SECURED ACCESS FOR MOBILE WORKFORCE
ANY DEVICE ANYWHERE
Nattapon Palviriyachot, Solution Consultant
Contents
1. Market Trends and Challenges
2. The F5 Security Approach
3. Addressing Today’s IT Challenges
4. Logging and Reporting
Big Access Trends
How do you provide device freedom and access to applications while maintaining corporate security and data integrity?
• BYOD: 95% of information workers report that they use at least one self-purchased device for work.
• Mobile business: 50% of business devices are expected to be smartphones by 2014.
• Bye-bye PCs: For the first time, smartphones and tablets out-shipped PCs in the 4th quarter of 2010.
• Mobile apps: The number of enterprise customers using mobile-based applications will rise to more than 130 million by 2014. – Juniper Research, March 2010
• HUGE: The world’s mobile worker population will grow to nearly 1.2 billion people by 2013.
Maintaining Security Is Challenging
• Webification of apps: 71% of internet experts predict most people will do work via web or mobile by 2020.
• Device proliferation: 95% of workers use at least one personal device for work; 130 million enterprises will use mobile apps by 2014.
• Evolving security threats: 58% of all e-theft tied to activist groups; 81% of breaches involved hacking.
• Shifting perimeter: 80% of new apps will target the cloud; 72% of IT leaders have or will move applications to the cloud.
Who’s Requesting Access?
Employees, partners, customers and administrators.
Manage access based on identity. IT is challenged to:
• Control access based on user-type and role
• Unify access to all applications
• Provide fast authentication and SSO
• Audit and report access and application metrics
Power of the Platform: Full Proxy Security
F5 Provides Complete Visibility and Control Across Applications and Users
[Diagram: Users – Intelligent Services Platform – Resources]
• Securing access to applications from anywhere
• Protecting your applications regardless of where they live
Security at the Critical Point in the Network
[Diagram: physical and virtual clients – Total Application Delivery Networking Services (remote access, SSL VPN, application firewall) – cloud and storage]
Full Proxy Security
Client-side and server-side stacks, layer by layer:
• Web application: Application health monitoring and performance anomaly detection
• Application: HTTP proxy, HTTP DDoS and application security
• Session: SSL inspection and SSL DDoS mitigation
• Network: L4 Firewall: Full stateful policy enforcement and TCP DDoS mitigation
• Physical
Full Proxy Security: F5’s Approach
TMOS keeps a separate client-side and server-side stack (TCP, SSL, HTTP) joined by the OneConnect proxy on top of the traffic management microkernel (IPv4/IPv6), with the same per-layer controls as above (web application, application, session, network, physical). Optional modules (APM, Firewall) plug in for all F5 products and solutions; iRules and the iControl API sit alongside the stack.
• High-performance HW
• TMOS traffic plug-ins
• High-performance networking microkernel
• Powerful application protocol support
• iControl—External monitoring and control
• iRules—Network programming language
Protecting the Full Footprint
[Diagram: mobile users, customers, partners/suppliers and a hacker reach the enterprise over the Internet; the enterprise headquarters, enterprise data center, enterprise remote office, Internet data center and data center/private cloud are each fronted by the application delivery firewall, application access management & application security, and mobile user access.]
Four Solutions: A summary
Securing access to applications from anywhere
• Mobile user access: Accelerated remote access solution residing at the edge of the network, that brings together SSL VPN, end-point inspection, strong authentication, app acceleration and availability services.
• Application access management: Flexible, high-performance web access and security solution, that provides context-aware, policy-based access to users while simplifying authentication, authorization and accounting (AAA) management.
Protecting your applications regardless of where they live
• Application security: Leading web application firewall and attack protection to reduce the risk to IP and data, while keeping applications secure, fast and available.
• Application delivery firewall: A native, high performance firewall solution that protects the entire infrastructure with full application visibility and control, while scaling to perform under the most demanding conditions.
BIG-IP Access Policy Manager (APM) overview
Secure Access Challenges
Securing access to applications from anywhere: the number of enterprise customers using mobile-based applications will rise to more than 130 million by 2014.
Mobile devices, mobile workers, mobile applications: how do you provide access to enterprise applications to users no matter where they are or what device they are working on, without compromising the security and the integrity of your data and applications?
Approach: Securing access to applications from anywhere
F5 security accelerates application access from any device and location.
With F5: device choice + hybrid deployments = secure access, through:
• Multi-factor authentication
• Endpoint inspection
• Accelerated remote access
• Web and enterprise access management
ENABLE SIMPLIFIED APPLICATION ACCESS with BIG-IP Access Policy Manager (APM)
[Diagram: users reach SharePoint, OWA, cloud services, hosted virtual desktops (APP/OS instances), the directory and web servers (App 1 … App n) through BIG-IP Local Traffic Manager + Access Policy Manager.]
BIG-IP Access Policy Manager (APM)
Unified access and control for BIG-IP
BIG-IP® APM ROI benefits:
• Scales to 100K users on a single device
• Consolidates auth. infrastructure
• Simplifies remote, web and application access control
BIG-IP® APM features:
• Centralizes single sign-on and access control services
• Full proxy L4–L7 access control at BIG-IP speeds
• Adds endpoint inspection to the access policy
• Visual Policy Editor (VPE) provides policy-based access control
• VPE Rules—programmatic interface for custom access policies
• Supports IPv6
*AAA = Authentication, authorization and accounting (or auditing)
Control Access of Endpoints
Ensure strong endpoint security: users reach the web through BIG-IP APM.
Allow, deny or remediate users based on endpoint attributes such as:
• Antivirus software version and updates
• Software firewall status
• Machine certificate validation
Invoke protected workspace for unmanaged devices:
• Restrict USB access
• Cache cleaner leaves no trace
• Ensure no malware enters corporate network
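The allow / deny / remediate branching above, and the BYOD case of an unmanaged device being steered into a protected workspace, written out as a small policy function. This is an added example, not F5's Visual Policy Editor or APM code; the attribute names, the antivirus version and signature-age thresholds and the role-to-application map are assumptions chosen for illustration.

```python
"""Endpoint-inspection access policy, modeled as code.

Added example, not F5's Visual Policy Editor or APM code: it shows the
allow / deny / remediate / protected-workspace branching the slide describes,
so the rules can be read and unit-tested. The attribute names, the antivirus
version and signature-age thresholds, and the role-to-application map are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # managed, healthy device: full access for the role
    REMEDIATE = "remediate"    # managed device failing a check: quarantine + fix instructions
    PROTECTED = "protected"    # unmanaged device: browser-only protected workspace
    DENY = "deny"


@dataclass
class Endpoint:
    """Attributes reported by the endpoint inspection step (all constructed)."""
    machine_cert_valid: bool          # a valid machine certificate marks a corporate-managed device
    av_installed: bool
    av_version: tuple = (0, 0)        # (major, minor)
    av_signatures_age_days: int = 999
    firewall_enabled: bool = False


@dataclass
class AccessResult:
    decision: Decision
    resources: list = field(default_factory=list)   # what the webtop shows
    controls: list = field(default_factory=list)    # session controls applied
    reasons: list = field(default_factory=list)     # audit trail for the report


# Assumed policy thresholds and role map (hypothetical values).
MIN_AV_VERSION = (12, 0)
MAX_SIGNATURE_AGE_DAYS = 7
ROLE_RESOURCES = {
    "Finance": ["Finance app", "CRM"],
    "HR": ["HR app"],
}


def evaluate_access(group: str, ep: Endpoint) -> AccessResult:
    """Decide what one user on one endpoint may reach."""
    # Branch 1: no machine certificate, so the device is unmanaged (BYOD).
    # It never gets network-layer access; it gets a protected workspace that
    # blocks USB and wipes its cache at logout.
    if not ep.machine_cert_valid:
        return AccessResult(
            Decision.PROTECTED,
            resources=["Web portal (browser-delivered apps only)"],
            controls=["restrict USB", "cache cleaner at logout", "no SSL VPN tunnel"],
            reasons=["no valid machine certificate: treated as unmanaged device"],
        )

    # Branch 2: a managed device with no antivirus at all is denied outright.
    if not ep.av_installed:
        return AccessResult(Decision.DENY, reasons=["managed device without antivirus"])

    # Branch 3: managed device, antivirus present; collect every failed check
    # so the remediation page can list all of them at once.
    problems = []
    if ep.av_version < MIN_AV_VERSION:
        problems.append("antivirus %s older than required %s" % (ep.av_version, MIN_AV_VERSION))
    if ep.av_signatures_age_days > MAX_SIGNATURE_AGE_DAYS:
        problems.append("antivirus signatures %d days old" % ep.av_signatures_age_days)
    if not ep.firewall_enabled:
        problems.append("software firewall disabled")
    if problems:
        return AccessResult(
            Decision.REMEDIATE,
            resources=["Remediation page"],
            controls=["quarantine ACL"],
            reasons=problems,
        )

    # Branch 4: every check passed; resources follow the user's role.
    return AccessResult(
        Decision.ALLOW,
        resources=list(ROLE_RESOURCES.get(group, [])),
        controls=["SSL VPN tunnel", "role ACL for %s" % group],
        reasons=["all endpoint checks passed"],
    )


if __name__ == "__main__":
    cases = [
        ("Finance", Endpoint(True, True, (12, 3), 1, True)),     # healthy managed device
        ("HR", Endpoint(False, True, (12, 3), 1, True)),         # BYOD device
        ("HR", Endpoint(True, True, (11, 0), 30, False)),        # managed but out of policy
    ]
    for group, ep in cases:
        r = evaluate_access(group, ep)
        print(group, r.decision.value, r.resources, r.reasons)
```

The reasons list is what ends up in the detailed report later in the deck: a remediation decision is only useful to the help desk if it records which check failed.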
Dynamic End-User Webtop
• Customizable and localizable list of resources
• Adjusts to mobile devices
• Toolbar, help and disconnect buttons
AUTO-CONNECT TO THE VPN
Always connected application access
[Diagram: mobile users connect over the Internet to BIG-IP LTM + APM; branch office, wireless and LAN users on INTERNAL LAN VLAN1/VLAN2 reach BIG-IP LTM VE + APM; both front the virtual desktops (VDI instances on a hypervisor).]
BIG-IP Edge Client
Web-delivered and standalone client
• Mac, Windows, Linux
• iPhone, iPad, iTouch
• Android
• Endpoint inspection
• Full SSL VPN
• Per-user flexible policy
Enable mobility
• Smart connection roaming
• Uninterrupted application sessions
Accelerate access
• Adaptive compression
• Client-side cache
• Client-side QoS
Easily Design Access for iPad
BIG-IP Edge Client Connection, Statistics and Settings
Addressing today’s IT challenges
MOBILE DEVICE SUPPORT / BYOD
Use case
[Diagram: HR and Finance users (User = Finance) on corporate-managed or unmanaged devices are checked against the AAA server before reaching the App Store, Finance and CRM applications.]
• Ensures connecting devices adhere to baseline security posture
• Reduces the risk of malware infecting the corporate network
Configure iOS and Android Access to Applications with BIG-IP Edge Portal
BIG-IP MDM Partnerships
What F5 offers:
• SSL VPN access
• ActiveSync proxy services
• Accelerations
What MDM complements:
• Device management
• Certificate and app provisioning
• Remote wipe
Benefits:
• Simpler deployments
• Centralized control and management
• End-to-end security
Mobile Application Manager (MAM)
F5 Mobile App Manager: a complete mobile application management platform
COMPLIANCE • SECURITY • MANAGEMENT
MAM Components
• F5 Mobile App Manager: device management, secure PIM, app management, enterprise app store
• Mobile App Manager Connect
• F5 Mobile App Manager Workspace: secure PIM, app store, browser
• F5 Mobile App Manager BI: reporting
APM/MAM Integration
SIMPLIFYING VDI
SIMPLIFYING VDI / RDP
Use case
Present OWA, VMware View next to Citrix apps in portal mode:
• Improved scale and reliability
• Better user experience + SSO
• Simplified deployment
• Improved quality of real-time applications
[Diagram: virtual desktops on XenDesktop, RDP and View hypervisors, with an AAA server, are all reached through one portal.]
• Optimize the experience for your users
• Simplify infrastructure and reduce costs
• Unify access control and security
SINGLE NAMESPACE FOR GLOBAL AVAILABILITY
Use case
[Diagram: local and remote users resolve one name via L-DNS and geo-location services at BIG-IP Global Traffic Manager, which monitors three data centers (each BIG-IP LTM+APM) over iQuery.]
Global Traffic Manager improves VDI performance
• Xen App/Desktop users sent to best data center
• Continuous monitoring of entire infrastructure including network & application health
• Automatic failover during outages
• Persistence prevents broken sessions
F5 Networks, Confidential
Enhancing web access management
ENHANCING WEB ACCESS MANAGEMENT
Use case (two-factor authentication)
[Diagram: the administrator creates the policy; an HR user (User = HR) presents a token code (832849), a corporate domain login, the latest AV software and a current O/S, all checked against the AAA server.]
• Proxy the web applications to provide authentication, authorization, endpoint inspection, and more – all tying into Layer 4–7 ACLs through F5’s Visual Policy Editor
AUTHENTICATION ALTERNATIVES TODAY
1. Code in the app
[Diagram: users reach web servers App 1, App 2, App 3, each with its own authentication code, backed by a WAM directory.]
• Costly, difficult to change
• Not repeatable
• Decentralized
• Less secure
AUTHENTICATION ALTERNATIVES TODAY
2. Agents on servers
[Diagram: users reach web servers App 1, App 2, App 3, each running a WAM agent that talks to the WAM policy manager and WAM directory.]
• Difficult to administer
• Interoperability
• Decentralized
• Less secure
AUTHENTICATION ALTERNATIVES TODAY
3. Specialized access proxies
[Diagram: users reach web servers App 1, App 2, App 3 through a WAM proxy (Oracle access mgr.) backed by the WAM policy manager and WAM directory.]
WAM = Web Access Management
• Don’t scale as well
• Often inferior reliability
• Big CAPEX & OPEX
A BETTER ALTERNATIVE
BIG-IP APM and OAM
[Diagram: BIG-IP LTM APM takes the place of the WAM proxy in front of web servers App 1, App 2, App 3, with the WAM policy manager and WAM directory behind it.]
• Replace OAM Proxy with BIG-IP Access Policy Manager (APM)
• Gain superior scalability and high availability
• Benefit from F5’s Unified Application Delivery Services
LTM = Local Traffic Manager
OAM = Oracle Access Manager
RICHER APPLICATION DELIVERY
Additional BIG-IP benefits
[Diagram: BIG-IP LTM APM + ASM or WA performs endpoint security checks for users and provides HA and LB for the virtualized web servers App 1, App 2, App 3 and for the Oracle access mgr. directory.]
• Endpoint inspection
• Scaling and high availability for the application and OAM directory
• Web application security
• Web application acceleration
• Enterprise class architecture (HA, LB for directories)
LTM = Local Traffic Manager
ASM = Application Security Manager
WA = WebAccelerator
OAM = Oracle Access Manager
STREAMLINING EXCHANGE
STREAMLINING EXCHANGE MIGRATION
Use case
[Diagram: Finance, HR and Sales users arriving via Outlook Web Access, Outlook 2007, Outlook Anywhere, Outlook 2010 and Exchange ActiveSync are authenticated against the AAA server and directed by BIG-IP APM.]
• Migrate over time
• Distribute a single URL & let BIG-IP APM direct user
• Manage email access for all devices from all locations and any network
Consolidating App Authentication (SSO)
CONSOLIDATING APP AUTHENTICATION (SSO)
Use case
[Diagram: a Finance user (User = Finance) on a corporate managed device with the latest AV software reaches Salesforce.com and the expense report app after one authentication against the AAA server.]
• Dramatically reduce infrastructure costs; increase productivity
• Provides seamless access to all web resources
• Integrated with common applications
APM SAML
Domain user makes a SAML-supported request for a resource.
[Diagram: the end user (public/private) signs in at Login.f5se.com / Portal.f5se.com in Data center 1, backed by Active Directory and ADFS; the resulting SAML assertion grants access to OWA.f5se.com, Sharepoint.f5se.com and an Apache/Tomcat app in Data center 2 (also with ADFS), including for business partners.]
Accelerating and securing remote access
SECURE, ACCELERATED REMOTE ACCESS
Use case (www.f5.com)
• Fast and secure connections maximize productivity for global users
• Seamless integration minimizes cost and simplifies end user experience
Increase Revenue and Productivity
By dramatically improving the user experience: up to 10x faster page load times, improved mobile performance, better employee productivity.
BIG-IP WebAccelerator improves performance by:
• Implementing front-end optimization (FEO) for mobile and remote acceleration
• Network optimization: TCP/HTTP and SPDY gateway
• Infrastructure and application offload
Front-End Optimization
Intelligent browser referencing
Features:
• Reduced number of round trips
• Utilization of browser to cache static objects
• Transparent to the origin application
• No client to download, no changes to browser
Benefits:
• Lower bandwidth usage for client and server
• Significant reduction in server load
• Significant reduction of page load times!
Front-End Optimization: Content Re-Ordering
[Diagram: four pages shown original vs. re-ordered]
Improve start to display time
• Move CSS style sheets to the top of the HTML
• Move JavaScript to the bottom of the HTML
• User perceives that the page loaded faster
• Actual overall page load time does not change
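The two moves the slide describes, written out as a small re-ordering pass. This is an added example, not WebAccelerator code: it uses regular expressions, which is enough for a well-formed page like the constructed sample inside it; the sample document and the helper names are assumptions, and a real optimizer would parse the HTML properly and let a policy exclude scripts that must run in place (for example ones that call document.write).

```python
"""Content re-ordering as a front-end optimizer does it.

Added example, not WebAccelerator code: stylesheets are moved into <head>
and scripts to the end of <body>, in their original relative order. The
sample page below is constructed for the demonstration.
"""
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
STYLE_RE = re.compile(
    r"<link\b[^>]*\brel=[\"']stylesheet[\"'][^>]*>|<style\b[^>]*>.*?</style>",
    re.I | re.S,
)


def reorder_html(html: str) -> str:
    """Return html with CSS collected into <head> and JS at the bottom of <body>."""
    scripts, styles = [], []

    def take_script(m):
        scripts.append(m.group(0))
        return ""

    def take_style(m):
        styles.append(m.group(0))
        return ""

    # Pull scripts out first so a "<link" inside a script string is not mistaken for CSS.
    html = SCRIPT_RE.sub(take_script, html)
    html = STYLE_RE.sub(take_style, html)

    head_end = re.search(r"</head>", html, re.I)
    if head_end is None:
        raise ValueError("no </head> to anchor stylesheets")
    html = html[:head_end.start()] + "".join(styles) + "\n" + html[head_end.start():]

    body_end = re.search(r"</body>", html, re.I)
    if body_end is None:
        raise ValueError("no </body> to anchor scripts")
    html = html[:body_end.start()] + "".join(scripts) + "\n" + html[body_end.start():]
    return html


def tag_positions(html: str) -> dict:
    """Offsets used to check the result: first CSS element, </head>, last <p>, first <script>."""
    low = html.lower()
    css = [p for p in (low.find("<link"), low.find("<style")) if p >= 0]
    return {
        "css": min(css) if css else -1,
        "head_end": low.find("</head>"),
        "last_p": low.rfind("<p"),
        "script": low.find("<script"),
    }


def static_content(html: str) -> str:
    """Everything except the moved elements, whitespace collapsed; must be unchanged by reordering."""
    stripped = STYLE_RE.sub("", SCRIPT_RE.sub("", html))
    return re.sub(r"\s+", "", stripped)


# Constructed sample: a script and a <style> in the head, a stylesheet link
# and a second script in the middle of the body.
SAMPLE_HTML = """<!doctype html>
<html><head>
<title>Demo</title>
<script src="analytics.js"></script>
<style>h1 { color: navy }</style>
</head>
<body>
<h1>Report</h1>
<link rel="stylesheet" href="site.css">
<p>First paragraph.</p>
<script>console.log("widget");</script>
<p>Second paragraph.</p>
</body></html>"""

if __name__ == "__main__":
    print(reorder_html(SAMPLE_HTML))
```

Moving a script changes the point at which it executes relative to the markup, which is exactly why the slide says overall load time is unchanged: the bytes are the same, only the order the browser sees them in differs.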
Front-End Optimization: PDF Linearization
[Diagram: instead of retrieving the entire 100-page document from the server before display, WebAccelerator sends a range of pages at a time, so the 1st page is rendered immediately while the rest of the document is being retrieved.]
Real time PDF Linearization
• Improves time to first page view
• Full compatibility with Adobe PDF Specification
• Works with all modern browsers
Mobile Acceleration
Image optimization
Before all headers—135 KB (QUALITY: 90, SIZE: 102). SOURCE: HTTP Archive (http://www.httparchive.org)
For mobile and remote users:
• Reduce file size of image by 20–40%
• Reduce quality, remove extraneous metadata, convert format (GIF → PNG)
• Maintain privacy
Metadata present before optimization: Location, Copyright, ISO, Shutter Speed, Exposure Bias, Max Aperture, Focal Plane X Resolution, Focal Plane Y Resolution, Focal Plane Resolution Unit, Custom Rendered, Exposure Mode, Scene Capture Type, Label, Firmware, Flash Compensation, Image Number, Lens, Lens ID, Serial Number, Software, File size, Dimensions, Camera make, Camera model, Camera Date, Digitized Date, Modified Date, File Date, Flash, Focal Length, Focal Length in 35mm film, CCD Width, Aperture, F Number, White balance, Metering Mode, Exposure Program, Thumbnail, JPEG Quality, Tags, Unique ID, X Resolution, Y Resolution, Flash Function Not Present, Flash Mode, Supports Red-Eye Reduction, Flash Return.
After all headers—102 KB (QUALITY: 70, SIZE: 50). Metadata remaining: Location, File Size, Dimensions, File Date, JPEG Quality, Unique ID.
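The metadata removal step from the list above (the privacy part of the optimization, not the re-encoding or format conversion), as an added example that is not F5 or WebAccelerator code: the fields the slide lists (location, serial number, lens, dates) live in the JPEG APP1 (Exif) segment, so the example walks the JPEG marker structure and drops the metadata segments while copying the encoded image unchanged. The sample image is a constructed minimal JPEG skeleton with valid segment framing, not a real photo, and the segment list chosen for stripping is an assumption.

```python
"""Strip privacy-sensitive metadata from a JPEG.

Added example, not F5 or WebAccelerator code. The sample image below is a
constructed JPEG skeleton (correct marker framing, placeholder table and
scan bytes), built only so the walk can be demonstrated and tested offline.
"""
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
# Segments that carry metadata rather than image data (assumed set):
# APP1 (Exif/XMP: GPS location, camera serial number, lens, dates),
# APP13 (Photoshop/IPTC), COM (free-text comment).
STRIP_MARKERS = {0xFFE1, 0xFFED, 0xFFFE}


def list_segments(jpeg: bytes) -> list:
    """Return the marker codes of all segments up to and including SOS."""
    markers = []
    i = 2  # skip SOI
    while i + 4 <= len(jpeg):
        marker = struct.unpack(">H", jpeg[i:i + 2])[0]
        markers.append(marker)
        if marker == SOS:
            break
        length = struct.unpack(">H", jpeg[i + 2:i + 4])[0]
        i += 2 + length
    return markers


def strip_metadata(jpeg: bytes) -> bytes:
    """Copy every segment except the metadata ones; the scan is copied verbatim."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out = bytearray(jpeg[:2])
    i = 2
    while i + 4 <= len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        marker = struct.unpack(">H", jpeg[i:i + 2])[0]
        if marker == SOS:
            # Entropy-coded image data follows through EOI; nothing to strip there.
            out += jpeg[i:]
            return bytes(out)
        length = struct.unpack(">H", jpeg[i + 2:i + 4])[0]
        if marker not in STRIP_MARKERS:
            out += jpeg[i:i + 2 + length]
        i += 2 + length
    raise ValueError("truncated JPEG (no SOS segment)")


def _seg(marker: int, payload: bytes) -> bytes:
    """Build one marker segment; the length field counts itself plus the payload."""
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample: JFIF header, an Exif block with fake location/camera
# text, a comment, placeholder quantization and frame headers, a tiny scan.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xFFE1, b"Exif\x00\x00MM\x00\x2a" + b"GPS 47.6N 122.3W serial 12345 (constructed)")
    + _seg(0xFFFE, b"shot at home")
    + _seg(0xFFDB, b"\x00" + bytes(64))
    + _seg(0xFFC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")
    + _seg(0xFFDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("before:", [hex(m) for m in list_segments(SAMPLE_JPEG)], len(SAMPLE_JPEG), "bytes")
    print("after: ", [hex(m) for m in list_segments(cleaned)], len(cleaned), "bytes")
```

Because the scan data is copied byte for byte, this step costs no image quality; the 20–40% size reduction the slide quotes comes from the re-encoding at lower quality, which is a separate operation.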
Logging and reporting
Detailed Reporting
BIG-IP APM: for example, who accessed app or network and when?
Sample Detailed Report
Gain a deeper understanding:
• All sessions with geo-location
• Local time
• Virtual IP
• Assigned IP
• ACLs
• Applications and OSs
• Browsers
• All sessions
• Customize reports
• Export for distribution
Access and Application Analytics
Stats grouped by application and user
Provides:
• Business intelligence
• ROI reporting
• Capacity planning
• Troubleshooting
• Performance
Stats collected:
• Client IPs
• Client geographic
• User agent
• User sessions
• Client-side latency
• Server latency
• Throughput
• Response codes
• Methods
• URLs
Views:
• Virtual server
• Pool member
• Response codes
• URL
• HTTP methods
Security TAP Partners
Endpoint inspect / AV; certificates and encryption; anti-fraud / secure browser; DAST; multi-factor authentication; web access management; DB firewall; mobile OS; mobile device management; security change management; FIPS/HSM security; DNS security and SBS; web and SaaS security; SIEM.
F5 Intelligent Services Framework for Enterprise Solutions
• BIG-IP Local Traffic Manager
• BIG-IP Global Traffic Manager
• BIG-IQ Cloud
• BIG-IQ Security
• BIG-IP Application Acceleration Manager
• BIG-IP Advanced Firewall Manager
• BIG-IP Access Policy Manager
• BIG-IP Application Security Manager
• Mobile App Manager
• BIG-IP Edge Client