1 F5 Application Traffic Management Radovan Gibala Senior Solutions Architect r.gibala@f5.com +420 731 137 223 2010 2 Application Delivery Architecture BIG-IP LTM • ASM FirePass App Security & Data Integrity • AAA • Data Protection • Transaction Validation Business Continuity HA Disaster Recovery BIG-IP LTM • GTM • LC • WA FirePass • ARX • WJ • WAN Virtualization • File Virtualization • DC to DC Acceleration • Virtualized VPN Access User Experience & App Performance • Asymmetric & Symmetric Acceleration • Server Offload • Load Balancing People BIG-IP LTM • GTM • WA ARX • WJ Apps Data Managing Scale & Consolidatio n • Virtualized App & Infrastructure • Server & App Offload • Remote, WLAN & LAN • Load Balancing Central Policy Enforcement • End-Point Security • Encryption • AAA • • • • Virtualization Migration Tiering Load Balancing BIG-IP LTM • GTM • LC • WA FirePass • ARX • WJ Unified Security Enforcement & Access Control FirePass BIG-IP LTM • GTM Storage Growth ARX BIG-IP GTM 3 How To Achieve the Requirements ? Multiple Point Solutions Application More Bandwidth Network Administrator Add More Infrastructure? Application Developer Hire an Army of Developers? 4 The Result: A Growing Network Problem Users Mobile Phone Network Point Solutions DoS Protection Rate Shaping SSL Acceleration PDA Laptop Desktop Co-location Applications CRMCRM Server Load Balancer Content Acceleration Application Firewall Connection Optimisation Traffic Compression SFA ERP ERP ERP CRM SFA Customised Application SFA 5 Traditional Infrastructure Model Corporate Employees LAN & wLAN Mobile Employees Remote Employees Branch Employees LAN & wLAN Customer, Partners, or Suppliers How do I connect all these applications and services to the right people, at the right moment in time, using the right amount of resources, meet all my SLAs, ensure security and save money? 
Cloud Services Hosted Applications Corporate Data Center SAAS Apps and Data in the Branch 6 What is Required to Fill the Gap Unification Corporate Employees Mobile Employees Remote Employees Branch Employees Customer, Partners, or Suppliers Integration Visibility Unified Application and Data Delivery Model: Cloud Infrastructure Context Action Cloud Services Hosted Applications Corporate Data Center SAAS Branch apps and Data Unification Enables the Dynamic Infrastructure 7 F5’s Integrated Solution Users The F5 Solution Applications Application Delivery Network CRM Mobile Phone Database Siebel BEA PDA Legacy .NET SAP Laptop PeopleSoft IBM ERP Desktop Co-location TMOS SFA Custom 8 A New Level of Intelligence Legacy Approach Packet Based React to a Single Communication, One Direction Flow Based TM/OS React to a Real Time, Two-Way Conversation Translate Between Parties 9 Deliver Application Exactly as Intended Manage Entire Application Flows: • • • Independent Connection Control Supporting All IP Applications High Performance Framework • • BI-Directional, Full Payload Inspection Session Level Control Universal Inspection Engine (UIE) TM/OS Fast IP Interception Client Side Server Side 10 The entire solution is built on top of the TMOS operating system that integrates all the tools iRules and iControl Programmable Application Network Programmable Network Language GUI-Based Application Profiles Repeatable Policies Unified Application Infrastructure Services Targeted and Adaptable Functions Security Optimisation Delivery Universal Inspection Engine (UIE) New Service Complete Visibility and Control of Application Flows TMOS Fast IP Interception Client Side Server Side 11 Traffic Management Operating System iRules Rate Shaping / Rate Limiting Resource Cloaking Transaction Assurance Universal Persistence Caching Compression Selective Content Encryption Advanced Client Authentication Application Health Monitors Application Switching Shared Application Services TMOS Operating 
System Shared Network Services TCP Express Protocol Sanitization High Performance SSL DoS and DDoS Protection VLAN Segmentation Line Rate L2 Switching (Mirroring, Trunking, STP, LACP) IP Packet Filtering IPv6 Dynamic Routing Secure Network Address Translation Port Mapping Common Management Framework 12 TCP Express Server Side OneConnect Client Side Compression TCP Proxy 3rd Party Web Accel XML Caching SSL TCP Express Client Rate Shaping Microkernel TrafficShield Unique TMOS Architecture iRules High Performance HW iControl API TMOS Traffic Plug-ins High-Performance Networking Microkernel Powerful Application Protocol Support iControl – External Monitoring and Control iRules – Network Programming Language Server 13 BIG-IP 14 First Unified Application Infrastructure Services Delivering • • • • DoS and SYN Flood Protection Network Address/Port Translation Application Attack Filtering Certificate Management • DoS and DDos protection • Brute Force Attacks protection • Resource Cloaking • Advanced Client Authentication • Firewall - Packet Filtering • Selective Content Encryption • Cookie Encryption • Content Protection • Protocol Sanitization • Secure and Accelerated DC to DC data flow • Comprehensive Load Balancing • Advanced Application Switching • Customized Health Monitoring • Intelligent Network Address Translation • Advanced Routing • Port Mirroring • IPv6 Gateway • Universal Persistence • Response Error Handling • Session / Flow Switching • SSL Acceleration • Quality of Service • Network Virtualization • System resource Control • Application Templates • Dashboard • Connection Pooling • Intelligent Compression • L7 Rate Shaping • Content Spooling/Buffering • TCP Optimization • Content Transformation • Caching • TCP Express 15 BIG-IP Local Traffic Manager Turn your infrastructure into an agile application delivery network BIG-IP Users Applications Scale the application infrastructure Eliminate downtime Improve application performance Secure your applications and data 
Increase server capacity, reduce bandwidth Customize the delivery of the app for your needs 16 It Starts with Load Balancing Ensure availability and plan for growth High Performance Hardware Dynamic LB Methods Transaction Assurance Application Health Monitoring Session Persistence LTM load balances at the application level Ensures the best resources are always selected Has deep visibility into application health Proactively inspects and responds to errors Eliminate downtime and scale the application 17 Comprehensive Load Balancing Static – RoundRobin – Ratio Dynamic – – – – – Fastest LeastConnections Observed Predictive Dynamic Ratio Priority Groups 18 Feature Overview/BIG-IP Availability Checking • Check any back-end process using EAV • Will work for any IP based application • Stateful failover between devices Security • Firewall-like device to resist most attacks • All administration is encrypted • Integrated SSL/FIPS and secure NAT 19 Feature Overview/BIG-IP SSL and E-Commerce • Only product with integrated SSL • Single certificate simplifies administration • Lowers certificate costs • Client certificate checking (Authentication) Layer 7 Functionality • Can utilize all HTTP header/content or TCP content in traffic decisions • Can persist on anything • HTTP 1.1 keep-alives dramatically improve performance 20 Feature Overview/BIG-IP Easy to Implement and Support • Can be deployed as either Layer 2 or 3 device • Simple and complete Graphical User Interface • Installation services by F5 and/or partner Flexibility • BIG-IP works with any server or IP based service • iControl enables integration with internal and/or 3rd party applications 21 Powerful and Simplified Management “We have to deal with multiple products. The new user interface makes every other solution in this space look absolutely immature. 
F5’s solutions are 10 times easier to manage than Cisco.” - Major US Hosting Provider 22 Profile Based Management Profile Based Traffic Management Improved vision of all resources and traffic Deliver Optimize Secure 23 Ensure Higher Availability - Superior System Design Processes Reporting and Control – Granular status, logging and configurable actions for component-level failures. Capable of warm restarts and upgrades. 3-way HA Design – Robust Internal system checking and passthrough design. 24 Extensibility - IPv6 Gateway 25 Network Virtualization Route Domains Consolidation with control Host multiple groups on one BIG-IP without conflicts Granular control to provide separate routing domains and overlapping IPs 26 System Resource Control Module Provisioning Consolidation with control Allocate CPU, memory, and disk per module Customize allocation to meet your needs 27 Simple Application Roll-outs Application Templates 1 SharePoint 2007 VMware VDI Exchange Web Access 2007 IIS 7.0 HTTP BEA WebLogic 5.1, 8.1 Oracle Application Server 10g SAP ERP 6.0 and ERP 2006 Citrix Presentation Server DNS IP Forwarding LDAP RADIUS 2 3 “The Application Templates allowed us to deploy Microsoft IIS in seconds instead of hours” - System Engineer, Fortune 500 Co. 
28 Simplified Management Dashboard 29 Secure and Accelerate DC to DC iSessions Secure and accelerate between data centers Integrated and free with BIG-IP LTM v10 Symmetric Compression • Adaptive • Deflate • LZO SSL Encryption Note: Not available on the 1500 and 3400 30 BIG-IP Security Add-On Modules Application Security Module SSL Acceleration Protect applications and data Protect data over the Internet Advanced Client Authentication Module Protect against unauthorised access 31 BIG-IP Software Add-On Modules Quickly Adapt to Changing Application & Business Challenges Compression Module Increase performance Webaccelerator - Fast Cache Module Offload servers Rate Shaping Module Reserve bandwidth 32 Intelligent HTTP Compression Most Intelligent and flexible solution to target HTTP compression where it matters most URI/content filters – allow/disallow lists – Compress only specified file types – Based on URI or MIME type Client-aware compression (patent pending) – Based on TCP latency – observe client RTT – Based on low bandwidth client connections Granular L7 based compression Tunable resource allocation – Devote more memory and CPU cycles for high priority compression jobs Adaptable Compression – Scale back compression based on CPU load 33 Real Time Compression Tool www.f5demo.com/compression 34 Improve the End-User Experience TCP Express Intelligent Compression WebAccelerator (add-on module) iSessions LTM improves the application performance Optimize the connections and prioritize traffic Reduce the amount of data sent, both to the client and across the WAN 35 Secure the Applications and Data Network and Protocol Attack Prevention Selective Encryption Resource Cloaking and Content Security Application Security Manager (add-on module) Application Policy Manager (add-on module) Security at Application, Protocol and Network Level Meet compliance requirements (PCI, HIPAA, etc.) 
Strong protection without interrupting legitimate traffic Authentication and Authorization (via client cert, AD, LDAP, RADIUS, RSA SecurID agents) Secure Remote Access (SSL-VPN) Optimization (caching, compression, web acceleration) Endpoint Security Policy Engine 36 Let Servers Serve One Connect Fast Cache SSL Offload Compression LTM offloads tasks from application servers Reduce the number of servers required Centralize SSL key management 1/2 of BIG-IP owners have saved 20% or more on their total Capital Expenses with BIG-IP Source: TechValidate Survey of F5 BIG-IP Users 37 TCP Express Behaviors of a good TCP/IP implementation. – Proper congestion detection. – Good congestion recovery. – High bandwidth utilization. • • • Being too aggressive can cause individual connections to consume all of the network. Not being aggressive enough will leave unused bandwidth especially during a low number of connections. Always needs to adapt to changing congestion. – Increased windowing and buffering will often help compensate for latency and can also offload the application equipment more quickly. Most important tuning you can do in TCP typically has to do with window sizes and retransmission logic (aka congestion control behavior). On today’s networks, loss is almost always caused from congestion. – Most TCP stacks are not aggressive enough. 38 F5’s TCP Congestion Control Algorithms Reno Congestion Control – Original TCP fast recover algorithm based on BSD Reno. – Initially grows congestion window exponentially during the slow-start period. – After slow-start, increases CWND by 1MSS for each CWND acked (this is linear growth). – When loss or a recovery episode is detected, the CWND is cut in half. New Reno modifications (this is currently the default mode) – Improves on the Reno behaviour. – When entering a recovery episode, implements a fast retransmit: • Each ACK less than the recovery threshold triggers a one-time resend of the data started by the ACK. 
• Results in more aggressively sending the missing data and exiting the recovery period. Scalable TCP (added in 9.4) – Improves on the NewReno behaviour. – Upon loss, the CWND is reduced by only 1/8. – Once out of slow start, CWND increases by 1% of an MSS for each CWND ACK’d. HighSpeed (F5's proprietary congestion control added in 9.4) – Similarly improves on the NewReno behaviour in combination with Scalable TCP. – Progressively switches from NewReno to Scalable TCP based on the size of the CWND. • Upon loss, the CWND is reduced by somewhere between ½ and 1/8. • CWND grows somewhere between 1% and 100% of an MSS for each CWND ACK’d. 39 OneConnect ™ – Connection Pooling Increase server capacity by 30% – Aggregates massive number of client requests into fewer server side connections Transformations form HTTP 1.0 to 1.1 for Server Connection Consolidation Maintains Intelligent load balancing to dedicated content servers Good Sources: http://tech.f5.com/home/bigip/solutions/traffic/sol1548.html http://www.f5.com/solutions/archives/whitepapers/httpbigip.html 40 OneConnect ™ New and Improved HTTP Request Pooling b.gif c.asp a.gif 20 index.htm 1 b.gif c.asp a.gif index.htm • Streamlines single client request to BIG-IP • Enabled by HTTP 1.1 • Avg. 
Reduction is 20 to 1 per Web Page • Intelligent load balancing to dedicated content servers • Maintain Server Logging • Transformation form HTTP 1.0 to 1.1 for Server Connection Consolidation 1) OneConnect ™ Content Switching b.gif c.asp a.gif index.htm index.htm HTML server pool b.gif GIF server pool a.gif c.asp 2) OneConnect ™ HTTP transformations b.gif c.asp a.gif index.htm ASP server pool New One b.gif c.asp a.gif index.htm Many 3) OneConnect ™ Connection Pooling b.gif c.asp a.gif index.htm • Aggregates massive number of client requests into fewer server side connections Server sales.htm e.gif d.gif f.asp b.gif sales.htm c.asp e.gif a.gif d.gif index.htm f.asp 41 Content Spooling Problem: TCP Overhead on Servers – There is overhead for breaking apart…”chunking” content – Client and Server negotiate TCP segmentation – Client forces more segmentation that is good for the server – The Servers is burdened with breaking content up into small pieces for good client consumption Solution Spoon feed clients Slurp up server response Benefit: Increases server capacity up to 15% 42 L7 Rate Shaping Integrated and Fine Grained Bandwidth Control Rate Class Sophisticated Bandwidth Control – Flexible bandwidth limits – Full support for bandwidth borrowing – Traffic queuing (stochastic fair queue, FIFO ToS priority queue) Granular Traffic Classification L2 through L7 – iRules support can initiate a rate class on any traffic flow variable Only Multi Direction Control – Control throughput in any direction Ceiling Rate Burst Base WAN Network Segments Pool of Servers 43 Hardware 45 Actual BIG-IP Platforms BIG-IP 8900 Price 2 x Quad core CPU 16 10/100/1000 + 8x 1GB SFP 2x 320 GB HD (S/W RAID) + 8GB CF 16 GB memory SSL @ 58K TPS / 9.6Gb bulk 6 Gbps max hardware compression BIG-IP 6900 12 Gbps Traffic Multiple Product Modules BIG-IP 3900 Quad core CPU 8 10/100/1000 + 4x 1GB SFP 1x 300 GB HD + 8GB CF 8 GB memory SSL @ 15K TPS / 3.8 Gb bulk 3.8 Gbps max software compression BIG-IP 3600 
BIG-IP 1600 Dual core CPU 4 10/100/1000 + 2x 1GB SFP 1x 160GB HD 4 GB memory SSL @ 5K TPS / 1 Gb Bulk 1 Gbps max software compression 2 x Dual core CPU 16 10/100/1000 + 8x 1GB SFP 2x 320 GB HD (S/W RAID) + 8GB CF 8 GB memory SSL @ 25K TPS / 4 Gb bulk 5 Gbps max hardware compression 6 Gbps Traffic Multiple Product Modules 4 Gbps L7 Traffic Multiple Product Modules Dual core CPU 8 10/100/1000 + 2x 1GB SFP 1x 160 GB HD + 8GB CF 4 GB memory SSL @ 10K TPS / 2 Gb bulk 1 Gbps max software compression 2 Gbps Traffic 1 Advanced Product Module 1 Gbps Traffic 1 Basic Product Module Function / Performance VIPRION 46 2008: Hardware Architectur (Single-Board-Design) LCD-Panel TMM: Traffic Management Microkernel HDD1 1/2 FIPS*: Federal Information Processing Standards Hardware Compression Card* * Depends on platform (optional) SSL RAM SSL* CPU CPU* CPU* TMM (Layer4-7) Mgmt Failover Serial AOM Powersupply Powersupply* CFlash* CPU AOM: Always On Module (SCCP in former Versions) BCM: Broadcom Asic HDD2* 1/2 BCM (Layer 2) x*10/100/1000Base-T 10GbEth* Copper/SFP-GBIC 47 High-Performance Application Switches BIG-IP 8900 Consolidate with Purpose-built Hardware Designed specifically for application delivery BIG-IP 6900 Integrated platform for security, acceleration, availability Offload Application Servers BIG-IP 3900 High performance hardware SSL and compression offload Advanced connection management Reduce Operating Costs Simplified management with USB, front panel management, remote boot, and more BIG-IP 1600 - 3600 Increased uptime with hot swappable and redundant components 48 BIG-IP 1600 High performance meets high value High Performance – Dual-core CPU provides 1 Gb/s of L7 throughput Reliable and Adaptable – Options for dual power and DC power – Front-to-back cooling Basic security and acceleration options – Protocol Security Module – 1 Gb/s compression and SSL throughput 49 BIG-IP 3600 Integrated ADC in a 1U platform Advanced security and acceleration options – WebAccelerator 
option – Application Security Module option High Performance – Dual-core CPU provides 2 Gb/s of L7 throughput Reliable and Adaptable – Options for dual power and DC power – Front-to-back cooling 50 BIG-IP 3900 Integrated ADC in a 1U platform Advanced security and acceleration options – WebAccelerator and Application Security Module can run simultaneously High Performance – Quad-core CPU provides 4 Gb/s of L7 throughput Reliable and Adaptable – 4 SFP slots – Options for dual power and DC power – Front-to-back cooling 51 BIG-IP 6900 Consolidation and Integration High Performance for Consolidation – Dual CPU, Dual Core for 6 Gb/s of L7 throughput – Hardware SSL and Compression offload Multi-module Integration – Run multiple modules and unify application delivery functions onto a single device Reliable and Adaptable – Dual power supplies and dual hard drives standard – Front-to-back cooling 52 BIG-IP 8900 The Foundation of a Unified ADN High Performance for Consolidation – Dual CPU, Quad Core for 12 Gb/s of L7 throughput – Hardware SSL and compression offload 10G Ports for Next-gen Data Centers – Two 10G SFP ports in addition to 1G copper and fiber connections Reliable and Adaptable – Dual power supplies and dual hard drives standard – Front-to-back cooling 53 Platform Performance BIG-IP 1600 Max. throughput BIG-IP 3600 BIG-IP 3900 BIG-IP 6900 BIG-IP 8900 1 Gbps 2 Gbps 4 Gbps 6 Gbps 12 Gbps 60,000 115,000 175,000 220,000 400,000 100,000 135,000 400,000 600,000 1,200,000 Max. conc. conn. 4 Million 4 Million 8 Million 8 Million 16 Million Max. SSL TPS 5,000 10,000 15,000 25,000 58,000 Max. SSL Bulk 1 Gbps 1.5 Gbps 3.8 Gbps 4 Gbps 9.6 Gbps Max. SSL conc. conn. 1 Million 1 Million 1 Million 2 Million 4 Million Max. 
compression 1 Gbps 1 Gbps 3.8 Gbps 5 Gbps 9.6 Gbps Switch backplane 14 Gbps 24 Gbps 34 Gbps 68 Gbps 112 Gbps Layer 4 New Connections / sec Layer 7 Requests / sec (inf-inf) 54 CMP Super-VIP Servers TMM0 TMM1 Network TMM2 switch TMM3 switch Multitasking means screwing up several tasks at the same time. 55 The World’s Only On Demand ADC 56 VIPRION – On Demand ADC Add application intelligence without adding management cost Market-leading performance Ultimate redundancy TMOS inside 57 Viprion Overview Unmatched Performance – Massive scalability – Processing architecture common with 8800 Intelligent clustering – SuperVIP (Virtuals can seamlessly span blades) – N+M redundancy for all features in cluster High Availability – Automatic failover within cluster – Chassis-to-chassis redundancy Full Modular Chassis – 4 blade slots w/1 blade type – 1 blade type – Any blade can be chassis master Common central management console – Single point of Management – Same user interface as BIG-IP appliances 58 On Demand – Zero Reconfiguration Virtual Machines Servers Physical Server Servers Automatic addition of power No need to overprovision Fixed and predictable OpEx Virtual Machines Physical Server Servers 59 Ultimate Reliability Multi-Level Redundancy Internal blade to blade failover External chassis to chassis Hot swappable power supplies Hot swappable fan trays Hot swappable LCD display Passive, redundant backplane Integrated Lights Out mgmt 60 Ultimate Reliability Client Multi-Level Redundancy Blade failure will not cause chassis failure Redundant and hot swappable components Always Available Server 61 Traditional ADC Scaling WWW. DNS DNS WWW1. Server Farm A WWW2. WWW3. Server Farm B WWW4. 
Server Farm C GSLB Within the Datacenter Each addition requires DNS changes Physical reconfigurations Routing changes ADC reconfiguration Server Farm D 62 Clustered Multi Processing Scales Performance TMOS 8x 4x SMP 2x Single Processor Time 63 Virtual Processing Fabric Clustered Multi Processing Custom Disaggregator ASICs High Speed Bridge Processing Complex DAG TMM 1 TMM n … … … Client DAG TMM 0 Server 64 The SuperVIP WWW. Pool Virtualization: “Separating the physical characteristics of computing resources from the systems, applications or end users interacting with those resources”. With a SuperVIP, a single virtual server may be processed by all computing resources of the VIPRION. 65 Market Leading Performance L7 Fast HTTP Inf/Inf L7 Full Proxy Inf/Inf SSL TPS SSL Gbps L4 Conn/s (1-1) Compression L4 Throughput L7 Throughput Single Blade 4 Blade System 800,000 Rps 300,000 Rps 50,000 9 Gbps 250,000 cps 4.5 Gbps 10 Gbps 10 Gbps 3,200,000 Rps 1,200,000 Rps 200,000 36 Gbps 1,000,000 cps 16 Gbps 36 Gbps 36 Gbps 66 More detailed measures 67 Avoid Management Nightmare TMOS + Security + Accel + iRules + iControl VIPRION 200,000 SSL TPS 12,000 SSL TPS per blade = 16 Blades 68 Avoid Growing Pains TMOS + Security + Accel + iRules + iControl VIPRION 3,200,000 Layer 7 Requests/Sec 76,000 L7 RPS = 42 Blades 69 VIPRION Management 70 Management continued 71 Management 72 iRules and iControl 73 Complete Control and Flexibility iRules iControl Total Application Control Complete payload inspection and transformation Open API and SDK to integrate with infrastructure 64% of BIG-IP users said that they can respond more quickly to changing business needs after deploying F5 BIG-IP. 
Source: TechValidate Survey of F5 BIG-IP Users 74 A Better Architecture with iRules Large financial saves over $200k a year with simple iRule Primary Data Center www.web.com BIG-IP sports.web.com webpromo.com iRules with Class Lists web.com sports.web.com webpromo.com Web Servers iRule uses lookup table to match domains to location Simple text file to manage Eliminates need for 3rd party proxies, saving $200k/year 75 What are iRules? Programming language integrated into TMOS Traffic Management Operating System Based on industry standard TCL language Tool Command Language Provide ability to intercept, inspect, transform, direct and track inbound or outbound application traffic Core of the F5 “secret sauce” and key differentiator 76 How do iRules Work? • iRules allow you to perform deep packet inspection (entire header and payload) • Coded around Events (HTTP_REQUEST, HTTP_RESPONSE, CLIENT_ACCEPTED etc.) • Full scripting language allows for extremely granular control of inspection, alteration and delivery on a packet by packet basis Requests iRule Triggered HTTP Events Fire (HTTP_REQUEST, HTTP_RESPONSE, etc.) Modified Responses* *Note: BIG-IP’s Bi-Directional Proxy capabilities allow it to inspect, modify and route traffic at nearly any point in the traffice flow, regardless of direction. 77 The Better Alternative Example Centralized Availability, Security & Acceleration Centralized Transaction Assurance: Proactive Response Error Handling for Higher Availability rule redirect_error_code { when HTTP_REQUEST { set my_uri [HTTP::uri] } when HTTP_RESPONSE { if { [HTTP::status] == 500 } { HTTP::redirect http://192.168.33.131$my_uri } Centralized Data Protection: Rewrite, Remove, Block and or Log Sensitive Content rule protect_content { when HTTP_RESPONSE_DATA { set payload [HTTP::payload [HTTP::payload length]] # # Find and replace SSN numbers. # regsub -all {\d{3}-\d{2}-\d{4}} $payload "xxx-xxxxxx" new_response # # Replace only if necessary. 
# A Repeatable, Extensible, Flexible Architecture Host to URI mapping: Faster Access to Data through Automatic Redirection when HTTP_REQUEST { # www.A.com -- domain == A.com, company == A regexp {\.([\w]+)\.com} [HTTP::host] domain company If { "" ne $company } { # look for the second string in the data group set mapping [findclass $company $::valid_company_mappings " "] if { "" ne $mapping } { HTTP::redirect "http://www.my_vs.com/$mapping" } } } if {$new_response != 0} { HTTP::payload replace 0 [HTTP::payload length] $new_response } } 78 Solution: Server Resource Cloaking Description To protect from web server signatures exposing from potential security holes to hackers, iRules are used to remove or “cloak” visible web server signatures HOW IT WORKS 1. Client requests information from an application and is routed through BIG-IP 5 rule when HTTP_RESPONSE { # # Remove all but the given headers. # HTTP::header sanitize “ETag” “Connection” “ContentTYPE” } 2. BIG-IP directs request to best performing web server 3. Web server provides application response BUT all responses – by default – include information that indicates the type of server responding 4. BIG-IP looks at traffic and determines it must call the iRule for “Resource Cloaking” 5. iRule runs, removing Apache references, and send request on to client 6. Client only sees “sanitized” response. iRule! Remove Apache v 2.0.49 Reference 2 4 1 HTTP Request HTTP Response 6 3 Response from Apache Web Server includes server signatures 79 What can an iRule do? Read, transform, replace header or payload information (HTTP, TCP, SIP, etc.) Work with any protocol, such as SIP, RTSP, XML, others, whether with native (HTTP::cookie) or generic (TCP::payload) commands Make adjustments to TCP behavior, such as MSS, checking the RTT, deep payload inspection Authentication assistance, offload, inspection and more for LDAP, RADIUS, etc. 
Caching, compression, profile selection, rate shaping and much, much more 80 iRule Event Taxonomy AUTH AUTH_ERROR AUTH_FAILURE AUTH_RESULT AUTH_SUCCESS AUTH_WANTCREDENTIAL CACHE CACHE CACHE_REQUEST CACHE_RESPONSE CLIENTSSL CLIENTSSL GLOBAL GLOBAL LB_FAILED LB_SELECTED RULE_INIT HTTP HTTP HTTP_CLASS_FAILED HTTP_CLASS_SELECTED HTTP_REQUEST HTTP_REQUEST_DATA HTTP_REQUEST_SEND HTTP_RESPONSE HTTP_RESPONSE_CONTINUE HTTP_RESPONSE_DATA IP IP DNS_REQUEST DNS_RESPONSE NAME_RESOLVED CLIENT_LINE SERVER_LINE RTSP RTSP CLIENTSSL_CLIENTCERT CLIENTSSL_HANDSHAKE DNS DNS LINE LINE CLIENT_ACCEPTED CLIENT_CLOSED CLIENT_DATA SERVER_CLOSED SERVER_CONNECTED SERVER_DATA RTSP_REQUEST RTSP_REQUEST_DATA RTSP_RESPONSE RTSP_RESPONSE_DATA SIP SIP SIP_REQUEST SIP_REQUEST_SEND SIP_RESPONSE SERVERSSL SERVERSSL TCP TCP CLIENT_ACCEPTED CLIENT_CLOSED CLIENT_DATA SERVER_CLOSED SERVER_CONNECTED SERVER_DATA USER_REQUEST USER_RESPONSE UDP UDP CLIENT_ACCEPTED CLIENT_CLOSED CLIENT_DATA SERVER_CLOSED SERVER_CONNECTED SERVER_DATA XML XML SERVERSSL_HANDSHAKE STREAM STREAM STREAM_MATCHED XML_BEGIN_DOCUMENT XML_BEGIN_ELEMENT XML_CDATA XML_END_DOCUMENT XML_END_ELEMENT XML_EVENT 81 Solution: FIX Protocol Persistence Challenges • Business chooses protocol required by industry sector • Implemention on serverside impossible in enterprise HA scenario Solution • iRule provides centralized mechanism for intercept/inspect/route • Solution can be deployed in true HA/multi-server (even data center) mode • Clean code management HOW IT WORKS 3 1. Client requests information from an application and is routed through BIG-IP iRule Query identifies FIX SenderComp ID 2. BIG-IP UIE inspects for specific information identified rule FIX_regexp { when CLIENT_ACCEPTED { TCP::collect } when CLIENT_DATA { if { [regexp "\x0149=(.*)\x01" [TCP::payload] -> SenderCompID] } { persist uie $SenderCompID TCP::release } else { TCP::collect } } } 1 3. 
iRule runs and queries the payload (TCP::collect) for the specific identifier needed (SenderCompID)
4. Based upon the rule, the client request is persisted to a specific server dedicated to that user
(Diagram: HTTP Request, Pool A, Pool B)
** Enhanced by community; see CodeShare

82 What makes iRules so unique?
• Full-fledged scripts, executed against traffic on the network, at wire-speed
• Powerful logical operations combined with deep packet inspection
• The ability to route, re-route, re-direct, retry, or block traffic
• Community support, tools and innovation

83 Solution: Credit Card Scrubber

Challenges
• Rapid feature enhancements come at the expense of good security practices
• Scanning on each server doesn't perform well

Solution
• iRule provides a centralized mechanism for protection
• High performance at the network layer maintains high end-user satisfaction
• App teams focus on features, network teams focus on protection

HOW IT WORKS
1. Client requests information from an application and is routed through BIG-IP
2. BIG-IP directs the request to the best performing web server
3. Web server provides the application response, BUT the response from the application server accidentally leaks customer credit card numbers; the iRule runs if it sees a string of 16 digits
4. iRule fires off the MOD-10 algorithm to determine if the 16-digit string is a valid credit card number; offending server IP address logged and flagged
5. If a valid match, first 12 digits are replaced with Xs
6. Client only sees the "sanitized" response
(Diagram: HTTP Request, HTTP Response)
** Created collaboratively within community

Remove Valid Credit Card Numbers (iRule):

    when HTTP_REQUEST {
      # Don't allow data to be chunked: force HTTP/1.0 so the response carries a
      # Content-Length (or closes the connection) and can be collected as one body.
      if { [HTTP::version] eq "1.1" } {
        if { [HTTP::header is_keepalive] } {
          HTTP::header replace "Connection" "Keep-Alive"
        }
        HTTP::version "1.0"
      }
    }

    when HTTP_RESPONSE {
      # Collect the whole response body so the regex sees card numbers intact.
      if { [HTTP::header exists "Content-Length"] } {
        set content_length [HTTP::header "Content-Length"]
      } else {
        set content_length 4294967295
      }
      if { $content_length > 0 } {
        HTTP::collect $content_length
      }
    }

    when HTTP_RESPONSE_DATA {
      # Find ALL the possible credit card numbers in one pass
      # (AmEx 34/37 + 13 digits, Visa 4 + 15, MasterCard 51-55 + 14, Discover 6011 + 12)
      set card_indices [regexp -all -inline -indices {(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} [HTTP::payload]]

      foreach card_idx $card_indices {
        set card_start [lindex $card_idx 0]
        set card_end [lindex $card_idx 1]
        set card_len [expr {$card_end - $card_start + 1}]
        set card_number [string range [HTTP::payload] $card_start $card_end]
        set double [expr {$card_len & 1}]
        set chksum 0
        set isCard invalid

        # Calculate MOD10: double every second digit counting from the rightmost (check) digit
        for { set i 0 } { $i < $card_len } { incr i } {
          set c [string index $card_number $i]
          if {($i & 1) == $double} {
            if {[incr c $c] >= 10} {incr c -9}
          }
          incr chksum $c
        }

        # Determine Card Type from the first digit
        switch [string index $card_number 0] {
          3 { set type AmericanExpress }
          4 { set type Visa }
          5 { set type MasterCard }
          6 { set type Discover }
          default { set type Unknown }
        }

        # If valid card number, then mask out numbers with X's.
        # The mask keeps the original length, so offsets of later matches stay valid.
        if { ($chksum % 10) == 0 } {
          set isCard valid
          HTTP::payload replace $card_start $card_len [string repeat "X" $card_len]
        }

        # Log Results (note: this writes the full number to the log; in production log a masked value)
        log local0. "Found $isCard $type CC# $card_number"
      }
    }

84 Solution: Anti-phishing

Challenges
• Attacks are directed at users, not the servers themselves
• No control of user actions
• Can't force software install

Solution
• iRule allows for prevention of the scraping required to perform the attack
• Preventative approach keeps users safe without need for their interaction
• Server load decreased

HOW IT WORKS: Prevent unwanted referrals of content
1. Define a list of valid referrers in the form of a class. This is a list of those sites that you expect to be linking to content on your site.
2. Define a list (in the form of a class) of file types that should not be linked to, other than by the referrers listed in item #1.
3. Check to see if an invalid referrer (not someone in class #1) is trying to serve data from your site and what kind of content they shouldn't be trying to serve. If it matches the file types in Class #2, block it. If not, insert some custom code to help prevent phishing attempts.
(Diagram: HTTP Request, HTTP Response)
Web servers feed content to anyone requesting it, including people who shouldn't be serving this content.

    class valid_referers {
      "http://mydomain.com"
      "http://mydomain1.com"
      "http://url1"
      "http://url2"
      "http://url3"
    }

    class file_types {
      ".gif" ".jpg" ".png" ".bmp" ".js" ".css" ".xsl"
    }

    rule no_phishing {
      when HTTP_REQUEST {
        # Default: the response is not inspected unless marked below
        set respond 0

        # Don't allow data to be chunked.
        if {[HTTP::version] == "1.1"} {
          if {[HTTP::header is_keepalive]} {
            # Adjust the Connection header.
            HTTP::header replace "Connection" "Keep-Alive"
          }
          HTTP::version "1.0"
        }

        # A missing Referer header yields an empty string, which matches no class
        # member, so direct requests are treated like unknown referrers.
        if { [matchclass [HTTP::header "Referer"] starts_with $::valid_referers] < 1 } {
          if { ([string tolower [HTTP::method]] eq "get") && ([matchclass [HTTP::uri] contains $::file_types] > 0) } {
            # Static content hot-linked from an unknown referrer: drop the request
            discard
          } else {
            # Anything else from an unknown referrer: inspect the response
            set respond 1
          }
        }
      }

      when HTTP_RESPONSE {
        if { $respond == 1 } {
          # Content-Type is checked on the response, which describes the body being served;
          # only text responses get the anti-framing script
          if { [HTTP::header exists "Content-Type"] && [HTTP::header "Content-Type"] starts_with "text" } {
            if { [HTTP::header exists "Content-Length"] } {
              set content_len [HTTP::header "Content-Length"]
            } else {
              set content_len 4294967295
            }
            if { $content_len > 0 } {
              HTTP::collect $content_len
            }
          }
        }
      }

      when HTTP_RESPONSE_DATA {
        # Locate the <html> tag case-insensitively ([string first] has no -nocase option)
        set bypass [string first "<html>" [string tolower [HTTP::payload]]]
        if { $bypass != -1 } {
          # Splice the frame-busting script in front of the <html> tag
          HTTP::payload replace $bypass 0 "<script type=\"text/javascript\">\n if (top.frames.length!=0) {\n if (window.location.href.replace)\n top.location.replace(self.location.href);\n else\n top.location.href=self.document.href;\n }\n </script>\n"
        } else {
          HTTP::respond 500
        }
      }
    }
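The decision logic of the anti-phishing rule, as an added Python harness (not the slide's iRule and not F5 code) for testing the referrer policy offline before it goes on a BIG-IP. It mimics the iRule matchclass command, classifies requests the way the HTTP_REQUEST event does, and applies the response-side script insertion; the class contents are the slide's placeholders, the request and body samples are constructed, and the "phish.example" hostname is a reserved example domain.

```python
# Class contents copied from the slide; the hostnames are the slide's placeholders.
VALID_REFERERS = ("http://mydomain.com", "http://mydomain1.com", "http://url1", "http://url2", "http://url3")
FILE_TYPES = (".gif", ".jpg", ".png", ".bmp", ".js", ".css", ".xsl")

# The frame-busting snippet the iRule splices in front of <html>
FRAME_BUSTER = (
    '<script type="text/javascript">\n'
    " if (top.frames.length!=0) {\n"
    "  if (window.location.href.replace)\n"
    "   top.location.replace(self.location.href);\n"
    "  else\n"
    "   top.location.href=self.document.href;\n"
    " }\n"
    "</script>\n"
)


def matchclass(value, operator, members):
    """Mimic the iRule matchclass command: 1-based index of the first matching member, 0 if none."""
    for i, member in enumerate(members, start=1):
        if operator == "starts_with" and value.startswith(member):
            return i
        if operator == "contains" and member in value:
            return i
    return 0


def classify_request(method, uri, referer):
    """Decide what the HTTP_REQUEST event does: 'pass', 'discard' or 'inspect'.

    A missing Referer header (None here) reaches the iRule as an empty string, which
    matches no allow-list member, so direct requests are treated like unknown referrers.
    """
    if matchclass(referer or "", "starts_with", VALID_REFERERS) >= 1:
        return "pass"
    if method.lower() == "get" and matchclass(uri, "contains", FILE_TYPES) > 0:
        return "discard"
    return "inspect"


def rewrite_response(content_type, body):
    """HTTP_RESPONSE / HTTP_RESPONSE_DATA for a request marked 'inspect'.

    Non-text bodies pass unchanged; text bodies get the frame buster inserted before the
    first <html> tag (matched case-insensitively); text without an <html> tag is refused,
    which is where the iRule answers 500. Returns the body to send, or None for the 500.
    """
    if not content_type.startswith("text"):
        return body
    idx = body.lower().find("<html>")
    if idx == -1:
        return None
    return body[:idx] + FRAME_BUSTER + body[idx:]


if __name__ == "__main__":
    # Constructed sample requests: (method, uri, referer)
    samples = [
        ("GET", "/img/logo.gif", "http://mydomain.com/page.html"),
        ("GET", "/img/logo.gif", "http://phish.example/fake-login"),
        ("GET", "/img/logo.gif", None),
        ("GET", "/account/login", "http://phish.example/fake-login"),
    ]
    for method, uri, referer in samples:
        print(f"{method} {uri} referer={referer!r} -> {classify_request(method, uri, referer)}")
    print(rewrite_response("text/html", "<!DOCTYPE html><HTML><body>login</body></HTML>"))
```

The third sample shows the edge case worth knowing before deployment: with this policy, a browser that sends no Referer at all is blocked from the listed file types exactly like a hot-linking site.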
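Going back to the credit card scrubber of slide 83, here is the same detection logic as an added Python harness (not the slide's iRule and not F5 code) so the regex and the MOD-10 check can be exercised on a sample body before the rule touches production traffic. The pattern and the Luhn loop follow the iRule line for line; the sample response is constructed, and the card numbers in it are the widely published test numbers, not real accounts.

```python
import re

# Same pattern as the iRule: AmEx (34/37 + 13 digits), Visa (4 + 15 digits),
# MasterCard (51-55 + 14 digits), Discover (6011 + 12 digits).
CARD_RE = re.compile(r"(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})")

# Same first-digit mapping the iRule's switch uses
CARD_TYPES = {"3": "AmericanExpress", "4": "Visa", "5": "MasterCard", "6": "Discover"}


def luhn_valid(digits):
    """MOD-10 check written the same way as the iRule loop: walk left to right and
    double the digits that sit an even distance from the rightmost (check) digit."""
    double = len(digits) & 1
    total = 0
    for i, ch in enumerate(digits):
        c = int(ch)
        if (i & 1) == double:
            c *= 2
            if c >= 10:
                c -= 9
        total += c
    return total % 10 == 0


def scrub_payload(payload):
    """Return (sanitized_payload, findings).

    findings holds one (validity, card_type, number) tuple per regex hit, i.e. what the
    iRule logs. Only Luhn-valid hits are masked, and the mask keeps the original length
    so the offsets of later hits stay correct (the iRule relies on the same property).
    """
    findings = []
    out = list(payload)
    for m in CARD_RE.finditer(payload):
        number = m.group(0)
        valid = luhn_valid(number)
        findings.append(("valid" if valid else "invalid", CARD_TYPES.get(number[0], "Unknown"), number))
        if valid:
            out[m.start():m.end()] = "X" * len(number)
    return "".join(out), findings


# Constructed sample response body. The order number is 16 digits but starts with 1, so
# the prefix pattern never matches it; the "declined" number differs from a valid Visa
# test number only in its last digit and is caught by the Luhn check instead.
SAMPLE_RESPONSE = (
    "<p>Order 1234567890123456 paid with 4111111111111111</p>\n"
    "<p>Backup card 378282246310005 on file</p>\n"
    "<p>Declined attempt 4111111111111112</p>\n"
    "<p>Support phone 5551234567</p>\n"
)

if __name__ == "__main__":
    sanitized, findings = scrub_payload(SAMPLE_RESPONSE)
    for validity, card_type, number in findings:
        # Log a masked value rather than the full number
        print(f"Found {validity} {card_type} CC# {'*' * (len(number) - 4)}{number[-4:]}")
    print(sanitized)
```

The two filters work together: the prefix regex limits the candidates to the four issuer formats, and the Luhn check removes most remaining coincidental digit runs, so only numbers that pass both are masked and the rest of the body is left untouched.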
85 F5 iRule Editor
First network rule editor optimizes development. Includes:
– Syntax checking
– Auto-complete
– Template support
– Doc Links
– Deployment integration
– Statistics monitoring
– Data group editing
– Optional post to CodeShare feature
Available: Now
Pricing: Free Download
Tutorials: on DevCentral

86 Introducing iControl v9
• Open API (SOAP/XML) allows applications to automatically interact with the network
• Integration with development tools from Microsoft, BEA, and Oracle
• Online community F5 DevCentral
  – Developer assistance on F5 DevCentral via developer forums (http://devcentral.f5.com)
  – iRules forum and code examples

87 iControl Eases Application Integration
Leverage the skills and expertise you already have!
Key Components and their Benefits:
– XML/SOAP interface: open, standards-based integration
– Downloadable SDK: simplified development
– Technology partnerships: proven integration
– DevCentral resource centre and community: sample code, documentation, discussion forums

88 Integration and Extensibility: iControl Event API
• Create Subscription: the administrator uses the provided sample application (or a custom application) to create Event Subscriptions
• Select Event Type: choose a specific event to track, then create the Subscription name and parameters
• Upon an event, a message is distributed via log, email, or SMS to phone/PDA
• Applications can subscribe to 47 different system events
• Sample application (screenshots) provided with the SDK
• Bulk method support: 100:1 reduction in calls, 90% reduction in bandwidth

89 iControl Application Migration to v9
• Paste Code Into Analyser: the developer visits DevCentral, accesses the Code Analyser, and selects the language and report format
• Summary Report: the generated report identifies the line where conflicts exist, defines the method affected, and links directly to the online versions of the 4.x and v9 SDKs
• Analyser free for use by all F5 DevCentral members
• DevCentral Forum available for posting migration questions
• Additional samples and technical tips will be available

90 DevCentral Technical Community
http://devcentral.f5.com/
• Forum for F5 customers for building iRules and iControl applications
• F5 provides technical documentation, tips, free sample downloads, and a confidential discussion forum
• Monitored by F5 engineers and technical experts that answer technical questions
  – Design, architecture, troubleshooting and general assistance with iRules and iControl

91 Link Collection
Overall: www.f5.com
Technical: www.f5.com, ask.f5.com, devcentral.f5.com
F5 University: www.f5university.com/
  » Login: your email
  » Password: adv5tech
Partner Information: www.f5.com/partners, www.f5.com/training_services/certification/certFAQ.html
Gartner Report: http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html

Important deployment information is available at:
– Deployment guides: http://www.f5.com/solutions/deployment/
– Data Center Virtualization: http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
– Application Traffic Management: http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
– Application Briefs: http://www.f5.com/solutions/applications/
– Solution Briefs: http://www.f5.com/solutions/sb/
– F5 Compression and Cache Test: http://www.f5demo.com/compression/index.php
– F5 iControl Alliance Partners: http://www.f5.com/solutions/partners/iControl/
– F5 Technology Alliance Partners: http://www.f5.com/solutions/partners/tech/

Let us know if you need any clarification or you have any further questions.

92 Thank You