Archive for silva

Social Login to Enterprise Apps using BIG-IP & OAuth 2.0

Posted in security, f5, big-ip, cloud, silva, authentication, social media, devcentral by psilva on March 14th, 2017

 

social_login_gigya.jpgPassword fatigue is something we’ve all experienced at some point. Whether it’s due to breaches and the ever present, ‘update password’ warnings, the corporate policy of a 90-day rotation or simply registering for a website with yet another unique username and password. Social login or social sign-in allows people to use their existing Google, Twitter, Facebook, LinkedIn or other social credentials to enter a web property, rather than creating a whole new account for the site. These can be used to authenticate, verify identity or to allow posting of content to social networks and the main advantage is convenience and speed.

With v13, BIG-IP APM offers a rich set of OAuth capabilities allowing organizations to implement OAuth Client, OAuth Resource Server and OAuth Authorization Server roles to implement social logins.

Let's look at BIG-IP’s capabilities (from the user's perspective) as an OAuth Client, OAuth Resource Server. We’ll navigate to our BIG-IP login screen and immediately you’ll notice it looks slightly different than your typical APM login.

sl1.jpg

Here, you now have a choice and can authenticate using any one of the 4 external resources. Azure AD Enterprise and AD B2C along with Google and Facebook. Google and Facebook are very popular social login choices - as shown in the initial image above - where organizations are looking to authenticate the users and allow them to authorize the sharing of information that Google and Facebook already have, with the application.

In this case, we have an application behind BIG-IP that is relying on getting such information from an external third party. For this, we’ll select Facebook. When we click logon, BIG-IP will redirect to the Facebook log into screen.

sl23.jpg

Now we’ll need to log into Facebook using our own personal information. And with that, Facebook has authenticated us and has sent BIG-IP critical info like name, email and other parameters.

sl4.jpg

BIG-IP has accepted the OAuth token passed to it from Facebook, extracted the info from the OAuth scope and now the application knows my identity and what resources I’m authorized to access.

We can do the same with Google. Select the option, click logon and here we’re redirected to the Google authentication page. Here again, we enter our personal credentials and arrive at the same work top.

sl564.jpg

Like Facebook, Google sent an authorization code to BIG-IP, BIG-IP validated it, extracted the username from the OAuth scope, passed it to the backend application so the application knows who I am and what I can access.

Let's look at Microsoft. For Microsoft, we can authenticate using a couple editions of Azure AD – Enterprise and B2C. Let’s see how Enterprise works. Like the others, we get redirected to Microsoftonline.com to enter our MS Enterprise credentials.

In this instance, we’re using an account that’s been Federated to Azure AD from another BIG-IP and we’ll authenticate to that BIG-IP. At this point that BIG-IP will issue a SAML assertion to Azure AD to authenticate me to Azure AD. After that, Azure AD will issue an OAuth token to that BIG-IP. BIG-IP will accept it, extract the user information and pass it to the application.

sl7894.jpg

Finally, let’s see how Azure AD B2C works. B2C is something that companies can use to store their non-corporate user base. Folks like partners, suppliers, contractors, etc. B2C allows users to maintain their own accounts and personal information. In addition, they can login using a typical Microsoft account or a Google account. In this case, we’ll simply use a Microsoft account and are directed to the Microsoft authentication page.

slb2c_all.jpg

We’ll enter our personal info, the servers communicate and we’re dropped into our WebTop of resources.

Social logins can not only help enterprises offer access to certain resources, it also improves the overall customer experience with speed and convenience and allows organizations to capture essential information about their online customers.

ps

Related:

 




Blog Roll 2016

Posted in security, f5, big-ip, cloud computing, silva, application delivery, devcentral, infrastructure, access, iot by psilva on December 20th, 2016

dc-logo.jpgIt’s that time of year when we gift and re-gift, just like this text from last year. And the perfect opportunity to re-post, re-purpose and re-use all my 2016 entries.

After 12 years at F5, I had a bit of a transition in 2016, joining the amazing DevCentral team in February as a Sr. Solution Developer. You may have noticed a much more technical bent since then…hopefully. We completed our 101 Certification Exam this year and will be shooting for the 201 next quarter. We started highlighting our community with Featured Member spotlight articles and I finally started contributing to the awesome LightBoard Lessons series. I also had ACDF surgery this year, which is why November is so light. Thanks to the team for all their support this year. You guys are the best!

If you missed any of the 53 attempts including 7 videos, here they are wrapped in one simple entry. I read somewhere that lists in articles are good. I broke it out by month to see what was happening at the time and let's be honest, pure self-promotion. I truly appreciate the reading and watching throughout 2016.

Have a Safe and Happy New Year!

 

January

February

March

April

May

June

July

August

September

October

November

December

 

And a couple special holiday themed entries from years past.

ps

Related

 




Lightboard Lessons: BIG-IP in Hybrid Environments

Posted in security, f5, big-ip, ssl vpn, cloud, silva, application delivery, lightboard, devcentral, remote access, saml, aws, azure, saas by psilva on October 12th, 2016

A hybrid infrastructure allows organizations to distribute their applications when it makes sense and provide global fault tolerance to the system overall. Depending on how an organization’s disaster recovery infrastructure is designed, this can be an active site, a hot-standby, some leased hosting space, a cloud provider or some other contained compute location. As soon as that server, application, or even location starts to have trouble, organizations can seamlessly maneuver around the issue and continue to deliver their applications.

Driven by applications and workloads, a hybrid environment is a technology strategy to integrate the mix of on premise and off-premise data compute resources. In this Lightboard Lesson, I explain how BIG-IP can help facilitate hybrid infrastructures.

ps

Related:

 

Watch Now:



F5 Access for Your Chromebook

Posted in security, f5, big-ip, ssl vpn, cloud, silva, application delivery, mobile, devcentral by psilva on October 12th, 2016

My 5th grader has a Chromebook for school. She loves it and it allows her access to school applications and educational tools where she can complete her assignments and check her grades. But if 5th grade is a tiny dot in your rear-view and you’re looking to deploy Chromebooks in the enterprise, BIG-IP v12 can secure and encrypt ChromeOS device access to enterprise networks and applications. With network access, Chromebook users can run applications such as RDP, SSH, Citrix, VMware View, and other enterprise applications on their Chrome OS devices.

From an employee’s perspective, it is very easy to get the SSLVPN configured. Log on to a Chromebook, open Chrome Web Store, search for ‘F5 Access’ and press the +ADD TO CHROME button. Add app when the dialogue box pops and F5 Access will appear in your ‘All Apps’ window.

f5_access.jpg

Next, when launched, you’ll need to accept the license agreement and then add a server from the Configuration tab:

add_server.jpg 

Next, give it a unique name, enter the BIG-IP APM server URL and optionally add your username and password. Your password will not be cached unless that’s allowed by the APM Access Policy. You can also select a client certificate if required. Once configured, it’ll appear in the list. You can also have multiple server configurations if needed:

added_server.jpg 

To connect, click the bottom tray bar and select the tile that says, ‘VPN Disconnected.’

f5access_tile.jpg

And select the server configured when setting up the app. Depending on the configuration, you’ll either get the native login window or the WebTop version:

f5access_login.jpg 

Once connected, there won’t be any indication in the tray but if you click it, you’ll see the connection status in the same VPN area as above and it’ll show ‘connected’ within the F5 Access app:

f5access_connected.jpg 

As you can see in the above image, you can also check Statistics and Diagnostics if those are of interest. To end the connection, click the tray again, select the VPN tile and click Disconnect.

For administrators, it’s as simple as adding a ‘ChromeOS’ branch off the ClientOS VPE action:

f5access_clientos.jpg

Then add a Connectivity Profile to BIG-IP:

f5access_connectivity_profile.jpg 

In addition to generic session variables, client session variables are also available. Check out the release notes and BIG-IP Access Policy Manager and F5 Access for Chrome OS v1.0.0 manual for more info.

ps

Related:




Q/A with ExITeam’s Security Engineer Stanislas Piron - DevCentral’s Featured Member for October

Posted in security, f5, big-ip, silva, devcentral, irules by psilva on October 4th, 2016

stanislas1.jpg

Stanislas Piron is a Security Engineer for ExITeam. 16 years ago, Stanislas started out with Firewalls, email and Web content security. His first F5 deployment was with LTM and Link Controller 10 years ago and he is DevCentral’s Featured Member for October!

He started to focus on F5 products as pre-sales engineer for a IT security distributor in charge of F5 development. 4 years ago, he joined Exiteam, a small company of two security engineers helping resellers audit, design and deploy security solutions for their customers. To provide real expertise, they both focus their skills on a small set of products. He works with F5 products about 80% of his time.

DevCentral got an opportunity to chat with Stanislas about his work, life and if European organizations have unique security requirements.

DevCentral: You’ve been an active contributor to the DevCentral community and wondered what keeps you involved?

Stanislas Piron: When I started working with F5 products, I created my DevCentral account to search piece of iRules and write my own iRules according to customer’s needs.

As the needs grew, I had some unanswered questions. Searching DevCentral, I found another approaches to solving issues, helping me to solve my own challenges. Each time I find a better way to solve my problems, I try to share my code.

I often read question and try to solve them thinking, “This can solve an issue of a customer I didn’t think about before”

DevCentral is a place where every time you help someone, you learn something.

DC: Tell us a little about the areas of BIG-IP expertise you have.

SP: My favorite BIG-IP product is APM (LTM+APM mode), which covers almost everything about authentication. It’s also the product we must configure as simple as possible if we do not want the customer to have headaches reading the access policy.

I often deploy BIG-IP with multiple modules including LTM, APM, AFM, GTM and ASM to offer high datacenter security.

Most of my deployments use the local traffic policies for standard admin tasks, iRules for application compatibility, and the tcl codes in APM to assign variable boxes.

DC: You are a Security Engineer with Exiteam, a security consulting practice. Can you explain how DevCentral helps with your daily challenges? Where does BIG-IP fit in the services you offer or within your own infrastructure?

exiteam_logo.jpg

SP: iRules is a great tool to solve problems BIG-IP is not addressing, but iRules is nothing without the developer’s community. DevCentral experts share experience not only about tcl coding but protocol knowledge, iRule events orders, and working iRules. And on the other side, some IT admins ask about new needs that I may answer for the next customer.

Each time I have a new challenge, I first search on DevCentral to see if someone already solved it. If not, I’ll create my own iRule.

DC: I understand you are in France and wondered, what are some of the unique information security challenges for European organizations?

SP: Information security challenges are not unique for European organizations as security risks are the same for all countries.

DC: Describe one of your biggest challenges and how DevCentral helped in that situation.

SP: With Microsoft Forefront TMG End of sale, most of my customers migrated to F5 products.

One of my customers, a SAAS provider, with almost exclusively Microsoft products (TMG, Exchange, Sharepoint, etc.) and with more than 20K concurrent users was evaluating how to migrate to BIG-IP LTM, ASM, APM and AFM.

During POC (and then deployment) we worked to get the same behavior with APM as TMG with SharePoint about office editing documents. I found some question on DevCentral with parts of an answer, but not the full answer. I wrote an iRule optimized for such a deployment (20K users) answering all the customer needs and shared it. Some DevCentral experts, who had the same needs, commented on it to make it simpler, generic and optimized.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

SP I don’t remember what I wanted to be when I was child and IT is not a dream job if you don’t evolve. What I expect in my job is to not do the same job as the day before, and I think I found it. Every day, I meet new customers, I have new challenges and I learn something increasing my knowledge.

DC: Thanks Stanislas and congratulations! You can find Stanislas on LinkedIn and also check out his DevCentral contributions.

Related:




Lightboard Lessons: Secure & Optimize VDI

Posted in security, big-ip, virtualization, silva, vmware, lightboard, vdi, devcentral, access by psilva on September 28th, 2016

Virtualization continues to impact the enterprise and how IT delivers services to meet business needs. Desktop Virtualization (VDI) offers employees anywhere, anytime, flexible access to their desktops whether they are at home, on the road, in the office or on a mobile device. In this edition of Lightboard Lessons, I show how BIG-IP can secure, optimize and consolidate your VMware Horizon View environment, providing a secure front end access layer for VMware’s VDI infrastructure.

ps

Related:

Watch Now:



Lock Down Your Login

Posted in Uncategorized, security, f5, big-ip, application security, silva, authentication, banking, malware, devcentral by psilva on September 27th, 2016

login.png

Last week we talked about WebSafe and how it can help protect against phishing attacks with a little piece of code. This is important since malware can steal credentials from every visited web application from an infected machine. This time we’re going to look at how to protect against credential grabbing on a BIG-IP APM login page with WebSafe encryption layer.

You’ll needtwo modules for this, BIG-IP APM andof course, WebSafe FraudProtection Service. The goal is to protect the laptop from any malware thatgrabs sensitive login credentials. In this case, the malware would beconfigured to grab the login page along with the username and passwordparameter fields. Command and control could also be set to retrieve anycredentials from the infected machine at certain intervals, like every 5minutes.

The first goal would be to encrypt the password. Within your BIG-IP admin GUI, you would navigate to Security>Fraud Protection Service> Anti-Fraud Profiles>URL List. APM’s logon page usually ends with ‘/my.policy’.

mfraudurl.jpg

Create then click that URL to open the configuration page and enable Application Layer Encryption.

mapplayerencrypt.jpg

And select the Parameters tab to configure the fields you want to protect. In this case it is password and username.

mparameters.jpg

In the screen grab, you can see ‘Obfuscate’ is selected and to both ‘Encrypt’ and‘Substitute Value’ for the password field.

Now when the user goes to the page, a bit a JavaScript is injected in the page to protect the specified fields. If you run a httpwatch or wire shark on the page, you’ll see that the values for those parameters are obfuscated. This makes it incredibly difficult for the bad actor to determine the correct value.

mobfuscape.jpg

And if the malware also grabs the password, since we set that to encrypt, all they get is useless information.

mpwuseless.jpg

At this point, the BIG-IP will decrypt the password and pass on the traffic to appropriate domain controller for verification. This is a great way to protect your login credentials with BIG-IP. If you’d like to see a demonstration of this, check out F5’s Security Specialist Matthieu Dierick’s demo video. Pretty cool.

ps




Lightboard Lessons: DNS Scalability & Security

Posted in security, f5, big-ip, silva, video, dnssec, lightboard, devcentral, dns by psilva on September 21st, 2016

The Domain Name Service (DNS) is one of the most important components in networking infrastructure, enabling users and services to access applications by translating URLs (names) into IP addresses (numbers). Because every icon and URL and all embedded content on a website requires a DNS lookup, loading complex sites necessitates hundreds of DNS queries.

DNS lookups has exploded in recent years with mobile, IoT and the applications to support the growth. It is also a vulnerable target. In my first Lightboard Lesson, I show you how to scale, secure and consolidate your DNS infrastructure.

ps

Related:

Watch Now:



750th Blog Spectacular - Lessons of the LightBoard

Posted in f5, big-ip, silva, application delivery, lightboard, devcentral by psilva on September 13th, 2016

IMG_3526.jpg

I recently built out a LightBoard Studio for my home office so I can start contributing to the awesome LightBoard Lessons on DevCentral. These are short, informative videos explaining various technologies and often, how to implement on a BIG-IP system. Instead of writing on a whiteboard and looking over your shoulder into the camera as you explain something, Lightboards allow you to draw on and look through the crystal clear glass (into the camera) while discussing technical concepts. A transparent whiteboard. The LEDs that surround the glass accompanied with neon markers make the images pop. It’s pretty darn cool.

So the story goes, a college professor was looking for a better way to deliver lessons to his students both on campus and online without a chalkboard. He called it the Learning Glass and now there are Lightboards all over the world, especially in universities. Incidentally, there is cool video of Picasso painting on glass from 1949.

He had the right idea.

IMG_3525.jpg

You may have read or watched Jason & John’s Lightboard Lessons: Behind the Scenes and I wanted to report on my own experiences. First, I followed Jason’s bill of materials (except the camera) and it provides most everything you need to get started. I initially thought about a 3’ x 5’ pane of glass due to my smaller venue but couldn’t find an appropriate frame for that size. Well, to be clear, there may have been one but it was way outside my budget. I looked at various saw horses, ladder frames and other apparatus thinking I could ‘make’ something that could properly hold the glass in place. No dice.

So I decided to go a little larger with the 4’ x 6’ size since there is a frame specifically built for this purpose. Rahm is correct about ordering the frame first since you’ll need to carefully measure the mounting holes so the glass can be drilled perfectly. It also takes a few weeks to order and have the glass delivered - at least in my area. This was fine since it allowed me to set up the other equipment like the lights, back drop and camera location. In addition, make sure you have the delivery folks help you place it on the frame…depending on the size, this is not a pick up and install yourself deal. The glass is large, heavy and certainly needs a few people to carry and properly align with the holes.

IMG_3524.jpg

Once the glass is installed (and cleaned) you can wrap the LEDs around the edge. There are a couple ways to go with this step. You could use large binder clips to hold the lights at the edge or, like Jason, I got 3/8” shower u-channels to go around the glass and hold the lights in place. Instead of silicon to hold the u-channel, I used clamp clips to hold the outer metal. This allows me to easily change and adjust the LEDs if needed.

The Expo Neon markers do make a greasy mess and I’ve got the same Sprayway glass cleaner. I also got one of those magic erasers to help clean and old hotel room keys work well on dried ink. It’s not that difficult to have a clean slate but any smudges will certainly appear if it’s not sparkle-city.e binder clips to hold the lights at the edge or, like Jason, I got 3/8” shower u-channels to go around the glass and hold the lights in place. Instead of silicon to hold the u-channel, I used clamp clips to hold the outer metal. This allows me to easily change and adjust the LEDs if needed.

This week I’ll be moving around the lights and doing some test shots for audio and visual screen tests and look forward to publishing my first LightBoard Lesson very soon. Shooting for next week if all tests go well. I’m excited.

It’s always been a dream of mine to have a home studio. Some guys want a man-cave, some want a game room, others a high end home theatre or a rack of computer equipment. Me? A studio.

And for my 750th DevCentral article I wanted to say: Thanks Gang!!

ps




Q/A with Secure-24’s Josh Becigneul - DevCentral’s Featured Member for September

Posted in f5, big-ip, adc, interview, silva, application delivery, devcentral by psilva on September 6th, 2016

Josh.jpg

Josh Becigneul is the ADC Engineer for Secure-24 and DevCentral’s Featured Member for September!

Josh has been working in the IT industry in various positions for a little over 10 years. He’s moved through various disciplines including MS server administration, Linux, Networking, and now has been working primarily with F5 BIG-IPs. For the past 3 years he has focused on F5’s products and growing a team of engineers to manage them. Secure-24 delivers managed IT operations, application hosting and managed cloud services to enterprises worldwide.

DevCentral got an opportunity to talk with Josh about his work, life and the importance of being F5 Certified.

DevCentral: You’ve been an active contributor to the DevCentral community and wondered what keeps you involved?

Josh Becigneul: DevCentral has helped me greatly over the years as I’ve worked with F5 products, so I feel like it’s worth some of my time to spend both reading posts and helping others in the community. When I started off it helped to be able to explain a need and have someone create a basic iRule, or point me towards documentation explaining something. Now that my skills have grown, I want to pay it forward.

DC: Tell us a little about the areas of BIG-IP expertise you have.

JB: I started off on just BIG-IP LTM but over the years have grown into managing APM, GTM, ASM, and sometimes a mix of each. I’ve worked with 1500’s, 1600s, 3600’s, 3900’s and VIPRION. As well as Enterprise Manager and now BIG-IQ too.

DC: You are an ADC Engineer with Secure-24, an application hosting and cloud services organization. Can you explain how DevCentral helps with your daily challenges? Where does BIG-IP fit in the services you offer or within your own infrastructure?

secure24.jpg

JB: At Secure-24, BIG-IP has grown into an essential product for many portions of our organization, along with many of our customers utilizing its services to deliver their applications. We’ve got a large number of LTM customers, APM customers and we’ve been growing into ASM. GTM provides advanced DNS services for many of our customers around the globe. Most deployments using BIG-IP are custom tailored to suit the needs of the particular customer. These can vary from basic load balancing to advanced content steering, or small deployments of a few virtual services to large ones comprised of hundreds.

With the variety of F5 products in use, having a resource like DevCentral is invaluable to our team. From being able to ask my peers questions about things, or utilizing the codeshare and wiki to learn more about iRules and iControl, I couldn’t imagine it not being available.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.

JB: One of the most useful things iRules allow us to do is virtual hosting; running many services behind a virtual service. Coupling this with APM allowed us to greatly simplify remote access for us and our customers. For several customers, we used APM to migrate them away from MS Forefront.

DC: I understand you are an F5 Certified Professional. Can you tell us about that and why you feel it is beneficial?

JB: Yes, I first became F5 Certified in 2015 with my 201 Certified BIG-IP Administrator, and followed that up at 2016’s F5 Agility conference by obtaining my 304 APM Specialist. I feel it is beneficial because it helps to reinforce what I’ve learned over the years, and (hopefully) lets my customers feel like they are in good hands. (DC: Josh also recently passed the 302 GTM Exam!)

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

JB: I’d probably be a roadie, and tour the world doing lights and sound for a huge band!

DC: Thanks Josh and get us backstage passes! Check out all of Josh’s DevCentral contributions, connect on LinkedIn and follow both Josh @vsnine and @secure_24.

And if you'd like to nominate someone to be the DevCentral Featured Member, please send your suggestions to the DevCentral Team!





« Older episodes · Newer episodes »