Transcript

Slide 1
How to achieve a fast, secure and available virtualization infrastructure
Luuk Dries

Slide 3
Why virtualization – a small recap
• Efficiency
  – Maximize CPU, RAM and Disk resources
  – Energy savings
• Flexibility
  – Quick response to business needs
  – Quickly adding and removing applications
© F5 Networks

Slide 4
Why virtualization?
• Business Continuity
• Disaster Recovery
• Security
• Test and Development

Slide 5
Each Application has its own specific requirements: 99,999% Availability, Performance over the WAN, High Security, ....
[Diagram: Application Delivery Networking: Available, Fast, Secure. Applications: SharePoint, Database, Siebel, BEA, .NET, SAP, PeopleSoft, IBM, ERP, SalesForce, Custom]

Slide 6
Availability for the Web Tier…
• Unmatched scalability and transparency
• High Availability and Load Balancing
• Centralized SSL offloading
[Diagram: Internet; availability figures 99%, 99%, 99%, 99.99%, 99%, 99.9999%]

Slide 7
… and for the Application Tier
• Full L7 application visibility
• L7 content processing and switching
• Application monitoring
[Diagram: Application, WWW, Internet; availability figures 99%, 99%, 99%, 99%, 99%, 99%, 99%, 98%; label: Accumulated Availability]

Slide 8
Flexibility: Data Center Automation
• Real-time interfacing with vCenter to add new VMs to the load balancing pool (iControl)
• Advanced Health Checks to ensure that newly provisioned VMs are ready for traffic

Slide 9
Availability and Performance across ISP Links
Select link on:
- Availability
- Cost of route
- Protocol
- Source/Destination
- Time
And apply:
- Bandwidth Management
- Traffic Prioritization
[Diagram: Internet, ISP1, ISP2]

Slide 10
Availability and Performance across Datacenters
[Diagram: Local DNS, Primary DC, Internet, Backup DC]

Slide 11
My Web Applications are Slow..
• Difficult to accelerate SSL content
• First time visits are slow
• Network latency, packet loss, verbose protocols
• Dynamic Web content
• Users are increasingly remote and/or mobile
• Data center consolidation
[Figure label: IT Manager & App Architect]

Slide 12
Chatty Apps & Latency = Slow Apps
[Diagram: Web Browser, MyWebApp.com Web Servers, Time axis; round trips labelled WAN Latency 250 ms]
A web page load with about 100 objects generates at least 100 round-trips
LAN: 100/2 x 1 ms = 50 ms
WAN: 100/2 x 250 ms = 12.5 seconds!

Slide 13
Impact of Web Acceleration
[Figure: With / Without]

Slide 14
F5 Approach – Three Tiers of Acceleration
• Tier 1 Acceleration – Network Offload
  – Re-use downloaded objects/content (IBR)
  – Reduce data transferred (Compression)
• Tier 2 Acceleration – Server Offload
  – Servers are busy serving same data over and over (Caching)
  – Too many connections to back-end servers (OneConnect & spooling)
  – Overflow of connections to back-end servers (RateShape & conn limit)
  – SSL offload
  – Compression offload
• Tier 3 Acceleration – Application Offload
  – Browser re-downloads same content over and over (IBR)
  – Force multiple connections (MultiConnect)
  – Web apps are slow over the WAN (ESI, Compression, PDF linear..)

Slide 15
Effect of 3 Tiers of Acceleration: Page Load Time
Up to 90% reduction in Page load time

Slide 16
Effect of 3 Tiers of Acceleration: CPU Utilization
Up to 90% reduction in CPU utilization

Slide 17
Intelligent Browser Referencing
Problem: Repeated Content Retrieval Slows Web Application
Dynamic pages contain mostly static content that is retrieved repeatedly
[Figure callout: This is the only dynamic content]

Slide 18
Intelligent Browser Referencing
Solution: WebAccelerator Enables Browser Re-use of Cacheable Contents
• No client to download
• No changes to browser
[Diagram labels: Initial Request; Cache; Subsequent Client Requests; Compression; Cache; Apply IBR cache expiration; Repeat Visits; Retrieve from Browser Cache]

Slide 19
Easy to Deploy – Easy to Integrate
• Validated in vendor application labs
  – Certified policies pre-configured

Slide 20
Web Acceleration Performance
2X to 10X Performance Increase
[Chart, axis in seconds: BEA Weblogic, Outlook Web Access, Plumtree, IBM Websphere Ecommerce, SAP Portal, PeopleSoft, Siebel, SharePoint 2007 Portal; series: Without Acceleration, With Asymmetric Acceleration, With Symmetric Acceleration]

Slide 23
F5 and VMware can enable a secure, live migration
…of a virtualized application and its storage
…from one site to another
…without downtime and without user disruption.

Slide 24
Initial Environment
[Diagram: BIG-IP Global Traffic Manager; BIG-IP Local Traffic Manager with vCenter A; BIG-IP Local Traffic Manager with vCenter B]

Slide 25
Step 1: F5 BIG-IP Local Traffic Manager Opens WAN Optimization Tunnel
• Compressed
• De-Duplicated
• Encrypted
[Diagram as on slide 24, marker 1]

Slide 26
Step 2: Storage vMotion Executed Across WAN Optimized Tunnel
This step can be avoided if storage is already being synchronously replicated between sites
[Diagram as on slide 24, marker 2]

Slide 27
Step 2: Pending App vMotion, transactions rely on VM in Site A, but Storage in Site B
vCenter A still managing VM
[Diagram as on slide 24]

Slide 28
Step 3: Application vMotion Executed Over WAN Optimized Tunnel
[Diagram as on slide 24, marker 3]

Slide 29
Step 4: vCenter Instructs F5 BIG-IP Global Traffic Manager to Cut Over to Site-B
[Diagram as on slide 24, marker 4]

Slide 30
F5 BIG-IP Global Traffic Manager Routes All NEW Application Connections/Sessions Directly to Site B.
[Diagram as on slide 24]

Slide 31
F5 BIG-IP Local Traffic Manager in Site A Redirects EXISTING Sessions Temporarily to Site B Until Clients Register DNS Change
[Diagram as on slide 24]

Slide 32
Eventually, ALL Connections Go Directly to Site B. The Process Can Be Reversed When Necessary.
[Diagram: BIG-IP Global Traffic Manager; BIG-IP Local Traffic Manager with vCenter A; BIG-IP Local Traffic Manager with vCenter B]
Successful Application Migration Complete

Slide 33
Web Application Security
• WAF allows legitimate requests
• Stops bad requests / responses
[Diagram labels: Browser; ! Unauthorised Access; ! Noncompliant Information; ! Unauthorised Access; ! Infrastructural Intelligence]

Slide 34
Challenges of Web Application Security
• HTTP attacks are valid requests
• HTTP is stateless, application is stateful
• Web applications are unique – there are no signatures for YOUR web application
• Good protection has to inspect the response as well
• Encrypted traffic facilitates attacks…
• Organizations are living in the dark – missing tools to expose/log/report HTTP(s) attacks

Slide 35
ASM: Powerful Adaptable Solution
• Provides comprehensive protection for all web application vulnerabilities
• Provides out of the box security
• Logs and reports all application traffic
• Provides L2->L7 protection
• Unifies security and acceleration services
• Stops attacks unseen by traditional WAFs (anti-evasion)
• Provides On-Demand WAF scaling
• Sees Application level performance

Slide 36
Layer 7 DoS and Brute Force
Unique Attack Detection and Protection
• Unwanted clients are remediated and desired clients are serviced
• Improved application availability

Slide 38
Why F5? The F5 Advanced ADN
[Diagram: Application Delivery Networking: Available, Fast, Secure. Applications: SharePoint, Database, Siebel, BEA, .NET, SAP, PeopleSoft, IBM, ERP, SalesForce, Custom]

Slide 41
Gartner Magic Quadrant for ADC
[Chart: axis: ability to execute; quadrants: challengers, leaders, niche players; vendors plotted: F5 Networks, Citrix Systems, Cisco Systems, Radware, Foundry Networks, Zeus Technology, Nortel Networks]
F5 Networks
• Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.
• Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP.
• Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time.
• Strong underlying platform allows easy extensibility to add features.
• Support of an increasingly loyal and large group of active developers tuning their applications environments specifically with F5 infrastructure.
[Chart labels: visionaries; axis: completeness of vision]
Source: Gartner (July 2008)

Slide 42
BIG-IP Hardware Line-up
[Chart axes: Price (vertical), Function / Performance (horizontal)]

VIPRION
– 36 Gbps Traffic
– Multiple Product Modules
– Ultimate redundancy in a single chassis

BIG-IP 8900
– 2 x Quad core CPU
– 16 10/100/1000 or 2 10GE SFP+
– 2x 320 GB HD + 8GB CF
– 16 GB memory
– SSL @ 58K TPS / 9.6 Gb Bulk
– 8 Gbps max hardware compression
– 12 Gbps Traffic
– Multiple Product Modules

BIG-IP 6900
– 2 x Dual core CPU
– 16 10/100/1000 + 8x 1GB SFP
– 2x 320 GB HD (S/W RAID) + 8GB CF
– 8 GB memory
– SSL @ 25K TPS / 4 Gb bulk
– 5 Gbps max hardware compression
– 6 Gbps Traffic
– Multiple Product Modules

BIG-IP 3600
– Dual core CPU
– 8 10/100/1000 + 2x 1GB SFP
– 1x 160 GB HD + 8GB CF
– 4 GB memory
– SSL @ 10K TPS / 2 Gb bulk
– 1 Gbps max software compression
– 1.5 Gbps Traffic
– 1 Advanced Product Module

BIG-IP 1600
– Dual core CPU
– 4 10/100/1000 + 2x 1GB SFP
– 1x 160GB HD
– 4 GB memory
– SSL @ 5K TPS / 1 Gb Bulk
– 750 Mbps max software compression
– 750 M Traffic
– 1 Basic Product Module

Slide 43
[Diagram labels: PC - LAN; WLAN; Remote - WAN; PC - Home; DC 1: U.S.; DC 2: U.K.; Link 1, Link 2, Link 3; BIG-IP LTM, GTM & LC; Web Servers; BIG-IP LTM, WA, ASM; App. Servers; File Storage Virtualization: Services & Policy; Application Server Virtualization: Services & Policy]
F5’s Data Center Vision – Unified Application & Data Delivery
[Diagram labels: Web Server Virtualization: Services & Policy; Cell; Data Center & Link Virtualization: Services & Policy; EMC; Windows file storage; App. Server; BIG-IP LTM, SAM; NetApp; F5 ARX]

Slide 44
ARX – File Virtualization
BEFORE: User / application access tightly coupled to physical file storage
– Inflexible: change is disruptive
– Complex: multiple mappings to heterogeneous storage devices
– Inefficient: low aggregate utilization
AFTER: File access decoupled from physical storage location
– Flexible: change is non-disruptive
– Simple: single mapping to unified storage pool
– Efficient: maximize utilization

Slide 45
Tiering / ILM / Data Migration
• Match cost of storage to business value of data
  – Files are automatically moved between tiers based on flexible criteria such as age, type, size, etc.
• Drivers:
  – Storage cost savings, backup efficiencies, compliance
• Benefits:
  – Reduced CAPEX
  – Reduced backup windows and infrastructure costs

Slide 46
Summary
• F5 offers you the scalability both in performance and functionality to optimize all your applications
• F5 makes your applications
  – SECURE
  – FAST
  – AVAILABLE
  in the most flexible and stable solution
• F5 optimizes your storage environment