joshAg|7 years ago
It's an inline Swiss-army network appliance that can do a fuckton of things at the speed of packets, or nearly so, up to 100Gb/s.
load balancing? check.
stateful load balancing? check.
SSL termination? check.
HSM-enabled SSL termination? check.
hardware-accelerated SSL termination? check.
firewall? check.
NG firewall? check.
compiled Lua/Tcl (I forget which) scripts so you can program something insanely complicated? check.
SAML? check.
ISP-sized NATs? check.
etc.
Plus, way more configuration knobs and options than you'd ever want at each network layer. Like, come up with a load balancing scheme where TLS 1.2 clients using Poly1305-ChaCha20 get sent to a specific pool of servers while everything else goes to another pool, except for clients trying to use QUIC who are coming from a specific range of IPs. They go to another set of servers.
Maybe a better way to think of it is that it's a single device for tweaking anything L3-L7 for your server and parts of your network.
(Used to work for F5, too, but I'm not sure how specific I can get with the NDA.)
ignoramous|7 years ago
As the industry [0] continues to put its weight behind NFV [1] and SDNs [2], along with the rise of IDNs [3], do you see network appliances keeping their share of the market against those solutions? I believe the @Edge network might continue to require these appliances for WAF, firewall/DPI (and other things I don't know about)... but that'd be a niche?
[0] http://opennetworking.org/
[1] https://www.opnfv.org/
[2] https://opencord.org/
[3] https://www.apstra.com/
unknown|7 years ago
[deleted]
gbuk2013|7 years ago
L4-L7 load balancing, distributed DNS, SSL offload, WAF, DPI, data centre firewall and other things, with a nice WebUI to configure all that.
The Tcl iRules allow you to hook into pretty much any stage of the request or the response, L4-L7, at FPGA speeds to do whatever you want to the request/response data.
It's a very powerful product.
zinkem|7 years ago
> any stage of the request or the response L4-L7 at FPGA speeds
I also work at F5, and used to work on the FPGA. This is unfortunately not true for Tcl iRules. The FPGA basically only operates on L2-L4; L7 is all software.
There was some talk about doing L7/iRules in an FPGA, but prototypes never produced compelling enough performance gains to make it worth it.
tommu|7 years ago
I challenge that assertion!
powera|7 years ago
It is the corporate internet. The internet exists in the box, as far as your employees / security model are concerned. (As far as the security model is concerned, There Are Always Bugs - this is a feature.)
If it weren't for the need for remote backups, email and such would be hosted there as well, and you could run a company on one of these with no access to the public internet at all. Accounting, finance, etc.: all of it.
unknown|7 years ago
[deleted]
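The steering policy joshAg describes in the first comment (TLS 1.2 clients negotiating ChaCha20-Poly1305 to one pool, QUIC clients from a specific IP range to another, everything else to a default pool) is in effect an ordered first-match rule table, and the order is what makes the "except for" clause work. The Python below is an added illustration of that decision logic written for this page; it is not F5 code and not an iRule. The pool names, the 203.0.113.0/24 range, the `Connection` attribute model and the sample connections are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    """What a load balancer knows about a client connection (constructed model)."""
    src_ip: str
    transport: str                # "tcp" or "quic"
    tls_version: Optional[str]    # e.g. "TLSv1.2"; None before or without a TLS handshake
    cipher: Optional[str]         # negotiated suite, e.g. "TLS_CHACHA20_POLY1305_SHA256"


# Constructed example prefix (TEST-NET-3); a real policy names the operator's own range.
SPECIAL_RANGE = ip_network("203.0.113.0/24")
DEFAULT_POOL = "pool_default"


def src_in(conn: Connection, net) -> bool:
    """True if the source address parses and lies inside net.

    An unparseable address never matches, so garbage falls through to the
    default pool instead of being steered into a special-purpose pool.
    """
    try:
        return ip_address(conn.src_ip) in net
    except ValueError:
        return False


def is_tls12_chacha20(conn: Connection) -> bool:
    """TLS 1.2 client that negotiated a ChaCha20-Poly1305 suite."""
    return (conn.tls_version == "TLSv1.2"
            and conn.cipher is not None
            and "CHACHA20_POLY1305" in conn.cipher.upper())


# Ordered first-match table: (rule name, predicate, pool).
# The most specific rule (QUIC from the special range) comes first so it
# overrides the cipher-based rule, which is the "except for" in the comment.
RULES: List[Tuple[str, Callable[[Connection], bool], str]] = [
    ("quic-from-special-range",
     lambda c: c.transport == "quic" and src_in(c, SPECIAL_RANGE),
     "pool_quic_special"),
    ("tls12-chacha20-poly1305", is_tls12_chacha20, "pool_chacha"),
]


def select_pool(conn: Connection) -> Tuple[str, str]:
    """Return (pool, rule name) for the first matching rule, else the default pool.

    Returning the rule name lets the decision be logged for later audit.
    """
    for name, predicate, pool in RULES:
        if predicate(conn):
            return pool, name
    return DEFAULT_POOL, "default"


if __name__ == "__main__":
    # Constructed sample connections exercising each branch of the table.
    samples = [
        Connection("203.0.113.7", "quic", "TLSv1.3", "TLS_CHACHA20_POLY1305_SHA256"),
        Connection("198.51.100.9", "tcp", "TLSv1.2", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"),
        Connection("198.51.100.9", "quic", "TLSv1.3", "TLS_AES_128_GCM_SHA256"),
        Connection("203.0.113.7", "tcp", "TLSv1.3", "TLS_CHACHA20_POLY1305_SHA256"),
        Connection("not-an-ip", "quic", None, None),
    ]
    for c in samples:
        pool, rule = select_pool(c)
        print(f"{c.src_ip:>15} {c.transport:<4} {c.tls_version or '-':<7} -> {pool} ({rule})")
```

Two points the table makes explicit that the prose leaves implicit: a TLS 1.3 client using ChaCha20-Poly1305 is "everything else" under this policy, because the rule is scoped to TLS 1.2, and a QUIC client from outside the range is also "everything else", because the QUIC rule requires both conditions.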