Thinking about SDN and whether it is the right approach for your organization?
4 likes1,339 views
The document outlines the agenda and key topics of an F5 Networks information session focusing on software-defined application services, customer technology challenges, and architecture solutions for modern data centers. It discusses the impact of increasing application services, the need for robust security measures, and the integration of F5 products with Cisco's application-centric infrastructure for optimized network management. Additionally, it highlights reference architectures designed to address DDoS protection and other operational complexities in cloud environments.
![High-Performance Services Fabric
Network [Physical • Overlay • SDN]
Virtual Edition ChassisAppliance](https://image.slidesharecdn.com/f5synthesisciscoconnect-140504115654-phpapp02/85/Thinking-about-SDN-and-whether-it-is-the-right-approach-for-your-organization-15-320.jpg)
![High-Performance Services Fabric
On-Demand Scaling All-Active Clustering Multi-Tenancy
ScaleN
TMOS TMOS TMOS TMOS
Network [Physical • Overlay • SDN]](https://image.slidesharecdn.com/f5synthesisciscoconnect-140504115654-phpapp02/85/Thinking-about-SDN-and-whether-it-is-the-right-approach-for-your-organization-16-320.jpg)
![High-Performance Services Fabric
Throughput Connections
per second
Concurrent
connections
Multi-tenant
instances per device
Device service
clusters
Network [Physical • Overlay • SDN]*40K when combining
admin instances with vCMP](https://image.slidesharecdn.com/f5synthesisciscoconnect-140504115654-phpapp02/85/Thinking-about-SDN-and-whether-it-is-the-right-approach-for-your-organization-17-320.jpg)
![High-Performance Services Fabric
Network [Physical • Overlay • SDN]
Virtual Edition ChassisAppliance
Data Plane
Programmability
Control Plane Management Plane](https://image.slidesharecdn.com/f5synthesisciscoconnect-140504115654-phpapp02/85/Thinking-about-SDN-and-whether-it-is-the-right-approach-for-your-organization-18-320.jpg)
![High-Performance Services Fabric
Network [Physical • Overlay • SDN]
Virtual Edition ChassisAppliance
Data Plane
Programmability
Control Plane Management Plane](https://image.slidesharecdn.com/f5synthesisciscoconnect-140504115654-phpapp02/85/Thinking-about-SDN-and-whether-it-is-the-right-approach-for-your-organization-19-320.jpg)
![© F5 Networks, Inc 39
Recommended Practices Configuration Guide
2.3.2.5 Throttle GET Request Floods via Script
The F5 DevCentral community has developed several powerful iRules that automatically throttle
GET requests. Customers are continually refining these to keep up with current attack
techniques.
Here is one of the iRules that is simple enough to be represented in this document. The live
version can be found at this DevCentral page: HTTP-Request-Throttle
when RULE_INIT {
# Life timer of the subtable object. Defines how long this object exist in the subtable
set static::maxRate 10
# This defines how long is the sliding window to count the requests.
# This example allows 10 requests in 3 seconds
set static::windowSecs 3
set static::timeout 30
}
when HTTP_REQUEST {
if { [HTTP::method] eq "GET" } {
set getCount [table key -count -subtable [IP::client_addr]]
if { $getCount < $static::maxRate } {
incr getCount 1
table set -subtable [IP::client_addr] $getCount "ignore" $static::timeout $static::windowSecs
} else {
HTTP::respond 501 content "Request blockedExceeded requests/sec limit."
return
}
}
}
Another iRule, which is in fact descended from the above, is an advanced version that also
includes a way to manage the banned IPs address from within the iRule itself:
· URI-Request Limiter iRule – Drops excessive HTTP requests to specific URIs or from an IP
2.3.2.4 Enforce Real Browsers
Besides authentication and tps-based detection (section Error! Reference source not found.),
there are additional ways that F5 devices can separate real web browsers from probable bots.
The easiest way, with ASM, is to create a DoS protection profile and turn on the “Source IP-
Based Client Side Integrity Defense” option. This will inject a JavaScript redirect into the client
stream and verify each connection the first time that source IP address is seen.
Figure 1. Insert a Javascript Redirect to verify a real browser
32 Page Detailed Guide…](https://image.slidesharecdn.com/f5synthesisciscoconnect-140504115654-phpapp02/85/Thinking-about-SDN-and-whether-it-is-the-right-approach-for-your-organization-39-320.jpg)
Thinking about SDN and whether it is the right approach for your organization?
- 1. April, 2014 F5 Synthesis Information Session
- 2. Agenda • Welcome and Introduction to Customer Technology Challenges • Software Defined Application Services • Reference Architectures for Today’s Customer Challenges • Total Cost of Ownership and New Business Models • Multi-network Environment and Partner Ecosystem • Making it Happen with Global Services • Q & A
- 3. © F5 Networks, Inc 3 Mobility SDDC/Cloud Advanced threats Internet of Things “Software defined” everything HTTP is the new TCP
- 4. © F5 Networks, Inc 4 Impact on Data Center Architecture: Applications MICRO-ARCHITECTURES Each service is isolated and requires its own: • Load balancing • Authentication / authorization • Security • Layer 7 Services • May be API-based, expanding services required API DOMINANCE Proxies are used in emerging API-centric architectures for: • API versioning • Client-based steering • API Load balancing • Metering & billing • API key management Service A Service C Service B Service D API v1 API v2 More intelligence needed in servicesMore applications need services
- 5. © F5 Networks, Inc 5 Impact on Data Center Architecture: Network SOLUTION SPRAWL Increasing threats and client platforms result in need for: • Mobile device management • Mobile access management • Mobile security • DDoS • Application layer threats • Malware OPERATIONAL INCONSISTENCY Introduction of off-premise cloud solutions without architectural parity results in: • Inconsistent enforcement of business and operational policies • Unpredictable application performance and security • Increased OpEx as new management paradigms are introduced SaaS
- 6. “Leave No Application Behind”
- 7. © F5 Networks, Inc 7 DDoS WAF SSL LTE 1000 Average number of applications deployed within an enterprise Applications require services Acceleration
- 8. © F5 Networks, Inc 8 The selected few
- 9. © F5 Networks, Inc 9 ADC ADC ADC ADC ADC ADC
- 10. © F5 Networks, Inc 10 High-Performance Fabric Application Services BIG-IP BIG-IP BIG-IP BIG-IP BIG-IP BIG-IP
- 11. © F5 Networks, Inc 11© F5 Networks, Inc. 11
- 12. © F5 Networks, Inc 12 Software Defined Application Services4 The 4th Phase of the Evolution Application Delivery Controller1 Broadened Application Services2 Cloud Ready3 © F5 Networks, Inc. 12
- 13. © F5 Networks, Inc 13 Software Defined Application Services Elements High-Performance Services Fabric Simplified Business Models
- 14. © F5 Networks, Inc 14 Software Defined Application Services Elements High-Performance Services Fabric
- 15. High-Performance Services Fabric Network [Physical • Overlay • SDN] Virtual Edition ChassisAppliance
- 16. High-Performance Services Fabric On-Demand Scaling All-Active Clustering Multi-Tenancy ScaleN TMOS TMOS TMOS TMOS Network [Physical • Overlay • SDN]
- 17. High-Performance Services Fabric Throughput Connections per second Concurrent connections Multi-tenant instances per device Device service clusters Network [Physical • Overlay • SDN]*40K when combining admin instances with vCMP
- 18. High-Performance Services Fabric Network [Physical • Overlay • SDN] Virtual Edition ChassisAppliance Data Plane Programmability Control Plane Management Plane
- 19. High-Performance Services Fabric Network [Physical • Overlay • SDN] Virtual Edition ChassisAppliance Data Plane Programmability Control Plane Management Plane
- 20. Software Defined Application Services
- 21. © F5 Networks, Inc 21 Software Defined Application Services F5 Software Defined Application Services (SDAS) A rich set of services that address the delivery challenges faced by businesses today.
- 22. © F5 Networks, Inc 22 Software Defined Application Services Availability Authoritative DNS Cloud Bursting CGNAT Disaster Recovery Business Continuity Global Load Balancing Intelligent EPC node selection Global Server LB Global Server LB DNS Caching & Resolving Load Balancing
- 23. © F5 Networks, Inc 23 Software Defined Application Services PerformanceAccelerationCaching Optimization SPDY Gateway Application Optimization Traffic Shaping and QoS Compression Web Performance Optimization Traffic Management
- 24. © F5 Networks, Inc 24 Software Defined Application Services Access & Identity Cloud Federation Endpoint Inspection Single Sign-OnAccess Control SAML Federation SSL VPNAnti-Malware Web Access Management Active Sync Proxy Secure Web Gateway .
- 25. © F5 Networks, Inc 25 Software Defined Application Services Security DNSSEC ADF Anti-Fraud WAF DDoS SSL VPN Anti-Phishing DNS Security SSL intelligence SSL Inspection Programmability
- 26. © F5 Networks, Inc 26 Software Defined Application Services Elements
- 27. Fabric Connectors Module Connectors Cloud Connectors Orchestration Connectors Intelligent Services Orchestration BIG-IQ •Rest API
- 28. Completing the SDN Stack F5 BIG-IQ OPEN REST APIs LAYER 2-3 LAYER 4-7 SDN Controller BIG-IQ Security™ BIG-IQ Cloud™ BIG-IQ Device™ NBI NBI NVGRE VXLAN ETC… Control Plane Application Plane Data Plane Software-DefinedDataCenter Virtual Networks Service Chaining
- 29. Public CloudHybrid Cloud BIG-IP BIG-IP Data Center Centralized Management Platform BIG - IQBIG - IQ
- 31. Software Defined Application Services Elements Simplified Business Models
- 32. Good | Better | Best Flexibility Make it easier to adopt advanced F5 functionality Simplicity Consolidate into fewer common configurations BestValue Save when purchasing bundles Good Better Best VE Price Comparison Bought As Bundle Bought As Components Good Better Best Appliance Comparison BIG-IP Local Traffic Manager BIG-IP Global Traffic Manager Application Acceleration Manager BIG-IP Application Protection SDN Service Advanced Routing BIG-IP Access Policy Manager BIG-IP Application Security Manager
- 33. Reference Architectures For Today’s Customer Challenges
- 34. © F5 Networks, Inc 34 Reference Architectures Device, Network, Applications Bill of Materials • White Paper (Business) • Solution diagram(s) • Architecture diagram(s) • Product map diagram(s) • Customer Presentation • Solution Animation/Video • White paper (Technical) • Placemat leave-behind © F5 Networks, Inc. DDoS Protection S/Gi Network Simplification Security for Service Providers Application Services Migration to Cloud DevOps LTE Roaming Intelligent DNS Scale Cloud Federation Cloud Bursting
- 35. © F5 Networks, Inc 35 Reference Architectures Solution Documents…
- 36. © F5 Networks, Inc 36 DDoS Protection Reference Architecture Legitimate Users Threat Feed Intelligence DDoS Attacker ISPa/b Cloud Scrubbing Service Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning IPS Next-Generation Firewall Tier 2 SSL attacks: SSL renegotiation, SSL flood HTTP attacks: Slowloris, slow POST, recursive POST/GET Application Corporate Users Financial Services E-Commerce Subscriber Tier 2 Threat Feed Intelligence Strategic Point of Control Multiple ISP strategy Network and DNS Tier 1
- 37. © F5 Networks, Inc 37 DDoS Protection Reference Architecture Legitimate Users Threat Feed Intelligence DDoS Attacker ISPa/b Cloud Scrubbing Service Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning IPS Next-Generation Firewall Tier 2 SSL attacks: SSL renegotiation, SSL flood HTTP attacks: Slowloris, slow POST, recursive POST/GET Application Corporate Users Financial Services E-Commerce Subscriber Tier 2 Threat Feed Intelligence Strategic Point of Control Multiple ISP strategy Network and DNS Tier 1 • The first tier at the perimeter is layer 3 and 4 network firewall services • Simple load balancing to a second tier • IP reputation database • Mitigates volumetric and DNS DDoS attacks TIER 1 KEY FEATURES
- 38. © F5 Networks, Inc 38 DDoS Protection Reference Architecture Legitimate Users Threat Feed Intelligence DDoS Attacker ISPa/b Cloud Scrubbing Service Scanner Anonymous Proxies Anonymous Requests Botnet Attackers Network attacks: ICMP flood, UDP flood, SYN flood DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning IPS Next-Generation Firewall Tier 2 SSL attacks: SSL renegotiation, SSL flood HTTP attacks: Slowloris, slow POST, recursive POST/GET Application Corporate Users Financial Services E-Commerce Subscriber Tier 2 Threat Feed Intelligence Strategic Point of Control Multiple ISP strategy Network and DNS Tier 1 • The second tier is for application-aware, CPU-intensive defense mechanisms • SSL termination • Web application firewall • Mitigate asymmetric and SSL-based DDoS attacks TIER 2 KEY FEATURES
- 39. © F5 Networks, Inc 39 Recommended Practices Configuration Guide 2.3.2.5 Throttle GET Request Floods via Script The F5 DevCentral community has developed several powerful iRules that automatically throttle GET requests. Customers are continually refining these to keep up with current attack techniques. Here is one of the iRules that is simple enough to be represented in this document. The live version can be found at this DevCentral page: HTTP-Request-Throttle when RULE_INIT { # Life timer of the subtable object. Defines how long this object exist in the subtable set static::maxRate 10 # This defines how long is the sliding window to count the requests. # This example allows 10 requests in 3 seconds set static::windowSecs 3 set static::timeout 30 } when HTTP_REQUEST { if { [HTTP::method] eq "GET" } { set getCount [table key -count -subtable [IP::client_addr]] if { $getCount < $static::maxRate } { incr getCount 1 table set -subtable [IP::client_addr] $getCount "ignore" $static::timeout $static::windowSecs } else { HTTP::respond 501 content "Request blockedExceeded requests/sec limit." return } } } Another iRule, which is in fact descended from the above, is an advanced version that also includes a way to manage the banned IPs address from within the iRule itself: · URI-Request Limiter iRule – Drops excessive HTTP requests to specific URIs or from an IP 2.3.2.4 Enforce Real Browsers Besides authentication and tps-based detection (section Error! Reference source not found.), there are additional ways that F5 devices can separate real web browsers from probable bots. The easiest way, with ASM, is to create a DoS protection profile and turn on the “Source IP- Based Client Side Integrity Defense” option. This will inject a JavaScript redirect into the client stream and verify each connection the first time that source IP address is seen. Figure 1. Insert a Javascript Redirect to verify a real browser 32 Page Detailed Guide…
- 41. © F5 Networks, Inc 41 Completing the SDN Stack F5 BIG-IQ OPEN REST APIs LAYER 2-3 LAYER 4-7 SDN Controller BIG-IQ Security™ BIG-IQ Cloud™ BIG-IQ Device™ NBI NBI NVGRE VXLAN ETC… Control Plane Application Plane Data Plane Software-DefinedDataCenter Virtual Networks Service Chaining
- 42. © F5 Networks, Inc 42 F5 Platforms Hardware | Software | Cloud Programmability F5 SDAS Service Fabric Programmability BIG IQ Cloud Provisioning and orchestration of BIG-IP in AWS Two-way communication Configure application networking services Automated network and service provisioning Auto-scaling, application provisioning, and automated system maintenance and patching. Automate network and service provisioning, Integrate network virtualization and ADN services Partner Integration with Synthesis
- 43. Cisco ACI Design Philosophy
- 44. Why Cisco/ACI matters for Customers • Cisco and F5 share a common vision for simplifying networking end to end by taking an application-centric approach to solving key pain points in customer’s next generation data centers while meeting their critical data center requirements today. • Working with Cisco on Application Centric Infrastructure, F5 has a unique opportunity to deliver on vision of shaping infrastructure to the needs of the applications. • Cisco ACI integrates F5 Big-IP appliances (physical and virtual) to deliver application-centric, ADC-enabled network automation in existing and next generation data centers
- 45. © F5 Networks, Inc. Benefits Drive Increase Reduce Future 45
- 46. SDDC/Cloud