Description: F5 User’s Group meeting, October 3rd 2012 (PowerPoint presentation). Welcome and introductions (name, title, company, role, optional requests), followed by the agenda.
F5 User’s Group
2
IT agility. Your way.
Welcome! Introductions
Please introduce yourself:
• Name
• Title
• Company
• Your role: Application, Network, Security
• Requests? (optional)
3
F5 User’s Group Meeting, October 3rd 2012: Agenda
• The new F5 Technical Certification Program: Ken Salchow, Program Manager
• F5 Technology Update – What’s new: Nathan McMahon, Sr. Solution Architect
• 10 Minute Break
• Creating an ASM (Web Application Firewall) policy using Cenzic Hailstorm: Jon Bartlett, Field Systems Engineer
• F5 Customer, SE and SA roundtable
KJ (Ken) Salchow, Jr., Program Manager, Technical Certification
F5 TECHNICAL CERTIFICATION PROGRAM CERTIFICATION & TEST OVERVIEW
5
Partner Programs
Guardian Service
Guardian Consulting
Certification
Three Distinct Pieces
F5 Training
Industry Knowledge
Internal
Customer
Individual
6
Increasing Complexity and Risk
7
The Missing Pieces
BIG-IP LTM
BIG-IP GTM
ASM
FirePass
ARX Configuration
BIG-IP LTM Advanced
ARX Troubleshooting
Product Consultant
Engineer
End-to-End Application Delivery Knowledge
Solution Knowledge: MISSING
Basic Application Delivery Knowledge: MISSING
8
NO ADC HANDBOOK
NO COLLEGE COURSES
NO LEARNING PATH
NO TECHNOLOGY KNOWLEDGE
9
Program Objective
Bring applications and networks together through technologists rigorously verified to have expertise across the technology stack.
10
Engineer Certification Track
BIG-IP Administrator
LTM Specialist
GTM Specialist
ASM Specialist
APM Specialist
iRules Specialist
WAM/WOM Specialist
Availability Expert
Security Expert
Optimization Expert
Service Provider Expert
Application Delivery Architect
Application Delivery Engineer
11
Testing Tracks
Application Delivery Fundamentals (100 Level)
TMOS Administration (200 Level)
GTM Specialist
ASM Specialist
APM Specialist
WAM/WOM Specialist
iRules Developer
300 Level
Application Delivery Architect Lab (500 Level)
iApps Developer
400 Level
Availability Solutions
Security Solutions
Optimization Solutions
Service Provider Solutions
LTM Specialist (b)
LTM Specialist (a)
LTM Specialist (a): Architect, Setup & Deploy; LTM Specialist (b): Maintain & Troubleshoot
12
Course Development
Test Design
Job Analysis
Blueprint Development
Item Development
Beta Publication
Item Analysis
Exam Assembly
Standard Setting
Publication
Development Process. Each Exam:
• 7 Months from Start to Finish
• 1200 Man-Hours (just SMEs)
• ~ $85,000 USD (direct costs)
Nathan McMahon, Solution Architect
BIG-IP V11.2.1
14
• 2x 10G Ports
• 8x 1G Ports
• Quad Core CPU
• 16GB Memory
• Triple the SSL 2K key TPS
• 2.5x the L7 performance
• 2.5x the throughput
• 8G Hardware Compression
• 80+ Gold Power Supply
• Future vCMP support (TBD)
BIG-IP 4200v, BIG-IP 3600, BIG-IP 3900
Chart: BIG-IP 4200v vs. BIG-IP 3900
L7 RPS: 800K (BIG-IP 4200v) vs. 400K (BIG-IP 3900)
SSL TPS (2K): 9000 TPS (BIG-IP 4200v) vs. 3000 TPS (BIG-IP 3900)
H/W Compression: 8G (BIG-IP 4200v) vs. Software Only (BIG-IP 3900)
Throughput: 10G (BIG-IP 4200v) vs. 4G (BIG-IP 3900)
15
Rate Shaping: Bandwidth throttling
Connection Limit: Maximum connections
Slow Ramp: Ramp up the number of new connections per second sent to the server
Set limits for the amount of traffic sent to a server. Useful to mitigate DoS or for less scalable applications.
Connection Throttling
16
Connection Throttling
17
when RULE_INIT {
    set static::conn_debug 1
    set static::conn_rate 10
    set static::interval 1
    log local0. "Configured to enforce a rate of [expr {$static::conn_rate / $static::interval}]\
        cps ($static::conn_rate connections / $static::interval second)"
    set static::whitelist_class vsratelimit_whitelist_class
    set static::tbl "vsratelimit"
}
when CLIENT_ACCEPTED {
    # Whitelisted clients bypass the limit and are not counted
    if { [class match [IP::client_addr] equals $static::whitelist_class] } {
        return
    }
    set key "[IP::client_addr]:[TCP::client_port]"
    # One subtable per virtual server; each entry lives for $static::interval seconds
    set tbl ${static::tbl}_[virtual name]
    set current [table keys -subtable $tbl -count]
    if { $current >= $static::conn_rate } {
        if { $static::conn_debug } { log local0. "$key: Connection to [IP::local_addr]:[TCP::local_port]\
            ([virtual name]). At limit, rejecting (current: $current / max: $static::conn_rate)" }
        TCP::close
    } else {
        # Record this connection with lifetime = interval, no idle timeout
        table set -subtable $tbl $key " " indefinite $static::interval
        if { $static::conn_debug } { log local0. "$key: Connection to [IP::local_addr]:[TCP::local_port]\
            ([virtual name]). Under limit, allowing (current: [table keys -subtable $tbl -count] / max: $static::conn_rate)" }
    }
}
Connection Throttling
18
Connection Throttling
Now in the GUI
Virtual Server
Pool Member
19
Specifies the maximum number of connections-per-second allowed for a virtual server, pool member, or node. When the number of connections-per-second reaches the limit for a given virtual server, pool member, or node, the system redirects additional connection requests. This helps detect Denial of Service attacks, where connection requests flood a virtual server, pool member, or node. Setting this to 0 turns off connection limits. The default is 0.
Connection Throttling
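The logic of the iRule on the earlier slide (a per-virtual-server table of recent connections, checked against a connections-per-second limit, with a whitelist bypass) and the GUI Connection Rate Limit setting described here can be modelled outside TMOS so the behaviour can be exercised offline. The following Python is an added example, not code from the slides or from F5; the class and function names (ConnectionRateLimiter, admit, simulate_burst) are hypothetical, and the client addresses and virtual server names are constructed sample values.

```python
"""Added example (not from the slides or F5): an offline model of the
connection-rate-limit logic in the iRule above. ConnectionRateLimiter,
admit() and simulate_burst() are hypothetical names."""
from collections import defaultdict
from typing import Dict, Iterable, Tuple


class ConnectionRateLimiter:
    """Limit new connections per virtual server over a sliding window.

    Mirrors the iRule: each allowed connection is stored under the key
    "<client_ip>:<client_port>" in a table for that virtual server (the
    iRule's per-virtual subtable), entries live for `interval` seconds, and
    a new connection is rejected when the number of live entries has
    reached `conn_rate`. Whitelisted client addresses bypass the check and
    are not counted. conn_rate == 0 disables the limit, matching the GUI
    setting's documented meaning of 0.
    """

    def __init__(self, conn_rate: int, interval: float = 1.0,
                 whitelist: Iterable[str] = ()) -> None:
        self.conn_rate = conn_rate
        self.interval = interval
        self.whitelist = set(whitelist)
        # virtual server name -> {"ip:port": expiry timestamp}
        self._tables: Dict[str, Dict[str, float]] = defaultdict(dict)

    @staticmethod
    def _expire(table: Dict[str, float], now: float) -> None:
        # Drop entries whose lifetime has elapsed (iRule: table lifetime = interval)
        for key in [k for k, expiry in table.items() if expiry <= now]:
            del table[key]

    def current(self, virtual: str, now: float) -> int:
        """Live entries for a virtual server (iRule: table keys -subtable ... -count)."""
        table = self._tables[virtual]
        self._expire(table, now)
        return len(table)

    def admit(self, client_ip: str, client_port: int, virtual: str,
              now: float) -> Tuple[bool, str]:
        """Decide one new connection; returns (allowed, log message)."""
        if client_ip in self.whitelist:          # iRule: class match ... then return
            return True, f"{client_ip}: whitelisted, not rate limited"
        if self.conn_rate == 0:                   # GUI semantics: 0 = no limit
            return True, f"{client_ip}:{client_port}: limit disabled"
        table = self._tables[virtual]
        self._expire(table, now)
        current = len(table)
        key = f"{client_ip}:{client_port}"
        if current >= self.conn_rate:             # iRule: TCP::close
            return False, (f"{key}: connection to {virtual}. At limit, rejecting "
                           f"(current: {current} / max: {self.conn_rate})")
        table[key] = now + self.interval          # iRule: table set ... indefinite $interval
        return True, (f"{key}: connection to {virtual}. Under limit, allowing "
                      f"(current: {len(table)} / max: {self.conn_rate})")


def simulate_burst(limiter: ConnectionRateLimiter, virtual: str, count: int,
                   now: float, client_ip: str = "198.51.100.7",
                   first_port: int = 40000) -> Tuple[int, int]:
    """Offer `count` connections at one instant (constructed sample traffic);
    returns (allowed, rejected)."""
    allowed = rejected = 0
    for i in range(count):
        ok, _ = limiter.admit(client_ip, first_port + i, virtual, now)
        if ok:
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


if __name__ == "__main__":
    # Same parameters as the iRule: 10 connections per 1-second interval.
    limiter = ConnectionRateLimiter(conn_rate=10, interval=1.0,
                                    whitelist={"10.0.0.5"})   # constructed
    print(simulate_burst(limiter, "vs_web", 15, now=0.0))      # (10, 5)
    print(limiter.admit("198.51.100.8", 1024, "vs_web", 0.5))  # still at limit
    print(limiter.admit("198.51.100.8", 1024, "vs_web", 1.0))  # window expired
    print(limiter.admit("10.0.0.5", 1024, "vs_web", 0.2))      # whitelisted
```

Two properties of the iRule are worth seeing in the model: the count covers every new connection to the virtual server in the last interval from all clients combined, so one noisy source can push other clients over the limit (keying the table by client address instead would make the limit per-client), and the whitelist check runs before the count, so whitelisted connections are neither limited nor counted. The model also reproduces the GUI rule that a limit of 0 means no limit.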
20
Rate Shaping: Bandwidth throttling
Connection Limit: Maximum connections
Connection Rate Limit: Max new connections / sec
Slow Ramp: Ramp up the number of new connections per second sent to the server
Set limits for the amount of traffic sent to a server. Useful to mitigate DoS or for less scalable applications.
Connection Throttling
Jon Bartlett, Field Systems Engineer
ASM DEMO
22
Requesting a Scan from the Cenzic Cloud
Running Cenzic Scans from F5 ASM (core usage)
23
Scan Finished
Running Cenzic Scans from F5 ASM (core usage)
24
Selecting a Class of Vulnerabilities
Running Cenzic Scans from F5 ASM (core usage)
25
Selecting Vulnerabilities to Resolve
Running Cenzic Scans from F5 ASM (core usage)
26
Resolving
Running Cenzic Scans from F5 ASM (core usage)
27
Resolving
Running Cenzic Scans from F5 ASM (core usage)
28
Resolved (Mitigated)
Running Cenzic Scans from F5 ASM (core usage)
29
Resolved (Mitigated)
Running Cenzic Scans from F5 ASM (core usage)
30
ASM Parameters View
Running Cenzic Scans from F5 ASM (core usage)
31
• 3 free application scans
• Free scans are limited health check services
• No time limits once signed up
• No other vendors currently provide free scan via our ASM UI
• Or “off box”: http://www.cenzic.com/f5/reg
Cenzic HealthCheck Scans test for:
F5 Free Scans by Cenzic: Find Vulnerabilities and Reduce Exposure
1. Cross-Site Scripting*
2. Application Exception
3. SQL Injection
4. Open Redirect
5. Password Auto-Complete*
6. Credit Card Disclosure
7. Non-SSL Password*
8. Check HTTP Methods
9. Basic Auth over HTTP
10. Directory Browsing
*Only these three included in non-F5 Free promotions
32
• 30-90 day free application scans pulled into ASM/VE dashboard
• Free assessments are unlimited during eval period
WH Enterprise BE tests for:
F5 Free Scans by WhiteHat: Persistent Assessment and Reduced Exposure
1. Injection
2. Cross Site Scripting
3. Insecure Direct Object References
4. Security Misconfiguration
5. Insecure Cryptographic Storage
6. Failure to Restrict URL Access
7. Insufficient Transport Layer Protection
8. Invalidated Redirects and Forwards
33
Manually import vulnerability scan results from:
• IBM AppScan
• Qualys QualysGuard
Single click remediation
Use to build a new policy or add to an existing policy
34
Roundtable Topics
VDI Gateway
Industry News
Security Attacks
Encryption makes me blind
Improving Performance
I thought virtualization would be more fun
35
Roundtable Topics
BYOD
Scale to the Nth
Life in the cloud
Data, Data, Data – I can’t make bricks without clay
Where you come from matters
Thank You!
Please fill out a survey