Application switching and load balancing are crucial for scaling heavily used databases, Web server farms and IP-based networks. Traffic management appliances generally incorporate some form of inspection at layers 2 through 7, SSL acceleration and high-availability failover options.
F5 Networks, a giant in the world of traffic management, recognized that load balancers can play a significant role in an enterprise's security framework. With that in mind, it beefed up its BIG-IP 5000 Series Application Switch with several new features that complement and enhance existing security solutions.
A FIPS 140-2 Level 3 certified appliance, BIG-IP is a supercharged 24-port 10/100 switch with four gigabit fiber ports. Powered by Broadcom ASICs that work as a switch-on-a-chip and contain their own memory, BIG-IP's speeds and feeds are impressive. The switch fabric is capable of 8 Gbps in one direction and 16 Gbps aggregate. Even using gigabit connections and a packet generator, I was unable to reach the box's theoretical performance limits.
BIG-IP can easily terminate more than 800 SSL sessions, which includes session setups and bulk encryptions. With software add-ons, it can handle 800 transactions per second (including the backend SSL connection requests). It will store certificates from a CA or generate temporary certificates. It's an impressive piece of hardware, but it's BIG-IP's software--now at version 4.5--that separates it from other switches.
Built-in Security Functionality
The F5's Universal Inspection Engine (UIE) and integrated rules--or "iRules"--drive BIG-IP's new software package. These features allow BIG-IP to inspect, switch and maintain client connections based on any portion of the HTTP header.
Most load balancers that do standard layer 7 switching can only inspect the HTTP header or examine cookies. UIE can inspect any part of the header or payload, and can make switching decisions based on rule matching. For example, UIE routes traffic to an appropriate application by looking for specific XML tags; or it can lighten the load on SQL databases by splitting data writing and reading among different servers.
iRules are used to help BIG-IP decide how traffic is balanced. They compare TCP information to admin-created signatures, which then trigger a routing action. For instance, security admins can create iRules for finding and filtering Nimda or Slammer worm traffic.
Prior to v4.5, BIG-IP's decision-making process was text based and not much different from competing solutions. Now, BIG-IP's UIE can inspect much deeper--looking at the protocol, port and the payload--for bytes with specific offsets, substrings and fields. This combination of the UIE and iRules gives the BIG-IP a great deal of flexibility for load balancing firewalls and IDS devices.
And while the ability to inspect payloads may overlap into the functionality of a rudimentary IDS, lookups only occur on the first 16K of data, since providing a full proxy--such as found in firewalls--is too intensive for a load balancer. BIG-IP's focus remains fast switching--particularly at the application layer.
BIG-IP complements existing security solutions with its Intelligent Port Mirroring. Without disrupting traffic flow, BIG-IP can direct traffic to the appropriate security device for intrusion detection, e-mail scanning, virus checking and other application-level security services.
BIG-IP allows enterprises to "pool" multiple backend resources into a single virtual server (similar to a Web server farm) for processing efficiency. The appliance directs traffic to specified pools through its 16 algorithms--including round robin, ratio, least connections, predictive and fastest node address. (F5's TripleDNS add-on module allows for DNS-based load balancing.) Once the iRules are established, BIG-IP can distribute heavy traffic loads to specific processing pools--such as specific IDSes.
Enterprises can create "clone" pools that mirror established pools, allowing for out-of-band security processing, such as an IDS inspecting traffic that's already been parsed by its load balancer. This gives BIG-IP the ability to perform near real-time traffic inspection on fast connections.
F5 includes iControl SDK, an open API based on SOAP/XML. It's C-like and fully scriptable to perform actions identical to what you'd do in the GUI or command line. The iControl SDK includes code samples with prewritten rules that work with specific IDSes and firewalls. With iControl, enterprises can integrate BIG-IP with their security devices, which can share critical information using a secure form of SOAP (or CORBA) to automatically make rule and configuration changes based on feedback sent to BIG-IP. Manual activation is also an option, since it will take a sea change before security admins start allowing automated policy changes.
Dynamic rebinding is also a good example of iControl's capabilities. BIG-IP can copy the state table used by OPSEC-certified firewalls. Should that firewall fail, F5 will take the existing state table, move it to another firewall, and rebind state to the next firewall to take over.
Integration plays an important role in network maintenance and availability. Devices can tell BIG-IP that they're going out of service for software upgrades or patch installations. BIG-IP will redirect traffic until they signal that they're back online. This function also is useful as an intrusion prevention tool, enabling enterprises to direct suspected malicious traffic to a honeypot.
BIG-IP can play a significant role in mitigating denial-of-service (DoS) attacks. Typically, a switch/router can be set to a low timeout for discarding connections, but the appliance's DoS protection has multiple settings that work to intelligently reap connections. Even under a simulation of a heavy load, I averaged 10 percent of BIG-IP's 2 GB memory. Nonetheless, by setting a "low-water mark," and simulating a DDoS attack, I was able to trigger an aggressive reaping of connections in the SYN state.
As the attack intensified and I got closer to the "high-water mark," BIG-IP got more aggressive and looked at open connections and how long the connection had been open. Within 1 to 2 percent of the high-water mark, BIG-IP began terminating idle connections. Only by creating a large number of active sessions and by setting the high-water mark unusually low was it possible to reach BIG-IP's limit at which it no longer allows new connections.
Another feature that can save servers from DoS is BIG-IP's inclusion of "dynamic ratio" load balancing. By looking at a server's load using the Windows Management Instrumentation (WMI) Perfmon agent or via SNMP, admins can weight various performance metrics to help the BIG-IP determine the load passed to specific servers. F5 provides predefined and customizable scripts for testing everything from servers to routers.
Inspection and setup is somewhat harder than it needs to be, mostly due to interface quirks. F5 provides on-site installation support to all customers. But even with F5's engineers' help, I still stumbled across quirks in the Web-based interface that caused minor configuration problems. A lack of configuration foolproofing makes it possible for admins to incorrectly assign IP addresses and effectively lock themselves out of their own system. Additionally, BIG-IP balked when the configuring client machine ran ZoneAlarm. It took a session with TCP Dump to work out the issue, which was resolved by turning off ZoneAlarm.
With a little elbow grease, enterprises can use this high-end load balancer to enhance their security and reap greater performance from existing security solutions.
Snapshot: BIG-IP 5000 Series Application Switch v4.5
BIG-IP is a supercharged 24-port 10/100 switch with four gigabit fiber ports. Version 4.5 performs load balancing, application switching, SSL management and other security functions.
- Universal Inspection Engine checks packets at the bit level.
- Provides SSL acceleration, DoS protection and certificate support.
- iControl provides dynamic interactive control of OPSEC-compliant firewalls and IDSes. APIs available for unsupported solutions.
- Blazingly fast switching.
- Extensible XML scriptable interface for granular, interactive control.
- On-site setup support provided as part of sales agreement.
- Pools and mirrors resources to handle security inspection at high speeds and under heavy loads.
- A good value for the long haul, but can be pricey to implement.
- Minor GUI quirks slowed setup and caused incorrect port address assignments.
- Lack of idiot-proofing makes it possible to inadvertently block your own IP address, which can effectively lock you out of your own system.
BIG-IP is an amazing piece of hardware that provides high-availability load balancing, fast and extremely intelligent layer 7 switching, granular interactive control, DoS protection, resource pooling and a number of other features to help protect an enterprise's Internet presence.
About the author:
Scott Sidel, CISSP, is a technical editor for Information Security and a senior security engineer at Computer Sciences Corp.