BIG-IP Access Policy Manager
Web Access Management

Slide 2: F5 Delivers Access and Auth. Services
• Security and identity is an integral part of an F5 ADC
  – Integrate Web access control services
  – Innovative and scalable web security
  – Drive user and group identity into the network with policy-based control to applications

Slide 3: Anonymous Networks with Low Security
[Diagram labels: Mission Critical Apps.; IP address does not equal identity; HR; Guest; Finance; Contractor; SharePoint; Employee]
“Most enterprise networks are anonymous. Network managers gain visibility and control by adding identity awareness to their networks.”*
* “Introducing the Identity-Aware Network,” Lawrence Orans, Gartner

Slide 4: Authentication Alternatives Today
1 Code in the Application
  • Costly, difficult to change
  • Not repeatable, less secure
2 Agents on servers
  • Difficult to manage
  • Not interoperable or secure
  • Decentralized and costly
3 Specialized Access Proxies
  • Doesn’t scale and basic reliability
  • More boxes and expensive
[Diagram labels: Proxy; Web Servers; App 1; App 2; App 3; App n; Policy Manager; Directory]

Slide 5: A Better Alternative – BIG-IP LTM + APM
[Diagram labels: Proxy; Web Servers; LTM + APM; App 1; App 2; App 3; App n; Policy Manager; Directory]
BIG-IP benefits:
• Reduce costs and complexity
• Gain superior scalability and high availability
• Better security with Dynamic L4 – L7 ACL control at LTM speeds
• Save up to 10x on capex and opex

Slide 6: Richer Application Delivery
[Diagram labels: Web Servers; LTM + APM + ASM or WA; App 1; App 2; App 3; App n; Endpoint Security Checks; Virtualization (HA, Scale, LB); Policy Manager; Directory]
Additional benefits:
• Endpoint inspection
• Virtualization for Application and Directory
• Web application security
• Web application acceleration

Slide 7: BIG-IP Access Policy Manager (APM)
Authentication and Authorization Services for BIG-IP
BIG-IP® APM ROI Benefits:
• Consolidates infrastructure
• Reduces AAA management costs
• Simplifies Web access
BIG-IP® APM Features:
• Centralizes web single sign on and access control services
• Full proxy L4 – L7 access control at BIG-IP speeds
• Adds endpoint inspection to the access policy
• Visual Policy Editor (VPE) provides policy based access control
• VPE Rules – programmatic interface for custom access policies
*AAA = Authentication, Authorization and Accounting (or Auditing)

Slide 8: F5 Application Delivery Networking
[Diagram labels: International Data Center; Applications & Storage; Enterprise Manager™; Users; BIG-IP® Local Traffic Manager; BIG-IP® Global Traffic Manager; BIG-IP® WebAccelerator; BIG-IP® Link Controller; BIG-IP® WAN Optimization Module; BIG-IP® Application Security Manager; BIG-IP® Edge Gateway; BIG-IP® Access Policy Manager; FirePass® SSL VPN; iControl®; TMOS®; ARX® File Virtualization]

Slide 9: Access Policy with AAA Servers
– Fully integrated to TMOS
  • CMP enabled
  • UI/CLI (bigip.conf)
  • Enterprise Manager
– All HTTP based LTM features can be combined with Access Policy
  • iRules (events/cmds)
  • Session DB
  • SSL offloading
– Compatible with add-ons (ASM/PSM)

Slide 10: Access Policy Design
• Industry-leading advanced Visual Policy Editor (VPE)
  – Flexible
  – Easy to understand, visual representation of policy
  – VPE Rules (TCL-based) for advanced functions
  – Trigger TMM iRules events
• Usability features
  – Macros
  – Visual cues to aid configuration

Slide 11: Dynamic ACL Control
• Cost effective alternative for policy based access control
• Before: Expensive and complicated control of resources
• After: Layer 7 ACLs with access profiles
  – Provide advanced authentication and access control for web based applications

Slide 12: Advanced authentication and access control
Web based applications with Dynamic ACL Control
[Diagram labels: news.example.com (LTM + APM for access control); www.example.com (LTM for public http traffic)]
• HTTP traffic for visitors/guests, access profile manages access
• HTTP traffic for public with no access control
• HTTPS traffic for subscribers, access profile provides login page and authentication

Slide 13: Customized User Interface
• Updated End-User Interface with Full Customization
  – Stylesheet (CSS) based customization eliminates the need to customize each page individually
  – Form location (left, center, right)
  – Font style/sizes
  – Header and footer

Slide 14: Easy Access Policy Deployment Wizards
• Deployment-specific wizards for Web Access Management for LTM virtuals, Network Access, and Web Applications Access
• Step-by-step configuration, context sensitive help, review and summary
• Creates base set of objects and access policy for common deployments
• Automatically branches to necessary configuration (e.g., DNS)

Slide 15: Reporting and Statistics
• Native BIG-IP TM Stats and RRD integration
• Dashboard integration for real-time monitoring
• New Reports section covering active and expired user sessions
• Easy navigation/view of user session variables

Slide 16: Dashboard Executive Summary
• Administrators quickly view the BIG-IP APM Dashboard
• Real-time understanding of access health
• View the default template of Active Sessions, Network Access Throughput, New Sessions, and Network Access Connections
• Optionally, administrators create customized views using the Dashboard Windows Chooser
• Drag and drop selections onto the window pane with the type of statistics desired for fast comprehension of session health.

Slide 17: F5 and Oracle Announcement
• F5 and Oracle Announce Plans to Unify Access Management for Web Applications
• Solution will combine F5’s BIG-IP system with Oracle Access Manager
• Enhance single sign-on (SSO) capabilities and simplify access control
• Available in 1H2010 calendar year
  – http://www.f5.com/news-press-events/press/2009/20091006.html

Slide 18: APM – v10.1 Features
• Authentication and Authorization Services
  – SSO/Credential Caching: HTTP Basic, HTTP NTLMv1/v2, Cookie, Form, and HTTP Header
  – Dynamic per-session layer 4 - 7 (HTTP) ACLs
  – Native RSA SecurID
  – RADIUS accounting
  – Authentication server redundancy

Slide 19: APM – v10.1 Features
• Optional Client
  – Web-based and Standalone
  – Modern look and feel
  – Mobility: Roaming and smart connection
  – QoS on Windows machines (client side)
  – Acceleration: Adaptive compression
• Endpoint Security
  – Windows and Macintosh checks
  – Protected Workspace (Parity with FP 6.1) with encryption and Virtual File System
  – Group policy integration
  – Virtual Keyboard

Slide 20: APM – v10.1 Features
• Miscellaneous
  – Set-up wizards
  – Dashboards
  – Policy import/export
  – Splunk for F5 logging and reporting
  – Win7 Support

Slide 21: APM – Packaging and Pricing
• Add-on module for LTM

  Platforms    # of Users    List Price*
  3600-8900    500           $7,495

• Additional CC Users

  # of Users    List Price*
  100           $1,495
  500           $5,495
  1,000         $7,995
  5,000         $29,995
  10,000        $44,995

*NA pricing Jan. 1, 2010. For local pricing check your regional price lists.

Slide 22: APM – Packaging and Pricing
• Maximum APM user SKUs

  Platform    Max Conc. Users    List Price*
  3600        5,000              $19,995
  3900        10,000             $34,995
  6900        25,000             $79,995
  8900        40,000             $115,995

*NA pricing Jan. 1, 2010. For local pricing check your regional price lists.

Slide 23: APM Module on LTM
[Table: module combinations (LTM + APM; LTM + APM + ASM; LTM + APM + WA; LTM + WOM) by platform (3600, 3900, 6900, 6900 FIPS, 8900); cell layout not recoverable]
• Web access management
  – Dynamic per-session L4 – L7 ACLs at speeds up to 12 Gbps
  – Up to 600 logins-per-second
  – Supports up to 40,000 users

Slide 24: What is the value of F5 access?
Access value proposition
• Integrates with existing enterprise infrastructure and applications
• Authentication and access to networks, applications and portals
• Comprehensive end-point security for corporate compliance
• Powerful, easy to use management interface
• Scalability, Performance and Reliability
• Better security driving identity into the network
Reduce costs of managing AAA with integrated authentication
Only ADC that effectively provides Web Access Management capabilities

Slide 26: APM v10.1 Features
• Better Authentication and Authorization
  – Forms Based Authentication
  – Dynamic per-session layer 4 - 7 (HTTP) ACLs
  – Visual Policy Editor (VPE)
  – SSO/Credential Caching:
    • HTTP Basic, HTTP NTLMv1/v2, Cookie, Form, and HTTP Header
  – Auth.: Native RSA SecurID, RADIUS accounting, AD, Auth. server redundancy
• Easy User Access
  – Web-based and standalone client
  – Mobility: Roaming and smart connection
  – Acceleration: Dynamic data compression
• Strong Endpoint Security
  – Endpoint Inspection checks
  – Protected Workspace with encryption and Virtual File System
  – Group policy integration
  – Virtual Keyboard
• Manageability / Usability
  – Customizable user interface
  – Set-up deployment wizards
  – Dashboard executive summary
  – Reporting and stats
  – Policy import/export
  – QoS on Windows machines (client side)
  – Win7 Support
• Interoperability and Integration
  – ASM and WA interoperability
  – APM events in iRules
  – Splunk for F5 logging and reporting
• Virtualization Architecture
  – Multiple virtual APMs
  – Targeted at Service Providers and large enterprises
  – Separate access policy grouping for each virtual APM
  – Can have separate security administrators
  – Master administrator control

Slide 27: Credential Caching (CC) Services Behind example.com for SSO
[Diagram labels: Client; TMM; Credential Caching; APM Virtual; CC Virtual; Socialmedia.example.com; example.com; Support.example.com]
• Fast access to applications with Credential Caching for Single Sign On (SSO)
Internal Local Traffic Virtuals
- Credential Caching (CC) proxies multiple backend logins
- ACL enforcement
- When on the same BIG-IP

Slide 28: Advanced authentication and access control
Web based applications with Dynamic ACL Control
[Diagram labels: BIG-IP LTM+APM; money.example.com (access control); login.example.com; money.example.com; www.example.com; LTM + APM Virtual; www.example.com (public); Client; HTTPS traffic; HTTP traffic]
LTM + APM Virtuals
• login.cnn.com
• money.cnn.com
LTM Virtual
• www.cnn.com
iRules:
• Bounceback
• Access