My Top 5 iRules Development Practices
I've been writing iRules now for about eight years and have found many ways around success along the way. But I've also learned a few things as well, many of which save me a lot of time and frustration on the bigger and more complex iRules. Know the Problem You are Trying to Solve I taught a beginning python class last spring and this is the #1 point I drove home in every lesson and in every project. It should be an obvious first step, but eager beavers and mind racers will jump to steps three and four or maybe even 10 before even defining the problem. This is bad news for everyone as they will almost certainly come back to square one frustrated that they built a really cool gizmo that didn't at all line up with the original puzzle that needs solving. Don't move on from step one until the problem is well-defined and further, understood. Map Out the Logic Before Coding This one bites me from time to time, but I'm getting better at slowing down my pace enough to do things right. I recommend working through chicken-scratched pseudo-code or Visio diagrams and getting a second set of eyes for validation when possible. Only after you are convinced your logic is sound should you fire up your trusty iRule Editor. Not adhering to this step will more than likely cost you precious cycles reworking code. Function & Diagnostics First, Optimization Comes Later When coding, I start with all the events and then begin plugging in features. Some are comfortable writing a 100-line iRule without leaving the canvas, but I prefer to start small, testing along the way. I work on one area of my diagram at a time, using placeholders for any logic I might need for that particular function. I also do my best to avoid combining logic in single lines early so I can log each step. And I like to log. Like crazy amounts of logging. Every event, every variable, every conversion. This makes for a far more successful end-game for me. But that kind of iRule would not pass Colin's performance tests, and I would end up wearing the cone of shame. So after all the functionality is working, that's where I start removing variables, combining logic, looking for optimizations and alternatives. Test the Negative What I'm getting at here is not necessarily a literal negative, but testing against the cases your logic solves. If you built code to test if user A has password X, and that works as advertised, great. But what if user B has the wrong password? And what if user C doesn't exist at all? Your logic should account for the obvious negative cases, but also look for the corner cases. It's helpful in this stage to recruit others to test with you as they will not be as familiar with your code and won't make assumptions that are natural to you as the developer. Comment Liberally This step is the hardest. Really. Because at the end of all of that, you have a working thing of beauty that you just want to call your wife (mom, dog, empty chair, whatever) and tell her all about. You don't want to document. Ever. But document you must, because it might not be in a day, but when you least expect it, someone is going to have questions about your code, and it's likely even you will have to study it for a while if you don't pepper that code with information. Remember above when I talked about optimization? Yeah, comments aren't compiled into byte code, so you have no excuses to not document the heck out of your iRules. Just do it! Sound Off Ok community, agree? Disagree? Blind oversights?DevCentral Top 5: Oct 6, 2014
These past two weeks have proven to be more than eventful with the "shock"ing discovery of a critical bash vulnerability that stole the security headlines for several days. Times like these might have you repeating the words of the infamous Ben Jabituya, "I don't know about you, but I am planning to scream and run." Fortunately for all of us, there's no need to scream and run...there's only a need to sit back and read about the most awesome articles that anyone, anywhere has to offer. Check out this edition of the DevCentral Top 5!! CVE-2014-6271 Shellshocked As I stated in the opening paragraph, all our collective worlds got rocked when the Shellshock vulnerability was announced. This vulnerability allows a remote attacker to execute instructions on your computer using a feature of the bash shell. Enter Jeff Costlow; one of the most intelligent guys you'll ever meet when it comes to security. Literally the same day Shellshock was released, Jeff wrote this article to explain all the details of the vulnerability and also outlined ways your BIG-IP could be exploited. In addition, he gave some great advice on how to mitigate the vulnerability using several options available from F5...iRules, LineRate, ASM (with custom signatures), and best practices (like, don't expose your management interface to the Internet). Jeff also participated in a Shellshock guru panel where several F5 security experts talked about the vulnerability, how it works, why it's bad, and how to mitigate it using F5 technology. Sorry, Johnny Five. Yes Disassemble! Jason Rahm takes us back to yesteryear with a metaphor from one of our favorite movies from the 1980s. In that movie, Johnny 5 has a big fear of being disassembled (and rightfully so, I guess). Well, Jason keeps Johnny 5 safe from disassembly, but doesn't afford that same luxury for Tcl code. As you all know, Tcl forms the foundation of several code environments on the BIG-IP (iRules, iCall, iApp, tmsh). Many of us want to know what the Tcl interpreter is actually doing from an instruction standpoint, and Jason shows us that the way to analyze the bytecode is to disassemble it. The command that will show how the interpreter works its magic is tcl::unsupported::disassemble. In one of the most technically-hardcore articles ever written on DevCentral, Jason digs deep into two different solution sets and reminds us that it's always a good idea to fine-tune your code. Less is more. Less objects. Less stack depth. Less instantiation. Reviewing bytecode is good for that, and it's possible with the native Tcl code. APM Security: Protecting Internal Resources Using ACLs Bart Sikkes wrote up a great security solution for the APM in Portal Access mode. The APM in Portal Access mode gives instant access to internal resources for authorized users, but it might also give access to other users if you aren't careful. Bart sets up a test environment using three internal resources: OWA, intranet website, and source code programming website. Two of these should be accessible through the APM but the third should not. Bart walks through some great examples of how someone might find a work around to access the protected internal resource. He also provides a great solution using APM ACLs that will ensure users only access the intended resources. Introducing LineRate Lightning series (and Snippet #1 - HTTP referer blocking) Everyone loves the iRules 20 Lines or Less series, right? LineRate is no exception. The only thing is that the LineRate proxy uses a Node.js scripting engine embedded into the HTTP data path, so it can't directly use iRule scripts. So, the LineRate guys created a new series on DevCentral called "LineRate Lightning" and these articles will contain snippets of code that aim to be quick, powerful, and even a little bit flashy. The inaugural LineRate Lightning post includes a simple snippet of code that does HTTP referrer blocking based on a whitelist of permitted referrers. Simply add the referring domains that you'd like to permit in the domain_whitelist list and change vs_http to match the name of your virtual server. Pretty cool and simple solution, huh?!? Check back often and regularly to read this series that so beautifully complements the iRule 20 LoL! Shellshock mitigation with BIG-IP iRules Some call him the inventor of iControl, some call him the creator of the iRule editor, some call him the most interesting man in the world, I simply call him "Joe the Show." Joe Pruitt fired up two separate iRule solutions to mitigate the Shellshock vulnerability the day after it was released by NIST. This is just another example of the power and flexibility of F5 technology. Who else in the world provides so many options to secure critical infrastructure in such a short amount of time? Joe wrote and tested these Shellshock-mitigating iRules and then posted them on DevCentral for all the world to use. He reminds us that we should set up a plan to ultimately patch the bash shell on all our systems. While you are creating and implementing the patch plan, you can use the iRule solution to protect your servers against attacks.DevCentral Top 5: Sep 22, 2014 [End of Life]
The F5 and Cisco APIC integration based on the device package and iWorkflow is End Of Life. The latest integration is based on the Cisco AppCenter named ‘F5 ACI ServiceCenter’. Visit https://f5.com/cisco for updated information on the integration. Here we are again...that fateful and glorious moment when we get to highlight the "best of the best" articles from DevCentral. As you know, DevCentral produces more awesome content than any other community out there, so sit back, relax, grab that second cup of coffee, and enjoy these amazing articles. You Want Action on a Threshold Violation? Use iCall! You want action? I want iCall! Jason Rahm, the godfather of DevCentral, takes us on an amazing journey of event-based automation with the BIG-IP. As Jason points out in his article, iCall has been around since the glory days of the 11.4 release, yet there seems to be a gap in the awareness of this functionality. A DevCentral member posted a question about toggling interfaces if active pool members in a pool falls below 70% (or whatever percent you choose). Jason used this as motivation to write an iCall script that defines the pools of interest, sets the total number of pool members, sets the available members, checks to see if 70% are available, and then enables/disables the interface based on the result. Jason described each step of the process, and he also shared all the code so you can steal it and use it for yourself! iHealth API Part 2 - An Introduction to REST In his inaugural iHealth article, Jon Gross introduced us to the iHealth API and told us all about the awesome health-check features it includes. Now, in his second article, Jon discusses the REST framework and how it provides a nice clean way of retrieving, modifying, and deleting things using HTTP. Using REST, you can retrieve all sorts of iHealth-related information on your BIG-IP. Jon even uses a goat analogy to make it easy for everyone to understand...get out there and read this one! Under the hood of F5 BIG-IP LTM and Cisco ACI integration – Role of the device package Faraz Siddiqui explains the integration between the Cisco Application Centric Infrastructure (ACI) and F5 BIG-IP LTM. One of the critical components for this integration is the F5 device package, which abstracts the L4-L7 service device in a way that allows the Cisco APIC to automate and provision a network service that attaches to the ACI fabric. Faraz explains the concepts of service graphs, device packages, device scripts, and device package integration workflow with Cisco APIC. We all know that F5 and Cisco are strategic partners, and this article highlights one of the many powerful results of this partnership. The man in your browser What?!? There's a man in my browser?? Seriously, where do these people come from? Lori MacVittie reminds us that, not only is there a man in your browser, it's not good that he's there. Man In The Browser (MITB) is not a new technique, but it's still very dangerous and many instances of powerful Trojan Malware use this capability. Trojans will steal credentials (say, to financial systems) using MITB to inject scripts into legitimate banking web applications. These scripts are dangerous because they become part of the application logic. What's that? You would never fall victim to one of these fake pop-up scripts? Did you know that 73% of users are unable to distinguish between real and fake popup messages? The key to detecting these script-injecting, app modifying monsters is to understand the state of the web application page at the time it's delivered - before the Trojan has a chance to modify it - as well as monitoring for duplicate communication initiated from the web page. Our F5 Security Operations Center (SOC) team has some fantastic analysis of this type of malware...check out all the great things they are doing! 2 Minute Tech Tip: URL Redirects So we started this new video series on DevCentral...it's called "2 minute tech tips." The idea is that, normally, no one has the time to sit through a 30 minute video broadcast to learn all about the greatness of F5 technology. Why not break it into manageable chunks and deliver it 2 minutes at a time? Brilliant, you say? That's exactly what we thought! In this edition of 2 minute tech tips, you can learn how to do URL redirects using BIG-IP Local Traffic Policies. Many people use iRules to redirect URLs, but you can use the built-in functionality of the BIG-IP to do this. iRules are awesome and flexible, but it's always faster and more efficient to use built-in functionality whenever you can. Enjoy the video, and be on the lookout for more 2 minute tech tips in the future!
DevCentral Top 5 01/06/2012
The holidays have passed, the new year is upon us and there is much geeky goodness to be thankful for. I am thankful for the forums and the wikis, the tech tips and blogs. I am thankful for the outstanding community that drives it all, and the supporting cast of hundreds within F5 that helps support this DevCentral thing we get to do. I am so thankful, in fact, that I am here to share five of my favorite recent DevCentral additions with you. Hurried over the holidays? Nagged after the new year? Fall behind on your feeds? Never fear, I'm more than happy to give you my Top5 picks from past weeks to give you a place to start. Keep in mind there will always be more goodness on DevCentral than anyone could pack into a single missive, even someone as wordy as me, so be sure to get out there and check it out for yourselves. For now, though, here is my first DevCentral Top 5 of 2012: $DevCentral += 1; http://bit.ly/yNw8zs We've grown! The team has gained a new face, a new name, and some wicked security chops. Josh joined the team before the holiday season and has been cranking away largely in secret since. His focus has been and will continue to be security. He'll be answering forums, checking in from conferences, keeping you abreast of the most twisted, brutal and/or interesting vulnerabilities out in the wild, hopefully with a means to fix them, and more. Part of said "more" will be contributing to the ever growing content engine that is DevCentral. He has already started, in fact! Check out this latest blog of his wherein he discuses the new(ish) slowread vulnerability along with a helpful fix from F5. He assures me there is more to discuss regarding this vuln, and having gotten to know him a bit I have no doubt this is just one of many helpful, timely, security centric posts to come. Add him to your feeds, drop a note and say hi, and check back often to see what security science Josh is dropping next. Two-Factor Auth with Google Authenticator and LDAP http://bit.ly/yO8G6a Speaking of science, I feel it is a crime that George was not gifted a lab coat and appropriately mad scientist-esque safety goggles over the holidays. He has upped the iRules Tech Tip game to a level that Jason and I agree is both awesome, and inspiring. In this article George documents how to turn your LTM and the inherent beauty within known as iRules into a two-factor auth system, integrated with LDAP, by way of Google Authenticator. In simpler terms: you can scan a QR code, enter a time based secure token, and authenticate into your systems...all via an iRule. That is the very definition of iRules science, kids. I've been raving about this one for weeks, and likely will for weeks to come. So before you hear me tell you again later, go check it out. Not only is the concept outstanding, but the write-up is second to none, so don't be dissuaded by the double black diamond sounding description. George turns this one into a bunny slope compared to what it could be if you tried to tackle it alone. External File Access from iRules via iFiles http://bit.ly/ArfZS6 There is a new tool in iRules town, and it's known as iFiles. Jason does an excellent job writing up this powerful, exciting new feature that was released for iRules in version 11.1. iFiles allow you to, as you might imagine, access files on the file system from within your iRules. This has been a popular request for years now, but there are inherent security and performance issues with giving out file system access to the LTM, something the PD crew here at F5 is understandably hesitant about. They have, however, cracked that proverbial nut and provided us with a solution that is both fast and secure. If you want the details on how it works you'll have to go read Jason's article, which you should do anyway because it rocks. Between v11 and v11.1, the iRules landscape continues to grow and become more hawesome by the version. I'm eager to see what comes next. Until then, though...go learn about iFiles. They rock. The Three Axioms of Application Delivery http://bit.ly/Av5oPf Lori took on what I have often thought an unenviable task: defining Application Delivery. This is more slippery than it sounds as the landscape is constantly changing with new technologies, application concerns and demands, security liabilities and more. Trying to specifically define exactly what one means when using the term "Application Delivery" has proved foolhardy before, and as such Lori's approach is one that appeals to me greatly. Namely, she decided not to define it directly, but instead laid out three axioms that describe the bedrock upon which the term lives and breathes, changing as it is apt to do, based on the needs and solutions of the times. Application Centric, Operational Risk Mitigating, Contextual. Those are effectively the concepts that are conveyed as the root of all things Application Delivery. Of course, many more juicy details and descriptions are a click away. Go see what you think. Do you agree? How would you define it, if you could? iRules Concepts: Connection States and Command Suspension http://bit.ly/wxY5f3 The iRules Concepts series is something I started a couple of months back in order to address some of the more esoteric functionality within iRules. Not everything fits so squarely into a command namespace or man page. Things such as command suspension and connection states within TMM warrant a bit more conversation and explanation. Given that I have seen this question come up multiple times in recent months, it seemed time to delve more deeply into the inner workings and shed some light on just what we're talking about when we use these terms. If you're an iRules geek like me, or frankly if you're curious about how F5 gear does what it does, I believe this is an interesting look at a tiny slice of that picture. If you have questions about how other things within iRules work, this would be a great place to ask. I'm really enjoying discussing the nuts and bolts of how this awesome technology does its thing, and am always keen on taking requests for future articles. There you have it, five ways to spend some time learning about what has been happening on DevCentral. For more frequent updates make sure you're registered and signed up for some of our many groups and feeds.Top5 06/14/2013
This caffeine fueled, bass driven installment of the Top5 is brought to you by our sponsors at “Wait how do I get that all done?” and associates. Fortunately, if I have to be burning the midnight oil, and let’s face it we all do sometimes, there are few things I’d rather be doing than geeking out on wickedly cool technology. It just so happens to work in my favor, then, that I work for a company that produces precisely that. Any time I need reminding of that I need only wander down the richly hewn halls of DevCentral’s vaults of hawesome. It’s not long before I trip over something I didn’t know, didn’t know I wanted to know, but am suddenly glad that I learned. Not convinced, you say? Read on, I answer, and check out my picks for the week. If you’re not convinced by the end, then either I’ve lost my touch, or you’re reading this from your android piloted spacecraft somewhere in low earth orbit. If that’s the case, I concede that you may have cooler toys. For us mere terrestrial beings, however, these will do nicely: iCall – All New Event-Based Automation System http://bit.ly/11M6cNB The very term “Announcement” tends to lend itself to the concept of something that is new, likely exciting, and almost certainly important enough to, well, announce. That term rings true here, to be sure, and as such the announcement of this wicked new technology being added to the F5 arsenal brooks top billing in this week’s listing. Geeks, geekettes, and all non-denominational folk in between, I give unto you, iCall. You’ve conquered the world with iRules, you’ve put some automation into your automation with iControl, and you’ve checked for the unseen servants whisking away your configuration woes after only a few small questions thanks to iApps. This newest addition to the i-Stuff family (That is so not F5 terminology, fyi, and I can hear the letter from marketing on its way already) adds yet another savory spice to the iStew. While iRules allows you control over the data plane in real-time, iCall allows you to have nearly the same level of granular control over the control plane. What’s the difference? Well the data plane is where all the bits of your application pass. That’s where you can do things like header modifications and content re-writing and selective routing and whatnot. The control plane is where the configuration of the devices themselves happens. Things like adding a pool member, setting member priority, changing a monitor, etc. are all performed on the data plane. This is usually iControl’s bailiwick, which is all well and good, but iControl is generally speaking used for automation and building out larger scale integration with F5 devices. With iCall you’re able to get fine toothed control over the data plane in a native, on-board, Tcl based language that looks and feels a heck of a lot like TMSH scripting, iApp scripting, and iRules. The effect is a power packed set of features that you can toy with on box and bend to your whims. There’s so much more to tell, however, and Jason does a darn good job of detailing the hows and whats in this blog post, complete with not only a pretty picture (ooohhh!) but also some code, because all my chattering doesn’t show you the nitty-gritty. This one is worth reading for sure. This is an exciting, powerful new technology unleashed upon F5 community to give them even deeper access to build dynamic solutions. I’m eager to see what comes of this, and it’s time to get the word out. iCall has arrived, will you answer? Web Scraping – Data Collection or Illegal Activity? http://bit.ly/1203nUQ Do you web scrape? Do you know what web scraping is? Whether you’ve been a victim, read an article, tried to perform some actually less-than-underhanded version of web scraping for some reason or another, or otherwise, you should be familiar with this concept. If you’re not, it’s time to get familiar. Fortunately this article from John does a good job of outlining the what, why, problems with and some silver lining surrounding this would be issue. Web scraping is not a particularly fun issue to deal with, but it is something that can be handled if you know what you’re doing it. There are lots of ways to work around this, from custom rolled solutions to products galore, to things like iRules that can step in and solve the problem for you, depending on your deployment. Fortunately, however, there’s a feature built into ASM that’s all packaged up and ready to use with a few keystrokes (or mouse clicks, for the more GUI inclined). John does a great job of outlining the problem, and hinting at one of the possible solutions via ASM in this article. In the rest of the series he digs deeper and provides far more detail and information for those looking to be less vexed by scrapers scraping things with their scrapey bits. This one is a good introduction, and leads to good detail down the road. Check it out, especially you security minded folk. The Application of Everything http://bit.ly/11kdSU7 When I say “Mobile Application” what do you picture? I’ve got money saying it’s your mobile phone, and one of a handful of wildly popular applications wherein you can post your status, watch a video, buy or trade something, post a picture or some other equally pervasively mobile function. What you probably don’t picture, however, is a web browser. That’s interesting, because it shows just how good of a job the UI designers of those “applications” you’re picturing are doing at making you forget that you are, for all intents and purposes, firing up a web browser. A purpose built, custom skinned, highly targeted browser, to be sure, but for all intents and purposes a huge portion of mobile applications are web browsers. Why is that? Well because they are fronting HTTP and HTTPS based web applications. Whether I’m reading my eBook on my computer, my tablet, or my phone, I’m accessing effectively the same back end with shockingly similar front-ends. This isn’t necessarily a bad thing, but it does mean that many of the same HTTP issues that have existed in the computing world since, well, forever, exist. First and foremost amongst those is often performance. Therein lies a bit of a rub, however. We’ve gotten pretty good at HTTP acceleration and performance enhancements, but that is mostly when talking about dealing with a traditional browser on a traditional computer platform. Twist that around to a mobile browser and platform, let alone a mobile network, and the game changes dramatically. The needs and approaches are vastly different, and we’re still figuring things out as we go along, really. This intriguing reminder of precisely that from Lori is thought provoking and points to some of these concepts in a way that makes it extremely easy to follow and understand. It may not solve the problems, but it describes them well and will hopefully get you thinking about them as much as it has me. Two-Factor Authentication using Yubikey, YubiCloud, and BIG-IP LTM http://bit.ly/143oCIL Two factor authentication is nothing new here in the Top5. I’ve talked about it in various forms on several occasions. One of which was even talking about this particular two factor auth method, Yubikey. For a refresher on what Yubikey is, Jason’s article will clarify nicely, but it’s basically a touch activated USB key that generates a one time password on demand. There was a detailed solution showing how to get Yubikey working with APM a while back. This article is just a little bit different, however, in that it is entirely iRules based. What’s that? A touch sensitive USB key interacting with purely iRules to perform the necessary authentication and send off box info as needed to make Yubicloud do its thing, and provide smooth, two factor auth with nothing but some diet Dr. Pepper fueled coding know-how? Yes. Oh sweet merciful Targaeryens yes, that’s what I’m talking about. Jason, as always, does an awesome job of laying out this article complete with big animal pictures (the cow says, moo.) and the code necessary to make this dog hunt in your neck of the woods. I love me some iRules goodness, as anyone that’s been here before is well aware, and this smacks of precisely that. Go take a look for the full scoop, and let me know if anyone tosses this one out there for Yubi-enabled users in the wild. I’d love to see it in action, and let Jason know that he has, yet again, become the hero of the users. DevCentral Weekly Podcast http://bit.ly/16lRJsG The Weekly podcast is no stranger to the Top5. It’s cheating, really. My name is Colin, and I am a cheater. I cheat because I love you, though. You’ll forgive me, won’t you? What if I promise you that in this video there is a video WITHIN a video, that contains an F1 champion crashing and burning in an F5 labeled car? Maybe I’m leaving out the parts about it being a simulator and there being no actual crashing or fire, but hey, it’s still pretty cool. Aside from the gear head squee inducing goodness, this podcast also actually talks about, gasp, technology. John chats about web scraping, Joe gives the dirt on the many events the DevCentral team has been attending, and they both offer some insight and info on what’s going on in DCville these days. As I am only a visitor, and no longer a resident, I tend to glean what I can from these podcasts just like the rest of the DCLovers out there (that’s you…I hope), and I can say that I heartily enjoyed this one. See for yourself if it tickles your fancy, or at the very least share in my jealousy over F1 royalty on an F5 video (That they waited until I wasn’t around to film, I might add…some people). Well folks, that wraps up another installation of the Top5, overdue though it may have been. Things have been a bit crazy ‘round these parts, so my apologies for the lack of broadcasts, but here’s to hoping that’s rectified now and I can resume my regular transmissions. As always if you’ve got feedback, questions, suggestions or “other” please don’t hesitate to drop me a line. I’m at c dot walker at f5, or all over DevCentral with the fancy blue links that say “Colin”. And now, as the refrains of “Blame it on my ADD…” thud in the background, I bid you good reading, and remind you as ever, to code hard. #Colin Technorati Tags: Top5,DevCentral,iRules,iCall,Agility,Security,Two Factor Authentication,Colin WalkerTop5 08/30/2013
From making heroes and rock stars, to a complete interface facelift, to throwing up the horns and rocking out (the dude abides, by the way, most certainly), DevCentral has undergone more than a few small changes since the last Top5 hit the waves of the verse. Fortunately, much like the signal, the goodness that is the community and the many contributors therein cannot be stopped. (No, not even by Reavers, though let’s not talk about such things; they give me the creeps.) As such, there has been an absolute landslide of discussion, banter, content and media to keep up with. Some having to do with getting to know the newer, kinder, sleeker, faster DevCentral, some normal “Let’s do cool stuff with F5 stuff” stuff. Either way, there’s been much to keep up with in a very good way. Even though I’m sure you’ve read every article, comment and post, I’ve taken the liberty of picking a few of my most recent favorites to hand over personally and reiterate the hawesomeness within. You know, as a refresher. Since you’ve read it all. Right? Right. Even so, here’s this week’s Top5: iCall Triggers - Invalidating Cache from iRules http://bit.ly/194zVmE If you’ve ever read the Top5 or any of my other writing, or seen one of my speaking engagements, or my Facebook/Twitter pages, or met me, or frankly been within earshot of me for more than 7 seconds, then you’ve probably heard me ranting and raving about iRules in some fashion or another. While iRules are awesome and wickedly powerful, they are not, however, the only killer language on the F5 block. There are other ways to leverage the extensive programmability of the various F5 platforms beyond the admitted powerhouse that is iRules. iCall, for instance, is the newest kid to the programmability party, and a darn fine one at that. I’ve started beating the iCall drum more and more in recent months, and for good reason. If you’re looking for granular, programmatic ways to affect your control plane, that is, the configuration of the F5 device itself, rather than the traffic being passed through it, iCall is a slick, powerful way to do just that. Jason, in this awesome, get in and get dirty article shows you a great example of just what kinds of things you can do with this exciting new toolset. He steps you through from concept to each chunk of code necessary to string together this cool solution that will let you invalidate your acceleration cache quickly and easily from anywhere. This is a great read and a good place to get started if you’re looking for some concrete examples of what iCall looks like and how it works. The BIG-IP Application Security Manager Part 1: What is the ASM? http://bit.ly/18prLDb If you mention F5 to ten people, I’m willing to bet you’ll hear a mix of answers from “Load Balancers” to “Application Delivery” to, well, your guess is as good as mine. One of the things you will definitely be hearing more and more these days, and going forward, however, is “Security”. F5 has always been very security minded and capable, but you may have noticed the past year or two that we’ve been getting way more security focused as well, and that is an altogether different thing. Security is something we take very seriously, and an arena into which we’ve been pouring a large amount of time, energy and resources, with no intention of stopping. One of the security offerings that F5 brings to the table is Application Security Manager, or ASM for short. If you aren’t familiar with ASM, you’re in luck, as John Wagnon is just embarking on a 10 part article series to illustrate just what ASM is, what it does, how it works and some presumably killer examples of making it do the moonwalk upside down. Except, you know, doing technical security things, rather than dancing. Horrible analogy aside, this article is the first foray into what promises to be a solid series, so I’d keep an eye out, I plan to. VMware Virtualizing the Network on its Way to the Software Defined Data Center http://bit.ly/15DszXm Virtualization. SDDC. SDN. DevOps. ITaaS. NFV. If you’re as confused at the alphabet soup as I am, then this is a good stop on your path to virtualization illumination. Lori, our resident proselytizer of all things cloud and virtualization, digs into some of these terms, how they’re tossed about, what they mean and how the different technologies that they actually represent interact and play off of or with each other. It’s easy to get lost in the rapidly changing world of virtualization and today’s ever shifting datacenter, but there is some sanity to be had in there, I promise. I also dig Lori’s overarching theme in this piece which seems to be “Application Virtualization is great, but what about the network?”. It’s easy to forget the wiring when talking about shifting things around on the fly, elasticity and expansion. If you do forget it, however, I can almost guarantee you’ll be sorry down the road. Instead take a look here and keep an eye peeled towards Lori’s articles for future discussions and thoughts on the matter. There are solid solutions, and we can help without question, so take a look and see what your options are before getting behind the 8-ball. Automating application delivery with BIG-IP and VMware vCenter Orchestrator http://bit.ly/1fnFsWX From the very outset Simon’s article grabs me with, “Orchestration is a growing trend…”. Preach it, brother, is it ever. Applications and the datacenters supporting them are getting ever more flexible, elastic, extensible, dynamic and a host of other terms that basically boil down to “NOT STATIC ANYMORE!". That is all fantastic for application functionality, growth, rapid iteration and deployment and a host of other things. It is often, however, not so awesome for the people trying to keep up with all of the infrastructure and configuration changes that go along with that blistering pace of advancement. The ever present march of technological improvement is something that many an administrator dreads without proper orchestration. The more moving parts, the more rapidly moving those parts are, and the more interconnections there are between different pieces of the constantly growing application delivery fabric, the more important orchestration of those things becomes. This article talks about one way in which your F5 devices can help combat the possibility of being overwhelmed by allowing you to plug directly into VMware’s vCenter Orchestrator to perform some of the more common tasks on your F5 devices. This is a good read for anyone looking at or thinking about management on a larger scale, or anyone that might get there someday. Note: That should cover pretty much everyone, mmkay? So read up. Another FSE iRules Challenge, Even More Surprising Results http://bit.ly/1453qqm You knew there were going to be iRules in here somewhere, didn’t you? Come on, have we met? I got the hugely fun opportunity to present and judge yet another FSE iRules challenge over the last couple of weeks. I truly enjoy each and every one of these experiences, and this was no exception. From dreaming up an interesting (I hope) challenge for the competitors to tackle, to playing the part of the customer and delivering my requirements before fielding a bevy of questions from the eager to quell the problem engineers, to seeing the massive brain power being tossed around to solve said issues; it’s always a good time for a geek like me. This time around we had a ringer, hence the somewhat surprising results, but you’ll have click through to find out the details of his cyborg ways. In the meantime, if you’re looking for some examples of what our engineers are up to in their first weeks at the company while getting up to speed on iRules, here’s your chance to find out. Hint: It’s pretty darn impressive.Top5 06/09/2014
This week’s edition of the Top5 is packed from stem to stern with geeky goodness. I suppose that’s not much of a surprise, given that it is the Top5 and all. That’s kind of our M.O. ‘round these parts, and most weeks are similarly packed. It is not every week, however, that we can boast an international array of characters creating content for your consumption. Whenever I go digging through recently posted content on DevCentral I find myself wishing I were posting the Top17, not the Top5, especially now that we have content pouring in from all over the world. That being the case, 5 is the format, so 5 will have to do. And here they are, this week’s outstanding offerings: BER and DER: Why Encoding and Decoding Matter http://bit.ly/1oGjfLH Shameless self promotion though it may be, I feel strongly that some of the things we’re doing with our programmability offerings (iRules, iControl, tmsh, iCall, LineRate, etc.) are beyond cool. They are among the coolest, most interesting, most compellingly powerful gadgets and gizmos of their type, and if that’s not enough, they’re just plain fun to geek out with. We’re always adding to these features and lately there has been some serious momentum building in this arena, for which I’m both stoked and grateful. One such addition is the ability for iRules to natively encode and decode ASN1 formatted data. This makes some things that were just barely on the fringe of being possible (meaning they were technically feasible, but a giant pain…) suddenly a breeze. Check out this primer on why you might care, how this puts us one step closer to applications everywhere, and just why I’m so excited about this new tech. The State of the APAC Cloud - part1 http://bit.ly/1s1FDTw You’ve heard all about the cloud, of that I have no doubt. You’ve heard good, bad, indifferent and otherwise about what it means to different people, how we’re going to leverage it, the concerns, and more. If you’re like me you’re interested, but tired of hearing the same thing over and over, in many cases. That’s why I was excited to see one of F5’s own giving an insider’s take on a more specific and, for me at least, foreign piece of the cloud puzzle - the APAC cloud. Charles Chong digs into what the cloud situation looks like in his area, what the prevailing concerns in that geography are, and how they lend themselves to being addressed. Given that most major businesses are global, or headed that way, I found this to be a tasty tidbit of info, straight from the horse’s mouth, as it were. If you’re curious what cloud issues might attempt to burst your bubble and what you can do about them in this regional hotbed of technological traction, take a look. I’m betting you won’t regret it. The Internet of Things and mobility driving HTTP and cloud http://bit.ly/1mzEXwv “The Internet of Things” - Now there’s a name that bears explaining. The first time I heard that phrase I thought someone had mis-spoken. As it turns out it is far more straight-forward than expected. It is precisely what the name says - a way for things, and I do mean nearly everything, to get on the internet. From TVs to refrigerators to cars and more, more and more devices that are not purpose built computing resources are attaching themselves to the internet for a myriad of reasons. Call-home functionality, data and usage tracking, web enabled features (Who doesn’t want to tweet from their refrigerator while pouring the morning OJ?) - you name it, the “things” are offering capabilities that were, until somewhat recently, restricted to the computing realm. As this trend continues, and all signs point to the fact that it will not only continue but boom in a major way, it has definite implications for the web. Lori takes a look at just what this might mean for HTTP and the cloud world in a way that had me nodding along and curious to hear more, as is so often the case with her writing. This is a movement that is coming whether you’re ready or not, so I suggest penciling in the time to get up to speed. Lori’s post is a good way to get started. I’ll leave the digging up to you from there. Make Your Cache Work For You http://bit.ly/1ljt6FI Dawn Parzych, our resident acceleration PM/Guru extraordinaire, takes some time out of her busy schedule to share with us some ins and outs of cache usage. This “best practices” (my words, not hers) guide gives you the scoop on the different cache settings and features available to AAM users. From what they do, to when to use them, she demystifies the world of object caching right before your eyes. Well, you know, in text. On her blog. On DevCentral. But still, it’s awesome! This stuff is Greek to a lot of people and Dawn’s easy to grok explanations are quite valuable to newbie and nerd core alike. She even struts her geek cred bolstering chops to show off some handy commands that might be of interest to those looking to track the cache stats on their device. Security Sidebar: Plan For Your Data Breach http://bit.ly/1nuVd5c You’ve seen the announcements everywhere you look “Hackers attack”, “Breech suspected”, “Information compromised” and worse. In this day and age it seems to be far less about ifsensitive data will get compromised and far more about when. Or, more specifically, what the heck are you going to do when it happens? This may sound a bit morose, but honestly it’s more pragmatic than pessimistic. Security is a tricky business and staying ahead of the legion of naughty internet denizens out there is an increasingly difficult task, even for the most seasoned security ninja. While beefing up protection and stopping the attacks is always the first order of business in the security world, it isn’t such a bad idea to have a plan in place in case of an actual leak. The only thing worse than being compromised is being unprepared to deal with it should it occur. DevCentral’s own John Wagnon has put together some thoughts and tips on just what constitutes planning for such an event. Check out his post about it here, and make sure you’re on track for handling this situation should sit arise, unfortunate thought it may be. While we all hope it never happens, trust me, you’ll be far happier if you’re prepared.DevCentral Top5 09/25/2009
Side-projects and behind the scenes activities abound as the DevCentral team works towards the next goal on our plans for world domination, carefully sketched on Jeff's whiteboard. I'm glad to say that the extended DC team has been helping, as always, to keep the content flowing though, and there's plenty to highlight this week. Take a look at this week's Top5: Closing in on the iRules Contest Deadline http://devcentral.f5.com/s/weblogs/jason/archive/2009/09/15/closing-in-on-the-irules-contest-deadline.aspx Jason points out a very important, timely fact. It's nearly the end of your window to submit killer iRules for great prizes! The iRules contest is coming to a close. We've gotten some awesome entries so far and I've personally loved seeing them flow in from all over the world. There is still time, though. If you've got an iRule that you use that is cool and unique and warrants sharing, now is the time! Get it submitted and put your bid in for one of the pretty killer prizes offered to the winners. Check out Jason's post to get the details of what they are, where to apply, and a cool example iRule from the forums that could easily be submitted. Despite Rumors to the Contrary F5 Remains In the Lead http://devcentral.f5.com/s/weblogs/macvittie/archive/2009/09/25/despite-rumors-to-the-contrary-f5-remains-in-the-lead.aspx Lori comes to you this week with an important news bulletin: F5 is still leading the charge in the ADC market, despite the mutterings you may have heard recently. With the release of the new Magic Quadrant from Gartner there is always a fair amount of posturing and hubbub. Lucky are we that our positioning continues to speak for itself, well in the lead. I'm not usually one to go in for marketing type stuff, but the geek in me loves that we have the coolest technology at the party, bar-none. This is one of the many indicators of that, and I was glad to see Lori point it out. DevCentral Weekly Roundup Episode 104 - Guru, Guy, and My BIG-IP http://devcentral.f5.com/s/weblogs/dcpodcast/archive/2009/09/24/devcentral-weekly-roundup-episode-104-guru-guy-and-my.aspx This week's podcast was a particularly cool one, thanks to the caller that decided to join us. A few weeks ago we started dabbling in live-streaming our podcasts as we record them. This week Joe added the functionality to allow users to call in and chat with us in real-time, while we record. I was pleasantly surprised that we had a community member do precisely that, and share with us what they're currently doing with our tech. If you ever doubt that DevCentral is a far-reaching community with active members, an impromptu call from an international user to chat with us about what they're doing should cure what ails you. Turn Your Podcast Into An Interactive Live Streaming Experience http://devcentral.f5.com/s/weblogs/Joe/archive/2009/09/25/turn-your-podcast-into-a-interactive-live-streaming-experience.aspx As I mentioned above, the past few weeks we've been adding functionality to our podcasts. This once simple process has become increasingly more complex as we've tried to leverage new and cool features to make them more engaging and interactive for our users. With Joe at the helm we've incorporated several tools that make this possible. Today he put out a blog post detailing just how these all work together and exactly how it is that he crafted this bigger, better mousetrap. I found it quite interesting and it's a neat peek behind the curtains into one of the things we do here in DC Land. Reduce your Risk http://devcentral.f5.com/s/weblogs/psilva/archive/2009/09/24/reduce-your-risk.aspx In Pete's 13 th of 26 short topics about security he discusses mitigation. He touches on the fact that you should generally assume, if you're dealing with a publicly facing application, that you will eventually be the target of some malicious activity. He also details a few ways in which we all help to mitigate those risks on a daily basis. From firewalls to strong passwords to access cards to secure facilities, there are many hoops we all jump through daily, whether we think about it or not, to try and mitigate the risks inherent in today's IT world. This series is an interesting one and the pieces are easy to digest. I intend to keep following it as it moves towards topic #26, and I recommend you do the same. There you have it, my Top5 picks from DevCentral for the week. Hopefully you enjoyed them, and I'll be back with more soon. Be sure to check out previous editions of the Top5 here - http://devcentral.f5.com/s/Default.aspx?tabid=101 #ColinTop5 02/03/2014
I come to you heavily laden with programmatic gifts, software defined goodies and web based subsidies. I know, that last one is weird, right? Subsidies on the web? Oh yes, it’s a thing, trust me. This week the Top5 is packed with tasty goodness that will get you thinking about the many ways that apps and application development are, or are about to be, driving not only your users’ experience, but your network as well. For those of you that are already in that head space and comfortable with such thought, enjoy the ride. For those that aren’t quite as eager to accept such tomfoolery? Buckle up and dig in, I’ll do my best to not lead you astray. I give to you, this week’s Top5: iControl REST 101: What is iControl REST? http://bit.ly/1n7g9fD iControl REST you say? Awesome and new? What is it? What can it do? How is it different? Who should be using it? Why do you care? These questions and more will be revealed to you, dear reader, should you merely choose to peruse this article. There may even be punch and pie. (Note: There will not be punch and pie.) If you’re API inclined then you’ll definitely want to check this out. F5 moving to support a RESTful API for programmatic access to our devices is a big deal. It’s important for several reasons, that all get outlined in this first installment of the iControl REST 101 series. For the next several weeks follow along as more information, examples and goodness are given, and get yourself familiar with iControl REST. If you’re not yet API savvy and have been considering wading in, now is definitely the time. With iControl REST getting things up and running is easier than ever. So take a look, see what you can figure out, and get to coding. iControl REST Home http://bit.ly/1bn7ofv Precisely zero people should be shocked that, following the release of the above awesome technology, there is now a new home for it on DevCentral. Just like the iRules, iCall, and iControl SOAP wikis, this is a place where you can come to find out what’s new, what info is out there regarding iControl REST, and what people are doing. Perhaps the most useful piece of the Wiki is, or will be, the CodeShare. Here users will be able to view and share examples of iControl REST doing its thing in a myriad of different languages. I’ve pre-populated the Wiki with some cool examples from a handful of rather awesomely smart people her at F5. There are more examples to come, and much more content in general, as well as a little polishing. It may be a hair rough this close after release but it is still very much growing and evolving, and the info is good. It’s just going to keep getting better, so bookmark this one early and get used to checking it out, you won’t be disappointed. If you’ve got things you’d like to see, suggestions, additions or comments, don’t be shy! The Impact of Micro-Architectures and APIs on Data Center Network Design http://bit.ly/1aW88dE Speaking of APIs and just how powerful they are, Lori has an awesome piece portraying the power and importance of APIs, application focused networks and a fancy new term I’d not yet heard, “Micro-Architectures”. Maybe I’ve been living under a rock, but that one’s new to me. Her explanation is, as always, spot on and thought provoking. If you’re paying attention you’ll notice that applications drive the network these days, not the other way around. This means that not only does your network need to be flexible and scalable to suit application needs, but that the very design of your network will likely start to cater to application needs, rather than being the hoop through which applications must jump. Go read more in Lori’s post. It has me thinking which is always a good thing, especially so early in the morning, and these are topics that people are going to face more and more often. The use case of software-defined networking http://bit.ly/1ekwlLg Despite spelling data center funny, Nathan’s not a bad guy. He’s also got some pretty cool thoughts on SDN that you just might want to check out. Armed with a bevy of facts and figures, Nathan’s article might just give you some more insight into where this whole SDN business is heading, what you may hope to see as a benefit from it, and not shockingly from a marketing guy, how we can help you get there. We’ll forgive him that, however, because he’s got some really interesting information in there and it’s very much worth the read if you’ve got the time. Software Defined Networking has some pretty powerful potential, and understanding just how to tap into that can be huge. Articles like this one can go a long ways towards helping with that, so do yourself the favor and go take a look for yourself. 1-800-HTTP http://bit.ly/1lwQjq6 Free bandwidth? Unheard of. Subsidized however…now for that there is decided precedent. It is a twist, however, to see the people doing the subsidizing become the application owners themselves. Facebook, Netflix and the like allowing mobile users free access? That’s cool and all, but think for a moment about what has to happen, technologically, for that to be possible. That means the mobile provider must know that you are accessing SiteA, track all usage to SiteA, send the company that owns SiteA an invoice/bill/something, and get those costs recouped so that they can pull the usage for SiteA out of your bill and not tag it onto your total usage for the payment cycle. It’s a rather complex logic bomb just waiting to go off, and it will without question require a heaping helping of application fluency. Lori talks all about it in this awesome post that you should most certainly go check out. This is a very interesting trend that may have legs, depending on how it’s received, and it can’t hurt to get ahead of the curve, can it? That’ll do it for this week’s Top5. Until next time, code hard.DevCentral Top 5: Feb 25, 2015
The articles on DevCentral have been absolutely fantastic as of late. Understandably, readers can expect to find great F5-related technical content here at DevCentral, but several industry-relevant pieces are also found in this community. These articles provide the perfect blend of technical thought leadership that’s sure to excite and inform. It’s always a fun challenge to select the “top 5” articles, and here are my choices: CVE-2014-3566 POODLE vs. CVE-2014-8730 TLS POODLE In his first DevCentral article, MegaZone lifts the veil of confusion that so prominently exists regarding two recent POODLE CVEs. The first POODLE vulnerability is tied specifically to SSLv3 while the second is tied to TLSv1.x. Officially, F5 refers to the second CVE as the “TLS 1.x Padding Vulnerability” but you know how these things go…many of the scan tools around the world today refer to this CVE as “TLS POODLE” and it’s essentially impossible to put the toothpaste back in the tube on this one. So, as it stands, we have two very different vulnerabilities with two very similar names. Thanks to MegaZone, we also have a fantastic article that explains the differences and even gives mitigation steps for those who are affected by one or both of these critical vulnerabilities. I speak for us all when I say, “Thanks MegaZone…I hope this is the first in a long line of articles we will see from you on DevCentral!” Why You Should Tap the Hardware Random Number Generator in your BIG-IP David Holmes gives us a peek into his existential attitude in this very interesting article about how to achieve true randomness for your cryptography keys. Every time a computer generates a crypto key, it needs hundreds of bytes of entropy. The problem is…computers have a really hard time finding truly random numbers. Some try to make up randomness, but that always turns out to be a bad idea. So, what to do, right? The good news is that you can utilize your BIG-IP to accomplish this much-needed random number generation. David even provides an iRule that will mine the BIG-IP hardware for random data. While humans struggle to find meaning in life, computers struggle to find lack of meaning. Oh, what a tangled web we weave… IE Universal XSS Vulnerability Mitigation Does anyone still use Internet Explorer? Yes they do. Although the usage trend for IE is headed in a downward direction, many thousands of people still use the browser. In this article, Jason Rahm highlights an important and potentially dangerous Cross Site Scripting vulnerability that is known to affect IE 11 (but Jason also confirmed it’s success on IE 10 using Windows 7). The good news is that you can use a simple LTM policy or an iRule to mitigate this vulnerability. You gotta love the flexibility and power of iRules! Who knows when Microsoft will patch this…but you can patch it in about 2 minutes when you follow the steps that Jason lays out in this short but powerful article. Lizard Squad Leaked Database Oz Elisyan is another first-time author on DevCentral…and his article already has 5 upvotes! It’s easy to see why you all like Oz’s inside look at the Lizard Squad database hack. This article is a great example of the breadth of great content you will find on DevCentral because it doesn’t mention F5 at all. It’s just a phenomenal write up about a hack against the not-so-friendly Lizard Squad. Lizard Squad provides a “DDoS for hire” service, and many of their members were recently arrested following a high profile attack against Xbox and others. Well, turnabout is fair play. In this case, someone used several Cross Site Scripting vulnerabilities to gain access to the Lizard Squad database of attacked DDoS targets (dare I suggest that Lizard Squad should have used Jason Rahm’s XSS iRule mentioned in the last article?). Anyway, you can read all about the Lizard Squad database and even check to see if your company is listed among the targets. Great job on this article, Oz! Can network infrastructure be immutable infrastructure? We all love disposable stuff…plates, napkins, contact lenses, batteries, cameras, and…network infrastructure? Lori MacVittie reminds us that we have a tendency to throw away just about everything. As technology trends move from the nucleus of business today - application development - to the very nether regions of the application data path - the network - it makes sense to ask whether or not network infrastructure can ever be immutable? Lori provides a phenomenal, thought-provoking look at reasons you might want to consider implementing a disposable infrastructure (or, at least, pieces of infrastructure) one day.
