
F5 Networks

Traffic Management by Design

Presented by:
Jürg Wiesmann
Field System Engineer, Switzerland
jürg.wiesmann@f5.com
2

Company Snapshot
Leading provider of solutions
that optimize the security,
performance & availability of
IP-based applications

Founded 1996 / Public 1999

Approx. 1,010 employees

FY05 Revenue: $281M

FY06 Revenue: $394M

– 40% Y/Y Growth


3

Clear Leader in Application Delivery

Gartner Magic Quadrant for Application Delivery Products (axes: Ability to Execute vs. Completeness of Vision; quadrants: Challengers, Leaders, Niche Players, Visionaries). Vendors plotted: F5 Networks, Citrix Systems (NetScaler), Cisco Systems, Radware, Juniper Networks (Redline), Akamai Technologies, Nortel Networks, Netli, Stampede Technologies, Coyote Point Systems, Array Networks, Zeus Technology, Foundry Networks, NetContinuum.

• “F5 continues to build on the momentum generated by the release of v9.0. It commands over 50% market share in the advanced platform ADC segment and continues to pull away from the competition.”

• “F5 is one of the thought leaders in the market and offers growing feature richness. It should be high on every enterprise's shortlist for application delivery.”

Source: Gartner, December 2005


4

What CEOs, CFOs and CIOs are interested in

Low investment costs
– Reducing load on server infrastructure
Low service costs
– Simple problem, change and release management
– Fewer service windows
– Less work during service windows
– Simple, secure and stable environments
High availability
5

Problem: Networks Aren’t Adaptable Enough

Diagram: between the Network Administrator and the Application Developer sits the application, with three recurring problems: New Security Hole, High Cost To Scale, Slow Performance.

Traditional networks are focused on connectivity; applications focus on business logic and functionality.
6

How Do You Fix the Problem?

Diagram: the Network Administrator’s answer is multiple point solutions and more bandwidth (add more infrastructure?); the Application Developer’s answer is to hire an army of developers?
7

A Costly Patchwork

Users: Mobile Phone, PDA, Laptop, Desktop, Co-location
Point Solutions: DoS Protection, IPS/IDS, SSL Acceleration, Rate Shaping/QoS, Network Firewall, Load Balancer, Content Acceleration/Transformation, Proxy, WAN Optimization, Traffic Compression, Application Firewall
Applications: SFA, CRM, ERP, Custom Application
8

The Better Application Delivery Alternative

The Old Way The F5 Way

First with Integrated Application Security


9

F5’s Integrated Solution

Users: Mobile Phone, PDA, Laptop, Desktop, Co-location
The F5 Solution: Application Delivery Network running on TMOS
Applications: CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom
10

The F5 Application Delivery Network

Between Users and Applications (including the International Data Center): BIG-IP Global Traffic Manager, BIG-IP Link Controller, BIG-IP Local Traffic Manager, WANJet, BIG-IP Web Accelerator, FirePass, BIG-IP Application Security Manager
All built on TMOS, programmable through iControl & iRules, managed by Enterprise Manager
11

F5 Networks
Remote Access Today

Presented by:
Jürg Wiesmann
Field System Engineer, Switzerland
jürg.wiesmann@f5.com
12

Current Issues

Mobile Workforce: unreliable access, worm/virus propagation, high support costs
Employee on Home PC / Public Kiosk: limited application support, lack of data integrity, reduced user efficiency
Business Partners: complex access controls, no application-level audits, high support costs
Systems or Applications: complex API, unreliable access, high support costs
13

IPSec provides transparent Network Access – BUT…

Needs a preinstalled client
Does not work well with NAT
No granular application access (network level only)
Hard to load balance
Is expensive to deploy
14

On the other hand SSL VPN…

No preinstalled client software needed
Works on the transport layer – no problem with NAT
Works on port 80/443 – no problem with firewall/proxy
Easy to load balance
Offers granular application access
Is easy to deploy
15

Remote Access - Requirements

Any User: Employee, Partner, Supplier
Any Location: Hotel, Kiosk, Hot Spot, Desktop
Any Device: Laptop, Kiosk, Home PC, PDA/Cell Phone
Any Application: Web, Client/Server, Legacy
Highly Available: Global LB, Stateful Failover, Disaster Recovery
Secure: Data Privacy, Device Protection, Network Protection, Granular App Access, Detailed Audit Trail
Ease of Integration: AAA Servers, Directories
Ease of Use: Clientless, Instant Access, Simple GUI
16

Why not use IPSec?

The same requirements diagram as on the previous slide:
Any User: Employee, Partner, Supplier
Any Location: Hotel, Kiosk, Hot Spot, Desktop
Any Device: Laptop, Kiosk, Home PC, PDA/Cell Phone
Any Application: Web, Client/Server, Legacy
Highly Available: Global LB, Stateful Failover, Disaster Recovery
Secure: Data Privacy, Device Protection, Network Protection, Granular App Access, Detailed Audit Trail
Ease of Integration: AAA Servers, Directories
Ease of Use: Clientless, Instant Access, Simple GUI
18

FirePass® Overview

Diagram: Any User on Any Device (Laptop, Kiosk, Mobile Device, Partner) connects over the Internet to FirePass®, which applies Dynamic Policies and grants access only to Authorized Applications: Portal Access, Specific Application Access, Intranet Network Access. All access is secured by SSL.
19

Simplified User Access

Standard browser
– Access to applications from anywhere
Select application
– Shortcuts automate application connections
No preinstalled client software required
– All access via a web browser
20

Access Types
Network Access
Application Access
– Application Tunnels
– Terminal Server
– Legacy Hosts
– X Windows
Portal Access
– Web Applications
– File Browsing (Windows, Unix)
– Mobile E-Mail
Desktop Access (Webtop)
21

Access Methods Summary

Portal Access
Benefits: Most Flexible; Any Device; Any Network; Any OS; Most Scalable; Browser Compatible; Secure Architecture; Restricted Resource Access; Host Level
Drawbacks: Limited Resource Access; Enterprise Web Apps/Resources; Webified Enterprise Resources; Limited Non-web Applications

Application Access
Benefits: C/S Application Access; Legacy Application Access; Transparent Network Traversal; Any Network; Scalable Deployment; No Network/Addr. Configuration; Secure Architecture; Restricted Resource Access; Application Proxy
Drawbacks: Limited Access Flexibility; OS/JVM Compatibility Issues; No Transient Kiosk Access; Client Security; Installation Privileges

Network Access
Benefits: Full Network Access (VPN); No Resource Restrictions
Drawbacks: More Limited Access; OS/JVM Compatibility Issues; Client Security; Installation Privileges
22

Adaptive Client Security

Diagram: the policy applied depends on the endpoint type.
Kiosk/Untrusted PC – Kiosk Policy (Cache/Temp File Cleaner)
PDA – Mini Browser Policy
Laptop – Corporate Policy (Firewall/Virus Check)
Resources granted accordingly, from most restricted to least: Terminal Servers, Files, Intranet, Email, Client/Server Application, Full Network
23

Policy Checking with Network Quarantine

Deep Integrity Checking
– Specific antivirus checks
– Windows OS patch levels
– Registry settings
Quarantine Policy Support
– Ensure policy compliance
– Direct to quarantine network

Diagram: FirePass® routes compliant clients to the full network and non-compliant clients to a quarantine network that tells them “Please update your machine!”
24
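As an added illustration of the two preceding slides (per-device policy and the deep integrity check with quarantine), the following Python is not F5 code and does not reproduce FirePass’s real check definitions: the device classes, resource names, antivirus product names, registry key and thresholds are all constructed assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy values: product names, registry key and thresholds are
# hypothetical, chosen only for this demo (not F5's real check definitions).
APPROVED_ANTIVIRUS: Set[str] = {"ExampleAV", "DemoScan"}
MAX_SIGNATURE_AGE_DAYS = 7           # older signatures fail the antivirus check
MIN_OS_PATCH_LEVEL = 2               # hypothetical "service pack" number
REQUIRED_REGISTRY: Dict[str, str] = {
    r"HKLM\Software\ExamplePolicy\FirewallEnabled": "1",   # hypothetical key
}

# Device class -> (resources the slide grants that class, deep check required?).
# Kiosks and PDAs get a restricted resource set without a posture check;
# laptops get client/server apps and the full network only after passing it.
DEVICE_POLICY: Dict[str, Tuple[Set[str], bool]] = {
    "kiosk":  ({"terminal_servers", "files"}, False),
    "pda":    ({"intranet", "email"}, False),
    "laptop": ({"client_server_apps", "full_network"}, True),
}


@dataclass
class Endpoint:
    """Posture report as a client-side check would deliver it (constructed)."""
    name: str
    device_class: str
    antivirus: Optional[str]
    av_signature_age_days: Optional[int]
    os_patch_level: int
    registry: Dict[str, str]


def integrity_check(ep: Endpoint) -> List[str]:
    """Deep integrity checks named on the slide: antivirus, OS patch level,
    registry settings. Returns the failed checks; an empty list is compliant."""
    failures: List[str] = []
    if ep.antivirus not in APPROVED_ANTIVIRUS:
        failures.append("antivirus: no approved product detected")
    elif ep.av_signature_age_days is None or ep.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("antivirus: signatures older than %d days" % MAX_SIGNATURE_AGE_DAYS)
    if ep.os_patch_level < MIN_OS_PATCH_LEVEL:
        failures.append("os: patch level %d below required %d"
                        % (ep.os_patch_level, MIN_OS_PATCH_LEVEL))
    for key, expected in REQUIRED_REGISTRY.items():
        if ep.registry.get(key) != expected:
            failures.append("registry: %s is not %s" % (key, expected))
    return failures


def decide_access(ep: Endpoint) -> Tuple[str, Set[str], List[str]]:
    """Map an endpoint to (network, reachable resources, failed checks).
    A laptop that fails any check lands on the quarantine network, where the
    only reachable resource is the remediation page ("Please update your machine!")."""
    if ep.device_class not in DEVICE_POLICY:
        return ("denied", set(), ["unknown device class"])
    resources, posture_required = DEVICE_POLICY[ep.device_class]
    if not posture_required:
        return ("restricted", set(resources), [])
    failures = integrity_check(ep)
    if failures:
        return ("quarantine", {"remediation_page"}, failures)
    return ("full", set(resources), [])


# Constructed sample posture reports.
SAMPLE_ENDPOINTS = [
    Endpoint("alice-laptop", "laptop", "ExampleAV", 2, 2,
             {r"HKLM\Software\ExamplePolicy\FirewallEnabled": "1"}),
    Endpoint("bob-laptop", "laptop", "ExampleAV", 30, 1, {}),   # stale AV, old patch, no key
    Endpoint("hotel-kiosk", "kiosk", None, None, 0, {}),
    Endpoint("carol-pda", "pda", None, None, 0, {}),
]


def run_demo() -> Dict[str, str]:
    """Evaluate every sample endpoint; returns {name: network} for checking."""
    placement: Dict[str, str] = {}
    for ep in SAMPLE_ENDPOINTS:
        network, resources, failures = decide_access(ep)
        placement[ep.name] = network
        print("%-12s -> %-10s resources=%s" % (ep.name, network, sorted(resources)))
        for f in failures:
            print("    failed check: %s" % f)
    return placement


if __name__ == "__main__":
    run_demo()
```

The point worth noticing is that a failed check does not simply deny the session: the laptop is moved to a network whose only reachable resource is the remediation page, which is what lets the user fix the machine and come back without a help-desk call.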

Visual Policy Editor

Graphically associates a policy relationship between end-points, users and resources


25

Unique Application Compression

Results
Over 50% faster access
Supports compression for any IP application
Faster email & file access
Works across both dial-up and broadband
26

30 Minute Install (NEW)

Quick Setup enables rapid installation and setup even for non-experts
28

Enterprise SSO Integration

Diagram: 1. the user’s ID and password go from FirePass® (applying its dynamic policies) over the Internet to Netegrity SiteMinder; 2. SiteMinder returns a session cookie; 3. FirePass presents that session cookie to the web servers.

HTTP forms-based authentication
Single sign-on to all web applications
Major SSO & identity management vendor support
– Netegrity, Oblix and others
29

Application Security

Diagram: FirePass® sits between the Internet and the web servers, with ICAP AntiVirus servers attached; a request marked “1. SQL Injection” coming from the Internet is blocked (X) before it reaches the web servers.

Policy-based virus scanning
– File uploads
– Webmail attachments
– Integrated scanner
– Open ICAP interface
Web application security
– Cross-site scripting
– Buffer overflow
– SQL injection
– Cookie management
30

Product Lines
31

FirePass Product Line

A product sized and priced appropriately for every customer

FirePass 1200 – Medium Enterprise
25-100 Concurrent Users; 25 to 500 employees
• Comprehensive access
• End-to-End security
• Flexible support
• Failover

FirePass 4200 – Large Enterprise
100-2000 Concurrent Users; 500+ employees
• High performance platform
• Comprehensive access
• End-to-End security
• Flexible support
• Failover
• Cluster up to 10
32

FirePass Failover

Redundant pair
– Stateful failover provides uninterrupted failover for most Internet applications (e.g. VPN connector)
Single management point
– Active unit is configured
– Configuration and state information is periodically synchronized
Separate SKU
– Active unit determines software configuration and concurrent users

Diagram: Active and Hot standby units in front of the intranet application servers
33

FirePass 4100 Clustering

Clustered pair
– Up to 10 servers can be clustered for up to 20,000 concurrent users
– Master server randomly distributes user sessions
– Distributed (e.g. different sites) clusters are supported
Single management point
– Master server is configured
– Configuration information is periodically synchronized
Second FP 4100 Required
– Software features purchased on 2nd server

Diagram: Internet – cluster master and cluster nodes – intranet application servers
34

Case Study: FirePass® vs IPSec Client

300 end user accounts, high availability configuration

                         IPSec Client    FirePass®      Savings
Rollout
  Engineering            120 hrs         20 hrs         100 hrs
  Help Desk              200 hrs         60 hrs         140 hrs
  End User               1 hrs           .5 hrs         x 300 = 150 hrs
Sustaining
  Engineering            1.5 hrs/day     .5 hrs/day     1 hrs/day
  Help Desk              5 hrs/day       2 hrs/day      3 hrs/day
  End User               0               0              0

Savings: 390 hours for rollout, 20 hours/week sustaining

80% user callback for IPSec Client; 15% for FirePass
25 users unable to use IPSec Client; 2 specific hotel room issues w/FirePass
35

Summary of Benefits

Increased productivity
– Secure access from any device, anywhere
– No preinstalled VPN clients
Reduced cost of ownership
– Lower deployment costs
– Fewer support calls
Improved application security
– Granular access to corporate resources
– Application layer security and audit trail
37

Partnerships

“F5's BIG-IP has been designed into a number of Oracle's mission-critical architectures, such as the Maximum Availability Architecture.”
Julian Critchfield, Vice President, Oracle Server Technologies

“Microsoft welcomes F5 Networks' support of Visual Studio 2005… F5 complements our strategy by providing our mutual customers with a way to interact with their underlying network.”
Christopher Flores, Group Product Manager in the .NET Developer Product Management Group at Microsoft Corp.
41

Services & Support

Expertise – F5 offers a full range of personalized, world-class support and services, delivered by engineers with in-depth knowledge of F5 products.

Software Solution Updates – Customers with a support agreement receive all software updates, version releases, and relevant hot fixes as they are released.

Flexibility – Whatever your support demands, F5 has a program to fit your needs. Choose from our Standard, Premium, or Premium Plus service levels.

Full Service Online Tools – Ask F5 and our Web Support Portal.

Fast Replacements – F5 will repair or replace any product or component that fails during the term of your maintenance agreement, at no cost.
42

F5 Services

SERVICES & SUPPORT
Expertise – World-class support and services, delivered by engineers with in-depth knowledge of F5 products.
Software Solution Updates – Software updates, version releases, and relevant hot fixes as they are released.
Flexibility – Standard, Premium, or Premium Plus service levels.
Full Service Online Tools – Ask F5 and our Web Support Portal.
Fast Replacements – F5 will repair or replace any product or component that fails during the term of your maintenance agreement, at no cost.

CERTIFIED GLOBAL TRAINING
Expert Instruction – With highly interactive presentation styles and extensive technical backgrounds in networking, our training professionals prepare students to perform mission-critical tasks.
Hands-On Learning – Theoretical presentations and real-world, hands-on exercises that use the latest F5 products.
Convenience – Authorized Training Centers (ATCs) strategically located around the world.
Knowledge Transfer – Direct interaction with our training experts allows students to get more than traditional “text book” training.

PROFESSIONAL SERVICES
Experience – F5 Professional Consultants know F5 products and networking inside and out. The result? The expertise you need the first time.
High Availability – Our experts work with you to design the best possible high-availability application environment.
Optimization – Our consultants can help you fine tune your F5 traffic management solutions to maximize your network’s efficiency.
Knowledge Transfer – Our professionals will efficiently transfer critical product knowledge to your staff, so they can most effectively support your F5-enabled traffic management environment.
43

F5 Networks Globally

Map: International HQ – Seattle; Regional HQ / Support Centers – EMEA, Japan, APAC; F5 regional offices; F5 development sites – Spokane, San Jose, Tomsk, Tel Aviv, Belfast (Northern Ireland)
44

F5 Networks
Message Security Module

Presented by:
Jürg Wiesmann
Field System Engineer, Switzerland
jürg.wiesmann@f5.com
45

The Message Management Problem

Out of 75 billion emails sent worldwide each day, over 70% is spam!
The volume of spam is doubling every 6-9 months!
Clogging networks
Cost to protect is increasing

Chart: TrustedSource Reputation Scores, Nov 2005 vs Oct 2006 (higher score = worse reputation)
46

Typical Corporate Pain


Employees still get spam
Some are annoying, some are offensive
Infrastructure needed to deal with spam is expensive!
– Firewalls
– Servers
– Software (O/S, anti-spam licenses, etc.)
– Bandwidth
– Rack space
– Power
Budget doesn’t match spam growth
Legitimate email delivery slowed due to spam
47

Why is this happening?

Spam really works!


Click rate of 1 in 1,000,000 is successful
Spammers are smart professionals
– Buy the same anti-spam technology we do
– Develop spam to bypass filters
– Persistence through trial and error
– Blasted out by massive controlled botnets
Professional spammers have
– Racks of equipment
– Every major filtering software and appliance available
– Engineering staff
48

It’s not just annoying…it can be dangerous.

2% of all email globally contains some sort of malware.
– Phishing
– Viruses
– Trojans (zombies, spyware)
49

High Cost of Spam Growth

Spam volume increases
Bandwidth usage increases
Load on firewalls increases
Load on existing messaging security systems increases
Emails slow down
Needlessly uses up rack space, power, admin time…

Diagram: DMZ – Firewall – Messaging Security – Email Servers
50

MSM Blocking At the Edge

Diagram: Emails – BIG-IP MSM (first tier) – Messaging Security Server (second tier) – Mail Servers
First tier: BIG-IP MSM terminates 70% of the spam at the “e hello” (the SMTP EHLO greeting), i.e. on the first packets of the connection
Second tier: the existing messaging security server filters out a further 10% to 20% of spam
Works with any anti-spam solution
51

Why TrustedSource?

Industry Leader
– Solid Gartner reviews & MQ
– IDC market share leader
Superior technology
Stability
52

TrustedSource: Leading IP Reputation DB

View into over 25% of email traffic
50M+ IP addresses tracked globally
Data from 100,000+ sources; 8 of 10 largest ISPs
Millions of human reporters and honeypots
53

TrustedSource

Diagram: Global Data Monitoring feeds Automated Analysis, which performs Dynamic Computation of the Reputation Score (scale from Bad to Good)
IntelliCenter locations: London, Portland, Atlanta, Hong Kong, Brazil
Messages analyzed per month: 10 billion enterprise, 100 billion consumer

Global data monitoring is fueled by the network effect of real-time information sharing from thousands of gateway security devices around the world
54

Shared Global Intelligence

Physical World
– Deploy agents and officers around the globe (Police, FBI, CIA, Interpol)
– Global intelligence system: share intelligence information; example: criminal history, global fingerprinting system
– Results – Effective: accurate detection of offenders; Pro-active: stop them from coming into the country

Cyber World
– Deploy security probes around the globe (firewalls, email gateways, web gateways)
– Global intelligence system (IntelliCenter: London, Portland, Atlanta, Hong Kong, Brazil): share cyber communication info; example: spammers, phishers, hackers
– Results – Effective: accurate detection of bad IPs, domains; Pro-active: deny intruders connections to your enterprise
55

TrustedSource Identifies Outbreaks Before They Happen

Timeline: 9/12/05 – TrustedSource flagged the machine as a zombie; 11/02/05 – other reputation systems flagged it; 11/03/05 – A/V signatures triggered

♦ 11/01/05: This machine began sending Bagle worm across the Internet
♦ 11/03/05: Anti-virus signatures were available to protect against Bagle
♦ Two months earlier, TrustedSource identified this machine as not being trustworthy
56

Content Filters Struggle to ID certain spam


57

Image-based spam

Hashbusting
Scratches
58

Summary of Benefits

Eliminate up to 70% of spam upon receipt of first packet
Reduce cost for message management
– TMOS module – high-performance, cost-effective spam blocking at the network edge
– Integrated into BIG-IP to avoid box proliferation
Improved scalability and message control
– Reputation-based message distribution and traffic shaping
Slightly increase kill-rate on unwanted email
59

Packaging License Tiers

License tiers:
– BIG-IP LTM Only
– MSM for up to 1,000 Mailboxes
– MSM for up to 5,000 Mailboxes
– MSM for up to 10,000 Mailboxes
– MSM for up to 25,000 Mailboxes
– MSM for up to 50,000 Mailboxes
– MSM for up to 75,000+ Mailboxes
– MSM for up to 100,000 Mailboxes
– MSM for over 100,000 Mailboxes

Version Support: 9.2 and higher
Module may be added to any
– LTM or Enterprise
– No module incompatibilities with other modules
Licensed per BIG-IP by number of mailboxes
BIG-IP platform sizing depends on:
– Email volume
– Number of BIG-IPs
– Other functions expected of BIG-IP (additional taxes on CPU time)
60

How BIG-IP MSM Works

Diagram: for each inbound SMTP connection from the Internet, BIG-IP MSM performs a DNS query against Secure Computing’s TrustedSource™ IP reputation score and acts on the result:
– 70% Bad? – drop the first and all subsequent packets
– 10% Bad? – return an error message for clean termination and delete the message
– 20% Suspicious? – route to the Slow Pool of the existing messaging security
– 20% Good? / 10% Trusted? – route to the Fast Pool of the existing messaging security, then on to the email servers
61
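The edge-blocking slide and the MSM flow above describe one decision pipeline: look up the sender’s reputation, then drop, reject cleanly, or forward to a slow or fast pool. The Python below is an added illustration of that pipeline, not F5 or Secure Computing code: the score bands, the SMTP error text, the neutral score for unknown senders and the reputation records (documentation-range addresses) are all constructed assumptions, and the dictionary lookup stands in for the real DNS query.

```python
from collections import Counter
from typing import Dict, List, Tuple

# On these slides "higher score = worse reputation". The bands below are
# assumptions for the demo, not F5's or Secure Computing's real thresholds.
# Each entry is (exclusive upper bound, band name) on a 0-100 scale.
BANDS: List[Tuple[int, str]] = [
    (20, "trusted"),
    (40, "good"),
    (70, "suspicious"),
    (90, "bad_terminate"),
    (101, "bad_drop"),
]

# Band -> (action, target), mirroring the slide: the worst senders are dropped
# at the first packet, the next band gets a clean SMTP error and its message is
# discarded, suspicious senders go to the slow pool and good/trusted senders to
# the fast pool of the existing messaging security tier. Error text is constructed.
ACTIONS: Dict[str, Tuple[str, str]] = {
    "bad_drop":      ("drop_packets", "none"),
    "bad_terminate": ("smtp_error", "421 4.7.1 connection refused by reputation policy"),
    "suspicious":    ("forward", "slow_pool"),
    "good":          ("forward", "fast_pool"),
    "trusted":       ("forward", "fast_pool"),
}

UNKNOWN_SCORE = 50   # assumption: a sender with no record is treated as suspicious

# Constructed reputation records standing in for the DNS query to TrustedSource.
REPUTATION_DB: Dict[str, int] = {
    "203.0.113.5": 97,
    "203.0.113.9": 82,
    "198.51.100.7": 55,
    "198.51.100.20": 30,
    "192.0.2.1": 5,
}


def classify(score: int) -> str:
    """Map a reputation score to its band; rejects out-of-range input."""
    if not 0 <= score <= 100:
        raise ValueError("reputation score must be 0..100, got %r" % score)
    for upper, band in BANDS:
        if score < upper:
            return band
    raise AssertionError("unreachable: bands cover 0..100")


def reputation_lookup(client_ip: str, db: Dict[str, int]) -> int:
    """Stand-in for the DNS reputation query; unknown senders get UNKNOWN_SCORE."""
    return db.get(client_ip, UNKNOWN_SCORE)


def handle_connection(client_ip: str, db: Dict[str, int]) -> Tuple[str, str, str]:
    """Decide what to do with one inbound SMTP connection: (band, action, target)."""
    band = classify(reputation_lookup(client_ip, db))
    action, target = ACTIONS[band]
    return band, action, target


def process(connections: List[str], db: Dict[str, int]) -> Dict[str, int]:
    """Run a batch of connection source IPs through the policy; returns band counts."""
    counts: Counter = Counter()
    for ip in connections:
        band, action, target = handle_connection(ip, db)
        counts[band] += 1
        print("%-15s score=%3d band=%-13s action=%s -> %s"
              % (ip, reputation_lookup(ip, db), band, action, target))
    return dict(counts)


# Constructed connection log: source IPs of inbound SMTP sessions.
SAMPLE_CONNECTIONS = ["203.0.113.5", "203.0.113.5", "203.0.113.9", "198.51.100.7",
                      "198.51.100.20", "192.0.2.1", "192.0.2.77"]

if __name__ == "__main__":
    print(process(SAMPLE_CONNECTIONS, REPUTATION_DB))
```

Two design points carry over to any reputation gate: the decision happens before any message data is accepted, which is where the bandwidth and CPU savings claimed on the slides come from, and an unknown sender must land in a band deliberately (here, suspicious and slow pool) rather than falling through to the fast path.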

Spam Volumes Out of Control

Chart: % of worldwide email that is spam – 70% in Nov 2005, 85% in Oct 2006
62

Hard-to-detect Image Spam is Growing

Chart: image spam as percent of total email, dated points from April to October 2006 (y-axis 0% to 35%)
63

Reputation-based Security Model

Step – Computing Credit (Physical World) – Cyber World
Track – Businesses & Individuals – IPs, Domains, Content, etc.
Compile – Business Transactions (purchases; mortgage, leases; payment transactions) – Cyber Communication (email exchanges; web transactions; URLs, images)
Compute – Credit Score (timely payment; late payment; transaction size) – Reputation Score (good IPs, domains; bad; grey – marketing, adware)
Use – Allow / Deny Credit (loan; LOC; credit terms) – Allow / Deny Communication (stop at FW, web proxy, mail gateway; allow; quarantine)
64

Backup Slides

Firepass
65

Windows Logon (GINA Integration)

Key Features
– Transparent secure logon to corporate network from any access network (remote, wireless and local LAN)
– Non-intrusive and works with existing GINA (no GINA replacement)
– Drive mappings/login scripts from AD
– Simplified installation & setup (MSI package)
– Password mgmt/self-service

Customer Benefits
– Unified access policy mgmt
– Increased ROI
– Ease of use
– Lower support costs
66

Configuring Windows Logon


67

Windows Installer Service

Problem
– Admin user privileges required for network access client component updates

Solution
– Provide a user service on the client machine which allows component updates without admin privileges
68

Network Access Only WebTop

Simplified webtop interface
Automatically minimizes to system tray
69

Windows VPN Dialer

Simple way to connect for users familiar with dial-up


70

FirePass Client CLI

“f5fpc <cmd> <param>” where <cmd> options are:
– start
– info
– stop
– help
– profile

Single sign-on from 3rd party clients (iPass)
71

Auto Remediation
72

Dynamic AppTunnels

Feature Highlights
– No client pre-installation
– No special admin rights for on-demand component install
– No host file re-writes
– Broader application interoperability (complex web apps, static & dynamic ports)
Benefits
– Lower deployment and support costs
– Granular access control
73

Configuring Dynamic AppTunnels

Web Apps

Client/Server
Apps
