Post on 09-Jul-2018
transcript
Vendors named on the competitive-landscape slide: Citrix, Radware, Fine Ground, ActivNetworks, StrangeLoop, Aptimize, Array Networks, Barracuda, Cisco, A10, Brocade/Foundry, Crescendo, Coyote Point, NetContinuum, Juniper, Nortel, Akamai, Inkra, Netli, Zeus, Swan Labs, Redline.
© F5 Networks, Inc.
F5 product portfolio slide: BIG-IP Global Traffic Manager (GTM), Enterprise Manager™, TMOS®, iControl® and iRules, serving users, applications and storage across international data centers. Modules shown: BIG-IP® Local Traffic Manager, ARX® File Virtualization, FirePass® SSL VPN, BIG-IP® Edge Gateway, BIG-IP® Global Traffic Manager, BIG-IP® Link Controller, BIG-IP® WAN Optimization Module, BIG-IP® WebAccelerator, BIG-IP® Application Security Manager, BIG-IP® Access Policy Manager.
TMOS Architecture: A unified system for application delivery
Diagram: the TMOS microkernel acts as a full proxy between users (client side) and applications (server side) on high-performance hardware, exposed through iControl. Feature modules shown: Rate Shaping, TCP Express, SSL, Caching, XML, Compression, OneConnect, App Security, Web Accel, 3rd Party.
GTM & DNS
BIG-IP Global Traffic Manager (GTM)
BIG-IP GTM:
• Is a wide-area load balancer, also known as a Global Server Load Balancer (GSLB)
• Uses DNS as the traffic management mechanism
• Puts intelligence into the DNS resolution process
• Monitors site availability and performance
BIG-IP GTM can be purchased:
• As a stand-alone
• As a software module add-on
• On BIG-IP hardware or as a Virtual Edition
Objects in the BIG-IP GTM Architecture
Diagram: Primary DC, Secondary DC and Disaster Recovery DC, each containing a GTM, an LTM and servers, with links to the Internet; virtual servers 73.37.1.1:80, 68.28.1.1:80, 73.37.1.11:21 and 205.33.1.1:80 grouped into a GTM pool.
• Data Center (DC) objects are physical groupings of devices
• Server objects are grouped in Data Centers: BIG-IP GTMs, BIG-IP LTMs and LCs, standalone servers and other load balancers
• Links provide access from the Data Center to the Internet
• Wide IP (WIP) objects: Fully Qualified Domain Names (FQDNs) associated with one or more pools
• Pool objects: groups of virtual servers to be load balanced
• Virtual server objects: IP address:port combinations on server objects; the applications to load balance/resolve to; may represent multiple real servers (load balancers) or a single physical (standalone) server; server objects often host multiple virtual servers
• Wide IP: www.f5.com = 73.37.1.1 or 68.28.1.1 or 205.33.1.1
Metric Collection in the GTM Architecture
Diagram: a Local DNS querying GTMs in the Primary, Secondary and Disaster Recovery DCs; iQuery exchange between GTMs and LTMs shown as IQ:get_vips(), IQ:vips 1..n, IQ:SNMP() and IQ:SNMP data; SNMP responses from other servers.
• At least two GTMs: geographically distributed; synchronize configurations and metric collection
• GTM is authoritative for the DNS names to be load balanced
• Monitors test availability and performance of servers and virtual servers
• BIG-IP devices use iQuery to pass this information
• … and other servers are monitored through Ping, SNMP, or EAVs
• Probes determine network proximity between the DC and the LDNS (in the diagram, the Primary DC is closest)
• GTM DNS names can be resolved based on: Availability, Performance, Network Proximity, Topology
• BIG-IP GTM can persist repeat requests from a client (even to another BIG-IP GTM) to the same server for transaction continuity (diagram: 1st Query)
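The resolution and persistence behaviour described above, as an added example that is not part of the original deck or F5's code: a toy wide IP whose pool carries the slide's three virtual servers, chosen first by availability and then by the lowest probe RTT to the querying LDNS, with persistence keeping a repeat LDNS on its earlier answer while that server stays up. The LDNS names, RTT values and data structures are constructed for illustration; topology rules are not modelled.

```python
"""Toy GTM-style wide IP resolution with persistence.

Added example, not F5 code. The virtual server IPs and DC names come from the
slide diagram; the LDNS names, RTT table (standing in for proximity probes) and
the persistence record shape are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class VirtualServer:
    ip: str                   # virtual server address from the diagram
    dc: str                   # data center the server object belongs to
    available: bool = True    # health monitor result
    rtt_ms: dict = field(default_factory=dict)  # proximity probe: LDNS -> RTT in ms


@dataclass
class WideIP:
    fqdn: str
    pool: list                                   # pool of virtual servers to load balance
    persist: dict = field(default_factory=dict)  # LDNS -> IP handed out earlier


def resolve(wip, ldns):
    """Return the IP to answer for this LDNS: availability first, then persistence,
    then network proximity (lowest probed RTT; unprobed servers sort last)."""
    candidates = [vs for vs in wip.pool if vs.available]
    if not candidates:
        return None
    prior = wip.persist.get(ldns)
    if prior is not None and any(vs.ip == prior for vs in candidates):
        return prior                # transaction continuity: keep the earlier answer
    best = min(candidates, key=lambda vs: vs.rtt_ms.get(ldns, float("inf")))
    wip.persist[ldns] = best.ip
    return best.ip


def build_sample_wip():
    """Constructed data mirroring the slide: three DCs, one virtual server each."""
    return WideIP("www.f5.com", [
        VirtualServer("73.37.1.1", "Primary DC",
                      rtt_ms={"ldns-east": 10, "ldns-west": 80}),
        VirtualServer("68.28.1.1", "Secondary DC",
                      rtt_ms={"ldns-east": 40, "ldns-west": 30}),
        VirtualServer("205.33.1.1", "Disaster Recovery DC",
                      rtt_ms={"ldns-east": 90, "ldns-west": 95}),
    ])


def demo():
    """Walk through the slide scenario; returns the four answers handed out."""
    wip = build_sample_wip()
    first = resolve(wip, "ldns-east")        # Primary DC probes closest
    wip.pool[1].rtt_ms["ldns-east"] = 5      # Secondary now measures closer ...
    second = resolve(wip, "ldns-east")       # ... but persistence keeps the answer
    wip.pool[0].available = False            # monitor marks the Primary DC server down
    third = resolve(wip, "ldns-east")        # fail over to the best available server
    west = resolve(wip, "ldns-west")         # a different LDNS gets its own nearest DC
    return first, second, third, west


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: a persisted answer is honoured only while that virtual server still passes its monitors, so persistence never pins a client to a dead data center.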
Subdomain Delegation Mode
Diagram: the client's LDNS sends "DNS Request: www.mycompany.com" to the mycompany.com DNS server, which returns a CNAME from www.mycompany.com to www.gtm.mycompany.com; the LDNS then requests www.gtm.mycompany.com from GTM, which responds with the BEST IP based on the LDNS.
• GTM has the WIP config and owns the gtm subzone
• DNSSEC only for the subzone
• Zone Runner on BIND for NS, SOA, etc.
• Extra management
• No other features
Screening Mode
Diagram: the client's LDNS sends "DNS Request: www.mycompany.com" to GTM, which sits in front of the mycompany.com DNS servers. If the name matches a WideIP, GTM answers; otherwise it load balances the request and sends it to the pool.
• GTM only manages the WIP config
• Simpler configuration
• LTM iRules on the DNS VIP
• Dynamically rewrite responses
• Add DNSSEC signature
• Add DNS Express
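The two deployment modes above as a resolver walk, added here as an example that is not from the deck or F5's code. Zone names are the slide's (mycompany.com, gtm.mycompany.com); the record data, the BIND pool members, the per-LDNS "best IP" table standing in for GTM's metric-based choice, and the function names are constructed. It shows the extra query that delegation mode costs and which answers each mode can sign.

```python
"""Resolver walk for GTM subdomain delegation mode versus screening mode.

Added example, not F5 code. Record contents, pool members and the
gtm_best_ip() stand-in for GTM's LDNS-based selection are constructed.
"""
import itertools


def gtm_best_ip(ldns):
    """Stand-in for GTM's per-LDNS best-IP choice (constructed mapping)."""
    return {"ldns-east": "73.37.1.1"}.get(ldns, "68.28.1.1")


def gtm_answer(name, ldns, signed):
    return {"name": name, "type": "A", "data": gtm_best_ip(ldns),
            "source": "GTM", "dnssec": signed}


# mycompany.com on BIND (Zone Runner holds NS, SOA, etc.); www is a CNAME into the subzone
PARENT_ZONE = {
    ("mycompany.com.", "NS"): "ns1.mycompany.com.",
    ("www.mycompany.com.", "CNAME"): "www.gtm.mycompany.com.",
    ("gtm.mycompany.com.", "NS"): "gtm1.mycompany.com.",   # delegation of the gtm subzone
    ("mail.mycompany.com.", "A"): "198.51.100.25",          # plain record, not a WIP
}

DELEGATED_WIPS = {"www.gtm.mycompany.com."}   # delegation mode: WIPs live in the subzone


def resolve_delegation(name, ldns):
    """LDNS asks the parent zone first; a CNAME into gtm.mycompany.com costs a second
    query to GTM. Only the subzone answer can be DNSSEC-signed by GTM."""
    steps = []
    cname = PARENT_ZONE.get((name, "CNAME"))
    if cname is None:
        steps.append({"name": name, "type": "A", "data": PARENT_ZONE.get((name, "A")),
                      "source": "BIND", "dnssec": False})
        return steps
    steps.append({"name": name, "type": "CNAME", "data": cname,
                  "source": "BIND", "dnssec": False})
    if cname in DELEGATED_WIPS:
        steps.append(gtm_answer(cname, ldns, signed=True))
    return steps


SCREEN_WIPS = {"www.mycompany.com."}          # screening mode: WIP config uses the real names
BIND_POOL = itertools.cycle(["ns1", "ns2"])   # GTM load balances non-WIP queries to this pool


def resolve_screening(name, ldns):
    """GTM listener in front of the BIND pool: answer WIP matches directly, otherwise
    load balance the query to a pool member. GTM can sign either response on the way
    out (the slide's 'Add DNSSEC Signature')."""
    if name in SCREEN_WIPS:
        return [gtm_answer(name, ldns, signed=True)]
    member = next(BIND_POOL)
    return [{"name": name, "type": "A", "data": PARENT_ZONE.get((name, "A")),
             "source": f"BIND pool member {member} via GTM", "dnssec": True}]


if __name__ == "__main__":
    for step in resolve_delegation("www.mycompany.com.", "ldns-east"):
        print("delegation:", step)
    print("screening:", resolve_screening("www.mycompany.com.", "ldns-west"))
```

Delegation mode returns two records from two different authorities, and the CNAME from the parent zone is outside GTM's signing scope; screening mode returns one record from one listener, which is why the slide lists it as the simpler configuration.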
DNSSEC
F5 DNS Security: Securing the DNS Infrastructure with DNSSEC
Why Secure DNS?
• Rogue servers can poison the DNS cache and answer queries
• Need a method for trusted responses
• Need to meet some government mandates for DNSSEC compliance
Consequences
• DNS denial of service (DDoS)
• Redirection
• Phishing and pharming
• Passwords stolen
• Sensitive data revealed
• Loss of sales revenue
• Problem: the need to secure your DNS infrastructure from threats
DNS Infrastructure is Vulnerable
Diagram: the Local DNS asks "example.com?"; the GTM/LTM in front of the application servers answers 123.123.123.123, but cache poisoning injects 012.012.012.012 into the Local DNS instead.
DNSSEC (Domain Name Security Extensions)
• A set of extensions to the Domain Name System (DNS)
• Provides an authenticated DNS query response
• Uses a "chain of trust"
• Adds a digital signature to DNS data
• Addresses the DNS vulnerability to cache poisoning attacks
Securing the DNS Infrastructure
Diagram: the same exchange with DNSSEC; the answer 123.123.123.123 is returned together with the public key, so the client gets a signed, trusted response.
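The chain of trust and the cache-poisoning scenario from the slides above, worked through as an added example (not from the deck and not F5 code). A key signing key (KSK) signs the zone's DNSKEY set, a zone signing key (ZSK) signs the A record, and the validating resolver is configured with only the KSK public key as its trust anchor. Textbook RSA with small fixed Mersenne primes and no padding stands in for a real DNSSEC algorithm; it shows the mechanics and is not cryptographically sound. The zone name and both addresses are the slide's; the key sizes, record layout and function names are constructed.

```python
"""DNSSEC chain-of-trust walk-through with a toy RSA signature.

Added example, not F5 code. KSK signs the DNSKEY RRset, ZSK signs the data,
the resolver trusts only the KSK. Key sizes are toy-sized (Mersenne primes);
a real deployment uses a standard algorithm with padding and large keys.
"""
import hashlib

E = 65537                 # public exponent; coprime to every phi used below
ZONE = "example.com."


def make_key(p, q):
    """Toy RSA key from two primes: n = p*q, d = e^-1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


def public(key):
    return {"n": key["n"], "e": key["e"]}


def canonical(rrset):
    """Stable wire-like form of an RRset: sorted 'owner type rdata' lines (an RRSIG
    covers the whole RRset, not one record)."""
    return "\n".join(sorted(f"{n} {t} {r}" for n, t, r in rrset)).encode()


def digest(rrset, n):
    return int.from_bytes(hashlib.sha256(canonical(rrset)).digest(), "big") % n


def sign(rrset, key):
    return pow(digest(rrset, key["n"]), key["d"], key["n"])


def verify(rrset, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == digest(rrset, pub["n"])


def sign_zone(ksk, zsk, a_records):
    """Publish DNSKEYs (flags 257 = KSK/SEP, 256 = ZSK) and the RRSIGs over each RRset."""
    dnskeys = [(ZONE, "DNSKEY", f"257 {ksk['n']} {ksk['e']}"),
               (ZONE, "DNSKEY", f"256 {zsk['n']} {zsk['e']}")]
    return {"A": a_records, "A_rrsig": sign(a_records, zsk),
            "DNSKEY": dnskeys, "DNSKEY_rrsig": sign(dnskeys, ksk)}


def validate(answer, trust_anchor):
    """Validating resolver: trust anchor -> DNSKEY set -> ZSK -> A records."""
    if not verify(answer["DNSKEY"], answer["DNSKEY_rrsig"], trust_anchor):
        return False                     # DNSKEY set not signed by the trusted KSK
    for _, _, rdata in answer["DNSKEY"]:
        flags, n, e = rdata.split()
        if flags == "256" and verify(answer["A"], answer["A_rrsig"], {"n": int(n), "e": int(e)}):
            return True
    return False


KSK = make_key(2**89 - 1, 2**107 - 1)   # toy key; constructed
ZSK = make_key(2**31 - 1, 2**61 - 1)    # toy key; constructed


def demo():
    """Returns (genuine answer validates, poisoned answer rejected, rogue chain rejected)."""
    anchor = public(KSK)                 # the only thing the resolver is configured to trust
    good = sign_zone(KSK, ZSK, [(ZONE, "A", "123.123.123.123")])
    # Cache poisoning as on the slide: the A record is swapped, but the RRSIG cannot follow
    poisoned = dict(good, A=[(ZONE, "A", "012.012.012.012")])
    # A rogue server signing a consistent chain with its own keys still fails at the anchor
    rogue = sign_zone(make_key(2**31 - 1, 2**107 - 1), make_key(2**61 - 1, 2**89 - 1),
                      [(ZONE, "A", "012.012.012.012")])
    return validate(good, anchor), validate(poisoned, anchor), validate(rogue, anchor)


if __name__ == "__main__":
    print(demo())
```

The point the slide makes in one picture is the second and third results: an attacker who can race a spoofed answer into the Local DNS cannot produce an RRSIG that verifies under the zone's ZSK, and shipping a replacement DNSKEY set does not help because that set must in turn verify under the KSK the resolver already trusts.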
Configuring DNSSEC on GTM
Ensures all responses comply with the DNSSEC protocol.
To configure DNSSEC compliance on GTM:
• Create a DNSSEC key signing key
• Create a DNSSEC zone signing key
• Create a DNSSEC zone, assigning at least one key signing key and one zone signing key to the zone
To view the procedure for completing these tasks, check out the deployment guide:
• http://www.f5.com/pdf/deployment-guides/gtm-dnssec-dg.pdf
Or the GTM Manual on the F5 support site:
• http://support.f5.com/kb/en-us/products/big-ip_gtm/manuals/product/gtm-concepts-11-1-0/gtm_dnssec.html#1010790
Creating a Key Signing Key
Form fields: Key Name; Bit Width (for the encryption algorithm); Type: Key Signing Key; Use FIPS: Enabled or Disabled; Optional: Rollover Period, Expiration Period.
Creating a Zone Signing Key
Form fields: Key Name; Bit Width (for the encryption algorithm); Type: Zone Signing Key; Use FIPS: Enabled or Disabled; Optional: Rollover Period, Expiration Period.
Creating a DNSSEC Zone
Global Traffic >> DNSSEC Zones
• Set Name to the FQDN
• Add at least one key signing key and one zone signing key
• Click Finished
Signed Resource Records
After the zone is signed, any Resource Record created in that zone will automatically be signed.
DNSSEC Availability on BIG-IP
• DNSSEC is an add-on to GTM and is an additional cost
• Has been available since V10.x
• DNSSEC is available on LTM/GTM combination boxes if the DNSSEC add-on is purchased
• DNSSEC is not available on LTM with the DNS Services add-on license (as of V11.1)
DNS Express
DNS Express
• High-speed, high-response authoritative DNS server
• Configuration size for tens of millions of records
• Answering millions of queries per second
• Zone transfer and notify for updates
• Authoritative DNS serving out of RAM
Scalable DNS Performance
Diagram (DNS Express in TMOS): the existing DNS server (roles shown: Manage DNS Records, NIC, OS Admin, Auth Roles, Dynamic DNS, DHCP) transfers its zone to DNS Express in TMOS, which answers the DNS queries.
DNS Express Features
• Full IPv6 support
• Supports TCP or UDP
• Record type support: Unsupported: AXFR and IXFR; Supported: all others (e.g., A, AAAA, NS, CNAME, HINFO, WKS, MINFO, MX, TXT, MB, MG, AFSDB, ISDN, RP, RT, X25, PX, LOC, SPF)
• Update notification: allows the primary DNS to push updates
• Transaction Signature (TSIG): authenticates the zone transfer request
DNS Express Zone Transfer
Diagram: (1) the F5 BIG-IP GTM (TMOS) sends a ZONE Transfer Request to the DNS servers and loads the zone; (2) a DNS Query for ftp.example.com arrives, TMM checks the query against the WIP and zone definitions ("ftp.example.com matches WIP or zone definition? YES") and responds with the IP address 209.200.200.10 (ftp.example.com = 209.200.200.10).
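The features and zone-transfer flow above, as an added example that is not from the deck or F5's code: a toy primary DNS server that only honours TSIG-authenticated transfer requests, a DNS Express stand-in that loads the zone into memory, re-pulls it on NOTIFY when the serial moves, answers queries for the loaded zone and refuses to serve AXFR/IXFR itself. The TSIG MAC is HMAC-SHA256 over a simplified request string rather than the real wire format; the key name, shared secret, zone records and class names are constructed. The zone and the ftp.example.com answer are the slide's.

```python
"""Toy DNS Express zone loading and query handling with TSIG-authenticated transfer.

Added example, not F5 code. Simplified TSIG (HMAC over a few fields, not the RFC
wire format); key material and zone contents are constructed.
"""
import hashlib
import hmac
import time

TSIG_KEY = {"name": "express-xfer.", "secret": b"constructed-shared-secret"}
TSIG_FUDGE = 300   # seconds of clock skew tolerated (the TSIG default)


def tsig_mac(secret, zone, qtype, timestamp, key_name):
    """HMAC over the fields both sides agree on (simplified TSIG)."""
    msg = f"{zone}|{qtype}|{timestamp}|{key_name}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class PrimaryDnsServer:
    """The customer's primary DNS server: owns the zone, honours TSIG-signed AXFR only."""

    def __init__(self, zone, records, key):
        self.zone, self.records, self.key = zone, dict(records), key
        self.serial = 1

    def axfr(self, request):
        if request.get("key_name") != self.key["name"]:
            return {"rcode": "REFUSED", "why": "unsigned or unknown key"}
        if abs(time.time() - request["time"]) > TSIG_FUDGE:
            return {"rcode": "REFUSED", "why": "BADTIME"}
        expected = tsig_mac(self.key["secret"], request["zone"], "AXFR",
                            request["time"], request["key_name"])
        if not hmac.compare_digest(expected, request["mac"]):
            return {"rcode": "REFUSED", "why": "BADSIG"}
        return {"rcode": "NOERROR", "serial": self.serial, "records": dict(self.records)}

    def update(self, name, rtype, rdata):
        """Change the zone and bump the serial; a NOTIFY would carry the new serial."""
        self.records[(name, rtype)] = rdata
        self.serial += 1
        return self.serial


class DnsExpress:
    """In-memory authoritative copy of delegated zones: a high-speed secondary, not a cache."""

    def __init__(self, key):
        self.key, self.zones = key, {}

    def transfer(self, primary):
        now = time.time()
        req = {"zone": primary.zone, "time": now, "key_name": self.key["name"],
               "mac": tsig_mac(self.key["secret"], primary.zone, "AXFR", now, self.key["name"])}
        resp = primary.axfr(req)
        if resp["rcode"] == "NOERROR":
            self.zones[primary.zone] = resp
        return resp["rcode"]

    def notify(self, primary):
        """Primary's NOTIFY: re-transfer only if our copy's serial is behind."""
        if self.zones.get(primary.zone, {}).get("serial") != primary.serial:
            return self.transfer(primary)
        return "NOERROR"

    def query(self, name, qtype):
        if qtype in ("AXFR", "IXFR"):
            return ("REFUSED", None)    # DNS Express does not serve zone transfers
        zone = next((z for z in self.zones if name == z or name.endswith("." + z)), None)
        if zone is None:
            return ("NOT_MINE", None)   # TMM falls through to WIP / pool handling
        rdata = self.zones[zone]["records"].get((name, qtype))
        return ("NOERROR", rdata) if rdata else ("NXDOMAIN", None)  # simplified: no NODATA case


def demo():
    """Walk both slide flows plus a rejected transfer; returns a dict of results."""
    primary = PrimaryDnsServer("example.com.",
                               {("ftp.example.com.", "A"): "209.200.200.10"}, TSIG_KEY)
    express = DnsExpress(TSIG_KEY)
    out = {"xfer": express.transfer(primary)}
    out["ftp"] = express.query("ftp.example.com.", "A")
    out["axfr"] = express.query("example.com.", "AXFR")
    out["other"] = express.query("www.mycompany.com.", "A")
    rogue = DnsExpress({"name": "express-xfer.", "secret": b"wrong-secret"})
    out["rogue"] = rogue.transfer(primary)            # wrong secret: BADSIG, no zone data
    primary.update("www.example.com.", "A", "209.200.200.11")
    out["notify"] = express.notify(primary)           # serial moved: re-transfer
    out["www"] = express.query("www.example.com.", "A")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two defender-side details carry over to a real deployment: the transfer is authenticated before any zone data leaves the primary, and DNS Express answers every query for the loaded zone from its own copy, so a flood of varied names never turns into upstream lookups the way it does for a cache.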
Is DNS Express DNS Caching? No!
DNS Cache:
• Asks the real authoritative server on each new query
• Caches the answer to answer subsequent requests for the same query
• Almost never has the whole config, only the most requested items
• Easily beaten in a DDoS attack by varying the DNS query on every request
DNS Express:
• Has the whole zone already and is authoritative for that zone
• More like a high-speed slave server, not a cache
Scalable DNS Performance
• Enable users to access apps during spikes
• Scale with DNS query performance utilizing hardware
• CMP enabled, utilizes all processing cores
• Up to 6 million qps on VIPRION
• Each core is a high-performance DNS server = 150k+ qps
Chart: queries per second by platform: 125k QPS, 600k QPS, 1.5Mil QPS, 2Mil QPS, 3Mil QPS, 6Mil QPS. These are very conservative numbers.
Configuring DNS Express
• Begin by creating a custom DNS Profile; the DNS profile defaults to DNS Express enabled
• Create a GTM listener or DNS virtual server; attach the DNS profile; optional: add a pool
• DNS Express Zones are configured under Local Traffic
• Create an Express Zone for each delegated domain
Testing and Troubleshooting
• Verify zone status (e.g., green/blue/red): show ltm dns dns-express zone
• nslookup or dig against DNS Express zone names
• Review log files: logs relating to zxfrd
• Run "dnsxdump": dumps the DNS Express (zxfrd.bin) database
IP AnyCast
What it is and What it's Not
IS NOT:
• Not a protocol
• Does not require special servers, clients, or network gear
• DNS centric
IS:
• A configuration methodology
• Mentioned in RFCs but not really defined
• Taking over the core of the DNS Root Infrastructure
• Been in use since the mid 90's for large scale internet deployments!
• Used for all sorts of protocols that ride on IP
• Can be used in conjunction with GTM
GTM + IP Anycast Integration Steps
• Enable ZebOS® dynamic routing on BIG-IP. Supported routing protocols: BGP-4, IS-IS, RIPv1&2, OSPFv2&3, and RIPng
• Configure a custom DNS profile
• Configure a GTM Listener for route advertisement
How does IP Anycast work
• Multiple instances of a service share the same IP address.
• The routing infrastructure directs traffic to the nearest instance of the service.
Logical Topology: two service instances, reachable via 172.25.25.1 and 172.25.25.2, both advertise 192.168.25.25. A DNS request for http://www.foo.com/ resolves to the single answer:
www.server.com. IN A 192.168.25.25
Routing Table from Router 1:
Destination     Mask  Next-Hop     Distance
172.25.25.0     /29   127.0.0.1    0
192.168.25.25   /32   172.25.25.2  1
192.168.25.25   /32   172.25.25.1  2
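The route selection behind the table above, as an added example that is not from the deck and not F5 or ZebOS code. It applies the two rules a router uses on that table, longest matching prefix and then lowest distance, and then withdraws one instance's route to show traffic moving to the other advertiser of 192.168.25.25. The three routes are the slide's; the withdrawal step, the extra test addresses and the function names are constructed.

```python
"""Route selection for the anycast table on the slide.

Added example, not F5 or ZebOS code. Routes are the slide's Router 1 table;
withdraw() models a GTM listener that stops advertising the anycast address.
"""
import ipaddress

# (destination, prefix length, next hop, distance) as in Router 1's table
ROUTES = [
    ("172.25.25.0", 29, "127.0.0.1", 0),      # directly connected segment
    ("192.168.25.25", 32, "172.25.25.2", 1),  # anycast address via instance 2 (closer)
    ("192.168.25.25", 32, "172.25.25.1", 2),  # same address via instance 1 (farther)
]


def select_route(routes, dst):
    """Longest matching prefix wins; among equal prefixes the lowest distance wins.
    Returns the next hop, or None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    matches = []
    for dest, plen, next_hop, distance in routes:
        net = ipaddress.ip_network(f"{dest}/{plen}")
        if ip in net:
            # sort key: longer prefix first, then smaller distance (negated for max())
            matches.append((net.prefixlen, -distance, next_hop))
    if not matches:
        return None
    return max(matches)[2]


def withdraw(routes, next_hop):
    """Remove every route learned via next_hop, as when that GTM listener stops
    advertising the anycast address (or a health check pulls the route)."""
    return [r for r in routes if r[2] != next_hop]


def demo():
    """Returns (normal next hop, next hop after instance 2 withdraws,
    next hop for a directly connected host, result for an unknown destination)."""
    normal = select_route(ROUTES, "192.168.25.25")
    after_fail = select_route(withdraw(ROUTES, "172.25.25.2"), "192.168.25.25")
    connected = select_route(ROUTES, "172.25.25.3")
    unknown = select_route(ROUTES, "10.0.0.1")
    return normal, after_fail, connected, unknown


if __name__ == "__main__":
    print(demo())
```

Because both instances announce the same /32, failover needs no DNS change and no client-side retry logic: the moment instance 2 stops advertising, the only remaining match for 192.168.25.25 is the path via 172.25.25.1.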
GTM Best Practices
• Have two or more GTMs geographically distributed
• Have a BIG-IP in each data center to avoid excess (internet or closed network) traffic
• Synchronize GTMs through network infrastructure or internet
Complete DNS Protection: F5 DNS Firewall Services
Diagram: LDNS queries for company.com arriving at the Data Center.
• GTM & DNS CMP – High-performance DNS
• DNS Express – Scalable DNS
• IP Anycast – Load balancing across DNS
• DNSSEC – Secure DNS queries
• Geolocation – Route based on the nearest data center
• DNS iRules – Complete DNS control
Benefits of Global Traffic Manager
• Ensure availability and disaster recovery
• Secure your DNS infrastructure with dynamic DNSSEC
• Improve and increase DNS performance with DNS Express
• Direct traffic to the best available datacenter with IP Anycast