Dynamic Data Center Revolution
BIG-IP v11.2
Presenter
F5’s Vision: Dynamic Application Services
• Separate: Test and Development
• Consolidate: Server Consolidation
• Aggregate: Capacity On Demand
• Automate: Self-Managing Datacenters
• Liberate: Enterprise Computing Clouds, On and Off Premise
Diagram labels: Private, Public
A Reusable and Extensible IT Services Platform from Enterprise to Cloud
© F5 Networks, Inc.
Strategic Points of Control – A Smarter Approach
The Application Delivery Network
Acceleration: Application Delivery Optimization
Introduce 1st integrated SPDY Gateway and new Front End Optimizations to solve the
mobile performance challenges
Security: Global Delivery Intelligence
Introduce new subscription service ecosystem that consolidates all the intelligence
available in the cloud at the ADC to make better decisions
Traffic Management: Dynamic DNS Infrastructure
Best-in-class DNS infrastructure solutions that allow organizations to reduce costs, keep
their applications up, and improve the performance and security of their critical DNS
infrastructure.
The Shift To The Intelligent Network
• Business Analytics: We want to leverage the business data
• Evolving Threats: We need to approach security different
• Personalized Experience: Users expect a better experience
Context leverages information about the
end user to improve the interaction
• Who: Who is the user?
• What: What devices are requesting access?
• When: When are they allowed to access?
• Where: Where are they coming from?
• How: How did they navigate to the page/site?
Application Delivery Optimization
Impact of Slow Performance
500 millisecond delay caused
20% traffic decrease.
100 millisecond delay
caused 1% drop in revenue.
400 millisecond delay caused a
5-9% decrease in traffic.
Application Delivery / The Evolution
Many apps via various browsers delivered to countless devices, each running a different O/S
Diagram labels: End User, Network / App Owner; FRONT END, DELIVERY, GENERATION; User Experience, Server / Network Demands
Application Delivery / Today
Companies are spending upwards of $100,000 per application just to “tune” delivery.
Tuning costs will continue to increase with expansion of apps, devices and browsers.
Business Risks:
• Losing customers
• Losing revenue
• Employee Productivity
ADO is an End-to-End Problem
Customers expect the business to be as good as their consumer experience.
IT departments have the 1000s of apps and lack the visibility and control.
Diagram labels: Protocols efficiency, Video, BYOD, SaaS, Mobile Networks, App Bloat, App Chattiness, Bandwidth, Server Capacity, Browser Choice, Virtualization, Latency, Cloud
Application Delivery Optimization / Rethinking Fast
With F5 you can optimize your end user experience without driving up IT infrastructure costs.
F5 Optimization Solution
Diagram labels: FAST, SECURE, AVAILABLE, TMOS
F5 Optimization Solution
Diagram labels: ENTERPRISE CDN, EDGE, CACHING, CONTROL, SECURE, MAINTAIN; FAST, APPLICATION OFFLOAD, MOBILE OPTIMIZATION, FRONT-END OPTIMIZATION, NETWORK OPTIMIZATION, SERVER OFFLOAD; TMOS, iRULES, ANALYTICS, iAPPS
Next Generation Protocol: SPDY
• SPDY is a new application-layer protocol developed by Google
• Overcomes inherent inefficiencies with HTTP
• Improved performance (~ 20-50%). Good for limited bandwidth mobile networks.
• Chrome, Firefox, Amazon Silk browser support (50% market share) and Android 3.0+ devices
Protocol stack (diagram): Application: HTTP, SPDY; SSL; Transport: TCP
For more information about SPDY, visit www.chromium.org/spdy/spdy-whitepaper.
Supported clients (diagram): Amazon Silk, Android 3.0+, Chrome, Firefox v11+
App Infrastructure
• Problems:
• Web apps on Apache infrastructure would need to be updated to take
advantage of SPDY
• Non-Apache based apps can’t be accelerated (Oracle, MS, IBM…)
Diagram labels: USERS, INTERNET, SPDY, HTTP
Future-proof Your Web Applications
• Solution: Legacy web apps get benefits of SPDY
• Reduce complexity and cost of upgrading
• Support new devices without re-architecture
• Scale existing legacy app infrastructure
Diagram labels: USERS, INTERNET, BIG-IP SPDY GATEWAY, DATACENTER, SPDY, HTTP
Mobile and Remote Acceleration
Image Optimization
• Reduce file size of image by 20-40%
• Reduce quality, remove extraneous metadata, convert format (GIF -> PNG)
• Maintain privacy
Before: All Headers—135 KB; QUALITY: 90; SIZE: 102
Metadata fields before: Location, Copyright, ISO, Shutter Speed, Exposure Bias, Max Aperture, Focal Plane X Resolution, Focal Plane Y Resolution, Focal Plane Resolution Unit, Custom Rendered, Exposure Mode, Scene Capture Type, Label, Firmware, Flash Compensation, Image Number, Lens, Lens ID, Serial Number, Software, Files size, Dimensions, Camera make, Camera model, Camera Date, Digitized Date, Modified Date, File Date, Flash, Focal Length, Focal Length in 35mm film, CCD Width, Aperture, F Number, White balance, Metering Mode, Exposure Program, Thumbnail, JPEG Quality, Tags, Unique ID, X Resolution, Y Resolution, Flash Function Not Present, Flash Mode, Supports Red-Eye Reduction, Flash Return
After: All Headers—102 KB; QUALITY: 70; SIZE: 50
Metadata fields after: Location, File Date, File Size, JPEG Quality, Dimensions, Unique ID
SOURCE: HTTP Archive (http://www.httparchive.org)
F5 Streamlines Image Intensive
Websites
On average 40%
Site (Homepage)    Original image size (total image bytes)    Average image size (total image bytes)    Image Opt Reduction %
                   788647                                      16780                                      30.47%
                   58919                                       3682                                       46.77%
                   299486                                      6511                                       43.53%
                   494832                                      10081                                      49.96%
                   1959236                                     14731                                      24.24%
Mobile and Remote Acceleration
Front-End Optimization: Content Re-Ordering is faster (improves start to display time)
• Actual overall page load time does not change
• Move CSS style sheets to the top of the HTML
• Move JavaScript to the bottom of the HTML
Figure: original vs. re-ordered page rendering
Real-Time End-User Performance SLAs
From Enterprise to Cloud
Instrumentation of App Performance without adding agents, code or servers
• Server Latency
• Page Load Time
• Response Codes
• URLs
• Client IPs
• Client Geographic
• User Agent
… and much more
Diagram labels: Clients, Applications, Custom, Private, Public, DATACENTER, CLOUD
Global Application Performance Visibility
Centralized Analytics and Reporting
F5: Application Management, Scale, Optimization
App Delivery Optimization lowers costs and delivers faster applications
• App and Infrastructure Offload: F5 delivers first integrated SPDY Gateway for emerging web protocol, enabling faster apps and offloading costly infrastructure
• Mobile and Remote Acceleration: F5 provides advanced optimization capabilities for BIG-IP, the world's leading ADC, reducing the size of web images by up to 50%
• Application Performance Monitoring: F5 streamlines application performance monitoring across multiple datacenters without agents, code or servers
New Subscription Services
Global Delivery Intelligence
What’s Required To Build Context
Intelligence
• Capture
• Analyze
• Classify
Context
Delivery
• Events
• Analysis
• Action
Global Delivery Intelligence
An ecosystem of cloud-based services to make better network decisions.
Diagram labels: Locate IQ Intelligence, Trust IQ Intelligence, IP Intelligence, Subscription, Free, Location, Today, Service, Context, Fast, Available, Secure
Global Delivery Intelligence
An ecosystem of cloud-based services to make better network decisions.
Diagram labels: Locate IQ Intelligence, Site IQ Intelligence, xxx IQ Intelligence, Trust IQ Intelligence, IP Intelligence, Subscription, Free, Location, Today, Service, Roadmap, Context, Fast, Available, Secure
IP Intelligence: Defend Against Malicious
Activity and Web Attacks
Enhance automated application delivery decisions, adding better intelligence and stronger
security based on context.
• Layer of IP threat protection delivers context to identify and block IP threats using a dynamic data set of high-risk IP addresses.
• Visibility into threats from multiple sources leverages a global threat sensor network.
• Deliver intelligence in a simple way: reveals inbound and outbound communication.
• Real-time updates keep protection at peak performance, refreshing the database every five minutes.
Callouts: "We need to approach security different"; Evolving Threats
IP Intelligence
• Reputation: Deny access to infected IPs
• Scanners: Probes, scans, brute force
• Windows Exploits: Known distributed IPs
• Denial of Service: DoS, DDoS, Syn flood
• Web Attacks: IPs used for SQL Injection, CSRF
• Phishing Proxies: Phishing sites host
• BotNets: Infected IPs controlled by Bots
• Anonymous Proxies: Anon services, Tor
IP Intelligence Overview
Service Module: IP Intelligence
• Dynamic Threat IPs
• All BIG-IP appliances
• Near-real-time updates (up to 5min intervals)
• Dramatically reduces system loads
• Subscription-based service
IP Intelligence Highlights
• Developed from customer-driven demand
  • Ever-increasing volume of threats
  • Improves security stopping known bad traffic
  • Static and publicly available Black Lists are insufficient
• Compelling value
  • Better appliance efficiency reducing network traffic
  • Value-add layer of IP-based security
  • Faster threat response with near-real-time updates
• Provisioned across Multiple Threat Types
• Delivering Dynamic Updates in near real-time
IP Intelligence
How it works
• Fast IP update of malicious activity
• Global sensors capture IP behaviors
• Threat correlation reviews/ blocks/ releases
Key Threats: Web Attacks, Reputation, Windows Exploits, Botnets, Scanners, Network Attacks, DNS
Sensor Techniques: Semi-open Proxy Farms, Exploit Honeypots, Naïve User Simulation, Web App Honeypots, Third-party Sources
IP Intelligence Service: Threat Correlation; Dynamic Threat IPs every 5min.
Diagram labels: Internet, IP Intelligence, BIG-IP System
IP Intelligence Use Cases for BIG-IP
Use Case: Malicious Inbound Connection Attempts
  Threat Prevention Scenarios:
  • Rejecting inbound connection attempts from known Threat IPs
  • Automatically update real-time feeds
  Benefits:
  • Improve security and performance
  • Enhance perimeter security
  • Mitigate DoS attacks
  • Increase device throughput
Use Case: Malicious Outbound Communications
  Threat Prevention Scenarios:
  • Block outbound communications from infected endpoints (i.e., zombies) to botnet networks
  Benefits:
  • Reduce security risk
  • Prevent frauds
  • Prevent information leakage
Use Case: Packet Parsing Reduction
  Threat Prevention Scenarios:
  • Reduce processing time (e.g., form input parsing and validation overhead) by blocking sites from known Threat IPs
  Benefits:
  • Increase performance and scalability of protected applications
Use Case: Anonymization Prevention
  Threat Prevention Scenarios:
  • Block inbound connections from anonymous proxies
  Benefits:
  • Increase security and performance of device
  • Prevent frauds
Use Case: Phishing Protection
  Threat Prevention Scenarios:
  • Protect high-value websites by preventing access of site objects by phishing sites, or by any non end-user source
  Benefits:
  • Increase availability and performance of protected servers/applications
  • Prevent frauds
Use Case: Botnets
  Threat Prevention Scenarios:
  • Block botnet C&C channels and infected zombie machine controlled by Bot master for DoS and other attacks
  Benefits:
  • Improve security and performance
  • Enhance perimeter security
  • Mitigate DoS attacks
  • Increase device throughput
IP Intelligence
Identify and allow or block IP addresses with malicious activity
Diagram labels: Botnet, Attacker, Anonymous requests, Anonymous Proxies, Scanners; IP Intelligence Service (IP address feed updates every 5 min); Geolocation database; BIG-IP System; Custom Application, Financial Application; Internally infected devices and servers
• Use IP intelligence to defend attacks
• Reduce operation and capital expenses
Dynamic DNS Infrastructure
Dynamic DNS Infrastructure
• Improve web performance and browsing
• Protect your site and reputation
• Direct customers to right data center and clouds
• Reduce data center costs
Driving Demand for DNS/HTTP
Increase DNS/HTTP due to query growth
Clients
• Last 5 years, volume of DNS queries 2x+* (.com/.net)
• Average daily query load of 57 billion in the first quarter of 2011*
• Future growth is expected to occur at an even faster pace*
Larger, More Complex Web = More DNS/HTTP
• Fundamental change in the way apps. are used
• Site requests spawn subsequent DNS requests slowing page loads
• Every image, add button, widget, link, etc. has a potential IP address lookup
Video by https://www.dnssec-tools.org/
Distributing Requests Across Clouds
Cloud-balancing with DNS and GSLB Services
Simple and Robust Cloud DNS Management:
• Ensure DNS queries routed efficiently to best DC or cloud
• Extend query management and caching to cloud deployments
• Increase productivity with fast app. responses
Complete DNS and HTTP Services and Protection
BIG-IP Global Traffic Manager
Diagram labels: DNS SERVICES, SCALABLE DNS, IP GEOLOCATION, SECURE DNS, DNSSEC; FAST, SECURE, AVAILABLE; HIGH PERFORMANCE DNS, DNS DDoS PROTECTION, DNS IPv6 to IPv4, COMPLETE DNS CONTROL, GLOBAL AVAILABILITY; BIG-IP GTM, TMOS, iRULES, iCONTROL, iAPPS
The Value of Complete DNS / Web Solution
Scalable 10x; 70%
Denial of Service Mitigation
Support client requests
Complete DNS control and consolidates IT
IPv6 to IPv4
Route based on geolocation
Secure DNS Query Responses
Diagram labels: Access Denied, http://f5.com
Dynamic Site Response and App. Delivery
DNS Caching and Resolving in BIG-IP GTM.
DNS response time:
300ms = Mobile
100ms = PCs
400ms = blink of an eye
Diagram labels: Internal Clients, BIG-IP Global Traffic Manager, Data Center, Cloud (Private, Public), 100ms, 15ms
• Faster Web browsing from reduced DNS latency
– 80% reduction in DNS latency delivering faster web
• Reduced DNS infrastructure costs
– 80% reduction of outbound DNS queries
Slow Response on DNSSEC validation
• Validating secure site responses requires lots of steps,
which slows response times
• For example: http://isc.org (15 steps!!)
1. A record for www.isc.org, is signed by
2. RRSIG record covering www.isc.org/A, is verified by
3. (ZSK) DNSKEY record for isc.org, is signed by
4. RRSIG record covering isc.org/DNSKEY, is verified by
5. (KSK) DNSKEY record for isc.org, is verified by
6. DS record for isc.org, is signed by
7. RRSIG record covering isc.org/DS, is verified by
8. (ZSK) DNSKEY record for org, is signed by
9. RRSIG record covering org/DNSKEY, is verified by
10. (KSK) DNSKEY record for org, is verified by
11. DS record for org, is signed by
12. RRSIG record covering org/DS, is verified by
13. (ZSK) DNSKEY record for ., is signed by
14. RRSIG record covering ./DNSKEY, is verified by
15. (KSK) DNSKEY record for .
Example provided by infoblox.com
Complete DNS Security
High performance DNSSEC validations
• Rapid validation of DNSSEC responses
• Offload DNSSEC computations
• Consolidate DNS Infrastructure
Diagram labels: Internal Clients, BIG-IP Global Traffic Manager, Data Center, http://f5.com
Dynamic DNS Infrastructure for Rapid Growth
with BIG-IP Global Traffic Manager (GTM)
• Robust, Flexible and Secure DNS Infrastructure
• Easily mitigate DNS DDoS Attacks
• Support hybrid IP Environments
• Complete DNS Security
• Scale and manage DNS and apps globally
Fast Vuln. Assessment and App. Security
Unknown Vulnerabilities in Web Apps
• Unable to find or mitigate vulnerabilities
• Very expensive to fix by recoding
• Difficult to include scanner assessments
• Need assurance that app sec. is deployed properly
Web Application Vulnerabilities as a percentage of all disclosures in 2011 H1:
Web Applications: 37 percent
Others: 63 percent
Source: IBM X-Force Research and Development
Free App Scan Service to Mitigate Vulnerabilities
• Free application vulnerability scan:
  • Cenzic Cloud in ASM UI
  • 3 free scans
• Configure vulnerability policy in BIG-IP ASM
• Protection from web app attacks
Diagram labels: Clients, Attacker, Internet, Data Center, BIG-IP Application Security Manager, Web 2.0 Apps, Private, Cloud Apps, BIG-IP Application Security Manager Virtual Edition
Free Cenzic Cloud Scans with ASM
Find Vulnerabilities and Reduce Exposure
• 3 free application scans directly from ASM/VE UI
• Free scans are limited health check services
• No time limits once signed up
• No other vendors provide free scan in UI
Cenzic Cloud scans test for:
1. Cross-Site Scripting
2. Application Exception
3. SQL Injection
4. Open Redirect
5. Password Auto-Complete
6. Credit Card Disclosure
7. Non-SSL Password
8. Check HTTP Methods
9. Basic Auth over HTTP
10. Directory Browsing
Benefits of Cenzic Cloud and BIG-IP ASM
• Narrows window of exposure and reduces operational costs:
– Real-time assessments and virtual patching
– Operationalizes admin. and simplifies mitigation
• Assures app security, availability and compliance:
– Assurance no matter vulnerabilities or policies built
– OWASP protection, compliance, geo blocking
• Improves app performance:
– Availability improves cost effectiveness
• Deploys flexibly with increased agility:
– Deployment in virtual and cloud environments
• Easily integrates with SDLC practices:
– Ongoing website security program
© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS,
and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries