If you’ve ever heard of F5® I’m sure you’ve come across people referring to their products as “BIG-IP”. This has left a lot of folks asking what is BIG-IP and what does F5 BIG-IP do in a network? I’m going to break it all down for you simply so you can understand exactly what F5 BIG-IP is and the problems you can solve with it around networking & application availability, performance, security, and access control/IAM – in the clouds or in your data centers.
F5 BIG-IP Software
F5 BIG-IP is the overarching marketing name used to identify F5’s software suite of licensed “modules”. All of the modules sit “logically” inside of F5’s Traffic Management Operation System® (TMOS), in other words, they are all enabled via software. Even with the hardware version, there are no special cards you can buy per module, they all just sit logically within the BIG-IP software and get enabled in the provisioning section of the software by the licensing you pay for. I guess F5 could have called it the “F5 TMOS” platform, but BIG-IP just has a better ring to it 😉. Speaking of TMOS, it’s important to note that TMOS is a separate kernel that sits “next to” their enterprise Linux derivative of CentOS, and is F5’s true claim to fame. TMOS is at the heart of F5 and is the only true “Full Proxy” on the market. F5 realized early on that Linux is a good scheduling operating system, but not necessarily built to process packets in real-time, for that you need a FIFO (first in / first out) type operating system – and that’s what TMOS is. A good way to visualize how F5 is a “Full Proxy” is to take a look at the connections table and you will see the separate set of client-side and server-side connections. Having two sets of connections allows you to augment traffic dynamically on both sides of your BIG-IP – this gives you the ultimate swiss-army knife for traffic. For a deeper dive on that check out my article around how to view and delete connections in the F5 BIG-IP.
What’s cool about the BIG-IP modules is that you can license them however you need to. For example, you can have a BIG-IP that is dedicated to a single module, or you can have a BIG-IP that runs all of the modules. That’s the real power of BIG-IP – in short, the F5 BIG-IP is great for consolidating critical functions, this is especially important when we think of processing and protecting secure web traffic, i.e. HTTPS. That’s because terminating SSL/TLS is very expensive computation-wise, and a security risk – i.e. you want to limit who has access to critical “Keys”. Storing them only in the BIG-IP makes a lot of sense and gives you a great way to limit access as well as consolidate the spots where SSL/TLS termination is necessary. F5 is largely regarded as the best in the industry around terminating SSL/TLS – they do it FAST. Why is terminating SSL/TLS necessary? You can’t do any of the advanced functions around HTTP like applying a WAF, without seeing into the network stream. In order to dive into HTTPS, you need the “key” that is paired with the cert. Holding the key and “terminating” ie hosting it on the BIG-IP, allows you to safely see into the stream and provide critical services to your web apps like:
- Intelligently steering traffic based on availability & performance.
- Security to protect your web apps and APIs.
- Identity and access management/control.
- Critical application analytics
F5 BIG-IP Bundled Modules
While you can purchase most of the F5 BIG-IP modules à la carte, you can also save a bit of spend and purchase the primary modules via F5’s “Good”, “Better”, and “Best” software license bundles. It’s important to note, some modules can only be bought a la carte and are not offered within the bundles. But, you can indeed add those “un-bundle-able” modules when buying bundles. It’s also important to mention the LTM is the foundation of all modules. In other words, when you buy other modules like the DNS, AFM, APM, and AWAF as standalone devices, they all still leverage pieces of the LTM to function – albeit they usually limit your use of the LTM functions. For example, the standalone AWAF module will not allow you to do anything with UDP traffic – no worries if you’re just aiming to protect HTTP traffic that is over TCP. But if you want to use your BIG-IP for more than just WAF functionality you’ll need to add LTM – read more about the differences between AWAF and LTM. That’s why the different modules layer so nicely within the BIG-IP platform. Need a WAF? That’s just a security policy you apply to an LTM Virtual Server aka VIP. Need to provide MFA, SAML, or SSO between Apps? Similarly, that’s just one of the various authentication policies that you apply to a VIP. That’s what makes the BIG-IP so powerful – it’s the ultimate consolidation platform that allows you to proxy/load balance, apply security, offload and transform access, and a ton more – all typically at a single endpoint – the virtual IP or “VIP”. As mentioned earlier, this is especially important when dealing with web traffic because you only have to terminate SSL/TLS ONCE!!
Primary F5 BIG-IP modules offered in bundles, and available à la carte:
- F5 Good License Bundle
- Local Traffic Manager (LTM) – Full Proxy load balancing and traffic optimization, the LTM supports a wide range of protocols and allows you to steer traffic based on just about anything you can dream up. Typically known for providing load balancing functions based on application health & performance, but the LTM can do much much more than just act as a load balancer. When I say just about anything you can dream up I mean it, the LTM is the swiss army knife of proxies. It can act as a reverse proxy, forward proxy, and shape/bend traffic around things like security and authentication like no other product. You can even augment client-side and server-side traffic pragmatically with iRules (client-side) and iRules LX (server-side) and is super dev-ops friendly with a full REST-based API for automation and orchestration. The LTM is also the best in the biz when it comes to terminating SSL/TLS for full HTTP traffic inspection and manipulation. Many organizations use the LTM as a virtual machine in the cloud, for very good reason. They provide far more control and features than the native cloud load balancers. Another big reason for LTM cloud use is getting around cloud networking limitations, i.e LTM in the cloud lets you perform traditional network functions vs being limited by the cloud overlay networking. Most folks don’t realize the LTM is indeed an ICSA certified port-based firewall out of the box, lots of big organizations have the LTM right on the edge of their perimeter. There are only so many entrance points in a BIG-IP, which I lay out in this F5 firewall article. Think about it, each Virtual IP endpoint is a port-based firewall that you have control of – the sheer construct of a VIP consists of an IP and a port, well folks – that’s port based firewalling :). As long as the other entrance points are secure (and they are out of the box Mr/Ms trigger fingers 😉) you have yourself a very secure and straightforward firewall. The only drawback to using the LTM as a firewall are the limitations around logging and controlling east/west firewalling. While it can be done with global packet filters, it’s not really what it was meant for. Don’t you worry, that’s what the AFM module is for, it extends the control of the firewall and lets you get real granular at different context levels, and also vastly improves the logging for denied traffic. You can even build IPSEC tunnels with LTM, but you’d likely want to add the AFM for granular ACLs. If that wasn’t enough, you can also perform limited API gateway functionality with the LTM module utilizing a local traffic policy or iRule to perform request routing and basic validation of the request. For example – request method or a particular header being present. Coupling the LTM with the AWAF & APM makes for a very powerful all in one API Gateway & API protection solution. I’ve just scratched the surface around what the LTM can do, contact us to learn more.
- F5 Better License Bundle
- Includes LTM, as well as:
- DNS – Formerly known as the Global Traffic Manager (GTM), F5’s DNS module provides intelligent resolution for high availability and traffic steering on a per URL basis. “Per URL”, is very important to understand, because you can resolve each individual URL differently depending on the metrics you set. And again, you can do this around just about anything you can dream up – i.e. health & performance monitors, GeoIP, EDNS0, you can even base availability on multiple services that make up an app, ie you can have dependency monitors to multiple endpoints to intelligently resolve the DNS request to. F5’s DNS module also has full support for DNSSEC, aka the DNS Security Extensions. Lots of very large enterprises and government entities use the F5 DNS right on their edge as their external primary authoritative name servers, largely because of the security features and the amount of requests per second it can handle. Though, it doesn’t have to be authoritative, you can also implement the DNS module in a very unintrusive way utilizing CNAMES for each URL you want to intelligently resolve – makes for a nice and easy implementation. That’s typically the way folks implement F5 DNS internally in an org, ie NOT Internet facing, as you typically wouldn’t want to make F5’s DNS authoritative internally – but again, no issues doing that Internet facing as your primary DNS. Lots of folks confuse the LTM and DNS module, check out my article on F5 LTM vs DNS to learn more.
- Advanced Firewall Manager (AFM) – F5’s AFM extends all the features of the firewall that’s included in LTM and turns the BIG-IP into a firewall powerhouse. Namely, the AFM extends the logging features for denied traffic and gives you very granular control over the firewall. Opposed to the LTM that only lets you control one big ACL with the global packet filtering, the AFM gives you multiple points where you can apply an ACL. A lot of folks sleep on the AFM module, but the big secret is a lot of VERY large organizations have trashed their traditional firewalls in favor of providing that control right at the BIG-IP where all the rest of the magic happens. Think about it, why would you want to pay for another firewall that is only doing port-based firewalling and is an additional point of failure when you can do it all at the BIG-IP where you’re already terminating SSL/TLS?? It’s easy to realize what a lot of big organizations already have, don’t waste time and money on another firewall when you already have one built into your BIG-IP 😉. Important to note, starting in version 15x the pieces to control the AFM within BIG-IP received a facelift and is now very user-friendly and more familiar looking.
- F5 Best License Bundle
- Includes LTM, DNS, AFM as well as:. This is the software package I recommend most! It’s also going to be your best bang for your buck!
- Access Policy Manager (APM) – In true F5 fashion, the APM is a swiss army knife around all things access- & authentication-related. Want to add multifactor auth (MFA) in front of an app you’re pushing through the BIG-IP? How about multiple forms of auth with a decision tree based on what type of user it is (Internal, external, offshore, domestic, full browser, or thick client)? The APM makes all of that easy with its visual policy editor (VPE). There’s so much you can do with the APM: Federation via SAML, OAuth, and OpenID Connect; SSO; Full SSL VPN; and even gives you the ability to host a webtop similar to something like Okta, but with far more control and visibility. Want to perform a posture assessment on an endpoint? APM can check A/V status, local Firewall status, verify if a mobile device is rooted or jailbroken, and much more. Need to grant secure access from the internet to an app that was never intended to be exposed to the Internet? APM has your back with portal resources. Just acquired another company and their AD is jacked up but you’ve been directed to merge the two? APM can help you Band-Aid that situation with some secure federation until you can properly consolidate. APM is also a great tool when you need to federate with Azure AD and provide hybrid auth between your org and the cloud. Transforming auth is a cakewalk for APM, including complicated auth like Kerberos. Still, using Windows Authentication Proxies (WAP)s? You can replace those with a click of a button with the APM. Access Policy Manager is also great at fronting VDI and offloading authentication, for example with VMware Horizon/View VDI you can eliminate the security servers by using APM. Similarly if you’re using Citrix VDI, you can eliminate Storefront altogether. APM is heavily used in the Federal govt integrating with Common Access Cards (CAC)s. You can even use the APM to pre-authenticate ADFS traffic without the need for the traditional ADFS proxy servers. The APM also plays a hand in protecting APIs and can be used as part of F5’s solution as an API Gateway.
- Advanced Web Application Firewall (AWAF) – Formerly known as the Application Security Manager (ASM), true to its name the AWAF is the most advanced web application firewall on the market. While everyone was resting on their web security laurels, F5 was hard at work building the future of WAFs, extending protection past the application and on to the end-users with features like Behavioral DoS/ BaDoS extending protection to layer 7 – modeling and learning how good actors use applications to block bad actors. The AWAF is a great 1st level of protection for credential stuffing (typically performed by bots), aka account take over attacks, and layers very nicely with F5’s new managed service for bots attacks/credential stuffing protection – SHAPE. Check out my article to see how you can layer AWAF with SHAPE Enterprise Defense. It’s important to mention, the AWAF can also play a role in protecting APIs and has built in policies to protect them – allowing you to do schema validation and ingest OpenAPI specification files – sometimes referred to by folks as “swagger docs”. OpenAPI integration with F5’s WAF is useful in a CI/CD environments. Using a CI/CD pipeline, the security policy can be regularly and automatically updated.
F5 Module Licenses Not Offered In Bundles
F5 BIG-IP Modules not offered in a bundled package – they can be a la carte, but also at times may have a dependency on another module, please contact us if you need more information.
- Secure Web Gateway (SWG) – This module can replace technology like bluecoat and other outbound proxies, with the ability to act as a transparent or explicit forward proxy for your users outbound web surfing. This module extends APMs capabilities around URL filtering by enabling a subscription to the de facto standard for URL reputation and classification – websense, which has now become Forcepoint. SWG essentially enables you to control outbound Internet access for your users around web surfing and specific application access by relying on SWG for intelligence & classification around URLs / websites. For example, you could block all political sites, limit access to social media sites to lunch hours, allow all access and don’t log executive users, etc. Again the sky’s the limit around the intelligence you can build here around your internal users and their access to the Internet. Important to note, this solution also provides protection against malware, as well as real-time content classification.
- SSL Orchestrator (SSLO) – Bulk ingress and egress SSL/TLS termination? Yes please! SSLO is a great budget saver and future proofer, as it allows you to build an intelligent & flexible decryption chain for your security devices. In short, this allows you to put security devices like Palo Alto and FireEye in-line with your traffic without having to worry about terminating SSL/TLS on those 3rd party security devices. This allows you to buy smaller devices/licenses for those security devices, as you’ll be able to send them all clear HTTP while you let SSLO handle all the heavy lifting. Additionally, it makes testing and steering traffic intelligently possible. For example, if you wanted to POC a new security tool with real traffic in your environment, it would be very intrusive to try and get it into your production network. With SSLO you could build a temporary lane for only a subset of users who are testing – pretty slick eh? SSLO also makes it easy to bypass traffic that shouldn’t go through security devices. Again the executive traffic is a good example – the CEO sending emails about earnings is likely not something that anyone should have visibility into.
- Intrusion Prevention System (IPS) – One of the most underrated modules from F5! IPS allows you to perform protocol inspection and compliance to detect potentially malicious packets for TCP & UDP traffic. This module requires the AFM module, and used to be part of the AFM up to version 13x In version 13x it was split out as a separate license (see this article for confirmation). Starting in version 14x you can get continuous signature updates, but you’ll have to also ensure you buy the “Intrusion Prevention System Signature” add-on sub. See the notice here about that change.
- Policy Enforcement Manager (PEM) – Pem is all about giving you the ability to monetize the services you provide based on subscriber levels, plans, location, and even the number and types of devices they’re using. Harnessing all the intelligence that’s built into BIG-IP, PEM can detect and classify traffic very granualry, all while being subscriber aware. You’re also able to enforce policies while being able to dynamically steer traffic and control bandwidth – you can even dynamically chain services depending on subscriber requirements. Check out the datasheet for more information about PEM.
- Carrier-Grade NAT (CGNAT) – It’s no secret that F5 is the leader in the carrier space when it comes to network address translation at scale. The reason that has become the case is because of the flexibility BIG-IP provides with the features carriers need. Most orgs providing carrier services start to look at CGNAT when they run out of IPv4 space, F5’s CGNAT makes that a very easy and straightforward transition process with full support of NAT44 to extend the use of IPv4 addresses in their network, as well as NAT64 to enable IPv6 endpoints to seamlessly and transparently access IPv4 content and destinations – do note, BIG-IP CGNAT also supports 464XLAT and DNS64, which relies on DNS AAAA records. Check out the F5 BIG-IP CGNAT datasheet for more information.
- Virtual Edition Virtualized Network Function (VNF) – aka Network Functions Virtualization (NFV) are available from F5 via packaged NFV solutions, and include the F5 VNF Manager, which touts being able to automate the complete lifecycle management from service instantiation to auto-scaling, and decommission. F5 currently offers 5 NFV solutions: GI Firewall – GI LAN, DNS, DNS Security, and CGNAT. Take a look at this NFV Packaged solutions overview to learn more about F5 and VNF.
- Advanced Routing (RIP, OSPF, BGP, IS-IS, BFD) – Included in Better or above. Required for any dynamic routing
- Full-Box FIPS – Also known as “platform” FIPS, or you may have heard the discouraged term “Sticker FIPS” – they both refer to the recent certification on the 13.1 release code by the NIST. The software by itself provides FIPS 140-2 level 1, and when you add the tamper evident seals it provides FIPS 140-2 level 2. – Read about F5’s Full-Box FIPS in the F5 & FIPS – Full Box FIPS vs Dual FIPS section.
- Virtual Edition FIPS – Allows you to obtain FIPS 140-2 Compliant mode on the Virtual Edition of BIG-IP. You can read all about F5 & FIPs here.
BIG-IP Module Add-On Subscriptions that compliment modules
- Threat Campaigns (TC) – This is an add-on module for F5’s AWAF and has come from all the good work F5’s Threat Research team is doing – monitoring malicious activity around the globe and creating signatures specific to these exploits. While this is important, definitely the bigger reason to ensure you include TC with AWAF is the live updates for Bot signatures. Without TC you will only update your bot signatures through a major upgrade – which is no bueno, you need those live as fingerprints change often.
- IP Intelligence (IPI) – One of the most bang for your buck add-on licenses you can purchase from F5, because it can save you a ton of bandwidth, and subsequently processing power on the downstream equipment and servers / instances. IPI is essentially a subscription for the de facto standard of bad actors database offered by Websense/Forcepoint. Since this traffic is processed at a higher level it can get dropped very early in the life of a packet and reduce a ton of strain on your environment. Read more about IPI and defending against malicious traffic / bad actors.
- Intrusion Prevention System Signature aka IPS signatures – This sub is dependent on having the AFM module, as well as the IPS sub. As mentioned in the IPS sub starting in version 14x you can get continuous signature updates, This is the license you’ll need to buy for that. Read more here.
- Network Hardware Security Module aka Network HSM – If you have a need for FIPS, but can’t purchase a hardware platform from F5 that has the built in HSM, you’re going to need an external HSM from a vendor like nCipher. In order to use that external HSM module, you’re going to need this license. You can read more about F5 and supported 3rd party network HSMs for FIPS here.
- URL Filtering – This add-on subscription license gives the ability to call the same Websense / Forcepoint database (with real time updates) but only via iRules. In other words it does not give the SWG / APM like view to filter URLs – but you can make pragmatic decisions within iRules.
- BIG-IP SovLabs Integration – With the SovLabs F5 Module for vRealize Automation (vRA), you can now dynamically create or include existing F5 BIG-IP VIPs in vRA Blueprints. It also allows you to take advantage of F5 BIG-IP features such as iRules directly within vRA blueprints for consumption. This means that F5 BIG-IP is now a “first-class citizen” in vRealize Automation terminology.
Clouds and Hardware platforms BIG-IP Supports
BIG-IP modules can run virtually on all the popular hypervisors as a virtual machine (VM), or in a co-location/data center, as well in all the popular clouds like Microsoft Azure, Amazon AWS, and Google Cloud Platform (GCP) (and even on some of the not so popular ones). BIG-IP also runs on purpose-built hardware from F5 referred to as the iSeries platform, as well as their chassis-based solution the Viprion platform. BIG-IP is also backward compatible (version limited) on the new cutting edge chassis platform Velos, which was developed for their next-generation software coming soon.
Looking ahead to the future of BIG-IP
With the recent acquisitions of NGINX, SHAPE, Volterra, and now Threat Stack – it’s a likely bet F5 is going to evolve BIG-IP to take advantage of:
- Marketshare as a web AND app server, offering intelligence closer to the app than ever before.
- Lightweight portability.
- Scaling technology.
- #1 solution for Kubernetes orchestration & integration.
- Marketshare as the #1 solution for bot mitigation and credential stuffing attacks.
- AI & ML – this is huge! Shape has some crazy IP around artificial intelligence and machine learning – they’re solving the bot problem today, but there’s so much more that can be done with the tech.
- Their SOC is awesome and fleshes out their Silverline SOC very nicely.
- Serious backbone to obfuscate cross cloud communication and high availability.
- Mature SaaS platform poised to offer BIG-IP features in a SaaSy way.
- Threat Stack’s
- Cloud Security simplified, will likely contribute to their new SaaS offerings.
- Compliance offerings that will open doors to a whole new type of customer and subsequently revenue stream.
- More crazy AI & ML tech.
- More SOC resources to add to what they already have with F5’s Silverline & SHAPE SOC that was recently combined into one team.
I’ve never been more excited about what the future holds for F5 and the next generation of BIG-IP. BIG-IP has long acted as the “traffic cop” within the majority of large organizations – ensuring high availability while securing apps and transforming authentication. They are now uniquely poised to pull off their vision around “Adaptive Applications” – where applications learn to take care of themselves around performance, security, automation, and insights. While that may have sounded pretty pie in the sky a few years ago, that pie isn’t so high anymore, and I’m having myself a slice of it right now 😉