F5 BIGIP LTM原厂培训资料-1.ppt

What is FIPS? FIPS 140-2 standard : “Security Requirements for Cryptographic Modules”. Standard SSL Server Keys? Can’t login to Servers, can’t get at keys. Isn’t Standard SSL good enough? Want keys in tamper-proof hardware. Who needs FIPS-140? Companies regulated by U.S. government Configuring FIPS Epoxied card Switch (MOI) Card Reader Change Key Note – old picture Generate Certificate Create SSL Profile Point VS to Profile SSL Termination Labs Client SSL : Generate Certificate Custom Client SSL profile vs_ssl 10.10.X.102:443 using Client SSL profile Test: Connect :443 to :80 web? Server SSL (Optional): Custom Server SSL profile vs_ssl using both Client and Server SSL profiles Test again: Internet 10.10.X.102:443 80 7 Course Outline Installation Load Balancing Health Monitors Profiles Persistence Processing SSL Traffic Lab Project NATs and SNATs iRules Redundant Pair High Availability Maintaining BIG-IP LTM Day 1 Day 2 Let’s look at insert mode cookie persistence in more detail: Client connects the first time: the web browser has yet to receive a cookie for this site. BIG-IP detects that no cookie is present, and forwards the connection to the most appropriate available node. The node issues its http reply to the client. BIG-IP inserts a cookie with the appropriate expiration value and specific node information. Client connects back a second time. This time the web browser inserts the cookie in its http request. BIG-IP reads the cookie, and forwards the connection to the specified server The node issues its http reply to the client. BIG-IP updates the expiration value in the cookie. The advantage of insert mode cookie persistence is that the web servers remain untouched. The drawback is that the BIG-IP controller has an increased workload. Note that the BIG-IP controller is unable to forward the incoming connection to the appropriate node until it receives the cookie. As such, it needs to perform the initial TCP handshake with the connecting client.