Archive for programmability

DevCentral’s Featured Member for May – NTT Security’s Leonardo Souza

Posted in security, f5, big-ip, interview, silva, devcentral, irules, programmability by psilva on May 2nd, 2017

Leonardo Souza lives in the United Kingdom, with his partner, 5-year-old daughter, and a (very) recently newborn son. He’s Brazilian and lived in Portugal for quite a while. He then moved to the UK about 5 years ago ‘because of the amazing weather,’ he jokes.

Leonardo started to work with computers when he was 18 years old (he’s not 18 anymore), so he’s worked with many technologies. Fast forward a bit (he’s not that old) and while working as a network engineer, he was working on a project to migrate applications from Alteon load balancers to F5 BIG-IP LTMs. He completed his LTM Essentials and LTM Advanced training during that time (2011) and with the migration project, he was impressed with BIG-IP.

He even applied for a job at F5 in 2012 and joined as a Network Support Engineer. That moved him from Portugal to the UK, and he has been working with F5 products exclusively ever since.

With all that, Leonardo is DevCentral’s Featured Member for May and we got a chance to talk with Leonardo about his life, work and scripting prowess.

DevCentral: You were an F5er from 2012-15 and continue to be a very active contributor in the DevCentral community. What keeps you involved?

Leonardo: I often say that 1 year in F5 support is equal to 5 years as an F5 customer.

While in F5 support, I had multiple technical challenges every day, and I would typically go to DevCentral to check iRules documentation and get ideas for uncommon cases. After I left F5, I started using DevCentral to stay up to date about what is going on in the F5 world by reading the DevCentral articles. Then I started to go there daily and answer some questions myself.

Short answer: to keep me updated, both about F5 news and my F5 knowledge.

DC: Tell us a little about the areas of BIG-IP expertise you have.

LS: It is difficult to know all F5 products, because some are for very specific networks/scenarios, but I know the common ones:

BIG-IP LTM, GTM/DNS, AFM, APM, ASM, EM, BIG-IQ, and iRules.

I had been a little bit lazy about the F5 certifications, but recently I have done all level 300 exams. I have started studying for the 401, so that should be done in the next couple of months.

DC: As a Security Consultant at NTT Security, what’s your typical workday?

LS: First to clarify, the company recently changed names from NTT Com Security to NTT Security.

I work in professional services, doing projects that use F5 products. My daily work includes doing some pre-sales activities advising the pre-sales team about the F5 products, doing projects, and finding solutions or writing scripts to automate some F5 tasks.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

LS: I have been using DevCentral for many years, and iRules, to a point where it is part of my daily job. Flexibility is a major advantage for F5 and people ask all the time “Can you do this with an iRule?”

Recently, I was working on a project to upgrade many F5 devices. We had to perform an extensive inventory for each device, which was taking about 3 days per device. I wrote a Python script using iControl SOAP to perform that task. (I still prefer bash scripts, but there is no iControl SOAP for bash.)

It would take around 240 days to do that manually, and we did it in around 3 days using the script.

DC: Finally, if you weren’t in technology – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

LS: I am doing the job I wanted since I was young and I can’t picture myself doing any other type of job.

Thanks Leonardo! Check out all Leonardo’s DevCentral contributions or connect with him on LinkedIn. And visit NTT Security on the web or follow on Twitter and LinkedIn.

 




Q/A with Yann Desmarest - DevCentral’s Featured Member for July

Posted in security, f5, big-ip, silva, application delivery, network, irules, programmability by psilva on July 5th, 2016

Yann Desmarest is the Innovation Center Manager at e-Xpert Solutions SA and one of DevCentral’s top contributors. e-Xpert Solutions SA is an F5 Gold Partner, Unity Partner Support and a Guardian Partner. Yann has been a BIG-IP administrator for 6 years and enjoys basketball, table tennis, hacking, cinema and manga (especially Naruto).

And one of his favorite activities is developing complex iRules and that’s why he is DevCentral's Featured Member for July!

We got a chance to chat with Yann about his work, his life and why he enjoys participating in the DevCentral Community.

DevCentral: Hi Yann. Thanks for your time. You’ve been a tremendous contributor to the DevCentral community over the years and wondered what keeps you involved?

Yann: I’m always looking for new challenges and DevCentral is a really good place to solve complex issues and to share knowledge and experiences with peers. It’s also a place that I can find useful information on iControl, iRules and iApps code.

DC: Tell us a little about the areas of BIG-IP expertise you have.

YD: At my earliest stage in the business world, I was involved in basic BIG-IP LTM projects. After some successful experiences, I wondered if I could rise up to another level and decided to learn BIG-IP ASM, APM and GTM modules as well.

Now, I think I’m pretty comfortable with all F5 BIG-IP modules but I’m clearly specialized in security and more precisely the authentication and WebSSO part delivered by BIG-IP APM.

I also acquired some development skills using iRules and iControl.

DC: You often participate and post in the Codeshare area – tell us about some of your favorite submitted iRules/iApps and how they work.

YD: I've had several requests to protect Microsoft Skype for Business Edge services against NTLM brute force and DoS attacks. I decided to develop an iRule to intercept the encrypted traffic and identify NTLM authentication attempts on the SIP flow. Then, suspicious IPs and users are blacklisted for a duration that you can define in the RULE_INIT event.

I also had requirements to provide client certificate authentication on Microsoft Exchange ActiveSync for Apple iOS devices. The main issue is that this kind of authentication requires a Mobile Device Management or Apple Configurator system. Deploying a full MDM for that need may be overkill, so we developed an iRule that provisions the Exchange payload to the iOS device. The client certificate is retrieved using the SCEP protocol. Now, with the availability of iRulesLX, I will be able to extend this feature to retrieve a certificate using third party APIs.

And finally my favorite is the APM Full Step Up Authentication iRule and Access profile that we published on DevCentral. I had a look at the Step-Up authentication feature on the APM v12.1.0 and found that it’s currently limited. I decided to develop my own configuration to make it more flexible and mainly to have this feature available for older BIG-IP versions. No doubt that my configuration will be deprecated in future releases because APM will enhance its own feature set.

I have many more iRules, iApps and iControl scripts to share with the community in the future.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

YD: I had a requirement to integrate APM with an iOS and Android mobile application. The application uses a SOAP body to POST credentials and a second factor was required for external users. I had to intercept the SOAP body to retrieve the username and password, then play those credentials through an external REST API web service and, if the user is connecting from a public IP address, prompt the end user for a second factor that I send to a third party web gateway. This is a lot of peers and exchanges to integrate in the authentication process. I also had to implement full SOAP responses and handle errors. I consulted DevCentral and the iRules wiki to find how to use sideband connections, iFiles, ACCESS events and some crypto commands. Without the DevCentral community, I would not have been able to face this challenge.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

YD: Computer science was part of my life since the very beginning. Later, I decided to be an IT expert, to solve complex challenges and to help people secure their environments. Now, I’m following my dreams and working hard to be a computer expert.

Just a few words to thank all my colleagues and our F5 Field System Engineers that help me a lot to acquire more skills and experience on F5 technologies.

DC: Thanks Yann! Check out all of Yann’s DevCentral contributions and follow him @expertsolch




Orchestrate Your Infrastructure

Posted in security, f5, big-ip, cloud computing, silva, access, programmability by psilva on June 28th, 2016

The digital society has emerged.

Today’s always-connected world and the applications we interact with are changing the way we live. People are mobile, our devices are mobile, and by all accounts, everything that is a noun – a person, place or thing – will soon be connected and generating data... and all that traffic is destined for an application – that could also be portable - located somewhere in a data center.

But not all data traffic is created equally and critical information might need some action that requires automation of the deployment process. At the same time, organizations can’t afford to manually make policy adjustments every time something needs attention. Automated coordination between applications, data and infrastructure from provisioning to applying policies and services which are in-line with business needs must be in place.

This is Orchestration.

Humans have always differentiated ourselves from all other creatures by our ability to reason. Today, we’re building reason into systems to make some of these decisions for us. Software that incorporates ‘What’s the purpose?’ and ‘What’s the reason why?’

Purpose-driven networking – programmability – means not just recognizing that this is Thing 1 or Thing 2 and routing requests to the appropriate service, but recognizing what Thing 1 or Thing 2 is trying to do and delivering in such a way as to meet expectations with respect to its performance.

The underlying infrastructure/architecture also needs to understand the purpose or reason for the data traffic adjustment and enable the scale and speed of deployments necessary for business success.

There is a ton of communication between us, our devices and the things around us, along with the applications that support us. It takes an agile and programmable infrastructure which is able to intercept, evaluate and interpret each request with an eye toward user, device, location and, now, purpose.

Orchestration is the glue that holds together all the quick networking decisions, ensures policies are provisioned where they need to go and provides the intelligence for the architecture to make automatic decisions and adjustments based on policy.

There could be many good reasons to automatically adjust the system and the F5 proxy architecture can augment application delivery functionality in tune with many other frameworks.

Because everyone has a unique environment, we’ve built custom integrations for a variety of 3rd party solutions including Cisco APIC, Amazon EC2, VMware NSX, and OpenStack. It begins when an administrator creates a custom integration based on Application Templates.

These templates can contain any configuration for a BIG-IP – from firewalls to local traffic management or anything else. Many configurations are seamless but with Cisco APIC, the configuration is then turned into a custom plug-in. The device package can then be uploaded directly to Cisco APIC, where application developers can deploy their targeted configuration correctly without using lots of knobs, but only the knobs they need to configure their application.

The application developer only has to specify a couple of parameters because when the administrator created the templates, they pre-configured everything the application developer needs in order to correctly deploy their application. This is different from other vendors’ integrations, which simply expose a large series of configuration clicks that users then have to get correct…and they’re easy to get wrong.

At this point, iWorkflow translates this small set of parameters into the complete configuration needed by the BIG-IP. And it deploys it on the BIG-IP. The BIG-IP is now completely configured for your application.

But we’re not done yet.

This is a dynamic integration since environments are always changing. When new application servers are added to, or removed from, your network, APIC will notice this, inform the BIG-IP, and BIG-IP’s configuration will update to reflect the new application servers and the associated application services. Now that the BIG-IP is aware of these application servers, it will immediately start directing traffic to those servers, allowing your application to expand.

Likewise, when application servers are removed, the BIG-IP’s configuration will immediately be updated and will stop passing traffic to those application servers, allowing you to take a maintenance window or decrease the capacity provided to your application.

And while this is all happening, iWorkflow is collecting application level statistics to provide a complete view of your infrastructure, and reporting them upstream to the Cisco APIC in this example.

That’s it, we’re done right?!?!

WRONG!! What about security? What happens when you’re under attack?!?

As you know, it is critically important that the security services dynamically follow the application also, no matter where it lives or how it got there. And in some cases, an old application needs a new home.

The idea is that you start with the (figurative) castle protecting the queen's treasure – The Data – and we drop in the different service pieces to keep the application secure, available and resilient. The wall and moat around the castle represent BIG-IP AFM perimeter protection; there’s a satellite dish for signaling to Silverline DDoS Service; and BIG-IP APM's drawbridge thwarts unauthorized access. The whole point is that F5 can add these services around all your 'castled' applications to protect them from threats. This is especially true for ‘older’ applications that may have issues adding security services. F5 can be deployed with the latest security services to protect your entire environment.

Orchestration gives organizations automated provisioning of application policies in our hybrid, dynamic, mobile and risky world. And check out Nathan Pearce's great iWorkflow Series!

ps




Control It All with iControl

Posted in f5, big-ip, cloud computing, silva, application delivery, api, programmability, sddc by psilva on June 14th, 2016

The concept of Application programming interfaces (APIs) has been around for a while.

According to CSC Distinguished Engineer & Chief Product Architect (and bass player) Martin Bartlett,

‘The concept of an API pre-dates even the advent of personal computing, let alone the Web, by a very long time! The principle of a well-documented set of publicly addressable "entry points" that allow an application to interact with another system has been an essential part of software development since the earliest days of utility data processing. However, the advent of distributed systems, and then the web itself, has seen the importance and utility of these same basic concepts increased dramatically.’ (Courtesy: http://history.apievangelist.com/)

An API is a set of routine definitions, protocols, and tools for building software and applications. It is software written to function as a communication bridge between Web applications. That’s how iControl started according to Joe Pruitt – as a way for the early versions of BIG-IP LTM (BIG-IP) and BIG-IP DNS (3-DNS/GTM) to communicate with each other to ensure they were making the right traffic management decisions. And this was 16 years ago!

Today, APIs are all over the place, running behind the curtains without any direct user interaction. They are primarily used for computer consumption and typically absorbed by web applications. APIs make services available for developers to build those same services into their applications. eBay, Amazon & AWS, Facebook, Twitter and Google Maps are some examples you might be familiar with. For instance, Google Maps has an API so developers can use the backend services to create their own ‘maps.’ Maybe it is a map of restaurants in the vicinity of a hotel. The hotel website could use the Google Maps API to show different shopping, eating or recreational activities in the area. They wouldn’t need to develop the maps nor house the data themselves.

With the Internet of Things (IoT), APIs allow you to share, manage, access and interact with your previously unconnected items like cameras, bicycles and even medicine bottles. And there are many IoT APIs that are available.

And that’s really the point with iControl.

Whether you’re looking to tweak a feature or spin up 500 new pool members, iControl can do it. Anything you can do via the command line or GUI, you can accomplish via iControl. And, you can do it programmatically so you don’t have to enter in every single command in the chain, or wake up someone at 3am during the change control window just to bleed the servers off a pool.

iControl is F5’s open, web services-based API that allows complete, dynamic, and programmatic control over nearly every aspect of both execution and configuration on BIG-IP systems. With iControl you can work like a wizard—add, modify, or configure your F5 device in real time. It is the primary means through which BIG-IP is integrated into both commercial management offerings and cloud computing environments. In short, iControl is a simple, lightweight API that allows you programmatic access via Traffic Management Shell (tmsh) commands.

And now you can say, 'I control my infrastructure with iControl.'

ps




The Double Whammy of Scripting

Posted in f5, big-ip, silva, devcentral, irules, programmability by psilva on June 7th, 2016

Many of you are very familiar with iRules, our Tool Command Language (Tcl) based scripter. It’s a powerful application delivery tool to have a programmable proxy that allows you to manipulate – in real time - any network traffic passing through the BIG-IP. Many BIG-IP fans have used it to address their specific needs and some iRules have even been productized as features. For example, the cool ASM Data Mask feature that blocks sensitive info like SSN or credit card numbers from leaking out was once an iRule. Aw, our baby made it to the BIGs.

And by now you may have heard the trumpets about iRules LX, available in our most recent BIG-IP v12.1 release. So I was wondering if you were wondering what’s the difference between iRules and iRules LX? Why would you use one or the other?

iRules is based on Tcl and is an extremely stable and well-documented solution. We introduced it in BIG-IP v9.0 and we continue ongoing feature development for it. iRules Language eXtensions (where the LX comes from) is the next generation of network programmability, based on JavaScript. iRules LX is not intended to replace or antiquate Tcl, but to provide additional functionality in certain situations.

Say you are writing a rule in Tcl that looks for some piece of data. When you find that data, you then need to make a database call to verify the parameters. That could get messy with many lines of code. You may even say to yourself, ‘Geeze, this would be a whole lot easier if I had a parser…wouldn’t that be nice.’ This is where iRules LX can be handy. Toss it over to a Node.js extension and let it do the work. With the proper package from the Node package manager (npm), of which there are some 280,000 (and counting), iRules LX will process the data and send the result back to Tcl so you can go on your merry way.

Essentially, that last 10% is 90% of the work so why not have a proper engine run it.

iRules LX is a simple way to solve tough challenges…another tool to use when you need it. Granted, it is not necessarily a hammer but that particular hex tool for precise jobs. It also bridges into the new world of programming. Tcl is still very relevant, yet Node.js is a popular, cutting edge language that the development community has eaten up. It offers more flexibility when you need it and a new tool in your arsenal of application delivery solutions.

You should also check out Eric Flores' Getting Started with iRules LX series which covers some concepts, use cases, configurations and workflows.

ps




Are People Programmable?

Posted in silva, music, devcentral, emotions, humans, family, predictions, programmability by psilva on June 1st, 2016

For the month of June, DevCentral is highlighting our Programmability Month and Codeshare Challenge. A fantastic opportunity to catch up on the power of programmability and learn how the BIG-IP platform can transform your infrastructure with a few lines of code.

Since my coding ability is still in the infancy stage, I thought of looking at programmability from a different angle. Can we code a human?

First, the word 'Programmability.' According to multiple sources including dictionary.com, it is derived from the adjective ‘Programmable’ or capable of being programmed. As a noun, it can be an electronic device that can be programmed to perform specific tasks. We hear the word Program in many different contexts – a plan of action to accomplish something, a schedule of events, a television/entertainment program, a planned group of activities for a purpose and so forth. In computing, of course, we hear the word programmer as someone who writes code to facilitate certain functionality within a computer program or application.

But can code be applied to humans? Are we programmable?

DNA is our personal genetic code. It determines our eye and hair color, gender, and all of the traits, characteristics and personality that make you, you. Every cell in our body contains a complete set of our DNA. While 99.9% of the DNA from two people will be identical, it’s the 0.1% of DNA code sequences that vary from person to person. This is what makes us unique. This is our genetic marker and what scientists look for when doing a DNA test.

Genetic disorders are situations where there’s a bug in the DNA code. The gene mutated. For instance, the GLUD1 gene is a Protein Coding gene that encodes mitochondrial enzyme glutamate dehydrogenase (GDH) and is used to control insulin secretion in the pancreas. But if the gene is mutated, then the person could produce too much insulin. The pancreas server works perfectly but it is the gene’s code telling the pancreas what to accomplish that is flawed. My daughter has this genetic disorder – HI/HA GDH. Her GLUD1 code has an insulin bug.

Doctors have been able to flip genes. In lab studies, researchers at The Children’s Hospital of Philadelphia have reprogrammed gene expression, showing a proof-of-concept for potential therapy: reprogramming the gene expression to reverse a biological switch. Imagine being able to reprogram a gene to function properly. Diagnosed with a certain ailment? Let’s change the code with an i{Human}Rule to 0.

It's also interesting and partially scary to think that in the future, instead of getting colored contacts to change your eye color, you could insert the color code into your DNA for a particular look.

And now for something slightly different…

In 1942 Nikola Tesla said, ‘If you want to find the secrets of the Universe, think in terms of energy, frequency and vibration.’ There is a frequency or vibration of energy that fills the Universe. It's alive.

The Universe is energy and each basic element of the atomic chart consists of energy at different rates of vibration. Each person also has their own frequency. With this in mind, I recently went to have some Quantum Biofeedback ‘new age’ therapy due to some back/neck issues. I already see a chiropractor and acupuncturist and thought this might help me delay back surgery.

The idea behind Quantum Biofeedback is that the body is electric and therefore reactivity in the body can be measured electrically, since every cell, organ, meridian and emotion has a characteristic electro-magnetic signature. You get hooked up to a few electrodes and it takes a bunch of measurements to determine the electrical factors of the body. It calculates combinations of impedance, amperage, voltage, capacitance, inductance, and resistance. If the frequency of your lungs is off, the system can send the exact frequency of healthy lungs until your lungs respond with that frequency. Essentially, it is reprogramming your lungs to the correct frequency to function properly.

There's also the notion that the 520Hz frequency is the Love frequency. Supposedly it is the 'Miracle' note of the original Solfeggio musical scale. These core creative frequencies were used by ancient priests and healers in advanced civilizations to manifest miracles and produce blessings. The claim is that listening to 528Hz tones/music will heal your DNA. Amazon has a whole section of 528Hz music and if you didn't know, John Lennon's 'Imagine' was recorded in 528Hz. That's why you feel good when listening to the song.

As with any of these non-traditional techniques, there are the pseudoscience naysayers, those who feel it is a scam and those who received no benefit from the therapy session. Their body simply didn’t respond. Happens often in medicine and science. For me, it helped a little but I’m still looking at getting cut and wearing a neck brace for a couple weeks to fix my back issue. As with anything like this, your mileage may vary and I'm not endorsing this technique, I have my wonders too. But the idea of being able to reprogram the human body via energy, frequency and vibrations is interesting. At least to me.

There are a few folks, of course, studying this.

In 2008, scientists looked at Free Will vs. The Programmed Brain to determine if we have a choice about anything. If our actions are determined by prior events and if people believe that they don’t have free will, what will the consequences be for moral responsibility? Do we have any responsibility for what we do since our actions are inevitable consequences of the events leading up to the action? Essentially, what happens when we think our choices have already been predetermined for us and we cannot change that? They found that we hold ourselves responsible when we think that our actions come from free will and we behave less responsibly if we feel our actions are beyond our control. If we think that there’s no point in trying to be good, then we’re less likely to try.

The World Bank has discovered that people are programmable from an economic perspective. In 2014, they released the 2015 World Development Report looking at mind, society and behavior. The assumption for many economic policies is that human behavior arises from “rational” choice, with people considering all readily available information and making decisions on their own. In recent decades, however, novel policies based on a more accurate understanding of how people actually think and behave have shown great promise in addressing some of the most difficult development challenges. They seem to conclude that people are programmable, and some (poor people) are more programmable than others. A number of folks are critical of the report, as you can imagine.

Lastly, Gartner’s 2015 hype cycle for Emerging Technologies gives a hint of our programmable future. While IoT is currently riding the top, you can see a few coming up in the next decade that have programmable humans in sight. They got Human Augmentation and Brain-Computer interface neck and neck. Want to become an expert in no time? Simply connect your brain to your laptop and download all the knowledge. Personally I think the brain interface is more about thinking what you want done (click the mouse), and the computer does it with no hand interaction. We shall see.

This article started as an idea about humans, habits and if we can be programmed to change behavior. As I dug in, it became apparent that it wasn’t so simple to concretely conclude but appreciate you coming along this far. As you engage with this month’s Programmability features and how they can help with your environment, think about how programmability may impact all our lives in the near future. Or you can watch this gem from The Office: The Office Classical Conditioning.

ps




Velocity 2014 – BIG-IP Image Optimization (feat Parzych)

Dawn Parzych, F5 Sr. Product Manager, returns to demo BIG-IP’s Image Optimization solution. Web images can consume up to 60% of a site load and BIG-IP can significantly reduce the image file size and deliver those pictures much faster to the viewer.



Velocity 2014 – LineRate Storefront

Posted in f5, acceleration, silva, optimization, programmability, velocity, linerate by psilva on June 25th, 2014

Cyrus Rafii, F5 Director of Business Development for LineRate, shares what LineRate is, the challenges that it solves and the benefits it provides DevOps. He also walks us through the new LineRate Storefront allowing organizations to download & deploy LineRate quickly and easily. Learn more at: linerate.f5.com



CloudExpo 2014: Future of the Cloud

Lori MacVittie, Sr. Product Manager Emerging Technologies, discusses the future of the cloud and where we go from here. She talks about some of the barriers, tools and solutions to take cloud adoption to the next level, along with how DevOps and Cloud play together.

 

ps

 




RSA 2014: API Integration (feat Marshall)

Posted in security, f5, big-ip, silva, video, management, rsa, api, icontrol, programmability by psilva on February 26th, 2014

With software defining everything these days, Corey Marshall, F5 Security Solution Architect, discusses F5 APIs and how they integrate with other technology solutions. He talks about iCall, iRules, iControl and iApps and where each is applicable. BIG-IP Programmability.

   

ps
