Archive for Uncategorized

Lightboard Lessons: The BIG-IP Profiles

Posted in Uncategorized, f5, big-ip, application delivery, lightboard, devcentral by psilva on April 19th, 2017

BIG-IP can manage application-specific network traffic in a variety of ways, depending on the protocols and services being used. On BIG-IP, Profiles are a set of tools that you can use to intelligently control the behavior of that traffic.

In this Lightboard Lesson, I light up the BIG-IP Profiles: what they are, what they do and why you should care.

ps




What is a Proxy?

Posted in Uncategorized, security, big-ip, silva, application delivery, devcentral, proxy by psilva on March 28th, 2017


The term ‘Proxy’ is a contraction that comes from the Middle English word procuracy, a legal term meaning to act on behalf of another. You may have heard of a proxy vote, where you submit your choice and someone else votes the ballot on your behalf.

In networking and web traffic, a proxy is a device or server that acts on behalf of other devices. It sits between two entities and performs a service. Proxies are hardware or software solutions that sit between the client and the server and do something to requests and sometimes responses.

The first kind of proxy we’ll discuss is a half proxy. With a half proxy, a client will connect to the proxy and the proxy will establish the session with the servers. The proxy will then respond back to the client with the information. After that initial connection is set up, the rest of the traffic will go right through the proxy to the back-end resources. The proxy may do things like L4 port switching, routing or NAT’ing, but at this point it is not doing anything intelligent other than passing traffic.

Basically, the half proxy sets up a call and then the client and server do their thing. Half proxies are also good for Direct Server Return (DSR). For protocols like streaming protocols, you’ll have the initial setup, but instead of going through the proxy for the rest of the connections, the server will bypass the proxy and go straight to the client. This is so you don’t waste resources on the proxy for something that can be done directly server to client.

A full proxy, on the other hand, handles all the traffic. A full proxy creates a client connection along with a separate server connection, with a little gap in the middle. The client connects to the proxy on one end and the proxy establishes a separate, independent connection to the server. This is bi-directional on both sides. There is never any blending of connections from the client side to the server side – the connections are independent. This is what we mean when we say BIG-IP is a full proxy architecture.

The full proxy intelligence is in that OSI Gap. With a half-proxy, it is mostly client side traffic on the way in during a request and then does what it needs…with a full proxy you can manipulate, inspect, drop, do what you need to the traffic on both sides and in both directions. Whether a request or response, you can manipulate traffic on the client side request, the server side request, the server side response or client side response. You get a lot more power with a full proxy than you would with a half proxy.

With BIG-IP (a full proxy) on the server side, it can be used as a reverse proxy. When clients make a request from the internet, they terminate on the reverse proxy sitting in front of application servers. Reverse proxies are good for traditional load balancing, optimization, server side caching, and security functionality. If you know certain clients or IP spaces are acceptable, you can whitelist them. Same with known malicious sources or bad ranges/clients, you can blacklist them. You can do it at the IP layer (L4) or you can go up the stack to Layer 7 and control an http/s request. Or add a BIG-IP ASM policy on there. As it inspects the protocol traffic, if it sees some anomaly that is not native to the application, like a SQL injection, you can block it.
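The full-proxy behaviour described above, as an added Python sketch (not from the original post and not F5 code): the client-side connection is read and judged on its own, the server-side connection is opened separately only if policy allows, and the response is filtered on the way back. The deny range, method list, stripped headers and the in-memory backend are constructed assumptions for the example.

```python
import ipaddress
import socket
import threading

# Constructed policy values for this example (not taken from the article).
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # deny list by source
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}              # Layer 7 rule
HIDDEN_HEADERS = {b"server", b"x-powered-by"}             # removed from responses
FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

def read_http_message(sock):
    """Read one HTTP message: the header block plus Content-Length body bytes."""
    data = b""
    while b"\r\n\r\n" not in data and (chunk := sock.recv(4096)):
        data += chunk
    if b"\r\n\r\n" not in data:
        return data  # peer closed early; return what arrived
    head, _, body = data.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    while len(body) < length and (chunk := sock.recv(4096)):
        body += chunk
    return head + b"\r\n\r\n" + body

def inspect_request(client_ip, request):
    """Client-side policy: 'drop' on source address, 'reject' on request content."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in BLOCKED_NETS):
        return "drop"
    parts = request.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or parts[0] not in ALLOWED_METHODS:
        return "reject"
    return "allow"

def filter_response(response):
    """Server-side policy: strip headers that disclose the backend software."""
    head, sep, body = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [l for l in lines[1:]
            if l.partition(b":")[0].strip().lower() not in HIDDEN_HEADERS]
    return b"\r\n".join([lines[0]] + kept) + sep + body

def full_proxy(client_sock, client_ip, connect_backend):
    """Serve one request; connect_backend() opens the separate server-side socket."""
    try:
        request = read_http_message(client_sock)
        verdict = inspect_request(client_ip, request)
        if verdict == "reject":
            client_sock.sendall(FORBIDDEN)
        elif verdict == "allow":
            server_sock = connect_backend()  # opened only after policy passes
            try:
                server_sock.sendall(request)
                response = read_http_message(server_sock)
            finally:
                server_sock.close()
            client_sock.sendall(filter_response(response))
        return verdict  # on "drop" nothing is sent and the socket just closes
    finally:
        client_sock.close()

def demo(client_ip, request):
    """Run one exchange over in-memory socket pairs (constructed backend)."""
    client, proxy_side = socket.socketpair()
    backend_saw = []
    def connect_backend():
        to_backend, backend = socket.socketpair()
        def serve():
            backend_saw.append(read_http_message(backend))
            backend.sendall(b"HTTP/1.1 200 OK\r\nServer: constructed/1.0\r\n"
                            b"Content-Length: 5\r\n\r\nhello")
            backend.close()
        threading.Thread(target=serve, daemon=True).start()
        return to_backend
    client.sendall(request)
    verdict = full_proxy(proxy_side, client_ip, connect_backend)
    seen = b""
    while chunk := client.recv(4096):
        seen += chunk
    client.close()
    return verdict, seen, backend_saw
```

Calling `demo()` with a source address inside the deny range, or with a method outside the allowed set, leaves `backend_saw` empty: the backend never receives a connection for traffic the client-side policy refuses.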

On the client side, BIG-IP can also be a forward proxy. In this case, the client connects to the BIG-IP on an outbound request and the proxy acts on behalf of the client to the outside world. This is perfect for things like client side caching (grabbing a video and storing it locally), filtering (blocking certain time-wasting sites or malicious content), privacy (masking internal resources) and security.

You can also have a services layer, like an ICAP server, where you can pass traffic to an inspection engine prior to hitting the internet. You can manipulate client side traffic out to the internet, server side traffic in from the internet, handle it locally on the platform or pass it off to a third party services entity. A full proxy is your friend in an application delivery environment.

If you'd like to learn more about Proxies, check out the resources below including the Lightboard Lesson: What is a Proxy?





Q/A with Admiral Group’s Jinshu Peethambaran - DevCentral’s Featured Member for March

Posted in Uncategorized, security, f5, big-ip, devcentral, irules by psilva on March 1st, 2017

 

Jinshu Peethambaran is a security architect currently working with Admiral Insurance. He started his career 9 years ago, managing network security operations and started working on F5 products about 5 years ago.

He is also a 2017 DevCentral MVP and DevCentral’s Featured Member for March! DevCentral got a chance to talk with Jinshu about his work, life and his dream of being 100 million miles in space.

DevCentral: Hi Jinshu, thanks for your time. You’ve been a very active contributor to the DevCentral community. What keeps you involved?

Jinshu: DevCentral has helped me greatly over the years as I’ve worked with F5 products, so I feel like it’s worth spending some of my time both reading posts and helping others in the community. Searching DevCentral, I found other approaches to solving issues, helping me to solve challenges. Just checking the most recent questions is a great way to learn things.

DC: Tell us a little about your areas of BIG-IP expertise.

JP: At the earliest stage in my career, I was involved in basic BIG-IP LTM projects. After some successful experiences, I started working on another level and learning different BIG-IP modules.

Now, I think I’m pretty comfortable with all F5 BIG-IP modules but I’m clearly specialized in security. Now I’m pretty confident on BIG-IP LTM, DNS (formerly GTM), ASM, APM and AFM modules. I have implemented multiple solutions using these combinations for different customers, all these years.

DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.


JP: iRules are a great tool to solve unique BIG-IP challenges, but iRules are nothing without the developer’s community. DevCentral experts share experience not only about Tcl coding but protocol knowledge, iRule event order, and working iRules. And on the other side, some IT admins ask about new needs that I may answer for the next customer.

Security is a vast area and we get new requirements and challenges every time. Each time I get a new challenge, I first search on DevCentral to see if someone already solved it. If not, I’ll create my own iRule.

 

DC: Can you tell us a little about your blog, Secure Leaves and why it is important to Know your network before a hacker does?

JP: Since I started working in the security domain, I thought to give a helping hand to others as well. So I started this blog explaining small technical challenges and solutions for them. This blog focuses on security products and hence the title “Know your network before a hacker does”.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

JP: I’d probably be an Astronaut or a professional space traveler searching for external life and doing experiments on Mars. :) When I was a kid I always dreamt about being an Astronaut, staring at the stars.

Thanks Jinshu! Check out all of Jinshu’s DevCentral contributions, check out his blog, or connect on LinkedIn. And visit Admiral Group plc on the web and LinkedIn.





Deploy BIG-IP VE in AWS

Posted in Uncategorized, f5, big-ip, cloud, cloud computing, devcentral, aws, access by psilva on January 23rd, 2017

Cloud is all the rage these days as it has matured into a bona fide, viable option to deploy your applications. While attractive, you may also want to apply, mimic or sync your traditional data center policies like high availability, scalability and predictability in the cloud.




OK 2017, Now What?

Posted in Uncategorized, big-ip, application delivery, mobile, devcentral, 2017 by psilva on January 4th, 2017

The Year of the (Fire) Rooster will soon be upon us and the talkative, outspoken, frank, open, honest, and loyal Rooster could influence events in 2017. Whether you were born under the symbol or not, Roosters thrive on trust and responsibility, essential for any organization, especially in these times.

2016 (Year of the Monkey) brought us a crazy year of high profile breaches, a 500% increase in ransomware, a 0-day per day and slick malware each looking to cause havoc on all parts of society including your mobile device. The monkey’s shenanigans exhausted many of us in 2016 and 2017 will require some quick thinking and practical solutions to battle the ongoing, ever-growing threats.

A year ago I noted, Mobility, both the state of being and the devices we use, will continue to grow and be an immense enabler and/or inhibitor for organizations. Today, we are the devices, controllers and data generators and we’re interacting, even socially, with a growing list of robots and objects. Security continues to flummox folks both from a development standpoint – talking to you IoT manufacturers – and from a purely personal realm. The more connected devices we have in and around our lives, homes and offices the more opportunities for the bad guys to take advantage.

This is sure to continue as our digital, software-defined lives connect and intersect with the things around us. We’ll likely see a number of significant IoT security discussions coming out of CES this week too with cars and robots the starring attraction this year.

And as our lives – personal and professional – continue to be chronicled on the internet, the various thieves, nation states, and activists will continue to be one step ahead, probing data and looking for that golden slab of info. Making money, causing disruptions, or orchestrating outright take-downs through online attacks are big motivations for those seeking notoriety or simply a big score. But it’s not always from the crook or spy half a globe away. Insider threats, malicious or not, have made traditional concepts of the perimeter almost useless.

Here at DevCentral, our community is ready to help you through many of your most challenging application delivery endeavors this year. Like the rooster, we aim to be open and honest about how to accomplish a task with BIG-IP...including when it cannot do something. In recent weeks we’ve posted mitigations for Mirai bots, the recent PHP 0-days, along with a bunch of iControlREST solutions and an excellent article from Kevin Stewart about TLS Fingerprinting. And we look forward to answering your most perplexing BIG-IP questions. Also our very own Jason Rahm passed his Exam 201 - TMOS Administration so make sure you hit him up for some of your harder questions. The rest of the team will be looking to take the F5 Certified 201 sometime this quarter.

While trends like cloud, mobility, IoT, DevOps and big data will consume your attention, securing those trends and how they map to business objectives will come to roost in 2017 and DevCentral is here to help. Let’s try to be smart, practical, open and honest about our challenges and guard against the vain, boastful and attention grabbing bad guys trying to get the best of us.

The 2017 Rooster arrives January 28, 2017 and we’ll need to be prepared and stay calm when the proverbial fan starts spinning.

ps





F5 DevCentral Asks, ‘How Can We Help in 2017?’

Posted in Uncategorized, f5, big-ip, application delivery, devcentral by psilva on December 14th, 2016





Lock Down Your Login

Posted in Uncategorized, security, f5, big-ip, application security, silva, authentication, banking, malware, devcentral by psilva on September 27th, 2016


Last week we talked about WebSafe and how it can help protect against phishing attacks with a little piece of code. This is important since malware can steal credentials from every visited web application from an infected machine. This time we’re going to look at how to protect against credential grabbing on a BIG-IP APM login page with WebSafe encryption layer.

You’ll need two modules for this, BIG-IP APM and of course, WebSafe Fraud Protection Service. The goal is to protect the laptop from any malware that grabs sensitive login credentials. In this case, the malware would be configured to grab the login page along with the username and password parameter fields. Command and control could also be set to retrieve any credentials from the infected machine at certain intervals, like every 5 minutes.

The first goal would be to encrypt the password. Within your BIG-IP admin GUI, you would navigate to Security > Fraud Protection Service > Anti-Fraud Profiles > URL List. APM’s logon page usually ends with ‘/my.policy’.

Create the URL, then click it to open the configuration page and enable Application Layer Encryption.

Then select the Parameters tab to configure the fields you want to protect. In this case it is password and username.

In the screen grab, you can see ‘Obfuscate’ is selected, along with both ‘Encrypt’ and ‘Substitute Value’ for the password field.

Now when the user goes to the page, a bit of JavaScript is injected in the page to protect the specified fields. If you run HttpWatch or Wireshark on the page, you’ll see that the values for those parameters are obfuscated. This makes it incredibly difficult for the bad actor to determine the correct value.

And if the malware also grabs the password, since we set that to encrypt, all they get is useless information.

At this point, the BIG-IP will decrypt the password and pass on the traffic to the appropriate domain controller for verification. This is a great way to protect your login credentials with BIG-IP. If you’d like to see a demonstration of this, check out F5’s Security Specialist Matthieu Dierick’s demo video. Pretty cool.

ps




Don’t Take the Impostor’s Bait

Posted in Uncategorized, security, f5, big-ip, cybercrime, devcentral, phishing by psilva on September 20th, 2016

Phishing has been around since the dawn of the internet. The term was first used in an AOL Usenet group back in 1996 but it wasn’t until 2003 when many baited hooks and lures started dropping. Popular transaction destinations like PayPal and eBay were some of the early victims of these spoofed sites asking customers to update their personal and credit card information. By 2004, it was a full-fledged ‘get rich quick scheme’ with many financial institutions – and their customers – as targets.

Oxford Dictionary defines Phishing as, ‘The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.’

You’ve seen it, the almost perfect looking email with actual logos, images and links to a reputable company only to have it go to a slick looking replica complete with a login form. If you aren’t paying attention and do enter your credentials, you’ve just given a crook access to your money.

The Anti-Phishing Working Group (APWG) reports a 250 percent jump in the number of detected phishing websites between October 2015 and March 2016, more than in any other three-month span since it began tracking back in 2004. That’s around 230,000 unique phishing campaigns a month. And as recently as last week, American Express users were hit with a phishing email offering anti-phishing protection. Go figure. If you clicked the link, you were taken to a bogus Amex login page which asks for all the important stuff: SSN, DoB, mother’s maiden name, AMEX number plus security code and a few other vitals.

When complete, you’ll be redirected to the authentic site so you think you’ve been there all along. That’s how they work their magic. A very similar domain URL and all the bells of the original, including the real customer service 800 number.

You can combat it however.

F5’s WebSafe Web Fraud Protection can secure your organization (and your customers) against the evolving online fraud and you do not need any special client to detect it. WebSafe inserts an obfuscated JavaScript code which can detect malware like bait, mandatory words or if the fake was loaded from a different domain. It can validate source integrity like comparing fields for multiple users and detect threats like automatic transactions. Alerts are sent to an on premise dashboard and can also be forwarded to F5’s Security Operations Center (SOC).

If you are configuring malware protection for the login and transaction pages for a financial application, it’s as simple as adding an Anti-Fraud profile to your VIP.

First, you create an anti-fraud profile.

Then indicate which URL should be watched and the action.

Then enable Phishing detection.

And when a phishing attack occurs, both the domain and the username of the victim get reported to the dashboard.

The code that’s inserted is a little piece of JavaScript added to your website to detect the malicious activity. No action is needed on the part of the user since everything is handled within BIG-IP.

This tiny piece of code will dramatically reduce fraud loss and retain the most important asset in business—customer confidence.

Don't get fooled by a faker.

ps





I’m Sorry Sir, You’re Obsolete

Is the rate of obsolescence proportionate to the rate of technology advances?

A few years ago, those little iHome alarm clocks started to appear in hotel rooms. Cool gadgets that you could mount your mobile phone to battery charge or play the music on the device. We also had a few in our home. They worked perfectly for the iPhone4 since the connector was that 1 inch protruding plug. When I got the iPhone6, those clocks instantly became useless. Obsolete. At least the phone connector part lost its value.

I’ve been thinking about this for a while.

The rate of obsolescence. The state when an object, technology, service or practice is no longer needed or wanted…even though it still may be in good working order. E-waste is the fastest growing segment of the waste stream. With the technological advances, not only are we buying the latest and greatest electronics but we’re also dumping perfectly good, working devices at silly rates. There was even a story about a Central Park mugger who rejected a flip phone during a heist.

Sure, the new gadget is shiny, faster, better or does stuff the other one couldn’t. All commercial things have the typical emerging, growth, maturity and decline model and I started wondering if the rate of obsolescence is proportionate to the rate of technology advances.

Moore’s Law and Wright’s Law are generally regarded as the best formulas for predicting how rapidly technology will advance. They offer approximations of the pace of technological progress. Moore’s Law (1965) describes the rate of improvement in the power of computer chips – essentially, the number of components doubles every 18 months. Generally, the principle can be applied to any technology and says that, depending on the technology, the rate of improvement will increase exponentially over time.

Wright’s Law (1936) says that progress increases with experience. Meaning that each percent increase in cumulative production (in a given industry) results in a fixed percentage improvement in production efficiency.

A simple web search of ‘rate of technological advancement’ returns scores of images that show a huge ramp going up.

But is there the same rapid decline chart for ‘out of date, lost freshness’ technologies gone by?

Nothing with a laptop falling off a cliff but there are certainly charts showing the rate of e-waste.

The climb is not as dramatic as technology advances (yet) but it is still growing rapidly.

So there doesn’t seem to be (or I simply can’t find it) a direct correlation or chart that incorporates both technology advances and resulting obsoleteness. There are plenty of articles that do cover things that will be obsolete in the next few years (DVD players, landlines, clock radios); the jobs that will be obsolete (travel agent, taxi driver); and the things that became obsolete over the last decade.

There is a patent, US7949581B2, which describes a method of determining an obsolescence rate of a technology yet that looks more at the life of a technology patent and its eventual decay and depreciation rate. Less citations over the years means patent decay. This is more about the depreciation of a specific patent rather than how society embraces and then ultimately tosses the technology.

The funny thing is that nowadays vintage items and antiques seem to be hot markets. Nostalgia is a big seller. Longing for the simpler times I guess.

And lastly, the rate of World IQ over time. Is there a connection with technology?

If you feel your infrastructure is becoming obsolete with all that cloudy talk, F5 can certainly help by providing the critical application delivery services consistently across all your data centers - private clouds, public clouds, and hybrid deployments - so you can enjoy the same availability, security and performance you've come to expect.

ps


E-waste image courtesy: www.slideshare.net/SuharshHarsha

World IQ image courtesy: http://uhaweb.hartford.edu/BRBAKER/




Is 2016 Half Empty or Half Full?

Updating passwords is a huge trend in 2016


With 2016 crossing the half way point, let's take a look at some technology trends thus far.

Breaches: Well, many databases are half empty due to the continued rash of intrusions while the crooks are half full with our personal information. According to the Identity Theft Resource Center (ITRC), there have been 522 breaches thus far in 2016 exposing almost 13,000,000 records. Many are health care providers as our medical information is becoming the gold mine of stolen info. Not really surprising since the health care wearable market is set to explode in the coming years. Many of those wearables will be transmitting our health data back to providers. There were also a bunch of very recognizable names getting blasted in the media: IRS, Snapchat, Wendy’s and LinkedIn. And the best advice we got? Don’t use the same password across multiple sites. Updating passwords is a huge trend in 2016.

Cloud Computing: According to IDC, public cloud IaaS revenues are on pace to more than triple by 2020, from $12.6 billion in 2015 to $43.6 billion in 2020. The public cloud IaaS market grew 51% in 2015 but will slightly slow after 2017 as enterprises get past the wonder and move more towards cloud optimization rather than simply testing the waters. IDC also noted that four out of five IT organizations will be committed to hybrid architectures by 2018. While hybrid is the new normal, remember, The Cloud is Still just a Datacenter Somewhere. Cloud seems to be more than half full and this comes at a time when ISO compliance in the cloud is becoming even more important.

DNS: I’ve said it before and I’ll say it again, DNS is one of the most important components of a functioning internet. With that, it presents unique challenges to organizations. Recently, Infoblox released its Q1 2016 Security Assessment Report and off the bat said, ‘In the first quarter of 2016, 519 files capturing DNS traffic were uploaded by 235 customers and prospects for security assessments by Infoblox. The results: 83% of all files uploaded showed evidence of suspicious activity (429 files).’ They list the specific threats from botnets to protocol anomalies to Zeus and DDoS. A 2014 vulnerability, Heartbleed, still appears around 11% of the time. DevOps is even in the DNS game. In half full news, VeriSign filed two patent applications describing the use of various DNS components to manage IoT devices. One is for systems and methods for establishing ownership and delegation of IoT devices using DNS services and the other is for systems and methods for registering, managing, and communicating with IoT devices using DNS processes. Find that half full smart mug...by name!

IoT: What can I say? The cup runneth over. Wearables are expected to close in on 215 million units shipped by 2020 with 102 million this year alone. I think that number is conservative with smart eyewear, watches and clothing grabbing consumers’ attention. Then there’s the whole realm of industrial solutions like smart tractors, HVAC systems and other sensors tied to smart offices, factories and cities. In fact, utilities are among the largest IoT spenders and will be the third-largest industry by expenditure in IoT products and services. Over $69 billion has already been spent worldwide, according to the IDC Energy Insights/Ericsson report. And we haven’t even touched on all the smart appliances, robots and media devices finding spots in our homes. Get ready for Big Data regulations as more of our personal (and bodily) data gets pushed to the cloud. And we’re talking a lot of data.

Mobile: We are mobile, our devices are mobile and the applications we access are mobile. Mobility, in all its iterations, is a huge enabler and concern for enterprises and it'll only get worse as we start wearing our connected clothing to the office. The Digital Dress Code has emerged. With 5G on the way, mobile is certainly half full and there is no emptying it now.

Of course, F5 has solutions to address many of these challenges whether you’re boiling over or bone dry. Our security solutions, including Silverline, can protect against malicious attacks; no matter the cloud - private, public or hybrid - our Cloud solutions can get you there and back; BIG-IP DNS, particularly DNS Express, can handle the incredible name request boom as more ‘things’ get connected; and speaking of things, your datacenter will need to be agile enough to handle all the nouns requesting access; and check out how TCP Fast Open can optimize your mobile communications.

That's what I got so far and I'm sure 2016's second half will bring more amazement, questions and wonders. We'll do our year-end reviews and predictions for 2017 as we all lament, where did the Year of the Monkey go?

There's that old notion that if you see a glass half full, you're an optimist and if you see it half empty you are a pessimist. I think you need to understand what state the glass itself was before the question. Was it empty and filled half way or was it full and poured out? There's your answer!

ps 




