application firewall
advertisement
Introduction to F5 Networks Andreas Guggenbichler Regional Manager Eastern Europe June 21st, 2005 Company 2 Company Snapshot • Leading provider of technology to secure, optimise and deliver IP-based applications • Founded 1996, public 1999, Nasdaq listed (FFIV) • HQ in Seattle, offices around the globe • More than 9,000 customers • Approx. 700 employees • FY2004 revenue $171M – 48% year-over-year growth • More than 30,000 systems shipped 3 Undisputable Leader in Application Delivery Magic Quadrant for WebEnabled Application Delivery, 2H04 Source: Gartner Research Note, January 2005 • “F5 Networks, with the milestone release of v9.0, has a strong platform on which to build additional features.” • “The focus on application delivery and secure access has been a significant contributor to F5's success leading up to the v9.0 release. F5 is one of the thought leaders in the market and offers growing feature richness. Add F5 to your shortlist for application delivery.” 4 SSL VPN Market Leadership SSL Virtual Private Networks METAspectrumSM Evaluation • “A core group of market leaders continues to rapidly innovate and drive increasing degrees of functionality. Other contenders must often scramble to keep up.” • “SSL VPNs are already capable of delivering great value to organizations and have even further up-side potential going forward.” 5 Financial Trends Cash & Investments 60,0 Revenue 60 50,2 31,6 28,0 27,1 27,1 27.3* 27,1 35 29,2 36,1 40 $ Millions 40,6 45 44,2 50 27,0 $ Millions 55 30 254 250 225 200 175 150 125 100 75 50 25 Cash Flow from Operations 5,6 4 2 3,3 2,7 2,9 2,8 1,9 3,4 1,5 0 (Pro Forma) ,26 0,25 0,20 $ 8 6 96 84 89 80 79 79 72 76 0,30 8,4 1Q 02 2Q 0 3Q 2 02 4Q 02 1Q 0 2Q 3 03 3Q 03 4Q 0 1Q 3 04 2Q 04 3Q 0 4Q 4 04 1Q 05 $ Millions 13,5 10,2 10,5 10 222 EPS 11,4 12 211 ,18 0,15 ,11 0,10 ,08 0,05 0,00 ,13 ,02 ,02 ,03 ,04 .00* -0,05 -.05 -,04-,03 1Q 0 2Q 2 0 3Q 2 0 4Q 2 0 1Q 2 0 2Q 3 0 3Q 3 0 4Q 3 0 1Q 3 0 2Q 4 0 3Q 4 0 4Q 4 0 1Q 4 04 14 205 1Q 0 2Q 2 0 3Q 2 0 4Q 2 0 1Q 2 0 2Q 3 0 3Q 3 0 4Q 3 0 1Q 3 0 2Q 4 0 3Q 4 0 4Q 4 0 1Q 4 05 02 02 02 02 03 03 03 03 04 04 04 04 05 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 227 6 F5 Expansion in Europe • 80+ employees in EMEA • Sequential growth • Increasing country presence • Strong regional channel • Large customer base – – – – – – Financial Media Transportation Technology Telecommunications Service providers 7 F5 Customers in Europe (1 of 2) Banking, Financial Insurance, Investments Telco, Service Providers, Mobile 8 F5 Customers in Europe (2 of 2) Transport, Travel Media, Technology, Online Manufact., Energy Governm., Other Health, Consumer 9 Product and Technology Leadership BIG-IP FirePass TrafficShield Traffic Management SSL VPN Remote Access Application Firewall Local, Global & Link Application Traffic Management Secure Application Access Application Firewall iControl Software Development Kit iControl Services Manager Standards Based Interface (SOAP/XML) Centralised Management for F5 Devices 10 Partner Programme 11 Advantage Programme Categories • Resellers – – – – Authorised Advantage Partner Premier Advantage Partner Gold Advantage Partner Global Advantage Partner • Distributors – Gold Advantage Distributor 12 EMEA Advantage Channel Model Customer Gold Partner Premier Partner Authorised Partner Global Partner Gold Distributor 13 Certification Programme • F5 Certified Product Consultant – Pre-sales specialist • F5 Certified Configuration Professional – Level 1 post-sales specialist • F5 Certified Systems Engineer – Level 2 post-sales specialist • F5 Certified Product Consultant FirePass – Pre-sales specialist 14 Customer Focused Services Support centres in London, Singapore, Washington D.C. and Seattle Level 1/2/3 24-hour global technical support support 4-hour RMA Training centres Premium Plus in London and services around the globe Installation Sell-through services Consulting Advantage certification programme Ask F5 knowledge base F5’s global service strategy means reliable application delivery – anytime, anywhere 15 Professional Services Offerings • Premium Service – – – – – 7x24 telephone support Access to Ask F5 technical database WebSupport portal Software updates Advance hardware replacement • Standard Service – Same as above, but 5x10 16 Application Traffic Management BIG-IP 17 Application Delivery Challenge Application Network Administrator Deploy point solutions • • Faster and centralised fix, applications are offloaded Costly, complex and hard to manage Application Developer ? Code fix in the application • • • Expensive (Code, Manage, Maintain) Consumes server cycles Often not possible 18 Result: A Growing Network Problem Users Network Point Solutions Applications DoS Protection Mobile Phone Rate Shaping SSL Acceleration SFA CRM PDA ERP CRM Server Load Balancer ERP Laptop ERP Content Acceleration Application Firewall Connection Optimisation Traffic Compression CRM Desktop SFA SFA Custom Application Co-location 19 What the Customer Wants “How do I make my applications run better without rewriting them, or incurring major infrastructure cost and adding significant management overhead?” “I need to be as optimized as I can be, as simply as possible and with minimal resource impacts” -Director of Infrastructure for a major U.S. airline 20 Groundbreaking New Architecture Users Unified Network & Application Infrastructure Services Applications CRM Database Mobile Phone Deliver Siebel BEA Legacy PDA .NET Optimise Secure SAP PeopleSoft Laptop IBM Desktop Traffic Management Operating System (TM/OS) ERP SFA Custom Co-location 21 Comprehensive Single Solution Users The F5 Solution Applications CRM Database Mobile Phone Siebel BEA Legacy PDA .NET Laptop BIG-IP 3400 with Performance Pack SAP PeopleSoft IBM ERP Desktop SFA Custom Co-location 22 TM/OS Architecture is Built from the Ground Up A revolutionary new architecture that provides organisations with a unified system for optimal application delivery TM/OS Fast Application Proxy Client Side Key Components 1. TM/OS Fast Application Proxy 2. Universal Inspection Engine 3. iRules Server Side Benefits 1. Unifies multiple functions into one 2. Manages entire application flows 3. Delivers applications as intended 4. Granular, session level control 23 An Intelligent and Flexible Solution iRules Programmable Network Language Programmable Application Network GUI-Based Application Profiles Repeatable Policies Unified Application Infrastructure Services Targeted and Adaptable Functions Security Optimization Delivery Universal Inspection Engine (UIE) New Service Complete Visibility and Control of Application Flows TM/OS Fast Application Proxy Client Side Server Side 24 Secure Optimised Application Delivery Application performance optimised by F5: 25 BIG-IP Delivers Applications Faster 100 90 80 Seconds 70 60 50 126% 40 30 55% 20 121% 125% 70% 10 0 IIS 6.0 OWA 2003 SharePoint Without BIG-IP Siebel Weblogic BIG-IP Optimized *Percentage of Improvement With BIG-IP Optimizing the Applications 26 Fast Cache – Dramatic Server Offloading IIS 6.0 Standard Web Content 98% Siebel eBusiness Suite Call Center 7.7 72% WebLogic 78% Portal 8.1 27 Real World Performance and Results 350 Million Page Hits in 1 Week 1/3 Reduction in Servers 95% Fewer Connections 114.8 5 Million Million 1/3 Reduction in Licenses 1/3 Reduction in Management Time 66% 1.87 621 Terabyte Gigabytes 3 Seconds End-to-End Page Load Time Reduction in Bandwidth 300% Faster 1 Seconds 28 Customer Example: Airline Customer Problem: Portal Applications are too Slow • • • • • Unusable Web portal applications – 5 to 30+ second page load times, limited scale, costly infrastructure Executive level visibility; end-user complaints Too costly to change the applications Difficult to manage growing number of point solutions in the network Need to selectively compress based on client connection, application, and servers Market Pervasiveness: • $25 billion lost annually in e-business due to poor web performance • Over half global users are still dialup High Latency Connection Dial-UP Bandwidth Bottleneck Fast Connection and application Too many Point Solutions • Internet latency on average is 2x in Europe and 4x in ASIA compared with the US (91 MS) • Average Web application can be 20x chattier than traditional clientserver application 29 Customer Example: Airline The BIG-IP Solution: Intelligent and Adaptable Optimization BIG-IP Features & Functions Utilized 1. 2. 3. 4. 5. Client-Aware Compression (Patent Pending) – Target compression for high latency or dial-up users Application Switching – High availability and cost-effective scale TCP Offload & Optimization – Client-side & Server-side Content Transformation – Eliminate need for application proxies TM/OS & iRules – Unified framework for application services enabling an integrated approach to consolidation of services Detect High TCP Latency = Compress! Detected Dial-up Client = Compress! Fast Connection and application Business Benefit: • 10x application performance improvement (20 to 2.5 seconds) • 70% bandwidth reduction (thousands of dollars in Telco costs per month) • Lower management cost (4 vendors/ Boxes unified into 1 cohesive solution) Payback Time, 3 Months • Organizational adaptability (can now easily offer standardized services across all application types) 30 Sales Tool: Gomez • Gomez Testing Results: http://www.f5.com/solutions/gomez_testing.pdf 31 Sales Tool: Compression Calculator http://www.f5demo.com/compression/ 32 BIG-IP Platforms Measurement BIG-IP 1500 BIG-IP 3400 BIG-IP 6400 BIG-IP 6800 Layer 4 Requests/sec 30,000 110,000 220,000 220,000 Layer 7 Requests/sec 22,000 50,000 75,000 110,000 Max. throughput 500 Mbps 1 Gbps 2 Gbps 4 Gbps 2,000 8,000 15,000 20,000 100 Mbps 500 Mbps 2 Gbps 2 Gbps Max. SSL TPS Max. compression Options • LTM, GTM, & LBL-to-LTM Software Modules • SSL TPS Add-on’s •Compression Add-ons •Advanced Routing Modules •Advanced Client Authentication •L7 Rate Shaping •Performance Package Bundles •OCSP Modules •IPV6 •SSL / FIPS SSL • Memory • 10/100 NIC •GB Fiber/Copper NIC • Redundant Power Supply • 48v DC Power Supply •SFP / SFP LX Fiber Optics •Mid-Mount Kits • Failover Cables 33 SSL VPN FirePass 34 Remote Access Realities End User Chief Security Officer “I’m in a different city every few days. I just need to be able to access my email, critical files, and sales application.” “My job is to protect our network and applications from our known users AND intruders.” “My remote access has to work without calling IT helpdesk twice each week!” “Poor access impacts my paycheck directly.” Requires Ubiquitous Access • Any client • Any application “ Users distribute viruses – not because they mean to – and intruders attack us every day.” “Failing to protect us can cost us millions and me my job.” Requires Strong Security Control • Email worms and viruses • Web application attacks IT Manager “I already have too many systems to manage. More users and systems only increase the problem.” “Products that are hard to manage are likely to be avoided by my staff.” “But, if maintenance doesn’t happen, users get angry and it shows on my performance review.” Requires Easy Deploy & Management • Existing auth server support • 1000s of users, 100s of apps 35 Remote Access - Requirements Any Location Hotel Kiosk Hot Spot Any User Employee Partner Supplier Any Devices Laptop Kiosk Home PC PDA/Cell Phone Secure Data Privacy Device Protection Network Protection Granular App Access Any Application Web Client/Server Legacy Desktop Highly Available Global LB Stateful Failover Disaster Recovery Ease of Integration Ease of Use Clientless Simple GUI Detailed Audit Trail AAA Servers Directories Instant Access 36 2003-2007 Forecast individual SSL/HTTPS individual IPSec/PPTP site to site IPSec (not individual remote access) 2001 2003 2005 2007 Source: Gartner 2003 (Unofficial) 37 SSL VPN Secure Application Access Ubiquitous Delivery Laptop Dynamic Policies Any Application HTTPS Transport Mainframe Internet Mobile Device Kiosk FirePass Remote Access Controller Server Desktop 38 Dynamic Policy Engine • User / Device Security Default Policy Kiosk Policy Wireless Policy Laptop Policy SSL Policy Access Engine SSL VPN Connector AppTunnel Connector Webifyer Desktop Webifyer Authentication LDAP RADIUS WIN NT/2K Web-based Group Sales Financial Auditors etc…. – Dynamically adapt user policy based on device used • Seamless Integration – Utilize existing AAA servers – Automatic user mapping from directory • Detailed audit trail – Application level visibility Access Rights Intranet SAP Siebel File Shares Audit Usage Reporting Who accessed What was accessed From Where 39 Adaptive Client Security Kiosk PDA Laptop Kiosk Policy Mini Browser Policy Corporate Policy Firewall / Virus Check Cache / Temp File Cleaner Terminal Servers Files Intranet Email Client/Server Application Full Network 40 Customer Example Data Centre FirePass Sales Person High Availability of Servers with BIG-IP High Availability for Data Centres with 3-DNS Engineers Consultants FirePass Backup Data Centre 41 Web Application Security TrafficShield 42 Security’s Gaping Hole “64% of the 10 million security incidents tracked targeted port 80.” DATA Information Week 43 TrafficShield Application Firewall 44 TrafficShield Application Firewall 1. Web application firewall - Protect web applications against known & unknown attacks Uses positive security logic – All traffic is illegal unless known to be legal 2. Content scrubbing - Prohibit delivery of sensitive data 3. Application cloaking - Hide the identity of web applications from outside probing 45 The Application Flow Model 46 The Application Flow Model <script> Actions not known to be legal can now be blocked - Wrong page order - Invalid parameter - Invalid value - etc. 47 Protecting Web-based Applications CONTENT SCRUBBING ATTACK FILTERING APPLICATION FIREWALL Social Security Numbers Scrubbed Credit Card Numbers Blocked Out-of-box Protection Included Scrubbed Unvalidated Input Manipulation Blocked Account Numbers Scrubbed Script Kiddies, Known Worms & Vulnerabilities Blocked Broken Access Control (Forceful Browsing) Patient Health ePHI Scrubbed Buffer Overflow Blocked Requests for Restricted Object and File Types Blocked Phone Numbers Scrubbed Cross-Site Scripting Blocked Non-RFC-Compliant Traffic Blocked Any other identifiable text pattern Scrubbed SQL/OS Injection Blocked Illegal HTTP Format, Method Blocked Cookie Poisoning Blocked Unknown Worms and Vulnerabilities Blocked 15 min Set-Up Time SSL ACCELERATION & KEY MANAGEMENT CLOAKING NETWORK FIREWALL OS and Web Server Fingerprinting Blocked HTTP Error Messages Blocked IP/Port Filtering Included Application Error Messages Blocked Securing TCP/IP Session Included Leakage of Server Code Blocked Reverse Proxy Included SSL Accelerator Included Key Management & Failover Handling Included SSL Termination and Re-encryption to Servers Included 48 Competition 49 Growing Fast in a Growing Market Non-Modular L4-7 Switch Market – Q4’CY04 Total L4-7 Market Foundry Networks Cisco Systems 3% 7% Other 8% $529 Million F5 Networks 40% Year/Year Growth L4-7 Market 27% F5 Networks 57% Radware 16% Nortel Networks 26% Change in Market Share (1Q’03 - 4Q’04) Cisco Systems F5 Networks Nortel Networks Radware SOURCE: Dell’Oro Group / F5 Networks (February 2005) -21% 58% -10% -7% Total L4-7 Switch Market – Q4’CY04 Foundry Networks Other 6% 7% Radware 9% Cisco Systems 38% Nortel Networks 15% F5 Networks (w/Appliances) 25% 50 SSL Market Share Leader For 15th Consecutive Quarter (Q3‘04) Worldwide L4–L7 Switch/Load Balancer with SSL Market Share (Revenue) Nortel Networks 10% Other 13% F5 Networks 49% Cisco Systems 28% Source: Infonetics (November 2004) “F5 released the next generation of their BIG-IP platform, which utilizes a proxy architecture (called Traffic Management Operating System) to speed up application performance; some of the highlights include improved SSL performance, as well as IPv6.” Matthias Machowinski, Analyst at Infonetics Research 51 Highest Growth and Momentum Worldwide Application Security Gateway (SSL VPN) Market Share Q3‘04 Unit Market Share (Revenue) Aventail 11% F5 13% Nokia 5% Juniper 42% Other 29% Source: Infonetics (November 2004) “SSL VPN products attempt to solve deployment and management problems that many IPSec VPN users have already encountered; IPSec clients can be a pain, and many users only need access to specific applications, not networklevel access.” “F5 seems very committed to the success of this product and is putting significant resources behind the acquisition, and have now acquired Magnifire and will be adding application security to their growing suite of VPN and security solutions.” Jeff Wilson, Principal Analyst at Infonetics Research 52 Fastest Growing SSL VPN Vendor Network Security Solutions Surpass $1 Billion for Quarter Source: Synergy Research Group (December 2004) “What’s more, these markets continue to be driven by the need to protect corporate and service provider networks from a growing and perpetually changing number of threats. Moreover, investment in security solutions is being led by emerging solutions like application firewalls, High-End and Next Gen Firewalls, IPS, and SSL VPNs.” Aaron Vance, Senior Analyst at Synergy Research Group 53 Summary 54 App Traffic Management’s Unique Positioning Intelligent Clients Network Plumbing Intelligent Applications Routers iControl Switches BIG-IP FirePass Functionality Firewalls TrafficShield Application Traffic Management Application Access Application Security 55 Product Roadmap BIG-IP TS Enforcer FirePass BIG-IP v4.x TM/OS BIG-IP O/S BIG-IP v9 TM/OS FirePass FirePass FirePass O/S TM/OS TrafficShield TrafficShield TrafficShield O/S TM/OS TM/OS is the foundation moving forward 56 Why F5? 1. The leader in Application Traffic Management 2. Secure, optimised, and reliable delivery of applications to any user, anywhere 3. Maximising technology investment 4. Strong financial track record 5. World-class support 57
