DevCentral Weblogs

F5 Friday: What’s Inside an F5?

Lori MacVittie — Fri, 02 Mar 2012 12:57:00 GMT

Is it Linux? Is it third-party? Is it proprietary? Isn’t #vcmp just a #virtualization platform? Just what is inside an F5 BIG-IP that makes it go vroom?

Over the years I’ve seen some pretty wild claims about what, exactly, is “inside” a BIG-IP that makes it go. I’ve read articles that claim it’s Linux, that it’s based on Linux, that it’s voodoo magic. I’ve heard competitors make up information about just about every F5 technology – TMOS, vCMP, iRules – that enables a BIG-IP to do what it does.

There are two sources of the confusion with respect to what’s really inside an F5 BIG-IP. The first stems, I think, from the evolution of the BIG-IP. Once upon a time, BIG-IP was a true appliance – a pure software solution delivered pre-deployed on pretty standard hardware. But it’s been many, many years since that was true, since before v9 was introduced back in 2004. BIG-IP version 9 was the beginning of BIG-IP as not a true appliance, but a purpose-built networking device. Appliances deployed on off the shelf hardware generally leverage existing operating systems to manage operating system and even networking tasks – CPU scheduling, I/O, switching, etc… but BIG-IP does not because with version 9 the internal architecture of BIG-IP was redesigned from the ground up to include a variety of not-so-off-the-shelf components. Switch backplanes aren’t commonly found in your white-box x86 server, after all, and a bladed chassis isn’t something common operating systems handle.

TMOS – the core of the BIG-IP system – is custom built from the ground up. It had to be to support the variety of hardware components included in the system – the FPGAs, the ASICs, the acceleration cards, the switching backplane. It had to be custom built to enable advances in BIG-IP to support the non-disruptive scale of itself when it became available on a chassis-based hardware platform. It had to be custom built so that advances in internal architectures to support virtualization of its compute and network resources, a la vCMP, could come to fruition.

The second source of confusion with respect to the internal architecture of BIG-IP comes from the separation of the operational and traffic management responsibilities. Operational management – administration, configuration, CLI and GUI – resides in its own internal container using off-the-shelf components and software. It’s a box in a box, if you will. It doesn’t make sense for us – or any vendor, really – to recreate the environment necessary to support a web-based GUI or network access (SSH, etc…) for management purposes. That side of BIG-IP starts with a standard Linux core operating system and is tweaked and modified as necessary to support things like TMSH (TMOS Shell).

That’s all it does. Monitoring, management. It generates pretty charts and collects statistics. It’s the interface to the configuration of the BIG-IP. It’s lights out management. This “side” of BIG-IP has nothing to do with the actual flow of traffic through a BIG-IP aside from configuration. At run time, when traffic flows through a BIG-IP, it’s all going through TMOS – through the purpose and very custom built system designed specifically to support application delivery services.

This very purposeful design and development of technology is too often mischaracterized – intentionally or unintentionally – as third-party or just a modified existing kernel/virtualization platform. That’s troubling because it hampers the understanding of just what such technologies do and why they’re so good at doing it.

Take vCMP, which has sometimes been maligned as little more than third-party virtualization. That’s somewhat amusing because vCMP isn’t really virtualization in the sense we think about virtualization today. vCMP is designed to allow the resources for a guest instance to span one or multiple blades. It’s an extension of multi-processing concepts as applied to virtual machines. If we analogized the technology to server virtualization, vCMP would be the ability to assign compute and network resources from server A to a virtual machine running on server B. Cloud computing providers cannot do this (today) and it’s not something that’s associated with today’s cloud computing models; only grid computing comes close, and it still takes a workload-distributed view rather than a resource-distributed view.

vCMP stands for virtual CMP – clustered multi-processing. CMP was the foundational technology introduced in BIG-IP version 9.4 that allowed TMOS to take advantage of multiple multi-core processors by instantiating one TMM (Traffic Management Microkernel) per core, and then aggregating them – regardless of physical location on BIG-IP – to appear as a single pool of resources. This allowed BIG-IP to scale much more effectively. Basically we applied many of the same high-availability and load distribution techniques we use to ensure applications are fast and available to our internal architecture. This allowed us to scale across blades and is the reason adding (or removing) blades in a VIPRION is non-disruptive.

Along comes a demand for multi-tenancy, resulting in virtual CMP. vCMP isn’t the virtual machine, it’s the technology that manages and provisions BIG-IP hardware resources across multiple instances of BIG-IP virtual machines; the vCMP guests, as we generally call them. What we do under the covers is more akin to an application (a vCMP guest) being comprised of multiple virtual machines (cores), with load balancing providing the mechanism by which resources are assigned (vCMP) than it is simple virtualization.

So now you know a lot more about what’s inside a BIG-IP and why we’re able to do things with applications and traffic that no one else in the industry can. Because we aren’t relying on “standard” virtualization or operating systems. We purposefully design and develop the internal technology specifically for the task at hand, with an eye toward how best to provide a platform on which we can continue to develop technologies that are more efficient and adaptable.

Connect with Lori:	Connect with F5:

Related blogs & articles:

Technorati Tags: F5,MacVittie,F5 Friday,vCMP,virtualization,BIG-IP,scalability,network,hardware,blog

F5 - iApp for VMware View

F5 Networks News — Thu, 09 Feb 2012 11:44:34 GMT

#VDI Deploying virtual desktops involves many different elements and be complex.

Rolling out your deployment across data centers is time-consuming and prone to human error. F5 iApp technology is a user-customizable framework for deploying application. With iApp for VMware View, you can easily roll out configuration across your F5 devices, to cut deployment time from hours to minutes. F5 can help by making VMware View secure, fast, scalable, and available.

More information about F5's solution for VMware View can be found at http://www.f5.com/view

F5 - iApp for VMware View

Resources:

Connect with F5:

Latest F5 Information

Technorati Tags: F5,F5 News,VDI,virtualization,VMware,iApp,video,VMware View

Does Social Media Reflect Society?

Pete Silva — Wed, 08 Feb 2012 13:37:21 GMT

A Community within our Society

You are what you eat; You become what you believe; I am not my art. A 2011 study from the University of Texas at Austin's Department of Psychology titled "Manifestations of Personality in Online Social Networks: Self-Reported Facebook-Related Behaviors and Observable Profile Information" found that Facebook users are no different online than they are offline. The study also declared a strong connection between someone’s real personality and their Facebook-related behavior. Social and personality processes, according to the study, accurately mirror non-virtual environments. It was published in the academic journal Cyberpsychology, Behavior, and Social Networking. Professor Samuel D. Gosling and his team looked at the big five personality traits - openness, conscientiousness, extraversion, agreeableness and neuroticism and found that self-reported personality traits are accurately reflected in online social networks such as Facebook. Extroverted users reported the most friends and the highest engagement while conscientious types had the least. Simply, extroverts engaged more than introverts.

Merriam-Webster defines society in part as, companionship or association with one's fellows : a voluntary association of individuals for common ends : an organized group working together or periodically meeting because of common interests, beliefs, or profession : an enduring and cooperating social group whose members have developed organized patterns of relationships through interaction with one another : a community, nation, or broad grouping of people having common traditions, institutions, and collective activities and interests.

Social media has changed society in many ways. We used to just live in a society – our neighborhood, town, city – and (hopefully) looked out for each other, cared for each other and got together for specific causes. This is our community. The human social creature needed human contact/interaction and participated within that society…but the circle was somewhat limited to a geographic region. Granted, some societies are nationwide clubs, groups, memberships or associations that span greater distances – Toastmasters, Kiwanis or college alumni for instance. Now, our circle of friends or association with one’s fellows requires no physical gathering. We live in our physical geographic society but also engage in our cyber communities that span cities, states, countries and with SETI, universes. Years ago I often wondered if the internet would create a society of hermits since no one really needed to go outside and interact with others in the real world. But we are social creatures and our survival requires us to participate in a non-cyber way. Of course there are people that do not want anything to do with society and live in secluded locations to avoid any human interaction. Most of us, however, like it or not, must interact in society on a daily basis.

Often our social cyber-interaction is in response to events in the physical society. We use social media as a way to report, learn and engage with those who are experiencing anything from turmoil to joy in their physical society. World events. Even the Occupiers, who have used social media to great extent, still came together physically – within their geographic circle(s) – to form their mini-societies. In some situations, social media has been the only avenue for ‘breaking’ news getting out to the masses. (Incidentally, it seems like every story on news websites is ‘breaking’ these days – it seems to have lost it’s power)

Breaking Bad, on the other hand, is a darn good show.

In societies we often share – information, goods, ideas, secrets – for the benefit of the society. Many of us have heard the warnings from security experts about keeping passwords a secret. Now, as a form of affection and devotion, teens are sharing their passwords to email, social networks and other accounts. Since it is risky and relationships can quickly sour via social media, they feel that the symbolism is powerful. Apparently, the world’s first divorce by Facebook occurred back in 2009 and more recently Deion Sanders announced his divorce on Facebook this past December. In addition, a survey conducted by UK divorce website www.divorce-online.co.uk in December 2009 found that 20% of behavior petitions contained the word “Facebook.” A follow up survey in December 2011 found that number has greatly increased during 2011 to 33% of behavior allegations in petitions.

Even the crooks are involved. We’ve seen the stories about hijacked accounts, malware distribution and the ever popular, ‘I’m stuck in some foreign country, lost my wallet and need to pay the hotel’ scam. I’m amazed that just a decade ago, security experts warned that you shouldn’t say, ‘We’re not home right now,’ on your answering machine. That tells riff-raff that the property is ripe for the pickings. Yet, just a few years later people are posting that they are over the river and through the woods to grandmother’s house some 300 miles away. Their coordinates are available, their home town and sometimes a picture of the actual empty home are posted on the social network. And then they wonder how they could have been burglarized. It’s has also caught/captured the idiot criminals who feel the need to share their misdeeds. In some cases, we share too much and don’t even realize that we’re diminishing our own privacy. And, of course, there are some who can’t get enough exposure with 24 hour cams following their every move.

Social networks have become one of our society’s primary tools for communication and as a society it is important to communicate effectively. I’ve always felt that the internet, particularly the web, was a reflection of society. It’s chronicled, reflected and magnified our lives along with automatically storing and archiving almost every move we make. People have fallen in love, ordered goods, started movements, spread rumors, gotten arrested/fired/dumped, done banking, filed complaints/kudos, kept in touch, tracked progress, committed crimes, shared ideas and pretty much anything else that didn’t require physical contact. It’s our journal, reminder, mirror, confidant and has certainly wiggled it’s way into and become part of society. A community within our society. But remember, What Happens on the Internet, Stays on the Internet.

Technorati Tags: blog, social media, comscore, music, statistics, society, web traffic, digital media, mobile device, analytics

Connect with Peter:	Connect with F5:

The Potential Ramifications of Platform-Based Vulnerabilities on Cloud Computing

Lori MacVittie — Wed, 08 Feb 2012 13:26:00 GMT

#infosec #adcfw #cloud Alternate title: How to take out an entire PaaS cloud with one vulnerability

Apache Killer.

Post of Doom.

What do these two vulnerabilities have in common? Right, they’re platform-based vulnerabilities. Meaning they are vulnerabilities peculiar to the web or application server platform upon which applications are deployed. Mitigations for such vulnerabilities generally point to changes in configuration of the platform – limit post size, header value sizes, turn off some value in the associated configuration.

But they also have something else in common – risk. And not just risk in general, but risk to cloud providers whose primary value is in offering not just a virtual server but an entire, pre-integrated and pre-configured application deployment stack. Think LAMP, as an example, and providers like Microsoft (Azure) and VMware (CloudFoundry), more commonly adopting the moniker of PaaS. It’s an operational dream to have a virtual server pre-configured and ready to go with the exact application deployment stack needed and offers a great deal of value in terms of efficiency and overall operational investment, but it is – or should be – a security professional’s nightmare. It’s not unlike the recent recall of Chevy Volts – a defect in the platform needs to be mitigated. The only way to do it, for car owners, is to effectively shut down their ability to drive while a patch is applied. It’s disruptive, it’s expensive (you still have to get to work, after all), and it’s frustrating for the consumer. For the provider, it’s bad PR and negatively impacts the brand. Neither of which is appealing.

A vulnerability in the application stack, in the web or application server, can be operationally devastating to the provider – and potentially disruptive to the consumer whether the vulnerability is exploited or not.

STANDARDIZATION is a DOUBLE-EDGED SWORD

Assume a homogeneous cloud environment offering an application stack based on Microsoft ASP. Assume now an exploit, oh say like Post of Doom, is discovered whose primary mitigation lies in modifying the configuration of each and every instance. Virtualization of any kind provides a solution, of course, but introduces the possibility of disruption in the impact to consumer applications from the configuration change. A primary mitigation for the Post of Doom is to limit the size of data in a POST to under 8MB. Depending on the application, this has to potential to “break” application functionality, particularly those for which uploading big data is a focus. Images, video, documents, etc… These all may be impacted negatively, disrupting applications and angering consumers.

Patching, of course, is preferred, as it eliminates the underlying vulnerability without potentially breaking applications. But patching takes time – time to develop, time to test, time to deploy. The actual delivery of such patches in a PaaS environment is a delicate operation. You can’t just shut the whole cloud down and restart it after the patches are applied to the base images, can you? Do you wait, quiesce the vulnerable images and only force the patched ones when new instances are provisioned? A configuration-based mitigation, too, has these same issues. You can’t just shut down the whole cloud, apply the change, and reboot.

It’s a delicate balance of security versus availability that must struck for the provider, and certainly their position in such cases is one not to be envied. Damned if they do, damned if they don’t.

Then there is the risk of exploitation before any mitigation is applied. If I want to wreak havoc on a PaaS, I may be able to accomplish simply by finding one with the appropriate platform vulnerable to a given exploit, and attack. Cycling through applications deployed in that environment (easily identified at the network layer by the IP ranges assigned to the provider) should result in a wealth of chaos being wrought. The right vulnerability could take out a significant enough portion of the environment to garner attention from the outages caused.

Enterprise organizations that think they are immune from such issues should think again, as even a cloud provider is often not as standardized on a single application platform as an enterprise is, and it is that standardization that is at the root of the potential risk from platform-based vulnerabilities. Standardization, commoditization, these are good things in terms of many financial and operational benefits, but they can also cause operational risk to increase.

MITIGATE in the MIDDLE

There is a better solution, a better strategy, a better operational means of mitigating platform-based risks.

This is where the role of a flexible, broad-spectrum layer of security applies. One that enables security professionals to broadly apply security policies to quickly mitigate potentially disastrous vulnerabilities. Without disrupting a single running instance, an organization can deploy a mitigating solution that detects and prevents the effects of such vulnerabilities. Applying security policies that mitigate such vulnerabilities before they reach the platform is critical to preventing a disaster of epic (and newsworthy) proportions.

Whether stop gap or a permanent solution, by leveraging the application delivery tier of any data center – enterprise or cloud provider – such vulnerabilities can be addressed without imposing harsh penalties on applications and application owners, such as requiring complete shutdown and reboots.

Leveraging such a flexible data center tier insulates the platform from exploitation while insulating customers from the disruption required to mitigate immediately on the platform layer, allowing time to redress through patches or, at least, understand the potential implication to the application from the platform configuration changes required to mitigate the vulnerability.

In today’s data center, time is perhaps the biggest benefit afforded to IT by any solution, and yet the one least likely to be provided. A flexible application delivery tier capable of mitigating threats across the network and application stack without disruption is one of the few solutions available that offers the elusive and very valuable benefit of time. Providers and enterprises alike need to consider their current data center architecture and whether it supports the notion of such a dynamic tier. If not, it’s time to re-evaluate and determine whether a strategic change of direction is necessary to ensure the ability of operations and security teams to address operational risk as quickly and efficiently as possible.

Connect with Lori:	Connect with F5:

Related blogs & articles:

Technorati Tags: F5,MacVittie,security,architecture,availability,cloud computing,virtualization,devops,threat mitigation,application delivery,blog

Mobile Device Support for VMware View

Nick Bowman — Tue, 07 Feb 2012 15:57:06 GMT

End user computing means that a wide range of mobile devices from laptops to tablets and from desktops to smartphones are being used. The diversity of these mobile devices and the sheer number of them in the workplace can overwhelm IT and strain your resources. Access and performance are key support concerns. And, since many mobile devices are personal, security is absolutely critical. F5 provides intelligent mobile device support for VMware View. This benefits IT with greater access and compliance control, while at the same time, allowing your employees the freedom to use their mobile device of choice. F5 can help by making VMware View secure, fast, scalable, and available.

More information about F5’s solution for VMware View can be found at http://www.f5.com/view

Making VMware View fast, secure and available

Nick Bowman — Tue, 07 Feb 2012 15:55:05 GMT

VMware View is a leading solution for desktop virtualization offering simplified administration while increasing security and control. When deploying VMware View, there are several issues your business must deal with: from the management of a wide range of devices, to ensuring availability, scalability, and performance. F5 can help by making VMware View secure, fast, scalable, and available.

More information about F5’s solution for VMware View can be found at http://www.f5.com/view

1024 Words: Honey IT Badger Don’t Care

Lori MacVittie — Tue, 07 Feb 2012 18:24:05 GMT

The reaction in IT when there’s something wrong with a core router is to avoid disruption and its associated costs to the business.	The reaction in IT when a user has problems is to embrace disruption and its associated costs to the business.

There’s something wrong with this model.

Thanks, I know VMware tote a 3:1 Desktop/Thin Client ratio in terms of support burden, i.e. one engineer can service 100 fat clients or 300 thin clients (in user terms). Would you say that this is realistic?

I have a school district with 3 tech's who support 5k devices. Its powerful. 90% of problems can be finished with "log out, login get a new desktop".

-- SpiceWorks, Virtualization Adoption Thread

Connect with Lori:	Connect with F5:

Technorati Tags: 1024 Words,MacVittie,honey badger,IT,VDI,reboot,productivity,blog

Technische und organisatorische Rahmenbedingungen moderner Cloud-Dienste

Ralf Sydekum — Mon, 06 Feb 2012 10:37:53 GMT

Moderne Unternehmen befinden sich zunehmend im verschärften Wettbewerb zur Konkurrenz und nur diejenigen, die bei stetigen Kostensenkungen dennoch den Profit steigern können, werden sich langfristig am Markt behaupten können. Diesen Kostendruck spürt natürlich auch die interne IT und auf der Suche nach flexiblen und gleichzeitig günstiger werdenden IT-Services wird man zwangsläufig auf Cloud-Dienste stoßen. Entscheidet man sich die Cloud-Services bei einem Dienstleister zu beauftragen, so ergeben sich eine Vielzahl von Fragen, die einerseits eine technische Realisierung beinhalten, andererseits aber auch eine organisatorische, sowie eine sicherheits- und regulatorische Dimension haben.

Hier nun ein paar Beispiele, die ein Projektleiter „Cloud-Services“ unter Berücksichtigung von Sicherheitsaspekten beachten sollte:

- Wie steht es um den Datenschutz (Vertraulichkeit, Integrität)?

- Welche regulatorische Anforderungen bestehen an das Löschen von Daten?

- Ist Mandantentrennung gewährleistet?

- Beachtung von Complianceanforderungen in verschiedenen Ländern

- Besteht mittel-/langfristig eine Insolvenzgefahr des Cloud Providers?

- Arbeitet der Cloud Provider mit Subunternehmern?

- Wie hoch ist das Risiko der Erpressbarkeit?

Damit Cloud Provider ihrerseits hocheffizient und kostengünstig ihre Dienste anbieten können, sind diverse Grundtechniken eine zwingende Voraussetzung. Die Virtualisierung spielt hierbei eine ganz entscheidende Rolle, aber auch hier müssen potentielle Kunden ein Verständnis für Vertraulichkeit, Integrität, Verfügbarkeit, Kontrolle und Zuverlässigkeit entwickeln und dies weitestgehend in SLAs umsetzen lassen. Im Folgenden sei hier eine kleine Stichwortliste gegeben, die bei der Ausarbeitung von Serviceverträgen berücksichtigt werden sollten:

- Architectural Framework

- Governance, Enterprise Risk Management

- Legal, e-Discovery

- Compliance & Audit

- Information Lifecycle Management

- Portability & Interoperability

- Security, Business Continuity, Disaster Recovery

- Data Center Operations

- Incident Response Issues

- Application Security

- Encryption & Key Management

- Identity & Access Management

- Virtualization

F5 unterstützt mit einer Vielzahl unterschiedlichster Technologien wesentliche Ziele der Verfügbarkeit, Sicherheit und auch schnellstmöglichen Zugang zu Anwendungen. Als einige Beispiele seien schlagwortartig der Schutz vor DDoS- (netz- und anwendungsseitig) und Web-Attacken, Authentifizierung und Autorisierung der Anwender, Schutz der DNS-Infrastruktur, High-Speed-Logging, flexibles Deployment durch Virtual Editions (VE) und viele weitere Funktionalitäten der BIG-IP erwähnt.

Desktop VDI May Be Ready for Prime Time but Is the Network?

Lori MacVittie — Mon, 06 Feb 2012 12:20:00 GMT

#VDI #quasar #mobile The proliferation of mobile devices is pushing VDI closer to being “the solution” of the year to resolve the increasing complexity – and costs – associated with consumerization.

Considering the innate differences between just the two most popular mobile operating systems – Android and iOS – gives rise to understanding how costly and complex an infrastructure might need to be to support both. It’s not at all unlike the issues with server virtualization. Management and delivery architectures require different solutions depending on the platform, so despite potentially costly investments to scale, organizations are often staying single-vendor with respect to its virtualization platform strategy.

Organizations had taken that approach – standardized on a single mobile platform – only to discover that employees blatantly ignored such mandates and began using whatever they brought from home. Worse, they expected support when applications didn’t work quite right.

Thus IT is stuck trying to figure out how to efficiently deliver, secure, and manage applications to multiple operating systems right now. Not tomorrow, not next week. Today.

VDI is thus rearing its head as a viable solution; one that promises consistency regardless of platform, without worry about Bob wanting to access corporate resources via his Internet-enabled HDTV. For the most part, experts and implementers deem VDI ready to meet the challenge. But what they haven’t asked, nor considered, is whether the network is ready for VDI.

Desktop Virtualization Ready for Prime Time

The appeal of VDI remains the same: it improves flexibility, simplifies administration and boosts security. What has changed are ongoing price drops and a growing need to seamlessly manage an IT infrastructure that includes desktops running Windows, Mac laptops using Apple OS X and mobiles devices using iOS and Android. In many cases, VDI streamlines data exchange and accessibility in an increasingly bring-your-own device (BYOD) IT world.

VDI OFFLOADS the PROBLEMS to the INFRASTRUCTURE

Interestingly enough, the problems with delivering applications to multi-endpoint environments do not actually disappear with the introduction of VDI. Oh, the problem of supporting every device under the sun is neatly resolved, but other problems quickly arise, and these are not necessarily easy problems to solve.

Roaming

The issue with roaming isn’t just that of a device roaming across service boundaries or WiFi networks, it’s roaming geographically. VDI deployments carry with them some strict and often constraining infrastructure requirements that are not easily overcome without the assistance of infrastructure. Typical network environments are ill-prepared to deal with not just the basic constraints but the resolution to those constraints. They lack the flexibility of an application delivery tier to mediate between roaming users and virtual desktop infrastructure.

A user that roams between two completely different network types may in fact appear to be two different network users from an IP perspective. While we know we must one day eliminate our dependency on IP addressees, today it remains a factor that must be addressed. Users who suddenly move from one network to another may cause undue stress along the entire infrastructure – but especially on VDI servers that maintain their understanding of users based on connections, which base their identification on IP addresses. A mediating connectivity layer such as an application delivery tier eliminates not the dependency, but the impact on the actual VDI servers and applications by becoming the endpoint and handling the possible volatility in device identification on behalf of the services, mitigating the impact by absorbing and managing it itself.
Network Impact on Performance

What, exactly, is the network over which the mobile device is connecting? Is it WiFi? Is it the mobile network? The network over which a device is connecting has a significant impact on performance, particularly from the perspective of the end-user. It isn’t so much a question of whether or not the network is fat enough, it’s whether or not the external (read: out of IT control) network is fat enough, or fast enough.

Latency is the biggest concern among networking pros considering a VDI deployment, according to an informal survey of 1,197 VMworld 2010 attendees conducted by storage vendor Xiotech and WAN optimization vendor Silver Peak. The vendors say 62% of respondents named latency as their top VDI network consideration.
A minority named other WAN-related issues as concerns, such as the ability to shape or prioritize traffic (7%) and bandwidth (6%).

-- VDI over the WAN: How latency affects virtual desktop performance

While WAN Optimization and similar technologies can certainly address issues when a WAN is involved, it won’t necessarily be of assistance when mobile devices experience issues over WiFi or mobile networks or any configuration in which there is no control over both endpoints. Yet the same network problems will plague these devices, and likely with more frequency than remote desktops over IT controlled WAN channels.
Scale of Dependent and Primary Services

Likely the most overlooked of all is the scalability of dependent network services. Simple things like NAT, like application access control, like network security infrastructure that must deal with the possibility that users will be logged in from several places at the same time, trying to access different resources. It’s the scalability of network security devices that suddenly must contend with connections coming from a wide variety of networks and locations, and must decide – quickly – which of those connections will be allowed, and which should – and must – be denied.

It’s also about the ability of applications themselves to scale when faced with suddenly very different network profiles that significantly impact the capacity and load on existing services. Applications that have performed well with capacity X suddenly perform poorly even though concurrent user counts have not changed. This is because the network characteristics may have changed in such a way as to change the way in which the applications are served. Users connecting over the LAN are able to receive content quickly and thus reduce the overall burden on server infrastructure by clearing queues and releasing connections that can be used by other users. Users connecting over mobile networks are not able to receive content as quickly and thus increase the burden on server infrastructure by receiving content more slowing and taking more time to complete a session. This reduces the capacity of server infrastructure and may require additional scaling to ensure consistent, acceptable performance levels across all device types and users.

Thus, while VDI may be ready for prime-time, and is certainly a valid solution to the problem of consumerization with respect to mobile device proliferation in the enterprise, the network may not be ready for VDI – regardless of endpoint form factor.

VDI, like server virtualization and cloud computing , will necessarily change the way in which we architect and ultimately view the network because of the very characteristics that make these technologies appealing – abstraction, elasticity, dynamism. These characteristics make it more difficult to deliver applications and services like VDI because of the volatility and diversity they introduce into the data center and impose on the network.

New architectural and technological solutions will be required in the network to manage such issues as they arise.

Connect with Lori:	Connect with F5:

Related blogs & articles:

Technorati Tags: F5,MacVittie,mobile,VDI,virtualization,scalability,performance,network,optimization,blog

DevCentral Top5 02/03/2012

Colin Walker — Sat, 04 Feb 2012 00:16:58 GMT

We're putting the band back together. And by band, I mean team. And by "putting back together" I mean we're all going to be in the same place, physically. This is a rarity for our remotely distributed team, but next week it is happening, and that is a great thing. It means planning, policies, preparation, prognostication and many other things that don't begin with the same letter. It also means that there will be some new, cool things to look forward to in what will likely be the near future, from a DevCentral perspective. Rarely do we get the whole team together to brainstorm and plan without something hawesome coming out of it. For that, I recommend you keep your eyes peeled the next few weeks. In the meantime, however, there is nowhere near a shortage of killer content on DevCentral just waiting for your perusal. So much so, in fact, I find myself again compelled to pick a few of my favorites and disseminate them to you in a format that takes the guess work out for those of you not neck deep in DC goodness, as I am. For the fun of it I'll pick only 5 topics this week, and here they are. Oh, and there might be some iRules involved. A lot of iRules. All over the place. Once you recover from your shocked state, given my lack of a propensity for sharing iRules topics, read on:

Transparent Web Bot Application Protection

http://bit.ly/zRt5TF

Joe takes us out of the gates this week with an awesome new take on an old problem. Forms being abused by web bots is a story as old as ... well ... forms and web bots. It has been "solved" or worked around or just plain dealt with through gritted teeth for years. One of the most common, reliable ways of stopping bots from abusing the forms on your site is to implement captchas. Captchas, in case you haven't been on the web since 14.4 was blistering, have gotten pretty advanced these days, asking you to input multiple phrases, playing back audio to help you decipher them, etc. There are even some iRules on DevCentral to help you implement them seamlessly. Also? I hate them. I am not a captcha fan. They are annoying, time consuming, and just plain not fun. Necessary bits of not fun that I tolerate, certainly, but I, much like Joe it would seem, am not a fan. So, when Joe presents a solution to provide what is effectively a transparent captcha, meaning the user has no interaction but the functionality is very much similar to a traditional captcha, I sat up and took notice. I suggest you do the same, it's worth the read.

Introduction to iStats Part1: Overview

http://bit.ly/AAmDhv

I'm kind of in the business of documenting iRules. Along with talking about them to anyone that will listen, or is in earshot, or is passing by, or sits next to me on the plane or ... well you get the idea. In addition to talking about them and writing them and working with the wicked smart folks in the depths of F5 to better them for future generations of iRulers, I document them a fair amount, as do my DC compatriots. That process is great and all, but every so often one of the software engineers will produce a chunk of documentation that allows an article to all but write itself. That is what happened here. One of our iRules engineers put together a simply outstanding document detailing what iStats are, how they work, how to use them, etc. and sent it off to the iRules experts. I couldn't help myself, so I wrote it up in more detail, with some more background, etc. and put it out on DevCentral for the masses to consume. iStats will change the way many people are using iRules. They will allow things that were previously impossible. iStats are cool, but you'll have to read the document to find out just how cool and why.

Populating Tables With CSV Data Via Sideband Connections

http://bit.ly/wqtg8f

George is off in his own world these days. It's a world wherein awesome iRule ideas leap from the walls, complex code lays itself out at his feet, and outstanding Tech Tips come flowing out as the result. If you find where that place is, send me directions, would you? I have serious article envy. George continues making it absolutely rain wicked solutions with his newest installment of applications hawesomeness by way of the new super powers garnered to iRules in v11, namely Sideband Connections. In this example George shows off an iRule that will connect to an out of band server to look up CSV data pertinent to the connection before processing the client request, then cache that data as necessary within the BIG-IP. Yeah, if you're not impressed and thinking that's pretty darn cool, you're doing it wrong. That or I'm just bonkers for this stuff. Perhaps both. Seriously folks, go read this article right now. It's worth it. I'll be over re-mapping the keys on George's keyboard to slow him down a bit so he stops making me look bad.

Advanced Load Balancing for Developers. The Network Dev Tool.

http://bit.ly/zfWnuM

Hitting near and dear to my heart, Don dusts off his Load Balancing for Developers series and dives straight into one of my favored topics: Business logic offloading to the network. He draws you the picture, first, of ZapnGo (a make believe company) and their growth, the struggles brought with it, and how they're working to address them. This is something that is very real to many businesses in a similar place as ZapnGo. Growth is fantastic but it brings along very real issues that need addressing, and doesn't always provide the extra cycles to deal with them. Offloading some of the functionality that might traditionally go into the back-end to the network layer can be an extremely effective way of saving cycles, both in man-hours and processing time. This is something that I've spoken with droves of people about over the years, and I love seeing it brought up in another light and hearing someone else's take on it. This is a good read and very well may give you some insight into how to solve some issues you're having, if you're in a similar place as ZapnGo.

Enterprise Apps are Not Written for Speed

http://bit.ly/wK84ib

Another topic that will often times quickly lead to a soap-box being produced out of thin air and those perhaps unfortunate people near enough to be caught in the path of the diatribe that follows is performance vs. maintainability. Lori hits the nail on the head with her topic, and the ensuing discussion she presents in this blog post. The reality is, most developers building enterprise level applications are focused on reliability, maintainability, and functionality. Performance is a nice to have in a world of strict requirements. That's not even taking into account the real time killer - security. Back in the day when I was writing such apps and automation tools in an enterprise environment the concept of "performance" was relegated to "Does it work? Does it work twice? Awesome..." and that was about it. In a world of more and more web accessible or hosted apps, increasing numbers of mobile users, larger object counts and sizes, and a host of other performance degrading factors, now more than ever the ability to up the performance outside of the application is a valuable one. The network layer can help with that, if you let it, and Lori talks about how in this post.

There are five more picks from the past couple weeks of content surging through DevCentral. It shows no signs of stopping, so I guess I'll have to come back in a week or so to give you some more hints on where to look for the pieces that were my favorite. Until then, happy coding, configuring, networking or whatever else it is that you do when not cruising DevCentral.

#Colin

Technorati Tags: DevCentral,Top5,iRules,Performance,Security,Networking,Sideband Connections,iStats,Colin Walker

Advanced Load Balancing For Developers. The Network Dev Tool

Don MacVittie — Fri, 03 Feb 2012 18:54:59 GMT

It has been a while since I wrote an installment of Load Balancing for Developers, and now I think it has been too long, but never fear, this is the grad-daddy of Load Balancing for Developers blogs, covering a useful bit of information about Application Delivery Controllers that you might want to take advantage of. For those who have joined us since my last installment, feel free to check out the entire list of blog entries (along with related blog entries) here, though I assure you that this installment, like most of the others, does not require you to have read those that went before.

ZapNGo! Is still a growing enterprise, now with several dozen complex applications and a high availability architecture that spans datacenters and the cloud. While the organization relies upon its web properties to generate revenue, those properties have been going along fine with your Application Delivery Controller (ADC) architecture.

Now though, you’re seeing a need to centralize administration of a whole lot of functions. What worked fine separately for one or two applications is no longer working so well now that you have several development teams and several dozen applications, and you need to find a way to bring the growing inter-relationships under control before maintenance and hidden dependencies swamp you in a cascading mess of disruption.

With maintenance taking a growing portion of your application development manhours, and a reasonably well positioned test environment configured with a virtual ADC to mimic your production environment, all you need now is a way to cut those maintenance manhours and reduce the amount of repetitive work required to create or update an application. Particularly update an application, because that is a constant problem, where creating is less frequent.

With many of the threats that your ZapNGo application will be known as ZapNGone eliminated, now it is efficiencies you are after. And believe it or not, these too are available in an ADC. Not all ADC’s are created equal, but this discussion will stay on topics that most ADCs can handle, and I’ll mention it when I stray from generic into specific – which I will do in one case because only one vendor supports one of the tools you can use, but all of the others should be supported by whatever ADC vendor you have, though as always, check with your vendor directly first, since I’m not an expert in the inner workings of every one.

There is a lot that many organizations do for themselves, and the array of possibilities is long – from implementing load balancing in source code to security checks in the application, the boundaries of what is expected of developers are shaped by an organization, its history, and its chosen future direction. At ZapNGo, the team has implemented a virtual test environment that as close as possible mirrors production, so that code can be implemented and tested in the way it will be used. They use an ADC for load balancing, so that they don’t have to rewrite the same code over and over, and they have a policy of utilizing a familiar subset of ADC functionality on all applications that face the public.

The company is successful and growing, but as always happens in companies in that situation, the pressures upon them are changing just by virtue of their growth. There are more new people who don’t yet have intimate knowledge of the code base, network topology, security policies, whatever their area of expertise is. There are more lines of code to maintain, while new projects are being brought up at a more rapid pace and with higher priorities (I’ve twice lived through the “Everything is high priority? Well this is highest priority!” syndrome while working in IT. Thankfully, most companies grow out of that fast when it’s pointed out that if everything is priority #1, nothing is). Timelines to complete projects – be they new development, bug fixes, or enhancements are stretching longer and longer as the percentage of gurus in the company is down and the complexity of the code and the architecture it runs on is up.

So what is a development manager to do to increase productivity? Teaming newer developers with people who’ve been around since the beginning is helping, but those seasoned developers are a smaller and smaller percentage of the workforce, while the volume of work has slowly removed them from some of the many products now under management. Adopting coding standards and standardized libraries helps increase experience portability between projects, but doesn’t do enough.

Enter offloading to the ADC. Some things just don’t have to be done in code, and if they don’t have to be, at this stage in the company’s growth, IT management at ZapNGo (that’s you!) decides they won’t be. There just isn’t time for non-essential development anymore.

Utilizing a policy management tool and/or an Application Firewall on the ADC can improve security without increasing the code base, for example. And that shaves hours off of maintenance projects, while standardizing on one or a few implementations that are simply selected on the ADC. Implementing Web Application Acceleration protocols on the ADC means that less in-code optimization has to occur. Performance is no longer purely the role of developers (but of course it is still a concern. No Web Application Acceleration tool can make a loop that runs for five minutes run faster), they can allow the Web Application Acceleration tool to shrink the amount of data being sent to the users’ browser for you. Utilizing a WAN Optimization ADC tool to improve the performance of bulk copies or backups to a remote datacenter or cloud storage… The list goes on and on.

The key is that the ADC enables a lot of opportunities for App Dev to be more responsive to the needs of the organization by moving repetitive tasks to the ADC and standardizing them. And a heaping bonus is that it also does that for operations with a different subset of functionality, meaning one toolset gives both App Dev and Operations a bit more time out of their day for servicing important organizational needs. Some would say this is all part of DevOps, some would say it is not. I leave those discussions to others, all I care is that it can make your apps more secure, fast, and available, while cutting down on workload.

And if your ADC supports an SSL VPN, your developers can work from home when necessary. Or more likely, if your code is your IP, a subset of your developers can. Making ZapNGo more responsive, easier to maintain, and more adaptable to the changes coming next week/month/year. That’s what ADCs do. And they’re pretty darned good at it.

That brings us to the one bit that I have to caveat with F5 only, and that is iApps. An iApp is a constructed configuration tool that asks a few questions and then deploys all the bits necessary to set up an ADC for a particular application. Why do I mention it here? Well if you have dozens of applications with similar characteristics, you can create an iApp Template and use it to rapidly bring new applications or new instances of applications online. And since it is abstracted, these iApp templates can be designed such that AppDev, or even the business owner, is able to operate them Meaning less time worrying about what network resources will be available, how they’re configured, and waiting for operations to have time to implement them (in an advanced ADC that is being utilized to its maximum in a complex application environment, this can be hundreds of networking objects to configure – all encapsulated into a form). Less time on the project timeline, more time for the next project. Or for the post deployment party. One of the two. That’s it for the F5 only bit.

And knowing that all of these items are standardized means less things to get mis-configured, more surety that it will all work right the first time. As with all of these articles, that offers you the most important benefit… A good night’s sleep.

Technorati Tags: Application Delivery Controllers,VPN,Security,Applicaiton Development,Acceleration,WAN Optimization,Encryption,F5 Networks,Load Balancing For Developers,Don MacVittie,blog

Connect with Don:	Connect with F5:

F5 Friday: New Services from F5 Ease Migration and Upgrades

Lori MacVittie — Fri, 03 Feb 2012 13:14:00 GMT

I get by with a little help from my friends…

While cloud and virtualization primarily focus on improving the provisioning process, there is a lot more to managing a data center and its critical components than just deployment. There’s upgrades – both software and hardware – and migration to new solutions as well as tweaking knobs and buttons to optimize and troubleshoot issues. While public cloud computing may alleviate much of the pain associated with forward movement, private and hybrid environments as well as traditional data center models must face the reality of dealing with these admittedly often tedious tasks.

It’s a foregone conclusion that new technology and devices like mobile, tablets, unified application delivery and cloud computing as well as an evolving threat spectrum put pressure on IT to maintain a healthy and modern set of services to ensure availability, performance, and security. As pressures increase on infrastructure services, vendors respond with new and or updated solutions to help IT combat the growing complexity of data center architectures.

But sometimes, IT needs a little help from its friends to get there, and that’s where professional service organizations enter into the picture.

One of F5’s top priorities is a world-class service organization. From implementation and ongoing support to migration and upgrades, our professional services organization continues to evaluate the technology landscape and address the most pressing issues facing IT through new offerings designed to ease those pain points introduced by a need to upgrade or migrate to new platforms.

New Services Offerings from F5

F5 is introducing three new services offerings that address many of these issues. Each assessment covers four phases: planning, analysis, a detailed report, and review with recommendations.

BIG-IP Local Traffic Manager (LTM) Upgrade Assessment

Understand Your Infrastructure’s Readiness for Change

The flexible infrastructures made possible by BIG-IP LTM can drive efficiencies, support business growth, and optimize new capabilities that become available as the infrastructure devices evolve. Nonetheless, version upgrades require planning and analytical validation that new functionality will align with the organization’s infrastructure vision.

The BIG-IP LTM configuration is assessed in four broad categories:

Platform, including current TMOS release level, device health, network configuration, and system monitoring and management

Availability, including HA configuration, active/standby preferences, network redundancy, connection mirroring, and persistence settings

Performance, including optimized service profiles, CPU throughput, simple F5 iRules scripting, virtual server types, and health monitors

Security, including secure socket layer (SSL) cipher strengths, port lockdown settings, and administrative access configurations

Firepass to BIG-IP Access Policy Manager (APM) Migration Assessment

Migrate to BIG-IP APM for Faster, Flexible Access

The rapid proliferation of mobile devices, an increasingly dispersed workforce, and the need to secure and optimize content delivery combine to make high-performance, high-concurrency remote access solutions crucial to organizations. Migrating now from a FirePass device to BIG-IP APM ensures your applications remain fast, secure, and available. BIG-IP APM provides a flexible, high-performance access and security solution within an agile infrastructure that will position your organization to effectively support today’s mobile workforce.

The F5 Professional Services consultant reviews your current FirePass configuration and conducts a high-level design discussion to understand the target architecture requirements for meeting your organization’s remote access needs. The configuration review includes analysis of web services, landing URIs, authentication method, certificates, master and resource groups, and network, portal, and application access.

Proactive Assessment

Assess Your F5 Infrastructure Agility

An F5 Proactive Assessment Service audits your F5® BIG-IP® products to ensure optimal configuration. Specifically, the Proactive Assessment Service reviews your current environment to uncover potential issues or areas for improvement and makes recommendations that help optimize F5 technologies. The result is an action plan designed to boost your BIG-IP platform performance, strengthen security, and increase availability.

Network configuration is assessed with a comprehensive review of infrastructure characteristics in five categories:

Operating system, including hotfix level and consistency within products and across BIG-IP device high-availability (HA) pairs

Architecture, including virtual servers, pools, network address translation, and address resolution protocol (ARP) settings

Security, including password policy, authentication methods, and network forwarding

Availability, including fail-over, mirroring, HA configuration, health monitors, and backup policies

Performance, including CPU performance graphs, memory consumption, and throughput

Another great self-service resource can be found in iHealth, which enables you to verify the proper operation of your BIG-IP system and ensure your hardware and software function at peak efficiency. New to iHealth is a comparison feature that can assist with assessments as well as troubleshooting. iHealth requires registration, but is a free service from F5 designed to ease the support process as well as providing organizations with the means to self-support when desired.

Additional Resources:

Connect with Lori:	Connect with F5:

Related blogs & articles:

Technorati Tags: F5,F5 Friday,MacVittie,professional Services,BIG-IP,LTM,APM,iRules,iHealth,blog

F5 - Mobile Device Support for VMware View

F5 Networks News — Fri, 03 Feb 2012 13:07:00 GMT

#mobile #vdi #virtualization

F5 provides intelligent mobile device support for VMware View. This benefits IT with greater access and compliance control, while at the same time, allowing your employees the freedom to use their mobile device of choice. F5 can help by making VMware View secure, fast, scalable, and available.

More information about F5's solution for VMware View can be found at http://www.f5.com/view

F5 - Mobile Device Support for VMware View

Resources:

Connect with F5:

Latest F5 Information

Technorati Tags: F5,F5 News,VMware,VMWare view,virtualization,vdi,mobile,video

5 Stages of a Data Breach

Pete Silva — Fri, 03 Feb 2012 00:53:19 GMT

One thing I’ve noticed over the last couple years is that there are 5 Stages of a Data Breach:

Denial: We do not believe these attacks breached our critical servers.

Anger: We want to make it clear that we take security seriously!

Bargaining: We’d like to offer our affected customers a credit monitoring service.

Depression: We wish we could have done things differently.

Acceptance: Well, it just shows that no one is safe from hackers.

Technorati Tags: F5, cyber-crime, trojan, Pete Silva, security, business, education, 5 stages, cyber war, hackers, breach, verisign, internet, security, privacy,

Connect with Peter:	Connect with F5:

Come Join DevCentral for the Seattle DotNetNuke User Group Meeting

Jason Rahm — Thu, 02 Feb 2012 16:07:20 GMT

If you didn’t know, the DevCentral platform runs on DotNetNuke, the leading open source ASP.Net CMS. It’s a great development platform for turning out rich sites, and we’re excited to be hosting the next Seattle DNN User Group meeting next Wednesday, February 8th, beginning at 6pm at 401 Elliot Ave West, Seattle, WA.

Agenda

6:00 - Arrive Sign in
6:10 - Tour F5 facilities
6:30 – Presentation Begins

Steven – Introductions and DC/DNN Overview
April – Managing a Community
Jason – Overview of the infrastructure we run

7:20 – Q & A
7:30 – Social Hour – Buckley’s

We’re super excited to be involved in this next DNN user group, hope to see you there!

Technorati Tags: F5 DevCentral,DotNetNuke,DNN,Seattle DNN User Group,Buckley's

The Harvest Season is Just Around the Corner

Or Katz — Thu, 02 Feb 2012 11:48:06 GMT

One year ago an online dating site called Lovely-Faces.com was lunched with over 250,000 profiles. These profiles were scraped from Facebook without the permission of the users. This incident illustrates exactly what web scraping is all about.

Another good example when a web scraping attack may occur is when a web application contains cataloged content, for example, electronic equipment with a catalog number and the price for each item. Let’s say that competitors would like to know the price of each item in the catalog in order to sell the same products for one dollar cheaper (because customers buy the product with the lowest price).

Defending against a “Web scraping” attack (also known as “Web harvesting”) is very challenging. In most cases the motivation behind this attack is business driven, and the attacker tries to steal web application content that is publicly available without the approval of the content owner.

This attack is different from other well-known attacks since:

1. In this case the information that is stolen is not sensitive; it is presented to all web application users.

2. Access to this information from the same user more than once is permitted (because customers may want to browse the web application before choosing the item they want).

These characteristics make protection your web application from this attack more of a non-deterministic kind of protection. Blocking suspicious users is not recommended since losing business as a result of false detection is not acceptable; therefore, another more sophisticated approach is needed here. We want to delay the attacker to the point where his harvesting will become ineffective, while still keeping the web application available to all users. In order to do that and to make sure that the “attacker” is a legitimate customer using his browser, we have to be intrusive and inject JavaScript into the web application response.

F5 BIG-IP Application Security Manager has a unique protection for this type of attack. By injecting JavaScript to suspicious users we can perform the following checks:

i. Is it a real user? Make sure JavaScript was executed on the customer’s browser.

ii. Is it a scraper? Delay the user’s next request to the extent of not making it noticeable to the genuine user while making the attack slow and therefore ineffective for the harvester.

Communities Will Lead the Way

Colin Walker — Wed, 01 Feb 2012 18:19:41 GMT

Competitive advantage for network technologies will be determined by a vendor’s ability to allow its customers to create custom features through a programmable front end and then share these ideas with a broader community. The community will become a self feeding ecosystem that will create a higher level of stickiness with network technologies.

- Zeus Kerravala

A blog post by Zues over at Network World describes just how important community is to innovation these days. He focuses specifically on the networking world, as that's his focus, but the concept is a solid one in general. Group like minded people together and innovation accelerates. Community for me is all about getting to communicate (go figure, right?) with people looking to achieve similar things. Whether that is writing code, playing video games, cooking or pretty much anything else, I know that I am personally inspired and driven more when engaged with others that are supporters or fanatics of whatever interest it is that is capturing my time at the moment.

The same seems to hold true for many people, though I am no expert on the matter and have no empirical evidence to lay before you. I can tell you that in my experience, whenever a community of like minded technologists amass themselves to solve a particular problem, great things happen. It really is as simple as the cliché "2 minds are better than 1". Well, in our case, 90,000+ minds are certainly better than one. Keep in mind it is not just processing power gained by those minds, but also experience. While brute force processing power to solve problems is great, far more powerful still is bringing in someone that has solved the problem before to educate on how it was done. This is a theme we see time and time again in our community here at DevCentral.

Personally I'm a fan. A big fan. I've been a geek and working with technology for quite a while, and in that time it has become so routine and commonplace for me to seek out and throw in with the community of whatever new technology I'm trying to learn about that I sometimes forget that some people don't understand just how valuable and important community as a tool can be. Zeus addresses it very well in his post, and I highly recommend going and taking the time to read it. He even had some very nice things to say about DevCentral and iRules:

The concept of programmability and communities isn’t a new concept. F5 Networks has set the gold standard for all scripting environments combined with a community site with its TCL based iRules and DevCentral community. iRules used to be this geeky thing that was used by only a handful of administrators. Over the past few years though, use of iRules has exploded so now it’s a geeky thing used by thousands of administrators and is easily the reason F5 has it’s 65%+ share in the ADC market.

That is the power of community. The power that each person that reads this, joins DevCentral, shares a link, posts to a forum, contributes a CodeShare example or takes part in any other form of community interaction lends to this community to achieve a common set of goals.

How powerful is community to you? What other communities are you an active member of and why? How has it changed the way you learn or do business?

#Colin

Technorati Tags: DevCentral,Community,Zeus Kerravala,Network World,iRules,Colin Walker

F5 - Simplifying Access for VMware View

F5 Networks News — Wed, 01 Feb 2012 13:18:00 GMT

#vdi #fasterapp #infosec End-user acceptance will suffer if access to desktops is complicated or slow.

In addition, without strong security, confidential information might be exposed, critical data lost, or regulatory compliance requirements unmet. F5 BIG-IP Access Policy Manager (APM) offers users unified, secure access as well as broad support for authentication, authorization, and accounting (AAA) mechanisms and stringent access policies. These features are combined with security endpoint check, plus multi gigabit-per-second SSL encryption, thousands of logins per second, and optimized connections. F5 can help by making VMware View secure, fast, scalable, and available.

More information about F5's solution for VMware View can be found at http://www.f5.com/view

F5 - Simplifying Access for VMware View

Resources:

Connect with F5:

Latest F5 Information

Technorati Tags: F5,F5 News,VMware,VMware View,VDI,virtualization,application delivery,performance,availability,video

The Cloud API is Pseudo-Consolidation of Infrastructure

Lori MacVittie — Wed, 01 Feb 2012 13:00:00 GMT

It’s about operational efficiency and consistency, emulated in the cloud by an API to create the appearance of a converged platform

In most cases, the use of the term “consolidation” implies the aggregation (and subsequently elimination) of like devices. Application delivery consolidation, for example, is used to describe a process of scaling up infrastructure that often occurs during upgrade cycles. Many little boxes are exchanged for a few larger ones as a means to simplify the architecture and reduce the overall costs (hard and soft) associated with delivering applications. Consolidation.

But cloud has opened (or should have opened) our eyes to a type of consolidation in which like services are aggregated; a consolidation strategy in which we layer a thin veneer over a set of adjacent functionalities in order to provide a scalable and ultimately operationally consistent experience: an API. A cloud API consolidates infrastructure from an operational perspective. It is the bringing together of adjacent functionalities into a single “entity.” Through a single API, many infrastructure functions and services can be controlled – provisioning, monitoring, security, and load balancing (one part of application delivery) are all available through the same API. Certainly the organization of an API’s documentation segments services into similar containers of functionality, but if you’ve looked at a cloud API you’ll note that it’s all the same API; only the organization of the documentation makes it appear otherwise.

This service-oriented approach allows for many of the same benefits as consolidation, without actually physically consolidating the infrastructure. Operational consistency is one of the biggest benefits.

OPERATIONAL CONSISTENCY

The ability to consistently manage and monitor infrastructure through the same interface – whether API or GUI or script – is an important factor in data center efficiency. One of the reasons enterprises demand overarching data center-level monitoring and management systems like HP OpenView and CA and IBM Tivoli is consistency and an aggregated view of the entire data center.

It is no different in the consumer world, where the consistency of the same interface greatly enhances the ability of the consumer to take advantage of underlying services. Convenience, too, plays a role here, as a single device (or API) is ultimately more manageable than the requirement to use several devices to accomplish the same thing. Back in the day I carried a Blackberry, a mobile phone, and a PDA – each had a specific function and there was very little overlap between the two. Today, a single “smart”phone provides the functions of all three – and then some. The consistency of a single interface, a single foundation, is paramount to the success of such consumer devices. It is the platform, whether consumers realize it or not, that enables their highly integrated and operationally consistent experience.

The same is true in the cloud, and ultimately in the data center. Cloud (pseudo) consolidates infrastructure the only way it can – through an API that ultimately becomes the platform analogous to an iPhone or Android-based device.

Cloud does not eliminate infrastructure, it merely abstracts it into a consolidated API such that the costs to manage it are greatly reduced due to the multi-tenant nature of the platform. Infrastructure is still managed, it’s just managed through an API that simplifies and unifies the processes to provide a more consistent approach that is beneficial to the organization in terms of hard (hardware, software) and soft (time, administration) costs.

The cloud and its requisite API provide the consolidation of infrastructure necessary to achieve greater cost savings and higher levels of consistency, both of which are necessary to scale operations in a way that makes IT able to meet the growing demand on its limited resources.

Connect with Lori:	Connect with F5:

Related blogs & articles:

Technorati Tags: F5,MacVittie,cloud,cloud computing,API,architecture,mobile,operational consistency,blog

Like Cars on a Highway.

Don MacVittie — Tue, 31 Jan 2012 21:31:38 GMT

Every once in a while, as the number of people following me grows (thank you, each and every one), I like to revisit something that is fundamental to the high-tech industry but is often overlooked or not given the attention it deserves. This is one of those times, and the many-faceted nature of any application infrastructure is the topic. While much has changed since I last touched on this topic, much has not, leaving us in an odd inflection point. When referring to movies that involve a lot of CGI, my oldest son called it “the valley of expectations”, that point where you know what you’d like to see and you’re so very close to it, but the current offerings fall flat. He specifically said that the Final Fantasy movie was just such a production. The movie came so close to realism that it was disappointing because you could still tell the characters were all animations. I thought it was insightful, but still enjoyed the movie.

It is common to use the “weakest link in the chain” analogy whenever we discuss hardware, because you have parts sold by several vendors that include parts manufactured by several more vendors, making the entire infrastructure start to sound like the “weakest link” problem. Whether you’re discussing individual servers and their performance bottlenecks (which vary from year to year, depending upon what was most recently improved upon), or network infrastructures, which vary with a wide variety of factors including that server and its bottlenecks.

I think a better analogy is a busy freeway. My reasoning is simple, you have to worry about the manufacture and operation of each vehicle (device) on the road, the road (wire) itself, interchanges, road conditions, and toll booths. There is a lot going on in your infrastructure, and “weakest link in the chain” is not a detailed enough comparison.

In fact, if you’re of a mathematical bent, then the performance of your overall architecture could be summarized by the following equation:

Where n is the number of infrastructure elements required for the application to function correctly and deliver information to the end user. From databases to Internet connections to client bandwidth, it’s all jumbled up in there. Even this equation isn’t perfect, simply because some performance degradation is so bad that it drags down the entire system, and other issues are not obvious until the worst offender is fixed. This is the case in the iterative improvement of servers… Today the memory is the bottleneck, once it is fixed, then the next bottleneck is disk, once it is improved, the next bottleneck is network I/O… on and on it goes, and with each iteration we get faster overall servers.

And interestingly enough, security is very much the same equation, with the caveat that a subset of infrastructure elements is likely to be looked at for security, just because not everything is exposed to the outside world – for example, the database only need be considered if you allow users to enter data into forms that will power a DB query directly.

So what is my point? well simply put, when you are budgeting, items that impact more than one element – from a security or performance perspective – or more than one application, should be prioritized over things that are specific to one element or one application. The goal of improving the overall architecture should trump the needs of individual pieces or applications, because IT – indeed, the business – is built upon the overall application delivery architecture, not just a single application. Even though one application may indeed be more relevant to the business (I can’t imagine that eBay has any application more important than their web presence, for example, since it is their revenue generation tool), overall improvements will help that application and your other applications.

Of course you should fix those terribly glaring issues with either of these topics that are slowing the entire system down or compromising overall security, but you should also consider solutions that will net you more than a single-item fix.

<blatant marketing>Yes, I think an advanced ADC product like F5’s BIG-IP is one of these multi-solution products, but it goes well beyond F5 into areas like SSDs for database caches and such. </blatant marketing>

So keep it in mind. Sometimes the solution to making application X faster or more secure is to make the entire infrastructure faster or more secure. And if you look at it right, availability fits into this space too. Pretty easily in fact.

Technorati Tags: Performance,Security,Architecture,Server,F5 BIG-IP,F5 Networks,Don MacVittie,Blog

Connect with Don:	Connect with F5:

Juice-Jacking Revisited

Jason Rahm — Tue, 31 Jan 2012 16:22:09 GMT

It’s a crazy world out there. I ran (well, by “ran” I mean jogged slowly enough to pass the old ladies on the track) this morning at the YMCA, lifted weights for a little while, and then hit the elliptical for 20 minutes before heading home. My gym’s ellipticals have the Nike+ package where you can store your workouts on your iPhone/iPod, and without thinking I jacked in. Approximately 38 ms later (my internal meter is not calibrated) I facepalmed and disconnected my iPhone in shame. Have I learned nothing?

Turns out, after closer inspection, the cable was a standard cable plugged into a standard elliptical trainer, but I didn’t inspect it initially. I just trusted that everything was as it should be. Josh wrote about this trust back in December. This offense, of course, would be fine if it was my iPod, which holds nothing of value on it. But my iPhone? Well, it has quite a bit more I’d rather not share with Mr. or Mrs. Hacker. So what am I worried about?

Juice-Jacking is another physical security attack vector. With smartphones battery charging capabilites tied also to the data access port, any maliciously minded individual could stand up a charging booth, offer it up for free, and the lambs would willingly head to the slaughter. As power surges into their batteries, their data surges into the hands of the enemy. Such was the case at DefCon this year, where at least 360 attendees, made acutely aware of connecting in any way to anything within a 2 mile radius of the conference, still powered up. Brian Krebs had a good post-DefCon write-up on Juice-Jacking you should check out. Be careful out there.

Technorati Tags: F5 DevCentral,Security,Juice-Jacking,Jason Rahm,Josh Michaels

Vulnerability Assessment with Application Security

Pete Silva — Tue, 31 Jan 2012 16:04:16 GMT

The longer an application remains vulnerable, the more likely it is to be compromised.

Protecting web applications is an around-the-clock job. Almost anything that is connected to the Internet is a target these days, and organizations are scrambling to keep their web properties available and secure. The ramifications of a breach or downtime can be severe: brand reputation, the ability to meet regulatory requirements, and revenue are all on the line. A 2011 survey conducted by Merrill Research on behalf of VeriSign found that 60 percent of respondents rely on their websites for at least 25 percent of their annual revenue.

And the threat landscape is only getting worse. Targeted attacks are designed to gather intelligence; steal trade secrets, sensitive customer information, or intellectual property; disrupt operations; or even destroy critical infrastructure. Targeted attacks have been around for a number of years, but 2011 brought a whole new meaning to advanced persistent threat. Symantec reported that the number of targeted attacks increased almost four-fold from January 2011 to November 2011.

In the past, the typical profile of a target organization was a large, well-known, multinational company in the public, financial, government, pharmaceutical, or utility sector. Today, the scope has widened to include almost any size organization from any industry. The attacks are also layered in that the malicious hackers attempt to penetrate both the network and application layers. To defend against targeted attacks, organizations can deploy a scanner to check web applications for vulnerabilities such as SQL injection, cross site scripting (XSS), and forceful browsing; or they can use a web application firewall (WAF) to protect against these vulnerabilities. However a better, more complete solution is to deploy both a scanner and a WAF. BIG-IP Application Security Manager (ASM) version 11.1 is a WAF that gives organizations the tools they need to easily manage and secure web application vulnerabilities with multiple web vulnerability scanner integrations.

As enterprises continue to deploy web applications, network and security architects need visibility into who is attacking those applications, as well as a big-picture view of all violations to plan future attack mitigation. Administrators must be able to understand what they see to determine whether a request is valid or an attack that requires application protection. Administrators must also troubleshoot application performance and capacity issues, which proves the need for detailed statistics. With the increase in application deployments and the resulting vulnerabilities, administrators need a proven multi-vulnerability assessment and application security solution for maximum coverage and attack protection. But as many companies also support geographically diverse application users, they must be able to define who is granted or denied application access based on geolocation information.

Application Vulnerability Scanners

To assess a web application’s vulnerability, most organizations turn to a vulnerability scanner. The scanning schedule might depend on a change control, like when an application is initially being deployed, or other factors like a quarterly report. The vulnerability scanner scours the web application, and in some cases actually attempts potential hacks to generate a report indicating all possible vulnerabilities. This gives the administrator managing the web security devices a clear view of all the exposed areas and potential threats to the website. It is a moment-in-time report and might not give full application coverage, but the assessment should give administrators a clear picture of their web application security posture. It includes information about coding errors, weak authentication mechanisms, fields or parameters that query the database directly, or other vulnerabilities that provide unauthorized access to information, sensitive or not. Many of these vulnerabilities would need to be manually re-coded or manually added to the WAF policy—both expensive undertakings.

Another challenge is that every web application is different. Some are developed in .NET, some in PHP or PERL. Some scanners execute better on different development platforms, so it’s important for organizations to select the right one. Some companies may need a PCI DSS report for an auditor, some for targeted penetration testing, and some for WAF tuning. These factors can also play a role in determining the right vulnerability scanner for an organization. Ease of use, target specifics, and automated testing are the baselines. Once an organization has considered all those details, the job is still only half done. Simply having the vulnerability report, while beneficial, doesn’t mean a web app is secure. The real value of the report lies in how it enables an organization to determine the risk level and how best to mitigate the risk. Since re-coding an application is expensive and time-consuming, and may generate even more errors, many organizations deploy a web application firewall like BIG-IP ASM.

A WAF enables an organization to protect its web applications by virtually patching the open vulnerabilities until it has an opportunity to properly close the hole. Often, organizations use the vulnerability scanner report to then either tighten or initially generate a WAF policy. Attackers can come from anywhere, so organizations need to quickly mitigate vulnerabilities before they become threats. They need a quick, easy, effective solution for creating security policies. Although it’s preferable to have multiple scanners or scanning services, many companies only have one, which significantly impedes their ability to get a full vulnerability assessment. Further, if an organization’s WAF and scanner aren’t integrated, neither is its view of vulnerabilities, as a non-integrated WAF UI displays no scanner data. Integration enables organizations both to manage the vulnerability scanner results and to modify the WAF policy to protect against the scanner’s findings—all in one UI.

Integration Reduces Risk

While finding vulnerabilities helps organizations understand their exposure, they must also have the ability to quickly mitigate found vulnerabilities to greatly reduce the risk of application exploits. The longer an application remains vulnerable, the more likely it is to be compromised. F5 BIG-IP ASM, a flexible web application firewall, enables strong visibility with granular, session-based enforcement and reporting; grouped violations for correlation; and a quick view into valid and attack requests. BIG-IP ASM delivers comprehensive vulnerability assessment and application protection that can quickly reduce web threats with easy geolocation-based blocking—greatly improving the security posture of an organization’s critical infrastructure.

BIG-IP ASM version 11.1 includes integration with IBM Rational AppScan, Cenzic Hailstorm, QualysGuard WAS, and WhiteHat Sentinel, building more integrity into the policy lifecycle and making it the most advanced vulnerability assessment and application protection on the market. In addition, administrators can better create and enforce policies with information about attack patterns from a grouping of violations or otherwise correlated incidents. In this way, BIG-IP ASM enables organizations to mitigate threats in a timely manner and greatly reduce the overall risk of attacks and solve most vulnerabilities.

With multiple vulnerability scanner assessments in one GUI, administrators can discover and remediate vulnerabilities within minutes from a central location. BIG-IP ASM offers easy policy implementation, fast assessment and policy creation, and the ability to dynamically configure policies in real time during assessment. To significantly reduce data loss, administrators can test and verify vulnerabilities from the BIG-IP ASM GUI, and automatically create policies with a single click to mitigate unknown application vulnerabilities.

Security is a never-ending battle. The bad guys advance, organizations counter, bad guys cross over—and so the cat and mouse game continues. The need to properly secure web applications is absolute. Knowing what vulnerabilities exist within a web application can help organizations contain possible points of exposure. BIG-IP ASM v11.1 offers unprecedented web application protection by integrating with many market-leading vulnerability scanners to provide a complete vulnerability scan and remediate solution. BIG-IP ASM v11.1 enables organizations to understand inherent threats and take specific measures to protect their web application infrastructure. It gives them the tools they need to greatly reduce the risk of becoming the next failed security headline.

Resources:

Technorati Tags: F5, big-ip, virtualization, cloud computing, Pete Silva, security, waf, web scanners, compliance, application security, internet, TMOS, big-ip, asm

Connect with Peter:	Connect with F5:

Events, Messen, Meetings,... voller Kalender und wenig Zeit und Budget – was tun?

Claudia Kraus — Tue, 31 Jan 2012 12:44:45 GMT

Wir alle erhalten täglich neue Einladungen zu Veranstaltungen, Meetings und Events und es ist schwer zu entscheiden, wo man die benötigten Informationen erhält. Wo ist mein Return on Investment, wenn ich zur Veranstaltung „x“ gehe oder erhalte ich diese Information genauso im Internet?

Viele Menschen möchten gar nicht auf Messen gehen und von Hostessen und engagierten Vertriebsmitarbeitern auf den Ständen überfallen werden und mit Informationen versorgt werden, die sie eigentlich gar nicht brauchen.

Wir alle kennen noch die „goldenen“ Zeiten, in denen sich Menschenmassen durch die Messehallen mit Tüten voller toller Spielzeuge geschoben haben und es weder eine Frage der Zeit noch des Reisebudgets war, ob man eine Veranstaltung besuchte oder nicht. Diese Zeiten sind allerdings schon lange vorbei.

Kunden wollen heute dedizierte Lösungen auf Ihre Probleme und Herausforderungen erhalten, ohne viel Schnick-Schnack und lauter Musik auf Messeständen. Sie wollen wissen, welcher Hersteller bietet mir die beste Lösung zum besten Preis und garantiert mir eine lange Laufzeit dieser Lösung gerade im Hinblick auf Wachstum und Entwicklung des Unternehmens.

Genau aus diesem Grund haben wir bereits seit 2007 begonnen monatliche Webinare zu einem jeweils speziellen Thema anzubieten. In etwa 30 Minuten erfährt der Teilnehmer, welche Lösung gibt es beispielsweise, wenn ich meine Microsoft Exchange Umgebung optimieren möchte, was muß ich tun und mit welchem Ergebnis kann ich rechnen. Die Teilnehmerzahlen steigen stetig und das bekräftigt uns in unserer Strategie kurz, knapp, ohne viel Zeit-Investment und kostenfrei unsere Interessenten, Kunden und Partner über aktuelle Themen und Lösungen zu informieren.

Mein Fazit ist, daß es immer Veranstaltungen geben wird, bei denen es sich lohnt teilzunehmen, sei es um zu Netzwerken oder aber auch, weil es sich um eine Veranstaltung zu einem festgelegten und thematisch eng abgesteckten Themengebiet handelt. Nach dem Motto: Klein aber fein…

Ich lade Sie herzlich ein, eines unserer monatlichen Webinare zu besuchen! Das nächste Webinar findet am 24. Februar um 9.00 Uhr statt und Sie erfahren hier, wie Sie durch Advanced Application Delivery schnelle, sichere und hochverfügbare Microsoft Anwendungen erhalten.

Ihre Anmeldung dazu kann hier erfolgen:

http://www.delegate.com/f5/2010/display.php?view=2&eventId=10969

Weitere Webinare finden Sie hier: http://www.delegate.com/f5/2010/index.php

Ihre Claudia Kraus

Einladung zum F5 Networks Webinar : Schnelle, sichere und hochverfügbare Microsoft Anwendungen durch Advanced Application Delivery

Claudia Kraus — Tue, 31 Jan 2012 10:12:45 GMT

Hiermit lade ich Sie zu unserem monatlichen Webinar am Freitag, 24.02.2012 um 09:00 Uhr ein. In dem 30-minütigen Webinar erfahren Sie, wie Ihre Microsoft Exchange 2010 Umgebungen optimiert werden können.

Microsoft empfiehlt für MS Exchange 2010 Hardware Load Balancer einzusetzen. In diesem Webinar werden Möglichkeiten aufgezeigt, wie mit F5 Lösungen mittels Advanced Application Delivery weit über klassisches Load Balancing hinaus Microsoft Exchange 2010 Umgebungen optimiert werden können.

Sie wollen für Ihre Exchange Installation:

maximal Verfügbarkeit – bei Bedarf auch Rechenzentrums übergreifend?
schnelle Antwortzeiten, zufriedene Anwender auch für OWA?
Unterstützung der Architektur Vorteile von MS Exchange 2010?

Sie können sich hier direkt anmelden:

http://www.delegate.com/f5/2010/display.php?view=2&eventId=10969

Wir freuen uns auf Ihre Teilnahme!

Rackspace - F5 Case Study

F5 Networks News — Mon, 30 Jan 2012 13:05:00 GMT

Rackspace Hosting wanted to broaden its product portfolio by offering customers an easy way to link dedicated managed servers to cloud-based servers. The company used Application Delivery Networking devices from F5 to help build a hybrid service called RackConnect. Now, Rackspace customers can mix and match dedicated managed and cloud hosting platforms for ultimate scalability, flexibility, efficiency, and lower costs.

As part of its standard hosting infrastructure, Rackspace uses BIG-IP devices to accomplish a number of tasks. BIG-IP LTM automatically directs customers’ traffic among web and application servers. It offloads CPU-intensive content caching and TCP connections from the servers to the BIG-IP devices to boost server performance. It also monitors application health and seamlessly redirects traffic away from potentially problematic servers or network components. The company also takes advantage of F5 Enterprise Manager to centralize management of multiple BIG-IP devices in its network through a single interface, significantly reducing the amount of time spent administering devices.

Rackspace - F5 Case Study

More Resources:

Rackspace

Connect with F5:

Latest F5 Information

Technorati Tags: F5,F5 News,integration,cloud computing,load balancing,performance,availability,video

Performance in the Cloud: Business Jitter is Bad

Lori MacVittie — Mon, 30 Jan 2012 12:46:00 GMT

#fasterapp #ccevent While web applications aren’t sensitive to jitter, business processes are.

One of the benefits of web applications is that they are generally transported via TCP, which is a connection-oriented protocol designed to assure delivery. TCP has a variety of native mechanisms through which delivery issues can be addressed – from window sizes to selective acks to idle time specification to ramp up parameters. All these technical knobs and buttons serve as a way for operators and administrators to tweak the protocol, often at run time, to ensure the exchange of requests and responses upon which web applications rely. This is unlike UDP, which is more of a “fire and forget” protocol in which the server doesn’t really care if you receive the data or not.

Now, voice and streaming video and audio over the web has always leveraged UDP and thus it has always been highly sensitive to jitter. Jitter is, without getting into layer one (physical) jargon, an undesirable delay in the otherwise consistent delivery of packets. It causes the delay of and sometimes outright loss of packets that are experienced by users as pauses, skips, or jumps in multi-media content.

While the same root causes of delay – network congestion, routing changes, time out intervals – have an impact on TCP, it generally only delays the communication and other than an uncomfortable wait for the user, does not negatively impact the content itself. The content is eventually delivered because TCP guarantees that, UDP does not.

However, this does not mean that there are no negative impacts (other than trying the patience of users) from the performance issues that may plague web applications and particularly those that are more and more often out there, in the nebulous “cloud”. Delays are effectively business jitter and have a real impact on the ability of the business to perform its critical functions – and that includes generating revenue.

BUSINESS JITTER and the CLOUD

David Linthicum summed up the issue with performance of cloud-based applications well and actually used the terminology “jitter” to describe the unpredictable pattern of delay:

Are cloud services slow? Or fast? Both, it turns out -- and that reality could cause unexpected problems if you rely on public clouds for part of your IT services and infrastructure.

When I log performance on cloud-based processes -- some that are I/O intensive, some that are not -- I get results that vary randomly throughout the day. In fact, they appear to have the pattern of a very jittery process. Clearly, the program or system is struggling to obtain virtual resources that, in turn, struggle to obtain physical resources. Also, I suspect this "jitter" is not at all random, but based on the number of other processes or users sharing the same resources at that time.

-- David Linthicum, “Face the facts: Cloud performance isn't always stable”

But what the multitude of articles coming out over the past year or so with respect to performance of cloud services has largely ignored is the very real and often measurable impact on business processes. That jitter that occurs at the protocol and application layers trickles up to become jitter in the business process; a process that may be critical to servicing customers (and thus impacts satisfaction and brand) as well as on the bottom line. Unhappy customers forced to wait for “slow computers”, as it is so often called by the technically less adept customer service representatives employed by many organizations, may take to the social media airwaves to express displeasure, or cancel an order, or simply refuse to do business in the future with the organization based on delays experienced because of unpredictable cloud performance.

Business jitter can also manifest as decreased business productivity measures, which it turns out can be measured mathematically if you put your mind to it.

Understanding the variability of cloud performance is important for two reasons:

You need to understand the impact on the business and quantify it before embarking on any cloud initiative so it can be factored in to the overall cost-benefit analysis. It may be that the cost savings from public cloud are much greater than the potential loss of revenue and/or productivity, and thus the benefits of a cloud-based solution outweigh the risks.
Understanding the variability and from where it comes will have an impact and help guide you to choosing not only the right provider, but the right solutions that may be able to normalize or mitigate the variability. If the primary source of business jitter is your WAN, for example, then it may be that choosing a provider that supports your ability to deploy WAN optimization solutions would be an appropriate strategy. Similarly, if the variability in performance stems from capacity issues, then choosing a provider that allows greater latitude in load balancing algorithms or the deployment of a virtual (soft) ADC would likely be the best strategy.

It seems clear from testing and empirical (as well as anecdotal) evidence that cloud performance is highly variable and, as David puts it, unstable. This should not necessarily be seen as a deterrent to adopting cloud services – unless your business is so highly sensitive to latency that even milliseconds can be financially damaging – but rather it should be a reality that factors into your decision making process with respect to your choice of provider and the architecture of the solution you’ll be deploying (or subscribing to, in the case of SaaS) in the cloud.

Knowing is half the battle to leveraging cloud successfully. The other half is strategy and architecture.

I’ll be at CloudConnect 2012 and we’ll discuss the subject of cloud and performance a whole lot more at the show!

Sessions

Connect with Lori:	Connect with F5:

Related blogs & articles:

Technorati Tags: F5,MacVittie,jitter,cloud,performance,latency,WAN optimization,application delivery,cloud computing,blog

F5 - Availability and Scalability for VMware View

F5 Networks News — Mon, 30 Jan 2012 12:08:00 GMT

#virtualization #vdi Scaling VMware View from hundreds to thousands of devices can strain the network and data center connectivity. Additionally, if poor performance hinders access to virtual desktops, end-user productivity will suffer. F5 BIG-IP LTM and BIG-IP GTM Application Delivery Controllers support redundant tiers of infrastructure within and across data centers, for maximum availability. In addition, the patented, unified F5 TMOS product platform provides tremendous scalability -- from thousands to millions of transactions per second. F5 can help by making VMware View secure, fast, scalable, and available.

More information about F5's solution for VMware View can be found at http://www.f5.com/view

F5 - Availability and Scalability for VMware View

Related resources:

Connect with F5:

Latest F5 Information

Technorati Tags: F5,F5 News,VMware,VMware View,VDI,virtualization,performance,availability,security,video,application delivery

F5 Friday: Goodbye Defense in Depth. Hello Defense in Breadth.

Lori MacVittie — Fri, 27 Jan 2012 12:45:00 GMT

#adcfw #infosec F5 is changing the game on security by unifying it at the application and service delivery layer.

Over the past few years we’ve seen firewalls fail repeatedly. We’ve seen business disrupted, security thwarted, and reputations damaged by the failure of the very devices meant to prevent such catastrophes from happening. These failures have been caused by a change in tactics from invaders who seek no longer to find away through or over the walls, but who simply batter it down instead. A combination of traditional attacks – network-layer – and modern attacks – application-layer – have become a force to be reckoned with; one that traditional stateful firewalls are often not equipped to handle. Encrypted traffic flowing into and out of the data center often bypasses security solutions entirely, leaving another potential source of a breach unaddressed. And performance is being impeded by the increasing number of devices that must “crack the packet” as it were and examine it, often times duplicating functionality with varying degrees of success. This is problematic because the resolution to this issue can be as disconcerting as the problem itself: disable security. Seriously. Security functions have been disabled, intentionally, in the name of performance.

IT security personnel within large corporations are shutting off critical functionality in security applications to meet network performance demands for business applications.

SURVEY: SECURITY SACRIFICED FOR NETWORK PERFORMANCE

What the company [NSS Labs] found would likely startle any existing or potential customers: three of the six firewalls failed to stay operational when subjected to stability tests, five out of six didn't handle what is known as the "Sneak ACK attack," that would enable attackers to side-step the firewall itself. Finally, according to NSS Labs, the performance claims presented in the vendor datasheets "are generally grossly overstated."

Independent lab tests find firewalls fall down on the job

Add in the complexity from the sheer number of devices required to implement all the different layers of security needed, which increases costs while impairing performance, and you’ve got a broken model in need of repair. This is a failure of the defense in depth strategy; the layered, multi-device (silo) approach to operational security. Most importantly, it’s one that’s failing to withstand attacks.

What we need is defense in breadth – the height of the stack –to assure availability and security using a more intelligent, unified security strategy.

DEFENSE in BREADTH

While it’s really not as catchy as “defense in the depth” the concept behind the admittedly awkward sounding phrase is sound: to assure availability and security simultaneously requires a strong security strategy from the bottom to the top of the networking stack, i.e. the application layer. The ability of the F5 BIG-IP platform to provide security up and down the stack has existed for many years, and its capabilities to detect, prevent, and withstand concerted attacks has been appreciated by its customers (quietly) for some time. While basic firewalling functions have been a part of BIG-IP for years, there are certain capabilities required of a firewall – specifically an ICSA certified firewall – that it didn’t have. So we decided to do something about that.

The result is the ICSA certification of the BIG-IP platform as a network firewall. Combined with its existing

ICSA certification for web application firewall (BIG-IP Application Security Manager) and SSL-TLS VPN 3.0 (BIG-IP Edge Gateway), the BIG-IP platform now supports a full-spectrum security solution in a single, unified system. What is unique about F5’s approach is that the security capabilities noted above can be deployed on BIG-IP Application Delivery Controllers (ADCs)—best known for providing industry-leading intelligent traffic management and optimization capabilities. This firewall solution is part of F5’s comprehensive security architecture that enables customers to apply a unified security strategy. For the first time in the industry, organizations can secure their networks, data, protocols, applications, and users on a single, flexible, and extensible platform: BIG-IP.

Combining network-firewall services with the ability to plug the hole in modern security implementations (the application layer) with a platform-based solution provides the opportunity to consolidate security services and leverage a shared infrastructure platform resulting in a more comprehensive, strategic deployment that is not only more secure, but more cost effective.

Resources:

Connect with Lori:	Connect with F5:

Related blogs & articles:

Technorati Tags: MacVittie,F5,F5 Friday,firewall,ICSA,security,BIG-IP,network,application security,DDoS,threat mitigation,blog

Overview: F5 for VMware View

F5 Networks News — Fri, 27 Jan 2012 12:02:38 GMT

#virtualization #vdi VMware View is a leading solution for desktop virtualization offering simplified administration while increasing security and control. When deploying VMware View, there are several issues your business must deal with: from the management of a wide range of devices, to ensuring availability, scalability, and performance. F5 can help by making VMware View secure, fast, scalable, and available.

More information about F5's solution for VMware View can be found at http://www.f5.com/view

Overview: F5 for VMware View

Connect with F5:

Latest F5 Information

Technorati Tags: F5,F5 News,VMWare,VMware View,virtualization,application delivery,integration,video

Blitzkrieg and VDI Edge Protection.

Don MacVittie — Thu, 26 Jan 2012 21:19:26 GMT

By now, everyone even vaguely familiar with information security knows the military maxim of blitzkrieg – burst through the hardened defense at a single point and then rush pell-mell to the rear where the soft underbelly of any static army lies. It is a good military strategy, provided you have the resources to break through the defenses and follow up with a rapid advance into the rear areas. While there are variants of this plan, and a lot of discussion about how/when it is strategically worth the risk, historically speaking it has been a smashing success. Germany did it to France and the Low Countries in 1940, to Russia in 1941, Russia returned the favor in 1943, and the western allies joined used it successfully at Normandy in late 1944. Sherman’s March to the Sea in the American Civil War was just such a ploy (though Sherman was more willing to hit civilian targets than a 20th century general would have been, it was still a rush to the soft rear), and the first Gulf War had the coalition forces doing much the same. These are just the large-scale instances of this theory in operation, but you have to admit it works. The risk is high though, as the Germans found out at Prokhorovka, and that alone makes generals cautious that they have the resources and intelligence reports to burst through in the first place.

The difference between the military maxim and the theory that information security should follow it is an important one. In military theory, you only harden behind the lines if there is a high likelihood that the enemy forces will find a weak spot in your lines and exploit it to get at the rear areas. The conundrum for the defensive leader finding themselves in such a situation is that every combat soldier placed to the rear is one less combat soldier on the front, increasing the likelihood that there will be a breakthrough. In information security, the problem is that the resources of the attacker are theoretically unlimited. Unless they are apprehended by the authorities in their home country, there is no penalty for attacking over and over and over. The limiting factor for the attacker – that they might smash themselves upon their opponent – does not exist at this time in Internet parlance. An attack fails, that merely means the attacker marshals the same exact set of resources and tries again.

The defense, on the other hand, still has a limited number of resources (dollars and staff hours) to defend themselves with. And they must make the most of them. Defense in depth is an absolute necessity, simply because the attacker can continue ad-infinitum to try attacking, and the number of attackers is unknown but large. That leaves a heavy burden on information security staff, who have settled into the glum belief that it is “not if, but when” they will be defeated. While the ultimate solution to this problem rests outside the purview of corporate security, in the interim, it is necessary to do what can be done to simplify and strengthen the fortifications that are between ne’er do wells and corporate resources.

Just to add fuel to the fire, this is all happening at the same time that organizations are facing increasing pressure to expose more and more of their internal architecture to the Internet so that users can access their applications from essentially anywhere. So to put it into military terms, there are numerous hostile entities, an ever increasing front length, and a static number of defenders and resources. That is not a recipe for success in most scenarios.

So what is the serious information security professional to do? Well the first steps have already been taken. Defense in depth is just a fact that most organizations live with, down to firewalls between departments for some organizations. Anti-virus tools and encryption are the norm, not the exception, and external access is generally protected by a VPN. But new technologies bring new challenges, or more frequently make old but low likelihood challenges into higher priority issues.

As we deploy VDI – and we are deploying VDI at a faster rate than I’d expected – the issue of edge security becomes more and more of an issue. If you expose VDI desktops to the world so that your workers can log in at any hour and get some work done, or an employee who’s sick can stay home to avoid infecting others but is well enough to work can do so, you will have to find a way to lock that interface to the world down so that users can get in, but hackers cannot. This is more important than most interfaces because the interface sits in front of user desktops, and they generally have more access than a server.

While there are a variety of ways to attack such an inlet, DDoS – to keep employees from working remotely – and Trojans are the two most likely to be successful. What you’ll want on this inlet is a way to check that the client – be it PC or iPad or whatever – complies with security policy that includes at least rudimentary virus checking (since the client device is outside your network and possibly not even a corporate resource), and a way to resist DDoS attacks. A network level tool that shunts detected DDoS attacks off to neverland, like F5’s own BIG-IP is going to be the best solution, since traditional firewalls are aimed at detecting more traditional attacks and can become victims of a DDoS. Regardless of what you choose to protect against this type of attack, it should be something you can guarantee will stay standing when hit with thousands of dropped connections a second.

And you’ll want to be able to apply more generally corporate security policies. That’s a tough call in a VDI environment. While a product like BIG-IP can be set up to use your corporate security policies for access and authentication purposes, it is difficult – both legally and technologically - to force corporate security policy on employee-owned devices. Legally you can limit access based upon the status of the machine requesting it, the user name, and the geographic location, but you can’t insure that the device meets with the same stringent policies you would require on your internal network. And that’s a problem, because VDI is your internal network. Time will tell how large this threat looms, but I wouldn’t ignore it, since we know it’s a threat. Legally you can ask employees to agree to be bound by corporate security policy when accessing the corporate network from a home machine, but I honestly don’t know of anyone doing that today – and I am not a lawyer, so maybe there’s a good legal reason I haven’t heard of anyone doing just that.

In the end, the benefits of allowing some or all users to access their desktop remotely is a huge benefit, but be careful out there, the number of attackers isn’t going down, and while we’re working all of this out is their opportunity to take advantage of weaknesses. So protect yourself. I’d recommend F5 products, but there are other ways to try and resist the hoards should they come knocking at your public VDI interface. Whatever you choose, just make certain it is implemented well.

Technorati Tags: Information Security,VDI,Defense In Depth,DDoS,iPad,F5 Networks,Don MacVittie

Connect with Don:	Connect with F5:

Evolving (or not) with Our Devices

Pete Silva — Thu, 26 Jan 2012 20:28:27 GMT

When I talk on the phone, I’ve always used my left ear to listen. Listening in the right ear just doesn’t sound right. This might be due to being right handed, doing the shoulder hold to take notes when needed. As corded turned to cordless and mobile along with the hands-free ear-plugs, that plug went into the left ear whenever I was on the phone. Recently, I’ve been listening to some music while walking the dog and have run into an issue. The stereo ear plugs do not fit, sit or stay in my right ear. I have no problem with the nub in my left ear but need to keep re-inserting, adjusting and holding the plug in my right ear. I’m sure I was born with the same size opening for both ears years ago and my only explanation is that my left ear has evolved over the years to accommodate an ear plug. Even measuring each indicates that the left is opened more ever so slightly. I seem to be fine, or at least better, with the isolation earphone style but it’s the ear-bud type that won’t fit in my right ear. I realize there are tons of earplug types for various needs and I could just get one that works for me but it got me thinking. If my ears or specifically my left ear has morphed due to technology, what other human physical characteristics might evolve over time.

As computers became commonplace and more people started using keyboards, we started to see a huge increase of carpal tunnel syndrome. Sure, other repetitive tasks of the hand and wrist can cause carpal tunnel but typing on a computer keyboard is probably the most common cause. Posture related injuries like back, neck, shoulder and arm pain along with headaches are common computer related injuries. Focusing your eyes at the same distance over extended periods of time can cause fatigue and eye strain. It might not do permanent damage to your eyesight but you could experience blurred vision, headaches and a temporary inability to focus on faraway objects. Things like proper design of your workstation and taking breaks that encourage blood flow can help reduce computer related injuries. Of course, every profession has their specific repetitive tasks which can lead to some sort of injury and, depending on your work, the body adjusts and has it’s own physical memory to accomplish the task. Riding a bike. Often smokers who are trying to quit can tolerate the nicotine deduction but it’s the repetitive physical act of bringing the dart up that causes grief. That’s why many turn to straws or toothpicks or some other item to break the habit.

We’ve gotten use to seeing people walking around with little blue-tooth ear apparatus attached to their heads and think nothing of it. They’ll leave it in all day even if they are not talking on the phone. Many probably feel ‘naked’ if they forgot it one day, almost like a watch or ring that we wear daily. I mentioned a couple years ago in IPv6 and the End of the World that with IPv6, each one of us, worldwide, would be able to have our own personal IP address that would follow us anywhere. Hold on, I’m getting a call through my earring but first must authenticate with the chip in my earlobe. That same chip, after checking my print and pulse, would open the garage, unlock the doors, disable the home alarm, turn on the heat and start the microwave for a nice hot meal as soon as I enter. Who would have thought that Carol Burnett's ear tug would come back.

Now that many of us have mobile devices with touch-screens, we’re tapping away with index fingers and thumbs. I know my thumb joints can get sore when tapping too much. Will our thumbs grow larger or stronger over time to accommodate the new repetitive movement or go smaller and pointy to make sure we’re able to click the the correct virtual keypad on the device. We got video eyewear so it’s only a matter of time that our email and mobile screens could simply appear while wearing shades or as heads up on the car windshield. With special gloves or an implant under our hand, we can control the device through movement or tapping the steering wheel.

Ahhh, anyway, I’m sure things will change again in the next decade and we’ll have some other things happening within our evolutionary process but it’ll be interesting to see if we can maintain control over technology or will technology change us. In the meantime, I’ll be ordering some new earphones.

Technorati Tags: F5, humans, people, Pete Silva, security, behavior, education, technology, mobile, earphone, ipv6, computer injury, iPhone, web,

Connect with Peter:	Connect with F5:

Human Kinetics - F5 Case Study

F5 Networks News — Thu, 26 Jan 2012 13:01:00 GMT

Human Kinetics publishes and sells print, online, and multimedia materials related to kinesiology. It hosts its own e-commerce website and nearly 40 other educational and storefront sites, which together get about half a million unique visits per month. A year after its deployment, HK's third-party network solution had become unstable, was inflexible and difficult to support, and impaired performance. HK replaced the solution with F5 BIG-IP Local Traffic Manager and BIG-IP Application Security Manager.

Human Kinetics - F5 Case Study

More resources:

Human Kinetics

Connect with F5:

Latest F5 Information

Technorati Tags: F5,F5 News,case study,performance,security,video

2012 steht ganz im Zeichen der Mobilität

Claudia Kraus — Thu, 26 Jan 2012 09:20:26 GMT

"2010 wurden in Europa erstmals mehr Smartphones als PCs verkauft, so stieg der Absatz der cleveren Endgeräte gegenüber dem Vorjahr um 83 Prozent an. Gleichzeitig wächst der Anteil der mobilen Mitarbeiter in deutschen Unternehmen jährlich um etwa fünf Prozent, in Europa ist heute bereits gut die Hälfte aller europäischen Arbeitnehmer "mobilisiert". IT-Abteilungen haben längst erkannt, dass Personal Devices, wie etwa Smartphones, Tablets und Apps zu wichtigen Tools für die tägliche Arbeit in ihren Unternehmen geworden sind und zwischenzeitlich strategischen Wert erreicht haben. Folgerichtig werden Unified Communications und Mobility in den nächsten Jahren zunehmend zur treibenden Kraft im Wettbewerb, indem sie die Zusammenarbeit der Mitarbeiter untereinander fördern, die Zufriedenheit der Mitarbeiter und die Agilität von Geschäftsprozessen steigern sowie Innovationen vorantreiben. Unified Communications und Mobility sind künftig die tragenden Säulen einer jeden Enterprise Mobility-Strategie […]," schreibt Nicholas McQuire Research Director beim renommierten Marktbeobachtungsinstitut IDC EMEA, in seinem Begrüßungstext zur IDC Unified Communications & Mobility Conference 2012.

Auch wir von F5 haben in den letzten Jahren im Rahmen unserer externen Kommunikation sowie auch an dieser Stelle im NotizBlog immer wieder darauf hingewiesen, dass der „Mobile User Access“ bereits Realität und „Bring Your Own Device“ ein erkennbarer Trend ist, dem IT-Abteilungen gewachsen sein müssen. Arbeitnehmer sind viel unterwegs, Mobilität und räumliche Flexibilität sind in vielen Berufen mittlerweile eine Voraussetzung, um Geschäftsziele zu erreichen. Auch der demographische Wandel macht es erfolgreichen Unternehmen nahezu unmöglich, sich mobilen, externen Arbeitsformen, ein einfaches Beispiel ist das Home Office, zu verschließen.

Allerdings erleben wir bei F5 immer wieder, dass es vielen Unternehmen an einer Strategie fehlt, diese Herausforderungen zu meistern. Der externe Zugriff auf das Firmennetzwerk ist häufig noch zu langsam, zu unsicher oder lückenhaft. Viele Arbeitnehmer beschweren sich darüber, neben privaten Geräten auch noch das dienstliche Notebook und das Diensthandy mit sich führen zu müssen. Ein ziemlich unnötiger Ballast, macht es doch gerade unsere vereinheitlichte Zugangslösung möglich, einen sicheren, optimierten und globalen Zugang zum Firmennetzwerk herzustellen.

Im Rahmen der zu Anfang erwähnten IDC Konferenz, wird unser geschätzter Kollege Frank Thias, Field Systems Engineer einen spannenden Vortrag (Titel: Advanced Dynamic Services for Unified Access Control) zum Thema halten. Ich kann diese Präsentation jedem interessierten Besucher nur wärmstens ans Herz legen – wer nicht vor Ort ist, den informiere ich gerne persönlich zu dem Thema…

Viele Grüße,

Ihre Claudia Kraus

The Mobile Chimera

Lori MacVittie — Wed, 25 Jan 2012 11:56:00 GMT

#mobile #vdi #IPv6 In the case of technology – as with mythology - the whole is often greater (and more challenging) than the sum of its parts.

The chimera is a mythological beast of scary proportions. Not only is it fairly large, but it’s also got three, independent heads – traditionally a lion, a goat, and a snake. Some variations on this theme exist, but the basic principle remains: it’s a three-headed, angry beast that should not be taken lightly should one encounter it in the hallway.

Individually, one might have a strategy to meet the challenge of a lion or a goat head on. But when they converge into one very angry and dangerous beast, the strategies and tactics employed to best any one of them will almost certainly not work to address all three of them simultaneously.

The world of mobility is rapidly approaching its own technological chimera, one comprised of three individual technology trends. While successful stratagem and tactics exist which address each one individually, when taken together they form a new challenge requiring a new strategic approach.

THE MOBILE CHIMERA

Three technology trends - VDI, mobile, and IPv6 - are rapidly converging upon the enterprise. Each is driven in part by the other, and each requires in part functionality and support of another. Addressing the challenges accompanying this trifecta requires a serious evaluation of the enterprise infrastructure with an eye toward performance, scalability, and flexibility, less it be overwhelmed by demand originating both internally and externally.

Mobile

The myriad articles, blogs, and editorial orations on mobile device growth have to date focused on the need for organizations to step up and accept the need for device-ready enterprise applications. This focus has thus far ignored the reality of the diversity of the device client base, the ramifications of which those with long careers in IT will painfully recall from the client-server era. Thus it is no surprise that interest in and adoption of technology such as VDI is on the rise, as virtualization serves as a popular solution to the problem of delivering applications to a highly-diverse set of clients.

But virtualization, as popular a solution as it may be, is not a panacea. Security and control over corporate resources and applications is a growing necessity today because of the ease with which users can take advantage of mobile technology to access them.

Access control does not entirely solve the challenges of a diverse mobile client audience, as attackers turn their attention on mobile platforms as a means to gain access to resources and data previously beyond their reach. The need for endpoint security inspection continues to grow as the threat posed by mobile devices continues to rear its ugly head.

VDI

It was inevitable that the growth of mobile device usage in the enterprise continued to grow that so, too, would the solution of VDI grow as the most efficient way to deliver applications without requiring mobile platform-specific versions. The desire by business owners and security practitioners to keep data securely within the data center "walls", too, is a factor in the rising desire to deploy VDI. VDI enables organizations to deliver applications remotely while maintaining control over data inside the data center, preserving enforcement of corporate security policies and minimizing risk.

But VDI deployments are not trivial, regardless of the virtualization platform chosen. Each virtualization solution has its challenges and most of those challenges revolve around the infrastructure necessary to support such an initiative. Scalability and flexibility are important facets of VDI delivery infrastructure, and performance cannot be overlooked if such deployments are to be considered successful.

IPv6

Who could forget that the Internet is being pressured to move to IPv6 sooner rather than later, in part because of the growth of mobile clients? The strain placed on service providers to maintain IPv4 support as a means to not "break the Internet" can only be borne so long before IPv6 becomes, as has been predicted, the Y2K for the network.

The ability to deliver applications via VDI to mobile devices will soon require support for IPv6, but will not obviate the need to support IPv4 just yet. A dual stack approach will be required during the transition period, putting delivery infrastructure again front and center in the battle to deploy and support applications for mobile devices.

With all accounts numbering mobile devices in the four billion range across multiple platforms and effectively 0 IPv4 addresses left to assign to those devices, it should be no surprise that as these three technology trends collide the result will be the need for a new mobility strategy.

This is why solutions are strategic and technology is tactical. There exist individual products that easily solve each of these problems individually, but very few solutions that address the combined juggernaut that is the three combined. It is necessary to coordinate and architect a solution that can solve all three challenges simultaneously as a means to combat complexity and its associated best friend forever, operational risk.

A flexible and scalable delivery strategy will be necessary to ensure performance and security without sacrificing operational efficiency.

Connect with Lori:	Connect with F5:

Related blogs & articles:

Technorati Tags: F5,MacVittie,mobile,vdi,ipv6,application delivery,strategy,performance,security,availability,architecture,quasar,blog

Daily implications of cyber-attacks

Or Katz — Wed, 25 Jan 2012 10:29:43 GMT

I don’t know if you had the chance to hear about it but in the last couple of weeks a mini cyber-attack campaign was being held in the Middle East. It all started a couple weeks ago when a hacker (allegedly from the Arabian Peninsula) published several thousand Israeli credit card numbers and email addresses. This was the first round in a potential multi-round skirmish that at its highest peak included Distributed Denial of Service (DDoS) attacks from both parties on both Saudi Arabian and Israeli stock exchange web sites. How did all this transpire? Let’s look at the details and I’ll share how I think it unfolded:

1. Attack method – as far as I understand, the attackers used these attack techniques:

i. SQL injection on each other’s web applications, penetrating into the applications’ databases and stealing sensitive information.

ii. Web Application DDoS attacks, according to information that was published over the media. These attacks involved up to 10,000 different sources (computers that were infected by malware and controlled by attackers).

2. Source of the attack – according to information that was published in the Israeli media, 50% of the sources of the attacks were from Israel.

3. Attack complexity – service of DDoS attacks can be bought for money, and renting an army of infected computers controlled remotely doesn’t require technical skills. SQL injection is a well known vulnerability for more than 10 years and unfortunately it is here to stay. On the web you can find many free tools that can find the vulnerability and create an exploit for it.

What can be learned from it?

While from the common web user’s point of view this seems like a major incident that should be addressed on a nationwide scale (which is probably true), this kind of incident happens all the time on commercial web applications, but in many cases never reaches the news. Protecting your application, allowing confidentiality of customers’ stored data (for example, credit card numbers), supplying 24/7 accessibility to the web application, and maintaining a secure reputation are key objectives for web application administrator.

Here is something to think about: the biggest impact of this affair was on the public’s state of mind. It got a lot of the media attention, it raised public awareness regarding the use of credit cards on the web, and started new discussions on threats that we may encounter as a nation in future cyber warfare.

F5 Networks’ BIG-IP Application Security Manager supplies the answer for these challenges by allowing the web application administrator to deploy a layer 3 to layer 7 unified security architecture that includes network and application DoS and DDoS protection, while at the same time prevents SQL injection attacks.