DevCentral Weblogs

Self Serve Security

Pete Silva — Wed, 17 Mar 2010 14:10:32 GMT

Education of users has become a hot topic of late. The final keynote at the recent RSA Conference was all about using education to combat cybercrime. This article has statistics showing that, when Small and Mid-Market companies were asked, ‘what would help improve the level of security at their companies,’ 75% (48% for employees & another 25% for senior management) said Security Awareness. And, the recent issue of SC Magazine featured an article where Dan Beard, the Chief Administration Office for the House of Representatives says that organizations must educate end users and that end user education is the weakest link in cyber security. In that same article, Stephen Scharf, CISO at Experian explains:

“The human element is the largest security risk in any organization,”…“Most security incidents are the result of human errors and human ignorance and not malicious intent. Therefore, it is critical that significant effort is focused on education and awareness to reduce these occurrences.”

The human element has always played a role in security, cyber or otherwise. Growing up in Rhode Island, we used to always leave the keys in the ignition of the vehicles parked in our driveway. We felt safe were we lived – and granted, we lived in a rural area so the main crimes committed were things like stealing eggs from Carpenter’s Farm. Certainly, there are still plenty of areas and towns that have that type cocoon. As I went off to college in Milwaukee, I had to remind myself early on – ‘you’re not in Wakefield anymore,’ since I’d instinctively leave my wallet crammed in the sun visor of my Rabbit Diesel. I had to change my behavior when I moved from a small rural area to a larger city. Internet users must do the same but we are creatures of habit. Similar to leaving a wallet in the car, since that’s what I did most of driving life up to that point, many internet users still behave as if it’s 1995 and they are still on Prodigy. The threats are different and more severe but behavior is the same. Times change but sometimes people don’t, won’t or can’t.

As all those articles point out, End User Education is vitally important to any organization and should be a key part of the overall IT security strategy. Users knowing what and what not to do when something seems fishy is an important part of your defense – especially when it’s something your firewalls, WAFs, IDS/IPS and other perimeter mechanisms might have missed. Education needs to be ongoing however and not a one shot deal since, according to Dr. Maxwell Maltz, it takes 21 days to make or break a habit. This has since been deemed a myth and everyone is different but it does bring up a good point. Security education, training and knowledge is not an overnight cram session – any security professional will attest to that. A single afternoon meeting going over ‘corporate policies for end users’ regarding information security will not help those who already have bad habits. It needs to be ongoing, consistent and relevant to their daily lives, including the serious consequences of poor behavior. Help users understand the risks/threats, break the bad habits that might lead to exposure and secure your infrastructure in a way that no piece of hardware/software can. Help users help themselves.

While not directly security related, F5 recently started offering Free Web Based Training for our end users. IT admins are end users too, ya know. F5 Networks Web-Based Training (WBT) courses introduce you to basic technology concepts related to F5 technology, recent changes to F5 products and basic configurations for BIG-IP Local Traffic Manager (LTM). These are self-paced and you can access them at any time and as many times as you like. The cool thing is if you complete all of the lectures and labs for the LTM Essentials WBT, you have met the prerequisite requirements for the Advanced Topics, Troubleshooting, and iRules classes.

F5 Improves Customers’ IT Infrastructure Agility with BIG-IP Local Traffic Manager Virtual Edition

F5 Networks News — Wed, 17 Mar 2010 10:45:28 GMT

As the virtualization boom continues, many practitioners are looking to expand beyond the server and into other aspects of their architecture. Their intent is simple: if server virtualization provides such flexible and simple deployment, then virtualizing other aspects of the network should provide even more flexibility and simplicity; you could run an entire application segment, including switches, routers and firewalls all with the confines of a single physical hardware device. Moving that application segment to a new datacenter or backup facility would be as simple as copying files. Consequently, many manufacturers of network and application delivery equipment have rushed virtual versions of their products to market; some completely replacing their physical counterparts and others providing scaled down virtual versions in order to have a product, but not one that cannibalizes their traditional product sales.

Unfortunately, many of these offerings were developed simply in the face of virtualization hype and little thought seems to have been put into exactly how these devices would or should work, where it might make sense to use a virtual appliance in lieu of a physical one or when a physical appliance still makes the most sense. There are certainly many cases where virtual instances of physical appliances make perfect sense: development and testing labs, for training purposes and even for proof-of-concept deployments for new projects. All of these situations can be vastly improved by the ease of deployment, lower cost and flexibility offered by virtual solutions, but there is still a lot of debate about their place in realm of production deployment.

I have to say – and I have said it before – I am not a great fan of the ‘virtual appliance’ model for delivering enterprise management software. Specifically, I have ongoing concerns about how these software appliances break compliance, security, and other important management and policy requirements. – Andi Mann,Virtual Appliances – More Risk than Reward?, October 29, 2009.

Of course this doesn’t even take into account that many physical appliances started out on general computing hardware and evolved over years to include special purpose silicon and other unique hardware in order to achieve the speed an performance required by today’s applications; many of which simply aren’t available to virtual incarnations.

It seems that there is definitely a place in the enterprise for virtual versions of network and application delivery appliances, but there are some basic requirements that must be met. The virtual version must be completely compatible with its physical counterparts and have essentially the same capabilities—this makes it easy to use virtual instances in dev/test and move configuration files in bulk to their physical counterparts in production; the corollary being that virtual versions are still likely to be compliments to their physical brethren, not wholesale replacements. Finally, given the constantly changing needs of the environments mostly likely to benefit from virtual appliances, there needs to be a great deal of flexibility and leeway in licensing that meets this need.

F5 recently announced availability of a free trial version of its new virtual appliance, the BIG-IP^® Local Traffic Manager^™ (LTM^™) Virtual Edition (VE). This virtual version of F5’s flagship application delivery control helps address the immediate needs of customers while not eliminating their existing appliance investment or relegating them to only basic functionality; giving customers a choice of the how these devices best fit within their environment.

Developers can now easily work directly with the services provided by the LTM while developing applications, integrating iRules and iControl components to take advantage of centralized network services. These components can be easily moved with the applications directly into production because the LTM VE is an integrated component of the overall application delivery network, not simply a one-off solution. This includes free access to the support portal and resources on DevCentral to make it easier to break the traditional barriers between development and the network.

While application architects and developers don’t necessarily care about the final implementation of ADC services, they require a flexible infrastructure that can easily be integrated into the application development and deployment process, and can adapt quickly to business operations and opportunities. Soft ADCs give customers the flexibility to deploy ADCs in whole new ways to test, develop, and integrate more tightly into an overall Enterprise Cloud Architecture. - Mark Fabbi, VP and Distinguished Analyst at Gartner

In addition, F5 is now offering free BIG-IP LTM web-based training as a flexible learning tool to help users get the most from F5 solutions. This makes the LTM VE a perfect vehicle for development, testing and proof-of-concept use, particularly with organizations who may be unfamiliar with the benefits and breadth of services offered in today’s application delivery solutions. It also minimizes the cost of education and training for organization standardizing on F5 technology.

This is simply the first step towards an overall Enterprise Cloud Architecture strategy that began back in 2007 with the introduction of F5’s unique Clustered Multiprocessing (CMP) technology. This strategy and vision was recently bolstered by the new BIG-IP Edge Gateway^™ and BIG-IP Access Policy Manager^™ products, which can serve as application access control points for internal and external enterprise cloud services. These solutions simplify and unify application access control while ensuring high levels of quality of service. Tight integration between physical appliances that can provide consistent, reliable control, virtual appliances which can easily be moved between datacenters and cloud peering-points and advanced services which ensure the availability, security and performance of applications is a critical component of future cloud development.

Press Release

Support for BIG-IP LTM VE

Technorati Tags: BIG-IP,LTM,LTM VE

F5 and VMware Solution Yields 10x Improvement in Long Distance Live Migration Performance Using VMware VMotion

F5 Networks News — Tue, 16 Mar 2010 19:22:07 GMT

Server virtualization is booming. Enterprise organizations and mom-n-pop operations alike are experiencing a whole new level of flexibility within their IT operations. Server virtualization not only provides cost savings through consolidation, but also provides reduced deployment times and greater control over the use of finite resources. The sophisticated tools provided by today’s leading hypervisor vendors create the ability to dynamically balance the resource needs of applications across the available resources. Instead of having to invest in resources to meet the needs of every application’s peak requirements, they can dynamically move unused resource to augment applications experiencing peak traffic. For instance, accounting systems often need significantly more processing resources at the end of the month, quarter or year than they do to handle day-to-day operations. Instead of having to deploy static resources to meet the needs of this peak usage, as traditionally done, server virtualization allows you to move workloads around to meet this need.

Increased demands of mobile users and talk of cloud computing architectures, however, are driving organizations to push these capabilities even further. Enterprise’s want the ability to move applications closer to the users, move processing to dormant resources in international datacenters during off-peak hours and are increasingly interested in dynamically provisioning resources in third-party locations such as cloud providers and managed hosting providers. This requires the ability to move massive virtual image files between distant locations in near real-time and the capability of dynamically rerouting application requests from one location to another—all with no impact to the users of those applications. These demands go way beyond the scope of server virtualization tools.

In January of 2009, F5 released BIG-IP v10.0. With it came a new functionality called iSessions. iSessions, included as part of the TMOS platform, provided the ability to create dynamic, optimized and secure tunnels between BIG-IP devices even ones in geographically disparate locations. In August of that year, F5 announced and demoed the ability to use this functionality in conjunction with VMWare to provide uninterrupted access to applications as they were moved ‘live’ from one datacenter to another. With the release of BIG-IP v10.1 and the WAN Optimization Module, F5 continues to extend the capabilities and integration with VMWare to enable organizations to rapidly respond to changing application and business requirements by seamlessly migrating live applications across geographically dispersed data centers.

Now, F5 continues to lead the industry by publishing deployment guidance and test results that illustrate and validate the value of deploying F5^® and VMware solutions in concert to extend live migration capabilities across long distances for VMware vSphere^™ 4 environments in a secure, accelerated manner.

“VMware VMotion^™ and Storage VMotion capabilities are significant differentiators for VMware vSphere^™.F5’s technology complements VMware solutions, making it possible to execute live workload migrations over greater distances. Combining VMware vSphere with BIG-IP^® solutions expands the many use cases possible, and adds to the value we’re able to offer customers.”- Parag Patel, Vice President, Alliances at VMware.

By integrating elements of F5’s application delivery solutions, Local Traffic Manager (LTM), Global Traffic Manager (GTM) and the new WAN Optimization Module (WOM), the F5 solution provides several benefits to the overall solution. WOM provides the secure and optimized datacenter-to-datacenter connection that enables the workload to be migrated in a fraction of the time. Once the workload has been transferred, GTM directs new user requests to the new location of the application. LTM, again utilizing the WOM services, enables existing user sessions to continue with minimal impact even though the application is now actually served from the other datacenter by routing user’s requests until they terminate.

According to recent ESG research, increasing server virtualization usage is the top overall IT priority facing organizations over the next 12 to 18 months. The mobility of virtual machines now provided by F5 and VMware will help companies distribute workloads across data centers, relocate applications closer to the end-user, and perform live data center migrations.” - Mark Bowker, Senior Analyst with Enterprise Strategy Group.

This solution enables customers of both F5 and VMware to see the benefits and possibilities of taking an integrated and holistic approach to their virtualization efforts and receive the full value of their investment.

Press Releases:

Additional Resources:

VMware Information:

Technorati Tags: F5,WOM,LTM,GTM,VMware,VMotion,vSphere,BIG-IP

Mobility Can Be a Pain in the aaS

Lori MacVittie — Tue, 16 Mar 2010 01:59:49 GMT

What does a 2-year old and cloud-based applications have in common?

The Toddler has recently decided that he can navigate the stairs by himself. Insists on it, in fact. That’s a bit nerve-wracking, especially when he decides that 2:30am is a good time to get up, have a snack, and recreate a Transformers battle in the family room.

It’s worse when you’re asleep and don’t know about it.

Oh eventually you hear him and you get up and try to convince him it’s time for sleep (see? all the grown ups are doing it) but it takes a while before he finally agrees and you can climb back into bed yourself.

Mobility. It’s a double-edged sword that can bite not only parents of Toddlers testing out their newly discovered independence but the operators and administrators trying to deal with applications that, thanks to virtualization, have also discovered they have wings – and they want to use them.

IT’S 2:30AM, DO YOU KNOW WHERE ALL YOUR APPLICATION INSTANCES ARE?

When ~~Toddlers~~ application instances auto-launch themselves at 2:30am in any cloud computing environment it’s important to know where they are. While the worst the Toddler will likely do is try to raid the refrigerator the application may be doing far worse – it may be running up charges for merely existing while not doing anything substantially beneficial for you, like responding to application requests. In that respect you could say a virtualized application is more like The Teenager than The Toddler, because it seems to absorb money without any kind of return on investment.

Applications have never been islands but their reliance on the rest of the infrastructure to provide value, to respond to requests, to execute their functions, has never been more evident than when they’re dumped virtually into a cloud computing style environment. Without integration – either from within the application or from within its controlling management systems – with the rest of the infrastructure the application really is just wracking up charges without providing any real value to you or the users for whom it was launched.

And when applications become mobile, popping up at odd hours of the day and night in response to events and demands, this integration is absolutely required to ensure that the very raison d’etre of the application instance isn’t lost in the ~~kitchen~~ myriad virtual images humming happily in the data center (wherever that may be).

ORCHESTRATION REQUIRED

This is why orchestration is so important in ensuring a smoothly running virtualized infrastructure. Without someone paying attention, governing the instances, and making sure they are integrated with the right infrastructure components at the right time the entire value proposition of cloud computing and “fluid” architectures is rendered null and void. In the enterprise data center this process can be simpler than you might think, as the application can be directly integrated with the upstream components necessary to ensure it’s included in the process of increasing capacity through elastic scalability. When you “own” the infrastructure and you have the ability to integrate through standards-based mechanisms, you can ensure that no application is ever left behind when it enters the fray.

When you don’t own the infrastructure you need to be more choosy about the environment, ensuring that there are processes in place and means by which application instances will not be “lost” and incurring charges without providing benefit. What you don’t want is a manual process that requires you to manually integrate the application into the provider’s high-availability infrastructure (or yours in a true IaaS environment). You need Infrastructure 2.0 enabled components and operational processes that allow you to automatically ensure application instances are always being utilized when they’re available and not “powered on” when they aren’t.

Efficiency is about orchestrating operational processes, about eliminating manual tasks that could – and should – be handled through operational integration within the broader cloud computing ecosystem.

If that’s not the case, then the mobility of applications really is nothing less than a giant pain in aaS.

Related blogs & articles:

Technorati Tags: MacVittie,F5,cloud computing,infrastructure 2.0,mobility,XaaS,integration,collaboration,virtualization,orchestration

F5 Week in Review March 8th – 12th, 2010

F5 Networks News — Mon, 15 Mar 2010 10:29:17 GMT

A complete guide to news and media coverage for F5 Networks for the week of March 8th, 2010.

Notable Quotes:

Nathan Meyer, product manager at F5, said the benefits in upgrading systems during the deployment will be new systems that provide policy automation and key management. For example, Meyer said F5; a mid-level enterprise has over 100 different zones making the process of managing them a fairly daunting task.

"The task of managing each zone individually with individual keys and maintaining all the roll over periods would be a very daunting task," Meyer said. – Nathan Meyer, as quoted in Search Security

F5’s new enterprise Big-IP edge gateway is based on SSL as well. It uses the web application acceleration features that F5 usually deploys in front of web servers to allow faster access to those applications in a secure manner.—Forbes

TWST: Let's look at F5. Where are they positioned? What makes them appealing?

Mr. Shea: They have their BIG-IP product, which does load balancing, optimization, SSL; they do live migration with VMware (VMW), V-machines. So you essentially have F5 as the data control point within the data center. One of the things that I've been talking a lot about to our clients is that there is an increase in server virtualization DAP. A lot of customers before were maxing out at about 30% virtualized within their environment, and that has been steadily increasing. And now people are talking more about getting to a 70% virtualized level. What that means is that there is greater risk within that environment if you are not able to appropriately balance the traffic that's requesting data from those virtual machines. So F5 is right at the forefront of that, where it's able to balance the traffic among the virtual machines. -- Kevin Shea, CFA, joined MKM Partners LLC as quoted in The Wall Street Transcript.

F5 Networks (FFIV) may not be as big a name as competitor Cisco(CSCO), but the smaller Seattle gear maker could spell upside for investors eager to tap into the IT spending rebound.

F5's stock has risen more than 200% in the last 12 months and is currently trading at about $62. Ryan Hutchinson, an analyst at Lazard Capital Markets, recently rated F5 a buy and raised his price target from $60 to $75.—James Rogers, TheStreet.com

Press Coverage:

SearchSecurity.com: Experts See DNSSEC Deployments Gaining Traction

CTOEdge:

Breaking Down Data Center Boundaries

The Death of Load Balancing?

The VARGuy:

Westcon Lets Resellers Test Hosted Solutions

Storage Specialist Isilon Systems Makes Partner Program Moves

Forbes: Best of Show RSA Conference 2010

TMC:

Westcon Group Unveils Virtual Demonstration Lab

Demonstration Lab to Help Customers to Test Hosted Solutions in a Virtualized Network

The Wall Street Transcript: Blue Coat Systems (BSCI) Forecasted To See Increased Investments As WAN Optomization Becomes A Highly Focused-on Area Of Growth

Financial Coverage:

TheStreet.com:

F5 Spells Upside: Analyst

Cramer's 'Mad Money' Recap: Tech Has Come a Long Way

CNBC:

Lightning Round: Hershey, Cisco Systems, Visa and More

'Mad Money Lightning Round': Cisco Shines

Your First Move for Thursday March 11th

Cramer on Tech: Time to Take Profits?

Tech: The Next Decade

Seeking Alpha: Cramer's Mad Money - Are We Headed for another Tech Bust?

MSNMoney:

Health Care Could Derail Stock Rally

Market Report

SmarTrend: F5 Networks Upward Momentum Looks to Continue

Options Insider: Unusual Options Activity Review - RF, NWL, VLO, FFIV, STI, ZION, MHP, BPOP, .VIX, EEM

Benzinga:

Fast Money Picks for March 11th (SUN, YUM, DELL, FFIV)

Bookkeeping: Restarting Riverbed Technology

"Mad Money:" Jim Cramer Believes Current Tech Rally Is Justified

Market Intellisearch: Options Activity for F5 Networks

Jim Cramer’s Mad Money: Jim Cramer’s Mad Money Stock Picks for Thursday March 11 2010

Blog Coverage:

Seeking Alpha: Network Automation Will Turn the Tables on Vendors and Careers

Cloud Computing Journal: My 2010 RSA Conference & Kaminsky Interview

Web Security Journal: The Corollary to Hoff's Law

Cloud Computing Journal: If I Had a Hammer . . .

Virtualization Journal: I Can Has Definishun of SoftADC and vADC?

Up to the Minute Resources:

F5 News Articles

F5 Press Releases

F5 Events

F5 Web-Media

Technorati Tags: F5,Press Release,News,Events,Web-Media,Blog,Financial Coverage

Nobody Puts Baby in a Corner

Lori MacVittie — Mon, 15 Mar 2010 02:15:14 GMT

In this case “baby” is load balancing and the corner is cloud computing.

SocialCloudNow recently wrote up a pretty darn accurate (which is hard to find these days) description of “cloud computing” by walking through the components required. The author did an excellent job – especially where he dove into the relationship between orchestration and cloud computing. Loved that a lot – most folks ignore that piece of cloud computing even though it’s very, very important. But I was a bit put off (okay, a lot put off) at one statement:

An honorable mention goes out to the Load balancer – which does the obvious.

Honorable mention? It’s an afterthought that certainly one of the key enabling technologies of cloud computing does not deserve. Shortly after reading the post and debating this point with Paul Richards (the author) I came to the realization that he was looking at cloud computing from the view point of the consumer, i.e. the organization, the customer, an administrator/developer looking for a cloud in which to deploy applications. That made his statement make a lot more sense. If you’re looking at cloud services offered and trying to decide which one to jump on then perhaps a load balancer isn’t your primary concern at all (although that makes me want to say, “Inconceivable!”). But from the perspective of the definition of cloud computing and the folks who are implementing (internal/external, public/private) such environments, a load balancer is certainly a lot more than just window dressing.

So I will say that as far as cloud services go, load balancing may be – based solely on consumer need, or perception of need – worthy of only honorable mention. But as far as implementing a cloud computing environment goes, it’s a requirement.

LOAD BALANCING is in the CLOUD DNA: FROM CPU to NETWORK to APPLICATION to DATA CENTER

Let’s just get right down to brass tacks: in today’s cloud computing environments, without load balancing there is no scale. None. You can’t scale applications in the current technological environment without load balancing. Whether that load balancing comes from hardware, software, virtual ware, or a Cracker Jack box is irrelevant. What’s important is that the ability to load balance applications – to virtualize applications and services – is an absolutely essential component of cloud computing.

Until we figure out how to vertically scale resources on-demand and past the physical limitations of the hardware* (i.e. we can “reach out” to other pools of pure compute resources and expand the logical memory and CPU of the primary hardware) we are going to be wholly reliant on load balancing to implement on-demand scalability in any environment, cloud computing or traditional. Thinking about that a bit more it even in the case we break the physical barrier we need some form of load balancing. If pools of compute resources and RAM are going to be used across physical devices there needs to be a way to manage those resources as though it were…a single, aggregated set of resources.

Which is what a load balancer does.

It would certainly be a completely new form of load balancer, but it would still likely be a load balancing capable “something” nonetheless. Load balancing is a lot like CPU-scheduling, after all, and that’s been around for, well, as long as there have been CPUs. So extending the concept out into the network, using high-speed interconnects as the bus between CPUs and blocks of memory isn’t all that far-fetched. But I digress – the point here is that even scaling ‘up’ will almost certainly require load balancing of some kind. It’s just that core to scalability; it’s native at the CPU level, at the machine level, at the network level, at the application level, even at the data center level (GSLB, a.k.a. global application delivery, a.k.a. intercloud). Scale without load balancing is simply inconceivable, and one of the core identifying characteristics of cloud computing is, yes, scale.

If you remove a firewall from a cloud computing architecture does it impact the core behavior of a cloud computing environment? Nope. Not at all. It leaves it very insecure and I certainly wouldn’t build a cloud computing environment without one, but from a purely technical point of view it isn’t adding to the core behavior expected of cloud computing. Now take out the load balancer. What happens? Scalability is lost. You end up with a bunch of cloned application instances, each with their very own IP address, with no way to distribute requests to them. Removing a load balancer from a cloud computing environment breaks the cloud, ergo a load balancer is a requirement.

Note it doesn’t matter whether the load balancing is provided by software or hardware or virtualware. It is the concept of load balancing that is integral to cloud computing and elastic scalability. Taking “load balancing” out of the equation changes the behavior of the cloud computing environment such that it isn’t very elastic any more.

If we were going to write a “cloud computing RFC” the term “load balancer” would be preceded by a MUST INCLUDE and firewall would be preceded by a SHOULD INCLUDE. If we were going to write a “cloud computing RFP”, such as would be written by a customer looking to compare offerings, then these two might be juxtaposed.

*There are a couple offerings out there that actually do this – it’s some awesome stuff – but they aren’t being leveraged by most cloud providers today.

Related blogs & articles:

Users use Applications. Applications use Clouds.

Get your SaaS off my cloud

Elemental Cloud-o-gram: elemental cloud computing

The Cloud Is Not A Synonym For Cloud Computing

Dynamic Infrastructure: The Cloud within the Cloud

NIST Working Definition of Cloud Computing

Putting the Cloud Before the Horse

If You Focus on Products You’ll Miss the Cloud

How do you get the benefits of shared resources in a private cloud?

Your Cloud is Not a Precious Snowflake (But it Could Be)

Cloud computing is not Burger King. You can’t have it your way. Yet.

The Revolution Continues: Let Them Eat Cloud



Technorati Tags: MacVittie,F5,cloud computing,load balancing,orchestration,load balancer,scalability

DNSSEC-tacular

Mel Ruby — Sat, 13 Mar 2010 00:03:54 GMT

I know, I am always trying to find spiffy ways to talk about the latest and greatest with F5 Networks. A gem this year has been what we are offering for DNSSEC.

While our BIG-IP LTM tends to get its fair share of spotlight for obvious reasons, BIG-IP GTM, or Global Traffic Manager (those following F5 for years now would know this product as our former 3-DNS Controller) is hot right now with our Government customers.

The scrutiny of claiming we are the only global server balancer with rock solid DNSSEC features…well, I will make it! We are the only one and now we are getting even more recognition with our InfoBlox partnership, announced last Monday at RSA.

Now for the marketing speak: F5 streamlines encryption key generation and distribution by signing DNS responses in real-time. And F5 combines this DNSSEC technology with GSLB to provide high availability, maximum performance, and centralized management for applications running across multiple and globally dispersed data centers

See 5 minutes or less: Secure DNS In 5 Minutes or Less with BIG-IP v10.1 DNSSEC

Addicted to Open Source.

Ryan Corder — Fri, 12 Mar 2010 22:26:39 GMT
Hello, my name is Ryan Corder and I'm addicted to Open Source.

Hi Ryan...

A tired joke, but the truth if there ever was one. Free/Libre/Open Source software is a passion of mine and I'm proud of it. This is hopefully the first of many, many posts that I will make dedicated to the topic of all things Open Source.

I'm not new here, just new to blogging at F5 Networks. I've actually worked at F5 for almost three years now. Prior to my current position, I worked at companies of varying size; from a I-am-the-IT-department-sized web startup to a 5000+ employee tech company. At the latter, one of my responsibilities was to manage F5 BIG-IP devices and probably didn't hurt my chances of getting my job here. I moved across the country to work here and haven't regretted a minute of it.

One of the first things I started checking into upon my arrival was how involved we were with the Open Source community. Sorry to say, it wasn't much. We use parts of Open Source software in our platforms; we have customers that use our platforms in conjunction with their own Open Source deployments; we even have our own successful community in DevCentral, where we encourage users to share in the forums, publish their solutions and iRules, and generally give back to the community. As for the larger Open Source community, it didn't seem we had a role.

I mean to change that.

My goal here is to help. I want us to have a role in the Open Source community. I want us to be involved in Open Source projects. I want us to help people out by providing real guidance in using our technology with their deployments. With any luck it will be a smashing success and I'll be able to keep advocating the benefits and joys of Free, Libre, and Open Source Software. Fortunately, I have support. My boss has been incredibly patient and receptive to the constant stream of advocacy about the benefits of Open Source; and not just in terms of tangible things such as code, but also the philosophy behind it. I am thankful that they put up with my never-ending opinions on what is "the right thing to do" and my general hippy-esque views on software freedom. As you can probably guess, my views don't always line up with those of a company that makes it's money by selling non-free software and hardware :) I also can't thank them enough for sending me to OSCON the last few years. It is something I always wanted to attend but was never able to until I started working here at F5.

So, what are we doing? The good news is that we've already started.

I am working on several Open Source-related projects and will be following up this post with others soon (I'm sure they will excite at least a few people).

My teammate and fellow Open Source co-conspirator, Nojan Moshiri, has already published a deployment guide for the Apache Web Server (pdf). This guide serves as a set of best-practices for deploying Apache behind F5 BIG-IP LTM and WebAccelerator. This is our only application-specific deployment guide concerning Open Source at the moment, but I promise there will be more coming.

I generally annoyed a certain set of people, trying to convince them that Open Source is a good thing, and they bought it. The result? Our very own Open Source forum on DevCentral. In all honesty, the DevCentral team is a good bunch of folks and didn't need much convincing. In fact, one of them said "OK!" before I even finished my sentence :)

This weblog, along with Nojan's will serve as a space to discuss and announce things that are Open Source related.

And last but not least, is the DevCentral wiki. We will be posting iRules and other useful things there as they get developed.

That's it for now. Thanks everyone and remember to keep FLOSSing.

DevCentral Top5 03/12/2010

Colin Walker — Fri, 12 Mar 2010 20:09:58 GMT

This week I bring to you a full house of content, docs over blogs. To say there have been more than a few pairs on DevCentral lately though would be an understatement. The rush of content could be likened to an avalanche but without the messy death and destruction bits to deal with. From interviews to tech tips to blog posts to original songs pertaining to cloud computing (no, I'm not joking, and no, the link isn't in here…go find it yourself), DevCentral never seems to sleep these days, which is just how we like it. In case you're overwhelmed and looking for a place to get started, here are my Top5 picks for the week:

Citrix XenApp 5.0 Implementation Tips

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1082335

Naladar, one of the esteemed MVPs of the DevCentral community, comes to us with this piece on XenApp this week. He's looking to share his recent experiences and given his track record, he's the kind of person you want to listen to when he decides to share something with the community. While there are deployment guides out there for Presentation Server 4.5, Naladar takes the time to walk you through the differences in implementation that you'll need to pay attention to for v5. With some almost immediate positive feedback it's obvious that other people out there have found this one useful already. Combine that with the fact that I'm always eager for a chance to show off how awesome our users are, even to the point of contributing killer content for the masses, and this one had to be my top pick this week.

Configuring a multi-tier Testing Environment with VMware Teams and BIG-IP LTM VE

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1084344

There have been many a post about LTM VE over the past few weeks, many of them very cool, but Don took a slightly different angle by showing you how to set up a VMware team so you can spin up and down your entire test team (VE, client, server) with the push of a single button. Pretty neat stuff. Not only that, but he goes into enough detail with screenshots and step by step instructions that you should be able to re-create the environment pretty easily if you're still looking for a way to get up and running with your VE deployment. Whether you were waiting for the right walk-through on setting up LTM VE to come along or you're just interested in seeing yet another way of doing things, this article was a goodie.

BIG-IP Logging and Reporting Toolkit - part two

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1084341

The second installment of Joe Malek's awesome Logging and Reporting Toolkit series is out, and worth a read. Here he talks about the two vendor options he investigated when looking into advanced options for BIG-IP logging and reporting, Splunk and Q1 Labs. He talks a bit about each of their offerings, their strengths and what to expect from them. He then goes onto give us an extensive list of the different information these systems are going to be made to handle in the soon to come resolution to this technological tease wherein we'll finally get to see the results of his testing, his analysis of the options, and some fun charts. If you didn't catch the first installment yet, I highly recommend going and checking that one out as well.

If I Had a Hammer…

http://devcentral.f5.com/weblogs/macvittie/archive/2010/03/10/if-i-had-a-hammer.aspx

Despite the title Lori does not go on to talk about carpentry or construction. Instead she fills us in on her take on Carr's analogy and why the "pay as you use" model is really more like a "pay for the minimum required in CASE you need it" model. It's not a negative slant on things, just realistic, to remember that there is an inherent cost in things that have to be running before requests actually come in. To fool ourselves into thinking that we're paying only for what we use, like electricity, when we're paying a set cost just to have the resources available when needed is..well..just that, fooling ourselves. I like her points here and thought it was worth passing on. The cloud can be awesome and effective and even cheap for many people, but don't get caught off-guard thinking it's going to be free until you need it while really being billed.

20 Lines or Less #37 - Hex, HTTPS, and SNATing

http://devcentral.f5.com/weblogs/cwalker/archive/2010/03/12/20-lines-or-less-37.aspx

I'm so sorry, 20LoL, I didn't mean to leave you out last time, there was just too much good stuff! I never meant to hurt you, you know how I love you, I just couldn't justify bumping one of the other hawesome topics for your iRuley goodness. You're back, though, this week, with 3 more examples of iRules fu at its finest. *cough* Check out what the forums & samples section have to offer this week in less than 21 lines of code. We've got payloads being converted to hex, yet another take on https redirection and some pretty nifty snating stuff happening. These are always a cool look at what people in the community are up to, so check it out.

Well, there it is, another week, another 5 from DC. Hopefully you liked reading as much as I liked writing. Come back next week for more, and feel free to drop me a line with any feedback.

Technorati Tags: DevCentral,F5,Top5,Colin Walker

#Colin

There Are Several I’s in This Team

Don MacVittie — Fri, 12 Mar 2010 19:18:51 GMT

Posted a new article last night on configuring BIG-IP LTM VE In a VMWare Team environment with servers (DevCentral login required) and just wanted to let you all know.

It’s a relatively complex topic, considering that the pieces all work well separately, but if you’ve configured networks in VMWare before it isn’t too bad to get going. I chose CENT-OS as the server OS because then if any of you decide you want to toy with the team, you can email me and I’ll get you a copy somehow. You’ll need VMWare, and a license key for the BIG-IP VM, but otherwise you should be able to mess with it as-is. I prefer though that you use the article, which tells you how to set up the same environment, so if you’ve already got BIG-IP LTM VE and VMWare, just follow the steps.

For my part, I’d like to thank Jason and Lori for their JIT help with two different issues I ran into. They’re smart cookies, read their stuff.

There’s plenty of great LTM VE content on DevCentral, so check it out if you have an interest.

Until Next Time – when I’ll be talking about shadow copies…

Don.

ps: There are several I’s in this team because it’s running a BIG-IP, so there are definitely I’s in it.

Cloud Connect 2010: Got a Question About Infrastructure Interoperability But You Can’t Attend? I Got Your Back…

Lori MacVittie — Fri, 12 Mar 2010 19:16:49 GMT

Hey there! CloudConnect is next week (already?) and while some of us are already on a plane heading to the Bay area to kick things off (Shlomo Swidler is already on his way, according to his tweets at 36,000 feet) some of us will be lounging preparing for our various workshops and panels until early next week.

That being the case, if you’re not going to be attending and thus missing the panel I’m moderating (what? How could you miss that?) but had a burning question you wanted to ask one of the panelists, let me know. Leave a comment, send a tweet, compose an e-mail, write me a letter (better hurry, Green Bay is a long way from everywhere). If we can fit it in (how many people actually ask live questions during the Q&A, right?) we’ll get it answered, and tweet or post a follow-up next week.

Come to think of it, even if you are attending and just can’t make the panel, or you’re like me and don’t like asking questions in public, send your question anyway.

I

NFRASTRUCTURE INTEROPERABILITY in a CLOUDY WORLD
Interoperability between networks has fueled the growth of applications that has in turn spurred the growth of networks and internetworking. This cycle has led to increasing strain on networks, applications, and people who manage them. The 'virtualization' of networks, servers, storage, and applications as well as cloud computing not only quickens growth rates, but changes the nature of demand placed on infrastructure. Virtualization and cloud computing ultimately require new kinds of interoperability to reduce the burdens imposed by these technologies. This panel of cloud computing vendors and users will review the challenges of dynamic infrastructure design -- infrastructure capable of sustaining growth while relieving stress -- and will suggest the types of standards necessary to make those infrastructures a reality.

Our notable panel includes (in order of the value of the bribes they sent to ensure I was nice to them*):

Rich Miller, General Manager and Principal, Telematica Inc.

Surendra Reddy, Vice President, Cloud Computing, Yahoo

Glenn Dasmalchi, Technical Chief of Staff, Cisco

Bob Grossman, Managing Partner, Open Data Group

Apurva Dave, Vice President, Product Marketing and Alliances, Riverbed Technology

So if you’ve got a question, let me know! I’ll do my best to get it answered.

*Not really true, the order is from the panel listing on the CloudConnect site. No one has bribed me to be nice. Yet. :-)



Technorati Tags: MacVittie,F5,CloudConnect,Infrastructure 2.0,interoperability

20 Lines or Less #37 - Hex, HTTPS, and SNATing

Colin Walker — Fri, 12 Mar 2010 19:14:32 GMT

What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

I bring to you your weekly dose of short yet cool iRule goodness. Check out what these iRule fu masters have crammed into less than 21 lines of code. This week we’ve got hex translation of HTTP payloads, intelligent redirection including port handling, and some snat intelligence in just a few lines of code. Dig it.

Log binary HTTP payload in hex

http://devcentral.f5.com/wiki/default.aspx/iRules/Log_binary_HTTP_payload_in_hex.html

Here’s one that we touched on briefly in the podcast last week. Hoolio decided that it would be fun or handy or…something, to convert and log the entire HTTP payload in hex for every response. I couldn’t tell you when this would be needed, but it was a pretty darn cool thought, and I thought I’d share it. Maybe he’ll come tell us what it was for. ;)

when HTTP_REQUEST {

   # Log debug? 1=yes, 0=no
   set debug 1

   # Collect up to the first 1MB of POST data
   if {[HTTP::method] eq "POST"}{

      set clength 0

      # Check if there is a content-length header and the value is set to less than 1Mb
      if {[HTTP::header exists "Content-Length"] && [HTTP::header Content-Length] <= 1048576}{
         set clength [HTTP::header Content-Length]
      } else {
         set clength 1048576
      }
      if {[info exists clength] && clength > 0} {
         if {$debug}{log local0. "[virtual name]: Collecting $clength bytes"}
         HTTP::collect $clength
      }
   }
}

when HTTP_REQUEST_DATA {

   # Log the payload converted to hex
   binary scan [HTTP::payload] H* payload_hex

   if {$debug}{log local0. "[virtual name]: $payload_hex: $payload_hex"}
}

SNAT based on incoming IP

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=1170490&view=topic

Matt dished out a great little example of how to effectively control which snat address a connection is assigned based on the IP range the request is coming in from. It’s simple, it’s efficient, it’s effective, and it’s short. Those are a few of my favorite things in iRules, so here you go.

when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] equals 10.9.9.0/26] }{
    snat 1.1.1.1
} elseif { [IP::addr [IP::client_addr] equals 10.9.9.65/26] }{
      snat 2.2.2.2
} elseif { [IP::addr [IP::client_addr] equals 10.9.9.128/26] }{
    snat 3.3.3.3
} else {
    forward
}
}

Intelligent HTTP to HTTPS redirection…now with port handling!

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=1168453&view=topic

This is a topic (HTTP to HTTPS redirection) that I’ve shown off at least a few times in the 20LoL, but that’s because it comes up so darn often in the forums and elsewhere. Here is yet another take on how to do it, and a darn good one at that. Note the use of string map, which I heart, and the fact that this one can actually handle requests that specifically have the port declared in the hostname. If you try to redirect to HTTPS but still have a :80 in your host, things might not go as swimmingly as you’d like.

when HTTP_RESPONSE {
# Check if server response is a redirect
if { [HTTP::header is_redirect]} {
    # Log original and updated values
    log local0. "Original Location header value: [HTTP::header value Location],\
           updated: [string map -nocase "http:// https:// :80/ /" [HTTP::header value Location]]"
    # Do the update, replacing http:// with https:// and :80/ with /
    HTTP::header replace Location \
        [string map -nocase "http:// https:// :80/ /" [HTTP::header value Location]]
}
}

There you go, 3 more examples of iRules goodness in 20 Lines or Less each. See ya next time.

Technorati Tags: DevCentral,F5,iRules,20LoL,20 Lines or Less,HTTP,SNAT,Logging,hex,Colin Walker

#Colin

F5 Announces Flexible New Management Solutions

F5 Networks News — Fri, 12 Mar 2010 18:32:02 GMT

With each new incarnation of IT architecture and design, complexity and management seem to continually be a point of contention. The advent of server virtualization and ‘VM sprawl’ has certainly highlighted the need for new ways to tackle the existing dilemma. If managing a datacenter full of physical machines was difficult, managing the increasing number of virtual machines is another challenge all together.

In fact, one in four poll respondents admits to using the “wink and a
prayer” method of managing VMs and hypervisor hosts.(Hernick, 2008, p. 7)

This challenge is complicated even more when talk of virtualization turns to talk of dynamic provisioning of resources, cloud computing models which potentially push virtual instances outside the locally-owned datacenter and, now, the use of virtualized infrastructure components, virtual appliances and ‘infrastructure in a box’ application deployments. Without proper management practices and the systems/software to support them, this new world is quickly going to get out of hand and need more than just “a wink and a prayer”

F5 recently announce a new version of Enterprise Manager(tm) (EM); v2.0. EM is a centralized management platform designed to give customers a consolidated, real-time view of their application delivery network (ADN) as well as the tools to manage the efficiency and performance of that network. This is an important differentiation. EM provides two sets of tools to manage application delivery regardless of where the devices are physically located.

The first set of tools is designed to manage the application delivery infrastructure itself. This provides a simplified way to manage configuration, version control, policy enforcement and general maintenance of the application delivery controllers deployed throughout a customer’s infrastructure. Now, tasks like ensuring updated SSL certificates across all devices serving the same application can be done quickly with little risk of error over traditional manual processes; and changes are implemented across the infrastructure at the same time. Software version control and automated update facilities ensure that an organization can tell, at a moments notice, what the current state of their ADN is as well as seamless tools to correct issues if necessary.

The second set of tools provides a direct view into the health and efficiency of the ADN and the individual applications that are being delivered. This allows organizations to better manage the deliver of their application by giving them the information they need. More than 160 customizable metrics capture current and historical data from your F5 BIG-IP devices. With total visibility into your application delivery infrastructure over time, you can analyze the data to troubleshoot performance and availability issues and provide better information for budgeting and capacity planning.

As enterprises look to scale, consolidate, and automate network functions, solutions like F5’s Enterprise Manager continue to demonstrate attractive ROI for customers. Unified device management capabilities, comprehensive visibility into application delivery environments, and granular control over application resources should be primary considerations as organizations seek to minimize IT complexity or evaluate cloud and other resource-on-demand computing models. -- Zeus Kerravala, Senior Vice President of Enterprise Research at Yankee Group.

At the same time, F5 also announced the new 4000 series platform in support of the new version of EM. The 4000 hardware platform allows customers with as few as eight devices to take advantage of Enterprise Manager’s sophisticated reporting, device monitoring, and performance management capabilities.

Together, the new capabilities of EM and the new hardware platform help F5 customers get a handle on managing the increasingly diverse and complex world of application delivery; even when those applications become virtualized and escape the confines of the local datacenter.

Press Release

Product Information:

Enterprise Manager Product Page

Enterprise Manager Data Sheet

References:
Hernick, J. (2008). The New Sprawl: ManagingVirtual Server Environment. Information Week. Retrieved March 13, 2010 from http://www.eginnovations.com/web/news/InformationWeek_VMSprawl.pdf

Technorati Tags: F5,EM,Management,Enterprise_Manager



Might As Well Face It You’re Addicted to Cloud

Lori MacVittie — Fri, 12 Mar 2010 11:30:29 GMT

Because it’s Friday and sometimes you just have to get it out of your head.

Your app is slow, demand has grown
the hardware is not your own
your heart sweats, your body shakes
another clone is all it takes

Compute is cheap, it can’t be beat
there was no doubt, you’d take the leap
your budget’s tight, exec’s decreed
another cloud is all you need

Whoa, you like to think that you’re immune to the stuff, oh Yeah
it’s closer to the truth to say you can’t get enough,
you know you’re gonna have to face it, you’re addicted to cloud

there’s no 5 9s, but you don’t need,
the systems run at different speeds
requests arrive in double time
another clone and you’ll be fine, a one-click mind

you can’t be saved
compute is all you crave
if there’s a need, an image new
you don’t mind if bills accrue

whoa, you like to think that you’re immune to the stuff, oh Yeah it’s closer to the truth to say you can’t get enough,
you know you’re gonna have to face it, you’re addicted to cloud
Might as well face it, you’re addicted to cloud Your app’s still slow, demand has grown
the hardware is not your own your heart sweats, your body shakes another clone is all it takes

whoa, you like to think that you’re immune to the stuff, oh Yeah
it’s closer to the truth to say you can’t get enough,
you know you’re gonna have to face it, you’re addicted to cloud

might as well face it, you’re addicted to cloud

Addicted to cloud? Then surely you’re attending CloudConnect next week…

With perhaps a few apologies to Robert Palmer

Related blogs & articles:

‘Twas Two Weeks Past (Cloud) Deployment

Putting a Price on Uptime

Securing the Other Side of the Cloud

Cloud Changes Cost of Attacks

Cloud outages don’t bother Stanley

The Thing Private Clouds Can Do that Public Clouds Can’t

The Cloud Is Not A Synonym For Cloud Computing

May I Mambo Dogface to the Banana Patch?

Users use Applications. Applications use Clouds.



Technorati Tags: MacVittie,F5,cloud computing,humor,parody

DevCentral Weekly Roundup Episode 126 - I Have More Terabytes Than You Do!

DevCentral Weekly Podcast — Thu, 11 Mar 2010 23:41:07 GMT

   Welcome to the one hundred and twenty fifth edition of the DevCentral Weekly Roundtable Podcast! A weekly recap of the interesting things that have been going on within the DevCentral community.

Hosts: Colin Walker, Don Mac Vittie, Jason Rahm, Joe Pruitt, and Scott Koon.
In this weeks podcast we discussed APM, Perl, Transferring iRules, Don's ARX config, Citrix XenApp implementation tips, BIG-IP Logging and Reporting part 2, definishun of softADC and vADC, The F5 Dogfood Program, System.Services call for HTTPD, apachebench, Building and app for apps with Titanium, Fixing slow performance, and Proxy SSL from loadbalancer.

All of the links from this recording can be found with the dcpodcast126 tag at Delicious.com. You can also watch the video recording from our UStream.TV channel: DevCentral Podcast 126.

Get the Flash Player to see this player.

Technorati Tags: F5,DevCentral,APM,Perl,iRules,ARX,Citrix,XenApp,BIG-IP,Dogfood,Titanium,Apache,SSL,Colin Walker,Don Mac Vittie,Jason Rahm,Joe Pruitt,Scott Koon

F5 Talks With Evan Loats From CSC About Remote Access

F5 Networks News — Thu, 11 Mar 2010 22:21:10 GMT

Founded in 1959, Computer Sciences Corporation is a leading global IT services company. CSC provides innovative solutions for industry and government customers around the world by applying leading technologies and CSC's own advanced capabilities. These include systems design and integration; IT and business process outsourcing; applications software development; Web and application hosting; and management consulting.

In this podcast, we talk to Evan Loats, Remote Access Product Manager, Australia and Asia CSC, about the requirements of remote access users in today’s rapidly evolving mobile environment and the solution F5 Networks provides to their customers.

Podcast:
http://devcentral.f5.com/weblogs/interviews/archive/2010/01/22/talk-with-evan-loats-from-csc-about-remote-access.aspx

Product Information:
BIG-IP Edge Gateway: http://www.f5.com/pdf/products/big-ip-edge-gateway-overview.pdf
BIG-IP Access Policy Manager (APM): http://www.f5.com/pdf/products/big-ip-access-policy-manager-overview.pdf

Technorati Tags: F5,CSC,Podcast,Remote Access,Edge Gateway,APM,Firepass,SSL VPN



Post of the Week – High Speed Logging, iRules and you

DevCentral TV — Thu, 11 Mar 2010 21:18:22 GMT

This week Jason suggested a pretty awesome post regarding High Speed Logging (HSL). I thought I'd take this as an opportunity to briefly talk about HSL in iRules since it's a pretty cool feature that didn't get a ton of press when it went live. I then, of course, went on to talk about the post in particular and some of the questions being asked, and share a bit of Spark's ever awesome insight into iRules fu.

Technorati Tags: DevCentral,iRules,HSL,High Speed Logging,PotW,Post of the Week,Spark,F5,Colin Walker

The F5 Dog Food Program

DevCentral Interview — Thu, 11 Mar 2010 20:39:29 GMT


F5 Networks, the global leader in Application Delivery Networking (ADN), focuses on ensuring the secure, reliable, and fast delivery of applications. In this Podcast we talk to one of our toughest critics, Casey Scott a Network Engineer representing F5’s own internal IT department responsible for implementing F5’s “dog food” program. Find out how F5 is planning on using the latest technology in-house to solve our own IT challenges.

Get the Flash Player to see this player.

Technorati Tags: F5,DevCentral,ADN,BIG-IP,IT,Dogfood,Casey Scott

In 5 Minutes Video - How I Create an ‘In 5 Minutes or Less’ Video

Pete Silva — Thu, 11 Mar 2010 17:39:15 GMT

Thought it would be fun to produce one of these even though I got a new timer now. I show how I create an In 5 Minutes Video, In 5 Minutes or Less. Behind the scenes in 5 Minutes.   :-)

ps

Technorati Tags: Pete Silva,F5,security,application security,network security, education, technology, social networking, webinar, video

In 5 Minutes Video - Smart Connection with the BIG-IP Edge Client

Pete Silva — Thu, 11 Mar 2010 13:54:06 GMT

Watch how the F5 Networks BIG-IP Edge Client solution gets you connected automatically when you boot/start up your computer along with seeing browser based access of the F5 BIG-IP Edge Gateway.

ps

Technorati Tags: Pete Silva,F5,security,application security,network security, business, banks, education, technology, social networking, webinar, video

I CAN HAS DEFINISHUN of SoftADC and vADC?

Lori MacVittie — Thu, 11 Mar 2010 11:31:57 GMT

In the networking side of the world, vendors often seek to differentiate their solutions not just based on features and functionality, but on form-factor, as well. Using a descriptor to impart an understanding of the deployment form-factor of a particular solution has always been quite common: appliance, hardware, platform, etc… Sometimes these terms come from analysts, other times they come from vendors themselves. Regardless of where they originate, they quickly propagate and unfortunately often do so without the benefit of a clear definition.

A reader recently asked a question that reminded me that we’ve done just that as we cloud computing and virtualization creep into our vernacular. Quite simply the question was, “What’s the definition of a Soft ADC and vADC?” That’s actually an interesting question as it’s more broadly applicable than just to ADCs. For example, the last several years we’ve been hearing about “Soft WOC (WAN Optimization Controller)” in addition to just plain old WOC and the definition of Soft WOC is very similar to Soft ADC. The definitions are, if not well understood and often used, consistent across the entire application delivery realm – from WAN to LAN to cloud.

So this post is to address the question in relation to ADC more broadly, as there’s an emerging “xADC” model that should probably be mentioned as well. Let’s start with the basic definition of an Application Delivery Controller (ADC) and go from there, shall we?

ADC
An application delivery controller is a device that is typically placed in a data center between the firewall and one or more application servers (an area known as the DMZ). First- generation application delivery controllers primarily performed application acceleration and handled load balancing between servers.
The latest generation of application delivery controllers handles a much wider variety of functions, including rate shaping and SSL offloading, as well as serving as a Web application firewall.

If you said an application delivery controller was a “load balancer on steroids” (which is how I usually describe them to the uninitiated) you wouldn’t be far from the truth. The core competency of an ADC is load balancing, and from that core functionality has been derived, over time, the means by which optimization, acceleration, security, remote access, and a wealth of other functions directly related to application delivery in scalable architectures can be applied in a unified fashion. Hence the use of the term “Unified Application Delivery.”

If you prefer a gaming metaphor, an application delivery controller is like a multi-classed D&D character, probably a 3e character because many of the “extra” functions available in an ADC are more like skills or feats than class abilities.

SOFT ADC

So a "Soft ADC" then is simply an ADC in software format, deployed on commodity hardware. That hardware may or may not have additional hardware processing (like PCI-based SSL acceleration) to assist in offloading compute intense processes and the integration of the software with that hardware varies from vendor to vendor.

Soft ADCs are sometimes offered as “softpliances” (many people hate this term) or an “appliance comprised of commodity hardware pre-loaded and configured with the ADC software.” This option allows the vendor to harden and optimize the operating system on which the Soft ADC runs, which can be advantageous to the organization as it will not need to worry about upgrades and/or patches to the solution impacting the functionality of the Soft ADC. This option can also result in higher capacity and better performance for the ADC and the applications it manages, as the operating system’s network stack is often “tweaked” and “tuned” to support the application delivery functions of the Soft ADC.

VIRTUAL ADC (vADC)

A "vADC" is a virtualized version of an ADC. The ADC may or may not have first been a "Soft ADC", as in the case of BIG-IP which is not available as a "Soft ADC" but is available as a traditional hardware ADC or a virtual ADC. vADCs are ADCs deployed in a virtual network appliance (VNA) form factor, as an image compatible with modern virtual machines (VMware, Xen, Hyper-V).

ADC as a SERVICE

There is an additional "type" of ADC emerging mainly because of proprietary virtual image formats in clouds like Amazon, the "ADC as a service" which is offered as a provisionable service within a specific cloud computing environment that is not portable (or usable) outside the environment. In all other respects the “ADC as a service” is indistinguishable from the vADC as it, too, is deployed on commodity hardware and lacks integration with the underlying hardware platform or available acceleration chipsets.

A PLACE for EVERYTHING and EVERYTHING in its PLACE

In the general category of application delivery (and most networking solutions as well) we can make the following abstractions regarding these definitions:

“Solution” Soft “Solution” v”Solution” “Solution” as a Service*

A traditional hardware-based “solution”
A traditional hardware-based solution in a software form-factor that can be deployed on an “appliance” or commodity hardware A traditional hardware-based solution in a virtualized form-factor that can be deployed as a virtual network appliance (VNA) on a variety of virtualization platforms. A traditional hardware-based solution in a proprietary form-factor (software or virtual) that is not usable or portable outside the environment in which it is offered.

So if we were to tackle “Soft WOC”, as well, we’d find that the general definition – traditional hardware-based solution in a software form-factor – also fits that category of solution well.

It may seem to follow logically than any version of an ADC (or network solution) is “as good” as the next given that the core functionality is almost always the same regardless of form factor. There are, however, pros and cons to each form-factor that should be taken into consideration when designing an architecture that may take advantage of an ADC. In some cases a Soft ADC or vADC will provide the best value, in others a traditional hardware ADC, and in many cases the highly-scalable and flexible architecture will take advantage of both in the appropriate places within the architecture.

*Some solutions offered “as a service” are more akin to SaaS in that they are truly web services, regardless of underlying implementation, that are “portable” because they can be accessed from anywhere, though they cannot be “moved” or integrated internally as private solutions.

Related blogs & articles:

It’s like load balancing. On steroids.

Your load balancer wants to take a level of fighter and wizard

The House that Load Balancing Built

The Application Delivery Deus Ex Machina

Microsoft Hops Into Infrastructure 2.0

The Devil is in the Details

As Deep as a Puddle

That Whole Concept is Broken

The Question Shouldn’t Be Where are the Network Virtual Appliances but Where is the Architecture?

VM Sprawl is Bad but Network Sprawl is Badder



Technorati Tags: MacVittie,F5,ADC,application delivery controller,vADC,soft adc,ADC as a Service,virtualization,vmware,xen,hyper-v,microsoft,amazon,vna,virtual network appliance

BIG-IP LTM VE: Transfer your iRules in style with the iRule Editor

Colin Walker — Wed, 10 Mar 2010 23:52:28 GMT

The new LTM VE has opened up the possibilities for writing, testing and deploying iRules in a big way. It’s easier than ever to get a test environment set up in which you can ~~break things~~ develop to your heart’s content. This is fantastic news for us iRulers that want to be doing the newest, coolest stuff without having to worry about breaking a production system.

That’s all well and good, but what the heck do you do to get all of your current stuff onto your test system? There are several options, ranging from copy and paste (shudder) to actual config copies and the like, which all work fine. Assuming all you’re looking for though is to transfer over your iRules, like me, the easiest way I’ve found is to use the iRule editor’s export and import features. It makes it literally a few clicks and super easy to get back up and running in the new environment.

First, log into your existing LTM system with your iRule editor (you are using the editor, right? Of course you are…just making sure). You’ll see a screen something like this (right) with a list of a bagillionty iRules on the left and their cool, color coded awesomeness on the right. You can go through and select iRules and start moving them manually, but there’s really no need.

All you need to do is go up to the File –> Archive –> Export option and let it do its magic. All it’s doing is saving text files to your local system to archive off all of your iRuley goodness. Once that’s done, you can then spin up your new LTM VE and get logged in via the iRule editor over there. Connect via the iRule editor, and go to File –> Archive –> Import, shown below.

Once you choose the import option you’ll start seeing your iRules popping up in the left-hand column, just like you’re used to. This will take a minute depending on how many iRules you have archived (okay, so I may have more than a few iRules in my collection…) but it’s generally pretty snappy. One important thing to note at his point, however, is that all of your iRules are bolded with an asterisk next to them. This means they are not saved in their current state on the LTM. If you exit at this point, you’ll still be iRuleless, and no one wants that. Luckily Joe thought of that when building the iRule editor, so all you need to do is select File –> Save All, and you’ll be most of the way home.

I say most of the way because there will undoubtedly be some errors that you’ll need to clean up. These will be config based errors, like pools that used to exist on your old system and don’t now, etc. You can either go create the pools in the config or comment out those lines. I tend to try and keep my iRules as config agnostic as possible while testing things, so there aren’t a ton of these but some of them always crop up. The editor makes these easy to spot and fix though. The name of the iRule that’s having a problem will stay bolded and any errors in that particular code will be called out (assuming you have that feature turned on) so you can pretty quickly spot them and fix them.

This entire process took me about 15 minutes, including cleaning up the code in certain iRules to at least save properly on the new system, and I have a bunch of iRules, so that’s a pretty generous estimate. It really is quick, easy and painless to get your code onto an LTM VE and get ~~hacking~~ coding. An added side benefit, but a cool one, is that you now have your iRules backed up locally. Not only does this mean you’re double plus sure that they won’t be lost, but it means the next time you want to deploy them somewhere, all you have to do is import from the editor. So if you haven’t yet, go download your BIG-IP LTM VE and get started. I can’t recommend it enough. Also make sure to check out some of the really handy DC content that shows you how to tweak it for more interfaces or Joe’s supremely helpful guide on how to use a single VM to run an entire client/LTM/server setup. Wicked cool stuff.

Happy iRuling.

#Colin

Technorati Tags: DevCentral,BIG-IP LTM VE,iRules,iRule Editor,Colin Walker

F5 Joins NetApp Alliance Partner Program

F5 Networks News — Wed, 10 Mar 2010 13:05:40 GMT

Data growth continues unbounded. This is easily demonstrated by comparing the 10MB disk available for the original IBM PC with the 320GB, 500GB and even 1TB drives that are often standard today. If personal data has grown this tremendously you can only imagine the growth of enterprise data as more and more information is created, digitized and stored for longer periods.

Amount of information created will grow from 1.1EB in 2010 to ~50EB in 2020; 25 Quintillion Files – IDC Directions 2010 Key Note Presentation

This staggering growth can cause significant impacts on CapEx as organizations struggle to keep up with the required amount of storage and even more so on OpEx in terms of backup, recovery and simply moving data from old, exhausted disk systems to new ones and the resultant client impact.

Growth of unstructured data continues to accelerate and data center administrators are tasked to optimize access, provide increased mobility, and deliver solid cost-containment benefits. Looking forward, vendors that can extend their solutions’ data management and virtualization capabilities through strong industry solution partnerships should rank highly on organizations’ wish lists.” - Dave Russell, Research Vice President at Gartner, Inc

F5’s ARX solutions provide the same kind of flexible, scalable and adaptable solution for storage systems that our BIG-IP solutions provide for applications. By enabling file virtualization and separating the physical location of files from the way users and systems access them, ARX can provide tremendous benefit to customers dealing with the exponential growth in data.

By partnering with a recognized leader in storage like NetApp, F5 continues to provide real value that integrates with customer’s existing environments instead of simply providing point solutions that only address point problems.

The NetApp Alliance Partner Program brings like-minded solution providers together to provide cost-effective and validated solutions to our customers to help them simplify their data infrastructure. By joining the NetApp Alliance Partner Program, F5 will provide a complementary solution to NetApp storage that will help customers eliminate the many problems typically associated with data migration. Together, we’ll help customers boost productivity and increase the agility of their infrastructure. - Patrick Rogers, Vice President, Solutions Marketing at NetApp.

Press Release:
http://www.f5.com/news-press-events/press/2010/20100121.html

Solution Documentation:
http://www.f5.com/solutions/technology-alliances/infrastructure/netapp.html

Product Information:
http://www.f5.com/products/arx-series/



If I Had a Hammer…

Lori MacVittie — Wed, 10 Mar 2010 11:43:06 GMT

Or Why Carr’s Analogy is Wrong. Again.

Nicolas Carr envisioned compute resources being delivered in a means similar to electricity. Though providers and consumers alike use the terminology to describe cloud computing billing and metering models, the reality is that we’ve just moved from a monthly server hosting model to a more granular hourly one, and the delivery model has not changed in any way as we’ve moved to this more “on-demand” model of IT resources.

There’s very little difference between choosing amongst a list of virtual “servers” and a list of physical “servers” with varying memory capacity and compute power. Instead of choosing “Brand X Server with a specific memory and CPU spec”, you’re choosing “generic image with a specific memory and CPU spec.” You are still provisioning based on a concrete set of resources, though arguably the virtual kind can be much more easily modified than its physical predecessors. Still, you are provisioning – and ultimately paying – for a defined set of resources and you’re doing so every hour that it remains active. You may provision the smallest amount of resources possible as a means to better perform capacity planning and keep costs lower, but you’re still paying for unused resources no matter how you slice it (pun intended).

PAY ONLY for WHAT you ~~USE~~ NEED

The pay for what you consume concept doesn’t actually apply to cloud computing today unless you look at “use” from the application or virtual machine point of view, and even then it breaks down. True, the application is using resources as long as it is powered on, but it’s not using all the resources it is allocated (likely) and thus you aren’t paying for what you use, you’re paying for the minimum you need. The difference is significant. Bandwidth can be metered in a way similar to electricity and its delivery model is almost exactly the same as the electrical grid. You can, in fact, deliver and consume bandwidth based on the same model – pay only for what you use. We don’t, but we could.

Compute resources, however, are not (yet) available for “delivery” or use in such a model. The granularity is at the virtual machine, not the compute resource layer, and thus you are paying for discrete chunks of compute resources, not necessarily what you use at any given time. You’re also paying on the basis of time, in intervals usually of one hour. Even if you only fired up the virtual server and served one request, using perhaps three minutes of time, you’re still paying for an entire hour. That’s not paying for what you use, it’s simply a more granular version of billing models that have always existed: you rent X capacity for Y time. Even cloud computing providers that allow on-demand resizing of virtual machines to provision more (or less) compute resources are still falling into the same bucket because the billing model doesn’t change. This kind of capability is more about elasticity than it is the billing model and while it’s an excellent example of how providers are moving forward toward an even more dynamic and fluid provisioning and capacity management system, it doesn’t change the line-items on the monthly bill.

Like cell phones, there’s a minimum cost at work here, and that minimum cost is always incurred whether you use it all or not. It’s not as granular as an electrical grid, and probably won’t be anytime in the near future.

STILL CHEAPER than ROLL YOUR OWN

In most cases, this is probably true. This is not an argument about whether cloud is more financially or operationally efficient, it’s just a reminder that there is overhead in a public cloud computing environment. Considering that according to IDC analysts at Directions 2010, the primary driver for adopting cloud computing is all about “pay per use” with “monthly payments” also in the top four reasons to adopt cloud, that’s an important point to remember. If the billing model is the primary driver then it behooves organizations to understand just how “pay per use” really works. Organizations must recognize that while it will reduce total overall costs there will be overhead associated with cloud computing, just not nearly as much as is generally associated with on-premise solutions. But you don’t want to assume that a business application that’s really used during business hours isn’t incurring costs the rest of the day. Unless it’s “powered down” it’s still “using” compute resources in the form of memory and disk and that means it’s incurring costs.

The last thing you want is to get that “monthly bill” and be as surprised as parents receiving their teenager’s first cell phone bill. Cause the cloud is fluffy and probably won’t even notice the hammer.

Related blogs & articles:

Cloud is the Gift That Keeps On Giving

To Take Advantage of Cloud Computing You Must Unlearn, Luke.

Putting a Price on Uptime

Virtual Machine Density as the New Measure of IT Efficiency

The Myth of 100% IT Efficiency

How do you get the benefits of shared resources in a private cloud?

Mathematical Proof of the Inevitability of Cloud Computing

Cloud is Not a Big Switch



Technorati Tags: MacVittie,F5,cloud computing,cost,billing,metering,provisoning

Dan Kaminsky Interview Part I

Pete Silva — Tue, 09 Mar 2010 21:49:36 GMT

Peter Silva of F5 sits down with IOActive's Dan Kaminsky. In this extremely informative and lively discussion, the Domain Name System is the topic. DNS infrastructure, DNS vulnerabilities including DNS Cache Poisoning, DNSSEC and what's happened since the discovery of the flaw are all discussed. In 3-10 minute segments.

ps

Technorati Tags: Pete Silva,F5,security,application security,network security, business, banks, education, economy, technology, blogging, blogs, social networking, webinar, video, partners

Dan Kaminsky Interview Part II

Pete Silva — Tue, 09 Mar 2010 21:43:44 GMT

Peter Silva of F5 continues his conversation with IOActive's Dan Kaminsky. Please see Part 1 for complete description. In this segment, Dan talks about the discovery of DNS Cache Poisoning, DNSSEC and the overall importance of DNS to the Internet.

ps

Technorati Tags: Pete Silva,F5,security,application security,network security, business, banks, education, economy, technology, blogging, blogs, social networking, webinar, video, partners

Dan Kaminsky Interview Part III

Pete Silva — Tue, 09 Mar 2010 21:37:31 GMT

Peter Silva of F5 finishes his chat with IOActive's Dan Kaminsky. Please see Part 1 for complete description. In this segment, DNSSEC conversation continues and Dan explains what's happened since his discovery of DNS Cache Poisoning vulnerability. And info on an upcoming DNSSEC Webinar.

ps

Technorati Tags: Pete Silva,F5,security,application security,network security, business, banks, education, economy, technology, blogging, blogs, social networking, webinar, video, partners

F5 Networks Partner Spotlight - Splunk

Pete Silva — Tue, 09 Mar 2010 20:48:46 GMT

Peter Silva interviews Will Hayes of Splunk during the 2010 RSA Conference. Part of F5 Networks Partner Spotlight Week at RSA.

ps

Technorati Tags: Pete Silva,F5,security,application security,network security, business, banks, education, economy, technology, blogging, blogs, social networking, webinar, video, partners

F5 Networks Partner Spotlight - Layer 7 Technologies

Pete Silva — Tue, 09 Mar 2010 20:41:30 GMT

Peter Silva interviews Scott Morrison, CTO of Layer 7 Technologies during the 2010 RSA Conference. Part of F5 Networks Partner Spotlight Week at RSA.

ps

Technorati Tags: Pete Silva,F5,security,application security,network security, business, banks, education, economy, technology, blogging, blogs, social networking, webinar, video, partners

F5 Networks Partner Spotlight - OPSWAT

Pete Silva — Tue, 09 Mar 2010 20:32:16 GMT

Peter Silva interviews Benny Czarny, CEO of OPSWAT during the 2010 RSA Conference. Part of F5 Networks Partner Spotlight Week at RSA. f5.oesisok.com

ps

Technorati Tags: Pete Silva,F5,security,application security,network security, business, banks, education, economy, technology, blogging, blogs, social networking, webinar, video, partners

F5 Networks Partner Spotlight - Secure Passage

Pete Silva — Tue, 09 Mar 2010 20:18:15 GMT

Peter Silva talks with Jody Brazil, President & CTO of Secure Passage during the 2010 RSA Conference. Part of F5 Networks Partner Spotlight Week at RSA.

ps

Technorati Tags: Pete Silva,F5,security,application security,network security, business, banks, education, economy, technology, blogging, blogs, social networking, webinar, video, partners

The Order of (Network) Operations

Lori MacVittie — Tue, 09 Mar 2010 11:41:38 GMT

Thought those math rules you learned in 6^thgrade were useless? Think again…some are more applicable to the architecture of your data center than you might think.

Remember back when you were in the 6^th grade, learning about the order of operations in math class? You might recall that you learned that the order in which mathematical operators were applied can have a significant impact on the result. That’s why we learned there’s an order of operations – a set of rules – that we need to follow in order to ensure that we always get the correct answer when performing mathematical equations.

Rule 1:   First perform any calculations inside parentheses.

Rule 2:   Next perform all multiplications and divisions, working from left to right.

Rule 3:   Lastly, perform all additions and subtractions, working from left to right.

Similarly, the order in which network and application delivery operations are applied can dramatically impact the performance and efficiency of the delivery of applications – no matter where those applications reside.

HERE COMES the ~~SCIENCE~~ MATH

Let’s do some math to prove our theory, shall we? Consider the following “table” of the time it takes to execute certain network operations. Note that these are completely arbitrary in that they do not represent actual performance statistics, though the values are relative to one another based on real metrics. The actual time to execute a given operation will be highly dependent on load and device performing the operation, thus it will be variable. However, what is static is that each operation will consume “time” on a given system to execute, and this table is designed to represent that basic truism.

Architecture #1

Let’s assume for a moment that our architecture is simple: two network devices, both will need to inspect the payload to apply security or routing policies, and an application. Assuming that the application is responsible for compression and SSL operations, this means that on the ingress (inbound) requests, both network devices must necessarily decrypt and then re-encrypt the request in order to apply policies. The application, because it is assuming it handled the SSL, also needs to decrypt.

Based on our completely arbitrary and fictitious table of operational costs, this means the time to execute on ingress is:

SSL: 25 units + Compression: 9 units + Inspection: 14 units = 48 units

and our total CPU cycle utilization is:

SSL: 50 units + Compression: 21 units + Inspection: 16 units = 87 units

On egress (outbound) our total time to execute will be:

SSL: 25 units + Compression: 15 units + Inspection: 14 units = 54 units

and total CPU cycle utilization at:

SSL: 50 units + Compression: 35 units + Inspection: 16 units = 101 units

Our total time to execute 1 transaction using this order of operations is 102 units with a total CPU cycle utilization of 188 units. Now let’s compare that with a more strict order of operations in the architecture, delegating responsibility for compression and SSL operations to Network Device #1.

Architecture #2

Let us now assume that we are moving those functions that must be repeated throughout the architecture closer to the “edge” of the flow of traffic such that we reduce the number of times the functions must be repeated due to the need to inspect data. Based on our completely arbitrary and fictitious table of operational costs, this means the time to execute using our new order of operations on ingress is:

SSL: 5 units + Compression: 3 units + Inspection: 14 units = 22 units

and our total CPU cycle utilization is:

SSL: 10 units + Compression: 7 units + Inspection: 16 units = 33 units

On egress (outbound) our total time to execute will be exactly the same:

SSL: 5 units + Compression: 3 units + Inspection: 14 units = 22 units

and our total CPU cycle utilization is:

SSL: 10 units + Compression: 7 units + Inspection: 16 units = 33 units

Our total time to execute 1 transaction using this order of operations is 44 units with a total CPU cycle utilization of 66 units. Let’s compare the two side by side:

Architecture #1 Architecture #2

Time to Execute 102 44

CPU cycles consumed 188 66

That pretty much says it all. Note that we’re not comparing costs as the cost per “unit” to execute will vary from device to device, although it is almost certainly true that execution on the network device will cost more per “CPU cycle” than on the application server because network devices are usually more expensive. Note, however, that the time to execute and CPU cycles consumed does not reflect the fact that when executed on specialized hardware the processing is more efficient, so the total cost will likely not be too much higher because it’s offset by the reduction in number of cycles required.

Just as is true for mathematical operations the order in which capabilities are applied dramatically impacts the end result.

APPLICATION DELIVERY ORDER of OPERATIONS RULES

The point of this little exercise was twofold. First, it’s a reminder to pay attention to the application delivery architecture you are employing – no matter where it might be located. That means from point of ingress through the network to the application and back again. Every point at which packets and/or payloads must be inspected is a potential point at which the efficiency and performance of your application will be affected by the order in which application delivery security and acceleration policies are applied. Second, it’s to mathematically illustrate the impact of offloading compute intense calculations and processes such as SSL and compression to network-hosted application delivery platforms, especially those enabled with specialized hardware designed to improve the execution performance of such processes.

Now, given this data we should be able to abstract what we’ve learned into a basic set of rules regarding the application delivery network order of operations:

Rule 1:   Offload all cryptographic or obfuscating (like compression) functions to the last device in the delivery network which needs to inspect the payload to reduce the impact of redundant operations.

Well, there you have it. One simple rule takes care of the application delivery network order of operations. It’s more efficient, will be more cost effective, and in your application performance will thank you for it (because we all know your users won’t, even though they should).

Related blogs & articles:

When Did Specialized Hardware Become a Dirty Word?

Square Infrastructure Pegs Don’t Fit in Round Network Holes

Virtual Network Infrastructure: Virtually Good Enough?

I am wondering why not all websites enabling this great feature GZIP?

Pay No Attention to the Infrastructure Behind the Cloudy Curtain

The Devil is in the Details

The Question Shouldn’t Be Where are the Network Virtual Appliances but Where is the Architecture?

VM Sprawl is Bad but Network Sprawl is Badder

A Green Architectural Strategy That Puts IT in the Black [PDF]



Technorati Tags: MacVittie,F5,infrastructure,architecture,performance,math,operations,network,application delivery,offload,SSL,compression

ARX Config: Finally.

Don MacVittie — Mon, 08 Mar 2010 18:28:27 GMT

Last week was golden for me. Three of my projects had major blocking issues, all three were resolved in the course of the week. That makes this week writing time, since two of the three projects were to support writing I want or need to do.

This is the start of that process. The first item to get a break last week was my ARX configuration. When I left off, some of the storage could join the domain and some could not. I needed everything to play nice in the Domain so that I could pull them all together under the ARX. On Wednesday evening, RDP just dropped to the ADS server. I walked over to the lab and checked from the console what was going on, and it couldn’t get to the local network, let alone anywhere else. I rebooted, and it was better, could get to some things but not everything. Finding this to be terribly odd behavior with no real obvious symptoms like messed up routes or anything, I traced the ethernet cable. And found that it was plugged into a place it shouldn’t have been. While this is clearly a leftover from a previous bit of testing Lori and I were doing, I’m a little confused how it ever communicated. And yet most of the machines I was using for testing were joined to the domain, so it certainly was communicating. Sometimes.

I moved the cable, and everything started playing much more nicely. In fact, that cleared up most of the remaining issues.

Since I had a lot of non-functional items left in the ARX configuration, I opted to wipe the user level configuration on the ARX and start cleanly. It’s pretty easy to wipe an ARX config, it’s simply deletion of a startup file and reboot, so I did that, removed everything from the domain and rejoined it while the ARX was rebooting just to make certain all was communicating cleanly, and 20 minutes later the ARX was configured with both NAS devices behind it, and exposing shares to the domain.

Ta-Daaaa!

So I went through and snapped you some screenshots. I kept saying I thought my problems were not the ARX, and the speed with which everything was added and working explains what I meant. Here come the screenshots with everything basically configured. It is not set up to do anything fun yet… I understand you may have forgotten this by now, but the point of this blog series was to show you what that cool stuff was and how to do it. So the rest of this blog shows some screenshots and talks about the architecture, and the next blog will hop right in with configuring shadow-copy.

All of my config was done with the UI. While I did trouble-shooting command-line, the UI gave me the opportunity to show you some pretty pictures, so I used it.

First thing you do is configure a namespace – a container for most of the other items you need to create. It holds publicly advertised shares and back-end filer shares, tells how to communicate with the filers and how to expect end users to communicate with you. It also holds the location that all shares are to use for metadata storage. My namespace is ingeniously named “ARXStorage”. The interface for the namespace is CIFS – I turned of NFS completely in this namespace because if it is included as a communications option, every NAS must have NFS access to every share. For simplicity, I disabled it. Some of our shares do support NFS, but we didn’t need NFS access through the ARX. And trust me, after the pain I went through with ADS, this device was going to use it.

The Namespace then contains “Managed Volumes” – exports from NAS devices that are going to be (eventually) presented by the ARX. I have two of them in this configuration – backup (which maps to one NAS device), and Dell (which maps to the other). Lori and I normally immediately back up the primary to a new NAS when we receive one so that a single PDU failure doesn’t drop our storage environment cold. More on why I bothered to tell you that in a moment. First, the Managed Volumes in Namespace ARXStorage.

There you have it, not much to see. Currently neither is listed as a shadow-copy target, both are enabled and online.

These are shares the ARX is going to manage for us, The /backup share is mapped to /backup1 and is actually actively used – hazards of a growing and changing network – but the name is all over so I’m unwilling to change it. The /Dell share is the default share on Powervault servers - /NASShare.

If we take a look at the volume by drilling down in, we can see…

As you can see, there is a lot going on here. The “files” line is way off base (there is over a terabyte of data on the disk), but I took this screenshot as soon as it was up, so import was likely still going on. Notice that Metadata Free Space and Free Space are the same – this is on a NAS that uses thin provisioning, so I would expect them to be very close.

At this point the back-end is set up. We have two shares imported from two filers, the ARX knows how to communicate with them, and it is doing so well enough to tell us how much space is used and free on the disks. Next we need to add the front-end, a way for users to access these shares through the ARX.

So we first create a Virtual. You don’t have to create a virtual first, you can just start defining exports and if there is no Virtual it will ask you to create one (okay, require you to, not ask, but you know). I’m showing you the Virtual first to keep things logically consistent and understandable. No matter how you create one, you must have the Virtual “first” or there is no way to export shares.

You will need an IP address for each Virtual you create. This is the entry point where users will access your shares – it masquerades as a Filer, in essence. Using my expansive wit, I chose to name this Virtual “ARXStore”. Note that it is already joined to the domain and is up and running. This screen shot was taken after all was configured.

Finally, we are ready to set up the exports. These are publicly exposed shares and/or mount points. I’ve made mine all CIFS for the reasons noted above, and here they are…

So they have a “Domain Name” which is the Virtual name in the domain, what Namespace they’re in (which impacts which backend shares they can see), Volume and Virtual Volume Path. The volume is the backend share, the path is the path that it will present to users.

Once those and the Virtual show online, you’re in!

Now if you go to any machine that is authenticated to the domain, and type in \\ARXStore in the Explorer (or equivalent) Address bar, you will see this:

There you have it, the two shares exposed in the Virtual. They are accessible and can be mapped or mounted from any machine that can authenticate to internal (which is purposefully few, we don’t like giving out actual information about our network, so it’s locked down).

Next we can start using these exports to do some interesting stuff. Remember I said that we normally block-copy the backup1 share (and a couple of others) to a new NAS? Well we’re going to try setting up shadow-copy next on the ARX to see if that will just copy it for us in the background. But that’s the next blog, not this one.

Until then,

Don.

The Corollary to Hoff’s Law

Lori MacVittie — Mon, 08 Mar 2010 13:07:28 GMT

“Security” concerns continue to top every cloud computing related survey. This could be because, well, CIOs and organizations in general are concerned about security. It could be because the broader question of control over the infrastructure – including security – is never proffered as a reason for reluctance to jump into the fray known as cloud computing.

Forty-nine percent of survey respondents from enterprises and 51 percent from small and medium-size businesses cited security and privacy concerns as their top reason for not using cloud computing. – Survey: Security Concerns Hinder Cloud Computing Adoption, NetCentric Security, December 2009

In a survey of 312 IT professionals, Unisys found that just over half of them cited security and data privacy as the key concerns around cloud computing. – Security Key Concern in Cloud Computing, Unisys Survey Finds

According to Forrester Research’s Cloud Computing study 2009, about 44 per cent of large enterprises are interested in building an internal cloud. “Enterprises are more attracted to private cloud compared to public, due to security concerns about mission critical applications and data,” Kumar [Sushil Kumar, Oracle’s vice president of Product Strategy and Business Development System Management Product Group] noted. -- And finally Oracle is on Cloud

Interestingly, IDC’s latest Cloud Survey (December 2009) actually seems to show that broader “control” issues are coming to light. 76% of respondents indicated that “not enough ability to customise” was a challenge in their quest to adopt cloud computing models.

Visibility, while also a concern, can also be a side-effect of control. If you have control over the infrastructure you also have visibility. It could be argued that providers could enable the means by which customers could have visibility into infrastructure, especially the network, by exposing reporting but the truth is most network infrastructure solutions are not capable of providing the isolation of data required (they are not inherently mutli-tenant) and thus it’s not as easy as it might sound.

IT’S NOT ALL PUPPIES and RAINBOWS

Whether the primary concern regarding cloud computing is “security” or “visibility” or “any form of performance/availability guarantee, a.k.a. SLA”, the larger, more encompassing concern is directly about control.

Organizations want and need to control (among other infrastructure services):

access to application and data

rate of inbound requests (prevention of accidental or intentional DDoS)

inbound content (defense against exploitation)

outbound content (stop data leaks)

architecture, to ensure the proper security and application delivery mechanisms that support all of the above are in place

The problem is that “cloud” doesn’t really allow much of this control at all. Not yet. That means that there is a corollary to Hoff’s Law* which states: “If your security practices suck in the physical realm, you’ll be delighted by the surprising lack of change when you move to Cloud.” That corollary is “If your security practices don’t suck in the physical realm, you’ll be concerned by the inability to continue that practice when you move to Cloud.”

Even if an organization has – and executes upon – a good security strategy that does not mean that they’ll be able to carry all of their related tactical implementations into the cloud. Certainly if the organization is looking at IaaS (Infrastructure as a Service) and many of those tactical implementations are software or virtual appliances they will be able to carry those into the cloud with them. But if the tactical implementations are not in a form-factor deployable in the target environment, well, the organization is out of luck.

Security practices manifest themselves in most cases as the implementation of a solution. Whether that’s using SSL or a web application firewall to secure a web application, or a DLP (data leak prevention) solution to prevent customer data loss, or fine grained application access controls via an external identity store – it’s still a physical manifestation that needs either to be transportable to the cloud environment or the provider should offer similarly capable services. The organization must, in other words, be capable of customizing their deployment in the cloud computing environment to meet their various needs of scalability (mostly covered today), security, and performance. It’s the latter two that aren’t readily available today and where providers need to focus next.

To be fair to providers, vendors need to recognize the need for these solutions in the cloud and provide one of two things - ideally both:

A virtual appliance (if it is a solution for which this form factor makes sense)

A mechanism that easily allows providers to offer solution services to customers (Infrastructure 2.0 enabled, APIs, multi-tenant support, etc… )

DISMISSING CONCERNS is a MISTAKE

Too many cloud cheerleaders seem overly dismissive of the concerns organizations have. Whether the concerns are real (many are) or simply perceived (some are) as a problem is irrelevant: the customer is speaking to you and they are saying they are concerned. That may be inhibiting adoption, therefore such concerns should be addressed by providers if they are to convince customers to sign on.

One would hope that providers would choose to address those concerns through service offerings or expanded partnerships with solutions’ vendors, but it could be as simple as being more transparent and open about their own security practices and the tactical solutions the provider is using to secure its infrastructure. Hoff and some extremely talented folks have started up CloudAudit.org in an attempt to forward a model and ultimately an API that would provide customer access to just this type of information. That’s certainly a step in the right direction. The bigger question, however, is whether providers who have been reluctant to provide any visibility into their infrastructure and security practices thus far will be willing to implement and support an effort like CloudAudit once it’s complete.

Conversely, we need to stop portraying cloud computing environments as though they are sieves. Providers certainly do have security measures in place, whether we know what they are or not. It’s not as if they’re running out of a basement, after all, and they understand the need for security not just for their customers, but to protect their own infrastructure and investments. In that respect Hoff’s Law holds true: the security of applications you place in the cloud has just as much to do with your security practices as it does the providers’.

*Rational Survivability, December 2009, “Cloud Computing Public Service Announcement – Please Read”

Related blogs & articles:

The IP Address – Identity Disconnect

Microsoft Hops Into Infrastructure 2.0

Pay No Attention to the Infrastructure Behind the Cloudy Curtain

As Deep as a Puddle

When Everything is a Threat Nothing is a Threat

What if users could specify their own SLAs?

Infrastructure 2.0: Squishy Name for a Squishy Concept

Scaling Security in the Cloud: Just Hit the Reset Button

Infrastructure 2.0 Is the Beginning of the Story, Not the End



Technorati Tags: MacVittie,F5,cloud computing,infrastructure,infrastructure 2.0,security,application delivery and data services,cloudaudit,Hoff

My 2010 RSA Conference & Kaminsky Interview

Pete Silva — Sun, 07 Mar 2010 15:22:01 GMT

I hung out at the 2010 RSA Conference last week and wanted to share some observations from the show. Rain early in the week reminded me of why the organizers moved it later in the Spring the past couple years but the sky’s cleared and the remainder of the week, we got the nice, crisp, sunny Bay Area weather. F5 decided not to exhibit this year but we did attend in full force, meeting with analysts and customers along with focusing our video camera on partners and doing a Partner Spotlight Week at RSA. It was kinda fun to attend as a typical participant.

I got there around 11am on Tuesday, just as the Expo floor was opening. I easily got my badge without any delay. I remember the long lines a few years ago when we all gathered in the main entrance. They’ve improved the check-in process over the years but I’m also guessing most attendees got their badges on Monday. Met with some F5’ers between analyst meetings, saw a very cool demo of our BIG-IP Edge Gateway Client solution and made my way to the Expo floor. All the usual companies were displaying their wares but I’m always amazed by all the company names I’ve never heard of along with lots of color companies – Blue that, Red this, Black the other thing. There were many ‘systems management’ companies and a whole ton of ‘token’ companies. I even overheard another attendee mention how many token companies there were. And of course, Cloud. Everyone’s got some ‘cloud’ solution, even those who really do nothing in the cloud, except maybe store your info, added ‘cloud’ to their signage. I don’t have any official attendance numbers but it did seem a bit fuller this year verses last.

Since we didn’t have a booth, I decided to do a ‘Partner Spotlight Week at RSA’ shooting video segments of the various F5 partners at the show.   Something I’ve been thinking about for a while and with many all in one place, it made the task easy. Every partner was very accommodating and excited to participate. The basic premise would be, introduce the company – talk about the integration both technically and business wise – then show a quick demo if one was available. Even with short notice (most I just walked up to and asked on the spot) they were very engaging and all were done in a single take. I want to thank Splunk, Layer 7 Technologies, OPSWAT and Secure Passage. Great job guys!

The highlight of my week came on Thursday. F5 and Infoblox will be offering a Webinar on March 10th called DNSSEC: Compliance is Easier than You Think. I was lucky to get one of the webinar speakers, Dan Kaminsky, Director of Penetration Testing at IOActive (and the guy who exposed the serious DNS vulnerability, DNS Cache Poisoning) who was gracious to participate in an interview with me – and boy what an experience! We talked all about the DNS infrastructure including how DNS works, his discovery, DNSSEC and many other interesting topics. What I thought would be a quick 5 minute chat turned into a full blown half hour conversation about many things Internet related. Great stories about the discovery and some of the challenges he faced along the way. It was awesome – thanks so much Dan – good times!!

The Videos

Dan Kaminsky Interview Part I

Dan Kaminsky Interview Part II

Dan Kaminsky Interview Part III

F5 Networks Partner Spotlight – OPSWAT

F5 Networks Partner Spotlight – Splunk

F5 Networks Partner Spotlight - Layer 7 Technologies

F5 Networks Partner Spotlight - Secure Passage

ps

Technorati Tags: Pete Silva,F5,security,application security,network security, business, banks, education, economy, technology, blogging, blogs, social networking, dnssec, dns, kaminsky, webinar, video, partners

“Solution”	Soft “Solution”	v”Solution”	“Solution” as a Service*
A traditional hardware-based “solution”	A traditional hardware-based solution in a software form-factor that can be deployed on an “appliance” or commodity hardware	A traditional hardware-based solution in a virtualized form-factor that can be deployed as a virtual network appliance (VNA) on a variety of virtualization platforms.	A traditional hardware-based solution in a proprietary form-factor (software or virtual) that is not usable or portable outside the environment in which it is offered.

	Architecture #1	Architecture #2
Time to Execute	102	44
CPU cycles consumed	188	66