scale n
14 Topics

DNS The F5 Way: A Paradigm Shift
This is the second in a series of DNS articles that I'm writing. The first is: Let's Talk DNS on DevCentral.

Internet users rely heavily on DNS, and when DNS breaks, applications break. It's extremely important to implement an architecture that provides for DNS availability at all times. It's important because the number of Internet users continues to grow. In fact, a recent study conducted by the International Telecommunications Union claims that mobile devices will outnumber the people living on this planet at some point this year (2014). I'm certainly contributing to those stats as I have a smartphone and a tablet! In addition, the sophistication and complexity of websites are increasing. Many sites today require hundreds of DNS requests just to load a single page. So, when you combine the number of Internet users with the complexity of modern sites, you can imagine that the number of DNS requests traversing your network is extremely large. Verisign's average daily DNS query load during the fourth quarter of 2012 was 77 billion with a peak of 123 billion. Wow...that's a lot of DNS requests...every day! The point is this...Internet use is growing, and the need for reliable DNS is more important than ever.

par·a·digm noun \ˈper-ə-ˌdīm\: a group of ideas about how something should be done, made, or thought about

Conventional DNS design goes something like this... Front end (secondary) DNS servers are load balanced behind a firewall, and these servers answer all the DNS queries from the outside world. The master (primary) DNS server is located in the datacenter and is hidden from the outside world behind an internal firewall. This architecture was adequate for a smaller Internet, but in today's complex network world, this design has significant limitations. Typical DNS servers can only handle up to 200,000 DNS queries per second per server. Using the conventional design, the only way to handle more requests is to add more servers.
Let's say your organization is preparing for a major event (holiday shopping, for example) and you want to make sure all DNS requests are handled. You might be forced to purchase more DNS servers in order to handle the added load. These servers are expensive and take critical manpower to operate and maintain. You can start to see the scalability and cost issues that add up with this design. From a security perspective, there is often weak DDoS protection with a conventional design. Typically, DDoS protection relies on the network firewall, and this firewall can be a huge traffic bottleneck. Check out the following diagram that shows a representation of a conventional DNS deployment.

It's time for a DNS architecture paradigm shift. Your organization requires it, and today's Internet demands it.

F5 Introduces A New Way...

The F5 Intelligent DNS Scale Reference Architecture is leaner, faster, and more secure than any conventional DNS architecture. Instead of adding more DNS servers to handle increased DNS request load, you can simply install the BIG-IP Global Traffic Manager (GTM) in your network’s DMZ and allow it to handle all external requests. The following diagram shows the simplicity and effectiveness of the F5 design. Notice that the infrastructure footprint of this design is significantly smaller. This smaller footprint reduces costs associated with additional servers, manpower, HVAC, facility space, etc.

I mentioned the external request benefit of the BIG-IP GTM...here's how it works. The BIG-IP GTM uses F5's specifically designed DNS Express zone transfer feature and cluster multiprocessing (CMP) for exponential performance of query responses. DNS Express manages authoritative DNS queries by transferring zones to its own RAM, so it significantly improves query performance and response time.
With DNS Express zone transfer and the high performance processing realized with CMP, the BIG-IP GTM can scale up to more than 10 million DNS query responses per second, which means that even large surges of DNS requests (including malicious ones) will not likely disrupt your DNS infrastructure or affect the availability of your critical applications.

The BIG-IP GTM is much more than an authoritative DNS server, though. Here are some of the key features and capabilities included in the BIG-IP GTM:

- ICSA certified network firewall -- you don't have to deploy DMZ firewalls any more...it IS your firewall!
- Monitors the health of app servers and intelligently routes traffic to the nearest data center using IP Geolocation
- Protects from DNS DDoS attacks using the integrated firewall services, scaling capabilities, and IP address intelligence
- Allows you to utilize benefits of cloud environment by flexibly deploying BIG-IP GTM Virtual Edition (VE)
- Supports DNSSEC with real-time signing and validates DNSSEC responses

As you can see, the BIG-IP GTM is a workhorse that literally has no rival in today's market. It's time to change the way we think about DNS architecture deployments. So, utilize the F5 Intelligent DNS Scale Reference Architecture to improve web performance by reducing DNS latency, protect web properties and brand reputation by mitigating DNS DDoS attacks, reduce data center costs by consolidating DNS infrastructure, and route customers to the best performing components for optimal application and service delivery.

Learn more about F5 Intelligent DNS Scale by visiting https://f5.com/solutions/architectures/intelligent-dns-scale

User Group Road Trip!
The esteemed pathological liar John Wagnon and I joined quite a group of F5ers in a three stop road trip through the heart of the Ohio River Valley. The always entertaining and wildly informative David Holmes joined us at all three stops, and we also had some great presentations from security architect Pez Zivic and vCMP product manager Dan Gilbert along the way. But enough about F5…these user groups all had customers presenting, sharing their deployment experiences and passing along all the good, bad, and ugly along the way. You might think we’d bristle at hearing the bad, but not at all. It’s always a good thing to learn from customers where the pain points are so we can lessen or eliminate them. Sometimes those solutions come from a different approach, sometimes in enhancements in future releases, but we can’t address them if we don’t hear about it. So bring it! We have thick skin, we can handle it. Chatham House Rule was invoked at each event, which gave the customers the freedom to share some information they otherwise would remove from their public facing decks.

Cincinnati

The first stop on the journey, Cincinnati did not disappoint. Maggiano’s Little Italy hosted, serving a nice array of food and providing a monster screen for presentations. David Holmes dove into some DDoS, provided some insights on recent SSL vulns and the potential for some Heartbleed rinse repeat action given the new efforts underway on the LibreSSL fork. Next, a customer presented on their introduction, deployment experience, and lessons learned with BIG-IP Local Traffic Manager and BIG-IP Application Security Manager products. My takeaways from his presentation:

- "You went technical...you never go full technical!" Hysterical.
- Over-communicate amongst the technical teams and business units.
- Don't assume application owners know exactly how their application behaves on the wire.

Dan Gilbert, vCMP product manager with F5, dropped some great content (more on that below) on the group, as did F5 security solution architect Pez Zivic. John and I wrapped up the show sharing a little about how to get the most of DevCentral and the demystification of iRules.

Cincinnati User Group Video Recap

Columbus

A couple hours up the road from Cincinnati, we hit stop two in Columbus, OH, at a fancy little restaurant called J Liu. Again, the food was fantastic, but there was some curious near the salad bowl...was that a balsamic vinaigrette, or was that chocolate pudding? One brave tester confirmed it was the vinaigrette, but if you can keep all the contents on the utensil after turning it upside down...it's not a vinaigrette. But I digress. A customer kicked off his presentation on his journey from amateur to advocate on BIG-IP, particularly around their adoption of vCMP. My takeaways from his presentation:

- Use the F5 Technology Centers! This customer did, and learned an incredible amount about their new BIG-IP gear during the process.
- Take the time to understand the changes in default behaviors when adopting new products.
- A repeated theme from Cincinnati: get tech/business units on board early.
- tmsh enabled them to build out configurations quickly and cleanly

Dan followed the customer presentation with some great 11.5 functionality in vCMP that this customer has to look forward to, as well as some of the forthcoming roadmap. John and I presented again and then David Holmes wrapped up this show. I'm looking forward to getting a Secure Web Gateway lab built so I can try out some of David's recommendations on my kids' mobile tech. At happy hour before driving further down the road to Pittsburgh, John and David spent a little time with Taffy the miniature horse. Yep, so that happened. I think it was so disturbing David Holmes had nightmares about it. You should ask him next time you see him.

Columbus User Group Video Recap

Pittsburgh

Last stop on the road trip was in Pittsburgh, where we met with a large group of customers in the 1960 suite at PNC Park to share knowledge with each other, catch up on the great solutions people are cooking up with F5 products, and finally, catch the game between the Pirates and the Reds. Being a Cardinals fan, I had to rub a little salt in the divisional rivalry, so I opened my presentation with a self-reflective analysis of which Cards hat I should wear for the day, my 2011 World Series champs hat, or my 2013 NL champs hat (which the Cards earned by knocking the Pirates out of the playoffs along the way last year.) I went with the latter. Now that I had built strong bonds with all those Pirates fans...

The customer that presented discussed his team's experience with device cluster groups and traffic groups. They are still in the design selection phase, so it was neat to hear their insight into the different approaches one might take to deployment strategies. I need to spend more time digging into the device and traffic groups, it's an area I don't have much experience in beyond the basic HA technologies from my customer days. Anyway, Jack Fenimore updated the crew on all the new goodness in 11.5 across the product lines, and David Holmes again wowed the crowd with all his security goodness.

After the game, John and I jumped in my hoopty, a 2003 Honda Pilot, and headed for home. It's funny, we started east, and got more east at each stop, so the final and only trip west was a long one, made 2 hours longer thanks to the rush hour + baseball game ending traffic jam. That was not cool, but the road trip was a success, and I think I learned as much as any of the customers through these experiences.

Pittsburgh User Group Video Recap

Get Involved!

If you have not taken the time in your neck of the woods to attend a user group meeting, then why not?
It's an opportunity to share what you know, learn from others who are working through the same problems you're facing, and build relationships with fantastic people in your area. Thanks again to Jack Fenimore and Maurice Gordon, the local FSEs in those markets, Kate Fetherston, the brains and organization around the events, and all the other F5ers that made these events a success.

F5 Synthesis: Fast, Fluent and Flexible
#sdas #sddc #sdn #devops #mobile

F5 Synthesis 1.5 brings more performance, greater application fluency and increased flexibility for both application and mobile network providers.

Are you ready for millions of mobile visitors? With 20% of web traffic in the US and Canada coming from smartphones and tablets (Chitika) it's time to turn some cycles toward this growing segment and focus on more than just the BYOD. Mobile visitors are just as easily frustrated by poorly performing applications as their traditional laptop and desktop visiting counterparts (and, in fact, they probably are the same consumers transitioning to more modern devices).

The growth in device propagation also means it's a growth market for attackers. And even if malware and viruses aren't running rampant on mobile device platforms, that doesn't mean that applications and services can't leak data to mobile devices or that they can't participate in DDoS attacks. And phishing attacks work just as well in browsers on mobile devices as they do in browsers on the desktop.

Interestingly enough, while mobile platforms introduce some new challenges to ensuring security and performance of applications and data, many of the challenges and threats remain the same because they're really about data and applications and networks, not the end user device. Addressing these challenges is made more difficult by the limited domains over which application providers have control. Consider that of the four most likely culprits of poor performance and security breaches, only one and a half are under the complete control of the application provider. If we add cloud into the mix, the areas of control become even smaller. Generally speaking, applications deployed in cloud environments are not deployed along with the critical application services they need to ensure expectations of performance and security by end users and the business alike.
Increasingly, consumers often blame mobile network operators for poor performance, so it's important to note that they only have one of the four domains under their control: the mobile network. While they can and do offer services to improve the performance and security of applications traversing their networks, these services are not often capitalized upon by end-users or application providers.

F5 Synthesis gives cloud and application providers as well as mobile network operators the architectural framework necessary to ensure the performance, reliability and security of applications. The latest release of Synthesis, v1.5 with a focus on the enterprise, adds performance and security-related capabilities and services along with greater flexibility in management and orchestration to ensure that no matter what domains are under your control, you can deploy the application services appropriate to your applications. This release is about fast, fluent and flexible Software Defined Application Services.

Fast

We've added a variety of TCP optimizations that improve performance for all applications and have an even greater impact on mobile application delivery. WebP conversion, which reduces the size of images, a per-application dedicated cache that uses HTML5 Local Storage capabilities, and support for MPTCP ensure both application providers and mobile network operators can take advantage of Synthesis' performance services. More SSD-enabled appliances means the F5 Synthesis High Performance Service Fabric gains greater multi-tenancy and improves the performance of application services, which in turn benefits application performance. Simplified DNS deployment and optimized DNS resolution ensure DNS is never a bottleneck. F5 Synthesis' High Performance Service Fabric can support up to 418M DNS resolutions per second. That means it can resolve addresses for the equivalent of every site on the Internet in 2 seconds[1].

Fluent

As important as content level visibility is application fluency: the ability to not only inspect, but understand the unique languages of applications. F5 Synthesis now speaks more languages than ever, including TDS/MS SQL, FIX, and BER/DER. We've added support for AES-GCM and ECC ciphers for TLS version 1.2 as well as supporting the ciphers needed for Perfect Forward Secrecy. Our new Secure Web Gateway service speaks the language of the web, filtering URLs and inspecting web content for malware, and can do so even when it's hidden within SSL connections.

Flexible

New cloud connector capabilities enable services across data centers and clouds supported by VMware, AWS, and OpenStack technologies, ensuring the migration to cloud doesn't result in the loss of critical application services needed for security and performance. Synthesis v1.5 makes available BIG-IQ Device, part of Synthesis' Intelligent Service Orchestration, that enables automated discovery, licensing, inventory and UCS backup and restore capabilities for the Synthesis High Performance Services Fabric.

Also announced is the availability of iControl REST, our control plane API in a modern, accessible model. iControl REST enables organizations and mobile network operators to integrate, automate, orchestrate and dynamically manage Synthesis High Performance Service Fabric from virtually any HTTP-capable scripting or programming language.

We've taken Synthesis' Simplified Business Models and expanded them to include new streamlined license management for virtual editions of our platforms. License pools enable VE provisioning and decommissioning on-demand to enable broader use of services for burst capacity, testing, proof of concepts, or new development.
Synthesis v1.5 has a plethora of new capabilities, services and enhancements that enable application providers and mobile network operators to take advantage of the economy of scale afforded by the combination of a High Performance Service Fabric and Intelligent Service Orchestration to ensure that no matter which parts of the data path between users and applications are under control, they can be optimized and secured.

Additional Resources:

- F5 Synthesis Site
- iControl REST Wiki on DevCentral
- F5 Synthesis related posts on DevCentral

[1] Based on number of sites collected by Netcraft Web Server Survey, Jan 2014

Accelerating the Transition to Cloud
The benefits of moving to a cloud architecture, whether on premise private cloud or public cloud, include the agility to respond to change, scalability, and ultimately improved efficiency that translates to cost savings. Cloud (or software-defined) architectures have leveraged virtualization and automation to maximize compute, storage, and software ROI, as well as standardize services and applications onto fewer platforms. And now underway is the same transformation of the network infrastructure: firewalls, switches, routers, and Application Delivery Controllers (ADCs).

One of the main concerns in moving to a cloud or virtualized architecture is, no surprise, the security of the underlying network infrastructure as solutions are virtualized. CSOs and security teams for enterprises and cloud providers need to be able to completely assure their downstream customers that their network traffic cannot be seen or manipulated by other customers hosted on the same physical device.

F5’s ScaleN virtual Clustered Multiprocessing (vCMP®) technology, part of our market leading BIG-IP application delivery services platform, provides that needed level of security. By combining the agility of virtual application services with the scalability and security of purpose-built ADC hypervisor and hardware, F5 gives cloud providers a virtualization strategy for application delivery and securing multi-tenant environments. The provider can offer performance, scalability, and security to each of their downstream customers by creating discrete virtual BIG-IP® instances (like F5’s Local Traffic Manager or Application Security Manager) on either BIG-IP appliances or VIPRION blades (see Fig 1). You get the agility and flexibility to run different versions and app services for each instance, have complete isolation of traffic and resources, and spin up or down instances as needed.
For performance, these virtual instances tap into the same dedicated acceleration hardware used by the hosting platform, including SSL offload, compression, and DDoS protection. In addition, with F5’s RESTful APIs, BIG-IP virtual instances can be managed and integrated into most cloud environments.

With the release of BIG-IP v11.6, the security and isolation of vCMP instances has been enhanced through a combination of hardware and software resource isolation methods, including leveraging the CPU memory management capabilities to ensure that the instances can’t access memory from the hypervisor and from each other. vCMP is secure at the system level (hypervisor and guest) and network level (dataplane and management plane); see Figure 2. Enterprises and managed service providers can be assured that vCMP instances cannot snoop or affect traffic in other instances or the host. The “noisy neighbor” problem common to virtualized environments is greatly reduced, which promotes a more secure cloud and enables standardization of services on one platform.

In addition, 11.6 introduces BIG-IP ASM REST APIs, which allow the manipulation of every aspect of security policy management. When combined with vCMP multi-tenant support, F5 ASM is the leading WAF solution that can be deployed in the cloud or as-a-Service.

Lastly, to demonstrate how seriously we take security, and to meet specific government and FSI compliance requirements, vCMP is part of the overall BIG-IP Common Criteria EAL4+ certification that is in process and we are completing a specific vCMP PEN test done by a well-respected 3rd party testing vendor. You will learn more in future postings how F5’s secure lifecycle development process can help you achieve your security requirements and achieve the benefits of migrating to the cloud.

Additional Resources:

- vCMP Whitepaper
- Multi-Tenant Security with vCMP whitepaper
- Peak Hosting uses vCMP for agility and multi-tenancy video

F5 Synthesis: Platform is Strategy. Product is Tactics.
#SDAS

Inarguably one of the drivers of software-defined architectures (cloud, SDDC, and SDN) as well as movements like DevOps is the complexity inherent in today's data center networks. For years now we've added applications and services, and responded to new threats and requirements from the business with new boxes and new capabilities. All of them cobbled together using traditional networking principles that adhere to providing reliability and scale through redundancy. The result is complex, hard to manage, and even more difficult to change at a moment's notice.

Emerging architectural models based solely on cloud computing models or as part of larger, software-defined initiatives, attempt to resolve this issue by introducing abstraction and programmability. To get around the reality that deploying new services in a timely manner takes days if not weeks or even months, we figure that by moving to a programmatic, software-based model we can become more efficient. Except we aren't becoming more efficient, we're just doing what we've always done. We're just doing it faster. We're not eliminating complexity, we're getting around it by adding a layer of scripts and integration designed to make us forget just how incredibly complex our networks really are.

One of the primary reasons our networks are the way they are is that we're reactive. What we've been doing for years now is just reacting to events. Threats, new applications, new requirements - all these events inevitably wind up with IT deploying yet another "middle box." A self-contained appliance - hardware or software - that does X. Protects against X, improves Y, enhances Z. And then something else happens and we do it again. And again. And ... you get the point. We react and the result is an increasingly complex topological nightmare we call the data center network.
What we need to do is find a better model, a strategic model that enables us to deploy those solutions that protect against X, improve Y and enhance Z without adding complexity and increasing the already confusing topology in the network. We need to break out of our tactical mode and start thinking strategically so we can transform IT to be what it needs to be to align IT results with business expectations. That means we need to start thinking platform, not product.

Platform is Strategic. Product is Tactical.

We know that the number of services actually in use in the data center has been increasing in response to all the technological shifts caused by trends like security, cloud and mobility. We’ve talked to customers that have more than 20 different services (and vendors) delivering services critical to the security, performance and reliability of applications. Every time a new threat or a new trend impacts the data center, we respond with a new service. That’s one of the reasons you rarely see a detailed architectural diagram at the application flow level – because every single interaction with a customer, partner or employee can have its own unique flow and that flow traverses a variety of services depending on the user, device, network and application and even business purpose.

That's the product way. What we need to do is shift our attention to platforms, and leverage them to reduce complexity while at the same time solving problems - and doing so faster and more efficiently. That's one of the primary benefits of Synthesis. Synthesis' High Performance Services Fabric is built by gluing together a platform - the ADC - using new scalability models (ScaleN). The platform is what enables organizations to deploy a wide variety of services but gain operational efficiencies from the fact that the underlying platform is the same.
F5 Software Defined Application Services (SDAS) are all deployable on the same, operationally consistent platform regardless of where it might physically reside. Cloud, virtual machine or hardware makes no difference. It's the platform that brings consistency to the table and enables rapid provisioning of new services that protect X, improve Y and enhance Z.

In the past year we've brought a number of new services to the Synthesis architecture including Cloud Identity Federation, Web Anti-Fraud, Mobile optimizations and a Secure Web Gateway. All these services were immediately deployable on the existing platform that comprises the Synthesis High Performance Services Fabric. As we add new capabilities and services, they, too, are deployable on the same platform, in the same fabric-based approach and immediately gain all the benefits that come from the platform: massive scalability, high performance, reliability and hardened security.

A platform approach means you can realize a level of peace of mind about the future and what might crop up next. Whether it's a new business requirement or a new threat, using a platform approach means no more shoehorning a new box into the topology. It means being able to take advantage of operational consistency across cloud and on-premise deployments. It means being able to expand capabilities without needing to expand budgets to support new training, new services, and new contracts.

A platform approach to service deployment in data center networks is strategic. And with the constant rate of change headed our way thanks to the Internet of Things and mobility, the one thing we can't afford to go without is a sound strategy for dealing with the technological ramifications on the network.

F5 Synthesis for Service Providers: Scaling in Three Dimensions
#MWC14 #SDAS #NFV #SDN

It's not just about changing the economy of service scale, it's about operations, too.

Estimates based on reports from Google put the number of daily activations of new Android phones at 1.3 Million. Based on reported data from Apple, there are 641 new applications per day added to the App Store. According to Cisco's Visual Networking Index, mobile video now accounts for more than 50% of mobile data traffic. Put them all together and consider the impact on the data, application and control planes of a network. Of a mobile network.

Now consider how a service provider might scale to meet the demands imposed on their networks by continued growth, but make sure to factor in the need to maintain a low cost per subscriber and the ability to create new revenue streams through service creation. Scaling service provider networks in all three dimensions is no trivial effort, but adding on the requirement to maintain or lower the cost-per-subscriber and enable new service creation? Sounds impossible - but it's not. That's exactly what F5 Synthesis for Service Providers is designed to do: enable mobile network operators to optimize, secure and monetize their networks.

F5 Synthesis for Service Providers

F5 Synthesis for Service Providers is an architectural framework enabling mobile network operators to optimize, secure and monetize their networks. F5 Synthesis achieves this by changing the service economy of scale by taking advantage of a common, shared platform to reduce operational overhead and improve service provisioning velocity while addressing key security concerns across the network. F5 Synthesis for Service Providers enables mobile network operators to scale in three dimensions: control, data and application planes.

Control Plane

The control plane is the heart of a service provider network.
Tasked with the responsibility for managing subscriber use and ensuring the appropriate services are applied to traffic, it can easily become overwhelmed by signaling storms that occur due to spikes in activations or an Internet-wide gaming addiction that causes millions of concurrent players to join in. The control plane is driven by Diameter, and F5 Synthesis for Service Providers includes F5's Traffix Signaling Delivery Controller, nominated this year for Best Mobile Infrastructure at Mobile World Congress. With unparalleled performance, flexibility and programmability, F5 Traffix SDC helps mobile network operators scale the control plane while enabling the creation of new control plane services.

Less often considered but no less important in the control plane are DNS services. A scalable, highly resilient and secure DNS service is critical to both the performance and security of service provider networks. F5 Synthesis for Service Providers includes DNS services. F5 Synthesis is capable of scaling to 418 million response queries per second (RQPS) and includes comprehensive protection against DNS-targeting DDoS attacks.

Data Plane

The service provider data plane serves as the backbone between the mobile network and the Internet, and must be able to support millions of consumer requests for applications. Banking, browsing, shopping, watching video and sharing via social media are among the most popular activities, many of which are nearly continuous for some subscribers. Bandwidth hungry applications like video can become problematic for the data plane and cause degradations in performance that hamper the subscriber experience and send them off looking for a new provider. To combat performance, security and reliability challenges, service providers have invested in a variety of targeted solutions that has led to a complex, hyper-heterogeneous infrastructure comprising the Gi network.
This complexity increases the cost per subscriber by introducing operational overhead and can degrade performance by adding latency due to the number of disparate devices through which data must traverse.

F5 Synthesis for Service Providers includes a high-performance service fabric comprised of any combination of hardware or virtual appliances capable of supporting over 20 Tbps. Hardware and appliances from F5 are enabled with its unique vCMP technology, which allows the creation of right-sized service instances that can be scaled up and down dynamically and ultimately reduce the cost per subscriber of the services delivered.

The F5 Synthesis High Performance Service Fabric is built on a common, shared and highly optimized platform on which key service provider functions can be consolidated. By consolidating services in the Gi network on a single, unified platform like F5 Synthesis service fabric, providers can eliminate the operational overhead incurred by the need to manage multiple point products, each with its own unique management paradigm. Consolidation also means services deployed on F5 Synthesis High Performance Service Fabric gain the performance and scale advantages of a network stack highly optimized for mobile networking.

Application Plane

Value added services are a key differentiator and key revenue opportunity for service providers, but can also be the source of poor performance due to the requirement to route all data traffic through all services, regardless of their applicability. Sending text through a video optimization service, or video through an ad insertion service does not add value, but it does consume resources and time that impact the overall subscriber experience. F5 Synthesis services include policy enforcement management capable of selectively routing data through only the value added services that make sense for a given subscriber and application combination.
Using Dynamic Service Chaining, F5 Synthesis optimizes service chains to ensure more efficient resource utilization and improved performance for subscribers. This in turn allows service providers to selectively scale highly utilized value added services, which saves time and money and reduces costs to deliver. F5 Synthesis for Service Providers works in concert with virtual machine provisioning systems to enable service providers to move toward NFV-based architectures. Intelligent monitoring of value added services combined with awareness of load and demand enables F5 Synthesis for Service Providers to ensure VAS can be scaled up and down individually, resulting in significant cost savings across the VAS infrastructure by eliminating VAS silos and the need to scale the entire VAS infrastructure at the same time. F5 Synthesis for Service Providers also offers the most flexible set of programmability features in the industry. Control plane, data plane, management plane. APIs for integration, scripting languages for service creation, iApps and a cloud-ready, multi-tenant services fabric that can be combined with a self-servicing service management platform (BIG-IQ). This level of programmability changes the operational economy of scale through automation and orchestration opportunities. With F5 Synthesis for Service Providers, mobile network operators can simplify their Gi Network while laying the foundation for rapid service creation and deployment on a highly flexible, manageable virtualized service fabric that helps providers execute on NFV initiatives.

F5 Synthesis: Hybrid to the Core
#SDAS #SDN #Cloud #SSL #HTTP2.0 F5 continues to pave the way for business to adopt disruptive technologies without, well, as much disruption.

The term hybrid is somewhat misleading. In the original sense of the word, it means to bring together two disparate "things" that result in some single new "thing". But technology has adapted the meaning of the word to really mean the bridging of two different technological models. For example, a hybrid cloud isn't really smashing up two cloud environments to form a single, new cloud, rather it's bridging the two technologies in a seamless way so as to make them interoperate and cooperate as if they were a single, unified cloud. This concept is necessary because of the way in which data center and computing models evolve. We don't ditch the last generation when the next generation comes along. Rather we graft the new onto the old or combine them in ways that enable the use of both - albeit oftentimes separately. IPv4 and IPv6, for example, pose significant challenges due to incompatibilities. The reliance on the former and the need for the latter drive us to adopt technology such as gateways and brokers to enable a smooth(er) transition from the old to the new. Hybrid is a way to keep organizations moving forward, without sacrificing support for where we are right now. As organizations are challenged to adopt the latest applications and technology based on cutting-edge protocols to improve performance and gain advantages through efficiency, they are simultaneously challenged to scale network infrastructure to handle more traffic, more applications and more "things" connecting to their networks. Cloud offers a path forward, but introduces challenges, too, in managing access, performance, security and scale across an increasingly distributed set of domains. Organizations need hybrid answers to hybrid challenges that threaten the reliability and security of their applications.
F5: Hybrid to the Core

F5 is no stranger to providing hybrid answers to hybrid challenges. F5 Synthesis Software Defined Application Services (SDAS) provide a robust set of services spanning protocol and application layer gateway capabilities that mean you can support a hybrid cloud as easily as a hybrid network that incorporates SDN or emerging protocols like HTTP 2.0. With the release of BIG-IP 11.6 - the platform from which F5 Synthesis High Performance Services Fabric is composed - organizations will be even better positioned to take advantage of new and existing technologies simultaneously while meeting hyperscale challenges arising from even more devices and more applications in need of services. F5 is the first and only vendor to support HTTP 2.0 with BIG-IP 11.6. Like IPv6, HTTP 2.0 is incompatible with the existing de facto standard version (1.1), making it difficult for organizations to move forward and enjoy the proffered benefits of HTTP 2.0 in faster, simpler and more secure applications. F5's approach is hybrid: why be constrained to just one version when you can support both? Too, why must you choose between the performance benefits of hardware-accelerated SSL or the flexibility of a virtual ADC on off-the-shelf hardware? F5 believes you shouldn't have to, and offers another first in the industry - a hybrid SSL offload approach. Organizations can enable 8 times the SSL capacity by taking advantage of the hybrid nature of the F5 High Performance Service Fabric enabled through its unique ScaleN technology. And then, of course, there's cloud and the Internet of Things (or BYOD if you're still focusing just on devices) driving the need for a different kind of access control strategy; a hybrid one. Whether it's things or people, traditional access control techniques that rely on IP address and can't effectively manage both cloud and data center deployed applications aren't going to cut it.
Add in the need to hyperscale to meet demand and you need a more hybrid-friendly approach. BIG-IP 11.6 puts the focus on identity-based firewalling into our application delivery firewall services. Combined with existing cloud-identity federation capabilities based on broad SAML support, a seamless hybrid cloud experience for SSO and access is well within reach. As F5 continues to expand and extend the capabilities of its Software-Defined Application Services (SDAS), the notion of "hybrid" architectures, technologies and networks will remain core to its capabilities to ensure organizations can continue to deploy and deliver applications without constraints.

Roaming around at Mobile World Congress
#MWC14 #F5 #mobile #sdas Consumers, like fate, are the fickle mistresses of the service provider world. When the multitude of applications they increasingly use on their mobile devices perform poorly, they often blame the network provider irrespective of the real cause. Mobile network operators are stuck between a rock (the consumer) and a hard place (the application provider) trying to satisfy both. F5 recognizes how difficult it can be to not just identify the source of poorly performing applications, but do something about it while simultaneously securing and making reliable those same applications and the networks over which they are delivered. F5 Synthesis addresses core challenges with mobile application delivery with an architectural framework designed to enable mobile network operators to rapidly provision and manage the services they need to optimize, secure and monetize their networks. Our newly announced F5 Synthesis 1.5 includes a number of mobile-focused capabilities and enhancements including new mobile TCP optimizations, support for MPTCP, response steering and Dynamic Service Chaining. Additionally, we announced a modern version of our control plane API - iControl REST - that simplifies integration with cloud management platforms and orchestration systems. Whether enabling a transitory approach to deploying NFV-enabled networks or simply taking advantage of programmability in the data, control and management planes to create new and differentiated services, F5 Synthesis offers mobile network operators a modern, high performance and manageable solution for satisfying consumers' insatiable demand for fast applications while ensuring the security of their networks.
If you're roaming around at Mobile World Congress, you'll want to visit F5 at Booth 5G11 (Hall 5) and learn how to capitalize on the changing mobile landscape, transition to an application-driven service delivery model, or learn more about F5 Traffix SDC, nominated this year for Best Mobile Infrastructure at the show. We'll also have a variety of essential demos at the booth you won't want to miss:

Essential Demo: Video optimization on @Skyfire platform at F5's booth 5G11 (Hall 5)
Essential Demo: BIG-IP PEM virtual orchestration at F5's booth 5G11 (Hall 5)
Essential Demo: Global Mobile Best Mobile Infrastructure Nominee F5 Traffix SDC at booth 5G11 (Hall 5)
Essential Demo: TCP Optimization at F5's booth 5G11 (Hall 5)

If you're not attending the show, you can follow the activities and observations on Twitter #MWC14 or follow along with F5.

Beyond Scalability: Achieving Availability
Scalability is only one of the factors that determine availability. Security and performance play a critical role in achieving the application availability demanded by business and customers alike. Whether the goal is to achieve higher levels of productivity or generate greater customer engagement and revenue, the venue today is the same: applications. In any application-focused business strategy, availability must be the keystone. When the business at large is relying on applications to be available, any challenge that might lead to disruption must be accounted for and answered. Those challenges include an increasingly wide array of problems that cost organizations an enormous amount in lost productivity, missed opportunities, and damage to reputation. Today's applications are no longer simply threatened by overwhelming demand. Additional pressures in the form of attacks and business requirements are forcing IT professionals to broaden their views on availability to include security and performance. For example, a Kaspersky study[1] found that “61 percent of DDoS victims temporarily lost access to critical business information.” A rising class of attack known as “ransomware” has similarly poor outcomes, with the end result being a complete lack of availability for the targeted application. Consumers have a somewhat different definition of “availability” than the one found in textbooks and scholarly articles. A 2012 EMA[2] study notes that “Eighty percent of Web users will abandon a site if performance is poor and 90% of them will hesitate to return to that site in the future” with poor performance designated as more than five seconds. The impact, however, of poor performance is the same as that of complete disruption: a loss of engagement and revenue. The result is that availability through scalability is simply not good enough.
Contributing factors like security and performance must be considered to ensure a comprehensive availability strategy that meets expectations and ensures business availability. To realize this goal requires a triad of services comprising scalability, security and performance.

Scalability

Scalability is and likely will remain at the heart of availability. The need to scale applications and dependent services in response to demand is critical to maintaining business today. Scalability includes load balancing and failover capabilities, ensuring availability across the two primary failure domains – resource exhaustion and failure. Where load balancing enables the horizontal scale of applications, failover ensures continued access in the face of a software or hardware failure in the critical path. Both are equally important to ensuring availability and are generally coupled together. In the State of Application Delivery 2015, respondents told us the most important service – the one they would not deploy an application without – was load balancing. The importance of scalability to applications and infrastructure cannot be overstated. It is the primary leg upon which availability stands and should be carefully considered as a key criterion. Also important to scalability today is elasticity: the ability to scale up and down, out and back based on demand, automatically. Achieving that goal requires programmability, integration with public and private cloud providers as well as automation and orchestration frameworks, and an ability to monitor not just individual applications but their entire dependency chain to ensure complete scalability.

Security

If attacks today were measured like winds we’d be looking at a full scale hurricane. The frequency, volume and surfaces for attacks have been increasing year by year and continue to surprise business after business after business. While security is certainly its own domain, it is a key factor in availability.
The goal of a DDoS, whether at the network or application layer, is, after all, to deny service; availability is cut off by resource exhaustion or oversubscription. Emerging threats such as “ransomware” as well as existing attacks with a focus on corruption of data, too, are ultimately about denying availability to an application. The motivation is simply different in each case. Regardless, the reality is that security is required to achieve availability. Whether it’s protecting against a crippling volumetric DDoS attack by redirecting all traffic to a remote scrubbing center or ensuring vigilance in scrubbing inbound requests and data to eliminate compromise, security supports availability. Scalability may be able to overcome a layer 7 resource exhaustion attack but it can’t prevent a volumetric attack from overwhelming the network and making it impossible to access applications. That means security cannot be overlooked as a key component in any availability strategy.

Performance

Although performance is almost always top of mind for those whose business relies on applications, it is rarely considered with the same severity as availability. Yet it is a key component of availability from the perspective of those who consume applications for work and for play. While downtime is disruptive to business, performance problems are destructive to business. The 8 second rule has long been superseded by the 5 second rule and recent studies support its continued dominance regardless of geographic location. The importance of performance to perceived availability is as real as scalability is to technical availability. 82 percent of consumers in a UK study[3] believe website and application speed is crucial when interacting with a business. Applications suffering poor performance are abandoned, which has the same result as the application simply being inaccessible, namely a loss of productivity or revenue.
After all, a consumer or employee can’t tell the difference between an app that’s simply taking a long time to respond and an app that’s suffered a disruption. There’s no HTTP code for that. Perhaps unsurprisingly a number of performance improving services have at their core the function of alleviating resource exhaustion. Offloading compute-intense functions like encryption and decryption as well as connection management can reduce the load on applications and in turn improve performance. These intertwined results are indicative of the close relationship between performance and scalability and indicate the need to address challenges with both in order to realize true availability.

It's All About Availability

Availability is as important to business as the applications it is meant to support. No single service can ensure availability on its own. It is only through the combination of all three services – security, scalability and performance – that true availability can be achieved. Without scalability, demand can overwhelm applications. Without security, attacks can eliminate access to applications. And without performance, end-users can perceive an application as unavailable even if it’s simply responding slowly. In an application world, where applications are core to business success and growth, the best availability strategy is one that addresses the most common challenges – those of scale, security and speed.

[1] https://press.kaspersky.com/files/2014/11/B2B-International-2014-Survey-DDoS-Summary-Report.pdf
[2] http://www.ca.com/us/~/media/files/whitepapers/ema-ca-it-apm-1112-wp-3.aspx
[3] https://f5.com/about-us/news/press-releases/gone-in-five-seconds-uk-businesses-risk-losing-customers-to-rivals-due-to-sluggish-online-experience

F5 Synthesis: All Active ADC Clustering
#SDAS #Cloud ADC clustering isn't enough because you deliver app services, not ADC instances.

The classic high availability (HA) deployment pattern is hard to break. It's been the keystone upon which data centers have been built since the turn of the century. Redundancy, after all, ensures reliability. But today's data centers are as concerned with efficiency as they are with reliability, and with economies of scale even more so. Assigning pairs of application delivery controllers (ADCs) to every application in need of high availability is no longer economically or operationally viable. A fabric-based model cannot be based on the premise of simply extending the HA model to a larger set of devices. The traditional HA model relies on device-level failover; if the primary device fails, simply make the secondary active and voila! Continued availability. This model, of course, required a secondary (and very idle) device. In today's OpEx-aware world, that's not going to fly. And we won't even cite the number of times a primary failed after long years of service only to discover the backup was long dead, too. Active-active seems a logical way to go, except for that whole over-subscribed thing. You know, when the distributed load across the two systems is greater than the capacity of a single system. When 60% load plus 60% load = too much load. Failover? Sure, for some of the load. The rest? Bah! Who needed those thousands of dollars worth of transactions anyway, right? A better model is needed, for sure, and the advances in technology over the past few years have resulted in an awareness that it can't just be about device clustering for ADCs. The increased demand for multi-tenancy in the network has been answered, for the most part. The actual ADC platform today is capable of hosting multiple, multi-tenant (virtual) ADC instances. But if one of those fails, you don't want to impact the others. Device-level failover isn't enough for modern, virtualized networking.
Clustering has to be about app services clustering, too

Which is what F5 offers with Synthesis' High Performance Services Fabric through its ScaleN technology.

ScaleN: Device Service Clustering

ScaleN is a scalability and availability model based on the premise that infrastructure is hybrid (physical and virtual), that app services scale (and often fail) elastically and erratically, and that operational efficiency is number one. Device Service Clustering (DSC) is designed to meet and exceed those requirements, by enabling a more flexible and efficient model of availability and scalability at the same time. DSC starts with the ability to cluster together (today up to 32) devices, whether physical or virtual (and by virtual we mean on any of the popular hypervisors), and create up to 2560 multi-tenant ADC instances*. Then we enable the ability to group those devices together and synchronize configurations (because you've got better things to do than copy config files from device to device, don't you?). And then we also make sure that each of the ADC instances is isolated from the other. That means if one ADC instance with all its app services has trouble and needs to fail over to another device, it doesn't impact any other instance (and all its app services) on the original device. That's app service isolation. What you end up with is a highly flexible services fabric (a pool of hardware and/or virtual resources) that enables app services to scale beyond the traditional pair of ADC instances (scale out) or to migrate from one instance to another (scale up) without disruption. DSC offers organizations the ability to optimize delivery services across a heterogeneous pool of resources without fear of oversubscribing a device. That's because ScaleN is capable of performing load-aware and user-defined failover. In the past, failover was a strictly static proposition based on a fixed order of devices. Primary to secondary, secondary to tertiary, etc...
Using load-aware and user-defined failover, however, the order of failover becomes dynamic and based on current conditions. That allows the fabric to maintain as equal a distribution across a cluster as possible. The goal is always to maintain the most efficient use of resources across clusters and avoid disruptive failover events - both at the device and the service level. Because you should be delivering app services, not ADC instances. And while the two are inextricably linked, they shouldn't be chained permanently together. That's the old, static HA model - whether active-standby or active-active. The new, dynamic HA model is all-active, elastic and service-aware clustering.

* You can further divide an F5 ADC instance using route domains and administrative partitions. The number of possible "instances" using all three options is, well, really big. Really, really, big.