Application Centric Datacenter Management - DFN · 2014-06-06
TRANSCRIPT
Application Centric Datacenter Management
Ralf Brünig, F5 Networks GmbH
Field Systems Engineer
March 2014
© F5 Networks, Inc 2
Index
• Application Delivery Controller (ADC)
• Proxy
• ADC Advanced Features
• Application Management
• Optional: Reference Architectures
Network Loadbalancer
[Diagram: Clients - Internet - Loadbalancer - Server, Server, Server]
Spread load over several Servers
• Static or dynamic Loadbalancing Algorithm
• Session Persistence per Server
Network Loadbalancer
[Diagram: Clients - Internet - Loadbalancer - Servers; one Server in Maintenance Mode, one Marked Down by Monitor]
Maintenance
• Set server into Maintenance Mode
• Existing Sessions can be allowed to finish or moved to a different Server
Availability
• Monitoring of Server Pool
• Take unavailable Servers out of the loadbalancing
Application Delivery Controller (ADC): TCP/UDP full Proxy
• Performance:
  • Perfect adaptation to the server-side and client-side TCP stacks
  • Separate optimisation to channel needs (WAN/LAN optimisation)
• Security:
  • Malformed TCP/UDP packets are dropped
  • SYN flooding protection
[Diagram: Clients - WAN OPTIMISED - ADC - LAN OPTIMISED - Servers]
Application Delivery Controller (ADC): Offloading
• An ADC can offload tasks from the Application Server
  • Reduce Number of Servers
  • Reduce Power consumption
  • Centralize SSL key management
[Diagram: ADC with SSL Offload, Fast Cache, Compression, OneConnect and Logging in front of the Servers]
Application Delivery Controller (ADC): Traffic Steering and Header Enrichment
• Traffic steering based on:
  • Header information
  • URI
  • Hostname
  • Etc.
• Header Enrichment
  • SSL On
  • Client Certificate Information
  • X-Forwarded-For
  • User Name
  • Etc.
[Diagram: ADC steering requests to several Server Pools]
Application Delivery Controller (ADC): HTTP 1.1
ADC L7 Message Handling: 1 TCP Connection, Single Stream, Request Pipelining
[Diagram: Clients - Internet - ADC (Single TCP Connection) - Web Server (index.html), Image Server (logo.jpg), Video Server]
Application Delivery Controller (ADC): HTTP 2.0/SPDY
ADC L7 Message Handling: 1 TCP Connection, Parallel Streams, Request Pipelining
[Diagram: Clients - Internet - ADC (Single TCP Connection) - Web Server (index.html), Image Server (logo.jpg), Video Server (007.mov)]
Application Delivery Controller (ADC): HTTP 2.0/SPDY – Packet Encoding
ADC L7 Message Handling: 1 TCP Connection, Parallel Streams, Request Pipelining
[Diagram: as on the previous slide, with the Response Packets shown on the Single TCP Connection]
TCP packets contain interlaced fragments from parallel streams – for performance!
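The interleaving this slide describes, as an added example that is not part of the deck: a small Python HTTP/2 frame demultiplexer (assumed names build_frame, iter_frames, demux) that reads DATA frames from one constructed byte stream, reassembles each response body by stream ID, honours the END_STREAM and PADDED flags, and stops cleanly when a TCP segment ends in the middle of a frame.

```python
import struct

# HTTP/2 (RFC 7540) DATA frame type and the two flags handled here
DATA_FRAME, END_STREAM, PADDED = 0x0, 0x1, 0x8

def build_frame(stream_id, payload, flags=0, ftype=DATA_FRAME):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    if not 0 <= stream_id < (1 << 31) or len(payload) >= (1 << 24):
        raise ValueError("stream id or payload length out of range")
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags]) + struct.pack(">I", stream_id)
    return header + payload

def iter_frames(data):
    """Yield (stream_id, type, flags, payload) for every complete frame; stop at a truncated tail."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF  # drop reserved bit
        end = pos + 9 + length
        if end > len(data):
            break  # the TCP segment ended mid-frame; the remainder arrives in a later packet
        yield stream_id, ftype, flags, data[pos + 9:end]
        pos = end

def demux(data):
    """Reassemble DATA frames per stream. Returns {stream_id: (body, finished)}."""
    bodies, finished = {}, set()
    for sid, ftype, flags, payload in iter_frames(data):
        if ftype != DATA_FRAME or sid == 0:
            continue  # only DATA frames carry bodies; stream 0 is connection-level only
        if flags & PADDED:  # first payload byte is the pad length; padding trails the data
            pad = payload[0]
            if pad >= len(payload):
                raise ValueError("pad length exceeds frame payload (PROTOCOL_ERROR)")
            payload = payload[1:len(payload) - pad]
        bodies[sid] = bodies.get(sid, b"") + payload
        if flags & END_STREAM:
            finished.add(sid)
    return {sid: (body, sid in finished) for sid, body in bodies.items()}

# Constructed sample: fragments of three responses (index.html, logo.jpg, 007.mov) interleaved on one connection
WIRE = (build_frame(1, b"<html>index") + build_frame(3, b"\x89PNG logo") + build_frame(5, b"moov 007")
        + build_frame(1, b"</html>", END_STREAM)
        + build_frame(3, b"\x02 bytes\x00\x00", END_STREAM | PADDED)  # pad length 2, trailing padding
        + build_frame(5, b" frames"))  # stream 5 still open: no END_STREAM yet
```

Feeding WIRE[:-3] to demux shows the truncation case: five frames decode and stream 5 is returned partially assembled until the rest of the segment arrives.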
Two Use Cases
Inbound (www Hosting: Internet Datacenter with servers)
Characteristics
• Inbound
• SSL Offload and Acceleration
• Provide visibility for traffic management
• Internet-facing
• Front-end to control and protect access to a server
Deployment Models
• SSL Offload
• SSL Transformation
• Proxy SSL (Split)
Outbound (Corporate users)
Characteristics
• Outbound
• Control user activity
• Sanitize traffic
• Takes requests from an internal network and forwards them to the Internet or Cloud App
Deployment Model
• SSL Forward Proxy
Full Intelligence Requires a Full Proxy
Intelligent Full Proxy Benefits
• App “point of delivery & definition”
• App Intelligence - layer 3-7 visibility
• Distinct client / server control
• Unified services / context
• Interoperability and gateway functions
IT = Complete Control; Business = Reduced Delivery Costs
[Diagram: separate client-side and server-side stacks (Physical, Network, Session, Application, Client/Server) with the Web Application on either side of the full proxy]
Inbound Secure Application Delivery: Deployment Models
[Diagram: SSL Offload (HTTPS to HTTP, Performance L3-L7); SSL Transformation (HTTPS to HTTPS, ECC 4K Key on the Public side, RSA 2K Key on the Private side, SPDY to HTTP); Proxy SSL (Split / Reverse) with Client Cert and Server Cert]
SSL Forward Proxy: Outbound Use Case
• Control all aspects of application traffic, even if encrypted
• Gain greater business value through integrated services
• Transparent to the end user experience
What’s New
SSL Forward Proxy provides the ability to centralize SSL traffic monitoring and management through an SSL forward proxy.
Visibility to all SSL traffic with Proxy SSL or SSL Forward Proxy, providing complete control for both ingress and egress traffic. Transparent to the end user experience.
[Diagram: Visibility and Control for Outbound Encrypted Traffic - Enterprise Network with Internal Clients; Client Cert / Server Cert on each leg of the proxy; Internet, Cloud Services, www Hosting]
Secure Application Delivery Services: ICAP Services
ICAP Services provide value-added services such as video and image optimization, virus scanning, and content filtering. Response and Request ADAPT profiles steer traffic to the Internal Virtual Server, which encapsulates the traffic in ICAP so that it can be modified (or not) by ICAP servers.
• Steer HTTP/S traffic to an ICAP service for content adaptation
• Modify on HTTP/S Request and/or Response
• Stream connection as match exists
• iRules supported for added flexibility
[Diagram: Clients - HTTP/S Request / HTTP/S Response - Content Adaptation over ICAP - Servers; ICAP services: Virus Scanning, Video Localization, Ad Insertion, IDS / DLP, Other; ICAP Services combined with SSL Forward Proxy]
Enable Simplified Application Access with BIG-IP Access Policy Manager (APM)
BIG-IP Local Traffic Manager + Access Policy Manager
[Diagram: Users - BIG-IP LTM + APM - Directory; SharePoint, OWA, Cloud, Web servers, App 1 … App n (App/OS), Hosted virtual desktop]
Web Application Firewall
• Maintain security at application, protocol, and network levels
• Launch secure applications protected from vulnerabilities
Enforcement: a request is made, the BIG-IP ASM security policy is checked and applied, the vulnerable application's server response is inspected, and a secure response is delivered.
Protecting the Data Center
[Diagram: Before F5 versus With F5 - LoadBalancer, Network DDoS, LoadBalancer and SSL, Application DDoS, DNS Security, Firewall, Web Application Firewall, Web Access Management]
WAN Acceleration (AAM BASE / AAM FULL)
• Protocol: HTTP, MAPI, CIFS, HLS
• SPDY
• Dynamic caching
• HTTP compression
• Deduplication
• Symmetric Adaptive Compression
• TCP Optimization: Congestion control, Buffers, Window size
• Forward Error Correction
• Bandwidth Allocation
• SSL Encryption, IPSEC Encryption
Global Service Load Balancing (GSLB)
• Manages traffic between data centers
• Enables dynamic application migration
• Optimizes performance
• Increases availability
[Diagram: BIG-IP Global Traffic Manager between the London Data Center and the New York Data Center]
DNS Load Balancing
[Diagram: Internet - External Firewall with DNS DDoS Protection - DMZ with an Array of DNS Servers - Internal Firewall - Hidden Master DNS]
Conventional DNS Thinking (Datacenter: Master DNS Infrastructure behind the Internet)
• Adding performance = DNS boxes
• Weak DoS/DDoS Protection
• Firewall is THE bottleneck
F5 DNS Delivery Reimagined
• Massive performance over 10M RPS!
• Best DoS / DDoS Protection
• Simplified management (partner)
• Less CAPEX and OPEX
Paradigm Shift: DNS Firewall, DNS DDoS Protection, Protocol Validation, Authoritative DNS, Caching Resolver, Transparent Caching, High Performance DNSSEC, DNSSEC Validation, Intelligent GSLB
Secure DNS Query Response
Simple DNSSEC:
• Protection from cache poisoning and reduced management costs
• Ensure trusted DNS queries with dynamically signed responses
• Implement BIG-IP GTM in front of existing DNS servers
[Diagram: LDNS queries example.com; BIG-IP GTM in the DMZ answers 123.123.123.123 + Public Key (signed response) in front of the Data Center DNS Servers and Apps]
Filter and Control Site Access
• Filter outbound DNS queries
• Prevent access to malware sites
• Eliminate web proxies for DNS
• Improve site performance and scalability
[Diagram: Data Center - F5 DNS iRules: Blacklist - Internet - Internet Site]
BIG-IP V10: Managing Objects & Services
BIG-IP V11: Managing Application Services
F5 iApps: Managing application services … not network devices or objects.
F5 iApp: How it works
• iApp templates allow for business policy-driven configuration and IT collaboration
• iApp drives automation and provisioning
• Changes can quickly be made and re-applied
• iApps are portable between F5 devices enabling rapid migration
• Every service is reusable
Completing the SDN Stack
[Diagram: Software-Defined Data Center - Application Plane; Control Plane with BIG-IQ (Open REST APIs, Layer 4-7: BIG-IQ Security™, BIG-IQ Cloud™, BIG-IQ Device™) and SDN Controller (Layer 2-3), each with an NBI; Data Plane with NVGRE, VXLAN, etc., Virtual Networks and Service Chaining]
Cisco Application Centric Infrastructure: Network Fabric for the F5 Application Fabric
Policy Controlled Network Fabric (L2 – L4 Stateless)
• Automated Isolation Provisioning
• Granular L2-L4 Path Decisions
• Dynamic QoS and SLAs
Policy Controlled Application Fabric (L4 – L7 Stateful)
• Automated Device Onboarding
• Automatic Network Fabric Provisioning
• L4 – L7 Policy Defined in Service Chains
• Device and Service Level Health Checks
BIG-IQ – Abstraction Layer
[Diagram: Admin and Tenant Admin on the Mgmt Plane using the iApps Catalog; on the Data Plane the Applications (HR Portal, Team Portal, Spare Part Portal) are deployed as iApps with per-application limits (1Gbit, 10Mbit, 1Mbit) and served to Users]
BIG-IQ and BIG-IP Solution Diagram for Cloud Architectures
[Diagram: Private or Public Cloud (Amazon Web Services) with Cloud Orchestrators, a Provider Portal and a Tenant Portal; Data Centers with BIG-IP Platforms for Tenant 1, Tenant 2 and Tenant 3 & 4, each hosting Apps; iApp Lifecycle Management and Cloud Connectors]
DDoS protection reference architecture
[Diagram: Legitimate Users, Corporate Users and DDoS Attackers (Botnet Attackers, Scanners, Anonymous Proxies, Anonymous Requests) reach the data center via ISP a/b and a Cloud Scrubbing Service with Threat Feed Intelligence; Tier 1 (Network and DNS, Multiple ISP strategy) and Tier 2 (Application, IPS, Next-Generation Firewall, Threat Feed Intelligence) as Strategic Points of Control in front of Financial Services, E-Commerce and Subscriber applications]
Attack categories shown: Network attacks (ICMP flood, UDP flood, SYN flood); DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning); SSL attacks (SSL renegotiation, SSL flood); HTTP attacks (Slowloris, slow POST, recursive POST/GET)
Intelligent and Scalable DNS Services
Optimized DNS
• Easy integration into existing DNS infrastructure for high availability and security
• Support over 10 million DNS responses per second (RPS)
• Manageable and predictable data center utilization
[Diagram: Tier 1: DMZ (Offload to the edge; DNS DDoS protection, DNSSEC, IP geolocation, IP Intelligence, context based on geographical location; TCP/UDP Port 53, Primary DNS behind it) and Tier 2: Application Delivery (Application health, Application Threat Intelligence; TCP Port 80/443) as Strategic Points of Control; Legitimate Visitors and LDNS on the Internet send Legitimate Queries, Malicious Attackers and Web Bot Attackers send DNS Attacks]
F5 Cloud Federation architecture
[Diagram: Users, Corporate Users and Attackers reach the On-Premises Infrastructure (Corporate Applications, Directory Services) through Access Management as the Strategic Point of Control; SAML identity federation and identity management to SaaS Providers (Office 365, Google Apps, Salesforce); real-time access control, access policy enforcement and multi-factor authentication]
F5 Cloud Migration architecture
[Diagram: On-Premises Infrastructure with Line of Business Applications, Administrators, DNS, Business Unit Application Managers and a Cloud Administrator; Cloud Hosting Provider with BIG-IP VE deployment and Cloud Management; Users and Beta Users reach the Application; services: Global load balancing, Infrastructure monitoring, Advanced reporting, Load balancing, Custom business logic, Application health, SSL management, Automated Application Delivery Network, Health/performance monitoring; Strategic Point of Control]