#v11 #F5agility The next generation of infrastructure from F5 is ready and ABLE to meet the challenge
Today F5 has introduced the next generation of its application delivery infrastructure, v11. This new generation of BIG-IP is ready to meet the challenges arising from a variety of external forces driving IT toward a dynamic data center by being more able: more manageable, more scalable, and better at mitigating preventable attacks, while being more adaptable than ever.
One of the hallmarks of an F5 infrastructure solution is that it offers the ability to take advantage of contextual intelligence at a strategic point of control in the network. Whether shielding applications or critical DNS infrastructure from attacks or enabling the unique architectural solutions necessary for the implementation of a more scalable and dynamic application delivery ecosystem, F5 solutions contribute heavily toward a more operationally secure and efficient data center.
If we had to sum up briefly the core themes of what’s new in v11 (and we do lest we end up with a book) we’d say it’s more manageable, more scalable, more adaptable and with specific features designed to prevent myriad security challenges.
Along with the recent introduction of our mid-market chassis, VIPRION 2400, came vCMP (virtual clustered multi-processing), which takes advantage of virtualization internal to the BIG-IP system to make it possible to provision multiple instances of BIG-IP. But in addition to the architectural advantages vCMP offers IT organizations and service providers, it also sets the stage for the introduction of capabilities in v11 designed to make not just BIG-IP but the applications and services it delivers more manageable, and move IT another step (or two) closer to being able to deliver on IT as a Service.
MANAGEABLE : APPLICATION CONTROL PLANE ARCHITECTURE
This next generation of BIG-IP both makes applications and itself more manageable with a combination of application-focused features: iApp and iApp Analytics. The former is a revolutionary way of managing the policies that govern every aspect of application delivery. iApp enables IT to rapidly deploy and provision application services—such as authentication, data protection, traffic management, and acceleration—on a per-application basis. It’s a completely application-focused view and method of managing application services.
But it’s not just manageable, it’s also adaptable. iApp not only changes the game in terms of how you manage application delivery policies, it changes the game in terms of how you create and deploy them, as well. iApp templates provide business, policy-driven configuration and encourage collaboration. Building off our experience with iRules, iApp drives automation and provisioning in a services-focused way, making them reusable and supporting the ability to duplicate success with repeatable deployment architectures. This significantly reduces the time required to configure application delivery policies critical to meet operational and business application goals. Deploying application delivery policies with iApp is 10-100 times faster than it used to be, reducing the time required from weeks to hours.
iApp isn’t just about encapsulating F5’s Application Ready Solution guides – though that’s certainly a boon for IT – it’s also about the ability to share an iApp, as well. v11 includes more than 20 iApp templates but customers aren’t restricted to waiting for official F5 templates. Much in the same way we share iRules and iControl-based solutions on DevCentral, F5 engineers and customers will be able to share iApp templates designed for specific applications and infrastructure.
F5’s new iApp Analytics brings to manageability the operational data and view of that data necessary to better manage applications based on context. iApp Analytics provides real-time visibility into application and user performance, allowing administrators to assess, isolate and address problem areas, and track the impact of adjustments. This data is presented on a per-application basis rather than by nebulously named configuration objects, and allows operators to see at a glance holistic performance and usage data that can better enable troubleshooting and capacity planning and help identify potential security issues. When combined with iApp and its flexibility, and supplemented with the programmability of BIG-IP via iRules, organizations now have a more powerful, flexible system powered by actionable data upon which application delivery policies can be quickly deployed and rapidly adapted based on business and operational conditions.
PREVENTABLE: APPLICATION and INFRASTRUCTURE VULNERABILITIES
Complexity is the enemy of good security and the way in which datacenters have been designed along with security infrastructure topological choices is now becoming a huge factor in the inability to adequately protect ourselves. Whether it’s DDoS targeting infrastructure – DNS – or applications, a more complete security solution is required to meet the challenge of these often overwhelming attacks. Too often firewalls or other infrastructure components have failed in the face of overwhelming demand, reducing or eliminating availability of web sites and applications. That demand comes from both legitimate and illegitimate sources, but both often inadvertently take advantage of the complex network of security and application delivery infrastructure by simply overwhelming the least capable device in the application delivery chain. BIG-IP v11 is not only more capable of handling such demand, but it is also more capable of recognizing and addressing attacks that may be the source.
Both BIG-IP Local Traffic Manager (LTM) and Global Traffic Manager (GTM) benefit from our core CMP (Clustered Multi-Processing) technology as well as new features specifically designed to address attacks based on protocol flooding. DNS is particularly vulnerable because by its nature it must be public and it is one of the few infrastructure components that has not previously followed the software –> appliance –> hardware path of its routing and switching cousins. Solutions designed to address DNS flooding attacks are generally based around the idea of caching, but we know that this solution is also vulnerable. v11 addresses the vulnerability and inadequacies in subsequent solutions by providing a high-speed, high-capacity DNS front-end capable of handling millions of queries per second and combining it with a globally-minded architecture that ensures availability by maintaining multi-site resilience at all times.
It’s not just about resilience in scale, however, it’s also about preventing the increasingly ingenious means of subverting security used by attackers today. It’s about evolving security solutions to meet new challenges from layer 2 to layer 7, up and down and across the entire stack of application and networking technology. AJAX is the darling du jour of interactive applications today. It’s used to exchange data in real time between client – mobile or fixed – and server to promote a more responsive, interactive and real-time application experience. The data increasingly is exchanged via JSON, which appears to be winning the API and application format war with XML. BIG-IP Application Security Manager (ASM) has long been capable of protecting XML, and with v11 it’s capable of protecting JSON-based data exchanges, as well.
The ability to parse JSON payloads and protect AJAX applications that use JSON for data transfer between the client and server has become an important area to focus defenses and yet aside from targeted XML gateways, very few web application firewall solutions are capable of enforcing JSON-based policies. With JSON payloads becoming more and more common as the format of choice for APIs and integration across applications – both social and enterprise – it is imperative that security-focused infrastructure be capable of identifying threats that may be buried within exchanged messages. That’s why BIG-IP ASM v11 includes the ability to parse JSON and enforce security policies on messages, to ensure the integrity of those messages is not compromised nor its growing use as a means of application integration exploited.
SCALABLE: SCALEN and ARCHITECTURE
Generally speaking, if scalability is being discussed the focus is applications. And while we certainly wouldn’t discount the importance of such discussions, we do need to remember that infrastructure also needs to be scalable – especially given the increasing mix of form-factors and deployment models (read: cloud computing) being used to deploy infrastructure solutions.
v11 breaks the traditional high-availability (HA) pair paradigm with Device Service Clusters. Device Service Clusters are able to run multiple, simultaneous active devices, with load on each device segmented by application or multiple applications. ScaleN allows multiple active devices to look like one and provides the ability to distribute load across ADCs on an application-by-application basis. Applications can be individually migrated or failed over between devices in a device service cluster. Not only can you fail over a device, but now customers can spread the load of a failed system to any available devices in the device service cluster. This capability provides the ability to leverage the redundancy benefits of active-standby while maximizing utilization. It also enhances fault-isolation – the ability to isolate applications from failures in other applications by moving dependencies that previously required failover at the device level to the application level. An application failure – or application delivery misconfiguration – in one application need never impact the entire device on which that application is deployed. This approach combines a hybrid virtual-physical application delivery network architecture with vCMP to enable a much less topologically complex deployment while reducing CapEx and OpEx by decreasing the number of systems sitting idle.
Scalability can also be achieved through architectural solutions that more efficiently leverage existing resources while optimizing access. Traditional architectures comprise multiple solutions, each providing specific infrastructure services: acceleration, optimization and access management. These individual solutions required tiers of scalability, each of which increases the number of devices or server hardware required and ultimately results in an inefficient deployment model in which each tier must be carefully provisioned to ensure the scalability of the overall application. This often results in over-provisioning – an inefficient use of resources - or ultimately in an outage or performance degradation that negatively impacts business productivity.
Consolidation of application delivery requires support, however, for a wide variety of services including access management. Access management requires integration and collaboration with identity management systems as well as with the various methods of authentication and authorization implemented by applications today. That means a consolidated solution must not only support a variety of back-end access management systems, but be able to translate between available methods on clients. This is increasingly difficult as the promulgation of tablets and mobile devices continues to harry operations and security staff, because these devices are in flux when it comes to support for enterprise-class application access management systems.
BIG-IP Access Policy Manager (APM) v11 combines application delivery capabilities like acceleration and optimization with access policy management and enforcement to provide a more scalable option for securing applications regardless of client-device and method of authentication. With the ability to take credentials from forms-based authorization, e.g. HTTP BasicAuth, and transition to Kerberos and other identity management protocols, APM v11 can effortlessly provide a single tier of access management that eliminates many of the scalability issues arising from traditional architectures and the proliferation of access management tiers to support both application and client-device differences.
This enables scalability by eliminating complexity and components and when combined with ScaleN is a powerful means of scaling applications and infrastructure more efficiently and with less overall cost – and risk.
THE NEXT GENERATION of BIG-IP is READY and ABLE
This next generation of BIG-IP, v11, is expansive. With a wealth of new features, new platforms and new functionality there’s too much to dive into in a single post, so we’ve chosen to focus on just a few key features today. Overall, this release is all about being able to meet the demands of today’s data centers while enabling organizations to continue to evolve toward IT as a Service; toward a dynamic data center. With a focus on flexibility, scalability and productivity for IT, this version of BIG-IP is more able than ever to address both the common and unique challenges faced by enterprise IT organizations of all sizes in every industry.
Whether through simplification of infrastructure architecture or a services-based configuration model that encourages collaboration, v11 is about improving operational efficiency and thus reducing budgets, errors, and outages across applications and services.
There are sure to be blogs and technical tips and other discussions of v11 in the coming days, so be sure to stay tuned – and welcome to the next generation of ABLE infrastructure!