Wednesday, March 30, 2016

Get Smart with IP Intelligence

There are always threats out there on the big bad internet. The majority of breaches happen at the application layer, and OWASP Top 10 categories such as SQL injection are still favorites for gaining entry. Add to that the availability of DDoS tools, anonymous proxies and the rise of hacktivism, and networks and systems are bigger targets than ever. Threat detection today relies on a couple of elements: identifying suspicious activity among the billions of data points, and refining a large set of suspicious incidents down to those that matter.
Today’s cyber-criminals use various techniques to hide their identities and activity. Keeping them out of your systems requires constant vigilance. Every packet that traverses the internet carries a source IP address, so dropping inbound communications from known malicious IPs can be highly effective. The caveat is that a source address can be forged: reputation filtering is strongest against traffic that needs a completed TCP handshake, and for connectionless floods it is one layer among several rather than the whole answer.
You may not know that F5 offers IP Intelligence Services, which provide the functionality to block known malicious IP addresses. It is a layer of IP threat protection and an additional way for BIG-IP customers to defend against malicious activity and infrastructure attacks. The IP Intelligence service is offered on several BIG-IP platforms. With IP Intelligence, BIG-IP AFM can be configured to block or allow traffic entering the system based on the reputation of the source IP address.
BIG-IP AFM determines reputation using two methods. One is a continuous feed of known or suspected malicious IP addresses provided by a third-party service, Webroot BrightCloud. You can also create custom feed lists that specify IP addresses the organization has blacklisted or whitelisted. The BrightCloud feed is updated every 5 minutes by default; custom feed lists are unique to the AFM and are polled at intervals of your choosing.
These two methods are jointly referred to as IP Intelligence and can be used independently or in tandem to filter traffic on BIG-IP systems. The BrightCloud option is licensed separately through F5 and requires internet connectivity and DNS resolution from your BIG-IP system. Custom feed lists do not need external connectivity, since they are local to the BIG-IP.

IP Intelligence can be applied via AFM firewall policy globally, to a Route Domain, or to a Virtual Server. Applied globally, it affects all traffic that arrives on your BIG-IP system no matter the entry point; applied to a route domain or virtual server, it covers only the traffic in that scope.
The IP Intelligence data is organized into categories that help you differentiate between types of listed IP addresses. There are 11 pre-defined categories including botnets, scanners, infected sources, illegal websites and more. These correspond to the categories in the BrightCloud feed. You can also create up to 51 custom categories to meet your own specific needs.
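To make the two feeds and the category idea concrete, here is an added Python example. It is not F5 code and not how BIG-IP performs the lookup; it combines a constructed stand-in for the subscription feed with a custom feed list and resolves each source address in a constructed log to an action and category. The feed-list layout used here (`ip,prefix,bl|wl,category`) and the rule that whitelist entries override every blacklist entry are assumptions modelled on the BIG-IP feed-list CSV format as I recall it; check the AFM documentation for your version before relying on them.

```python
"""Reputation lookup combining a third-party feed with a custom feed list.

Added example, not F5/BIG-IP code. Feed entries and log lines are constructed.
Assumed custom feed-list layout: ip,prefix_len,bl|wl,category
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the subscription feed (BrightCloud in the post).
THIRD_PARTY_FEED = {
    "198.51.100.23": "botnets",
    "203.0.113.0/24": "scanners",
    "192.0.2.77": "infected_sources",
}

# Constructed custom feed list in the assumed CSV layout.
CUSTOM_FEED_LIST = """\
# ip,prefix,bl|wl,category
203.0.113.10,32,wl,partner_scanner
10.0.0.0,8,wl,internal
198.51.100.0,24,bl,custom_blocked
"""

# Constructed connection log, one entry per line.
SAMPLE_LOG = """\
2016-03-30T10:00:01 vs=/Common/web_vs src=198.51.100.23 dport=443
2016-03-30T10:00:02 vs=/Common/web_vs src=203.0.113.10 dport=443
2016-03-30T10:00:03 vs=/Common/web_vs src=203.0.113.55 dport=80
2016-03-30T10:00:04 vs=/Common/web_vs src=10.1.2.3 dport=22
2016-03-30T10:00:05 vs=/Common/web_vs src=8.8.8.8 dport=443
"""


@dataclass(frozen=True)
class Entry:
    network: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    action: str      # "bl" (deny) or "wl" (allow)
    category: str


def parse_custom_feed(text):
    """Parse the custom feed list; reject malformed lines instead of guessing."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"feed list line {lineno}: expected 4 fields")
        ip, prefix, action, category = parts
        if action not in ("bl", "wl"):
            raise ValueError(f"feed list line {lineno}: action must be bl or wl")
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        entries.append(Entry(net, action, category))
    return entries


def third_party_entries(feed):
    """Everything in the subscription feed is a deny entry with a category."""
    return [Entry(ipaddress.ip_network(net, strict=False), "bl", cat)
            for net, cat in feed.items()]


def reputation(src_ip, custom, feed):
    """Return (action, category) for one source address.

    Whitelist entries in the custom list take precedence over any deny entry;
    among deny entries the most specific prefix decides the category.
    """
    addr = ipaddress.ip_address(src_ip)
    for e in custom:
        if e.action == "wl" and addr in e.network:
            return "allow", e.category
    hits = [e for e in custom + feed if e.action == "bl" and addr in e.network]
    if hits:
        best = max(hits, key=lambda e: e.network.prefixlen)
        return "drop", best.category
    return "allow", None


CUSTOM = parse_custom_feed(CUSTOM_FEED_LIST)
FEED = third_party_entries(THIRD_PARTY_FEED)


def lookup(src_ip):
    return reputation(src_ip, CUSTOM, FEED)


def filter_log(log_text):
    """Tag each log line with the reputation decision for its src= field."""
    decisions = []
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        action, category = lookup(fields["src"])
        decisions.append((fields["src"], action, category))
    return decisions


if __name__ == "__main__":
    for src, action, category in filter_log(SAMPLE_LOG):
        print(f"{src:16} {action:5} {category or '-'}")
```

The two decisions worth noticing: 203.0.113.10 is inside a /24 the feed calls "scanners" but is allowed because the custom whitelist wins, and 198.51.100.23 is dropped with the feed's "botnets" category rather than the custom list's broader /24 entry because the most specific prefix decides.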
Networks, infrastructures, systems and applications are all under attack these days. While you can do your best at securing your data, sometimes a little call blocking can go a long way in ensuring these known rascals cannot get through.
Peace of mind is always a secure feeling.
ps

Friday, March 18, 2016

Time It Takes the Fingers to Remember a New Password? About 3 days

Recently I changed some of my passwords. Some due to typical rotation time and a couple due to potential breaches and encouragement from the affected site. No, I’m not going to tell you which ones or how I go about it but I noticed that it took about 3 days for my fingers to key the correct combination.
This has probably happened to you too, where after changing a password, you inadvertently enter the old password a number of times since that is what the fingers and hands remember. Yes, I’m sure many of you have password keepers (which have also been breached) locked by a master and I use one too, but for many of my highly sensitive passwords, I keep those in my head.
As I continued to enter the old password for a couple days only to correct myself, I started thinking about habits and muscle memory. Some adages talk about it taking about 30 days (66 days in this study) to either pick up or drop a habit if done daily. Want to keep an exercise routine? Do it daily for a month and you are more than likely to continue...barring any unforeseen circumstances.
And then there’s muscle memory. Things like riding a bike, signing your name, catching a ball or any repetitious, manual activity that you complete often. Your muscles already know how to do it since they’ve been trained over time. You do not need to think about, ‘OK, as it gets closer, bring your hands together to snag it from the air,’ it just happens. This is one of the reasons why people change or update certain exercise or resistance routines – the muscles get used to it and need a different approach to reach the next plateau.
I wondered if anyone else had thought of this and a quick search proved that it is a bona fide technique for password memory. Artists like musicians use repetitive practice for scale patterns, chords, and melodic riffs, and this trains the muscles in the fingers to 'remember' those patterns. It is the same notion with passwords. Choose a password that alternates between left and right hands and has some rhythm to it. After a bit, the hands remember the cadence on the keyboard and you really do not need to recall the random numbers, letters or Shift keys pounded while typing your secret. The appeal is that your fingers remember it, not necessarily your mind.
Granted, depending on how your head works this technique might not work for everyone but it is still an interesting way to secure your secrets. And you can brag, 'If you break my fingers, it'll wipe the device.'
ps

Tuesday, March 15, 2016

Jumping on the Rails of the Technical Train

I used to be technical, highly technical. You know the kind…more comfortable with CLI rather than GUI, limited use of CAPS at the beginning of sentences and proficient at configuring & troubleshooting a slew of devices from multiple vendors. But after a couple role changes over the years, my technical acumen has slightly diminished. Again, you probably know the drill that if you’re not tapping away at it daily, some of those skills dwindle. Plus, with new technology replacing the stuff you knew 10 years ago, it often feels like starting over.

But don’t fret! As with anything, you can regain some prowess and learn new tricks with a bit of training. Get on that bike and ride!

That’s what I’m going through now.

When I joined the DevCentral team, I quickly realized that our community is much smarter than I am when it comes to the intricacies of our solutions. My initial reaction to many of the questions that get posted on DevCentral sounds like the ‘Aaaaaahhhhhh, Ahhhhhh,’ from Beavis and Butt-head. I have no idea. I’ll Alt-Tab to the AskF5 Knowledge Base to check if there is already an answer, and often there is. But when it is a unique situation or something with iRules, I look blankly at the screen and wonder, ‘How can I help, when I don’t even know?’

One of the great things about working at F5 is that they allow us to take whatever training is needed to be proficient at our job. Over the last couple weeks I’ve been doing just that – initially digging in to F5’s free Web Based Training.

F5 has a number of educational programs to help you get acquainted, get fully trained or become a Certified Professional on F5 Solutions. From free online courses to instructor-led classroom seminars to challenging your knowledge with a certification, F5 can help you, as it is helping me, understand the inner workings of BIG-IP. I began at F5 University with the Getting Started series and was able to get through a number of modules at my own pace. We have programs for both partners and customers, and they are a great way to learn the fundamentals of the BIG-IP system.

Next for me, will probably be some classroom training with hands on configuration and the entire DevCentral team will embark on a path to F5 Certification. Hear that Ken? We’re coming for ya!! We’re going to start a mini-study group using many of the resources available and chronicle our progress. The idea is that we’re like you – we know a lot already but want to get deeper in our understanding and for me, better at providing the details of our technical solutions.

Join us over the next bunch of months as we share our experiences of becoming an F5 Certified Professional.


ps

Friday, March 11, 2016

Hello Infiltrators - Our Doors are Wide Open

Image courtesy: https://en.wikipedia.org/wiki/File:Gossamer_restored.jpg
In the 1946 classic ‘Hair Raising Hare,’ Bugs Bunny asks, ‘Have you ever had the feeling you were being watched? Like the eyes of strange things are upon you?’ As Bugs often did, he breaks the fourth wall and involves the audience directly, invoking a feeling that someone is looking over your shoulder.

Today, it is likely the case that you are being watched by the strange (internet of) things that are starting to infiltrate our homes, cars, bodies and the whole of society. While there is a mad rush by people purchasing these things and a similar rush for companies to develop applications and services around those, many are not pausing to either understand the risks or build security into the products.
From home security systems to surveillance cameras to baby monitors to televisions to thermostats, examples pour in daily about flaws and vulnerabilities that leave you, your family and your home exposed. The way things are going, even if you’ve closed and locked your front door physically, that door is wide open to the digital world.

Here are just a few recent examples.

Might as well start with our dwellings. Security researchers at Rapid7 found flaws in Comcast’s Xfinity Home Security system that would cause it to falsely report that the home’s windows and doors are closed and secured even if they’ve been opened. It also failed to detect an intruder’s motion inside the house. Attacking the system’s communications protocol, they used radio jamming equipment to block the signals that pass from the door, window, or motion sensor to the home’s base station. The system didn’t notice the communication was broken and, essentially, failed open without any alert to the owner. When the jammers were turned off, it took minutes to hours for the sensors to reconnect, and the system still gave no indication that a catastrophe could have occurred.
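The Rapid7 finding is a fail-open design: a sensor that goes silent is still displayed as 'closed'. Here is an added Python example, not Comcast or Rapid7 code, of the fail-closed alternative: a supervision timer that treats silence longer than a window as an alarm condition and records the gap when the sensor reappears, so a jamming window is never quietly absorbed. The check-in log and the 60-second supervision window are constructed for the example.

```python
"""Sensor supervision: treat silence as an alarm condition, not as 'all clear'.

Added example, not Comcast or Rapid7 code. The event log below is constructed;
the 60 s supervision window is an assumed value.
"""
SUPERVISION_SECONDS = 60  # assumed: longest silence tolerated before alerting

# Constructed sensor check-ins: (seconds since arming, sensor, reported state).
# front_door and kitchen_window fall silent after t=30 (jammed, say) and
# reappear at t=150; hall_motion keeps reporting throughout.
EVENTS = [
    (0, "front_door", "closed"), (0, "kitchen_window", "closed"), (0, "hall_motion", "idle"),
    (30, "front_door", "closed"), (30, "kitchen_window", "closed"), (30, "hall_motion", "idle"),
    (60, "hall_motion", "idle"),
    (90, "hall_motion", "idle"),
    (120, "hall_motion", "idle"),
    (150, "front_door", "closed"), (150, "kitchen_window", "closed"), (150, "hall_motion", "idle"),
]


def fail_open_view(events, now):
    """What the post describes: show the last state heard, however old it is."""
    state = {}
    for ts, sensor, s in events:
        if ts <= now:
            state[sensor] = s
    return state


def supervised_view(events, now, window=SUPERVISION_SECONDS):
    """Return (view, alerts, gaps).

    view:   sensor -> state, or 'supervision_lost' if silent for more than window
    alerts: alerts to raise right now
    gaps:   (sensor, silent_from, heard_again) for sensors that came back after
            a silence longer than the window, so the outage is never hidden
    """
    last_seen, state, gaps = {}, {}, []
    for ts, sensor, s in sorted(events):
        if ts > now:
            break
        prev = last_seen.get(sensor)
        if prev is not None and ts - prev > window:
            gaps.append((sensor, prev, ts))
        last_seen[sensor] = ts
        state[sensor] = s
    view, alerts = {}, []
    for sensor, seen in last_seen.items():
        silent = now - seen
        if silent > window:
            view[sensor] = "supervision_lost"
            alerts.append(f"{sensor}: no check-in for {silent}s, last reported '{state[sensor]}'")
        else:
            view[sensor] = state[sensor]
    return view, alerts, gaps


if __name__ == "__main__":
    for t in (60, 120, 150):
        print(f"t={t:3}  fail-open:  {fail_open_view(EVENTS, t)}")
        view, alerts, gaps = supervised_view(EVENTS, t)
        print(f"       supervised: {view}")
        for a in alerts:
            print("       ALERT", a)
        for g in gaps:
            print("       GAP  ", g)
```

At t=120 the fail-open view still says the front door is closed; the supervised view reports both jammed sensors as lost and raises two alerts. At t=150, when they reconnect, the alerts clear but the 120-second gaps stay on record for the owner to see.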
Next, to some of the things inside the insecure house. Experts are predicting that as more connected smart TVs enter the home, they will become an avenue for the bad guys to breach your home network. Almost half of U.S. households already have a smart TV and close to 70% of the sets sold this year will have connectivity capabilities. A threat researcher with Symantec was able to infect his new Android-based smart TV with ransomware. Within a few seconds, the TV was locked and unusable, showing the fear-inducing pay-up pop-up ransom note.

Also giving outsiders a view of the inside, Princeton researchers found that certain IoT thermostats were leaking customer zip codes over the internet in clear text. Fortunately, when the manufacturer was notified they quickly issued a patch. There are many horror stories about strangers watching and talking to children via insecure baby monitors. Add to that toys that record your kids' conversations, and the whole family is put at risk.

And out on the road, we’ve seen how researchers were able to control a Jeep, and last week researchers were able to remotely control some of the Nissan Leaf’s functions by using the mobile app’s insecure APIs. The unauthenticated APIs allowed anyone who knows the VIN of a car to access non-critical features like climate control and battery charge management from anywhere on the Internet, and to see the car's estimated driving range. Nissan, too, pulled access to the app until it can properly secure the infrastructure and application that support the mobile app.
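The Leaf problem is a textbook missing authorization check: the only "credential" is a VIN, which is printed on the windshield and largely sequential. Here is an added Python example, not Nissan's code and not the real NissanConnect API, that puts a VIN-only handler beside a hardened one that authenticates the caller and checks that the caller's account actually owns that VIN before answering. The VINs, accounts and session tokens are constructed.

```python
"""VIN-only API lookup beside an authenticated, ownership-checked version.

Added example; not Nissan's code and not the real NissanConnect API. The
VINs, accounts and session tokens are constructed.
"""
import hmac

# Constructed back-end records: VIN -> owner account and telematics state.
VEHICLES = {
    "1N4AZ0CP0EC000001": {"owner": "alice", "range_km": 132, "charging": False},
    "1N4AZ0CP0EC000002": {"owner": "bob", "range_km": 88, "charging": True},
}

# Constructed login sessions: bearer token -> account it was issued to.
SESSIONS = {
    "tok-alice-9f1c2a": "alice",
    "tok-bob-3b7e41": "bob",
}


def _public_view(vehicle):
    """Never echo the owner field back to the caller."""
    return {"range_km": vehicle["range_km"], "charging": vehicle["charging"]}


def vehicle_status_vulnerable(vin):
    """The weak shape: anyone who knows or guesses a VIN gets the data."""
    vehicle = VEHICLES.get(vin)
    if vehicle is None:
        return 404, {"error": "unknown vin"}
    return 200, _public_view(vehicle)


def _account_for(token):
    """Resolve a bearer token to an account with a constant-time comparison."""
    if not token:
        return None
    for issued, account in SESSIONS.items():
        if hmac.compare_digest(issued.encode(), token.encode()):
            return account
    return None


def vehicle_status_hardened(vin, bearer_token):
    """Authenticate the caller, then check the caller owns this VIN."""
    account = _account_for(bearer_token)
    if account is None:
        return 401, {"error": "authentication required"}
    vehicle = VEHICLES.get(vin)
    # Same response whether the VIN is unknown or belongs to someone else,
    # so the endpoint cannot be used to confirm which VINs exist.
    if vehicle is None or vehicle["owner"] != account:
        return 403, {"error": "no such vehicle on this account"}
    return 200, _public_view(vehicle)


def enumerate_vins(handler, prefix="1N4AZ0CP0EC0000"):
    """Sweep the last two VIN digits, as an attacker would against the weak endpoint.

    handler takes a VIN and returns (status, body); wrap the hardened handler in a
    lambda that supplies a token to see how much it gives away.
    """
    found = []
    for n in range(100):
        vin = f"{prefix}{n:02d}"
        status, body = handler(vin)
        if status == 200:
            found.append((vin, body))
    return found


if __name__ == "__main__":
    print("vulnerable sweep:", enumerate_vins(vehicle_status_vulnerable))
    print("hardened, alice: ", enumerate_vins(lambda v: vehicle_status_hardened(v, "tok-alice-9f1c2a")))
    print("hardened, nobody:", enumerate_vins(lambda v: vehicle_status_hardened(v, None)))
```

The sweep is the point: against the VIN-only handler a hundred guesses turn up every car in the fleet, while the hardened handler returns only the caller's own vehicle and nothing at all to an unauthenticated caller. Returning the same 403 for "unknown" and "not yours" is what keeps the hardened endpoint from becoming a VIN oracle.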

Lastly, if you think this is contained within the consumer household, think again. A recent Ponemon/Lookout survey revealed that an average of 1,700 malware-laced mobile devices per company connect to an enterprise network. Wait ‘til all the insecure wearables start connecting. Employees are often referred to as the weakest link. Today it is mostly their insecure mobile devices; multiply that by a wardrobe of wearables and the risk only grows.

ps


Tuesday, March 8, 2016

The Roadblock for Malicious Traffic

As I am sure you are aware, the business computing environment is evolving: from all of us and the multitude of devices we now carry and interact with, along with the various ways we access information, to all of the applications and the interdependency among the applications we request information from, to the infrastructure needed to secure those applications and the information being delivered to us. Maintaining security throughout is a challenge.

In a business environment, security is all about risk: Assessment, analysis, management and mitigation. The many IT security trends like IoT, cloud, device proliferation, disappearing perimeter, and so forth are all potential risks to the business. To reduce their risk, organizations need to ensure they can scale to meet the global workforce’s and customer’s data demand; they need to secure their data from targeted attacks, unauthorized access, inadvertent leakage or to comply with regulatory rules; and they need to keep their operational infrastructure simple and efficient.

The BIG-IP platform offers the scale and capacity to meet the deluge, the full-proxy security to protect the applications and infrastructure, and the operational efficiency to consolidate functions within an application-centric security model. The BIG-IP platform is a full-proxy architecture: the client's TCP connection terminates on the BIG-IP, and the BIG-IP opens a separate TCP connection to the resources themselves. Because it owns both connections, it can apply policy on either side, anywhere along the stack. This allows organizations to inspect, manipulate or simply drop traffic, on the way in or on the way out, if it does not adhere to the policy. Plus, iRules extensibility gives you the power to do almost anything with the traffic.

BIG-IP Advanced Firewall Manager (AFM) is a stateful, full-proxy, ICSA-certified firewall that brings additional network firewall capabilities at a granular level, allowing administrators to protect their infrastructure and understand what types of attacks are hitting the network. Logging and reporting are built in. BIG-IP AFM can be added to any BIG-IP platform and can help reduce those business risks.

Bringing together security and deep application fluency, BIG-IP AFM delivers the most effective network-level security for enterprises and service providers alike. Whether on-premises or in the cloud, BIG-IP AFM tracks the state of network sessions, maintains application awareness, and mitigates threats based on attack details that most traditional network firewalls simply do not have. It helps you respond to threats quickly and with a full understanding of your security posture. In addition, AFM protects your organization from the most aggressive DDoS attacks before they ever reach your data center.

F5 DevCentral has a whole AFM series coming your way over the next few weeks! The schedule includes:
  • March 15th: Foundational / Provisioning – This will kick off the series, taking what John tackled in AFM Provisioning and Policy Building and fleshing out more of the finer details in provisioning and basic policy functionality.
  • March 17th: Architectural Context – We’ll dive deep into the architecture to define global and local contexts, work through precedence decision trees, and introduce the programmability entrance points.
  • March 22nd: Policy Building – Harder, stronger, balanced and more flexible policies to combat all those bad actors out there! Lessons learned and best practices will help you wield a more powerful weapon in the battle.
  • March 24th: DDoS Capabilities: AFM shines with DDoS mitigation. You’ll see the many attack vectors handled auto-magically for you, as well as walk through some demos of attack mitigations in action.
  • March 29th: Blacklisting Magic - As the title says...
  • March 31st: IP Intelligence - Blocking bad actors at the core.
  • April 5th: Attack Mitigation Approaches (zero-window / udp flood / Christmas tree / etc.) - We’ll take a look at some of these attacks and show you how to combat them.
  • April 7th: Full stack protection – Where does AFM end and ASM begin? You’ll see how these two modules complement each other and provide synergistic protection for all layers of your application and delivery infrastructure.
  • April 12th: iRules extensions - Programmability to help stop those tricky attacks.
  • April 14th: DNS firewall deployments - We'll show you how to make one mighty powerful firewall for your DNS infrastructure.
Stay tuned for more insight on how to protect your critical infrastructure.


ps