F5 Application Traffic Management
Radovan Gibala, Senior Solutions Architect
+420 731 137 223
2009
Application Delivery Network: business requirements and the F5 products that address them

• Business Continuity, HA and Disaster Recovery (BIG-IP LTM, GTM, LC, WA; FirePass; ARX; WJ): WAN virtualization, file virtualization, DC-to-DC acceleration, virtualized VPN access
• App Security & Data Integrity (BIG-IP LTM, ASM; FirePass): AAA, data protection, transaction validation
• Managing Scale & Consolidation (BIG-IP LTM, GTM, LC, WA; FirePass; ARX; WJ): asymmetric and symmetric acceleration, server offload, load balancing; virtualized application and infrastructure, server and application offload
• Unified Security Enforcement & Access Control (FirePass; BIG-IP LTM, GTM): remote, WLAN and LAN access, central policy enforcement, end-point security, encryption, AAA
• Storage Growth (ARX; BIG-IP GTM): virtualization, migration, tiering, load balancing
• User Experience & App Performance (BIG-IP LTM, GTM, WA; ARX; WJ)

The same requirements apply across people, applications and data.
How To Achieve the Requirements?

Multiple point solutions: the network administrator asks for more bandwidth (add more infrastructure?), the application developer asks for more application work (hire an army of developers?).

The Result: A Growing Network Problem

Users on mobile phones, PDAs, laptops and desktops reach the applications (CRM, SFA, ERP, customised applications, co-location) only through a chain of separate point solutions: DoS protection, rate shaping, SSL acceleration, server load balancer, content acceleration, application firewall, connection optimisation and traffic compression.
F5’s Integrated Solution

Users (mobile phone, PDA, laptop, desktop) connect through a single Application Delivery Network built on TMOS to the applications: CRM, database, Siebel, BEA, legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, custom and co-located applications.
A New Level of Intelligence

Legacy approach: packet based, reacting to a single communication in one direction.
TM/OS: flow based, reacting to a real-time, two-way conversation and translating between the parties.
Deliver Application Exactly as Intended

Manage entire application flows with the Universal Inspection Engine (UIE) in the TM/OS fast application proxy, on both the client side and the server side:
• Independent connection control
• Supporting all IP applications
• High performance framework
• Bi-directional, full payload inspection
• Session level control
The Most Intelligent and Adaptable Solution

The TM/OS fast application proxy with its Universal Inspection Engine (UIE) gives complete visibility and control of application flows. Functions are targeted and adaptable: GUI-based application profiles give repeatable policies, and iRules, the programmable network language, let new services be added for security, optimisation and delivery. Example (news website): compression on the client side, TCP offloading and load balancing on the server side.

Traffic Management Operating System (TMOS)

Shared application services: iRules, rate shaping / rate limiting, resource cloaking, transaction assurance, universal persistence, caching, compression, selective content encryption, advanced client authentication, application health monitors, application switching.

Shared network services: TCP Express, protocol sanitization, high performance SSL, DoS and DDoS protection, VLAN segmentation, line rate L2 switching (mirroring, trunking, STP, LACP), IP packet filtering, IPv6, dynamic routing, secure network address translation, port mapping, common management framework.
Unique TMOS Architecture

Between client and server, TMOS runs a microkernel TCP proxy with a client side and a server side. Around it sit the traffic plug-ins (powerful application protocol support), the high-performance networking microkernel on high-performance hardware, iControl (API for external monitoring and control) and iRules (network programming language).
BIG-IP: First Unified Application Infrastructure Services

Security
• DoS and SYN flood protection, DoS and DDoS protection
• Brute force attack protection
• Network address/port translation
• Application attack filtering
• Certificate management
• Resource cloaking
• Advanced client authentication
• Firewall (packet filtering)
• Selective content encryption
• Cookie encryption
• Content protection
• Protocol sanitization
• Secure and accelerated DC-to-DC data flow

Availability
• Comprehensive load balancing
• Advanced application switching
• Customized health monitoring
• Intelligent network address translation
• Advanced routing
• Intelligent port mirroring
• IPv6 gateway
• Universal persistence
• Response error handling
• Session / flow switching
• Network virtualization, system resource control, application templates, dashboard

Acceleration
• SSL acceleration
• Quality of service
• Connection pooling
• Intelligent compression
• L7 rate shaping
• Content spooling/buffering
• TCP optimization
• Content transformation
• Caching
• TCP Express
Comprehensive Load Balancing

Static
  – Round Robin
  – Ratio
Dynamic
  – Fastest
  – Least Connections
  – Observed
  – Predictive
  – Dynamic Ratio
Priority Groups
Feature Overview / BIG-IP

Availability Checking
• Check any back-end process using EAV
• Works for any IP based application
• Stateful failover between devices

Security
• Firewall-like device to resist most attacks
• All administration is encrypted
• Integrated SSL/FIPS and secure NAT
Feature Overview / BIG-IP

SSL and E-Commerce
• Only product with integrated SSL
• Single certificate simplifies administration
• Lowers certificate costs
• Client certificate checking (authentication)

Layer 7 Functionality
• Can utilize all HTTP header/content or TCP content in traffic decisions
• Can persist on anything
• HTTP 1.1 keep-alives dramatically improve performance
Feature Overview / BIG-IP

Easy to Implement and Support
• Can be deployed as either a Layer 2 or a Layer 3 device
• Simple and complete graphical user interface
• Installation services by F5 and/or partner

Flexibility
• BIG-IP works with any server or IP based service
• iControl enables integration with internal and/or 3rd-party applications
Powerful and Simplified Management

“We have to deal with multiple products. The new user interface makes every other solution in this space look absolutely immature. F5’s solutions are 10 times easier to manage than Cisco.”
- Major US Hosting Provider

Profile Based Management: profile based traffic management with an improved view of all resources and traffic, across Deliver, Optimize and Secure.
Ensure Higher Availability: Superior System Design

Process reporting and control
  – Granular status, logging and configurable actions for component-level failures. Capable of warm restarts and upgrades.
3-way HA design
  – Robust internal system checking and pass-through design.

Extensibility: IPv6 Gateway
Network Virtualization: Route Domains

Consolidation with control: host multiple groups on one BIG-IP without conflicts, with granular control that provides separate routing domains and overlapping IPs.

System Resource Control: Module Provisioning

Consolidation with control: allocate CPU, memory and disk per module, and customize the allocation to meet your needs.
Simple Application Roll-outs: Application Templates

Templates are provided for SharePoint 2007, VMware VDI, Exchange Web Access 2007, IIS 7.0, HTTP, BEA WebLogic 5.1 and 8.1, Oracle Application Server 10g, SAP ERP 6.0 and ERP 2006, Citrix Presentation Server, DNS, IP forwarding, LDAP and RADIUS.

“The Application Templates allowed us to deploy Microsoft IIS in seconds instead of hours”
- System Engineer, Fortune 500 Co.

Simplified Management: Dashboard

Secure and Accelerate DC to DC: iSessions

Secure and accelerate traffic between data centers; integrated and free with BIG-IP LTM v10. Symmetric compression (adaptive, Deflate, LZO) with SSL encryption.
Note: not available on the 1500 and 3400.
BIG-IP Security Add-On Modules
• Application Security Module: protect applications and data
• SSL Acceleration: protect data over the Internet
• Advanced Client Authentication Module: protect against unauthorised access

BIG-IP Software Add-On Modules: quickly adapt to changing application and business challenges
• Compression Module: increase performance
• WebAccelerator (Fast Cache Module): offload servers
• Rate Shaping Module: reserve bandwidth
Intelligent HTTP Compression

The most intelligent and flexible solution to target HTTP compression where it matters most:
• URI/content filters (allow/disallow lists)
  – Compress only specified file types, based on URI or MIME type
• Client-aware compression (patent pending)
  – Based on TCP latency: observe the client RTT
  – Based on low bandwidth client connections
• Granular L7 based compression
• Tunable resource allocation
  – Devote more memory and CPU cycles to high priority compression jobs
• Adaptable compression
  – Scale back compression based on CPU load

Real Time Compression Tool: www.f5demo.com/compression
TCP Express

Behaviors of a good TCP/IP implementation:
  – Proper congestion detection.
  – Good congestion recovery.
  – High bandwidth utilization.
• Being too aggressive can cause individual connections to consume all of the network.
• Not being aggressive enough will leave bandwidth unused, especially with a low number of connections.
• A good implementation always needs to adapt to changing congestion.

Increased windowing and buffering will often help compensate for latency and can also offload the application equipment more quickly. The most important tuning you can do in TCP typically concerns window sizes and retransmission logic (aka congestion control behavior). On today’s networks, loss is almost always caused by congestion.
  – Most TCP stacks are not aggressive enough.
F5’s TCP Congestion Control Algorithms

Reno congestion control
  – Original TCP fast recovery algorithm based on BSD Reno.
  – Initially grows the congestion window exponentially during the slow-start period.
  – After slow-start, increases CWND by 1 MSS for each CWND acked (linear growth).
  – When loss or a recovery episode is detected, the CWND is cut in half.

New Reno modifications (currently the default mode)
  – Improves on the Reno behaviour.
  – When entering a recovery episode, implements a fast retransmit:
    • Each ACK below the recovery threshold triggers a one-time resend of the data starting at the ACK.
    • Results in sending the missing data more aggressively and exiting the recovery period sooner.

Scalable TCP (added in 9.4)
  – Improves on the NewReno behaviour.
  – Upon loss, the CWND is reduced by only 1/8.
  – Once out of slow start, CWND increases by 1% of an MSS for each CWND ACK’d.

HighSpeed (F5's proprietary congestion control, added in 9.4)
  – Similarly improves on the NewReno behaviour, in combination with Scalable TCP.
  – Progressively switches from NewReno to Scalable TCP based on the size of the CWND.
    • Upon loss, the CWND is reduced by somewhere between 1/2 and 1/8.
    • CWND grows by somewhere between 1% and 100% of an MSS for each CWND ACK’d.
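To see why the slide calls the halving behaviour "not aggressive enough", the following Python model (an added example, not F5 code) applies the loss and growth rules described above to a large window and counts the RTTs each algorithm needs to refill it. The per-ACK growth for Scalable TCP and the HighSpeed switch-over thresholds HS_LOW and HS_HIGH are assumptions of this example; the slide gives neither.

```python
"""Per-RTT congestion-window models for the three families on the slide.

Assumptions (not on the slide):
  * the window is tracked in MSS units and updated once per RTT;
  * Scalable TCP adds 0.01 MSS per ACK, so a window of cwnd segments grows
    by 1 % per RTT (the published Scalable TCP definition);
  * HighSpeed blends NewReno and Scalable with a linear weight between two
    constructed window thresholds; F5's real switch-over points are proprietary.
"""

HS_LOW = 38.0      # constructed: at or below this window HighSpeed acts like NewReno
HS_HIGH = 8000.0   # constructed: at or above this it acts like Scalable TCP


def highspeed_weight(cwnd: float) -> float:
    """0.0 = pure NewReno behaviour, 1.0 = pure Scalable TCP behaviour."""
    if cwnd <= HS_LOW:
        return 0.0
    if cwnd >= HS_HIGH:
        return 1.0
    return (cwnd - HS_LOW) / (HS_HIGH - HS_LOW)


def after_loss(cwnd: float, algo: str) -> float:
    """Window after a loss / recovery episode, per the slide's rules."""
    if algo == "reno":        # Reno / NewReno: cut in half
        return cwnd / 2.0
    if algo == "scalable":    # Scalable TCP: reduce by only 1/8
        return cwnd - cwnd / 8.0
    if algo == "highspeed":   # somewhere between 1/2 and 1/8, by window size
        w = highspeed_weight(cwnd)
        cut = (1.0 - w) * 0.5 + w * (1.0 / 8.0)
        return cwnd * (1.0 - cut)
    raise ValueError(algo)


def after_rtt(cwnd: float, algo: str) -> float:
    """Window after one loss-free RTT in congestion avoidance (past slow start)."""
    if algo == "reno":        # +1 MSS for each full window ACKed
        return cwnd + 1.0
    if algo == "scalable":    # +0.01 MSS per ACK, cwnd ACKs per RTT
        return cwnd * 1.01
    if algo == "highspeed":   # per-ACK growth between 1/cwnd MSS and 0.01 MSS
        w = highspeed_weight(cwnd)
        per_ack = (1.0 - w) * (1.0 / cwnd) + w * 0.01
        return cwnd + cwnd * per_ack
    raise ValueError(algo)


def rtts_to_recover(cwnd_before_loss: float, algo: str, limit: int = 1_000_000) -> int:
    """RTTs needed after a single loss to climb back to the pre-loss window."""
    cwnd = after_loss(cwnd_before_loss, algo)
    rtts = 0
    while cwnd < cwnd_before_loss:
        cwnd = after_rtt(cwnd, algo)
        rtts += 1
        if rtts >= limit:
            raise RuntimeError("window did not recover within limit")
    return rtts


if __name__ == "__main__":
    # A long fat pipe: a 1000-segment window, one loss, how many RTTs to refill?
    for algo in ("reno", "scalable", "highspeed"):
        print(f"{algo:10s} loss -> {after_loss(1000, algo):7.1f} MSS, "
              f"recovers in {rtts_to_recover(1000, algo)} RTTs")
```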
OneConnect™: Connection Pooling

• Increases server capacity by 30%: aggregates a massive number of client requests into fewer server-side connections
• Transforms HTTP 1.0 to 1.1 for server connection consolidation
• Maintains intelligent load balancing to dedicated content servers

Good sources:
http://tech.f5.com/home/bigip/solutions/traffic/sol1548.html
http://www.f5.com/solutions/archives/whitepapers/httpbigip.html
OneConnect™ New and Improved

HTTP request pooling: a web page made of many objects (index.htm, a.gif, b.gif, c.asp, ...) is streamlined into a single client request to BIG-IP, enabled by HTTP 1.1. The average reduction is 20 to 1 per web page.

1) OneConnect™ content switching: intelligent load balancing to dedicated content servers (HTML server pool, GIF server pool, ASP server pool) while maintaining server logging.
2) OneConnect™ HTTP transformations: transformation from HTTP 1.0 to 1.1 for server connection consolidation; many client connections become one new server connection.
3) OneConnect™ connection pooling: aggregates a massive number of client requests (index.htm, sales.htm, a.gif through f.asp) into fewer server-side connections.
Content Spooling

Problem: TCP overhead on servers. There is overhead in breaking content apart (“chunking”); the client and server negotiate TCP segmentation, and the client forces more segmentation than is good for the server, so the server is burdened with breaking content into small pieces for good client consumption.
Solution: slurp up the server response and spoon-feed the clients.
Benefit: increases server capacity by up to 15%.
L7 Rate Shaping: Integrated and Fine-Grained Bandwidth Control

• Sophisticated bandwidth control
  – Flexible bandwidth limits
  – Full support for bandwidth borrowing
  – Traffic queuing (stochastic fair queue, FIFO, ToS priority queue)
• Granular traffic classification, L2 through L7
  – iRules can initiate a rate class on any traffic flow variable
• The only multi-direction control: control throughput in any direction (WAN, pool of servers, network segments)

A rate class is defined by a base rate, a ceiling rate and a burst allowance.
Hardware

Actual BIG-IP Platforms (plotted by price against function / performance, 1600 lowest, VIPRION highest)

BIG-IP 1600: dual core CPU; 4 x 10/100/1000 + 2 x 1 GbE SFP; 1 x 160 GB HD; 4 GB memory; SSL @ 5K TPS / 1 Gb bulk; 1 Gbps max software compression; 1 Gbps traffic; 1 basic product module
BIG-IP 3600: dual core CPU; 8 x 10/100/1000 + 2 x 1 GbE SFP; 1 x 160 GB HD + 8 GB CF; 4 GB memory; SSL @ 10K TPS / 2 Gb bulk; 1 Gbps max software compression; 2 Gbps traffic; 1 advanced product module
BIG-IP 6900: 2 x dual core CPU; 16 x 10/100/1000 + 8 x 1 GbE SFP; 2 x 320 GB HD (S/W RAID) + 8 GB CF; 8 GB memory; SSL @ 25K TPS / 4 Gb bulk; 5 Gbps max hardware compression; 6 Gbps traffic; multiple product modules
BIG-IP 8900: 2 x quad core CPU; 16 x 10/100/1000 + 8 x 1 GbE SFP; 2 x 320 GB HD (S/W RAID) + 8 GB CF; 16 GB memory; SSL @ 58K TPS / 9.6 Gb bulk; 6 Gbps max hardware compression; 12 Gbps traffic; multiple product modules
VIPRION: multiple product modules

2008: Hardware Architecture (single-board design)

Components: LCD panel; compact flash*; HDD1 and HDD2* (1 / 2); RAM; CPUs (two standard, two optional*); SSL* card; FIPS* (Federal Information Processing Standards) option; hardware compression card*; BCM (Broadcom ASIC, Layer 2) with x* 10/100/1000Base-T copper/SFP-GBIC ports and 10 GbE*; AOM (Always On Module, SCCP in former versions); power supply and second power supply*. The TMM (Traffic Management Microkernel) handles Layers 4 to 7.
* Depends on platform (optional)
High-Performance Application Switches: BIG-IP 8900, BIG-IP 6900, BIG-IP 1600 - 3600

Consolidate with purpose-built hardware
• Designed specifically for application delivery
• Integrated platform for security, acceleration, availability
Offload application servers
• High performance hardware SSL and compression offload
• Advanced connection management
Reduce operating costs
• Simplified management with USB, front panel management, remote boot, and more
• Increased uptime with hot swappable and redundant components
BIG-IP 1600: high performance meets high value
High performance
  – Dual-core CPU provides 1 Gb/s of L7 throughput
Reliable and adaptable
  – Options for dual power and DC power
  – Front-to-back cooling
Basic security and acceleration options
  – Protocol Security Module
  – 1 Gb/s compression and SSL throughput

BIG-IP 3600: integrated ADC in a 1U platform
Advanced security and acceleration options
  – WebAccelerator option
  – Application Security Module option
High performance
  – Dual-core CPU provides 2 Gb/s of L7 throughput
Reliable and adaptable
  – Options for dual power and DC power
  – Front-to-back cooling

BIG-IP 6900: consolidation and integration
High performance for consolidation
  – Dual CPU, dual core for 6 Gb/s of L7 throughput
  – Hardware SSL and compression offload
Multi-module integration
  – Run multiple modules and unify application delivery functions onto a single device
Reliable and adaptable
  – Dual power supplies and dual hard drives standard
  – Front-to-back cooling

BIG-IP 8900: the foundation of a unified ADN
High performance for consolidation
  – Dual CPU, quad core for 12 Gb/s of L7 throughput
  – Hardware SSL and compression offload
10G ports for next-gen data centers
  – Two 10G SFP ports in addition to 1G copper and fiber connections
Reliable and adaptable
  – Dual power supplies and dual hard drives standard
  – Front-to-back cooling
Platform Performance

                              BIG-IP 1600   BIG-IP 3600   BIG-IP 6900   BIG-IP 8900
Max. throughput               1 Gbps        2 Gbps        6 Gbps        12 Gbps
Layer 4 connections/sec       60,000        115,000       220,000       400,000
Layer 7 requests/sec (inf-inf) 100,000      135,000       600,000       1,200,000
Max. concurrent connections   4 million     4 million     8 million     16 million
Max. SSL TPS                  5,000         10,000        25,000        58,000
Max. SSL bulk                 1 Gbps        1.5 Gbps      4 Gbps        9.6 Gbps
Max. SSL concurrent conn.     1 million     1 million     2 million     4 million
Max. compression              1 Gbps        1 Gbps        5 Gbps        9.6 Gbps
Switch backplane              14 Gbps       24 Gbps       68 Gbps       112 Gbps
CMP Super-VIP

Servers and network are connected through switches to four traffic management microkernels (TMM0 to TMM3). Multitasking means screwing up several tasks at the same time.
The World’s Only On Demand ADC

VIPRION, the on demand ADC: add application intelligence without adding management cost; market-leading performance; ultimate redundancy; TMOS inside.
VIPRION Overview

Unmatched performance
  – Massive scalability
  – Processing architecture common with the 8800
Intelligent clustering
  – SuperVIP (virtuals can seamlessly span blades)
  – N+M redundancy for all features in the cluster
High availability
  – Automatic failover within the cluster
  – Chassis-to-chassis redundancy
Full modular chassis
  – 4 blade slots with one blade type
  – Any blade can be chassis master
Common central management console
  – Single point of management
  – Same user interface as BIG-IP appliances
On Demand: Zero Reconfiguration

Blades are added to serve more physical servers and virtual machines with automatic addition of processing power, no need to overprovision, and fixed and predictable OpEx.

Ultimate Reliability: Multi-Level Redundancy
• Internal blade-to-blade failover
• External chassis-to-chassis failover
• Hot swappable power supplies, fan trays and LCD display
• Passive, redundant backplane
• Integrated lights-out management
• Blade failure will not cause chassis failure
• Redundant and hot swappable components: always available between client and server
Traditional ADC Scaling

With GSLB within the datacenter, each server farm (A, B, C, D) gets its own hostname (www, www1, www2, www3, www4), and each addition requires DNS changes, physical reconfigurations, routing changes and ADC reconfiguration.

Clustered Multi Processing Scales

A chart compares the time needed on a single processor, on SMP, and on TMOS clustered multi processing at 2x, 4x and 8x.
Virtual Processing Fabric

Clustered multi processing: custom disaggregator ASICs and a high speed bridge distribute client and server traffic across a processing complex of TMM 0, TMM 1 ... TMM n.

The SuperVIP

Virtualization: “Separating the physical characteristics of computing resources from the systems, applications or end users interacting with those resources”.
With a SuperVIP, a single virtual server (www. and its pool) may be processed by all computing resources of the VIPRION.
Market Leading Performance

                          Single blade     4 blade system
L7 fast HTTP (inf/inf)    800,000 rps      3,200,000 rps
L7 full proxy (inf/inf)   300,000 rps      1,200,000 rps
SSL TPS                   50,000           200,000
SSL throughput            9 Gbps           36 Gbps
L4 conn/s (1-1)           250,000 cps      1,000,000 cps
Compression               4.5 Gbps         16 Gbps
L4 throughput             10 Gbps          36 Gbps
L7 throughput             10 Gbps          36 Gbps

More detailed measures
Avoid Management Nightmare

One TMOS with security, acceleration, iRules and iControl on a VIPRION delivers 200,000 SSL TPS; at 12,000 SSL TPS per blade that would take 16 blades.

Avoid Growing Pains

One TMOS with security, acceleration, iRules and iControl on a VIPRION delivers 3,200,000 Layer 7 requests/sec; at 76,000 L7 RPS per blade that would take 42 blades.
VIPRION Management

Management, continued

iRules and iControl
What are iRules?

• A programming language integrated into TMOS (the Traffic Management Operating System)
• Based on the industry standard TCL language (Tool Command Language)
• Provides the ability to intercept, inspect, transform, direct and track inbound or outbound application traffic
• The core of the F5 “secret sauce” and a key differentiator
How do iRules Work?

• iRules allow you to perform deep packet inspection (entire header and payload)
• Coded around events (HTTP_REQUEST, HTTP_RESPONSE, CLIENT_ACCEPTED etc.)
• A full scripting language allows for extremely granular control of inspection, alteration and delivery on a packet by packet basis

Requests pass through BIG-IP, the iRule-triggered HTTP events fire (HTTP_REQUEST, HTTP_RESPONSE, etc.), and modified responses* are returned.
*Note: BIG-IP’s bi-directional proxy capabilities allow it to inspect, modify and route traffic at nearly any point in the traffic flow, regardless of direction.
The Better Alternative Example: Centralized Availability, Security & Acceleration

A repeatable, extensible, flexible architecture. The three iRules on the slide show centralized transaction assurance (proactive response error handling for higher availability), centralized data protection (rewrite, remove, block and/or log sensitive content) and host-to-URI mapping (faster access to data through automatic redirection).

Centralized transaction assurance. The slide shows only the start of this rule; the action taken on a 500 response is not on the slide.

    rule redirect_error_code {
        when HTTP_REQUEST {
            set my_uri [HTTP::uri]
        }
        when HTTP_RESPONSE {
            if { [HTTP::status] == 500 } {
                # action on the 500 response not shown on the slide
            }
        }
    }

Centralized data protection: find and replace SSN numbers, replacing the payload only if necessary. The slide's version tested the rewritten text instead of regsub's substitution count and lacked the HTTP::collect that makes HTTP_RESPONSE_DATA fire; both are corrected here.

    rule protect_content {
        when HTTP_RESPONSE {
            # Collect the body so that HTTP_RESPONSE_DATA fires.
            HTTP::collect
        }
        when HTTP_RESPONSE_DATA {
            set payload [HTTP::payload [HTTP::payload length]]
            # Find and replace SSN numbers; regsub returns the number of substitutions.
            if { [regsub -all {\d{3}-\d{2}-\d{4}} $payload "xxx-xx-xxxx" new_response] != 0 } {
                # Replace only if necessary.
                HTTP::payload replace 0 [HTTP::payload length] $new_response
            }
        }
    }

Host to URI mapping: the company name is taken from the Host header, looked up in a data group and used for a redirect. The slide does not name this rule, so the name below is a placeholder; the variables are initialised so the lookup cannot fail when no company is found.

    rule host_to_uri_mapping {
        when HTTP_REQUEST {
            # www.A.com -- domain == A.com, company == A
            set company ""
            set mapping ""
            regexp {\.([\w]+)\.com} [HTTP::host] domain company
            if { "" ne $company } {
                # look for the second string in the data group
                set mapping [findclass $company $::valid_company_mappings " "]
            }
            if { "" ne $mapping } {
                HTTP::redirect "http://www.my_vs.com/$mapping"
            }
        }
    }
Solution: Server Resource Cloaking

Description: to prevent web server signatures from exposing potential security holes to hackers, iRules are used to remove or “cloak” visible web server signatures (here, the Apache 2.0.49 reference).

How it works:
1. The client requests information from an application and is routed through BIG-IP (HTTP request).
2. BIG-IP directs the request to the best performing web server.
3. The web server provides the application response, BUT by default all responses include information that indicates the type of server responding (the response from the Apache web server includes server signatures).
4. BIG-IP looks at the traffic and determines it must call the iRule for “Resource Cloaking”.
5. The iRule runs, removing the Apache references, and sends the response on to the client.
6. The client only sees the “sanitized” response (HTTP response).

The iRule (the slide does not name it):

    rule resource_cloaking {
        when HTTP_RESPONSE {
            # Remove all but the given headers.
            HTTP::header sanitize "ETag" "Connection" "Content-Type"
        }
    }
What can an iRule do?

• Read, transform or replace header or payload information (HTTP, TCP, SIP, etc.)
• Work with any protocol, such as SIP, RTSP, XML and others, with either native (HTTP::cookie) or generic (TCP::payload) commands
• Make adjustments to TCP behavior, such as MSS, checking the RTT, deep payload inspection
• Authentication assistance, offload, inspection and more for LDAP, RADIUS, etc.
• Caching, compression, profile selection, rate shaping and much, much more
iRule Event Taxonomy (grouped by event prefix)

Authentication: AUTH_ERROR, AUTH_FAILURE, AUTH_RESULT, AUTH_SUCCESS, AUTH_WANTCREDENTIAL
Cache: CACHE_REQUEST, CACHE_RESPONSE
SSL: CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE, SERVERSSL_HANDSHAKE
DNS: DNS_REQUEST, DNS_RESPONSE, NAME_RESOLVED
Load balancing: LB_FAILED, LB_SELECTED
Rule lifecycle: RULE_INIT
Line-oriented protocols: CLIENT_LINE, SERVER_LINE
HTTP: HTTP_CLASS_FAILED, HTTP_CLASS_SELECTED, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA
RTSP: RTSP_REQUEST, RTSP_REQUEST_DATA, RTSP_RESPONSE, RTSP_RESPONSE_DATA
SIP: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE
Connection events (repeated under each protocol column on the slide): CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA
Stream: STREAM_MATCHED
User: USER_REQUEST, USER_RESPONSE
XML: XML_BEGIN_DOCUMENT, XML_BEGIN_ELEMENT, XML_CDATA, XML_END_DOCUMENT, XML_END_ELEMENT, XML_EVENT
Solution: FIX Protocol Persistence

Challenges
• The business chooses the protocol required by its industry sector
• Implementation on the server side is impossible in an enterprise HA scenario
Solution
• An iRule provides a centralized mechanism to intercept, inspect and route
• The solution can be deployed in true HA / multi-server (even multi-data-center) mode
• Clean code management
** Enhanced by the community; see CodeShare

How it works:
1. The client requests information from an application and is routed through BIG-IP.
2. The BIG-IP UIE inspects for the specific information identified.
3. The iRule runs and queries the payload (TCP::collect) for the specific identifier needed: the iRule query identifies the FIX SenderCompID.
4. Based upon the rule, the client request is persisted to a specific server (pool A or pool B) dedicated to that user.

The iRule, reconstructed from the slide's one-line rendering with two corrections: the SOH byte before "49=" is written as \u0001, because in Tcl both the string and the regular-expression \x escape may consume more than two hex digits, so "\x0149" does not mean SOH followed by "49"; and the value is matched with [^\u0001]* rather than the greedy .*, which would run to the last SOH in the buffer and pull the rest of the message into the persistence key.

    rule FIX_regexp {
        when CLIENT_ACCEPTED {
            TCP::collect
        }
        when CLIENT_DATA {
            # Tag 49 is the SenderCompID; FIX fields are SOH (0x01) delimited.
            if { [regexp {\u000149=([^\u0001]*)\u0001} [TCP::payload] -> SenderCompID] } {
                persist uie $SenderCompID
                TCP::release
            } else {
                # Not enough data yet; keep collecting.
                TCP::collect
            }
        }
    }
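The extraction step of that iRule, re-implemented in Python as an added example (not F5 code) so the greedy and the bounded regex can be compared outside BIG-IP; the FIX logon message and the CompIDs in it are constructed sample values.

```python
"""Extract the FIX SenderCompID (tag 49) the way the FIX_regexp iRule does.

FIX fields are 'tag=value' pairs separated by SOH (0x01).  A leading SOH is
prepended to the buffer so that the pattern also matches when tag 49 is the
first field, as the iRule's pattern requires an SOH before '49='.
"""
import re
from typing import Optional

SOH = "\x01"

# Constructed FIX 4.2 logon (BodyLength and CheckSum are not computed here).
SAMPLE_LOGON = SOH.join([
    "8=FIX.4.2", "9=65", "35=A", "49=BANKXYZ", "56=EXCHANGE01",
    "34=1", "52=20090101-12:00:00", "98=0", "108=30", "10=062",
]) + SOH

# Greedy form, equivalent to the slide's {\x0149=(.*)\x01}: runs to the LAST SOH.
GREEDY = re.compile(SOH + r"49=(.*)" + SOH)
# Bounded form: the value is everything up to the NEXT SOH.
BOUNDED = re.compile(SOH + r"49=([^\x01]*)" + SOH)


def sender_comp_id(payload: str, pattern: "re.Pattern[str]" = BOUNDED) -> Optional[str]:
    """Return tag 49 from a raw FIX buffer, or None when it is not (yet) complete."""
    m = pattern.search(SOH + payload)
    return m.group(1) if m else None


def persistence_key(payload: str) -> Optional[str]:
    """Key the iRule would hand to 'persist uie'; None means keep collecting.

    With the greedy pattern the key would contain the sequence number and
    sending time, so every message from the same sender would get a different
    key and persistence would never take effect.  An empty tag 49 is rejected
    as well, so the rule does not persist all such clients to one server.
    """
    cid = sender_comp_id(payload, BOUNDED)
    return cid or None


if __name__ == "__main__":
    print("bounded:", repr(sender_comp_id(SAMPLE_LOGON)))
    print("greedy: ", repr(sender_comp_id(SAMPLE_LOGON, GREEDY)))
```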
What makes iRules so unique?

• Full-fledged scripts, executed against traffic on the network, at wire speed
• Powerful logical operations combined with deep packet inspection
• The ability to route, re-route, re-direct, retry, or block traffic
• Community support, tools and innovation
Solution: Credit Card Scrubber

Challenges
• Rapid feature enhancements come at the expense of good security practices
• Scanning on each server doesn’t perform well
Solution
• An iRule provides a centralized mechanism for protection
• High performance at the network maintains high end user satisfaction
• App teams focus on features, network teams focus on protection
** Created collaboratively within the community

How it works:
1. The client requests information from an application and is routed through BIG-IP (HTTP request).
2. BIG-IP directs the request to the best performing web server.
3. The web server provides the application response, which accidentally leaks customer credit card numbers, BUT the iRule runs if it sees a string of 16 digits.
4. The iRule fires off the MOD-10 algorithm to determine if the 16-digit string is a valid credit card number; the offending server IP address is logged and flagged.
5. If a valid match, the first 12 digits are replaced with Xs.
6. The client only sees the “sanitized” response (HTTP response).

The iRule, reconstructed from the slide's one-line rendering. In that rendering the checksum accumulation and the log line had fallen outside the loops they belong to; both are back in place here. Note that the log line writes the full card number to the local log, so the log itself becomes sensitive data.

    when HTTP_REQUEST {
        # Don't allow data to be chunked
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
    }
    when HTTP_RESPONSE {
        if { [HTTP::header exists "Content-Length"] } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 4294967295
        }
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
    when HTTP_RESPONSE_DATA {
        # Find ALL the possible credit card numbers in one pass
        set card_indices [regexp -all -inline -indices {(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} [HTTP::payload]]
        foreach card_idx $card_indices {
            set card_start [lindex $card_idx 0]
            set card_end [lindex $card_idx 1]
            set card_len [expr {$card_end - $card_start + 1}]
            set card_number [string range [HTTP::payload] $card_start $card_end]
            set double [expr {$card_len & 1}]
            set chksum 0
            set isCard invalid
            # Calculate MOD10
            for { set i 0 } { $i < $card_len } { incr i } {
                set c [string index $card_number $i]
                if { ($i & 1) == $double } {
                    if { [incr c $c] >= 10 } { incr c -9 }
                }
                incr chksum $c
            }
            # Determine Card Type
            switch [string index $card_number 0] {
                3 { set type AmericanExpress }
                4 { set type Visa }
                5 { set type MasterCard }
                6 { set type Discover }
                default { set type Unknown }
            }
            # If valid card number, then mask out numbers with X's
            if { ($chksum % 10) == 0 } {
                set isCard valid
                HTTP::payload replace $card_start $card_len [string repeat "X" $card_len]
            }
            # Log Results (this writes the full card number to the log)
            log local0. "Found $isCard $type CC# $card_number"
        }
    }
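The detection and masking logic of that iRule, re-implemented in Python as an added example (not F5 code) so it can be run and checked outside BIG-IP: the same candidate regex, the same MOD-10 loop, and masking that keeps the payload length so offsets stay valid; as a departure from the iRule, the findings keep only the last four digits for logging. The card numbers in the sample body are constructed test values.

```python
"""Credit-card scrubber: find Luhn-valid candidates in a response body and mask them."""
import re
from typing import List, Tuple

# Same candidate pattern as the iRule: Amex, Visa, MasterCard, Discover.
CARD_RE = re.compile(r"(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})")

CARD_TYPES = {"3": "AmericanExpress", "4": "Visa", "5": "MasterCard", "6": "Discover"}


def luhn_ok(number: str) -> bool:
    """MOD-10 check written the way the iRule does it: double every other digit
    counting from the right, subtract 9 from doubled digits >= 10, sum, mod 10."""
    double = len(number) & 1
    chksum = 0
    for i, ch in enumerate(number):
        c = int(ch)
        if (i & 1) == double:
            c += c
            if c >= 10:
                c -= 9
        chksum += c          # accumulated inside the loop (the slide's rendering had it outside)
    return chksum % 10 == 0


def scrub(payload: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Mask every Luhn-valid candidate with X's.

    Returns the rewritten payload and a list of (validity, card_type, loggable)
    findings, where loggable keeps only the last four digits.
    """
    findings: List[Tuple[str, str, str]] = []

    def mask(m: "re.Match[str]") -> str:
        number = m.group(0)
        card_type = CARD_TYPES.get(number[0], "Unknown")
        loggable = "X" * (len(number) - 4) + number[-4:]
        if luhn_ok(number):
            findings.append(("valid", card_type, loggable))
            return "X" * len(number)      # same length: later offsets stay valid
        findings.append(("invalid", card_type, loggable))
        return number                      # not a real card number, leave it

    return CARD_RE.sub(mask, payload), findings


# Constructed response body: two well-known test numbers and one with a bad check digit.
SAMPLE_BODY = (
    "<p>Order 1 card: 4111111111111111</p>\n"
    "<p>Order 2 card: 4111111111111112</p>\n"
    "<p>Order 3 card: 378282246310005</p>\n"
)


if __name__ == "__main__":
    body, found = scrub(SAMPLE_BODY)
    print(body)
    for validity, card_type, loggable in found:
        print(f"Found {validity} {card_type} CC# {loggable}")
```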
Solution: Anti-phishing: Prevent Unwanted Referrals of Content

Challenges
• Attacks are directed at users, not the servers themselves
• No control of user actions
• Can’t force software install
Solution
• An iRule allows for prevention of the scraping required to perform the attack
• A preventative approach keeps users safe without the need for their interaction
• Server load is decreased

Web servers feed content to anyone requesting it, including people who shouldn’t be serving this content.

How it works:
1. Define a list of valid referrers in the form of a class. This is the list of sites that you expect to be linking to content on your site.
2. Define a list (in the form of a class) of file types that should not be linked to, other than by the referrers listed in item 1.
3. Check whether an invalid referrer (not in class 1) is trying to serve data from your site, and what kind of content it is trying to serve. If it matches the file types in class 2, block it. If not, insert some custom code to help prevent phishing attempts.

The classes and the iRule, reconstructed from the slide. The marker string searched for in the response and the snippet inserted in front of it were HTML on the slide and were lost in extraction; they are left as labelled placeholders. Tcl's string first has no -nocase option, so the payload is lower-cased for the search instead, and respond is initialised so HTTP_RESPONSE can read it for every request.

    class valid_referers {
        "http://mydomain.com"
        "http://mydomain1.com"
        "http://url1"
        "http://url2"
        "http://url3"
    }

    class file_types {
        ".gif"
        ".jpg"
        ".png"
        ".bmp"
        ".js"
        ".css"
        ".xsl"
    }

    rule no_phishing {
        when HTTP_REQUEST {
            # Don't allow data to be chunked.
            if { [HTTP::version] == "1.1" } {
                if { [HTTP::header is_keepalive] } {
                    # Adjust the Connection header.
                    HTTP::header replace "Connection" "Keep-Alive"
                }
                HTTP::version "1.0"
            }
            set respond 0
            # Requests from a listed referrer are left alone.
            if { [matchclass [HTTP::header "Referer"] starts_with $::valid_referers] < 1 } {
                if { ([string tolower [HTTP::method]] eq "get") && ([matchclass [HTTP::uri] contains $::file_types] > 0) } {
                    # Hot-linked static file from an unknown referrer: drop it.
                    discard
                } elseif { ([HTTP::header exists "Content-Type"]) && ([HTTP::header "Content-Type"] starts_with "text") } {
                    # Text content for an unknown referrer: patch the response.
                    set respond 1
                }
            }
        }
        when HTTP_RESPONSE {
            if { $respond == 1 } {
                if { [HTTP::header exists "Content-Length"] } {
                    set content_len [HTTP::header "Content-Length"]
                } else {
                    set content_len 4294967295
                }
                if { $content_len > 0 } {
                    HTTP::collect $content_len
                }
            }
        }
        when HTTP_RESPONSE_DATA {
            # Placeholders: the marker to search for (lower case) and the snippet to
            # insert in front of it were HTML on the slide and were lost in extraction.
            set marker ""
            set snippet "\n"
            set bypass [string first $marker [string tolower [HTTP::payload]]]
            if { $bypass != -1 } {
                HTTP::payload replace $bypass 0 $snippet
            } else {
                HTTP::respond 500
            }
        }
    }
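The request-side decision of that iRule (referrer allow-list plus hot-linkable file types), re-implemented in Python as an added example (not F5 code) so it can be exercised outside BIG-IP; it also adds a stricter scheme-and-host comparison, which is this example's addition and not on the slide. VALID_REFERERS keeps the two real-looking entries of the slide's class and omits the "http://url1" placeholders.

```python
"""Mirror of the no_phishing iRule's HTTP_REQUEST branch, plus a stricter referrer check."""
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

VALID_REFERERS = ("http://mydomain.com", "http://mydomain1.com")
FILE_TYPES = (".gif", ".jpg", ".png", ".bmp", ".js", ".css", ".xsl")


def referer_allowed_prefix(referer: str, allowed: Iterable[str] = VALID_REFERERS) -> bool:
    """matchclass ... starts_with, as the iRule does it: a plain prefix test.

    Weakness of this check: 'http://mydomain.com.attacker.example/' starts with
    'http://mydomain.com' and therefore passes.
    """
    return any(referer.startswith(prefix) for prefix in allowed)


def referer_allowed_origin(referer: str, allowed: Iterable[str] = VALID_REFERERS) -> bool:
    """Stricter variant: compare scheme and host exactly instead of a prefix."""
    parts = urlsplit(referer)
    wanted = {(urlsplit(a).scheme, urlsplit(a).hostname) for a in allowed}
    return (parts.scheme, parts.hostname) in wanted


def decide(method: str, uri: str, referer: str, content_type: Optional[str] = None,
           allowed_check: Callable[[str, Iterable[str]], bool] = referer_allowed_prefix) -> str:
    """Decision for one request, following the iRule's order of checks.

    'discard'          -> drop the request (hot-linked static file)
    'inspect_response' -> respond=1: collect the text response and patch it
    'allow'            -> pass through untouched
    An empty Referer header counts as an invalid referrer, exactly as in the iRule.
    """
    if allowed_check(referer, VALID_REFERERS):
        return "allow"
    if method.lower() == "get" and any(ft in uri for ft in FILE_TYPES):
        return "discard"
    if content_type is not None and content_type.startswith("text"):
        return "inspect_response"
    return "allow"


if __name__ == "__main__":
    # Constructed requests: a hot-linked image, a legitimately linked one, a scraped page.
    print(decide("GET", "/img/logo.gif", "http://attacker.example/fake-login"))
    print(decide("GET", "/img/logo.gif", "http://mydomain.com/index.html"))
    print(decide("GET", "/index.html", "http://attacker.example/", "text/html"))
```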
F5 iRule Editor

The first network rule editor, optimizing development. Includes:
  – Syntax checking
  – Auto-complete
  – Template support
  – Doc links
  – Deployment integration
  – Statistics monitoring
  – Data group editing
  – Optional post-to-CodeShare feature
Available: now. Pricing: free download. Tutorials: on DevCentral.
Introducing iControl v9

• Open API (SOAP/XML) allows applications to automatically interact with the network
• Integration with development tools from Microsoft, BEA, and Oracle
• Online community F5 DevCentral
  – Developer assistance on F5 DevCentral via developer forums (http://devcentral.f5.com)
  – iRules forum and code examples
iControl Eases Application Integration

Leverage the skills and expertise you already have!

Key components
  – XML/SOAP interface
  – Downloadable SDK
  – Technology partnerships
  – DevCentral resource centre and community
Benefits
  – Open, standards based integration
  – Simplified development
  – Proven integration
  – Sample code, documentation, discussion forums

Integration and Extensibility: iControl Event API

1. Create subscription: the administrator uses the provided sample application (or a custom application) to create event subscriptions.
2. Select event type: choose a specific event to track, then create the subscription name and parameters.
3. Upon the event, a message is distributed via log, email, or SMS to phone/PDA.

Applications can subscribe to 47 different system events. A sample application (screenshots) is provided with the SDK. Bulk method support: 100:1 reduction in calls, 90% reduction in bandwidth.
iControl Application Migration to v9

1. Paste code into the Analyser: the developer visits DevCentral, accesses the Code Analyser, and selects the language and report format.
2. Summary report: the generated report identifies the lines where conflicts exist, defines the method affected, and links directly to the online versions of the 4.x and v9 SDKs.

The Analyser is free for use by all F5 DevCentral members; the DevCentral forum is available for posting migration questions; additional samples and technical tips will be available.
DevCentral Technical Community

http://devcentral.f5.com/
• Forum for F5 customers building iRules and iControl applications
• F5 provides technical documentation, tips, free sample downloads, and a confidential discussion forum
• Monitored by F5 engineers and technical experts who answer technical questions
  – Design, architecture, troubleshooting and general assistance with iRules and iControl
Link Collection

Overall: www.f5.com
Technical: www.f5.com, ask.f5.com, devcentral.f5.com
F5 University: www.f5university.com/ (login: your email, password: adv5tech); certification FAQ: www.f5.com/training_services/certification/certFAQ.html
Partner information: www.f5.com/partners
Gartner report: http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html

Important deployment information is available at:
• Deployment guides: http://www.f5.com/solutions/deployment/
• Data Center Virtualization: http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
• Application Traffic Management: http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
• Application Briefs: http://www.f5.com/solutions/applications/
• Solution Briefs: http://www.f5.com/solutions/sb/
• F5 Compression and Cache Test: http://www.f5demo.com/compression/index.php
• F5 iControl Alliance Partners: http://www.f5.com/solutions/partners/iControl/
• F5 Technology Alliance Partners: http://www.f5.com/solutions/partners/tech/

Let us know if you need any clarification or you have any further questions.

Thank You