2016-01-25

Version 12 of BIG-IP and its glorious cadre of security modules has been released unto the world. It’s a big, big release packed with 194 features. More than half of those are security-related.

Selecting the best of over 100 security features is a daunting task. I had considered using the darts-against-printed-spreadsheets approach, but ultimately just went through them all, one by one, and selected the best, just for you.

Remember, these are the hardcore security doodads, of interest to network operators, security engineers and the paranoid. Let’s get to it.

The Advanced Firewall Manager (AFM) continues to be one of the most prolific modules in the BIG-IP portfolio. I’m not surprised that AFM has the most features in the top ten.

Number 10: (AFM) FQDN Support in ACL rules

A traditional firewall rule lists a source address, a destination address and maybe a port. In version 12, you can now substitute a fully qualified domain name for one of the addresses. “What is this madness, David?” you are asking. “Won’t that kill performance with all the DNS lookups?”

Be calmed. AFM will resolve the address of the FQDN and then cache it for the length of the time-to-live presented by the DNS server. AFM will even keep using the last resolved IP if the DNS server goes down. That brings up a good point.

FQDN means that you have to have your BIG-IP hooked up to a DNS resolver, which many customers avoid doing. Why do they avoid doing that? To keep the F5 running even when DNS is down. That’s a whole different story; let’s save it for next time.
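To make the caching behaviour concrete, here is a small Python model of an FQDN-backed ACL entry that I added for this post; it is not BIG-IP code, just the described rules written out: resolve once, trust the answer for the DNS TTL, re-resolve when the TTL expires, and keep the last known addresses if that re-resolution fails. The hostname, addresses and TTL in `simulate()` are constructed sample data.

```python
import time
from typing import Callable, Dict, List, Tuple


class FqdnAclCache:
    """Address cache for FQDN-based ACL rules (illustrative model, not AFM's code)."""

    def __init__(self, resolver: Callable[[str], Tuple[List[str], int]],
                 now: Callable[[], float] = time.monotonic):
        self._resolver = resolver          # returns (addresses, ttl_seconds) or raises
        self._now = now
        self._cache: Dict[str, Tuple[List[str], float]] = {}  # fqdn -> (addresses, expiry)

    def addresses(self, fqdn: str) -> List[str]:
        entry = self._cache.get(fqdn)
        if entry and self._now() < entry[1]:
            return entry[0]                    # fresh: no DNS traffic on the packet path
        try:
            ips, ttl = self._resolver(fqdn)
        except Exception:
            return entry[0] if entry else []   # DNS down: keep the stale answer, if any
        self._cache[fqdn] = (list(ips), self._now() + ttl)
        return self._cache[fqdn][0]

    def matches(self, fqdn: str, ip: str) -> bool:
        return ip in self.addresses(fqdn)


def simulate() -> dict:
    """Drive the cache with a fake clock and a scripted resolver (constructed data)."""
    clock = {"t": 0.0}
    dns = {"calls": 0, "down": False, "ips": ["203.0.113.10"]}

    def resolver(name: str) -> Tuple[List[str], int]:
        dns["calls"] += 1
        if dns["down"]:
            raise RuntimeError("DNS unreachable")
        return dns["ips"], 60                  # answer with a 60 second TTL

    acl = FqdnAclCache(resolver, now=lambda: clock["t"])
    out = {"first": acl.matches("partner.example", "203.0.113.10")}   # lookup 1
    clock["t"] = 30.0
    out["cached"] = acl.matches("partner.example", "203.0.113.10")    # within TTL, no lookup
    clock["t"], dns["down"] = 61.0, True
    out["stale"] = acl.matches("partner.example", "203.0.113.10")     # TTL expired, DNS down
    dns["down"], dns["ips"], clock["t"] = False, ["203.0.113.20"], 62.0
    out["refreshed"] = acl.matches("partner.example", "203.0.113.20") # DNS back, new address
    out["lookups"] = dns["calls"]
    return out
```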

Number 9: (AFM) ACL Flow Idle Timeout

If I’m pimping a feature that includes “idle timeout” then you know it must be hardcore. But check this out, it’s actually pretty slick.

Suppose you want to have shorter TCP timeouts for a certain application. Or suppose you want certain ports to have longer TCP timeouts, or no TCP timeouts. Here’s an example of a timer policy that gives SSH and Mobile SSH (mosh) infinite timeouts, but restricts FTP to a very short timeout.

Yes, it’s true that you could have done all of this before with specific timeout settings attached to each virtual server, but this Timer Policy allows a firewall administrator to do it all in the firewall policy. That way she doesn’t have to touch the application objects that might be owned by the dev or DevOps team.

The new timer policy can be per-rule, so the firewall administrator can make the timeout a function of the source IP address, which is not easy to do at the virtual server.

Read more about the new timer policy in Network Firewall Policies and Implementations.

Number 8: (AFM) Blacklisting Bad Actors in Hardware

Your nemesis is angry. You stole his girlfriend, Cherry, topped his high score on Galaga, and took customers from his second-rate website. He’s determined to get revenge, so he’s hired a bot army to flood your network with Christmas tree packets, IP fragments, and NXDOMAIN queries on your busiest day of the quarter. “Ba-ha!” he’s thinking, “that will get you!”

What he doesn’t know is that you’ve upgraded to BIG-IP version 12, which is going to foil his plan. Version 11.6.0 could automatically identify the IP addresses of bad actors (like each member of the bot army) as they flooded your network.

Version 12 puts the bad actor detection on steroids; as IP addresses get verified, BIG-IP pushes the bad actor IP into the custom firewall silicon for faster processing. By offloading the blacklisting to the silicon, the host CPU is freed to do even more packet analysis and application delivery.

Your nemesis’s plan will be foiled, while you and Cherry are dining at Burger Bistro for lunch. And then, of course, Netflix and chill. Smiley.

Number 7: (AFM) Sub-second IP Reputation Automation

You know how all your ex-girlfriends had terrible credit scores? Except that one, but she had that other issue. Okay maybe I’m talking about my ex-girlfriends. Whatever. Anyway, scoring people by their behavior is a time-honored technique for quantifying risk.

The cyber equivalent of credit scoring is IP reputation. IP addresses on the Internet can do all kinds of stuff, from streaming and browsing to running TOR exit nodes to phishing, hosting malware or running scanners. There are risk agents out on the Internet scoring each address by its behavior and recording the real-time scores in IP reputation databases.

BIG-IP can make drop decisions based on IP reputation through its IP Intelligence subscription feature. IP Intelligence receives reputation feeds from the risk agents every 10 minutes or so, but what if you had a need for something even faster than that?

V12 now includes programmatic support for feeding IP reputation scores directly into the firewall. When received, the firewall will begin matching the IP and acting on the score within one second. Fast enough for ya?

You can use any of the programmatic interfaces such as iControl (SOAP), REST, pyControl, or the TMOS shell API with this feature. Imagine a day when third-party IPS and DLP systems send block requests to the firewall on your load balancer. Nirvana!

The Access Policy Manager (APM) is among the most mature of all F5 security modules. Recognizing a user, authenticating against a server and connecting them is what APM was born to do. But today, APM is helping connect them to cloud services with SAML federation.

Number 6: (APM) ECP Profile Support for SAML (Office365 Compatibility)

Office365 is the next wave for Microsoft Office. Being properly cloud enabled means supporting the right cloud connectors.

Version 12 of APM brings support for the Office365 ECP Profile into an iApp. So now, deploying a SAML gateway for Office365 is as simple as answering a few questions and pressing a button.

The applications that support the ECP profile include:

· Microsoft Outlook 2010/2013 desktop client
· Apple iPhone
· Various Google Android devices
· Windows Phone 7, 7.8, and 8
· Windows 8 and 8.1 mail clients

Say goodbye to annoying logins when you launch into the cloud!

Number 5: (WebSafe) Remote Access Trojan (RAT) Detection

BIG-IP’s WebSafe module specializes in preventing fraud during online banking. For version 12, the development team has integrated Remote Access Trojan (RAT) detection into the WebSafe module to solve a specific problem.

With a remote access Trojan, an attacker compromises a user’s browser and then piggybacks a connection to the user’s online bank.

The RAT detection in WebSafe detects that second connection. I won’t talk about how exactly WebSafe makes that detection, because the area of online banking fraud has become an active arms race. But if you’re in fintech, know that you have another tool for fighting fraud.

Number 4: (ASM) Login Form Detection

The Application Security Manager (ASM) is BIG-IP’s Web Application Firewall. It’s an anti-hacking device for your apps, yo. Security hardcore feature #4 is another detection thing. Do you sense a theme here? Security administrators are already overworked, so the more that the infrastructure can do by itself to protect applications, the better, right?

ASM can now save you an extra step when you’re defining the policy for a new application. In version 12, ASM can automatically figure out which pages are login pages while in learning mode. That way it also discovers the login pages you forgot about (oops, there’s always one more).

To turn it on, follow the instructions for “Creating login pages automatically” on page 50 of the ASM Implementations guide for version 12.

The world is moving towards SSL everywhere, and BIG-IP terminates more SSL traffic than any other commercial vendor. As you would expect, version 12 has critical enhancements for the world’s go-to encryption protocol.

Number 3: Top Secret Ciphers

I would tell you about them, but then I would have to kill you. Haha, just kidding. Version 12 adds support for 384-bit Suite B ciphers. Suite B is the recommended set of cipher families for protecting data at various government classification levels. These levels include Confidential, Secret, and Top Secret. Protection at these levels is required for certain U.S. Federal Government institutions. The BIG-IP system now supports the 384-bit prime modulus curve and SHA-384.

Maybe it’s not a big deal for retail, but it’s close enough for government work.

Number 2: SSL Connection Mirroring

Connection mirroring is the process of relaying the state of individual network connections between two devices (typically an active and a standby device) such that if one device fails, the second device can pick up the connection where it left off. This allows for unimpeded flow of traffic and avoids a single-point-of-failure.

Connection mirroring for TCP is fairly common, especially among firewalls. SSL connection mirroring, though, is nearly unheard of, for several reasons: it requires shared SSL keys, it breaks forward secrecy and, lastly, most sites don’t actually need it. Hear me out.

Administrators have found that web connection mirroring (SSL or otherwise) is largely unnecessary due to the stateless and temporal nature of HTTP. The performance cost and additional latency added by full connection mirroring are rarely worth the benefit of fully mirrored connections for HTTP. This means that the number of valid applications for connection mirroring is a very small number indeed, and most F5 customers use it only for specific applications.

But for those customers that do have long-lived, low-bandwidth SSL connections, true SSL connection mirroring is finally here. Applications where you could start using it would include:

· SSL/VPN tunnels
· Automatic Teller Machines (ATM)
· VDI or VNC over TLS

The newly published SSL Recommended Practices (co-authored by yours truly) covers the three different ways to handle SSL failovers and helps you select the one that’s right for your application.

Okay, we've gone through nine of the Top Ten Hardcore Security Features of version 12. Are you ready for number one? ARE YOU READY?

Number 1: HTTP Strict Transport Security (HSTS) Easy Button

Years ago, famed hacker Moxie Marlinspike created the sslstrip tool, which silently downgrades browser connections so that they never establish an SSL connection with the target server. The sslstrip attack is simple.

An eavesdropper uses a rogue access point, or ARP poisoning, or some other man-in-the-middle technique to intercept your mother’s laptop or tablet at the coffee shop. She brings up her browser and types her bank’s name (mombank.com) in the address bar. The eavesdropper watches this happen. Mombank replies with a redirect to the login page, and it instructs her browser to use SSL. The redirect looks like https://www.mombank.com/login.cfm. The eavesdropper intercepts this redirect and simply removes the “s” from “https”.

Your mom’s browser then goes to the unencrypted login page, where she enters her password, which of course is just password1 because, your mom. The attacker sees her username and password, and later logs into mombank and steals all the money that she had set aside for your Christmas present.

The fix for this problem is HTTP Strict Transport Security (HSTS) – it’s just a security header in the HTTP protocol that instructs her browser to always use HTTPS when coming to the site. If mombank used HSTS, and if she had ever visited it before (from a more secure location, such as your house at Thanksgiving), her browser would always use SSL.

We used to implement this with a very simple iRule in BIG-IP, but found that customers weren’t adopting it as quickly as we thought they should. So we made HSTS a checkbox.

Version 12’s implementation of HSTS doesn’t support the new preload keyword. Preload lets browsers know that they should communicate a site’s willingness to prefer HTTPS to other browsers around the world. Until we get preload added to BIG-IP (already on the roadmap), you can manually add your site to Chrome’s preload list here.
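To show what the browser side of HSTS actually does with that header (the “if she had ever visited it before” part), here is a small Python model I added for this post; it is not browser or BIG-IP code. It parses a Strict-Transport-Security value, remembers the host for max-age seconds, and rewrites later http:// URLs to https:// so a stripped redirect never reaches the network. The mombank.com host and header values are constructed examples.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value: str):
    """Parse a Strict-Transport-Security header value into a policy dict.
    Returns None when max-age is missing or malformed (browsers ignore such headers)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":          # absent from a version 12 header, per the text above
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """Minimal model of a browser's HSTS cache (illustrative, not a real browser's code)."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}                 # host -> (expiry timestamp, include_subdomains)

    def remember(self, host: str, header_value: str) -> bool:
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        if policy["max_age"] == 0:       # max-age=0 tells the browser to forget the host
            self._hosts.pop(host, None)
            return True
        self._hosts[host] = (self._now() + policy["max_age"], policy["include_subdomains"])
        return True

    def _known(self, host: str) -> bool:
        labels = host.split(".")
        for i in range(len(labels)):     # exact host, then each parent domain
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and self._now() < entry[0] and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Return the URL the browser would really fetch: https if the host is remembered."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._known(parts.hostname or ""):
            return urlunsplit(("https",) + parts[1:])
        return url
```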

Whew! There you have it, the Top Ten Hardcore Security Features of BIG-IP 12. We’re already hard at work on the next version, and when it gets RTMed, you can bet I’ll be ready with the next Top Ten list.
