Modernizing Applications by Replacing F5 with the NGINX Application Delivery Controller and Signal Sciences

Editor's Notes

• #4: - We will
• #5: - We will
• #6: Our portfolio consists of our flagship product NGINX Plus. This is where it all started. It’s a versatile software solution that’s a load balancer, API Gateway, content cache and web server. Based on Popular Open source product, NGINX Plus offers enterprise grade support and features that enable you to deliver applications and APIs in a reliable and secure manner without compromising performance. Extend same Controller is our management plane that lets you configure and deploy NGINX Plus as a load balancer for application delivery and as an API gateway to manage your APIs. NGINX controller’s ADC module lets you configure, validate and monitor your load balancers at scale. NGINX Controller’s API Management module let’s you define, publish, secure, monitor and analyze your APIs. There’s an upcoming service mesh module However you want to configure NGINX Plus, you can do it using Controller. Controller provides deep analytics, configuration and control capabilities. It supports a policy based approach to management, The only all-in-one load balancer, content cache, and web server solution  Earlier this year The NGINX Application Platform is a suite of products that together form the core of what organizations need to modernize their infrastructure and move to microservices. The NGINX Application Platform includes NGINX Plus for load balancing and application delivery, the NGINX WAF for security, and NGINX Unit to run the application code, all monitored and managed by the NGINX Controller. Note: Please mention that this is a vision and not all the pieces are available yet, such Controller controlling Unit. released enhancements all around the application platform.
• #8: - We will
• #9: Age of digital
• #10: According to Amazon, DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enables organizations to better serve their customers and compete more effectively in the market. It’s an approach that breaks down silos between dev and ops teams. They work very closely during app development and especially during rolling out releases and deployments. What are the benefits of this approach: Because of this close collaboration, teams are able to introduce new features very quickly. They are able to achieve high feature velocity which in turn results in rapid innovation. Amazon deploys code every 11.7 seconds! Nordstrom went from twice per year to monthly for their mobile apps. No submitting tickets to IT for infrastructure needs. Through use of a variety of tools such as Chef or Puppet as well as automating common config, deployment and testing tasks, they are able to improv e agility and respond quickly to the needs of their customers. This also results in greater stability and reliability. Going back to the DevOps culture, early detection and rapid correction of erriors
• #11: Toolchain integration, Config is more complex, allocate IP address to create a new virtual server. NGINX Layer 7 to multiplex connections on a single IP address
• #12: Efficiency: On-Demand instances let you pay for compute capacity by the hour or second (minimum of 60 seconds) with no long-term commitments. You can access as much or as little as you need, and scale up and down as required with only a few minutes notice. Agility: In a cloud computing environment, new IT resources can be obtained and deployed with just a few clicks. \which means you reduce the time it takes to make those resources available to your developers from weeks to just minutes. This results in a dramatic increase in agility for the organization, since the cost and time it takes to experiment and develop is significantly lower. It’s also easy to improe scale
• #14: Microservices is an approach to software architecture that builds a large, complex application from multiple small components that each perform a single function, such as authentication, notification, or payment processing. Each microservice is a distinct unit within the software development project, with its own codebase, infrastructure, and database. The microservices work together, communicating through web APIs or messaging queues to respond to incoming events. You break down a monolith into a number of miroservices – each performing a single function. What are the benefits of this approach: Resilience: Better fault isolation; if one microservice fails, the others will continue to work.  whole system is not impacted or goes down when there are errors in an individual part of the system. The Circuit Breaker pattern wraps a protected function call in a circuit breaker object, which monitors for failures. Once a failure crosses the threshold, the circuit breaker trips, and all further calls to the circuit breaker return with an error, without the protected call being made at all for a certain configured timeout. Reusability and Scalability: Better scaling - different parts of the system can be scaled independently Improved agility: Software built as microservices can be broken down into multiple component services, so that each of these services can be deployed and then redeployed independently without compromising the integrity of an application. That means that microservice architecture gives developers the freedom to independently develop and deploy services. Different teams can be working on different components simultaneously without having to wait for one team to finish a chunk of work before starting theirs . This shortens cycle times.
• #15: Big-ip with a separate container that programs BIG-IP to route stuff
• #19: When you look at the legacy WAF solutions that are on the market today – there are several issues that lend them to be inadequate in solving this problem. Initially they were developed over 15 years ago to support monolithic and static web applications that rarely ever changed. Traditionally delivered via bolt-on functionality to network-based choke points such as CDNs and Load Balancers. They require heavy tuning and are very prone to false-positives……and lastly, they are expensive to own and operate. The menu of options has grown for building web applications. A monolithic security solution won’t work for microservices and multi-cloud architecture. Cloud adoption is growing quickly – confirm with prospect their cloud strategy.
• #20: - We will
• #21: Other quote: Overall, If I subscribe to this ruleset, all of it seems like a Blackbox and requests are getting magically blocked, which is not good." WAF User December 2017
• #24: - We will
• #25: Visibility is a critical factor.....and now for the first time developers can see real-time information on Who, what, when, where , and how their applications are being attacked or abused. This now facilitates a holistic application security strategy – where we can use pre-production scanning information where we’re looking to vulnerabilities at the code level – AND PAIR this with live production attack data to make better decisions on where we need to spend time ruggedizing our application. In the end allowing security to be a tool used during the development process.
• #26: Power Rules - A powerful platform with an intuitive user-interface to to define, monitor, and take action any application or API transaction, providing visibility into feature abuse and misuse, account takeover (ATO), bad bots, as well as basic functions like whitelisting, blacklisting and virtual patching. Power Rules are not signatures, and are not needed for OWASP attack coverage, which comes standard out of the box with Signal Sciences SmartParse without any rule configuring or tuning. Signal Sciences NLX – Signal Sciences Network Learning Exchange proactively looks at all malicious traffic across the network. NLX has the unique capability to recognize attack patterns to identify potential threats before they become malicious elsewhere in our customer network. This collective data provides great insight into all attacks that are happening to all customers. Having this collaborative information provides unique insight into attacks that are happening, and have happened across the world. SmartParse – a proprietary detection method designed to make instantaneous decisions in line to determine if there are malicious or anomalous payloads present. By evaluating the context of the request and how it would actually execute, we’re able to make highly accurate decisions. SmartParse is tested at scale with over 150 billion weekly production requests, requires no tuning or configuration, and virtually eliminates false positives. SmartParse is used in the detection of all Signals. When it comes to actually securing an application – as in identifying the bad actors and block them – nobody does it better than Signal Sciences. 95% of our customers have us deployed in full blocking mode. This is a result of our ability to deliver a more sophisticated and dynamic detection engine via SmartParse……but also by enabling business logic-based Power Rules and the Signal Sciences Network Learning Exchange which looks for suspicious events across our network and delivering that to our customers.
• #27: Signal Sciences support your existing tech stack, and your future tech stack. 50% of our installs are on-prem apps – t’s not just a solution for cloud/DevOps but for your entire footprint – today and in the future. When we talk about Scale – we’re not just referring to our ability to scale dynamically with an application, but also the ability to scale across the entire web presence of an organization. Our flexibility from a deployment perspective allows us to scale from legacy applications all the way to the most current development frameworks. Whether it’s a webserver running IIS…..an application running in Node JS……a Pivotal Cloud Foundry workload…..a kubernetes container…….a Kong API Gateway serverless environment......or an application running is AWS…….we can protect it – all through a single pane of glass.
• #28: Our approach is centered on delivering Active Protection Everywhere…..See, Secure, and Scale across – Any App, Any Attack, with integration into Any DevOps Toolchain. Signal Sciences can provide visibility and protection for any application regardless of where it sits and the underlying architecture – any cloud, container, Platform as a Service, or architecture. This level of support is unmatched by any other application security solution. Protection against OWASP Injection based attacks is just the tip of the iceberg – which by the way, we can provide right out of the box with ZERO tuning or customization. The real value that our customers express is our ability to also provide business logic protection – such as Application level DDoS, Brute Force Attacks, Account Takeover, and API misuse and abuse as an example. Lastly, being able to seamlessly integrate into any DevOps Toolchain means development teams can obtain information surrounding their applications via tools they already use during the development process.
• #29: - We will
• #33: We have seen how NGINX can replace/augment F5. Now let’s take a look at what other capabilities NGINX can offer beyond F5’s functionality,
• #36: It provides following capabilities: - Simplifies configuration of load balancers at scale Enables a policy driven approach to configuration to ensure consistency and prevent misconfigurations Helps you Avoid performance issues by providing preemptive recommendations Helps you met your SLAs by enabling you to root cause and troubleshoot performance and security issues quickly
• #37: NGINX Controller is a centralized monitoring and management platform for NGINX Plus. Easily manage multiple NGINX Plus instances from a single, beautiful interface. Uncover performance insights in real time with rich monitoring. Configure application delivery policies from a single point of control. NGINX Controller puts you in strategic command of your entire application.
• #39: It provides following capabilities: - Simplifies configuration of load balancers at scale Enables a policy driven approach to configuration to ensure consistency and prevent misconfigurations Helps you Avoid performance issues by providing preemptive recommendations Helps you met your SLAs by enabling you to root cause and troubleshoot performance and security issues quickly
• #40: NGINX Controller is a centralized monitoring and management platform for NGINX Plus. Easily manage multiple NGINX Plus instances from a single, beautiful interface. Uncover performance insights in real time with rich monitoring. Configure application delivery policies from a single point of control. NGINX Controller puts you in strategic command of your entire application.
• #41: Signal Sciences is doing to the WAF market what next-gen AV and endpoint security solutions like Crowdstrike and Cylance did for the legacy AV/endpoint market – along with a similar architecture. SmartParse – a proprietary detection method designed to make instantaneous decisions in line to determine if there are malicious or anomalous payloads present. By evaluating the context of the request and how it would actually execute, we’re able to make highly accurate decisions. SmartParse is tested at scale with over 150 billion weekly production requests, requires no tuning or configuration, and virtually eliminates false positives. SmartParse is used in the detection of all attack Signals.
• #42: Build Slide: (3 layered images) External Source: SANS Malicious IP List, Known TOR, GEO IP Lists, Bad Bot List Customer Sources: Custom Lists TOR = The Onion Router, used to obfuscate IP addresses to anonymize your source IP (what server you’re coming from) When traffic reaches the server, the module gets invoked and passes the request to the agent. The agent determines whether the request is malicious or anomalous. It responds back to the module to block or log the traffic based on the mode. All detection takes place at the agent level within your infrastructure. The agent collects meta data about the malicious requests it has processed and shares that metadata with the Cloud Engine. The Cloud Engine processes that metadata for the sole purpose of enhancing the agent. The output from the Cloud Engine is used by the agent locally to perform better detection and make more aggressive blocking decisions. In similar fashion to next gen AV products we perform detection locally but offload the computing needed enhance that detection with a cloud based analytics engine.
• #44: - We will
• #45: AppNexus is a technology company that provides trading solutions and powers marketplaces for Internet advertising. They operate the world’s largest independent marketplace for digital advertising and powerful enterprise technology for buyers and sellers of digital ads. AppNexus customers buy and sell ad impressions through a real-time bidding (RTB) application. As a web page loads, each available impression on the page triggers an HTTP retrieval to an AppNexus server, which hosts the ads. Each transaction takes mere seconds, but occurs billions of times every day. AppNexus’ worldwide data centers balance the load of incoming traffic based on network proximity to the client. AppNexus’ success and growth soon revealed problems with its F5 BIG-IP hardware load balancers. With more users being served and greater demand on the RTB application, performance and stability issues began to manifest. The hardware didn't perform up to promised specifications under real-world conditions, and AppNexus experienced high CPU usage and memory leaks. Critical security vulnerabilities required constant patching. F5 simply advised them them to spend more on additional hardware load balancers – specifically $3M extra. Replaced their entire F5 deployment with NGINX. We’re sustaining approximately 75,000 transactions per second through a single instance of NGINX Plus.” 
• #46: Choose your own quotes! “Almost an out-of-the-box solution for a complex footprint. The agent installation took about 10 min, the portal was created in 15 mins, we were seeing true alerts in less than 1hr.” - Enterprise Architect, Manufacturing Industry (Also looked at F5, Imperva) “Best WAF Technology I've Ever Worked With. The Signal Sciences WAF platform has been one of the most effective security technologies I've had the opportunity to work with. It was incredibly easy to implement, required no customization before moving to full blocking mode and does exactly what we need it to do with very little care and feeding. Their technical support is very responsive and always quick to answer a question, fix an issue or escalated to development. Documentation is excellent and their API first approach is incredibly helpful for integrating the platform into existing processes.” - IT, Services Industry “Signal Sciences has been the best WAF experience we’ve implemented: it was easy to see almost immediate results and how much better Signal Sciences was than our previous WAF. Signal Sciences was able to handle traffic that was otherwise unseen, and the configuration options allow us to tweak it perfectly for our environment. Plus, install has been super easy for all of our servers.”— Senior Information Security Analyst, Large Enterprise “Easy onboarding, simple deployment, effective service. Amazing support, amazing product. Signal Sciences WAF has found a permanent place in our environment. It has proven itself as an effective, practical security tool multiple times.” — Knowledge Specialist at Midsize Company “I’ve been really impressed with how Signal Sciences has made the team better developers. We easily have access to constant reinforcement of the data that the software provides — that we’re constantly under attack. Seeing it in a graph makes it real. When we’re making design decisions we now keep security at the forefront of our plans.”— CTO at Midsize Company
• #47: - We will