F5 User’s Group
IT agility. Your way.
Welcome! Introductions
Please introduce yourself:
• Name
• Title
• Company
• Your role: Application, Network or Security
• Requests? (optional)
F5 User’s Group Meeting, February 24th 2012: Agenda
• F5 Technology Update – What’s new in version 11.1
• How to use multiple SSL certificates with a single virtual server using SNI and SAN certificates
• Demo – Using Device Groups in version 11.x to automatically sync the BIG-IP config from Production to a DR site
• Customer speaker: Brian Deitch, Senior Security Engineer, Apollo Group – My favorite iRule; Cloaking your web presence
• Open roundtable discussion – your current and upcoming projects, and how others are solving similar problems
Version 11.1

DHCP Relay Configuration (diagram slides):
• Conventional DHCP Relay
• Chained DHCP Relay Agents
• Unicast DHCP Lease Renewal
• DHCP Secondary
Link Layer Discovery Protocol
• What is LLDP (IEEE 802.1AB)? Enables LAN devices to inform each other about their configurations.
• How is LLDP used? Troubleshooting.
• When is LLDP used? Typically in mixed-vendor environments, to discover other devices and their properties.
• Keep in mind that the optional TLVs below include the system name, system description and management address, so anything attached to the same segment learns the platform and where to reach its management plane; enable LLDP only on interfaces facing networks you control.
Optional LLDP TLVs
• Basic Management
  – (Type 4) Port Description (ifDescr OID)
  – (Type 5) System Name (sysName OID)
  – (Type 6) System Description (sysDescr OID)
  – (Type 7) System Capabilities (for example bridge or router)
  – (Type 8) Management Address (IP address of the local system)
• IEEE 802.1 (OUI 00-80-C2)
  – (Type 127, Subtype 1) Port VLAN ID
  – (Type 127, Subtype 2) PPVLAN ID (Port and Protocol VLAN ID, tagged/untagged)
  – (Type 127, Subtype 3) VLAN Name (dot1QVLANStaticName OID)
  – (Type 127, Subtype 4) Protocol Identity (protocols accessible)
• IEEE 802.3 (OUI 00-12-0F)
  – (Type 127, Subtype 1) MAC/PHY configuration status (duplex, autoneg etc.)
  – (Type 127, Subtype 3) Link Aggregation (whether enabled)
  – (Type 127, Subtype 4) Max Frame Size (MTU of the interface)
• F5 Networks (OUI 00-2F-0D)
  – (Type 127) Product Model (e.g. VIPRION)
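As an added example (not part of the slides and not F5 code), here is a Python encoder and decoder for the TLV types listed above, run over a constructed LLDPDU rather than a capture; the MAC address, host name, description, management IP and VLAN number in it are made up. The disclosure_report function pulls out the three TLVs that hand a neighbour your hostname, platform string and management address, which is the reason to leave LLDP disabled on interfaces you do not trust.

```python
import struct

# TLV type numbers from IEEE 802.1AB. Type 127 carries organizationally specific
# TLVs, identified by a 3-byte OUI followed by a 1-byte subtype.
TLV_NAMES = {
    0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
    4: "Port Description", 5: "System Name", 6: "System Description",
    7: "System Capabilities", 8: "Management Address", 127: "Organizationally Specific",
}
OUI_8021 = b"\x00\x80\xc2"
OUI_8023 = b"\x00\x12\x0f"
ORG_SUBTYPES = {
    (OUI_8021, 1): "Port VLAN ID", (OUI_8021, 2): "Port and Protocol VLAN ID",
    (OUI_8021, 3): "VLAN Name", (OUI_8021, 4): "Protocol Identity",
    (OUI_8023, 1): "MAC/PHY Configuration/Status", (OUI_8023, 3): "Link Aggregation",
    (OUI_8023, 4): "Maximum Frame Size",
}
CAPABILITY_BITS = {0x01: "Other", 0x02: "Repeater", 0x04: "Bridge", 0x08: "WLAN AP",
                   0x10: "Router", 0x20: "Telephone", 0x40: "DOCSIS", 0x80: "Station"}
DISCLOSING_TYPES = {5, 6, 8}   # hostname, platform string, management IP


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length packed into two bytes, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_lldpdu():
    """Constructed LLDPDU (not a capture); the MAC, names and addresses are made up."""
    return b"".join([
        tlv(1, b"\x04" + bytes.fromhex("0001d7aabbcc")),        # chassis subtype 4 = MAC address
        tlv(2, b"\x05" + b"1.1"),                                 # port subtype 5 = interface name
        tlv(3, struct.pack("!H", 120)),                           # TTL in seconds
        tlv(4, b"1.1"),
        tlv(5, b"bigip1.example.com"),
        tlv(6, b"BIG-IP 3900 : TMOS 11.1.0 (constructed sample)"),
        tlv(7, struct.pack("!HH", 0x0014, 0x0014)),               # capable/enabled: Bridge + Router
        # addr-string length (subtype + 4 bytes), IPv4 subtype 1, address,
        # interface numbering subtype 2 (ifIndex), ifIndex 1, empty OID
        tlv(8, b"\x05\x01" + bytes([10, 1, 1, 1]) + b"\x02" + struct.pack("!I", 1) + b"\x00"),
        tlv(127, OUI_8021 + b"\x01" + struct.pack("!H", 100)),    # Port VLAN ID 100
        tlv(127, OUI_8023 + b"\x04" + struct.pack("!H", 9216)),   # Maximum Frame Size (jumbo)
        tlv(0, b""),
    ])


def decode_value(tlv_type, value):
    """Decode the value field of the TLV types on the slide; anything else comes back as hex."""
    if tlv_type in (4, 5, 6):
        return value.decode("ascii", "replace")
    if tlv_type == 3:
        return struct.unpack("!H", value[:2])[0]
    if tlv_type in (1, 2):
        if len(value) < 2:
            raise ValueError("identifier TLV too short")
        subtype, ident = value[0], value[1:]
        is_mac = (tlv_type, subtype) in ((1, 4), (2, 3))
        return (subtype, ident.hex() if is_mac else ident.decode("ascii", "replace"))
    if tlv_type == 7:
        _capable, enabled = struct.unpack("!HH", value[:4])
        return sorted(name for bit, name in CAPABILITY_BITS.items() if enabled & bit)
    if tlv_type == 8:
        addr_len, addr_subtype = value[0], value[1]
        addr = value[2:1 + addr_len]                              # addr_len counts the subtype byte
        return ".".join(map(str, addr)) if addr_subtype == 1 else addr.hex()
    if tlv_type == 127:
        oui, subtype, info = value[:3], value[3], value[4:]
        name = ORG_SUBTYPES.get((oui, subtype), "OUI %s subtype %d" % (oui.hex(), subtype))
        if (oui, subtype) in ((OUI_8021, 1), (OUI_8023, 4)):      # both carry one 16-bit number
            info = struct.unpack("!H", info[:2])[0]
        return (name, info)
    return value.hex()


def parse_lldpdu(data):
    """Walk the TLV chain; return [(type, name, decoded)] and refuse malformed framing."""
    pos, tlvs = 0, []
    while pos + 2 <= len(data):
        header = struct.unpack("!H", data[pos:pos + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length %d runs past the end of the PDU" % length)
        pos += 2 + length
        if tlv_type == 0:
            return tlvs                                           # End of LLDPDU closes the chain
        tlvs.append((tlv_type, TLV_NAMES.get(tlv_type, "Reserved"), decode_value(tlv_type, value)))
    raise ValueError("missing End of LLDPDU TLV")


def disclosure_report(data):
    """What a neighbour on the segment learns from the PDU: hostname, platform and management IP."""
    return {name: decoded for tlv_type, name, decoded in parse_lldpdu(data)
            if tlv_type in DISCLOSING_TYPES}
```

The 9-bit length field is what makes truncated or oversized TLVs detectable: a length that runs past the end of the PDU is a malformed frame and is rejected rather than silently read as zeros.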
LLDP General Options
Remote Syslog Configuration in the GUI
V11.1: iRules signed
V11.1: new user roles, iRule Manager and Auditor (v11.0.0 and v11.1.0 role lists compared). iRule Manager lets you delegate iRule editing without handing out Administrator; Auditor is read-only over the whole configuration.
V11.1: iFiles for iRules
V11.1: Classification
Jumbo Frame Support
SNMPv3 Encryption (a privacy protocol for SNMPv3 users, i.e. authPriv rather than authNoPriv)
What Has Been Missing? BIG-IP Now Certified as Network Firewall
(diagram: User Access, App Security, Data Protection, Network Security)
BIG-IP ASM v11.1
• Improved granular web application visibility:
  – Session-based enforcement and reporting (Session Awareness)
  – Grouping of violations with Violation Correlation
  – View requests as valid or attack with Response Capturing
  – Troubleshoot performance and capacity issues with virtual server CPU statistics
• Greater vulnerability assessment and application protection:
  – Advanced vulnerability assessment and application protection with new vulnerability scanners: IBM Rational AppScan, Cenzic Hailstorm, Qualys QualysGuard WAS (WhiteHat Sentinel available since v10.1)
• Fast geolocation application protection: geolocation-based blocking (down to state or region)
• Infrastructure enhancements:
  – ASM 64-bit support (64-bit OS support)
  – IPv6 ASM support: correctly manage and protect IPv6 traffic
  – Route Domains support: aligning ASM with Route Domains
• GUI enhancements:
  – Deployment wizard to secure a virtual server
  – Dynamic report definition (e.g. top attacked URLs out of top websites)
  – Colours highlight different severities
BIG-IP APM v11.1: Simplified Access for Citrix XenApp
• Eliminate Web Interface servers, NetScalers and STA
• Single policy and configuration setup, SSO for all clients
• Remove troubleshooting complexity
• First to support multi-stream ICA
• Eliminates XenApp Services Sites
• RSA 2-factor with Citrix Receiver
• Session reliability for network interruptions
(diagram: mobile and internal users running Citrix Receiver, BIG-IP Local Traffic Manager + Access Policy Manager, Citrix XML Brokers, Directory, Auth Mgmt; label: CapEx and OpEx)
BIG-IP APM v11.1: Unified VDI Architecture
We deliver VDI just like any other application.
• Present OWA and VMware View next to Citrix apps in Portal mode
• Improved scale and reliability
• Better user experience + SSO
• Simplified deployment
• Improved quality of real-time applications
(diagram: local and remote users, BIG-IP APM, directories, virtual desktops on Hyper-V, vSphere and other hypervisors)
BIG-IP WebAccelerator v11.1

Module Support (performance by platform: L7 requests/s, L4 connections/s, throughput)
• Virtual Editions: 200M and 1G TPUT
• BIG-IP 1600: 100k L7 RPS, 60K L4 CPS, 1G L7/L4 TPUT
• BIG-IP 3600: 135k L7 RPS, 115K L4 CPS, 2G L7/L4 TPUT
• BIG-IP 3900: 400k L7 RPS, 175K L4 CPS, 4G L7/L4 TPUT
• BIG-IP 6900, 6900F, 6900S: 600k L7 RPS, 220K L4 CPS, 6G L7/L4 TPUT
• BIG-IP 8900, 8900F, 8950, 8950S: up to 1.9M L7 RPS, up to 800K L4 CPS, up to 20G TPUT
• BIG-IP 11000, 11000F, 11050, 11050F: 2.5M L7 RPS, 1M L4 CPS, up to 42G TPUT
• VIPRION 2400: 1M-4M L7 RPS, 400K-1.6M L4 CPS, 18G-72G L7 / 40G-160G L4 TPUT (1 blade to a full chassis)
• VIPRION 4400: 1.6M-6.4M L7 RPS, 700K-2.8M L4 CPS, 18G-72G L7/L4 TPUT (1 blade to a full chassis)
Designation after platform: F = FIPS, S = Turbo SSL
The diagram also marks how many add-on modules each platform supports (LTM + 1, LTM + 2, LTM + 3) and vCMP.
SNI and SAN
What is Server Name Indication (SNI)?
• An extension to Transport Layer Security (TLS)
• Adds a ServerName field (the server_name extension) to the Client Hello
• RFC 4366, section 3.1: http://tools.ietf.org/html/rfc4366#section-3.1 (since superseded by RFC 6066, section 3)
• Allows dynamic server certificate selection: one virtual server, many certificates
• The name travels in the clear in the Client Hello, before any key exchange, so anyone on the path sees which site the client asked for; this is also why it can be checked with Wireshark
How SNI Works
Both names resolve to one virtual server, 10.1.1.1:443:
• https://test01.example.com: Client Hello with ServerName test01.example.com; BIG-IP answers with Server Hello and the certificate CN=test01.example.com
• https://test02.example.com: Client Hello with ServerName test02.example.com; BIG-IP answers with Server Hello and the certificate CN=test02.example.com
Client-side Profile Configuration
Virtual Configuration
Verifying Clientssl Configuration

The two client-ssl profiles as tmsh shows them; only test01.example.com carries sni-default true:

    ltm profile client-ssl test01.example.com {
        app-service none
        cert test01.example.com.crt
        defaults-from clientssl
        key test01.example.com.key
        server-name test01.example.com
        sni-default true
        sni-require false
    }

    ltm profile client-ssl test02.example.com {
        app-service none
        cert test02.example.com.crt
        defaults-from clientssl
        key test02.example.com.key
        server-name test02.example.com
        sni-default false
        sni-require false
    }

Check each name with openssl s_client, sending the matching ServerName:

    openssl s_client -servername test01.example.com -connect test01.example.com:443
    Server certificate
    subject=/C=US/ST=WA/L=Seattle/O=IT/OU=iRule Development/CN=test01.example.com
    issuer=/C=US/ST=WA/L=Seattle/O=IT/OU=iRule Development/CN=test01.example.com

    openssl s_client -servername test02.example.com -connect test02.example.com:443
    Server certificate
    subject=/C=US/ST=WA/L=Seattle/O=IT/OU=iRule Development/CN=test02.example.com
    issuer=/C=US/ST=WA/L=Seattle/O=IT/OU=iRule Development/CN=test02.example.com

Now send a name that does not match the address, and then no ServerName at all:

    openssl s_client -servername test02.example.com -connect test01.example.com:443
    openssl s_client -connect test03.example.com:443

Why is this responding with test01.example.com? BIG-IP selects the client-ssl profile by the ServerName the client sends, not by the address the client connected to. A Client Hello that carries no SNI, or a name that no profile's server-name matches, falls back to the profile marked sni-default true, which here is test01.example.com. (Connecting to test01's address while sending ServerName test02 still returns test02's certificate, as long as both names point at the same virtual server.) If clients without SNI should be refused rather than quietly handed the default certificate, set sni-require true on the default profile.
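An added example, not from the slides and not F5 code: a Python model of both halves of the exchange above. It builds a Client Hello with or without the server_name extension, parses the extension list the way the SSL::extensions iRule command later in the deck exposes it, and applies the selection rule the two profiles imply. The profile list mirrors the tmsh output; the bytes are constructed, not captured; and sni-require is modelled as refusing clients that send no server name, which is its documented effect on the default profile.

```python
import struct

SNI_EXT = 0   # server_name extension type (RFC 6066 section 3, formerly RFC 4366 section 3.1)


def build_client_hello(server_name=None):
    """Constructed TLS 1.2 ClientHello record (not a capture), with an optional SNI extension."""
    body = b"\x03\x03" + bytes(32)                         # client_version, random (zeroed here)
    body += b"\x00"                                        # session_id: empty
    body += b"\x00\x02\xc0\x2f"                            # cipher_suites: one entry
    body += b"\x01\x00"                                    # compression_methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # NameType host_name(0), length, name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    exts += struct.pack("!HH", 0xFF01, 1) + b"\x00"        # renegotiation_info, a second extension
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_extensions(record):
    """Return {extension_type: data} from a ClientHello record, rejecting malformed framing."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                           # skip client_version and random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    if pos == len(body):
        return {}                                          # client sent no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions length does not match ClientHello length")
    exts = {}
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated extension header")
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + length > end:
            raise ValueError("extension overruns ClientHello")
        exts[ext_type] = body[pos:pos + length]
        pos += length
    return exts


def server_name_from(exts):
    """The host_name entry of the server_name extension, or None when the client sent none."""
    data = exts.get(SNI_EXT)
    if data is None or len(data) < 2:
        return None
    end = 2 + struct.unpack("!H", data[:2])[0]
    pos = 2
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        if name_type == 0:
            return data[pos + 3:pos + 3 + name_len].decode("ascii")
        pos += 3 + name_len
    return None


# The two client-ssl profiles from the tmsh output above, attached to one virtual server.
PROFILES = [
    {"name": "test01.example.com", "server-name": "test01.example.com",
     "sni-default": True, "sni-require": False},
    {"name": "test02.example.com", "server-name": "test02.example.com",
     "sni-default": False, "sni-require": False},
]


def select_profile(profiles, sni):
    """An exact server-name match wins; otherwise the sni-default profile answers, except that
    a default profile with sni-require set refuses clients that sent no server name at all."""
    for profile in profiles:
        if sni is not None and sni.lower() == profile["server-name"].lower():
            return profile["name"]
    default = next((p for p in profiles if p["sni-default"]), None)
    if default is None or (sni is None and default["sni-require"]):
        return None
    return default["name"]


def negotiate(profiles, client_hello):
    """Both halves of the exchange: parse the hello, pick the profile, return whose certificate goes back."""
    return select_profile(profiles, server_name_from(parse_extensions(client_hello)))
```

negotiate(PROFILES, build_client_hello(None)) reproduces the test03 case on the slide: no server name, so the sni-default profile's certificate is the one sent.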
Server-side Profile Configuration
Verifying SNI with Wireshark
SNI requires browser support
• Internet Explorer 7 or later, on Windows Vista or higher. Does not work on Windows XP, even with Internet Explorer 8 (Windows XP has no native SNI support)
• Mozilla Firefox 2.0 or later
• Opera 8.0 or later (the TLS 1.1 protocol must be enabled)
• Opera Mobile, at least version 10.1 beta on Android
• Google Chrome (Vista or higher; OS X 10.5.7 or higher on Chrome 5.0.342.1 or newer)
• Safari 2.1 or later (Mac OS X 10.5.6 or higher and Windows Vista or higher)
• Konqueror/KDE 4.7 or later
• MobileSafari in Apple iOS 4.0 or later
• Android default browser on Honeycomb or newer
• Windows Phone 7
New iRule Events
Client side events:
• CLIENTSSL_CLIENTHELLO: triggered when a Client Hello is received on a virtual server.
Server side events:
• SERVERSSL_CLIENTHELLO_SEND: triggered before a Client Hello message is sent to the pool member.
• SERVERSSL_SERVERHELLO: triggered when a Server Hello is received from the pool member.
(diagram: Client Hello from the client to BIG-IP, Client Hello from BIG-IP to the pool member, Server Hello back)
New iRule Commands
• SSL::extensions
• SSL::extensions count
• SSL::extensions -index <extension number>
• SSL::extensions -type <extension type value>
• SSL::extensions exists -type <extension type value>
• SSL::extensions insert <tcl byte array>
• Valid in the CLIENTSSL_CLIENTHELLO and SERVERSSL_CLIENTHELLO_SEND events
What is a SAN? (RFC 4985)
• Subject Alternative Name: an additional extension that can be added to an X.509 certificate, defined in RFC 3280 (now RFC 5280), section 4.2.1.7
• Multiple hosts can be secured with a single certificate.
• For web servers the dNSName entries are what browsers match; the extension can also carry IP addresses, e-mail addresses and URIs.
• If present, it must contain at least one entry (RFC 3280).
• When a SAN with dNSName entries is present, browsers use it and ignore the CN (RFC 2818), so the CN must be repeated in the SAN list.
• RFC 4985, authored by an engineer at Microsoft, adds the SRVName form, which lets an intermediary certify whether a particular host is authorized to supply a specific service.

SSL Certificate with SAN
SNI, SAN or Wildcard?
• Wildcard certificates are easy, but a wildcard covers one label under one domain. What if you need a different top-level domain?
• SNI is the most flexible, but has the browser limitations listed above.
• A SAN certificate covers several names, but they all belong to the same certificate owner. What if you host different customers?
• What do you use in your environment? Your thoughts?
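An added example, not from the slides: hostname matching as browsers perform it (RFC 2818 and RFC 6125 rules) against certificates modelled as a CN plus a SAN list, which is enough to show why a wildcard stops at one label and one domain, why a CN that is not repeated in the SAN stops matching, and which of the three options fits a given set of names. Certificates are plain dicts so it runs without a TLS library; all names are made up.

```python
def _normalize(name):
    """Lower-case and drop a trailing dot, as browsers do before comparing DNS names."""
    return name.rstrip(".").lower()


def dns_name_matches(pattern, hostname):
    """RFC 6125 style dNSName match: '*' is allowed only as the entire leftmost label and
    matches exactly one label, so it never crosses a dot and never stands for a whole domain."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert, hostname):
    """cert is {'cn': str, 'san': [dNSName, ...]}. When a SAN list is present it is authoritative
    and the CN is ignored (RFC 2818), so a CN that is not repeated in the SAN does not match."""
    sans = cert.get("san") or []
    if sans:
        return any(dns_name_matches(san, hostname) for san in sans)
    return dns_name_matches(cert.get("cn", ""), hostname)


def choose_strategy(hostnames, same_owner=True):
    """The slide's decision: one wildcard when every name sits one label under the same parent,
    one SAN certificate when the names differ but the owner is the same, otherwise separate
    certificates selected by SNI."""
    names = [_normalize(h) for h in hostnames]
    parents = {n.split(".", 1)[1] for n in names if "." in n}
    if len(parents) == 1 and all(n.count(".") >= 2 for n in names):
        return "wildcard"
    return "san" if same_owner else "sni"
```

The length check in dns_name_matches is the whole reason a wildcard cannot reach a different top-level domain or a deeper subdomain: *.example.com has three labels, so it matches only hostnames with exactly three labels whose last two are example.com.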
HA in version 11

HA and Failover in v9-v10
(diagram: Active/Standby and Active/Active pairs)
Current model (traditional v9 and v10):
• Only two modes: Active-Standby and Active-Active
• Active-Standby
  – Traditional and recommended mode under these versions
  – Customers always asked why they had to pay full price for a standby unit
• Active-Active
  – Difficult to configure and maintain
  – Had to assign unit number 1 or 2 to listeners to determine the active unit
• Two failover options: hardware failover and network failover
Other High Availability Menu Items
• Stateful failover can mirror the following on active/standby pairs:
  – connections, both TCP and UDP
  – connection qualities, such as persistence data
• Once Redundant Pair is selected, the following menu items appear:
• Floating IPs: Network > Self IPs > Floating IPs; MAC Masquerading (VLANs GUI)
• Persistence Mirroring: only persistence records created after the checkbox is selected are mirrored
• SNAT Connection Mirroring: only SNAT records created after the checkbox is selected are mirrored
• Virtual Server Connection Mirroring
  – Duplicates the active system's real-time connection and/or persistence information on the standby system
  – Mirroring can be resource intensive; use it for long-lived sessions (e.g. FTP, TELNET, default gateway pools)
Synchronizing Configurations in v9 and v10
• Syncing the failover pair: System >> High Availability >> ConfigSync
  – By default the synchronization process uses the admin account, so the admin password must be the same on both BIG-IPs in a pair
  – Sync is NOT automatic; it can be push or pull
• How synchronization works:
  – An archive of the configuration (.ucs file) is created on the source BIG-IP
  – The archive is transferred to the BIG-IP to be synchronized
  – The BIG-IP to be synchronized runs the restore process on the received archive
  – bigip_base.conf (base network config) is not part of the config sync restore process
How Things Have Changed
(diagram: an Active/Standby pair next to an Active/Standby/Standby/Active cluster)
Current model (traditional): 1. Active/Standby 2. Active/Active
New model: 1. Active/Standby 2. Active/Active 3. Active/Active/Standby, and many, many more: 4. Active/Active/Active/Active 5. Active/Active/Active/Standby 6. Active/Active/Active/Standby/Standby
Not really new, just ... extended.

Device Service Cluster (DSC)
Device Objects
• By default, each device starts with a "bigip1" device object
• The device name can be changed via the Setup utility or the GUI
• If the name of the object is changed, reset the trust domain to regenerate the local certificate (only necessary when the name changed)
Device Trust Group
• Once a device object is configured it can be added to a trust group
• A trust group is a relationship between BIG-IP device objects based on mutual authentication and certificate exchange
• The foundation for everything inter-device: configuration synchronization and failover
• Centralized trust management in a distributed manner; it is a full mesh
• For this release, F5 recommends using the default "Root" domain and making all devices "Peer Authorities"
• Establishes the communication channel and standard API
• Since a peer authority can sign and add further devices to the trust, and sync pushes whole configurations, treat every peer's admin credentials and device certificate as cluster-wide credentials
Device Trust: Configuration
Trust is created on the requesting device and on the peer device.
Device Groups
• Logical grouping of trusted device objects
• All or part of the configuration is synced across device sets
• Two types: Sync-Only and Sync-Failover
(diagram: device groups inside a trust domain)
Sync-Only Device Groups
• Flexible membership: different hardware platforms, different licenses/modules
• Can be configured to auto-sync objects
• A maximum of 32 Sync-Only groups is supported
• Device trust uses the built-in "device_trust_group": auto-sync is enabled, and adding a device to the trust domain auto-adds it to device_trust_group
(diagram: a Sync-Only device group spanning GTM, EM, ASM and LTM + GTM devices)
Device Groups: Sync-Only
Sync of common objects in the configuration: certificates, CRLs, data groups, external monitors, iApps, iRules, policies, profiles
Sync-Failover Device Groups
• Logical grouping of HA devices
• F5 provides N+M redundancy: N active units + M standby units
• Mirroring allows only two devices in the device group
• Requires a homogeneous device group: same hardware, same license/modules (not strictly enforced)
• Only one per device
(diagram: Sync and Failover Device Group (N+M) with three active units and one standby)
Inter-Device Communications
• Configuration synchronization
  – Requires a configsync IP on each device in the device group
  – Uses TCP port 4353
  – No longer uses archive files; MCP now sends out just the changes
• Failover (HA)
  – Either unicast or multicast IP
  – Mult­icast is still restricted to the management interface (eth0)
  – Defaults to UDP port 1026
  – Can be configured with multiple unicast addresses, which increases HA resilience (e.g. against a link failure)
• Both configsync and failover are connected in a full mesh
• The self IPs used must allow these ports: port lockdown "Allow Default" includes TCP 4353 and UDP 1026, but with "Allow None" or a custom list you must add them explicitly
Device Groups
• The device group is created on all device objects in the group
• Other configsync information is NOT pushed over
• The full configsync needs manual intervention
• Remember: in sync-failover groups, synchronization is manual
Traffic Groups
• An entirely new concept with no predecessor
• A collection of listeners (IP addresses) for failover: virtual address, GTM listener, self IP address, SNAT, NAT, anything previously assigned a unit ID
• The basis for what objects fail over where; keeps related objects grouped together logically; allows granular failover
• Two types: non-floating and floating
• Used to provide HA of an application
Non-floating Traffic Groups
• Only one per device: traffic-group-local-only
• Listeners which are explicitly bound to the device
• Objects stored in bigip_base.conf (in v10: bigip_base.conf and bigip_local.conf)
• Other listeners can be placed here
Floating Traffic Groups
• Listeners which float between devices (HA)
• traffic-group-1 is built in
• Each traffic group is active on a single unit at a time, which means a listener is only active on a single unit
• A traffic group can support multiple listeners
• MAC masquerade is configured on the traffic group
• Maximum of 15 traffic groups per device group (enforced in the product)
• Configured under "Network" in the GUI
Configuring Traffic Groups
• "traffic-group-1" is created by default, and by default listeners are assigned to traffic-group-1
Assigning Listeners to Traffic Groups
• Assign virtual servers via the "virtual address" properties
Other Listeners to Traffic Groups
Active/Standby (A/S)
• v10 upgrades use this scenario
• A sync-failover device group will be created with the device and its HA pair included
• All traffic objects (VIPs, SNATs, NATs and self IPs) will be assigned to a single traffic group
• The active unit will be marked as the default device
• Mirroring is allowed
(diagram: Device Group 2, type Sync-Failover, Device 1 and Device 2; Traffic Group 1 holds VIP 1-4, default device Device 1)
Active/Active (A/A)
• Create a secondary traffic group
• Assign traffic objects to the new group
• Set the new traffic group's default device to Device 2
• Remember: all traffic objects associated with an application should be members of the same traffic group
(diagram: Device Group 2, type Sync-Failover, Device 1 and Device 2; Traffic Group 1 holds VIP 1-2, default device Device 1; Traffic Group 2 holds VIP 3-4, default device Device 2)
Clustering (A/A/S... and beyond!)
• Set up the configsync and HA configuration and add the new device to the trust
• Assign the new device to the sync-failover device group and sync to the new device
• Adjust traffic group membership and default devices accordingly
Reminders:
• GTM can only monitor device groups of two or fewer LTMs.
• State mirroring is only supported between two devices.
(diagram: Device Group 2, type Sync-Failover, Devices 1 to 3; Traffic Group 1 holds VIP 1-4 and Traffic Group 2 holds VIP 5-8, both with default device Device 1; Traffic Group 3 holds VIP 9-12, default device Device 3)
Demo: sync-only Device Group
1. Assign objects to a Sync-Only Device Group
   a. Partitions
   b. Module configuration: ASM policy synchronization
   c. Folders, via tmsh
I want to learn more: http://f5university.com
Introduction
Brian Deitch, Sr. Security Engineer
Topics:
• My favorite iRule
• Cloaking your web presence
My favorite iRule
History of what happened
My favorite iRule

    when HTTP_REQUEST {
        # Look for the problematic cookie
        if { [HTTP::cookie exists "__utmz"] } {
            # Carry the old cookie's value to the server under a new name
            # (HTTP::cookie insert takes name/value keyword pairs)
            HTTP::cookie insert name "F5 Modification" value [HTTP::cookie value "__utmz"]
            # Delete the problematic cookie
            HTTP::cookie remove "__utmz"
        }
    }
Cloaking your web presence
Why would you want to do this? Information found in HTTP headers:
• Type of web server
• Type of server operating system
• Application version, e.g. .NET, PHP, etc.
• And more...
Cloaking your web presence

    curl -I -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30" http://somewebsite.com

-A sends a browser User-Agent so that servers which vary their answer by client behave as they would for a real browser. -I issues a HEAD request; since some servers answer HEAD differently from GET, repeat the check with a GET and dump only the headers: curl -sS -D - -o /dev/null -A "..." http://somewebsite.com
Cloaking your web presence: examples (screenshots of response headers)
• Netflix
• United Airlines
• Capital One
• Microsoft Live & MSN
• ING Direct
• Rename the default F5 cookie
Cloaking your web presence

Scrubbing the response with an iRule:

    when HTTP_RESPONSE {
        # Remove all instances of the Server header
        HTTP::header remove Server
        # Remove all headers starting with x-
        # (note that this also strips X-Frame-Options, X-Content-Type-Options and
        # X-XSS-Protection; exempt those if the application sets them)
        foreach header_name [HTTP::header names] {
            if { [string match -nocase x-* $header_name] } {
                HTTP::header remove $header_name
            }
        }
    }

Source: http://devcentral.f5.com/wiki/iRules.remove_x_headers_from_web_server_response.ashx

The same iRule, also dropping the cookie named "k" from the response:

    when HTTP_RESPONSE {
        # Remove all instances of the Server header
        HTTP::header remove Server
        # Drop the "k" cookie from the Set-Cookie headers
        HTTP::cookie remove "k"
        # Remove all headers starting with x-
        foreach header_name [HTTP::header names] {
            if { [string match -nocase x-* $header_name] } {
                HTTP::header remove $header_name
            }
        }
    }

And a variant that replaces the Server header with a decoy value instead of removing it (HTTP::header insert takes the header name followed directly by its value):

    when HTTP_RESPONSE {
        # Remove all instances of the Server header, then insert a decoy
        HTTP::header remove Server
        HTTP::header insert Server "'; DROP TABLE servertypes; --"
        # Remove all headers starting with x-
        foreach header_name [HTTP::header names] {
            if { [string match -nocase x-* $header_name] } {
                HTTP::header remove $header_name
            }
        }
    }
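An added example, not the presenter's code: a Python version of the checks behind the curl -I and iRule slides, run over a constructed response head (no real site's headers). It reports the fingerprinting headers, decodes the default BIG-IP persistence cookie, whose value encodes the pool member's IP and port (the format and the sample value follow F5's own documentation), shows that the iRule's x-* wildcard also throws away X-Frame-Options, and then scrubs with an allowlist that keeps the security headers.

```python
# Response headers that identify the server software, framework or load balancer.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "via"}
# Headers that also start with X- but protect the browser; the iRule's x-* wildcard drops them too.
KEEP_X_HEADERS = {"x-frame-options", "x-content-type-options", "x-xss-protection"}
# Name prefix of the default BIG-IP cookie persistence cookie.
F5_COOKIE_PREFIX = "bigipserver"

# Constructed response head in the shape `curl -I` prints; not taken from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/\r\n"
    "Set-Cookie: session=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw response head into the status line and an ordered list of (name, value)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return status, headers


def decode_bigip_cookie(set_cookie_value):
    """The default (unencrypted) persistence cookie encodes the pool member as two
    little-endian decimals, IP then port, followed by a zero field."""
    raw = set_cookie_value.split("=", 1)[1].split(";")[0]
    ip_num, port_num, _pad = raw.split(".")
    ip = ".".join(str(b) for b in int(ip_num).to_bytes(4, "little"))
    port = int.from_bytes(int(port_num).to_bytes(2, "little"), "big")
    return ip, port


def disclosures(headers):
    """What an anonymous client learns from the response head."""
    found = {}
    for name, value in headers:
        lname = name.lower()
        if lname in FINGERPRINT_HEADERS:
            found[name] = value
        elif lname == "set-cookie" and value.lower().startswith(F5_COOKIE_PREFIX):
            found["pool member"] = "%s:%d" % decode_bigip_cookie(value)
    return found


def scrub_naive(headers):
    """The slide's iRule, line for line: remove Server and every header whose name starts with x-."""
    return [(n, v) for n, v in headers
            if n.lower() != "server" and not n.lower().startswith("x-")]


def scrub(headers, cookie_prefix=F5_COOKIE_PREFIX):
    """Remove the fingerprinting headers and the persistence cookie; keep the X- security headers."""
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname in FINGERPRINT_HEADERS:
            continue
        if lname.startswith("x-") and lname not in KEEP_X_HEADERS:
            continue
        if lname == "set-cookie" and value.lower().startswith(cookie_prefix):
            continue
        kept.append((name, value))
    return kept
```

decode_bigip_cookie is the reason "rename the default F5 cookie" is only half a fix: a renamed cookie no longer announces BIGipServer, but its value still decodes to the internal pool member address and port. Encrypting the cookie (the persistence profile's cookie encryption where the version offers it, or an iRule) is what actually hides the backend.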
Discussion, Q & A

Open Roundtable Discussion
• VDI
• PCI
• DR
• SSO
• Exchange migration
• Mobile Access
• DDoS

Thank You! Please fill out a survey.