Friday, November 17, 2017

Post of the Week: BIG-IP APM Policy Sync

In this Lightboard Post of the Week, I light up the answer to a question about BIG-IP APM Policy Sync. Posted Question on DevCentral: https://devcentral.f5.com/questions/apm-policy-sync-56330

Thanks to DevCentral user Murali (@MuraliGopalaRao) for the question and special thanks to Leonardo Souza for the answer!



ps

Related:

Tuesday, November 14, 2017

VDI Gateway Federation with BIG-IP

Today let’s look at how F5 BIGIP APM can consolidate, secure and federate all the core VDI gateways technology. For instance, if an organization decides move from one VDI technology to another or if you’re consolidating VDI technologies, BIG-IP can help.

On the BIG-IP we’ve set up three VDI environments. Microsoft RDS/RDP with a broker authentication server, VMware Horizon and Citrix ZenApp. With only a corporate account, a user can authenticate to all of them as needed and access all available desktop content.

In this example, we connect to the BIG-IP APM. This is the default view.

And here we’ve put some advanced security fields like OTP or multifactor authentication for instance.

So here we’d use our username and password and for additional security we'll choose a secondary grid. By default, a grid is not generally available from any of the VDI vendors. When we select grid, BIG-IP APM will present a grid for a PIN entry. This is provided through a partnership with Gemalto. BIG-IP is connecting to Gemalto servers to present the grid to the user. We then enter our confidential PIN.
 Upon auth, we’re presented with our BIG-IP APM Webtop and BIG-IP did the necessary single sign on for all the VDI technologies and environments assigned to us.

With a single, multifactor authentication we’re able to gain access to our federated BIG-IP Webtop and select the specific VDI resource we need.

From an administrative view, here is the full Visual Policy Editor (VPE) for the overall solution. This also shows where the OTP/Grid is if you follow the Host FQDN path.

And here are the specific inspections and criteria for the VDI scenario. You can see a path for each VDI vendor along with specific inspections and actions depending on the situation.

Special thanks to F5 Sr. Security SE Matthieu Dierick for the explanation and you can watch the demo video.

ps


Wednesday, November 1, 2017

Lightboard Lessons: What is DDoS?

Over the last quarter, there were approximately 500 DDoS attacks daily around the world with some lasting as long as 300 hours. In this Lightboard Lesson I light up some #basics about DoS and DDoS attacks.



ps

Related:

DevCentral’s Featured Member for November – Nathan Britton

Nathan Britton works as a Principal Security Consultant in the UK for a security solutions provider called NTT Security, part of the NTT Group. They work with customers to design and implement security solutions and his team specializes in application delivery and security in particular. His specific role is focused on solution design and technical governance. Nathan is a BIG-IP ASM SME, a DevCentral MVP and our Featured Member for November!

DevCentral: You are a very active contributor in the DevCentral community. What keeps you involved?
Nathan: Hands down it’s the best community forum I’ve ever participated in and, over the years, I’ve taken a lot from it. As such, I like to ensure that, time and my knowledge permitting, I give back to the community whenever I can. Also, there are always new things to learn, so being active on DevCentral makes sure I see what other community members are doing to solve other peoples’ issues and I keep on top of new features of the products.
DC: Tell us a little about the areas of BIG-IP expertise you have.
NB: My main background has been BIG-IP LTM and ASM. I was a customer of F5 for around 5 years where we had a number of BIG-IPs load balancing internal applications, and also a pair of ASMs protecting our internet facing web applications. I still recall the day I joined the team and was asked to look after the BIG-IP that had been a little bit neglected and not knowing my F5 from my BIG-IP and what was an application delivery controller anyway! Fortunately, some free F5 University training and some lurking on DevCentral soon got me on track.
DC: You are an Engineer at NTT Security. Can you describe your typical workday and how you manage a work/life balance?
NB: As a consultant there is no typical working day. One day I could be onsite at a customer workshop going through a solution design on the whiteboard, the next day could be working on proposals which we hope will turn into a new customer engagement and other days I could be assisting colleagues with technical governance on one of their projects. Part of the enjoyment of being a consultant, rather than an end user, is the exposure to varied work on a day by day basis.
DC: You have a number of F5 Certifications including Technology Specialist (LTM) certifications. Why are these important to you and how have they helped with your career?
NB: As a consultant working for an F5 partner it is vital for us to have certified members of the team, in fact NTT Security attained the highest partner status in F5’s Guardian Professional Services program. On a personal note I think the certifications have been vital in ensuring I have a breadth of knowledge as you never know what feature or module a customer may choose to implement. To that end, the self-study and lab work needed to achieve the certification has been invaluable. I’ve also helped design questions for the 401 exam so, as you can see, I’m very invested in the certification process. I think Ken and his team, especially Heidi, have done a great job.
DC: Describe one of your biggest BIG-IP challenges and how DevCentral helped in that situation.
NB: My first challenge was the fact that I did not know anything about F5 or BIG-IP when I first got my hands on them. DevCentral, with its 101 series back in the day was a great starting point, and for that I need to thank the likes of Jason, Colin and Joe. Since then the security sessions with Josh and now John are invaluable and useful to my everyday work. Since being more comfortable with the technology DC has helped enormously when presented with very specific use cases to solve by customers, especially if iRules are required, there’s always a codeshare item that can be used as a basis for a custom solution. It saves a lot of time and head scratching.
DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?
NB: Growing up I was fascinated by true crime books and TV shows. So if I had my time again I would definitely be a lawyer, a barrister perhaps…although I’m not sure how the wig would look on me!

Thanks Nathan! Check out all of Nathan's DevCentral contributions, connect with him on Twitter and visit NTT Security or follow on Twitter.

Tuesday, October 24, 2017

Prevent a Spoof of an X-Forwarded-For Request with BIG-IP

Last week, we looked at how to do Selective Compression on BIG-IP with a local traffic policy so this week let’s try something security related using the same procedures.

You can associate a BIG-IP local traffic policy to prevent a spoof of an x-forwarded-for request. This is where bad actors might attempt to thwart security by falsifying the IP address in a header, and pass it through the BIG-IP system.

Pre-reqs:
  • We’re using BIG-IP v12 and,
  • We already have a Virtual Server configured to manage HTTP traffic with an HTTP profile assigned to it.
Let’s log into a BIG-IP

The first thing we’ll need to do is create a draft policy. On the main menu select Local Traffic>Policies>Policy List and then the Create or + button.

This takes us to the create policy config screen. Type a unique Policy Name like PreventSpoofOfXFF and optionally, add a description. Leave the Strategy at the default of Execute First matching rule. Click Create Policy.

We’re then directed to the draft policy’s General Properties page and here we can create the rules for the policy. In the Rules area, click Create.

We’ll give the rule a unique name like, StopSpoof and the first condition we need to configure is to match all HTTP traffic with the matching strategy. This means we can use the default setting of All Traffic. Then we’ll tell the policy what to do when the All Traffic condition matches. The new action is to Replace the http header named X-forwarded-for with the value of tcl:[IP::client_addr] (to return the client IP address of the connection) at the request time. Click Save.

Also, save the draft.

And then select the box next to the draft policy and click Publish.

We can now associate the published policy with a virtual server that we’re using to manage http traffic. On the main menu click Local Traffic>Virtual Servers>Virtual Server List and click the name of the virtual server you’d like to associate for the policy.

On the menu bar click Resources and next to Policies click Manage.

Move PreventSpoofOfXFF to the Enabled list and click Finished.

Now, the virtual server with the PreventSpoofOfXFF local traffic policy will prevent any HTTP traffic that attempts to spoof an x-forwarded-for request.

Congrats! You’ve easily added additional security to your local traffic policy! You can also watch the full video demo thanks to our TechPubs team.


ps

Wednesday, October 18, 2017

Tuesday, October 17, 2017

Selective Compression on BIG-IP

BIG-IP provides Local Traffic Policies that simplify the way in which you can manage traffic associated with a virtual server.

You can associate a BIG-IP local traffic policy to support selective compression for types of content that can benefit from compression, like HTML, XML, and CSS stylesheets. These file types can realize performance improvements, especially across slow connections, by compressing them. You can easily configure your BIG-IP system to use a simple Local Traffic Policy that selectively compresses these file types. In order to use a policy, you will want to create and configure a draft policy, publish that policy, and then associate the policy with a virtual server in BIG-IP v12.

Alright, let’s log into a BIG-IP

The first thing you’ll need to do is create a draft policy. On the main menu select Local Traffic>Policies>Policy List and then the Create or + button.

This takes us to the create policy config screen. We’ll name the policy SelectiveCompression, add a description like ‘This policy compresses file types,’ and we’ll leave the Strategy as the default of Execute First matching rule. This is so the policy uses the first rule that matches the request. Click Create Policy which saves the policy to the policies list.

When saved, the Rules search field appears but has no rules. Click Create under Rules.

This brings us to the Rules General Properties area of the policy. We’ll give this rule a name (CompressFiles) and then the first settings we need to configure are the conditions that need to match the request. Click the + button to associate file types.

We know that the files for compression are comprised of specific file types associated with a content type HTTP Header. We choose HTTP Header and select Content-Type in the Named field. Select ‘begins with’ next and type ‘text/’ for the condition and compress at the ‘response’ time. We’ll add another condition to manage CPU usage effectively. So we click CPU Usage from the list with a duration of 1 minute with a conditional operator of ‘less than or equal to’ 5 as the usage level at response time.

Next under Do the following, click the create + button to create a new action when those conditions are met. Here, we’ll enable compression at the response time. Click Save.

Now the draft policy screen appears with the General Properties and a list of rules. Here we want to click Save Draft.

Now we need to publish the draft policy and associate it with a virtual server. Select the policy and click Publish.

Next, on the main menu click Local Traffic>Virtual Servers>Virtual Server List and click the name of the virtual server you’d like to associate for the policy.

On the menu bar click Resources and for Policies click Manage.

Move SelectiveCompression to the Enabled list and click Finished.

The SelectiveCompression policy is now listed in the policies list which is now associated with the chosen virtual server. The virtual server with the SelectiveCompression Local Traffic Policy will compress the file types you specified.

Congrats! You’ve now added a local traffic policy for selective compression! You can also watch the full video demo thanks to our TechPubs team.


ps