How to automate registration of device-unique information by integrating BIG-IP APM with PassLogic
Suppose you are building an SSL VPN platform and are looking for a mechanism that restricts devices with simple operations and without client certificates, and that you have the following requirements:

- You want to use SSL VPN.
- You want to use one-time passwords to prevent account takeover by list-based attacks.
- One-time passwords delivered by e-mail are out of scope this time, because login is impossible in environments that cannot receive e-mail, for example when the password is needed to log in to the very system that receives the mail.
- Access from any device other than those permitted for the user must be prohibited.
- You want to avoid the work of looking up and registering device-unique information one device at a time.
- You do not want to identify devices by client-certificate authentication, because some access arrives through proxies that terminate SSL and because operational management becomes more cumbersome.
- A user does not have just one device: Mac, Windows, Linux, iOS and Android are all in use, up to 5 devices per user (of which at most 2 are iOS/Android).
- Logins from pre-registered shared devices (PC, Windows, iOS, Android), which are not tied to a user, must be allowed unconditionally.
- Registration of jailbroken iOS and Android devices is not permitted.

These requirements can be met with BIG-IP Access Policy Manager (hereafter APM), PassLogic Enterprise Edition 2.3.0 from Passlogy (hereafter PassLogic), and the APM Access Profile and iRules introduced in this article, which integrate with the PassLogic API.

System requirements

- PassLogic Enterprise Edition 2.3.0
- BIG-IP Access Policy Manager (APM) v12.0 HF1

This iRule uses a sideband connection to register APM session variables in the PassLogic RADIUS attribute.

In this sample configuration, the device-unique information obtainable on each OS is:

- MAC address of (any) NIC (Windows, Mac, Linux): session.machine_info.last.net_adapter.list.[0].mac_address
- Motherboard serial number (Windows only): session.machine_info.last.motherboard.sn
- Serial number of (any) hard disk drive (Windows only): session.machine_info.last.hdd.list.[0].sn
  For details, see also About Machine Info: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-visual-policy-editor-12-0-0/4.html
- iOS UDID: session.client.unique_id
  For details, see also Support for using the BIG-IP Edge Client to check identifying information from Apple iOS client devices: https://support.f5.com/kb/en-us/solutions/public/12000/700/sol12749.html
- Android Unique ID: session.client.unique_id
  For details, see also Overview of session variable support for BIG-IP Edge Client for Android devices: https://support.f5.com/kb/en-us/solutions/public/13000/700/sol13731.html

In APM, create a policy like the one below and call the iRule event from the Access Profile.

The iRule uses APM session variables to register the information in the PassLogic RADIUS attribute.

    when RULE_INIT {
        # Set the IP:Port of PassLogic Enterprise Edition
        set static::passlogicip "192.168.10.201"
        set static::passlogicport 7080
    }

    when ACCESS_POLICY_AGENT_EVENT {
        # Check Shared Device (Required to set HW Info to DataGroup SharedDevices HWInfo:=DeviceKind)
        if { [ACCESS::policy agent_id] eq "IsSharedDevice" } {
            set uname [ACCESS::session data get session.logon.last.username]
            set hwinfo [ACCESS::session data get session.passlogic.hwinfo]
            set devkind0 [ACCESS::session data get session.passlogic.devicekind]
            if { [class match -value $hwinfo eq SharedDevices] eq $devkind0 } {
                log local0. "User $uname is accessed with shared device kind=$devkind0 ($hwinfo)"
                ACCESS::session data set session.isshareddevice "yes"
            } else {
                log local0. "User $uname is accessed with non-shared device kind=$devkind0 ($hwinfo)"
                ACCESS::session data set session.isshareddevice "no"
            }
        }

        # Device HW Information will be registered to PassLogic RADIUS Attribute
        if { [ACCESS::policy agent_id] eq "RegistHWInfoToPassLogic" } {
            # Get APM session variables
            set uname [ACCESS::session data get session.logon.last.username]
            set dom [ACCESS::session data get session.logon.last.domain]
            set rattr [ACCESS::session data get session.passlogic.attr]
            set devkind [ACCESS::session data get session.passlogic.devicekind]
            set hwinfo [ACCESS::session data get session.passlogic.hwinfo]
            # Variable name as published; it must match the name assigned in the Access Profile
            set rewrite9 [ACCESS::session data get session.passlogi.setrewrite9]
            set newattr ""
            log local0. "username = $uname device=$devkind hw=$hwinfo"
            log local0. "Old Attribute = $rattr"
            if { $rewrite9 eq "yes" } {
                log local0. "Rewrite not device kind ($devkind) but any device (9)"
                set devkind 9
            }

            # flag for change attribute
            set addd 0
            foreach i [split $rattr |] {
                if { $i eq $devkind && $addd == 0 } {
                    # Replace the first free slot of this device kind with the new device
                    append newattr "$hwinfo|"
                    set addd 1
                } else {
                    append newattr "$i|"
                }
            }

            if { $addd == 1 } {
                log local0. "New DeviceID ($hwinfo) for user $uname will be registered to PassLogic. New RADIUS Attribute=$newattr"
                set conn [connect -timeout 3000 -idle 30 -status conn_status $static::passlogicip $static::passlogicport]
                log local0. "Connect returns: <$conn> and conn status: <$conn_status> "
                set conn_info [connect info -idle -status $conn]
                log local0. "Connect info: <$conn_info>"
                # URL-encode every value: the username and hardware info come from the client
                # and must not be able to add parameters or header lines to the admin API request
                set data "GET /passlogic/api/admin?mode=useredit&uid=[URI::encode $uname]&domain=[URI::encode $dom]&attribute1=[URI::encode $newattr] HTTP/1.0\r\n\r\n"
                set send_info [send -timeout 3000 -status send_status $conn $data]
                log local0. "Sent <$send_info> bytes and send status: <$send_status>"
                set recv_data [recv -timeout 3000 -status recv_status 1024 $conn]
                log local0. "Recv data: <$recv_data> and recv status: <$recv_status>"
                close $conn
                log local0. "Closed; conn info: <[connect info -status $conn]>"
                if { $recv_data contains "PassLogic" } {
                    log local0. "PassLogic response is correct."
                    # findstr returns the text from the start marker up to the end marker;
                    # string range 6 10 keeps characters 6-10 of it as the result code
                    set ret [string range [findstr $recv_data " " 0 " "] 6 10]
                    log local0. "Result Code = $ret"
                    ACCESS::session data set session.passlogic.result $ret
                    switch $ret {
                        "50300" {
                            ACCESS::session data set session.passlogic.error "PassLogic Error: err Invalid input data."
                            log local0. "PassLogic Error: err Invalid input data."
                        }
                        "50301" {
                            ACCESS::session data set session.passlogic.error "PassLogic Error: err The user does not exist."
                            log local0. "PassLogic Error: err The user does not exist."
                        }
                        "50302" {
                            ACCESS::session data set session.passlogic.error "PassLogic Error: err Update parameter is required."
                            log local0. "PassLogic Error: err Update parameter is required."
                        }
                        "50400" {
                            ACCESS::session data set session.passlogic.error "PassLogic Information: notice User information has updated successfully. New DeviceID ($hwinfo) for user $uname was registered."
                            log local0. "PassLogic Information: notice User information has updated successfully. New DeviceID ($hwinfo) for user $uname was registered."
                        }
                        "50499" {
                            ACCESS::session data set session.passlogic.error "PassLogic Error: crit System error occurred."
                            log local0. "PassLogic Error: crit System error occurred."
                        }
                    }
                }
            } else {
                ACCESS::session data set session.passlogic.result "NG"
            }
        }
    }

The detailed configuration steps, the Access Profile and the iRules sample can be downloaded from: https://f5.com/Portals/1/PDF/JAPAN/devcentral/PassLogic230_APM12_AP_iRule_v1.zip

Protecting Beyond DNS Flood & DDoS
The recent slate of cyber-attacks involving DNS and NTP systems has again prompted questions about how comprehensive the security protection of DNS infrastructure is. Besides mitigating volumetric attacks such as DNS flood and DDoS, many organizations have realized the need for more comprehensive DNS security protection, which helps in preventing DNS-related security fraud and non-volumetric attacks such as amplification and cache poisoning attacks.

On DNS Amplification & DNS Reflection Attacks

You might concur that increasing DNS performance, together with an adequate DNS rate-limiting mechanism, is probably one of the best approaches to tackling overwhelming DNS traffic and DNS DoS attacks. However, this does not address DNS amplification and DNS reflection attacks, which were made popular by the Spamhaus-CyberBunker incident. In that incident, CyberBunker took advantage of open DNS resolvers to launch DNS amplification attacks, causing Spamhaus to be unreachable at times.

DNS amplification and reflection attacks are typically sent to DNS servers as legitimate DNS requests, in the hope of receiving large responses. The large responses eventually use up all the available bandwidth, causing congestion for genuine DNS queries and responses. As such, a DNS query rate-limiting mechanism and higher QPS performance cannot counter the attack, since the attacks typically come as a small number of DNS requests.

One way to limit such attacks is to filter requests by query type. Typically, DNS amplification and reflection attacks request the “TXT” or “ANY” query type, which tends to return responses of significant size. By applying a bandwidth rate limit to requests of these query types and to large query responses, we can prevent the bandwidth congestion caused by these attacks. Worried about the complexity of the bandwidth rate-limiting solution?
Well, it only takes less than 10 lines of iRules (shown below) on the F5 DNS platform to get this enforced and implemented.

    when DNS_REQUEST {
        # Shape the query types typically used for amplification
        if { [DNS::question type] eq "TXT" || [DNS::question type] eq "ANY" } {
            rateclass dns_rate_shape
        }
    }
    when DNS_RESPONSE {
        # Shape large responses
        if { [DNS::len] > 512 } {
            rateclass dns_rate_shape
        }
    }

Diagram 1: DNS reflection attacks blocking genuine users from accessing the LDNS server.

Cache Poisoning Attacks

DNSSEC is poised to be the eventual and ultimate solution to DNS cache poisoning attacks. Though the adoption rate of DNSSEC is encouraging, it takes all parties deploying DNSSEC signing and validation to fully protect against cache poisoning. While waiting for DNSSEC adoption to mature, is there any interim solution to reduce or prevent cache poisoning attacks?

Based on the DNS RFC standards, name servers are required to treat domain names in requests case-insensitively. In other words, the names www.foo.com and WWW.FOO.COM should resolve to the same IP address. However, most name servers preserve the original case when echoing the domain name back in the response. Hence, by randomly varying the case of the characters in the domain names queried, we can add entropy to requests. With this verification mechanism, the name server response must match the exact upper and lower case of every character in the name string (for instance, wWw.f5.CoM or WwW.f5.COm), which significantly reduces the success rate of cache poisoning attacks.

With F5's DNS solution, this mechanism can be enabled with just a check box on the management pane. The packet capture of the query case randomization process by F5 DNS is shown below. As depicted in the diagram, for queries to www.google.com, F5 Cache DNS randomizes the character case of the query before sending it to Google's authoritative DNS server. This greatly reduces the chances of an unsolicited response matching both the domain name and the DNS request transaction ID, which is what causes the poisoning of cached DNS records.
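The query case randomization described above can be reproduced on the wire format itself. The following is an added example, not code from the original post or from F5: it builds a DNS question with mixed case and accepts a response only when the transaction ID and the echoed name match byte for byte. All function names are hypothetical and the messages are constructed samples.

```python
import secrets
import struct


def randomize_case(name: str) -> str:
    """Return the name with the case of every ASCII letter chosen at random."""
    out = []
    for c in name:
        if c.isascii() and c.isalpha():
            out.append(c.upper() if secrets.randbits(1) else c.lower())
        else:
            out.append(c)  # digits, dots and hyphens carry no case
    return "".join(out)


def encode_question(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one IN-class question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def decode_question(msg: bytes):
    """Return (txid, qname) with the name exactly as cased on the wire."""
    txid = struct.unpack("!H", msg[:2])[0]
    pos, labels = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return txid, ".".join(labels)


def as_response(query: bytes) -> bytes:
    """Constructed sample: echo the question back with the QR (response) bit set."""
    return query[:2] + struct.pack("!H", 0x8180) + query[4:]


def response_acceptable(query: bytes, response: bytes) -> bool:
    """Accept only if the ID matches and the echoed name matches case-sensitively."""
    q_id, q_name = decode_question(query)
    r_id, r_name = decode_question(response)
    return q_id == r_id and q_name == r_name


def added_entropy_bits(name: str) -> int:
    """Each ASCII letter contributes one extra bit an off-path spoofer must guess."""
    return sum(1 for c in name if c.isascii() and c.isalpha())


if __name__ == "__main__":
    sent = encode_question(secrets.randbits(16), randomize_case("www.google.com"))
    print("query name on the wire:", decode_question(sent)[1])
    print("genuine echo accepted:", response_acceptable(sent, as_response(sent)))
    print("extra bits for www.google.com:", added_entropy_bits("www.google.com"))
```

The gain depends on the number of letters in the name, so short or mostly numeric names add little entropy.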
Diagram 2: The character case randomizer in the F5 DNS solution dramatically reduces the possibility of DNS cache poisoning attacks.

DNS is among the oldest Internet services still widely used today. Its usage continues to grow due to its simplicity and the proliferation of smart devices. Hence, it is truly important that a proper solution design and architecture approach is put in place to protect the infrastructure. After all, the investment in protection might be only a fraction of what you pay during an attack.

The OWASP Top 10 (2017 edition) as addressed by BIG-IP ASM
This post is a reworking for Japan of the blog post "The OWASP Top 10 - 2017 vs. BIG-IP ASM" by Peter Silva, Senior Solution Developer at F5 Networks.

The official 2017 edition of the OWASP Top 10 has been released, so this post gives an overview of how far the WAF functions of BIG-IP ASM can address it.

First, a comparison of the 2013 and 2017 editions: several new items have been added and some existing items have been merged.

Now let's look at how BIG-IP ASM addresses each item.

| Vulnerability | BIG-IP ASM Controls |
| A1 Injection Flaws | Attack signatures; Meta character restrictions; Parameter value length restrictions |
| A2 Broken Authentication and Session Management | Brute Force protection; Credentials Stuffing protection; Login Enforcement; Session tracking; HTTP cookie tampering protection; Session hijacking protection |
| A3 Sensitive Data Exposure | Data Guard; Attack signatures (“Predictable Resource Location” and “Information Leakage”) |
| A4 XML External Entities (XXE) | Attack signatures (“Other Application Attacks” - XXE); XML content profile (Disallow DTD) (Subset of API protection) |
| A5 Broken Access Control | File types; Allowed/disallowed URLs; Login Enforcement; Session tracking; Attack signatures (“Directory traversal”) |
| A6 Security Misconfiguration | Attack Signatures; DAST integration; Allowed Methods; HTML5 Cross-Domain Request Enforcement |
| A7 Cross-site Scripting (XSS) | Attack signatures (“Cross Site Scripting (XSS)”); Parameter meta characters; HttpOnly cookie attribute enforcement; Parameter type definitions (such as integer) |
| A8 Insecure Deserialization | Attack Signatures (“Server Side Code Injection”) |
| A9 Using components with known vulnerabilities | Attack Signatures; DAST integration |
| A10 Insufficient Logging and Monitoring | Request/response logging; Attack alarm/block logging; On-device logging and external logging to SIEM system; Event Correlation |

The newly added item "A4: XML External Entities (XXE)" is also already covered by signatures:

- 200018018 External entity injection attempt
- 200018030 XML External Entity (XXE) injection attempt (Content)

In addition, XXE attacks can be defended against generically with an XML profile (disable DTDs and enable the "Malformed XML data" violation).

For "A8: Insecure Deserialization", many signatures are likewise already provided. Many of them include terms such as “serialization” or “serialized object” in their names, as shown below:

- 200004188 PHP object serialization injection attempt (Parameter)
- 200003425 Java Base64 serialized object - java/lang/Runtime (Parameter)
- 200004282 Node.js Serialized Object Remote Code Execution (Parameter)

That concludes this overview of how the WAF functions of BIG-IP ASM address the 2017 release of the OWASP Top 10.

Related links:
- What's New In The OWASP Top 10 And How TO Use It
- BIG-IP ASM Operations Guide

The business significance of HTTP/2
Ensuring performance is an important issue for applications. For mobile applications in particular, it is no exaggeration to call it the most important issue. Anyone who looks at the many surveys conducted so far should reach this conclusion. If an application does not respond within 5 seconds, consumers and enterprise users alike become frustrated. Above all, when consumers use a mobile application to make a purchase, poor performance can be fatal.

HTTP/2 was developed with these performance demands in mind.

HTTP/2 implements many of the techniques that developers used so often to improve performance under HTTP/1.1 that they became standard practice. Examples are inlining (converting small images to strings and embedding them in HTML or CSS to reduce HTTP requests), concatenation of small files, and domain sharding (loading static files from separate domains to maximize the limit on concurrent connections). Each of these contributed to better performance, but unfortunately they also brought significant "technical debt" to both developers and operators.

The "technical debt" created by HTTP/1.1

"Technical debt" here means the negative impact on later development and operations that results from adopting a particular technology, product or architecture. The decision about where in the architecture to implement a particular solution can also be a source of technical debt.

For example, inlining and file concatenation, used to work around the limits of HTTP/1.1, made caches in the network unusable. Also, because inlined images and concatenated files have to be reflected in every application, attention must be paid to the application lifecycle as well. In other words, using these techniques cost applications their modularity. Technical debt of this kind will keep troubling developers and operators for as long as the affected applications remain in use.

Like financial debt, technical debt has to be dealt with, because if it is left alone it accrues "interest". This interest accumulates every time the application is changed or updated, and developers end up spending more time and attention than necessary. Resources are also needed for testing, and network and computing resources are consumed. As a result, companies spend their time servicing debt rather than on innovation and growth, and it becomes difficult to take advantage of the new technologies, techniques and architectural concepts that create competitiveness.

Freedom from debt through migration to HTTP/2

The technical debt incurred under HTTP/1.1 can be cleared by eventually migrating to HTTP/2. Because HTTP/2 addressed a wide range of technical and protocol constraints, it lets developers abandon past workarounds and gain new options, and these new options carry no technical debt. Existing applications will of course continue to carry their debt, but as migration to and replacement by HTTP/2-capable applications proceeds, developers and operators will be freed from the constraints that HTTP/1.1 created.

The significance of HTTP/2 is therefore not speed alone. Freeing developers and operators from the constraints of technical debt, and giving companies the chance to use new means of improving performance, is also an important part of it. By using means that do not create technical or architectural debt, companies are better placed to win the competition between applications.

CIOs acknowledge that less than one third of new budget is spent on innovation, and that the rest goes on mere improvement.

The F5 DDoS Reference Architecture for Enterprises
This post is a reworking for Japan of the blog post "The F5 DDoS Reference Architecture - Enterprise Edition" by David Holmes, technology evangelist at F5 Networks.

DDoS attacks are still continuing, and defending against them remains an important issue. DevCentral has already presented the DDoS reference architecture for global financial institutions, but DDoS countermeasures are just as essential for ordinary enterprises. This post therefore presents the DDoS reference architecture for enterprises and explains how it differs from the one for global financial institutions.

This deployment scenario assumes not only a large volume of inbound traffic but also a certain amount of outbound traffic from internal users.

Differences from the global financial institution architecture

The architecture differs from the reference architecture for global financial institutions in the following respects.

1. Internal users (Employees) are drawn on the right of the diagram, and user-generated traffic is sent from these internal users to the outside. This traffic passes through a next-generation firewall, or some other device that provides web security, and then leaves for the Internet through the main firewall of the data center.

2. In the enterprise use case, DNS services are typically consolidated in the first tier of attack defense, or at least protected by the firewall manager of the first tier. In the diagram shown here, DNS services are consolidated on the BIG-IP.

3. As explained for the global financial institution reference architecture, financial institutions should terminate SSL at the second tier in order to keep encryption keys away from the external network. Enterprises do not need to be so strict, so they have more freedom. SSL termination is about equally likely to be placed at the first tier or at the second tier.

4. In the enterprise use case, using Access Policy Manager (APM), which provides single sign-on, VDI and SSL-VPN services, can bring significant benefits, because these services improve convenience for internal users and strengthen security at the same time. In the global financial institution use case this benefit is less pronounced.

What it has in common with the global financial institution architecture

The essence of the architecture, a two-tier defense, is shared with the reference architecture for global financial institutions. The first tier defends against network attacks with a DDoS-aware network firewall, and the highly scalable second tier defends against application attacks.

For details of the F5 DDoS reference architecture, see the new F5 Synthesis reference architecture site.

BIG-IP and ADFS Part 3 - "ADFS, APM, and the Office 365 Thick Clients"
I never said there would be a Part 3. But this series is too interesting to stop at Part 2, and in fact there is one more important section that should be covered.

First, a brief recap of Parts 1 and 2. Part 1 explained how load balancing the ADFS and ADFS Proxy farms ensures high availability and scalability. Part 2 covered Access Policy Manager (APM) as a replacement for the ADFS Proxy layer. That approach not only improves the security and flexibility of the solution but also simplifies the infrastructure.

As those who have followed the series will (probably) remember, Part 2 used Office 365 as the use case and showed how BIG-IP and APM provide SSO sign-in to Outlook Web Access (OWA). For thick clients (active protocols and active profiles), which include the Outlook and Lync clients, things are a little more complicated. This is explained below.

Passive protocol - (Outlook Web App)

The process for clients (mainly browser-based) that use the WS-Federation passive protocol is as follows.

1. The client attempts to access the Office 365 resource.
2. The client is redirected to the Microsoft Federation Gateway.
3. The client is redirected to the organization's internal federation service (ADFS).
4. The ADFS server authenticates the client against Active Directory.
5. The ADFS server provides the client with an authentication cookie containing a signed security token and the set of claims for the resource partner.
6. The client connects to the Microsoft Federation Gateway, where the token and claims are verified. The Microsoft Federation Gateway provides the client with a new security token.
7. The client presents the new authentication cookie, with the security token it contains, to the Office 365 resource and gains access.

In the case above, ADFS uses the WS-Federation protocol and SAML. This type of connection is generally improved a great deal by proxying the connection to ADFS with BIG-IP APM.

Active protocol - (Outlook and Lync clients)

For clients such as Outlook and Lync (external clients), the flow is slightly different. In this case the process uses the active protocol, WS-Trust, and SOAP.

1. The client attempts to access the Office 365 resource and provides its credentials.
2. Office 365 asks the Microsoft Federation Gateway for authentication.
3. The Microsoft Federation Gateway contacts the ADFS service on behalf of the client and presents the credentials.
4. ADFS authenticates the client's credentials against Active Directory.
5. ADFS provides a token to the Microsoft Federation Gateway.
6. The Microsoft Federation Gateway provides the token to Office 365, which allows the client to access the resource.

Put simply, instead of the client doing the work of requesting and obtaining a token from ADFS, the Microsoft Federation Gateway talks to ADFS directly. Because the client does not connect to ADFS, APM (or any proxy service) cannot be used.

This raises a problem. When ADFS is deployed behind BIG-IP APM, how can the Microsoft Federation Gateway be given direct access in order to authenticate thick clients (Outlook, Lync), while passive connections (browser-based clients and internal Lync) are still pre-authenticated? This is easily solved with an iRule.

Bypassing APM with an iRule

To allow the MS Federation Gateway direct access, create an iRule and assign it to the ADFS virtual server created in Part 2 of this series. The iRule uses the HTTP_REQUEST event (triggered when the system parses an HTTP request) to analyze the URI. When an appropriate request is received, the ACCESS::disable command is called, the access policy is disabled, and the request is allowed through. For the requirements on third-party proxies, see the guide published by Microsoft. Create the following basic iRule and assign it to the external ADFS virtual server.

    when HTTP_REQUEST {

        # For external Lync client access all external requests to the
        # /trust/mex URL must be routed to /trust/proxymex. Analyze and modify the URI
        # where appropriate
        HTTP::uri [string map {/trust/mex /trust/proxymex} [HTTP::uri]]

        # Match on the lower-cased path only, so that a query string or a longer
        # path that merely contains these strings cannot switch off the access policy
        set path [string tolower [HTTP::path]]

        # Analyze the HTTP request and disable access policy enforcement for WS-Trust calls
        if { $path starts_with "/adfs/services/trust" } {
            ACCESS::disable
        }

        # OPTIONAL ---- To allow publishing of the federation service metadata
        if { $path eq "/federationmetadata/2007-06/federationmetadata.xml" } {
            ACCESS::disable
        }
    }

That's it. Simple and clear, isn't it? Try it yourself and let me know how it goes. Because this post deals with access from outside the organization, it did not cover the ADFS 2.0 support for identifying and blocking external access. If you are interested in that advanced feature, see the guide published by Microsoft.

Big-IP and ADFS Part 2 - APM - An Alternative to the ADFS Proxy
This part is about the ADC (Application Delivery Controller). In Part 1, the load balancing capability of Big-IP was used to deploy both the internal ADFS farm and the perimeter ADFS Proxy farm, ensuring high availability and scalability. But Big-IP contributes to application delivery in many other ways as well. In this Part 2, the Access Policy Manager (APM) module is used in place of the ADFS Proxy layer. As an example of this approach, consider the most common use case: deploying ADFS to federate with the web-based Microsoft Office 365 application and to enable single sign-on to it.

The purpose of the ADFS Proxy server is to receive requests for ADFS servers that cannot be reached from the Internet and to forward them. As noted in Part 1, achieving high availability requires at least two proxy servers plus a load balancing solution (F5 Big-IP, of course). Implementing APM on the F5 appliance not only makes these servers unnecessary, it also gives a more secure deployment, by performing pre-authorization at the perimeter and by introducing advanced features such as client-side checks (antivirus validation, firewall verification and so on).

Prerequisites and product deployment documentation - This deployment scenario assumes that the reader has general knowledge of administering the BIG-IP LTM module and a basic understanding of the APM module. If you need details or guidance, see the F5 support site, ASKF5. The figure shows the typical process flow when clients inside and outside the organization access Office 365 through ADFS (passive, "web-based" access).

1. Both clients attempt to access the Office 365 resource.
2. Both clients are redirected to the federation service of the resource. (Note: this step may be skipped for active clients such as Microsoft Outlook.)
3. Both clients are redirected to the organization's internal federation service.
4. The ADFS server authenticates the client against Active Directory.
   - Internal clients are load balanced directly to a member of the ADFS server farm.
   - External clients:
     - are pre-authenticated against Active Directory through APM's customizable sign-on page;
     - once authenticated, are redirected to a member of the ADFS server farm.
5. The ADFS server provides the client with an authentication cookie containing a signed security token and the set of claims for the resource partner.
6. The client connects to the Microsoft Federation Gateway, where the token and claims are verified. The Microsoft Federation Gateway provides the client with a new security token.
7. The client presents the new authentication cookie, with the security token it contains, to the Office 365 resource and gains access.

Virtual servers and pool members - All users (internal and external) access the ADFS server farm through the same Big-IP, but the requirements and the user experience that follows differ. Authenticated internal users are load balanced directly to the ADFS server farm, whereas external users are allowed to access members of the ADFS farm only after being pre-authorized through APM. Two virtual servers are therefore used, one for internal access and one dedicated to access from outside. The internal and external virtual servers are both associated with the same internal ADFS server farm pool.

Internal virtual server - For the virtual server configuration of the internal ADFS farm, see Part 1 of this series.

External virtual server - The configuration of the external virtual server is the same as for the virtual server described in Part 1 of this series. In addition, an APM Access Profile (see the highlighted part of the configuration) is assigned to the virtual server.

APM configuration - Before external users are allowed to access the internal ADFS farm, the following Access Policy Manager (APM) configuration is created and associated with the external-facing virtual server. As noted earlier, in addition to pre-authorization the APM module provides advanced features such as client-side checks and single sign-on (SSO). These are of course only a small part of what it offers. ASKF5 has details about client-side checks.

AAA server - The ADFS access profile uses an Active Directory AAA server.

Access policy - The following access policy is associated with the ADFS access profile.

- Before the logon page is displayed, the client machine is checked for up-to-date antivirus software. If the client has no antivirus software, or its virus definitions have not been updated (within 30 days), the user is redirected.
- An AD query and simple iRules are used to provide single-URL OWA access for both on-premises and Office 365 Exchange users.

SSO configuration - The ADFS access portal uses an NTLM v1 SSO profile for multiple authentication domains (see figure). By using multiple SSO domains, a client authenticates once and can then access both hosted applications such as Exchange Online and SharePoint Online and applications hosted on-premises. To facilitate this further, deploy multiple virtual servers (ADFS, Exchange, SharePoint) that use the same SSO configuration.

Connectivity profile - A connectivity profile based on the default connectivity profile is associated with the external virtual server.

That was a lot of information. How was it? I hope it has prompted you to learn more about APM and about the many things Big-IP can do besides load balancing.

The "smarter" DNS that hybrid environments demand
The changing role of DNS in hybrid environments

The cloud is changing a great many environments, and we are being forced to rethink IT strategy in every area of business. The way applications are developed and deployed is shifting to DevOps, and the business model of the IT industry is moving from the traditional license model to a usage-based subscription model, like electricity and water.

The demands for availability, performance and security, however, have not changed. Just as enterprise IT is shifting to the cloud, consumer use of mobile and web applications is surging. As the IT environment keeps changing dramatically, a lack of availability or poor performance becomes a major factor in whether an application succeeds or fails.

As hybrid environments are adopted and used, ensuring availability and performance becomes harder than before. In a hybrid environment, applications are spread across multiple public clouds and data centers, so availability and performance inevitably depend on many variables. That is exactly why maintaining availability and performance in a hybrid environment calls for a high degree of intelligence.

DNS is attracting attention as the element that provides this intelligence.

DNS can be described as a phone book that covers the entire Internet. In other words, it is the backbone for locating every application, thing and device in the world. Without DNS, no application can do its job. The role of DNS is extremely critical.

What intelligence is required of DNS

Giving DNS a high degree of intelligence matters for ensuring availability, performance and security in a hybrid environment. In a hybrid environment DNS must do more than answer the question "where is the application I am looking for?". It must also know accurately where the client is and what state the application is in, and in some cases decide to send the client to an application hosted at a different site.

F5's BIG-IP DNS is what makes these intelligent decisions possible. BIG-IP DNS does not only expand capacity greatly. It monitors the state and performance of applications across the entire hybrid environment and, working together with all other BIG-IP DNS systems, decides in real time where each client should be sent.

At times, as a countermeasure against DNS DDoS attacks, it may also decide not to respond to a query from a client.

The damage from DNS DDoS attacks keeps growing. According to one recent survey, "DNS-based DDoS attacks surged in 2014, and it is clear that attacks are growing in intensity in 2015 as well." In Japan too, from May to July 2014, domestic Internet service providers were hit by DNS DDoS attacks that caused communication failures lasting several weeks. Another report points out that "high-volume DDoS attacks", which send extremely large amounts of data, are continuing in 2015. Last year, several well-known companies faced serious problems from DNS-based attacks, including DNS hijacking. There is no doubt that this situation will get worse.

In other words, DNS needs the intelligence to detect every attack that could affect applications and, at the same time, to defend against it.

How to secure DNS

By definition, and in its design and implementation, DNS is required to be open. Like a web application used by the general public, DNS must be kept open and must always be available. Shutting DNS down to avoid a high-volume DDoS attack would defeat its purpose. In this situation DNS is required to do two things at once: "detect attacks and protect itself" and "respond quickly to legitimate requests".

"Quickly" here means "extremely quickly". DNS lookup time is often blamed as one of the causes of poor response in mobile applications. The faster DNS responds, the better the experience. However, the processing needed to protect DNS itself from attack can slow its responses down.

For example, protocol validation is a common technique for preventing the corruption of DNS records. But if protocol validation takes time, it slows responses and can spoil the user experience. Protocol validation should be done as quickly and as accurately as possible. BIG-IP DNS meets this challenge by performing protocol validation in hardware, which is 7 times faster than software alone. With BIG-IP DNS, applications remain comfortable to use while security that withstands attacks is maintained.

BIG-IP DNS can also extend the DNS cache in hardware. Compared with a software cache, this dedicated hardware provides up to 5 times the size, which makes faster responses possible. If DNS response time is cut substantially, the time a mobile application takes to draw the screen after a swipe, or to refresh to the latest data, is cut as well, and the application becomes more comfortable to use.

DNS is therefore not merely a tool for finding out "where an application is". It is the foundation for making smart, intelligent decisions about which application, which service or which site a client should be directed to. To control availability and performance properly and to ensure strong security without sacrificing the flexibility of hybrid deployment, the role of DNS must be well understood and actively used.

Big-IP and ADFS Part 1 - Load balancing the ADFS farm
The way enterprises are moving to the cloud recalls how pioneers once outfitted covered wagons one after another and followed the trail west. Enterprises moving to the cloud today may no longer be pioneers, and it cannot quite be said that a mass migration to the cloud is under way, but it is a fact that more and more enterprises are adopting cloud-based services such as Office 365.

In this situation, can seamless, or at least relatively seamless, access to resources outside the company be provided? One answer is federation, and enterprises that use Microsoft can use ADFS (Active Directory Federation Services) as the current solution. In this case the ADFS server functions as a security token service and extends single sign-on (SSO) for clients authorized by the directory to resources outside the company. In step with the spread of cloud-based applications and federation, the role of ADFS is becoming more important. A typical deployment scenario for the ADFS server farm and the ADFS Proxy server farm (recommended when the internally hosted ADFS farm is accessed from outside) is shown below.

Warning: if the ADFS server farm is unavailable, access to federated resources is restricted. To ensure high availability, performance, and scalability, deploy F5 Big-IP with LTM (Local Traffic Manager) and load balance the ADFS and ADFS Proxy server farms. F5's Big-IP is one of the very best means of load balancing and application delivery.

Now for the technical side. Part 1 of this blog explains how to deploy and configure Big-IP's LTM module (in English) to load balance the ADFS and ADFS Proxy server farms. Part 2 shows that using Big-IP's APM (in English) (Access Policy Manager) can greatly simplify and improve this deployment.

Load balancing the internal ADFS server farm

Assumptions and product deployment documentation - This deployment scenario assumes that an ADFS server farm has been installed and that its configuration, including trust relationships with the relevant claims providers and relying parties, has been done according to the deployment guide (in English). The reader is also assumed to have general knowledge of administering the BIG-IP LTM module. If you need details or advice, see F5's support site ASKF5 (in English). The diagram below shows a typical (though simplified) process flow when the ADFS server farm is load balanced by Big-IP.

1. The client attempts to access an ADFS-enabled external resource.
2. The client is redirected to that resource's federation service.
3. The client is redirected to its internal federation service (assuming the resource's federation service is configured as a trusted partner).
4. The ADFS server authenticates the client against Active Directory.
5. The ADFS server provides the client with an authentication cookie containing the signed security token and the set of claims for the resource partner.
6. The client connects to the resource partner's federation service, where the token and claims are verified. Where applicable, the resource partner provides the client with a new security token.
7. The client presents the new authentication cookie, with the security token it contains, to the resource and gains access.

Virtual server and pool members - The virtual server (VIP) is configured to listen on port 443 (https). When Big-IP is used for SSL bridging (decryption and re-encryption), the external-facing SSL certificate and its associated private key must be installed in the client SSL profile created on the Big-IP. However, as explained later, SSL bridging is not the preferred method for this type of deployment. SSL tunneling (pass-through) is used instead. ADFS requires Transport Layer Security and Secure Sockets Layer (TLS/SSL). Pool members are therefore configured to listen on port 443 (https).

Load balancing method - The "Least Connections (member)" method is used.

Pool monitor - A customized monitor can be used to confirm that the ADFS service and the web site itself are responding. This monitor ensures that the ADFS federation service is responding. The monitor is used with increased interval and timeout settings. This custom https monitor requires a domain certificate to check the service status. A standard https monitor can be used instead.

Persistence - In this ADFS scenario, the client establishes a single TCP connection with the ADFS server to request and receive the security token. Specifying a persistence profile is therefore unnecessary.

SSL tunneling (this method is recommended) - When SSL tunneling is used, encrypted traffic flows from the client directly to the endpoint, a member of the farm. SSL profiles are not used, and no SSL certificate needs to be installed on the Big-IP. In this case, Big-IP profiles that require packet analysis or modification, or both (for example compression and web acceleration), are not relevant. To increase performance further, a Fast L4 virtual server is used.

Load balancing the ADFS Proxy server farm

Assumptions and product deployment documentation - This deployment scenario assumes that an ADFS Proxy server farm (in English) has been installed and that configuration according to the deployment guide (in English), including trust relationships with the relevant claims providers and relying parties, has been carried out as appropriate. The reader is also assumed to have general knowledge of administering the BIG-IP LTM module. If you need details or guidance, see F5's support site ASKF5 (in English).

The previous section configured load balancing for the internal ADFS server farm. That scenario works for providing federated SSO access to internal users. It does not, however, cover users outside the company (that is, in a remote environment) who try to access federated resources. This is where the ADFS Proxy server helps. With the ADFS Proxy server, external users can access partner resources such as Microsoft Office 365 in addition to internal federation-enabled resources.

1. The client attempts to access an ADFS-enabled external resource.
2. The client is redirected to that resource's federation service.
3. The client is redirected to its internal federation service (assuming the resource's federation service is configured as a trusted partner).
4. The ADFSProxy server presents the client with a customizable sign-on page.
5. The ADFSProxy presents the end user's certificate to the ADFS server for authorization.
6. The ADFS server authenticates the client against Active Directory.
7. The ADFS server provides the client (via the ADFSProxy server) with an authentication cookie containing the signed security token and the set of claims for the resource partner.
8. The client connects to the resource partner's federation service, where the token and claims are verified. Where applicable, the resource partner provides the client with a new security token.
9. The client presents the new authentication cookie, with the security token it contains, to the resource and gains access.

Virtual server and pool members - The virtual server (VIP) is configured to listen on port 443 (https). When Big-IP is used for SSL bridging (decryption and re-encryption), the public-facing SSL certificate and its associated private key must be installed in the client SSL profile created on the Big-IP. ADFS requires Transport Layer Security and Secure Sockets Layer (TLS/SSL). Pool members are therefore configured to listen on port 443 (https).

Load balancing method - The "Least Connections (member)" method is used.

Pool monitor - To confirm that the ADFS service and the web site itself are responding, a customized monitor is associated with the ADFSProxy pool. The monitor is used with increased interval and timeout settings.

"Whether or not to use SSL tunneling"

When SSL tunneling is used, encrypted traffic flows from the client directly to the endpoint, a member of the farm. SSL profiles are not used, and no SSL certificate needs to be installed on the Big-IP. With tunneling, however, advanced optimizations such as HTTP compression and web acceleration are not possible. Depending on circumstances such as client connectivity and customization of the ADFS sign-on page, such HTTP optimization can benefit an ADFSProxy deployment. The two options (SSL tunneling and SSL bridging) are compared below.

SSL tunneling - In this case, Big-IP profiles that require packet analysis or modification, or both (for example compression and web acceleration), are not relevant. To increase performance further, a Fast L4 virtual server is used. The diagram below shows an example configuration of a Fast L4 Big-IP virtual server when SSL tunneling is used.

SSL bridging - When SSL bridging is used, traffic is decrypted and then re-encrypted on the Big-IP device. This makes it possible to apply additional features to the traffic on both the client side and the pool member side of the connection. The diagram below shows an example configuration of a standard Big-IP virtual server when SSL bridging is used.

Standard virtual server profiles - The table below lists the profiles of the ADFSProxy virtual server.

Profile type - Comment
Persistence - Associate the default cookie persistence profile with the virtual server
Client SSL - Install the public-facing SSL certificate and its associated private key on the Big-IP; this makes it easy to terminate SSL traffic on the Big-IP
Server SSL - Associate the default "serverssl" profile with the virtual server
Protocol - Associate the tcp-lan-optimized profile with the server side of the virtual server; associate the tcp-wan-optimized profile with the server side of the virtual server
OneConnect - Associate the default oneconnect profile with the virtual server
HTTP - Associate the default HTTP profile with the virtual server
HTTP compression - Associate the wan-optimized-compression profile with the virtual server
Web acceleration - Associate the optimized-caching profile with the virtual server

That concludes Part 1. Together with the F5 business development team responsible for the global partnership with Microsoft, I offer my sincere thanks to Kevin James, David Lundell, and Lutz Mueller-Hipper of Ensynch (in English), an Insight subsidiary, who read a draft of this text and provided comments. Look forward to Big-IP and ADFS Part 2, "APM - An alternative to the ADFSProxy."

The future direction of DevCentral
DevCentral has, remarkably, turned 11. That it has grown steadily and built a wonderful community is entirely thanks to all of you. We want to express our gratitude and to let you know our future direction as early as possible. Aiming for continued growth, we plan to realize our ambitions step by step, guided by feedback from our members. The next major version of DevCentral will debut within the next few months. We love surprising people, but constantly changing things that involve other people is not desirable. So we will explain, one at a time, our plans for delivering content, connecting members, and making sure everyone can get the answers they need.

The 3 Cs: Clean, Consolidated, Classy

Over the past few years many features were added to DevCentral, but no bold steps were taken to improve readability or the organizational interface. We get it. DevCentral's primary long-term goal is to make subject navigation easier and to deliver personalized content. To meet these needs, we are substantially redesigning the default landing page. Click the image on the right to see our ideas. The notable feature improvements are:

- Quick topic/technology navigation shown in the left page margin
- Easy navigation of the latest and variable content in the center section
- Easy browsing of the latest and most frequently viewed questions on the right
- A dynamic content slider, which our own John Wagnon of DC can use to show off his Latin skills, or which is useful for delivering urgent news and good news (think of vulnerabilities such as Heartbleed, Shellshock, and my birthday)

Simplified search: putting taxonomy to use

Those who attended the global Agility conferences that F5 held nine times will probably have noticed, in the various breakout sessions and discussions, that F5 is focusing on current and emerging industry solutions (core/hybrid/cloud, security, service provider, and so on). We looked at the solutions presented, watched the high-profile discussions closely, and believe these solutions are a good starting point for classifying data. However, considering the community's interests, we will first work on what members are asking for. We will simplify search and content filtering, reduce the tagging required when submitting questions, articles, and code, and make two kinds of content, solutions and technologies, the primary map for member posts. On the classy home page shown in the example, posters can choose from topics/technologies, and two user-defined tags are also available. This achieves the following, which have troubled many of us:

- The endless tagging that accompanies some posts is limited (the record number of tags so far is 23, which is too many)
- Searching and filtering content becomes easier, and every post is referenced over the long term
- Accurate metrics are provided on what content users need and what we should focus on

At F5 Agility D.C., many people used this home page, and it was received with great relief and positive comments. We believe we are heading in the right direction.

Filters, ratings, Netflix

As with the topic navigation improvements described above, when you explore DevCentral you can filter quickly and easily using the new taxonomy and further customize the results as needed. Answers (Q&A) and CodeShare all share the logic for quickly filtering topics and technologies, and narrow results with a type-ahead custom tag filter. See the actual screen in the image on the right.

And ratings... Those of us here at DevCentral are Netflix addicts, and in our case every life decision is swayed by what Netflix thinks we want to watch (we were annoyed that it gave up the rights to the TV show "Stargate SG-1"). Netflix and others have a well-known rating system, and we think it could be used for much of our content too. We will introduce this simple rating system for all articles, CodeShare entries, and downloads, so that popular content surfaces right away without waiting for results from the current voting mechanism. We will keep the voting feature for questions and answers; it makes more sense where multiple people post in a single thread. If you have good ideas about Q&A, please let us know.

From now into the future

We are working on many other changes and improvements, but the items above are the foundation for future expansion. We will make it easy for knowledgeable people to give their knowledge back, while making sure their contributions are properly recognized. We will also make it clear whether the person you are talking with in the community is an F5 specialist, an MVP, or an elite community member. As many exciting changes and useful improvements roll out, we look forward to your feedback. If you have suggestions or questions, or even just a comment on DevCentral team member John Wagnon's profile photo, please feel free to contact us. It looks like it will be a busy year. Thank you for your support.

The DevCentral team