To upgrade or not. That is the question. Every IT administrator knows upgrading infrastructure is not trivial. It's time consuming, requires planning, working off-hours, and sometimes impacts business operations. And we’ve all experienced an ‘upgrade’ that actually degraded the functionality of our day-to-day operations.

But as bugs, found vulnerabilities, or the need for new capabilities continue to impact business IT, avoiding upgrades has become more problematic than ever. Whereas before businesses didn’t think too much about sitting out a round, today every business has to weigh the costs of upgrade avoidance vs. upgrading. And also accept it when they make these calculations even though they can’t always know all the true costs beforehand. That said, the practice of avoiding upgrades rarely if ever leads to innovation and business success.

Networking vendors develop software functionality that drives their products using a combination of the following inputs to deliver the best possible releases:

  • Innovative new or improved product features
  • Support for new or evolving industry protocols
  • 3rd party integration
  • To ensure system security
  • Customer or industry feature requests

Here at F5, product management and engineering go to great pains to plan BIG-IP software releases, designed to balance these inputs to meet customers' infrastructure needs and applications requirements while keeping security front and center. Balancing innovation and integration with security has become a requirement given the continual rise in hacking and attacks. This complexity is compounded as sometimes customers or certain industries require modification or a variant of existing product functionality to more accurately meet their needs. These requests for enhancement (RFE) are important to meet customer or market segment needs.

Introducing BIG-IP v12.1. Why upgrade to it?

On May 19th F5 released BIG-IP v12.1 and this version makes the decision on whether to upgrade a pretty easy choice. Firstly, v12.1 is a hardened, long-term maintenance release (5 years with hot fixes) which IT organizations can rely on for support for the next five years (along with hot fixes).

Secondly there are significant new features delivered in this release that can help businesses drive their operations into the future. Below are just a few of the new capabilities in BIG-IP v12.1 that are important to driving IT innovation:

BIG-IP Core

BIG-IP v12.1 introduces an updated Local Traffic Policies application that simplifies the way in which you can manage your traffic. BIG-IP local traffic policies are a simple prioritized list of rules that match defined conditions and run specific actions, directing your traffic accordingly. F5 has optimized these local traffic policies focusing on performance and operational simplicity.

Another great reason to upgrade is the expanded programmability of core services that are enabled with iRules LX. With BIG-IP v12.1, F5 enables utilization of Node.js packages (250,000 libraries) in conjunction with TCL. This lets JavaScript programmers utilize iRules LX to easily integrate proven and reusable Node.js libraries resulting in new powerful ways to manipulate and direct traffic.

Public & Private Cloud

BIG-IP v12.1 also significantly builds on F5’s support for public cloud integration. F5 web application firewall (WAF) capabilities are now supported for Azure Security Center for faster installation and protection of critical business applications. Support for Amazon Web Services is expanded though support of stateful failover and Auto Scaling of VE to provide increased reliability and scalability.

Cloud integration is, also further expanded with greater OpenStack support. BIG-IP v12.1 enables OpenStack-based orchestration with F5 developed open source LBaaS plug-ins, Heat orchestration templates, and certified partner integrations. This OpenStack integration enables increased agility and reduced time to market with automated deployment of comprehensive L4–L7 app services.

Security

F5 BIG-IP Application Security Manager (ASM) provides WAF protection and is enhanced with two unique capabilities. It now provides visibility and protection for WebSocket-based streaming data feeds to mitigate data theft or attacks. F5 is the first and only WAF vendor to provide strong protection of WebSocket flows.

The second enhancement is deeper identification and tracking of devices driving attacks. ASM tracks unique client app footprints across multiple requests to provide greater protection against web scraping, volumetric L7DoS, and brute force login. This deeper device tracking capability also helps with session awareness and policy builder trust scoring, and uniquely assists in the prevention of session hijacking. No other WAF protection solution has a deep device-ID tracking capability that follows a rogue server or device during an attack.

F5 BIG-IP Advanced Firewall Manager (AFM) has been extended to deliver some unique services as well. SSH Channel Proxy has been added to prevent backdoor access. Admins can easily configure AFM to act a SSH proxy filtering commands that are executed in the SSH channel to block or allow request based on user and group. This allows AFM to guard against unauthorized access to systems and resources and protect against the spread of malware across the datacenter.

Another addition to F5 AFM is the reduction of the attack surface with protection against port evasive apps such as instant messaging, P2P programs, and unauthorized tunneling to the network. AFM’s enhanced capabilities distinguish which layer 7 protocols are permitted for each destination port, tracks port use and indicates action to take when port misuse is detected. It uses less overhead than competitors and is easy to configure with a port misuse policy that attaches to security policies specifying expected layer 7 protocol, detecting mismatches, and logging/dropping mismatches.

DDoS protection built into AFM is also enhanced with v12.1 via simplification and greater accuracy of DDoS settings with auto-learning for DDoS threshold settings on global DoS vectors. Thresholds will be set based on historic traffic patterns that even persist across a reboot.

To ease the upgrade to BIG-IP v12.1 and future releases, F5 has introduced BIG-IP Upgrade Advisor. This tool is designed to identify potential issues that would impact BIG-IP upgrades—helping administrators make decisions about when and how to upgrade. Utilizing data from BIG-IP iHealth, Upgrade Advisor provides guidance that is specific to a BIG-IP based on its configuration, the version of software it is currently running and the version you are planning to upgrade to.  Upgrade Advisor is a continually evolving application so keep in mind that when you sit down to perform analysis, results from Upgrade Advisor are going to evolve over time with additional data coming into the system. This will make upgrading to later BIG-IP releases even easier as the application builds a deep knowledgebase from which it can better pinpointing issues.

At the end of the day, the question is not to upgrade or not but more of ‘to innovate or not.' Innovation is stifled if network infrastructure is not up to date.

To find out more about the BIG-IP v12.1 release and the enhancements to the F5 Security application modules and iRules LX, please review the following: