StrangeLoopgovernmentvideosolutionsforum.com/pdf/GovTechTalk06-19-12.pdf · Objects in the BIG-IP...

Post on 09-Jul-2018


Vendor names shown on the slide: Citrix, Radware, Fine Ground, ActivNetworks, StrangeLoop, Aptimize, Array Networks, Barracuda, Cisco, A10, Brocade/Foundry, Crescendo, Coyote Point, NetContinuum, Juniper, Nortel, Akamai, Inkra, Netli, Zeus, Swan Labs, Redline

© F5 Networks, Inc.


F5 product portfolio (slide): TMOS®, iControl® and Enterprise Manager™ as the common platform, connecting users, international data centers, applications and storage. Products shown: BIG-IP® Global Traffic Manager (GTM), BIG-IP® Local Traffic Manager, ARX® File Virtualization, FirePass® SSL VPN, BIG-IP® Edge Gateway, BIG-IP® Link Controller, BIG-IP® WAN Optimization Module, BIG-IP® WebAccelerator, BIG-IP® Application Security Manager, BIG-IP® Access Policy Manager, iRules.

TMOS Architecture: A unified system for application delivery

Slide diagram: TMOS is a full proxy with a client side facing users and a server side facing applications, built on a microkernel over high-performance hardware and managed through iControl. Modules shown: Rate Shaping, TCP Express, SSL, Caching, XML, Compression, OneConnect, TCP Express, App Security, Web Accel, 3rd Party.

GTM & DNS

BIG-IP Global Traffic Manager (GTM)

BIG-IP GTM:
• Is a wide-area load balancer, also known as a Global Server Load Balancer (GSLB)
• Uses DNS as the traffic management mechanism
• Puts intelligence into the DNS resolution process
• Monitors site availability and performance

BIG-IP GTM can be purchased:
• As a stand-alone
• As a software module add-on
• On BIG-IP hardware or as a Virtual Edition

Objects in the BIG-IP GTM Architecture

Slide diagram: a Primary DC, a Secondary DC and a Disaster Recovery DC, each holding a GTM, an LTM and servers, with a GTM pool spanning the virtual servers 73.37.1.1:80, 68.28.1.1:80, 73.37.1.11:21 and 205.33.1.1:80.

• Data Center (DC) objects are physical groupings of devices
• Server objects are grouped in Data Centers: BIG-IP GTMs, BIG-IP LTMs and LCs, standalone servers and other load balancers
• Links provide access from the Data Center to the Internet
• Wide IP (WIP) objects: Fully Qualified Domain Names (FQDNs) associated with one or more pools
• Pool objects: groups of virtual servers to be load balanced
• Virtual server objects: IP address:port combinations on server objects; the applications to load balance/resolve to; may represent multiple real servers (load balancers) or a single physical (standalone) server; server objects often host multiple virtual servers

Wide IP: www.f5.com = 73.37.1.1 or 68.28.1.1 or 205.33.1.1


Metric Collection in the GTM Architecture

Slide diagram: a Local DNS querying the GTMs; Primary, Secondary and Disaster Recovery DCs, each with an LTM and servers.

• At least two GTMs: geographically distributed, synchronizing configurations and metric collection
• GTM is authoritative for DNS names to be load balanced
• Monitors test availability and performance of servers and virtual servers
• BIG-IP devices use iQuery to pass this information (slide exchange: the GTM sends IQ:get_vips(), each LTM answers IQ:vips 1..n; the GTM sends IQ:SNMP(), the SNMP response comes back as IQ:SNMP data)
• ... and other servers are monitored through Ping, SNMP, or EAVs

Slide diagram: probes determine network proximity between each DC and the LDNS; in the example the Primary DC is closest.

GTM DNS names can be resolved based on:
• Availability
• Performance
• Network Proximity
• Topology

Slide diagram: the 1st Query from the Local DNS reaches the GTMs across the Primary, Secondary and Disaster Recovery DCs.

BIG-IP GTM can persist repeat requests from a client (even to another BIG-IP GTM) to the same server for transaction continuity.
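An added example (not F5's code) modelling the object hierarchy and resolution behaviour from the preceding slides: a Wide IP with a pool of virtual servers, monitor-driven availability, selection by proximity or round robin, and per-LDNS persistence. The pool is the slide's www.f5.com; the RTT values and the LDNS address 10.0.0.53 are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class VirtualServer:
    ip: str
    port: int
    dc: str
    available: bool = True                      # set by monitors (iQuery from LTMs; ping/SNMP/EAV elsewhere)
    rtt_ms: dict = field(default_factory=dict)  # DC-to-LDNS proximity probe results, keyed by LDNS IP

@dataclass
class WideIP:
    fqdn: str
    pool: list                                   # pool object: the virtual servers to load balance across
    persist: dict = field(default_factory=dict)  # LDNS IP -> last answer, for transaction continuity
    rr: int = 0                                  # round-robin cursor

def resolve(wip, ldns_ip, method="round_robin"):
    """Return the A-record answer for a query from ldns_ip, or None if nothing is available."""
    prev = wip.persist.get(ldns_ip)
    if prev and any(v.ip == prev and v.available for v in wip.pool):
        return prev                              # persistence: same server while it is still up
    up = [v for v in wip.pool if v.available]    # availability is checked whatever the method
    if not up:
        return None
    if method == "proximity":                    # lowest probed RTT between that DC and the LDNS
        chosen = min(up, key=lambda v: v.rtt_ms.get(ldns_ip, float("inf")))
    else:
        chosen = up[wip.rr % len(up)]
        wip.rr += 1
    wip.persist[ldns_ip] = chosen.ip
    return chosen.ip

def www_f5_com():
    """The slide's Wide IP: www.f5.com = 73.37.1.1 or 68.28.1.1 or 205.33.1.1 (RTTs constructed)."""
    return WideIP("www.f5.com", [
        VirtualServer("73.37.1.1", 80, "Primary DC", rtt_ms={"10.0.0.53": 12}),
        VirtualServer("68.28.1.1", 80, "Secondary DC", rtt_ms={"10.0.0.53": 40}),
        VirtualServer("205.33.1.1", 80, "Disaster Recovery DC", rtt_ms={"10.0.0.53": 90}),
    ])
```

Marking a virtual server unavailable (as a failed monitor would) makes a persisted LDNS fall through to the next best server on its following query.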

Subdomain Delegation Mode

Slide flow: the client asks its LDNS for www.mycompany.com; the mycompany.com DNS server answers with a CNAME from www.mycompany.com to www.gtm.mycompany.com; the LDNS then requests www.gtm.mycompany.com from the GTM, which responds with the BEST IP based on the LDNS.

• GTM has the WIP config and owns the gtm subzone
• DNSSEC only for the subzone
• ZoneRunner on BIND for NS, SOA, etc.
• Extra management
• No other features
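The delegation the slide describes, as an added example (not from the deck) of what the parent mycompany.com zone holds in BIND: an NS delegation of the gtm subzone to the GTMs, plus the CNAME that hands www over to them. The GTM host names gtm1/gtm2 and their addresses are assumptions.

```zone
; mycompany.com zone (parent, served by BIND): delegate the gtm subzone to the GTMs
gtm.mycompany.com.       IN NS    gtm1.gtm.mycompany.com.
gtm.mycompany.com.       IN NS    gtm2.gtm.mycompany.com.
gtm1.gtm.mycompany.com.  IN A     192.0.2.10      ; glue records (assumed addresses), needed
gtm2.gtm.mycompany.com.  IN A     198.51.100.10   ; because the NS names live inside the subzone

; hand the public name to GTM: the LDNS follows the CNAME into the delegated subzone
www.mycompany.com.       IN CNAME www.gtm.mycompany.com.
```

www.gtm.mycompany.com is then a Wide IP on the GTM, and only that subzone can be DNSSEC-signed by the GTM in this mode.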

Screening Mode

Slide flow: the client asks its LDNS for www.mycompany.com; the request reaches the GTM in front of the mycompany.com DNS servers: if it matches a Wide IP, the GTM answers; otherwise the request is load balanced and sent to the pool of DNS servers.

• GTM only manages the WIP config
• Simpler configuration
• LTM iRules on the DNS VIP: dynamically rewrite the response, add a DNSSEC signature, add DNS Express

DNSSEC

F5 DNS Security: Securing the DNS Infrastructure with DNSSEC

Why Secure DNS?
• Rogue servers can poison the DNS cache and answer queries
• Need a method for trusted responses
• Need to meet some Government mandate for DNSSEC compliance

Consequences
• DNS denial of service (DDoS)
• Redirection
• Phishing and pharming
• Passwords stolen
• Sensitive data revealed
• Loss of sales revenue

• Problem: The need to secure your DNS infrastructure from threats

DNS Infrastructure is Vulnerable

Slide diagram: the Local DNS asks "example.com?"; the legitimate answer from the GTM/LTM in front of the application servers is 123.123.123.123, but a cache poisoning response of 012.012.012.012 reaches the Local DNS instead.

DNSSEC (Domain Name Security Extensions)
• A set of extensions to the Domain Name System (DNS)
• Provides an authenticated DNS query response
• Uses a "chain of trust"
• Adds a digital signature to DNS data
• Addresses a DNS vulnerability to cache poisoning attacks

Securing the DNS Infrastructure

Slide diagram: the Local DNS asks "example.com?"; the GTM/LTM in front of the application servers answers 123.123.123.123 plus the public key, and the client gets a signed, trusted response.

Configuring DNSSEC on GTM

Ensures all responses comply with the DNSSEC protocol

To configure DNSSEC compliance on GTM:
• Create a DNSSEC key signing key
• Create a DNSSEC zone signing key
• Create a DNSSEC zone, assigning at least one key signing key and one zone signing key to the zone

To view the procedure for completing these tasks, check out the deployment guide:
• http://www.f5.com/pdf/deployment-guides/gtm-dnssec-dg.pdf

Or the GTM manual on the F5 support site:
• http://support.f5.com/kb/en-us/products/big-ip_gtm/manuals/product/gtm-concepts-11-1-0/gtm_dnssec.html#1010790

Creating a Key Signing Key
• Key Name
• Bit Width: for the encryption algorithm
• Type: Key Signing Key
• Use FIPS: Enabled or Disabled
• Optional: Rollover Period, Expiration Period

Creating a Zone Signing Key
• Key Name
• Bit Width: for the encryption algorithm
• Type: Zone Signing Key
• Use FIPS: Enabled or Disabled
• Optional: Rollover Period, Expiration Period

Creating a DNSSEC Zone

Global Traffic >> DNSSEC Zones
• Set Name to the FQDN
• Add at least one key signing key and one zone signing key
• Click Finished

Signed Resource Records

After the zone is signed, any Resource Record created in that zone will automatically be signed
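An added example (not F5's code) of the chain of trust the preceding slides describe: the parent publishes a DS (a hash of the KSK), the KSK signs the DNSKEY RRset, the ZSK signs the zone's records, and a validator walks DS -> KSK -> ZSK -> RRset, rejecting a poisoned record and an expired signature. It uses textbook RSA over SHA-256 with fixed, publicly known Mersenne-prime keys to show the mechanics; that is not a DNSSEC algorithm and never a real key, and the zone and record values are constructed.

```python
import hashlib

def rsa_key(p, q, e=65537):
    """Textbook RSA without padding, built from two known primes: illustration only."""
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    return pow(_h(data), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _h(data)

def canon(owner, rtype, rdata, expires):
    """Canonical bytes an RRSIG covers: the RRset plus the signature's expiration time."""
    return f"{owner} {rtype} {rdata!r} exp={expires}".encode()

def ds_of(ksk_pub):
    """The DS record the parent zone publishes: a hash of the child's KSK (the trust anchor)."""
    return hashlib.sha256(repr(ksk_pub).encode()).hexdigest()

def sign_zone(zone, records, ksk, zsk, now, lifetime=30 * 86400):
    """KSK signs only the DNSKEY RRset; ZSK signs every other RRset in the zone."""
    exp = now + lifetime                         # the signature lifetime (Expiration Period)
    dnskey = (zone, "DNSKEY", (ksk[0], zsk[0]))  # both public keys, published in the zone
    signed = {}
    for owner, rtype, rdata in records + [dnskey]:
        priv = ksk[1] if rtype == "DNSKEY" else zsk[1]
        signed[(owner, rtype)] = (rdata, exp, sign(priv, canon(owner, rtype, rdata, exp)))
    return signed

def validate(signed, zone, ds, owner, rtype, now):
    """Walk the chain of trust DS -> KSK -> DNSKEY RRset -> ZSK -> RRset; None where it breaks."""
    keys, kexp, ksig = signed[(zone, "DNSKEY")]
    ksk_pub, zsk_pub = keys
    if ds_of(ksk_pub) != ds:
        return None                              # this KSK is not the one the parent vouches for
    if now > kexp or not verify(ksk_pub, canon(zone, "DNSKEY", keys, kexp), ksig):
        return None                              # DNSKEY RRset not validly signed by the KSK
    rdata, exp, sig = signed[(owner, rtype)]
    if now > exp or not verify(zsk_pub, canon(owner, rtype, rdata, exp), sig):
        return None                              # poisoned/altered record or expired RRSIG
    return rdata

KSK = rsa_key((1 << 521) - 1, (1 << 607) - 1)    # Mersenne primes M521, M607: a fixed demo key
ZSK = rsa_key((1 << 127) - 1, (1 << 1279) - 1)   # Mersenne primes M127, M1279: a fixed demo key
```

A resolver holding the wrong DS, a record swapped for 012.012.012.012 with the old signature, or a query after the expiration time all come back as None rather than as a trusted answer.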

DNSSEC Availability on BIG-IP
• DNSSEC is an add-on to GTM and is an additional cost; it has been available since V10.x
• DNSSEC is available on LTM/GTM combination boxes if the DNSSEC add-on is purchased
• DNSSEC is not available on LTM with the DNS Services add-on license (as of V11.1)

DNS Express

DNS Express
• High-speed, high response authoritative DNS server
• Configuration size for tens of millions of records
• Answering millions of queries per second
• Zone transfer and notify for updates
• Authoritative DNS serving out of RAM

Scalable DNS Performance

Slide diagram: administrators (NIC, OS admin, auth roles) manage DNS records on the DNS server, which also handles Dynamic DNS and DHCP; DNS Express in TMOS sits in front of it and answers the DNS queries.

DNS Express Features
• Full IPv6 support
• Supports TCP or UDP
• Record type support: unsupported: AXFR and IXFR; supported: all others (e.g., A, AAAA, NS, CNAME, HINFO, WKS, MINFO, MX, TXT, MB, MG, AFSDB, ISDN, RP, RT, X25, PX, LOC, SPF)
• Update notification: allows the primary DNS to push updates
• Transaction Signature (TSIG): authenticates the zone transfer request
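An added example (not F5's code) of what the TSIG line above buys a zone transfer: the sender keys the request with a shared secret and a timestamp, and the receiver rejects an unknown key, a stale or replayed timestamp outside the fudge window, and any alteration of the request. The MAC input is simplified rather than the RFC 2845 wire format, and the key name and secret are constructed.

```python
import hashlib
import hmac

FUDGE = 300   # seconds of clock skew a receiver tolerates: TSIG's "fudge" value

def tsig_mac(key, key_name, request, time_signed):
    """HMAC-SHA256 over the request plus the TSIG variables (simplified; not the RFC 2845 wire format)."""
    covered = b"|".join([request, key_name.encode(), str(time_signed).encode(), b"hmac-sha256"])
    return hmac.new(key, covered, hashlib.sha256).digest()

def sign_request(key, key_name, request, now):
    """Sender side: attach a TSIG record to an AXFR/IXFR request or a NOTIFY."""
    return {"request": request, "key_name": key_name, "time_signed": now,
            "mac": tsig_mac(key, key_name, request, now)}

def verify_request(keys, msg, now):
    """Receiver side: accept only if the key is known, the timestamp is fresh and the MAC matches.
    Returns the TSIG outcome names from RFC 2845: NOERROR, BADKEY, BADTIME or BADSIG."""
    key = keys.get(msg["key_name"])
    if key is None:
        return "BADKEY"                          # unknown or unconfigured key name
    if abs(now - msg["time_signed"]) > FUDGE:
        return "BADTIME"                         # replayed later, or clocks too far apart
    expected = tsig_mac(key, msg["key_name"], msg["request"], msg["time_signed"])
    if not hmac.compare_digest(expected, msg["mac"]):
        return "BADSIG"                          # request altered or signed with the wrong secret
    return "NOERROR"
```

Both sides need the same key name and secret and clocks within the fudge window, which is why TSIG failures on a transfer usually trace to one of those three conditions.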

DNS Express Zone Transfer

Slide flow (TMOS on the F5 BIG-IP GTM, with the DNS servers behind it): a zone transfer request loads the zone from the DNS servers into TMOS; a DNS query for ftp.example.com is then checked against the WIP and zone definitions, and because ftp.example.com matches a WIP or zone definition, TMM responds with the IP address 209.200.200.10 (ftp.example.com = 209.200.200.10).


Is DNS Express DNS Caching? No!

DNS Cache
• Asks the real authoritative server on each new query
• Caches the answer to answer subsequent requests for the same query
• Almost never has the whole config, only the most requested items
• Easily beaten in a DDoS attack by varying the DNS query on every request

DNS Express
• Has the whole zone already and is authoritative for that zone
• More like a high speed slave server, not a cache

Scalable DNS Performance
• Enable users to access apps during spikes
• Scale with DNS query performance utilizing hardware
• CMP enabled, utilizes all processing cores
• Up to 6 million qps on VIPRION
• Each core is a high performance DNS server = 150k+ qps

Slide chart (QPS per platform): 125k, 600k, 1.5Mil, 3Mil, 6Mil, 2Mil. These are very conservative numbers.

Configuring DNS Express
• Begin by creating a custom DNS profile; the DNS profile defaults to DNS Express enabled
• Create a GTM listener or DNS virtual server, attach the DNS profile and, optionally, add a pool
• DNS Express Zones are configured under Local Traffic
• Create an Express Zone for each delegated domain

Testing and Troubleshooting
• Verify zone status (e.g., green/blue/red): show ltm dns dns-express zone
• nslookup or dig against DNS Express zone names
• Review log files: logs relating to zxfrd
• Run "dnsxdump": dumps the DNS Express (zxfrd.bin) database

IP Anycast

What it is and What it's Not

IS NOT:
• Not a protocol
• Does not require special servers, clients, or network gear
• DNS centric

IS:
• A configuration methodology
• Mentioned in RFCs but not really defined
• Taking over the core of the DNS Root Infrastructure
• Been in use since the mid 90's for large scale internet deployments!
• Used for all sorts of protocols that ride on IP
• Can be used in conjunction with GTM

GTM + IP Anycast Integration Steps
• Enable ZebOS® dynamic routing on BIG-IP (supported routing protocols: BGP-4, IS-IS, RIPv1&2, OSPFv2&3, and RIPng)
• Configure a custom DNS profile
• Configure a GTM Listener for route advertisement

How does IP Anycast work
• Multiple instances of a service share the same IP address.
• The routing infrastructure directs traffic to the nearest instance of the service.

Logical Topology (slide diagram): two DNS instances reached through 172.25.25.1 and 172.25.25.2, both answering on the anycast address 192.168.25.25. A DNS request for http://www.foo.com/ resolves to the single answer:

www.server.com. IN A 192.168.25.25

Routing Table from Router 1:

Destination   | Mask | Next-Hop    | Distance
172.25.25.0   | /29  | 127.0.0.1   | 0
192.168.25.25 | /32  | 172.25.25.2 | 1
192.168.25.25 | /32  | 172.25.25.1 | 2
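An added example (not F5's code) that applies the Router 1 table from the slide: longest-prefix match prefers the /32 anycast routes, the lowest distance among them wins, and withdrawing the nearest instance's advertisement (what happens when the BIG-IP behind it stops advertising its listener) fails the anycast address over to the next instance. The routes are the slide's; the probe addresses are constructed.

```python
import ipaddress

# Routing table from Router 1 on the slide: (destination/mask, next-hop, distance)
ROUTER1 = [
    ("172.25.25.0/29", "127.0.0.1", 0),
    ("192.168.25.25/32", "172.25.25.2", 1),
    ("192.168.25.25/32", "172.25.25.1", 2),
]

def best_route(routes, dst):
    """Longest matching prefix wins; among equal prefixes the lowest distance wins. None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), nh, dist) for net, nh, dist in routes
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    net, nh, dist = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return nh

def withdraw(routes, next_hop):
    """The instance behind next_hop goes away: its BIG-IP stops advertising the listener address."""
    return [r for r in routes if r[1] != next_hop]
```

The second route is what keeps 192.168.25.25 answerable; with only one instance advertised, a withdrawal leaves the anycast address unroutable from this router.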

GTM Best Practices
• Have two or more GTMs geographically distributed
• Have a BIG-IP in each data center to avoid excess (internet or closed network) traffic
• Synchronize GTMs through network infrastructure or internet

Complete DNS Protection: F5 DNS Firewall Services

Slide diagram: an LDNS exchanging queries and answers with the company.com data center, with blocked and informational markers on the path.

GTM & DNS
• CMP – High-performance DNS
• DNS Express – Scalable DNS
• IP Anycast – Load balancing across DNS
• DNSSEC – Secure DNS queries
• Geolocation – Route based on the nearest data center
• DNS iRules – Complete DNS control

Benefits of Global Traffic Manager
• Ensure Availability and Disaster Recovery
• Secure Your DNS Infrastructure with dynamic DNSSEC
• Improve & Increase DNS Performance with DNS Express
• Direct traffic to the best available datacenter with IP Anycast