Tuesday, October 18, 2016

Your SSL Secrets Uncovered

Get Started with SSL Orchestrator

SSL and its brethren TLS is becoming more prevalent to secure IP communications on the internet. It’s not just financial, health care or other sensitive sites, even search engines routinely use the encryption protocol. This can be good or bad. Good, in that all communications are scrambled from prying eyes but potentially hazardous if attackers are hiding malware inside encrypted traffic. If the traffic is encrypted and simply passed through, inspection engines are unable to intercept that traffic for a closer look like they can with clear text communications. The entire ‘defense-in-depth’ strategy with IPS systems and NGFWs lose effectiveness.

F5 BIG-IP can solve these SSL/TSL challenges with an advanced threat protection system that enables organizations to decrypt encrypted traffic within the enterprise boundaries, send to an inspection engine, and gain visibility into outbound encrypted communications to identify and block zero-day exploits. In this case, only the interesting traffic is decrypted for inspection, not all of the wire traffic, thereby conserving processing resources of the inspecting device. You can dynamically chain services based on a context-based policy to efficiently deploy security.

This solution is supported across the existing F5 BIG-IP v12 family of products with F5 SSL Orchestrator and is integrated with such solutions like FireEye NX, Cisco ASA FirePOWER and Symantec DLP.

Here I’ll show you how to complete the initial setup.

A few things to know prior – from a licensing perspective, The F5 SSL visibility solution can be deployed using either the BIG-IP system or the purpose built SSL Orchestrator platform. Both have same SSL intercept capabilities with different licensing requirements.

To deploy using BIG-IP, you’ll need BIG-IP LTM for SSL offload, traffic steering, and load balancing and the SSL forward proxy for outbound SSL visibility. Optionally, you can also consider the URL filtering subscription to enforce corporate web use policies and/or the IP Intelligence subscription for reputation based web blocking. For the purpose built solution, all you’ll need is the F5 Security SSL Orchestrator hardware appliance.

The initial setup addresses URL filtering, SSL bypass, and the F5 iApps template.

URL filtering allows you to select specific URL categories that should bypass SSL decryption. Normally this is done for concerns over user privacy or for categories that contain items (such as software update tools) that may rely on specific SSL certificates to be presented as part of a verification process.

Before configuring URL filtering, we recommend updating the URL database. This must be performed from the BIG-IP system command line. Make sure you can reach download.websense.com on port 80 via the BIG-IP system and from the BIG-IP LTM command line, type the following commands:
modify sys url-db download-schedule urldb download-now false modify sys url-db download-schedule urldb download-now true
To list all the supported URL categories by the BIG-IP system, run the following command:
tmsh list sys url-db url-category | grep url-category

Next, you’ll want to configure data groups for SSL bypass. You can choose to exempt SSL offloading based on various parameters like source IP address, destination IP address, subnet, hostname, protocol, URL category, IP intelligence category, and IP geolocation. This is achieved by configuring the SSL bypass in the iApps template calling the data groups in the TCP service chain classifier rules. A data group is a simple group of related elements, represented as key value pairs. The following example provides configuration steps for creating a URL category data group to bypass HTTPS traffic of financial websites. 

For the BIG-IP system deployment, download the latest release of the iApps template and import to the BIG-IP system.

Extract (unzip) the ssl-intercept-12.1.0-1.5.7.zip template (or any newer version available) and follow the steps to import to the BIG-IP web configuration utility.

From there, you’ll configure your unique inspection engine along with simply following the BIG-IP admin UI with the iApp questionnaire. You’ll need to select and/or fill in different values in the wizard to enable the SSL orchestration functionality. We have deployment guides for the detailed specifics and from there, you’ll be able to send your now unencrypted traffic to your inspection engine for a more secure network.



Wednesday, October 12, 2016

Lightboard Lessons: BIG-IP in Hybrid Environments

A hybrid infrastructure allows organizations to distribute their applications when it makes sense and provide global fault tolerance to the system overall. Depending on how an organization’s disaster recovery infrastructure is designed, this can be an active site, a hot-standby, some leased hosting space, a cloud provider or some other contained compute location. As soon as that server, application, or even location starts to have trouble, organizations can seamlessly maneuver around the issue and continue to deliver their applications.

Driven by applications and workloads, a hybrid environment is a technology strategy to integrate the mix of on premise and off-premise data compute resources. In this Lightboard Lesson, I explain how BIG-IP can help facilitate hybrid infrastructures.



Tuesday, October 11, 2016

F5 Access for Your Chromebook

My 5th grade daughter has a Chromebook for school. She loves it and it allows her access to school applications and educational tools where she can complete her assignments and check her grades. But if 5th grade is a tiny dot in your rear-view and you’re looking to deploy Chromebooks in the enterprise, BIG-IP v12 can secure Chrome device access to enterprise networks and applications using SSL VPN technologies, encrypting those connections to corporate applications. With network access, users can run applications such as RDP, SSH, Citrix, VMware View, and other enterprise applications on their Chrome OS devices.

From an employee’s perspective, it is very easy to get this configured. Log on to a Chromebook, open Chrome Web Store, search for ‘F5 Access’ and press the +ADD TO CHROME button. Add app when the dialogue box pops and F5 Access will appear in your ‘All Apps’ window.

Next, when launched, you’ll need to accept the license agreement and then add a server from the Configuration tab:

Next, give it a unique name, enter the BIG-IP APM server URL and optionally add your username and password. Your password will not be cached unless that’s allowed by the APM Access Policy. You can also select a client certificate if required. Once configured, it’ll appear in the list. You can also have multiple server configurations if needed:

To connect, click the bottom tray bar and select the tile that says, ‘VPN Disconnected.’

And select the server configured when setting up the app. Depending on the configuration, you’ll either get the native login window or the WebTop version:

Once connected, there won’t be any indication in the tray but if you click it, you’ll see the connection status in the same VPN area as above and it’ll show ‘connected’ within the F5 Access app:

As you can see in the above image, you can also check Statistics and Diagnostics if those are of interest. To end the connection, click the try again, select the VPN tile and click Disconnect:

For administrators, it’s as simple as adding a ‘ChromeOS’ branch off the ClientOS VPE action:

Then add a Connectivity Profile to BIG-IP:

In addition to generic session variables, client session variables are also available. Check out the release notes and BIG-IP Access Policy Manager and F5 Access for Chrome OS v1.0.0 manual for more info.



Tuesday, October 4, 2016

Q/A with ExITeam’s Security Engineer Stanislas Piron - DevCentral's Featured Member for October

Stanislas Piron is a Security Engineer for ExITeam. 16 years ago, Stanislas started out with Firewalls, email and Web content security. His first F5 deployment was with LTM and Link Controller 10 years ago and he is DevCentral’s Featured Member for October!

He started to focus on F5 products as pre-sales engineer for a IT security distributor in charge of F5 development. 4 years ago, he joined Exiteam, a small company of two security engineers helping resellers audit, design and deploy security solutions for their customers. To provide real expertise, they both focus their skills on a small set of products. He works with F5 products about 80% of his time.

DevCentral got an opportunity to chat with Stanislas about his work, life and if European organizations have unique security requirements.

DevCentral: You’ve been an active contributor to the DevCentral community and wondered what keeps you involved?
Stanislas Piron: When I started working with F5 products, I created my DevCentral account to search piece of iRules and write my own iRules according to customer’s needs.
As the needs grew, I had some unanswered questions. Searching DevCentral, I found another approaches to solving issues, helping me to solve my own challenges. Each time I find a better way to solve my problems, I try to share my code. 
I often read question and try to solve them thinking, “This can solve an issue of a customer I didn’t think about before” 
DevCentral is a place where every time you help someone, you learn something.

DC: Tell us a little about the areas of BIG-IP expertise you have.
SP: My favorite BIG-IP product is APM (LTM+APM mode), which covers almost everything about authentication. It’s also the product we must configure as simple as possible if we do not want the customer to have headaches reading the access policy.

I often deploy BIG-IP with multiple modules including LTM, APM, AFM, GTM and ASM to offer high datacenter security.
Most of my deployments use the local traffic policies for standard admin tasks, iRules for application compatibility, and the tcl codes in APM to assign variable boxes.

DC: You are a Security Engineer with Exiteam, a security consulting practice. Can you explain how DevCentral helps with your daily challenges? Where does BIG-IP fit in the services you offer or within your own infrastructure?
SP: iRules is a great tool to solve problems BIG-IP is not addressing, but iRules is nothing without the developer’s community. DevCentral experts share experience not only about tcl coding but protocol knowledge, iRule events orders, and working iRules. And on the other side, some IT admins ask about new needs that I may answer for the next customer. 
Each time I have a new challenge, I first search on DevCentral to see if someone already solved it. If not, I’ll create my own iRule.

DC: I understand you are in France and wondered, what are some of the unique information security challenges for European organizations?
SP: Information security challenges are not unique for European organizations as security risks are the same for all countries.

DC: Describe one of your biggest challenges and how DevCentral helped in that situation.
SP: With Microsoft Forefront TMG End of sale, most of my customers migrated to F5 products. 
One of my customers, a SAAS provider, with almost exclusively Microsoft products (TMG, Exchange, Sharepoint, etc.) and with more than 20K concurrent users was evaluating how to migrate to BIG-IP LTM, ASM, APM and AFM.
During POC (and then deployment) we worked to get the same behavior with APM as TMG with SharePoint about office editing documents. I found some question on DevCentral with parts of an answer, but not the full answer. I wrote an iRule optimized for such a deployment (20K users) answering all the customer needs and shared it. Some DevCentral experts, who had the same needs, commented on it to make it simpler, generic and optimized.

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?
SP I don’t remember what I wanted to be when I was child and IT is not a dream job if you don’t evolve. What I expect in my job is to not do the same job as the day before, and I think I found it. Every day, I meet new customers, I have new challenges and I learn something increasing my knowledge.

DC: Thanks Stanislas and congratulations! You can find Stanislas on LinkedIn and also check out his DevCentral contributions.


Wednesday, September 28, 2016

Lightboard Lessons: Secure & Optimize VDI

Virtualization continues to impact the enterprise and how IT delivers services to meet business needs. Desktop Virtualization (VDI) offers employees anywhere, anytime, flexible access to their desktops whether they are at home, on the road, in the office or on a mobile device. In this edition of Lightboard Lessons, I show how BIG-IP can secure, optimize and consolidate your VMware Horizon View environment, providing a secure front end access layer for VMware’s VDI infrastructure.



Tuesday, September 27, 2016

Lock Down Your Login

Last week we talked about WebSafe and how it can help protect against phishing attacks with a little piece of code. This is important since malware can steal credentials from every visited web application from an infected machine. This time we’re going to look at how to protect against credential grabbing on a BIG-IP APM login page with WebSafe encryption layer.

You’ll need two modules for this, BIG-IP APM and of course, WebSafe Fraud Protection Service. The goal is to protect the laptop from any malware that grabs sensitive login credentials. In this case, the malware would be configured to grab the login page along with the username and password parameter fields. Command and control could also be set to retrieve any credentials from the infected machine at certain intervals, like every 5 minutes.

The first goal would be to encrypt the password. Within your BIG-IP admin GUI, you would navigate to Security>Fraud Protection Service> Anti-Fraud Profiles>URL List. APM’s logon page usually ends with ‘/my.policy’.

Create then click that URL to open the configuration page and enable Application Layer Encryption.

And select the Parameters tab to configure the fields you want to protect. In this case it is password and username.

In the screen grab, you can see ‘Obfuscate’ is selected and to both ‘Encrypt’ and ‘Substitute Value’ for the password field.

Now when the user goes to the page, a bit a JavaScript is injected in the page to protect the specified fields. If you run a httpwatch or wire shark on the page, you’ll see that the values for those parameters are obfuscated. This makes it incredibly difficult for the bad actor to determine the correct value.

And if the malware also grabs the password, since we set that to encrypt, all they get is useless information.

At this point, the BIG-IP will decrypt the password and pass on the traffic to appropriate domain controller for verification. This is a great way to protect your login credentials with BIG-IP. If you’d like to see a demonstration of this, check out F5’s Security Specialist Matthieu Dierick’s demo video. Pretty cool.


Wednesday, September 21, 2016

Lightboard Lessons: DNS Scalability & Security

The Domain Name Service (DNS) is one of the most important components in networking infrastructure, enabling users and services to access applications by translating URLs (names) into IP addresses (numbers). Because every icon and URL and all embedded content on a website requires a DNS lookup, loading complex sites necessitates hundreds of DNS queries.

DNS lookups has exploded in recent years with mobile, IoT and the applications to support the growth. It is also a vulnerable target. In my first Lightboard Lesson, I show you how to scale, secure and consolidate your DNS infrastructure.