Objective 2.01 Determine a combination of features and functionality necessary to mitigate accessibility risks within an application architecture (e.g., APM, LTM, AFM, ASM, IPI, iRules, Silverline)

  • Accessibility
    • The quality of being:
      • able to be reached or entered
      • easy to obtain or use
      • easily understood or appreciated

Objective 2.02 Determine a combination of features and functionality necessary to mitigate availability risks within an application architecture (e.g., LTM, GTM, ASM, AFM, IPI, iRules, Silverline)

  • Availability
    • The quality of being able to be used or obtained
    • The state of being otherwise unoccupied; freedom to do something

Objective 2.03 Determine a combination of features and functionality necessary to mitigate confidentiality and privacy risks within an application architecture (e.g., LTM, APM, ASM, SWG, AFM, GTM, iRules, FPS)

  • Confidentiality
    • The state of keeping or being kept secret or private
  • Privacy
    • The ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively

Objective 2.04 Determine a combination of features and functionality necessary to mitigate integrity risks within an application architecture (e.g., LTM, APM, ASM, SWG, AFM, GTM, iRules, FPS)

  • Integrity
    • The quality of being honest and having strong moral principles; moral uprightness
    • The state of being whole and undivided

Objective 2.05 Differentiate security features and functionality required to address resource-based and volumetric availability risks within an application architecture


Objective 2.06 Explain features and benefits of AFM (e.g., network firewall, anti-DDoS)

  • Network Firewall
    • L3-4 policy-based firewall management
    • Rules, address lists, port lists, schedules
    • Geolocation, stale and redundant rule notification
    • Firewall iRules
  • Denial of Service
    • 100+ L2-4 attacks
    • Rate limiting
    • Per virtual security profiles
    • DoS white lists
    • DoS sweep/flood protection
  • IP Intelligence
    • Dynamic custom black/white lists
    • BrightCloud IP Reputation Database
    • Dynamic IP Shunning
  • Reporting and logs
    • Firewall and DoS reporting
    • Firewall and DoS event logs
    • Local and remote syslog streaming
    • SNMP
  • AFM firewall processing
    • L3-4 firewall based on BIG-IP full-proxy architecture
    • Stateful – no flow to back end user unless secure
    • Firewall rules are applied at access points
    • Logging is performed at access points
  • AFM default firewall actions
    • ADC mode (aka application mode): all traffic allowed; rules block – this is the default mode
    • Firewall mode: all traffic blocked; rules allow
  • AFM firewall rules
    • Inline (managed by Linux)
      1. Management port rules
    • Policy-based (managed by TMOS)
      1. Global rules
      2. Route domain rules
        1. Virtual Server rules
        2. Self-IP rules

Objective 2.07 Explain features and benefits of SWG (e.g., URLF, anti-malware)

  • Outbound APM allows corporate enterprise users controlled access to the web
  • Outbound APM combines a forwarding virtual server with an access policy
  • SWG builds on outbound APM to provide URL classification to:
    • Increase security with advanced threat detection
    • Increase regulatory compliance with data loss prevention
    • Enforce Corporate AUP with logs that provide forensic level details
    • Increase employee productivity when combined with single sign-on
    • Lower TCO by simplifying on-premise infrastructure
  • Allow granular policies at the user or group level
  • Manage users with authentication or by IP address
  • SWG filtering engine has Real-Time URL classification for Policy-Based blocking of:
    1. Offensive webpages
    2. Explicit webpages
    3. Malware webpages
    4. Phishing webpages
    5. Time-wasting webpages
    6. 41 categories and 124 subcategories

Objective 2.08 Determine the most appropriate deployment method (e.g., global, route domain, virtual server) for a given AFM policy and application architecture

  • Global
    • Global policy rules are collected in this firewall context. Global rules apply to all traffic that traverses the firewall, and global rules are checked first.
  • Route Domain
    • Route domain policy rules are collected in this context. Route domain rules apply to a specific route domain defined on the server. Route domain policy rules are checked after global rules. If you have not configured a route domain, you can apply route domain rules to Route Domain 0, which is effectively the same as the global rule context; however, if you configure another route domain after this, Route Domain 0 is no longer usable as a global context.
  • Virtual Server
    • VS policy rules are collected in this context. VS policy rules apply to the selected existing virtual server only. Virtual server rules are checked after route domain rules.
  • Self IP
    • Self IP policy rules apply to a specified self IP address on the device. Self IP policy rules are checked after route domain rules.
  • Management Port
    • The management port context collects firewall rules that apply to the management port on the BIG-IP device. Management port rules are checked independently of any other rules.
  • Global Reject
    • The global reject rule rejects all traffic that does not match any rule in a previous context, excluding management port traffic, which is processed independently.
  • Global -> Route Domain -> Virtual Server -> Self-IP -> Mgmt IP -> Default (Drop)
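The context order above and the ADC-mode/firewall-mode default actions from Objective 2.06, modelled as an added example (not from the study guide or from F5). Rule actions use AFM's real action set (accept, accept-decisively, drop, reject), which the outline does not list: "accept" in one context hands the packet to the next context, "accept-decisively" stops evaluation, and the management port is evaluated on its own; the sample policy and addresses are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str                  # accept | accept-decisively | drop | reject
    src: str = "0.0.0.0/0"       # source prefix the rule matches
    dst_port: int | None = None  # None matches any destination port

    def matches(self, src_ip: str, dst_port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and (self.dst_port is None or self.dst_port == dst_port))

# Context order from the outline; the management port is checked on its own.
CONTEXT_ORDER = ("global", "route-domain", "virtual-server", "self-ip")

def evaluate(policies: dict[str, list[Rule]], src_ip: str, dst_port: int,
             mode: str = "firewall", mgmt_port: bool = False) -> tuple[str, str]:
    """Return (verdict, deciding rule or default) for one packet."""
    if mgmt_port:  # management port rules are evaluated independently
        for rule in policies.get("management-port", []):
            if rule.matches(src_ip, dst_port):
                return rule.action, rule.name
        return "drop", "management-port default"   # assumed default for the model
    for ctx in CONTEXT_ORDER:
        for rule in policies.get(ctx, []):
            if not rule.matches(src_ip, dst_port):
                continue
            if rule.action == "accept":             # pass on to the next context
                break
            if rule.action == "accept-decisively":  # stop evaluating here
                return "accept", rule.name
            return rule.action, rule.name           # drop or reject ends it
    # Nothing matched: firewall mode rejects, ADC (application) mode allows.
    if mode == "firewall":
        return "reject", "global reject"
    return "accept", "ADC-mode default"

# Constructed sample policy (not from the outline): global drops RFC 1918
# sources, the route domain passes everything on, the virtual server admits
# HTTPS decisively, and management SSH is allowed only from an admin subnet.
SAMPLE = {
    "global": [Rule("drop-rfc1918", "drop", src="10.0.0.0/8")],
    "route-domain": [Rule("rd0-pass", "accept")],
    "virtual-server": [Rule("vs-https", "accept-decisively", dst_port=443)],
    "management-port": [Rule("mgmt-ssh", "accept", src="192.0.2.0/24", dst_port=22)],
}
```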

Objective 2.09 Explain the uses of application framework components

  • Protocol
    • Parsing, translating, and manipulating network and application protocols. Examples: IPv4 to IPv6 translation (NAT64), HTTP to SPDY gateway services, FIX traffic parsing, SIP Call ID extraction
  • Encryption
    • Encrypting and decrypting application traffic for security, inspection, and server offload. Examples: SSL decryption, SSL re-encryption, HTTP cookie encryption, SSL traffic visibility, and key protection
  • Context
    • Providing contextual information about the application traffic. Examples: device identification, location awareness, reputation awareness, connection metrics, and application and server health monitoring
  • Optimization
    • Altering some aspect of the application traffic or connection to improve the performance of the application. Examples: HTTP object compression, TCP connection multiplexing, adaptive traffic distribution based on server health scores, and TCP protocol optimization
  • Content
    • Parsing and manipulating application traffic. Examples: stripping credit card numbers from server responses, and reading and logging FIX transaction IDs
  • Analytics
    • Providing statistics and logging for application traffic. Examples: HTTP application load times, logging application events, and client-side latency

Objective 2.10 Analyze web services components to establish or locate client security zones, application security zones, and common workflows

  • Web Services
    • Is available over the Internet or private (intranet) networks
    • Uses a standardized XML messaging system
    • Is not tied to any one operating system or programming language
    • Is self-describing via a common XML grammar
    • Is discoverable via a simple find mechanism
  • Web Services Components
    • SOAP (Simple Object Access Protocol) – transfers messages
    • UDDI (Universal Description, Discovery and Integration)
    • WSDL (Web Services Description Language) – describes the availability of the service
  • Security Zones
    • Logical entities to which one or more interfaces are bound. Security zones provide a means of distinguishing groups of hosts (user systems and other hosts, such as servers) and their resources from one another in order to apply different security measures to them

Objective 2.11 Determine BIG-IP deployment methodology (e.g., Bridge, Routed, One Arm, Reverse Proxy) as it relates to network topologies/segments, security zones, and protocols

  • Routed Mode (inline)
    1. Request comes in the load balancer from the client destined for a VIP
    2. Load balancer selects the back-end server to handle the request
    3. Load balancer changes the destination IP on the packet to point to the back-end server, then transmits it. The client IP is maintained.
    4. The server responds to the client, sending the reply back to the load balancer. (Generally, this is accomplished by making the load balancer the default gateway for the back-end servers)
    5. The load balancer changes the source IP on the packet back to the VIP, then transmits the packet back to the client
    • Pros
      • Client IP is maintained
    • Cons
      • Load balancer becomes part of the infrastructure by routing
      • Network design/troubleshooting can be more difficult
      • Routing can be challenging by requiring unusual solutions to traffic pattern problems like PBR/static routing
  • One-Arm mode
    1. The client initiates a session
    2. A WAN router redirects traffic to the BIG-IP system
    3. The BIG-IP processes traffic and sends it back to the WAN router
    4. The router forwards traffic across the WAN
    • Pros
      • More flexibility in the network design
    • Cons
      • Difficult to log files accurately
      • Some apps may not work behind NAT
  • Bridged mode (transparent)
    • Cons
      • Spanning tree challenges in redundant configurations
    • Pros
      • Allows deployment where re-IP is challenging
  • Reverse Proxy Mode
    • Is a device or service placed between a client and a server in a network infrastructure
    • A full reverse proxy is capable of intercepting, inspecting, and interacting with requests and responses. Interacting with requests and responses enables more advanced traffic management services such as application layer security, web acceleration, page routing and secure remote access
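The routed-mode steps above, next to the SNAT a one-arm deployment needs, as an added example (not from the study guide or from F5) of which header fields change at each hop and why the server log keeps the client IP in one mode and loses it in the other. The addresses, ports and the SNAT-table model are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# Constructed sample addresses (not from the outline).
VIP, SNAT_IP, SERVER = "198.51.100.10", "198.51.100.11", "10.10.0.20"

class RoutedModeLB:
    """Steps 2-5 above: rewrite destination on the way in, source on the way out."""
    def to_server(self, pkt: Packet) -> Packet:
        return Packet(pkt.src, pkt.sport, SERVER, pkt.dport)      # client IP kept
    def to_client(self, reply: Packet) -> Packet:
        return Packet(VIP, reply.sport, reply.dst, reply.dport)   # server IP hidden

class OneArmLB:
    """One-arm: SNAT the source too, so the server's reply returns via the BIG-IP."""
    def __init__(self) -> None:
        self.snat_table: dict[int, tuple[str, int]] = {}   # SNAT port -> (client ip, port)
        self.next_port = 40000
    def to_server(self, pkt: Packet) -> Packet:
        port, self.next_port = self.next_port, self.next_port + 1
        self.snat_table[port] = (pkt.src, pkt.sport)
        return Packet(SNAT_IP, port, SERVER, pkt.dport)
    def to_client(self, reply: Packet) -> Packet:
        client_ip, client_port = self.snat_table[reply.dport]  # undo the SNAT
        return Packet(VIP, reply.sport, client_ip, client_port)

def server_sees_client(lb, client_ip: str) -> tuple[str, bool]:
    """Return (address the server logs as the client, whether the reply reached the client)."""
    request = Packet(client_ip, 51234, VIP, 443)
    inbound = lb.to_server(request)
    # The server answers whatever source it saw; behind SNAT that is the BIG-IP, not the client.
    reply = Packet(SERVER, 443, inbound.src, inbound.sport)
    outbound = lb.to_client(reply)
    return inbound.src, outbound == Packet(VIP, 443, client_ip, 51234)
```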

Objective 2.12 Assess traffic profile to recommend class of platform (e.g., VE, small appliance, large appliance, chassis)

  • VIPRION
    • Reduce Costs
    • Maximize performance
    • Consolidate devices
    • Achieve ultimate reliability
    1. Simplify your network
    2. Maximize large-scale application and firewall performance
      1. On-demand scaling improves performance
      2. Operational scaling enables consolidation
      3. Application scaling boosts capacity and resiliency
      4. Virtualized processing fabric shares the load across blades
      5. Clustered management cuts administration time
      6. Super VIP simplifies the network
      7. TMOS delivers performance and flexibility
      8. Hardware DDoS approach mitigates attacks
      9. Blade options enable superior performance and security
  • VE
    • Deploy with increased agility
    • Achieve automation and orchestration in cloud architectures
    • Optimize application services more efficiently
    • Provide the ultimate in flexibility
    1. Primary cloud scenarios
    2. Private cloud using software-defined architectures
      1. Flexibility and high performance in a two-tier hybrid architecture
      2. Deploy applications in the leading public cloud environments
      3. Application mobility across hybrid cloud environments
      4. Integration with SDN frameworks
      5. Automation and orchestration through granular programmability
      6. Centralized management and licensing with BIG-IQ
  • BIG-IP
    • Obtain the lowest TCO
    • Protect critical data
    • Secure applications
    • Ensure the easiest deployment for private clouds
    • Maximize investment protection
    • Maximize uptime
    1. Standardize your app delivery services
    2. Intelligent performance where it matters
    3. The advantages of BIG-IP hardware
      1. F5 ScaleN
      2. Gain agility and control in private clouds
      3. Two-tier architecture
      4. Programmability
      5. BIG-IQ centralized management
      6. Simplified and enhanced diagnostics and troubleshooting
      7. FIPS compliance at scale

Objective 2.13 Determine network architectural requirements to accommodate capacity requirements or changes (e.g., growth)


Objective 2.14 Establish strategies of a comprehensive management plan to address operational and compliance requirements