DNS The F5 Way: A Paradigm Shift
This is the second in a series of DNS articles that I'm writing. The first is: Let's Talk DNS on DevCentral.

Internet users rely heavily on DNS, and when DNS breaks, applications break. It's extremely important to implement an architecture that provides for DNS availability at all times. It's important because the number of Internet users continues to grow. In fact, a recent study conducted by the International Telecommunications Union claims that mobile devices will outnumber the people living on this planet at some point this year (2014). I'm certainly contributing to those stats as I have a smartphone and a tablet! In addition, the sophistication and complexity of websites are increasing. Many sites today require hundreds of DNS requests just to load a single page. So, when you combine the number of Internet users with the complexity of modern sites, you can imagine that the number of DNS requests traversing your network is extremely large. Verisign's average daily DNS query load during the fourth quarter of 2012 was 77 billion with a peak of 123 billion. Wow...that's a lot of DNS requests...every day! The point is this...Internet use is growing, and the need for reliable DNS is more important than ever.

par·a·digm noun \ˈper-ə-ˌdīm\: a group of ideas about how something should be done, made, or thought about

Conventional DNS design goes something like this... Front end (secondary) DNS servers are load balanced behind a firewall, and these servers answer all the DNS queries from the outside world. The master (primary) DNS server is located in the datacenter and is hidden from the outside world behind an internal firewall. This architecture was adequate for a smaller Internet, but in today's complex network world, this design has significant limitations. Typical DNS servers can only handle up to 200,000 DNS queries per second per server. Using the conventional design, the only way to handle more requests is to add more servers.

Let's say your organization is preparing for a major event (holiday shopping, for example) and you want to make sure all DNS requests are handled. You might be forced to purchase more DNS servers in order to handle the added load. These servers are expensive and take critical manpower to operate and maintain. You can start to see the scalability and cost issues that add up with this design. From a security perspective, there is often weak DDoS protection with a conventional design. Typically, DDoS protection relies on the network firewall, and this firewall can be a huge traffic bottleneck. Check out the following diagram that shows a representation of a conventional DNS deployment.

It's time for a DNS architecture paradigm shift. Your organization requires it, and today's Internet demands it.

F5 Introduces A New Way...

The F5 Intelligent DNS Scale Reference Architecture is leaner, faster, and more secure than any conventional DNS architecture. Instead of adding more DNS servers to handle increased DNS request load, you can simply install the BIG-IP Global Traffic Manager (GTM) in your network's DMZ and allow it to handle all external requests. The following diagram shows the simplicity and effectiveness of the F5 design. Notice that the infrastructure footprint of this design is significantly smaller. This smaller footprint reduces costs associated with additional servers, manpower, HVAC, facility space, etc.

I mentioned the external request benefit of the BIG-IP GTM...here's how it works. The BIG-IP GTM uses F5's specifically designed DNS Express zone transfer feature and cluster multiprocessing (CMP) for exponential performance of query responses. DNS Express manages authoritative DNS queries by transferring zones to its own RAM, so it significantly improves query performance and response time. With DNS Express zone transfer and the high performance processing realized with CMP, the BIG-IP GTM can scale up to more than 10 million DNS query responses per second, which means that even large surges of DNS requests (including malicious ones) will not likely disrupt your DNS infrastructure or affect the availability of your critical applications.

The BIG-IP GTM is much more than an authoritative DNS server, though. Here are some of the key features and capabilities included in the BIG-IP GTM:

- ICSA certified network firewall -- you don't have to deploy DMZ firewalls any more...it IS your firewall!
- Monitors the health of app servers and intelligently routes traffic to the nearest data center using IP Geolocation
- Protects from DNS DDoS attacks using the integrated firewall services, scaling capabilities, and IP address intelligence
- Allows you to utilize the benefits of a cloud environment by flexibly deploying BIG-IP GTM Virtual Edition (VE)
- Supports DNSSEC with real-time signing and validates DNSSEC responses

As you can see, the BIG-IP GTM is a workhorse that literally has no rival in today's market. It's time to change the way we think about DNS architecture deployments. So, utilize the F5 Intelligent DNS Scale Reference Architecture to improve web performance by reducing DNS latency, protect web properties and brand reputation by mitigating DNS DDoS attacks, reduce data center costs by consolidating DNS infrastructure, and route customers to the best performing components for optimal application and service delivery.

Learn more about F5 Intelligent DNS Scale by visiting https://f5.com/solutions/architectures/intelligent-dns-scale

TLS Poodle and RC4 vulnerability : default:!SSLv3:!RC4-SHA
We are running F5 LTM version 11.4.1 hotfix 4. Recently we disabled the RC4 weak CIPHER to remove the Minimal warning from our scan. But due to the recent arrival of the Poodle TLS vulnerability we had to introduce !SSLv3:RC4-SHA, which brought back the Minimal warning for having RC4 in the acceptable CIPHER. How can we overcome this?

Removing Poodle TLS padding vulnerability returns RC4 warning

User Group Road Trip!
The esteemed pathological liar John Wagnon and I joined quite a group of F5ers in a three stop road trip through the heart of the Ohio River Valley. The always entertaining and wildly informative David Holmes joined us at all three stops, and we also had some great presentations from security architect Pez Zivic and vCMP product manager Dan Gilbert along the way. But enough about F5...these user groups all had customers presenting, sharing their deployment experiences and passing along all the good, bad, and ugly along the way. You might think we'd bristle at hearing the bad, but not at all. It's always a good thing to learn from customers where the pain points are so we can lessen or eliminate them. Sometimes those solutions come from a different approach, sometimes in enhancements in future releases, but we can't address them if we don't hear about it. So bring it! We have thick skin, we can handle it. Chatham House Rule was invoked at each event, which gave the customers the freedom to share some information they otherwise would remove from their public facing decks.

Cincinnati

The first stop on the journey, Cincinnati did not disappoint. Maggiano's Little Italy hosted, serving a nice array of food and providing a monster screen for presentations. David Holmes dove into some DDoS, provided some insights on recent SSL vulns and the potential for some Heartbleed rinse-repeat action given the new efforts underway on the LibreSSL fork. Next, a customer presented on their introduction, deployment experience, and lessons learned with BIG-IP Local Traffic Manager and BIG-IP Application Security Manager products. My takeaways from his presentation:

- "You went technical...you never go full technical!" Hysterical.
- Over-communicate amongst the technical teams and business units.
- Don't assume application owners know exactly how their application behaves on the wire.

Dan Gilbert, vCMP product manager with F5, dropped some great content (more on that below) on the group, as did F5 security solution architect Pez Zivic. John and I wrapped up the show sharing a little about how to get the most out of DevCentral and the demystification of iRules.

Cincinnati User Group Video Recap

Columbus

A couple hours up the road from Cincinnati, we hit stop two in Columbus, OH, at a fancy little restaurant called J Liu. Again, the food was fantastic, but there was something curious near the salad bowl...was that a balsamic vinaigrette, or was that chocolate pudding? One brave tester confirmed it was the vinaigrette, but if you can keep all the contents on the utensil after turning it upside down...it's not a vinaigrette. But I digress. A customer kicked off his presentation on his journey from amateur to advocate on BIG-IP, particularly around their adoption of vCMP. My takeaways from his presentation:

- Use the F5 Technology Centers! This customer did, and learned an incredible amount about their new BIG-IP gear during the process.
- Take the time to understand the changes in default behaviors when adopting new products.
- A repeated theme from Cincinnati: get tech/business units on board early.
- tmsh enabled them to build out configurations quickly and cleanly.

Dan followed the customer presentation with some great 11.5 functionality in vCMP that this customer has to look forward to, as well as some of the forthcoming roadmap. John and I presented again and David Holmes wrapped up this show. I'm looking forward to getting a Secure Web Gateway lab built so I can try out some of David's recommendations on my kids' mobile tech. At happy hour before driving further down the road to Pittsburgh, John and David spent a little time with Taffy the miniature horse. Yep, so that happened. I think it was so disturbing David Holmes had nightmares about it. You should ask him next time you see him.

Columbus User Group Video Recap

Pittsburgh

Last stop on the road trip was in Pittsburgh, where we met with a large group of customers in the 1960 suite at PNC Park to share knowledge with each other, catch up on the great solutions people are cooking up with F5 products, and finally, catch the game between the Pirates and the Reds. Being a Cardinals fan, I had to rub a little salt in the divisional rivalry, so I opened my presentation with a self-reflective analysis of which Cards hat I should wear for the day: my 2011 World Series champs hat, or my 2013 NL champs hat (which the Cards earned by knocking the Pirates out of the playoffs along the way last year). I went with the latter. Now that I had built strong bonds with all those Pirates fans... The customer that presented discussed his team's experience with device cluster groups and traffic groups. They are still in the design selection phase, so it was neat to hear their insight into the different approaches one might take to deployment strategies. I need to spend more time digging into the device and traffic groups; it's an area I don't have much experience in beyond the basic HA technologies from my customer days. Anyway, Jack Fenimore updated the crew on all the new goodness in 11.5 across the product lines, and David Holmes again wowed the crowd with all his security goodness. After the game, John and I jumped in my hoopty, a 2003 Honda Pilot, and headed for home. It's funny, we started east, and got more east at each stop, so the final and only trip west was a long one, made 2 hours longer thanks to the rush hour + baseball game ending traffic jam. That was not cool, but the road trip was a success, and I think I learned as much as any of the customers through these experiences.

Pittsburgh User Group Video Recap

Get Involved!

If you have not taken the time in your neck of the woods to attend a user group meeting, then why not? It's an opportunity to share what you know, learn from others who are working through the same problems you're facing, and build relationships with fantastic people in your area. Thanks again to Jack Fenimore and Maurice Gordon, the local FSEs in those markets, Kate Fetherston, the brains and organization around the events, and all the other F5ers that made these events a success.

F5 Synthesis: Fast, Fluent and Flexible
#sdas #sddc #sdn #devops #mobile

F5 Synthesis 1.5 brings more performance, greater application fluency and increased flexibility for both application and mobile network providers.

Are you ready for millions of mobile visitors? With 20% of web traffic in the US and Canada coming from smartphones and tablets (Chitika), it's time to turn some cycles toward this growing segment and focus on more than just BYOD. Mobile visitors are just as easily frustrated by poorly performing applications as their traditional laptop and desktop visiting counterparts (and, in fact, they probably are the same consumers transitioning to more modern devices). The growth in device propagation also means it's a growth market for attackers. And even if malware and viruses aren't running rampant on mobile device platforms, that doesn't mean that applications and services can't leak data to mobile devices or that they can't participate in DDoS attacks. And phishing attacks work just as well in browsers on mobile devices as they do in browsers on the desktop. Interestingly enough, while mobile platforms introduce some new challenges to ensuring security and performance of applications and data, many of the challenges and threats remain the same because they're really about data and applications and networks, not the end user device.

Addressing these challenges is made more difficult by the limited domains over which application providers have control. Consider that of the four most likely culprits of poor performance and security breaches, only one and a half are under the complete control of the application provider. If we add cloud into the mix, the areas of control become even smaller. Generally speaking, applications deployed in cloud environments are not deployed along with the critical application services they need to ensure expectations of performance and security by end users and the business alike. Increasingly, consumers blame mobile network operators for poor performance, so it's important to note that they only have one of the four domains under their control: the mobile network. While they can and do offer services to improve the performance and security of applications traversing their networks, these services are not often capitalized upon by end-users or application providers.

F5 Synthesis provides cloud and application providers, as well as mobile network operators, with the architectural framework necessary to ensure the performance, reliability and security of applications. The latest release of Synthesis, v1.5, with a focus on the enterprise, adds performance and security-related capabilities and services along with greater flexibility in management and orchestration to ensure that no matter what domains are under your control, you can deploy the application services appropriate to your applications. This release is about fast, fluent and flexible Software Defined Application Services.

Fast

We've added a variety of TCP optimizations that improve performance for all applications and have an even greater impact on mobile application delivery. WebP conversion reduces the size of images, a per-application dedicated cache that uses HTML5 Local Storage capabilities and support for MPTCP ensure both application providers and mobile network operators can take advantage of Synthesis' performance services. More SSD-enabled appliances means the F5 Synthesis High Performance Service Fabric gains greater multi-tenancy and improves the performance of application services, which in turn benefits application performance. Simplified DNS deployment and optimized DNS resolution ensure DNS is never a bottleneck. F5 Synthesis' High Performance Service Fabric can support up to 418M DNS resolutions per second. That means it can resolve addresses for the equivalent of every site on the Internet in 2 seconds[1].

Fluent

As important as content level visibility is application fluency: the ability to not only inspect, but understand the unique languages of applications. F5 Synthesis now speaks more languages than ever, including TDS/MS SQL, FIX, and BER/DER. We've added support for AES-GCM and ECC ciphers for TLS version 1.2 as well as supporting the ciphers needed for Perfect Forward Secrecy. Our new Secure Web Gateway service speaks the language of the web, filtering URLs and inspecting web content for malware, and can do so even when it's hidden within SSL connections.

Flexible

New cloud connector capabilities enable services across data centers and clouds supported by VMware, AWS, and OpenStack technologies, ensuring the migration to cloud doesn't result in the loss of critical application services needed for security and performance. Synthesis v1.5 makes available BIG-IQ Device, part of Synthesis' Intelligent Service Orchestration, which enables automated discovery, licensing, inventory and UCS backup and restore capabilities for the Synthesis High Performance Services Fabric. Also announced is the availability of iControl REST, our control plane API in a modern, accessible model. iControl REST enables organizations and mobile network operators to integrate, automate, orchestrate and dynamically manage the Synthesis High Performance Service Fabric from virtually any HTTP-capable scripting or programming language. We've taken Synthesis' Simplified Business Models and expanded them to include new streamlined license management for virtual editions of our platforms. License pools enable VE provisioning and decommissioning on-demand to enable broader use of services for burst capacity, testing, proof of concepts, or new development.

Synthesis v1.5 has a plethora of new capabilities, services and enhancements that enable application providers and mobile network operators to take advantage of the economy of scale afforded by the combination of a High Performance Service Fabric and Intelligent Service Orchestration to ensure that no matter which parts of the data path between users and applications are under their control, they can be optimized and secured.

Additional Resources:

- F5 Synthesis Site
- iControl REST Wiki on DevCentral
- F5 Synthesis related posts on DevCentral

[1] Based on number of sites collected by Netcraft Web Server Survey, Jan 2014

Accelerating the Transition to Cloud
The benefits of moving to a cloud architecture, whether on-premises private cloud or public cloud, include the agility to respond to change, scalability, and ultimately improved efficiency that translates to cost savings. Cloud (or software-defined) architectures have leveraged virtualization and automation to maximize compute, storage, and software ROI, as well as standardize services and applications onto fewer platforms. The same transformation is now underway for the network infrastructure: firewalls, switches, routers, and Application Delivery Controllers (ADCs).

One of the main concerns in moving to a cloud or virtualized architecture is, no surprise, the security of the underlying network infrastructure as solutions are virtualized. CSOs and security teams for enterprises and cloud providers need to be able to completely assure their downstream customers that their network traffic cannot be seen or manipulated by other customers hosted on the same physical device. F5's ScaleN virtual Clustered Multiprocessing (vCMP®) technology, part of our market leading BIG-IP application delivery services platform, provides that needed level of security. By combining the agility of virtual application services with the scalability and security of a purpose-built ADC hypervisor and hardware, F5 gives cloud providers a virtualization strategy for application delivery and securing multi-tenant environments. The provider can offer performance, scalability, and security to each of their downstream customers by creating discrete virtual BIG-IP® instances (like F5's Local Traffic Manager or Application Security Manager) on either BIG-IP appliances or VIPRION blades (see Fig 1). You get the agility and flexibility to run different versions and app services for each instance, have complete isolation of traffic and resources, and spin up or down instances as needed.

For performance, these virtual instances tap into the same dedicated acceleration hardware used by the hosting platform, including SSL offload, compression, and DDoS protection. In addition, with F5's RESTful APIs, BIG-IP virtual instances can be managed and integrated into most cloud environments.

With the release of BIG-IP v11.6, the security and isolation of vCMP instances has been enhanced through a combination of hardware and software resource isolation methods, including leveraging the CPU memory management capabilities to ensure that the instances can't access memory from the hypervisor or from each other. vCMP is secure at the system level (hypervisor and guest) and network level (data plane and management plane), see Figure 2. Enterprises and managed service providers can be assured that vCMP instances cannot snoop on or affect traffic in other instances or the host. The "noisy neighbor" problem common to virtualized environments is greatly reduced, which promotes a more secure cloud and enables standardization of services on one platform. In addition, 11.6 introduces BIG-IP ASM REST APIs, which allow the manipulation of every aspect of security policy management. When combined with vCMP multi-tenant support, F5 ASM is the leading WAF solution that can be deployed in the cloud or as-a-Service.

Lastly, to demonstrate how seriously we take security, and to meet specific government and FSI compliance requirements, vCMP is part of the overall BIG-IP Common Criteria EAL4+ certification that is in process, and we are completing a specific vCMP pen test done by a well-respected third-party testing vendor. You will learn more in future postings about how F5's secure lifecycle development process can help you achieve your security requirements and achieve the benefits of migrating to the cloud.

Additional Resources:

- vCMP Whitepaper
- Multi-Tenant Security with vCMP whitepaper
- Peak Hosting uses vCMP for agility and multi-tenancy video

ORACLE AGILE PLM logging out issue
Dear team,

We have Agile and PLM setup for SSO and NON SSO users. SSO is listening on Port 80 reaching the backend server port on 7777 (which is actually a file manager). However, for NON SSO, the listening port is 7001 and the backend server port is 7011. We have cookie persistence enabled with Always send cookie enabled, keeping the rest of them the same.

Problem: We are able to log in to the environment and attach the file, then upload it. However, when the file is transferred or uploaded it's coming back to the original screen, which is an application page. We are not sure where exactly it's happening and would highly appreciate it if anyone can help.

F5 Synthesis: Platform is Strategy. Product is Tactics.
#SDAS

Inarguably one of the drivers of software-defined architectures (cloud, SDDC, and SDN) as well as movements like DevOps is the complexity inherent in today's data center networks. For years now we've added applications and services, and responded to new threats and requirements from the business with new boxes and new capabilities. All of them cobbled together using traditional networking principles that adhere to providing reliability and scale through redundancy. The result is complex, hard to manage, and even more difficult to change at a moment's notice.

Emerging architectural models based solely on cloud computing models or as part of larger, software-defined initiatives, attempt to resolve this issue by introducing abstraction and programmability. To get around the reality that deploying new services in a timely manner takes days if not weeks or even months, we figure that by moving to a programmatic, software-based model we can become more efficient. Except we aren't becoming more efficient, we're just doing what we've always done. We're just doing it faster. We're not eliminating complexity, we're getting around it by adding a layer of scripts and integration designed to make us forget just how incredibly complex our networks really are.

One of the primary reasons our networks are the way they are is that we're reactive. What we've been doing for years now is just reacting to events. Threats, new applications, new requirements - all these events inevitably wind up with IT deploying yet another "middle box." A self-contained appliance - hardware or software - that does X. Protects against X, improves Y, enhances Z. And then something else happens and we do it again. And again. And ... you get the point. We react and the result is an increasingly complex topological nightmare we call the data center network.

What we need to do is find a better model, a strategic model that enables us to deploy those solutions that protect against X, improve Y and enhance Z without adding complexity and increasing the already confusing topology in the network. We need to break out of our tactical mode and start thinking strategically so we can transform IT to be what it needs to be to align IT results with business expectations. That means we need to start thinking platform, not product.

Platform is Strategic. Product is Tactical.

We know that the number of services actually in use in the data center has been increasing in response to all the technological shifts caused by trends like security, cloud and mobility. We've talked to customers that have more than 20 different services (and vendors) delivering services critical to the security, performance and reliability of applications. Every time a new threat or a new trend impacts the data center, we respond with a new service. That's one of the reasons you rarely see a detailed architectural diagram at the application flow level – because every single interaction with a customer, partner or employee can have its own unique flow, and that flow traverses a variety of services depending on the user, device, network and application and even business purpose. That's the product way.

What we need to do is shift our attention to platforms, and leverage them to reduce complexity while at the same time solving problems - and doing so faster and more efficiently. That's one of the primary benefits of Synthesis. Synthesis' High Performance Services Fabric is built by gluing together a platform - the ADC - using new scalability models (ScaleN). The platform is what enables organizations to deploy a wide variety of services but gain operational efficiencies from the fact that the underlying platform is the same.

F5 Software Defined Application Services (SDAS) are all deployable on the same, operationally consistent platform regardless of where it might physically reside. Cloud, virtual machine or hardware makes no difference. It's the platform that brings consistency to the table and enables rapid provisioning of new services that protect X, improve Y and enhance Z. In the past year we've brought a number of new services to the Synthesis architecture including Cloud Identity Federation, Web Anti-Fraud, Mobile optimizations and a Secure Web Gateway. All these services were immediately deployable on the existing platform that comprises the Synthesis High Performance Services Fabric. As we add new capabilities and services, they, too, are deployable on the same platform, in the same fabric-based approach, and immediately gain all the benefits that come from the platform: massive scalability, high performance, reliability and hardened security.

A platform approach means you can realize a level of peace of mind about the future and what might crop up next. Whether it's a new business requirement or a new threat, using a platform approach means no more shoehorning a new box into the topology. It means being able to take advantage of operational consistency across cloud and on-premises deployments. It means being able to expand capabilities without needing to expand budgets to support new training, new services, and new contracts.

A platform approach to service deployment in data center networks is strategic. And with the constant rate of change headed our way thanks to the Internet of Things and mobility, the one thing we can't afford to go without is a sound strategy for dealing with the technological ramifications on the network.