F5 ADC Implementation Project Overview

Presentation Transcript


  1. F5 ADC Implementation Project Overview

    9/24/13
  2. Scope
     The scope of this project is to implement F5 Application Delivery Controllers (ADCs) into the Illinois and New Jersey colocation facilities to support enhanced load balancing, protocol optimization and application security for Guggenheim applications.
     Key Driving Factors
     - Currently there is no standard for high-availability deployments for Guggenheim applications.
     - Application delivery and performance can be enhanced through protocol tweaks, SSL offload, and application-aware security and DDoS threat mitigation.
     - Application outages can be minimized through intelligent server load balancing and global load balancing across multiple data centers (colos, B+M sites, and the cloud).
     - Enhanced scalability and environment growth potential via a chassis-based hardware ADC solution.
  3. Project Work Streams and Communication Plan
     Core Project Team
     - Audience Information Needs: Application migration tasks, project plan, status, notifications
     - Distribution Method: Weekly call
     - Frequency of Distribution: Weekly or as needed as the project progresses
     - Deliverable: Project status, updated project plan, meeting notes
     - Communication Owner:
     Working Groups
     - Audience Information Needs: Application migration tasks, requirements, notifications
     - Distribution Method: Weekly call
     - Frequency of Distribution: Weekly or as needed as the project progresses
     - Deliverable: Planning and design documents, task lists, status reviews
     - Communication Owner:
  4. Timeline and Key Dates
     - Project Kickoff: 8/05/2013
     - Milestone One – ADC installation in NJ Colo: 9/28/2013 – target completion date for all groups
     - Milestone Two – ADC installation in IL Colo: 10/7/2013 – target completion date for all groups
     - Milestone Three – ADC GTM integrated into DNS, LTM/ASM ready for application migrations: 10/21/2013 – target completion date for all groups
  5. Project Phases
     Phase One – Application & Infrastructure Discovery and Analysis
     - Identify the key applications that need to be migrated to the ADCs first; current applications identified include SharePoint, Exchange, OpenText, Lync and Rydex
     - Identify all dependencies such as circuits, backups, databases, firewall rules, etc.
     Phase Two – Design and Build-out
     - Design the ADC implementation in the colos
     - Install Viprion chassis pairs and stand-alone 2000 series platforms in the IL and NJ colocation facilities
     Phase Three – Build virtual IPs and wide-IPs on the ADCs for applications
     - Create a new virtual IP and server pool for each application in each applicable environment
     - Create a new wide-IP (FQDN) for each application globally load balanced across multiple DCs
     - Test the new vips using host file entries alongside their current analogs, with the help of the application teams, to ensure full application functionality
     - Cut over each application via DNS change
  6. Discovery and Classification
     Application classification – four options:
     - Local hardware ADC with server load balancing and application firewall: configure a new virtual application with server HA and WAF. Ideal for applications which only live in one particular location and do not yet have a footprint in multiple DCs or colos.
     - Local and global ADC: configure local ADCs as above for each colo or location, and in addition configure a new wide-IP FQDN on the GTMs to provide GSLB across multiple environments. Ideal for applications which have footprints in multiple locations and desire faster and more controlled fail-over and/or better global distribution of traffic.
     - Virtual ADC with SLB: ideal for locations other than the colos which have applications running on virtual servers. Virtual ADC apps can also be integrated into GSLB via the GTMs.
     - No ADC enhancement: for applications which will not be locally or globally load balanced, and which we do not feel will be enhanced by protocol enhancements or application security.
  7. Closing and Questions
  8. LTM Concepts
     F5 LTM: enhanced security
     - Full proxy architecture with separate client-facing and server-facing TCP stacks: a client packet terminates at the LTM on one stack, and the LTM re-creates the packet on the other stack if applicable.
     - F5 LTM is an ICSA-certified network firewall. The LTM default action is to drop packets arriving at the LTM which don't match a vip address or a SNAT (secure network address translation).
     - LTM protects against DDoS and other layer 3 attacks: connection reaping, TCP SYN cookies, flood attack defense.
     - Added flexibility of iRules for 'virtual patching'.
     - Layer 4-7 application awareness and protection is offered in the ASM and GTM modules (discussed later).
     F5 LTM: protocol optimization
     - TCP/UDP optimization via profiles; different optimization can be offered on the client-side and server-side TCP stacks.
     F5 LTM: application optimization
     - HTTP(S) / FTP / SSL / LDAP / RADIUS / Kerberos / persistence via profiles, with customizable profiles for each application or vip.
     - SSL offload to the LTM using dedicated ASICs for hardware-based SSL encryption/decryption on either or both of the client-side and server-side TCP stacks.
  9. LTM Concepts (continued)
     iRules provide fully customizable strategies for security via event-based packet manipulation:
     - Manipulate header information or packet data
     - Filter packets based on source/content/protocol
     - Enforce protocol standards
     - Fix application-induced packet issues
     - Insert or delete cookies
     - And more
     F5 LTM: local load balancing
     - Load balance across one or multiple pools per vip
     - Consolidate server connections via OneConnect to reduce server connection load
     - Enhance server productivity by offloading SSL, intelligently caching data at the LTM, and/or protocol optimization: servers get to focus solely on serving content, and other tasks are offloaded to the LTM to be better handled by dedicated hardware
     - One application can span many vips; each vip represents a socket
     - Each pool or node can have its own health monitor to ensure traffic only goes to healthy servers
  10. Example: Application Flow (diagram)
  11. GTM Overview
     - Global load balancing across multiple and/or geographically dispersed networks and data centers
     - Works as an adjunct to local load balancing, or can be implemented on its own
     - Can be implemented on the same hardware as LTM/ASM, or on its own hardware/VMs
     - Uses DNS as its core protocol ("GTM is DNS on PEDs"): uses standard zone files (SOA, A records, etc.) and combines the functionality of DNS with the load balancing/health monitoring characteristics of LTM
     - Can be integrated easily into existing DNS infrastructure (BIND / AD / Infoblox / etc.): existing DNS can forward to the GTMs for given subdomains, or list the GTMs as authoritative for individual FQDNs
  12. GTM Overview (Continued)
     - The GTM's basic object is a wide-IP. Wide-IPs load balance a pool (or pools) of IP addresses; these can be LTM vips or regular, stand-alone hosts, in the same or distant data centers. More than one pool can be balanced by a given wide-IP.
     - Wide-IPs can have primary, secondary and fallback LBAs: the primary LBA is the one used 99% of the time; the secondary is used if for some reason the primary LBA is invalid; the fallback is what a given wide-IP will respond with in the event none of its pools/pool members are valid.
     Typical load balancing algorithms
     - Global Availability: always resolve with the first listed pool member if it is 'alive'. Used where one site is the designated 'production' location and the other is the 'DR' or 'standby' location, with the expectation that 100% of traffic goes to the production site unless it's down, in which case 100% goes to the other site.
     - Topology: chooses which IP address to resolve a wide-IP to based on a topology table we build to suit our needs. Example: anything on the 10.10.2.x network resolves to a vip in the data center close to the 10.10.2.x network.
     - Ratio
     - Round Robin
     - Least Connections: this can be deceiving, because a GTM typically sees DNS resolvers as 'clients'. There can be 100 users behind one LDNS 'client' and 5 users behind another LDNS 'client', and the GTM will consider them equally balanced, because from its perspective it only has two clients, not 105 actual clients (unless the GTM is configured to be an LDNS).
  13. GTM integration into DNS
     Example: GTM authoritative for a subdomain in DNS (zone file excerpt):

         ILXXXGTM1   IN A   10.10.10.4
         NJXXXGTM1   IN A   10.10.14.4
         Oldapp1     IN A   10.10.9.100
         newapp1     IN NS  ILXXXGTM1
                     IN NS  NJXXXGTM1
         newapp2     IN A   10.10.9.210

     Example: forwarding zone in DNS (BIND configuration excerpt):

         zone "gtm.guggenheim.com" {
             type forward;
             forwarders { 10.10.10.4; 10.10.14.4; };
         };

     with, in the parent zone file:

         newapp1.guggenheim.com.  CNAME  newapp1.gtm.guggenheim.com.

     newapp1.gtm.guggenheim.com exists as an 'A' record on the GTMs.
  14. GTM Fallback
     - Fallback is the option of last resort for a wide-IP; its purpose is so that the GTM always has something to resolve a wide-IP to.
     - In the absence of a fallback method, the GTM responds to a wide-IP query with no surviving members the same way a DNS server responds to a query for which it's not configured: NXDOMAIN.
     - Fallback is an IP address. This can be the IP address of a "we're sorry" webpage (or anything else), or the IP address of one of the pool members.
  15. Example: GTM Query (diagram)
  16. Overview: ASM
     F5 ASM application firewall bimodal approach:
     - Negative security model protects against known attacks and exploits (SQL injection, buffer overflow, screen scraping, clickjacking, cross-site scripting, etc.)
     - Positive security model protects by limiting user interaction to known/expected methods, objects, etc.
     Flexible enforcement scenarios
     - ASM policies can be deployed in 'transparent' mode: ASM sends alerts based on activity, but does not actually block suspicious traffic in transparent mode.
     - ASM policies can be deployed in 'blocking' mode: ASM blocks nonconforming traffic, logs the nonconforming activity and directs users to a customizable page giving them a tracking number for the incident. We can use the tracking number to see what they did, and to quickly modify the ASM ruleset by 'whitelisting' that specific incident (and allowing any which follow).
     Flexible deployment methodology
     - Apply ASM policy on a per-vip basis: different vips can have their own policies, and each can be transparent, blocking, or learning.
  17. Overview: ASM (Continued)
     Automatic or manual application learning and profiling
     - Offers greater control
     - Offers granular rulesets and a customizable API
     Easy-to-update attack signature database
     - Download new attack signatures directly from the GUI
     - Apply new signatures according to company SOP
     F5 ASM offers additional security
     - Protect against data leakage by masking credit card numbers, social security numbers, or other recognizable patterns
     - Validate/enforce HTTP protocol compliance
     - Enforce application flows: alert or block when users attempt to bypass login pages
     - Protect against additional evasion techniques by policy
     - Determine which HTTP responses are allowed to be seen by a user: prevent users from seeing application-specific errors (which makes it harder to profile a web server to discern potential vulnerabilities) and offer a company-branded, nontechnical response to server errors
  18. Security at application, protocol and network level
     How does it work?
     - Request made
     - Security policy checked
     - Server response
     - Content scrubbing
     - Application cloaking
     - Enforcement actions: log, block, allow
     - Response delivered
     - Security policy applied
     "BIG-IP enabled us to improve security instead of having to invest time and money to develop a new, more secure application."
  19. Detailed Logging with Actionable Reports
     - At-a-glance PCI compliance reports
     - Drill-down for information on security posture
  20. Attack Expert System in ASM
     The attack expert system makes responding to vulnerabilities faster and easier:
     - Violations are represented graphically, with a tooltip to explain the violation (screenshot callout: "1. Click on info tooltip")
     - The entire HTTP payload of each event is logged
  21. Beyond Security
     Application analytics for assured availability
     - Additional statistics integrated into ASM logs provide deeper intelligence grouped by application and user
     - Rules can be applied based on user behavior
     - Latency monitoring provides: business intelligence/capacity planning; troubleshooting and performance tuning; anomalous behavior detection
  22. DDoS Mitigation
     Difficulty of attack detection increases up the OSI stack: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7).
     - Network attacks: SYN flood, connection flood, UDP flood, PUSH and ACK floods, Teardrop, ICMP floods, ping floods and Smurf attacks. F5 mitigation technologies (BIG-IP): SynCheck, default-deny posture, high-capacity connection table, full-proxy traffic visibility, rate limiting, strict TCP forwarding. Packet Velocity Accelerator (PVA) is a purpose-built, customized hardware solution that increases scale by an order of magnitude above software-only solutions.
     - Session attacks: DNS UDP floods, DNS query floods, DNS NXDOMAIN floods, SSL floods, SSL renegotiation. F5 mitigation technologies (BIG-IP LTM and GTM): high-scale performance, DNS Express, SSL termination, iRules, SSL renegotiation validation.
     - Application attacks: OWASP Top 10 (SQL injection, XSS, CSRF, etc.), Slowloris, Slow POST, HashDoS, GET floods. F5 mitigation technologies (BIG-IP ASM): positive and negative policy reinforcement, iRules, full proxy for HTTP, server performance anomaly detection.
  23. Automatic HTTP/S DoS Attack Detection and Protection
     - Detect a DoS condition
     - Identify potential attackers
     - Drop only the attackers
     Accurate detection technique based on latency; three different mitigation techniques escalated serially; focus on higher-value productivity while automatic controls intervene.
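As an added illustration of the wide-IP resolution described on slides 12 and 14 (not F5 code, and a deliberately simplified model of GTM behaviour), the following Python sketch resolves a wide-IP with a topology primary LBA, a global-availability secondary LBA, and a fallback IP. The pools, topology table and addresses are constructed sample data; `None` stands in for the NXDOMAIN answer.

```python
from copy import deepcopy
from ipaddress import ip_address, ip_network

# Constructed sample pools for one wide-IP, listed in priority order (first = 'production' site).
SAMPLE_POOLS = [
    {"name": "il-pool", "members": ["10.10.9.100"], "alive": True},
    {"name": "nj-pool", "members": ["10.10.9.210"], "alive": True},
]
# Constructed topology table: resolver (LDNS) subnet -> pool in the nearest data center.
TOPOLOGY = [(ip_network("10.10.2.0/24"), "il-pool"), (ip_network("10.10.3.0/24"), "nj-pool")]


def alive(pools):
    """Pools whose health monitors still report at least one live member."""
    return [p for p in pools if p["alive"] and p["members"]]


def lba_topology(resolver_ip, pools):
    """Primary LBA: answer from the pool the topology table maps the querying LDNS to."""
    by_name = {p["name"]: p for p in alive(pools)}
    for net, pool_name in TOPOLOGY:
        if ip_address(resolver_ip) in net and pool_name in by_name:
            return by_name[pool_name]["members"][0]
    return None  # no usable topology match: the primary LBA is 'invalid' for this query


def lba_global_availability(resolver_ip, pools):
    """Secondary LBA: always the first listed live pool (production, else DR/standby)."""
    live = alive(pools)
    return live[0]["members"][0] if live else None


def resolve(resolver_ip, pools, fallback_ip=None):
    """Primary LBA, then secondary, then the fallback IP. None models the NXDOMAIN answer
    a GTM gives when every pool member is down and no fallback is configured."""
    for lba in (lba_topology, lba_global_availability):
        answer = lba(resolver_ip, pools)
        if answer:
            return answer
    return fallback_ip


def with_pool_down(pools, name):
    """Copy of the pool list with one pool marked down, as a failed health monitor would."""
    copy = deepcopy(pools)
    for p in copy:
        if p["name"] == name:
            p["alive"] = False
    return copy
```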
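As an added illustration of the three-step approach on slide 23 (not F5's implementation, and a simplified model of latency-based detection), this Python sketch learns a latency baseline from a quiet period, flags one-second windows whose mean latency exceeds that baseline, and names only the clients that dominate those windows, so legitimate clients caught in the slowdown are not dropped. The log lines and thresholds are constructed.

```python
from collections import Counter
from statistics import mean

# Constructed access log: "<second> <client_ip> <latency_ms>", one line per request.
# Seconds 0-1 are quiet; from second 2 one client floods and latency rises for everyone.
SAMPLE_LOG = """\
0 10.10.2.5 120
0 10.10.3.9 110
1 10.10.2.5 130
1 10.10.3.9 115
2 198.51.100.7 900
2 198.51.100.7 950
2 198.51.100.7 1020
2 10.10.2.5 880
3 198.51.100.7 1100
3 198.51.100.7 1150
3 10.10.3.9 990
"""


def parse(log):
    """Turn the constructed log into (second, client_ip, latency_ms) tuples."""
    rows = []
    for line in log.splitlines():
        sec, ip, ms = line.split()
        rows.append((int(sec), ip, int(ms)))
    return rows


def latency_by_second(rows):
    """Mean latency per one-second window."""
    windows = {}
    for sec, _, ms in rows:
        windows.setdefault(sec, []).append(ms)
    return {sec: mean(v) for sec, v in windows.items()}


def detect(rows, learn_seconds=2, ratio=3.0, share=0.5):
    """Step 1: baseline = mean latency during the learning period; a window is a DoS
    condition when its mean exceeds baseline * ratio. Step 2: within those windows, a
    client sending more than `share` of the requests is a suspect. Step 3 (the caller's
    job): rate-limit or drop only the returned suspects, not every slow-looking client."""
    baseline = mean(ms for sec, _, ms in rows if sec < learn_seconds)
    per_sec = latency_by_second(rows)
    dos_seconds = sorted(s for s, ms in per_sec.items() if s >= learn_seconds and ms > baseline * ratio)
    suspects = set()
    for s in dos_seconds:
        counts = Counter(ip for sec, ip, _ in rows if sec == s)
        total = sum(counts.values())
        suspects |= {ip for ip, n in counts.items() if n / total > share}
    return dos_seconds, sorted(suspects)
```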