How to achieve a fast, secure and available virtualization infrastructure

makeshiftklip | Internet and Web Development

Oct 31, 2013 (3 years and 10 months ago)



Luuk Dries



© F5 Networks



Why virtualization: a small recap

Efficiency
- Maximize CPU, RAM and Disk resources
- Energy savings

Flexibility
- Quick response to business needs
- Quickly adding and removing applications


Why virtualization?

- Business Continuity
- Disaster Recovery
- Security
- Test and Development



Each Application has its own specific requirements:

99,999% Availability, Performance over the WAN, High Security, ...

[Diagram labels: Application Delivery Networking (Available, Fast, Secure); Applications (SharePoint, Database, Siebel, BEA, .NET, SAP, PeopleSoft, IBM, ERP, SalesForce, Custom)]


Availability for the Web Tier…

[Diagram labels: Internet; availability figures 99%, 99%, 99%, 99%, 99.99%, 99.9999%]

- Unmatched scalability and transparency
- High Availability and Load Balancing
- Centralized SSL offloading



… and for the Application Tier

[Diagram labels: Internet; WWW; Application; availability figures 99% (x6), 99%, 98%; Accumulated Availability]

- Full L7 application visibility
- L7 content processing and switching
- Application monitoring


Flexibility: Data Center Automation

- Real-time interfacing with vCenter to add new VMs to the load balancing pool (iControl)
- Advanced Health Checks to ensure that newly provisioned VMs are ready for traffic





Availability and Performance across ISP Links

[Diagram labels: Internet; ISP1; ISP2]

Select link on:
- Availability
- Cost of route
- Protocol
- Source/Destination
- Time

And apply:
- Bandwidth Management
- Traffic Prioritization


Availability and Performance across Datacenters

[Diagram labels: Internet; Local DNS; Primary DC; Backup DC]



My Web Applications are Slow..

[Figure label: IT Manager & App Architect]

- First time visits are slow
- Users are increasingly remote and/or mobile
- Dynamic Web content
- Network latency, packet loss, verbose protocols
- Data center consolidation
- Difficult to accelerate SSL content


Chatty Apps & Latency = Slow Apps

[Diagram labels: Web Browser; MyWebApp.com Web Servers; Time; WAN Latency, 250 ms (x4)]

A web page load with about 100 objects generates at least 100 round-trips

- LAN: 100/2 x 1 ms = 50 ms
- WAN: 100/2 x 250 ms = 12.5 seconds!


Impact of Web Acceleration

[Figure panels: With; Without]


F5 Approach: Three Tiers of Acceleration

Tier 1 Acceleration: Network Offload
- Re-use downloaded objects/content (IBR)
- Reduce data transferred (Compression)

Tier 2 Acceleration: Server Offload
- Servers are busy serving same data over and over (Caching)
- Too many connections to back-end servers (OneConnect & spooling)
- Overflow of connections to back-end servers (RateShape & conn limit)
- SSL offload
- Compression offload

Tier 3 Acceleration: Application Offload
- Browser re-downloads same content over and over (IBR)
- Force multiple connections (MultiConnect)
- Web apps are slow over the WAN (ESI, Compression, PDF linear..)


Effect of 3 Tiers of Acceleration: Page Load Time

Up to 90% reduction in Page load time


Effect of 3 Tiers of Acceleration: CPU Utilization

Up to 90% reduction in CPU utilization


Intelligent Browser Referencing

Problem: Repeated Content Retrieval Slows Web Application

Dynamic pages contain mostly static content that is retrieved repeatedly

[Figure callout: This is the only dynamic content]


Intelligent Browser Referencing

Solution: WebAccelerator Enables Browser Re-use of Cacheable Contents

- No client to download
- No changes to browser

[Diagram labels: Initial Request (Compression, Cache); Subsequent Client Requests (Cache, Apply IBR cache expiration); Repeat Visits (Retrieve from Browser Cache)]


Easy to Deploy

Easy to Integrate
- Validated in vendor application labs
- Certified policies pre-configured


Web Acceleration Performance

[Bar chart: axis in Seconds (0.00 to 35.00); applications: SharePoint 2007 Portal, Siebel, PeopleSoft, SAP Portal, Ecommerce, IBM Websphere, Plumtree, Outlook Web Access, BEA Weblogic; series: Without Acceleration, With Asymmetric Acceleration, With Symmetric Acceleration]

2X to 10X Performance Increase


F5 and VMware can enable a secure, live migration

- …of a virtualized application and its storage
- …from one site to another
- …without downtime and without user disruption.



Initial Environment

[Diagram labels: BIG-IP Global Traffic Manager; BIG-IP Local Traffic Manager (x2); vCenter A; vCenter B]


Step 1: F5 BIG-IP Local Traffic Manager Opens WAN Optimization Tunnel

- Compressed
- De-Duplicated
- Encrypted


Step 2: Storage vMotion Executed Across WAN Optimized Tunnel

This step can be avoided if storage is already being synchronously replicated between sites


Step 2: Pending App vMotion, transactions rely on VM in Site A, but Storage in Site B

vCenter A still managing VM


Step 3: Application vMotion Executed Over WAN Optimized Tunnel


Step 4: vCenter Instructs F5 BIG-IP Global Traffic Manager to Cut Over to Site-B


F5 BIG-IP Global Traffic Manager Routes All NEW Application Connections/Sessions Directly to Site B.


F5 BIG-IP Local Traffic Manager in Site A Redirects EXISTING Sessions Temporarily to Site B Until Clients Register DNS Change


Eventually, ALL Connections Go Directly to Site B.

The Process Can Be Reversed When Necessary.

Successful Application Migration Complete


Web Application Security

- WAF allows legitimate requests
- Stops bad requests / responses

[Diagram labels: Browser; Unauthorised Access (x2); Non-compliant Information; Infrastructural Intelligence]


Challenges of Web Application Security

- HTTP attacks are valid requests
- HTTP is stateless, application is stateful
- Web applications are unique
  - there are no signatures for YOUR web application
- Good protection has to inspect the response as well
- Encrypted traffic facilitates attacks…
- Organizations are living in the dark
  - missing tools to expose/log/report HTTP(s) attacks




ASM: Powerful Adaptable Solution

- Provides comprehensive protection for all web application vulnerabilities
- Provides out of the box security
- Logs and reports all application traffic
- Provides L2->L7 protection
- Unifies security and acceleration services
- Stop attacks unseen by traditional WAFs (anti-evasion)
- Provide On-Demand WAF scaling
- Sees Application level performance


Layer 7 DoS and Brute Force

Unique Attack Detection and Protection

- Unwanted clients are remediated and desired clients are serviced
- Improved application availability


Why F5? The F5 Advanced ADN

[Diagram labels: Application Delivery Networking (Available, Fast, Secure); Applications (SharePoint, Database, Siebel, BEA, .NET, SAP, PeopleSoft, IBM, ERP, SalesForce, Custom)]


Gartner Magic Quadrant for ADC

[Chart: quadrants: niche players, visionaries, challengers, leaders; axes: completeness of vision, ability to execute; vendors plotted: F5 Networks, Citrix Systems, Cisco Systems, Foundry Networks, Nortel Networks, Zeus Technology, Radware]

F5 Networks
- Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.
- Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP.
- Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time.
- Strong underlying platform allows easy extensibility to add features.
- Support of an increasingly loyal and large group of active developers tuning their applications environments specifically with F5 infrastructure.

Source: Gartner (July 2008)


BIG-IP Hardware Line-up

[Chart axes: Price; Function / Performance]

BIG-IP 1600
- Dual core CPU
- 4 10/100/1000 + 2x 1GB SFP
- 1x 160GB HD
- 4 GB memory
- SSL @ 5K TPS/1 Gb Bulk
- 750 Mbps max software compression
- 750 M Traffic
- 1 Basic Product Module

BIG-IP 3600
- Dual core CPU
- 8 10/100/1000 + 2x 1GB SFP
- 1x 160 GB HD + 8GB CF
- 4 GB memory
- SSL @ 10K TPS/2 Gb bulk
- 1 Gbps max software compression
- 1.5 Gbps Traffic
- 1 Advanced Product Module

BIG-IP 6900
- 2 x Dual core CPU
- 16 10/100/1000 + 8x 1GB SFP
- 2x 320 GB HD (S/W RAID) + 8GB CF
- 8 GB memory
- SSL @ 25K TPS/ 4 Gb bulk
- 5 Gbps max hardware compression
- 6 Gbps Traffic
- Multiple Product Modules

BIG-IP 8900
- 2 x Quad core CPU
- 16 10/100/1000 or 2 10GE SFP+
- 2x 320 GB HD + 8GB CF
- 16 GB memory
- SSL @ 58K TPS/9.6 Gb Bulk
- 8 Gbps max hardware compression
- 12 Gbps Traffic
- Multiple Product Modules

VIPRION
- 36 Gbps Traffic
- Multiple Product Modules
- Ultimate redundancy in a single chassis


F5’s Data Center Vision: Unified Application & Data Delivery

[Diagram labels:
- Clients: PC - Home, PC - LAN, WLAN, Cell, Remote - WAN
- Data centers: DC 1: U.S., DC 2: U.K., each with Link 1, Link 2, Link 3
- Layers (each "Services & Policy"): Data Center & Link Virtualization, Web Server Virtualization, Application Server Virtualization, File Storage Virtualization
- Products: BIG-IP LTM, GTM & LC; BIG-IP LTM, WA, ASM; BIG-IP LTM, SAM; F5 ARX
- Back ends: Web Server, App. Server, Windows file storage, NetApp, EMC]


ARX: File Virtualization

BEFORE: User / application access tightly coupled to physical file storage
- Inflexible: change is disruptive
- Complex: multiple mappings to heterogeneous storage devices
- Inefficient: low aggregate utilization

AFTER: File access decoupled from physical storage location
- Flexible: change is non-disruptive
- Simple: single mapping to unified storage pool
- Efficient: maximize utilization


Tiering / ILM / Data Migration

- Match cost of storage to business value of data
- Files are automatically moved between tiers based on flexible criteria such as age, type, size, etc.
- Drivers:
  - Storage cost savings, backup efficiencies, compliance
- Benefits:
  - Reduced CAPEX
  - Reduced backup windows and infrastructure costs


Summary

- F5 offers you the scalability both in performance and functionality to optimize all your applications
- F5 makes your applications SECURE, FAST, AVAILABLE in the most flexible and stable solution
- F5 optimizes your storage environment