Distributed Cloud Services Painlessly Upgrade Security for F5.com
After more than five years of protecting the F5.com website with F5 Silverline managed security services, the company migrated to the new and more powerful F5 Distributed Cloud Services. The transition, invisible to users, enhanced security and visibility while providing easy access to a host of additional product and managed service capabilities.
Business Challenge
End-of-life announcements for popular technologies can make IT teams wince. They’re a tough fact of life that requires a transition but doesn’t have to cause headaches.
For instance, with the retirement of the F5 Silverline managed security services planned for 2025, F5 itself needed to migrate its global websites at the F5.com domain to the superior protection and capabilities of F5 Distributed Cloud Services. Other popular F5 portals, such as NGINX.com, were already protected by Distributed Cloud Services when the flagship site’s opportunity arrived.
“We understand our customers’ transition concerns because we sometimes have to do it ourselves,” says Melinda Hansell, the F5 Senior Director of Marketing responsible for the website.
The managed security solution package known as Distributed Cloud Web Application and API Protection (WAAP) was selected as the appropriate replacement. The migration involved the company’s foreign-language sites globally as well as in North America, all hosted on public cloud servers—including the company website in China, which sits behind China’s Golden Shield Project, sometimes called its “Great Firewall.” The change would affect four different environments, from dev and test to staging and production. Each involved different configurations for access and security.
Because a seamless transition was paramount, planning began in late 2023. Key concerns included maintaining constant security in the face of routine attacks while preventing even momentary impact on customers or other users during the transition.
Although not an unusually frequent target of cyberattack, the sites certainly face the automated and other assaults that have plagued most organizations in recent years. “Major DDoS attacks with really high traffic hit us roughly every couple of months and get squashed,” says Ilia Lebedenko, IT Senior Manager. Minor attacks are more frequent. That made DDoS mitigation an important part of the solution.
The project team involved had no previous contact with or knowledge of Distributed Cloud Services, so they faced a learning curve related to solution capabilities, requirements, risks, and impacts.
Solutions
The initial deployment included Distributed Cloud Web Application Firewall (WAF) and Distributed Cloud DDoS Mitigation. The migration mainly required learning how these security products worked, testing functionality, and tuning configurations in the company’s dev and test environments before moving to the higher-stakes stage and production environments.
“We had support,” says Briana Sanchez, an F5 Senior Software Engineer who took a central role. “The Distributed Cloud Services team was very cool on the entire migration process. But our team had to get to know and understand the solution because we are the site owners who know the traffic flows and how everything related to the site works. If we faced issues, it wouldn’t be as easy as, ‘Hey, fix this for me.’”
For instance, Sanchez noticed that the Distributed Cloud solution was handling application firewall rules somewhat differently from how Silverline did. Troubleshooting with the Distributed Cloud Services support team helped clarify what was happening behind the scenes so appropriate adjustments could be made.
The resulting knowledge was invaluable. Sanchez says, “By the time we got to production, we had pretty much everything in place and documented.” The documentation included various use cases, traffic workflows, and configurations. It will help maintain alignment into the future, when the team expects to quickly deploy more Distributed Cloud Services capabilities.
“I got to learn the solution very well and understand it to the point that I don’t really need to reach out for support much now,” Sanchez says. As a result, Distributed Cloud Services protection went live for the production environment without hiccups—or even waiting until business hours were over—in March 2024. By then the change was the equivalent of flipping a switch to the new configuration.
Lebedenko says, “The whole production migration took 20 minutes, max. It was smooth, quick, and simple—almost instantaneous. But weeks and months of work went into that.”
“The process can be much faster,” says Sanchez, explaining that the team was juggling a number of other major projects at the same time. “That delayed us the most. But we wanted zero downtime and zero impact on users, and that’s what we got because of effort we spent on our lower environments.”
Results
Protect global websites from evolving threats
With migration complete, Distributed Cloud Services is protecting all F5.com websites globally.
The word Sanchez uses to describe the resulting security is “powerful.”
“The difference is not just the name of the platform,” she says. “Silverline was a WAF tool. Distributed Cloud Services is not only a WAF but web application and API protection. It’s more robust.”
The technical differences between the solutions include stricter application of firewall rules such as allowlisting. Sanchez says, “That tells me that in terms of security, Distributed Cloud Services is more hardened.”
Enhance visibility and management
She also much prefers the Distributed Cloud Services interface, saying, “The dashboard is way more modern and intuitive. For real-time information and logs or debugging, it’s more complete and you get tons of information, such as whether a request was successful and why rejected requests were rejected. Sometimes you need those details to troubleshoot.” Separate tabs provide per-request performance and security metrics. Sanchez says, “It’s awesome to see all the services and monitoring available to you.”
Lebedenko also appreciates the solution’s rich charting capabilities, another tool for clarifying root causes, correcting problems, and improving IT overall efficiency.
Rely on expert technical support
Sanchez and Lebedenko both praise Dylan Syme, a Site Reliability Engineer on the F5 Distributed Cloud Services team. who took the time to answer questions and discuss scenarios. His lengthy email replies to questions also created documentation available for the future—including when supporting external F5 customers.
“He was back and forth with Briana like ping pong,” says Lebedenko. “She got outstanding, quick replies to deeply technical emails from a really responsive team.”
Easily add new capabilities
Finally, the Distributed Cloud Platform facilitates easy deployment of other integrated functionality.
“The migration opened the door for us to add other capabilities,” says Hansell. For instance, web forms on the site are expected to soon gain the protection of Distributed Cloud Bot Defense, another product in the Distributed Cloud WAAP solution package. This subsequent deployment, which Sanchez calls “pretty easy,” should eliminate previous problems with form submissions.
The team also anticipates deploying Distributed Cloud CDN in the next several months, thereby eliminating the cost of the third-party solution now delivering site content and caching but managed by a separate team. Testing for that implementation, which Sanchez expects to ease monitoring and speed configuration changes because she’ll be able to do them herself, is already underway.
“Having done the Distributed Cloud WAAP migration has helped a lot to speed up the other two efforts because it we already know how the platform works,” Sanchez says. “It’s amazing.”
She concludes, “And another word would be painless.”
Painless solution migrations? Yes, please!
Note: Current Silverline customers interested in making their own painless transitions can find recommendations and support in a free, on-demand webinar, “Making the Move from Silverline to F5 Distributed Cloud Services.”
- Protect global websites from evolving threats
- Enhance visibility and management
- Rely on expert technical support
- Easily add new capabilities
- The imperative of replacing an end-of-life product
- Maintaining security without user impact
- Avoiding disruption of unrelated but simultaneous projects