Migrate, Scale, And Secure Your OpenShift Kubernetes Deployments With .

Transcription

Migrate, Scale, and Secure Your OpenShift Kubernetes Deployments with F5 and Red Hat
Martin Petersen, Solutions Engineer, F5
Ralf Brünig, Solutions Engineer, F5

Ansible – Automated Application Services
Code to Customer Vision: code, apps, customer
Control planes: NGINX Controllers (NGINX control plane), BIG-IQ (BIG-IP control plane)
Application services: Source to … balancer, app security, DDoS, DNS, CDN
Deployment platforms: containers, public cloud, virtual machines, colocation, commodity hardware, purpose-built hardware
2020 F5

BIG-IP and NGINX Plus in OpenShift
Advanced Application Services with BIG-IP: auto service discovery; managing and securing applications; end-to-end application visibility; automated app services for inbound traffic
F5 Container Ingress Service on Worker 1 … Worker N: ingress control for the containerised application
Microservices ADC with NGINX Plus

Advanced Application Services with BIG-IP

Adapting access and authentication
Users → Adaptive Auth (Endpoint Validation, Password, Step-Up Auth, Dynamic Forms, Certificates, Fraud Protection) → SSO Selection (SAML Pass-through, Federation (SAML), Simple Assertion, Token, Kerberos Delegation, Certificates) → Apps in Private/Public Cloud
Transform one type of authentication into another so an application may understand and use it without installing additional agents.
Allow flexible selection of SSO technique appropriate to the application.
2018 F5 NETWORKS

BIG-IP APM Identity Aware Proxy architecture (Zero Trust operational model)
Users on Mac / Windows / Mobile → Posture Check → Reverse Proxy with Single Sign-On (SAML / OIDC) and Continuous Posture Assessment → Access Approved / Access Denied
Identity: Azure Active Directory, IDaaS Provider (SAML / OIDC), Third-party Risk Engines
Applications: AWS, Azure, Google, On-premises (SSO)

Competitors, Phishers and IP …, Scrapers

Use Case: DoS Attacks
Problem: DoS attacks are growing, but your resources are not. Mitigation time is slow due to manual initiation and difficult policy …
Layer 3 DDoS Protection and Layer 7 DoS Protection (DDoS Hybrid Defender, Advanced WAF), with DoS Managed Services (Silverline, Always On): mitigation with a layered defense strategy and cloud services. F5 SOC monitoring with portal. Protection against all attacks with granular control.
Benefits: On-premises hardware acts immediately and automatically. Silverline cloud-based services minimize the risk of larger attacks.

1. Machine Learning: learns normal traffic baselines.
2. Stress Monitoring: detects abnormal server stress.
3. Dynamic Signatures: identifies bad traffic and bad actors.
4. Attack Mitigation: shuns bad traffic automatically.

Goes beyond TLS/SSL
Users → TLS → App-level Encryption → Application Layer Encryption (DataSafe Encryption). A login with username "user" and password "12345" travels as encrypted field values such as 088373be1 lsdkwe90x8xb28 pei57, so stolen credentials are encrypted and cannot be re-used by attackers or bots.
Features: Field Name Obfuscation, Field Value Encryption, Obfuscation and Evasion Detection, Comprehensive Brute Force Mitigation, AJAX JSON Support, no app updates required.

NGINX App Protect

From Monolithic to Microservices
NGINX and Red Hat are there for your journey

YoY Increase in CVEs
[Chart: CVEs published per year, 2010 to 2019; y-axis up to 16,000. Note: Excludes any rejections or disputes.]
New vulnerabilities are discovered in all manner of software all the time. They are exploited by both malicious bots and human attackers.
Do you know how many affect your application stack(s)? Can you keep up with the pace of published …? Do you want to?

The Pipeline is Built for Speed, Not Security
REALITY: THE AGILE …
“…” security policies often don’t translate well to Agile and cloud environments. Security control objectives can’t be adequately applied and enforced.

Vulnerabilities
Active attacks
Risk and address compliance

But why NGINX App Protect?
Strong App Security. Built for Modern Apps. CI/CD Friendly.

Comprehensive security policy has no impact on latency, and offers better throughput and requests/second when compared to ModSec.
ModSec configuration: OWASP Top 10 (enable all CRS 3v rules).
NGINX App Protect configuration: OWASP Top 10 (enable signatures), evasion technique, Data Guard, disallowed file types, HTTP protocol compliance.
[Charts: Throughput (MB/sec) and Latency for No Protection, NGINX App Protect and ModSec]

DevSecOps
- Integration into application security right from the start
- Automates security gates to keep the DevOps workflow from slowing down
- Enables DevOps to consume SecOps managed policies

Infrastructure and Security as Code
Source Code Repository: application code/config for App X; security policy/config for App X (owned by SecOps), for example:
  {"entityChanges": {"type": "explicit"},"entity": {"name": etypestate","action": "delete","description": "Delete Disallowed File Type"}
CI/CD Pipeline Tool: pipeline for build/test/deploy of App X
IT Automation: Ansible playbook for deployment of App X with its app services (operated by DevOps)

F5 and OpenShift

Certified Operators for both BIG-IP and NGINX Plus

F5 Container Integrations: Use Cases
Frictionless App Services Insertion (Dynamic App Services for container environments)
- Integrate natively with containers and PaaS for ingress control, app performance and security
- Enable self-service for DevOps – deploy app services in seconds within orchestration
- Automated discovery and services insertion – dynamically create, modify, and remove app services
Align DevOps Velocity with Automated App Services (Auto-Scale and Secure Cloud Container Apps)
- Spin up/down app delivery services automatically across multi-cloud
- Advanced security protections and mitigate expensive cloud attack traffic
- Flexibility in consuming app services with hourly and subscription Virtual Editions
Simplify and Centralise Security Services (Advanced Container App Protection)
- Manage app protection with advanced security services
- Automatically create and scale protection by subscribing to container events
- Integrate with vulnerability assessment for patching and gain attack insights from F5 and 3rd party solutions
Scale Multiple App Versions Simultaneously (Streamlined App Migration)
- Leverage A/B testing and Blue/Green traffic management
- Engage many load balancing methods and customise traffic streams
- Protect applications in development and production from malicious attacks and DDoS threats

Key Use Cases

Blue-Green vs. Canary Release Methodology

Resiliency Architecture for Multi-Cluster, Multi-Site Apps
GSLB: Cloud Services or BIG-IP DNS

Multi-Cloud App/Cluster Migration Resiliency
F5 DNS Load Balancing Cloud Services
Legacy Application → Transformed Application: Platform Migration, Lift and Shift to Cloud, Script
BIG-IP Intelligent Blue-Green Deployment (DNS)

Blue-Green Efficiencies
F5 DNS Load Balancer Cloud Services (GSLB) for app1.thebizdevops.com
Client → Cloud Services GSLB → Cluster Blue (ELB/LTM → APP1 V1 apps) or Cluster Green (ELB/LTM → APP1 V2 apps)

Site Resiliency Engineering Use Case: Layered Application Security
Standard security policy (first NGINX App Protect layer, facing the Internet): OWASP Top 10 and generic attacks, including Command Injection, SQL Injection, Cross Site Scripting and Server Side Request Forgery; telemetry
F5 Container Ingress Services
Application specific security policy (second NGINX App Protect layer, per application): base policy plus file type control
- DVWA01: .jpg(O) / .pdf(X)
- DVWA02: .jpg(X) / .pdf(O)

Summary and Key Takeaways

Key Takeaways
- Scale and Secure Your Container Deployments with F5 and Red Hat
- Provide Site Resiliency Aligned with Agile Development Best Practices
- Enable Best-in-Class ADC with Leading Container Platform

Resources
- SRE Demo …
- GSLB …
- About F5 & Red Hat: https://www.f5.com/redhat

DEMO