
29 June 2020

SSL Orchestrator (SSLO)



I didn’t know anything about Network Packet Brokers (NPB) until I took a webinar about Gigamon and understood all the use cases where this product fits. That was nearly one year ago. Later on, Ariadnex organized talks in Mérida (Spain) about NPBs. Since then, I’ve read a lot about them. Gigamon and FireEye are two NPB manufacturers whose products are able to decrypt SSL traffic, redirect it, and encrypt it again. They work from Layer 1 to Layer 7. However, there is another product, similar to an NPB, which works from Layer 2 upwards and is able to improve SSL visibility and management: SSL Orchestrator (SSLO) by F5 Networks.

A few years ago, nobody read the newspaper online over SSL because all of these websites were served over HTTP instead of HTTPS. Today, however, most newspapers, and most websites in general, work with SSL, so SSL is used more and more on the Internet. It’s important to highlight that SSL is used for privacy. SSL traffic is encrypted for privacy, not for security: nobody will see the content of that traffic, even when that content is malicious. We need to watch what’s going on even when the traffic is encrypted with SSL.

SSL Adoption
 
Companies should know what kind of traffic is inside SSL packets. They need SSL visibility to know whether there is malware inside SSL packets or whether there are data leaks. Security engineers need to know what kind of traffic they can decrypt and what kind of traffic they are forbidden to decrypt. Most companies that worry about this matter have a daisy chain of products that decrypt and re-encrypt SSL traffic again and again, depending on what they want to know and what they want to do. Today, the daisy-chain architecture is deprecated.

Traditional SSL daisy-chain network design
 
Network Packet Brokers such as Gigamon and FireEye, and SSL orchestrators like F5 SSLO, are able to decrypt SSL traffic, classify it, redirect it to another security appliance, such as a Web Gateway, IDS/TAP, DLP/ICAP or IPS/NGFW, to be analysed, and finally re-encrypt it on the way out. This architecture is easier to configure: we can add and remove security appliances easily, and if one security appliance fails, we can quickly bypass it.

High performance decryption and SSL Orchestration
 
This new architecture is called a Dynamic Service Chain because it’s really simple to add appliances dynamically. It allows dynamic scaling: for instance, when there is a bottleneck in the IPS/NGFW appliance, it’s easy to add more IPS/NGFW appliances; we only have to add more devices to the pool of appliances. What’s more, we can also choose what kind of traffic we redirect to the IDS/TAP for analysis and what kind of traffic we don’t want to redirect to any security appliance.

SSL Orchestrator - A functional Overview
 
I think technologies such as NPB and SSLO are disruptive because we can analyse and know the content of SSL traffic. In other words, we get more SSL visibility, which is really important for most companies to detect malware, attacks, data leaks, etc.

Have a nice day my friends!

22 June 2020

What’s new in FortiOS 6.4



I attended a webinar about what’s new in FortiOS 6.4 several weeks ago, and I would like to highlight the most interesting security features from my point of view. There are lots of new features, some more interesting than others and some more useful than others. Anyway, the best thing is to test them yourself. These new security features and improvements will set the trend for many other firewall manufacturers and for the security protections of many companies.

The new FortiOS 6.4 has improved the SD-WAN functionality and the ease of use. For instance, IPv4 policies and IPv6 policies are consolidated in the same policy configuration. FGSP (FortiGate Session Life Support Protocol) supports UTM inspection on asymmetric traffic, which is great because it means Fortinet is working to improve this protocol. Who knows whether we will be able to configure a cluster with different models in the next version. There is also a bandwidth test button and a bandwidth monitor on WAN interfaces, which are really useful for Internet speed tests and for monitoring bandwidth in real time. What’s more, we now have a spectrum analysis tool with this new version. It is usually an expensive tool, but it’s free with FortiOS 6.4; we only need a FortiGate plus a FortiAP. These are some interesting new security features for Security-Driven Networking.

Spectrum Analysis

FortiOS is increasingly integrated with more cloud platforms such as AWS, Azure, Alibaba, OCI or Google Cloud, and this new version also supports Rackspace Cloud. Therefore, we can now deploy FortiGate instances in most cloud platforms, with the same GUI in cloud instances as on physical and virtual firewall devices. Moreover, PAYG allows us to add more CPU and RAM as we grow.

AWS autoscaling group for dynamic address objects

Zero-Trust Network Access also has two interesting new security features. The first one is that FortiGate has a small NAC module, which will be really useful for branch offices with small and medium FortiGate devices; FortiNAC is therefore not necessary in these small networks, although a FortiSwitch is. The second interesting security feature is the new IoT subscription service, which updates the IoT device database automatically. We no longer have to wait for a firmware upgrade to detect new IoT devices such as new smart TVs.

FortiSwitch NAC Policies

Last but not least are the new features of the Fabric Management Center. FortiView and Monitor disappear; we can add this information to the dashboard with widgets. We no longer have to create a group for each Active Directory group: the FSSO connector detects all groups, and they are ready for use in the firewall policies. There are also new automation actions and improvements to Webhooks. Actually, there are lots of new features regarding the Fabric Management Center, which I encourage you to read about and test.

Webhook Automation
 
That’s all my friends. Read, test and play with this new FortiOS version.

15 June 2020

F5 WAF – Maximum Protection



If you work as a security engineer, you’ll want the maximum protection for your web services. However, maximum protection requires more administrative effort. It requires more knowledge about security and more knowledge about the web services you are protecting. You’ll get 90% of applications protected. It’s the maximum security level. Nevertheless, you’ll have to work very hard. In addition to configuring all the security features of Good Protection, Elevated Protection and High Protection, you’ll have to configure Data Guard, DAST Integration, Protection from parameter exploits (whitelisting) and Allowed HTTP request methods.

The best protection is blocking attacks in the inbound direction before they can reach the web servers. However, it may not be possible to detect every inbound attack, and there may be some problematic outbound traffic. Data Guard helps us protect outbound traffic. It examines outbound traffic for patterns that match common sensitive data types, such as credit card numbers or telephone numbers, and then masks the data or blocks responses containing the data. It’s an advanced security feature for customers who are concerned about leaking sensitive data. If you enable Data Guard in your security policy, credit card and US social security numbers will be masked by default.
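To make the Data Guard behaviour concrete, here is an added example (my own code, not F5’s) that scans an outbound response body for credit card and US social security numbers and masks all but the last four digits. The regular expressions, the Luhn check and the SSN plausibility rules are my assumptions, chosen to keep false positives down; the sample body is constructed.

```python
"""Data Guard-style masking of sensitive data in outbound response bodies.

Added example (not F5's code): emulates the behaviour described above, where an
outbound response is scanned for credit card numbers and US social security
numbers and the matches are masked before the response leaves. Patterns and
the Luhn/SSN plausibility checks are assumptions chosen to limit false positives.
"""
import re
from typing import Tuple

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common AAA-GG-SSSS form (dashes or spaces as separators).
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs (order numbers, IDs) that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def mask_token(token: str) -> str:
    """Replace every digit except the last four with '*', keeping separators in place."""
    digit_count = sum(ch.isdigit() for ch in token)
    masked, seen = [], 0
    for ch in token:
        if ch.isdigit():
            masked.append(ch if seen >= digit_count - 4 else "*")
            seen += 1
        else:
            masked.append(ch)
    return "".join(masked)


def mask_response_body(body: str) -> Tuple[str, int]:
    """Return the masked body and how many values were masked."""
    count = 0

    def card_sub(m):
        nonlocal count
        token = m.group(0)
        if not luhn_ok(re.sub(r"\D", "", token)):
            return token          # fails Luhn: not a card number, leave it alone
        count += 1
        return mask_token(token)

    def ssn_sub(m):
        nonlocal count
        if not ssn_plausible(m.group(1), m.group(2), m.group(3)):
            return m.group(0)
        count += 1
        return mask_token(m.group(0))

    body = CARD_RE.sub(card_sub, body)   # cards first, so their digits cannot also match the SSN pattern
    body = SSN_RE.sub(ssn_sub, body)
    return body, count


# Constructed sample response body (the card number is the well-known Visa test number)
SAMPLE_BODY = ("Card 4111 1111 1111 1111, SSN 123-45-6789, "
               "invalid SSN 000-12-3456, order 1234567890123")

if __name__ == "__main__":
    print(mask_response_body(SAMPLE_BODY))
```

The order number and the structurally invalid SSN stay untouched, which is the point of the extra validation: a plain digit-pattern match would mask both.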

Data Guard to mask sensitive data

Many organizations identify application security vulnerabilities using automated tools such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) or Run-time Application Security Testing (RAST). The BIG-IP ASM system is able to integrate with DAST tools and services from providers like WhiteHat Security, HP, ImmuniWeb, Qualys, Quotium, and Trustwave. DAST integration provides support for automated, closed-loop remediation of many vulnerabilities identified by these tools: the system automatically customizes the security policy to resolve the vulnerabilities.

Vulnerabilities found and verified by WhiteHat Sentinel
 
Blacklisting is a well-known security approach: there are signatures which are malicious and have to be blocked. Whitelisting, on the other hand, is a list of parameters which always have to be allowed. Blacklisting is easy to configure. Whitelisting, however, is hard to configure because we have to know the explicit parameters used by the application. Whitelisting provides more protection than blacklisting, but it requires more administrative effort because each time the application is modified, the security policy also has to be modified.

Parameters List
 
Finally, Allowed HTTP request methods is another security feature for maximum protection. Most web applications work with the GET and POST methods, so methods such as OPTIONS, DELETE, TRACE or HEAD are not used much. Allowing only the GET and POST methods is a best practice and significantly reduces the security risk. The BIG-IP ASM system can allow the GET and POST methods and block, or trigger a violation, when other methods are used.

Allowed HTTP Methods

Regards! You now have all the security features ready for protecting your web applications.

8 June 2020

F5 WAF – High Protection



I’ve already written about Good Protection and Elevated Protection over the last two weeks, covering lots of useful security features to protect web services. Features such as Attack Signatures and Protocol Compliance are examples of Good Protection, and features such as Bot Protection and CSRF Protection are examples of Elevated Protection. These features are enough for most companies: we are going to block 80% of attacks with them. However, the remaining 20% of attacks can be very dangerous for some companies. Therefore, these companies require High Protection: more, and more sophisticated, security features.

Disallowed File Types is a best practice for Elevated Protection, but if we want to improve the protection of the web services further, we’ll also have to create an Allowed URL List. This is a whitelist of allowed URLs which will never be blocked. For instance, we should configure /login.jsp as an explicit allowed URL and /products/* as an allowed string pattern. All other URLs will be denied. In addition, User Session Tracking helps us improve the security policy. This security feature is able to track all application traffic during a user session, allowing us to perform user validation and gather insights about users.

Allowed URL List

If you are working with passwords, account numbers, credit card numbers, social security numbers, or other valuable personal data, you’ll be interested in DataSafe. This is a security feature that protects data before users send it from their browser. If you have Advanced WAF, you have the DataSafe feature. On the other hand, sensitive web applications sometimes also obtain and store browser fingerprinting data when you log in, to detect session hijacking attacks. However, the BIG-IP ASM system can also protect common web applications against hijacking and other attacks.

Credential Theft Using Malware (DataSafe)
 
Brute Force Attack Protection is also a High Protection feature. Most security devices are able to lock an account after repeated unsuccessful authentication attempts, as hackers try to guess users’ account credentials again and again. Another version of this attack is called “credential stuffing”: hackers make only one attempt to log in to each user’s account because they obtained the credentials from a compromised application. The BIG-IP ASM system is able to detect these attacks based on failed login attempts, user device IDs or user IP addresses.
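As an added example (my own code, not F5’s), the following detector counts failed logins per username, per device ID and per source IP over a sliding window, which is the basis the post describes, and distinguishes a classic brute force (many failures on one account) from credential stuffing (one source failing once against many accounts). The thresholds, the window and the login events are my assumptions.

```python
"""Brute force and credential stuffing detection over login events.

Added example (not F5's code): emulates the detection basis described above,
counting failed login attempts per username, per device ID and per source IP
over a sliding window. The thresholds, window and sample events are assumptions.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Tuple

WINDOW_SECONDS = 300          # assumption: look back five minutes
ACCOUNT_FAILURES = 5          # assumption: failures on one username before it is flagged
SOURCE_FAILURES = 10          # assumption: failures from one IP or device before it is flagged
STUFFING_DISTINCT_USERS = 8   # assumption: distinct usernames failing from one source


class LoginEvent(NamedTuple):
    ts: int            # epoch seconds
    username: str
    src_ip: str
    device_id: str
    success: bool


class Detector:
    """Keeps only failed attempts, keyed by 'user:<name>', 'ip:<addr>' and 'device:<id>'."""

    def __init__(self) -> None:
        self._fails: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)

    def _record(self, key: str, ev: LoginEvent) -> Deque[Tuple[int, str]]:
        q = self._fails[key]
        q.append((ev.ts, ev.username))
        while q and q[0][0] < ev.ts - WINDOW_SECONDS:   # expire failures outside the window
            q.popleft()
        return q

    def observe(self, ev: LoginEvent) -> List[str]:
        """Feed one event; return the alerts it triggers (they repeat on every further failure in the window)."""
        if ev.success:
            return []
        alerts: List[str] = []
        if len(self._record(f"user:{ev.username}", ev)) >= ACCOUNT_FAILURES:
            alerts.append(f"brute force on account {ev.username}")
        for label, key in (("ip", ev.src_ip), ("device", ev.device_id)):
            q = self._record(f"{label}:{key}", ev)
            if len(q) >= SOURCE_FAILURES:
                alerts.append(f"brute force from {label} {key}")
            distinct = {user for _, user in q}
            # Credential stuffing: many different accounts from one source, about one failure each
            if len(distinct) >= STUFFING_DISTINCT_USERS and len(q) <= len(distinct) + 1:
                alerts.append(f"credential stuffing from {label} {key}")
        return alerts


def run(events: List[LoginEvent]) -> List[str]:
    """Replay events in time order and collect every alert raised."""
    detector = Detector()
    alerts: List[str] = []
    for ev in sorted(events, key=lambda e: e.ts):
        alerts.extend(detector.observe(ev))
    return alerts


# Constructed sample: one account hammered from one source, then one source trying eight accounts once each
SAMPLE_EVENTS = (
    [LoginEvent(10 * i, "alice", "203.0.113.5", "dev-a", False) for i in range(5)]
    + [LoginEvent(100 + 10 * i, f"user{i}", "198.51.100.7", "dev-b", False) for i in range(8)]
    + [LoginEvent(200, "bob", "192.0.2.9", "dev-c", True)]
)

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```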

Brute Force Protection Configuration
 
Finally, there are some applications which need to be bypassed, for instance for testing a new version, penetration testing, or using automated scanning tools to identify and resolve vulnerabilities. Therefore, Blocking Mode Override is also a useful security feature. We configure a unique hostname in the Host header which will be allowed to bypass Blocking and be handled in Transparent enforcement mode. However, we have to keep this hostname secret, or rotate it regularly, to keep blocking malicious traffic.

Blocking Mode Override
 
Regards! I hope these security features fit your needs.

1 June 2020

F5 WAF - Elevated Protection



I wrote about F5 WAF – Good Protection last week, where I listed the main security features recommended for a good protection. These features, Attack Signatures, Transparent enforcement mode, IP Intelligence, Geolocation, Protocol Compliance, Protection from evasion techniques, Protection from parameter exploits and Threat Campaigns, are easy to configure and maintain with minimal administrative effort and time. However, web servers can be protected better with the elevated protection security features, which we are going to see below.

Bot Protection is an elevated security feature which is able to identify and classify benign and malicious bots. The BIG-IP ASM system has a bot detection engine that uses a combination of known bot signatures, JavaScript, CAPTCHA, and rate limiting to block bot traffic. Another interesting security feature for elevated protection is Web Scraping Protection, which is useful for blocking the extraction of information from a web application. L7 DoS Attack Protection is also recommended because DoS attacks are not only volumetric attacks: L7 attacks can deny your web services with only a few packets.

Web Scraping Violation

Applications are developed in a language, and this language uses a file extension. Therefore, Disallowed File Types is a best practice where we should configure a blacklist and a whitelist of file types. This is the best way to reduce the application attack surface. For instance, if the web application is developed with .jsp files, extensions other than .jsp should be blocked. On the other hand, External Logging is increasingly configured to send event data to a SIEM system for incident analysis and long-term log storage. These systems are able to collect all kinds of event data, which are really useful later on for analysis.
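As an added example (my own code, not F5’s), here is a small evaluator that combines the file-type whitelist described here (.jsp only) with the Allowed URL List from the High Protection post above (explicit /login.jsp and pattern /products/*), denying everything else. The path is percent-decoded and its ../ segments resolved before either list is consulted, so an encoded or traversing variant of a blocked URL is judged by where it really lands. The list contents are taken from the examples in the posts; the sample URLs are constructed.

```python
"""Allowed URL list and allowed file types evaluated on a normalised request path.

Added example (not F5's code): a minimal evaluator for two whitelists, the
Allowed URL List of the High Protection post (explicit /login.jsp, pattern
/products/*) and the file-type whitelist described above (.jsp only). Anything
not matched is denied. The path is percent-decoded and its . and .. segments
resolved first, so "/products/../admin.jsp" cannot slip past either list.
"""
import fnmatch
import posixpath
from typing import Tuple
from urllib.parse import unquote, urlsplit

ALLOWED_URLS = ["/login.jsp", "/products/*"]   # explicit entry and wildcard entry
ALLOWED_FILE_TYPES = {"jsp"}                    # the application is written in JSP
ALLOW_NO_EXTENSION = True                       # directory URLs such as /products/ carry no extension


def normalise_path(raw_url: str) -> str:
    """Drop the query string, percent-decode twice (defeats double encoding) and collapse . and .. segments."""
    path = unquote(unquote(urlsplit(raw_url).path)) or "/"
    norm = posixpath.normpath(path)          # resolves '.', '..' and repeated slashes
    if path.endswith("/") and norm != "/":
        norm += "/"                          # normpath drops a trailing slash; keep it for directory URLs
    return norm if norm.startswith("/") else "/" + norm


def file_type_allowed(path: str) -> bool:
    """Whitelist on the extension of the last path segment; no extension means a directory URL."""
    name = posixpath.basename(path)
    if "." not in name:
        return ALLOW_NO_EXTENSION
    return name.rsplit(".", 1)[1].lower() in ALLOWED_FILE_TYPES


def url_allowed(path: str) -> bool:
    """Explicit entries must match exactly; wildcard entries are shell-style string patterns."""
    for entry in ALLOWED_URLS:
        if "*" in entry:
            if fnmatch.fnmatchcase(path, entry):
                return True
        elif path == entry:
            return True
    return False


def evaluate(raw_url: str) -> Tuple[str, str]:
    """Return ('allow', path) or ('block', reason) for a request URL; file type is checked first."""
    path = normalise_path(raw_url)
    if not file_type_allowed(path):
        return "block", f"Illegal file type: {path}"
    if not url_allowed(path):
        return "block", f"Illegal URL: {path}"
    return "allow", path


# Constructed sample URLs
SAMPLE_URLS = ["/login.jsp", "/products/item.jsp?id=1", "/products/",
               "/products/../admin.jsp", "/products/%252e%252e/admin.jsp",
               "/products/shell.php", "/index.html"]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", evaluate(url))
```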

Allowed File Types
 
CSRF Protection is also an elevated security feature, recommended to block CSRF vulnerabilities. This vulnerability exposes users to fraudulent actions such as money transfers, password changes, and unauthorized product purchases. BIG-IP ASM is able to apply virtual patching until the vulnerability can be fixed by the developers. Another interesting security feature for elevated protection is HTTP Redirection Protection. This feature blocks redirections to other domains which are not allowed. Therefore, we can block attackers who want to redirect users to a forged page on a site that deceptively looks like the one they just left.

CSRF Protection
 
There are two more security features for elevated protection. The first one is Cookie Tampering Protection, which is really useful because most applications use cookies to store data. These cookies have to be protected from manipulation. Consequently, we should configure a whitelist of “allowed” cookies. The second one is the Behavioral DDoS feature, which mitigates DDoS attacks by analysing traffic behaviour using machine learning and data analysis. BIG-IP ASM systems monitor application health and apply mitigation techniques such as slowing down a client, sending a CAPTCHA challenge, or blocking the request.

DDoS attack summary
 
Regards! Stay at home! Study at home! Test at home!

25 May 2020

F5 WAF – Good Protection



The first time I read about Web Application Firewalls (WAF) I thought they would be difficult to install and configure because they are really different from network firewalls. Network firewall policies are mainly made of IP addresses and services, which are easy to understand and configure. However, WAF policies are mainly made of file types, URLs, HTTP methods and headers, which seems more complex than a network firewall. Nevertheless, I think the most important thing is to start configuring a basic policy. We have to start small, but most of all, start. We are going to realise that a basic security policy will be a good protection: it requires little administrative effort and is going to protect a high percentage of applications.

Progressing with application security using the BIG-IP ASM system

We should enable Attack Signatures in a basic security policy for a good protection. An attack signature is a rule or pattern which is able to identify a particular attack. These signatures are updated daily by the F5 threat research team with the newly discovered vulnerabilities. F5 ASM applies these signatures to each HTTP request and response to detect and block known attacks. In addition, the Transparent Enforcement Mode is also really useful because we can apply a security policy in transparent mode to detect attacks without blocking them. This lets us know how many attacks, and what kind of attacks, the web services are receiving.

Attack Signature List

IP Intelligence is another useful feature for a good protection. IP Intelligence is a subscription-based database containing lots of malicious IP addresses. Updating a blacklist manually is really difficult because malicious IP addresses are constantly changing; therefore, configuring IP Intelligence to block malicious IP addresses is easy and a best practice. On the other hand, it’s also a best practice to configure the IP Geolocation feature, which is another database of IPv4 and IPv6 addresses. This database can be used to identify the origin of traffic and, at the same time, to deny access from a particular country of origin.

IP Intelligence
 
A common attack vector is confusing web servers, web applications, and security products with malicious content hidden in HTTP requests that web servers and simple HTTP proxies often fail to detect. As a result, Protocol Compliance must be mandatory in WAF security policies. For instance, HTTP Protocol Compliance checks the Content-Length of POST requests as well as the absence of a Host header in HTTP/1.1 requests. You can see all the validation checks in F5 knowledge article K10280. Moreover, Protection from Evasion Techniques, such as using ../ to navigate to a parent directory of interest, is also recommended.
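As an added example (my own code, not F5’s), the checker below applies the three checks named here, a Host header in HTTP/1.1 requests, a correct Content-Length on POST, and ../ traversal after percent-decoding, together with the GET/POST allowed-method list from the Maximum Protection post, to a raw HTTP request and returns the violations found. The hostname shop.example and the sample requests are constructed.

```python
"""HTTP protocol compliance, evasion and allowed-method checks on a raw request.

Added example (not F5's code): applies the checks mentioned above (a Host header
is required in HTTP/1.1, a POST needs a correct Content-Length, '../' traversal
is an evasion attempt) plus the GET/POST allow-list from the Maximum Protection
post, and returns the violations found. Sample requests are constructed.
"""
from typing import Dict, List, Tuple
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "POST"}

Parsed = Tuple[str, str, str, Dict[str, List[str]], bytes]


def parse_request(raw: bytes) -> Parsed:
    """Split a raw request into (method, target, version, headers, body); header names are lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, version, headers, body


def check_request(raw: bytes) -> List[str]:
    """Return the list of violations; an empty list means the request passed every check."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError as exc:
        return [f"HTTP protocol compliance failed: {exc}"]
    violations: List[str] = []
    if method not in ALLOWED_METHODS:
        violations.append(f"Illegal method: {method}")
    if version == "HTTP/1.1" and "host" not in headers:
        violations.append("No Host header in HTTP/1.1 request")
    if method == "POST":
        length = headers.get("content-length")
        if length is None:
            violations.append("POST request with Content-Length header missing")
        elif not length[0].isdigit() or int(length[0]) != len(body):
            violations.append("Content-Length does not match body length")
    # Evasion: decode twice so that %2e%2e/ and %252e%252e/ are both seen as ../
    decoded = unquote(unquote(target))
    if "../" in decoded or "..\\" in decoded or decoded.endswith(".."):
        violations.append("Directory traversal (../) in URL")
    return violations


# Constructed sample requests
SAMPLES = {
    "compliant": b"GET /products/item.jsp HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "no_host": b"GET /index.jsp HTTP/1.1\r\n\r\n",
    "post_no_length": b"POST /login.jsp HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=a",
    "traversal": b"GET /products/%2e%2e/%2e%2e/admin/config HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_request(raw) or "OK")
```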

HTTP Protocol Compliance
 
Finally, there are two more security features that are really useful for a good protection. One of them is Protection from Parameter Exploits - Blacklisting. This feature parses parameters and validates their values against signature and metacharacter policies to identify known exploit patterns. The other is Threat Campaigns, a subscription service for Advanced WAF that provides a set of data to evaluate whether incoming requests are malicious.

Threat Campaign
 
Regards! Stay at home! Start protecting your web applications, but most of all, start!

18 May 2020

Destrucción Masiva



I’ve been reading a thrilling book these last weeks. I’ve had to stay at home due to COVID-19 for almost two months, so reading is one of the best things I have done at home. Reading, studying and working are the main tasks I’ve been doing for the last two months. Actually, I listened to Fernando Rueda on the radio at the beginning of the pandemic. He was talking about the last book he had written, “Destrucción Masiva”, and I wrote it down. Last week I finished reading this book, and I think it’s really interesting.

Destrucción Masiva is a book which tells the true story of the Spanish spies who were in Iraq from 2000 to 2003. They were there firstly to gather intelligence for the government and, secondly, to protect the Spanish army after the U.S. invasion. The Spanish spies were persecuted by the terrifying Mukhabarat. They had very dangerous meetings with terrorist groups such as the Shiites and with Saddam Hussein’s government staff. They kept working even when they received death threats. What’s more, the government of Spain, with Aznar as president, didn’t like the high-quality information these spies got from those dangerous meetings.

Spanish spies in Baghdad

If you like true stories and stories about spies, you have to read this amazing book. You will learn that a spy is not James Bond but a human being with children, a wife or husband, friends and a family. They have feelings such as fear and happiness. They do like their job, but they also have to do tasks they don’t like. They miss their families when they are abroad. Most importantly, they go on dangerous missions to gather intelligence and to serve the Spanish government.

Regards! Reading is the best thing to know about the world!

11 May 2020

What’s new in BIG-IP version 15.0



I like reading the features and enhancements of new versions to know what I can configure in new installations. I’m used to installing the latest technologies, so I have to know which of the latest features fit the customers’ requirements. I wrote about What’s new in BIG-IP version 14.0 and What’s new in BIG-IP version 13.1, and now I’ll write about what’s new in BIG-IP version 15.0. However, from my point of view, versions 14.1.0.6 and 14.1.2.3 are the recommended versions for production right now. Version 15 is cool, but only for testing right now.

BIG-IP v15 includes lots of features and enhancements, but I’m going to highlight only the security features because I think this new version has lots of security improvements. In fact, I think there are more security enhancements than anything else. F5 Access Guard is one of them. This is a security feature for F5 APM: a new client software designed to help administrators validate the security posture of incoming web connections from remote desktop clients. F5 Access Guard allows real-time posture information to be inspected with per-request policy subroutines on APM.

F5 Access Guard

Another interesting security feature is included in F5 Advanced WAF. It is a new dashboard specifically dedicated to OWASP Top 10 compliance that provides a security score relative to the OWASP Top 10 related policies (e.g. injections). It also enables admins to see the coverage status of each OWASP Top 10 requirement for a selected policy. In addition, admins are able to improve coverage and perform configuration changes directly from the dashboard. The dashboard also shows overview statistics for policy/application compliance and enforcement status.

OWASP Top 10 Compliance Dashboard
 
F5 SSL Orchestrator (SSLO) is not one of the best-selling F5 products, but I think we are going to use it more and more from version 15 because it is now supported on VIPRION chassis and vCMP. Therefore, it will be easy to deploy SSLO to optimize the SSL infrastructure, provide security devices with visibility of SSL/TLS encrypted traffic, and maximize the efficient use of the existing security investment. F5 SSLO along with a network packet broker appliance such as Gigamon will improve and empower cyber security deployments.

F5 BIG-IP SSL Orchestrator
 
There are many more security enhancements in this new version: Zone-based Firewall Configuration in F5 AFM, where we can group VLANs into zone objects to apply firewall policies efficiently; new IP Intelligence capabilities that enable the use of FQDNs, which simplifies policy management; and Intelligence Asset Discovery, which allows auto discovery of active systems and services to simplify DDoS mitigation deployment.

IP Intelligence Policy
 
To sum up, there are lots of new features and enhancements in this new version. It’s up to you to test these new features and be ready to apply them in the near future.

Regards! Stay at home!

4 May 2020

Comparing F5 Advanced WAF and BIG-IP ASM



I’ve worked with F5 LTM, APM, ASM and DNS. I think the first one, LTM, is the most used because it’s really powerful and really easy to use. The ASM and APM modules are also interesting, for protecting web applications and for connecting to virtual private networks, and they are increasingly used. The DNS or even AFM modules are also used, but less than the main modules such as LTM, APM and ASM. What’s really interesting is that all of them are easy to use and the GUI is friendly. However, there is a new module we have to know: I think F5 Advanced WAF is the module that will come to replace F5 ASM.

On the one hand, we can protect web applications with F5 ASM from the very beginning of the installation. We can start by creating a basic security policy with attack signatures and protocol compliance. This simple policy is enough to protect web applications against 90% of attacks. However, we can also improve the security policy with bot protection, XXE protection, CSRF protection, etc. The more you use your WAF, the better your security policies will be!

Another interesting protection technique for most web applications is L7 DDoS protection. DDoS attacks are very difficult to block. For instance, UDP flooding attacks can use all your bandwidth and your services will be inaccessible; it’s nearly impossible to stop this kind of attack. However, there are many other DDoS attacks which can be blocked with L7 DDoS protections. For instance, lots of small requests from malicious users who want to consume all the resources of the web servers can be detected and blocked.

On the other hand, F5 LTM is one of the main modules everyone knows. This module allows us to balance the load of lots of servers. It has many health monitors ready to use, such as HTTP, LDAP, MQTT, etc. It has lots of load balancing methods, such as round robin, least connections, ratio, etc. It has many persistence profiles, such as source address, cookie, hash, etc. It has all you need to balance applications.

F5 Advanced WAF (AWAF) is a combination of BIG-IP ASM, L7 DDoS protection, and a selection of core BIG-IP LTM features. Therefore, F5 AWAF is much more than F5 ASM because we’ll have more L7 DDoS protection and lots of features of the LTM module. It also has more load balancing methods than ASM, and persistence profiles are included, which are not included in ASM. In addition, the number of pool members is not limited, whereas ASM limits it to 3. If you want more information, you should read the F5 article KB14231234: Comparing F5 Advanced WAF and BIG-IP ASM profiles and features.

To sum up, if you are looking for a Web Application Firewall with advanced features such as L7 DDoS protection and load balancing methods, AWAF is the best solution. However, if you also need to balance applications other than web applications, such as mail, LDAP or database applications, you will also need the LTM module. What’s more, if you need VPN or DNS features, you will also need to deploy the APM and DNS modules.

Have a nice day! Do you already know which F5 module fits your needs?
