
26 April 2021

F5 ASM - Using Qualys for a Security Policy

I’ve been working with vulnerability assessment tools and F5 ASM these days. In fact, I’ve been configuring F5 ASM with the Qualys Web Application Scanner (WAS). I think this kind of integration is really useful to quickly resolve vulnerabilities found by scanners such as Qualys and HP WebInspect. Actually, there are lots of vulnerability assessment tools and WAF appliances, but I think the integration is very important to improve security policies and resolve vulnerabilities as soon as possible. You can watch in the next video how to integrate Qualys with F5 ASM!!


19 April 2021

F5 ASM – Disabling attack signatures checks

I’ve deployed a new WAF appliance with F5 ASM recently where I have to secure web applications which have lots of entities such as URLs, parameters and files. These web applications are already running in a production environment, so I’ve deployed a Rapid Deployment Policy in transparent mode to see and know what’s going on. After a week, I can see lots of attacks in the learning process. Most of them are due to a web application used to store files. Employees can upload whatever they want, so they upload PDF files as well as .exe files and source code with JavaScript. Therefore, the best way to reduce potential false-positive alerts is disabling attack signature checks for the URL where the application is hosted or for the parameter used to upload files.

I’ve recorded a video where we can watch how to disable attack signature checks for URLs and parameters. It’s really easy!!

Drop me a line with the first thing you are thinking!

12 April 2021

EDNS(0) – Extension Mechanisms for DNS

I’m reading, working and studying about EDNS(0) because a customer wants something similar to a parental control service that restricts access to particular domains from particular devices; as a result, we need a device-specific identifier. We need precise client identity information for this requirement. There will be lots of laptops on the Internet and it’s unlikely that we can configure a VPN tunnel for each laptop. Therefore, DNS servers and DNS requests will go through the Internet. I’m thinking about whether EDNS(0) fits this requirement.

The DNS protocol sends messages over UDP and was restricted to 512 bytes, but in 1999 there was a proposal to extend DNS to allow for new flags and response codes, and to provide support for longer responses. This extension mechanism is EDNS and it has increased the functionality of the protocol. EDNS adds information to DNS messages in the form of pseudo-Resource Records (“pseudo-RR”). For instance, the OPT pseudo-record provides space for up to 16 flags. One of them is the DNSSEC flag, but there are also flags for Client Subnet (ECS) and Device ID.

Review of OPT Option Codes

Firstly, I’ve been reading about DNSSEC, which is a security extension to DNS for cryptographic authentication and data integrity, but not confidentiality, which means all DNSSEC responses are authenticated but not encrypted. It was designed to protect applications from using forged or manipulated DNS data, such as that created by DNS cache poisoning. This security extension doesn’t fit the requirement I’m looking for because there is no way to identify the user device.

DNSSEC - Authenticity of DNS records

Another extension I’ve been reading about is Client Subnet (ECS). I was already reading about it two years ago when F5 BIG-IP DNS included this feature in v14.0. The BIG-IP places the client IP address into the EDNS0 field to determine the topology proximity of the client. This feature greatly improves DNS-based load balancing: it lets the DNS server select a service address near the client when the client computer is not necessarily near the recursive resolver. However, the ECS feature is not enough either to identify users’ computers, because it carries only a subnet, not a device identifier.

With EDNS0 Client Subnet Support

Finally, I think I’ve found how to identify the user computer. There is already a DNS EDNS option to carry a client-specific identifier in DNS queries, but it’s still a draft. However, dnsmasq uses EDNS option code 65073 from the “Reserved for Local/Experimental Use” range to pass the client’s MAC address, and the Cisco Umbrella implementation encodes the client’s MAC address with option code 26946 from the “Unassigned” range. I can use F5 BIG-IP as a DoH proxy farm to authenticate users’ computers and forward the DNS requests, with the client identification in the EDNS field, to the internal DNS server, which then analyses and filters the request, controls the cache and performs the recursion. What do you think?
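To make the OPT pseudo-RR and the option-code idea concrete, here is an added example (not code from the post, dnsmasq or F5): it builds a DNS query carrying a client MAC in EDNS option 65073 and shows what the internal resolver would parse out of it before filtering. The payload layout (a raw 6-byte MAC) and the sample MAC are assumptions constructed for the example.

```python
import struct

# dnsmasq passes the client MAC in EDNS option code 65073 ("Reserved for
# Local/Experimental Use"), as the post notes. Payload format assumed here:
# the raw 6-byte MAC (an assumption made for this example).
EDNS_OPT_MAC_DNSMASQ = 65073
OPT_TYPE = 41  # the OPT pseudo-RR type (RFC 6891)

def _encode_name(qname):
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, client_mac=None, txid=0x1234, udp_size=4096):
    """An A query (RD=1); with client_mac set, an OPT RR carrying the MAC is appended."""
    arcount = 1 if client_mac else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += _encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    if client_mac is None:
        return msg
    mac = bytes.fromhex(client_mac.replace(":", ""))
    option = struct.pack("!HH", EDNS_OPT_MAC_DNSMASQ, len(mac)) + mac
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext RCODE/version/flags (0)
    return msg + b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(option)) + option

def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1 + n

def parse_edns_options(msg):
    """Return {option_code: data} from the OPT RR, or {} when the message has no EDNS(0)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, options = 12, {}
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == OPT_TYPE:
            p = 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                options[code] = rdata[p + 4:p + 4 + olen]
                p += 4 + olen
    return options

def client_mac_from_query(msg):
    """Device identifier the internal resolver would filter on; None if absent or malformed."""
    data = parse_edns_options(msg).get(EDNS_OPT_MAC_DNSMASQ)
    if data is None or len(data) != 6:
        return None
    return ":".join(f"{b:02x}" for b in data)
```

The resolver should treat the identifier as untrusted input (it is only as reliable as the proxy that inserted it), which is why the parser checks the option length before using it.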

Building a private DoH infrastructure

To sum up, EDNS has greatly improved the DNS protocol and it’s really useful for client identification, DNS-based load balancing and DNS security.

Regards my friends! Have you ever configured EDNS?

5 April 2021

F5 LTM – DoH & DoT to DNS Proxy

I’ve come across an F5 class about DNS over HTTPS/DNS over TLS which is really interesting to learn how to configure these services with F5 BIG-IP. I’ve recorded a video where I show how to configure F5 BIG-IP as a DoH and DoT to DNS proxy, which means that BIG-IP translates DoH and DoT requests into plain DNS requests. You can see that DoH to DNS is a little bit more difficult to configure than DoT to DNS, because the first one requires an iRuleLX while the second one only requires an SSL certificate. As a result, the DoT to DNS configuration is easier than DoH to DNS. It’s much better if you watch the video.

Have a nice day!! Are you configuring this kind of service?
