F5 – Application Delivery Without Limits
Profi AG end-customer webcast, 27.11.14
Dino Schmid
Major Channel Account Manager
© F5 Networks, Inc 2
What is IT all about?
1000: average number of applications in an enterprise
The most important thing in enterprise IT is the applications
Mobility
SDDC/Cloud
Advanced threats
Internet of Things
“Software defined” everything
HTTP is the new TCP
Deliver the most secure, fast, and reliable applications to anyone
anywhere at any time.
F5 MISSION
Application
Delivery
Network
Users
Data center, cloud, SaaS
F5 - market leader - Application Delivery Networking
SAP
Microsoft
Oracle
Home office
Office
On the road
F5 makes applications fast, highly available and secure,
everywhere and at any time
The Evolution of F5
1. Application Delivery Controller
2. Broadened Application Services
3. Cloud Ready
4. Software Defined Application Services
F5 provides the application services that are needed
F5 High Performance Services Fabric
VIPRION Platform
BIG-IP Platform
BIG-IP Virtual Edition
High Performance Fabric
TMOS
TMOS:
• Real time Micro-kernel based Operating System
• Developed in conjunction with our Hardware
• Provides unparalleled performance and functionality
• Consistency across all Platforms
• Full Proxy Architecture
Flexible Platform Deployment:
• BIG-IP Appliance available in a range of Sizes and Throughput
• VIPRION Scalable Chassis Solution
• BIG-IP Virtual Edition
High Performance Fabric:
• Device Services Clusters
• ScaleN
• Flexible Licensing
• vCMP
F5 Modules
VIPRION Platform
BIG-IP Platform
BIG-IP Virtual Edition
High Performance Fabric
TMOS
FAST AVAILABLE SECURE
LTM
GTM
AAM
ASM
APM
AFM
F5 Software Modules:
• Local Traffic Manager
• Global Traffic Manager
• Application Acceleration Manager
• Advanced Firewall Manager
• Application Security Manager
• Access Policy Manager
To Deliver required Application Services:
• Security
• Availability
• Mobility
• Performance
• Identity & Access
DATA CENTER ARCHITECTURES
Use case
• Consolidation of firewall, app security, traffic management
• Protection for data centers and application servers
• High scale for the most common inbound protocols
Before f5
with f5
Load Balancer
DNS Security
Network DDoS
Web Application Firewall
Web Access Management
Load Balancer & SSL
Application DDoS
Firewall
DATA CENTER CONSOLIDATION
Use case
• Consolidation of firewall, app security, traffic management
• Protection for data centers and application servers
• High scale for the most common inbound protocols
Before f5
with f5
Load Balancer
DNS Security
Network DDoS
Web Application Firewall
Web Access Management
Load Balancer & SSL
Application DDoS
Firewall
The added value of the F5 solution for customers
Keeps your applications available
Saves your company money (consolidation)
Optimizes your network infrastructure
Protects the reputation of your brand
Defends you against planned attacks (DDoS, hackers)
Helps you stay one step ahead (delivery of new applications & security)
The added value for the customer
• Cisco and F5 are partnering to
• Integrate F5 Synthesis into the Cisco Application Centric Infrastructure (ACI)
• Deliver automated L4-7 application service insertion, policy updates, and optimisation within the ACI-enabled fabric
• Cisco is leveraging F5’s Software Defined Application Services (SDAS) to
• Deliver application centric network and services orchestration
Cisco and F5 Partnership
“Cisco and F5 look forward to working to integrate our platforms and deliver simple, secure, scalable, and agile infrastructure that responds to the dynamic needs of the business.” – Soni Jiandani, SVP, Marketing, Cisco
F5 DEVICE PACKAGE FOR APIC
F5 and Cisco ACI Joint Solution Benefits
ACI Fabric
Programmability (iRule / iApp / iControl)
Data Plane Control Plane Management Plane
F5 Synthesis Fabric
Virtual Edition Appliance Chassis
• Automated layer 4-7 application service insertion, policy updates, and optimization within the ACI-enabled fabric with BIG-IP - preserves the richness of the F5 Synthesis offering through policy abstraction, offering investment protection
• Accelerated application deployments with reliability, security and consistent, scalable network and L4-L7 services - existing F5 physical and virtual appliances and topologies integrate seamlessly with Cisco ACI
• Application agility using a policy-driven application delivery approach to significantly reduce operating costs - provisioning workflows are efficient and faster while maintaining operational best practices across multiple IT teams
Cisco ACE:
• Cisco ACE systems have been discontinued. Customers who still have these systems in use need an alternative solution
Cisco ACI:
• Cisco #1 in DC infrastructure, F5 #1 in Application Delivery for L4-L7 – established and trusted team
• Identical Vision - F5 and Cisco sharing the same vision for application delivery with complementary solutions.
• Open & future proof - Cisco’s ACI is an innovative new approach to making the DC infrastructure dynamic and very open. F5’s programmability will enhance ACI capabilities to deliver even better SLAs.
• Consolidation of Services and hardware - smaller footprint
Why is this important for the customer?
Reference Architecture Intelligent DNS Scale
Solving Customer Issues
DNS – lost without it!
DNS IS OUR DIRECTORY FOR LIFE IN THE INTERNET
• Totally lost without it
Internet foundation? DNS
DNS DEMANDS
WHEN DNS BREAKS, EVERYTHING BREAKS
DOMAIN NAME SYSTEM (DNS)
Translates a domain name… http://www.google.com
into an IP address: 74.125.227.64 (IPv4)
http://www.f5.com = 2001:19b8:101:2::f5f5:1d (IPv6)
More people
Mobile devices/apps
Complex sites
Increased latency
Cloud implementations
IPv6 added to IPv4
DDoS attacks
DNS demand
Available and protected
AVERAGE DAILY LOAD FOR DNS (TLD) QUERIES IN BILLIONS
DNSSEC DEPLOYMENT EXPANDING
TYPICAL FOR A SINGLE WEB PAGE TO CONSUME 100+ DNS QUERIES FROM ACTIVE CONTENT, ADVERTISING, AND ANALYTICS
ATTACKS ON DNS BECOMING MORE COMMON; DNS SERVICES MUST BE ROBUST
GLOBAL MOBILE DATA (4G/LTE) IS DRIVING THE NEED FOR FAST, AVAILABLE DNS
DISTRIBUTED, AVAILABLE, HIGH-PERFORMANCE GSLB FOR MULTIPLE DATA CENTERS
[Chart: average daily load for DNS (TLD) queries in billions, ’08 to ’12]
18X Growth 2011-2016
4G LTE: 2.4GB/mo
Non-4G LTE: 86MB/mo
Reflection/amplification DDoS
Cache poisoning attacks
Drive for DNSSEC adoption
Total service availability
Geographically dispersed DCs
DNS capacity close to subscribers
Critical: DNS
5 SECONDS
74% are willing to wait 5 seconds or less for a single web page to load before leaving the site
Every 100ms delay costs Amazon.com 1% in sales
DNS has grown over 100% in the last 5 years (chart: 2007 vs. 2012)
As of October 2012, there were over 188 million active websites, a growth of 180% over the last 5 years (chart: 2007 vs. 2012)
Traditional DNS
LOAD-BALANCED DNS
• Scale DNS by adding more servers
• Individual servers are not high-performance, so scale with load balancing
• Place firewall in front of DNS infrastructure
ISSUES WITH THIS DEPLOYMENT?
• BIND DNS servers are patched frequently
• Patches are mostly for vulnerabilities
• Under load, firewalls become bottlenecks
Legitimate Clients
Malicious Actors
Local Load Balancing
Traditional
DNS Firewall
Load Balanced DNS Servers
Access Network
True DNS costs
HIGHER OPEX DUE TO MAINTENANCE
BIND by the numbers
• 340 updates since 2004
• 84 issued patches for vulnerabilities and bugs
• 9 patches a year for DNS
COMPANIES DEPLOY FIREWALLS TO PROTECT DNS
But traditional firewalls don’t process DNS, so a vulnerability can still be exploited on the DNS server
[Chart: BIND HISTORY. Number of updates issued per BIND version, 9.0 to 9.9. Series: total updates, including beta, release candidates; critical patches for vulnerabilities]
F5 DNS Authoritative Model
Traditional DNS Authoritative Topology
Total in year 1: $301,280
Total in year 2 onward: $1,280
Total in year 1: $373,688
Total in year 2 onward: $298,688
DNS deployments
Conventional DNS Thinking
F5 DNS Delivery Reimagined
Internet
External Firewall
DNS Load Balancing
Array of DNS Servers
Internal Firewall
Hidden Master DNS
Authoritative DNS
Caching Resolver
Transparent Caching
DNS Firewall
DNS DDoS Protection
Protocol Validation
High Performance DNSSEC
DNSSEC Validation
Intelligent GSLB
DMZ Datacenter
F5 PARADIGM SHIFT
Internet
Master DNS Infrastructure
• Performance = Add DNS boxes
• Weak DoS/DDoS protection
• Firewall is THE bottleneck
• Massive performance over 10M RPS!
• Best DoS/DDoS protection
• Lower CapEx and OpEx
BIG-IP Global Traffic Manager
Benefits of BIG-IP integration
• Simply and efficiently manage complex networks using one ADC solution
• Route users to available apps and data centers based on business logic
• Constantly monitor health between devices with iQuery
• Use the same geolocation data to reference for all BIG-IP devices
GTM
GOOD BETTER BEST
BIG-IP Global Traffic Manager
BIG-IP Local Traffic Manager
Simplified Business Models
Authoritative DNS + DNS Security
Tier 1: DMZ
Legitimate Visitors
Malicious Attackers
Context based on geographical location
LDNS
Internet
BIG-IP Platform
Absorb and mitigate DNS attacks
Primary DNS Server + Application Availability and Health
Tier 2: Application Delivery
Intelligent delivery based on business logic
BIG-IP Platform
GTM
LTM
Same centralized management solution
Same purpose-built hardware and software designed for performance
Same iControl for extending management control
[Diagram labels: DNS Query / Answer]
Efficient DNS
DNS Express
• Delivers high-speed response and DDoS protection with in-memory DNS
• Provides authoritative DNS serving out of RAM
• Supports configuration size for tens of millions of records
• Scale and consolidate DNS servers
Clients
Internet
DNS Express in BIG-IP GTM
DNS Server
OS
Admin
Auth Roles
NIC
Dynamic DNS
DHCP
Manage DNS Records
Powerful DNS
• Your revenue and your brand are protected
• Use the same IP address for multiple devices
• Geographically separate the DNS request load for all requests
• Scale DNS infrastructure up and out per number of BIG-IP devices
The DNS value
Scalable up to 20x
[Chart phases: Low Query, Query Growth, Query Spike, Query Decline]
MaxDNS
Complete DNS control
Access Denied:
Denial-of-service mitigation
The DNS value
Support client requests and consolidate IT
IPv6 to IPv4
Secure DNS query responses
http://f5.com
Route based on geolocation