F5 Networks Traffic Management by Design - PowerPoint PPT Presentation

Author: F5 F5. Last modified by: Juerg Wiesmann. Created date: 4/20/2004 10:27:26 PM. Document presentation format: On-screen Show.

Slides: 70
Provided by: F5F52
1
F5 Networks Traffic Management by Design
Presented by Jürg Wiesmann, Field System
Engineer, Switzerland, jürg.wiesmann_at_f5.com
2
Company Snapshot
  • Leading provider of solutions that optimize the
    security, performance & availability of IP-based
    applications
  • Founded 1996 / Public 1999
  • Approx. 1,010 employees
  • FY05 Revenue $281M
  • FY06 Revenue $394M
  • 40% Y/Y Growth

3
Clear Leader in Application Delivery
Challengers
Leaders
Magic Quadrant for Application Delivery Products
F5 Networks
  • F5 continues to build on the momentum generated
    by the release of v9.0. It commands over 50%
    market share in the advanced platform ADC segment
    and continues to pull away from the competition.

Citrix Systems (NetScaler)
Cisco Systems
Ability to Execute
Radware
Juniper Networks (Redline)
Akamai Technologies
Netli
  • F5 is one of the thought leaders in the market
    and offers growing feature richness. It should be
    high on every enterprise's shortlist for
    application delivery.

Nortel Networks
Stampede Technologies
Array Networks
Coyote Point Systems
Zeus Technology
NetContinuum
Foundry Networks
Niche Players
Visionaries
Completeness of Vision
Source: Gartner, December 2005
4
What CEOs, CFOs and CIOs are interested in
  • Low investment costs
  • Reducing load on server infrastructure
  • Low service costs
  • Simple problem, change and release management
  • Fewer service windows
  • Reduction of work during service windows
  • Simple, secure and stable environments
  • High availability

5
Problem: Networks Aren't Adaptable Enough
  • New Security Hole
  • High Cost To Scale
  • Slow Performance

?
Network Administrator
Application Developer
Applications Focus on Business Logic and
Functionality
Traditional Networks are Focused on Connectivity
6
How Do You Fix the Problem?
Multiple Point Solutions
More Bandwidth
Network Administrator
Application Developer
Hire an Army of Developers?
Add More Infrastructure?
7
A Costly Patchwork
Applications
Point Solutions
Users
DoS Protection
Mobile Phone
IPS/IDS
SSL Acceleration
SFA
CRM
ERP
CRM
Rate Shaping/QoS
PDA
Network Firewall
Application Load Balancer
ERP
ERP
Content Proxy Acceleration/Transformation
Laptop
SFA
CRM
Traffic Compression
WAN Connection Optimization
SFA
Desktop
Application Firewall
Custom Application
Co-location
8
The Better Application Delivery Alternative
The F5 Way
The Old Way
First with Integrated Application Security
9
F5's Integrated Solution
Applications
The F5 Solution
Users
Application Delivery Network
CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft,
IBM, ERP, SFA, Custom
Mobile Phone
PDA
Laptop
Desktop
TMOS
Co-location
10
The F5 Application Delivery Network
International Data Center
TMOS
Applications
Users
BIG-IP Global Traffic Manager
BIG-IP Application Security Manager
BIG-IP Link Controller
BIG-IP Local Traffic Manager
BIG-IP Web Accelerator
WANJet
iControl iRules
Enterprise Manager
11
F5 Networks Remote Access Today
Presented by Jürg Wiesmann, Field System
Engineer, Switzerland, jürg.wiesmann_at_f5.com
12
Current Issues
Unreliable access, Worm/virus propagation, High
support costs
Mobile Workforce
Employee on Home PC / Public Kiosk
Limited application support, Lack of data
integrity, Reduced user efficiency
Complex access controls, No application-level
audits, High support costs
Business Partners
Complex API, Unreliable access, High support costs
Systems or Applications
13
IPSec provides transparent Network Access BUT
  • Needs preinstalled Client
  • Does not work well with NAT
  • No granular Application Access (Network Level)
  • Hard to load balance
  • Is expensive to deploy

14
On the other hand: SSL VPN
  • No preinstalled client software needed
  • Works on the transport layer: no problem with NAT
  • Works on port 80/443: no problem with
    firewall/proxy
  • Easy to load balance
  • Offers granular application access
  • Is easy to deploy

15
Remote Access - Requirements
  • Any User: Employee, Partner, Supplier
  • Any Application: Web, Client/Server, Legacy, Desktop
  • Any Location: Hotel, Kiosk, Hot Spot
  • Any Devices: Laptop, Kiosk, Home PC, PDA/Cell Phone
  • Highly Available: Global LB, Stateful Failover, Disaster Recovery
  • Secure: Data Privacy, Device Protection, Network
    Protection, Granular App Access
  • Ease of Integration: AAA Servers, Directories, Instant Access
  • Ease of Use: Clientless, Simple GUI, Detailed Audit Trail
16
Why not use IPSec?
  • Any User: Employee, Partner, Supplier
  • Any Application: Web, Client/Server, Legacy, Desktop
  • Any Location: Hotel, Kiosk, Hot Spot
  • Any Devices: Laptop, Kiosk, Home PC, PDA/Cell Phone
  • Highly Available: Global LB, Stateful Failover, Disaster Recovery
  • Secure: Data Privacy, Device Protection, Network
    Protection, Granular App Access
  • Ease of Integration: AAA Servers, Directories, Instant Access
  • Ease of Use: Clientless, Simple GUI, Detailed Audit Trail
17
Prime Networking Real Estate
Intelligent Applications
Intelligent Client
Network Plumbing
ROUTERS SWITCHES FIREWALLS
iControl
BIG-IP FirePass TrafficShield
Functionality
Traffic Management Remote Access Security
18
FirePass Overview
Authorized Applications
Any User Any Device
Dynamic Policies
Portal Access
Secured by SSL
Laptop
FirePass
Specific Application Access
Internet
Kiosk
Network Access
Intranet
Mobile Device
Partner
19
Simplified User Access
  • Standard browser
  • Access to applications from anywhere
  • Select application
  • Shortcuts automate application connections
  • No preinstalled client software required
  • All access via a web browser

20
Access Types
  • Network Access
  • Application Access
  • Application Tunnels
  • Terminal Server
  • Legacy Hosts
  • X Windows
  • Portal Access
  • Web Applications
  • File Browsing (Windows, Unix)
  • Mobile E-Mail
  • Desktop Access (Webtop)

21
Access Methods Summary
Portal Access
  • Benefits
  • Most Flexible
  • Any Device
  • Any Network
  • Any OS
  • Most Scalable
  • Browser Compatible
  • Secure Architecture
  • Restricted Resource Access
  • Drawbacks
  • Limited Resource Access
  • Enterprise Web Apps/Resources
  • Webified Enterprise Resources
  • Limited Nonweb Applications

Application Access
  • Benefits
  • C/S Application Access
  • Legacy Application Access
  • Transparent Network Traversal
  • Any Network
  • Scalable Deployment
  • No Network/Addr. Configuration
  • Secure Architecture
  • Restricted Resource Access
  • Host Level Application Proxy
  • Drawbacks
  • Limited Access Flexibility
  • OS/JVM Compatibility Issues
  • No Transient Kiosk Access
  • Client Security
  • Installation Privileges

Network Access
  • Benefits
  • Full Network Access (VPN)
  • No Resource Restrictions
  • Drawbacks
  • More Limited Access
  • OS/JVM Compatibility Issues
  • Client Security
  • Installation Privileges

22
Adaptive Client Security
Laptop
Kiosk/Untrusted PC
PDA
23
Policy Checking with Network Quarantine
  • Quarantine Policy Support
  • Ensure Policy Compliance
  • Direct to quarantine network
  • Deep Integrity Checking
  • Specific antivirus checks
  • Windows OS patch levels
  • Registry settings

FirePass
24
Visual Policy Editor
Graphically associates a policy relationship
between end-points, users and resources
25
Unique Application Compression
  • Results
  • Over 50% faster access
  • Supports compression for any IP application
  • Faster email file access
  • Works across both dial-up and broadband

26
30 Minute Install
NEW
Quick Setup enables rapid installation and setup
even for non-experts
27
Dynamic Policy Engine
  • User / Device Security
  • Dynamically adapt user policy based on device
    used
  • Seamless Integration
  • Utilize existing AAA servers
  • Automatic user group mapping
  • Detailed audit trail
  • Application level visibility

Dynamic Policy Engine
Application Access
Mobile Device Policy
Kiosk Policy
Default Policy
Laptop Policy
FirePass
Authentication: LDAP, RADIUS, WIN NT/2K, Web-Based
Group: Sales, Financial, Auditors, etc.
Access Rights: Intranet, SAP, Siebel, File Shares
Audit: Usage Reporting (Who accessed, What was
accessed, From Where)
28
Enterprise SSO Integration
Netegrity SiteMinder
Dynamic Policies
1. User ID, Password
FirePass
2. Session Cookie
Internet
Web Servers
3. Session Cookie
  • HTTP forms-based authentication
  • Single sign-on to all web applications
  • Major SSO Identity Mgmt Vendor Support
  • Netegrity, Oblix and others

29
Application Security
Web Servers
ICAP AntiVirus
1. SQL Injection
X
FirePass
Internet
  • Web application security
  • Cross-site scripting
  • Buffer overflow
  • SQL injection
  • Cookie management
  • Policy-based virus scanning
  • File uploads
  • Webmail attachments
  • Integrated scanner
  • Open ICAP interface

30
Product Lines
31
FirePass Product Line
A product sized and priced appropriately for
every customer
FirePass 4200 Large Enterprise
FirePass 1200 Medium Enterprise
100-2000 Concurrent Users
25-100 Concurrent Users
  • 500 employees
  • High performance platform
  • Comprehensive access
  • End-to-End security
  • Flexible support
  • Failover
  • Cluster up to 10
  • 25 to 500 employees
  • Comprehensive access
  • End-to-End security
  • Flexible support
  • Failover

32
FirePass Failover
  • Redundant pair
  • Stateful failover provides uninterrupted failover
    for most applications (e.g. VPN connector)
  • Single management point
  • Active unit is configured
  • Configuration and state information is
    periodically synchronized
  • Separate SKU
  • Active unit determines software configuration and
    concurrent users

Internet
Hot standby
Active
Intranet application servers
33
FirePass 4100 Clustering
  • Clustered pair
  • Up to 10 servers can be clustered for up to
    20,000 concurrent users
  • Master server randomly distributes user sessions
  • Distributed (e.g. different sites) clusters are
    supported
  • Single management point
  • Master server is configured
  • Configuration information is periodically
    synchronized
  • Second FP 4100 Required
  • Software features purchased on 2nd server

Internet
Intranet application servers
Cluster master
Cluster nodes
34
Case Study: FirePass vs IPSec Client
  • 300 end user accounts, high availability
    configuration

                Rollout                                   Sustaining
                Engineering  Help Desk  End User          Engineering  Help Desk  End User
IPSec Client    120 hrs      200 hrs    1 hrs             1.5 hrs/day  5 hrs/day  0
FirePass        20 hrs       60 hrs     .5 hrs x 300      .5 hrs/day   2 hrs/day  0
Savings         100 hrs      140 hrs    150 hrs           1 hrs/day    3 hrs/day  0

  • Savings: 390 hours for rollout, 20 hours/week
    sustaining
  • 80 user callback for IPSec Client; 15 for
    FirePass
  • 25 users unable to use IPSec Client; 2 specific
    hotel room issues w/FirePass

35
Summary of Benefits
  • Increased productivity
  • Secure access from any device, anywhere
  • No preinstalled VPN clients
  • Reduced cost of ownership
  • Lower deployment costs
  • Fewer support calls
  • Improved application security
  • Granular access to corporate resources
  • Application layer security and audit trail

36
Summary FirePass Delivers
  • Key Features
  • Enterprise-class, High Availability platform
  • Built-in, load balanced clustering
  • SSL acceleration and server side caching
  • Visual Policy Editor and 30 Minute install
  • Supports Windows, Mac, Linux, Solaris and other
    clients
  • Built-in Protected Workspace and end-point
    security
  • Integrates with existing enterprise
    infrastructure and applications
  • Key differentiators
  • Out-of-box Scalability, Performance and
    Reliability
  • Powerful, easy to use management interface
  • Breadth of clients, applications and
    infrastructure
  • Comprehensive Risk Management including end-point
    security
  • Competitive Advantage
  • Best combination of capabilities, usability and
    security
  • Lowest Total Cost of Ownership and Highest ROI

39
Backup Slides
  • Message Security Module

40
Partnerships
  • F5's BIG-IP has been designed into a number of
    Oracle's mission-critical architectures, such as
    the Maximum Availability Architecture.
  • Julian Critchfield, Vice President, Oracle
    Server Technologies

Microsoft welcomes F5 Networks' support of
Visual Studio 2005. F5 complements our strategy
by providing our mutual customers with a way to
interact with their underlying network.
Christopher Flores, Group Product Manager in the .NET
Developer Product Management Group at Microsoft
Corp.
41
Services & Support
  • Expertise: F5 offers a full range of
    personalized, world-class support and services,
    delivered by engineers with in-depth knowledge of
    F5 products.
  • Software Solution Updates: Customers with a
    support agreement receive all software updates,
    version releases, and relevant hot fixes as they
    are released.
  • Flexibility: Whatever your support demands, F5
    has a program to fit your needs. Choose from our
    Standard, Premium, or Premium Plus service
    levels.
  • Full Service Online Tools: Ask F5 and our Web
    Support Portal.
  • Fast Replacements: F5 will repair or replace any
    product or component that fails during the term
    of your maintenance agreement, at no cost.

42
F5 Services
PROFESSIONAL SERVICES
  • Experience: F5 Professional Consultants know F5
    products and networking inside and out. The
    result? The expertise you need the first time.
  • High Availability: Our experts work with you to
    design the best possible high-availability
    application environment.
  • Optimization: Our consultants can help you fine
    tune your F5 traffic management solutions to
    maximize your network's efficiency.
  • Knowledge Transfer: Our professionals will
    efficiently transfer critical product knowledge
    to your staff, so they can most effectively
    support your F5-enabled traffic management
    environment.

CERTIFIED GLOBAL TRAINING
  • Expert Instruction: With highly interactive
    presentation styles and extensive technical
    backgrounds in networking, our training
    professionals prepare students to perform
    mission-critical tasks.
  • Hands-On Learning: Theoretical presentations and
    real-world, hands-on exercises that use the
    latest F5 products.
  • Convenience: Authorized Training Centers (ATCs)
    strategically located around the world.
  • Knowledge Transfer: Direct interaction with our
    training experts allows students to get more than
    traditional text book training.

SERVICES & SUPPORT
  • Expertise: World-class support and services,
    delivered by engineers with in-depth knowledge of
    F5 products.
  • Software Solution Updates: Software updates,
    version releases, and relevant hot fixes as they
    are released.
  • Flexibility: Standard, Premium, or Premium Plus
    service levels.
  • Full Service Online Tools: Ask F5 and our Web
    Support Portal.
  • Fast Replacements: F5 will repair or replace any
    product or component that fails during the term
    of your maintenance agreement, at no cost.

43
F5 Networks Globally
Seattle
EMEA
Japan
APAC
International HQ: Seattle; Regional HQ / Support
Center; F5 Regional Office; F5 Dev. Sites: Spokane,
San Jose, Tomsk, Tel Aviv, Northern Belfast
44
F5 Networks Message Security Module
Presented by Jürg Wiesmann, Field System
Engineer, Switzerland, jürg.wiesmann_at_f5.com
45
The Message Management Problem
  • Out of 75 billion emails sent worldwide each day,
    over 70% is spam!
  • The volume of spam is doubling every 6-9 months!
  • Clogging networks
  • Cost to protect is increasing

[Chart: TrustedSource Reputation Scores, Nov 2005 to Oct 2006; higher score = worse reputation]
46
Typical Corporate Pain
  • Employees still get spam
  • Some are annoying, some are offensive
  • Infrastructure needed to deal with spam is
    expensive!
  • Firewalls
  • Servers
  • Software (O/S, anti-spam licenses, etc.)
  • Bandwidth
  • Rack space
  • Power
  • Budget doesn't match spam growth
  • Legitimate email delivery slowed due to spam

47
Why is this happening?
  • Spam really works!
  • Click rate of 1 in 1,000,000 is successful
  • Spammers are smart professionals
  • Buy the same anti-spam technology we do
  • Develop spam to bypass filters
  • Persistence through trial and error
  • Blasted out by massive controlled botnets
  • Professional spammers have
  • Racks of equipment
  • Every major filtering software and appliance
    available
  • Engineering staff

48
It's not just annoying, it can be dangerous.
  • 2% of all email globally contains some sort of
    malware.
  • Phishing
  • Viruses
  • Trojans (zombies, spyware)

49
High Cost of Spam Growth
  • Spam volume increases
  • Bandwidth usage increases
  • Load on Firewalls increases
  • Load on existing messaging security systems
    increases
  • Emails slow down
  • Needlessly uses up rackspace, power, admin time

DMZ
Firewall
Messaging Security
Email Servers
50
MSM Blocking At the Edge
Messaging Security Server Second Tier
BIG-IP MSM First Tier
Mail Servers
Emails
e hello
Works with any Anti-Spam Solution
Terminating 70% of the Spam from the e hello
Filters out 10 to 20% of Spam
51
Why TrustedSource?
  • Industry Leader
  • Solid Gartner reviews MQ
  • IDC market share leader
  • Superior technology
  • Stability

52
TrustedSource Leading IP Reputation DB
53
TrustedSource
AUTOMATED ANALYSIS
  • Messages Analyzed per Month
  • 10 Billion Enterprise
  • 100 Billion Consumer

Dynamic Computation Of Reputation Score
Global data monitoring is fueled by the network
effect of real-time information sharing from
thousands of gateway security devices around the
world
Animation slide
54
Shared Global Intelligence
55
TrustedSource Identifies Outbreaks Before They
Happen
11/03/05 A/V Signatures
11/02/05 Other Reputation Systems Triggered
9/12/05 TrustedSource Flagged Zombie
  • 11/01/05 This machine began sending Bagle worm
    across the Internet
  • 11/03/05 Anti-virus signatures were available to
    protect against Bagle
  • Two months earlier, TrustedSource identified this
    machine as not being trustworthy

56
Content Filters Struggle to ID certain spam
57
Image-based spam
Hashbusting Scratches
58
Summary of Benefits
  • Eliminate up to 70% of spam upon receipt of first
    packet
  • Reduce Cost for Message Management
  • TMOS Module: high-performance, cost-effective
    spam blocking at network edge
  • Integrated into BIG-IP to avoid box proliferation
  • Improved Scalability and Message Control
  • Reputation Based Message Distribution and Traffic
    Shaping
  • Slightly increase kill-rate on unwanted email

59
Packaging
License Tiers
MSM for over 100,000 Mailboxes
MSM for up to 100,000 Mailboxes
MSM for up to 75,000 Mailboxes
MSM for up to 50,000 Mailboxes
MSM for up to 25,000 Mailboxes
MSM for up to 10,000 Mailboxes
MSM for up to 5,000 Mailboxes
MSM for up to 1,000 Mailboxes
  • BIG-IP LTM Only
  • Version Support: 9.2 and higher
  • Module: May be added to any
    LTM or Enterprise
  • No Module incompatibilities with other Modules
  • Licensed per BIG-IP by number of mailboxes
  • BIG-IP Platform sizing depends on
  • Email volume
  • Number of BIG-IPs
  • Other functions expected of BIG-IP (additional
    taxes on CPU time)

60
How BIG-IP MSM Works
Internet
Animation slide
61
Spam Volumes Out of Control
[Chart: % of worldwide email that is spam; axis: Percent Spam, Nov 2005 to Oct 2006; labelled values 70 and 85]
62
Hard-to-detect Image Spam is Growing
[Chart: Percent of Total Email, 2006]
63
Reputation-based Security Model
64
Backup Slides
  • Firepass

65
Windows Logon (GINA Integration)
  • Key Features
  • Transparent secure logon to corporate network
    from any access network (remote, wireless and
    local LAN)
  • Non-intrusive and works with existing GINA (no
    GINA replacement)
  • Drive mappings/Login scripts from AD
  • Simplified installation & setup (MSI package)
  • Password mgmt/self-service
  • Customer Benefits
  • Unified access policy mgmt
  • Increased ROI
  • Ease of use
  • Lower support costs

66
Configuring Windows Logon
67
Windows Installer Service
  • Problem
  • Admin user privileges required for network access
    client component updates
  • Solution
  • Provide a user service on the client machine
    which allows component updates without admin
    privileges

68
Network Access Only WebTop
Simplified webtop Interface
Automatically minimizes to system tray
69
Windows VPN Dialer
Simple way to connect for users familiar with
dial-up
70
FirePass Client CLI
  • f5fpc <cmd> <param> where <cmd> options are:
  • start
  • info
  • stop
  • help
  • profile
  • Single sign-on from 3rd party clients (iPass)

71
Auto Remediation
72
Dynamic AppTunnels
  • Feature Highlights
  • No client pre-installation
  • No special admin rights for on-demand component
    install
  • No host file re-writes
  • Broader application interoperability (complex web
    apps, static & dynamic ports)
  • Benefits
  • Lower deployment and support costs
  • Granular access control

73
Configuring Dynamic AppTunnels
74
Better Value than Juniper!
  • More features
  • Additional Software Features included in Base
    Package (1000 & 4100 series)
  • Terminal Server Adapter (Citrix, WTS, VNC)
  • AV & FW checker
  • AppTunnels
  • Additional 4 GB memory in 4140 & 4150
  • Less expensive
  • New SKU/Packages
  • 4100 with 8 GB Failover SKU 4100E-F Priced at
    27,990
  • Factory Install OPT SKU for 4 GB memory (4110,
    4120, 4130, 4100-F only)