How To Make A Cloud Bursting System Work For A Business


Nigel Ashworth

Solution Architect EMEA

Where will your application be in the future, in the cloud, on

© F5 Networks, Inc

Impact on Data Center Architecture: Applications

MICRO-ARCHITECTURES

Each service is isolated and requires its own:

• Load balancing

• Authentication / authorization

• Security

• Layer 7 Services

• May be API-based, expanding services required

API DOMINANCE

Proxies are used in emerging API-centric architectures for:

• API versioning

• Client-based steering

• API Load balancing

• Metering & billing

• API key management

More applications needing services; more intelligence needed in services.


It’s Now a Complex Matrix

More delivery models (figure labels: SaaS, Cloud)


Deliver the most secure, fast,


Application Environment

• Agile Development: rapid deployment, network and operations velocity

• Cloud and DevOps: cloud SLA and control, private network agility, accelerate time to market

• SDN and Private Cloud: software defined data centers

Speed, customer-driven, and quality of app development

Failed to Address:

Software Defined Application Services Elements

• High-Performance Services Fabric: Network [Physical • Overlay • SDN]; Virtual Edition, Appliance, Chassis; Data Plane Programmability

• Application Services

• Simplified

Software Defined Application Services

Software Defined Application Services (SDAS) are a rich set of services that address the delivery challenges faced by businesses today. Built and deployed atop extensible F5 platforms, SDAS are all application and context-aware, highly scalable, and programmatic.

Provisioned and managed within the F5 Synthesis architecture through BIG-IQ, SDAS provides

Application Services Portfolio (figure): SSL Inspection, LTE Roaming, Authoritative DNS, Cloud Federation, Cloud Bridging, Acceleration, Mobile Optimization, Mobile App Management, SDN, VDI, Diameter & Routing, Policy Enforcement, Caching, Optimization, SPDY Gateway, CGNAT, Disaster Recovery, Business Continuity, Endpoint Inspection, DNSSEC, App Delivery Firewall, Anti-Fraud, DDoS, Single Sign-On, Access Control, SAML Federation, SSL VPN, Application Optimization, Traffic Shaping and QoS, Global Load Balancing, MDM, Mobile Acceleration, Anti-Phishing, Anti-Malware, VAS Bursting, Enrichment, DNS Firewall, Quota Management, Traffic Control, Application Service Chaining, Subscriber Traffic Control, Firewall, Compression, Web Performance Optimization, SSL Intelligence, NFV, VoLTE, Web Access Management, ActiveSync Proxy, Programmability, Traffic Management, Secure Web Gateway, Intelligent EPC node selection, Cloud Bursting, DNS Caching & Resolving, Web App Firewall, Global Server Load Balancing.

Simplified Business Models: Perpetual, Subscriptions, Bundles, BYOL, Cloud Licensing Program

Synthesis

Offering BIG-IQ for the deployment of application services, cloud orchestration, one-push-button provisioning and all necessary API management.

Providing capacity- and volume-based licensing, software modules of application services.

To provide the most scalable, high-density, high-performance fabric in the industry to leave no application behind.

Centralized Management Platform (diagram): BIG-IP in the Data Center, Public Cloud and Hybrid Cloud.

Agility and Integration

Automation

Reported benefits of automation to the IT process: cost savings, time savings, improved SLA delivery to the business (figure values: 80%, 62%, 54%).

Source: Redwood Software survey, October 2012

It is about applications

Different Approaches

Composed of two or more interoperable clouds, enabling data and application portability

Accessible over the Internet for general consumption

Provisioning and Deployment Timelines

Slow time-to-production

Increasing rate of IT requests

Repetitive tasks for IT


Provisioning and Deployment Timelines

Time-to-production for all the


Cloud Migration Architecture (diagram)

On-Premises Infrastructure: Line of Business Applications; Administrators; DNS; Application; Cloud Management; Global load balancing; Infrastructure monitoring; Advanced reporting; Load balancing; Custom business logic; Application health; SSL management; Automated Application Delivery Network; Health/performance monitoring; vADC deployment.

Roles shown: Business Unit Application Manager, Cloud Administrator, User, Beta User.

Cloud Bursting Architecture (diagram)

On-Premises Infrastructure (Finite Resources): Global load balancing; Infrastructure monitoring; Advanced reporting; Load balancing; Custom business logic; Object caching; SSL management; Automated Application Delivery Network; Health/performance monitoring; vADC deployment; DNS; Application; Cloud Management.

Cloud Hosting Provider (On-Demand Computing): Application; UI or REST API.

Roles shown: User, Cloud Administrator, Business Unit Application Manager.

Application delivery services

• Repeatable

• Integrated

• Orchestrated

• Expedited

Diagram labels: Policy Management; Data Center 1, Data Center 2, Data Center 3, Data Center 4; Cloud Management; App Lifecycle Management; Cloud Connectors; Public Cloud (Amazon Web Services); Third-Party Cloud Orchestrators (VMware vCloud Director).

F5 Reference Architectures

Service based security: same policy on premise or in the cloud.

• WAF policy (L7)

• Firewall policy (L4)

• Dynamic IP policy (L3)

• DDoS protection (L2-L7)

F5 DDoS protection reference architecture (diagram)

Actors shown: Legitimate Users, Corporate Users, DDoS Attacker, Scanner, Anonymous Proxies, Anonymous Requests, Botnet Attackers; ISPa/b; Cloud Scrubbing Service; Threat Feed Intelligence; Strategic Point of Control; Multiple ISP strategy.

Network and DNS tier: Network attacks (ICMP flood, UDP flood, SYN flood); DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning).

Tier 2 (Application): SSL attacks (SSL renegotiation, SSL flood); HTTP attacks (Slowloris, slow POST, recursive POST/GET). Also shown: IPS, Next-Generation Firewall.

Protected applications: Financial Services, E-Commerce, Subscriber.

• Protect against DDoS at all layers – 38 vectors covered

• Withstand the largest attacks – DNS DDoS

• Gain visibility and detection of DNS/SSL attacks

More sophisticated attacks are multi-layer (figure layers shown: Application, SSL)

Which DDoS technologies do you use?

CLOUD/HOSTED SERVICE

Content delivery network

Communications service provider

Cloud-based DDoS service

• Customers pay, whether attacked or not

• Bound by terms of service agreement

• Solutions focus on specific layers (not all layers)

• Completely off-premises so DDoS attacks can’t reach you

• Amortized defense across thousands of customers

• DNS anycast and multiple data centers protect you

STRENGTHS

Which DDoS technologies do you use?

ON-PREMISES DEFENSE

Network firewall with SSL inspection

Web application firewall

On-premises DDoS solution

Intrusion detection/prevention

• Many point solutions in market, few comprehensive DDoS solutions.

• Can only mitigate up to max inbound connection size

• No other value. Only providing benefit when you get attacked. (excludes F5)

• Direct control over infrastructure.

• Immediate mitigation with instant response and reporting.

• Solutions can be architected to scale independently of one another.

STRENGTHS


TIER 1 KEY FEATURES

• The first tier at the perimeter is layer 3 and 4 network firewall services

• Simple load balancing to a second tier

• IP reputation database

• Mitigates volumetric and DNS DDoS attacks


TIER 2 KEY FEATURES

• The second tier is for application-aware, CPU-intensive defense mechanisms

• SSL termination

• Web application firewall

• Mitigate asymmetric and SSL-based DDoS attacks

• Protection is L7 based (not just a L4 reset)

Network Based DoS Detection & Mitigation

80+ DoS Vectors

Bad Header – IPv4

• Bad IP Option
• Bad IP TTL Value
• Bad IP Version
• Header Length > L2 Length
• Header Length Too Short
• IP Error Checksum
• IP Length > L2 Length
• IP Option Frames
• IP Source Address == Destination Address
• L2 Length >> IP Length
• No L4
• TTL <= 1

Bad Header – IPv6

• Bad IPV6 Hop Count
• Bad IPV6 Version
• IPV6 Extended Header Frames
• IPV6 Length > L2 Length
• IPV6 Source Address == Destination Address
• Payload Length < L2 Length
• Too Many Extended Headers
• No L4 (Extended Headers Go To Or Past End of Frame)

Other

• Host Unreachable
• TIDCMP

Bad Header – L2

• Ethernet MAC Source Address == Destination Address

Bad Header – TCP

• Bad TCP Checksum
• Bad TCP Flags (All Cleared and SEQ# == 0)
• Bad TCP Flags (All Flags Set)
• FIN Only Set
• Option Present With Illegal Length
• SYN && FIN Set
• TCP Header Length > L2 Length
• TCP Header Length Too Short (Length < 5)
• TCP LAND
• TCP Option Overruns TCP Header
• Unknown TCP Option Type

Bad Header – UDP

• Bad UDP Checksum
• UDP LAND
• Bad UDP Header (UDP Length > IP Length or L2 Length)

Bad Header – ICMP

• Bad ICMP Frame
• ICMP Frame Too Large

Flood

• ARP Flood
• DNS Response Flood
• Ethernet Broadcast Packet
• Ethernet Multicast Packet
• ICMP Flood
• IPV6 Fragment Flood
• IP Fragment Flood
• Routing Header Type 0
• TCP ACK Flood
• TCP RST Flood
• TCP SYN ACK Flood
• TCP SYN Flood
• UDP Flood
• Single Endpoint Flood
• Single Endpoint Sweeper

Fragmentation

• ICMP Fragment
• IPV6 Fragment
• IPV6 Fragment Overlap
• IPV6 Fragment Too Small
• IP Fragment
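Most of the "Bad Header" vectors above are simple invariants that a device can verify on every packet before any stateful processing. The following Python is an added example, not F5 code and not BIG-IP logic: it checks a constructed Ethernet/IPv4 frame against a subset of the L2, IPv4, TCP and UDP vectors listed, using the vector names from the list; `build_frame` and `tcp_header` are constructed helpers for assembling test frames.

```python
import struct

def ip_checksum(hdr: bytes) -> int:
    # RFC 1071 ones'-complement sum over an IPv4 header whose checksum field is zeroed
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_ip, dst_ip, ttl, proto, l4, src_mac=b"\x02" * 6, dst_mac=b"\x04" * 6):
    # Constructed helper: Ethernet/IPv4 frame without IP options, valid IP checksum, carrying l4
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, ttl, proto, 0, src_ip, dst_ip))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return dst_mac + src_mac + b"\x08\x00" + bytes(ip) + l4

def tcp_header(sport, dport, seq, flags, doff=5):  # constructed helper: bare 20-byte TCP header
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, doff << 4, flags, 8192, 0, 0)

def dos_vectors(frame: bytes) -> list:
    # Names, taken from the vector list above, of the header-sanity checks this frame fails
    hits = ["Ethernet MAC Source Address == Destination Address"] if frame[:6] == frame[6:12] else []
    ip = frame[14:]
    if frame[12:14] != b"\x08\x00" or len(ip) < 20:
        return hits  # this example inspects IPv4 only
    ihl, total_len, ttl, proto = (ip[0] & 0xF) * 4, int.from_bytes(ip[2:4], "big"), ip[8], ip[9]
    src_ip, dst_ip, l4 = ip[12:16], ip[16:20], ip[min(ihl, len(ip)):]
    checks = [
        (ip[0] >> 4 != 4, "Bad IP Version"),
        (ihl < 20, "Header Length Too Short"),
        (total_len > len(ip), "IP Length > L2 Length"),
        (ttl <= 1, "TTL <= 1"),
        (src_ip == dst_ip, "IP Source Address == Destination Address"),
        (20 <= ihl <= len(ip) and ip_checksum(ip[:10] + b"\0\0" + ip[12:ihl]) != int.from_bytes(ip[10:12], "big"), "IP Error Checksum"),
    ]
    if proto == 6 and len(l4) >= 20:  # TCP
        sport, dport, seq, doff, flags = *struct.unpack("!HHI", l4[:8]), l4[12] >> 4, l4[13] & 0x3F
        checks += [
            (doff < 5, "TCP Header Length Too Short (Length < 5)"),
            (doff * 4 > len(l4), "TCP Header Length > L2 Length"),
            (flags == 0 and seq == 0, "Bad TCP Flags (All Cleared and SEQ# == 0)"),
            (flags == 0x3F, "Bad TCP Flags (All Flags Set)"),
            (flags == 0x01, "FIN Only Set"),
            (flags & 0x03 == 0x03, "SYN && FIN Set"),
            (src_ip == dst_ip and sport == dport, "TCP LAND"),
        ]
    elif proto == 17 and len(l4) >= 8:  # UDP
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        checks += [(ulen > total_len or ulen > len(l4), "Bad UDP Header (UDP Length > IP Length or L2 Length)"),
                   (src_ip == dst_ip and sport == dport, "UDP LAND")]
    return hits + [name for cond, name in checks if cond]
```

A frame that trips any of these checks can be dropped statelessly, which is why these vectors belong in the first tier rather than behind SSL termination.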


Comparison chart (figure): F5 (VIPRION 4800), Juniper (SRX 5800), Cisco (ASA 5585-X) and Check Point (61000) compared on Throughput (Gbps), Connections per second (millions), Sessions (millions) and Footprint (rack units); multipliers shown: 3x, 20x, 10x, 10x. For 576M concurrent connections.

Use case
