remote access

BIG-IP Edge Client 2.0.2 for Android
Earlier this week F5 released our BIG-IP Edge Client for Android with support for the new Amazon Kindle Fire HD. You can grab it off Amazon instantly for your Android device. By supporting BIG-IP Edge Client on Kindle Fire products, F5 is helping businesses secure personal devices connecting to the corporate network, and helping end users be more productive, so it’s perfect for BYOD deployments.

The BIG-IP® Edge Client™ for all Android 4.x (Ice Cream Sandwich) or later devices secures and accelerates mobile device access to enterprise networks and applications using SSL VPN and optimization technologies. Access is provided as part of an enterprise deployment of F5 BIG-IP® Access Policy Manager™, Edge Gateway™, or FirePass™ SSL-VPN solutions.

BIG-IP® Edge Client™ for all Android 4.x (Ice Cream Sandwich) Devices Features:
Provides accelerated mobile access when used with F5 BIG-IP® Edge Gateway
Automatically roams between networks to stay connected on the go
Full Layer 3 network access to all your enterprise applications and files
Supports multi-factor authentication with client certificate
You can use a custom URL scheme to create Edge Client configurations, start and stop Edge Client

BEFORE YOU DOWNLOAD OR USE THIS APPLICATION YOU MUST AGREE TO THE EULA HERE: http://www.f5.com/apps/android-help-portal/eula.html

BEFORE YOU CONTACT F5 SUPPORT, PLEASE SEE: http://support.f5.com/kb/en-us/solutions/public/2000/600/sol2633.html

If you have an iOS device, you can get the F5 BIG-IP Edge Client for Apple iOS, which supports the iPhone, iPad and iPod Touch. We are also working on a Windows 8 client, which will be ready for the Win8 general availability.
ps

Resources:
F5 BIG-IP Edge Client Samsung
F5 BIG-IP Edge Client Rooted
F5 BIG-IP Edge Client
F5 BIG-IP Edge Portal for Apple iOS
F5 BIG-IP Edge Client for Apple iOS
F5 BIG-IP Edge apps for Android
Securing iPhone and iPad Access to Corporate Web Applications – F5 Technical Brief
Audio Tech Brief - Secure iPhone Access to Corporate Web Applications
iDo Declare: iPhone with BIG-IP

Technorati Tags: F5, infrastructure 2.0, integration, cloud connect, Pete Silva, security, business, education, technology, application delivery, ipad, cloud, context-aware, iPhone, web, internet, hardware, audio, whitepaper, apple, iTunes

BIG-IP Edge Client v1.0.6 for iOS 7
With all your other iOS 7 updates (if you've made the plunge), if you are running the BIG-IP Edge Client on your iPhone, iPod or iPad, you may have gotten an AppStore alert for an update. If not, I just wanted to let you know that version 1.0.6 of the iOS Edge Client is available at the AppStore with iOS 7 support. Customers who use UDID in their access policies should have users update to this version.

The BIG-IP Edge Client application from F5 Networks secures and accelerates mobile device access to enterprise networks and applications using SSL VPN and optimization technologies. Access is provided as part of an enterprise deployment of F5 BIG-IP Access Policy Manager, Edge Gateway, or FirePass SSL-VPN solutions.

BIG-IP Edge Client for iOS Features:
Provides accelerated mobile access when used with F5 BIG-IP Edge Gateway.
Automatically roams between networks to stay connected on the go.
Full Layer 3 network access to all your enterprise applications and files.

ps

Related:
Manual: BIG-IP Edge Apps Client Compatibility Matrix
BIG-IP Edge Client and BIG-IP Edge Portal for Apple iOS and Android software support policy
Release Note: BIG-IP Edge Client for iOS 1.0.6
Advanced Edge Client Installation for Windows – The Mysteries of Windows Installer Revealed
F5 BIG-IP Edge Client
F5 BIG-IP Edge Portal
F5 BIG-IP Edge Client for Android

Technorati Tags: f5, big-ip, edge client, ssl-vpn, mobile, smartphone, ios7, apple, iphone, ipad, silva, remote access, security, secure access, apm

WILS: The Importance of DTLS to Successful VDI
One of the universal truths about user adoption is that if performance degrades, they will kick and scream and ultimately destroy your project.

Most VDI (Virtual Desktop Infrastructure) solutions today still make use of traditional thin-client protocols like RDP (Remote Desktop Protocol) as a means to enable communication between the client and their virtual desktop. Starting with VMware View 4.5, VMware introduced the high-performance PCoIP (PC over IP) communications protocol. While PCoIP is usually associated with rich media delivery, it is also useful in improving performance over distances. Such as the distances often associated with remote access. You know, the remote access by employees whose communications you particularly want to secure because it’s traversing the wild, open Internet. Probably with the use of an SSL VPN.

Unfortunately, most traditional SSL VPN devices are unable to properly handle this unique protocol and therefore run slow, which degrades the user experience. The result? A significant hindrance to adoption of VDI has just been introduced, and your mission, whether you choose to accept it or not, is to find a way to improve performance such that both IT and your user community can benefit from using VDI.

The solution is actually fairly simple, at least in theory. PCoIP is a datagram (UDP) based protocol. Wrapping it up in what is a TCP-based security protocol, SSL, slows it down. That’s because TCP is (designed to be) reliable, checking and ensuring packets are received before continuing on. On the other hand, UDP is a fire-and-assume-the-best-unless-otherwise-notified protocol, streaming out packets and assuming clients have received them. It’s not as reliable, but it’s much faster, and it’s not at all uncommon. Video, audio, and even DNS often leverage UDP for speedy transmission with less overhead. So what you need, then, is a datagram-focused transport layer security protocol.
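The delay penalty described above is easy to see in a small model. The following is an added example, not code from the original post or from F5: it simulates a constructed burst of PCoIP-like datagrams once with in-order, reliable (TCP-like) delivery, where a single lost packet is retransmitted and every packet behind it waits, and once with datagram (UDP/DTLS-like) delivery, where surviving packets are handed up immediately. The timings, the loss pattern and the fixed retransmission penalty are assumptions chosen for illustration; real TCP retransmission timing depends on its retransmission timer and fast-retransmit logic.

```python
"""Added example (not from the original post): a simplified model of why
tunnelling a datagram protocol such as PCoIP inside an in-order, reliable
stream transport (TLS over TCP) adds delay under packet loss, while a datagram
transport (DTLS over UDP) does not. All timings and the loss pattern below are
constructed for illustration."""
from dataclasses import dataclass


@dataclass
class DeliveryStats:
    delivered: int        # packets handed to the application
    lost: int             # packets the application never receives
    mean_delay_ms: float  # average send-to-delivery delay over delivered packets
    max_delay_ms: float   # worst-case send-to-delivery delay


def _stats(delays, lost):
    if not delays:
        return DeliveryStats(0, lost, 0.0, 0.0)
    return DeliveryStats(len(delays), lost, sum(delays) / len(delays), max(delays))


def simulate(n_packets, interval_ms, one_way_ms, retransmit_ms, lost_indices):
    """Return (stream_stats, datagram_stats) for one constructed loss pattern.

    Assumptions of this simplified model:
    - the sender emits packet i at time i * interval_ms and each packet takes
      one_way_ms to cross the network;
    - stream mode (TCP-like): a lost packet is retransmitted and arrives
      retransmit_ms after its original send time; the receiver must deliver
      in order, so every later packet that has already arrived waits for it
      (head-of-line blocking);
    - datagram mode (UDP/DTLS-like): every packet that arrives is delivered
      at once; a lost packet stays lost and the application copes with the gap.
    """
    lost = set(lost_indices)
    send = [i * interval_ms for i in range(n_packets)]

    # Stream mode: arrival includes the retransmission penalty for lost packets,
    # and no packet may be delivered before the packets sent ahead of it.
    stream_delays = []
    last_delivered = 0.0
    for i in range(n_packets):
        arrival = send[i] + one_way_ms + (retransmit_ms if i in lost else 0)
        delivered_at = max(arrival, last_delivered)
        last_delivered = delivered_at
        stream_delays.append(delivered_at - send[i])

    # Datagram mode: surviving packets are delivered on arrival, in any order.
    datagram_delays = [float(one_way_ms) for i in range(n_packets) if i not in lost]
    datagram_lost = sum(1 for i in range(n_packets) if i in lost)

    return _stats(stream_delays, 0), _stats(datagram_delays, datagram_lost)


if __name__ == "__main__":
    # Constructed scenario: 10 packets, 10 ms apart, 50 ms one-way latency,
    # a 250 ms retransmission penalty, and packet 2 lost on the wire.
    stream, datagram = simulate(n_packets=10, interval_ms=10, one_way_ms=50,
                                retransmit_ms=250, lost_indices={2})
    print("stream   :", stream)
    print("datagram :", datagram)
```

With the constructed inputs, one lost packet raises the mean delay of the stream-tunnelled burst from 50 ms to 222 ms and the worst case to 300 ms, because packets 3 through 9 sit in the receive buffer until packet 2 is retransmitted. The datagram path delivers the other nine packets at the unchanged 50 ms and leaves the application to handle the one gap, which is exactly the trade-off a display protocol is built for.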
Enter DTLS:

In information technology, the Datagram Transport Layer Security (DTLS) protocol provides communications privacy for datagram protocols. DTLS allows datagram-based applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented TLS protocol and is intended to provide similar security guarantees. The datagram semantics of the underlying transport are preserved by the DTLS protocol — the application will not suffer from the delays associated with stream protocols, but will have to deal with packet reordering, loss of datagram and data larger than a datagram packet size. -- Wikipedia

If your increasingly misnamed SSL VPN (which is why much of the industry has moved to calling them “secure remote access” devices) is capable of leveraging DTLS to secure PCoIP, you’ve got it made. If it can’t, well, attempts to deliver VDI to remote or roaming employees over long distances may suffer setbacks or outright defeat due to a refusal to adopt based on performance and availability challenges experienced by the end users. DTLS is the best alternative for ensuring secure remote access to virtual desktops remains secured over long distances without suffering unacceptable performance degradation. If you’re looking to upgrade, migrate, or are just now getting into secure remote access, and you’re also considering VDI via VMware, ask about DTLS support before you sign on the dotted line.

WILS: Write It Like Seth. Seth Godin always gets his point across with brevity and wit. WILS is an attempt to be concise about application delivery topics and just get straight to the point. No dilly dallying around.

Related blogs & articles:
WILS: Load Balancing and Ephemeral Port Exhaustion
All WILS Topics on DevCentral
WILS: SSL TPS versus HTTP TPS over SSL
WILS: Three Ways To Better Utilize Resources In Any Data Center
WILS: Why Does Load Balancing Improve Application Performance?
WILS: A Good Hall Monitor Actually Checks the Hall Pass
WILS: Applications Should Be Like Sith Lords
F5 Friday: Beyond the VPN to VAN
F5 Friday: Secure, Scalable and Fast VMware View Deployment
Desktop Virtualization Solutions from F5

New iOS Edge Client
If you are running the BIG-IP Edge Client on your iPhone, iPod or iPad, you may have gotten an AppStore alert for an update. If not, I just wanted to let you know that version 1.0.3 of the iOS Edge Client is available at the AppStore.

The main updates in v1.0.3:
URI scheme enhancement allows passing configuration data to the client upon access. For example, you could have a link on the WebTop that invokes the client and forces web logon mode.
Other bug fixes.

The BIG-IP Edge Client application from F5 Networks secures and accelerates mobile device access to enterprise networks and applications using SSL VPN and optimization technologies. Access is provided as part of an enterprise deployment of F5 BIG-IP Access Policy Manager, Edge Gateway, or FirePass SSL-VPN solutions.

BIG-IP Edge Client for iOS Features:
Provides accelerated mobile access when used with F5 BIG-IP Edge Gateway.
Automatically roams between networks to stay connected on the go.
Full Layer 3 network access to all your enterprise applications and files.

I loaded it yesterday on my devices without a hitch.

ps

Related:
iDo Declare: iPhone with BIG-IP
F5 Announces Two BIG-IP Apps Now Available at the App Store
F5 BIG-IP Edge Client App
F5 BIG-IP Edge Portal App
F5 BIG-IP Edge Client Users Guide
iTunes App Store
Securing iPhone and iPad Access to Corporate Web Applications – F5 Technical Brief
Audio Tech Brief - Secure iPhone Access to Corporate Web Applications

Technorati Tags: F5, infrastructure 2.0, integration, cloud connect, Pete Silva, security, business, education, technology, application delivery, ipad, cloud, context-aware, iPhone, web, internet, hardware, audio, whitepaper, apple, iTunes

From Car Jacking to Car Hacking
With the promise of self-driving cars just around the corner of the next decade, and with researchers already able to remotely apply the brakes and listen to conversations, a new security threat vector is emerging. Computers in cars have been around for a while, and today, with as many as 50 microprocessors, they control engine emissions, fuel injectors, spark plugs, anti-lock brakes, cruise control, idle speed, air bags and, more recently, navigation systems, satellite radio, climate control, keyless entry, and much more.

In 2010, a former employee of Texas Auto Center hacked into the dealer’s computer system and remotely activated the vehicle-immobilization system, which engaged the horn and disabled the ignition system of around 100 cars. In many cases, the only way to stop the horns (going off in the middle of the night) was to disconnect the battery. Initially, the organization dismissed it as a mechanical failure, but when they started getting calls from customers, they knew something was wrong. This particular web-based system was used to get the attention of those who were late on payments, but obviously it was used for something completely different. After a quick investigation, police were able to arrest the man and charge him with unauthorized use of a computer system.

University of California - San Diego researchers, in 2011, published a report (pdf) identifying numerous attack vectors like CD radios, Bluetooth (we already knew that) and cellular radio as potential targets. In addition, there are concerns that, in theory, a malicious individual could disable the vehicle or re-route GPS signals, putting transportation (fleet, delivery, rental, law enforcement) employees and customers at risk. Many of these electronic control units (ECUs) can connect to each other and the internet, and so they are vulnerable to the same internet dangers like malware, trojans and even DoS attacks.
Those with physical access to your vehicle, like mechanics, valets or others, can access the On-Board Diagnostic System (OBD-II), usually located right under the dash. Plug in, and upload your favorite car virus. Tests have shown that if you can infect the diagnostics tools at a dealership, when cars were connected to the system, they were also infected. Once infected, the car would contact the researcher’s servers asking for more instructions. At that point, they could activate the brakes, disable the car and even listen to conversations in the car. Imagine driving down a highway, hearing a voice over the speakers and then someone remotely explodes your airbags. They’ve also been able to insert a CD with a malicious file to compromise a radio vulnerability.

Most experts agree that right now it is not something to overly worry about, since many of the previously compromised systems are after-market equipment, it takes a lot of time/money, and car manufacturers are already looking into protection mechanisms. But as I’m thinking about current trends like BYOD, it is not far-fetched to imagine a time when your car is VPN’d to the corporate network and you are able to access sensitive info right from the navigation/entertainment/climate control/etc screen. Many new cars today have USB ports that recognize your mobile device as an AUX and allow you to talk, play music and do other mobile activities right through the car’s system. I’m sure within the next 5 years (or sooner), someone will distribute a malicious mobile app that will infect the vehicle as soon as you connect the USB. Suddenly, buying that ‘84 rust bucket of a Corvette that my neighbor is selling doesn’t seem like that bad of an idea, even with all the C4 issues.

ps

Freedom vs. Control
No sooner had I posted BYOD–The Hottest Trend or Just the Hottest Term last week than yet another BYOD survey hit the news. The full results will be released in a webinar tomorrow, but SANS announced their First Annual Survey Results on Mobility Security. Last December, SANS launched its first ever mobility survey to discover if and how organizations are managing risk around their end user mobile devices. The survey of 500 IT pros found that a meager 9% of organizations felt they were fully aware of the devices accessing corporate resources, while 50% felt only vaguely or fairly aware of the mobile devices accessing their resources. In addition, more than 60% of organizations allow staff to bring their own devices. With so many companies allowing BYOD, controls and policies are very important to securing business environments.

Courtesy: SANS Mobility BYOD Security Survey

Deb Radcliff, executive editor, SANS Analyst Program, said, ‘Another interesting note is that organizations are reaching for everything at their disposal to manage this risk,…Among them are user education, MDM (mobile device management), logging and monitoring, NAC and guest networking, and configuration controls.’ Less than 20% are using end point security tools, and out of those, more are using agent-based tools rather than agent-less. According to the survey, 17% say they have stand-alone BYOD security and usage policies; 24% say they have BYOD policies added to their existing policies; 26% say they "sort of" have policies; 3% don't know; and 31% say they do not have any BYOD policies. Over 50% say employee education is one way they secure the devices, and 73% include user education with other security policies.

The BYOD challenge, I think, falls under an age-old dilemma: Freedom vs. Control. We see this clash in world politics, we’ve seen it pertaining to the internet itself, we may even experience it at home with our offspring.
The freedom to select, use, work and play with the desired mobile device of our choosing bumps up against a company’s mandate to protect and secure access to sensitive corporate information. There can be tension between a free and open culture versus the benefits of control and information management. Sometimes people equate freedom with having control over things, yet when it comes to controlling others, many of us feel slightly uncomfortable on either end of the leash. Sometimes oversight is necessary if someone does not have self-control. BYOD is a revolution, a drastic change in how organizations manage devices and manage access to information. If you look at revolutions through the years, often it’s about freedom vs. control. I’m certainly not suggesting an employee coup of the executive floor, but remember there are two distinct and diverse powers at play here, and successful BYOD deployments need to involve both people and technology.

ps

Resources:
SANS Mobility BYOD Security Survey
Are your employees on a BYOD binge?
SANS Survey: BYOD Widespread But Lacking Sufficient Oversight
SANS First Annual Survey Results on Mobility Security: Lack of Awareness, Chaos Pervades with BYOD
BYOD–The Hottest Trend or Just the Hottest Term
Only 9 Percent of Organizations Are Aware of the Devices Accessing Their Corporate Data
Evolving (or not) with Our Devices
The New Wallet: Is it Dumb to Carry a Smartphone?
Audio Tech Brief - Secure iPhone Access to Corporate Web Applications
Freedom vs Control – important lessons to be learned
New security flaws detected in mobile devices
Freedom and Control | Psychology Today
Devo - Freedom Of Choice (Video)

Who In The World Are You?
Steven Wright has said, 'It's a small world, but I wouldn't want to paint it.' The world is getting smaller with today's 24/7 global marketplace. Businesses have offices and employees around the world to serve the needs of the organization's global customers. Those users, whether they are in a branch office, home office or mobile, need access to critical information. Data like corporate information, customer information, sales information, financial information, product information and any other sources of business material is important to be able to make smart enterprise decisions. Without access to this data, poor decisions are made and the business can suffer. The recent breaches, especially the intrusions tied to the RSA compromise, have put identity and access management in the spotlight.

Once upon a time, users had to be in the office, connected to the network, to access corporate applications. IT organizations probably knew who the user was since they were sitting at a desk; organizations knew the type of device since it was issued by IT, and the business applications were delivered quickly and securely since it was from an internal local area network. Then users needed access to that same information while they were away from the office, and solutions like VPNs and Remote Access quickly gained acceptance. As adoption grew, so did requests for access above and beyond the normal employee. Soon partners, contractors, vendors and other 3rd party ecosystems were given access to corporate resources. Employees and partners from around the globe were connecting from a barrage of networks, carriers and devices. This can be very risky since IT might not know the identity of those users. Anonymous networks allow users to gain access to systems via a User ID and password, but they cannot decipher exactly who the user actually is: an employee, guest, contractor, partner and the like.
Anonymous networks do have visibility at the IP or MAC address level, but that information does not equate to a user's identity. Since these networks are unable to attribute IP to identity, the risk is that information may be available to users who are not authorized to see it. There is also no reporting as to what was accessed or where a specific user has navigated within a system. Unauthorized access to systems is a huge concern for companies, not only pertaining to the disclosure and loss of confidential company data but the potential risks to regulatory compliance and public criticism. It is important that only authenticated users gain admission and that they only access the resources they are authorized to see.

Controlling and managing access to system resources must be based on identity. A user's identity, or their expressed or digitally represented identity, can include identifiers like: what you say, what you know, where you are, what you share, who you know, your preferences, your choices, your reputation, your profession or any other combination that is unique to the user. Access can mean different things - access to an intranet web application to search for materials, access to MS Exchange for email, access to virtualized Citrix, VMware or Remote Desktop deployments, access to a particular network segment for files, and full domain network access as if the user is sitting in the office. The resources themselves can be in multiple locations: corporate headquarters, the data center, at a branch office, in the cloud or a mix of them all. When users are all over the world, globally distributed access across several data centers can help solve access and availability requirements. Organizations also need their application and access security solution in the strategic point of control, a centralized location at the intersection between the users and their resources, to make those intelligent, contextual, identity-based decisions on how to handle access requests.
Residing in this important strategic point of control within the network, the BIG-IP Access Policy Manager (APM) for BIG-IP Local Traffic Manager (LTM), along with BIG-IP Edge Gateway (EGW), provide the security, scalability and optimization that's required for unified global access to corporate resources for all types of deployment environments. The ability to converge and consolidate remote users, LAN access and wireless junctions on a single management interface and provide easy-to-manage access policies saves money and frees up valuable IT resources. F5's access solutions secure your infrastructure, creating a place within the network to provide security, scalability, optimization, flexibility, context, resource control, policy management, reporting and availability for all applications.

ps

Resources:
The IP Address – Identity Disconnect
Lost Your Balance? Drop The Load and Deliver!
Identity Theft: Good News-Bad News Edition
F5 Friday: Never Outsource Control
Is OpenID too open?
F5 Friday: Application Access Control - Code, Agent, or Proxy?
Audio White Paper - Streamlining Oracle Web Application Access Control
The Context-Aware Cloud
Be Our Guest

Telecommute your way to a greener bottom line
For the past eight years I've been telecommuting, first for Network Computing Magazine and now for F5. In fact, Don and I have been telecommuters (or teleworkers, depending on whom you ask) for so long that our children don't realize that most people actually have to get dressed and go to work on a daily basis. Granted, that's because we happen to live (and want to stay) in that great technological mecca of the midwest (Green Bay) even though F5 is headquartered in Seattle, but F5, being the best high-tech company in the Pacific Northwest (really, I'm not just saying that), has employees who routinely telecommute despite living in the Seattle area.

Obviously there are personal benefits to telecommuting that cannot be measured, particularly if you have a family or hate to shower on a regular basis. But there are also plenty of disbenefits (that is too a word, I just made it up) that come from being "in the office" all the time, particularly with the lure of "getting just one more thing done" constantly in your face and at your fingertips.

There are many corporate benefits, as well, and some that are often more far reaching than just saving office space at corporate headquarters. The positive impact of the reduction in carbon emissions saved even by employees telecommuting one or two days a week should not be underestimated, especially given the number of employees who commute to the workplace and the length of time they spend doing so. Mindy S. Lubber at the Harvard Business Online Leading Green blog ponders the effects of physically commuting to work:

And it makes me wonder--are we really maximizing the impact of open work as a strategy to combat rising energy use, increased greenhouse gas emissions, and the greater climate change crisis? In my home state of Massachusetts, more than 3 million people commute by car each day--74 percent of those commuters driving alone. Every year, urban commuters in the U.S.
waste 2.9 billion gallons of fuel idling in traffic--the equivalent of 58 fully-loaded supertanker ships.

But it's more than just environmental consciousness that is driving the march toward more telecommuting options. As Ted Samson of InfoWorld noted last year, there are many financial benefits to telecommuting to consider. For starters, the ITAC found that employers can realize an annual per-employee savings of $5,000 through implementing telecommuting programs. "Your organization could save one office for every three teleworkers (that's about $2,000 per teleworker per year, or $200,000 per 100 teleworkers)," according to the Canadian Telework Association (CTA). Case in point: Through Sun's telecommute program, called Sun Open Work Practice, around 2,800 employees work from home three to five days a week; another 14,219 work remotely twice weekly, according to reports. The company says its efforts have resulted not only in 29,000 fewer tons of CO2 emissions -- but the company reaped $63 million in the last fiscal year by cutting 6,660 office seats.

With those kinds of green savings - both financial and environmental - the question has to be why more corporations aren't jumping on the telecommuting bandwagon.

THE TECHNOLOGY FACTOR

In the past, the cost and complexity of the PKI (Public Key Infrastructure) necessary to support corporate access via a VPN were often prohibitive and made telecommuting an unfavorable option with corporations. But the advent of SSL VPNs reduced both the cost and complexity of providing secure remote access to corporate resources from remote locations and has virtually eliminated both cost and complexity as a reason not to implement a telecommuting policy.
Even in the past few years the ability of SSL VPNs to integrate with the rest of the corporate infrastructure and support connectivity beyond the desktop via Apple's iPhone and Windows Mobile devices has expanded and improved, making corporate connectivity a breeze no matter where a telecommuter or roaming employee might be.

THE HUMAN FACTOR

The bigger question is, of course, whether employees are good telecommuters or not. A high drop in productivity can offset the savings realized by telecommuting, so it's a somewhat risky proposition. An SSL VPN is perfect for implementing a trial program for telecommuting. Because it requires no hardware or software at remote sites (client connections are proxied through a web-based client in almost all cases at the time the user logs in), there's less time and effort and money invested in giving employees a chance to try out telecommuting and see if it works for them - and you. All you need is an SSL VPN at corporate headquarters and you can implement a trial run to see what works best for you and your employees. Maybe it turns out to be an incentive program, or a reward for service - on par with how most employees accrue more vacation days the longer they are with the organization.

IT DOESN'T HAVE TO BE ALL OR NOTHING

Even if a telecommuting initiative doesn't work out, having an SSL VPN available will still turn out to be a good investment. Everyone has days when they're too sick to come into the office but could still work if they could just do it from home. Likewise, children get sick and need parents at home who could be working off and on rather than losing the entire day. Traveling employees can still have access to corporate resources if need be, which is another great use of the investment, whether it's used for a telecommuting initiative or not. SSL VPNs provide a wide variety of options for secure remote access regardless of the reasons why that access is required.
Whether you're into green cash or green grass, there's a good reason to consider deploying (and using) an SSL VPN.

F5 Friday: Why SSL VPN Still Matters
#mobile #vdi #infosec

Scale and flexibility make SSL VPN an important part of any corporate remote access strategy.

You might have noticed a couple of news items from F5 this week that appeared related. If you noticed, you were right; they are. First, we were very excited to announce recognition of our hard work on our SSL VPN solutions: F5 Positioned in Leaders Quadrant of SSL VPN Magic Quadrant. Second, we were even more excited to announce adding industry-leading support for Android’s 4.x OS, enhancing its SSL VPN capabilities.

Why would we be excited about that? Because mobile devices and virtualization (desktop, a la VDI, and server, a la cloud) continue to drive the need for secure remote access at a scale never before experienced by most IT organizations. While web monsters and primarily web-focused organizations have long understood the critical nature of scalability to their business, IT shops for whom a web presence was only somewhat important have not necessarily invested in the infrastructure or architecture necessary to truly scale to meet the increasing demand. It is increasingly the case that IT orgs of all shapes, sizes, and concerns must look to the scalability of their infrastructure to ensure their ability to service users inside and outside the data center via an oftentimes dizzying array of clients and technologies.

SSL VPNs arose from similar needs many years ago, out of the overwhelming complexity associated with IPSEC and the inability to support every end-user from every platform available. An SSL VPN generally provides two things: secure remote access via a web-top portal and network-level access via an SSL secured tunnel between the client and the corporate network. By providing both modes of access via an established, ubiquitous protocol (SSL), such solutions are better able to provide end users with access to resources regardless of platform.
By deploying such a solution on a proven, highly scalable platform (BIG-IP), such solutions are better able to provide IT with the means to scale not only the solution but its requisite infrastructure services.

Enhanced Mobile Support

BIG-IP® Edge Client™ is the industry’s first SSL VPN solution that provides comprehensive security and mobile access for all devices running Android 4.x (codenamed Ice Cream Sandwich). It’s free, and you can get it anytime you like. Right now, if you want – go ahead. Grab it, I’ll wait. Oh, you aren’t running Ice Cream Sandwich yet? If you’ve got a “rooted” device, we’ve got your back there, too, with our BIG-IP Edge Client for “rooted” devices.

Additionally, F5 is introducing enhanced support for its BIG-IP Edge Portal™, which provides managed application access to enterprise web applications such as SharePoint, wikis, and Intranet sites. This is that web top access mentioned earlier – a secure means of providing access to resources from any device without giving away the keys to the kingdom via the more open corporate network access route. And ultimately, this two-pronged approach to secure remote access afforded by SSL VPN solutions like BIG-IP Edge Gateway will continue to be important to corporate remote access strategies precisely because of the need to differentiate levels of service and access based on location, device, and user – something only a context-aware solution can provide.

This is why validation of external sources of our work in the SSL VPN arena is exciting – because SSL VPN continues to be a significantly more flexible option than traditional IPSEC VPN connectivity, and with the continued growth of mobile devices and demand for technology like VDI, it will certainly only continue to expand its applicability in the enterprise as scale and flexibility become more and more necessary to meet the diverse, distributed demand of clients.
F5 Positioned in Leaders Quadrant of SSL VPN Magic Quadrant
F5 Keeps Android Users Connected and Productive with New Secure Access Solutions
F5 SSL VPN Security Solutions – Overview
Magic Quadrant for SSL VPNs – Gartner Report
I Scream, You Scream, We all Scream for Ice Cream (Sandwich)
Scaling VDI Architectures
Strategic Trifecta: Access Management
F5 Friday: The Mobile Road is Uphill. Both Ways.
All F5 Friday Posts on DevCentral

F5 Friday: The Dynamic VDI Security Game
Balancing security, speed, and scalability is easy if you have the right infrastructure. A dynamic infrastructure.

All the talk about “reusing” and “sharing” resources in highly virtualized and cloud computing environments makes it sound as if IT has never before understood how to leverage dynamic, on-demand services. After all, while Infrastructure 2.0 (dynamic infrastructure) may only have been given its moniker since the advent of cloud computing, it’s not as if it didn’t exist before then and organizations weren’t taking advantage of its flexibility. It’s a lot like devops: we’ve been talking about bridging that gap between operations and development for years now – we just never had a way to describe it so succinctly until devops came along.

The ability to dynamically choose delivery profiles – whether those associated with acceleration and optimization or those associated with security – is an important facet of application delivery solutions in today’s highly virtualized and cloud computing environments. Call it “reuse” of policies or “sharing” of profiles, whatever you like – this ability has been a standard feature of F5’s application delivery platform for a long, long time. This dynamic, on-demand provisioning of services based on context is the defining characteristic of an Infrastructure 2.0 solution. In the case of VDI, and specifically VDI implemented using VMware View 4.5 or later, it’s specifically about the ability to dynamically provision the right encryption solution at the right time, which is paramount to the success of VDI when remote access is required.

THE CHALLENGE

Secure remote access (you know, for us remote and roaming folks who rarely see the inside of corporate headquarters) to hosted desktops that reside behind corporate firewalls (where they belong) requires tunneling all VMware View connections. Not an uncommon scenario in general, right? Tunneling access to corporate resources is a pretty common theme when talking secure remote access. The key here is secure, meaning encrypted, which for most applications delivered today via the Web means SSL. For VMware View, when RDP (Remote Desktop Protocol) is the protocol of choice, that means a solution that scales poorly due to the intensive CPU consumption for SSL by the View security servers. And if PCoIP is chosen instead of RDP for its enhanced ability to deliver rich media and perform better over long distances, then the challenge becomes enabling security in an architecture in which it is not supported (PCoIP is UDP based, which is not supported by View security servers). SSL VPN solutions can be leveraged to tunnel PCoIP in SSL, but there’s a significant degradation of performance associated with that decision that will negatively impact the user experience.

So the challenge is: enable secure remote access to virtual desktops within the corporate data center without negatively impacting performance or scalability of the architecture.

THE SOLUTION

This particular challenge can be met by employing Datagram Transport Layer Security (DTLS) in lieu of SSL. DTLS is a derivative of TLS that provides the same security measures for UDP-based protocols as SSL provides for TCP-based protocols, without the performance degradation. F5 BIG-IP Edge Gateway supports both SSL and DTLS encryption tunnels. This becomes important because View security servers do not support DTLS, and while falling back to SSL may be an option, the performance degradation for the user combined with the increased utilization on View security servers to perform SSL operations do not make for a holistically successful implementation.

BIG-IP Edge Gateway addresses this challenge in three ways:

BIG-IP Edge Gateway offloads the cryptographic processing from the servers, increasing utilization and scalability of the supporting infrastructure and improving performance. Because the cryptographic processing is handled by dedicated hardware designed to accelerate and process such operations efficiently, the implementation scales better whether using DTLS or SSL or a combination of both.

BIG-IP Edge Gateway can dynamically determine which encryption protocol to use depending on the display protocol and client support for that user and device. It’s context-aware, and makes the decision when the client begins their session. It leverages a dynamic and reusable set of policies designed to aid in optimizing connectivity between the client and corporate resources based on conditions that exist at the time requests are made.

Lastly, BIG-IP Edge Gateway automatically falls back to using TCP if a high-performance UDP tunnel cannot be established. This is an important capability, as a slower connection is generally preferred over no connection, and there are scenarios in which a high-performance UDP tunnel simply can’t be set up for the client.

Infrastructure should support security, not impede it. It’s great to be able to leverage the improvement in display protocol performance offered by PCoIP, but not at the expense of security. Leveraging an intermediary capable of dynamically providing the best security services for remote access to virtual desktops residing within the corporate data center means not having to sacrifice speed or scalability for security.

Related blogs & articles:
WILS: The Importance of DTLS to Successful VDI
F5 Friday: It’s a Data Tsunami for Service Providers
F5 Friday: Beyond the VPN to VAN
All F5 Friday Posts on DevCentral
Some Services are More Equal than Others
Service Delivery Networking Presentation
Why Virtualization is a Requirement for Private Cloud Computing
What is Network-based Application Virtualization and Why Do You Need It?
You Can’t Have IT as a Service Until IT Has Infrastructure as a Service