There are 32 main features in the 11.6 release of the BIG-IP family of products and 29 of those are security features. That’s right; 91% of the features in the 11.6 release are security-related. Many of them are hardcore, infrastructure doodads that go unmentioned in press releases. This is the blog where I’ll try to give these hardcore doodads some public attention.

The selection criteria are somewhat subjective because there’s no IEEE standard for hardcore. The real difficulty with this blog entry is choosing among the 29 features to select only the Top Ten Hardcore Security Features of 11.6.


Number 10: DNS Firewall Services

The 11.6.0 version of GTM includes two DNS security knobs for DNS firewall services. The first is Rapid Response Mode, which instructs GTM to respond more quickly in zones for which it is authoritative and then to drop the rest. The second knob is Response Policy Zones (RPZ), which allows for customized handling of the resolution of domain names. With RPZ, you can filter DNS queries for domains that are known to be malicious and return custom responses that direct those queries away from the malicious domain.
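To make the RPZ idea concrete, here is an added example (not F5's code or GTM configuration) that evaluates queries against a small policy zone using the standard RPZ QNAME-trigger encodings. The domain names, the 192.0.2.10 walled-garden address and the function names are constructed for illustration.

```python
# Added illustration of standard RPZ QNAME-trigger semantics; not F5 GTM code.
# The zone contents below are constructed sample data.
RPZ_ZONE = """
; trigger (owner name)   type   rdata            ; resulting policy
bad.example              CNAME  .                ; NXDOMAIN
*.bad.example            CNAME  .                ; NXDOMAIN for subdomains
ok.bad.example           CNAME  rpz-passthru.    ; exempt from the wildcard
tracker.example          CNAME  *.               ; NODATA
phish.example            A      192.0.2.10       ; local data (walled garden)
*.phish.example          A      192.0.2.10
"""

# CNAME targets that encode a policy action instead of a real alias.
SPECIAL = {".": "NXDOMAIN", "*.": "NODATA",
           "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}

def parse_rpz(text):
    """Return {owner: (rtype, rdata)} for each policy record in the zone text."""
    rules = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = line.split()
        rules[owner.lower().rstrip(".")] = (rtype.upper(), rdata)
    return rules

def action_for(rtype, rdata):
    """Map a policy record to (action, replacement answer or None)."""
    if rtype == "CNAME" and rdata in SPECIAL:
        return (SPECIAL[rdata], None)
    return ("LOCAL-DATA", f"{rtype} {rdata}")

def evaluate(qname, rules):
    """Exact trigger wins; otherwise the first enclosing wildcard found.
    Simplified wildcard walk, enough to show how the filtering decision is made."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return action_for(*rules[name])
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in rules:
            return action_for(*rules[wild])
    return ("NO-MATCH", None)  # not in the policy zone: resolve normally

RULES = parse_rpz(RPZ_ZONE)
```

The LOCAL-DATA case is the "custom response" from the paragraph above: the resolver answers with the policy zone's own record, steering the client to a safe address instead of the malicious one.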


Brian McHenry, one of F5’s Security Solution Architects, says this about the DNS Firewall services: “The world's only wire-rate application layer DNS Firewall now integrates seamlessly with an industry standard. Add to it improvements in DNS flood protection, and the fastest DNS firewall just got faster.”

To read more about the RPZ, see Jonathan George’s blog here.

GTM, the Global Traffic Manager, is F5’s most senior module. It is responsible for global server load-balancing and DNS services.

Number 9: Hardware DDoS Integration for vCMP Guests

When vCMP was first developed, each virtual instance was given a slice of access to the underlying cryptographic offload and compression hardware. This feature continues the tradition by giving each virtual instance access to the underlying network DDoS hardware. Not all platforms have the chips that do this. If you want to know which platforms have it, leave a comment and one of my lovely assistants will post a follow-up.


“You went full technical, man. Never go full technical.”

vCMP is the virtual clustered multi-processor technology and is already about as hardcore as it gets. vCMP is F5’s answer to everyone who wants the flexibility of virtualization but the performance of F5 hardware.


Number 8: Geo-location-based anomaly mitigation

Imagine this conversation in the war room.

“Sir, we’re being attacked by Elbonia.”
“Ensign, have you blocked all the traffic coming from Elbonia?”
“Um, no, sir.”
“Well, make it so!”

That’s a conversation that need not happen with this new feature. You can now tell ASM to automatically mitigate DDoS or brute-force anomalies by the geographic location of the source. How cool is that?

“The planet just exploded, sir.”

David Holmes - Slash The Seats. - YouTube