F5 User’s Group
Page 1: F5 User’s Group

F5 User’s Group

Page 2: F5 User’s Group

IT agility. Your way.

Welcome! Introductions

Please introduce yourself:

• Name
• Title
• Company
• Your role (Application, Network, Security)
• Requests? (optional)

Page 3: F5 User’s Group

F5 User’s Group Meeting, October 3rd 2012

Agenda

• The new F5 Technical Certification Program – Ken Salchow, Program Manager
• F5 Technology Update – What’s new – Nathan McMahon, Sr. Solution Architect
• 10 Minute Break
• Creating an ASM (Web Application Firewall) policy using Cenzic Hailstorm – Jon Bartlett, Field Systems Engineer
• F5 Customer, SE and SA roundtable

Page 4: F5 User’s Group

KJ (Ken) Salchow, Jr. – Program Manager, Technical Certification

F5 Technical Certification Program: Certification & Test Overview

Page 5: F5 User’s Group

Three Distinct Pieces

• Partner Programs (Guardian Service, Guardian Consulting)
• F5 Training
• Certification

Other labels on the slide diagram: Industry Knowledge; Internal, Customer, Individual

Page 6: F5 User’s Group


Increasing Complexity and Risk

Page 7: F5 User’s Group

The Missing Pieces

Existing product training: BIG-IP LTM, BIG-IP LTM Advanced, BIG-IP GTM, ASM, FirePass, ARX Configuration, ARX Troubleshooting (Product Consultant and Engineer levels)

• End-to-End Application Delivery Knowledge
• Solution Knowledge – MISSING
• Basic Application Delivery Knowledge – MISSING

Page 8: F5 User’s Group

• NO ADC HANDBOOK
• NO COLLEGE COURSES
• NO LEARNING PATH
• NO TECHNOLOGY KNOWLEDGE

Page 9: F5 User’s Group

Program Objective

Bring applications and networks together through technologists rigorously verified to have expertise across the technology stack.

Page 10: F5 User’s Group

Engineer Certification Track

• BIG-IP Administrator
• Specialist: LTM Specialist, GTM Specialist, ASM Specialist, APM Specialist, iRules Specialist, WAM/WOM Specialist
• Expert: Availability Expert, Security Expert, Optimization Expert, Service Provider Expert
• Application Delivery Architect
• Application Delivery Engineer

Page 11: F5 User’s Group

Testing Tracks

• 100 Level: Application Delivery Fundamentals
• 200 Level: TMOS Administration
• 300 Level: LTM Specialist (a), LTM Specialist (b), GTM Specialist, ASM Specialist, APM Specialist, WAM/WOM Specialist, iRules Developer, iApps Developer
• 400 Level: Availability Solutions, Security Solutions, Optimization Solutions, Service Provider Solutions
• 500 Level: Application Delivery Architect Lab

LTM Specialist (a) – Architect, Setup & Deploy; LTM Specialist (b) – Maintain & Troubleshoot

Page 12: F5 User’s Group

Development Process

Steps: Course Development, Test Design, Job Analysis, Blueprint Development, Item Development, Beta Publication, Item Analysis, Exam Assembly, Standard Setting, Publication

Each Exam:
• 7 Months from Start to Finish
• 1200 Man-Hours (just SMEs)
• ~ $85,000 USD (direct costs)

Page 13: F5 User’s Group

Nathan McMahon – Solution Architect

BIG-IP V11.2.1

Page 14: F5 User’s Group

BIG-IP 4200v

• 2x 10G Ports
• 8x 1G Ports
• Quad Core CPU
• 16GB Memory
• Triple the SSL 2K key TPS
• 2.5x the L7 performance
• 2.5x the throughput
• 8G Hardware Compression
• 80+ Gold Power Supply
• Future vCMP support (TBD)

Comparison chart (BIG-IP 4200v, BIG-IP 3600, BIG-IP 3900); values recoverable from the slide:

Metric            BIG-IP 4200v    BIG-IP 3900
L7 RPS            800K            400K
SSL TPS (2K)      9000 TPS        3000 TPS
H/W Compression   8G              Software Only
Throughput        10G             4G

Page 15: F5 User’s Group

Connection Throttling

Set limits for the amount of traffic sent to a server. Useful to mitigate DoS or for less scalable applications.

Rate Shaping       Bandwidth throttling
Connection Limit   Maximum connections
Slow Ramp          Ramp up the number of new connections per second sent to the server

Page 16: F5 User’s Group


Connection Throttling

Page 17: F5 User’s Group

Connection Throttling – rate-limiting iRule

    # Limit new connections per virtual server to conn_rate per interval
    # seconds; clients in the whitelist data group are exempt.
    when RULE_INIT {
        set static::conn_debug 1
        set static::conn_rate 10
        set static::interval 1
        log local0. "Configured to enforce a rate of [expr {$static::conn_rate / $static::interval}]\
            cps ($static::conn_rate connections / $static::interval second)"
        # Data group (class) of client addresses that bypass the limit
        set static::whitelist_class vsratelimit_whitelist_class
        # Subtable name prefix; one subtable per virtual server
        set static::tbl "vsratelimit"
    }
    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals $static::whitelist_class] } {
            return
        }
        # One table entry per accepted connection, unique per source address:port
        set key "[IP::client_addr]:[TCP::client_port]"
        set tbl ${static::tbl}_[virtual name]
        # Entries still alive = connections accepted within the last interval
        set current [table keys -subtable $tbl -count]
        if { $current >= $static::conn_rate } {
            if { $static::conn_debug } { log local0. "$key: Connection to [IP::local_addr]:[TCP::local_port]\
                ([virtual name]). At limit, rejecting (current: $current / max: $static::conn_rate)" }
            TCP::close
        } else {
            # Lifetime = interval, so each entry expires on its own and frees a slot
            table set -subtable $tbl $key " " indefinite $static::interval
            if { $static::conn_debug } { log local0. "$key: Connection to [IP::local_addr]:[TCP::local_port]\
                ([virtual name]). Under limit, allowing (current: [table keys -subtable $tbl -count] / max: $static::conn_rate)" }
        }
    }
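A model of the rate-limiting logic in the iRule above, written here as an added Python example (not F5 code and not the BIG-IP table API): one table per virtual server, one entry per accepted connection with a lifetime of `interval` seconds, rejection once the count of live entries reaches `conn_rate`, and whitelisted sources exempt. It also shows the property a defender should keep in mind: the budget is shared by every client of the virtual server, which is what protects the back end during a flood but also means legitimate clients are refused once the budget is spent. The class and function names, the clock injection and the sample addresses are constructed.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class VsRateLimiter:
    """Model of the iRule: one table per virtual server, one entry per accepted
    connection, each entry expiring after `interval` seconds (constructed model)."""
    conn_rate: int = 10                  # static::conn_rate
    interval: float = 1.0                # static::interval (entry lifetime)
    whitelist: frozenset = frozenset()   # the whitelist data group
    clock: Callable[[], float] = time.monotonic
    tables: Dict[str, Dict[str, float]] = field(default_factory=dict)

    def _live_entries(self, vs: str) -> Dict[str, float]:
        """Drop expired entries (what the table lifetime does on BIG-IP)."""
        now = self.clock()
        tbl = self.tables.setdefault(vs, {})
        for key in [k for k, exp in tbl.items() if exp <= now]:
            del tbl[key]
        return tbl

    def client_accepted(self, vs: str, addr: str, port: int) -> bool:
        """CLIENT_ACCEPTED: True = allow, False = TCP::close."""
        if addr in self.whitelist:
            return True                       # never counted, never limited
        tbl = self._live_entries(vs)
        if len(tbl) >= self.conn_rate:
            return False                      # at limit, reject
        tbl[f"{addr}:{port}"] = self.clock() + self.interval
        return True


def simulate() -> dict:
    """Constructed scenario: 3 connections/second, one whitelisted address."""
    now = [0.0]
    lim = VsRateLimiter(conn_rate=3, interval=1.0,
                        whitelist=frozenset({"10.0.0.5"}), clock=lambda: now[0])
    out = {}
    # A burst of 5 new connections within one second: only 3 get through,
    # and the budget is then gone for every other client of this VS too.
    out["burst"] = [lim.client_accepted("vs_web", "203.0.113.7", 40000 + i) for i in range(5)]
    out["other_client"] = lim.client_accepted("vs_web", "198.51.100.9", 6000)
    out["whitelisted"] = lim.client_accepted("vs_web", "10.0.0.5", 5000)
    # The limit is per virtual server, so another VS has its own budget.
    out["other_vs"] = lim.client_accepted("vs_api", "203.0.113.7", 40100)
    # Once the entries' lifetime elapses the window drains by itself.
    now[0] = 1.0
    out["after_interval"] = lim.client_accepted("vs_web", "198.51.100.9", 6001)
    return out
```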

Page 18: F5 User’s Group

Connection Throttling – now in the GUI

Connection Rate Limit setting shown on the Virtual Server and on the Pool Member

Page 19: F5 User’s Group

Connection Throttling – Connection Rate Limit

Specifies the maximum number of connections-per-second allowed for a virtual server, pool member, or node. When the number of connections-per-second reaches the limit for a given virtual server, pool member, or node, the system redirects additional connection requests. This helps detect Denial of Service attacks, where connection requests flood a virtual server, pool member, or node. Setting this to 0 turns off connection limits. The default is 0.

Page 20: F5 User’s Group

Connection Throttling

Set limits for the amount of traffic sent to a server. Useful to mitigate DoS or for less scalable applications.

Rate Shaping            Bandwidth throttling
Connection Limit        Maximum connections
Connection Rate Limit   Max new connections / sec
Slow Ramp               Ramp up the number of new connections per second sent to the server

Page 21: F5 User’s Group

Jon Bartlett – Field Systems Engineer

ASM DEMO

Pages 22–30: Running Cenzic Scans from F5 ASM (core usage) – screenshot walkthrough

1. Requesting a Scan from the Cenzic Cloud
2. Scan Finished
3. Selecting a Class of Vulnerabilities
4. Selecting Vulnerabilities to Resolve
5. Resolving (two screens)
6. Resolved (Mitigated) (two screens)
7. ASM Parameters View

Page 31: F5 User’s Group

F5 Free Scans by Cenzic – Find Vulnerabilities and Reduce Exposure

• 3 free application scans
• Free scans are limited health check services
• No time limits once signed up
• No other vendors currently provide free scan via our ASM UI
• Or “off box”: http://www.cenzic.com/f5/reg

Cenzic HealthCheck Scans test for:

1. Cross-Site Scripting*
2. Application Exception
3. SQL Injection
4. Open Redirect
5. Password Auto-Complete*
6. Credit Card Disclosure
7. Non-SSL Password*
8. Check HTTP Methods
9. Basic Auth over HTTP
10. Directory Browsing

*Only these three included in non-F5 Free promotions

Page 32: F5 User’s Group

F5 Free Scans by WhiteHat – Persistent Assessment and Reduced Exposure

• 30-90 day free application scans pulled into ASM/VE dashboard
• Free assessments are unlimited during eval period

WH Enterprise BE tests for:

1. Injection
2. Cross Site Scripting
Insecure Direct Object References
3. Security Misconfiguration
4. Insecure Cryptographic Storage
5. Failure to Restrict URL Access
6. Insufficient Transport Layer Protection
7. Unvalidated Redirects and Forwards

Page 33: F5 User’s Group

Manually import vulnerability scan results from:

• IBM AppScan
• Qualys QualysGuard

Single click remediation. Use to build a new policy or add to an existing policy.

Page 34: F5 User’s Group

Roundtable Topics

• VDI Gateway
• Industry News
• Security Attacks
• Encryption makes me blind
• Improving Performance
• I thought virtualization would be more fun

Page 35: F5 User’s Group

Roundtable Topics

• BYOD
• Scale to the Nth
• Life in the cloud
• Data, Data, Data – I can’t make bricks without clay
• Where you come from matters

Page 36: F5 User’s Group

Thank You!

Please fill out a survey