
F5 Networks

Traffic Management by Design

Presented by:
Jürg Wiesmann
Field System Engineer, Switzerland
jürg.wiesmann@f5.com


Company Snapshot
Leading provider of solutions
that optimize the security,
performance & availability of
IP-based applications

Founded 1996 / Public 1999

Approx. 1,010 employees

FY05 Revenue: $281M

FY06 Revenue: $394M

– 40% Y/Y Growth

Clear Leader in Application Delivery
Gartner Magic Quadrant for Application Delivery Products (Source: Gartner, December 2005)
(Chart: vendors plotted by Ability to Execute against Completeness of Vision, in the quadrants Leaders, Challengers, Visionaries and Niche Players. Vendors shown: F5 Networks, Citrix Systems (NetScaler), Cisco Systems, Radware, Juniper Networks (Redline), Akamai Technologies, Nortel Networks, Netli, Stampede Technologies, Coyote Point Systems, Array Networks, Zeus Technology, Foundry Networks, NetContinuum.)

• “F5 continues to build on the momentum generated by the release of v9.0. It commands over 50% market share in the advanced platform ADC segment and continues to pull away from the competition.”

• “F5 is one of the thought leaders in the market and offers growing feature richness. It should be high on every enterprise's shortlist for application delivery.”

What CEOs, CFOs and CIOs Are Interested In
• Low investment costs
– Reducing load on the server infrastructure
• Low service costs
– Simple problem, change and release management
– Fewer service windows
– Less work during service windows
– Simple, secure and stable environments
• High availability

Problem: Networks Aren’t Adaptable Enough
• Symptoms: new security hole, high cost to scale, slow performance
• Network administrator: traditional networks are focused on connectivity
• Application developer: applications focus on business logic and functionality

How Do You Fix the Problem?
• Multiple point solutions? More bandwidth?
• Network administrator: add more infrastructure?
• Application developer: hire an army of developers?

A Costly Patchwork
• Users: mobile phone, PDA, laptop, desktop
• Point solutions in between: DoS protection, IPS/IDS, SSL acceleration, rate shaping/QoS, network firewall, application load balancer, content transformation, proxy, acceleration/compression, WAN optimization, traffic compression, application firewall
• Applications: SFA, CRM, ERP, custom application, co-location

The Better Application Delivery Alternative
• The old way vs. the F5 way
• First with integrated application security

F5’s Integrated Solution
• Users: mobile phone, PDA, laptop, desktop
• One Application Delivery Network (TMOS) in between
• Applications: CRM, database, Siebel, BEA, legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, custom, co-location

The F5 Application Delivery Network
• TMOS platform between users and applications across the international data center
• BIG-IP Global Traffic Manager, BIG-IP Local Traffic Manager, BIG-IP Link Controller, BIG-IP Web Accelerator, BIG-IP Application Security Manager, WANJet, FirePass
• iControl & iRules; Enterprise Manager

F5 Networks Remote Access Today
Presented by: Jürg Wiesmann, Field System Engineer, Switzerland, jürg.wiesmann@f5.com

Current Issues
• Mobile workforce: unreliable access, worm/virus propagation, high support costs
• Employee on home PC / public kiosk: limited application support, lack of data integrity, reduced user efficiency
• Business partners: complex access controls, no application-level audits, high support costs
• Systems or applications: complex API, unreliable access, high support costs

IPSec Provides Transparent Network Access, BUT…
• Needs a preinstalled client
• Does not work well with NAT (ESP carries no port numbers for a NAT device to rewrite, so it needs UDP encapsulation, NAT-T, supported on both ends)
• No granular application access (network level only)
• Hard to load-balance
• Expensive to deploy

On the Other Hand, SSL VPN…
• No preinstalled client software needed
• Works at the transport layer, as ordinary TCP sessions, so NAT is no problem
• Works on port 80/443, so firewalls and proxies let it through
• Easy to load-balance
• Offers granular application access
• Easy to deploy

Remote Access Requirements
• Any user: employee, partner, supplier
• Any location: hotel, web kiosk, hot spot, desktop
• Any device: laptop, kiosk, home PC, PDA/cell phone
• Any application: web, client/server, legacy
• Highly available: global LB, stateful failover, disaster recovery
• Secure: data privacy, device protection, network protection, granular app access, detailed audit trail
• Ease of integration: AAA servers, directories
• Ease of use: clientless, instant access, simple GUI

Why Not Use IPSec?
• The same requirements matrix as the previous slide, held against IPSec

FirePass® Overview
• Any user on any device (laptop, kiosk, mobile device, partner) connects over the Internet, secured by SSL
• FirePass applies dynamic policies and authorizes only the permitted applications
• Access types: portal access, specific application access, intranet/network access

Simplified User Access
• Standard browser: access to applications from anywhere
• Select application: shortcuts automate application connections
• No preinstalled client software required: all access via a web browser

Access Types
• Network Access
• Application Access
– Application tunnels
– Terminal server
– Legacy hosts
– X Windows
• Portal Access
– Web applications
– File browsing (Windows, Unix)
– Mobile e-mail
• Desktop Access (Webtop)

Access Methods Summary
Portal Access
• Benefits: most flexible; any device, any network, any OS; most scalable; browser compatible; secure architecture (application proxy); restricted resource access (enterprise web apps/resources)
• Drawbacks: limited access flexibility; webified enterprise resources; limited non-web applications
Application Access
• Benefits: C/S application access; legacy application access; transparent network traversal; any network; scalable deployment; no network/address configuration; secure architecture (host level); restricted resource access (limited resource access)
• Drawbacks: more limited access; OS/JVM compatibility issues; client security; installation privileges
Network Access
• Benefits: full network access (VPN); no resource restrictions
• Drawbacks: OS/JVM compatibility issues; client security; installation privileges; no transient kiosk access

Adaptive Client Security
• Client types: kiosk/untrusted PC, PDA, laptop, kiosk
• Policy applied per client type: corporate policy, mini-browser policy, cache/temp file cleaner, firewall/virus check
• Resources granted accordingly: client/server applications, full network, terminal, files, intranet, e-mail, servers
• Access is adapted to how far the client can be trusted

Policy Checking with Network Quarantine
• Deep integrity checking
– Specific antivirus checks
– Windows OS patch levels
– Registry settings
• Quarantine policy support
– Ensure policy compliance
– Direct non-compliant clients to a quarantine network (“Please update your machine!”) instead of the full FirePass® network
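The decision logic behind the slide, as an added example (this is not FirePass code): a client integrity report is checked against a corporate policy, and the session lands on the full network only when every check passes. The report fields, the policy values, the antivirus product name and the registry key are all constructed for this example.

```python
"""Endpoint integrity check with network quarantine.

Added example, not FirePass code: it evaluates a client's integrity report
(antivirus product and signature age, OS patch level, registry settings)
against a corporate policy and decides whether the session is placed on
the full network or the quarantine network. Report fields, policy values,
product and registry names are all constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class PostureReport:
    """What the client-side check reports back. Every field is optional on
    purpose: a check that could not run must not pass silently."""
    av_product: Optional[str] = None
    av_definitions: Optional[date] = None   # date of the signature set in use
    os_patch_level: Optional[int] = None    # constructed scale, e.g. service pack number
    registry: Dict[str, str] = field(default_factory=dict)


@dataclass
class Policy:
    approved_av: FrozenSet[str]
    max_definition_age_days: int
    min_patch_level: int
    required_registry: Dict[str, str]


def evaluate(report: PostureReport, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Return ("full" | "quarantine", reasons). Fails closed: a missing
    value counts as a failed check, so an unknown client lands in quarantine."""
    failures: List[str] = []
    if report.av_product not in policy.approved_av:
        failures.append(f"antivirus not approved: {report.av_product!r}")
    if report.av_definitions is None:
        failures.append("antivirus definition date not reported")
    elif (today - report.av_definitions).days > policy.max_definition_age_days:
        failures.append(
            f"antivirus definitions older than {policy.max_definition_age_days} days")
    if report.os_patch_level is None or report.os_patch_level < policy.min_patch_level:
        failures.append(
            f"OS patch level {report.os_patch_level!r} below required {policy.min_patch_level}")
    for key, wanted in policy.required_registry.items():
        actual = report.registry.get(key)
        if actual != wanted:
            failures.append(f"registry {key} = {actual!r}, expected {wanted!r}")
    return ("full" if not failures else "quarantine"), failures


# Constructed sample policy and client reports.
DISK_ENCRYPTION_KEY = r"HKLM\SOFTWARE\Example\DiskEncryption\Enabled"
CORPORATE_POLICY = Policy(
    approved_av=frozenset({"ExampleAV"}),
    max_definition_age_days=7,
    min_patch_level=2,
    required_registry={DISK_ENCRYPTION_KEY: "1"},
)
TODAY = date(2006, 10, 15)


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Run three constructed clients through the policy."""
    reports = {
        "compliant laptop": PostureReport("ExampleAV", date(2006, 10, 12), 2,
                                          {DISK_ENCRYPTION_KEY: "1"}),
        "stale signatures": PostureReport("ExampleAV", date(2006, 9, 1), 2,
                                          {DISK_ENCRYPTION_KEY: "1"}),
        "unknown kiosk": PostureReport(),  # reports nothing: quarantine, never full network
    }
    return {name: evaluate(r, CORPORATE_POLICY, TODAY) for name, r in reports.items()}


if __name__ == "__main__":
    for name, (network, reasons) in demo().items():
        print(f"{name}: {network} {reasons}")
```

The list of reasons is what the quarantine page should show the user; the point of failing closed is that a client whose check did not run (a kiosk with no agent) is treated the same as one that failed it.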

Visual Policy Editor
• Graphically associates a policy relationship between end-points, users and resources

Unique Application Compression
• Results: over 50% faster access
• Supports compression for any IP application
• Faster e-mail & file access
• Works across both dial-up and broadband

30 Minute Install
• NEW Quick Setup enables rapid installation and setup even for non-experts

Enterprise SSO Integration
• FirePass® sits between the Internet and the web servers and applies dynamic policies
• HTTP forms-based authentication
• Single sign-on to all web applications
• Major SSO & identity management vendor support
– Netegrity SiteMinder, Oblix and others

Application Security
• Policy-based virus scanning through ICAP antivirus servers
– File uploads
– Webmail attachments
– Integrated scanner
– Open ICAP interface
• Web application security
– Cross-site scripting
– Buffer overflow
– SQL injection
– Cookie management
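The exchange behind “open ICAP interface”, as an added example (not FirePass code): the gateway wraps the upload in an ICAP REQMOD request (RFC 3507) and sends it to the antivirus server, which answers 204 when the content is clean or 200 with a replacement HTTP message when it is not. The server name, service path, the X-Infection-Found header and the stand-in scanner are constructed for this example.

```python
"""ICAP REQMOD exchange for scanning an HTTP file upload.

Added example, not FirePass code: builds the ICAP request (RFC 3507) that
a gateway sends to an antivirus ICAP server for an incoming upload and
turns the reply into an allow/deny decision. 204 No Content means the
scanner has nothing to change (clean); 200 OK carries a replacement HTTP
message (the upload was blocked or altered). The server name, service
path, X-Infection-Found header and the stand-in scanner are constructed.
"""
from typing import Callable, Dict

CRLF = b"\r\n"
ICAP_HOST = "av-scanner.example"   # assumption: the antivirus ICAP server
SERVICE = "reqmod"                 # assumption: the service path it exposes


def build_reqmod(http_headers: bytes, body: bytes) -> bytes:
    """Wrap an HTTP request (headers + body) in an ICAP REQMOD message.
    Encapsulated gives the byte offset of each HTTP section inside the
    ICAP body; the HTTP body itself must be sent chunked."""
    if not http_headers.endswith(CRLF + CRLF):
        raise ValueError("HTTP headers must end with an empty line")
    icap_head = (
        f"REQMOD icap://{ICAP_HOST}/{SERVICE} ICAP/1.0\r\n"
        f"Host: {ICAP_HOST}\r\n"
        "Allow: 204\r\n"   # we accept "no modification needed" without an echoed body
        f"Encapsulated: req-hdr=0, req-body={len(http_headers)}\r\n"
        "\r\n"
    ).encode("ascii")
    chunked = f"{len(body):x}\r\n".encode("ascii") + body + CRLF + b"0\r\n\r\n"
    return icap_head + http_headers + chunked


def parse_icap_response(raw: bytes) -> Dict[str, object]:
    """Split an ICAP reply into status code, headers and the encapsulated part."""
    head, _, encapsulated = raw.partition(CRLF + CRLF)
    status_line, *header_lines = head.decode("ascii", "replace").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]), "headers": headers, "encapsulated": encapsulated}


def scan_upload(http_headers: bytes, body: bytes,
                send: Callable[[bytes], bytes]) -> Dict[str, object]:
    """Ask the scanner about one upload. Fails closed: a scanner that is
    down or answers nonsense denies the upload instead of letting unscanned
    content through."""
    try:
        reply = parse_icap_response(send(build_reqmod(http_headers, body)))
    except (OSError, ValueError) as exc:
        return {"allow": False, "reason": f"scanner unavailable: {exc}"}
    if reply["status"] == 204:
        return {"allow": True, "reason": "clean"}
    if reply["status"] == 200:
        # Some antivirus ICAP servers name the threat in X-Infection-Found
        # (vendor extension, assumed here); otherwise the content was modified.
        threat = reply["headers"].get("x-infection-found", "content replaced by scanner")
        return {"allow": False, "reason": threat}
    return {"allow": False, "reason": f"unexpected ICAP status {reply['status']}"}


# --- constructed stand-in for the ICAP antivirus server, so the example runs offline ---
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def fake_av_server(request: bytes) -> bytes:
    """Answers 204 for clean content and 200 with a block page for EICAR."""
    if not request.startswith(b"REQMOD "):
        return b"ICAP/1.0 400 Bad Request\r\n\r\n"
    if EICAR in request:
        block_page = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
        return (b"ICAP/1.0 200 OK\r\n"
                b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
                b"Encapsulated: res-hdr=0, null-body=%d\r\n\r\n" % len(block_page)
                + block_page)
    return b"ICAP/1.0 204 No Content\r\n\r\n"


def unreachable_server(_request: bytes) -> bytes:
    """Constructed transport failure: the scanner is down."""
    raise OSError("connection refused")


# Constructed upload request headers (a webmail attachment POST).
UPLOAD_HEADERS = (b"POST /upload HTTP/1.1\r\nHost: webmail.example\r\n"
                  b"Content-Type: application/octet-stream\r\n\r\n")
```

Replace `fake_av_server` with a function that writes `build_reqmod(...)` to a TCP socket on port 1344 and reads the reply to talk to a real ICAP server; the fail-closed branch is the part worth keeping, since a scanner outage that silently allows uploads is the gap an attacker waits for.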

Product Lines

FirePass Product Line
A product sized and priced appropriately for every customer
FirePass 1200 (medium enterprise, 25 to 500 employees)
• 25–100 concurrent users
• Comprehensive access
• End-to-end security
• Flexible support
• Failover
FirePass 4200 (large enterprise, 500+ employees)
• 100–2000 concurrent users
• High performance platform
• Comprehensive access
• End-to-end security
• Flexible support
• Failover
• Cluster up to 10

FirePass Failover
• Redundant pair (separate SKU): an active unit and a hot standby between the Internet and the intranet application servers
– Stateful failover provides uninterrupted failover for most Internet applications (e.g. VPN connector)
• Single management point
– The active unit is configured; configuration and state information is periodically synchronized to the standby
– The active unit determines the software configuration and the number of concurrent users

FirePass 4100 Clustering
• Up to 10 servers can be clustered for up to 20,000 concurrent users
– The cluster master randomly distributes user sessions across the cluster nodes
– Distributed clusters (e.g. different sites) are supported
• Single management point
– The master server is configured; configuration information is periodically synchronized to the nodes
• Second FP 4100 required
– Software features purchased on the 2nd server

Case Study: FirePass® vs IPSec Client
300 end user accounts, high availability configuration

Rollout        IPSec Client      FirePass          Savings
Engineering    120 hrs           20 hrs            100 hrs
Help desk      200 hrs           60 hrs            140 hrs
End user       1 hr+ per user    0.5 hr per user   0.5 hr x 300 = 150 hrs

Sustaining     IPSec Client      FirePass          Savings
Engineering    1.5 hrs/day       0.5 hrs/day       1 hr/day
Help desk      5 hrs/day         2 hrs/day         3 hrs/day
End user       0                 0                 0

• Savings: 390 hours for rollout, 20 hours/week sustaining
• 80% user callback for the IPSec client, 15% for FirePass
• 25 users unable to use the IPSec client
• 2 specific hotel room issues with FirePass

Summary of Benefits
• Increased productivity
– Secure access from any device, anywhere
– No preinstalled VPN clients
• Reduced cost of ownership
– Lower deployment costs
– Fewer support calls
• Improved application security
– Granular access to corporate resources
– Application layer security and audit trail


Partnerships
• “F5's BIG-IP has been designed into a number of Oracle's mission-critical architectures, such as the Maximum Availability Architecture.” Julian Critchfield, Vice President, Oracle Server Technologies
• “Microsoft welcomes F5 Networks' support of Visual Studio 2005… F5 complements our strategy by providing our mutual customers with a way to interact with their underlying network.” Christopher Flores, Group Product Manager in the .NET Developer Product Management Group at Microsoft Corp.

Services & Support
• Expertise: F5 offers a full range of personalized, world-class support and services, delivered by engineers with in-depth knowledge of F5 products.
• Software Solution Updates: customers with a support agreement receive all software updates, version releases, and relevant hot fixes as they are released, at no cost.
• Fast Replacements: F5 will repair or replace any product or component that fails during the term of your maintenance agreement.
• Full Service Online Tools: Ask F5 and our Web Support Portal.
• Flexibility: whatever your support demands, F5 has a program to fit your needs. Choose from our Standard, Premium, or Premium Plus service levels.

F5 Services
Services & Support
• Expertise: world-class support and services, delivered by engineers with in-depth knowledge of F5 products.
• Software Solution Updates: software updates, version releases, and relevant hot fixes as they are released, at no cost.
• Fast Replacements: F5 will repair or replace any product or component that fails during the term of your maintenance agreement.
• Full Service Online Tools: Ask F5 and our Web Support Portal.
• Flexibility: Standard, Premium, or Premium Plus service levels.
Certified Global Training
• Expert Instruction: with highly interactive presentation styles and extensive technical backgrounds in networking, our training professionals prepare students to perform mission-critical tasks.
• Hands-On Learning: theoretical presentations and real-world, hands-on exercises that use the latest F5 products.
• Knowledge Transfer: direct interaction with our training experts allows students to get more than traditional “text book” training.
• Convenience: Authorized Training Centers (ATCs) strategically located around the world.
Professional Services
• Experience: F5 Professional Services consultants know F5 products and networking inside and out.
• High Availability: our experts work with you to design the best possible high-availability application environment.
• Optimization: our consultants can help you fine tune your F5 traffic management solutions to maximize your network’s efficiency.
• Knowledge Transfer: our professionals will efficiently transfer critical product knowledge to your staff, so they can most effectively support your F5-enabled traffic management environment.
• The result? The expertise you need the first time.

F5 Networks Globally
• International HQ: Seattle
• Regional HQ / support centers: EMEA, Japan, APAC
• F5 regional offices worldwide
• F5 development sites: Spokane, San Jose, Tel Aviv, Tomsk, Belfast (Northern Ireland)

F5 Networks Message Security Module
Presented by: Jürg Wiesmann, Field System Engineer, Switzerland, jürg.wiesmann@f5.com

The Message Management Problem
• Out of 75 billion emails sent worldwide each day, over 70% is spam!
• The volume of spam is doubling every 6–9 months!
• Clogging networks; the cost to protect is increasing
• (Chart: TrustedSource reputation scores, Nov 2005 vs Oct 2006; higher score = worse reputation)

Typical Corporate Pain
• Employees still get spam: some is annoying, some is offensive
• The infrastructure needed to deal with spam is expensive!
– Firewalls
– Servers
– Software (O/S, anti-spam licenses, etc.)
– Bandwidth
– Rack space
– Power
• Budget doesn’t match spam growth
• Legitimate email delivery is slowed due to spam

Why Is This Happening?
• Spam really works! A click rate of 1 in 1,000,000 is successful
• Spammers are smart professionals
– Buy the same anti-spam technology we do
– Develop spam to bypass filters
– Persistence through trial and error
– Blasted out by massive controlled botnets
• Professional spammers have
– Racks of equipment
– Every major filtering software and appliance available
– Engineering staff

It’s Not Just Annoying… It Can Be Dangerous
• 2% of all email globally contains some sort of malware
– Phishing
– Viruses
– Trojans (zombies, spyware)

High Cost of Spam Growth
• Spam volume increases, so bandwidth usage increases, load on firewalls increases, load on existing messaging security systems increases, and emails slow down
• Needlessly uses up rack space, power, admin time…
• (Diagram: DMZ firewall, messaging security, email servers)

MSM Blocking at the Edge
• First tier: BIG-IP MSM terminates 70% of the spam at the SMTP EHLO greeting (“e hello”), before any message content is accepted
• Second tier: the existing messaging security server filters out a further 10% to 20% of the spam
• Mail servers receive only what is left
• Works with any anti-spam solution

Why TrustedSource?
• Industry leader: solid Gartner reviews & MQ; IDC market share leader
• Superior technology
• Stability

TrustedSource: Leading IP Reputation DB
• View into over 25% of email traffic
• 50M+ IP addresses tracked globally
• Data from 100,000+ sources, including 8 of the 10 largest ISPs
• Millions of human reporters and honeypots

TrustedSource
• Global data monitoring: IntelliCenters in London, Portland, Atlanta, Hong Kong and Brazil
• Messages analyzed per month: 10 billion enterprise, 100 billion consumer
• Automated analysis: dynamic computation of a reputation score, from bad to good
• Global data monitoring is fueled by the network effect of real-time information sharing from thousands of gateway security devices around the world

Shared Global Intelligence
Physical world
• Deploy agents (police officers) around the globe: police, Interpol, CIA, FBI
• Global intelligence system shares intelligence information, e.g. criminal history, global fingerprinting system
• Results: accurate detection of offenders; pro-active: stop them from coming into the country
Cyber world
• Deploy security probes around the globe: firewalls, email gateways, web gateways
• IntelliCenter global intelligence system shares cyber communication info, e.g. spammers, phishers, hackers
• Results: accurate detection of bad IPs and domains; pro-active: deny intruders a connection to your enterprise

TrustedSource Identifies Outbreaks Before They Happen
• 9/12/05: TrustedSource identified this machine as not being trustworthy
• 11/01/05: this machine began sending the Bagle worm across the Internet
• 11/02/05: other reputation systems flagged it as a zombie
• 11/03/05: anti-virus signatures were available to protect against Bagle
• TrustedSource flagged the machine two months before the outbreak

Content Filters Struggle to Identify Certain Spam
• Image-based spam
• Hashbusting
• Scratches

Summary of Benefits
• Eliminate up to 70% of spam upon receipt of the first packet
• Reduce the cost of message management
– TMOS module, high performance
– Cost-effective spam blocking at the network edge
– Integrated into BIG-IP to avoid box proliferation
• Improved scalability and message control
– Reputation-based message distribution and traffic shaping
• Slightly increases the kill rate on unwanted email

Packaging
• License tiers, licensed per BIG-IP by number of mailboxes: MSM for up to 1,000 / 5,000 / 10,000 / 25,000 / 50,000 / 75,000 / 100,000 / over 100,000 mailboxes
• Module may be added to any BIG-IP LTM or Enterprise (BIG-IP LTM only)
– No module incompatibilities with other modules
• Version support: 9.2 and higher
• BIG-IP platform sizing depends on:
– Email volume
– Number of BIG-IPs
– Other functions expected of the BIG-IP (additional taxes on CPU time)

How BIG-IP MSM Works
• An inbound SMTP connection arrives from the Internet at the BIG-IP
• BIG-IP queries Secure Computing’s TrustedSource™ IP reputation score over DNS for the connecting IP
• The score decides the path (percentages as given on the slide):
– Bad (70%): drop the first packet and delete subsequent packets
– Bad (10%): error message for clean termination
– Suspicious (20%): slow pool, then the existing messaging security
– Good (20%): fast pool, then the existing messaging security
– Trusted (10%): straight to the email servers
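The triage described on this slide and on “MSM Blocking at the Edge”, as an added example (not BIG-IP MSM code): the connecting IP is looked up with a DNS query before the SMTP banner goes out, and the answer decides between drop, clean 5xx, slow pool, fast pool and direct delivery. The query zone, the way the score is encoded in the DNS answer, the score bands and the sample answers are constructed for this example; TrustedSource’s real query format is not reproduced here.

```python
"""Reputation-based SMTP connection triage at the network edge.

Added example, not BIG-IP MSM code: it models the flow on the slide. The
connecting IP is looked up with a DNS query before the SMTP banner is
sent; bad senders are dropped (or given a clean 5xx), suspicious ones go
to a throttled slow pool and good ones to a fast pool in front of the
existing messaging-security tier, and trusted senders go straight to the
mail servers. The query zone, the score encoding in the DNS answer, the
score bands and the sample answers are constructed for this example;
TrustedSource's real query format is not reproduced here.
"""
import ipaddress
from typing import Callable, Dict, Optional

REPUTATION_ZONE = "reputation.example"   # assumption: a DNSBL-style zone

# Score bands on the slide's scale (higher score = worse reputation). Assumed values.
BAD_FROM, SUSPICIOUS_FROM, GOOD_FROM = 200, 120, 40

# Sources that are never looked up: internal relays and loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Band -> (what happens to the TCP connection, which pool receives it)
ACTIONS = {
    "bad":        ("drop", None),            # drop first packet, discard the rest, no banner
    "suspicious": ("accept", "slow-pool"),   # existing messaging security, rate-limited
    "good":       ("accept", "fast-pool"),   # existing messaging security, full rate
    "trusted":    ("accept", "mail-servers"),
    "unknown":    ("accept", "slow-pool"),   # no data: never drop silently, let the scanner decide
    "internal":   ("accept", "mail-servers"),
}


def reputation_qname(ip: str) -> str:
    """DNSBL convention: reversed octets in front of the zone."""
    addr = ipaddress.IPv4Address(ip)   # rejects anything that is not an IPv4 literal
    return ".".join(reversed(str(addr).split("."))) + "." + REPUTATION_ZONE


def score_from_answer(answer: Optional[str]) -> Optional[int]:
    """Assumed encoding: an A record 127.0.0.<score> carries the 0-255 score;
    no answer (NXDOMAIN) means the IP is unknown."""
    if answer is None:
        return None
    octets = answer.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError(f"unexpected reputation answer {answer!r}")
    return int(octets[3])


def classify(score: Optional[int]) -> str:
    if score is None:
        return "unknown"
    if score >= BAD_FROM:
        return "bad"
    if score >= SUSPICIOUS_FROM:
        return "suspicious"
    if score >= GOOD_FROM:
        return "good"
    return "trusted"


def triage(client_ip: str, resolver: Callable[[str], Optional[str]],
           clean_reject: bool = False) -> Dict[str, object]:
    """Decide the fate of one inbound SMTP connection.

    resolver(qname) stands in for the DNS lookup and returns the A record
    text or None. clean_reject=True swaps the silent drop for an SMTP 554
    after the EHLO, the slide's "error message for clean termination".
    """
    addr = ipaddress.IPv4Address(client_ip)
    if any(addr in net for net in INTERNAL_NETS):
        band, score = "internal", None
    else:
        score = score_from_answer(resolver(reputation_qname(client_ip)))
        band = classify(score)
    action, pool = ACTIONS[band]
    if band == "bad" and clean_reject:
        action = "reject-554"
    return {"ip": client_ip, "score": score, "band": band, "action": action, "pool": pool}


# Constructed DNS answers for documentation-range addresses (RFC 5737), so the
# example runs offline. A missing entry stands for NXDOMAIN.
SAMPLE_ANSWERS = {
    reputation_qname("203.0.113.7"):   "127.0.0.240",  # known spam source
    reputation_qname("198.51.100.20"): "127.0.0.150",  # suspicious
    reputation_qname("198.51.100.30"): "127.0.0.60",   # good
    reputation_qname("192.0.2.5"):     "127.0.0.5",    # trusted partner
}


def sample_resolver(qname: str) -> Optional[str]:
    return SAMPLE_ANSWERS.get(qname)


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.20", "198.51.100.30",
               "192.0.2.5", "192.0.2.99", "10.1.2.3"):
        print(triage(ip, sample_resolver))
```

Two design choices matter more than the thresholds: an IP with no reputation data is routed to the slow pool rather than dropped, so a reputation outage degrades to “scan everything” instead of losing mail, and the silent drop is only the default; `clean_reject` gives the sender a 554 after EHLO, which is what you want when a mis-scored partner is trying to reach you.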

Spam Volumes Out of Control
• (Chart: percent of worldwide email that is spam, 70% in Nov 2005 rising to 85% in Oct 2006)

Hard-to-detect Image Spam is Growing
• (Chart: image spam as percent of total email, scale 0–35%, weekly from April to October 2006)

Reputation-based Security Model
Computing a credit score in the physical world compared with a reputation score in the cyber world:

Step     | Physical world (credit)                                              | Cyber world
Track    | Businesses & individuals                                             | IPs, domains, content, etc.
Compile  | Business transactions: purchases; mortgage, leases; payment transactions | Cyber communication: email exchanges; web transactions; URLs, images
Compute  | Credit score: timely payment; late payment; transaction size          | Reputation score: good IPs, domains; bad; grey (marketing, adware)
Use      | Allow / deny credit: loan; LOC; credit terms                          | Allow / deny communication: stop at FW, web proxy, mail gateway; allow; quarantine


Backup Slides

Firepass

Windows Logon (GINA Integration)
• Key features
– Transparent secure logon to the corporate network from any access network (remote, wireless and local LAN)
– Non-intrusive and works with the existing GINA (no GINA replacement)
– Drive mappings/login scripts from AD
– Simplified installation & setup (MSI package)
– Password management/self-service
• Customer benefits
– Unified access policy management
– Increased ROI
– Ease of use
– Lower support costs

Configuring Windows Logon

Windows Installer Service
• Problem: admin user privileges are required for network access client component updates
• Solution: provide a user service on the client machine which allows component updates without admin privileges
• Caveat: such a service installs components with elevated rights on behalf of an unprivileged user, so it has to verify the origin and signature of every component before installing it, or it becomes a local privilege-escalation path

Network Access Only Webtop
• Simplified webtop interface
• Automatically minimizes to the system tray

Windows VPN Dialer
• Simple way to connect for users familiar with dial-up

FirePass Client CLI
• “f5fpc <cmd> <param>”, where <cmd> is one of: start, stop, info, profile, help
• Single sign-on from 3rd party clients (iPass)

Auto Remediation

Dynamic AppTunnels
• Feature highlights
– No client pre-installation
– No special admin rights for on-demand component install
– No host file re-writes
– Broader application interoperability (complex web apps, static & dynamic ports)
• Benefits
– Lower deployment and support costs
– Granular access control

Configuring Dynamic AppTunnels
• Web apps
• Client/server apps