The F5 DDoS Reference Architecture - Enterprise Edition

It’s still #ddos season, so let’s take another look at the F5 reference architecture around DDoS protection. The second deployment scenario is the enterprise use case, which has lots of inbound application traffic but also some measure of outbound user-generated traffic as well.

Differences between the Enterprise and Global FSI use cases:

  1. In the network diagram product map above, at the top right you can see the user-generated traffic issuing from the green user icon. It flows through a next generation firewall (or some other device that offers web security) and then out through the main datacenter firewall.
  2. The enterprise case is more likely to have the DNS services either consolidated into tier 1 or at least protected by tier 1’s firewall manager. Here we show the services rolled up into the BIG-IP itself.
  3. As I mentioned in the global FSI case, the FSIs always are reticent terminate SSL at tier 1. Enterprises feel much more free to do so and we find that it’s approximately half-and-half for them.
  4. The enterprise use case can benefit from having an Access Policy Manager (APM) to provide Single-Sign On, VDI, and SSL-VPN services. Not seen as much in the Global FSI case.

The essence of the architecture – targeting network attacks with a DDoS-aware network firewall in tier 1 and application attacks in a scalable tier 2 – is the same for both the use cases we’ve looked at so far.

For access to the full F5 DDoS reference architecture, visit the new F5 Synthesis reference architecture site.

Connect with David:Connect with F5:
Published Dec 23, 2013
Version 1.0

Was this article helpful?

No CommentsBe the first to comment