Archive for waf

Mitigate L7 DDoS with BIG-IP ASM

Posted in security, f5, big-ip, application security, silva, DoS attack, devcentral, infrastructure, waf, ddos by psilva on November 28th, 2017

Today, let’s look at a couple ways to mitigate an application DDoS attack with BIG-IP ASM.

We’ve logged into a BIG-IP ASM and navigated to Security>DDoS Protection>DDoS Profiles. In the General Settings of Application Security, we’ll activate an application DoS iRule event.

l7d2.png

 

We’ll click TPS-based Detection to see the temporarily lowered TPS thresholds to easily simulate an attack. Often, there are multiple mitigation methods that are sequentially applied as you can see with the Source IP settings.

l7d34.png

 

We can also record traffic packet captures during attacks for post analysis.

l7d5.png

 

When the user requests a web application proxied by BIG-IP ASM, ASM will create a unique identifier or a Device ID. ASM will inject JavaScript to register each client device. You can see X-Device-ID: at the bottom.

l7d6.png

 

And JavaScript incapable clients never make it through.

l7d7.png

 

Now that the unit is ready, let’s enable some packet capture and take a go at that damn vulnerable web application.

l7d8a.png

 

Path for the log files is /var/log/ or /shared/log/…the PCAP folder is empty so let’s see the action.

l7d8b.png

 

Attack commence in 3-2-1. Some quick refreshes should do as our thresholds are low.

l7d8c.png

 

The first mitigation is Client Side Integrity Defense. The system issues a client-side integrity challenge that consumes client computation resources and slows down the attack. Next is Built-in Captcha. The third mitigation is Rate Limiting…

l78de.png

 

..then if they’re still not listening, you can instantly transform into a Honeypot.

pot.png

 

The logs below show the IP address and the type of mitigation technique deployed. First Integrity, then Captcha, then Rate Limiting, then Honeypot if they don't stop. The traffic you recorded will be found in the, now populated, PCAP folders.

dvwa_logs_full.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 




Deploy an Auto-Scaled BIG-IP VE WAF in AWS

Posted in security, f5, big-ip, application security, cloud, privacy, waf, aws by psilva on August 29th, 2017

Today let’s look at how to create and deploy an auto-scaled BIG-IP Virtual Edition Web Application Firewall by using a Cloud Formation Template (CFT) in AWS. CFTs are simply a quick way to spin up solutions that otherwise, you may have to create manually. The idea behind this CFT is it is going to create BIG-IP VE instances for you. These instances function as a firewall in front of your application. Depending on the limits you specify, when more traffic is going to your application, new instances will launch…and when there is less traffic, instances will terminate.

awaf1.jpg

This solution has a few prerequisites:

  • A Virtual Private Cloud (VPC) with at least two subnets, each in its own availability zone
  • An AWS Elastic Load Balancer (ELB), which serves traffic to the BIG-IP VE instances
  • An SSH key pair which you need to access the instances.

I have these already created, so we’ll proceed to deploying the template.

You have two choices on how you want to deploy. You can go to the AWS Marketplace and search ‘f5 waf’ or you can go to the F5 Networks GitHub site. GitHub usually has the latest and greatest, so we’ll use that.

Click on the f5-aws-cloudformation spot.

awaf2.jpg

And then click Supported.

awaf3.jpg

And then click solutions/autoscale.

awaf4.jpg

Then waf.

awaf5.jpg

We scroll down a little bit and click Launch Stack.

awaf6.jpg

We click Next at the Select Template screen and fill out the template.

awaf7.jpg

When you get to the template, the Deployment Name will be appended to all the instances so you can tell which ones are yours. Since we already set up a VPC with two subnets in two zones (not regions), we’ll select those in the VPC ID field. The Restricted Source Address is available if you only want to allow specific IP addresses to your BIG-IP VE instances.

awaf8.jpg

Next is the AWS Elastic Load Balancer name, then choose your SSH key – which is needed to connect to the instances. And we’ll leave the defaults for the rest.

awaf9.jpg

Then you’ll get to the Auto Scaling Configuration section which is where you’ll determine when to create the new WAF instances. You’ll want to configure the Scale Up & Scale Down Bytes Threshold which will, obviously, determine when one gets launched/added and when it is removed.

awaf9a.jpg

Under WAF Virtual Service Configuration, is where you’ll enter the application’s Service Port and DNS. In addition, if you wanted to automatically add application servers to the pool to have traffic will go to those without having to manually configure the BIG-IP, you can also add the Application Pool Tag Values which works great. Next choose your WAF Policy Level (low, medium, high) and click Next and Next.

awaf9b.jpg

Also, click the check box with indicates that you have the appropriate credentials to set some IAM roles and create a S3 Bucket. Click Create and the CFT will start creating resources.

awaf9c.jpg

This process can take about 15 minutes to complete and when it is done, you’ll get the CREATE_COMPLETE on your dashboard. The resources might be available right away but it is recommended to wait at least 30 minutes before digging into things.

awaf9d.jpg

To see what the CFT created and confirm completion, go to: Services>EC2>Auto Scaling Groups. You can see that there is a BIG-IP VE instance created and added to the group. Also, be aware that the default for Scaling Policies is to wait 40 minutes to launch a new instance. You may want to adjust that to your preference. However, to be clear, AWS is always monitoring the traffic and want to know if you are exceeding the limits you’ve set. The Scaling Policies setting simply means that after one instance is launched – you hit the limit and one is up – AWS should wait 40 minutes (or whatever your value is) to launch another. It’ll keep going until you’ve hit the max number of instances specified. We put three.

awaf9e.jpg

While in Services>EC2, you can also inspect the ELB and see that the BIG-IP VE instance is there and in service. Traffic is going through the Load Balancer and then to the BIG-IP VE, then to the application server.

awaf9f.jpg

Lastly, let’s look at the list of instances in Services>EC2>Instances and the instances are there and ready to go!

awaf9g.jpg

And then when there is too much traffic, another is added. Since the limit was exceeded, AWS has launched new instances, up to three.

awaf9h.jpg

And when the traffic falls, the instance shuts down.

awaf9i.jpg

That’s it! Easily scale your BIG-IP application security on AWS. Thanks to our TechPubs group and watch the video demo here.

ps

 




Lightboard Lessons: BIG-IP ASM Layered Policies

Posted in security, f5, big-ip, application security, asm, lightboard, devcentral, waf, policy by psilva on August 23rd, 2017

In this Lightboard Lesson, I light up some use cases for BIG-IP ASM Layered Policies available in BIG-IP v13.

With Parent and Child policies, you can:

  • Impose mandatory policy elements on multiple policies;
  • Create multiple policies with baseline protection settings; and
  • Rapidly push changes to multiple policies.

ps

Watch Now:



Updating an Auto-Scaled BIG-IP VE WAF in AWS

Posted in security, f5, big-ip, cloud computing, infrastructure, waf, aws by psilva on May 23rd, 2017

Update servers while continuing to process application traffic.

Recently we've been showing how to deploy BIG-IP (and F5 WAF) in various clouds like Azure and AWS.

Today, we’ll take a look at how to update an AWS auto-scaled BIG-IP VEBIG-IP VE web application firewall (WAF) that was initially created by using this F5 github template. This solution implements auto-scaling of BIG-IP Virtual Edition (VE) Web Application Firewall (WAF) systems in Amazon Web Services. The BIG-IP VEs have the Local Traffic Manager (LTM) and Application Security Manager (ASM) modules enabled to provide advanced traffic management and web application security functionality. As traffic increases or decreases, the number of BIG-IP VE WAF instances automatically increases or decreases accordingly.

Prerequisites:

asw1.jpg

So, let’s assume you used the CFT to create a BIG-IP WAF in front of your application servers…and your business is so successful that you need to be able to process more traffic. You do not need to tear down your deployment and start over – you can make changes to your current deployment while the WAF is still running and protecting your environment.

For this article, a few examples of things you can change include increasing the throughput limit. For instance, When you first configured the WAF, you choose a specific throughput limit for BIG-IP. You can update that. You may also have selected a smaller AWS instance size and now want to choose a larger AWS instance type and add more CPU. Or, you may have set up your auto-scaling group to launch a maximum of two instances and now you want to be able to update the auto-scaling group attributes and add three.

This is all possible so let’s check it out.

The first thing we want to do is connect to one of the BIG-IP VE instances and save the latest configuration. We open putty, login and run the TMSH command (save /sys ucs /var/tmp/original.ucs) to save the UCS config file.

asw2.jpg

Then we use WinSCP to copy the UCS files to the desktop. You can use whatever application you like and copy the file wherever you like as this is just a temporary location.

asw3.jpg

Once that’s done, open the AWS Management Console and go to the S3 bucket. This bucket was created when you first deployed the CFT and locate yours.

asw456.jpg

When you find your file, click it and then click the Backup folder.

asw7.jpg

Once there, now upload the UCS file into that folder.

asw89.jpg

The USC is now in the folder.

asw91.jpg

The last step is to redeploy the CFT and change the selected options. From the main AWS Management Console, click CloudFormation, select your Stack and under Actions, click Update Stack.

asw9293.jpg

Next, you can see the template we originally deployed and to update, click Next.

asw94.jpg

Scroll down the page to Instance Configuration to change the instance type size.

asw95.jpg

Right under that is Maximum Throughput to update the throughput limit.

asw96.jpg

And a little further down under Auto Scaling Configuration is where you can update the max number of instances. When done click Next at the bottom of the page.

asw97.jpg

It’ll ask you to review and confirm the changes. Click Update.

asw9899.jpg

You can watch the progress and if your current BIG-IP VE instance is actively processing traffic, it will remain active until the new instance is ready.  Give it a little time to ensure the new instance is up and added to the auto scaling group before we terminate the other instance.

asw991.jpg

When it is done, we’ll confirm a few things.

Go to the EC2 Dashboard and check the running instances. We can see the old instance is terminated and the new instance is now available. You can also check the instance size and within the auto scaling group you can see the new maximum for number of instances.

asw99234.jpg

And we’re deployed.

You can follow this same workflow to update other attributes of your F5 WAF. This allows you to update your servers while continuing to process traffic.

Thanks to our TechPubs group, you can also watch the video demo.

ps

Related:

 




Deploying F5’s Web Application Firewall in Microsoft Azure Security Center

Posted in security, f5, big-ip, cloud, cloud computing, silva, microsoft, application delivery, waf, azure by psilva on May 9th, 2017

Use F5’s Web Application Firewall (WAF) to protect web applications deployed in Microsoft Azure.

Applications living in the Cloud still need protection. Data breaches, compromised credentials, system vulnerabilities, DDoS attacks and shared resources can all pose a threat to your cloud infrastructure. The Verizon DBIR notes that web application attacks are the most likely vector for a data breach attack. While attacks on web applications account for only 8% of reported incidents, according to Verizon, they are responsible for over 40% of incidents that result in a data breach. A 2015 survey found that 15% of logins for business apps used by organizations had been breached by hackers.

One way to stay safe is using a Web Application Firewall (WAF) for your cloud deployments.

Let’s dig in on how to use F5’s WAF to protect web applications deployed in Microsoft Azure. This solution builds on BIG-IP Application Security Manager (ASM) and BIG-IP Local Traffic Manager (LTM) technologies as a preconfigured virtual service within the Azure Security Center.

Some requirements for this deployment are:

  • You have an existing web application deployed in Azure that you want to protect with BIG-IP ASM
  • You have an F5 license token for each instance of BIG-IP ASM you want to use

To get started, log into your Azure dashboard and on the left pane, toward the bottom, you’ll see Security Center and click it.

awaf1.jpg

Next, you’ll want to click the Recommendations area within the Security Center Overview.

awaf2.jpg

And from the list of recommendations, click Add a web application firewall.

awaf3.jpg

A list of available web applications opens in a new pane. From the application list, select the application you want to secure.

awaf5.jpg

And from there click Create New. You’ll get a list of available vendors’ WAFs and choose F5 Networks.

awaf7.jpg

A new page with helpful links and information appears and at the bottom of the page, click Create.

awaf8.jpg

First, select the number of machines you want to deploy – in this case we’re deploying two machines for redundancy and high availability. Review the host entry and then type a unique password for that field. When you click Pricing Tier, you can get info about sizing and pricing. When you are satisfied, at the bottom of that pane click OK.

awaf82.jpg

Next, in the License token field, copy and paste your F5 license token. If you are only deploying one machine, you’ll only see one field. For the Security Blocking Level, you can choose Low, Medium or High. You can also click the icon for a brief description of each level. From the Application Type drop down, select the type of application you want to protect and click OK (at the bottom of that pane).

awaf83.jpg

Once you see two check marks, click the Create button.

awaf84.jpg

Azure then begins the process of the F5 WAF for your application. This process can take up to an hour. Click the little bell notification icon for the status of the deployment.

awaf8687.jpg

You’ll receive another notification when the deployment is complete.

awaf88.jpg

After the WAF is successfully deployed, you’ll want to test the new F5 WAF and finalize the setup in Azure including changing the DNS records from the current server IP to the IP of the WAF.

When ready, click Security Center again and the Recommendations panel. This time we’ll click Finalize web application firewall setup.

awaf9.jpg

And click your Web application.

awaf91.jpg

Ensure your DNS settings are correct and check the I updated my DNS Settings box and when ready, click Restrict Traffic at the bottom of the pane.

awaf92.jpg

Azure will give you a notification that it is finalizing the WAF configuration and settings, and you will get another notification when complete.

awaf93.jpg

And when it is complete, your application will be secured with F5’s Web Application Firewall.

Check out the demo video and rest easy, my friend.

ps

Related:




Ask the Expert – Are WAFs Dead?

Posted in security, f5, application security, silva, privacy, waf by psilva on November 2nd, 2015

Brian McHenry, Sr. Security Solution Architect, addresses the notion that Web Application Firewalls are dead and talks about what organizations need to focus on today when protecting their data and applications across a diverse environment. He discusses many of the current application threats, how to protect your data across hybrid environments and the importance of a security policy that is portable across many environments. Move on from the idea of a traditional WAF and embrace hybrid WAF architectures.

ps

Related:

Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]
Watch Now:



Inside Look: BIG-IP ASM Botnet and Web Scraping Protection

Posted in security, f5, big-ip, application security, silva, video, intellectual property, cybercrime, hackers, waf by psilva on February 21st, 2013

I hang with WW Security architect Corey Marshall to get an inside look at the Botnet detection and Web scraping protection in BIG-IP ASM.

 

ps

Related:

Connect with Peter: Connect with F5:
o_linkedin[1]  o_facebook[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]