The Intruders of Things

Posted in f5, big-ip, cloud computing, silva, application delivery, privacy, devcentral, iot by psilva on August 23rd, 2016

Gartner predicts that by 2020, IoT security will make up 20 percent of annual security budgets.


2020 seems to be an important milestone for the Internet of Things. That’s the year that Cisco says there will be 50 billion connected devices and also the year Gartner notes that over 50% of major new business processes and systems will incorporate some element of the Internet of Things.

That’s the good news.

A recent Symantec Internet Security Threat Report says there are 25 connected devices per 100 inhabitants in the US. That is a minimum of 25 entry points to your personal information, not counting your front door, personal computers, compromised ATMs and other data sources. As your connected devices grow, so will your exposure. And with no clear methods of identifying and authenticating connected devices, enterprises will have a challenging time getting a handle on how many employee shirts, shoes, fitness trackers, and smartwatches are connected to the corporate network. And more importantly, what do they have access to?

The sneaky spreadsheet macro malware will soon be a spoofed critical alert requiring instant attention.

Healthcare is a prime target for IoT attacks and researchers have already compromised several devices, revealing personal info and worse, causing the devices to malfunction. ‘Hey, why isn’t my heart beating any…’

The chaos on the feature-first consumer side can be frustrating, but it is nothing compared to industrial and manufacturing.

The Industrial Internet of Things (IIoT) focuses on industrial control systems, device-to-network access and all the other connective sensor capabilities. These attacks are less frequent, at least today, but the consequences can be huge – taking out industrial plants, buildings, tractors, and even entire cities.


If you think data protection and privacy are hot now, just wait until 2020. Like BYOD, security pros need to be ready for the inevitable, not just the potential, of a breach. While the gadgets get all the interest, it’ll be the back-end data center infrastructure that will take the brunt of the traffic – good and bad.

Organizations need an infrastructure that can both withstand the traffic growth and defend against attacks. Over on F5’s Newsroom, Lori MacVittie talks about the 3 Things the Network Must Provide for IoT – delivery, security and visibility: things that can communicate securely with back-end apps, ADCs that can understand the languages of things (like MQTT) and the ability to see what is going on with the things.

According to TechTarget, ensuring high availability of the IoT services will rely on boosting traffic management and monitoring. This will both mitigate business continuity risks and prevent potential losses. From a project planning standpoint, organizations need to do capacity planning and watch the growth rate of the network so that the increased demand for the required bandwidth can be met.


If you already have BIG-IP in your back yard, you’re well on your way to being IoT ready. You have the network security to protect against inbound attacks; you can offload SSL to improve the performance of the IoT application servers; you can extend your data centers to the cloud to support IoT deployments; scale IoT applications beyond the data center when required; and both encrypt and accelerate IoT connections to the cloud.

A pair of BIG-IPs in the DMZ terminates the connection. They, in turn, intelligently distribute the client request to a pool (multiple) of IoT application servers, which then query the database servers for the appropriate content. Each tier has redundant servers so in the event of a server outage, the others take the load and the system stays available.

The BIG-IP tuning may vary but it is still all about nodes, hosts, members, pools, virtual servers and the profiles and services applied. The BIG-IP platform is application and location agnostic, meaning the type of application or where the application lives does not matter. As long as you tell the BIG-IP where to find the IoT application, the BIG-IP platform will deliver it.

ps




I’m Sorry Sir, You’re Obsolete

Is the rate of obsolescence proportionate to the rate of technology advances?


A few years ago, those little iHome alarm clocks started to appear in hotel rooms. Cool gadgets that you could mount your mobile phone to, to charge the battery or play the music on the device. We also had a few in our home. They worked perfectly for the iPhone 4 since the connector was that 1 inch protruding plug. When I got the iPhone 6, those clocks instantly became useless. Obsolete. At least the phone connector part lost its value.

I’ve been thinking about this for a while.

The rate of obsolescence. The state when an object, technology, service or practice is no longer needed or wanted…even though it still may be in good working order. E-waste is the fastest growing segment of the waste stream. With the technological advances, not only are we buying the latest and greatest electronics but we’re also dumping perfectly good, working devices at silly rates. There was even a story about a Central Park mugger who rejected a flip phone during a heist.

Sure, the new gadget is shiny, faster, better or does stuff the other one couldn’t. All commercial things have the typical emerging, growth, maturity and decline model and I started wondering if the rate of obsolescence is proportionate to the rate of technology advances.

Moore’s Law and Wright’s Law are generally regarded as the best formulas for predicting how rapidly technology will advance. They offer approximations of the pace of technological progress. Moore’s Law (1965) describes the rate of improvement in the power of computer chips – essentially, the number of components doubles every 18 months. Generally, the principle can be applied to any technology and says that, depending on the technology, the rate of improvement will increase exponentially over time.

Wright’s Law (1936) says that progress increases with experience, meaning that each percent increase in cumulative production (in a given industry) results in a fixed percentage improvement in production efficiency.
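Put as formulas (an added note, not part of the original post; the symbols $N_0$, $T$, $C_1$, $x$ and $b$ are mine), the two laws are different in kind. Moore’s is exponential in time:

$$N(t) = N_0\,2^{t/T}, \qquad T = 18\ \text{months} = 1.5\ \text{yr},$$

so a decade gives $N(10\,\text{yr})/N_0 = 2^{10/1.5} \approx 2^{6.67} \approx 100$. Wright’s statement that each percent increase in cumulative production yields a fixed percentage improvement is a constant elasticity, which integrates to a power law in cumulative output $x$ rather than in time:

$$\frac{d\ln C}{d\ln x} = -b \quad\Longrightarrow\quad C(x) = C_1\,x^{-b},$$

so every doubling of cumulative output multiplies unit cost $C$ by the fixed progress ratio $2^{-b}$ (for $b \approx 0.32$ that is about $0.80$, a 20% improvement per doubling).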

A simple web search of ‘rate of technological advancement’ returns scores of images that show a huge ramp going up.

rate_of_advancement.jpg

But is there the same rapid decline chart for ‘out of date, lost freshness’ technologies gone by?

Nothing with a laptop falling off a cliff, but there are certainly charts showing the rate of e-waste.

e-waste-management-17-728.jpg

The climb is not as dramatic as technology advances (yet) but it is still growing rapidly.

So there doesn’t seem to be (or I simply can’t find it) a direct correlation or chart that incorporates both technology advances and the resulting obsolescence. There are plenty of articles that do cover things that will be obsolete in the next few years (DVD players, landlines, clock radios); the jobs that will be obsolete (travel agent, taxi driver); and the things that became obsolete over the last decade.

There is a patent, US7949581B2, which describes a method of determining an obsolescence rate of a technology, yet that looks more at the life of a technology patent and its eventual decay and depreciation rate. Fewer citations over the years means patent decay. This is more about the depreciation of a specific patent rather than how society embraces and then ultimately tosses the technology.

The funny thing is that nowadays vintage items and antiques seem to be hot markets. Nostalgia is a big seller. Longing for the simpler times, I guess.

And lastly, the rate of world IQ over time. Is there a connection with technology?

world_IQ_over_time.png

If you feel your infrastructure is becoming obsolete with all that cloudy talk, F5 can certainly help by providing the critical application delivery services consistently across all your data centers - private clouds, public clouds, and hybrid deployments - so you can enjoy the same availability, security and performance you've come to expect.

ps


E-waste image courtesy: www.slideshare.net/SuharshHarsha

World IQ image courtesy: http://uhaweb.hartford.edu/BRBAKER/




I Am an Application Delivery Fundamentalist!

Posted in f5, big-ip, silva, application delivery, devcentral, infrastructure, certification by psilva on August 9th, 2016

Fun and a little mental.


If you’ve been following along the DevCentral team’s journey toward F5 Certification, then you may be aware that we were in Chicago last week for F5’s Agility 2016 conference and took our 101 Application Delivery Fundamentals exam. I am happy to report that all of us, Jason, John, Chase and I, passed our exams. I gotta tell you, it’s a relief since I didn’t want to title this article, 'Two Out of Three Ain’t Bad.' Good song but wanted to avoid that.

We started this excursion back in April (me in March) with the team deciding to create a study group. Each week we’d tackle a topic with the guidance of Eric Mitchell’s excellent Study Guide. We worked through the sections and decided to test our luck with the Certification Team’s mobile testing center...with the pressure of passing during an F5 event. Imagine the slight pre-test anxiety going through our minds if we didn’t pass. ‘How long have you been at F5?’ the questions would have started. My mouth covering, embarrassing, face-palming, muffled response of, ’12 years,’ would not have been sufficient.

As Ken told us on the way into the exam room, ‘I tell people it is either pass or fail…so don’t worry about your overall score.’ But he also added specifically to me, ‘You know if you fail, I will give you grief.’ No Pressure.

Well, we were prepared and we all passed!


Jason, John and I took the exam Tuesday morning. After registering and scheduling with Pearson Vue, we arrived at the mobile test center. You need to sign in and present two forms of ID, one with your picture. Even though the Certification team knew all of us, we still needed to follow the procedure, no exceptions. We liked that we had no special treatment – other than the ‘hello’ hugs – and had to process and pass fair and square.

We were seated in different areas since the exam room was fairly full when we entered. The moderator helped each of us get to the proper test associated with our registration and the timer started. For the 101, you have 90 minutes to answer 80 questions. At 23 minutes in, Jason got up and was finished. ‘Wa?!?’ as I look up seeing him walk by, ‘I’m only on question 28!’ I lamented. At least John was still there and I kept an eye on my time and question count the rest of the way. But I also told myself, ‘I’m in no hurry and if I need the full 90 minutes, I’ll take it to the last tick.’

John finished about 40 minutes later and I was left with the last 30 to myself. With 10 minutes left, I was done but took that remaining time to review my answers. One tip: you can flag questions for review during the test or make comments for yourself as you move along. Close out the ones you know and go back for the more challenging questions. In the end I think I changed 3 answers. No idea if it swayed the results either way.


When you are done, you walk back to the registration room and your preliminary results are already waiting. I felt a quiver when Heidi glanced at my results and gave that ‘I’m sorry,’ look. But that was soon turned to glee as I read, ‘you have Passed.’ We were 3 for 3. Chase took the test on Wednesday and also passed.

I feel it was a very fair test to determine one’s basic application delivery knowledge. Some networking, some security, some infrastructure. And although we did prepare, it was still a challenging test. These exams are not supposed to be cake-walks but a good way to measure your knowledge around a certain topic.


While we passed and may be certifiable in our own right, we are not ‘officially’ F5 Certified. That comes with the 201 exam. The 201-TMOS Administration exam is the second exam required to achieve Certified F5 BIG-IP Administrator status. Candidates must have passed the 101-Application Delivery Fundamentals exam in order to be eligible for the 201 exam.

And wouldn’t you know it, we’re all now shooting for the 201. We plan on doing the team study again but we’ll also need to dig into some on box time for this one. I plan on keeping you posted for the 201 but for now, I’ll just bask in my 101 glory.

Phew!

ps




Q/A with SpringCM’s Joel Newton - DevCentral’s Featured Member for August

Posted in f5, big-ip, application delivery, devcentral by psilva on August 2nd, 2016


Joel Newton is a Senior DevOps System Engineer at SpringCM, a current DevCentral MVP and DevCentral’s Featured Member for August!

SpringCM believes in leveraging technology to deliver immediate savings by automating and accelerating business processes – essentially, bringing the power of the cloud to contract and document management. SpringCM was using BIG-IP LTM to load-balance their application servers when Joel started there four years ago, and he stepped into the role of being the primary BIG-IP admin, managing the VIPs, pools, and iRules. In addition to managing the BIG-IP LTM, he’s also an architect of their continuous delivery and configuration management systems. Outside of work, he enjoys philosophy, genealogy, spending time with his family, and being a craft beer evangelist (as well as drinking craft beer).

DevCentral got a chance to talk with Joel about his work, life and how DevOps & DevCentral have more in common than just the word ‘Dev.’

DevCentral: Hi Joel, thanks for your time! You are a current DevCentral MVP and have been a tremendous contributor to our community over the years. What keeps you involved?

Joel: I think it’s that DevCentral is a very active community, with a lot of smart people trying to solve a lot of interesting problems. Just perusing the most recent questions can be a great way to learn things.

My initial interest in DevCentral was sparked by Joe Pruitt’s docs on iControl and all the PowerShell knowledge and examples he provided. After a while, I realized that having a PowerShell module to manage LTMs might be beneficial, so I developed that and shared it with the community.

DC: Tell us a little about the areas of BIG-IP expertise you have.

JN: SpringCM primarily uses the BIG-IP LTM module and iControl REST. We built and host a large, complex, public-facing web application, and as such we have hundreds of servers that require load balancing. Since we have so many servers, our goal is to do as much of the administration as possible via scripts and command line, which is where iControl REST comes in. With PowerShell and iControl REST, we’re able to configure virtual servers, pools, pool members and iRules.

DC: You are part of a DevOps team at SpringCM. Can you explain how DevCentral helps with DevOps challenges?


JN: I think DevOps is just a fancy term for the attempt to achieve better system process automation and better system visibility. Anything that allows one to programmatically change settings and retrieve information about one’s systems (such as iControl and iControl REST, and all the PowerShell/Perl/Python snippets shared on DevCentral) aids people doing DevOps.

DC: Describe one of your biggest IT challenges and how DevCentral helped in that situation.

JN: SpringCM has wanted to do continuous delivery for a while. Instead of doing monolithic quarterly deployments of the entire production environment, we want to get to where we’re deploying to select servers during the day with zero downtime, as needed. A big part of this is being able to automate the management of BIG-IP pool members.

We’ve been doing zero-downtime deployments to production on a smaller scale to dozens of servers, but just recently, we accomplished our first “hot” (zero-downtime) deployment of our entire production environment (around 350 servers). This was only possible because we were able to use iControl REST and PowerShell scripts to have pool members disable themselves, wait until their connections dropped below a defined threshold, update their code, and re-enable themselves in their pool.

DC: We’re in your hometown, Chicago, this week for F5 Agility 2016. What are you looking forward to at Agility?

JN: I’ve signed up for some iRules labs, as well as one on BIG-IQ. We have some iRules that I inherited and have tweaked as needed, but I don’t feel that I’ve yet got a comprehensive picture on all that I could be using iRules for in our application. I’m looking forward to that, as well as getting a good intro to BIG-IQ.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

JN: Probably a full-time craft beer evangelist.

DC: Thanks Joel! Check out all of Joel’s DevCentral contributions and follow him on GitHub or connect on LinkedIn. And follow SpringCM: @springcm
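The drain, update and re-enable cycle Joel describes above, written out as an added example in Python (not SpringCM’s PowerShell module, and not F5 code) against the iControl REST pool-member and member-stats resources; it also shows the pool definition that the earlier ‘Intruders of Things’ post talks about in terms of nodes, members, pools and monitors. The host, credentials, pool name and member addresses are placeholders, and FakeBigIp is a constructed stand-in so the script runs offline. The graceful disable (session user-disabled with state user-up) is what lets existing connections finish while new ones go to the other members; the script deliberately raises instead of re-enabling a member that did not drain within the timeout.

```python
import base64
import json
import ssl
import time
import urllib.request

# iControl REST member path (real API shape; names below are placeholders).
MEMBER = "/mgmt/tm/ltm/pool/~Common~{pool}/members/~Common~{member}"
# Graceful drain: refuse new connections, let existing ones finish.
DISABLE = {"session": "user-disabled", "state": "user-up"}
ENABLE = {"session": "user-enabled", "state": "user-up"}


class BigIpRest:
    """Minimal stdlib iControl REST client using HTTP Basic auth."""

    def __init__(self, host, user, password, cafile=None):
        self.base = f"https://{host}"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        # Verify the device certificate against a CA you trust; the
        # automation account's credentials ride on this connection.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data,
                                     headers=self.headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx, timeout=15) as r:
            return json.loads(r.read())

    def get(self, path):
        return self._call("GET", path)

    def patch(self, path, body):
        return self._call("PATCH", path, body)


def pool_body(name, members, monitor="https"):
    """Body for POST /mgmt/tm/ltm/pool: the app-server tier behind the DMZ pair."""
    return {"name": name, "monitor": monitor,
            "members": [{"name": m} for m in members]}   # m is "ip:port"


def current_connections(stats):
    """Read serverside.curConns from the nested member stats document."""
    entry = next(iter(stats["entries"].values()))
    return int(entry["nestedStats"]["entries"]["serverside.curConns"]["value"])


def drain_member(client, pool, member, threshold=0, poll=5, timeout=600,
                 sleep=time.sleep):
    """Disable one member and wait until its connections reach the threshold.
    Returns the number of stats polls; raises TimeoutError if it never drains."""
    path = MEMBER.format(pool=pool, member=member)
    client.patch(path, DISABLE)
    waited, polls = 0, 0
    while True:
        conns = current_connections(client.get(path + "/stats"))
        polls += 1
        if conns <= threshold:
            return polls
        if waited >= timeout:
            # Member stays disabled: surface it rather than guess for the operator.
            raise TimeoutError(f"{member} still has {conns} connections")
        sleep(poll)
        waited += poll


def rolling_update(client, pool, members, deploy, **drain_opts):
    """Drain, update and re-enable one member at a time; the pool is never
    short more than one server."""
    for member in members:
        drain_member(client, pool, member, **drain_opts)
        deploy(member)  # the code push, run while the member is out of rotation
        client.patch(MEMBER.format(pool=pool, member=member), ENABLE)
    return list(members)


class FakeBigIp:
    """Constructed stand-in for offline runs: each poll reports, then drains 3."""
    def __init__(self, conns):
        self.conns = dict(conns)  # "ip:port" -> current connections
        self.patches = []

    def get(self, path):
        member = path.split("~Common~")[-1].rsplit("/stats", 1)[0]
        value = self.conns[member]
        self.conns[member] = max(0, value - 3)
        return {"entries": {f"https://localhost{path}": {"nestedStats": {
            "entries": {"serverside.curConns": {"value": value}}}}}}

    def patch(self, path, body):
        self.patches.append((path.split("~Common~")[-1], body["session"]))


if __name__ == "__main__":
    fake = FakeBigIp({"10.0.1.11:443": 7, "10.0.1.12:443": 0})
    print(rolling_update(fake, "iot_app_pool", list(fake.conns), deploy=print,
                         sleep=lambda s: None), fake.patches)
```

Against a real device, swap FakeBigIp for BigIpRest and give the automation an account whose role only allows enabling and disabling members, not an Administrator login; the drain needs nothing more, and a leaked deployment credential then cannot rewrite virtual servers or iRules.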




DevCentral at F5 Agility 2016

Posted in f5, big-ip, cloud computing, silva, devcentral, 2016 by psilva on July 26th, 2016

Four outta Five DevCentral members will appear in person at #F5Agility 2016.

That’s right! Jason, John, Chase and yours truly will be in Chicago next week for F5’s annual gathering of customers and partners. The DevCentral area will be in the heart of the Solution Expo and we’ll be offering some short technical presentations throughout the event. We’ll also have some t-shirts to give away along with a few other goodies.

Here is where we’ll be:

sol_expo.jpg

And here is our presentation schedule* to lock in to your mobile app.

dc_agility_sessions.jpg

If you will be at Agility 2016, please stop by to see us. 

And here are your Top 10 reasons to visit DevCentral at F5 Agility 2016:

  1. This is your F5 community
  2. Learn some new technical tips
  3. Ask your technical questions
  4. Watch a few technical presentations
  5. Our presentations are only 20 minutes
  6. Meet the team
  7. Grab a T-shirt
  8. Hang with other DC community members
  9. Relax and take a break
  10. Chase Abbott’s Session

Hope to see you there!

ps

*Subject to change 




Is 2016 Half Empty or Half Full?

Updating passwords is a huge trend in 2016


With 2016 crossing the half way point, let's take a look at some technology trends thus far.

Breaches: Well, many databases are half empty due to the continued rash of intrusions while the crooks are half full with our personal information. According to the Identity Theft Resource Center (ITRC), there have been 522 breaches thus far in 2016 exposing almost 13,000,000 records. Many are health care providers as our medical information is becoming the gold mine of stolen info. Not really surprising since the health care wearable market is set to explode in the coming years. Many of those wearables will be transmitting our health data back to providers. There were also a bunch of very recognizable names getting blasted in the media: IRS, Snapchat, Wendy’s and LinkedIn. And the best advice we got? Don’t use the same password across multiple sites. Updating passwords is a huge trend in 2016.

Cloud Computing: According to IDC, public cloud IaaS revenues are on pace to more than triple by 2020, from $12.6 billion in 2015 to $43.6 billion in 2020. The public cloud IaaS market grew 51% in 2015 but will slightly slow after 2017 as enterprises get past the wonder and move more towards cloud optimization rather than simply testing the waters. IDC also noted that four out of five IT organizations will be committed to hybrid architectures by 2018. While hybrid is the new normal, remember: The Cloud is Still just a Datacenter Somewhere. Cloud seems to be more than half full and this comes at a time when ISO compliance in the cloud is becoming even more important.

DNS: I’ve said it before and I’ll say it again, DNS is one of the most important components of a functioning internet. With that, it presents unique challenges to organizations. Recently, Infoblox released its Q1 2016 Security Assessment Report and off the bat said, ‘In the first quarter of 2016, 519 files capturing DNS traffic were uploaded by 235 customers and prospects for security assessments by Infoblox. The results: 83% of all files uploaded showed evidence of suspicious activity (429 files).’ They list the specific threats from botnets to protocol anomalies to Zeus and DDoS. A 2014 vulnerability, Heartbleed, still appears around 11% of the time. DevOps is even in the DNS game. In half full news, VeriSign filed two patent applications describing the use of various DNS components to manage IoT devices. One is for systems and methods for establishing ownership and delegation of IoT devices using DNS services and the other is for systems and methods for registering, managing, and communicating with IoT devices using DNS processes. Find that half full smart mug...by name!

IoT: What can I say? The cup runneth over. Wearables are expected to close in on 215 million units shipped by 2020 with 102 million this year alone. I think that number is conservative with smart eyewear, watches and clothing grabbing consumers’ attention. Then there’s the whole realm of industrial solutions like smart tractors, HVAC systems and other sensors tied to smart offices, factories and cities. In fact, utilities are among the largest IoT spenders and will be the third-largest industry by expenditure in IoT products and services. Over $69 billion has already been spent worldwide, according to the IDC Energy Insights/Ericsson report. And we haven’t even touched on all the smart appliances, robots and media devices finding spots in our homes. Get ready for Big Data regulations as more of our personal (and bodily) data gets pushed to the cloud. And we’re talking a lot of data.

Mobile: We are mobile, our devices are mobile and the applications we access are mobile. Mobility, in all its iterations, is a huge enabler and concern for enterprises and it'll only get worse as we start wearing our connected clothing to the office. The Digital Dress Code has emerged. With 5G on the way, mobile is certainly half full and there is no emptying it now.


Of course, F5 has solutions to address many of these challenges whether you’re boiling over or bone dry. Our security solutions, including Silverline, can protect against malicious attacks; no matter the cloud - private, public or hybrid - our cloud solutions can get you there and back; BIG-IP DNS, particularly DNS Express, can handle the incredible name request boom as more ‘things’ get connected; and speaking of things, your data center will need to be agile enough to handle all the nouns requesting access; and check out how TCP Fast Open can optimize your mobile communications.

That's what I got so far and I'm sure 2016's second half will bring more amazement, questions and wonders. We'll do our year-end reviews and predictions for 2017 as we all lament, where did the Year of the Monkey go?

There's that old notion that if you see a glass half full, you're an optimist and if you see it half empty you are a pessimist. I think you need to understand what state the glass itself was in before the question. Was it empty and filled half way or was it full and poured out? There's your answer!

ps 




The Road to F5 Certification

Posted in f5, big-ip, adc, application delivery, devcentral, certification by psilva on July 19th, 2016


Over the last 4 months, the DevCentral team has been preparing for the F5 Certification exam. We’ve met a number of times for group study and for each session, we reviewed a particular section of the Exam 101 - Application Delivery Fundamentals Study Guide. We prepared and presented a certain topic and had open discussions about particular use cases, customer scenarios and even played some guessing games as to what might be asked on the exam for that section.

Now the time has come to take the test.

Since the DevCentral team will be at Agility 2016 in Chicago this year, we decided to take advantage of the Certification Team’s mobile testing center. While you can certainly go to one of Pearson Vue’s test centers, the Certification Team will be on hand at F5 Agility to administer their various exams for those looking to get F5 Certified. It’s a pretty cool set up – almost like a band on a mini regional tour. They’ll have everything you need to take the test.

I gotta tell you, I’m a little nervous.


I’m sure I’ll be able to nail sections 2-5 since those are the areas I’ve focused on for the past decade…it’s the first part, OSI, that I’m a little wary of. Not that I don’t know my 7 layers – All People Seem To Need Data Processing – but maybe some of the nuances or lack of recent real world subnetting that concerns me. I’ll use this last month before the exam to keep prepping to make sure I don’t embarrass myself.

But let's look at the stats.

Recently Ken Salchow, F5’s Sr. Manager Professional Certifications, posted some interesting statistics about the program, particularly pass rates and certification by region. Ken notes about the pass rate graph, ‘I am also often asked about exam pass rates ... which is not an easy thing to really post. Below is a graph that shows ALL TIME pass rates by exam. It is important to note that these pass rates encompass thousands of exams and even different versions of exams. As such, take these with a grain of salt and realize that if I did a 12-month average, 24-month average and last month average, they would all differ from the below. Oh ... and have I mentioned how much I distrust data coming from our candidate management system?? Yeah ... so ... you've been warned.’

And the graph:

pass_rate.jpg

So there's a 70% pass rate on the 101. Fairly decent.

Ken also posted another chart which shows the breakdown of certification by region as a percentage of the whole.

cert_region.jpg

Nice mix of global certifications.

We - the DevCentral team - will take some pictures and let you know how we did. If you are at Agility and taking a Certification exam this year, let's compare notes for the final wrap. Pass or Fail.

My energy says, 'Success!'

ps




Q/A with Yann Desmarest - DevCentral’s Featured Member for July

Posted in security, f5, big-ip, silva, application delivery, network, irules, programmability by psilva on July 5th, 2016


Yann Desmarest is the Innovation Center Manager at e-Xpert Solutions SA and one of DevCentral’s top contributors. e-Xpert Solutions SA is an F5 Gold Partner, Unity Partner Support and a Guardian Partner. Yann has been a BIG-IP administrator for 6 years and enjoys basketball, table tennis, hacking, cinema and manga (especially Naruto).

And one of his favorite activities is developing complex iRules and that’s why he is DevCentral's Featured Member for July!

We got a chance to chat with Yann about his work, his life and why he enjoys participating in the DevCentral Community.

DevCentral: Hi Yann. Thanks for your time. You’ve been a tremendous contributor to the DevCentral community over the years and we wondered what keeps you involved?

Yann: I’m always looking for new challenges and DevCentral is a really good place to solve complex issues and to share knowledge and experiences with peers. It’s also a place that I can find useful information on iControl, iRules and iApps code.

DC: Tell us a little about the areas of BIG-IP expertise you have.

YD: At my earliest stage in the business world, I was involved in basic BIG-IP LTM projects. After some successful experiences, I wondered if I could rise up to another level and decided to learn BIG-IP ASM, APM and GTM modules as well.

Now, I think I’m pretty comfortable with all F5 BIG-IP modules but I’m clearly specialized in security and more precisely the authentication and WebSSO part delivered by BIG-IP APM.

I also acquired some development skills using iRules and iControl.

DC: You often participate and post in the Codeshare area – tell us about some of your favorite submitted iRules/iApps and how they work.

YD: I've had several requests to protect Microsoft Skype for Business Edge services against NTLM brute force and DoS attacks. I decided to develop an iRule to intercept the encrypted traffic and identify NTLM authentication attempts on the SIP flow. Then, suspicious IPs and users are blacklisted for a duration that you can define in the RULE_INIT event.

I also had requirements to provide client certificate authentication on Microsoft Exchange ActiveSync for Apple iOS devices. The main issue is that this kind of authentication requires a Mobile Device Management or Apple Configurator system. Deploying a full MDM for that need may be overkill so we developed an iRule that provisions the Exchange payload to the iOS device. The client certificate is retrieved using the SCEP protocol. Now, with the availability of iRulesLX, I will be able to extend this feature to retrieve a certificate using third party APIs.

And finally my favorite is the APM Full Step Up Authentication iRule and Access profile that we published on DevCentral. I had a look at the Step-Up authentication feature on the APM v12.1.0 and found that it’s currently limited. I decided to develop my own configuration to make it more flexible and mainly to have this feature available for older BIG-IP versions. No doubt that my configuration will be deprecated in future releases because APM will enhance its own feature set.

I have many more iRules, iApps and iControl scripts to share with the community in the future.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.


YD: I had a requirement to integrate APM with an iOS and Android mobile application. The application uses a SOAP body to POST credentials and a second factor was required for external users. I had to intercept the SOAP body to retrieve the username and password, then play those credentials through an external REST API web service and if the user is connecting from a public IP address, prompt the end user for a second factor that I send to a third party web gateway. This is a lot of peers and exchanges to integrate in the authentication process. I also had to implement full SOAP responses and handle errors. I consulted DevCentral and the iRules wiki to find how to use sideband connections, ifiles, ACCESS events and some crypto commands. Without the DevCentral community, I would not have been able to face this challenge.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

YD: Computer science has been part of my life since the very beginning. Later, I decided to be an IT expert, to solve complex challenges and to help people secure their environments. Now, I’m following my dreams and work hard to be a computer expert.

Just a few words to thank all my colleagues and our F5 Field System Engineers who have helped me a lot to acquire more skills and experience on F5 technologies.

DC: Thanks Yann! Check out all of Yann’s DevCentral contributions and follow him @expertsolch




Orchestrate Your Infrastructure

Posted in security, f5, big-ip, cloud computing, silva, access, programmability by psilva on June 28th, 2016

The digital society has emerged.

Today’s always-connected world and the applications we interact with are changing the way we live. People are mobile, our devices are mobile, and by all accounts, everything that is a noun – a person, place or thing – will soon be connected and generating data... and all that traffic is destined for an application – that could also be portable - located somewhere in a data center.

But not all data traffic is created equally and critical information might need some action that requires automation of the deployment process. At the same time, organizations can’t afford to manually make policy adjustments every time something needs attention. Automated coordination between applications, data and infrastructure from provisioning to applying policies and services which are in-line with business needs must be in place.

This is Orchestration.

thinker.jpg

Humans have always distinguished themselves from other creatures by the ability to reason. Today, we're building reason into systems to make some of these decisions for us: software that asks 'What's the purpose?' and 'What's the reason why?'

Purpose-driven networking (programmability) means not just recognizing that this is Thing 1 or Thing 2 and routing requests to the appropriate service, but recognizing what Thing 1 or Thing 2 is trying to do and delivering it in a way that meets expectations for its performance.

The underlying infrastructure and architecture also need to understand the purpose behind a traffic adjustment, and to enable the scale and speed of deployment necessary for business success.

There is a ton of communication between us, our devices, the things around us and the applications that support us. It takes an agile and programmable infrastructure that can intercept, evaluate and interpret each request with an eye toward user, device, location and, now, purpose.

Orchestration is the glue that holds together all of these quick networking decisions, ensures that provisioned policies land where they need to go, and provides the intelligence for the architecture to make automatic decisions and adjustments based on policy.

There can be many good reasons to adjust the system automatically, and the F5 proxy architecture can augment application delivery functionality in tune with many other frameworks.

Because every environment is unique, we've built custom integrations for a variety of third-party solutions including Cisco APIC, Amazon EC2, VMware NSX and OpenStack. It begins when an administrator creates a custom integration based on Application Templates.

 1load.jpg

These templates can contain any BIG-IP configuration, from firewall policy to local traffic management or anything else. For most integrations that is all it takes; with Cisco APIC, the template is additionally turned into a custom plug-in. That device package is then uploaded directly to Cisco APIC, where application developers can deploy their targeted configuration correctly without wading through every knob, only the knobs they need to configure their application.

 2import.jpg

The application developer only has to specify a couple of parameters, because when the administrator created the template they pre-configured everything the developer needs to deploy the application correctly. This differs from other vendors' integrations, which simply expose a long series of configuration clicks that users then have to get right, and they're easy to get wrong.

3device.jpg 

At this point, iWorkflow translates that small set of parameters into the complete configuration the BIG-IP needs and deploys it to the BIG-IP. The BIG-IP is now fully configured for your application.

 5finish.jpg

But we’re not done yet.

This is a dynamic integration, since environments are always changing. When application servers are added to or removed from your network, APIC notices, informs the BIG-IP, and the BIG-IP's configuration updates to reflect the new application servers and their associated application services. Once the BIG-IP knows about these servers it immediately starts directing traffic to them, allowing your application to expand.

Likewise, when application servers are removed, the BIG-IP's configuration is updated immediately and it stops sending traffic to those servers, letting you take a maintenance window or reduce the capacity allocated to your application.

And while all this is happening, iWorkflow collects application-level statistics to provide a complete view of your infrastructure and reports them upstream, to Cisco APIC in this example.

That’s it, we’re done right?!?!

WRONG!! What about security? What happens when you’re under attack?!?

It is critically important that the security services dynamically follow the application too, no matter where it lives or how it got there. And in some cases, an old application needs a new home.

The idea is that you start with a (figurative) castle protecting the queen's treasure, the data, and drop in the service pieces that keep the application secure, available and resilient. The wall and moat around the castle represent BIG-IP AFM perimeter protection; the satellite dish signals to the Silverline DDoS Service; BIG-IP APM's drawbridge thwarts unauthorized access. The point is that F5 can add these services around all of your 'castled' applications to protect them from threats. This is especially valuable for older applications that cannot easily have security services added to them directly. F5 can be deployed with the latest security services to protect your entire environment.
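To make the template expansion, the "only the knobs they need" principle and the add/remove reconciliation above concrete, here is an added example written for this page; it is not F5's iWorkflow code and it does not use the iControl REST API or real BIG-IP object syntax. It takes the few parameters a developer is allowed to supply, expands them into a complete service definition with the administrator's security services (TLS profile, AFM policy, APM policy) attached unconditionally, refuses any parameter the template did not expose so those services cannot be overridden, and reconciles pool membership against the server list an inventory source such as APIC would report. The parameter names, policy names, sample addresses and output layout are all hypothetical.

```python
"""Template expansion and pool-member reconciliation in the spirit of the
iWorkflow/APIC workflow described above. Constructed example: the parameter
schema, policy names and output layout are hypothetical, not iWorkflow's or
iControl REST's real API."""
import copy
import ipaddress
import json
import re

# Assumed: the only knobs the administrator chose to expose to the app developer.
EXPOSED_PARAMS = ("name", "vip", "service_port", "members")

# Assumed: services the administrator baked into the template. The developer
# cannot change or omit them, which is the point of exposing few knobs.
MANDATORY_SERVICES = {
    "client_ssl_profile": "clientssl_tls12_only",  # hypothetical TLS profile name
    "fw_enforced_policy": "afm_web_default",       # hypothetical AFM policy name
    "access_policy": "apm_corp_sso",               # hypothetical APM policy name
}

_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]{0,63}$")  # keep names out of anything shell- or config-like

def render_service(params):
    """Expand the developer's parameters into a complete service definition.
    Raises ValueError on missing, unknown or malformed input so a bad request
    fails closed instead of deploying a partial configuration."""
    missing = [k for k in EXPOSED_PARAMS if k not in params]
    if missing:
        raise ValueError(f"missing parameters: {missing}")
    unknown = sorted(set(params) - set(EXPOSED_PARAMS))
    if unknown:
        # e.g. a developer passing fw_enforced_policy must not silently replace
        # the administrator's choice; refuse the whole request.
        raise ValueError(f"parameters not exposed by this template: {unknown}")
    name = params["name"]
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid object name: {name!r}")
    vip = ipaddress.ip_address(params["vip"])          # raises on junk
    port = int(params["service_port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"service_port out of range: {port}")
    members = sorted({f"{ipaddress.ip_address(ip)}:{port}" for ip in params["members"]})
    if not members:
        raise ValueError("at least one pool member is required")
    return {
        "pool": {"name": f"{name}_pool", "monitor": "https", "members": members},
        "virtual": {
            "name": f"{name}_vs",
            "destination": f"{vip}:{port}",
            "pool": f"{name}_pool",
            "profiles": ["http", MANDATORY_SERVICES["client_ssl_profile"]],
            "fw_enforced_policy": MANDATORY_SERVICES["fw_enforced_policy"],
            "access_policy": MANDATORY_SERVICES["access_policy"],
        },
    }

def reconcile_members(current, discovered):
    """Diff the deployed pool against what the inventory source now reports."""
    cur, disc = set(current), set(discovered)
    return {"add": sorted(disc - cur), "remove": sorted(cur - disc), "keep": sorted(cur & disc)}

def apply_discovery(service, discovered_ips):
    """Return (updated service, change plan) for a fresh server list from APIC.
    Members are rebuilt from IP plus the service port, so the inventory feed
    cannot smuggle in a different port or a non-address string."""
    port = service["virtual"]["destination"].rsplit(":", 1)[1]
    discovered = [f"{ipaddress.ip_address(ip)}:{port}" for ip in discovered_ips]
    plan = reconcile_members(service["pool"]["members"], discovered)
    updated = copy.deepcopy(service)
    updated["pool"]["members"] = sorted(set(plan["keep"]) | set(plan["add"]))
    return updated, plan

# Constructed sample input: what the developer would type into the APIC form.
SAMPLE_PARAMS = {
    "name": "payroll",
    "vip": "10.0.0.10",
    "service_port": 443,
    "members": ["10.1.1.11", "10.1.1.10"],
}

if __name__ == "__main__":
    service = render_service(SAMPLE_PARAMS)
    print(json.dumps(service, indent=2))
    # APIC reports that 10.1.1.10 was decommissioned and 10.1.1.12 came online.
    service, plan = apply_discovery(service, ["10.1.1.11", "10.1.1.12"])
    print(json.dumps(plan))
```

The security-relevant design choice is in `render_service`: the developer-facing schema is a closed list, and anything outside it is a hard error rather than a merge, so the firewall and access policies the administrator chose ride along with every deployment and with every later membership update.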

Orchestration gives organizations automated provisioning of application policies in our hybrid, dynamic, mobile and risky world. And check out Nathan Pearce's great iWorkflow series!

ps




Your Applications Deserve iApps

Posted in f5, big-ip, cloud, saml, federation, saas, office 365 by psilva on June 21st, 2016

enterprise-cloud-secureappsanywhere.png

F5 iApps are user-customizable frameworks for deploying applications that enable you to 'templatize' sets of functionality on your F5 gear. You can automate the process of adding virtual servers or build a custom iApp to manage your iRules inventory.

Application Ready templates were introduced in BIG-IP v10 with the goal of providing a wizard for often-deployed applications like Exchange, SharePoint, Citrix, Oracle, VMware and so forth. This abstracted away some of the configuration details and reduced the human error that came with following pages of thick deployment guides for those applications. Application templates were great, but there was no way to customize a template during deployment or adjust it afterwards.

Then came iApps®.

Introduced in TMOS v11, iApps is the current BIG-IP system framework for deploying services-based, template-driven configurations on BIG-IP systems. An iApp bundles all of the configuration options for a particular application together.

Roughly a third of F5 customers use iApps, and they are especially popular for more complex configurations. Microsoft Exchange, for example, requires up to 1200 mouse clicks to configure manually and only 50 with the iApp. iApps are also often used to roll out similar configurations to multiple BIG-IPs. Some customers run hundreds of iApps, some run none; the choice is yours.

Here is one example of iApp customization and its evolution. When we released SAML support in v11.3, many customers wanted to use BIG-IP APM as a SAML Identity Provider (IdP) for Office 365, but there are several steps to configure that in BIG-IP: configure Active Directory, then SAML, then the access policy and so forth. One of our very smart Security Architects, Michael Koyfman, wanted to make that task simple, repeatable and accurate.

o365-logo.jpg

He decided to write an O365 iApp and posted it to DevCentral, where there was immediate interest from the community. From there, Product Development engineers rewrote it to follow their libraries and best practices and moved it to supported status. You can now use this F5-supported iApp template to configure the BIG-IP system as a SAML IdP to Microsoft Office 365 applications such as Exchange and SharePoint. The template configures BIG-IP APM as an IdP for Office 365 to perform single sign-on (SSO) between local Active Directory user accounts and Office 365-based resources such as Microsoft Outlook Web App and Microsoft SharePoint.

But we didn't stop there.

Since it is the same framework and is easily extensible to add more services to an iApp, they took it a step further. With the O365 iApp as the basis, the team then built a SaaS Federation iApp, which lets you configure BIG-IP APM as a SAML IdP to 11 commonly used SaaS applications including Salesforce, Concur, WebEx, O365 and others. Now, with a single iApp, you can federate your employees to many SaaS applications easily, efficiently and securely. This iApp also went through a beta period on DevCentral and was recently released as an F5-supported iApp.
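The iApps above configure the IdP half of the federation; the other half is the SaaS application (the service provider) deciding whether to trust the SAML Response BIG-IP APM posts to it. Here is an added example of the checks that SP-side code should make, written for this page and not taken from F5, Microsoft or any SaaS vendor. It parses a hand-written, unsigned sample Response and enforces status, destination, request correlation, issuer, validity window (with clock skew), audience and subject-confirmation recipient; the entity IDs, URLs and timestamps are all hypothetical. XML signature verification is deliberately out of scope here and must be done first with an XML-DSig library against the IdP's published signing certificate.

```python
"""SP-side checks on a SAML 2.0 Response of the kind a SAML IdP (e.g. BIG-IP APM
configured by the O365 or SaaS Federation iApp) posts to a SaaS application's
assertion consumer service (ACS). Constructed example: the Response is hand-written
and every entity ID and URL is hypothetical. The XML signature is NOT checked here;
verify it with an XML-DSig library and the IdP's signing certificate before any of
these checks mean anything."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed SP configuration (normally from the IdP metadata and the SP's own registration).
SP_CONFIG = {
    "idp_entity_id": "https://idp.example.com/saml/idp",  # hypothetical APM IdP entity ID
    "sp_entity_id": "urn:example:sp",                     # hypothetical SP entity ID (Audience)
    "acs_url": "https://sp.example.com/saml/acs",         # hypothetical ACS URL
    "clock_skew": timedelta(minutes=3),
}
# Constructed clock values: the validation time, and a replay ten minutes later.
NOW_OK = datetime(2016, 6, 21, 12, 1, tzinfo=timezone.utc)
NOW_LATE = datetime(2016, 6, 21, 12, 10, tzinfo=timezone.utc)

def _ts(value):
    # SAML timestamps are UTC, e.g. 2016-06-21T12:00:00Z (fractional seconds allowed)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, cfg, now, in_response_to=None):
    """Return the failed checks (empty list == accept). in_response_to is the
    AuthnRequest ID the SP issued, or None for IdP-initiated SSO."""
    if "<!DOCTYPE" in xml_text:
        return ["DOCTYPE not allowed in SAML messages"]  # no entity-expansion tricks
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"unexpected root element {root.tag}"]
    errors, skew = [], cfg["clock_skew"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    if root.get("Destination") not in (None, cfg["acs_url"]):
        errors.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != in_response_to:
        errors.append("InResponseTo does not match the request we issued")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguity instead of picking one
        return errors + [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != cfg["idp_entity_id"]:
        errors.append("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("Assertion has no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb) - skew:
            errors.append("assertion not yet valid")
        if noa is None or now >= _ts(noa) + skew:
            errors.append("assertion expired or has no NotOnOrAfter")
        audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
        if cfg["sp_entity_id"] not in audiences:
            errors.append("we are not in the AudienceRestriction")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != cfg["acs_url"]:
            errors.append("SubjectConfirmationData Recipient is not our ACS URL")
        if scd.get("InResponseTo") != in_response_to:
            errors.append("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")) + skew:
            errors.append("subject confirmation expired")
    return errors

def subject_name_id(xml_text):
    """The NameID the IdP asserted (e.g. the ImmutableID or UPN it is configured to send)."""
    root = ET.fromstring(xml_text)
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", default="", namespaces=NS).strip()

# Constructed, unsigned sample of what the IdP posts back after authenticating "alice".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" IssueInstant="2016-06-21T12:00:00Z"
  Destination="https://sp.example.com/saml/acs" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.com/saml/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assn1" Version="2.0" IssueInstant="2016-06-21T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/idp</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2016-06-21T12:05:00Z"
          Recipient="https://sp.example.com/saml/acs" InResponseTo="_req1"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2016-06-21T11:59:00Z" NotOnOrAfter="2016-06-21T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:example:sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, SP_CONFIG, NOW_OK, "_req1"), subject_name_id(SAMPLE_RESPONSE))
```

The audience and recipient checks are what stop an assertion minted for one of the 11 federated SaaS applications from being replayed against another, and the short validity window plus `InResponseTo` correlation limits how long a captured assertion stays useful. In production, track consumed assertion IDs as well so the same assertion cannot be presented twice inside its window.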

ui_saas_iapp.png 

UI configurations for the SaaS iApp

 

saas_iapp_after.png 

Summary of configurations for the SaaS iApp

So if you need a quick and easy way to deploy your applications, look no further than F5 iApps. You can use the F5-built iApps, customize them, or build your own. Your applications, infrastructure and business will thank you.

ps




