F5 BIG-IP APM – Identity-aware proxy (IAP)

I’ve been reading about Identity-Aware Proxy (IAP) this week because it’s a new feature in F5 BIG-IP APM and I wanted to know exactly what the advantages of this solution are. Initially, I was reading and I didn’t understand anything. It were the same as I knew it. Authentication, Single Sign-On (SSO) and a few more things. However, I’ve realised it’s a new feature from the point of view of usability. It’s a new feature for deploying a Zero Trust model validation based on granular context- and identity-awareness, securing every application access request.

Identity Aware Proxy (IAP) delivers secure access to applications based on the principle of “Never Trust, Always Verify”. It means, IAP is a Zero Trust architecture where there is no a secure network perimeter and there is no trusted insider. As a result, everything is untrusted, even users that have already been authenticated, authorized, and granted access to applications and resources. IAP should verify not just at the time a user requests access but also when users have access to the application or resource, and upon every subsequent access request and attempt.

Identity-aware proxy - IAP

IAP grants access to applications by evaluating real-time device posture, user identity and step-up authentication. Thanks to F5 Access Guard, IAP can check the device security posture such as firewall, antivirus, patches, etc from the client-side. Therefore, IAP along with Access Guard go beyond simply checking device integrity at authentication. Instead, they deliver continuous, ongoing device posture checks. As a result, if IAP detects any change in the device integrity, it may either limit or stop the user’s application access.

Define a firewall Posture Assessment

IAP is going to authenticate, authorize and encrypt every access request. We can also add an extra security layer with MFA as well as enable SSO. IAP supports modern authentication and authorization protocols like SAML, OpenID Connect and OAuth. In addition, due to every access request is encrypted, we can use IAP instead of VPN to access the enterprise network because IAP is per request application access while VPNs apply session-based access. Therefore, IAP is more secure than VPNs.

BIG-IP APM is a single, centralized control point for securing and managing user access to applications, wherever they may be hosted

Thanks to Access Guided Configuration (AGC) for version 15 and Simplified Guided Configuration (SGC) for version 16, it is really easy to deploy an IAP architecture. There is a step by step guide where we can easily configure the device security posture, the authentication servers, SSO authentication profiles, etc. It’s the best way to deploy an IAP solution with a Zero Trust model validation.

Access Guided Configuration - Single Proxy

To sum up, I knew most of the features about F5 BIG-IP APM such as Identity federation, MFA, SSO, SSL VPN and API Protection but I didn’t know the Identity-aware proxy (IAP) solution very well until recently. Once I’ve been reading about it, I’m going to take the plunge and I’m going to configure a small lab to see how it is working with the AGC. I think this is the best way to know how IAP works.

F5 BIG-IP APM features

Regards my friends! What have you been doing this Christmas?

Log4Shell

We have lived a really interesting week from the security point of view because we have known the most widespread cybersecurity vulnerabilities in recent years. There are lots of vulnerabilities day in and day out but most of them are not as important as the vulnerabilities discovered last week in a piece of free and open source software called log4j. These vulnerabilities are very important because log4j is widely used by lots of applications as well as the vulnerabilities discovered are really critical.

Log4j is used by thousands of websites and apps. In fact, there are companies who don’t know yet how many websites and apps are using this piece of code, which is really dangerous because they don’t know yet the extent of these vulnerabilities in their services. Actually, log4j is mainly used for logging information which is a functionality needed by most web applications. In addition, these vulnerabilities are extremely easy to exploit but it is also easy to protect against these vulnerabilities because updating servers or disabling log4j is simple.

As I write this article, there are three Log4j vulnerabilities. The first vulnerability publicly disclosed is CVE-2021-44228, which is a Remote Code Execution (RCE) vulnerability and it is the most critical vulnerability. This vulnerability is critical because Apache log4j Java library doesn’t properly validate input thus attackers can execute arbitrary code loaded from LDAP servers. The second vulnerability discovered is CVE-2021-4104, which is also a RCE vulnerability. However, this one is less critical than the first one because this vulnerability only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. In addition, Log4j 1.2 reached end of life in 2015. Finally, the third vulnerability is CVE-2021-45046, which is a Denial of Service (DoS) vulnerability. This is the less critical one.

Source: Swiss Government Computer Emergency Response Team

These three vulnerabilities have to make us think about the software supply chain. There are lots of developers who use libraries which are never updated. In fact, most of them don’t know if they are using vulnerable software. What’s more, there are lots of companies who don’t have a software inventory. Therefore, they don’t know what servers they have to update. In addition, there is now a lack of developer resources that updating software will be longer than it used to be.

I’m wondering where is the Zero Trust that all security companies were telling us in webinars. Why does Log4j have access to outside servers? Log4j should never have been able to communicate with outside servers. We should learn as much as possible with this event. Zero Trust is not a project with a start and a finish because environments are constantly changing. This is why we should always think about inventory. Zero Trust is the new implementation of security but it is a process that will never finish.

To sum up, there is lots of work to do. Updating servers is one task to do. Deploying WAF appliances and upgrading signatures is also a task to do. However, security management is a process where we have to take lots of things into account.

Regards my friends! Do you have any thoughts about this event?

Souvenirs d’un soir d’été

J’ai été hier soir dans un bal d’été dans mon village où j’ai grandi, j’ai joué et j’ai connu mes meilleures amis. C'était un soir très chaud. Je ne me rappelais pas bien les soirs d’été de mon village. Cependant, le bal d’été a été une belle opportunité pour la rencontre de tous mes amis et pour parler de toutes les choses que nous avons fait ensemble quand nous étions adolescents.

Dès que je suis arrivé au bal, je me suis réjoui d’y être allé parce que tous mes amis étaient là-bas. Au fur et à mesure que nous parlions, et nous buvions aussi, nous étions plus ravies. En fait, je crois que je n’ai jamais dansé autant qu’hier soir. Nous étions aux anges de retourner au village même s’il est une fois par an. À mon avis, nous sautions tous de joie de nous revoir.

Une fois que le bal a fini, la tristesse est arrivée à tous les nous. Je voulais rester au bal pendant toute ma vie mais nous devions rentrer chez nous. Donc, la mélancolie et la nostalgie sont revenues dans nos vies. Avant que j’écrive ce journal, j’ai été abattue et j’ai pleuré toutes les larmes de mon corps mais, maintenant que je me rends compte que ces sentiments sont très beaux, je suis joyeux de ma vie, de mes amis et d’être allé au bal d’été.

 

Salut!

F5 AWAF - Securing APIs with BIG-IP

There are lots of web servers on the Internet and most companies know they should protect them against attacks. As a result, companies deploy WAF appliances. However, there are increasingly APIs on the Internet, which are used by apps to request and send data, that we should also protect. API servers are like web servers because they respond to requests using the HTTP protocol. Therefore, we must also protect them.

From my point of view, the API Protection feature included in APM 14.1 along with the API Security feature included in AWAF 15.0 is the best solution for protecting API servers from attackers. API Protection means authentication, authorization and federation services using OAuth, JWT, OpenID Connect or SAML while API Security means security against attacks such as SQLi, XSS or XXE. Therefore, the best way to protect API servers will be to import an OpenAPI Spec 2.0 file into BIG-IP which will add the details of the API such as paths, API servers, responses, API protection profile, etc.

REST API Security - Configuration example

Configuring a WAF policy to protect API servers is really easy. Firstly, we should deploy the AWAF module (formerly ASM module). Secondly, we have to create a security policy where we are going to choose API Security as Policy Template. In addition, we are going to import the OpenAPI file where application-specific configuration is defined such as URLs, parameters and methods. Finally, we have to assign the security policy to the virtual server where the API service is listening. Once the security policy is created, we can see a list of allowed components in the security policy.

API Security template

The API Security template is great because F5 AWAF is going to configure a security policy to protect API services easily for us. However, we can add more security layers to this protection. For instance, I like to add a bot defense profile to prevent all types of malicious bots from accessing the API services. This protection relies on signatures and javascript based challenges. Therefore, it is important to highlight that JS challenges need to be used with caution.

Bot Defense profile

There is another security layer I really like to add to web assets such as API servers. As attackers can send legitimate requests at a high scale, they can bring down an API service. As a result, I like to add a DDoS Defense profile to API servers. There are mainly three protection mechanisms. Firstly, transaction per second (TPS) Based DoS Defense which is the most straightforward mechanism because it measures requests rate. Secondly, the stress-based mechanism is similar to TPS but it only mitigates when the protected asset is under stress. Finally, behavioral anomaly detection (BADoS) mechanism which uses a machine learning algorithm.

DoS Defense profile

To sum up, if you have API services, you will also have to protect them. If you have F5 AWAF, you have almost everything. You only have to enable API Security to your services.

Regards my friends! Do you protect your API servers?

Fortinet FortiSwitch - Secure Simple Scalable

There are several challenges at the access layer today. On one hand, the number of devices is getting bigger and bigger. On the other hand, threats are increasingly complex and breaches more common. In addition, IT management is complex and personnel is scarce and expensive. Therefore, legacy Ethernet LAN’s are at capacity, standard network designs have to add a new security layer and the complexity increases time to resolve issues. Fortinet Fortiswitch helps us to deploy and manage a secure simple scalable model to address Ethernet access.

Most network administrators want to manage the whole network easily. They have lots of switches to manage and they also want visibility of what just happened. This is really difficult to achieve when we use the CLI, instead, we should use a network controller with GUI like FortiGate. Thanks to FortiLink, we can manage Fortinet switches and Fortinet access points from a unique web interface centrally. What’s more, FortiLink works at layer 2 and also at layer 3, which means, we can manage FortiSwitches from the FortiGate controller when they are in the same network (L2) but also when they need routing (L3) to reach each other.

FortiSwitch Deployment Options

There are lots of topologies we can deploy with FortiSwitches. We can deploy a basic one with a single FortiSwitch or a much more complex topology with MCLAG pairs and FortiGate HA Active/Passive cluster. When we deploy a FortiGate HA pair and multiple switches in star topology, we can configure an active FortiLink and also a standby FortiLink for redundancy. However, if we deploy a ring topology, we’ll see easily from the Security Fabric what is the InterSwitchLink (ISL) which is in STP discarding state.

FGT HA A/P with Two 1st-tier MCLAG Pairs

The Security Driven Networking enables a convergence of security and network access, thus, it extends security to the access layer. For instance, switches and APs can automatically quarantine a malicious device at the access layer to minimize attacks. We can also configure micro-segmentation to avoid spreading attacks over the LAN. Dynamic VLAN assignment or 802.1x policy are another two security features really useful which can be applied to FortiSwitches from FortiGate.

FGT NAC Policy

Managing switches and APs from FortiGate is great but when we have a lot of devices to manage, we need something else. FortiManager helps us in large scale deployments because we can assign templates, authorize, restart and upgrade easily all managed switches. In addition, we can assign VLANs and port properties such as 802.1x policy, PoE, DHCP Snooping, STP properties, IGMP Snooping, etc. Therefore, FortiManager is the best solution for large deployments.

FortiSwich Manager Module - Managed Switches

To sum up, network administrators are scarce and expensive, and most of them have lots of tasks to do daily. They want an easy way to manage all access devices from a single web page. In addition, security is already a must in the company. From my point of view, FortiSwitches is a good solution for all of them.

Regards my friends! How are you managing your switches?

F5 BIG-IP APM – Configuring App Tunnels

I really like F5 BIG-IP APM because it has lots of use cases. We can use APM as a secure portal access with lots of resources such as SAML Resources, Webtop Links, Single Sign-On configuration, etc. We can also use APM as a SSL VPN in web mode or tunnel mode. In addition, thanks to the Visual Policy Editor (VPE), it's really powerful and easy to configure applications access from a security perspective.

This week, I’ve been working with the application tunnel feature where I’ve had to configure access to several apps through a tunnel. We didn’t want to use a Network Access, thus, the application tunnel fits the requirement. Therefore, we can watch in the next video how to configure a basic app tunnel to access to the F5’s management interface. However, this configuration is the same for other internal resources such as SSH or Webmail services.

Regards my friends! Did you know the App Tunnel feature?

F5 BIG-IP DNS - Topology Load Balancing

I’ve already written about Data Center Load Balancing where I have even recorded a video with the F5 BIG-IP DNS configuration. I’ve also written about DNS Load Balancing, DNS Security, DNS over HTTPS (DoH) & DNS over TLS (DoT) and how to configure DoH and DoT with F5 LTM. However, I think I still have to learn a lot about this interesting and needed protocol that’s why I’ve been testing the topology algorithm in F5 BIG-IP DNS these weeks.

In fact, I’ve recorded a new video where you can watch how to configure F5 BIG-IP DNS for Global Server Load Balancing (GSLB). Firstly, I’ve created two nodes, two pools and two virtual servers where each of them could be a service hosted in different data centers. Secondly, I’ve created the DNS configuration such as the Wide IP with two pools, Data Center, Server, DNS listeners, Regions and Records. Finally, I’ve tested the configuration where you can watch how F5 DNS resolves DNS queries according to Regions and Records.

 

Actually, there are lots of ways to configure services in high availability using more than one data center. F5 BIG-IP LTM device and BGP protocol allow us to send traffic to several data centers for high availability but F5 BIG-IP DNS is also another way which allows us to configure a genuine GSLB topology.

Regards my friends! How do you design services in high availability between data centers?

Troubleshooting latency by capturing traffic

When someone has network issues such as high latency, packet loss or high jitter I always like using Wireshark and Tcpdump for capturing traffic. I still remember when I learnt how to use it at University. It was my fourth year studying IT engineering. I also learnt about the TCP Window and the network congestion-avoidance algorithm. When we use Wireshark to analyze a packet capture, it’s important to know the flags, the TCP messages and the connection states to understand and optimize TCP performance.

One of the TCP flags, which is really useful, is the TCP Window Full. If a sender transmits a packet which is filling the recipient’s receive window, Wireshark will report this message. It means the sender is reaching the full capacity of the TCP flow, which is limited by the receiver. However, the network may have higher capacity. For instance, there are older operating systems and less powerful devices that have small TCP buffers which can be increased. On the other hand, systems such as F5 BIG-IP allows us to configure the Send Buffer and Receive Window settings easily from GUI.

TCP Window Full

Another interesting flag that we can see when there are performance issues is the TCP Zero Window. This flag is used to tell the TCP sender to stop sending traffic due to the fact that the receiver’s buffer is full. Therefore, the sender is delivering traffic faster than the receiver can process it. If a device advertises Zero Window, we should check the peer flow which usually indicates that throughput is limited by the peer flow. We should also check the system performance because if it is heavily loaded, the system itself can introduce delay.

TCP Zero Window

There is another TCP flag that we can often see when we analyze a packet capture. The TCP Retransmission flag means the ACK packet has not been received within the timeout interval (known as the retransmission timeout or RTO) thus the sender has to retransmit the packet again. This flag indicates network loss but it may not always be an issue because TCP is designed to increase throughput until loss is observed to estimate network capacity.

TCP Retransmission

When we see the TCP Retransmission flag, we can also see the TCP Duplicate ACK message. This message is part of a failure recovery mechanism called TCP Fast retransmit. A duplicate ACK is sent when a receiver receives out-of-order packets. Upon receiving the out-of-order packet, the receiver starts sending duplicate ACKs so the sender would start the fast-retransmision process. It indicates packet loss but this behaviour may not be an issue because TCP is designed to work like that.

TCP Duplicate ACK

To sum up, we should understand how TCP works as well as TCP flags and messages for troubleshooting network issues. Wireshark and Tcpdump will help us to analyze a packet capture. Finally, we will have to configure devices with the right settings for better network performance.

Regards my friends! Do you usually analyze network traffic?

F5 AWAF - Preventing Session Hijacking

I’ve been focused these weeks in preventing session hijacking attacks with F5 BIG-IP AWAF where I’ve had to create a security policy to block this kind of attacks. First of all, it’s important to highlight that this kind of attack is really critical because an attacker can compromise the session token by stealing or predicting a valid session token to gain unauthorized access to the web server. However, from my point of view, session hijacking attacks are not so easy to carry out. Actually, the session token could be compromised in different ways but none of them are easy to carry out. The most common are predictable session token, session sniffing, client-side attacks (XSS, malicious JavaScript codes, trojans, etc), man-in-the-middle attacks or man-in-the-browser attacks.

F5 BIG-IP AWAF mitigates the session hijacking attacks with a JavaScript challenge to obtain a unique device ID which represents the client device. This device ID is encrypted and stored into the ASM cookie which is sent by the client in each HTTP request. Therefore, the BIG-IP AWAF issues the JavaScript challenge to test the validity of the device ID in each HTTP request and if the result of the challenge is different to the device ID stored and encrypted in the ASM cookie, the system will consider the request to be an attack.

Configuring session hijacking protection is really easy in BIG-IP AWAF. Firstly, we have to enable Accept XFF in the HTTP profile when clients are behind an internal or other trusted proxy. Secondly, we have to enable the session hijacking feature which enables the system to send the JavaScript challenge, thus, the security policy blocks client browsers that do not support JavaScript even when the security policy is in transparent mode. Finally, we have to enable blocking modes for session hijacking violations such as “Modified ASM cookie”, “Modified domain cookie(s)” and “ASM Cookie Hijacking”.

I would like to share with you two videos where we can watch how we can configure session hijacking protection with F5 BIG-IP Advanced WAF (formerly ASM). I think these two videos explain really well what a session hijacking attack is, thanks to the hackazon virtual machine, and how to enable the session hijacking protection in F5 AWAF. The first video shows how to block a modified domain cookie while the second one shows how to block an ASM modified cookie.

What’s more, F5 has acquired Shape Security and Volterra recently to sell SaaS security services. As a result, F5 has created a new feature called Device ID+ which is similar to Device ID but the new one is delivered from the cloud and it uses machine learning to assign a unique identifier to each device visiting the web site. All customers have access to this service for free up to 20 millions of devices. Therefore, we should take into account that Device ID+ is not the same as Device ID. However, Device ID is do the same that “client fingerprinting” which is also used for Bot Defense, Brute Force Protection and Web Scraping.

Device ID+ data flow

Regards my friends! Do you have session hijacking vulnerabilities?

Fortinet Secure SD-WAN

This is the third article I write about SD-WAN because I’ve been reading and studying a lot about this kind of networks lately. I had already worked with SD-WAN years ago when I had to configure eight uplinks WANs to send traffic for all of them in a datacenter. It was really easy with this kind of technology. Therefore, I’ve configured lots of SD-WAN since then. However, I’ve had to learn how SD-WAN works in Juniper 128T and Nokia Nuage these days for a new project. This is the main reason I’m also writing about SD-WAN today.

SD-WAN is very interesting when we have lots of WAN uplinks and we want to send different types of traffic for each WAN link. For instance, mail traffic for one link, web traffic for another link and streaming traffic for another one. However, it is also interesting when we have lots of branches or small offices and we need to manage all of them from a centralized platform where we configure and deploy all WAN links easily and quickly. Juniper and Nokia can do it but Fortinet can also do it from the security perspective. In addition to SD-WAN, Fortinet adds NGFW features to the branch.

Secure SD-WAN - All in one SDWAN + Security

SDN architectures are based on the management plane, control plane and data plane where each of them is a component or device. For instance, Nokia Nuage has a real SDN architecture because VSD is the management plane, VSC is the control plane and NSG is the data plane. However, Juniper and Fortinet work like a SDN architecture but they are not a real one because the Conductor is the management plane and the SSR is the control & data planes for Juniper while FortiManager is the management plane and FortiGate is the control & data planes for Fortinet.

Secure SD-WAN architecture components

The provisioning process is really important when there are lots of branches because SD-WAN projects require configuring and deploying each branch remotely and quickly without the need to go there. For example, we can use FortiDeploy along with FortiManager to install FortiGate devices in branch offices quickly. When FortiGate devices are connected to the Internet, we can use FortiDeploy to configure the FortiManager IP address into FortiGate devices, which is from where we are going to manage it centrally. Once we see the branch device from FortiManager, we can deploy the configuration.

Zero Touch Provisioning (ZTP)

Reading and studying about SD-WAN these days, I’ve come across the magic quadrant for WAN Edge Infrastructure where we can see Fortinet and VMware as leaders for SD-WAN. I think Fortinet is a leader because FortiGate adds security features to the branch. With regard to VMware, they are also leaders thanks to the recent VeloCloud acquisition. However, Juniper 128T, who are visionaries, I think the tunnel-less technology is really innovative. Finally, Nokia Nuage is a real SDN solution which works very well and it has already been deployed in many countries.

Fortinet recognized as a leader for WAN Edge Infrastructure

Regards my friends! What SD-WAN solution would you like to deploy?

Nokia Nuage SDN

When someone asks you what SDN is and what the benefits are, sometimes we don’t know what to reply. However, we know how to design a network architecture and we know what devices we have to buy for the customer’s request but, actually, we don’t know sometimes we are deploying an SDN solution. For instance, when a customer with several internet links wants all VoIP traffic use only one link and another one for backup, and the rest of the traffic use another internet link, we know they need an SD-WAN solution, which is actually an SDN solution.

At the beginning of WAN networks, if you wanted a private network between an office and the datacenter, or between two offices, you had to buy a leased line, which was really expensive. Later on, frame relay allowed us to share the same physical network for several customers. Therefore, it was cheaper. Today, IP/MPLS networks are like frame relay but it also allows us better QoS for applications. However, I think SD-WANs are the networks of the future because they are transport independent and we can manage and control the whole network from a centralized perspective.

WAN networks evolution

Nokia Nuage is one of the SD-WAN solutions based on SDN. This solution has mainly four components. The Virtualized Services Directory or VSD is the management console where network administrators are going to design the architecture and they are going to define the network policies. The Virtualized Services Controller or VSC has the network control plane and all branches’ configurations are stored in this device. The Network Service Gateway or NSG is the edge router where the data plane takes place. Finally, the Elastic Search or ES component is a database which is used by VSD to show network statistics.

Nuage Virtualized Network Services (VNS)

The Nokia Nuage is an SDN solution where we can see each component of an SDN architecture very well because data plane, control plane and management plane are each of them a component. The control plane (VSC) and the management plane (VSD) are usually deployed in high availability, thus, a load balancer is needed. In addition, we could install NSG-UBRs to breakout traffic to another network. For example, we can configure a backup private network through the Internet when the main IP/MPLS network fails.

Nuage VNS standard deployment architecture

Finally, if you are going to configure and deploy a Nokia Nuage SD-WAN solution, you have to know how to configure the network topology. First of all, we have to configure an Enterprise, which is a tenant or end user and they are isolated from each other. The Domain is a layer 3 instance, like a VPRN or VRF, and they are also isolated from other domains, although shared domains with route leaking is possible. A Subnet is a layer 2 instance, like VPLS. A Zone is an administrative group of subnets, which shares the same policies. The last component is the Vport which is a virtual interface of a VM (virtual machine) or LAN side port+vlan.

Service abstractions

Regards my friends! What SD-WAN solution do you like?