Lightboard Lessons: Attack Mitigation with F5 Silverline

In this Lightboard Lesson, I describe how F5 Silverline Cloud-based Platform can help mitigate DDoS and other application attacks both on-prem and in the cloud with the Hybrid Signaling iApp. Learn how both on-premises and the cloud can work together to create a composite defense against attacks.



ps

BIG-IP VE on Google Cloud Platform

Hot off Cloud Month, let’s look at how to deploy BIG-IP Virtual Edition on the Google CloudPlatform.

This is a simple single-NIC, single IP deployment, which means that both management traffic and data traffic are going through the same NIC and are accessible with the same IP address.

Before you can create this deployment, you need a license from F5. You can also get a trial license here. Also, we're using BIG-IP VE version 13.0.0 HF2 EHF3 for this example.

Alright, let’s get started.

Open the console, go to Cloud Launcher and search for F5.

Pick the version you want.

Now click Launch on Compute Engine.

I’m going to change the name so the VM is easier to find… For everything else, I’ll leave the defaults.

And then down under firewall, if these ports aren’t already open on your network, you can open 22, which you need so you can use SSH to connect to the instance, and 8443, so you can use the BIG-IP Configuration utility—the web tool that you use to manage the BIG-IP.

Now click Deploy. It takes just a few minutes to deploy.

And Deployed.

When you’re done, you can connect straight from the Google console. This screen cap shows SSH but if you use the browser window, you need to change the Linux username to admin in order to connect.

Once done, you'll get that command line.

If you choose the gcloud command line option and then run in the gcloud shell, you need to put admin@ in front of the instance name in order to connect.

We like using putty so first we need to go get the external IP address of the instance. So I look at the instance and copy the external IP.

Then we go into Metadata > SSH keys to confirm that the keys are there. (Added earlier), Whichever keys you want to use to connect, you should put them here.

BIG-IP VE grabs these keys every minute or so, so any of the non-expired keys in this list can access the instance. If you remove keys from this list, they’ll be removed from BIG-IP and will no longer have access. You do have the option to edit the VM instance and block project-wide keys if you’d like.

Because my keys are already in this list I can open Putty now, and then specify my keys in order to connect.

The reason that we're using ssh to connect is that you need to set an admin password that’s used to connect to the BIG-IP Config utility.

So I’m going to set the admin password here… (and again, you can do these same steps, no matter how you connect to the instance)

tmsh Command is: modify auth modify auth password admin

And then: save sys config to save the change.

Now we can connect and log in to the BIG-IP Config utility by using https, the external IP and port 8443. Now type admin and the password we just set.

Then we can proceed with licensing and provisioning BIG-IP VE.

A few other notes:

• If you’re used to creating a self IP and VLAN, you don’t need to do that. In this single NIC deployment, those things are taken care of for you.
• If you want to start sending traffic, just set up your pool and virtual server the way you normally would. Just make sure if your app is using port 443, for example, that you add that firewall rule to your network or your instance.
• And finally, you most likely want to make your external IP address one that is static, and you can do that in the UI by choosing Networking, then External IP addresses, then Type).
• If you need any help, here's the Google Cloud Platform/BIG-IP VE Setup Guide and/or watch the full video.

ps

DevCentral’s Featured Member for July – Vosko Networking’s Niels van Sluis

For almost two years Niels van Sluis has worked as a Security Engineer for Vosko Networking. Vosko's security team focuses on supporting security solutions from various vendors like F5, Check Point, Cisco and RSA. Niels focuses is on F5 BIG-IP and Check Point. He started his professional career about 20 years ago in the ISP industry as an Unix Administrator, and switched to the public healthcare sector around 2001. In more recent years, he’s moved more towards working on network security and design. Apparently, having a Unix background helps a lot when working with modern security devices, since most of them are running on some flavor of Unix. When not working or spending time on DevCentral, he likes to travel, visit historic places and enjoy nature. And Niels is DevCentral’s Featured Member for July!

DevCentral: Tell us a little about the areas of BIG-IP expertise you have.

Niles: My first encounter with BIG-IP was during my previous job. A colleague had been working with BIG-IP before and introduced it as a replacement for the KEMP load balancer that was currently in use. So, I had to attend the ‘Administering and Configure BIG-IP’ course. It was then – when I learned about iRules – I saw the full potential of this nifty device. But during my days there I didn’t do much with the BIG-IP as in terms to administration. I would only touch the box, if my colleague was on leave. This however changed when I started working for Vosko Networking. Within about a year’s time I’ve gone through the BIG-IP certification program, spend a lot of time on DevCentral and got my hands dirty in the field. The BIG-IP areas I’m most experienced in are LTM and APM. The most fun part for me are iRules (LX).

DC: You are a Security System Engineer at Vosko Networking BV. Can you describe your typical workday?

NS: My typical workday depends whether I’m working on a project or not. When working on projects I often visit customers throughout the country to help them deploy new equipment or configure new services. Recently I’ve migrated quite a few Cisco ACE and Microsoft Forefront TMG deployments to the F5 BIG-IP platform. Other times I help customers upgrading their BIG-IPs or setting up more advanced APM configurations including SAML and SSO. When I’m not working on projects I work on support cases or trying out new stuff in our lab.

DC: You have a number of F5 Certifications including most of the Technology Specialist (LTM, GTM, APM, ASM) certifications. Why are these important to you and how have they helped with your career?

NS: First of all, they are required for Vosko Networking to participate in the F5 Support Partner program. But more important to myself is that the F5 certification program helps to get deeper knowledge in to how the various BIG-IP modules work, how they relate (interact) to each other and what part the BIG-IP plays in modern network infrastructures. The certification program is also very practical; you can directly apply what you have been learning. It helped me to get more comfortable and confident in my day to day job.

DC: Describe one of your biggest BIG-IP challenges and how did DevCentral helped in that situation.

NS: In my experience, there are BIG-IP challenges every day. I think this is the result of the BIG-IP being some kind of network-magic-box, that can do about everything. With most other security devices, one is limited to the functionality and settings the box is shipped with. But with BIG-IP, you can really be creative and think outside the box. If the required functionality is missing, you can build it yourself with iRules. And customers know this. I often go out to customers with a specific need, but when starting out it isn’t always clear if this is something the BIG-IP can do by default. In these situations, access to the DevCentral community is crucial. Even though BIG-IP isn’t an open source project, it’s amazing to see how members share their time, code and knowledge to help each other. For example, some code that really helped me out are Yann Desmarest’s APM Full Step Up Authentication and Stanislas Piron’s APM SharePoint authentication. Besides code, I think the Lightboard Lessons are awesome; very helpful!

DC: Lastly, if you weren’t an IT admin – what would be your dream job? Or better, when you were a kid – what did you want to be when you grew up?

I think I wanted to be an electrician when I was young, but I’m pretty sure that isn’t my dream job. As long as I’m able to learn new things and have new challenges, I’m happy how things are. I think I’m useless for any other job that doesn’t require a keyboard. Thanks for the privilege for being a featured member and thanks for the Lightboard Lessons as well. I really enjoy them.

Thanks Niels! Check out all of Niels' DevCentral contributions, connect with him on LinkedIn and follow Vosko: @vosko.

DevCentral Cloud Month Wrap

Is it the end of June already? At least it ended on a Friday and we can close out DevCentral’s Cloud Month followed by the weekend! First, huge thanks to our Cloud Month authors: Suzanne, Hitesh, Greg, Marty and Lori. Each delivered an informative series (23 articles in all!) from their area of expertise and the DevCentral team appreciates their involvement. We hope you enjoyed the content as much as we enjoyed putting it together.

And with that, that’s a wrap for DevCentral Cloud Month. You can check out the original day-by-day calendar and below is each of the series if you missed anything. Thanks for coming by and we’ll see you in the community.

AWS - Suzanne & Thomas

• Successfully Deploy Your Application in the AWS Public Cloud
• Secure Your New AWS Application with an F5 Web Application Firewall
• Shed the Responsibility of WAF Management with F5 Cloud Interconnect
• Get Back Speed and Agility of App Development in the Cloud with F5 Application Connector

Cloud/Automated Systems – Hitesh

• Cloud/Automated Systems need an Architecture
• The Service Model for Cloud/Automated Systems Architecture
• The Deployment Model for Cloud/Automated Systems Architecture
• The Operational Model for Cloud/Automated Systems Architecture

Azure – Greg

• The Hitchhiker’s Guide to BIG-IP in Azure
• The Hitchhiker’s Guide to BIG-IP in Azure – ‘Deployment Scenarios’
• The Hitchhiker’s Guide to BIG-IP in Azure – ‘High Availability’
• The Hitchhiker’s Guide to BIG-IP in Azure – ‘Life Cycle Management’

Google Cloud – Marty

• Deploy an App into Kubernetes in less than 24 Minutes
• Deploy an App into Kubernetes Even Faster (Than Last Week)
• Deploy an App into Kubernetes Using Advanced Application Services
• What’s Happening Inside My Kubernetes Cluster?

F5 Friday #Flashback – Lori

• Flashback Friday: The Many Faces of Cloud
• Flashback Friday: The Death of SOA Has (Still) Been Greatly Exaggerated
• Flashback Friday: Cloud and Technical Data Integration Challenges Waning
• Flashback Friday: Is Vertical Scalability Still Your Problem?

Cloud Month Lightboard Lesson Videos – Jason

• Lightboard Lessons: BIG-IP in the Public Cloud
• Lightboard Lessons: BIG-IP in the private cloud

#DCCloud17 X-Tra!

• BIG-IP deployments using Ansible in private and public cloud

ps

DevCentral Cloud Month - Week Five

What’s this week about?

This is the final week of DevCentral’s Cloud Month so let’s close out strong. Throughout the month Suzanne, Hitesh, Greg, Marty and Lori have taken us on an interesting journey to share their unique cloud expertise. Last week we covered areas like high availability, scalability, responsibility, inter-connectivity and exploring the philosophy behind cloud deployment models. We also got a nifty Lightboard Lesson covering BIG-IP in the private cloud.

This week’s focus is on maintaining, managing and operating your cloud deployments. If you missed any of the previous articles, you can catch up with our Cloud Month calendar and we’ll wrap up DevCentral's Cloud Month on Friday.


Thanks for taking the journey with us and hope it was educational, informative and entertaining!

ps

Related:

• Cloud Month on DevCentral
• DevCentral Cloud Month - Week Two
• DevCentral Cloud Month - Week Three
• DevCentral Cloud Month - Week Four

DevCentral Cloud Month - Week Four

What’s this week about?

Ready for another week of Cloud Month on DevCentral? Suzanne, Hitesh, Greg, Marty and Lori are ready! Last week we looked at services, security, automation, migration, Ansible and other areas to focus on once you get your cloud running. We also had a cool Lightboard Lesson explaining BIG-IP in the public cloud. This week we go deeper into areas like high availability, scalability, responsibility, inter-connectivity and exploring the philosophy behind cloud deployment models.

Now that we’re half-way through Cloud Month, I thought it’d be fun to share a little bit about our authors.

Suzanne Selhorn is a Sr. Technical Writer with our TechPubs team. Our Technical Communications team are responsible for many of the deployment guides you use and are also the creators of some of the awesome step-by-step technical videos featured on DevCentral’s YouTube channel. She and Thomas Stanley crafted the AWS series.

Hitesh Patel is a Sr. Solution Architect covering Cloud/DevOps. He’s one of the smartest cloud cookies we got and works with F5 customers to get a handle on their cloud deployments. He also loves karaoke.

Greg Coward is a Solution Architect on our Business Development team. The BizDev team works with our many technology partners building out joint solutions. Greg covers Microsoft and how BIG-IP plays in Azure among other solutions.

Marty Scholes is an Applications Architect with our Solutions Marketing team. Traditionally, he writes whitepapers, technical articles and helps the Marketing team understand the technical nuances of various solutions and this month he went deep into GoogleCloud deployments.

Finally, someone you probably are already familiar due to her extensive writing and expertise, F5’s Principal Technical Evangelist Lori MacVittie. User 38 on DevCentral, she is a subject matter expert on emerging technologies and how F5 fits with the internet craze these days. I’ve been fortunate to have known & worked with Lori since her early days at F5 when we were both trailblazing Technical Marketing Managers.

The DevCentral team truly appreciates their contributions to Cloud Month and encourages you to connect with them.


ps

DevCentral Cloud Month - Week Three

We hope you’re enjoying DevCentral’s Month thus far and Suzanne, Hitesh, Greg, Marty and Lori ready to go again this week. Last week we got you deployed in AWS and Kubernetes, learned the basics of Azure, got knee-deep in Cloud/Automated architectures and celebrated SOA’s survival. Now that your cloud is installed and running, this week we look at things like security, migration, services, automation and the challenges of data management.

Monday, Suzanne will help you secure your new AWS application with a F5 WAF; Tuesday, Hitesh will explore the Services Model for cloud architectures; Wednesday, Greg gets into Deployment Scenarios for BIG-IP in Azure; if you thought 24 minutes was quick, on Thursday Marty shows how to deploy an app into Kubernetes even faster; and Lori and her infinite cloud wisdom, wonders if the technical and data integration challenges from 10 years ago (100 in technology years) still exist for #Flashback Friday.

Great content so far and if you need to catch up or see what's coming, check out our Cloud Month Calendar.


ps