Thursday, August 31, 2017

Lightboard Lessons: What is BIG-IQ?

In this Lightboard Lesson, I light up many of the tasks you can do with BIG-IQ. BIG-IQ centralizes management, licensing, monitoring, and analytics for your dispersed BIG-IP infrastructure. If you have more than a few F5 BIG-IPs within your organization, managing devices as separate entities will become an administrative bottleneck and slow application deployments. When deploying cloud applications, you're potentially managing thousands of systems, and having to deal with traditionally monolithic administrative functions is a simple no-go.

Enter BIG-IQ.



ps

Wednesday, August 30, 2017

Is 2017 Half Empty or Half Full?

Ransomware seems to be this year’s huge trend

With 2017 crossing the halfway point, let's look at some technology trends thus far.
Breaches: Many personal records are half empty due to the continued rash of intrusions, while the crooks are half full of our personal information along with some ransom payments. According to the Identity Theft Resource Center (ITRC), there have been 7,689 breaches since 2005 (when they started tracking), compromising – get this – 900,315,392 records. Almost 3 times the U.S. population. In 2016, 56% of all data breaches began with a user clicking on a phishing email. The big story for 2017, I think, is the rise of ransomware. Kaspersky reports a 250% increase in ransomware for the first few months of 2017. From WannaCry to Petya to Fusob, criminals are holding systems hostage until a ransom is paid…or not. Ransomware seems to be this year’s big trend, with backups saving some from total embarrassment.

Cloud Computing: The RightScale 2017 State of the Cloud Report notes that hybrid cloud is the preferred enterprise strategy, with 85 percent of enterprises having a multi-cloud strategy (up from 82 percent in 2016), and that cloud users are running applications in multiple clouds. An interesting stat from the report says cloud users are running applications in an average of 1.8 public clouds and 2.3 private clouds. We've got hybrid cars, hybrid corn, hybrid cats and hybrid clouds, but The Cloud is Still just a Datacenter Somewhere, so no need to freak out. Cloud seems to be more than half full as the security and expertise challenges decline.

DNS: I’ve said it before and I’ll say it again, DNS is one of the most important components of a functioning internet. With that, it presents unique challenges to organizations. 2016 saw record-breaking DNS-based attacks and outages, which thrust DNS management into the spotlight as both a vulnerability and a critical asset. In 2016 DNS provider Dyn experienced a huge DDoS attack taking out many popular websites and internet cameras. And a new attack uncovered this year, DNSMessenger, uses DNS queries to conduct malicious PowerShell commands on compromised computers – a technique that makes the remote access trojan difficult to detect on targeted systems. The need for DNS continues to be half-full with the influx of IoT devices so it’ll continue to be a valuable target for riff-raff.

IoT: What can I say? The cup runneth over…again. Gartner has identified the Top 10 IoT technologies that should be on every organization's radar for 2017 and 2018. They include things like new security risks and challenges to the IoT devices themselves, their platforms and operating systems, their communications, and even the systems to which they're connected. They also include analytics to understand customer behavior, to deliver services and to improve products. Device management, device processors, operating systems, platforms, standards and even the networks IoT devices use are all areas of attention. IoT is really three-quarters full, both with the opportunities and the potential risks. And the risks can be deadly when monitoring vital information like human vital signs.

Mobile: We are mobile, our devices are mobile and the applications we access are mobile. Mobility, in all its iterations, is a huge enabler and concern for enterprises and it'll only get worse as we start wearing our connected clothing to the office. 5G is still a couple years away but AT&T and Verizon have already lined up trials of their 5G networks for 2017. Mobile is certainly half full and there is no emptying it now.

That's what I've got so far, and I'm sure 2017's second half will bring more amazement, questions and wonders. We'll do our year-end reviews and predictions for 2018 as we all lament: where did the Year of the Rooster go?

There's that old notion that if you see a glass half full, you're an optimist, and if you see it half empty, you are a pessimist. I think you need to understand what state the glass itself was in before the question. Was it empty and filled halfway, or was it full and poured out? There's your answer!

ps


This article originally appeared on F5.com.

Tuesday, August 29, 2017

Deploy an Auto-Scaled BIG-IP VE WAF in AWS

Today let’s look at how to create and deploy an auto-scaled BIG-IP Virtual Edition Web Application Firewall by using a Cloud Formation Template (CFT) in AWS. CFTs are simply a quick way to spin up solutions that you may otherwise have to create manually. This CFT creates BIG-IP VE instances for you. These instances function as a firewall in front of your application. Depending on the limits you specify, when more traffic is going to your application, new instances will launch…and when there is less traffic, instances will terminate.


This solution has a few prerequisites:
  • A Virtual Private Cloud (VPC) with at least two subnets, each in its own availability zone
  • An AWS Elastic Load Balancer (ELB), which serves traffic to the BIG-IP VE instances
  • An SSH key pair which you need to access the instances.
I have these already created, so we’ll proceed to deploying the template.

You have two choices on how you want to deploy. You can go to the AWS Marketplace and search ‘f5 waf’ or you can go to the F5 Networks GitHub site. GitHub usually has the latest and greatest, so we’ll use that.

Click on the f5-aws-cloudformation repository.


And then click Supported.

And then click solutions/autoscale.

Then waf.

We scroll down a little bit and click Launch Stack.

We click Next at the Select Template screen and fill out the template.

When you get to the template, the Deployment Name will be appended to all the instances so you can tell which ones are yours. Since we already set up a VPC with two subnets in two zones (not regions), we’ll select those in the VPC ID field. The Restricted Source Address is available if you only want to allow specific IP addresses to your BIG-IP VE instances.

Next is the AWS Elastic Load Balancer name, then choose your SSH key – which is needed to connect to the instances. And we’ll leave the defaults for the rest.

Then you’ll get to the Auto Scaling Configuration section, which is where you’ll determine when to create the new WAF instances. You’ll want to configure the Scale Up and Scale Down Bytes Thresholds, which determine when an instance gets launched and added and when one is removed.

Under WAF Virtual Service Configuration is where you’ll enter the application’s Service Port and DNS. In addition, if you want application servers added to the pool automatically, so traffic goes to them without manually configuring the BIG-IP, you can set the Application Pool Tag Values, which works great. Next choose your WAF Policy Level (low, medium, high) and click Next and Next.

Also, click the check box which indicates that you have the appropriate credentials to set some IAM roles and create an S3 bucket. Click Create and the CFT will start creating resources.

This process can take about 15 minutes to complete and when it is done, you’ll get the CREATE_COMPLETE on your dashboard. The resources might be available now but it is recommended to wait at least 30 minutes before digging into things.

To see what the CFT created and confirm completion, go to: Services>EC2>Auto Scaling Groups. You can see that there is a BIG-IP VE instance created and added to the group. Also, be aware that the default for Scaling Policies is to wait 40 minutes to launch a new instance. You may want to adjust that to your preference. However, to be clear, AWS is always monitoring the traffic and wants to know if you are exceeding the limits you’ve set. The Scaling Policies setting simply means that after one instance is launched – you hit the limit and one is up – AWS should wait 40 minutes (or whatever your value is) to launch another. It’ll keep going until you’ve hit the max number of instances specified. We put three.

While in Services>EC2, you can also inspect the ELB and see that the BIG-IP VE instance is there and in service. Traffic is going through the Load Balancer and then to the BIG-IP VE, then to the application server.

Lastly, let’s look at the list of instances in Services>EC2>Instances and the instances are there and ready to go!

And then when there is too much traffic, another is added. Since the limit was exceeded, AWS has launched new instances, up to three.

And when the traffic falls, the instance shuts down.
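To make the scaling behaviour described above concrete (bytes thresholds in both directions, a wait after each change, and a hard cap of three instances), here is a small model of the group's decision logic. This is an added illustration and not code from the F5 CFT or from AWS Auto Scaling itself; the thresholds, cooldown length and traffic samples are constructed, and applying the cooldown to scale-in as well as scale-out is a simplifying assumption.

```python
"""Model of the auto scaling behaviour described for the BIG-IP VE WAF stack.

Added illustration, not code from the F5 CFT: the thresholds, cooldown and
traffic samples are constructed, and the cooldown is applied to scale-in as
well as scale-out as a simplifying assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ScalingPolicy:
    scale_up_bytes: int          # bytes per interval above which a WAF instance is launched
    scale_down_bytes: int        # bytes per interval below which a WAF instance is terminated
    cooldown: int                # intervals to wait after a change before the next change
    max_instances: int = 3       # the walkthrough's stack used a maximum of three
    min_instances: int = 1       # the group starts with one BIG-IP VE


@dataclass
class GroupState:
    instances: int = 1
    last_change: Optional[int] = None   # interval index of the last launch/termination
    log: list = field(default_factory=list)


def step(policy: ScalingPolicy, state: GroupState, t: int, bytes_seen: int) -> str:
    """Apply one monitoring interval and return the action taken."""
    in_cooldown = state.last_change is not None and t - state.last_change < policy.cooldown
    if bytes_seen > policy.scale_up_bytes and state.instances < policy.max_instances:
        action = "hold-cooldown" if in_cooldown else "launch"
    elif bytes_seen < policy.scale_down_bytes and state.instances > policy.min_instances:
        action = "hold-cooldown" if in_cooldown else "terminate"
    else:
        action = "hold"   # within thresholds, or already at the min/max size
    if action == "launch":
        state.instances += 1
        state.last_change = t
    elif action == "terminate":
        state.instances -= 1
        state.last_change = t
    state.log.append((t, bytes_seen, action, state.instances))
    return action


def simulate(policy: ScalingPolicy, samples: List[int]) -> GroupState:
    """Run the policy over a sequence of per-interval byte counts."""
    state = GroupState(instances=policy.min_instances)
    for t, b in enumerate(samples):
        step(policy, state, t, b)
    return state


def peak_instances(state: GroupState) -> int:
    return max(n for _, _, _, n in state.log)


if __name__ == "__main__":
    # constructed traffic: a burst above the threshold, then a quiet period
    policy = ScalingPolicy(scale_up_bytes=1_000_000, scale_down_bytes=200_000, cooldown=2)
    burst = [1_500_000] * 5 + [100_000] * 3
    for row in simulate(policy, burst).log:
        print(row)
```

Running the sample shows the second launch held back by the cooldown, the group stopping at three even though traffic stays high, and the scale-in happening one instance per cooldown once traffic drops.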

That’s it! Easily scale your BIG-IP application security on AWS. Thanks to our TechPubs group and watch the video demo here.

ps

Wednesday, August 23, 2017

Lightboard Lessons: BIG-IP ASM Layered Policies

In this Lightboard Lesson, I light up some use cases for BIG-IP ASM Layered Policies available in BIG-IP v13.

With Parent and Child policies, you can:
  • Impose mandatory policy elements on multiple policies;
  • Create multiple policies with baseline protection settings; and
  • Rapidly push changes to multiple policies.


ps

Tuesday, August 15, 2017

I’ve Successfully Failed the F5 Certification 201-TMOS Administration Exam

Yup, you read that right. I did not pass the F5 Certified BIG-IP Administrator test I took while at F5 Agility 2017. And I’m not ashamed since it was a challenging test and I will be trying again.

Sure, I went through Eric Mitchell’s (F5er) comprehensive 201 Certification Study Guide along with the TMOS Administration Exam Blueprint. However, I probably should have taken more time ON a BIG-IP messing around…especially for tmsh commands…which is where, I believe, I got tripped up. This is key. Reading and memorizing commands along with some practicing can only get you so far. Doing it regularly is what’s needed. This is a key feature of the exams, particularly as you move up the exam expertise. The exams are designed to test real knowledge and experience, not if you can cram the night before. Pretty sure my errors came with tmsh and the UCS upgrade questions since I had limited experience in those areas.

Going in, I was a bit less confident (than from the 101) but also, less anxious. And about three-quarters through the exam I was feeling pretty good. I might pass this thing. However, the 201 Certification exam is not something to take lightly and is much more challenging than the 101. While the 101 has a 70% pass rate overall, the 201 hovers around 67% pass rate overall. 69% correct is a pass – I got 63%. I probably would have received my diploma from an educational institution but for Dr. Ken, a 63 is not a ‘pass’ with the F5 Certification Program. But that’s OK and why I like the program. At whatever level, a pass is a true achievement. You know your stuff.

At Agility 2017, the F5 Professional Certification team administered 227 exams. They had 245 scheduled so only 18 no-shows for whatever reason. When I took the exam on Monday, there was a constant flow of folks taking the exams and over the course of the event, I spoke to many who were either about to take one or had already completed theirs. No matter pass or fail, all were impressed with the caliber of the exams.

For the week, the disposition is as follows:

So you don’t have to work out the percentages:

Slight edge to the Pass group, congratulations…but still, you got a 50:50 shot.

Even though I failed, I’m glad to have taken it and know what I need to brush up on for my next attempt. For others that also failed, don’t be discouraged. While in Chicago, I was reminded of this Michael Jordan quote:
I've missed more than 9000 shots in my career. I've lost almost 300 games. 26 times, I've been trusted to take the game winning shot and missed. I've failed over and over and over again in my life. And that is why I succeed.
ps

Tuesday, August 8, 2017

Create a BIG-IP HA Pair in Azure

Use an Azure ARM template to create a high availability (active-standby) pair of BIG-IP Virtual Edition instances in Microsoft Azure. When one BIG-IP VE goes standby, the other becomes active and the virtual server address is reassigned from one external NIC to the other.

Today, let’s walk through how to create a high availability pair of BIG-IP VE instances in Microsoft Azure. When we’re done, we’ll have an active-standby pair of BIG-IP VEs.

To start, go to the F5 Networks Github repository.


Click F5-azure-arm-templates. Then go to Supported>ha-avset and there are two options. You can deploy into an existing stack when you already have your subnets and existing IP addresses defined but to see how it works, let’s deploy a new stack.


Click new stack and scroll down to the Deploy button. If you have a trial or production license from F5, you can use the BYOL option but in this case, we’re going to choose the PAYG option.


Click Deploy and the template opens in the Azure portal. Now we simply fill out the fields. We’ll create a new Resource Group and set a password for the BIG-IP VEs.

When you get to the questions:

The DNS label is used as part of the URL.

Instance Name is just the name of the VM in Azure.

Instance Type determines how much memory and CPU you’ll have.

Image Name determines how many BIG-IP modules you can run (and you can choose the latest BIG-IP version).

Licensed Bandwidth determines the maximum throughput of the traffic going through BIG-IP.

Select the Number of External IP addresses (we’ll start with one but can add more later). For instance, if you plan on running more than one application behind the BIG-IP, then you’ll need the appropriate external IP addresses.

Vnet Address Prefix is for the address ranges of your subnets (we’ll leave it at the default).

The next 3 fields (Tenant ID, Client ID, Service Principal Secret) have to do with security. Rather than using your own credentials to modify resources in Azure, you can create an Active Directory application and assign permissions to it.

The last two fields also go together. Managed Routes let you route traffic from other external networks through the BIG-IPs. The Route Table Tag means that anytime this tag is found in the route table, routes that have this destination are updated so that the next hop is the IP address of the active BIG-IP VE. This is useful if you want all outbound traffic to go through the BIG-IP or if you want to send traffic from a bunch of different Vnets through the BIG-IP.

We’ll leave the rest as default, but the Restricted Src Address is a good way to restrict which IP addresses on my network are allowed to connect to the BIG-IP.

We’ll agree to the terms and click Purchase.


We’re redirected to the Dashboard with the Deployment in Progress indicator. This takes about 15 minutes.


Once finished we’ll go check all the resources in the Resource Group.


Let’s find out where the virtual server address is located since this is associated with one of the external NICs, which have ‘ext’ in the name. Click the one you want.


Then click IP Configuration under Settings.


When you look at the IP Configuration for these NICs, whenever the NIC has two IP addresses that’s the NIC for the active BIG-IP. The Primary IP address is the BIG-IP Self IP and the Secondary IP is the virtual server address.


If we look at the other external NIC we’ll see that it only has one Self IP and that’s the Primary and it doesn’t have the Secondary virtual server address. The virtual server address is assigned to the active BIG-IP.


When we force the active BIG-IP to standby, the virtual server address is reassigned from one NIC to the other.

To see this, we’ll log into the BIG-IPs and on the active BIG-IP, we’ll click Force to Standby and the other BIG-IP becomes Active.


When we go back to Azure, we can see that the virtual server IP is no longer associated with the external NIC.


And if we wait a few minutes, we’ll see that the address is now associated with the other NIC.


Basically, how BIG-IP HA works in the Azure cloud is by reassigning the virtual server address from one BIG-IP to another. Thanks to our TechPubs group and check out the demo video.
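The walkthrough gives a simple rule for reading the portal: the external NIC with two IP configurations (the self IP plus a secondary address) belongs to the active BIG-IP, and during a failover the secondary address briefly belongs to neither NIC before it appears on the other one. The following script models that rule and the failover sequence. It is an added illustration, not code from the F5 ARM template or the Azure SDK; the NIC names and addresses are constructed.

```python
"""Identify the active BIG-IP VE from the external NICs' IP configurations and
model the failover that moves the virtual server address between them.

Added illustration, not code from the F5 ARM template: NIC names and addresses
are constructed. It applies the rule from the walkthrough that the external NIC
with two IP configurations (self IP plus secondary virtual server address)
belongs to the active unit.
"""
from typing import Dict, List, Optional, Tuple

# constructed sample: two external NICs as the Azure portal would show them
NICS: Dict[str, List[str]] = {
    "bigip0-ext": ["10.0.1.4", "10.0.1.10"],  # primary self IP + secondary virtual server address
    "bigip1-ext": ["10.0.1.5"],               # primary self IP only: the standby unit
}


def active_nic(nics: Dict[str, List[str]]) -> Optional[str]:
    """Return the NIC holding the secondary (virtual server) address.

    None means no NIC holds it, which is the transient state seen in the portal
    while Azure reassigns the address. Two NICs holding it is inconsistent and
    is reported as an error rather than guessed at.
    """
    holders = [name for name, ips in nics.items() if len(ips) > 1]
    if len(holders) > 1:
        raise ValueError(f"virtual server address present on more than one NIC: {holders}")
    return holders[0] if holders else None


def virtual_server_address(nics: Dict[str, List[str]]) -> Optional[str]:
    name = active_nic(nics)
    return None if name is None else nics[name][1]


def detach_virtual_server(nics: Dict[str, List[str]]) -> Tuple[Dict[str, List[str]], str]:
    """First half of a Force to Standby: the address leaves the active NIC."""
    new = {n: list(ips) for n, ips in nics.items()}   # copy; never mutate the input
    name = active_nic(new)
    if name is None:
        raise ValueError("no active NIC to detach the virtual server address from")
    return new, new[name].pop(1)


def attach_virtual_server(nics: Dict[str, List[str]], address: str, target: str) -> Dict[str, List[str]]:
    """Second half: the address becomes the secondary IP on the other NIC."""
    if active_nic(nics) is not None:
        raise ValueError("virtual server address is still attached to another NIC")
    new = {n: list(ips) for n, ips in nics.items()}
    new[target].append(address)
    return new


def force_to_standby(nics: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Full failover: afterwards the former standby NIC is the one with two addresses."""
    current = active_nic(nics)
    others = [n for n in nics if n != current]
    if len(others) != 1:
        raise ValueError("expected exactly one standby NIC")
    detached, vs = detach_virtual_server(nics)
    return attach_virtual_server(detached, vs, others[0])


if __name__ == "__main__":
    print("active before:", active_nic(NICS), virtual_server_address(NICS))
    after = force_to_standby(NICS)
    print("active after: ", active_nic(after), virtual_server_address(after))
```

The split into detach and attach steps is deliberate: the state in between (no NIC with a secondary address) is exactly what the portal shows for a few minutes during the failover, and a monitoring check that treats it as an error rather than a transient will raise false alarms.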

ps

Tuesday, August 1, 2017

DevCentral’s Featured Member for August – Piotr Lewandowski

Piotr Lewandowski has been working in IT for well over 20 years – and it was not really a conscious decision to go this way, just blind luck. He started in the era without Internet…yes, not so long ago it was possible to live without the Internet :)…and IBM PC/XT computers. Thanks to self-learning he managed to work as a DTP operator on Apple computers (the first in Poland at the time). However, he also had to manage all the other aspects of the “network,” so he turned into an IT guy. Then he worked as a CIO for quite a long time, but when the company started to grow, he figured out the corporate environment was not for him and switched to consulting on his own terms.

About 5 years ago, F5 gear popped up and he had to learn how to use it. It was challenging as he never was a network pro – but it turned out that it’s interesting and challenging, so he’s still there and is DevCentral’s Featured Member for August!

DevCentral: Tell us a little about the areas of BIG-IP expertise you have.
Piotr: It’s a shame, but I am still best in the Load Balancing related part. I am struggling to improve in more trendy areas – security and AAA – but it takes time. Especially security in the WAF area. It is so broad and fast moving that I have a problem staying current. I am able to configure almost all pieces of BIG-IP LTM and GTM features, but for ASM, APM and AFM it is still a bit of a challenge.
I am not a programmer, but during some projects I learned both iRules and iControl, so I am comfortable with those. Lately I started to research iRulesLX – which seems very promising – but not a lot of info about real-life projects can be found.
I’ve also dabbled a bit with the BIG-IP/OpenStack topic and have a good idea how it works, but still need to deploy it in a production environment.
Recently I decided to improve my skills in dynamic routing protocols (BGP, OSPF etc.) to be able to address DDoS related topics (RTBH, RHI, Anycast). Somewhat challenging, but my lab is growing and I am starting to see some light in the tunnel – Polish proverb – don’t know if valid in English.
DC: You are a Technical Consultant at SoftwareDefined. Can you describe your typical workday?
Piotr: I am working for a few businesses; right now my most active relations are with SoftwareDefined. To be honest, right now there are plenty of projects, including some areas in which I am not so fluent, so most of my time is devoted to learning and testing.
Most of my day is filled in with lab work – testing how BIG-IP works behind the scenes (which is the only way I can be 100% sure that a given implementation will work as expected); recreating different bizarre customer configs to find out how to implement/improve them; and “reverse engineering” BIG-IP features to figure out if the impossible is possible. ;-)
I also stay current with DevCentral stuff.
There are of course days when it’s necessary to work directly with customers – explain how BIG-IP can be used, why it’s so great and how their life will be easier after buying a few, especially VIPRIONs!
Part of my tasks is technical support for customers we are working with. The bright side is that we are working with ones that are pretty skillful in the BIG-IP area – so cases are interesting and challenging and I am always learning something new and useful.
DC: You were a CIO right when the internet started to blossom in the mid-1990s thru the 2000s. What are some of the advancements that truly surprised you?
Piotr: Good catch! To be honest I barely remember how it was… but for sure not worse than it is now.
I guess there are two main topics that amaze me most. One you can surely call an advancement; the second is really a mystery for me – you can call it an advancement but…
The advancement is the vast ocean of information out there. Right now – if you know what you are looking for and how to triage search results – one can find the info he needs in a few minutes. Even if I have no idea at all about a given topic, it’s always possible to find some starting point and proceed from there. That was not possible without the Internet – sure, you could call a friend and try to find books, but it would take ages – and there is no time for that nowadays.
I do want to express that I love DevCentral (and I am honest here, not just trying to flatter). I know the communities of a few other big vendors and there is no comparison for my needs. I can’t recall a situation when I was not able to at least find a clue that allowed me to resolve an issue. There is so much valuable info and so many great people on DevCentral that it creates great value by itself!
The “advancement” I can’t understand is how easily people are sharing very private info on the Internet and at the same time how fiercely they are fighting for their privacy – that is a paradox I can’t figure out.
I am a dinosaur here; I still prefer a few good friends in real life to thousands of virtual friends out there. To be honest, for me the social part of the Internet could not exist at all.
The most amazing progress (somehow for sure related to the Internet) for me is Big Data, machine learning and AI. What is even more amazing is that those are seldom seen in the networking/ADC area. All the networking protocols, security, LB and so on were designed with one main goal – computers should be able to understand and use them – not humans. And computers are good at it – opposite to most humans. The sheer amount of data and the speed of changes are making reaction by humans almost impossible.
So why are humans still doing all these mundane tasks of configuring, tuning and adjusting? For me, the right direction is handing all this over to computers. Something like IoT. All should be based on intelligent entities that are aware of the surrounding environment, can self-tune/reconfigure, self-protect, actively fight for resources and finally self-destroy.
Even if that is scary and still far away, there are areas that should be changed/improved. A simple example in the BIG-IP courtyard – TCP optimization. This is a very complicated and mundane task, to adjust all those settings live. But the device processing traffic has all the data necessary to do that and understands this data better than most BIG-IP users ever can.
Another, maybe not so obvious, area is why the network is not aware of business data. Not all traffic is of the same value for the business, so the network/ADC should actively readjust configuration based on business data. It is totally possible when the whole IT infrastructure works as one conscious, intelligent organism, but impossible to be done in real time by humans.
DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.
Piotr: Each new implementation is a challenge, but I guess I can recall two that almost made me fall to my knees:
OpenStack and BIG-IP integration – plenty of new technologies I had never touched before. Steep learning curve and a relatively small amount of good quality info (it was a year ago; I am pretty sure now it’s much better).
“Reverse engineering” of BIG-IP APM/SWG to figure out if proxy chaining is possible (especially for HTTPS) or not. Here I had to really harness my iRules skills. Thanks to that, I was able to figure out how things work behind the scenes and, unfortunately, find out that the task is impossible to implement in a manageable way – to be honest, even with v13.0.0 it seems to be impossible.
DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?
Piotr: Nothing related to IT. I am not saying it’s not fun but… I guess I would try to be an archeologist; revealing secrets of the past always thrilled my mind. Probably not in the human past area, rather a few dozen million years back when dinosaurs ruled the Earth. I was always curious what would have happened if the big impact had not happened. And finally this job seems to allow one to visit really distant and mysterious parts of the world.
Thanks Niels! Check out all of Piotr's DevCentral contributions, connect with him on LinkedIn and visit SoftwareDefined.