WirelessPhreak.com

I like to travel, f*ck with technology, and partake in the occasional tropical drink.
I am also a co-host on The NBD Show podcast.
Follow Me
Showing posts with label F5. Show all posts
Showing posts with label F5. Show all posts

 

So the F5 is a tricky beast often refereed to as the swiss army knife of network appliances. The appliances primary role in many networks is to load balance and is a beast negotiating SSL. That being said its not always easy to determine how to configure the clients SSL profiles to be secure and still service the public. F5s documentation is helpful but designed to be vague because cipher suites and browser support is always changing. https://support.f5.com/csp/article/K8802

 

SSL Labs has become the de-facto to use tool that helps the public understand the nuances of SSL by giving an easy to understand letter grade, https://www.ssllabs.com . The website runs a multitude of tests from insuring your certificate is chained correctly to end device OS and browser simulations, to commonly found vulnerability testing. The down fall of having such a sophisticated tool issuing a simple letter score, is not every environment can be configured for an A or B plus.

 

So I wanted to through an F5 Client SSL Profile out there that at the time of testing got a solid A- and still supported a ton of OS and browser combinations. You will mostly want to keep the defaults but I will highlight what changes you will want to make to get an A. You will need to select Advanced to see some of these settings.


  • The first step is to add your public certificate and the intermediate certificates if applicable as well as the key.
    •  this is what create the certificates chain
  • Next you will want to customize the Ciphers that will be used by the F5 to negotiate SSL with the client. This is where 99% of the magic will happen.
    • DEFAULT:HIGH: (are pre canned cipher settings created by F5, the additional settings are additional customization.
    • !RSA: Do not use RSA ciphers
    • !SSLV3: Do not use SSL version 3
    • !RC4: Do not use RC4 ciphers
    • !EXP: Do not use Cipher length of 40 or 56 bits export strength
    • !DES: Do not use Des or triple Des ciphers
    • !TLSv1_1: Do not use TLS version 1.1
    • !TLSv1: Do not use TlS version 1.0
    • !ADH: Do not use ADH ciphers
    • !EXPORT: Do not use EXPORT grade (weak) ciphers
    • !SHA: Do not use Message Authentication Code SHA 128
  • The complete string looks like this:
    • DEFAULT:HIGH:!RSA:!SSLV3:!RC4:!EXP:!DES:!TLSv1_1:!TLSv1:!ADH:!EXPORT:!SHA
  • Lastly you will want to set up strict SSL renegotiation:
    • Check the  Renegotiation box
    • Next set Secure Renegotiation to "Require Strict"

 

From here save your SSL client profile, apply it to a public accessible virtual server, and run SSL labs against your server. Its kind of fun testing and playing around to see what modifying the cipher settings.

 

Enjoy. 

     


Fun F5 Troubleshooting 

Test your HTTP keep alive from the F5 CLI:
Using curl:
     curl -vvv -H "Host: domain.com" -H "Connection: Close" -H "User-Agent:" -H "Accept:" serverip:port/uripath.html

Using Telnet:
telnet serverip port
Then copy the first half of your keep alive
     GET /uripath.html

From the above listed commands you should see exactly what the F5 is receiving  when it sends a keep alive.  From the returned http request you can determine the best data to use for a receive string.


Since the F5 app for spunk has been abandoned I have been playing around with a simple F5 Splunk dashboard. This dashboard can be a quick one-stop health view for any application being load balanced by the F5.

Prerequisites are:
  • Your F5 LTM and or ASM are logging HSL (high-speed logging) to Splunk. (ASM is not a requirement)
  • Configure an HSL pool that includes the Splunk logging servers.
  • Configure the newest iRule on your F5 for logging to Splunk.
  • Associate the new logging iRule with virtual servers you want to monitor. 
  • Lastly set up an ASM logging profile to sending to Splunk. 

You can reference the documentation below to configure your F5 to log to Splunk.
 https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup

Once that is complete you can create a new dashboard in Splunk. Then copy and paste the dashboard source code I have uploaded on my GitHub repository. Once you save the dashboard you should be able to type in the URL of the application you want to monitor, the corresponding F5 pool name and the time frame you are interested in.

GitHub link:
 https://github.com/wirelessphreak/F5-Dashboard-for-Splunk

If you have improvements or comments please let me know. This is a work in progress and I am always looking to make it better.




Two cool new exploits have been released complete with cool names and graphics. Welcome Meltdown and Spectre, these critical vulnerabilities exploit pretty much all modern processors. Even though these hardware vulnerabilities have been around forever, four independent groups of researchers discovered these vulnerabilities simultaneously. Meltdown and Spectre at a high level allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. But what about our network and security equipment using modern processors, are they vulnerable? Below is a list I put together of links to vendors sites and their responses to the vulnerabilities. I imagine most of them will keep these pages up to date as they discover new information. This is a complicated and low level issue so most vendors are going to need time to really evaluate their products and create patches.

Luckily in most cases it is an attack that is performed through the management access, so if you follow the best practice of limiting device management access from only trusted IPs or networks you should be good until the patches are released.

 PaloAlto Networks

"Our initial review of the vulnerabilities disclosed in the research concludes that all PAN-OS/Panorama platforms are not directly impacted by these attacks. There are no immediate plans to release a software update to PAN-OS in response to these issues at this time"

F5

"Impact
For products with None in the Versions known to be vulnerable column, there is no impact. For products with ** in the various columns, F5 is still researching the issue and will update this article after confirming the required information. F5 Technical Support has no additional information about this issue.

 BIG-IP
All three vulnerabilities require an attacker capable of providing and running binary code of their choosing on the BIG-IP platform. This raises a high bar for attackers attempting to target BIG-IP systems over a network and would require an additional, un-patched, user-space remote code execution vulnerability to exploit these new issues. The only administrative roles on a BIG-IP system that can execute binary code or exploitable analogs, such as JavaScript, are the Administrator and Resource Administrator roles. These users already have nearly complete access to the system and all secrets on the system not protected by hardware-based encryption. F5 believes that the attack with the highest impact may occur in multi-tenancy Virtual Clustered Multiprocessing (vCMP) configurations, running single-core guests owned by different administrative domains on a single BIG-IP system. In this scenario, Spectre Variant 2 may allow an attacker in one administrative domain to collect privileged information from the host or guests owned by another administrative domain, if the attacker's guest is configured as a single-core guest. The BIG-IP system always maps both hyper-threads of a given core to any guest with the "Cores Per Guest" configuration set to 2 or more, but single-core guests may execute on the same processor core as another single-core guest or host code. This threat may be mitigated by setting the "Cores Per Guest" configuration to 2 or more for all guests."

 Cisco

"Cisco is investigating its product line to determine which products may be affected by these vulnerabilities. As the investigation progresses, Cisco will update this advisory with information about affected products, including the Cisco bug ID for each affected product."

 Juniper

"Juniper SIRT is actively investigating the impact on Juniper Networks products and services.”

Brocade

 

Citrix/Netscaler

"Citrix NetScaler SDX: Citrix believes that currently supported versions of Citrix NetScaler SDX are not at risk from malicious network traffic. However, in light of these issues, Citrix strongly recommends that customers only deploy NetScaler instances on Citrix NetScaler SDX where the NetScaler admins are trusted."

Most of the people who have found this post on the internet are already familiar with Palo Alto Firewalls and everything they can do. One of the features I really like is the IPS functionality built into the firewall, but - and its a BIG BUT - if you're terminating SSL after the traffic ingresses your untrusted security zone you're loosing a lot of the PAN's IPS functionality because the traffic is encrypted.

Here is a reference diagram of what I am talking about:

So how do we fix it? PAN has a feature called SSL Inbound Inspection. This feature as of 7.1.x code does not terminate the SSL session or work as a proxy, but at a high-level takes a copy of the traffic and uses your imported certificate and key to inspect the traffic against the policies that have been configured. It's really easy to setup, but there are a couple caveats that I wanted to outline in this post.

SSL and Supported Ciphers: As many of you know the SSL negotiation is determined between the client and the server during the SSL handshake.  Because the firewall does not work as a SSL proxy, or "man in the middle", you have to insure that the client and server negotiate a cipher that the firewall is able to decrypt. This is where we ran into a little confusion.  Much of the documentation on the PAN site is focused around outbound SSL decryption.  This gets confusing when PAN doesn't document what feature they are discussing in an article. For example they have an article of supported decryption ciphers and they did not specify on the document if these were the ciphers used in outbound decryption or inbound inspection.  Then, when I asked for documentation of supported inbound SSL inspection ciphers, they could not point me to a document. FYI if you look at an SSL decryption profile there is a disclaimer in small print that only the listed RSA ciphers are supported for inbound inspection. I was told this was going to fixed.


So to help you out here is what is supported for inbound SSL inspection:

To ensure your firewall can decrypt all inbound SSL traffic it is important you configure your servers or load balancers to only offer ciphers supported by your firewall. If you're using an F5 to terminate SSL here is the string you can define in the cipher list within your SSL client profile.

!DES:!3DES:!SSLv3:!RC4:!EXP:RSA

APP-ID and Application Default Services: Many of you out here have enabled APP-ID on your firewalls and probably leveraged the application default service setting to let the firewall determine the port to allow traffic on.  I have been told application default setting in the services section of a security policy is best practice and, to be honest, I actually like it and use it; but it can break SSL Inbound Inspection. To understand where it breaks we first need to understand how a firewall processes a packet when you have enabled inbound SSL Inspection:

  1. The firewall looks to see if the packet is allowed by the security policy.
  2. The firewall identifies the traffic as SSL
  3. The firewall looks to see if the destination is configured with a SSL decryption policy
  4. If the destination address matches a protected IP address, it is decrypted and processed through the security policies once again as web-browsing still on port 443. 
  5. Bang! Connection is broken.

When you have application default set it is expecting specific ports based on the application that has been identified by APP-ID.  So if you have SSL and web-browsing configured in the APP-ID portion and application default configured in the services portion of your security policy...once the firewall decrypts the packets and runs it back through the security polices as web-browsing traffic on port 443 the firewall drops or resets the connection.

To resolve this issue you can still use APP-ID but you will need to explicitly list the ports the firewall will allow traffic on. This will allow any application, in this case web-browsing traffic on TCP port 443, to be allowed on any of the listed ports.

Configure SSL Inbound Inspection: You can click here to go to the Palo Alto Networks website and they will walk you though the SSL Inbound Inspection configuration.








With HTML5 and other modern web technologies IE has not aged gracefully. If your client base is an enterprise many times clients are locked into an older version of IE, and aren't allowed to install an auto-updating browser like Chrome or Firefox.

This iRule is strait forward, I am redirecting clients accessing a website using an older versions of IE to a browser friendly version. This is done by evaluating the HTTP request and identifying the browsers user-agent string. As part of the redirect the F5 presents a web page that informs the users their browser is unsupported instead of blindly redirecting them. It will auto redirect after a pre determined count down, this example is set for 15 seconds.

Disclaimer Microsoft does not make this easy, Compatibility modes and Document modes in IE can send a different user-agent string.  For example IE 11 users running in Compatibility mode may still be redirected because their browser sends an MSIE 7.0 user-agent string. I am sure your could right variables that would check for compatibility in the user agent string, but iI chose not to.

Here is the iRule:

when RULE_INIT {
    set static::refresh_time 15
set static::notification_page {
        <html lang=\"en_US\">
<head><title>System Notification</title>
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=us-ascii\">
<meta http-equiv=\"CACHE-CONTROL\" content=\"NO-CACHE\">
<meta http-equiv=\"PRAGMA\" content=\"NO-CACHE\">
<meta http-equiv=\"refresh\" content=\"15;URL=http://myspace.com">
</head>
<body>
<h1>System Notification</h1>
<hr>
<p>You are using an unsupported browser and will be redirected to Myspace.com</p>
<p>Wait $static::refresh_time seconds to continue, or click <a href=\"http://myspace.com\">here to continue.</a></p>
</body>
</html>
}
}
when HTTP_REQUEST {
 switch -glob [ string tolower [HTTP::header User-Agent]] {
   "*msie 10.0*" -
   "*msie 9.0*" -
   "*msie 8.0*" -
   "*msie 7.0*" -
   "*msie 6.*" {
     HTTP::respond 200 content [subst $static::notification_page] Mime-Type "text/html"
     log local0. "Client  IP:[IP::client_addr]  has been redirected with user agent :[HTTP::header User-Agent]"
   }
   default {
     # go to a default location if nothing matches
   }
 }
}
The iRule below was spawn from a request to block access to specific URIs on a website and only allow access from whitelisted IP networks and hosts. 

In my first attempt I used concatenated OR statements which worked but was less sexy and probably less efficient then the switch I ended up using. 

As for the Data List in this example it's named "AllowedIPDatalist." I created a network data list not because it was efficient, its not, I wanted to make it easier for co workers that didn't feel comfortable editing an iRule a place to enter Networks and Hosts in a format they where used to.

when HTTP_REQUEST {
  switch -glob [string tolower [HTTP::uri]] {
    "*/uri/sample1*" -
    "*/uri/sample2*" -
    "*/uri/sample3*" {
      if { !([matchclass [IP::client_addr] equals AllowedIPDatalist])} {
         reject 
         log local0. "Client IP Discard: \ [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      }
    }  
  }
}

Well they have used up all the awesome vulnerability names, hence the POODLE Attack (Padding Oracle In Downgraded Legacy Encryption). Twitter security chatter has increased around the POODLE Attack and there has been a CVE number assigned CVE20143566.  

Links to both the google paper and the CVE.
High Level Explanation:
The quick and dirty is even if a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant since many clients implement a protocol downgrade dance to work around server side interoperability bugs. In the google security advisory, they discuss how attackers can exploit the downgrade dance and break the cryptographic security of SSL 3.0.

The only real work around is to disable SSL 3.0 but for many web admins supporting legacy clients, Window XP running i.e.6 for example, disabling SSL 3.0 is not an option. 

If you end up enabling SSL3.0 you can enable TLS_FALLBACK_SCSV. This forces a more controlled negations of ssl between the client and the server limiting the possibility of clients and servers skipping protocols during the SSL negotion.

I will add more specifics to the F5 and how you would enable the TLS_Fallback command, as well as how to order your SSL protocol and cypher strengths.

***UPDATE***
According to F5 they do not currently support the TLS_FALLBACK_SCSV cipher. There is talk about an engineering hot fix that may include support but there is no solid ETA.  F5 is recommending you disable SSL 3.0 where you can.


OpenSSL command to test if a webserver supports SSL3.0:

openssl s_client -connect target:443 -ssl3
If the command makes you enter more information, then you just made an SSLv3 connection. If the command returns you to a prompt right away, then SSLv3 is disabled on that target host.

If your familiar with F5 you understand the need for a quick and dirty virtual lab on your lap top.  From testing code upgrades to writing and testing iRules you'll quickly learn how important a lab is.

To get started your going to need a few pieces that will make up your virtual lab.  Most of the following will work on a Mac or PC, but I am running a mac, so i apologize in advance if some of the configuration is different.

Software needed:

  • F5 LTM Software: virtual lab edition is $99 you can also ask your F5 sales team for a trial lisc.
  • Hypervisor: I am using VMWare Fusion
  • Virtual Router: Vyatta (Brocade bought them but you can still find the open project iso.)
  • Servers: Use what you feel comfortable with.
Step 1) Install Virtual Software (VMWare)

Step 2) Go to Preferences > Network and create several virtual machine networks.  These vm networks will work like VLANs  and you will assign virtual nics for devices that will operate in those networks.

Step 3) Install and configure your F5 Virtual Lab software.  You will want  to configure at least three network connections, one for management, server side and client side. Make sure you make the gateway IP the IP address you will assign the interface on the Vyatta router.


Step 4) Install and configure your Vyatta virtual router.  This will allow your PC to communicate with all of the networks as well as bridge the server network to the internet for updates and package installs.  Here is a great guide I found for vyatta commands.

Step 5)  Install and configure your servers configuring their nice to participate in the server VLAN.

Step 6) Build a Virtual server on the F5 using an IP address on the client network, and your pool member that exists in the server network.

You should be up and running and able to play with the F5.

Version 2 GeoIP and Network whitelisting iRule.  

Implementing version 1 of the iRule has highlighted a few short comings.  In version 2 I have added a stop gap measures to manually add IP space to an additional data group.  This allows time for F5's Geo-IP database update process and your companies change managment.

Prior to the deployment of version 1 we identified issues with RFC1918 IP space.  Because private IP space is not defined in the Geo-IP database the version 1 irule blocked server to virtual server communication if sourced from a private IP.  

The second short coming is frequency of Geo-IP database updates.  F5 is timely with their  Geo-IP database updates, but unless your running their Application Firewall Module updating is still a manual process. IP space is being reallocated on a daily basis which means you will always be playing catchup.  This is why I added the manual network data group.  This group can be used as a stop gap as well as letting you add any private IP space you may want to add.

Here is the rule:
# Geo-IP_Network_Whitelist_acl_rule
#
# v2.0 - May 9 2014
#
# BIG-IP versions 11.x (tested on 11.3.8)
#
# Purpose:
#   This rule should be added to a network virtual server to catch all requests
#   which  don't match an allowed GeoIP country code or IP network/host.  This
#   creates a white list of networks and hosts that are allowed to connect to
#   the virtual server. By default, log entries are written to /var/log/ltm.
#
#   The rule expects the following two data groups to define which allowed country
#   codes (example: ca, us), or defined allowed networks (example: 10.0.0.0/8)
#   are allowed to connect to the virtual server.
#
#   Clients that match on either the Network or GeoIP data group will be allowed
#   to connect to the default pool. Clients that do not match will be rejected and
#   see a web page not available.
#
#   The data group names should be:
#
#   geo_allowed_country (string Data Group List)
#   geo_allowed_network (network Data Group List)
#
#
#
#
# This event is triggered when a client - BIG-IP TCP connection is established
when CLIENT_ACCEPTED {
 if { [class match [whereis [IP::client_addr] country] equals geo_allowed_country] } {
    # do nothing
         log local0. "Geo-IP Code accepted from client: \
         [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
 } elseif { [class match [IP::client_addr] equals geo_allowed_network] } {
    # do nothing
         log local0. "Network accepted from client: \
         [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
  } else {
  reject
  log local0. "Client request rejected: \
         [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
 }
}


Enjoy!




*Update* Cisco has posted their Security Advisory for the Heartbeat vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

It is curious to see how different company choose to incorporate and document opensource software in their products. But that is a different rant for a different time.

Today is the day engineers around the world hit the internet looking through pages and pages of documentation.  I have done some research and wanted to add what I found to hopefully shorten someones search.

Cisco ASA 8.4 code is running openssl 0.9.8f Safe
F5 LTM 11.3, and 11.4 are running openssl 0.9.8y Safe
  • To view for your self SSH to your LTM log in as root and run "openssl version"
F5 LTM 11.5 is running openssl 1.0.1e-fips Vulnerable

Here are some more links about the Vulnerability



I came across an iRule that identifies multiple connection attempts from an IP address and throttle their connection. Because it is an iRule you can completely configure both the connection limit, timeouts, and even the message your F5 will send the user.


when RULE_INIT {
# This is the max requests allowed during "interval" specified below.
set static::maxRate 125;
# Below is the lifetime of the subtable record in seconds.
# This defines the interval during which requests are tallied. Example: Rate=10 and Timeout=3, allows 10 requests in 3 seconds
# Note: do not use very high timeout because it increases memory utilization especially under high load.
# Note: A rate of 100 in 50 seconds is the same is a rate of 20 in 1 second. But 1 second is a lot easier on memory,
# Because the records expire more quickly and the table does become too large.
set static::timeout 3;}
when HTTP_REQUEST {
set getCount [table lookup -notouch -subtable requests [IP::client_addr]]
    if { $getCount equals "" } {
       # log local0. "New one:  getCount=$getCount [IP::client_addr] [clock seconds]"
       table set -subtable requests [IP::client_addr] "1" $static::timeout $static::timeout
       } else {
    if { $getCount < $static::maxRate } {
       table incr -notouch -subtable requests [IP::client_addr]
       } else {
    if {$getCount == $static::maxRate } {
       log local0. "User @ [IP::client_addr] [clock seconds] has reached $getCount requests in $static::timeout seconds."
       table incr -notouch -subtable requests [IP::client_addr]
       }
   HTTP::respond 501 content "We apologize but your request/sec limit has exceeded the set threshold.  Please wait 30 seconds and refresh the page."
   #drop
   #return

Update coming soon a more advanced irule that accounts for rfc1918 ip space as well as data groups that allow multiple geoip country codes.

This iRule will allow you to block requests to your website from IP address that are not from the US. GeoIP blocking is flexible and a way of white listing traffic to your servers.  It does have it's limitations though.

GeoIP Databases change all the time.  To keep the F5   GeoIP database up to date wouldn't be practical.

Some may consider this a security measure. But to limit IP traffic from a limited geographic area is not an affective security measure. Real bad guys will proxy or use un willing victims to carry out their attacks.

when CLIENT_ACCEPTED {
if {not ([whereis [IP::client_addr] country] eq "US")}{
reject
}
}

The following is a list of Country Codes you can test with.