
25 June 2018

F5 BIG-IP ASM - Brute Force and Web Scraping

Today I want to write about two mitigation mechanisms that, in my opinion, are not used enough in enterprises. First, brute force attacks can be stopped easily with the free tool fail2ban, but we can also use WAF appliances to block this kind of attack. On the other hand, web scraping attacks can also be stopped easily with WAF appliances, but most IT engineers don’t know it and, therefore, their web sites are not protected from competitors. These are two attacks that we can mitigate with F5 BIG-IP ASM.

Brute force attacks are attempts to discover credentials in order to break into services such as web, file or mail services. For example, malicious users and bots may be interested in getting into secure areas and, as a result, they’ll need to discover legitimate credentials. How does F5 ASM protect web sites against brute force attacks? We have to define a login page, for instance user_login.php, and then apply brute force protection to the security policy to define what to do when a brute force attack is detected. We can watch the configuration in the next video:

Web scraping attacks are sophisticated attacks whose aim is to obtain large amounts of data from web sites, extracting proprietary data directly out of the HTML: price tracking, directory listings to get leads and marketing information, searching images, financial information, etc. How does F5 ASM protect companies against web scraping attacks? We have to enable Bot Detection and then configure the interval and period times used to detect bots. For example, if a client loads 30 different pages in 30 seconds, that is unusual and the client will be classified as a bot. We can watch the configuration in the next video:
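As an added example (not code from the post or from F5), here is the same “N different pages in T seconds” heuristic written as detection logic in Python and run over constructed access-log lines; the log format, client IPs and the two threshold names are assumptions, and real ASM Bot Detection has more settings than this single rule.

```python
from collections import defaultdict, deque

def detect_scrapers(log_lines, max_pages=30, period=30):
    """Return the set of client IPs that requested at least `max_pages`
    DISTINCT pages within any `period`-second sliding window.
    Constructed line format for this example: '<client_ip> <epoch_seconds> <path>'."""
    windows = defaultdict(deque)      # ip -> (timestamp, path) pairs inside the window
    flagged = set()
    for line in log_lines:
        ip, ts, path = line.split()
        ts = int(ts)
        win = windows[ip]
        win.append((ts, path))
        while ts - win[0][0] > period:   # evict requests that fell out of the window
            win.popleft()
        if len({p for _, p in win}) >= max_pages:   # count pages, not requests
            flagged.add(ip)
    return flagged

def constructed_log():
    """Constructed sample traffic (not real data): a scraper, a human and a page reloader."""
    lines = []
    for i in range(40):                     # scraper: 40 different item pages, one per second
        lines.append(f"203.0.113.7 {1000 + i} /item.php?id={i}")
    human_pages = ["/index.php", "/login.php", "/cart.php",
                   "/item.php?id=3", "/checkout.php", "/thanks.php"]
    for i, page in enumerate(human_pages):  # human: 6 pages spread over 100 seconds
        lines.append(f"198.51.100.9 {1000 + 20 * i} {page}")
    for i in range(50):                     # reloader: same page 50 times in 10 seconds
        lines.append(f"192.0.2.33 {1000 + i // 5} /index.php")
    return sorted(lines, key=lambda l: int(l.split()[1]))   # replay in time order

if __name__ == "__main__":
    print(detect_scrapers(constructed_log()))   # {'203.0.113.7'}
```

The reloader shows why the rule counts distinct pages: 50 hits on one page are not scraping, while the human only trips the rule when the thresholds are loosened to 5 pages in 120 seconds.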

However, there are times when we may also want to deny access by country because we are detecting too many attacks coming from a specific origin country. Be careful, though: only if we have no customers or potential customers in that country can we deny traffic from the “malicious” country. In addition, we’ll also be able to deny traffic from Anonymous Proxies. How does F5 ASM protect web applications by geolocation? It is easy: we define disallowed locations and allowed locations in the security policy. That’s all! We can watch the configuration in the next video:

Regards my friends and drop me a line with the first thing you are thinking.

18 June 2018

WAF - Login Enforcement & Session Tracking

Associating usernames and sessions with application violations provides in-depth blocking and visibility, which is useful for understanding attacks and for forensics. In addition, if we are able to identify devices for every visitor across multiple IPs and sessions, we’ll increase precision when blocking malicious activity. Therefore, these techniques help us identify and block suspicious clients and headless browsers, as well as mitigate client-side malware.

The first video this week is about Login URL Enforcement, a mechanism for preventing Forceful Browsing to restricted parts of the web application. By defining a required URL (i.e. the login page), the user must pass through it in order to access a certain target URL. This mechanism uses ASM cookies, which are session cookies, to keep information about the prerequisite URL that was accessed successfully. We’ll watch how to create a Login Page and how to configure Login Enforcement in the next video.
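An added Python model of Login URL Enforcement (example code, not the post’s or F5’s) using the post’s user_login.php as the required URL: a session may reach a protected target URL only after a successful response from the login page, and the per-session state stands in for the ASM session cookie. The target URL, the success criteria (status code plus a failure string) and the session ids are assumptions.

```python
class LoginEnforcer:
    """Minimal model of Login URL Enforcement: a session is allowed to request a
    target URL only after it passed the required login URL successfully."""

    def __init__(self, login_url, target_urls, success_status=200, failure_string="Login failed"):
        self.login_url = login_url
        self.target_urls = set(target_urls)
        self.success_status = success_status     # assumed success criterion
        self.failure_string = failure_string     # assumed failure marker in the body
        self.passed = set()                      # sessions that completed the prerequisite

    def check_request(self, session_id, path):
        """'block' a target URL hit by a session that never passed the login page
        (forceful browsing); everything else is 'allow'."""
        if path in self.target_urls and session_id not in self.passed:
            return "block"
        return "allow"

    def on_response(self, session_id, path, status, body):
        """Observe the application's answer to the login URL and record the
        prerequisite only when the login actually succeeded."""
        if path != self.login_url:
            return
        if status == self.success_status and self.failure_string not in body:
            self.passed.add(session_id)

    def end_session(self, session_id):
        self.passed.discard(session_id)          # logout or session expiry

def demo():
    """Constructed walkthrough: direct access, a failed login, a successful login."""
    waf = LoginEnforcer("/user_login.php", ["/admin/orders.php"])
    direct = waf.check_request("sess-A", "/admin/orders.php")          # no login yet
    waf.on_response("sess-A", "/user_login.php", 200, "Login failed: bad password")
    after_failed = waf.check_request("sess-A", "/admin/orders.php")
    waf.on_response("sess-A", "/user_login.php", 200, "Welcome back")
    after_success = waf.check_request("sess-A", "/admin/orders.php")
    other = waf.check_request("sess-B", "/admin/orders.php")            # different session
    return direct, after_failed, after_success, other

if __name__ == "__main__":
    print(demo())   # ('block', 'block', 'allow', 'block')
```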

The second video is about Session Awareness and how to configure violation detection actions. In fact, we’ll configure ASM to log all requests from the session once the threshold is triggered. Session awareness can also mitigate Session Hijacking Attacks, which occur when an attacker is able to steal session information from an authenticated user. Session hijacking prevention is based on fingerprinting, where client identification relies on screen resolution, time and time zone data, browser attributes such as platform, version, installed plugins, etc. Therefore, we’ll watch in the next video how to enable session awareness and how to log all requests once a violation is detected.

Regards my friends and drop me a line if you configure Login Enforcement and Session Tracking in your security policy.

11 June 2018

F5 BIG-IP ASM - Parameter Tampering Attacks

Cookie Tampering Attacks, HTTP Header Tampering Attacks or Parameter Tampering Attacks can’t be blocked by traditional firewalls. Instead, we should deploy a Web Application Firewall (WAF) where we can configure a Positive Security Policy that explicitly allows file types, URLs and parameters. If we configure a security policy in Learning mode with Add All Entities, we’ll have granular protection of entities and much more security, but the maintenance effort will be high. It’s up to you what level of protection you need.

I would like to show how we can configure a policy for Protecting Static Parameters. It’s important to highlight that security engineers will have to work together with developers to understand the web application logic, because it will be necessary to know the number of parameters, their types and their values as well. We can watch in the next video that the “payment” parameter is static and has four static values; when the “payment” value is not one of the configured values, the request is blocked.

I would also like to show how we can configure a policy for Protecting Dynamic Parameters. It’s similar to protecting static parameters, but dynamic means we don’t know the value in advance. Therefore, we have to define dynamic parameter extraction properties, which depend on how the web application handles parameter name/value pairs. For instance, we can configure extractions that search in links, in response bodies, in entire forms, within forms or even in XML files. We can watch in the next video that the “nick” parameter is dynamic and is extracted from “index.php” by searching the entire form.
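An added example (not the post’s or F5’s code) of the “search in the entire form” extraction for the post’s “nick” parameter served by “index.php”: the WAF learns, per session, the values the form offered in the response and later validates the request against them. The HTML, session ids and the decision to block when nothing was learned for a session are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

class FormValueExtractor(HTMLParser):
    """Collect every value the response's forms offer for one parameter name:
    <input name=...> values and <option> values of a <select name=...>."""
    def __init__(self, param):
        super().__init__()
        self.param, self.values, self._in_select = param, set(), False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == self.param and a.get("value") is not None:
            self.values.add(a["value"])
        elif tag == "select":
            self._in_select = a.get("name") == self.param
        elif tag == "option" and self._in_select and a.get("value") is not None:
            self.values.add(a["value"])
    def handle_endtag(self, tag):
        if tag == "select":
            self._in_select = False

class DynamicParameterPolicy:
    """Per-session allow-list learned from the page that serves the form; a request
    carrying a value the session was never offered is blocked."""
    def __init__(self, param, extract_from_url):
        self.param, self.extract_from_url = param, extract_from_url
        self.allowed = {}                      # session id -> set of extracted values
    def on_response(self, session_id, url, html):
        if url == self.extract_from_url:       # only learn from the configured page
            ex = FormValueExtractor(self.param)
            ex.feed(html)
            self.allowed.setdefault(session_id, set()).update(ex.values)
    def check_request(self, session_id, query_string):
        sent = parse_qs(query_string, keep_blank_values=True).get(self.param, [])
        ok = self.allowed.get(session_id, set())   # assumption: nothing learned -> block
        return "allow" if all(v in ok for v in sent) else "block"

# Constructed index.php response (not from the post): nick offered by a hidden input and a select
INDEX_HTML = """<form action="profile.php">
<input type="hidden" name="nick" value="alice_42">
<select name="nick"><option value="alice">alice</option><option value="ally">ally</option></select>
<input type="hidden" name="csrf" value="zzz"></form>"""

def demo():
    waf = DynamicParameterPolicy("nick", "/index.php")
    waf.on_response("sess-1", "/index.php", INDEX_HTML)
    return (waf.check_request("sess-1", "nick=alice_42&lang=en"),   # offered value
            waf.check_request("sess-1", "nick=admin"),              # tampered value
            waf.check_request("sess-2", "nick=alice_42"))           # session never saw the form
```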

Regards my friends and drop me a line if you want to configure advanced parameter handling in your security policy.

4 June 2018

The Île de France region

Good evening. Here is my presentation. I am going to talk about the historic and tourist routes in the Île de France region. I chose this subject because I really like hiking. I love walking in the forests and I also love visiting gardens and castles.

So, we are going to look at four routes: the historic route of writers’ houses, the Route Normandie-Vexin, the Route François 1er, and the Impressionists’ trail. Here we can see the Île de France region in the north of France.

The Route historique des maisons d’écrivain (historic route of writers’ houses)

The first route is called the Route historique des maisons d’écrivain, where thirteen famous writers wrote their books. We will also see large houses and pleasant castles. The route starts in Paris and ends in Rouen. We will hike along the river Seine, where there are beautiful, very calm landscapes.

For example, Elsa lived here with her husband, called Aragon. Elsa is a woman of Russian origin, of Jewish parents, who wrote more than 25 books. Maurice lived here, in this castle, where he wrote romantic poems.

The Route Normandie-Vexin

The second route is called the Route Normandie-Vexin, which is similar to the writers’ houses route because it starts in Paris and ends in Rouen. The river Seine also runs alongside the route. It is a very long route of about 200 km, where you can visit gardens and 15th-century castles.

For example, on the Route Normandie-Vexin you can see the gardens and the house of Claude Monet, where he painted. Here there is a bridge in his garden with lots of flowers. In the photo on the right, you can see a 15th-century castle. It is called the Château de Gaillon, which he used as a summer residence and later as a prison. Today it is used as a historic monument.

The Route François 1er

The third route is called the Route François 1er, where King François 1er had residences near Paris and in wildlife reserves, where he lived close to Paris and very peacefully in the forest.

For example, to the south-east, the royal Château de Fontainebleau, which was François Ier’s favourite residence. To the south-west, the Château de Rambouillet, where François Ier died, and which today is the summer residence of the Presidents of the Republic.

The Impressionists’ trail
The last route is the Impressionists’ trail, where you can see paintings near Paris and on the Île de la Jatte.

For example, Monet painted at the Grande Jatte and Van Gogh painted The Seine with the Pont de la Grande Jatte. These paintings are in the museum, but you can also see a replica on the Île de la Jatte.

Thank you very much!!