Wednesday, December 7, 2016

Managing Your Vulnerabilities

I recently recovered from ACDF surgery where they remove a herniated or degenerative disc in the neck and fuse the cervical bones above and below the disk. My body had a huge vulnerability where one good shove or fender bender could have ruptured my spinal cord. I had some items removed and added some hardware and now my risk of injury is greatly reduced.


Breaches are occurring at a record pace, botnets are consuming IoT devices and bandwidth, and the cloud is becoming a de-facto standard for many companies. Vulnerabilities are often found at the intersection of all three of these trends, so vulnerability and risk management has never been a greater or more critical challenge for organizations.

Vulnerabilities come in all shapes and sizes but one thing that stays constant – at least in computer security - is that a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. It is the intersection where a system is susceptible to a flaw; whether an attacker can access that flaw; and whether an attacker can exploit that flaw within the system. For F5, it means an issue that results in a confidentiality, integrity, or availability impact of an F5 device by an unauthorized source. Something that affects the critical F5 system functions - like passing traffic.

You may be familiar with CVE or Common Vulnerabilities and Exposures. This is a dictionary of publicly known information security vulnerabilities and exposures. Each vulnerability or exposure gets a name or CVE ID and allows organizations to reference it in a public way. It enables data exchange between security products and provides a baseline index point for evaluating coverage of tools and services. MITRE is the organization that assigns CVEs. There are also CVE Numbering Authorities (CNA). Instead of sending a vulnerability to MITRE for numbering, a CNA gets a block of numbers and can assign IDs as needed. The total CVE IDs is around 79,398.

Most organizations are concerned about CVEs and the potential risk if one is present in their environment. This is obviously growing with the daily barrage of hacks, breaches and information leaks. Organizations can uncover vulnerabilities from scanner results; from media coverage like Heartbleed, Shellshock, Poodle and others; or from the various security related standards, compliance or internal processes. The key is that scanning results need to be verified for false positives, hyped vulnerabilities might not be as critical as the headline claims and what the CVE might mean for your compliance or internal management.

For F5, we keep a close eye on any 3rd party code that might be used in our systems. OpenSSL, BIND or MySQL are examples. For any software, there may be bugs or researcher’s reports or even non-CVE vulnerabilities that could compromise the system. Organizations need to understand the applicability, impact and mitigation available.

Simply put: Am I affected? How bad is it? What can I do? 


With Applicability, research typically determines if an organization should care about the vulnerability. Things like, is the version of software noted and are you running it. Are you running the vulnerable function within the software? Sometimes older or non-supported versions might be vulnerable but you’ve upgraded to the latest supported code or you are simply not using the vulnerable function at all. The context is also important. Is it being used in default, standard or recommended mode? For instance, many people don’t change the default password of their Wi-Fi device and certain functionality is vulnerable. It gets compromised and becomes part of a botnet. But if the password was changed, as recommended, and it becomes compromised some other way, then that is a different situation to address.



For Impact, there are a couple ways to decide how bad it is. First, you can look at the severity of the vulnerability - is it low, medium, high or critical. You can also see if there is a Common Vulnerability Scoring System (CVSS) score tied to the vulnerability. The CVSS score can give you a gauge to the overall risk. To go a bit deeper, you can look at the CVSS Vector.

There are 3 sections to the CVSS. There are the constant base metrics covering the exploitability of the issue, the impact that it may have and the scope that it is in. There are the temporal metrics, which may change over time, giving the color commentary of the issue. And there are the environmental metrics which look at the specific, individual environment and how that is impacted. Areas explored here include things like the attack vector and complexity; whether elevated privileges are required or any user interaction along with the scope and how it affects the confidentiality, integrity and availability of the system. One can use the CVSS calculator to help determine a vector score. With a few selections you can get a base, temporal and environmental score to get an overall view of the severity. With this, you can get an understanding as to how to handle the vulnerability. Every organization has different levels of risk based on their unique situation. The vulnerability base score may have a critical listing yet based on your environmental score, the severity and risk may be nil.

Lastly, the Mitigation taken is not an exact science and truly depends on the issue and the organization’s situation. Mitigation is not necessarily prevention. For example, compensating controls, such as restricting root level access might mean that a vulnerability simply isn’t exploitable without a privileged account.
Vulnerability management and information security is about managing risk. Risk analysis, risk management, risk mitigation and what that risk means to the business. Patching a vulnerability can introduce other risks, so the old refrain of “patch your $#!+” is not the panacea we’re often led to believe. Risk is not limited to the severity of the vulnerability alone, but also to the required vector for exploiting that vulnerability where it exists within a specific organization’s infrastructure.

It’s important to understand your risk and focus on the important pieces.


ps

Tuesday, November 1, 2016

Q/A with Rackspace Network Architect Vijay Emarose - DevCentral's Featured Member for November

Koman Vijay Emarose works as a Network Architect with the Strategic Accounts team at Rackspace. He has been a “Racker” (Rackspace Employee) for 7+ years and currently he is adapting to a networking world that is pivoting towards a world of automation.

In Odaah's free time, he likes to identify DevCentral site bugs, incessantly torment Chase Abbott to fix them – particularly the badges and he is DevCentral’s Featured Member for November!

Vijay's other hobbies include traveling and has been to more than eleven countries and looking to increase that number in the future. Personal finance blogs and binge watching documentaries are his guilty pleasures.

DevCentral got an opportunity to talk with Vijay about his work, life and blog.

DevCentral: You’ve been an active contributor to the DevCentral community and wondered what keeps you involved?
Vijay Emarose: I have been a passive DevCentral user for quite a while and relied heavily on DevCentral to improve my iRule skills. The continued support for DevCentral community among F5 employees and other BIG-IP administrators provided me with the motivation to start sharing the knowledge that I have gained over the years. Answering questions raised by other members helps me to reinforce my knowledge and opens me up to alternate solutions that I had not considered. Rest assured, I will strive to keep the momentum going.
DC: Tell us a little about the areas of BIG-IP expertise you have.
VE: I started working on F5 during the transition period from 9.x to 10.x code version in 2010. BIG-IP LTM & GTM are my strong points. I have some experience with AFM, APM and ASM but not as much as I would like. Working with clients of various sizes from small scale to large enterprises at Rackspace, exposed me to a wide variety of F5 platforms from the 1600s to the VIPRION.
I am sporadically active in the LinkedIn Community for F5 Certified Professionals. I had taken the beta versions of the F5 Certification exams and I am currently an F5 Certified Technology Specialist in LTM & GTM. I am eagerly looking forward to the upcoming F5 402 Exam.
I have been fortunate enough to work with the F5 Certification Team (Ken Salchow, Heidi Schreifels, et al) in the Item Development Workshop (IDW) for F5’s 201 TMOS Administration Certification Exam and it was an eye-opener to understand the amount of thought and effort that goes into creating a certification exam. 
The 2016 F5 Agility in Chicago was my very first F5 Agility conference and I enjoyed meeting with and learning from Jason Rahm, Chase Abbott and other DevCentral members. I look forward to participating in future F5 Agility Conferences.
DC: You are a Network Architect with Rackspace, the largest managed cloud provider. Where does BIG-IP fit in the services you offer or within your own infrastructure?
VE: Rackspace is a leader in the Gartner Magic Quadrant for Cloud Enabled Managed Hosting and participates in the F5 UNITY Managed Service Provider Partner Program at the Global Gold Level. 
Various F5 platforms from the 1600s to the VIPRIONS are offered to customers requiring a dedicated ADC depending on their requirements. LTM & GTM are widely supported. 

In the past, I have been a member of the RackConnect Product team within Rackspace. “RackConnect” is a product that allows automated hybrid connections between a customer’s dedicated environment and Rackspace’s public cloud. F5 platforms were utilized as the gateway devices in this product. There is a DevCentral article on RackConnect by Lori MacVittie. 
I would like to take this opportunity to thank the F5 employees who support Rackspace that I have had the pleasure of working with - Richard Tocci, Scott Huddy and Kurt Lanthier. They have been of massive help to me whenever I required clarification or assistance with F5.
DC: Your blog, Network-Maven.com, documents your experiences in the field of Network Engineering, Application Delivery, Security and Cloud Computing. What are some of the highlights that the community might find interesting?
VE: This is a recent blog that I started to share my knowledge and experience working in the Networking field. Application Delivery Controllers are a niche area within Networking and I was fortunate enough to learn from some of the best at Rackspace. My idea is to share some of my experiences that could potentially help someone new to the field. 
Working with thousands of customer environments running different code versions on various F5 platforms has provided me with a rich variety of experience that could be of help to fellow F5 aficionados who are executing an F5 maintenance or implementing a new feature/function in their F5 environments.
DC: Describe one of your biggest challenges and how DevCentral helped in that situation.
VE: DevCentral has been a great resource for me on multiple occasions and it is tough to pinpoint a single challenge. I rely on it to learn from other’s experiences and to develop my iRule and iControl REST skills. 
I have benefited from the iRule: 20 Lines or Less series and I am an avid follower of the articles published by community members. For someone starting new with F5, I would certainly recommend following the articles and catching up on the iRules: 20 Lines or less series.
DC: Lastly, if you weren’t working in IT – what would be your dream job?
VE: I haven’t figured it out yet. Tech, finance & travel interest me. May be some combination of these interests would be the answer.
DC: Thanks Vijay and congratulations! You can find Vijay on LinkedIn, check out his DevCentral contributions and follow @Rackspace.

Related:

Tuesday, October 18, 2016

Your SSL Secrets Uncovered

Get Started with SSL Orchestrator

SSL and its brethren TLS is becoming more prevalent to secure IP communications on the internet. It’s not just financial, health care or other sensitive sites, even search engines routinely use the encryption protocol. This can be good or bad. Good, in that all communications are scrambled from prying eyes but potentially hazardous if attackers are hiding malware inside encrypted traffic. If the traffic is encrypted and simply passed through, inspection engines are unable to intercept that traffic for a closer look like they can with clear text communications. The entire ‘defense-in-depth’ strategy with IPS systems and NGFWs lose effectiveness.

F5 BIG-IP can solve these SSL/TSL challenges with an advanced threat protection system that enables organizations to decrypt encrypted traffic within the enterprise boundaries, send to an inspection engine, and gain visibility into outbound encrypted communications to identify and block zero-day exploits. In this case, only the interesting traffic is decrypted for inspection, not all of the wire traffic, thereby conserving processing resources of the inspecting device. You can dynamically chain services based on a context-based policy to efficiently deploy security.

This solution is supported across the existing F5 BIG-IP v12 family of products with F5 SSL Orchestrator and is integrated with such solutions like FireEye NX, Cisco ASA FirePOWER and Symantec DLP.

Here I’ll show you how to complete the initial setup.

A few things to know prior – from a licensing perspective, The F5 SSL visibility solution can be deployed using either the BIG-IP system or the purpose built SSL Orchestrator platform. Both have same SSL intercept capabilities with different licensing requirements.

To deploy using BIG-IP, you’ll need BIG-IP LTM for SSL offload, traffic steering, and load balancing and the SSL forward proxy for outbound SSL visibility. Optionally, you can also consider the URL filtering subscription to enforce corporate web use policies and/or the IP Intelligence subscription for reputation based web blocking. For the purpose built solution, all you’ll need is the F5 Security SSL Orchestrator hardware appliance.

The initial setup addresses URL filtering, SSL bypass, and the F5 iApps template.

URL filtering allows you to select specific URL categories that should bypass SSL decryption. Normally this is done for concerns over user privacy or for categories that contain items (such as software update tools) that may rely on specific SSL certificates to be presented as part of a verification process.

Before configuring URL filtering, we recommend updating the URL database. This must be performed from the BIG-IP system command line. Make sure you can reach download.websense.com on port 80 via the BIG-IP system and from the BIG-IP LTM command line, type the following commands:
modify sys url-db download-schedule urldb download-now false modify sys url-db download-schedule urldb download-now true
To list all the supported URL categories by the BIG-IP system, run the following command:
tmsh list sys url-db url-category | grep url-category

Next, you’ll want to configure data groups for SSL bypass. You can choose to exempt SSL offloading based on various parameters like source IP address, destination IP address, subnet, hostname, protocol, URL category, IP intelligence category, and IP geolocation. This is achieved by configuring the SSL bypass in the iApps template calling the data groups in the TCP service chain classifier rules. A data group is a simple group of related elements, represented as key value pairs. The following example provides configuration steps for creating a URL category data group to bypass HTTPS traffic of financial websites. 


For the BIG-IP system deployment, download the latest release of the iApps template and import to the BIG-IP system.

Extract (unzip) the ssl-intercept-12.1.0-1.5.7.zip template (or any newer version available) and follow the steps to import to the BIG-IP web configuration utility.

From there, you’ll configure your unique inspection engine along with simply following the BIG-IP admin UI with the iApp questionnaire. You’ll need to select and/or fill in different values in the wizard to enable the SSL orchestration functionality. We have deployment guides for the detailed specifics and from there, you’ll be able to send your now unencrypted traffic to your inspection engine for a more secure network.

ps

Resources:




Wednesday, October 12, 2016

Lightboard Lessons: BIG-IP in Hybrid Environments

A hybrid infrastructure allows organizations to distribute their applications when it makes sense and provide global fault tolerance to the system overall. Depending on how an organization’s disaster recovery infrastructure is designed, this can be an active site, a hot-standby, some leased hosting space, a cloud provider or some other contained compute location. As soon as that server, application, or even location starts to have trouble, organizations can seamlessly maneuver around the issue and continue to deliver their applications.

Driven by applications and workloads, a hybrid environment is a technology strategy to integrate the mix of on premise and off-premise data compute resources. In this Lightboard Lesson, I explain how BIG-IP can help facilitate hybrid infrastructures.


ps

Related:

Tuesday, October 11, 2016

F5 Access for Your Chromebook

My 5th grade daughter has a Chromebook for school. She loves it and it allows her access to school applications and educational tools where she can complete her assignments and check her grades. But if 5th grade is a tiny dot in your rear-view and you’re looking to deploy Chromebooks in the enterprise, BIG-IP v12 can secure Chrome device access to enterprise networks and applications using SSL VPN technologies, encrypting those connections to corporate applications. With network access, users can run applications such as RDP, SSH, Citrix, VMware View, and other enterprise applications on their Chrome OS devices.

From an employee’s perspective, it is very easy to get this configured. Log on to a Chromebook, open Chrome Web Store, search for ‘F5 Access’ and press the +ADD TO CHROME button. Add app when the dialogue box pops and F5 Access will appear in your ‘All Apps’ window.

Next, when launched, you’ll need to accept the license agreement and then add a server from the Configuration tab:


Next, give it a unique name, enter the BIG-IP APM server URL and optionally add your username and password. Your password will not be cached unless that’s allowed by the APM Access Policy. You can also select a client certificate if required. Once configured, it’ll appear in the list. You can also have multiple server configurations if needed:

To connect, click the bottom tray bar and select the tile that says, ‘VPN Disconnected.’

And select the server configured when setting up the app. Depending on the configuration, you’ll either get the native login window or the WebTop version:

Once connected, there won’t be any indication in the tray but if you click it, you’ll see the connection status in the same VPN area as above and it’ll show ‘connected’ within the F5 Access app:

As you can see in the above image, you can also check Statistics and Diagnostics if those are of interest. To end the connection, click the try again, select the VPN tile and click Disconnect:

For administrators, it’s as simple as adding a ‘ChromeOS’ branch off the ClientOS VPE action:

Then add a Connectivity Profile to BIG-IP:

In addition to generic session variables, client session variables are also available. Check out the release notes and BIG-IP Access Policy Manager and F5 Access for Chrome OS v1.0.0 manual for more info.

ps

Related:

Tuesday, October 4, 2016

Q/A with ExITeam’s Security Engineer Stanislas Piron - DevCentral's Featured Member for October

Stanislas Piron is a Security Engineer for ExITeam. 16 years ago, Stanislas started out with Firewalls, email and Web content security. His first F5 deployment was with LTM and Link Controller 10 years ago and he is DevCentral’s Featured Member for October!

He started to focus on F5 products as pre-sales engineer for a IT security distributor in charge of F5 development. 4 years ago, he joined Exiteam, a small company of two security engineers helping resellers audit, design and deploy security solutions for their customers. To provide real expertise, they both focus their skills on a small set of products. He works with F5 products about 80% of his time.

DevCentral got an opportunity to chat with Stanislas about his work, life and if European organizations have unique security requirements.

DevCentral: You’ve been an active contributor to the DevCentral community and wondered what keeps you involved?
Stanislas Piron: When I started working with F5 products, I created my DevCentral account to search piece of iRules and write my own iRules according to customer’s needs.
As the needs grew, I had some unanswered questions. Searching DevCentral, I found another approaches to solving issues, helping me to solve my own challenges. Each time I find a better way to solve my problems, I try to share my code. 
I often read question and try to solve them thinking, “This can solve an issue of a customer I didn’t think about before” 
DevCentral is a place where every time you help someone, you learn something.

DC: Tell us a little about the areas of BIG-IP expertise you have.
SP: My favorite BIG-IP product is APM (LTM+APM mode), which covers almost everything about authentication. It’s also the product we must configure as simple as possible if we do not want the customer to have headaches reading the access policy.

I often deploy BIG-IP with multiple modules including LTM, APM, AFM, GTM and ASM to offer high datacenter security.
 
Most of my deployments use the local traffic policies for standard admin tasks, iRules for application compatibility, and the tcl codes in APM to assign variable boxes.

DC: You are a Security Engineer with Exiteam, a security consulting practice. Can you explain how DevCentral helps with your daily challenges? Where does BIG-IP fit in the services you offer or within your own infrastructure?
SP: iRules is a great tool to solve problems BIG-IP is not addressing, but iRules is nothing without the developer’s community. DevCentral experts share experience not only about tcl coding but protocol knowledge, iRule events orders, and working iRules. And on the other side, some IT admins ask about new needs that I may answer for the next customer. 
Each time I have a new challenge, I first search on DevCentral to see if someone already solved it. If not, I’ll create my own iRule.

DC: I understand you are in France and wondered, what are some of the unique information security challenges for European organizations?
SP: Information security challenges are not unique for European organizations as security risks are the same for all countries.

DC: Describe one of your biggest challenges and how DevCentral helped in that situation.
SP: With Microsoft Forefront TMG End of sale, most of my customers migrated to F5 products. 
One of my customers, a SAAS provider, with almost exclusively Microsoft products (TMG, Exchange, Sharepoint, etc.) and with more than 20K concurrent users was evaluating how to migrate to BIG-IP LTM, ASM, APM and AFM.
During POC (and then deployment) we worked to get the same behavior with APM as TMG with SharePoint about office editing documents. I found some question on DevCentral with parts of an answer, but not the full answer. I wrote an iRule optimized for such a deployment (20K users) answering all the customer needs and shared it. Some DevCentral experts, who had the same needs, commented on it to make it simpler, generic and optimized.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?
SP I don’t remember what I wanted to be when I was child and IT is not a dream job if you don’t evolve. What I expect in my job is to not do the same job as the day before, and I think I found it. Every day, I meet new customers, I have new challenges and I learn something increasing my knowledge.

DC: Thanks Stanislas and congratulations! You can find Stanislas on LinkedIn and also check out his DevCentral contributions.

Related:

Wednesday, September 28, 2016

Lightboard Lessons: Secure & Optimize VDI

Virtualization continues to impact the enterprise and how IT delivers services to meet business needs. Desktop Virtualization (VDI) offers employees anywhere, anytime, flexible access to their desktops whether they are at home, on the road, in the office or on a mobile device. In this edition of Lightboard Lessons, I show how BIG-IP can secure, optimize and consolidate your VMware Horizon View environment, providing a secure front end access layer for VMware’s VDI infrastructure.



ps

Related: