com)
    • iRules forum and code examples

78
iControl Eases Application Integration
Leverage the skills and expertise you already
have!
  • Benefits
  • Open, standards based integration
  • Simplified development
  • Proven integration
  • Sample code, documentation, discussion forums
  • Key Components
  • XML/SOAP interface
  • Downloadable SDK
  • Technology partnerships
  • DevCentral resource centre and community

79
Integration and Extensibility - iControl Event API
  1. Create Subscription: the administrator uses the provided sample application (or a custom application) to create event subscriptions
  2. Select Event Type: choose a specific event to track, then create the subscription name and parameters
  3. Upon the event, the message is distributed via log, email, or SMS to phone/PDA
  • Applications can subscribe to 47 different system events
  • Sample application (screenshots) provided with the SDK
  • Bulk method support: 100:1 reduction in calls, 90% reduction in bandwidth
80
iControl Application Migration to v9
  1. Paste Code Into Analyser: the developer visits DevCentral, accesses the Code Analyser, selects the language and the report format
  2. Summary Report: the generated report identifies the lines where conflicts exist, defines the method affected, and links directly to the online versions of the 4.x and v9 SDKs
  • Analyser free for use by all F5 DevCentral members
  • DevCentral forum available for posting migration questions
  • Additional samples and technical tips will be available

81
DevCentral Technical Community
http://devcentral.f5.com/
  • Forum for F5 customers for building iRules and
    iControl applications
  • F5 provides technical documentation, tips, free
    sample downloads, and a confidential discussion
    forum
  • Monitored by F5 engineers and technical experts
    that answer technical questions
  • Design, architecture, troubleshooting and general
    assistance with iRules and iControl

82
Link Collection: www.f5.com
  • Overall: www.f5.com
  • Technical: ask.f5.com, devcentral.f5.com
  • F5 University: www.f5university.com/
    • Login: your email
    • Password: adv5tech
  • Partner Information
    • www.f5.com/partners
    • www.f5.com/training_services/certification/certFAQ.html
  • Gartner Report: http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html

Important deployment information is available at http://www.f5.com/solutions/deployment/
  • Data Center Virtualization: http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
  • Application Traffic Management: http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
  • Application Briefs: http://www.f5.com/solutions/applications/
  • Solution Briefs: http://www.f5.com/solutions/sb/
  • F5 Compression and Cache Test: http://www.f5demo.com/compression/index.php
  • F5 iControl Alliance Partners: http://www.f5.com/solutions/partners/iControl/
  • F5 Technology Alliance Partners: http://www.f5.com/solutions/partners/tech/
Let us know if you need any clarification or you have any further questions.
83
Thank You