30 April 2018

What’s new in BIG-IP version 13.1

I like to know about technology trends to take advantage of new features and enhancements because if we don’t keep studying, we won’t know how to deal with new technology requirements. If we don’t read and study new features and enhancements, we’ll be out of the market. This is the reason why I’ve written about what’s new in FortiOS 5.6 and what’s new in FortiOS 6.0. In addition, I like testing technologies and architectures such as Multipath TCP, Data Center Load Balancing, Web Application Firewalls (WAF), etc. Today, I would like to write about the new BIG-IP version 13.1.

The best-known module is LTM or Local Traffic Manager, which is useful for traffic load balancing. BIG-IP version 13.1 has included new features like a test button for monitors, iRule execution tracing for debugging, TCPDUMP remote output, configuration load independent of licensing, etc. For instance, we can check monitors before assigning them to nodes or pools, we can identify time-consuming iRules and we can also mirror traffic to a remote analysis tool.

Test Button for Monitors

Another interesting module is ASM or Application Security Manager, which is useful for defeating sophisticated and complex threats and protecting web applications. BIG-IP version 13.1 has also included new features in this module like simplified attack signature creation, removal of inactive file types, a passive deployment policy template, brute force mitigation improvements, etc. For instance, we can now write attack signatures easily, we can accept suggestions to remove inactive entities, we can apply a fully transparent policy without interfering with traffic and we can also improve brute force mitigation by username, IP address and device ID.

Passive Policy Deployment Template
F5 BIG-IP ASM has different kinds of security policy templates which can be used for protecting Virtual Servers. For instance, if we want to apply a negative security policy, where attack signatures detect and block known attacks and where we don’t want to manually configure entities such as file types, parameters, URLs, cookies, redirections, etc, we can configure a Rapid Deployment Policy, which makes this task easy.

F5 BIG-IP APM or Access Policy Manager is another useful module, which can be used for securely unifying application access. BIG-IP version 13.1 has included many improvements like Microsoft Office forms-based authentication, Citrix StoreFront, Microsoft Intune, Microsoft Active Directory Federation Services proxy, native application tunnel for macOS and Linux, Edge client updates without a BIG-IP upgrade, privileged OPSWAT checks, SAML attribute consuming service, etc.

Microsoft Active Directory Federation Services Proxy Support
As we can see, there are many new features and enhancements in BIG-IP version 13.1. Therefore, it is up to us to test these new features and enjoy the new version.

Regards my friends; new version, new features, go ahead.

23 April 2018


There are lots of Web Application Vulnerabilities which traditional firewalls and network firewalls aren’t able to detect and block. For instance, traditional firewalls aren’t able to detect bots, web scraping attacks or cookie manipulation attacks. Therefore, if we want to detect and block layer 7 vulnerabilities, like those highlighted by OWASP Top 10, we’ll need to deploy a Web Application Firewall which can protect web applications from advanced attacks such as forceful browsing attacks, field manipulation attacks, command injection attacks, etc. I’ve already written about AWS Shield & AWS WAF but, this time, I want to write about F5 BIG-IP ASM.

ASM or Application Security Manager is a powerful WAF that protects web applications from known and unknown threats, defends against bots and virtually patches application vulnerabilities. It is a WAF which is able to detect and mitigate layer 7 attacks such as DoS/DDoS, brute force, SQLi, XSS, remote file inclusion, cookie poisoning, session hijacking, etc, and it is also able to associate usernames with application violations, automatically correlate multiple attacks, prevent loss of sensitive data and identify suspicious clients.

F5 BIG-IP WAF Architecture

From my point of view, F5 WAF is the best solution to protect applications because we can immediately apply a firewall policy to web applications to block known attacks. This firewall policy, called Rapid Deployment Policy, is based on a negative security model where attack signatures detect and block known attacks. However, we can also customize firewall policies with a positive security model, which we should apply for better protection. In addition, I think F5 WAF is the best solution, as the Gartner Magic Quadrant says, along with Imperva WAF and Akamai WAF.

Magic Quadrant for Web Application Firewalls

If you are used to configuring network firewalls, you know about IPv4/IPv6 firewalling policies where we allow traffic by TCP/IP. This is easy if you know about networking. However, a WAF works with file types, URLs, parameters, cookies, redirections, etc instead of IP addresses and TCP/UDP ports. Therefore, WAF administrators should know about security and development to configure and customize WAF policies. In addition, an F5 WAF administrator should know about the learning process of the BIG-IP as well as the different types of policies such as Fundamental Policy, Comprehensive Policy, Passive Deployment Policy, etc.

As you can see, a multidisciplinary team is needed for deploying and configuring a WAF, where the security team is going to be talking with the development team day in, day out asking for file types and parameters. However, we can get a good security baseline from the beginning thanks to attack signatures, but if we want better protection, we’ll need to spend time customizing policies.

Security vs Time
Maybe you are wondering how to start configuring F5 WAF. First, we should apply a negative security policy for blocking attacks matched by signatures while the learning process analyses file types, parameters, URLs, etc. Once we know which file types, URLs and parameters the web application uses, we can apply a positive security policy for better protection.
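To make the difference between the two models concrete, here is an added Python example (not from the post and not F5 code) that evaluates request URLs first against a tiny constructed signature set (negative model) and then against a constructed allow-list standing in for what the learning process found (positive model); the unknown-parameter and unknown-file-type cases show what only the positive policy catches.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Negative security model (as in the Rapid Deployment Policy): block what is known bad.
# Constructed, deliberately small signature set; a real WAF ships thousands of signatures.
ATTACK_SIGNATURES = {
    "SQL injection": re.compile(r"(?i)\bunion\b\s+\bselect\b|'\s*or\s+\d+\s*=\s*\d+"),
    "Cross-site scripting": re.compile(r"(?i)<\s*script\b"),
}

# Positive security model: only entities the learning process observed the application using.
# Constructed allow-list standing in for the learned file types, URLs and parameters.
LEARNED = {
    "file_types": {"html", "css", "js", "png"},
    "urls": {"/", "/login", "/search", "/static/app.js"},
    "parameters": {"/login": {"user", "pass"}, "/search": {"q"}},
}

def negative_model(url):
    """Block only requests matching a known attack signature; unknown attacks pass through."""
    # A real WAF normalises and URL-decodes the request before matching; omitted here.
    for name, signature in ATTACK_SIGNATURES.items():
        if signature.search(url):
            return "BLOCK", f"attack signature: {name}"
    return "ALLOW", "no signature matched"

def positive_model(url, learned=LEARNED):
    """Allow only learned file types, URLs and parameters; anything else is a violation."""
    parts = urlsplit(url)
    last = parts.path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1] if "." in last else ""      # no extension is fine
    if ext and ext not in learned["file_types"]:
        return "BLOCK", f"illegal file type: {ext}"
    if parts.path not in learned["urls"]:
        return "BLOCK", f"illegal URL: {parts.path}"
    seen = set(parse_qs(parts.query, keep_blank_values=True))
    unknown = seen - learned["parameters"].get(parts.path, set())
    if unknown:
        return "BLOCK", f"illegal parameter: {sorted(unknown)}"
    return "ALLOW", "all entities learned"

def evaluate(url, positive_enabled=False):
    """Signatures first (day one); the positive policy once learning is complete."""
    verdict = negative_model(url)
    if verdict[0] == "BLOCK" or not positive_enabled:
        return verdict
    return positive_model(url)

if __name__ == "__main__":
    for url in ["/search?q=shoes", "/search?q=1' or 1=1", "/search?q=x&debug=1", "/backup.bak"]:
        print(url, "| negative only:", evaluate(url), "| with positive:", evaluate(url, True))
```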

Regards my friend and remember, drop me a line with the first thing you are thinking!!

16 April 2018

Fortinet integration with SDN environments

If you are creating your virtual Data Center or Software-Defined Data Center (SDDC), where there are virtual networks everywhere, maybe you are thinking about working with SDN ecosystems. Today, virtualization is moving towards Private Cloud, as well as Public Cloud or Hybrid Cloud, where security engineers have to think about how to protect these new environments. Therefore, security infrastructures should become agile and elastic, just like compute, storage and networking, and they must also integrate with the underlying SDx infrastructure such as cloud and SDN platforms.

Fortinet solutions for Software-Defined Network Security (SDNS) have a complete security ecosystem with optimized orchestration connectors for OpenStack, Cisco ACI or Nuage Networks as well as for VMware NSX, which add the value of security integration in the SDDC thanks to L7 security, multi-tenancy, identity-based policies, Micro-Segmentation, Zero Trust, control of east-west traffic, inter- and intra-VM security, logical security zones (multi-tier), etc. As we can see, Fortinet FortiGate solutions are not just stateful firewalls like Amazon EC2 Security Groups but UTM firewalls with advanced features for SDN ecosystems as well.

Fortinet Solutions for Software-Defined Network Security (SDNS)
For instance, if we have deployed VMware NSX in our Data Center and we want L7 security even between virtual machines of the same network, as well as control, visualization and analysis of traffic flows, we could deploy FortiGate-VMX Service Manager along with FortiGate-VMX Security Appliances for a complete security ecosystem. Service groups created in NSX Manager are then automatically sent to the FortiGate-VMX and are available for policy creation.

Fortinet FortiGate-VMX Solution Interaction
Another SDN platform supported by Fortinet is Cisco ACI, which can be used in a CLOS/Leaf and Spine architecture rather than in a fully virtualized platform like VMware NSX. Fortinet has developed a device package to be imported into APIC, from where the FortiGate configuration is managed. Thus, network configuration (VLANs, IPs, routes, etc …) and security configuration (firewall policies, security profiles, etc) are managed from APIC.

Cisco ACI - Device Package Integration
OpenStack is a software platform for cloud computing which is also supported by Fortinet. Open Source OpenStack and commercial OpenStack solutions like HP Helion, PlumGrid, Nuage Networks, NetCracker, BluePlanet, Nokia CloudBand and UBiqube are supported by the Fortinet SDN ecosystem. For example, we can configure an SD-WAN/Zero Touch deployment with UBiqube and FortiGate-VM where security is delivered as a service by the service provider and enterprise security administrators can protect their services easily.

Fortinet - Nuage Deployment Models

I think SDN is here to stay for a period of time, who knows till when? Meanwhile, some datacenters have already deployed SDN solutions to take advantage of auto-scaling and auto-provisioning for elastic workloads, Micro-Segmentation in consolidated Data Centers, securing inter-VM traffic in virtual environments, or SD-WAN efficiencies with service chains. Therefore, we can start thinking about how we are going to protect our services with the new paradigm of Software-Defined Network Security.

Secure Inter-VM Traffic in Virtual Environments
Regards my friend and remember, keep studying!!

9 April 2018

Data Center Load Balancing

If your services have to be up & running 99.999% of the time, maybe you should configure Global Server Load Balancing and DNS Load Balancing for your services. We can configure F5 BIG-IP DNS along with F5 BIG-IP LTM for Data Center Load Balancing, or we can also use Amazon CloudFront services along with Amazon Route 53. Anyway, GSLB topologies are increasingly deployed for large IT infrastructures where availability is a must. Therefore, I’ve uploaded a video where we can watch how to configure GSLB for Data Center Load Balancing using F5 BIG-IP DNS along with LTM.

This is the topology used for the PoC:


And this is the video where you can watch the configuration needed for Data Center Load Balancing:

Regards my friend and remember, drop a line with the first thing you're thinking.

2 April 2018

Spanning Tree Protocol

I’m working on a switch deployment project these weeks where redundancy and high capacity are important. Of course!! Who doesn’t want redundancy and high capacity? It depends on who you are talking with, but there are people who think switches can be deployed with the default configuration and only have to be connected to the network, which means their networks are flat, without layer 2 segmentation or loop avoidance configuration. There are also people who think they can’t mix switches of different vendors due to Spanning Tree compatibility. However, if you are a network engineer, you’ll know switches should be configured, for instance, for loop avoidance to control topology changes and get redundancy and high capacity.

The Spanning Tree Protocol (STP), originally standardized as IEEE 802.1D, is easy to understand and should be known by network engineers. It is an old protocol for building loop-free logical topologies to prevent bridge loops and broadcast radiation. This protocol is easy to understand because switch ports can only be a root port (RP), a designated port (DP) or a blocked port (BP). However, this protocol is no longer used because it can take 30 to 50 seconds to respond to a topology change, which is too much time.

IEEE 802.1D - STP
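To see how the three 802.1D port roles fall out of the root election and path costs, here is an added Python model (not from the post) run on a constructed four-switch topology; bridge IDs are simplified to integers where the lowest wins, ties are broken by bridge ID only (real STP also uses port ID), and one link per switch pair is assumed.

```python
import heapq

# Constructed topology: integer bridge IDs stand in for priority.MAC (lowest wins the election).
BRIDGES = {"SW1": 1, "SW2": 2, "SW3": 3, "SW4": 4}
# Links as (bridge_a, bridge_b, path_cost); 802.1D costs: 4 = 1 Gbps, 19 = 100 Mbps.
LINKS = [("SW1", "SW2", 4), ("SW1", "SW3", 19), ("SW2", "SW3", 4),
         ("SW2", "SW4", 4), ("SW3", "SW4", 4)]

def root_path_costs(bridges, links, root):
    """Dijkstra from the root: each bridge's lowest cumulative cost to reach the root."""
    adj = {b: [] for b in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    rpc, heap = {root: 0}, [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > rpc.get(node, float("inf")):
            continue
        for nxt, c in adj[node]:
            if cost + c < rpc.get(nxt, float("inf")):
                rpc[nxt] = cost + c
                heapq.heappush(heap, (cost + c, nxt))
    return rpc

def stp_port_roles(bridges, links):
    """Return (root_bridge, {(bridge, neighbour): 'RP' | 'DP' | 'BP'})."""
    root = min(bridges, key=bridges.get)            # lowest bridge ID becomes the root bridge
    rpc = root_path_costs(bridges, links, root)

    def ports(b):                                   # (neighbour, cost) for every port of b
        for x, y, c in links:
            if x == b: yield y, c
            if y == b: yield x, c

    # Root port: the one port per non-root bridge with the cheapest path to the root;
    # ties go to the neighbour with the lower bridge ID.
    root_port = {}
    for b in bridges:
        if b != root:
            _, _, via = min((rpc[n] + c, bridges[n], n) for n, c in ports(b))
            root_port[b] = via
    # Designated port: on each segment, the end whose bridge advertises the lower root path
    # cost (tie: lower bridge ID). The other end is the root port or, failing that, blocked.
    roles = {}
    for a, b, _ in links:
        dp_end = min((a, b), key=lambda x: (rpc[x], bridges[x]))
        other = b if dp_end == a else a
        roles[(dp_end, other)] = "DP"
        roles[(other, dp_end)] = "RP" if root_port.get(other) == dp_end else "BP"
    return root, roles
```

Note that SW3 blocks its direct 100 Mbps link to the root because the two-hop path through SW2 costs less (8 vs 19), and the equal-cost SW3-SW4 segment is decided by bridge ID.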

STP was improved into RSTP (Rapid Spanning Tree Protocol), standardized as IEEE 802.1w. RSTP is backwards-compatible with standard STP and it is faster after a topology change because convergence takes only a few seconds (default: 3 times 2 seconds). On the other hand, RSTP port roles have been increased to five (root, designated, alternate, backup, disabled) instead of STP’s original three. In addition, Cisco has released STP alternatives such as PVST, PVST+ and RPVST which support Per-VLAN Spanning Tree.

IEEE 802.1w - RSTP

The next step was to develop the Multiple Spanning Tree Protocol (MSTP), standardized as IEEE 802.1s. It is backwards-compatible with RSTP and STP, but it also supports Per-VLAN Spanning Tree, where we can configure groups of VLANs as multiple spanning tree instances (MSTIs). This protocol has improved the redundancy and capacity of links because we can send traffic over all links at the same time while there is still an alternate path to the root bridge.

IEEE 802.1s - MSTP
If we are going to install new switches in a network where there are already switches installed, from my point of view, the new ones don’t necessarily have to be from the same vendor, but we should choose switches with the same STP compatibility. Therefore, it’s a best practice to configure standard protocols like MSTP or RSTP instead of proprietary protocols.

Finally, most top-of-rack (ToR) switches also support Shortest Path Bridging (SPB), standardized as IEEE 802.1aq, which has better performance, reliability and real layer 2 multipathing. However, Multi-Chassis Link Aggregation like that implemented by HPE IRF, Aruba VSF and Cisco VSS can also help us to build loop-free logical topologies with much better performance than traditional STP protocols.

IEEE 802.1aq - SPB
Regards my friend and remember, drop a line with the first thing you're thinking.