F5 Users Group
Presentation By:
Jonathan Spigler, ClearShark
Just a little about me…
• Plymouth State University BS Information Technology
• Came from the Pentagon as contractor
• F5 enthusiast obviously…
• In my spare time
– Golfer …. Well I try
– Scuba
– Brunch
• Getting Married in September
Why I became interested in
These two products…
But Why?...
How my first F5 experience happened
• Needed to solve an authentication problem
– CAC/Smart Card authentication
– Single Sign On Experience (Credential Delegation)
– Work with Active Directory
– Secure
UAG?
Real quick what is UAG?
• Provides remote access to corporate Apps via portal or direct to site
• SSO capabilities between multiple Apps
• Direct Access Server Capabilities
• Very customizable as far as authentication and authentication server options
CAC/SmartCard authentication: Check!
But there was a problem with using JUST UAG to deliver this application…
Good but not good enough…
Shortcomings with UAG native LB and HA
• Not flexible in LB
• Difficult to scale up and scale down UAG servers
• No Geo Failover capabilities!
• Mission critical app needed local and geo fault tolerance
UAG ARRAY to the Rescue
• Easily scale up, scale down UAG
• Geo failover
• Flexible LB methods
• Entire data center down? Operations continue uninterrupted
• BONUS! iRules! HTTP redirect
[Diagram: Site A and Site B, each with a UAG array behind an LTM, with a GTM at each site steering clients between the two sites]
ENTERPRISE AUTHENTICATION SYSTEM
Situation and Current Solution
• Provide authentication capabilities to external DoD customers
• Currently being addressed with Active Directory Accounts
Or
• Application Specific Identity Database
The problem with that…
• Caused AD “Bloat”
• Account Administration Nightmare
• Each app had unique authentication methodology
• Identity Data not authoritative in authentication and authorization process
– Inaccuracies in Identity Data
• Insecure!
Concept of the New Solution!
[Diagram: a complete and authoritative identity database is synced daily to a cached copy; the Authentication Service / Identity Provider (IdP) reads the cached copy via LDAP query, and applications use claims based authentication against the IdP]
Identity Provider and Claims Flow
Identity Provider
- Four headed dragon…
- Made up of four servers:
  Windows WAP
  Windows ADFS
  Custom CAC authentication App
  Windows ADLDS
- Each server has to be accessible by the client over HTTPS, else the app will not work!
- Claim in the form of a SAML token
[Diagram: claims flow numbered in steps 1 through 12 between the client, WAP, ADFS, the custom CAC authentication app and ADLDS (LDAP query), ending with access to the Web Application]
Where does F5 fit in?
With LTM
[Diagram: WAP, ADFS, the custom CAC application and ADLDS each fronted by an LTM virtual server; client and inter-server traffic over HTTPS, ADLDS reached over LDAP]
We need Geo failover…
- Rapid removal and adding of server nodes. Good for troubleshooting and scale out
- Load balance, HA, fault tolerant
- Health checks specific to service
- No single point of failure
- FYI all using the same LTM! Though it looks like 3 different devices
But …
With LTM and GTM
[Diagram: the Site A stack (WAP, ADFS, custom CAC application and ADLDS behind LTM, HTTPS and LDAP as before) duplicated at Site B, with a GTM at each site directing clients to an available site]
Benefits of GTM
- Protect from entire data center or support infrastructure failure
- Fail clients to Site B servers if Site A servers need maintenance
HA at both local and geo levels
Looking Back…
How could we improve the previous solutions? APM
What is APM?
What is it?
• Big-IP Module
• Centralized Access Control
• Policy Driven Application access control
• Visual Policy Editor (VPE)
• Flexible authentication methods and AAA servers
• Simplified user SSO experience
• Big-IP APM can be a SAML IDP(s) and (s)SP!
What Can this do?
• Simplify Architecture
• Simplify Management and Troubleshooting
• Flexibility in authentication work flows using Visual Policy Editor
Visual Policy example
Improve First Solution
APM
- Remove UAG
- Replace with APM Policy
- Use LTM still for Load Balancing
- APM will do: CAC authentication, Certificate Checking, Credential Delegation, SSO
What did this do for us?
• Simplify the architecture
• Save Operational cost and time
• Better Meet SLAs
• Better detail on end user context and device (remove obscurity)
• Option to create more dynamic authentication flows to meet a broader audience if needed
• Oh also… UAG is End of Life as of April 2015.
What about the Enterprise Authentication Solution?
APM
What can APM do for us in relation to claims flow?
- APM became the SAML IDP!
- Simplify Claims flow
- Flexibility in authentication
- Supported platform as opposed to a custom developed app
What can APM do for us operationally?
- Reduce complexity.. A lot
- Supported, documented platform
- Reduce troubleshooting pains
  Session Management
  Logging and Alerts!
  Session ID for reference!
What about the Enterprise Authentication Solution?
[Diagram: Site A and Site B, each with LTMs, a GTM and an APM]
What can APM do for our infrastructure?
- Reduce the number of servers to manage
- Reduce complexity for operations
  Meet SLAs
  Less angry customers
- Better insight to client and connecting device
VPE Example of IDP Policy
Some References
• Microsoft's Guide to Claims Based Authentication https://msdn.microsoft.com/en-us/library/ff423674.aspx
• F5 APM https://f5.com/products/modules/access-policy-manager
• F5 Smart Card KCD https://www.f5.com/pdf/deployment-guides/kerberos-constrained-delegation-dg.pdf
• F5 SAML IDP https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/2.html
Thank You
Questions
Appendix
Real quick…What are Claims?
• Assertion of one’s self or another subject in the form of a token
• Decouples authentication from the App
• Centralize authentication
• Usually represented in the form of SAML tokens
• Commonly used in Web Authentication situations
• Secured by HTTPS
• Single Sign on
Example of the claims carried in a token:
Name: Jonathan Charles Spigler
Height: 6 ft
Eye Color: Hazel
Hair: None…
Organization: ClearShark
Position: Systems Engineer
EmployeeID: 1234567890
Email: jonathan@clearshark.com
Building: Building A
Phone Number: 555-5555
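The claims slide above and the "Claim in the form of SAML token" point in the claims-flow section both describe attributes asserted about a subject inside a token. As an added example (not code from the presentation or from F5), this builds a minimal SAML 2.0 assertion carrying the slide's sample attributes and shows the checks a relying party such as the web application (or APM acting as SP) performs before trusting them; the issuer and audience URLs are constructed placeholders, and signature verification is assumed to have happened first.

```python
"""Minimal SAML 2.0 assertion carrying the deck's sample claims, and the checks
a relying party makes before trusting them. Added example: the issuer, audience
and attribute names are constructed, not taken from the presentation."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "%Y-%m-%dT%H:%M:%SZ"
IDP = "https://idp.example.mil/adfs/services/trust"  # constructed issuer (the IdP)
SP = "https://app.example.mil/"                       # constructed audience (the web app)

def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime(FMT)

def _ts(iso):
    return datetime.strptime(iso, FMT).replace(tzinfo=timezone.utc).timestamp()

def build_assertion(claims, now_ts, issuer=IDP, audience=SP, lifetime_s=300):
    """Serialise claims into an (unsigned) assertion valid for lifetime_s seconds."""
    attrs = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
                    f'</saml:AttributeValue></saml:Attribute>' for k, v in claims.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" Version="2.0">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Conditions NotBefore="{_iso(now_ts)}" NotOnOrAfter="{_iso(now_ts + lifetime_s)}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>')

def validate_assertion(xml_text, now_ts, issuer=IDP, audience=SP):
    """Return the claims as a dict if issuer, validity window and audience all check
    out; raise ValueError otherwise. A real SP verifies the IdP's XML signature first."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now_ts < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if audience not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        raise ValueError("assertion was issued for a different application")
    return {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
            for a in root.find("saml:AttributeStatement", NS)}

def accepted(xml_text, now_ts, **kw):
    """True when the SP would admit the user, False on any rejection."""
    try:
        validate_assertion(xml_text, now_ts, **kw)
        return True
    except ValueError:
        return False

SAMPLE_CLAIMS = {"Name": "Jonathan Charles Spigler", "Organization": "ClearShark",
                 "Position": "Systems Engineer", "EmployeeID": "1234567890",
                 "Email": "jonathan@clearshark.com"}
```

The audience and validity checks are what stop a token minted for one application from being replayed against another or long after the user's session ended.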