Archive for f5

DevCentral’s Featured Member for December - Kevin Davies

Posted in security, f5, big-ip, silva, devcentral, irules by psilva on December 1st, 2017

When we prepare for our Featured Member series, I typically send out a questionnaire and the DevCentral member writes out their answers. With the opening question I'll do a bit of editing and use that for the intro. This month, however, airloom's Kevin Davies did such a great job with the opening that I decided to simply let him tell his story. A long-time DevCentral member who is always engaged with the community, Kevin Davies is DevCentral's Featured Member to close out 2017. Congrats Kevin!

DevCentral: First, please explain to the DevCentral community a little about yourself, what you do and why it’s important.

Kevin: I suppose my interest in technology came from a desire to know how things work. My first job in computers was doing exactly that, building them at a small computer store in Brisbane. I have always been technical, and being the pioneer in my family, I immediately saw the potential they would bring and how it might shape the world…

I remember a quiet night alone in the office struggling to understand SCO Unix, as I’d come from an MS-DOS background. Yet I persisted, and using the SLIP protocol with static IP addressing, I successfully connected our business to the University so we could receive email. This was back when Universities were connected globally and the World Wide Web as we know it today did not exist… yet.

My next role was to join an ISP as a help desk guy. Always in search of more knowledge, I figured the quickest way to get it was to immerse myself. Dealing with 10,000 users you rapidly discover the problems people are faced with as they try to get a handle on these things called modems! It was a great experience, and I attained my CCNA certification there. By the time I left three and a half years later, I was literally running the network.

Then I joined Unisys in a security role to further expand my knowledge of firewalls and the way they operated. This required a deeper understanding of protocols; there were some very interesting problems you would come across. I lived for those moments and always found troubleshooting something I really enjoyed. During this job I transitioned from a Brisbane country town to Sydney, the big city.

After various contracts and the GFC, I ended up at CSC doing more security, this time Checkpoint firewalls. It was here that I worked with my first BIG-IP. A load balancer, I mean what’s there to learn I thought? You send traffic here, you send traffic there… how little did I know. It wasn’t until I joined Red Education doing professional services that I came to understand the true capability of the device. Where I learned iRules provide customers with tremendous flexibility and iApps, API and automation toolsets make these devices scale and deploy in hybrid environments.

Now I work for airloom, the #1 F5 engineering partner in A/NZ and APJ, and joint #1 globally, providing solutions that no-one else could deliver. My first week at airloom I sat my 401 exams. My second week I was learning a completely new product. The third was sitting down with customers. They have a consistently high level of expertise that is not found elsewhere in Australia. They recruit and maintain the best, to deliver the outcomes customers need. After eight years of F5 experience I thought I would arrive here at least on par with the guys within the team. I was wrong.

DC: You are a very active contributor in the DevCentral community. What keeps you involved?

KD: I’ve always enjoyed helping others, it’s part of my DNA being a consultant. It is why I have enjoyed being an instructor as well as doing professional services for the last eight years. I’ve found that giving back to the community that has helped me is my way of saying thank you. From an airloom perspective the team is entirely focused on helping customers being successful so giving is what we do day in and day out.

DC: Tell us a little about the areas of BIG-IP expertise you have.

KD: I have enjoyed making the BIG-IP do magic for customers. It really is a powerful integration toolset in the right hands. Everyone needs to get traffic from A to B. With one of these the capability to add world class protection at any layer, multiple layers of authentication or even inspection becomes possible. That’s on top of providing high availability and redundancy for any application. Its level of detail and control is quite astonishing.

I’ve made stateless applications stateful, one protocol talk to another, the list goes on. My favorite has been iRules, I used to have a motto on the wall when I worked in one place for a few months… “iRules for breakfast, how many do you do?” That stateful piece was all written using iRules and saved the business over a million dollars in project costs whilst delivering projects quicker and with less errors.

I have deployed nearly every product; my most recent work has been migrating customers from legacy F5 physical appliances into virtualized appliances running vCMP. Instead of just running one BIG-IP they can have eight of them on a mid-range appliance. F5’s zero-contention virtualization platform means customers can have the speed and the flexibility to provision BIG-IPs with N dedicated processing cores.

One of my favorite F5 product modules is APM. The visual policy editor is a brilliant tool for building your own custom security policy and provides incredible flexibility. The authentication point to end all authentication points… SAML, OAuth, OTP, AD, RADIUS, TACACS, DIY. You can roll your own N-factor auth with built-in/external MFA and have all of it layered using SSO. It really is the authentication cornerstone of the products and is a joy to work with.

DC: You are a Distinguished Engineer at airloom. Can you describe your typical workday and how you manage work/life balance?

KD: On Mondays I prepare for the weekly briefing, check outcomes from the previous week and start planning the day. Then I tee myself up a list of things to do, including client meetings, and begin preparation for them. These continue till the end of the day. I might be in the office one day, working remotely or both. We have no local infra except for a printer and wireless access points; everything we do is in the cloud. This means we are free to work from any location, be it at home, office or customer site.

The role of an airloom Distinguished Engineer is a pretty awesome one; we report to our CTO Adrian (Nobby) Noblett, who was the former F5 Solution Architect for APJ. Our role as DEs is to help our clients get the most out of their technology investments, however we are also given the creative license to develop new solutions we believe will help our clients. We have several goals to work towards on a regular basis, and they are not just about projects but also about coming up with industry-leading solutions no one else is across, so we stay ahead of the curve and ensure our clients have access to the best solutions ahead of the entire market.

DC: You have a number of F5 Certifications including Technology Specialist (LTM) certifications. Why are these important to you and how have they helped with your career?

KD: I am certified in LTM, GTM, ASM and APM. I also just recently attained the Security Solutions Expert. F5 certifications are serious business. They provide assessment and recognition of a technical skillset. This is valuable to airloom and valuable to my career, and on top of my experience it shows that someone is serious about maintaining their knowledge level on a product. I appreciate that F5 are diligent about detecting and eradicating shortcuts, as this maintains the value of the certification. The blueprints and study guide provided with each exam are highly relevant and far more than many other vendors provide to help professionals prepare themselves. From an airloom perspective it is a requirement that all DEs are 401-level certified to hold the DE title at airloom, and we actually have the equal most number of 401s in the world in our team!

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

KD: There have been many. The biggest was an iRule solution that a customer refused to implement as a black-box solution! The data flow was deemed mission critical, so they required ongoing monitoring. This meant writing another iRule to collect statistics, then another to display them. The solution itself used about 100 subtables, the statistics around 1,000, as it tracked not only the success or failure but all possible execution outcomes, effectively profiling the solution behavior per transaction.

This was then output not only as an HTML web page showing the effectiveness of the solution, but also in XML format to be polled by a 3rd-party monitoring platform. Their monitoring dashboard had graphs for each transaction type showing its effectiveness over time. It seemed overkill at the time; however, over three weeks the effectiveness of the solution gradually tapered off from 98% to 0%, and by that time we were furiously troubleshooting with F5 support.

It turned out about 1 in 200,000 calls to a certain command would return an undocumented outcome. Once known the code was updated, the problem now was the BIG-IP contained hundreds of invalid table entries that never expire. Failing over was not a solution because the HA device maintained an identical copy through session table mirroring. The most effective solution involved a fourth and final iRule to iterate through every permutation and remove the invalid table entries.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

KD: I think a tour guide. I love talking to people and seeing new things. I could probably travel for ten years and only see half what the world has to offer. Human beings are quite creative people and cultural differences produce an amazing diversity of ideas around the globe.

Thanks Kevin! Check out all of Kevin's DevCentral contributions, connect with him on LinkedIn and visit airloom or follow on Twitter.




The OWASP Top 10 - 2017 vs. BIG-IP ASM

Posted in security, f5, big-ip, application security, asm, compliance, malware, 0day, owasp by psilva on November 29th, 2017

With the release of the 2017 edition of the OWASP Top 10, here's a quick rundown of how BIG-IP ASM can mitigate each of the ten risk categories.

First, here's how the 2013 edition compares to 2017.

13to17.png

  

And here is how BIG-IP ASM mitigates each category (BIG-IP ASM controls listed under each OWASP 2017 entry):

A1:2017-Injection
  • Attack signatures
  • Meta character restrictions
  • Parameter value length restrictions

A2:2017-Broken Authentication
  • Brute force protection
  • Session tracking
  • HTTP cookie protection

A3:2017-Sensitive Data Exposure
  • Data Guard

A4:2017-XML External Entities (XXE)
  • Attack signatures (see below)

A5:2017-Broken Access Control
  • File types
  • URLs
  • URL flows
  • Session tracking
  • Attack signatures (directory traversal)

A6:2017-Security Misconfiguration
  • Attack signatures

A7:2017-Cross-Site Scripting (XSS)
  • Attack signatures
  • Parameter meta characters
  • Parameter value length restrictions
  • Parameter type definitions (such as integer)

A8:2017-Insecure Deserialization
  • Attack signatures (see below)

A9:2017-Using Components with Known Vulnerabilities
  • Attack signatures integration

A10:2017-Insufficient Logging & Monitoring
  • BIG-IP ASM logging and reporting help with the monitoring process to detect, alarm on and deter attacks

 

Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:

  • 200018018           External entity injection attempt
  • 200018030           XML External Entity (XXE) injection attempt (Content)

XXE attacks can also be mitigated with an XML profile by disabling DTDs (and, of course, enabling the “Malformed XML data” violation):

asmclip.jpg

For “A8:2017-Insecure Deserialization” there are many signatures, whose names usually include “serialization” or “serialized object”, for example:

  • 200004188           PHP object serialization injection attempt (Parameter)
  • 200003425           Java Base64 serialized object - java/lang/Runtime (Parameter)
  • 200004282           Node.js Serialized Object Remote Code Execution (Parameter)

A quick run-down thanks to some of our security folks.

ps





Mitigate L7 DDoS with BIG-IP ASM

Posted in security, f5, big-ip, application security, silva, DoS attack, devcentral, infrastructure, waf, ddos by psilva on November 28th, 2017

Today, let’s look at a couple ways to mitigate an application DDoS attack with BIG-IP ASM.

We’ve logged into a BIG-IP ASM and navigated to Security>DDoS Protection>DDoS Profiles. In the General Settings of Application Security, we’ll activate an application DoS iRule event.

l7d2.png

 

Under TPS-based Detection you can see the TPS thresholds, which we’ve temporarily lowered so an attack is easy to simulate. Often there are multiple mitigation methods that are applied in sequence, as you can see in the Source IP settings.

l7d34.png

 

We can also record traffic packet captures during attacks for post analysis.

l7d5.png

 

When a user requests a web application proxied by BIG-IP ASM, ASM creates a unique identifier, the Device ID, by injecting JavaScript that registers each client device. You can see the X-Device-ID: at the bottom.

l7d6.png

 

And clients that cannot run JavaScript never make it through.

l7d7.png

 

Now that the unit is ready, let’s enable packet capture and have a go at the Damn Vulnerable Web Application (DVWA).

l7d8a.png

 

The log files live under /var/log/ or /shared/log/. The PCAP folder is empty so far, so let’s see some action.

l7d8b.png

 

Attack commencing in 3-2-1. A few quick refreshes should do, since our thresholds are low.

l7d8c.png

 

The first mitigation is Client Side Integrity Defense: the system issues a client-side integrity challenge that consumes client computation resources and slows down the attack. Next is the built-in CAPTCHA. The third mitigation is Rate Limiting…

l78de.png

 

…and if they’re still not listening, you can instantly turn the target into a Honeypot.

pot.png

 

The logs below show the source IP address and the mitigation technique deployed: first Integrity, then CAPTCHA, then Rate Limiting, then Honeypot if they don't stop. The traffic you recorded is in the now-populated PCAP folders.

dvwa_logs_full.png



Post of the Week: BIG-IP APM Policy Sync

Posted in security, f5, big-ip, silva, lightboard, devcentral, policy by psilva on November 17th, 2017

In this Lightboard Post of the Week, I light up the answer to a question about BIG-IP APM Policy Sync. Posted Question on DevCentral: https://devcentral.f5.com/questions/apm-policy-sync-56330

Thanks to DevCentral user Murali (@MuraliGopalaRao) for the question and special thanks to Leonardo Souza for the answer!



VDI Gateway Federation with BIG-IP

Posted in f5, big-ip, authentication, vdi, devcentral, access by psilva on November 14th, 2017

Today let’s look at how F5 BIG-IP APM can consolidate, secure and federate all the core VDI gateway technologies. For instance, if an organization decides to move from one VDI technology to another, or if you’re consolidating VDI technologies, BIG-IP can help.

On the BIG-IP we’ve set up three VDI environments: Microsoft RDS/RDP with a broker authentication server, VMware Horizon and Citrix XenApp. With only a corporate account, a user can authenticate to all of them as needed and access all available desktop content.

In this example, we connect to the BIG-IP APM. This is the default view.

vdi1.png

 

And here we’ve added some advanced security fields, such as OTP or multifactor authentication.

otp.png

 

So here we use our username and password and, for additional security, choose a secondary grid. A grid is not generally available by default from any of the VDI vendors. When we select grid, BIG-IP APM presents a grid for PIN entry. This is provided through a partnership with Gemalto: BIG-IP connects to Gemalto servers to present the grid to the user. We then enter our confidential PIN.

vdi34.png

 

Upon authentication, we’re presented with our BIG-IP APM Webtop; BIG-IP has done the necessary single sign-on for all the VDI technologies and environments assigned to us.

vdi6.jpg

 

With a single, multifactor authentication we’re able to gain access to our federated BIG-IP Webtop and select the specific VDI resource we need.

From an administrative view, here is the full Visual Policy Editor (VPE) for the overall solution. This also shows where the OTP/Grid is if you follow the Host FQDN path.

fullvpe.png

 

And here are the specific inspections and criteria for the VDI scenario. You can see a path for each VDI vendor along with specific inspections and actions depending on the situation.

vdivpe.png

Special thanks to F5 Sr. Security SE Matthieu Dierick for the explanation and you can watch the demo video.

ps



Lightboard Lessons: What is DDoS?

Posted in security, f5, application security, lightboard, DoS attack, basics, scams, devcentral, 0day, botnet, ddos by psilva on November 1st, 2017

Over the last quarter, there were approximately 500 DDoS attacks daily around the world with some lasting as long as 300 hours. In this Lightboard Lesson I light up some #basics about DoS and DDoS attacks. 

ps



DevCentral’s Featured Member for November – Nathan Britton

Posted in security, f5, big-ip, devcentral, featured member by psilva on November 1st, 2017

Nathan Britton works as a Principal Security Consultant in the UK for a security solutions provider called NTT Security, part of the NTT Group. NTT Security works with customers to design and implement security solutions, and his team specializes in application delivery and security in particular. His specific role is focused on solution design and technical governance. Nathan is a BIG-IP ASM SME, a DevCentral MVP and our Featured Member for November!

DevCentral: You are a very active contributor in the DevCentral community. What keeps you involved?

Nathan: Hands down it’s the best community forum I’ve ever participated in and, over the years, I’ve taken a lot from it. As such, I like to ensure that, time and my knowledge permitting, I give back to the community whenever I can. Also, there are always new things to learn, so being active on DevCentral makes sure I see what other community members are doing to solve other peoples’ issues and I keep on top of new features of the products.

DC: Tell us a little about the areas of BIG-IP expertise you have.

NB: My main background has been BIG-IP LTM and ASM. I was a customer of F5 for around 5 years where we had a number of BIG-IPs load balancing internal applications, and also a pair of ASMs protecting our internet facing web applications. I still recall the day I joined the team and was asked to look after the BIG-IP that had been a little bit neglected and not knowing my F5 from my BIG-IP and what was an application delivery controller anyway! Fortunately, some free F5 University training and some lurking on DevCentral soon got me on track.

DC: You are an Engineer at NTT Security. Can you describe your typical workday and how you manage a work/life balance?

NB: As a consultant there is no typical working day. One day I could be onsite at a customer workshop going through a solution design on the whiteboard, the next day could be working on proposals which we hope will turn into a new customer engagement and other days I could be assisting colleagues with technical governance on one of their projects. Part of the enjoyment of being a consultant, rather than an end user, is the exposure to varied work on a day by day basis.

DC: You have a number of F5 Certifications including Technology Specialist (LTM) certifications. Why are these important to you and how have they helped with your career?

NB: As a consultant working for an F5 partner it is vital for us to have certified members of the team, in fact NTT Security attained the highest partner status in F5’s Guardian Professional Services program. On a personal note I think the certifications have been vital in ensuring I have a breadth of knowledge as you never know what feature or module a customer may choose to implement. To that end, the self-study and lab work needed to achieve the certification has been invaluable. I’ve also helped design questions for the 401 exam so, as you can see, I’m very invested in the certification process. I think Ken and his team, especially Heidi, have done a great job.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

NB: My first challenge was the fact that I did not know anything about F5 or BIG-IP when I first got my hands on them. DevCentral, with its 101 series back in the day was a great starting point, and for that I need to thank the likes of Jason, Colin and Joe. Since then the security sessions with Josh and now John are invaluable and useful to my everyday work. Since being more comfortable with the technology DC has helped enormously when presented with very specific use cases to solve by customers, especially if iRules are required, there’s always a codeshare item that can be used as a basis for a custom solution. It saves a lot of time and head scratching.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

NB: Growing up I was fascinated by true crime books and TV shows. So if I had my time again I would definitely be a lawyer, a barrister perhaps…although I’m not sure how the wig would look on me!

Thanks Nathan! Check out all of Nathan's DevCentral contributions, connect with him on Twitter and visit NTT Security or follow on Twitter.

 




Prevent a Spoof of an X-Forwarded-For Request with BIG-IP

Posted in security, f5, big-ip, application security, http, compliance, scams, devcentral, infrastructure by psilva on October 24th, 2017

Last week, we looked at how to do Selective Compression on BIG-IP with a local traffic policy so this week let’s try something security related using the same procedures.

You can use a BIG-IP local traffic policy to prevent a spoofed X-Forwarded-For request. Bad actors may falsify the IP address in this header, hoping the servers behind BIG-IP will trust it for access control, rate limiting or logging. The policy below overwrites the header with the source address of the actual TCP connection, so the back end never sees a client-supplied value.

Pre-reqs:

  • We’re using BIG-IP v12 and,
  • We already have a Virtual Server configured to manage HTTP traffic with an HTTP profile assigned to it.

Let’s log into a BIG-IP

xf1.jpg

The first thing we’ll need to do is create a draft policy. On the main menu select Local Traffic>Policies>Policy List and then the Create or + button.

xf2.jpg

This takes us to the create policy config screen. Type a unique Policy Name like PreventSpoofOfXFF and optionally, add a description. Leave the Strategy at the default of Execute First matching rule. Click Create Policy.

xf3.jpg

We’re then directed to the draft policy’s General Properties page and here we can create the rules for the policy. In the Rules area, click Create.

xf4.jpg

We’ll give the rule a unique name like StopSpoof. The first condition we need to configure is to match all HTTP traffic, so we can use the default setting of All Traffic. Then we tell the policy what to do when that condition matches: the action is to Replace the HTTP header named X-Forwarded-For with the value tcl:[IP::client_addr] (the source IP address of the client’s TCP connection) at request time. Click Save.

xf5.jpg

Also, save the draft.

xf6.jpg

And then select the box next to the draft policy and click Publish.

xf7.jpg

We can now associate the published policy with a virtual server that we’re using to manage http traffic. On the main menu click Local Traffic>Virtual Servers>Virtual Server List and click the name of the virtual server you’d like to associate for the policy.

xf8.jpg

On the menu bar click Resources and next to Policies click Manage.

xf9.jpg

Move PreventSpoofOfXFF to the Enabled list and click Finished.

xf9a.jpg

Now the virtual server with the PreventSpoofOfXFF local traffic policy overwrites the X-Forwarded-For header on every request, so a spoofed value never reaches the servers behind BIG-IP. One caveat: if the BIG-IP itself sits behind a CDN or another proxy you trust, the connection address is that proxy’s, and replacing the header discards the real client address. In that case only rewrite the header for connections that do not come from the trusted proxy, or append the connection address rather than replace it.

Congrats! You’ve easily added additional security to your local traffic policy! You can also watch the full video demo thanks to our TechPubs team.
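As an added example that is not part of the original post, here is the same policy built from tmsh instead of the GUI, with one extra rule for the case where BIG-IP sits behind a proxy you trust: connections from that proxy keep the header it sent and get a second X-Forwarded-For line carrying the proxy’s own address, while everyone else has the header overwritten exactly as in the GUI steps above. It assumes BIG-IP v12.1 or later (where draft policies live in the Drafts folder), a virtual server named vs_http_app that already has an HTTP profile, and 10.0.0.0/8 standing in for the addresses of your own trusted proxies; none of these names come from the post. The operand names follow tmsh's policy grammar as I know it, so confirm them with "tmsh help ltm policy" on your version.

```tmsh
# Added example, not code from the original post: tmsh equivalent of the GUI steps.
# Assumptions (not from the post): BIG-IP v12.1+, a virtual server vs_http_app with
# an HTTP profile, and 10.0.0.0/8 as the range of proxies trusted to set the header.
#
# Strategy first-match is the GUI's "Execute First matching rule".
# Rule TrustedProxyAppend (ordinal 1): connection comes from a trusted upstream
#   proxy, so keep the header it sent and add a second X-Forwarded-For line with
#   the proxy's own address (a list header may be sent as several lines).
# Rule StopSpoof (ordinal 2, no condition = All Traffic): everyone else gets the
#   header overwritten with the source address of the TCP connection.
create ltm policy Drafts/PreventSpoofOfXFF strategy first-match rules add {
    TrustedProxyAppend {
        ordinal 1
        conditions add {
            0 { tcp address matches values { 10.0.0.0/8 } }
        }
        actions add {
            0 { http-header insert name X-Forwarded-For value "tcl:[IP::client_addr]" }
        }
    }
    StopSpoof {
        ordinal 2
        actions add {
            0 { http-header replace name X-Forwarded-For value "tcl:[IP::client_addr]" }
        }
    }
}

# Publish the draft and attach the published policy to the virtual server.
publish ltm policy Drafts/PreventSpoofOfXFF
modify ltm virtual vs_http_app policies add { PreventSpoofOfXFF }

# Check what was built.
list ltm policy PreventSpoofOfXFF
list ltm virtual vs_http_app policies
```

If there is no upstream proxy in front of the BIG-IP, drop the TrustedProxyAppend rule; the remaining StopSpoof rule is exactly the policy built in the GUI above. Whatever you choose, the servers in the pool should treat only the right-most address in X-Forwarded-For, the one written by the BIG-IP, as the client address.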

ps




Lightboard Lessons: What are Bots?

Posted in security, f5, big-ip, silva, basics, devcentral, botnet, risk by psilva on October 18th, 2017

In this Lightboard Lesson, I light up some #basics about internet bots and botnets. Humans account for less than 50% of internet traffic and the rest is spread between the good bots and bad ones.



Selective Compression on BIG-IP

Posted in f5, big-ip, optimization, application delivery, compression, management, devcentral by psilva on October 17th, 2017

BIG-IP provides Local Traffic Policies that simplify the way in which you can manage traffic associated with a virtual server.

You can use a BIG-IP local traffic policy to support selective compression for types of content that benefit from it, like HTML, XML, and CSS stylesheets. These file types can realize performance improvements, especially across slow connections, when compressed. You can easily configure your BIG-IP system to use a simple Local Traffic Policy that selectively compresses these file types. To use a policy, you create and configure a draft policy, publish that policy, and then associate the policy with a virtual server. We’re using BIG-IP v12.

Alright, let’s log into a BIG-IP

c1.jpg

The first thing you’ll need to do is create a draft policy. On the main menu select Local Traffic>Policies>Policy List and then the Create or + button.

c2.jpg

This takes us to the create policy config screen. We’ll name the policy SelectiveCompression, add a description like ‘This policy compresses file types,’ and we’ll leave the Strategy as the default of Execute First matching rule. This is so the policy uses the first rule that matches the request. Click Create Policy which saves the policy to the policies list.

c3.jpg

When saved, the Rules search field appears but has no rules. Click Create under Rules.

c4.jpg

This brings us to the Rules General Properties area of the policy. We’ll give this rule a name (CompressFiles) and then the first settings we need to configure are the conditions that need to match the request. Click the + button to associate file types.

c5.jpg

We know that the content to compress is identified by the Content-Type HTTP header. We choose HTTP Header, enter Content-Type in the Named field, select ‘begins with’ and type ‘text/’ for the value, evaluated at ‘response’ time. We’ll add a second condition so compression backs off when the system is busy: CPU Usage over a duration of 1 minute with the conditional operator ‘less than or equal to’ 5 (percent), also at response time.

c6.jpg

Next, under Do the following, click the create + button to define the action taken when those conditions are met. Here, we enable compression at response time. Click Save.

c7.jpg

Now the draft policy screen appears with the General Properties and a list of rules. Here we want to click Save Draft.

c8.jpg

Now we need to publish the draft policy and associate it with a virtual server. Select the policy and click Publish.

c9a.jpg

Next, on the main menu click Local Traffic>Virtual Servers>Virtual Server List and click the name of the virtual server you’d like to associate for the policy.

c9a.jpg

On the menu bar click Resources and for Policies click Manage.

c9b.jpg

Move SelectiveCompression to the Enabled list and click Finished.

c9c.jpg

The SelectiveCompression policy now appears in the policies list and is associated with the chosen virtual server. The virtual server with the SelectiveCompression Local Traffic Policy will compress the content types you specified whenever the CPU condition also holds.

c9d.jpg

Congrats! You’ve now added a local traffic policy for selective compression! You can also watch the full video demo thanks to our TechPubs team.
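As an added example that is not part of the original post, here is the same SelectiveCompression policy built from tmsh instead of the GUI. It assumes BIG-IP v12.1 or later (draft policies in the Drafts folder) and a virtual server named vs_http_app that already has an HTTP profile and an HTTP Compression profile; the virtual server name is my assumption, and without a compression profile attached the compress action has nothing to act on. The operand names follow tmsh's policy grammar as I know it, so confirm them with "tmsh help ltm policy" on your version.

```tmsh
# Added example, not code from the original post: tmsh equivalent of the GUI steps.
# Assumptions (not from the post): BIG-IP v12.1+ and a virtual server vs_http_app
# that carries both an HTTP profile and an HTTP Compression profile.
#
# Rule CompressFiles, evaluated on the response:
#   condition 0: Content-Type begins with "text/"
#   condition 1: CPU usage averaged over the last minute is <= 5 percent
#   action:      enable compression for this response
create ltm policy Drafts/SelectiveCompression strategy first-match description "This policy compresses file types" rules add {
    CompressFiles {
        conditions add {
            0 { http-header response name Content-Type starts-with values { text/ } }
            1 { cpu-usage response last-1min less-or-equal values { 5 } }
        }
        actions add {
            0 { compress response enable }
        }
    }
}

# Publish the draft and attach the published policy to the virtual server.
publish ltm policy Drafts/SelectiveCompression
modify ltm virtual vs_http_app policies add { SelectiveCompression }

# Check what was built.
list ltm policy SelectiveCompression
list ltm virtual vs_http_app policies
```

Note that ‘begins with text/’ matches text/html, text/css and text/plain (with or without a charset suffix) but not application/xml, application/json or application/javascript; add further conditions for those, or manage them through the content list of the HTTP Compression profile, if you want them compressed as well.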

ps




