
27 July 2020

F5 ASM – Fundamental Security Policy

I used to write an overview of what I’ve done in the last year before going on holiday. This summer, although I’m not going to write in the blog for the next month, I wanted to write about F5 BIG-IP because I’ll take the certification exam in September. Therefore, this small post is about how to create a Fundamental Security Policy in F5 BIG-IP ASM and how to customize the policy with Selective Learning.

Actually, I’ve recorded a video. You know I love to watch how architectures are configured. In the next video, we can watch how to configure a Fundamental Policy in transparent mode and manual learning. In addition, I’ve checked “Illegal parameter value length” in the Learning and Blocking Settings. What’s more, I’ve modified the wildcard parameter length to 1 byte. Therefore, thanks to selective learning, all parameters greater than 1 byte will be suggested for addition to the security policy. I think it’s much better that you watch the video.

Thanks, take care, enjoy the summer!

20 July 2020

F5 ASM – Blocking methods and XSS attack

This summer I have to study French and F5. I have to study French because I couldn’t apply for the exams due to the COVID-19 pandemic. Therefore, I will take the exams in September. In addition, my F5 certifications expire soon. Therefore, I will also have to study F5. I think it’s going to be an exhausting summer. However, I will try to do my best. I’m going to study for both exams. We’ll see the results at the end of the summer. I’ll let you know!

This weekend I’ve been reading and studying about F5 ASM. I’ll apply for the 303 exam. Therefore, I’ve also recorded a video where you can watch how to block, firstly, the OPTIONS method and, later, an XSS attack. You can see that the attacks are not blocked in transparent mode. However, they are blocked in blocking mode. In addition, there are Learning Suggestions which help us to configure the security policy. I think that, thanks to the event logs and Traffic Learning, we can easily build a security policy for protecting web services from advanced attacks with F5 ASM.

Thanks my friends!! Enjoy! Study!

13 July 2020

F5 SSL Orchestrator - Topologies

You may not know you need an SSL Orchestrator (SSLO) until you know what this kind of product can do for you. SSL visibility is mandatory for most companies today. It’s useful for detecting malware, attacks, data leaks, etc. Therefore, if you want SSL visibility and you are going to install an SSLO, you’ll need to know and understand the six topologies that you can configure. The aim is for internal clients to be able to access remote (Internet) resources through SSLO, which provides decrypted, inspectable traffic to the security services.

The configuration dashboard after deployment
The L3 Outbound topology (transparent proxy) is the traditional transparent forward proxy while the L3 Explicit Proxy topology is the traditional explicit forward proxy. An explicit forward proxy topology will ultimately create an explicit proxy listener and its relying transparent proxy listener; however, the transparent listener will be bound only to the explicit proxy tunnel. If a subsequent transparent forward proxy topology is configured, it will not overlap the existing explicit proxy objects.

L3 Outbound topology
For a reverse proxy “gateway” configuration, the L3 Inbound topology should be selected. In its simplest form, the L3 Inbound topology builds an SSLO environment designed to sit in front of another Application Delivery Controller (ADC) or routed path. Advanced options allow it to define a pool for more directed traffic flow; however, on its own it does not provide the same flexibility afforded by a typical LTM reverse proxy virtual server. It also must perform re-encryption on egress.

L3 Inbound topology

With the L2 Inbound and L2 Outbound topologies, we insert SSLO as a bump-in-the-wire in an existing routed path, where SSLO presents no IP addresses on its outer edges. The L2 Inbound topology provides a transparent path for inbound traffic flows, while the L2 Outbound topology provides a transparent path for outbound traffic flows. Therefore, these topologies are the best to enhance the integrity, confidentiality, or reliability of communications across an existing logical link without altering the communications endpoints.

L2 Outbound topology
The sixth topology is the Existing Application topology which is designed to work with existing LTM applications. Whereas the L3 Inbound topology provides an inbound gateway function for SSLO, Existing Application works with LTM virtual servers that already perform their own SSL handling and client-server traffic management. The Existing Application workflow proceeds directly to service creation and security policy definition, then exits with an SSLO-type access policy and per-request policy that can easily be consumed by an LTM virtual server.

Existing Application topology

Finally, once we choose which topology fits our requirements, we have to attach security services to SSLO. For instance, the F5 SSLO includes a services catalog which contains common product integrations such as Fortinet Secure Web Gateway HTTP Proxy or Gigamon Inline Layer 2. However, there are also generic services for L2 inline, L3 inline, ICAP, HTTP or TAP connectors.

security services
Are you ready to deploy and install F5 SSLO? Go ahead!

6 July 2020

F5 AFM Automation with Ansible

Today, I would like to write about Automation. IT Automation is increasingly used in big datacenters with lots of services, lots of servers and lots of appliances. Automation makes sense when we have to run the same operation repeatedly. For instance, we may have to add a new malicious IP address to a group of IP addresses that a firewall denies. It’s easy and recommended to do it automatically. Automation also makes sense when we have to quickly add lots of rules to a firewall policy to block an attack. In addition, automation is useful for deploying appliances, such as FortiGate or F5, with the same configuration when we have to deploy lots of them from time to time. You can check Automating F5 configuration with Ansible and FortiGate automation with Ansible.

Ansible & F5 AFM  - Creating a rule for allowing ICMP traffic

These weeks I have to migrate lots of firewall rules from iptables to F5 AFM. I think IT automation is going to help me to migrate all the rules. In fact, Ansible is going to help me. It's easier to write all the firewall rules in a playbook than to create them from the GUI. Once the playbook is completed, we can run it with Ansible to create all the rules at once. It takes less time than creating the firewall rules from the GUI. You can watch in the next video how to write a playbook with a policy and firewall rules for F5 AFM. It’s easy and fast!
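A playbook of the kind described above, as an added example that is not the playbook from the video: it uses the `f5networks.f5_modules` collection to create a denied-sources address list, an AFM policy, and two rules, one of which allows ICMP. The policy, rule and address-list names, the sample addresses, and the `BIGIP_*` environment variables are assumptions.

```yaml
---
# Added example: names, addresses and credentials below are constructed placeholders.
- name: Build an AFM policy from code instead of the GUI
  hosts: localhost
  connection: local
  gather_facts: false
  collections:
    - f5networks.f5_modules
  vars:
    provider:
      server: "{{ lookup('env', 'BIGIP_HOST') }}"        # assumed variable name
      user: "{{ lookup('env', 'BIGIP_USER') }}"          # assumed variable name
      password: "{{ lookup('env', 'BIGIP_PASSWORD') }}"  # keep secrets out of the playbook
      validate_certs: true
    afm_policy: migrated_iptables_policy                 # hypothetical policy name
  tasks:
    - name: Address list of denied sources (add new malicious IPs here)
      bigip_firewall_address_list:
        name: blocked_sources
        addresses:
          - 203.0.113.10     # documentation-range sample address
          - 203.0.113.25     # documentation-range sample address
        provider: "{{ provider }}"

    - name: Create the policy and fix the rule evaluation order
      bigip_firewall_policy:
        name: "{{ afm_policy }}"
        rules:               # evaluated top to bottom: deny first, then allow
          - deny_blocked_sources
          - allow_icmp
        provider: "{{ provider }}"

    - name: Drop and log traffic from the blocked address list
      bigip_firewall_rule:
        name: deny_blocked_sources
        parent_policy: "{{ afm_policy }}"
        source:
          - address_list: blocked_sources
        action: drop
        logging: true
        provider: "{{ provider }}"

    - name: Allow ICMP traffic
      bigip_firewall_rule:
        name: allow_icmp
        parent_policy: "{{ afm_policy }}"
        protocol: icmp
        action: accept
        provider: "{{ provider }}"
```

Blocking a new source then means adding one line under `addresses` and re-running the playbook, which leaves the rules themselves untouched.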

Have a nice week my friends!
