Filip Kolář, Major Account Manager
[email protected] +420 720 704 746 © F5 Networks, Inc
F5 PARTNERS
ISP TRENDS
- Data growth
- Attacks from the internet
- Internet of Things
- Intelligent traffic shaping
- Consolidation
- L4-L7 security
- DDoS protection
- Scalability, IPv4/IPv6
TODAY'S TOPICS
DoS = Denial of Service; DDoS = Distributed Denial of Service: "making services unavailable to their intended users"
Policy Enforcement: "controlling access to the network with intelligent traffic shaping"
F5'S POSITION
TETRIS?
...NO, THE F5 PORTFOLIO
HYBRID DDoS PROTECTION
CLOUD SERVICE: Silverline cloud DDoS protection
DEVICES ON THE CUSTOMER'S PREMISES:
- Local Traffic Manager (LTM)
- Global Traffic Manager (GTM)
- Advanced Firewall Manager (AFM)
- Application Security Manager (ASM)
- BIG-IP® Access Policy Manager (APM)
- BIG-IP® Carrier Grade NAT (CGNAT)
- BIG-IP® Policy Enforcement Manager (PEM)
- TMOS, iRules
Certification: EAL2+; EAL4+ (in process)
CLOUD DDoS PROTECTION "Silverline"
[Architecture diagram; labels recovered from the slide] Scrubbing center with an inspection plane (inspection toolsets, traffic actioner, route management, flow collection, portal visibility, signaling) and a Tier 1 management and data plane that receives copied traffic for inspection together with NetFlow. Traffic from legitimate users and from DDoS attackers enters the cloud scrubbing service through routing/ACL and switching; a proxy and asymmetric mitigation tier (customer VRF) sits in front of the customer. The connections between the scrubbing service and the customer are labelled GRE tunnel, BGP signaling, IP reflection and X-Connect.
Covers volumetric attacks and floods and L3-7 known-signature attacks, backed by operations center experts.
DDoS
www.digitalattackmap.com
ISP: A TOP 3 TARGET FOR DDoS ATTACKS
Source: http://www.stateoftheinternet.com/downloads/pdfs/2014-internet-security-report-q4.pdf
DDoS IN THE MEDIA
http://www.securityweek.com/real-storybehind-kate-upton-nude-ddos-attack
DDoS IN THE MEDIA
DDoS IN CZ+SK MEDIA
TYPES OF DDoS ATTACKS
Application, SSL, DNS, Network
[Screenshot] Threatening e-mail received by an F5 customer
TRAFFIC GROWTH
[Chart] Global internet traffic in fixed networks [PB/month], 1990–2019; y-axis 0 to 120,000 PB/month; the curve is labelled as exponential growth
Source: Cisco, The Zettabyte Era—Trends and Analysis
TRAFFIC STRUCTURE
The key is to prioritize "visible" traffic (HTTP, video), which determines the user experience, over "background" traffic (P2P, file sharing, ...).
Source: Sandvine
TRAFFIC GROWTH
[Chart] Mobile vs. fixed ISP
INTELLIGENT TRAFFIC SHAPING
KNOWLEDGE: user, device, application, network
NETWORK CONTROL AND OPTIMIZATION
NETWORK MONETIZATION
CONTEXTS
User, device, application, network type (2G / 3G / 4G), geo, load
PRINCIPLE OF INTELLIGENT TRAFFIC SHAPING (replacement for Cisco SCE)
GLOBAL policy: overall P2P = 10 Mbps, i.e. subscribers A + B + C share 10 Mbps of P2P between them (in the diagram subscriber B's P2P is 4 Mbps of that pool)
PER-USER policy: Gold subscriber = 20 Mbps with P2P = 4 Mbps; remaining subscribers = 10 Mbps with P2P = 512 kbps
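The two policy models above combined into one hierarchical shaper, as an added example that is not F5 code or PEM configuration: every grant has to fit the subscriber's tier bucket, and P2P additionally has to fit the subscriber's P2P bucket and the global P2P pool. The tier numbers are the slide's; the fluid token-bucket scheduler, the 1 ms interval, the rotating service order, the "web before P2P" ordering and the offered loads are assumptions made for illustration.

```python
"""Hierarchical traffic shaping: per-subscriber tier limits nested inside a
global per-application ceiling, as a deterministic fluid token-bucket model.

Added example. Tier numbers mirror the slide (Gold 20 Mbps with 4 Mbps of P2P,
other subscribers 10 Mbps with 512 kbps of P2P, 10 Mbps of P2P overall); the
scheduler, the 1 ms slice and the offered loads are assumptions.
"""
from dataclasses import dataclass

SLICE_MS = 1  # scheduling interval; every rate is converted to bytes per slice

# Tier policy taken from the slide (bits per second).
TIERS = {
    "gold":     {"total": 20_000_000, "p2p": 4_000_000},
    "standard": {"total": 10_000_000, "p2p": 512_000},
}
GLOBAL_P2P_BPS = 10_000_000  # ceiling on P2P across all subscribers


class TokenBucket:
    """Integer token bucket refilled once per slice. The burst equals one slice
    of credit, so unused credit never carries over into the next slice."""

    def __init__(self, rate_bps: int):
        self.per_slice = rate_bps * SLICE_MS // 8000  # bits/s -> bytes per ms
        self.tokens = self.per_slice

    def refill(self) -> None:
        self.tokens = min(self.per_slice, self.tokens + self.per_slice)


@dataclass
class Subscriber:
    name: str
    tier: str
    offered_bps: dict  # traffic class -> offered load in bits per second (assumed)


class HierarchicalShaper:
    """A grant must fit the subscriber's total bucket; a P2P grant must also fit
    the subscriber's P2P bucket and the shared global P2P bucket."""

    def __init__(self, subscribers, global_p2p_bps=GLOBAL_P2P_BPS):
        self.subs = list(subscribers)
        self.global_p2p = TokenBucket(global_p2p_bps)
        self.buckets = {
            s.name: {"total": TokenBucket(TIERS[s.tier]["total"]),
                     "p2p": TokenBucket(TIERS[s.tier]["p2p"])}
            for s in self.subs
        }
        self.admitted = {s.name: {"web": 0, "p2p": 0} for s in self.subs}

    def _limits(self, sub, cls):
        limits = [self.buckets[sub.name]["total"]]
        if cls == "p2p":
            limits += [self.buckets[sub.name]["p2p"], self.global_p2p]
        return limits

    def run(self, seconds=1):
        """Simulate `seconds` of traffic; returns admitted bytes per subscriber and class."""
        for i in range(seconds * 1000 // SLICE_MS):
            self.global_p2p.refill()
            for b in self.buckets.values():
                b["total"].refill()
                b["p2p"].refill()
            # Rotate the starting subscriber each slice so the shared global
            # P2P pool is not permanently claimed by whoever is served first.
            start = i % len(self.subs)
            for sub in self.subs[start:] + self.subs[:start]:
                for cls in ("web", "p2p"):  # "visible" traffic before background P2P
                    want = sub.offered_bps.get(cls, 0) * SLICE_MS // 8000
                    limits = self._limits(sub, cls)
                    grant = min([want] + [b.tokens for b in limits])
                    for b in limits:
                        b.tokens -= grant
                    self.admitted[sub.name][cls] += grant
        return self.admitted


def mbps(byte_count, seconds=1):
    return byte_count * 8 / 1_000_000 / seconds


def demo(seconds=1):
    """Three Gold subscribers and one Standard subscriber, each offering more
    than its caps (constructed load)."""
    gold_load = {"web": 15_000_000, "p2p": 8_000_000}
    std_load = {"web": 8_000_000, "p2p": 8_000_000}
    subs = [Subscriber("A", "gold", gold_load), Subscriber("B", "gold", gold_load),
            Subscriber("C", "gold", gold_load), Subscriber("D", "standard", std_load)]
    return HierarchicalShaper(subs).run(seconds)


if __name__ == "__main__":
    for name, got in demo().items():
        print(f"{name}: web {mbps(got['web']):.3f} Mbps, p2p {mbps(got['p2p']):.3f} Mbps")
```

With these loads the three Gold subscribers would need 12 Mbps of P2P between them, so the 10 Mbps global pool is what binds: web is admitted in full (15 Mbps for Gold, 8 Mbps for Standard), while P2P comes out at roughly 3.4, 3.4 and 2.9 Mbps for the Gold subscribers and 0.38 Mbps for the Standard one. Without the rotating start order the last subscriber served in every slice would get nothing from the pool at all, which is the kind of fairness question a real shaper has to settle explicitly.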
URL CATEGORIZATION
- Built-in Webroot DB of ~20M sites
- iRule whitelist/blacklist
- Custom DB
[Diagram] 1. The subscriber tries to access a blocked URL (via PGW/GGSN and router toward the Internet); 2. integrated Webroot URL filtering / blacklist on the F5; 3. Access Denied
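The decision step of the flow above (step 2: whitelist, blacklist and category database consulted for the requested host), as an added example in Python; it is not F5 code and does not use the Webroot database. The tables, the precedence order (explicit whitelist, then explicit blacklist, then category) and the fail-closed handling of unparseable URLs are assumptions. The point it adds is the host normalization a filter needs so that letter case, a trailing dot, a port, a userinfo prefix or a Unicode label cannot be used to slip past a blacklist entry.

```python
"""URL-filtering decision with whitelist > blacklist > category precedence.

Added example, not F5 code. The tables are constructed, and the precedence
order and fail-closed choice for unparseable URLs are assumptions.
"""
from urllib.parse import urlsplit

# Constructed lookup tables keyed by domain; an entry also covers its subdomains.
WHITELIST = {"cdn.partner.example"}
BLACKLIST = {"phish.example"}
CATEGORY_DB = {
    "partner.example": "malware",
    "bittorrent.example": "p2p",
    "news.example": "news",
}
BLOCKED_CATEGORIES = {"malware", "p2p"}


def canonical_host(url: str):
    """Reduce a URL to the host a filter should match on, or None if unusable.

    urlsplit().hostname already lower-cases, drops the port and ignores the
    userinfo part, so "http://cdn.partner.example@phish.example/" yields
    phish.example rather than the whitelisted name that appears first.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    if not host:
        return None
    host = host.rstrip(".")  # "phish.example." is the same zone as "phish.example"
    try:
        return host.encode("idna").decode("ascii")  # Unicode labels -> xn-- form
    except UnicodeError:
        return None


def longest_suffix_match(host: str, table):
    """Return the most specific entry of `table` that covers `host`, matching on
    whole labels so that "notphish.example" does not match "phish.example"."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def decide(url: str):
    """Return (verdict, reason) for a subscriber's request."""
    host = canonical_host(url)
    if host is None:
        return "deny", "unparseable host"  # fail closed (assumed policy choice)
    if longest_suffix_match(host, WHITELIST):
        return "allow", "whitelist"
    if longest_suffix_match(host, BLACKLIST):
        return "deny", "blacklist"
    entry = longest_suffix_match(host, CATEGORY_DB)
    if entry is not None:
        category = CATEGORY_DB[entry]
        if category in BLOCKED_CATEGORIES:
            return "deny", f"category {category}"
        return "allow", f"category {category}"
    return "allow", "uncategorized"


if __name__ == "__main__":
    for u in ("http://news.example/today",
              "https://tracker.bittorrent.example:6969/announce",
              "http://www.partner.example/",
              "http://cdn.partner.example/lib.js",
              "http://PHISH.EXAMPLE./login",
              "http://cdn.partner.example@phish.example/",
              "http://notphish.example/"):
        print(u, "->", decide(u))
```

Whether an unparseable request is denied or allowed is a policy decision that should be made deliberately: a filter that fails open on odd input is exactly what an evasion attempt will probe for.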
CONSOLIDATION OF NETWORK ELEMENTS
[Diagram] 2010–2015: from dedicated platforms from different vendors (DNS policy enforcement, L7 steering, firewall, FW/DDoS/CGN with CGNAT, HTTP HE, L3/L4/L7 steering) to a unified platform with L4–L7 consolidation
CONSOLIDATION OF NETWORK ELEMENTS ONTO ONE F5 "BOX"
FW, NAT, DDoS protection, intelligent traffic shaping
[Diagram] Attacker and web bot traffic arrives from the Internet at the single F5 box
=> Savings in capital and operating costs, simpler infrastructure management
CONSOLIDATION OF CORE ELEMENTS: F5 CUSTOMERS

VoIP provider in Australia
Use case
- Broadband aggregation
- F5 solution: load balancer, bandwidth manager and firewall in one box
- Traditional model: dedicated boxes
Benefit for the customer
- Cost savings: more than US$100,000 CAPEX (alternative solution US$250,000)
- Further savings on OPEX (maintenance, training)
- Simpler troubleshooting

ISP (cable operator) in Israel
Use case
- Lack of IPv4 and load balancing of web cache servers
- F5 solution: traffic steering (for web caches) and CGNAT
Benefits for the customer
- NAT (IDM is able to NAT https traffic behind a specific IP subnet and treat this traffic uniquely; high-speed logging)
- Cost savings on internet connectivity thanks to web caches
- Network management improvement thanks to iRules
- "We can seamlessly add a new cache in one click on the F5 platform. We don't have to change anything at the network level. This is definitely something we couldn't do before," says El Khoury.
MageMojo web hosting: DDoS protection and web application firewall
MageMojo is a web hosting provider in the U.S. with 2,500 hosted websites
Use case
- Cyber Monday, DDoS attack, outage for several hours
- Requirements: attack elimination, low latency and high performance, network FW with PCI DSS
- F5 solution: DDoS, AFM ICSA-certified FW for DC protection, WAF for L7 attacks, LTM for scalability
Benefits for the customer
- Cost savings of 70% thanks to the consolidated solution
- "In the end," Hileman says, "we saved over 70 percent consolidating with F5 instead of buying all the individual components or going with a third-party mitigation service."
- Compared to other DDoS solutions, F5 includes application security as well
- Thanks to the full proxy, the DDoS attack is detected before it reaches the app servers
- Scalability of the VIPRION for seasonal peaks (internet connectivity savings)
- Comparable solution to the competition: "Even the base performance of a single blade is equal to the new connections per second of the largest firewalls at Cisco and Juniper,"
Datametrix DC and Cloud
Load balancing of virtual servers, DC security, user authentication, DR
Datametrix is a cloud provider in Norway (a Telenor subsidiary)
Use case
- Requirements: LB of virtual servers, DC FW, a system for subscriber authentication, disaster recovery
- F5 solution: 2x VIPRION 2400 chassis for the DC, with these modules:
  - Local Traffic Manager (LTM) to balance traffic across virtualised servers
  - Advanced Firewall Manager (AFM) to filter incoming customer communications and DDoS
  - Access Policy Manager (APM) to manage user authentication / SSO
  - Global Traffic Manager (GTM), Virtual Edition, to balance traffic across its two datacentres and implement automatic fail-over in the event of a disaster
Benefits
- Security, availability, scalability
Filip Kolář
[email protected] +420 720 704 746