The DevCentral Chronicles Volume 1, Issue 3

Posted in f5, big-ip, application delivery, devcentral by psilva on March 6th, 2018

If you missed our initial issues of the DC Chronicles, catch up on January Issue 1 and February Issue 2. The Chronicles are intended to keep you updated on DevCentral happenings and highlight some of the cool content you may have missed over the last month. Welcome!

Kicking off this issue is the OWASP Top 10 #Lightboard series from @JohnWagnon. Not to be confused with Matthew McConaughey, John recently dropped numbers 6, 7 and 8 of the Top 10. He lights up Security Misconfiguration, Cross Site Scripting and Insecure Deserialization this time around, and we have a YouTube Playlist to catch them all. Great series and only two more to go!

One of the most popular articles over the last couple of weeks was @dholmesf5's The Top Ten Hardcore F5 Security Features in BIG-IP 13! Always a fun read, David dives into some of the coolest security functionality in BIG-IP v13 while sharing some personal stories. David is a master at weaving personal experience into information security, so don't miss it.

Have you jumped on the #SuperNetOps bandwagon yet? Wondering how it can help you move into the #DevOps realm? We have a section dedicated to Super NetOps and recently, @JasonRahm added a FAQ to help you get past the hump.

We’ve also posted a couple mitigations to some recent vulnerabilities. Security researcher Gal Goldshtein shares how to mitigate the Oracle Tuxedo "JOLTandBLEED" vulnerability (CVE-2017-10269) along with the Jenkins Unsafe Deserialization Vulnerability (CVE-2017-1000353). Gal offers step-by-step instructions on how to set it up on BIG-IP ASM. Also for ASM this month, Nir Ashkenazi shared a couple new Ready Templates, one for SharePoint 2016 and one for Drupal 8. Both help you simplify the configuration process and secure those applications.

Rounding out this issue of the Chronicles, Robbie Stahl covers BIG-IP VE on VMware for Custom Properties and an Ansible Deployment, I write up some goodness on F5's Application Connector, and Hannes Rapp is our Featured Member for March. Hannes is an Independent F5 Engineering Consultant focusing on BIG-IP ASM and LTM. According to Hannes, 'if you combine these two modules, you have the best of F5 product portfolio. One without another is incomplete BIG-IP.' We wouldn't argue with that.

As always, you can stay engaged with @DevCentral (and watch how we create our LightBoard Lessons), join our LinkedIn Group or subscribe to our YouTube Channel. We look forward to hearing about your BIG-IP adventures.

DevCentral’s Featured Member for March - Hannes Rapp

Posted in f5, big-ip, application security, application delivery, devcentral by psilva on March 6th, 2018

Hannes Rapp is an Independent F5 Engineering Consultant focusing on BIG-IP ASM and LTM. According to Hannes, 'if you combine these two modules, you have the best of F5 product portfolio. One without another is incomplete BIG-IP.' He's also interested in Python, building tools to automate routine administrative tasks on BIG-IP, and he sends special thanks to the REST API developers and the F5-sdk project team who make this task easier.

Hannes is a 2018 DevCentral MVP and our Featured Member for March!

DevCentral: First, please explain to the DC community a little about yourself, what you do and why it’s important.

Hannes: A crook from Eastern Europe, as I like to introduce myself. A guy from Estonia with a track record in online gambling industry. Given the background, potential customers are sure to raise an eyebrow. What if he spies for Russia and drinks vodka with his lunch instead of Cola?

Before my departure from online gambling, I worked as Network and Security Specialist for Playtech. This was the most impactful role for my career progression. There were days we had lots of work to do, and there were days we had insane amounts of work to do. These ever-growing work queues created a situation where some "safe" changes could sneak past Change Management procedures. But what "safe" is, is debatable. So occasionally, some production iRules were modified on the fly without any prior notice. Sometimes customers reported their issues were "magically resolved", and sometimes they reported new issues. I don't know who did those changes. Trust me, I always ask for permission and don't move an inch before the green light.

Anyone just getting started in IT should seek a busy place. If you want to become good at what you do, it's best to be buried under actual work but not under formalities. If you work at a conservative bank where every minor step must be measured and documented, you will not gain much experience. Banks are good when you're a bit older. They ask you to use a fork and a knife when eating. They help uncivil barbarians evolve into humans by giving lessons in ITIL.

DC: You are a very active contributor in the DevCentral community. What keeps you involved?

HR: My participation here is a learning experience. Most of my F5 knowledge comes from here. In particular, I like how official resources blend together with solutions and ideas from users not employed by F5 Networks. A closed echo chamber with one source of information would not be as interesting. Presence of bug complaints and negative remarks about the product drive the credibility of DevCentral and F5 as a vendor. With the addition of light board lessons, learning has been made even easier. It's always worth coming back here.

DC: Tell us a little about the areas of BIG-IP expertise you have.

HR: Anything but BIG-IP APM, SWG, GCNAT and WebSafe/MobileSafe. No matter what needs to be done, there's probably someone else that already had me do the exact same thing. I'm interested in adding WebSafe/MobileSafe to my portfolio but haven't had the opportunity.

DC: You are an Independent F5 Engineering Consultant focusing on BIG-IP LTM & ASM. Can you describe your typical workday and how you manage work/life balance?

HR: Something that is never missing from my typical workday is an argument with somebody. There's a famous quote that applies: "Arguing with an engineer is a lot like wrestling a pig in the mud. After a couple of hours, you realize the pig likes it."

When I'm not arguing, I create optimized WAF policies for online banking frontends and mobile apps. Most BIG-IP ASM configurations I have looked at are needlessly cumbersome and feature bulk not relevant for the application. Among other projects, I work on major BIG-IP upgrades. Large corporations with a lot at stake often want BIG-IP upgrades done so that all existing functionality is retained without alterations. Only, and only, when the upgrade is deemed successful should any modifications or new features come into effect. Any forceful configuration changes that are applied must either be denied or made redundant with trickery. For example, the event where default values in base profiles are updated to defaults of a new version must be segregated into a separate change. Segregation into bits and pieces helps with damage control. If an incident occurs, all troubleshooting efforts can be focused on a smaller area of surface.

My last two customers have given me the opportunity to enjoy a better work-life balance. They let me work remotely. Since my area of expertise is so narrow, isolated to F5 BIG-IP, finding projects can be a challenge. Not that long ago I had to travel to another country to be accepted for a project. As far as I'm concerned, work should be about work. If a project is delivered as expected, the place of work is of secondary importance. I appreciate there are corporations who are on the same page in that regard. It's already in the best interest of engineers and consultants to do their job because every new client asks for a recent recommendation.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

HR: The challenge was about converting nearly a hundred BIG-IP ASM policies from Case-Sensitive matching to Case-Insensitive. There's no supported way of changing this once your choice is locked in. After some testing, I found that it's possible to accomplish this by working with raw XML files. There's plenty of room for error but after a few days of scripting and testing, I got a solution I was happy with. From DevCentral, I found information about iControl API and instructions for use. This later proved very helpful for mass policy export and import functions. This was the old SOAP iControl API. Now I'm using iControlREST and would like to give a special mention to F5-sdk project team who work on a fabulous tool that eases automation with Python.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

HR: The only job that made sense to me as a kid was to be a basketball player in the NBA! As we were walking around our neighborhood in a group of 3, someone always came up with a rhetorical statement: "We need 1 more to play 2v2". And someone always expanded the scope: "or maybe we can find 3 more so we can play 3v3". This was the end of the 90s in Estonia. Basketball was immensely more popular than soccer aka football, a dumb ball game. Now it's the other way around.

Thanks Hannes! Check out all of Hannes' DevCentral contributions and connect with him on LinkedIn.


If there is a DevCentral member you think should be featured, let us know in the comments section!


Application Connector Overview

Posted in f5, big-ip, cloud, devcentral by psilva on February 15th, 2018

Today, let’s take a look at Application Connector. Application Connector connects public clouds to your application service infrastructure within cloud interconnects or data centers. This enables the use of public cloud resources as part of your compute infrastructure while also performing workload discovery and deploying consistent app services across your multi-cloud environments.

The idea behind Application Connector is to have your applications in the cloud but have them considered local to BIG-IP, so they don't need any inbound internet access. BIG-IP gets traffic from the nodes via a secure WebSocket connection. You can use Application Connector across multiple clouds, and you can keep the same virtual server address that you use now. If you've been hesitant about moving your applications to the cloud due to worries about security, this is a way to move to the cloud while still using your BIG-IP.


This diagram shows a basic Application Connector setup. You can see it is made up of two components: the Service Center, which runs on BIG-IP, and the Proxy, which runs in a Docker container in the cloud with your application.


This is what a running Proxy looks like. This web page is served by a Docker container running on a lightweight Linux instance, in this example on Amazon Web Services. In the top right, you can see we have authentication set up with AWS. Under Proxy Stats, you can also see some details about aggregate traffic passing through the Proxy to the application servers. And under Service Center Connections, you can see the BIG-IP that is associated with the Proxy.


And below that under Published Nodes, you can see the list of Published Nodes. Published means that BIG-IP has these nodes available.


Let’s take a quick look at a few possibilities for adding and removing nodes.

Let's say that these nodes are used in BIG-IP as pool members, so traffic is going to them. If we want to stop sending traffic to one of the nodes, we can simply disable it temporarily, and if we're done with a node, we can delete it completely. This is useful if you are on the Dev Team and you have access to the Proxy but you don't have access to the BIG-IP. Without contacting IT, you can start and stop traffic to the application.


What happens if we delete a node? If we scroll down a bit more, there are three options: we can auto-publish nodes to BIG-IP, or we can auto-discover them, which means the Proxy shows you the nodes and you choose whether to publish them to BIG-IP.


We went ahead and deleted one of the nodes and now that node appears under the Auto Discovery selection.


And we can decide if we want to publish to BIG-IP.


You also have the option to manually add nodes, so no matter where your nodes live, in Azure, Google, AWS or your data center, you can add them here and they'll communicate with BIG-IP over a secure WebSocket connection.


Now let’s turn to the BIG-IP. Here is the Service Center and it’s in the iApps section under Application Services>Applications LX. Here, we can see a visual representation of my active Proxy and its related nodes.


If we click Proxies, we can see the Proxy here and if we want to stop authorizing this Proxy we can. This will stop traffic going to these nodes.


If others in the organization add Proxies, we can go in and authorize them.


In addition, if we click API, we get a list of all the programmatic ways we can interact with Application Connector.


Now, on the BIG-IP, if we go to Local Traffic>Pools>Pool List we can look at the pool associated with this deployment. Let’s click Members. We can see that the nodes we’ve been working with are available for us to add to a Pool.


You'd use Application Connector if you're multi-cloud, since it doesn't matter where your nodes are: BIG-IP considers them local. From a security perspective, no public IPs need to be associated with your applications, and you keep your encryption keys on BIG-IP while sharing them across clouds. You also get consistency: BIG-IP services like load balancing, WAF, traffic manipulation and authentication are all centrally managed on BIG-IP. After the initial configuration, little ongoing management is needed.

The licensing is included with the iSeries appliance and available as an add-on for other platforms. You can watch the Application Connector – Part 1: Overview video from our TechPubs team.


The DevCentral Chronicles Volume 1, Issue 2

Posted in f5, big-ip, devcentral by psilva on February 6th, 2018

If you missed our initial issue of the DC Chronicles, check it out here. The Chronicles are intended to keep you updated on DevCentral happenings and highlight some of the cool articles you may have missed over the last month. Welcome.

First up, 2018 will be the year that we publicly open up speaking proposals for our Agility conference this August. Historically, the presenters have been F5 employees or partners, but this year we'd love it if you wanted to share your BIG-IP expertise, knowledge and mad-skillz with the greater F5 community. Review the info here and submit your proposal by Friday, Feb 9.

Next up is our exciting new (and FREE!) Super-NetOps training program. The Super-NetOps curriculum teaches BIG-IP administrators how to standardize services and provide them through automation tool chains. Network Operations Engineers can learn new skills, improve collaboration and advance their careers. Network Managers and Architects can support digital transformation and improve operational practices. As Jason Rahm notes in his Lightboard Lessons: Why Super-NetOps, Super-NetOps is not a technology but an evolutionary journey. Already featuring two complete classes on integrating NetOps expertise into the benefits of a DevOps world, this training program is poised to help the NetOps professional take a well-deserved seat at the continuous deployment table. I've taken the training and it is amazing.

Speaking of Lightboard Lessons, John Wagnon is going through the OWASP TOP 10 in his latest series and is already on number 5 of the list, Lightboard Lessons: OWASP Top 10 - Broken Access Control. The OWASP Top 10 is a list of the most common security risks on the Internet today and John has been lighting up each in some cool videos. If you want to learn about the OWASP TOP 10, start here and follow along.

Interested in BIG-IP security? Then check out Chase Abbot's Security Hardening F5's BIG-IP with SELinux. When a major release hits the street, documentation and digital press tend to focus on new or improved user features; seldom do underlying platform changes make the spotlight. Each BIG-IP release has plenty of new customer-centric features, but one unsung massive update is SELinux's extensive enforcing-mode policy across the architecture. Chase says that BIG-IP and SELinux are no strangers, having coexisted since 2009, but comparing our original efforts to our current SELinux implementation is akin to having your kid's youth soccer team shoot penalties against David Seaman. Good one.

Also filed under security for this edition is the Meltdown and Spectre Web Application Risk Management article by Nir Zigler. Nir talks about a simple setting that can reduce the attack surface with the “SameSite” Cookie Attribute. If you’re worried about those vulnerabilities, this is your article.
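To make the SameSite idea concrete, here is an added example (not code from Nir's article or from F5) that models what a reverse proxy or WAF sitting in front of an application can do: rewrite every Set-Cookie header it forwards so the cookie carries a SameSite attribute, which tells browsers not to attach it to cross-site requests. The header values and the `add_samesite` / `rewrite_response_headers` function names are constructed for this example.

```python
"""Add a SameSite attribute to Set-Cookie headers at a proxy.

Added example, not from the DevCentral article. It models the rewrite a
reverse proxy or WAF would apply to responses it forwards, so that browsers
stop sending session cookies along with cross-site requests (the CSRF-style
risk the SameSite attribute is meant to reduce).
"""
from typing import List, Tuple

ALLOWED_MODES = ("Strict", "Lax", "None")


def add_samesite(set_cookie: str, mode: str = "Lax") -> str:
    """Return the Set-Cookie value with SameSite=<mode> ensured.

    A cookie that already declares SameSite is left untouched, because the
    application author chose it deliberately. SameSite=None is only honoured
    by browsers when Secure is also present, so Secure is added in that case.
    """
    if mode not in ALLOWED_MODES:
        raise ValueError("SameSite must be one of Strict, Lax or None")
    # Set-Cookie is "name=value; attr; attr=value; ..." with ';' reserved,
    # so a plain split is sufficient here.
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    attrs_lower = [p.lower() for p in parts[1:]]
    if any(a.startswith("samesite=") for a in attrs_lower):
        return set_cookie
    parts.append(f"SameSite={mode}")
    if mode == "None" and "secure" not in attrs_lower:
        parts.append("Secure")
    return "; ".join(parts)


def rewrite_response_headers(headers: List[Tuple[str, str]],
                             mode: str = "Lax") -> List[Tuple[str, str]]:
    """Apply add_samesite to every Set-Cookie header in a response.

    Other headers are passed through unchanged; header-name matching is
    case-insensitive as HTTP requires.
    """
    rewritten = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            rewritten.append((name, add_samesite(value, mode)))
        else:
            rewritten.append((name, value))
    return rewritten


if __name__ == "__main__":
    # Constructed sample response headers from an application behind the proxy.
    sample = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "prefs=dark; SameSite=Strict"),
    ]
    for name, value in rewrite_response_headers(sample):
        print(f"{name}: {value}")
```

Running the block prints the session cookie with `SameSite=Lax` appended and the `prefs` cookie unchanged. Lax is the conservative default because Strict also blocks the cookie on top-level navigations that arrive from other sites, which breaks links into logged-in applications; pick Strict only where that is acceptable.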

This week, I'll be at the F5 AFCEA West Tech Day on Wednesday Feb. 7 as part of the AFCEA West 2018 Conference in San Diego. A full day of technical sessions covering the challenges of DoD cloud adoption with a fun Capture the Flag challenge. Our friends at Microsoft Azure will also talk about solutions to address the complex requirements of a secure cloud computing architecture. There is a great article over on MSDN explaining how to Secure IaaS workloads for Department of Defense with Microsoft and F5. #whereisdevcentral

Lastly, don’t forget to check out our Featured Member for February, Lee Sutcliffe, Lori’s take on #SOAD The State of Application Delivery 2018: Automation is Everywhere and the new F5 Editor Eclipse Plugin v2 which allows you to use the Eclipse IDE to manage iRules, iRules LX, iControl LX, and iApps LX development.

You can stay engaged with @DevCentral by following us on Twitter, joining our LinkedIn Group or subscribing to our YouTube Channel. Look forward to hearing about your BIG-IP adventures.



DevCentral’s Featured Member for February - Lee Sutcliffe

Posted in f5, big-ip, application delivery, devcentral by psilva on February 1st, 2018

After a brief hiatus for the New Year, we're kicking off the 2018 Featured Member series with a new DevCentral MVP: MrPlastic, Lee Sutcliffe. Like Kevin this past December, Lee does a great job with the opening question, so we'll let him tell his story. A long-time DevCentral member and always engaged with the community, Lee Sutcliffe is DevCentral's Featured Member for February 2018. Congrats Lee!

DevCentral: First, please explain to the DevCentral community a little about yourself, what you do and why it’s important.

Lee Sutcliffe: I guess I always enjoyed fixing and building things, taking things apart to see how they worked (admittedly, not always being able to put them back together again). From a young age, my younger brother would design something on paper and I'd have to build it with Lego. So it comes as no surprise that he is now an Architect and I'm an Engineer (of sorts).

My first IT job was a sandwich placement; after two years of University you spend a year working in Industry before going back to complete your final year. The idea being, when you graduate you already have some level of experience in the real world as well as your degree to help you get on the job ladder.

My placement was at a local high school as an ICT Technician, doing anything from network cabling to NT4-Windows 2000 migrations.

After going back to University and graduating I spent a year being a typical long haired hedonistic backpacker commonly known as hippie before finally deciding I should stop enjoying life and go earn some money for a change.

Since then I worked in another high school as a Network Manager for three years before landing a job in 2009 with Callcredit, a credit reference agency in Leeds UK. It was here where I really cut my teeth and was able to develop my career as a network engineer using Cisco, F5 and Check Point technologies amongst others.

I left the safety of permanent employment in 2013 to become a freelance contractor, working for a variety of clients, mostly in the financial sector, to where I find myself today at Lloyds Banking Group.

DC: You are a very active contributor in the DevCentral community. What keeps you involved?

LS: DevCentral always is my first port of call for anything I don’t know straight away. Members of the community have really helped me out over the years, especially in the early part of my career. I get a sense of satisfaction helping others and it’s important to give something back. For fear of sounding too altruistic, it is also a good way to keeping up to date and refreshing old skills, as well as learning new ones.

DC: Tell us a little about the areas of BIG-IP expertise you have.

LS: Like a lot of people BIG-IP LTM is my bread and butter and coming from a comms background it’s definitely the product I’m most familiar with, especially given its wide adoption. However, I have also worked a lot with GTM, APM and AFM, at the moment I’m working exclusively with iRules. I’m just starting to look into iRules LX which is a really interesting area.

DC: You are a F5 Consultant at Lloyds Banking Group. Can you describe your typical workday and how you manage work/life balance?

LS: I have been working as a contractor at LBG since July last year. I work within a team that is responsible for the maintenance and development of iRules used within the Bank, mainly for the online banking platform. Without disclosing too much, the use of iRules is vast, easily the most comprehensive I've seen anywhere, with custom proc libraries and in-house certificate management APIs to name but a few. For all intents and purposes, it's a developer role which had quite a steep learning curve, but I'm enjoying the challenges. Work life balance can be tricky, mainly because I work away in London during the week and home is over 300km away, which means weekends can become a bit rushed and end too quickly.

DC: You have many F5 Certifications including Technology Specialist (LTM) certifications. Why are these important to you and how have they helped with your career?

LS: Having F5 certifications has certainly helped me align my career down a more specific F5 route. They haven't been plagued by brain dumps, so the certifications actually mean something. I also like how the exams are written: you can't learn parrot fashion and you have to have had hands-on experience working with the technology. I'd like to sit my 401 exam eventually, but my limited ASM knowledge is currently preventing me getting all four CTS certificates – something I'm keen to resolve!

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

LS: I think my biggest BIG-IP challenge has been the adjustment to my current role. To go from a guy who 'did wires' to writing code for a living was a challenge, especially in the first couple of months. My first project at Lloyds was to develop a framework for a micro service which involved multiple separate iRules, hundreds of lines of code for session management and encryption services. However, one of my most memorable challenges was earlier on in my career and was actually quite simple; I do remember feeling particularly pleased with the solution. I had to create a monitor for a webmethod, and at the time the required version of NTLM wasn't supported as standard. I was racking my brains for ages when someone on DevCentral suggested I could use cURL and an external monitor. So I had to use tcpdump to capture the request, rebuild the XML using cURL, test the result and then use an external monitor to check the service. I remember how impressed I was at how customizable the product was, and if it didn't do it out of the box, there's usually a way to do what you need.

DC: Could you also give the backstory to Mr. Plastic if there is one?

LS: As for my DevCentral handle; MrPlastic well that may take some explaining! I used to produce a form of hard, aggressive dance music called Breakcore under the pseudonym Monster Plastic and ran a club night in Leeds, with my brother where we played our music and booked guest DJs and producers. It was a mixture of jungle, hardcore, gabber and heavy breaks – your mother wouldn’t approve! Monster Plastic soon developed into Lee Plastic. As for the Mr? I don’t know, maybe I just got married and settled down!

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or, when you were a kid – what did you want to be when you grew up?

LS: I'd like to be able to work outside. I'm a keen rock climber and mountaineer, and working in London doesn't lend itself to getting out as much as I'd like. So I'd probably like to work as a climbing and mountaineering instructor. When I was younger I wanted to pilot search and rescue helicopters for the Royal Air Force, but after university I was still enjoying partying too much and wasn't quite ready for a twelve-year commission!

Thanks Lee! Check out all of Lee's DevCentral contributions, connect with him on LinkedIn and visit Lloyds Banking Group or follow on Twitter.


Post of the Week: Two-Factor Auth and SSO with BIG-IP

Posted in security, f5, big-ip, silva, lightboard, authentication, rsa, devcentral, access by psilva on January 26th, 2018

In this Lightboard Post of the Week, I answer a question about 2FA and SSO with AD/RSA on BIG-IP by creating an SSO Credential Mapping policy agent in the Visual Policy Editor that takes the username and password from the logon page and maps them to variables to be used for SSO services. Special thanks to for the question and to a new 2018 MVP, MrPlastic (Lee Sutcliffe, which I flubbed), for the great answer.

Posted Question on DevCentral:



Watch Now:

Post of the Week: SSL on a Virtual Server

Posted in security, f5, big-ip, application security, silva, video, lightboard, http, ssl, devcentral, certificate by psilva on December 22nd, 2017

In this Lightboard Post of the Week, I answer a few questions about SSL/https on Virtual Servers. BIG-IP being a default deny, full proxy device, it's important to configure specific ports, like 443, to accept https traffic along with client and server side profiles and include your SSL certificates. We cover things like SAN/SNI certificates but I failed to mention that self-signed certificates are bad anywhere except for testing or on the server side of the connection.

Watch Now:

F5 Certified Practice Exams

Posted in f5, big-ip, infrastructure, certification, education by psilva on December 12th, 2017

Thinking of taking the F5 Certified 101 or 201 exams but not sure if you are ready? Ease the anxiety by taking an F5 Practice Exam!

That’s what I did, and it sure helped.

If you remember, back in August I attempted the 201-TMOS Administrator exam and successfully failed, missing by a few questions. I’ve been wanting to try again and had an opportunity last week but I hadn’t studied since that initial attempt at Agility. If I failed again, I’d have to wait another 45 days to give it another go.

So instead, I decided to take a practice exam.

Practice exams provide candidates with an accurate prediction of their performance on the live, production exams. Other than the section-level score reports, they are not intended to be used for study or learning purposes. Their entire value is based on their similarity to the production exams and their validity in predicting your performance. If you think you're getting a sneak peek at real questions, think again. They use entirely different questions on the live exams, so unless you actually learn the underlying knowledge, "knowing" the practice questions is completely useless and becomes a waste of time.

The Practice Exams are designed to mimic the real tests with 80 questions timed to 90 minutes. There are exhibits to consider, you can flag questions to review and you get instant feedback on your results. You can complete on your own device and you can ‘alt-tab’ to look up the answers if you so desire. Not that you should – defeats the purpose. While you do not get an actual score, you do get an indication if you Passed or Failed and insight (Below/Borderline/Meets) on how you did on the sections.


As you can see, 4 months of not studying doomed my fate. The 201 is no fly-by and really requires daily hands on experience. If I had done well, I could have taken the real exam the following day. This way, I know exactly where I need to focus and what I need to do to finally pass the 201.

They don't allow unlimited access to the practice exams and recommend using the practice exams no more than two, at most three, times as part of your preparation. Once you become familiar with the questions, the practice exam loses its value.

Practice exams are delivered via their Zoomorphix Exam Studio system and only available to registered candidates. They have 101 and 201 rehearsals with 301a, 302 and 303 practice exams coming soon.

If you’re preparing for a @F5Certified exam, you can review some of the F5 Certification study materials that are available.

Good luck!


DevCentral’s Featured Member for December - Kevin Davies

Posted in security, f5, big-ip, silva, devcentral, irules by psilva on December 1st, 2017

When we prepare for our Featured Member series, I typically send out a questionnaire and the DevCentral member writes out their answers. With the opening question I'll do a bit of editing and use that for the intro. This month however, airloom's Kevin Davies did such a great job with the opening, I decided to simply let him tell his story. A long-time DevCentral member and always engaged with the community, Kevin Davies is DevCentral's Featured Member to close out 2017. Congrats Kevin!

DevCentral: First, please explain to the DevCentral community a little about yourself, what you do and why it’s important.

Kevin: I suppose my interest in technology came from a desire to know how things work. My first job in computers was doing exactly that, building them at a small computer store in Brisbane. I have always been technical, being the pioneer in my family I immediately saw the potential they would bring and how it might shape the world…

I remember a quiet night alone in the office struggling to understand SCO Unix, as I’d come from a MS-DOS background. Yet I persisted, and using the SLIP protocol with static IP addressing, I successfully connected our business to the University, so we could receive email. This was back when Universities were connected globally and world wide web as we know it today, did not exist… yet.

My next role was to join an ISP as a help desk guy. Always in search of more knowledge, I figured the quickest way to get it was to immerse myself. Dealing with 10,000 users you rapidly discover the problems people are faced with as they try to get a handle on these things called modems! It was a great experience, and I attained my CCNA certification there. By the time I left three and a half years later, I was literally running the network.

Then I joined Unisys in a security role, to further expand my knowledge of firewalls and the way they operated. This required a deeper understanding of protocols, there were some very interesting problems you would come across. I lived for those moments and always found troubleshooting something I really enjoyed. During this job I transitioned from a Brisbane country town to Sydney the big city.

After various contracts and the GFC, I ended up at CSC doing more security, this time Checkpoint firewalls. It was here that I worked with my first BIG-IP. A load balancer, I mean what’s there to learn I thought? You send traffic here, you send traffic there… how little did I know. It wasn’t until I joined Red Education doing professional services that I came to understand the true capability of the device. Where I learned iRules provide customers with tremendous flexibility and iApps, API and automation toolsets make these devices scale and deploy in hybrid environments.

Now I work for airloom, the #1 F5 engineering partner in A/NZ, APJ and joint #1 globally, providing solutions that no-one else could deliver. My first week at airloom I sat my 401 exams. My second week I was learning a completely new product. The third was sitting down with customers. They have a consistently high level of expertise that is not found elsewhere in Australia. They recruit and maintain the best, to deliver the outcomes customers need. After eight years of F5 experience I thought I would arrive here at least on par with the guys within the team. I was wrong.

DC: You are a very active contributor in the DevCentral community. What keeps you involved?

KD: I’ve always enjoyed helping others; it’s part of my DNA, being a consultant. It is why I have enjoyed being an instructor as well as doing professional services for the last eight years. I’ve found that giving back to the community that has helped me is my way of saying thank you. From an airloom perspective the team is entirely focused on helping customers be successful, so giving is what we do day in and day out.

DC: Tell us a little about the areas of BIG-IP expertise you have.

KD: I have enjoyed making the BIG-IP do magic for customers. It really is a powerful integration toolset in the right hands. Everyone needs to get traffic from A to B. With one of these the capability to add world class protection at any layer, multiple layers of authentication or even inspection becomes possible. That’s on top of providing high availability and redundancy for any application. Its level of detail and control is quite astonishing.

I’ve made stateless applications stateful, made one protocol talk to another; the list goes on. My favorite has been iRules. I used to have a motto on the wall when I worked in one place for a few months… “iRules for breakfast, how many do you do?” That stateful piece was all written using iRules and saved the business over a million dollars in project costs whilst delivering projects quicker and with fewer errors.

I have deployed nearly every product; my most recent work has been migrating customers from legacy F5 physical appliances into virtualized appliances running vCMP. Instead of just running one BIG-IP they can have eight of them on a mid-range appliance. F5’s zero-contention virtualization platform means customers can have the speed and the flexibility to provision BIG-IPs with N dedicated processing cores.

One of my favorite F5 product modules is APM. The visual policy editor is a brilliant tool for building your own custom security policy and provides incredible flexibility. The authentication point to end all authentication points… SAML, OAuth, OTP, AD, RADIUS, TACACS, DIY. You can roll your own N-factor auth with built-in/external MFA and have all of it layered using SSO. It really is the authentication cornerstone of the products and is a joy to work with.

DC: You are a Distinguished Engineer at airloom. Can you describe your typical workday and how you manage work/life balance?

KD: On Mondays I prepare for the weekly briefing, check outcomes from the previous week and start planning the day. Then I tee myself up a list of things to do, including client meetings, and begin preparation for them. These continue till the end of the day. I might be in the office one day, working remotely, or both. We have no local infra except for a printer and wireless access points; everything we do is in the cloud. This means we are free to work from any location, be it at home, the office or a customer site.

The role of an airloom Distinguished Engineer is a pretty awesome one; we report to our CTO Adrian (Nobby) Noblett, who was the former F5 Solution Architect for APJ. Our role as DEs is to help our clients get the most out of their technology investments; however, we are also given the creative license to develop new solutions we believe will help our clients. We have several goals to work towards on a regular basis, and they are not just about projects but also about coming up with industry-leading solutions no one else is across, so we stay ahead of the curve and ensure our clients have access to the best solutions ahead of the entire market.

DC: You have a number of F5 Certifications including Technology Specialist (LTM) certifications. Why are these important to you and how have they helped with your career?

KD: I am certified in LTM, GTM, ASM and APM. I also just recently attained the Security Solutions Expert. F5 certifications are serious business. They provide assessment and recognition of technical skillset. This is valuable to airloom and valuable to my career, and on top of my experience it shows that someone is serious about maintaining their knowledge level on a product. I appreciate that F5 are diligent about detecting and eradicating shortcuts, as this maintains the value of the certification. The blueprints and study guide provided with each exam are highly relevant and far more than many other vendors provide to help professionals prepare themselves. From an airloom perspective it is a requirement that all DEs are 401-level certified to hold the DE title at airloom, and we actually have the equal-most number of 401s in the world in our team!

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

KD: There have been many. The biggest was an iRule solution that a customer refused to implement as a black-box solution! The data flow was deemed mission critical, so they required ongoing monitoring. This meant writing another iRule to collect statistics. Then another to display them. The solution itself used about 100 subtables, the statistics around 1000, as it tracked not only the success or failure but all possible execution outcomes, effectively profiling the solution behavior per transaction.

This was then output not only as an HTML web page showing the effectiveness of the solution, but also made available in XML format to be polled by a third-party monitoring platform. Their monitoring dashboard had graphs for each transaction type showing its effectiveness over time. It seemed overkill at the time; however, over three weeks the effectiveness of the solution gradually tapered off from 98% to 0%, and by that time we were furiously troubleshooting with F5 support.

It turned out about 1 in 200,000 calls to a certain command would return an undocumented outcome. Once known, the code was updated; the problem now was that the BIG-IP contained hundreds of invalid table entries that never expire. Failing over was not a solution because the HA device maintained an identical copy through session table mirroring. The most effective solution involved a fourth and final iRule to iterate through every permutation and remove the invalid table entries.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

KD: I think a tour guide. I love talking to people and seeing new things. I could probably travel for ten years and only see half what the world has to offer. Human beings are quite creative people and cultural differences produce an amazing diversity of ideas around the globe.

Thanks Kevin! Check out all of Kevin's DevCentral contributions, connect with him on LinkedIn and visit airloom or follow on Twitter.

The OWASP Top 10 - 2017 vs. BIG-IP ASM

Posted in security, f5, big-ip, application security, asm, compliance, malware, 0day, owasp by psilva on November 29th, 2017

With the release of the new 2017 Edition of the OWASP Top 10, we wanted to give a quick rundown of how BIG-IP ASM can mitigate these vulnerabilities.

First, here's how the 2013 edition compares to 2017.



And here is how BIG-IP ASM mitigates each category (OWASP Top 10 - 2017 category, followed by the BIG-IP ASM controls that address it):

A1. Injection Flaws
  • Attack signatures
  • Meta character restrictions
  • Parameter value length restrictions

A2. Broken Authentication and Session Management
  • Brute force protection
  • Session tracking
  • HTTP cookie protection

A3. Sensitive Data Exposure
  • Data Guard

A4. XML External Entities (XXE)
  • Attack signatures (see below)

A5. Broken Access Control
  • File types
  • URL flows
  • Session tracking
  • Attack signatures (directory traversal)

A6. Security Misconfiguration
  • Attack signatures

A7. Cross-site Scripting (XSS)
  • Attack signatures
  • Parameter meta characters
  • Parameter value length restrictions
  • Parameter type definitions (such as integer)

A8. Insecure Deserialization
  • Attack signatures (see below)

A9. Using Components with Known Vulnerabilities
  • Attack signatures integration

A10. Insufficient Logging and Monitoring
  • BIG-IP ASM can help with the monitoring process to detect, alarm and deter attacks
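To make the positive-security controls in the table concrete, here is a small added example (not ASM code, and not part of the original post) that models three of them, parameter type definitions, parameter value length restrictions and meta character restrictions, as a policy applied to a URL query string. The parameter names, length limits, denied character set and violation strings are assumptions chosen for illustration; ASM's real engine and violation names differ, and this is only meant to show why a typed, length-bounded parameter stops the injection and XSS payloads rather than relying on a signature for each.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qsl

# Assumed, illustrative policy: each parameter the application is allowed to
# accept gets a data type, a maximum value length and a set of denied meta
# characters. A parameter that is not listed at all is an "illegal parameter".
@dataclass(frozen=True)
class ParamRule:
    kind: str                       # "integer" or "text"
    max_len: int
    denied_chars: str = "<>'\";"    # assumed meta character set for this demo

POLICY: Dict[str, ParamRule] = {
    "id": ParamRule(kind="integer", max_len=10),
    "q": ParamRule(kind="text", max_len=64),
}


def check_query(query: str) -> List[str]:
    """Evaluate a URL query string against POLICY.

    Returns a list of violation strings; an empty list means the request
    passes every parameter check."""
    violations: List[str] = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        rule = POLICY.get(name)
        if rule is None:
            violations.append(f"{name}: illegal parameter")
            continue
        if len(value) > rule.max_len:
            violations.append(
                f"{name}: illegal parameter value length ({len(value)} > {rule.max_len})")
        if rule.kind == "integer" and not re.fullmatch(r"-?\d+", value):
            violations.append(f"{name}: illegal parameter data type (expected integer)")
        bad = sorted(set(value) & set(rule.denied_chars))
        if bad:
            violations.append(f"{name}: illegal meta character in value {bad}")
    return violations


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal":  "id=42&q=shoes",
    "sqli":    "id=1 OR 1=1",                  # wrong type for an integer parameter
    "xss":     "q=<script>alert(1)</script>",  # denied meta characters in a text value
    "unknown": "debug=1",                      # parameter not defined in the policy
}

if __name__ == "__main__":
    for label, query in SAMPLES.items():
        print(f"{label:8s} {check_query(query) or 'allowed'}")
```

Note that the SQL injection attempt is caught without any injection signature at all: the parameter is declared as an integer, so anything that is not an integer is a type violation. That is the point of the "parameter type definitions" and "value length restrictions" rows in the table: they narrow what a parameter may carry, and the attack signatures then only need to cover the values that are still allowed through.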


Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:

  • 200018018           External entity injection attempt
  • 200018030           XML External Entity (XXE) injection attempt (Content)

An XXE attack can also be mitigated with an XML profile by disallowing DTDs (and, of course, enabling the “Malformed XML data” violation). Blocking the DOCTYPE declaration itself means no entity, internal or external, is ever declared, so the payload never reaches an entity resolver.


For “A8:2017-Insecure Deserialization” we have many signatures, whose names usually include “serialization” or “serialized object”, for example:

  • 200004188           PHP object serialization injection attempt (Parameter)
  • 200003425           Java Base64 serialized object - java/lang/Runtime (Parameter)
  • 200004282           Node.js Serialized Object Remote Code Execution (Parameter)
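The following added example (written for this page, not F5's signature definitions or ASM code) shows what the two signature families above and the XML-profile "disallow DTD" control actually key on. The regular expressions are illustrative stand-ins assumed for the demo: they match the same payload shapes (an external entity declaration, a PHP `O:len:"Class":n:{` serialized object, the base64-encoded Java serialization stream header `rO0AB`, and the `_$$ND_FUNC$$_` marker used by node-serialize payloads), not the proprietary signature content. The DTD check uses the standard library expat parser, and the violation names returned by `classify_xml` are assumptions, not ASM's own.

```python
import re
import xml.parsers.expat
from typing import List

# Illustrative stand-ins for the signature families named above. These are
# NOT F5's signature definitions; they are simple patterns, assumed here for
# demonstration, that fire on the same payload shapes.
SIGNATURES = {
    "External entity injection attempt":
        re.compile(rb"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE),
    "PHP object serialization injection attempt":
        re.compile(rb'(?:^|[^A-Za-z0-9])O:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{'),
    "Java Base64 serialized object":
        re.compile(rb"rO0AB"),   # base64 of the 0xACED0005 Java serialization header
    "Node.js serialized object remote code execution":
        re.compile(rb'"_\$\$ND_FUNC\$\$_function'),
}


def match_signatures(body: bytes) -> List[str]:
    """Return the names of every signature that fires on a request body."""
    return [name for name, rx in SIGNATURES.items() if rx.search(body)]


class DTDNotAllowed(Exception):
    pass


def parse_xml_without_dtd(body: bytes) -> str:
    """Parse an XML body while refusing any DOCTYPE (the XML-profile
    "disallow DTD" idea). Returns the root element name; raises DTDNotAllowed
    on a DOCTYPE and xml.parsers.expat.ExpatError on malformed XML."""
    parser = xml.parsers.expat.ParserCreate()
    root: List[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at the start of the DOCTYPE, before any entity in the internal
        # subset is declared or expanded, so the XXE payload never gets resolved.
        raise DTDNotAllowed(f"DOCTYPE {name!r} rejected")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(body, True)
    return root[0]


def classify_xml(body: bytes) -> str:
    """Map the parser outcome to a violation name in the spirit of the ASM
    XML profile (the names are assumed for this demo, not ASM's own)."""
    try:
        parse_xml_without_dtd(body)
    except DTDNotAllowed:
        return "DTD not allowed"
    except xml.parsers.expat.ExpatError:
        return "Malformed XML data"
    return "allowed"


# Constructed sample bodies (not captured traffic). The Java sample is only
# the base64-encoded stream header plus filler, enough to trip the signature.
XXE_BODY = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b'<order><id>&xxe;</id></order>')
CLEAN_XML = b'<order><id>42</id></order>'
BROKEN_XML = b'<order><id>42</order>'
PHP_BODY = b'data=O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}'
JAVA_BODY = b'payload=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA=='
NODE_BODY = b'{"rce":"_$$ND_FUNC$$_function (){require(\'child_process\')}()"}'

if __name__ == "__main__":
    for body in (XXE_BODY, PHP_BODY, JAVA_BODY, NODE_BODY, CLEAN_XML):
        print(match_signatures(body) or "no signature match")
    for body in (XXE_BODY, CLEAN_XML, BROKEN_XML):
        print(classify_xml(body))
```

The two halves show the two complementary controls from the table: signature matching is negative security and catches the known shapes wherever they appear in the body, while the DTD check is a structural rule that blocks the entire class regardless of how the entity declaration is obfuscated. The structural rule is the one that does not need a signature update when a new XXE variant shows up.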

A quick run-down thanks to some of our security folks.


