Professional Documents
Culture Documents
F5 Solutions Playbook September 2016 PDF
F5 Solutions Playbook September 2016 PDF
APPLICATION DELIVERY
SECURITY
SERVICE PROVIDER
MANAGED SERVICES
F5 NETWORKS
SOLUTIONS PLAYBOOK
CONTENT
APPLICATION
07 Server resources cost control
08 Firewalls scalability
09 DNS scalability solutions
10 Federation and simplification of VDI environments
DELIVERY
11 Integration of hyperconvergent platforms – Nutanix
12 Migrating Exchange environments
13 Optimization of DC access based on geolocation
14 Optimized cache balancing (CARP)
15 TCP optimization
16 Rewriting gateway domains
17 HTTP/2 gateway
18 IPv6 gateway
19 Geo-location solution with EDNS
20 HA and DC solution in HUB & spoke topologies
21 Interconnect solution for overlapping networks
22 Data centre persistence solution
23 Customized portals solution
24 DNS64 solution
25 Multi-Language solution in web environments
26 NAT64 solution
27 Intelligent packet brokering solution
28 Cisco ACE replacement
01
APPLICATION DELIVERY
GLOBAL TRAFFIC
BALANCING
BALANCING
LOCAL TRAFFIC
BALANCING ENVIRONMENTS
THROUGH MULTI-HOMING
By using iControl, it is possible to integrate the management of these data structures with third party tools, which
makes it possible, for example, to import data files for «VIP» users into the solution.
ALTERNATIVES
• Manual procedures do not ensure business REFERENCE ARCHITECTURE | BUSINESS CONTINUITY WITH DPC MINIMUM BACK-UP SERVICES
continuity, and require «human» intervention.
• Building back-up «mirroring» centres impacts DMZ DMZ
DNS DNS
BIG-IP Platform
BIG-IP Platform
Internet
ALTERNATIVES
Cloud Hosted Apps
• Manual redirecting of IPs to cover the RTO.
This is time consuming and are prone to
delays due to network convergence.
• Increasing the number of lines or expanding Data Center 2
ALTERNATIVES
• Outage during peak traffic.
Avalanche
• Investment in additional hardware to process
peak traffic correctly.
• Users making repeated attempts to access “ Waiting room ”
COST CONTROL
OF SERVER RESOURCES
Compression
Usuarios
FIREWALLS SCALABILITY
ALTERNATIVES DDoS
Attack
Firewall/NGFW
DNS SCALABILTY
SOLUTIONS
Some 41% of the time, loss of web service REFERENCE ARCHITECTURE | DNS SCALABILITY SOLUTIONS
infrastructure is due to DNS-related problems,
so it is essential to maintain the availability of the
DNS service. The loss (or degradation) of the
service adversely affects service users, leading to
loss of revenue and loss of productivity for users
attempting to access corporate resources such as
e-mail.
ALTERNATIVES
• Risking losing the DNS service, thus
endangering business continuity and the
productivity of the company’s employees, is
difficult to justify.
• Adding more and more DNS servers, without
intelligent balancing which can monitor
server performance, is also not particularly
advisable.
10
APPLICATION DELIVERY
ALTERNATIVES
Load Hypervisor
Balancing
VPN
• Having VDI solutions from multiple vendors, User
Brokers
Virtual
which represents an increase of CAPEX and Applications
INTEGRATION OF HYPERCONVERGENT
PLATFORMS – NUTANIX
MIGRATING EXCHANGE
ENVIRONMENTS
ALTERNATIVES
HR Outlook
Anywhere
Exchange
2010
ALTERNATIVES
Data Center Data Center
• Failure to make use of a global rolling method EUROPA AMERICA
OPTIMIZED CACHE
BALANCING (CARP)
content, this also creates a more scalable service Internet Dynamic requests
Caching BIG-IP
SSL
Compresión
ALTERNATIVES
• No other manufacturer of ADC is capable
of implementing the CARP algorithm. The
alternative is to have a content-delivery system,
which is less efficient in terms of scalability, Cripto Offloader
TCP OPTIMIZATION
ALTERNATIVES Radio
Internet
Access
REWRITING GATEWAY
DOMAINS
• Proprietary applications: in most cases, F5 also allows for efficient management, which is optimized at a single point on the encrypted traffic,
programmers do not contemplate the need undertaking the downloading and compression of traffic through hardware which is specifically designed for
to differentiate between internal and external
addresses and introduce direct references to this purpose.
internal URLs, which are not reachable from the
REFERENCE ARCHITECTURE | REWRITING GATEWAY DOMAINS
outside.
• Commercial applications: often it is necessary
to use a pair of reverse proxies for each
application, these perform the rewrites and
sometimes undertake some pre-authentication
work. Each application typically requires the
deployment of at least two proxies, which are
also not compatible between different versions Clients
ALTERNATIVES
https://portal.f5se.com/training/2011/
• Deployment of multiple systems of reverse
proxies on a per-application basis, such as
Microsoft TMG, ISA servers, BlueCoat, or
other business solutions such as WebMarshal,
WebSEAL, etc.
• The problem with these solutions is that
they do not allow for the consolidation of
functionality, there is no guarantee of the level
of performance, they require general-purpose
operating systems and do not support recent
encryption requirements, etc.
17
APPLICATION DELIVERY
HTTP/2 GATEWAY
Optimization
Reporting
Security
inefficiency of HTTP/1.1. A change is needed.
ALTERNATIVES
HTTP/2 HTTP/1.x
Not adopting efficient protocols such as HTTP/2 Protocol/Cipher
means that web services cannot benefit from
01101101 Gateway GET /images/
the best user experience. This means that 01100101 cat.jpg
the performance of these web services is at a
disadvantage compared to the services offered
by those who have already adopted these Client Server
BIG-IP Platform
improved protocols. This impacts negatively on
the business.
18
APPLICATION DELIVERY
IPV6 GATEWAY
GEO-LOCATION SOLUTION
WITH EDNS
ALTERNATIVES
+ EDNS OPT RR
IP: A.B.C.D
• The use of global DNS servers is a common IP: A.B.C.D
practice among internet users, so not DNS: 8.8.8.8
implementing these mechanisms of extending
DNS (EDNS) jeopardizes the accuracy and
performance of services based on geo-
location.
• Using CDN, which can lead to increased
operating costs for the service.
20
APPLICATION DELIVERY
HA AND DC SOLUTION
IN HUB & SPOKE TOPOLOGIES
ALTERNATIVES In case of the failure of one of the devices in the remote data centres, the corresponding vCMP «guest»
will take up an active role, thus ensuring continuity of service.
• Providing redundancy for all the equipment
at each site data centre or remote site (spoke)
REFERENCE ARCHITECTURE | HA AND DC SOLUTION IN HUB & SPOKE TOPOLOGIES
implies a high potential cost of purchasing
equipment.
Data Center
LTM VCMP :
Each VE has several
HA in remote DC
BIG-IP Platform
Data Center
LTM Internet
VIPRION Platform
[Data Center]
BIG-IP Platform
21
APPLICATION DELIVERY
ALTERNATIVES
Network Firewall Services
• Re-engineering of IP addressing. Places + NAT Rules
serious demands on time, money and Company A Company B
resources, and does not guarantee a solution 10.128.12.0/22 10.128.12.0/24
0.12
for all scenarios. C BIG-IP Platform C
• NAT solution: are expensive, have little
flexibility (traceability, logging, etc) and have 10.128.14.0/24
0.12 10.128.24.0/24
0.12
scalability issues in terms of pools of IP D Router Router D
addresses and ports. Standard NAT solutions
have a high impact on CAPEX/OPEX.
22
APPLICATION DELIVERY
ALTERNATIVES
User
Currently there is no alternative to this solution. Cookie
SYNC SYNC
CUSTOMIZED PORTALS
SOLUTION
ALTERNATIVES
Adapted content
• Ad-hoc developments, which are non-reusable
and which require applications to be modified.
• Development costs and time required to
perform these customizations.
APPLICATION DELIVERY
DNS64 SOLUTION
24
PROBLEM F5 | DNS SOLUTION
The progressive introduction of IPv6 means that DNS64 is a mechanism for creating DNS records in the form of AAAA (IPv6) from records of type A
the coexistence of IPv4 and IPv6 networks is a (IPv4). This domain name resolution between IPv6 and IPv4 is a key element in the communication
reality which will continue to exist for quite some between clients which only use IPv6 and servers which only use IPv4, without requiring changes to any
time. of them.
Migration to an IPv6 world should be The DNS module can perform the DNS64 functions in a manner which is both autonomous
a transparent process for users and this and transparent to the standard DNS solutions, which have already been deployed; alternatively it can
transition should definitely not lead to the loss of also be integrated and used to complement another third party DNS64 solution. In the latter case, the
access to IPv4 services for users who already BIG-IP intercepts, manages and optimizes DNS client requests in IPv6 before sending them to external
have IPv6 addressing. DNS64 servers.
While the configuration of IPv6 among users is REFERENCE ARCHITECTURE | DNS64 SOLUTION
gradually becoming a common practice, not all
services are available in IPv6 (and many never
IPv6 Clients DNS64
will be). Communication between IPv6 and IPv4 IPv6 DNS Query
worlds has become a problem. IPv4 Internet
DNS
DNS64 Reply
DNS
25
APPLICATION DELIVERY
MULTI-LANGUAGE SOLUTION
IN WEB ENVIRONMENTS
ALTERNATIVES
• While it is true that certain manufacturers have tried to Clients 2
BIG-IP
plagiarize iRules technology, they are far from what has
actually been achieved by F5, as the scripts are much
more powerful and operate at many layers of traffic.
Moreover, none of them has a community which can
compare to DevCentral.
• The alternative to iRules technology is applying this
intelligence in the same application, which requires an Adapted content
extended time commitment for the development and
maintenance of new code.
APPLICATION DELIVERY
NAT64 SOLUTION
26
PROBLEM F5 | LTM/CGNAT SOLUTION
The progressive introduction of IPv6 means that the IPv6 clients who want access to «legacy» IPv4 services need a solution which translates the IPv6 address into
coexistence of IPv4 and IPv6 networks is a reality an IPv4 address. This solution is NAT64.
which will continue to exist for quite some time.
The NAT64 solution only applies to traffic from IPv6 clients accessing services in IPv4. Both the LTM module
Migration to an IPv6 world should be a transparent
and the CGNAT module support NAT64 functionality.
process for users and this transition should definitely
not lead to the loss of access to IPv4 services for REFERENCE ARCHITECTURE | NAT64 SOLUTION
users who already have IPv6 addressing.
It is possible to configure flows of online traffic (IPS, etc.) and/or offline traffic (IDS etc.), which means
Specific technical solutions do not scale
that each specific solution can be sized and scaled independently and in a way which is both technically
in an efficient manner and costs skyrocket.
and economically effective.
There is little flexibility when deploying and
PEM provides the necessary monitoring to check the availability and performance of all of the solutions
integrating new solutions within the data centre. integrated in the various flows, allowing these to be dynamically changed.
ALTERNATIVES
SOLUTIONS PLAYBOOK
CONTENT
CLOUD
33 Integration with Cloud Access Brokers (CASBs)
34 Migration to cloud environments
35 Protection of services in cloud environments
COST CONTROL
‘IN THE CLOUD’ BURSTING
• Manually direct traffic into the cloud, this is Global load balancing
Infrastructure monitoring
Advanced reporting
Application
User Cloud
UI o Administrator
REST API
Cloud
Management
Load balancing
Custom business logic On-Demand Computing
Object caching
SSL management
Application
Strategic Point of Control
Cloud Hosting Provider
30
CLOUD (PRIVATE AND PUBLIC)
FEDERATION OF IDENTITIES
IN CLOUD ENVIRONMENTS
ALTERNATIVES
Multi-factor
Authentication
Users
SAML
• Different proprietary development solutions, Access control
Applying real-time
Attackers
which trigger higher maintenance costs and access control policy Directory
Services
Corporate
Applications
Today, provisioning a new virtual machine can This is to say that F5 can not only provision a load balancer as a service (LBaaS) but also multiple capabilities,
take a matter of minutes, but configuring the such as WAF, authentication, DNS, etc.
network associated with that virtual machine
(setting up VLANs, routing, QoS policy, firewall REFERENCE ARCHITECTURE | INTEGRATION WITH SDN CISCO ACI
rules, configuring load balancers) can take hours,
or even days.
BIG-IQ
ALTERNATIVES
F5 Synthesis Fabric
• Alternatives to VMware NSX include Cisco
ACI, Nuage, and OpenStack.
• Alternatives to F5 are only able to provide very
ACI Fabric Virtual Edition Appliance Chassis
Today, provisioning a new virtual machine can This is to say that F5 can not only provision a load balancer as a service but also multiple capabilities, such as
take a matter of minutes, but configuring the WAF, authentication, DNS, etc.
network associated with that virtual machine
In addition, NSX can be used to create instances of F5 VE virtual machines and these will be automatically
(setting up VLANs, routing, QoS policy, firewall
configured and licensed.
rules, configuring load balancers) can take hours,
or even days.
REFERENCE ARCHITECTURE | INTEGRATION WITH SDN VMWARE ARCHITECTURES
ALTERNATIVES Admin
Application Services
User NSX
NSX Application
Edge vSwitch
Workloads
BIG-IP Generic
Platform Platform
ALTERNATIVES
Authorize Access
• The alternative is to use several solutions and dUsers Management
User Devices
integrate them, for example proxy chaining Directory
Services
and NAC, this increases complexity and costs
Google
Salesforce Office 365 Apps
~
Corporate
1,000’s of SaaS Apps Applications
34
CLOUD (PRIVATE AND PUBLIC)
MIGRATION TO CLOUD
ENVIRONMENTS
BIG-IP Platform
35
CLOUD (PRIVATE AND PUBLIC)
PROTECTION OF SERVICES
IN CLOUD ENVIRONMENTS
attacks?
Origin Content Fetch
1.2.3.4
Cloud
Customer/ISP
Transit
5.6.7.8 Proxy/WAF NAT Pool
ALTERNATIVES
ISP Customer
Internet 9.9.9.0/24 Router Network Router
1.2.3.6
SOLUTIONS PLAYBOOK
CONTENT
SECURITY
44 Integration with MdM – MobileIron
45 Integration with DAST and WAF solutions
46 HSM integration solutions
47 Optimization of Google ranking using TLS/SSL
48 Reverse proxy gateway
49 Anti-Bot protection in OWA environments
50 Protection with smart reputation lists
51 DNS infrastructure protection
52 Protection of Public-Service portals
53 DNS protection through DNSSEC
54 Transparent fraud protection for e-commerce transactions
55 Juniper SSL VPN replacement
56 Microsoft Forefront TMG replacement
57 Replacement of DNS platforms based on bind
58 Always-on solution for mobile environments
59 Kerberos authentication solution for mobile devices
60 Remote VPN SSL access solution
61 SSL/TLS offloading solution
62 SSL/TLS visibility solution
63 Single Sign-On solution
64 Web Application Firewall (WAF) solution
65 Proxy solution for safe navigation for employees
66 Enhanced Web Application Firewall (e-WAF) solution
36
SECURITY
The increasing frequency of attacks means Access to the application takes into account the context of the user, who they are, from where they are
that more intelligence is required to allow user requesting access and to which group they belong.
access to a particular resource, a password is This solution validates the user against multiple types of repositories (LDAP, RADIUS, AD, etc.), checks
not enough, the user’s context also needs to be the security status of the device, undertakes authentication using advanced mechanisms such as SAML,
considered, where, how, when, etc. Kerberos, NTLM, etc. and supports multi-factor authentication to applications according to the user’s context.
REGULATORY COMPLIANCE
PCI-DSS
Partners
ISPb BIG-IP Platform
ISP provides
volumetric DDoS
DDoS Attack service
ALTERNATIVES
Data Center
• Network operators can provide equipment at Customers
PHISHING ATTACK
DETECTION
HTTPS Inspection
DDoS Attack
42
SECURITY
Decrypted
Data
ALTERNATIVES
BIG-IP Platform Load Traffic inspection
Balancing and risk analysis
• Leave the FireEye equipment without SSL
Decrypted
visibility Data
Encrypted
• Scale the FireEye by putting one in each of Data
Tablet
ALTERNATIVES
Load Balancing Servers
+ DDoS Protection
+ Firewall
Firewal
Fir
Fi alll “Compliance”
Tablet with
AAA Server No “Compliance”
• Let MDM solutions perform their function Apps MDM
Policies
independently, doubling the security Safe but no
"Compliance"
management of access from mobile devices.
• Double authentication in two different
solutions, with consequent «inconvenience»
to the user.
44
SECURITY
SSO
ALTERNATIVES
Smartphone
Servers
BIG-IP Platform
• Let MDM solutions perform their function Internet
HSM INTEGRATION
SOLUTIONS
SSL OFFLOAD
Web Server/
Internet
Application
BIG-IP
ALTERNATIVES
• F5 is the only manufacturer of an ADC, which has
the functionality to integrate with external HSMs and
to coexist with them in high-security environments
where the certificates are in a single external
HSM
repository, and thus fulfil FIPS standards. Even a VE
could work in a FIPS environment.
• The alternative is to use an ADC with internal HSM
equipment (FIPS), apart from the expensive price,
this solution no longer follows the standard practices
of companies which use HSMs and can therefore no
longer be the sole repository of corporate certificates.
47
SECURITY
Visibility/Control
Data Protection
which is very poor. It is far from easy to implement
Key Mgmt
TLS in old web infrastructure. * Https://www.
ssllabs.com/ssltest/index.html.
ALTERNATIVES HTTP/1.x
HTTP/2
• Renew the entire infrastructure of the web Protocol/Cipher
service and dimension it to support the latest Gateway
TLS 1.3 SSL 3.0
encryption standards; this entails considerable
investment in terms of cost and implementation
time. Client Server
BIG-IP Platform
48
SECURITY
REVERSE PROXY
GATEWAY
develops or manages regularly. More points of Endpoint security check Local Traffic Management
Access Policy Management
App 1
failure and more complexity. Application Security
Application Acceleration
Virtualization
HA, LB
App 2
ALTERNATIVES App 3
ANTI-BOT PROTECTION
IN OWA ENVIRONMENTS
ALTERNATIVES
BIG-IP Platform
Active
• You can configure the Active Directory to Directory
increase the number of attempts permitted User
before a user is blocked or leave it
unprotected, which is not a solution which can
protect users from these DDoS attacks
50
SECURITY
DNS INFRASTRUCTURE
PROTECTION
• Traditional DNS solutions are difficult and costly DNS tunneling Network Firewall Services
to scale, there are no flexible and/or advanced Attacker Proxy Anonimo + DNS Services
+ DNSSEC
User
DDoS
Attacker
IP Intelligence
Attackers
52
SECURITY
PROTECTION
OF PUBLIC-SERVICE PORTALS
DNS PROTECTION
THROUGH DNSSEC
While DNSSEC does not encrypt data, cryptographic authentication prevents users/customers from suffering
This has made this critical service vulnerable to
cache poisoning attacks relating to the protected DNS zone.
attacks such as cache poisoning, which basically
consists of spoofing responses to DNS queries BIG-IP uses hardware to perform DNSSEC signing, this results in a solution that is highly scalable.
to maliciously redirect users. There are several Additionally, it supports offloading certificates using our own cryptographic cards or we can integrate with
forms of attack which exploit the vulnerability of external HSMs so that they can confirm the certificates.
cache poisoning, such as the «Birthday Attack».
The attacker’s objective is to modify the contents
REFERENCE ARCHITECTURE | DNS PROTECTION THROUGH DNSSEC
of the DNS cache such that it does not return
the actual IP address of a FQDN, but another
IP address, usually that of a server which the
[Data Center]
attacker controls, and where they can host
malicious content. BIG-IP DNS con
DNSSEC ACTIVADO
Example.com Example.com
ALTERNATIVES
User xxx.xxx.xxx.xxx+public key LDNS Servers
xxx.xxx.xxx.xxx+public key
DNS
• Not using DNSSEC exposes our DNS servers BIG-IP Platform
Servers
Faced with such attacks, users and companies WebSafe is a clientless anti-fraud solution, enabling seamless integration with existing web applications and all
face two problems: The economic impact of the existing web browsers.
attack (at both user and enterprise level) and the The solution safeguards the ROI, avoiding economic losses and the loss of information relating to users,
reputational impact of the attack (at enterprise applications and web platforms, thereby safeguarding the company’s reputation.
level).
REFERENCE ARCHITECTURE | TRANSPARENT FRAUD PROTECTION FOR E-COMMERCE TRANSACTIONS
ALTERNATIVES
Network Application
Account Firewall
Amount
F5 Security
Online Customers Operations Center
Automated
Transactions
and
Transfer Funds
Transaction integrity
SECURITY
MICROSOFT FOREFRONT
TMG REPLACEMENT
REPLACEMENT OF DNS
PLATFORMS BASED ON BIND
ALWAYS-ON SOLUTION
FOR MOBILE ENVIRONMENTS
ALTERNATIVES
• In-house development.
Mobile users BIG-IP LTM +APM
INTERNET
-OR- Hypervisor
Branch office users
INTERNAL LAN
VLAN2 Virtual desktops
Wireless users
INTERNAL LAN
LAN users VLAN1
59
SECURITY
KERBEROS AUTHENTICATION
SOLUTION FOR MOBILE DEVICES
ALTERNATIVES
User + Web Security
+ Categorization Database Web APIs
• URL + Reporting
categorization/
filtering Policy-
Violatio
be discontinued by Microsoft..
A Context-Aware Web Security Malicious
SWG Secure Web Gateway Services Simplified Business Models
B Acceptable Use Policy Controls Server
GOOD BETTER BEST
APM BIG-IP Access Policy Manager
C Bandwidth Controls
+ Secure Web Gateway Services
Malware
60
SECURITY
The traditional approach of installing local agents When providing access via an SSL-encrypted VPN tunnel remote access can be supported even from behind
on devices involves additional management a web proxy or firewall.
overheads, versioning, and multiple constraints APM offers the option of using a software VPN client which facilitates the configuration of automatic session
due to the traditional IPSEC encapsulation establishment and supports most operating systems, both desktop (MS Windows, Mac OS X, Linux) and
(which is often blocked when accessing the mobile (Android, IOS, Windows Phone...).
internet via a proxy or when within 3rd party
environment). REFERENCE ARCHITECTURE | REMOTE VPN SSL ACCESS SOLUTION
ALTERNATIVES
• Using the client’s IPSec tunnels does not
Access Rules
work in certain environments (behind a web
proxy, firewalls, etc.), which reduces the
versatility and value of the solution.
Access Portal (optional)
• Solutions which require a software client to be
installed on the access devices do not always
cover the needs of the environment (e.g.
BYOD), and also require the clients to be
managed, which reduces the scalability and Apps
agility of the solution.
AAA
Client Software (optional) server
User = HR Red Internal
61
SECURITY
SSL/TLS OFFLOADING
SOLUTION
ALTERNATIVES Internet
TLS/SSL OFFLOAD
Web Server/
Application
BIG-IP
Increasing the number of front-end or application servers
to address the increase in resources required to process
Integration with external HSM
the SSL/TLS traffic is an alternative which is expensive
(Optional)
both economically and operationally.
In addition, the independent management of the
certificates in each of the servers is not efficient, and
increases the risk of errors in cases where it is necessary HSM
to manage potentially dozens of certificates per server.
Acceleration solutions based general-purpose hardware
liberate the servers from the computational load but are
limited by the same factors and do not scale properly.
62
SECURITY
SSL/TLS VISIBILITY
SOLUTION
ALTERNATIVES
Traditional security service architecture is usually Completion and Inspection SSL
sub-optimal and is generally based on solutions + Cipher Agility + SSL Transformation
+ Intelligent Traffic Management
with a high CPU consumption (and are therefore + SSL Re-Encryption
Firewall RON
Internet Firewall
costly) and cannot inspect more secure key de Red
LTM
de Red
exchanges such
as Elliptic Curve Diffie-Hellman (ECHDE). BIG-IP
SECURITY
ALTERNATIVES ASM
DDoS
Attack HTTPS/HTTP
• Implementation of more secure policies for HTTP
HTTPS
application development, which may result Clients BIG-IP Platform
in organizational conflict, long delays in the
development of applications and a substantial
OWASP
increase in development costs. Attacks
• Taking no action poses a huge risk and means
non-compliance with regulations.
65
SECURITY
• Integration with A B
corporate directory Secure Web B2B Server
ALTERNATIVES
for user Gateway
identification Access Policy
User + Web Security
+ Categorization Database Web APIs
• URL + Reporting
categorization/
• F5 is the only solution on the market which filtering Policy-
Violation
provides access control of both «inbound» traffic NGFW
and/or
Firewall Internet E-Commerce Sites
• Malware scanning User
(APM: VPN, SSL, VDI, Mobility) and «outbound»
IPS
Inspection BIG-IP Platform
Kerberos
traffic (safe browsing). • SSL interception NTLM
Basic Auth
Remote Users
Facebook
Facebook
Games
407
• The combination of F5 & Websense, outperforms • Federated Single
Active
Directory
C
Malware
66
SECURITY
ASM + WebSafe
HTTPS/HTTP
HTTP
ALTERNATIVES HTTPS
BIG-IP Platform
SOLUTIONS PLAYBOOK
CONTENT
SERVICE
70 PEM analytics solution
71 CGNAT solution
72 Interconnected signalling solution
73 Solution for monetizing OTT services
PROVIDER
74 Intelligent DNS firewall solution
75 Gi firewall solution
76 LTE-Roaming solution
77 SIP/IMS signalling solutions
78 On demand bandwidth availability solution
67
SERVICE PROVIDERS
OPTIMIZATION
OF VoIP SOLUTIONS
In general, these solutions were not intended to Tier 1: Global DNS and Protecting L3-4
Corporate
Users
Voice Tier
Tier 2: App Delivery and AAA
take into account the location of the customer’s Network Attacks: Network Firewall Services
phone nor the condition of the organization’s global
ICMP flood, UDP flood, SYN flood
Customers
+ SIP Load Balancing
ALTERNATIVES
Virtual Data Center
REPLACEMENT
OF CITRIX BYTEMOBILE
ALTERNATIVES OCS
TCP
Optimization
Traffic
Steering PCRF
PEM ANALYTICS
SOLUTION
ALTERNATIVES
• Competing with simple plans, differentiating on
price alone.
• Tools which are complex and difficult to integrate
71
SERVICE PROVIDERS
CGNAT SOLUTION
The challenge for operators is to support and It allows full connectivity and a smooth migration to IPv6
manage content and devices using IPv4, while
simultaneously facilitating the transition to the
new devices, services and applications in IPv6.
ALTERNATIVES
ALTERNATIVES
It is also necessary to ensure user protection and Finally, BIG-IP DNS provides statistics and reports, and includes functionality for high speed logging for DNS to
the integrity of the service against DDoS attacks, facilitate capacity planning, service optimization and the monetization of services.
DNS cache poisoning and DNS tunnelling.
REFERENCE ARCHITECTURE | INTELLIGENT DNS FIREWALL SOLUTION
ALTERNATIVES
• BIND-based solutions are expensive to
operate due to the frequent updates required
to counter the constant threats.
• Traditional DNS solutions are difficult and
costly to scale, there are no flexible and/
or advanced integrated security solutions
specific to DNS.
75
SERVICE PROVIDERS
GI FIREWALL
SOLUTION
ALTERNATIVES
The use of traditional firewalls has proved itself
to be a poor alternative because of its low level
of performance and high operating costs. Its
drawbacks include:
• poor performance in mobile environments or
where there is a large number of connections.
• poor energy efficiency.
• poor space efficiency.
• high cost per user.
The use of CGNAT platforms to protect IPv4
environments puts the CGNAT platform itself in
danger of flooding-type attacks. Furthermore, in
IPv6 environments, user traffic does not require
NAT, which makes it necessary to have an element
specifically for protection – the Gi Firewall.
76
SERVICE PROVIDERS
LTE-ROAMING
SOLUTION
ALTERNATIVES
• Multiple solutions from different
manufacturers with high OPEX.
• Solutions with less flexibility and scalability,
which are difficult to adapt to changing
needs, making it difficult to plan ahead.
78
SERVICE PROVIDERS
ON DEMAND BANDWIDTH
AVAILABILITY SOLUTION
• Oversize networks.
• More restricted service portfolios, i.e. less Bandwidth increase based on the time of day
competition, lower incomes.
F5 NETWORKS
SOLUTIONS PLAYBOOK
CONTENT
MANAGED
82 MSP offering a WAF as a service solution
83 MSP offering a Federation as a service solution
84 MSP offering a LB as a service solution
SERVICES
79
Managed Services
MSP OFFERING A
DDOS AS A SERVICE SOLUTION
ALTERNATIVES
Network attacks:
ICMP flood, SSL attacks: Financial
UDP flood, SSL renegotiation, Services
Multiple ISP SYN flood SSL flood
strategy
Legitimate
Users
E-Commerce
• Deployment of on-premises DDoS-prevention ISPa/b
Network
solutions which offer no other added value. Tier 1 DNS attacks:
and DNS
HTTP attacks:
Application
DDoS DNS amplification, Slowloris,
DNS
• Inability to manage volumetric attacks, Attacker query flood, slow POST,
dictionary attack, recursive POST/GET
DNS poisoning Subscriber
layer or the encryption layer, with consequent Scanner Anonymous Anonymous Botnet Attackers
Proxies Requests
loss of service.
80
Managed Services
MSP OFFERING A
DNS AS A SERVICE SOLUTION
The combination of F5’s ASM and WebSafe modules protects both enterprise applications and those who use
This protection is particularly complex, since we have
no access to our customers’ computers (fixed and/or them without the need to install any clients, modify applications, or access devices, either fixed or mobile.
mobile) and therefore cannot install any clients on these
devices, which also use a multitude of different operating
systems and browsers. REFERENCE ARCHITECTURE | MSP OFFERING AN ENHANCED WAF AS A SERVICE SOLUTION
ALTERNATIVES
WEBSAFE Security Manager + WEBSAFE Vulnerable
application
of clients on the server and/or on the client machine, 6.- Malware & RAT detection to
• Response inspection for errors
and leakage of sensitive
which is not feasible in most cases due to the protect users, phising detection
and application layer encryption information
interaction between the client and the application to avoid user credentials theft • JavaScript injection for security
software itself (in the case of servers) or due to the SERVICE PROVIDERS checks, application encryption,
phishing detection
use of devices, which are outside our organizational
remit (for customers).
• Trusting only in the WAF module does not protect
the users of our applications.
82
Managed Services
MSP OFFERING A
WAF AS A SERVICE SOLUTION
ALTERNATIVES
• Implementing more secure application- On Premises BIG-IP Application
Security Manager
development policies, which may result Vulnerable
application
in organizational conflict, long delays in 5.- Secure response SILVERLINE
the development of applications and a delivered 4.- BIG-IP ASM / SILVERLINE
security policy checked
substantial increase in development costs. • Response inspection for errors
F5 Cloud and leakage of sensitive
• Taking no action poses a huge risk and SILVERLINE MANAGED information
WAF SERVICE
means non-compliance with regulations.
83
Managed Services
MSP OFFERING A
FEDERATION AS A SERVICE SOLUTION
Integrating all these services requires access BIG-IP APM can perform both roles: it can control access to an external service (in the case of an MSP
control and control of the identity of the users serving their customers) and/or it can act as a local IdP, creating an advanced system of authentication for
who consume those services. Allowing the user SaaS services, independent of the chosen SaaS platform. In this way it is possible to avoid exposing the
to manage their access and their password to local directory to the MSP / SaaS provider, while also offering SSO functionality.
the service, will generate multiple problems from
the point of view of security (repeat passwords,
REFERENCE ARCHITECTURE | MSP OFFERING A FEDERATION AS A SERVICE SOLUTION
change management, different policies, etc.).
Synchronizing corporate directory services means On-Premise Infrastructure
ALTERNATIVES
Access
Control
• Exposing the internal directory to external SAML
attackers Access control
service providers. in real time
Application access control
Directory
Services
Corporate
Applications
policy
• Business solutions which are not compatible
between different vendors (e.g. ADFS) and Office 365
services via specific passwords for each service, SaaS Suppliers Strategic Point of Control
each of which has its own policies on password
strength and renewal.
84
Managed Services
MSP OFFERING A
LB AS A SERVICE SOLUTION