Ads 468x60px

30 March 2020

F5 APM - SSL VPN - Edge Client

I remember when I finished the University, I didn’t know anything about VPN. Nobody told me about how it works, till I started working at Ariadnex. I’ve worked with many VPN since then. I’ve configured layer 2, layer 3 and layer 4 VPN. I’ve configured MPLS VPN, IPsec VPN and SSL VPN. MPLS is used a lot by Internet providers, IPsec is right for LAN to LAN VPN, and SSL VPN is the best technology for endpoints.

I really like SSL VPN for endpoints because it’s easy to configure for a non-technological user. I mean, I think everybody would be able to configure a SSL VPN in a laptop. Actually, there are two kind of SSL VPN: Web mode and Tunnel mode. The first one is easiest to configure than the second one because we only need a browser. However, tunnel mode is also widely used although it requires a client software.

BIG-IP Edge Client is the SSL VPN software of F5 Networks. I’ve configured a Network Access profile and a Secure Connectivity profile in F5 APM to show you how to install and use this SSL VPN software. You will watch it’s really easy!!

Regards my friends! What kind of SSL VPN you use in your company?

23 March 2020

F5 APM - SSL VPN - OTP Authentication

Coronavirus is changing the world. It’s changing the way we work. It’s opening barriers. Teleworkers can work as they were in the office. Companies want people work from house. However, security engineers should stay alert. They should install and configure security tools, such as SSL VPN, for teleworkers. They should also think about how to secure the remote access to the company. Security engineers should enable secure protocols such as TLS 1.2 and TLS 1.3 for remote access. They can configure host checking to allow only updated computers. What’s more, we can enable two-factor authentication (2FA) to get remote access with something we know (password) and something we have (token).

I configured 2FA in F5 APM last week and I would like to share this configuration with you. We can send the one time password (OTP) by SMS or by mail. Sending the OTP by SMS is a little bit more complex because we have to configure HTTP Authentication. In addition, if we have to protect the HTTP Auth with SSL, we’ll have to setup a virtual server with the SMS API’s destination IP address listening on port 80 and a SSL server profile, we’ll have to create a pool with a member on service port 443, and we’ll also have to create a node using the API’s hostname with FQDN auto populate. Therefore, HTTP Authentication will be on port 80 and when F5 APM wants to send a POST action to the HTTP Auth server, actually, it will be sent on port 443 with SSL. I said, it’s a little bit more complex!

OTP Macro

However, sending the OTP by mail is much easier. Firstly, we have to configure the mail server in APM. Secondly, we have to configure the OTP Generate box with the OTP length and OTP timeout in seconds. Thirdly, we have to configure the Email box to send the OTP password to the remote user. Fourthly, we have to configure the OTP logon page where users have to insert the password received by mail. Finally, we have to configure the OTP Verify box to check if the password inserted is the same than the password sent by mail. Therefore, you can watch, it’s easy to configure and it’s easy to add security to your remote users.

Regards my friends! Have you added extra security to your SSL VPN with 2FA?

16 March 2020

F5 APM - Configuring Host Checking

Teleworking is used a lot these days due to Coronavirus. There are lots of companies that have configured SSL VPN services for employees to work from home. In fact, I worked a lot last week to configure a SSL VPN service where users can access to the office’s computer from home. It is a secure web portal where users log in with the corporate credentials and, once inside the web portal, there is a bookmark which is used to access to the office’s computer. I’ve configured LDAP Authentication, LDAP Query and SSO in this web portal.

However, security is really important. We don’t know if users’ computers, which are in their house, are compromised. Therefore, security measures should be applied in the SSL VPN. For instance, we only allow Windows computers which has an antivirus enabled as well as firewall enabled. Nevertheless, there are no security checks for Linux computers. There are many more security measures which can be applied for improving the security of SSL VPN services such as 2 Factor Authentication (2FA), checking updated antivirus, etc.

Regards my friends! Have you configured host checking in your SSL VPN?

9 March 2020

F5 APM- SSL VPN – Network Access

I’m used to working with Virtual Private Networks (VPN). I’ve learnt how to improve SSL VPN performance with DTLS and I’ve even configured layer 2 VPN with E-Line VPWS and E-LAN VPLS. I think, VPNs are really useful because we can connect branch offices to the datacenter easily and cheaper than leased lines. In addition, VPNs are also used to connect remote workers or teleworkers to the office. Today, this is quite used due to the coronavirus!

IPsec VPN is a layer 3 VPN which is increasingly used to connect branch offices to the datacenter because broadband networks, such as FTTH, are really reliable. What’s more, there are broadband networks till 1 Gbps which is enough for most companies. Thanks to IPsec VPN and the reliable broadband networks, along with SD-WAN, we can connect branch offices to the datacenter securely, reliable and cheaper than leased lines.

SSL VPN is a layer 7 VPN which is increasingly used to connect remote users to the datacenter because it’s easy to use and easier to configure than IPsec VPN. Mainly, there are two configuration modes. Tunnel Mode which requires a VPN client software installed in the user laptops and Portal Mode which is clientless. You can watch in the next video how to configure a SSL VPN in Portal Mode with F5 APM.

Regards my friends! What kind of VPN you use to connect to your office?

2 March 2020

F5 - Redirect users to a maintenance page

When we have a load balancer where lots of websites going through, it’s a best practice to redirect users to a maintenance page containing text and images when pool’s members are down. Configuring this feature is really easy and useful. I think, this configuration should be mandatory for most companies in all production virtual servers because users should see and load whatever when the website is down. This is the best way for users to know something is wrong with the website and they are going to wait accordingly for a while.

One of the most used configuration is with an iRule. Firstly, we have to upload images and logos to the F5 device. Secondly, we have to create an iRule with the HTML maintenance page. Finally, we have to add the iRule to the Virtual Server. I think, this is the best configuration to send a maintenance page, hosted into the load balancer, to users when there are no members online. You will watch in the next video it's really easy to develop a basic maintenance page in a iRule.

There is another configuration useful for redirecting users to a maintenance page. The Fallback Host feature send an HTTP 302 response to users when all nodes are down. Therefore, users are redirected to another website or maintenance page when pool’s members are down. This is easier to configure than the iRule because we only have to insert an URL where users are redirected. Therefore, this is the easier and the faster configuration to have a maintenance page.

HTTP 302 response

Regards my friends! Do you have maintenance pages in your virtual servers?

24 February 2020

FortiGate Automation with Ansible

I recorded a video about Automating F5 configuration with Ansible last week. I want to know how to do the same with FortiGate firewalls. Therefore, I’ve been reading and testing with a FortiGate firewall and Ansible since then. I think it’s really interesting the automation and orchestration when there are lots of devices in the company. We can change the configuration in all devices quickly. For instance, there are Ansible Modules for FortiGate, FortiManager and FortiMail devices where we can configure security profiles, addresses, policies, etc easily.

Fortinet's Ansible Modules
I’ve recorded a new video about Automating FortiGate configuration with Ansible. We have to take into account two important things before executing the playbook. Firstly, we have to configure and execute the playbook with Python3 instead of Python2. Therefore, we have to install the fortiosapi for python3 with pip3. Secondly, we have to declare the ANSIBLE_LIBRARY with the 40ansible library to be able to use the fortiosconfig module. Finally, we should modify parameters accordingly, such as interfaces and password. Once the YAML file is OK, we are ready to execute the playbook.

Regards my friends! Are you ready to automate processes?

17 February 2020

Automating F5 configuration with Ansible

When we have lots of devices such as lots of firewalls, lots of load balancers or lots of switches, it’s really interesting and necessary the process automation. Automation and orchestration are increasingly used in large deployments and cloud infrastructures where there are lots of network devices around the world. For instance, we can automate initial configurations on BIG-IP such as DNS, NTP, etc. We can also automate deployments of HTTP and HTTPS applications or we can even manage Virtual Servers, Pools or Monitors.

Automating with Ansible

Ansible is one of the most known automation and orchestration tool. It’s an open-source software provisioning, configuration management, and application-deployment tool. We can install Ansible on many Unix-like systems such as Ubuntu and Debian. It’s really easy the process installation. It only requires Python. In addition, there are modules to automate lots of devices. For example, there are modules for FortiOS devices, F5 devices, Radware devices, etc.

I’ve recorded a video where I’ve used the playbook from F5 Networks located at their git repository. Firstly, I’ve created the necessary directories and files. Secondly, I’ve set the connection variables and I’ve added a pool, two pool members and a virtual server to the playbook YAML file. Finally, I’ve run the playbook and we can see the Virtual Server, pool and associate pool members on the F5 GUI. You will watch the configuration and execution is easy although it’s important to take into account the indentation and spaces.

Regards my friends! Are you ready to automate processes?

10 February 2020


I’ve worked with lots of Network Firewalls. Mainly, I’ve worked with Fortinet FortiGate firewalls. However, I also have to know about Checkpoint or Palo Alto firewalls from time to time, or even about pfSense or iptables firewalls. I’ve also installed Web Application Firewalls (WAF). Mainly, I’ve installed F5 BIG-IP ASM. However, I’ve also installed FortiGate WAF from time to time. Therefore, I would like to write about F5 BIG-IP AFM today, which is the Network Firewall of F5 Networks.

F5 BIG-IP AFM offers four core areas of functionalities. Network Firewall which provides layer 3 to layer 4 security by applying policy-based firewall rules on network traffic arriving into the BIG-IP device. Denial of Service where AFM checks either on the system or per virtual server for potential attacks and then can drop or rate limit that traffic according the thresholds you can configure. IP Intelligence which can be used to block traffic from known unreliable or questionable IP addresses provided from several sources. Finally, AFM Reporting and Logging provides historical and analytical data for the security administrator.

AFM Functionality

Creating a firewall in AFM is done in four steps. Firstly, create an schedule that identify the day ranges, days of the week and time ranges when client traffic would be accepted. Secondly, It can consolidate the schedule, address lists and port lists together into a firewall policy. Thirdly, creating an address list and a port list that identify the appropriate source IP address and destination port that would be accepted. Finally, applying the policy to the virtual server context that provides access to the website.

Creating a Scheduled Network Firewall Policy
AFM plays a significant role in F5 application delivery firewall solution. Together with other modules such as LTM, DNS and Advanced WAF, the BIG-IP system provides protection features across the entire OSI stack. AFM detects and mitigates network attacks such as SYN or connection floods. This is accomplished by rate limiting traffic and dropping traffic according the threshold you set for the BIG-IP AFM system as an whole.

DDoS Detection and Mitigation
Modern cyber criminals use numerous techniques to hide their identities and activities. However, every packet that traverses the Internet has a source IP address. Therefore, disabling inbound communication from known malicious IP is highly effective. IP Intelligence provides this functionality. With IP Intelligence, AFM can be configured to block or allow traffic entering the system based on the reputation of the source IP address.

IP Intelligence
F5 Networks is a company with good products. From my point of view, LTM, ASM and APM are the best modules for load balance, WAF and VPN. However, AFM and the Network Firewall is a little bit basic for network protection. It’s really useful for virtual server protection but it’s not made for user protection. Therefore, if you want to protect users, you’ll have to install a NGFW appliance.

Regards my friends! Drop me a line with the first thing you are thinking.

3 February 2020

FortiGate WAF

I’ve already written a lot about Web Application Firewall (WAF). I’ve configured AWS Shield & AWS WAF in the Amazon Cloud. I’ve also configured F5 BIG-IP WAF and I’ve even recorded some videos such as L7 DDoS Mitigation and CSRF Protection. I’ve written about the differences between WAF vs IPS as well as I’ve configured the Fortinet FortiWeb. However, although I knew FortiOS allowed to enable the WAF feature years ago. In fact, it can be enabled from FortiOS 5.4. I had never configured the WAF feature in FortiGate till now.

Firstly, it’s important to know WAF is not an Intrusion Detection System. An IDS is not going to block attacks. An IDS is going to alert us about attacks. I recommend installing an IDS in your network to know and detect attacks as well as misconfigurations and bad practices. Maybe an IDS is going to alert us about attacks which are not truth. They are false positives. It’s doesn’t matter! IDS are very sensitive and that’s why every suspicious packet can send alerts. However, it’s a best practice to install IDS probes in your network.

Secondly, it’s also important to highlight WAF is not like an IPS. An Intrusion Prevention System is going to block attacks but only well-known attacks. IPS use signatures to detect and block attacks. Therefore, signatures should be updated everyday. When there is a new vulnerability, the signature database is updated. It’s highly recommended installing IPS to all services they are reachable from Internet. For instance, web, mail and file services should have an IPS profile to protect these services from attackers who want to exploit vulnerabilities.

From my point of view, IDS and IPS are recommended to detect and block attacks. However, if you have web services and they are reachable from Internet, you should also install a WAF. You are going to realise a WAF is much better than an IPS because web services will also be protected from sophisticated attacks. You’ll be able to configure URLs, file types, cookies, redirections, etc in the WAF profile. I’ve recorded a new video where you can watch how to configure WAF in a FortiGate firewall.

Regards my friends! Have a nice day!

27 January 2020

Basic custom F5 APM Login Page

I’m working a lot with F5 APM these days. Last month, I’ve learnt how F5 APM & SAML works and I’ve also configured OAuth with Facebook. I’ve configured an AWS Connector and a Salesforce Connector in the F5 APM. In addition, I’ve learnt how to configure a AutoLaunch SAML resource in F5 APM. Last week, I’ve been reading how to customize the APM login page to change colours and logos from the GUI.

I would like to highlight today how to configure a basic and easy custom login page from the GUI. It’s really easy. We’ll watch in the next video we can customize the login page in two steps. Firstly, we’ll change the main image and the transcription from the Visual Policy Editor (VPE). Finally, we’ll change logo and colours from the Basic Customization section. Two steps. Really easy!

However, we can also develop a custom web page and upload it to the F5 APM. There is an advanced customization section in the APM module which is useful to make custom login page.

Advanced custom F5 APM Login Page
Regards my friends! Drop me a line with the first thing you are thinking!

20 January 2020

Windows Server 2016 forensics

There are lots of information on the net for learning about forensics. Last year, I recorded a video about Fileless malware forensics because I wanted to know how this kind of malware works. It was easy to learn about it because there was a video about Fileless malware forensics in CCN-Cert channel. This week, I’ve wanted to learn more about forensics. Therefore, I’ve watched a new video in the CCN-Cert channel where there is a new forensics laboratory, thus I’ve recorded the first episode where a Windows Server 2016 is analysed. This lab has been funny and it has helped me to reinforce my knowledge about forensics.

We can watch in the video how we can check digital evidences and how we can get information from the Windows Registry and event logs. The aim of this forensics is to know how and who has leaked confidential information.

Have a nice day! Keep learning and keep studying!

13 January 2020


J’aime beaucoup lire. Donc, j’ai lu le livre Buyology de Martin Lindstrom pendant mes vacances de Nöel. C’est un livre très intéressant qui est basé sur un étude de neuromarketing où le cerveau des consommateurs sont scanné avec des scanners cérébraux à résonances magnétiques pour savoir qui se passe avant et pendant l’acte d’achat.

Il y a beaucoup des études dans ce livre. Je voudrais souligner un étude qui dit comme le cerveau des consommateurs qui achètent produits de la marque Apple a le même points en commun que les religieuses quand elles prient. C’est incroyable ! Il y a un autre étude qui dit comme des chercheurs, qui sont très intelligents, refusent d’essayer un pull quand quelqu’un leur dit que ce pull était d’un criminel. Même si est un mensonge.

À mon avis, c’est un livre très intéressant pour savoir pourquoi des personnes achètent souvent quelques choses dont ils n’ont pas besoin. Je vous encourage à le découvrir vous-même. Lisez ce magnifique livre !

Bonne journée!

6 January 2020

Fileless click-fraud malware

It’s holiday today. Lots of kids will be opening presents and playing with new toys. However, I’m here as every week. I’m reading and writing about malware. I read the the evolution of the fileless click-fraud malware Poweliks last week and I wanted to read it deeply and write about it. I think this is the best way to learn and get knowledge about this kind of malware. I’ve already written about fileless malware forensics. Therefore, I know a little bit how these malware work. Today, I’m going to deep down in tricks and innovations of the fileless click-fraud malware Poweliks.

The first innovation is the registry protection. It’s a trick used by this fileless malware which inserts an extra registry subkey. This subkey contains an entry with the 0x06 byte and the 0x08 byte, which are not Unicode printable character sets, thus it is difficult to read and delete properly. For instance, we won’t be able to read and delete this subkey with the default Windows Registry Editor. Therefore, we’ll need another registry tool to handle these special characters. In addition, administrative users won’t be able to delete this subkey thus permissions must be modified in order to delete the unreadable entry.

Extra registry subkey to protect Poweliks in memory

Another innovation is the CLSID hijacking. A CLSID or Class Identifier is a globally unique identifier that is used to represent a specific instance of a program. It allows operating systems and software to detect and access software components without identifying them by their names. CLSID hijacking is used by fileless malware to implant DLLs. These DLLs will be launched legitimately by trusted and whitelisted processes such as explorer.exe, chrome, iexplorer, etc.

The third trick or innovation is the fileless persistence. Lots of malware hide a malicious executable on the compromised computer which is then executed. However, fileless malware don’t store anything on disk. They save malicious code in the Windows Registry which is executed to load malicious DLLs. For instance, the fileless malware Poweliks executes rundll32.exe with several parameters, one of them is a JavaScript code used to load the malware into the memory.

Loading JavaScript code through the registry
Most fileless malware need an exploit to insert the code into the Windows Registry. For instance, Poweliks was using a Windows zero-day exploit for privilege escalation. Thanks to this zero-day vulnerability, Poweliks run regedit to insert the malicious code into the Windows Registry. In addition, Poweliks was using this vulnerability to run a batch file.

Finally, how these malware put the money in the pocket? A fileless click-fraud malware is going to click lots of ads. However, the victim doesn’t know the computer is clicking too many ads. Meanwhile, attackers generates money to be paid by the advertiser to the publisher. In addition, this kind of malware can also download more malware. For instance, one of the websites visited by Poweliks resulted in Cryptowall being installed on the computer.

Poweliks advertisement request
To sum up. It’s holiday. There are lots of gifts and presents today. I wish you many and lots this year. However, open the eyes! Be caution! Protect your systems!!

Have a nice day!
Related Posts Plugin for WordPress, Blogger...

Entradas populares