Happy New Year 2021

Today is the day of Holy Innocents. It seems a lie. We are living a pandemic where lots of people have died from March till today. The world has changed! We wear masks. There are even masks with logos, different colors and designs. Lots of people are working from home and most of us don’t want to meet up with others because we are afraid of getting the virus. Companies have also changed. They have had to install SSL VPN appliances to allow users working from home. Therefore, companies have had to deploy technology, security tools and new procedures to go ahead!!

I think, this 2020 has been the year of F5 BIG-IP APM because I’ve deployed and configured many services on this access management proxy solution. I’ve started the year configuring SSL VPN with Network Access, Configuring Host Checking, OTP Authentication and SSL VPN with Edge Client because of the pandemic. Finally, I’ve finished the year configuring SSO via Kerberos and configuring an In-Line SAML SSO Architecture. I’ve written more than 10 weeks about F5 BIG-IP APM.

I’ve also been working with F5 BIG-IP ASM. I’ve compared F5 Advanced WAF and BIG-IP ASM, and later on, I’ve written about Good Protection, Elevated Protection, High Protection and Maximum Protection using F5 WAF. I ended up as a F5 ASM ReCertified Technology Specialist. Companies have more services on Internet as a result of the pandemic and they have to take care of them. I’ve also written more than 10 weeks about F5 BIG-IP ASM.

As you have realised, I’ve written a lot about F5 BIG-IP. It’s true. I’ve written a lot about F5 because I’m working for a big project where there are lots of F5 BIG-IP appliances. In addition, I’ve been working in many other projects with F5 appliances. As a result, I’ve written about automating F5 configuration with Ansible, BIG-IP AFM, F5 AVR, SSL Orchestrator (SSLO) and even what’s new in BIG-IP version 15.0 and what’s new in BIG-IP version 16.0.

I haven’t been working only with F5 appliances but I’ve also been working with many other tech things. I’ve been working with IoC and MISP, and I’ve written about Cyber Threat Intelligence. I’ve also analysed alarms about Lazarus and MuddyWater, and I’ve written about the Lazarus Group and the MuddyWater Threat Actor. In addition, I’ve been reading Buyology and Destrucción Masiva as well as studying French at Official School of Languages.

To sum up, this has been a year weird and uncommon. We don’t know if this is the new world but we have to going forward. I’ll try to keep learning new things. I’ll try to keep reading books. I’ll try to be my best. I would like keep working with technology and I would like keep meeting with all of you. Have a nice day and ...

Merry Christmas and Happy New Year.

F5 VE - Hardware Acceleration with SmartNIC

Organizations are moving to the software-defined architectures whether it’s for agility, efficiency, reducing total cost of ownership, time to market, etc. BIG-IP VE provides that advanced functionality but in a virtualized form that can be run using commercial hypervisors on Common Off-The-Shelf (COTS) servers. The COTS trades-off in flexibility which comes primarily at the cost of performance. However, there are examples which are more efficiently in hardware such as DDoS mitigation, SYN Cookies, whitelisting, QinQ Tunneling, cryptographic processing, etc. All of these things put significant strain on CPU resources.

F5 and Intel - Accelerating Applications Anywhere

What can we do about that if we don’t have the BIG-IP hardware? What’s the solution? One of the things that we can do it’s using a hardware accelerator. There are two solutions. The Intel FPGA PAC N3000 SmartNIC and the Intel QuickAssist Technology (QAT). For the first solution, we need VE + AFM on 15.1.0.4 or higher and, for the second solution, we need VE on 14.1.0.3 or higher.

F5 VE SmartNIC

The SmartNIC from Intel has a FPGA and it can be programmed to perform specific tasks similar to the TurboFlex FPGA profiles that we have in BIG-IP iSeries appliances. For instance, when we have a COTS server with an hypervisor, a BIG-IP VE and a SmartNIC installed, we can boost BIG-IP VE performance easily for DDoS Mitigation. Clients will send good traffic in through the SmartNIC, which goes up through the hypervisor, and VE will deliver the application. However, when we have a bad actor sending some DDoS traffic into the system, AFM has a threshold defined for the amount of identified traffic and it handles the threshold inquiry through the SmarNIC FPGA to detect and ultimately mitigate the DDoS attack via dropping or rate limiting. Therefore, the SmartNIC is going to cut off the DDoS attack. The SmartNIC is able to mitigate a DDoS attack at 70 times greater in magnitude than with a AFM alone.

DDoS Attack Mitigation

The QuickAssist Technology (QAT) is also a hardware accelerator. When we have a COTS server with an hypervisor, a BIG-IP VE and a QuickAssist Technology card installed, we can offload the crypto on the QAT card and, instead of VE doing the decryption, the QAT card is going to do it. We are not only get significant improvement in SSL TPS but also for bulk encryption because it allows about 35% CPU reduction, which allow BIG-IP VE compute resources to handle other things.

Intel QuickAssist  Adapter

Probably, you didn’t know anything about hardware accelerator like these. Me neither. I’ve been speaking with customers who wanted hardware appliances instead of Virtual Edition because hardware were better for encryption and decryption but we can see it’s no longer like this. Thanks to Intel SmartNIC and Intel QuickAssist Technology, we can boost BIG-IP VE performance significantly. As a result, we now can take advantage of flexibility, as well as speed, with BIG-IP VE and SmartNIC.

Thanks my friends!! Would you like to deploy a BIG-IP VE with SmartNIC. I would like it!!

F5 APM – In-Line SAML SSO Architecture

Federation services along with Single Sign-On (SSO) is increasingly configured by many companies. I think SAML is the most used standard which can be configured in many cloud service providers. For instance, we can configure Application Access with Azure AD easily with F5 APM thanks to the SAML standard. However, we can also configure a little bit more complex architecture such as the In-Line SAML SSO architecture where there are two SAML flows: one from F5 APM to the application with the aim of providing in-line SSO for service providers (SP) not directly reachable by the client, and another flow from clients to F5 APM, which is configured as a service provider (SP), against an external Identity Provider (IdP).

Traffic Flow

The traffic flow for an In-Line SAML SSO architecture has mainly 3 steps. Firstly, the user is redirect to the external SAML IdP and once the user is authenticated at the IdP, the user is redirected back to the F5 APM. Secondly, session variables are assigned and an iRule Event is triggered to establish a sideband connection to another virtual server. Finally, this virtual server gets variable values through execution of another iRule to allow SAML SSO access for clients.

BIG-IP as SAML IdP and SAML SP

The SAML configuration for the In-Line SAML SSO architecture is easy to configure. On one hand, we have to configure the SAML SP Service and the SAML IdP Connector. Binding the SAML SP Service to the IdP Connector. On the other hand, we have to configure the SAML IdP Service and the SAML SP Connector. Binding the SAML IdP Service to the SP Connector. In addition, the SAML IdP Service configuration will be used as SSO configuration for the second SAML traffic flow.

IdP Service

The iRule event triggered is mandatory to establish the TCP based sideband connection to the second virtual server. This iRule converts the APM session variable to a TCL variable and sends a HTTP request over the sideband with the username in a query string. What’s more, this iRule is really important because it is useful to start the second SAML traffic flow from the F5 APM to the internal service provider.

send-sideband iRule

There is another iRule attached to the second virtual server which parses the query string and splits the first parameter name from the value. This value is next stored as the username variable. Finally, the TCL username variable is saved as a session variable which is used in the SSO configuration. For instance, it can be used for Kerberos SSO, NTLM SSO, Form based SSO, etc. This iRule is always triggered when there are requests to the second virtual server.

receive-sideband iRule

To sum up, the In-Line SAML SSO architecture with two SAML traffic flows is a little bit more complex configuration than those configurations which only have one SAML traffic flow. However, this architecture is useful for lots of companies and it is also supported by F5 APM.

Thanks my friends!! Have you ever configured an architecture like this?

What’s new in BIG-IP version 16.0

BIG-IP version 16 is still far away for production environments from my point of view. Today, I usually install version 14 in new deployments and, I think, version 15 will be ready for production next year. However, I like to know new features and enhancements in new version. I wrote about What’s new in BIG-IP version 14.0 and What’s new in BIG-IP version 15 to know new features and enhancements which are used today and it will be used next year. Therefore, I’ve been reading this week about the new BIG-IP version that it will be installed probably in two years.

I’ve already written about HTTP/2 and Moving the Web from TCP to UDP. I’ve also written about Mutipath TCP and MPTCP Security, and I’ve even recorded a POC Multipath TCP. BIG-IP supports HTTP/2 but what’s amazing is BIG-IP version 16 also supports HTTP/3. I’ll write about it deeply next week but I would like to highlight HTTP/3 fixes the performance issues of HTTP/2 and it supports 0-RTT connection resumption. Therefore, BIG-IP version 16 provides a turnkey solution by converting HTTP/3 requests from clients to HTTP/1 and HTTP/2 requests to backend servers.

HTTP/2 vs HTTP/3

BIG-IP version 16 has lots of new features for BIG-IP APM. For instance, the Advanced Guide Configuration has been improved to Simplified Guided Access where we can deploy mission critical apps with Microsoft Azure AD easily. Another interesting feature is Identity Aware Proxy (IAP) Webtop which simplifies application access to end users with a single catalog of their applications. F5 Edge Client has also been improved. The F5 Edge Client supports DTLS 1.2 and it also supports SSO across remote access (SSL VPN) and web applications. There are many improvements in BIG-IP APM.

Identity Aware Proxy Webtop

The BIG-IP version 16 has also been improved a lot the BIG-IP AWAF. The new version supports Web Socket Compression traffic in real time to analyze the payload and recompress without increasing network traffic. This version of Advanced WAF enables HTTP Desync mitigation, which enables customers to protect against Desync or similar attacks. In addition, there is a new role to restrict WAF Log Access. This is an interesting feature to reduce exposure of potentially sensitive WAF log data. There are many more new features for BIG-IP WAF in this new version.

Web Guided Configuration for Micro Services

You can see there are lots of new features and enhancements in the BIG-IP version 16 for APM and WAF but there are also many new features for SSL Orchestrator (SSLO) and BIG-IP AFM. For example, Secure Web Gateway (SWG) as an SSL Orchestrator service can be configured in SSLO and Datagroup is also supported in SSLO. On the other hand, BIG-IP AFM VE with SmartNICs can improve DDoS mitigation capacity by up to 300x compared to High Performance AFM VE on its own. To sum up, BIG-IP version 16 has lots of new improvements which can be already tested but we’ll have to wait at least one year to be ready for production environments.

F5 VE SmartNIC

Thanks my friends!! Would you like to test this new version? I do!