© F5 Networks

How to achieve a fast, secure and available virtualization infrastructure


Luuk Dries


Why virtualization – a small recap

• Efficiency
  – Maximize CPU, RAM and Disk resources
  – Energy savings

• Flexibility
  – Quick response to business needs
  – Quickly adding and removing applications


Why virtualization?

• Business Continuity

• Disaster Recovery

• Security

• Test and Development


Each Application has its own specific requirements:

99,999% Availability, Performance over the WAN, High Security, ....

[Figure: Application Delivery Networking (Available, Fast, Secure) and the applications it serves: SharePoint, Database, Siebel, BEA, .NET, SAP, PeopleSoft, IBM, ERP, SalesForce, Custom]


Availability for the Web Tier…

[Figure: Internet-facing web tier; availability labels 99%, 99%, 99%, 99%, 99.99%, 99.9999%]

• Unmatched scalability and transparency
• High Availability and Load Balancing
• Centralized SSL offloading


… and for the Application Tier

[Figure: Internet, WWW tier and Application tier; availability labels 99% and 98%; caption: Accumulated Availability]

• Full L7 application visibility
• L7 content processing and switching
• Application monitoring


Flexibility: Data Center Automation

• Real-time interfacing with vCenter to add new VMs to the load balancing pool (iControl)
• Advanced Health Checks to ensure that newly provisioned VMs are ready for traffic


Availability and Performance across ISP Links

[Figure: Internet reached via two links, ISP1 and ISP2]

Select link on:

– Availability
– Cost of route
– Protocol
– Source/Destination
– Time

And apply:

– Bandwidth Management
– Traffic Prioritization


Availability and Performance across Datacenters

[Figure: Internet, Local DNS, Primary DC, Backup DC]


My Web Applications are Slow.. (IT Manager & App Architect)

• First time visits are slow
• Users are increasingly remote and/or mobile
• Dynamic Web content
• Network latency, packet loss, verbose protocols
• Data center consolidation
• Difficult to accelerate SSL content


Chatty Apps & Latency = Slow Apps

[Figure: request/response timeline between Web Browser and MyWebApp.com Web Servers; each exchange is labelled with 250 ms WAN latency]

– Get / HTTP/1.1 → Index.html
– Get /javascript.js HTTP/1.1 → javascript.js
– Get /stylesheet.css HTTP/1.1 → stylesheet.css
– Get /image(n).jpg HTTP/1.1 → image(n).jpg

A web page load with about 100 objects generates at least 100 round-trips

LAN: 100/2 x 1 ms = 50 ms
WAN: 100/2 x 250 ms = 12.5 seconds!


Impact of Web Acceleration

[Figure: comparison with and without web acceleration]


F5 Approach – Three Tiers of Acceleration

• Tier 1 Acceleration – Network Offload
  – Re-use downloaded objects/content (IBR)
  – Reduce data transferred (Compression)

• Tier 2 Acceleration – Server Offload
  – Servers are busy serving same data over and over (Caching)
  – Too many connections to back-end servers (OneConnect & spooling)
  – Overflow of connections to back-end servers (RateShape & conn limit)
  – SSL offload
  – Compression offload

• Tier 3 Acceleration – Application Offload
  – Browser re-downloads same content over and over (IBR)
  – Force multiple connections (MultiConnect)
  – Web apps are slow over the WAN (ESI, Compression, PDF linear..)


Effect of 3 Tiers of Acceleration: Page Load Time

Up to 90% reduction in page load time


Effect of 3 Tiers of Acceleration: CPU Utilization

Up to 90% reduction in CPU utilization


Intelligent Browser Referencing

Problem: Repeated Content Retrieval Slows Web Application

Dynamic pages contain mostly static content that is retrieved repeatedly

[Figure: example page with one region annotated "This is the only dynamic content"]


Intelligent Browser Referencing

Solution: WebAccelerator Enables Browser Re-use of Cacheable Contents

• No client to download
• No changes to browser

[Figure labels: Initial Request (Compression, Cache; Apply IBR cache expiration); Subsequent Client Requests (Cache); Repeat Visits (Retrieve from Browser Cache)]


Easy to Deploy – Easy to Integrate

• Validated in vendor application labs
  – Certified policies pre-configured


Web Acceleration Performance

[Figure: bar chart in seconds (axis 0.00 to 35.00) comparing Without Acceleration, With Asymmetric Acceleration and With Symmetric Acceleration for SharePoint 2007 Portal, Siebel, PeopleSoft, SAP Portal, Ecommerce, IBM Websphere, Plumtree, Outlook Web Access and BEA Weblogic]

2X to 10X Performance Increase


F5 and VMware can enable a secure, live migration…

…of a virtualized application and its storage

…from one site to another

…without downtime and without user disruption.


Initial Environment

[Figure: BIG-IP Global Traffic Manager; BIG-IP Local Traffic Manager and vCenter A; BIG-IP Local Traffic Manager and vCenter B]


Step 1: F5 BIG-IP Local Traffic Manager Opens WAN Optimization Tunnel

• Compressed
• De-Duplicated
• Encrypted


Step 2: Storage vMotion Executed Across WAN Optimized Tunnel

This step can be avoided if storage is already being synchronously replicated between sites


Step 2: Pending App vMotion, transactions rely on VM in Site A, but Storage in Site B

vCenter A still managing VM


Step 3: Application vMotion Executed Over WAN Optimized Tunnel


Step 4: vCenter Instructs F5 BIG-IP Global Traffic Manager to Cut Over to Site-B


F5 BIG-IP Global Traffic Manager Routes All NEW Application Connections/Sessions Directly to Site B.


F5 BIG-IP Local Traffic Manager in Site A Redirects EXISTING Sessions Temporarily to Site B Until Clients Register DNS Change


Eventually, ALL Connections Go Directly to Site B. The Process Can Be Reversed When Necessary.


Successful Application Migration Complete


Web Application Security

[Figure: Browser traffic passing through a WAF. Labels: WAF allows legitimate requests; Stops bad requests / responses; alerts for Unauthorised Access, Non-compliant Information and Infrastructural Intelligence; callouts "Who is this??" and "What is he doing??"]


Challenges of Web Application Security

• HTTP attacks are valid requests
• HTTP is stateless, application is stateful
• Web applications are unique
  – there are no signatures for YOUR web application
• Good protection has to inspect the response as well
• Encrypted traffic facilitates attacks…
• Organizations are living in the dark
  – missing tools to expose/log/report HTTP(s) attacks


ASM: Powerful Adaptable Solution

• Provides comprehensive protection for all web application vulnerabilities
• Provides out of the box security
• Logs and reports all application traffic
• Provides L2->L7 protection
• Unifies security and acceleration services
• Stops attacks unseen by traditional WAFs (anti-evasion)
• Provides On-Demand WAF scaling
• Sees Application level performance


Layer 7 DoS and Brute Force: Unique Attack Detection and Protection

• Unwanted clients are remediated and desired clients are serviced
• Improved application availability


Why F5? The F5 Advanced ADN

[Figure: Application Delivery Networking (Available, Fast, Secure) and the applications it serves: SharePoint, Database, Siebel, BEA, .NET, SAP, PeopleSoft, IBM, ERP, SalesForce, Custom]


Gartner Magic Quadrant for ADC

[Figure: Gartner Magic Quadrant; axes: completeness of vision, ability to execute; quadrants: niche players, visionaries, challengers, leaders; vendors plotted: F5 Networks, Citrix Systems, Cisco Systems, Foundry Networks, Nortel Networks, Zeus Technology, Radware]

F5 Networks

• Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.
• Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP.
• Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time.
• Strong underlying platform allows easy extensibility to add features.
• Support of an increasingly loyal and large group of active developers tuning their applications environments specifically with F5 infrastructure.

Source: Gartner (July 2008)


BIG-IP Hardware Line-up

[Figure: models positioned by Price against Function / Performance]

BIG-IP 1600
  – Dual core CPU
  – 4 10/100/1000 + 2x 1GB SFP
  – 1x 160GB HD
  – 4 GB memory
  – SSL @ 5K TPS/1 Gb Bulk
  – 750 Mbps max software compression
  – 750 M Traffic
  – 1 Basic Product Module

BIG-IP 3600
  – Dual core CPU
  – 8 10/100/1000 + 2x 1GB SFP
  – 1x 160 GB HD + 8GB CF
  – 4 GB memory
  – SSL @ 10K TPS/2 Gb bulk
  – 1 Gbps max software compression
  – 1.5 Gbps Traffic
  – 1 Advanced Product Module

BIG-IP 6900
  – 2 x Dual core CPU
  – 16 10/100/1000 + 8x 1GB SFP
  – 2x 320 GB HD (S/W RAID) + 8GB CF
  – 8 GB memory
  – SSL @ 25K TPS/ 4 Gb bulk
  – 5 Gbps max hardware compression
  – 6 Gbps Traffic
  – Multiple Product Modules

BIG-IP 8900
  – 2 x Quad core CPU
  – 16 10/100/1000 or 2 10GE SFP+
  – 2x 320 GB HD + 8GB CF
  – 16 GB memory
  – SSL @ 58K TPS/ 9.6 Gb Bulk
  – 8 Gbps max hardware compression
  – 12 Gbps Traffic
  – Multiple Product Modules

VIPRION
  – 36 Gbps Traffic
  – Multiple Product Modules
  – Ultimate redundancy in a single chassis


F5’s Data Center Vision – Unified Application & Data Delivery

[Figure: clients (PC - Home, PC - LAN, WLAN, Cell, Remote - WAN) connect over Link 1, Link 2 and Link 3 to DC 1: U.S. and DC 2: U.K.; layers labelled "Data Center & Link Virtualization: Services & Policy", "Web Server Virtualization: Services & Policy", "Application Server Virtualization: Services & Policy" and "File Storage Virtualization: Services & Policy"; back ends: Web Servers, App. Servers, Windows file storage, NetApp, EMC; product labels: BIG-IP LTM, GTM & LC; BIG-IP LTM, WA, ASM; BIG-IP LTM, SAM; F5 ARX]


ARX – File Virtualization

BEFORE: User / application access tightly coupled to physical file storage
  – Inflexible: change is disruptive
  – Complex: multiple mappings to heterogeneous storage devices
  – Inefficient: low aggregate utilization

AFTER: File access decoupled from physical storage location
  – Flexible: change is non-disruptive
  – Simple: single mapping to unified storage pool
  – Efficient: maximize utilization


Tiering / ILM / Data Migration

• Match cost of storage to business value of data
  – Files are automatically moved between tiers based on flexible criteria such as age, type, size, etc.

• Drivers:
  – Storage cost savings, backup efficiencies, compliance

• Benefits:
  – Reduced CAPEX
  – Reduced backup windows and infrastructure costs


Summary

F5 offers you the scalability both in performance and functionality to optimize all your applications

F5 makes your applications
  – SECURE
  – FAST
  – AVAILABLE
in the most flexible and stable solution

F5 optimizes your storage environment
