401 Study Notes

Tips

1. Get a good hold on Silver line. Deployment mode, etc. When to use which mode, pros and cons etc.

2. DDoS concepts are tested extensively, w.r.t AFM, ASM and device DDoS

3. Understanding Kerberos and NTLM authentication and related security flaws while understanding how APM can help

4. SAML use cases

5. Read customer success stories on f5.com - https://www.f5.com/customer-stories

6. Read all reference architecture guides on F5 - https://www.f5.com/services/resources/deployment-guides

7. SSLO

8. Finally be prepared to reading lengthy problem descriptions

9. -

10. For Threat modeling, I study the STRIDE/DREAD model of Microsoft. Also the Owasp docs on the same subjects

11. For design, I study the roles on each components and security features, customer stories on F5 website, light board..

12. For operation, diagnosis notes on askf5 and lot of labs

13. For incident response, study all reference guide (DDOS...) and be able to determine the right solution for a case.

14. And practice always, read what you can to be sure to understand well the solutions (Maybe too much...)

15. websafe, Silverline, WAF and knowing when to use it

NTP

Example of a failed NTP peer server query

# ntpq -np

remote refid st t when poll reach delay offset jitter

==============================================================================

172.28.4.133 .INIT. 16 u - 64 0 0.000 0.000 0000.00

Note: An st (stratum) of 16 means that the destination NTP server is unreachable or is not considered a viable candidate.

Example of a successful NTP preferred peer server query

If the local ntpd process communicates or attempts to communicate with a declared preferred NTP peer server, the output from the ntpq command appears similar to the following example:

# ntpq -np

remote refid st t when poll reach delay offset jitter

==============================================================================

*172.28.4.133 10.10.10.251 4 u 482 1024 377 0.815 -10.010 0.345

+172.28.4.134 10.10.10.252 6 u 482 1024 179 0.215 -1.010 0.545

In the previous example, 172.28.4.133 is the preferred server, or current time source, and is designated by the * symbol. Any remaining servers available for use are indicated by the + symbol. When initially configured, NTPd can take up to a few minutes to calculate and designate the current preferred time source.

Note: Pay attention to the first character for remote. A successful query that has a space as the first character is not used to synchronize time on the device. Although the response may appear successful, the space indicates that it is not acceptable for use.

NTP output details

prefix to the remote field

• An asterisk (*) character indicates that the peer is declared the system peer and lends its variables to the system variables.

• A plus sign (+) indicates that the peer is a survivor and a candidate for the combining algorithm.

• A space, x, period (.), dash (-), or hash (#) character indicates that this peer is not being used for synchronization because it either does not meet the requirements, is unreachable, or is not needed.

• remote The address of the remote peer.

refid

The reference ID identifying the server or reference clock with which the remote peer synchronizes. The interpretation depends on the value of the stratum field (explained in the st definition). For stratum 0 (unspecified or invalid), the refid is an ASCII value used for debugging. Example: INIT or STEP. For stratum 1 (reference clock), the refid is an ASCII value used to specify the type of external clock source. Example: NIST refers to NIST telephone modem. For strata 2 through 15, the refid is the address of the next lower stratum server used for synchronization.

st

The stratum of the remote peer. Primary servers (servers with an external reference clock such as GPS) are assigned stratum 1. A secondary NTP server which synchronizes with a stratum 1 server is assigned stratum 2. A secondary NTP server which synchronizes with a stratum 2 server is assigned stratum 3. Stratum 16, referred to as MAXSTRAT, is customarily mapped to stratum value 0 and therefore indicates that it is unsynchronized. Strata 17 through 255 are reserved.

t

The type of peer: local, unicast, multicast, or broadcast.

when

The time since the last response to a poll was received (in seconds).

poll

The polling interval (in seconds). This value starts low (example: 64) and, over time, if no changes are detected, this polling value increases incrementally to the configured max polling value (example: 1024).

reach

The reachability register. The octal shift register records results of the last eight poll attempts.

delay

The current estimated delay, which is the transit time between these peers in milliseconds.

offset

The current estimated offset, which is the time difference between these peers in milliseconds.

jitter

The current estimated dispersion, which is the variation in delay between these peers in milliseconds.

DDoS

The Four Categories of DDoS

1. Volumetric—Flood-based attacks that can be at layer 3/4 or 7.

Attacks that consume all available bandwidth across the network link that connects an application to the Internet or other networks.

Mitigation - Cloud-Based Scrubbing Service / Web Application Firewall.

2. Asymmetric—Attacks designed to invoke timeouts or session-state changes. Layer 7

Attacks that mimic legitimate application requests but attempt to overload web server resources such as CPU or memory.

Mitigation - Web Application Firewall

3. Computational—Attacks designed to consume CPU and memory. Layer 3/4

Attacks that attempt to exhaust infrastructure resources, such as firewall state tables, leading to crashing or degraded performance.

Mitigation - Application Delivery Controller (LTM) / Network Firewall (AFM)

4. Vulnerability-based—Attacks that exploit software vulnerabilities / weaknesses. Layer 3/4, 7

Mitigation - IP Reputation Database (IPI)/ Intrusion Prevention/Detection Systems (IDS/IPS) (ASM)/ Application Delivery Controller (LTM)

----

Application Services DDoS Attacks

HTTP Flood (Layer7)

In an HTTP flood, the attacker exploits seemingly legitimate HTTP GET or POST requests to attack a web server or application. These attacks typically consume less bandwidth than others but focus on triggering complex server-side processing to bring down the targeted site or app. HTTP floods can sometimes trigger responses from web servers that can turn it into a pipe-saturating volumetric attack.

Heavy URL (Layer7)

During the reconnaissance phase, an attacker will map out the most computationally expensive URLs on a site or application, also known as heavy URLs. Heavy URLs include any URL causing greater server load upon request. The initial HTTP request is relatively small but can take a long time to complete or yield large response sizes. These requests can require the server to load multiple large files or run resource-intensive database queries.

Slowloris (Layer7)

Slowloris works by opening multiple connections to a web server and sending HTTP requests, none of which are ever completed. Periodically, the attacker sends subsequent HTTP headers for each request, but never actually completes the request. Ultimately, the target server’s maximum concurrent connection pool is filled and legitimate connections are denied.

Slow Post (Layer7)

An attacker begins by sending a legitimate HTTP POST request to a web server, in which the header specifies the exact size of the message body that will follow. However, that message body is then sent at an extremely slow rate. Because the message is technically correct and complete, the targeted server attempts to follow all specified rules. If an attacker establishes enough of these POST attacks simultaneously, they consume server resources to the extent legitimate requests are denied.

Access DDoS Attacks

Brute-Force Login Attack (Layer7)

An attacker tries multiple username and password combinations, often using a dictionary of words or commonly used passwords to gain unauthorized access to an application or website. A common mitigation is to temporarily lock out user accounts with multiple failed login attempts. However, this can result in a denial of service for those affected accounts.

TLS DDoS Attacks (LTM ADC)

SSL Renegotiation (Layer 7)

This attack takes advantage of an asymmetric workload by requesting a secure connection, and then continuously renegotiating it. This requires a lot of CPU power from the server and can slow current or new connections or even take down the server.

SSL Flood (Layer 7)

Attackers send numerous TLS/SSL connection requests with the client never closing the connection. Once the concurrent connection limit is reached, the TLS termination point stops processing traffic, including legitimate requests.

SSL Squeeze (Layer 7)

A variant of an SSL renegotiation attack, the squeeze attack continuously attempts to renegotiate the connection handshake, forcing the server to decrypt “junk” requests. Typical renegotiation attacks multiplex SSL handshakes, which can be mitigated by disabling renegotiation on the server. However, SSL squeeze opens new TCP connections for each request, eventually consuming I/O.

Common Application Attacks

Mitigation BIG IP LTM + iRule OR BIG-IP ASM

• Slowloris (Nuclear DDoSer, Slowhttptest)

• Keep-Dead

• Slow POST (R-U-Dead-Yet, Tor Hammer, Nuclear DDoSer, Slowhttptest)

• HashDoS

• Apache Killer (Slowhttptest)

• HTTP GET Flood, Recursive GET Flood (Web Scraping)Dirt Jumper (HTTP Flood)

Mitigation BIG-IP ASM

• exploits SQLi / OWASP Top 10 vulnerability as entry

• XML Bomb (DTD Attack), XML External Entity DoS

DNS DDoS Attacks

DNS Flood

DNS servers rely on the UDP protocol for name resolution, which (unlike TCP queries) is connection-less. Because confirmation that UDP packets have been received isn’t required, spoofing is easily accomplished. This scripted botnet attack attempts to overwhelm server resources, ultimately affecting the DNS servers’ ability to direct legitimate requests. The attack can consist of valid UDP traffic from multiple sources or randomized packet data. This helps this attack type evade basic DDoS protection techniques like IP filtering.

NXDomain Flood

A variant of the DNS flood, an attacker floods the DNS server with requests for invalid or nonexistent records. Then, the DNS server spends its resources looking for something that doesn't exist instead of serving legitimate requests. The result is that the cache on the DNS server gets filled with bad requests and clients can't find the servers they’re looking for.

DNS Amplification

DNS amplification is a type of reflection attack that manipulates vulnerable internet facing DNS servers, causing them to flood an internet resource with an influx of large UDP packets. An attacker-controlled botnet is scripted to send small, but specially formed, DNS queries to any publicly available DNS resolver. This elicits a disproportionate response from the DNS resolver. The packet headers also include a spoofed IP address, the IP address of the DDoS target. Upon receiving the query, the open DNS resolvers provide an extremely large response to the target of the attack, which eventually consumes the bandwidth of the internet resource.

Network DDoS Attacks

SYN Flood

Every client-server conversation begins with a standard three-way handshake. The client sends a SYN packet, the server responds with a SYN-ACK, and the TCP connection is established with a final client ACK. In a SYN flood attack the client sends massive numbers of SYN requests, and never responds to the SYN-ACK messages from the server. This leaves the server with open connections waiting for responses from the client. Each of these half-open connections is tracked in the TCP connection table, eventually filling the table and blocking additional connection attempts, legitimate or otherwise.

UDP Flood

UDP is a standard communication protocol across IP networks. Because UDP packets are stateless, they require less error checking and validation in contrast to TCP. A UDP flood attack attempts to overload a server with requests by saturating the connection tables on every accessible server port. Filling the connection table with these requests prevents legitimate requests from being processed.

Memcached Amplification (Example John outlines the details of the DDoS attack that targeted the popular GitHub website.)

*Memcache issue is that it dos not have any way of authenticating

An amplification attack is a type of reflection attack that takes advantage of the ability to send small spoofed packets to services that, as part of their normal operation, will reply back to the target with a much larger response.

Memcached is a database caching system for speeding up websites and networks. Attackers can spoof requests to a vulnerable internet-facing memcached server, which then floods a target with traffic, potentially overwhelming their resources. While the target’s infrastructure is overloaded, new requests can’t be processed and regular traffic can’t access the Internet resource, resulting in denial-of-service.

Other types of amplification attacks include NTP, SSDP, SNMPv2, CharGEN, QOTD, and more.

IP Fragmentation

IP fragmentation is a process established by design of the IP protocol that breaks packets or datagrams into smaller fragments, so they can pass through network links that have a smaller maximum transmission unit (MTU) limit. The host or stateful security devices receiving the fragments reassembles them into the original datagram. The packets’ or datagrams’ IP header tells the receiver how to reassemble the datagram.

These attacks come in various forms, but all variations attempt to use fragmentation to overwhelm the target server or network node.

#note # Amplification Example - request 100mb , response maybe 10 times that!!!

ref;

The F5 DDoS Protection Reference Architecture

F5 DDoS Protection: Recommended Practices

Mitigating DDoS attacks with F5

Real Attack Stories: Financial Botnet

Notes

syn, syn, syn ,syn attack (mitigate computational attacks such as SYN floods with On-Premises Network Defence)

get index.asp multiple times attack (Mitigating GET floods / Asymmetric DDoS with ASM On-Premises Application Defence.

• Mitigations strategies for GET floods include:

• The login-wall defense

• DDoS protection profiles

• Real browser enforcement

• CAPTCHA Request-throttling

• iRules Custom iRules

LTM-ADC DDoS

Application Delivery Controllers (ADCs) provide strategic points of control in the network. When chosen, provisioned, and controlled properly, they can significantly strengthen a DDoS defense. For example, the full-proxy nature of the F5 ADC reduces computational and vulnerability-based threats by validating common protocols such as HTTP and DNS. For these reasons, F5 recommends a full-proxy ADC.

Big-IP TCP / SSL sizing

Platform Series TCP Connection Table Size SSL Connection Table Size
VIPRION Chassis 12–144 million 1–32 million
High-End Appliances 24–36 million 2.5–7 million
Mid-Range Appliances 24 million 4 million
Low-Range Appliances 6 million 0.7–2.4 million
Virtual Edition 3 million 0.7 million

SMALL-TO-MEDIUM ENTERPRISES BIG-IP i2000 / i4000 series

MID-TO-LARGE ENTERPRISES BIG-IP i5000 / i7000 / i10000 series

LARGE ENTERPRISES AND SERVICE PROVIDERS BIG-IP i11000 / i15000 series

DNS / GTM

Static load balancing methods

• Drop packet - GTM drops packet

• Fallback IP - GTM returns the IP

• Global Availability - Sent to first available pool

• None - skip that method

• Ratio - Round Robin in pool based on the configured ratio

• Return to DNS - Send to BIND

• Round Robin

• Static Persist - Mask-base persistence

• Topology

Dynamic load balancing methods

• Completion Rate - VS with lowest failures

• CPU - VS with lowest CPU usage

• Hops - VS with lowest hops from client

• Kbs - VS with lowest Kbs in responses

• Least Connections - VS with least connections

• Packet Rate - VS with least packet rate

• Quality of Service - lowest performance metrics

• Round Trip Time - from VS to client

• Virtual Server Score - VS based on configured ranking

• Virtual Server Capacity - Sent to pool with most free VS in it

DNSSEC

Chain of trust ............

DNSSEC Overview Video

DNSSEC Flags

requesting a DNSSEC singed DNS domain with the DO-Flag set (DNSSEC OK) should return an answer including the AD-Flag (Authenticated answer) set in the header

• flags: do

• flags: qr rd ra ad; (Authenticated answer)

Flags:

• QR: 0=Query, 1=response

• OPCODE: 0000=query

• AA: Authoritative Answer (set by the server)

• TC: message is TrunCated (set by the server)

• RD: Recursion Desired (set by the client and copied to the response)

• RA: Recursion Available (set by the server)

• AD: Authenticated Data, DNSSEC flag (set by the server)

• CD: Checking Disabled, DNSSEC flag (set by the client, copied to the response)

• RCODE, 4-bits: 0000=NOERROR.

trying to resolve a domain that has DNSSEC issues should only return a SERVFAIL returncode without any DNS data

• status: SERVFAIL

non-DNSSEC domains are resolved normally

DXDOMAIN - Domain doesn't exist

Ref;

A Short Practical Tutorial of dig, DNS and DNSSEC

DNSSec Explained

F5 VCMP

#notes

Using VCMP allows the flexability on seperations that virtuals provide but also allows utilisation of the hardware for things like TLS acceleration

IP Intelligence IPI

IP-Intelligence datasheet

IP Intelligence identifies IP addresses, compares them to the global IP Intelligence database, and allows or blocks connections based on current known risks. IPI can be used along with LTM, AFM and ASM and updates the IPI database every 5 mins.

Ensure IP threat protection

• Deliver contextual awareness and analysis to block threats from a dynamic set of high-risk IP addresses.

• Improve visibility into threats frommultiple sources

• Detect malicious activity and IP addresseswith help from a global threat-sensor network and IP intelligence database.

• Enable granular threat reporting and automated blocking

• Reveal communication with malicious IP addresses to create more effective security policies.

• Optimize protection with real-time updates

• Automatically refresh the threat database as often as every five minutes

The IP Intelligence service identifies and blocks IP addresses associated with a variety of threat sources, including:

• Windows exploits: Includes active IP addresses offering or distributing malware, shell code, rootkits, worms, or viruses. Web attacks: Includes cross-site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force.

• Botnets: Includes botnet command and control channels and infected zombie machines controlled by the bot master.

• Scanners: Includes all reconnaissance, such as probes, host scan, domain scan, and password brute force.

• Denial of service: Includes DoS, DDoS, anomalous SYN flood, and anomalous traffic detection.

• Reputation: When enabled, denies access to IP addresses currently known to be infected with malware or to contact malware distribution points.

• Phishing: Includes IP addresses hosting phishing sites or other kinds of fraud activities, such as click fraud or gaming fraud.

• Proxy: Includes IP addresses providing proxy and anonymization services, as well as The Onion Router (TOR) anonymizer addresses.

#Notes

IPI blocks four main attacks at the edge - Phishing, Anonymous Attackers, Botnet and Scanners.

Using IPI with ASM - It acts like an entity and can be alarmed, blocked excluded and learned against.

IPI helps with DoS mitigation by allowing blocking against IPs which originate the attacks.

IPI can also block egress traffic like infected PC's that call home to Botnet C&C node on IPI known address.

Use IPI with AFM, ASM or irules

lookup IPI database iprep_lookup 1.2.3.4

ASM

ASM DoS Protections

• JavaScript (Client-Side Integrity Defense) - if JS is executed in response to BIG-IP test, client is slowed down.

• CAPTCHA - CAPTCHA is issued

• Request Blocking - Blocks requests when protection is active

ASM XML profile helps prevent illegal usage of XML parameters by client by enforcing limits defined by the application.

User and Session tracking - ASM can track via login pages and APM via usernames for sessions. Various alerts, limits and thresholds can be configured on them with a variety of variables like IP, number of sessions etc.

Common types of application (L7) DoS attacks the ASM can block

• HTTP GET and page flood attacks.

• HTTP GET asks for all resources like images and scripts while page flood requests for specific URLs over and over.

Advanced Web Application Firewall (WAF)

• Proactive Bot Defence (PBD) - e.g. user is acting like a bot and will be limited / blocked

• Brute Force Protection

• DataSafe (websafe / application layer encryption) uses JavaScript to encrypt at the application

  • Malware and fraud detection

  • Phishing

  • application layer encryption (real-time) (key log protection )

  • auto transactions

  • device behaviour

• Anti-bot Mobile SDK (mobile safe) - e.g. This is used if the mobile application can't support JavaScript Easy: Anti-Bot for Mobile APIs

• Behavioural DDoS (layer 7 DDoS) (Unlimited)

• Upstream Signalling (redirect traffic to Silverline)

• Credential Stuffing (have I been pwned / stolen credentials)

• Threat Campaigns (Also needs threat campaign subscription, little to no false positives )

• Device Indication

• API Security

Layer 7 DoS Bot Protection

Layer 7 Bot defence is enabled by creating a ASM DoS profile, enabling application security then enabling proactive bot defence and bot signatures. this uses a JavaScript challenge and bot signatures to identify bots.

Layer 7 DoS Bot Protection TPS

Layer 7 Bot defence is enabled by creating a ASM DoS profile, enabling application security then enabling TPS-based Detection by changing the mode to blocking. this can be trigger by a number of factors, for example soure IP, devie, ID, geo-loation, etc , plus thresholds.

Suspicious Web Browsers

Suspicious Web Browsers will also be blocked if the above profile is enabled as "block requests from suspicious browsers" is enabled by default.

FPS is WebSafe Fraud Protection Service

WebSafe & MobileSafe

Websafe uses HTML and the Document Object Model (DOM)

Websafe detection and protection

• Phishing detection

• Malware detection

• Application layer encryption

• Automated transaction protection

DAST

Dynamic Application Security Testing is a suite of tools that is given an site or URL as input and performs a series of scans, probes and and attacks to determine the vulnerability of the target. ASM blocks most of this activity.

Positive security - Defines what is allowed and everything else is rejected."Default Deny"

Negative security - Defines what isn't allowed and everything else is accepted."Default Accept"

Payment Card Industry Data Security Standard PCI-DSS

The PCI Compliance Report lists each security measure required to comply with PCI-DSS 3.0, and indicates which measures are relevant, or not relevant, to the Application Security Manager. For security measures that are relevant to the Application Security Manager, the report indicates whether this Application Security Manager appliance complies with PCI-DSS 3.0. For security measures that are not relevant to the Application Security Manager, the report explains what action you must take to make this Application Security Manager appliance comply with PCI-DSS 3.0.

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement strong access control measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an information security policy

12. Maintain a policy that addresses information security

The previous versions are no longer considered safe for data transmission compared to the encryption security provided by TLS 1.3 and even TLS 1.2.

The Payment Card Industry Security Standards Council’s (PCI) final deadline for TLS 1.0 was in March 2018. Moreover, the PCI Data Security Standard (PCI DSS) mandates that users disable the utilization of all SSL/TLS 1.0 applications by no later than June 30, 2018. Although PCI will still accept TLS 1.1, users are strongly encouraged to adopt the utilization of newer versions of TLS protocol.

Faster Speed

Compared to TLS 1.2, TLS 1.3 offers improved speed. The faster speed for encrypted connections stems from features such as Zero Round Trip Time (0-RTT) and TLS false start. In the past, TLS 1.2 required two round-trips to finish a TLS handshake. In contrast, TLS 1.3 only needs to complete one round-trip. This reduces encryption latency by one-half. With this feature, users will be able to browse websites faster and with greater security.

Enhanced Security

Compared to TLS 1.2, which webmasters and system administrators struggled to consistently configure properly and thus made connections to websites vulnerable to attacks such as the RC4 and BEAST exploits, TLS 1.3 has removed the deprecated features that caused these issues, including SHA-1, RC4, DES and AES-CBC, among others. With this streamlined approach, Web developers and administrators are now less susceptible to misconfiguring protocols, thus making websites safer for users in terms of confidentiality and integrity as well as reducing the risk of cyberattacks.

FIPS

Federal Information Processing Standard

• Ensure computer security and interoperability , such as ANSI / IEEE / ISO

HTTP Strict Transport Security (HSTS)

This can be set in the HTTP profile

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against protocol downgrade attacks[1] and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should interact with it using only secure HTTPS connections,[2] and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

Session Cookie Hijacking Protection

TS cookie

The ASM Feature cookie name is constructed with eight hexadecimal characters and three decimal characters (TSxxxxxxxxd). The d in the name represents the type of feature being triggered in the BIG-IP ASM policy.

The ASM Proactive cookie format varies depending on the BIG-IP ASM enabled feature. The structure is as follows:

The ASM Proactive cookies related to client-side challenges begin with the TSPD_101 prefix by default.

The ASM Proactive cookies related to cross-domain flow begin with the TSPD prefix by default.

The ASM Feature cookies are set for client requests when one or more BIG-IP ASM features are activated or enabled, such as the following policy features:

• Login/Logout page enforcement

• CSRF enforcement

• Session tracking

• Dynamic parameters

• CAPTCHA enforcement

Brute Force

If an attack can get a valid username then he can easily preform Brute force attacks until he gets a valid login. ASM can protect against this by using , Sessions and login pages, creating a login page, with URL, username and password field along with the unsuccessful login string and the HTTP response code. The login names will now be logged along with the login result. Now that these details are logged, the anomaly detection -> brute force configuration needs added to the policy with the appropriate values set.

Cookie Modification (session hijacking)

An attack could hijack a user session and modify the cookies. ASM can protect against that by learning and enforcing in " headers then cookie list"

Proactictive Bot defence

Attack like HTTP get login.asp hundreds of times is a layer 7 DDoS attack, this can be mitigated by ASM Proactive Bot Defense

ref; https://clouddocs.f5.com/training/community/waf/html/class1/module4/module4.html

Cross Site Scripting Attacks

Generally cross site scripting attacks are performs by the attacker entering scripts into user input fields. This can be easily protected by ASM using a basic signature based ASM policy.

SQL Injection

Generally cross SQL injection attacks are performs by the attacker entering scripts into user input fields that query the SQL database backend and expose sensitive information. This can be easily protected by ASM using a basic signature based ASM policy.

Data Guard

This feature allows you to configure response scrubbing for sensitive user information, such as credit card numbers or social security numbers.This pervents information leakage and is need for PCI (Payment Card Industry) compliance. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.

The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.

This basicly just needs enabled by checking the datagaurd checkbox in the ASM profile, if the license permits.

File Type Enforcement

Forceful browsing is used to gain access to restricted pages of sensitive pages by accessing the URL directly.

File type enforcement can mitigate forceful browsing. ASM can limit file types by creating a file type whitelist. (Allways not *) (Learn then enforce) further learning can be enabled)

Parameter Enforcement

Protect against malicious user input, with allowed URL configured, parameters can be enforced.(Allways not *) (Learn then enforce )

• data type and length

Parameter Tampering

Protect against man in the middle attacks. This is done by creating dynamic parameter values in the ASM policy.

CSRF Protection (Cross-site request forgery)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. This can be protected by enabling an ASM policy the CSRF checkbox enabled on the CSRF page. By default this enables protection for all URLs, this can be edited to just protect the URLs that need this protection.

Web Scraping

Web scraping, web harvesting, or web data extraction is data scraping used for extracting data from websites. ASM can protect against this by using anomaly detection and web scrapping and enable bot detection to alarm and block.

Login Page Enforcement (forceful browsing)

An Attacker may try to bypass the login page of a web application. ASM security policy can prevent this by using the, Sessions and login pages, creating a login page, with URL, username and password field along with the unsuccessful login string and the HTTP response code, then configure the login enforcement page with authenticated URLs. These URLs with now only be available if the user has successful authenticated. Any force browsing attempt will be blocked.

Ref;

F5 Networks WW Field Enablement

#FACTS

When a cookie has the HttpOnly flag it can only be used for HTTP, meaning it can't be used for something else like JavaScript. This makes it harder to steal.

The secure flag restricts the cookie to only being sent over HTTPS so it is secure.

Licensing Model

Good

BIG-IP Local Traffic Manager

Software services - · Advanced routing (BGP, RIP, OSPF, ISIS, BFD)

Better

BIG-IP DNS

BIG-IP Advanced Firewall Manager

Best

BIG-IP Application Security Manager

BIG-IP Access Policy Manager

SWG

Secure Web Gateway filters outbound traffic based on URL categorisation and scans packets for malicious content (malware inspection).

F5 DC Agent is a Windows app that attempts to identify users based on their Windows logon domain and informs SWG.

The IF MAP server resides on thew BigIP and contains the maps of usernames to IPs

#notes

URLF is URL Filtering

Web Application Testing / Security / Auditing Tools

HTTP watch - Capturing HTTP data from client to server from the client before it is encrypted and after it is decrypted like Fiddler.

Fiddler - Captures HTTP/HTTPS traffic to review like HTTPWatch

Cain and Able - Network password sniffing and Microsoft password recovery, it can generate a DoS attack with the amount of fake packets it generates.

THC Hydra - Login cracker for passwords like John the Ripper but online. Performs brute force guessing so it generates a Brute Force Attack.

John the Ripper - Password cracker for passwords like THC Hydra but offline. Also generates a Brute Force Attack in its cracking attempts.

OWASP ZAP/Zed Attack Proxy - DAST/Web Application Security Scanner that does scanning and vulnerability testing like Burp Suite. Also able to proxy and manipulate proxied traffic.

Burp Suite - Java-based DAST/Web Application Security Scanner like Zed Attack Proxy.

W3af - Web application security scanner.

HTTrack - Web crawler/web scraper

Cases Studies

Case study 1: An organisation has following Challenges:

• High volumes of SSL traffic during online promotions -LTM

• Securing service availability in heavy traffic - LTM

• Protecting against web vulnerabilities and DDoS attack - ASM / Silverline /AFM / GTM/ IPI

Answer the following questions based on above case study.

1. Which modules of F5 can help customer to overcome the described challenges? LTM ASM AFM / Silverline

2. Which DDoS feature can help customer to mitigate the attack?

3. Would you advise Web Scrapping or bot defense? Bot Defense

4. Can Websafe be helpful? If yes, which features of Websafe you can incorporate? Yes , Application layer encryption, Malware detection, Automated transaction protection

Case study 2: An organization has following challenges:

Limited rack space for moving into private cloud - VE's / VCMP

Authentication for email system on Office 365 - APM

Replace old authentication and SSL VPN systems - APM

Answer the following questions based on above case study.

1. Which modules of F5 are suitable for the requirement? APM / LTM

2. Which platform do you recommend to customer considering limited rack space? VE's / VCMP

3. Which multi-factor authentication can be helpful for secure web application access? ???? token / Push /

4. How would you design your VPE for this requirement in APM?

5. Which multi factor auth would you suggest?

Case study 3: An organization has following challenges:

Deliver fast, quality services for customers

Ensure high application availability - LTM

Adapt to support new applications and business growth

Answer the following questions based on above case study.

1. Which modules of F5 can help to resolve all the challenges? LTM / ASM

2. How can you ensure highest possible uptime and low latency to the users while accessing real time applications? LTM / AFM / ASM

3. How can you ensure high availability and low latency of the application for the users coming from different geo locations? GTM / Anycast

Case study 4: An organization has following challenges:

Customer demand for faster services

Firewall bottlenecks in the current system

Continued support for multihoming and ISP line redundancy

Need for enhanced security

Answer the following questions based on above case study.

1. Which module of modules of F5 can help to resolve all the challenges? ASM / LTM / GTM

2. CGNET or PEM can be helpful? Yes? How? No? which other features can accommodate all the needs?

3. For enhanced security, what additional features can be leveraged? Silverline

Case study 5: An organization has following challenges:

Ensure constant security, reliability and data integrity, with attention to those transmitted to suppliers and customers and published externally through web services (such as portals for the PA)

Reduce costs and rationalize the management of resources

Enhance the performance of a growing number of services, eliminating potential downtime or operational delays.

Answer the following questions based on above case study.

1. Which module of modules of F5 can help to resolve all the challenges? APM / LTM / AFM / Silverline

2. Which features of APM can be useful? Yes Can you use SSL VPN? Yes Portal access with/without rewrite? With

3. How would you advise on AAA? AD

Case study 6: An organization has following challenges:

Downtime caused by DDoS activity

Limited in-house cloud security expertise

Inadequate visibility into attacks

Answer the following questions based on above case study.

1. Which services or modules would you advise to address listed challenges? Silverline

2. Which DDoS solutions offered by F5 can be useful to mitigate the attack as described in the case study? Silverline

3. Would you advise customer to use Session tracking in ASM? no

4. Can Silverline DDoS defense be helpful to mitigate the attack? yes