F5 Application Traffic Management


Radovan Gibala

Senior Solutions Architect

+420 731 137 223

2009

Business challenges addressed across people, applications and data:

Business Continuity (HA, Disaster Recovery)
– WAN Virtualization
– File Virtualization
– DC to DC Acceleration
– Virtualized VPN Access

App Security & Data Integrity
– AAA
– Data Protection
– Transaction Validation

Managing Scale & Consolidation
– Asymmetric & Symmetric Acceleration
– Server Offload
– Load Balancing

User Experience & App Performance
– Virtualized App & Infrastructure
– Server & App Offload
– Load Balancing

Unified Security Enforcement & Access Control
– Remote, WLAN & LAN
– Central Policy Enforcement
– End-Point Security
– Encryption
– AAA

Storage Growth
– Virtualization
– Migration
– Tiering
– Load Balancing

Application Delivery Network: the same challenges mapped to F5 products (the capability lists repeat the previous slide)

Business Continuity (HA, Disaster Recovery): BIG-IP LTM, GTM, LC, WA; FirePass; ARX; WJ
App Security & Data Integrity: BIG-IP LTM, ASM; FirePass
Managing Scale & Consolidation: BIG-IP LTM, GTM, LC, WA; FirePass; ARX; WJ
User Experience & App Performance: BIG-IP LTM, GTM, WA; ARX; WJ
Storage Growth: ARX
Unified Security Enforcement & Access Control: FirePass; BIG-IP LTM, GTM

How To Achieve the Requirements?

Multiple Point Solutions

More Bandwidth?
Network Administrator: Add More Infrastructure?
Application Developer: Hire an Army of Developers?

The Result: A Growing Network Problem

Diagram: users (Mobile Phone, PDA, Laptop, Desktop) reach the applications (CRM, SFA, ERP, Customised Application, Co-location) through a chain of separate point solutions in the network: DoS Protection, Rate Shaping, SSL Acceleration, Server Load Balancer, Content Acceleration, Application Firewall, Connection Optimisation, Traffic Compression.

F5’s Integrated Solution

Diagram: the same users (Mobile Phone, PDA, Laptop, Desktop) reach the applications (CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom, Co-location) through a single Application Delivery Network running TMOS.

A New Level of Intelligence

Legacy Approach: packet based
– Reacts to a single communication, in one direction

TM/OS: flow based
– Reacts to a real-time, two-way conversation
– Translates between the parties

Deliver Application Exactly as Intended

Manage Entire Application Flows:
• Independent Connection Control
• Supporting All IP Applications
• High Performance Framework
• Bi-Directional, Full Payload Inspection
• Session Level Control

Diagram: TM/OS Fast Application Proxy with the Universal Inspection Engine (UIE) between the client side and the server side.

The Most Intelligent and Adaptable Solution

Diagram: TM/OS Fast Application Proxy with the Universal Inspection Engine (UIE) giving complete visibility and control of application flows between client side and server side. On top of it sits a programmable application network:
• iRules – programmable network language
• GUI-based application profiles – repeatable policies
• Unified application infrastructure services – targeted and adaptable functions (security, optimisation, delivery, new services)
Example: a news website delivered with compression, TCP offloading and load balancing.

Traffic Management Operating System

TMOS

Shared Application Services
• iRules
• Rate Shaping / Rate Limiting
• Resource Cloaking
• Transaction Assurance
• Universal Persistence
• Caching
• Compression
• Selective Content Encryption
• Advanced Client Authentication
• Application Health Monitors
• Application Switching

Operating System

Shared Network Services
• TCP Express
• Protocol Sanitization
• High Performance SSL
• DoS and DDoS Protection
• VLAN Segmentation
• Line Rate L2 Switching (Mirroring, Trunking, STP, LACP)
• IP Packet Filtering
• IPv6
• Dynamic Routing
• Secure Network Address Translation
• Port Mapping
• Common Management Framework

Unique TMOS Architecture

Diagram: client and server connected through the TMOS microkernel TCP proxy (client side / server side), with iRules and the iControl API layered on high-performance hardware.

TMOS
• Traffic Plug-ins
• High-Performance Networking Microkernel
• Powerful Application Protocol Support
• iControl – External Monitoring and Control
• iRules – Network Programming Language

BIG-IP

First Unified Application Infrastructure Services Delivering

• DoS and SYN Flood Protection
• Network Address/Port Translation
• Application Attack Filtering
• Certificate Management
• DoS and DDoS protection
• Brute Force attack protection
• Resource Cloaking
• Advanced Client Authentication
• Firewall - Packet Filtering
• Selective Content Encryption
• Cookie Encryption
• Content Protection
• Protocol Sanitization
• Secure and Accelerated DC to DC data flow

• Comprehensive Load Balancing
• Advanced Application Switching
• Customized Health Monitoring
• Intelligent Network Address Translation
• Advanced Routing
• Intelligent Port Mirroring
• IPv6 Gateway
• Universal Persistence
• Response Error Handling
• Session / Flow Switching
• Network Virtualization
• System Resource Control
• Application Templates
• Dashboard

• SSL Acceleration
• Quality of Service
• Connection Pooling
• Intelligent Compression
• L7 Rate Shaping
• Content Spooling/Buffering
• TCP Optimization
• Content Transformation
• Caching
• TCP Express

Comprehensive Load Balancing

Static
– Round Robin
– Ratio

Dynamic
– Fastest
– Least Connections
– Observed
– Predictive
– Dynamic Ratio

Priority Groups

Feature Overview/BIG-IP

Availability Checking
– Check any back-end process using EAV
– Will work for any IP based application
– Stateful failover between devices

Security
– Firewall-like device to resist most attacks
– All administration is encrypted
– Integrated SSL/FIPS and secure NAT

Feature Overview/BIG-IP

SSL and E-Commerce
– Only product with integrated SSL
– Single certificate simplifies administration
– Lowers certificate costs
– Client certificate checking (authentication)

Layer 7 Functionality
– Can utilize all HTTP header/content or TCP content in traffic decisions
– Can persist on anything
– HTTP 1.1 keep-alives dramatically improve performance

Feature Overview/BIG-IP

Easy to Implement and Support
– Can be deployed as either a Layer 2 or a Layer 3 device
– Simple and complete Graphical User Interface
– Installation services by F5 and/or partner

Flexibility
– BIG-IP works with any server or IP based service
– iControl enables integration with internal and/or 3rd party applications

Powerful and Simplified Management

“We have to deal with multiple products. The new user interface makes every other solution in this space look absolutely immature. F5’s solutions are 10 times easier to manage than Cisco.”

- Major US Hosting Provider

Profile Based Management
– Profile based traffic management
– Improved vision of all resources and traffic

Deliver, Optimize, Secure

Ensure Higher Availability - Superior System Design

Processes Reporting and Control
– Granular status, logging and configurable actions for component-level failures. Capable of warm restarts and upgrades.

3-way HA Design
– Robust internal system checking and pass-through design.

Extensibility - IPv6 Gateway

Network Virtualization

Route Domains: consolidation with control
– Host multiple groups on one BIG-IP without conflicts
– Granular control to provide separate routing domains and overlapping IPs

System Resource Control

Module Provisioning: consolidation with control
– Allocate CPU, memory, and disk per module
– Customize allocation to meet your needs

Simple Application Roll-outs

Application Templates

Templates available: SharePoint 2007, VMware VDI, Exchange Web Access 2007, IIS 7.0, HTTP, BEA WebLogic 5.1 and 8.1, Oracle Application Server 10g, SAP ERP 6.0 and ERP 2006, Citrix Presentation Server, DNS, IP Forwarding, LDAP, RADIUS

“The Application Templates allowed us to deploy Microsoft IIS in seconds instead of hours.”

- System Engineer, Fortune 500 Co.

Simplified Management

Dashboard

Secure and Accelerate DC to DC

iSessions
– Secure and accelerate between data centers
– Integrated and free with BIG-IP LTM v10
– Symmetric compression: adaptive, Deflate, LZO
– SSL encryption

Note: Not available on the 1500 and 3400

BIG-IP Security Add-On Modules

Application Security Module – Protect applications and data
SSL Acceleration – Protect data over the Internet
Advanced Client Authentication Module – Protect against unauthorised access

BIG-IP Software Add-On Modules

Quickly Adapt to Changing Application & Business Challenges

Compression Module – Increase performance
WebAccelerator - Fast Cache Module – Offload servers
Rate Shaping Module – Reserve bandwidth

Intelligent HTTP Compression

Most intelligent and flexible solution to target HTTP compression where it matters most

URI/content filters – allow/disallow lists
– Compress only specified file types
– Based on URI or MIME type
Client-aware compression (patent pending)
– Based on TCP latency – observe client RTT
– Based on low bandwidth client connections
Granular L7 based compression
Tunable resource allocation
– Devote more memory and CPU cycles to high priority compression jobs
Adaptable Compression
– Scale back compression based on CPU load

Real Time Compression Tool

www.f5demo.com/compression

TCP Express

Behaviors of a good TCP/IP implementation:
– Proper congestion detection.
– Good congestion recovery.
– High bandwidth utilization.

• Being too aggressive can cause individual connections to consume all of the network.
• Not being aggressive enough will leave bandwidth unused, especially when only a small number of connections is active.
• Always needs to adapt to changing congestion.

Increased windowing and buffering will often help compensate for latency and can also offload the application equipment more quickly.

The most important tuning you can do in TCP typically has to do with window sizes and retransmission logic (aka congestion control behavior).

On today’s networks, loss is almost always caused by congestion.

Most TCP stacks are not aggressive enough.

F5’s TCP Congestion Control Algorithms

Reno Congestion Control
Original TCP fast recovery algorithm based on BSD Reno.
– Initially grows the congestion window exponentially during the slow-start period.
– After slow-start, increases CWND by 1 MSS for each CWND acked (linear growth).
– When loss or a recovery episode is detected, the CWND is cut in half.

New Reno modifications (currently the default mode)
Improves on the Reno behaviour.
– When entering a recovery episode, implements a fast retransmit: each ACK below the recovery threshold triggers a one-time resend of the data starting at the ACK.
– Results in sending the missing data more aggressively and exiting the recovery period sooner.

Scalable TCP (added in 9.4)
Improves on the NewReno behaviour.
– Upon loss, the CWND is reduced by only 1/8.
– Once out of slow start, CWND increases by 1% of an MSS for each CWND ACK’d.

HighSpeed (F5's proprietary congestion control added in 9.4)
Similarly improves on the NewReno behaviour in combination with Scalable TCP.
– Progressively switches from NewReno to Scalable TCP based on the size of the CWND.
– Upon loss, the CWND is reduced by somewhere between ½ and 1/8.
– CWND grows somewhere between 1% and 100% of an MSS for each CWND ACK’d.
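To make the difference between these schemes concrete, here is an added Python model (not F5's code or the TMM implementation) that counts how many round trips each algorithm needs to refill a path after a single loss. It assumes congestion avoidance only, applies the Scalable increment per ACK (so it compounds to 1% of the window per RTT), and stands in for HighSpeed's progressive switch with a linear CWND-based blend between constructed thresholds.

```python
"""Constructed model of the three congestion-control behaviours described
above: Reno halves CWND on loss and adds one MSS per window of ACKs,
Scalable TCP cuts CWND by 1/8 and adds 1% of an MSS per ACK, and HighSpeed
blends the two according to the size of the CWND.  Units are segments
(1 segment = 1 MSS); one loss event per recovery cycle is assumed."""
from dataclasses import dataclass
from typing import Callable, Dict

RENO_CUT = 0.5             # fraction of CWND dropped on a loss (Reno)
SCALABLE_CUT = 1 / 8       # fraction of CWND dropped on a loss (Scalable TCP)
RENO_PER_WINDOW = 1.0      # MSS added per window of ACKs (Reno, linear growth)
SCALABLE_PER_ACK = 0.01    # MSS added per ACK (Scalable TCP, multiplicative growth)


@dataclass(frozen=True)
class CongestionControl:
    name: str
    # Weight of the Scalable behaviour at a given CWND:
    # 0.0 = pure Reno/NewReno, 1.0 = pure Scalable TCP.
    scalable_weight: Callable[[float], float]

    def on_loss(self, cwnd: float) -> float:
        """CWND after a loss or recovery episode is detected."""
        w = self.scalable_weight(cwnd)
        cut = (1 - w) * RENO_CUT + w * SCALABLE_CUT
        return cwnd * (1 - cut)

    def growth_per_rtt(self, cwnd: float) -> float:
        """MSS gained during one RTT of congestion avoidance.  A window of
        `cwnd` segments produces `cwnd` ACKs, so the per-ACK Scalable
        increment amounts to 1% of the whole window per RTT."""
        w = self.scalable_weight(cwnd)
        return (1 - w) * RENO_PER_WINDOW + w * SCALABLE_PER_ACK * cwnd


def highspeed_weight(low: float, high: float) -> Callable[[float], float]:
    """Linear switch from Reno (CWND <= low) to Scalable (CWND >= high).
    The two thresholds are constructed for this illustration."""
    def weight(cwnd: float) -> float:
        return min(1.0, max(0.0, (cwnd - low) / (high - low)))
    return weight


RENO = CongestionControl("Reno / NewReno", lambda cwnd: 0.0)
SCALABLE = CongestionControl("Scalable TCP", lambda cwnd: 1.0)
HIGHSPEED = CongestionControl("HighSpeed", highspeed_weight(low=38, high=83_000))


def rtts_to_recover(cc: CongestionControl, pipe_segments: float) -> int:
    """Round trips needed to refill a path that holds `pipe_segments`
    after a single loss detected with CWND equal to the pipe size."""
    cwnd = cc.on_loss(float(pipe_segments))
    rtts = 0
    while cwnd < pipe_segments:
        cwnd += cc.growth_per_rtt(cwnd)
        rtts += 1
    return rtts


def compare(pipe_segments: float) -> Dict[str, int]:
    """Recovery time in RTTs for each algorithm on the same path."""
    return {cc.name: rtts_to_recover(cc, pipe_segments)
            for cc in (RENO, SCALABLE, HIGHSPEED)}


if __name__ == "__main__":
    # A 1 Gbps path with 50 ms RTT holds roughly 4,300 segments of 1460
    # bytes; a 100-segment window is shown for contrast.
    for pipe in (100, 4_300):
        print(f"pipe = {pipe:>5} segments: {compare(pipe)}")
```

Reno's recovery time grows linearly with the pipe size while Scalable TCP's stays constant, which is the reason the slide calls most stacks "not aggressive enough" on high-bandwidth paths.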


OneConnect™ – Connection Pooling

Increase server capacity by 30%
– Aggregates a massive number of client requests into fewer server-side connections
– Transforms HTTP 1.0 to 1.1 for server connection consolidation
– Maintains intelligent load balancing to dedicated content servers

Good Sources:
http://tech.f5.com/home/bigip/solutions/traffic/sol1548.html
http://www.f5.com/solutions/archives/whitepapers/httpbigip.html

OneConnect™ New and Improved

HTTP Request Pooling
– Streamlines single client requests to BIG-IP; enabled by HTTP 1.1
– Average reduction is 20 to 1 per web page (the page objects index.htm, a.gif, b.gif and c.asp arrive over one client connection)

1) OneConnect™ Content Switching
– Intelligent load balancing to dedicated content servers (HTML server pool, GIF server pool, ASP server pool)
– Maintains server logging

2) OneConnect™ HTTP transformations
– Transformation from HTTP 1.0 to 1.1 for server connection consolidation (many client connections become one new server connection)

3) OneConnect™ Connection Pooling
– Aggregates a massive number of client requests (index.htm, sales.htm, a.gif to f.asp) into fewer server-side connections

Content Spooling

Problem: TCP Overhead on Servers
– There is overhead for breaking apart (“chunking”) content
– Client and server negotiate TCP segmentation
– Client forces more segmentation than is good for the server
– The server is burdened with breaking content up into small pieces for good client consumption

Solution
– Slurp up the server response
– Spoon-feed clients

Benefit: Increases server capacity up to 15%

L7 Rate Shaping

Integrated and Fine Grained Bandwidth Control

Sophisticated Bandwidth Control
– Flexible bandwidth limits
– Full support for bandwidth borrowing
– Traffic queuing (stochastic fair queue, FIFO, ToS priority queue)
Granular Traffic Classification L2 through L7
– iRules support can initiate a rate class on any traffic flow variable
Only Multi-Direction Control
– Control throughput in any direction

Diagram: a rate class with base rate, ceiling rate and burst applied between the WAN, a pool of servers and network segments.

Hardware

Actual BIG-IP Platforms (ordered by price and by function / performance)

BIG-IP 1600
– Dual core CPU; 4 x 10/100/1000 + 2 x 1GB SFP; 1 x 160GB HD; 4 GB memory
– SSL @ 5K TPS / 1 Gb bulk; 1 Gbps max software compression
– 1 Gbps traffic; 1 basic product module

BIG-IP 3600
– Dual core CPU; 8 x 10/100/1000 + 2 x 1GB SFP; 1 x 160 GB HD + 8GB CF; 4 GB memory
– SSL @ 10K TPS / 2 Gb bulk; 1 Gbps max software compression
– 2 Gbps traffic; 1 advanced product module

BIG-IP 6900
– 2 x dual core CPU; 16 x 10/100/1000 + 8 x 1GB SFP; 2 x 320 GB HD (S/W RAID) + 8GB CF; 8 GB memory
– SSL @ 25K TPS / 4 Gb bulk; 5 Gbps max hardware compression
– 6 Gbps traffic; multiple product modules

BIG-IP 8900
– 2 x quad core CPU; 16 x 10/100/1000 + 8 x 1GB SFP; 2 x 320 GB HD (S/W RAID) + 8GB CF; 16 GB memory
– SSL @ 58K TPS / 9.6Gb bulk; 6 Gbps max hardware compression
– 12 Gbps traffic; multiple product modules

VIPRION (above the 8900 in function / performance)

2008: Hardware Architecture (Single-Board Design)

Diagram: single board carrying LCD panel, CompactFlash*, HDD1 and HDD2* (1 / 2), RAM, up to four CPUs*, SSL card(s)* (FIPS* option), hardware compression card*, AOM (Always On Module; SCCP in former versions), power supplies* and a Broadcom ASIC (BCM) for Layer 2 switching that feeds the x* 10/100/1000Base-T copper/SFP-GBIC and 10GbE* ports. TMM (Traffic Management Microkernel) handles layers 4-7.

* Depends on platform (optional). FIPS: Federal Information Processing Standards.

High-Performance Application Switches

BIG-IP 8900, BIG-IP 6900, BIG-IP 1600 - 3600

Consolidate with Purpose-built Hardware
– Designed specifically for application delivery
– Integrated platform for security, acceleration, availability

Offload Application Servers
– High performance hardware SSL and compression offload
– Advanced connection management

Reduce Operating Costs
– Simplified management with USB, front panel management, remote boot, and more
– Increased uptime with hot swappable and redundant components

BIG-IP 1600: High performance meets high value

High Performance
– Dual-core CPU provides 1 Gb/s of L7 throughput
Reliable and Adaptable
– Options for dual power and DC power
– Front-to-back cooling
Basic security and acceleration options
– Protocol Security Module
– 1 Gb/s compression and SSL throughput

BIG-IP 3600: Integrated ADC in a 1U platform

Advanced security and acceleration options
– WebAccelerator option
– Application Security Module option
High Performance
– Dual-core CPU provides 2 Gb/s of L7 throughput
Reliable and Adaptable
– Options for dual power and DC power
– Front-to-back cooling

BIG-IP 6900: Consolidation and Integration

High Performance for Consolidation
– Dual CPU, dual core for 6 Gb/s of L7 throughput
– Hardware SSL and compression offload
Multi-module Integration
– Run multiple modules and unify application delivery functions onto a single device
Reliable and Adaptable
– Dual power supplies and dual hard drives standard
– Front-to-back cooling

BIG-IP 8900: The Foundation of a Unified ADN

High Performance for Consolidation
– Dual CPU, quad core for 12 Gb/s of L7 throughput
– Hardware SSL and compression offload
10G Ports for Next-gen Data Centers
– Two 10G SFP ports in addition to 1G copper and fiber connections
Reliable and Adaptable
– Dual power supplies and dual hard drives standard
– Front-to-back cooling

Platform Performance

                              BIG-IP 1600   BIG-IP 3600   BIG-IP 6900   BIG-IP 8900
Max. throughput               1 Gbps        2 Gbps        6 Gbps        12 Gbps
Layer 4 connections/sec       60,000        115,000       220,000       400,000
Layer 7 requests/sec (inf-inf) 100,000      135,000       600,000       1,200,000
Max. concurrent connections   4 Million     4 Million     8 Million     16 Million
Max. SSL TPS                  5,000         10,000        25,000        58,000
Max. SSL bulk                 1 Gbps        1.5 Gbps      4 Gbps        9.6 Gbps
Max. SSL concurrent conn.     1 Million     1 Million     2 Million     4 Million
Max. compression              1 Gbps        1 Gbps        5 Gbps        9.6 Gbps
Switch backplane              14 Gbps       24 Gbps       68 Gbps       112 Gbps

CMP Super-VIP

Diagram: servers and network connected through the switches to four Traffic Management Microkernels (TMM0 to TMM3).

Multitasking means screwing up several tasks at the same time.

The World’s Only On Demand ADC

VIPRION – On Demand ADC
– Add application intelligence without adding management cost
– Market-leading performance
– Ultimate redundancy
– TMOS inside

Viprion Overview

Unmatched Performance
– Massive scalability
– Processing architecture common with the 8800
Intelligent clustering
– SuperVIP (virtuals can seamlessly span blades)
– N+M redundancy for all features in the cluster
High Availability
– Automatic failover within the cluster
– Chassis-to-chassis redundancy
Full Modular Chassis
– 4 blade slots with 1 blade type
– Any blade can be chassis master
Common central management console
– Single point of management
– Same user interface as BIG-IP appliances

On Demand – Zero Reconfiguration

Diagram: VIPRION serving physical servers and virtual machines.
– Automatic addition of power
– No need to overprovision
– Fixed and predictable OpEx

Ultimate Reliability: Multi-Level Redundancy
– Internal blade-to-blade failover
– External chassis-to-chassis failover
– Hot swappable power supplies
– Hot swappable fan trays
– Hot swappable LCD display
– Passive, redundant backplane
– Integrated Lights Out management

Ultimate Reliability: Multi-Level Redundancy
– Blade failure will not cause chassis failure
– Redundant and hot swappable components
Diagram: client and server stay connected through the chassis; always available.

Traditional ADC Scaling

Diagram: GSLB within the datacenter spreads WWW. across WWW1., WWW2., WWW3. and WWW4., each in front of its own server farm (Server Farm A to D).

Each addition requires:
– DNS changes
– Physical reconfigurations
– Routing changes
– ADC reconfiguration

Clustered Multi Processing Scales

Diagram: TMOS throughput over time, moving from a single processor to 2x SMP, 4x and 8x.

Virtual Processing Fabric

Diagram: Clustered Multi Processing with custom disaggregator ASICs and a high speed bridge feeding a processing complex of TMM 0, TMM 1 … TMM n between client and server.

The SuperVIP

Diagram: a single WWW. virtual server and its pool spread across all blades.

Virtualization: “Separating the physical characteristics of computing resources from the systems, applications or end users interacting with those resources”.

With a SuperVIP, a single virtual server may be processed by all computing resources of the VIPRION.

Market Leading Performance

                         Single Blade      4 Blade System
L7 Fast HTTP Inf/Inf     800,000 Rps       3,200,000 Rps
L7 Full Proxy Inf/Inf    300,000 Rps       1,200,000 Rps
SSL TPS                  50,000            200,000
SSL Gbps                 9 Gbps            36 Gbps
L4 Conn/s (1-1)          250,000 cps       1,000,000 cps
Compression              4.5 Gbps          16 Gbps
L4 Throughput            10 Gbps           36 Gbps
L7 Throughput            10 Gbps           36 Gbps

More detailed measures

Avoid Management Nightmare
– TMOS + Security + Accel + iRules + iControl
– VIPRION: 200,000 SSL TPS; at 12,000 SSL TPS per blade that equals 16 blades

Avoid Growing Pains
– TMOS + Security + Accel + iRules + iControl
– VIPRION: 3,200,000 Layer 7 requests/sec; at 76,000 L7 RPS per blade that equals 42 blades

VIPRION Management

Management continued

Management

iRules and iControl

What are iRules?

– Programming language integrated into TMOS (Traffic Management Operating System)
– Based on the industry standard TCL language (Tool Command Language)
– Provide the ability to intercept, inspect, transform, direct and track inbound or outbound application traffic
– Core of the F5 “secret sauce” and key differentiator

How do iRules Work?

• iRules allow you to perform deep packet inspection (entire header and payload)
• Coded around Events (HTTP_REQUEST, HTTP_RESPONSE, CLIENT_ACCEPTED etc.)
• Full scripting language allows for extremely granular control of inspection, alteration and delivery on a packet by packet basis

Diagram: requests arrive, the iRule is triggered as HTTP events fire (HTTP_REQUEST, HTTP_RESPONSE, etc.), and modified responses* are returned.

*Note: BIG-IP’s bi-directional proxy capabilities allow it to inspect, modify and route traffic at nearly any point in the traffic flow, regardless of direction.

The Better Alternative Example

Centralized Availability, Security & Acceleration – A Repeatable, Extensible, Flexible Architecture

Centralized Transaction Assurance: Proactive Response Error Handling for Higher Availability

    rule redirect_error_code {
        when HTTP_REQUEST {
            set my_uri [HTTP::uri]
        }
        when HTTP_RESPONSE {
            if { [HTTP::status] == 500 } {
                # The action taken on the 500 response did not survive the
                # transcript; $my_uri is saved above for use here.
            }
        }
    }

Centralized Data Protection: Rewrite, Remove, Block and/or Log Sensitive Content

    rule protect_content {
        when HTTP_RESPONSE {
            # Buffer the body so that HTTP_RESPONSE_DATA fires (the slide
            # shows only the data event, but without a collect it never runs).
            if { [HTTP::header exists "Content-Length"] } {
                HTTP::collect [HTTP::header "Content-Length"]
            }
        }
        when HTTP_RESPONSE_DATA {
            set payload [HTTP::payload [HTTP::payload length]]
            # Find and replace SSN numbers. regsub returns the match count and
            # writes the rewritten text to new_response.
            set matches [regsub -all {\d{3}-\d{2}-\d{4}} $payload "xxx-xx-xxxx" new_response]
            # Replace only if necessary.
            if { $matches > 0 } {
                HTTP::payload replace 0 [HTTP::payload length] $new_response
            }
        }
    }

Host to URI mapping: Faster Access to Data through Automatic Redirection

    when HTTP_REQUEST {
        set company ""
        set mapping ""
        # www.A.com -- domain == A.com, company == A
        regexp {\.([\w]+)\.com} [HTTP::host] domain company
        if { "" ne $company } {
            # look for the second string in the data group
            set mapping [findclass $company $::valid_company_mappings " "]
        }
        if { "" ne $mapping } {
            HTTP::redirect "http://www.my_vs.com/$mapping"
        }
    }

Solution: Server Resource Cloaking

Description: web server signatures in responses can point attackers at potential security holes, so iRules are used to remove or “cloak” the visible web server signatures.

iRule: remove the Apache v2.0.49 reference

    when HTTP_RESPONSE {
        # Remove all but the given headers. The Server header that names
        # the web server and its version is stripped with everything else.
        HTTP::header sanitize "ETag" "Connection" "Content-Type"
    }

HOW IT WORKS
1. Client requests information from an application and is routed through BIG-IP
2. BIG-IP directs the request to the best performing web server
3. Web server provides the application response BUT all responses – by default – include information that indicates the type of server responding
4. BIG-IP looks at the traffic and determines it must call the iRule for “Resource Cloaking”
5. iRule runs, removing Apache references, and sends the response on to the client
6. Client only sees the “sanitized” response.

Diagram: HTTP request from the client through BIG-IP to the Apache web server; the response from Apache includes server signatures, which are removed before the HTTP response reaches the client.

What can an iRule do?

– Read, transform, replace header or payload information (HTTP, TCP, SIP, etc.)
– Work with any protocol, such as SIP, RTSP, XML, others, whether with native (HTTP::cookie) or generic (TCP::payload) commands
– Make adjustments to TCP behavior, such as MSS, checking the RTT, deep payload inspection
– Authentication assistance, offload, inspection and more for LDAP, RADIUS, etc.
– Caching, compression, profile selection, rate shaping and much, much more

iRule Event Taxonomy

Authentication: AUTH_ERROR, AUTH_FAILURE, AUTH_RESULT, AUTH_SUCCESS, AUTH_WANTCREDENTIAL
Cache: CACHE_REQUEST, CACHE_RESPONSE
SSL: CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE, SERVERSSL_HANDSHAKE
DNS: DNS_REQUEST, DNS_RESPONSE, NAME_RESOLVED
Load balancing: LB_FAILED, LB_SELECTED
Global and line: RULE_INIT, CLIENT_LINE, SERVER_LINE
HTTP: HTTP_CLASS_FAILED, HTTP_CLASS_SELECTED, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA
RTSP: RTSP_REQUEST, RTSP_REQUEST_DATA, RTSP_RESPONSE, RTSP_RESPONSE_DATA
SIP: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE
TCP (shared by several profiles, hence repeated on the slide): CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA
Stream: STREAM_MATCHED
User: USER_REQUEST, USER_RESPONSE
XML: XML_BEGIN_DOCUMENT, XML_BEGIN_ELEMENT, XML_CDATA, XML_END_DOCUMENT, XML_END_ELEMENT, XML_EVENT

Solution: FIX Protocol Persistence

Challenges
• Business chooses the protocol required by its industry sector
• Implementation on the server side is impossible in an enterprise HA scenario

Solution
• iRule provides a centralized mechanism for intercept/inspect/route
• Solution can be deployed in true HA/multi-server (even multi-data-center) mode
• Clean code management

iRule: query identifies the FIX SenderCompID

    rule FIX_regexp {
        when CLIENT_ACCEPTED {
            TCP::collect
        }
        when CLIENT_DATA {
            # Tag 49 (SenderCompID) is framed by SOH (0x01) delimiters. \u0001 is
            # used because Tcl's \x escape swallows every following hex digit, so
            # "\x0149" would not mean SOH followed by "49". [^\u0001]* replaces the
            # slide's greedy (.*), which would run on to the last SOH in the buffer
            # and capture the following fields as part of the ID.
            if { [regexp {\u000149=([^\u0001]*)\u0001} [TCP::payload] -> SenderCompID] } {
                persist uie $SenderCompID
                TCP::release
            } else {
                # Identifier not seen yet: keep collecting.
                TCP::collect
            }
        }
    }

HOW IT WORKS
1. Client requests information from an application and is routed through BIG-IP
2. BIG-IP UIE inspects for the specific information identified
3. iRule runs and queries the payload (TCP::collect) for the specific identifier needed (SenderCompID)
4. Based upon the rule, the client request is persisted to a specific server dedicated to that user (Pool A or Pool B)

** Enhanced by community; see CodeShare

What makes iRules so unique?

– Full-fledged scripts, executed against traffic on the network, at wire speed
– Powerful logical operations combined with deep packet inspection
– The ability to route, re-route, re-direct, retry, or block traffic
– Community support, tools and innovation

Solution: Credit Card Scrubber

Challenges
• Rapid feature enhancements come at the expense of good security practices
• Scanning on each server doesn’t perform well

Solution
• iRule provides a centralized mechanism for protection
• High performance at the network layer maintains high end-user satisfaction
• App teams focus on features, network teams focus on protection

Remove Valid Credit Card Numbers

HOW IT WORKS
1. Client requests information from an application and is routed through BIG-IP
2. BIG-IP directs the request to the best performing web server
3. Web server provides the application response BUT the iRule runs if it sees a string of 16 digits
4. iRule fires off the MOD-10 algorithm to determine if the 16-digit string is a valid credit card number; offending server IP address logged and flagged
5. If a valid match, first 12 digits are replaced with Xs
6. Client only sees the “sanitized” response.

Diagram: HTTP request from the client through BIG-IP to the application server; the response from the application server accidentally leaks customer credit card numbers and is scrubbed before it reaches the client.

** Created collaboratively within community

    when HTTP_REQUEST {
        # Don't allow data to be chunked: downgrade the server-side request to
        # HTTP/1.0 while keeping the connection alive if the client asked for it.
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
    }
    when HTTP_RESPONSE {
        # Buffer the whole body so HTTP_RESPONSE_DATA can inspect it.
        if { [HTTP::header exists "Content-Length"] } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 4294967295
        }
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
    when HTTP_RESPONSE_DATA {
        # Find ALL the possible credit card numbers in one pass
        # (Amex 34/37 + 13 digits, Visa 4 + 15, MasterCard 51-55 + 14, Discover 6011 + 12).
        set card_indices [regexp -all -inline -indices \
            {(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} [HTTP::payload]]
        foreach card_idx $card_indices {
            set card_start [lindex $card_idx 0]
            set card_end [lindex $card_idx 1]
            set card_len [expr {$card_end - $card_start + 1}]
            set card_number [string range [HTTP::payload] $card_start $card_end]
            set double [expr {$card_len & 1}]
            set chksum 0
            set isCard invalid
            # Calculate MOD10 (Luhn): double every second digit counted from the
            # right, subtract 9 when a doubled digit reaches 10, and sum.
            for { set i 0 } { $i < $card_len } { incr i } {
                set c [string index $card_number $i]
                if { ($i & 1) == $double } {
                    if { [incr c $c] >= 10 } { incr c -9 }
                }
                incr chksum $c
            }
            # Determine Card Type
            switch [string index $card_number 0] {
                3 { set type AmericanExpress }
                4 { set type Visa }
                5 { set type MasterCard }
                6 { set type Discover }
                default { set type Unknown }
            }
            # If valid card number, then mask out numbers with X's. The mask has
            # the same length as the match, so the remaining indices stay valid.
            if { ($chksum % 10) == 0 } {
                set isCard valid
                HTTP::payload replace $card_start $card_len [string repeat "X" $card_len]
            }
            # Log Results: only the last four digits, so the log does not become
            # a second copy of the leaked number.
            log local0. "Found $isCard $type CC# ending [string range $card_number end-3 end]"
        }
    }

Solution: Anti-phishing

Prevent unwanted referrals of Content

Challenges
• Attacks are directed at users, not the servers themselves
• No control of user actions
• Can’t force software install

Solution
• iRule allows for prevention of the scraping required to perform the attack
• Preventative approach keeps users safe without need for their interaction
• Server load decreased

Diagram: web servers feed content to anyone requesting it, including people who shouldn’t be serving this content; the HTTP request and response pass through BIG-IP.

HOW IT WORKS
1. Define a list of valid referrers in the form of a class. This is a list of those sites that you expect to be linking to content on your site.
2. Define a list (in the form of a class) of file types that should not be linked to, other than by the referrers listed in item 1.
3. Check whether an invalid referrer (not someone in class 1) is trying to serve data from your site and what kind of content they shouldn’t be trying to serve. If it matches the file types in class 2, block it. If not, insert some custom code to help prevent phishing attempts.

    class valid_referers {
        "http://mydomain.com"
        "http://mydomain1.com"
        "http://url1"
        "http://url2"
        "http://url3"
    }

    class file_types {
        ".gif"
        ".jpg"
        ".png"
        ".bmp"
        ".js"
        ".css"
        ".xsl"
    }

    rule no_phishing {
        when HTTP_REQUEST {
            # Initialise the flag so HTTP_RESPONSE never reads an unset variable
            # (the slide's version only set it on one branch).
            set respond 0
            # Don't allow data to be chunked.
            if { [HTTP::version] == "1.1" } {
                if { [HTTP::header is_keepalive] } {
                    # Adjust the Connection header.
                    HTTP::header replace "Connection" "Keep-Alive"
                }
                HTTP::version "1.0"
            }
            if { [matchclass [HTTP::header "Referer"] starts_with $::valid_referers] < 1 } {
                if { ([string tolower [HTTP::method]] eq "get") && ([matchclass [HTTP::uri] contains $::file_types] > 0) } {
                    # Listed file type requested from an unknown referrer: drop it.
                    discard
                } elseif { ([HTTP::header exists "Content-Type"]) && ([HTTP::header "Content-Type"] starts_with "text") } {
                    set respond 1
                }
            }
        }
        when HTTP_RESPONSE {
            if { $respond == 1 } {
                if { [HTTP::header exists "Content-Length"] } {
                    set content_len [HTTP::header "Content-Length"]
                } else {
                    set content_len 4294967295
                }
                if { $content_len > 0 } {
                    HTTP::collect $content_len
                }
            }
        }
        when HTTP_RESPONSE_DATA {
            # The HTML marker searched for and the snippet inserted after it were
            # HTML tags that did not survive the transcript; both appear here as
            # the empty strings the transcript shows.
            set bypass [string first -nocase "" [HTTP::payload]]
            if { $bypass != -1 } {
                HTTP::payload replace $bypass 0 "\n"
            } else {
                HTTP::respond 500
            }
        }
    }

F5 iRule Editor

First network rule editor optimizes development. Includes:
– Syntax checking
– Auto-complete
– Template support
– Doc links
– Deployment integration
– Statist<br>ics monitoring
– Data group editing
– Optional post to CodeShare feature

Available: Now
Pricing: Free
Download, Tutorials: on DevCentral

Introducing iControl v9

– Open API (SOAP/XML) allows applications to automatically interact with the network
– Integration with development tools from Microsoft, BEA, and Oracle
– Online community: F5 DevCentral
– Developer assistance on F5 DevCentral via developer forums (http://devcentral.f5.com)
– iRules forum and code examples

iControl Eases Application Integration

Leverage the skills and expertise you already have!

Key Components
– XML/SOAP interface
– Downloadable SDK
– Technology partnerships
– DevCentral resource centre and community

Benefits
– Open, standards based integration
– Simplified development
– Proven integration
– Sample code, documentation, discussion forums

Integration and Extensibility: iControl Event API

– Create Subscription: the administrator uses the provided sample application (or a custom application) to create event subscriptions.
– Select Event Type: choose a specific event to track, then create the subscription name and parameters.
– Upon the event, a message is distributed via log, email, or SMS to phone/PDA.

– Applications can subscribe to 47 different system events
– Sample application (screenshots) provided with the SDK
– Bulk method support – 100:1 reduction in calls, 90% reduction in bandwidth

iControl Application Migration to v9

– Paste Code Into Analyser: the developer visits DevCentral, accesses the Code Analyser, and selects language and report format.
– Summary Report: the generated report identifies the lines where conflicts exist, defines the method affected, and links directly to online versions of the 4.x and v9 SDKs.

– Analyser free for use by all F5 DevCentral members
– DevCentral Forum available for posting migration questions
– Additional samples and technical tips will be available

DevCentral Technical Community

http://devcentral.f5.com/
– Forum for F5 customers building iRules and iControl applications
– F5 provides technical documentation, tips, free sample downloads, and a confidential discussion forum
– Monitored by F5 engineers and technical experts who answer technical questions: design, architecture, troubleshooting and general assistance with iRules and iControl

Link Collection

Overall: www.f5.com

Technical
– www.f5.com
– ask.f5.com
– devcentral.f5.com

F5 University
– www.f5university.com/ (login: your email address)
– www.f5.com/training_services/certification/certFAQ.html

Partner Information
– www.f5.com/partners

Gartner Report
– http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html

Important deployment information is available at http://www.f5.com/solutions/deployment/
– Data Center Virtualization: http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
– Application Traffic Management: http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
– Application Briefs: http://www.f5.com/solutions/applications/
– Solution Briefs: http://www.f5.com/solutions/sb/
– F5 Compression and Cache Test: http://www.f5demo.com/compression/index.php
– F5 iControl Alliance Partners: http://www.f5.com/solutions/partners/iControl/
– F5 Technology Alliance Partners: http://www.f5.com/solutions/partners/tech/

Let us know if you need any clarification or you have any further questions.

Thank You