
21 September 2020

F5 ASM - Comprehensive Security Policy

A comprehensive security policy helps us provide the maximum security for a website, with all violations, features and learning suggestions enabled. This security policy is recommended for expert users because it requires deep knowledge of security and of F5 ASM. In addition, a comprehensive security policy requires much more administrative effort than other security policies, such as the fundamental security policy. Therefore, if you are a beginner, I recommend the Fundamental Security Policy.

Overview of BIG-IP ASM security policy templates

I’ve recorded a video while I was testing a comprehensive security policy. Firstly, I adjusted the learning options for file types, URLs and parameters to the Always mode, which is the best way to learn all entities. Secondly, I generated traffic and saw that entities appeared on the whitelists. Thirdly, I adjusted the learning speed to stabilize the security policy; it was stabilized when most entities were no longer in staging and the wildcards had been removed from the whitelists. Finally, I changed the learning mode from Automatic to Manual. Once the security policy was stabilized and in manual learning mode, attacks were detected and blocked.

Thanks, have a nice day!

14 September 2020

F5 ASM – Compact Mode

I already wrote about learning with Add All Entities, learning with Never (Wildcard Only) and learning with Selective in the F5 BIG-IP ASM – Positive Security Policy Building post two years ago. However, the Policy Builder updates in BIG-IP 13.0 include a new learning mode, Compact mode. I would like to highlight how this new mode works: in maintenance effort and granularity of protection it sits between the Never (wildcard only) mode and the Selective mode. Compact mode is therefore used to reduce policy complexity and simplify maintenance.

You can watch in the video I’ve recorded how Compact mode works. Firstly, I created a fundamental security policy in which I manually set the learning of new parameters to Compact mode. In addition, I added my IP address as a trusted IP address, because this is the best way for the score to reach 100% in the learning process. Secondly, I configured the wildcard parameter with a maximum length of 10 bytes. This is required to trigger security violations, and it’s the best option for producing learning suggestions. Finally, we can watch a new parameter being learnt, after which there are no more learning suggestions for parameters.

Thanks, drop me a line with the first thing you are thinking!!

7 September 2020

F5 ASM – Bot Defense

I wrote about F5 BIG-IP ASM – Bot Protection two years ago when I was studying for the F5 BIG-IP ASM Certified Technology Specialist exam. It was great because I passed the exam. Today, I’m studying again for the recertification exam. Therefore, I’ve recorded two new videos about Bot Defense, but this time with BIG-IP version 14.1.2. The first one is about blocking bot requests, and the second one about whitelisting bot requests.

The first video is about blocking bot requests. Firstly, we can watch how to create a bot logging profile and a bot defense profile. Secondly, we run the curl tool against a web service, where we can see that curl is identified as an Untrusted Bot, which raises an alarm, and the Nikto vulnerability scanner is identified as a Malicious Bot, which is blocked. Thirdly, we configure the CAPTCHA mitigation setting for malicious bots, and we can see a challenge when we run curl with the Nikto user agent. Finally, we configure the TCP Reset mitigation setting for Nikto.

The second video is about whitelisting bot requests. Firstly, we can watch how to create a bot logging profile and a bot defense profile. Secondly, we run the curl tool against a web service, where we can see that curl is identified as an Untrusted Bot, which raises an alarm. Thirdly, we configure an exception for curl, and we can see that its traffic no longer raises an alarm. Finally, we configure rate limiting for Unknown Bots, and we can see that even though we have whitelisted the curl bot, we can still ensure that it is rate-limited to prevent stress on the application.
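The decision flow the two videos walk through, as an added example (my code, not F5's bot defense engine or anything from the original post): a User-Agent classifier with constructed signature lists standing in for the bot signature database, a profile that maps each bot class to an action (alarm, block, CAPTCHA or TCP reset), an exception list that stops the alarm for a named bot, and a per-client request cap so that a whitelisted or unknown bot is still rate limited. The log line format, signatures and sample traffic are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed signature lists: substrings matched case-insensitively against the
# User-Agent. They stand in for F5's bot signature database, which is not shown here.
TRUSTED_BOTS = {"googlebot": "Googlebot"}
MALICIOUS_BOTS = {"nikto": "Nikto", "sqlmap": "sqlmap"}
UNTRUSTED_BOTS = {"curl/": "curl", "python-requests": "python-requests"}

# Constructed log line shape: <client ip> <method> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def classify(user_agent):
    """Return (bot_class, bot_name); bot_class is trusted, malicious, untrusted,
    browser or unknown. Malicious signatures are checked before the generic
    browser test because scanners often embed "Mozilla/" in their UA."""
    ua = user_agent.lower()
    for needle, name in TRUSTED_BOTS.items():
        if needle in ua:
            return "trusted", name
    for needle, name in MALICIOUS_BOTS.items():
        if needle in ua:
            return "malicious", name
    for needle, name in UNTRUSTED_BOTS.items():
        if needle in ua:
            return "untrusted", name
    if "mozilla/" in ua:
        return "browser", None
    return "unknown", None


class BotDefenseProfile:
    """Decision logic of a bot defense profile: an action per bot class, an
    exception list for named bots, and a per-client request cap for bots that
    are whitelisted or unknown (a time window is omitted for brevity)."""

    def __init__(self, malicious_action="block", untrusted_action="alarm",
                 whitelist=(), unknown_rate_limit=3):
        self.malicious_action = malicious_action   # block | captcha | tcp_reset
        self.untrusted_action = untrusted_action   # alarm | block
        self.whitelist = set(whitelist)            # bot names excepted from the action
        self.unknown_rate_limit = unknown_rate_limit
        self.requests_by_client = defaultdict(int)

    def decide(self, log_line):
        """Return (bot_class, bot_name, action) for one request."""
        m = LOG_RE.match(log_line)
        if not m:
            raise ValueError("unparsable log line: %r" % log_line)
        client_ip, _method, _path, user_agent = m.groups()
        bot_class, name = classify(user_agent)
        if bot_class == "malicious":
            return bot_class, name, self.malicious_action
        if bot_class == "untrusted" and name not in self.whitelist:
            return bot_class, name, self.untrusted_action
        if bot_class in ("untrusted", "unknown"):
            # whitelisted (excepted) bots and unknown bots are still rate limited
            return bot_class, name, self._rate_limit(client_ip)
        return bot_class, name, "allow"

    def _rate_limit(self, client_ip):
        self.requests_by_client[client_ip] += 1
        if self.requests_by_client[client_ip] > self.unknown_rate_limit:
            return "rate_limit"
        return "allow"


# Constructed sample traffic matching what the two videos exercise.
SAMPLE_LOG = [
    '203.0.113.5 GET /index.html "curl/7.68.0"',
    '203.0.113.5 GET /index.html "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None)"',
    '203.0.113.5 GET /index.html "curl/7.68.0"',
    '203.0.113.5 GET /index.html "curl/7.68.0"',
    '198.51.100.9 GET /index.html "Mozilla/5.0 (X11; Linux x86_64) Firefox/78.0"',
]


def run(profile, lines):
    """Apply one profile to a list of log lines and return the decisions."""
    return [profile.decide(line) for line in lines]


if __name__ == "__main__":
    print("blocking profile:", run(BotDefenseProfile(), SAMPLE_LOG))
    print("whitelist profile:", run(BotDefenseProfile(whitelist={"curl"},
                                                      unknown_rate_limit=2), SAMPLE_LOG))
```

With the default profile the first curl request is only alarmed and Nikto is blocked; with `whitelist={"curl"}` the alarm disappears, but the third curl request from the same client still hits the rate limit, which is the behaviour the second video shows.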

Thanks, it’s your turn!

27 July 2020

F5 ASM – Fundamental Security Policy

I used to write an overview of what I’d done in the last year before going on holiday, but this summer, although I’m not going to write in the blog for the next month, I wanted to write about F5 BIG-IP because I’ll take the certification exam in September. Therefore, this small post is about how to create a Fundamental Security Policy in F5 BIG-IP ASM and how to customize the policy with Selective Learning.

Actually, I’ve recorded a video. You know I love watching how architectures are configured. We can watch in the next video how to configure a Fundamental Policy in transparent mode with manual learning. In addition, I’ve enabled “Illegal parameter value length” in the Learning and Blocking Settings. What’s more, I’ve modified the wildcard parameter length to 1 byte. Therefore, thanks to selective learning, every parameter whose value is longer than 1 byte will be suggested for addition to the security policy. I think it’s much better if you watch the video.

Thanks, take care, enjoy the summer!

20 July 2020

F5 ASM – Blocking methods and XSS attack

This summer I have to study French and F5. I have to study French because I couldn’t sit the exams due to the COVID-19 pandemic, so I will take them in September. In addition, my F5 certifications expire soon, so I will also have to study F5. I think it’s going to be an exhausting summer. However, I will try to do my best and study for both exams. We’ll see the results at the end of the summer. I’ll let you know!

This weekend I’ve been reading and studying about F5 ASM. I’ll sit the 303 exam. Therefore, I’ve also recorded a video where you can watch how to block, firstly, the OPTIONS method and, later, an XSS attack. You can see that the attacks are not blocked in transparent mode; however, they are blocked in blocking mode. In addition, there are Learning Suggestions that help us configure the security policy. I think that, thanks to the event logs and Traffic Learning, we can easily build a security policy for protecting web services from advanced attacks with F5 ASM.

Thanks my friends!! Enjoy! Study!

13 July 2020

F5 SSL Orchestrator - Topologies

You may not know you need an SSL Orchestrator (SSLO) until you know what this kind of product can do for you. SSL visibility is mandatory for most companies today: it’s useful for detecting malware, attacks, data leaks, etc. Therefore, if you want SSL visibility and you are going to install an SSLO, you’ll need to know and understand the six topologies that you can configure. The aim is for internal clients to access remote (Internet) resources through SSLO, providing decrypted, inspectable traffic to the security services.

The configuration dashboard after deployment
The L3 Outbound topology (transparent proxy) is the traditional transparent forward proxy while the L3 Explicit Proxy topology is the traditional explicit forward proxy. An explicit forward proxy topology will ultimately create an explicit proxy listener and its relying transparent proxy listener; however, the transparent listener will be bound only to the explicit proxy tunnel. If a subsequent transparent forward proxy topology is configured, it will not overlap the existing explicit proxy objects.

L3 Outbound topology
For a reverse proxy “gateway” configuration, the L3 Inbound topology should be selected. In its simplest form, the L3 Inbound topology builds an SSLO environment designed to sit in front of another Application Delivery Controller, ADC, or routed path. Advanced options allow it to define a pool for more directed traffic flow, however, alone it does not provide the same flexibility afforded a typical LTM reverse proxy virtual server. It also must perform re-encryption on egress.

L3 Inbound topology

With the L2 Inbound topology and the L2 Outbound topology, we insert SSLO as a bump-in-the-wire in an existing routed path, where SSLO presents no IP addresses on its outer edges. The L2 Inbound topology provides a transparent path for inbound traffic flows, while the L2 Outbound topology provides a transparent path for outbound traffic flows. These topologies are therefore the best way to enhance the integrity, confidentiality or reliability of communications across an existing logical link without altering the communication endpoints.

L2 Outbound topology
The sixth topology is the Existing Application topology which is designed to work with existing LTM applications. Whereas the L3 Inbound topology provides an inbound gateway function for SSLO, Existing Application works with LTM virtual servers that already perform their own SSL handling and client-server traffic management. The Existing Application workflow proceeds directly to service creation and security policy definition, then exits with an SSLO-type access policy and per-request policy that can easily be consumed by an LTM virtual server.

Existing Application topology

Finally, once we choose which topology fits our requirements, we have to attach security services to SSLO. For instance, the F5 SSLO includes a services catalog which contains common product integrations such as Fortinet Secure Web Gateway HTTP Proxy or Gigamon Inline Layer 2. However, there are also generic services for L2 inline, L3 inline, ICAP, HTTP or TAP connectors.

security services
Are you ready to deploy and install F5 SSLO? Go ahead!

6 July 2020

F5 AFM Automation with Ansible

Today, I would like to write about automation. IT automation is increasingly used in big datacenters with lots of services, servers and appliances. Automation makes sense when we have to run the same operation repeatedly. For instance, when we have to add a new malicious IP address to a group of IP addresses that a firewall denies, it’s easy and recommended to do it automatically. Automation also makes sense when we have to add lots of rules to a firewall policy quickly to block an attack. In addition, automation is useful for deploying appliances such as FortiGate or F5 with the same configuration when we have to deploy lots of them from time to time. You can check Automating F5 configuration with Ansible and FortiGate automation with Ansible.

Ansible & F5 AFM - Creating a rule for allowing ICMP traffic

These weeks I have to migrate lots of firewall rules from iptables to F5 AFM. I think IT automation is going to help me migrate all the rules; in fact, Ansible is going to help me. It's easier to write all the firewall rules in a playbook than to create them one by one from the GUI. Once the playbook is complete, we can run it with Ansible to create all the rules at once, which takes less time than creating them from the GUI. You can watch in the next video how to write a playbook with a policy and firewall rules for F5 AFM. It’s easy and fast!
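The migration described above, as an added example that is not the author's playbook: a small Python script that parses a constructed `iptables -S` export and emits an Ansible playbook with one `bigip_firewall_policy` task and one `bigip_firewall_rule` task per rule, in the original order. The task parameter names (`parent_policy`, `action`, `protocol`, `source`, `destination`, `logging`, `provider`) are those of the `f5networks.f5_modules` collection as I know them and should be treated as assumptions to check against the installed collection. The playbook is rendered as JSON, which Ansible accepts because JSON is valid YAML.

```python
import json
import shlex

# Constructed sample, the kind of output `iptables -S INPUT` gives. Real exports
# carry options this parser does not know (-m conntrack, -i, ...); those lines
# raise instead of being silently dropped, so no rule loses a condition.
SAMPLE_IPTABLES = """
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j DROP
-A INPUT -p tcp --dport 80 -j REJECT
"""

TARGET_TO_ACTION = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}


def parse_rule(line):
    """Parse one `-A CHAIN ...` line into a dict; blank lines give None."""
    tokens = shlex.split(line)
    if not tokens:
        return None
    if tokens[0] != "-A":
        raise ValueError("only -A rules are supported: %r" % line)
    rule = {"chain": tokens[1], "protocol": "any", "source": None,
            "destination": None, "dport": None, "action": None}
    it = iter(tokens[2:])
    for tok in it:
        if tok == "-p":
            rule["protocol"] = next(it)
        elif tok == "-s":
            rule["source"] = next(it)
        elif tok == "-d":
            rule["destination"] = next(it)
        elif tok == "--dport":
            rule["dport"] = int(next(it))
        elif tok == "-j":
            rule["action"] = TARGET_TO_ACTION[next(it)]
        else:
            raise ValueError("unsupported iptables option %r in %r" % (tok, line))
    if rule["action"] is None:
        raise ValueError("rule without -j target: %r" % line)
    return rule


def rule_task(rule, index, policy):
    """One bigip_firewall_rule task (parameter names assumed, see lead-in)."""
    params = {
        "name": "%s_rule_%02d" % (rule["chain"].lower(), index),
        "parent_policy": policy,
        "action": rule["action"],
        "protocol": rule["protocol"],
        "logging": True,
        "state": "present",
        "provider": "{{ provider }}",
    }
    if rule["source"]:
        params["source"] = [{"address": rule["source"]}]
    destination = {}
    if rule["destination"]:
        destination["address"] = rule["destination"]
    if rule["dport"] is not None:
        destination["port"] = rule["dport"]
    if destination:
        params["destination"] = [destination]
    return {"name": "Create %s" % params["name"],
            "f5networks.f5_modules.bigip_firewall_rule": params}


def build_playbook(iptables_text, policy="migrated_policy"):
    """Playbook as Python data. Tasks keep the iptables order; AFM evaluates
    rules top to bottom, so verify the resulting order on the BIG-IP before
    attaching the policy to a context."""
    rules = [r for r in (parse_rule(l) for l in iptables_text.splitlines()) if r]
    tasks = [{"name": "Create policy %s" % policy,
              "f5networks.f5_modules.bigip_firewall_policy":
                  {"name": policy, "state": "present", "provider": "{{ provider }}"}}]
    tasks += [rule_task(r, i + 1, policy) for i, r in enumerate(rules)]
    return [{
        "name": "Migrate iptables rules to F5 AFM",
        "hosts": "bigip", "connection": "local", "gather_facts": False,
        "vars": {"provider": {"server": "{{ ansible_host }}",
                              "user": "{{ bigip_user }}",
                              "password": "{{ bigip_password }}",
                              "validate_certs": True}},
        "tasks": tasks,
    }]


def render(playbook):
    """JSON is valid YAML: save this as migrate.yml and run ansible-playbook."""
    return json.dumps(playbook, indent=2)


if __name__ == "__main__":
    print(render(build_playbook(SAMPLE_IPTABLES)))
```

The playbook only creates the policy and its rules; applying the policy to a virtual server, route domain or the global context is a separate step, and the credentials come from inventory variables rather than the playbook itself.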

Have a nice week my friends!

29 June 2020

SSL Orchestrator (SSLO)

I didn’t know anything about Network Packet Brokers (NPB) until I attended a webinar about Gigamon and understood all the use cases where this product fits. That was nearly one year ago. Later on, Ariadnex organized talks in Mérida (Spain) about NPBs. Since then, I’ve read about NPBs. Gigamon and FireEye are two NPB manufacturers whose products are able to decrypt SSL traffic, redirect it, and encrypt it again. They work from Layer 1 to Layer 7. However, there is another product, similar to NPBs, which works from Layer 2 upwards and is able to improve SSL visibility and management: SSL Orchestrator (SSLO) by F5 Networks.

A few years ago, nobody read the newspaper online over SSL because all of these websites were HTTP instead of HTTPS. Today, however, most newspapers, and most websites in general, work with SSL, so SSL is increasingly used on the Internet. It’s important to highlight that SSL is used for privacy. We have to understand that SSL traffic is encrypted for privacy and not for security: nobody will see the content of that traffic, even when the content is malicious. We need to watch out for what's going on even when the traffic is encrypted with SSL.

SSL Adoption
Companies should know what kind of traffic is inside SSL packets. Companies need SSL visibility to know whether there is malware inside SSL packets or whether there are data leaks. Security engineers need to know what kind of traffic they may decrypt and what kind of traffic is forbidden to decrypt. Most companies that worry about this matter have a daisy-chain of products that decrypt and re-encrypt SSL traffic again and again, depending on what they want to know and what they want to do. Today, the daisy-chain architecture is already deprecated.

Traditional SSL daisy-chain network design
Network Packet Brokers such as Gigamon and FireEye, and SSL Orchestrators like F5 SSLO, are able to decrypt SSL traffic, classify it, redirect it to another security appliance, such as a Web Gateway, IDS/TAP, DLP/ICAP or IPS/NGFW, to be analysed, and finally re-encrypt it on the way out. This architecture is easier to configure. We can add and delete security appliances easily. In addition, if one security appliance fails, we can even bypass the failed appliance quickly.

High performance decryption and SSL Orchestration
This new architecture is called a Dynamic Service Chain because it’s really simple to add appliances dynamically. It allows dynamic scaling. For instance, when there is a bottleneck in the IPS/NGFW appliance, it’s easy to add more IPS/NGFW appliances: we only have to configure a pool of appliances with more devices. What’s more, we can also choose what kind of traffic we are going to redirect to the IDS/TAP for analysis and what kind of traffic we don’t want to redirect to any security appliance.

SSL Orchestrator - A functional Overview
I think technologies such as NPB and SSLO are disruptive because we can analyse and know the content of SSL traffic. I mean, we have more SSL visibility, which is really important for most companies to detect malware, attacks, data leaks, etc.

Have a nice day my friends!

22 June 2020

What’s new in FortiOS 6.4

I attended a webinar about What’s new in FortiOS 6.4 several weeks ago, and I would like to highlight the most interesting security features from my point of view. There are lots of new features, some of them more interesting or more useful than others. Anyway, the best thing is to test them yourself. These new security features and improvements will set the trend for many other firewall manufacturers and for the security protection features of many companies.

The new FortiOS 6.4 has improved the SD-WAN functionality and the ease of use. For instance, IPv4 policies and IPv6 policies are consolidated in the same policy configuration. FGSP (FortiGate Session Life Support) supports UTM inspection on asymmetric traffic, which is great because it means Fortinet is working to improve this protocol. Who knows whether we will be able to configure a cluster with different models in the next version. There is also a bandwidth test button and a bandwidth monitor on WAN interfaces, which are really useful for Internet speed tests and for monitoring bandwidth in real time. What’s more, we now have a spectrum analysis tool with this new version. It is usually an expensive tool, but it's free with FortiOS 6.4; we only need a FortiGate plus a FortiAP. These are some interesting new security features for Security-Driven Networking.

Spectrum Analysis

FortiOS is increasingly integrated with more cloud platforms such as AWS, Azure, Alibaba, OCI or Google Cloud. This new version also supports Rackspace Cloud. Therefore, we can now deploy FortiGate instances in most cloud platforms, and we’ll have the same GUI in cloud instances as in physical and virtual firewall devices. Moreover, PAYG allows adding more CPU and RAM as we grow.

AWS autoscaling group for dynamic address objects

Zero-Trust Network Access also has two interesting new security features. The first one is that FortiGate has a small NAC module, which will be really useful for branch offices with small and medium FortiGate devices; FortiNAC is therefore not necessary in these small networks, although a FortiSwitch is. The second interesting security feature is the new IoT subscription service, which updates the IoT device database automatically. We no longer have to wait for a firmware upgrade to detect new IoT devices such as new smart TVs.

FortiSwitch NAC Policies

Last but not least are the new features of the Fabric Management Center. FortiView and Monitor disappear; we can add this information to the dashboard with widgets. We no longer have to create a group for each Active Directory group, because the FSSO connector detects all groups and they are ready to use in firewall policies. There are also new automation actions and improvements with Webhook. Actually, there are lots of new features regarding the Fabric Management Center, which I encourage you to read about and test.

Webhook Automation
That’s all my friends. Read, test and play with this new FortiOS version.

15 June 2020

F5 WAF – Maximum Protection

If you work as a security engineer, you’ll want the maximum protection for your web services. However, maximum protection requires more administrative effort. It requires more knowledge about security and more knowledge about the web services you are protecting. You’ll get 90% of applications protected; it’s the maximum security level. Nevertheless, you’ll have to work very hard. In addition to configuring all the security features of Good Protection, Elevated Protection and High Protection, you’ll have to configure Data Guard, DAST Integration, Protection from parameter exploits (whitelisting) and Allowed HTTP request methods.

The best protection is blocking attacks in the inbound direction before they can reach the web servers. However, it may not be possible to detect every inbound attack, and there may be some problematic outbound traffic. Data Guard helps us protect outbound traffic. It examines outbound traffic for patterns that match common sensitive data types, such as credit card numbers or telephone numbers, and then masks the data or blocks responses containing it. It’s an advanced security feature for customers who are concerned about leaking sensitive data. If you enable Data Guard in your security policy, credit card numbers and US social security numbers are masked by default.

Data Guard to mask sensitive data
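The two default behaviours of Data Guard, masking and blocking, as an added example (my code, not F5's implementation): an outbound filter that finds credit card numbers and US social security numbers in a response body and either masks all but the last four digits or rejects the response. A Luhn check is applied to card candidates because a bare digit pattern over-matches order numbers and timestamps. The regular expressions, the policy knob and the sample response are constructed for this example.

```python
import re

# Candidate patterns (constructed): 13 to 16 digits, optionally separated by
# spaces or dashes, ending in a digit; and a US SSN in 3-2-4 form excluding the
# area, group and serial values that are never issued.
CC_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum; rejects most digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(body):
    """Return (kind, start, end) spans, sorted by position in the body."""
    hits = []
    for m in CC_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("credit_card", m.start(), m.end()))
    for m in SSN_RE.finditer(body):
        hits.append(("ssn", m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])


def mask(text):
    """Replace every digit but the last four with '*', keeping separators."""
    total = sum(c.isdigit() for c in text)
    seen = 0
    out = []
    for c in text:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def apply_data_guard(body, block_on_match=False):
    """Return (status, body, hits). Masking keeps the length of every span, so
    the recorded offsets stay valid while the body is rewritten in place."""
    hits = find_sensitive(body)
    if not hits:
        return 200, body, hits
    if block_on_match:
        return 403, "", hits   # the response never reaches the client
    chars = list(body)
    for _kind, start, end in hits:
        chars[start:end] = mask(body[start:end])
    return 200, "".join(chars), hits


# Constructed response body a leaky application might return.
SAMPLE_RESPONSE = ("Order 20200615 for customer 88: card 4111 1111 1111 1111, "
                   "SSN 123-45-6789, total 59.99 USD")


if __name__ == "__main__":
    status, masked, hits = apply_data_guard(SAMPLE_RESPONSE)
    print(status, masked)
    print([kind for kind, _s, _e in hits])
```

The order number and the amount in the sample pass through untouched, while the card becomes `**** **** **** 1111` and the SSN `***-**-6789`; with `block_on_match=True` the whole response is withheld instead.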

Many organizations identify application security vulnerabilities using automated tools such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) or Run-time Application Security Testing (RAST). The BIG-IP ASM system is able to integrate with DAST tools and services from providers like WhiteHat Security, HP, ImmuniWeb, Qualys, Quotium, and Trustwave. DAST integration provides support for automated, closed-loop remediation of many vulnerabilities identified by these tools: the system automatically customizes the security policy to resolve them.

Vulnerabilities found and verified by WhiteHat Sentinel
Blacklisting is a well-known security feature: there are signatures that are malicious and have to be blocked. On the other hand, whitelisting is a list of parameters that always have to be allowed. Blacklisting is easy to configure. However, whitelisting is hard to configure because we have to know the explicit parameters used by the application. Whitelisting provides more protection than blacklisting, but it requires more administrative effort, because each time the application is modified, the security policy has to be modified too.

Parameters List
Finally, Allowed HTTP request methods is another security feature for maximum protection. Most web applications work with the GET and POST methods. Therefore, methods such as OPTIONS, DELETE, TRACE or HEAD are not used a lot. Allowing only the GET and POST methods is a best practice and significantly reduces the security risk. The BIG-IP ASM system can allow the GET and POST methods and block, or trigger a violation, when other methods are used.

Allowed HTTP Methods

Regards! You already have all the security features ready for protecting your web applications.

8 June 2020

F5 WAF – High Protection

I’ve already written about Good Protection and Elevated Protection over the last two weeks, covering lots of useful security features to protect web services. Features such as Attack Signatures and Protocol Compliance are examples of Good Protection, and features such as Bot Protection and CSRF Protection are examples of Elevated Protection. These features are enough for most companies: we are going to block 80% of attacks with them. However, there are still 20% of attacks which can be very dangerous for some companies. Therefore, these companies require High Protection: more security features, and more sophisticated ones.

Disallowed File Types is a best practice for Elevated Protection, but if we want to protect the web services even better, we’ll also have to create an Allowed URL List. This is a whitelist of allowed URLs which will never be blocked. For instance, we should configure /login.jsp as an explicit allowed URL and /products/* as an allowed wildcard pattern. All other URLs will be denied. In addition, User Session Tracking helps us improve the security policy. This security feature is able to track all application traffic during a user session, allowing us to perform user validation and gather insights about users.

Allowed URL List

If you are working with passwords, account numbers, credit card numbers, social security numbers, or other valuable personal data, you’ll be interested in DataSafe. This is a security feature that protects data before users send it from their browser. If you have Advanced WAF, you have the DataSafe feature. On the other hand, sensitive web applications sometimes also obtain and store browser fingerprinting data when you log in, to detect session hijacking attacks. However, the BIG-IP ASM system can also protect common web applications against hijacking and other attacks.

Credential Theft Using Malware (DataSafe)
Brute Force Attack Protection is also a High Protection feature. Most security devices are able to lock an account after repeated unsuccessful authentication attempts. Hackers attempt to guess users’ accounts again and again. Another version of this attack is called “credential stuffing”: hackers make only one attempt to log in to each user’s account because they obtained the credentials from a compromised application. The BIG-IP ASM system is able to detect these attacks based on failed login attempts, user device IDs or user IP addresses.

Brute Force Protection Configuration
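The two signals named above, failed attempts per account and many different accounts from one device or IP, as an added example (my detection logic, not ASM's brute force engine): a monitor fed with constructed login events that raises a brute force alert when one account accumulates failures inside a sliding window, and a credential stuffing alert when one source touches many distinct accounts inside the window, regardless of whether those attempts succeed. Event shape, thresholds and sample data are constructed for this example.

```python
from collections import defaultdict, deque

# Constructed login events: (timestamp_seconds, source_ip, device_id, username, success)
SAMPLE_EVENTS = [
    (0, "198.51.100.7", "dev-a1", "alice", False),
    (1, "198.51.100.7", "dev-a1", "alice", False),
    (2, "198.51.100.7", "dev-a1", "alice", False),
    (3, "198.51.100.7", "dev-a1", "alice", False),
    (4, "198.51.100.7", "dev-a1", "alice", False),
    (5, "198.51.100.7", "dev-a1", "alice", False),
    (10, "203.0.113.9", None, "bob", False),
    (11, "203.0.113.9", None, "carol", False),
    (12, "203.0.113.9", None, "dave", True),   # one stuffed credential worked
    (13, "203.0.113.9", None, "erin", False),
    (14, "203.0.113.9", None, "frank", False),
    (15, "203.0.113.9", None, "grace", False),
    (200, "198.51.100.7", "dev-a1", "alice", False),  # outside the window: no alert
]


class LoginMonitor:
    def __init__(self, window=60, failures_per_account=5, accounts_per_source=5):
        self.window = window                          # seconds
        self.failures_per_account = failures_per_account
        self.accounts_per_source = accounts_per_source
        self.failures = defaultdict(deque)            # username -> failure timestamps
        self.accounts = defaultdict(dict)             # source key -> {username: last seen}

    def observe(self, ts, source_ip, device_id, username, success):
        """Feed one event; return the alerts it raises. Each alert fires once,
        at the moment its threshold is reached inside the window."""
        alerts = []
        # The device ID is the better key when present (one IP may be a shared
        # NAT); fall back to the source IP otherwise.
        source = device_id or source_ip
        seen = self.accounts[source]
        seen[username] = ts
        for user, last in list(seen.items()):
            if ts - last > self.window:
                del seen[user]
        if len(seen) == self.accounts_per_source:
            alerts.append(("credential_stuffing", source, len(seen)))
        if not success:
            fails = self.failures[username]
            fails.append(ts)
            while fails and ts - fails[0] > self.window:
                fails.popleft()
            if len(fails) == self.failures_per_account:
                alerts.append(("brute_force", username, len(fails)))
        return alerts


def analyze(events, **kwargs):
    """Run every event through one monitor and collect the alerts in order."""
    monitor = LoginMonitor(**kwargs)
    alerts = []
    for event in events:
        alerts.extend(monitor.observe(*event))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the monitor reports one brute force alert for `alice` and one credential stuffing alert for `203.0.113.9`; the later `alice` failure at second 200 starts a fresh window and raises nothing.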
Finally, there are some applications that need to be bypassed, for instance for testing a new version, penetration testing, or using automated scanning tools to identify and resolve vulnerabilities. Therefore, Blocking Mode Override is also a useful security feature. We configure a unique hostname in the Host header which is allowed to bypass Blocking and be handled by Transparent enforcement mode. However, we have to keep this hostname secret or rotate it regularly to keep blocking malicious traffic.

Blocking Mode Override
Regards! I hope these security features fit your needs.

1 June 2020

F5 WAF - Elevated Protection

I wrote about F5 WAF – Good Protection last week, where I wrote down the main security features recommended for good protection. These features, Attack Signatures, Transparent enforcement mode, IP Intelligence, Geolocation, Protocol Compliance, Protection from evasion techniques, Protection from parameter exploits and Threat Campaigns, are easy to configure and maintain with minimal administrative effort and time. However, web servers can be protected better with the elevated protection security features, which we are going to see below.

Bot Protection is an elevated security feature which is able to identify and classify benign and malicious bots. The BIG-IP ASM system has a bot detection engine that uses a combination of known bot signatures, JavaScript, CAPTCHA, and rate limiting to block bot traffic. Another interesting security feature for elevated protection is Web Scraping Protection, which is useful for blocking the extraction of information from a web application. L7 DoS Attack Protection is also recommended, because DoS attacks are not only volumetric attacks but also L7 attacks, which can deny your web services with few packets.

Web Scraping Violation

Applications are developed in a language, and this language uses a file extension. Therefore, Disallowed File Types is a best practice where we should configure a blacklist and a whitelist of file types. This is the best way to reduce the application attack surface. For instance, if the web application is developed with .jsp files, extensions other than .jsp should be blocked. On the other hand, External Logging is increasingly configured to send event data to a SIEM system for incident analysis and long-term log storage. These systems are able to collect all kinds of event data, which are really useful later on for analysis.

Allowed File Types
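The positive security entities discussed across these posts, as one added example that is my code and not F5's policy engine: a file type allowlist (this post), an allowed URL list with an explicit URL and a wildcard pattern (the High Protection post), an allowed HTTP method list (the Maximum Protection post), and a wildcard parameter with a maximum value length evaluated in transparent or blocking enforcement mode (the Fundamental Security Policy and Blocking methods posts). In transparent mode every violation is only logged and turned into a learning suggestion; in blocking mode the same request is rejected. The policy contents, violation names, suggestion wording and sample requests are constructed for this example.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit, parse_qsl
import posixpath

# Learning suggestion that would resolve each violation (constructed wording).
SUGGESTION_FOR = {
    "Illegal method": "add method",
    "Illegal URL": "add URL",
    "Illegal file type": "add file type",
    "Illegal parameter value length": "raise wildcard parameter max length for",
}


class PositivePolicy:
    def __init__(self, allowed_methods, allowed_urls, allowed_file_types,
                 max_param_length, enforcement="transparent"):
        self.allowed_methods = set(allowed_methods)
        self.allowed_urls = list(allowed_urls)        # explicit URLs and wildcards
        self.allowed_file_types = set(allowed_file_types)
        self.max_param_length = max_param_length      # bytes, for the '*' parameter
        self.enforcement = enforcement                # transparent | blocking

    def violations(self, method, url):
        """Evaluate one request and return every (violation, value) it raises."""
        found = []
        parts = urlsplit(url)
        path = parts.path
        if method not in self.allowed_methods:
            found.append(("Illegal method", method))
        # fnmatch '*' also spans '/', so /products/* covers /products/a/b as well
        if not any(fnmatchcase(path, pattern) for pattern in self.allowed_urls):
            found.append(("Illegal URL", path))
        # a path without an extension is its own file type, like ASM's no_ext
        ext = posixpath.splitext(path)[1].lstrip(".") or "no_ext"
        if ext not in self.allowed_file_types:
            found.append(("Illegal file type", ext))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if len(value.encode("utf-8")) > self.max_param_length:
                found.append(("Illegal parameter value length", name))
        return found

    def enforce(self, method, url):
        """Return (decision, learning_suggestions) for the request."""
        found = self.violations(method, url)
        suggestions = ["%s %s" % (SUGGESTION_FOR[kind], value) for kind, value in found]
        if not found:
            return "pass", suggestions
        if self.enforcement == "blocking":
            return "block", suggestions
        return "alarm", suggestions   # transparent: log and learn, never block


# Constructed policy: a JSP application, GET/POST only, 10-byte wildcard parameter.
DEMO_POLICY = PositivePolicy(
    allowed_methods={"GET", "POST"},
    allowed_urls=["/login.jsp", "/products/*"],
    allowed_file_types={"jsp", "no_ext"},
    max_param_length=10,
)


if __name__ == "__main__":
    for method, url in [("GET", "/login.jsp?user=bob"), ("OPTIONS", "/login.jsp"),
                        ("GET", "/admin.php"), ("GET", "/products/42?q=" + "a" * 12)]:
        print(method, url, DEMO_POLICY.enforce(method, url))
    DEMO_POLICY.enforcement = "blocking"
    print("blocking:", DEMO_POLICY.enforce("OPTIONS", "/login.jsp"))
```

The OPTIONS request is exactly the case of the Blocking methods post: in transparent mode it produces an alarm and the suggestion to add the method, and flipping `enforcement` to `blocking` turns the same decision into a block. Attack signatures (the XSS case) are a separate, negative check and are not modelled here.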
CSRF Protection is also an elevated security feature, recommended to block CSRF vulnerabilities. This vulnerability exposes users to fraudulent actions such as money transfers, password changes, and unauthorized product purchases. As a result, BIG-IP ASM is able to apply virtual patching until the vulnerability can be fixed by the developers. Another interesting security feature for elevated protection is HTTP Redirection Protection. This feature blocks redirections to other domains that are not allowed. Therefore, we can block attackers who want to redirect users to a forged page on a site that deceptively appears like the one they just left.

CSRF Protection
There are two more security features for elevated protection. The first one is Cookie Tampering Protection, which is really useful because most applications use cookies to store data. These cookies have to be protected from manipulation. Consequently, we should configure a whitelist of “allowed” cookies. The second one is the Behavioral DDoS feature, which mitigates DDoS attacks by analysing traffic behaviour and using machine learning and data analysis. BIG-IP ASM systems monitor application health and apply mitigation techniques such as slowing down a client, a CAPTCHA request, or blocking the request.

DDoS attack summary
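The cookie allow list and tampering check described above, as an added example (my code, not ASM's cookie enforcement): when cookies are issued, an HMAC tag per allow-listed cookie is stored in a separate integrity cookie; on the way back in, any cookie not on the allow list is reported, and any enforced cookie whose value, or whose tag, has changed or disappeared is reported as tampering. The key, cookie names and sample values are constructed for this example.

```python
import hmac
import hashlib

KEY = b"constructed-demo-key-rotate-me"   # constructed; a per-deployment secret in practice
ENFORCED = ("session", "role")            # the allow list of cookies we protect
INTEGRITY_COOKIE = "ts_demo"              # carries one tag per enforced cookie


def tag(name, value):
    """HMAC over name=value so a tag for one cookie cannot be reused for another."""
    msg = ("%s=%s" % (name, value)).encode("utf-8")
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def set_cookies(cookies):
    """Response side: copy the cookies and add the integrity cookie."""
    out = dict(cookies)
    out[INTEGRITY_COOKIE] = ",".join(
        "%s:%s" % (n, tag(n, cookies.get(n, ""))) for n in ENFORCED)
    return out


def check(cookies):
    """Request side: return violations; an empty list means the cookies are intact."""
    violations = []
    for name in cookies:
        if name not in ENFORCED and name != INTEGRITY_COOKIE:
            violations.append(("Cookie not in allow list", name))
    tags = {}
    for item in cookies.get(INTEGRITY_COOKIE, "").split(","):
        if ":" in item:
            name, value = item.split(":", 1)
            tags[name] = value
    for name in ENFORCED:
        # A missing cookie or a missing tag fails the comparison too, so deleting
        # either one does not evade the check.
        expected = tag(name, cookies.get(name, "")).encode("ascii")
        presented = tags.get(name, "").encode("utf-8")
        if not hmac.compare_digest(presented, expected):
            violations.append(("Cookie tampering", name))
    return violations


if __name__ == "__main__":
    issued = set_cookies({"session": "s3ss10n", "role": "user"})
    tampered = dict(issued, role="admin")
    print("intact:", check(issued))
    print("role changed:", check(tampered))
```

Changing `role` to `admin` is caught because the tag was computed over the original value; the same mechanism reports the request when the integrity cookie itself is dropped.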
Regards! Stay at home! Study at home! Test at home!