F5 User’s Group. 2 IT agility. Your way. Welcome! Introductions Name Title Company Role Requests...


F5 User’s Group

IT agility. Your way.

Welcome! Introductions

Please introduce yourself

• Name
• Title
• Company
• Your role
  • Application
  • Network
  • Security
• Requests? (optional)

F5 User’s Group Meeting October 3rd 2012

Agenda

The new F5 Technical Certification Program

Ken Salchow, Program Manager

F5 Technology Update – What’s new

Nathan McMahon – Sr. Solution Architect

10 Minute Break

Creating an ASM (Web Application Firewall) policy using Cenzic Hailstorm

Jon Bartlett, Field Systems Engineer

F5 Customer, SE and SA roundtable

KJ (Ken) Salchow, Jr.

Program Manager, Technical Certification

F5 TECHNICAL CERTIFICATION PROGRAM CERTIFICATION & TEST OVERVIEW


Partner Programs

Guardian Service

Guardian Consulting

Certification

Three Distinct Pieces

F5 Training

Industry Knowledge

Internal

Customer

Individual


Increasing Complexity and Risk


The Missing Pieces

BIG-IP LTM

BIG-IP LTM

BIG-IP GTM ASM FirePass

ARX Configuration

BIG-IP LTM

Advanced

ARX Troubleshooting

Product Consultant

Engineer

End-to-End Application Delivery Knowledge

Solution Knowledge: MISSING

Basic Application Delivery Knowledge: MISSING

NO ADC HANDBOOK

NO COLLEGE COURSES

NO LEARNING PATH

NO TECHNOLOGY KNOWLEDGE

Program Objective

Bring applications and networks together through technologists rigorously verified to have expertise across the technology stack.

Engineer Certification Track

BIG-IP Administrator

LTM Specialist

GTM Specialist

ASM Specialist

APM Specialist

iRules Specialist

WAM/WOM Specialist

Availability Expert

Security Expert

Optimization Expert

Service Provider Expert

Application Delivery Architect

Application Delivery Engineer

Testing Tracks

Application Delivery Fundamentals, 100 Level

TMOS Administration, 200 Level

GTM Specialist

ASM Specialist

APM Specialist

WAM/WOM Specialist

iRules Developer

300 Level

Application Delivery Architect Lab

500 Level

iApps Developer

400 Level

Availability Solutions

Security Solutions

Optimization Solutions

Service Provider Solutions

LTM Specialist (b)

LTM Specialist (a)

LTM Specialist (a) - Architect, Setup & Deploy

LTM Specialist (b) - Maintain & Troubleshoot

Course Development

Test Design

Job Analysis

Blueprint Development

Item Development

Beta Publication

Item Analysis

Exam Assembly

Standard Setting

Publication

Development Process

Each Exam:

• 7 Months from Start to Finish
• 1200 Man-Hours (just SMEs)
• ~ $85,000 USD (direct costs)

Nathan McMahon

Solution Architect

BIG-IP V11.2.1

BIG-IP 4200v

• 2x 10G Ports
• 8x 1G Ports
• Quad Core CPU
• 16GB Memory
• Triple the SSL 2K key TPS
• 2.5x the L7 performance
• 2.5x the throughput
• 8G Hardware Compression
• 80+ Gold Power Supply
• Future vCMP support (TBD)

BIG-IP 3600

BIG-IP 3900

Charts: BIG-IP 4200v compared with BIG-IP 3900

L7 RPS: BIG-IP 4200v 800K, BIG-IP 3900 400K

SSL TPS (2K): BIG-IP 4200v 9000 TPS, BIG-IP 3900 3000 TPS

H/W Compression: BIG-IP 4200v 8G, BIG-IP 3900 Software Only

Throughput: BIG-IP 4200v 10G, BIG-IP 3900 4G

Connection Throttling

Set limits for the amount of traffic sent to a server. Useful to mitigate DoS or for less scalable applications.

• Rate Shaping: Bandwidth throttling
• Connection Limit: Maximum connections
• Slow Ramp: Ramp up the number of new connections per second sent to the server


Connection Throttling


    when RULE_INIT {
        # Log each allow/reject decision (1 = on, 0 = off)
        set static::conn_debug 1
        # Maximum number of new connections allowed per interval
        set static::conn_rate 10
        # Length of the measurement interval, in seconds
        set static::interval 1
        log local0. "Configured to enforce a rate of [expr {$static::conn_rate / $static::interval}]\
            cps ($static::conn_rate connections / $static::interval second)"
        # Data group of client addresses that are never rate limited
        set static::whitelist_class vsratelimit_whitelist_class
        # Prefix of the session subtable that tracks recent connections
        set static::tbl "vsratelimit"
    }
    when CLIENT_ACCEPTED {
        # Whitelisted clients bypass the limit
        if {[class match [IP::client_addr] equals $static::whitelist_class]} {
            return
        }
        # One table entry per connection, in one subtable per virtual server
        set key "[IP::client_addr]:[TCP::client_port]"
        set tbl ${static::tbl}_[virtual name]
        # Entries expire after one interval, so the key count is the recent connection count
        set current [table keys -subtable $tbl -count]
        if { $current >= $static::conn_rate } {
            if { $static::conn_debug } { log local0. "$key: Connection to [IP::local_addr]:[TCP::local_port]\
                ([virtual name]). At limit, rejecting (current: $current / max: $static::conn_rate)" }
            TCP::close
        } else {
            # Record this connection with a lifetime of one interval
            table set -subtable $tbl $key " " indefinite $static::interval
            if { $static::conn_debug } { log local0. "$key: Connection to [IP::local_addr]:[TCP::local_port]\
                ([virtual name]). Under limit, allowing (current: [table keys -subtable $tbl -count] / max: $static::conn_rate)" }
        }
    }
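Added example, not part of the original slides: a small Python model of the iRule's table logic, replayed over constructed traffic to show how the expiring entries act as a sliding window and how the whitelist and per-virtual-server subtables affect the verdict. The class name, virtual server names, addresses and the limit of 3 are assumptions chosen for illustration.

```python
import ipaddress

class VsRateLimiter:
    """Model of the iRule: one subtable per virtual server, one entry per
    accepted connection, each entry living for `interval` seconds."""

    def __init__(self, conn_rate=10, interval=1, whitelist=()):
        self.conn_rate = conn_rate
        self.interval = interval
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.tables = {}  # virtual server name -> {"ip:port": expiry time}

    def client_accepted(self, vs, ip, port, now):
        # Mirrors `class match [IP::client_addr] equals <whitelist class>`
        if any(ipaddress.ip_address(ip) in net for net in self.whitelist):
            return "allow-whitelisted"
        tbl = self.tables.setdefault(vs, {})
        # Drop entries whose lifetime has passed (the session table does this itself)
        for key in [k for k, exp in tbl.items() if exp <= now]:
            del tbl[key]
        # Mirrors `[table keys -subtable $tbl -count] >= $static::conn_rate`
        if len(tbl) >= self.conn_rate:
            return "reject"  # the iRule calls TCP::close here
        tbl[f"{ip}:{port}"] = now + self.interval
        return "allow"

# Constructed sample traffic: (virtual server, client IP, client port, time in s)
SAMPLE_EVENTS = [
    ("vs_web", "198.51.100.7", 40001, 0.00),
    ("vs_web", "198.51.100.7", 40002, 0.10),
    ("vs_web", "198.51.100.7", 40003, 0.20),
    ("vs_web", "203.0.113.9", 51000, 0.30),   # other client, same budget
    ("vs_web", "10.0.0.5", 33000, 0.40),      # whitelisted network
    ("vs_api", "203.0.113.9", 51001, 0.50),   # separate subtable per virtual server
    ("vs_web", "203.0.113.9", 51002, 1.05),   # first entry has expired
]

def run_sample():
    limiter = VsRateLimiter(conn_rate=3, interval=1, whitelist=["10.0.0.0/8"])
    return [limiter.client_accepted(*event) for event in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_sample()):
        print(event, "->", verdict)
```

The fourth verdict shows that the budget is shared by every non-whitelisted client of a virtual server, so `conn_rate` has to be sized for the aggregate legitimate connection rate rather than for one client.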

Connection Throttling


Connection Throttling

Now in the GUI

Virtual Server

Pool Member


Specifies the maximum number of connections-per-second allowed for a virtual server, pool member, or node. When the number of connections-per-second reaches the limit for a given virtual server, pool member, or node, the system redirects additional connection requests. This helps detect Denial of Service attacks, where connection requests flood a virtual server, pool member, or node. Setting this to 0 turns off connection limits. The default is 0.

Connection Throttling

Connection Throttling

Set limits for the amount of traffic sent to a server. Useful to mitigate DoS or for less scalable applications.

• Rate Shaping: Bandwidth throttling
• Connection Limit: Maximum connections
• Connection Rate Limit: Max new connections / sec
• Slow Ramp: Ramp up the number of new connections per second sent to the server

Jon Bartlett

Field Systems Engineer

ASM DEMO


Requesting a Scan from the Cenzic Cloud

Running Cenzic Scans from F5 ASM (core usage)


Scan Finished

Running Cenzic Scans from F5 ASM (core usage)


Selecting a Class of Vulnerabilities

Running Cenzic Scans from F5 ASM (core usage)


Selecting Vulnerabilities to Resolve

Running Cenzic Scans from F5 ASM (core usage)


Resolving

Running Cenzic Scans from F5 ASM (core usage)


Resolving

Running Cenzic Scans from F5 ASM (core usage)


Resolved (Mitigated)

Running Cenzic Scans from F5 ASM (core usage)


Resolved (Mitigated)

Running Cenzic Scans from F5 ASM (core usage)


ASM Parameters View

Running Cenzic Scans from F5 ASM (core usage)

F5 Free Scans by Cenzic: Find Vulnerabilities and Reduce Exposure

• 3 free application scans
• Free scans are limited health check services
• No time limits once signed up
• No other vendors currently provide free scan via our ASM UI
• Or “off box” http://www.cenzic.com/f5/reg

Cenzic HealthCheck Scans test for:

1. Cross-Site Scripting*
2. Application Exception
3. SQL Injection
4. Open Redirect
5. Password Auto-Complete*
6. Credit Card Disclosure
7. Non-SSL Password*
8. Check HTTP Methods
9. Basic Auth over HTTP
10. Directory Browsing

*Only these three included in non-F5 Free promotions

F5 Free Scans by WhiteHat: Persistent Assessment and Reduced Exposure

• 30-90 day free application scans pulled into ASM/VE dashboard
• Free assessments are unlimited during eval period

WH Enterprise BE test for:

1. Injection
2. Cross Site Scripting
3. Insecure Direct Object References
4. Security Misconfiguration
5. Insecure Cryptographic Storage
6. Failure to Restrict URL Access
7. Insufficient Transport Layer Protection
8. Unvalidated Redirects and Forwards


Manually import vulnerability scan results from:

• IBM AppScan

• Qualys QualysGuard

Single click remediation

Use to build a new policy or add to an existing policy

Roundtable Topics

VDI Gateway

Industry News

Security Attacks

Encryption makes me blind

Improving Performance

I thought virtualization would be more fun

Roundtable Topics

BYOD

Scale to the Nth

Life in the cloud

Data, Data, Data – I can’t make bricks without clay

Where you come from matters


Thank You!

Please fill out a survey