1 / 36

F5 User’s Group

F5 User’s Group . Welcome!. Introductions Name Title Company Role Requests (optional). Please introduce yourself Name Title Company Your role Application Network Security Requests? (optional). F5 User’s Group Meeting October 3 rd 2012 Agenda.

raisie
Télécharger la présentation

F5 User’s Group

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. F5 User’s Group

  2. Welcome! Introductions Name Title Company Role Requests (optional) • Please introduce yourself • Name • Title • Company • Your role • Application • Network • Security • Requests? (optional)

  3. F5 User’s Group Meeting October 3rd 2012Agenda The new F5 Technical Certification Program • Ken Salchow, Program Manager F5 Technology Update – What’s new • Nathan McMahon – Sr. Solution Architect 10 Minute Break Creating an ASM (Web Application Firewall) policy using Cenzic Hailstorm • Jon Bartlett, Field Systems Engineer F5 Customer, SE and SA roundtable

  4. F5 Technical Certification Program Certification & Test Overview KJ (Ken) Salchow, Jr. Program Manager, Technical Certification

  5. Individual Three Distinct Pieces • Internal • Partner Programs • Certification F5 Training • Customer Guardian Service Guardian Consulting Industry Knowledge

  6. Increasing Complexity and Risk

  7. The Missing Pieces • End-to-End Application Delivery Knowledge MISSING • Solution Knowledge • BIG-IP LTM Advanced • BIG-IP LTM • ARX • Troubleshooting Engineer • BIG-IP LTM • BIG-IP GTM • ASM • FirePass • ARX Configuration Product Consultant • Basic Application Delivery Knowledge MISSING

  8. NO COLLEGE COURSES NO ADC HANDBOOK NO LEARNING PATH NO TECHNOLOGY KNOWLEDGE

  9. Program Objective Bring applications and networks together through technologists rigorously verified to have expertise across the technology stack.

  10. Engineer Certification Track • Application Delivery Architect • Application Delivery Engineer • Service Provider Expert • Security Expert • Availability Expert • Optimization Expert • LTM Specialist • WAM/ WOMSpecialist • iRules Specialist • GTM Specialist • ASM Specialist • APM Specialist • BIG-IP Administrator

  11. Testing Tracks • iApps Developer • Application Delivery Architect Lab • Availability Solutions • Security Solutions • Optimization Solutions • Service Provider Solutions 500 Level 400 Level • GTM Specialist • ASM Specialist • APM Specialist • WAM/ WOMSpecialist • iRules Developer • LTM Specialist (b) 300 Level • LTM Specialist (a) • TMOS Administration 200 Level • Application Delivery Fundamentals 100 Level LTM Specialist (a) - Architect, Setup & Deploy LTM Specialist (b) - Maintain & Troubleshoot

  12. Development Process Each Exam: • 7 Months from Start to Finish • 1200 Man-Hours (just SMEs) • ~ $85,000 USD (direct costs) • Course Development • Test Design • Publication • Job Analysis • Standard Setting • Blueprint Development • Exam Assembly • Item Development • Item Analysis • Beta Publication

  13. BIG-IP v11.2.1 Nathan McMahon Solution Architect

  14. BIG-IP 3600 BIG-IP 3900 BIG-IP 4200v • 2x 10G Ports • 8x 1G Ports • Quad Core CPU • 16GB Memory • Triple the SSL 2K key TPS • 2.5x the L7 performance • 2.5x the throughput • 8G Hardware Compression • 80+ Gold Power Supply • Future vCMP support (TBD) 800K 9000 TPS 10G 8G 3000 TPS 4G 400K Software Only BIG-IP 4200v BIG-IP 4200v BIG-IP 4200v BIG-IP 3900 BIG-IP 3900 BIG-IP 4200v BIG-IP 3900 BIG-IP 3900 H/W Compression SSL TPS (2K) L7 RPS Throughput

  15. Connection Throttling Set limits for the amount of traffic sent to a server. Useful to mitigate DoS or for less scalable applications

  16. Connection Throttling

  17. Connection Throttling 18 when RULE_INIT { 21 set static::conn_debug 1 25 set static::conn_rate 10 30 set static::interval 1 32 log local0. "Configured to enforce a rate of [expr {$static::conn_rate / $static::interval}]\ 33 cps ($static::conn_rate connections / $static::interval second)" 36 set static::whitelist_classvsratelimit_whitelist_class 40 set static::tbl "vsratelimit" 41 } 42 when CLIENT_ACCEPTED { 45 if {[class match [IP::client_addr] equals vsratelimit_whitelist_class]}{ 48 return 49 } 50 set key "[IP::client_addr]:[TCP::client_port]" 55 set tbl ${static::tbl}_[virtual name] 58 set current [table keys -subtable $tbl -count] 59 if { $current >= $static::conn_rate } { 62 if { $static::conn_debug }{ log local0. "$key: Connection to [IP::local_addr]:[TCP::local_port]\ 63 ([virtual name]). At limit, rejecting (current: $current / max: $static::conn_rate)" } 66 TCP::close 68 } else { 72 table set -subtable $tbl $key " " indefinite $static::interval 73 if { $static::conn_debug }{ log local0. "$key: Connection to [IP::local_addr]:[TCP::local_port]\ 74 ([virtual name]). Under limit, allowing (current: [table keys -subtable $tbl -count] / max: $static::conn_rate)" } 75 } 76 }

  18. Connection Throttling Now in the GUI Virtual Server Pool Member

  19. Connection Throttling Specifies the maximum number of connections-per-second allowed for a virtual server, pool member, or node. When the number of number of connections-per-second reaches the limit for a given virtual server, pool member, or node, the system redirects additional connection requests. This helps detect Denial of Service attacks, where connection requests flood a virtual server, pool member, or node. Setting this to 0 turns off connection limits. The default is 0.

  20. Connection Throttling Set limits for the amount of traffic sent to a server. Useful to mitigate DoS or for less scalable applications

  21. ASM Demo Jon Bartlett Field Systems Engineer

  22. Requesting a Scan from the Cenzic Cloud • Running Cenzic Scans from F5 ASM (core usage)

  23. Scan Finished • Running Cenzic Scans from F5 ASM (core usage)

  24. Selecting a Class of Vulnerabilities • Running Cenzic Scans from F5 ASM (core usage)

  25. Selecting Vulnerabilities to Resolve • Running Cenzic Scans from F5 ASM (core usage)

  26. Resolving • Running Cenzic Scans from F5 ASM (core usage)

  27. Resolving • Running Cenzic Scans from F5 ASM (core usage)

  28. Resolved (Mitigated) • Running Cenzic Scans from F5 ASM (core usage)

  29. Resolved (Mitigated) • Running Cenzic Scans from F5 ASM (core usage)

  30. ASM Parameters View • Running Cenzic Scans from F5 ASM (core usage)

  31. F5 Free Scans by Cenzic Find Vulnerabilities and Reduce Exposure 3 free application scans Free scans are limited health check services No time limits once signed up No other vendors currentlyprovide free scan via our ASM UI Or “off box” http://www.cenzic.com/f5/reg CenzicHealthCheck Scans test for: • Cross-Site Scripting* • Application Exception • SQL Injection • Open Redirect  • Password Auto-Complete* • Credit Card Disclosure • Non-SSL Password* • Check HTTP Methods • Basic Auth over HTTP • Directory Browsing • *Only these three included in non-F5 Free promotions

  32. F5 Free Scans by WhiteHatPersistent Assessment and Reduced Exposure 30-90 day free application scans pulled into ASM/VE dashboard Free assessments are unlimited during eval period WH Enterprise BE test for: • Injection • Cross Site Scripting Insecure Direct Object References • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Invalidated Redirects and Forwards

  33. Use to build a new policy or add to an existing policy Manually import vulnerability scan results from: IBM AppScan QualysQualysGuard Single click remediation

  34. Roundtable Topics VDI Gateway Improving Performance Industry News Security Attacks I thought virtualization would be more fun Encryption makes me blind

  35. Roundtable Topics Life in the cloud Where you come from matters Data, Data, Data – I can’t make bricks without clay BYOD Scale to the Nth

  36. Please fill out a survey

More Related