Orchestrated Infrastructure Security: Protocol Inspection With F5 AFM and AWAF
Introduction
The threat landscape is different than it was a few years ago, and newer controls are needed to protect networks and data centers from current attacks. This article walks through configuring F5 AFM (Advanced Firewall Manager) and AWAF (Advanced Web Application Firewall) on BIG-IP as Layer 2 inline inspection devices that receive decrypted traffic from SSL Orchestrator, so that protocol inspection and web application protection can be applied to traffic that would otherwise be opaque.
F5 AFM (Advanced Firewall Manager)
BIG-IP Advanced Firewall Manager (AFM) is a high-performance, stateful, full-proxy network security module that protects your data centers from threats utilizing the most prevalent protocols.
BIG-IP AFM is based on the F5 Traffic Management Operating System (TMOS) and offers core features for protecting data centers from external network threats and determining the types of threats to which they are vulnerable.
F5 AWAF (Advanced Web Application Firewall)
F5's AWAF is designed to safeguard web applications in on-premises, virtual, and cloud environments. It provides centralized security policy administration and readable audit reports through a single management interface, protects against both known and newly observed attack patterns, and helps demonstrate compliance with common regulatory mandates.
AWAF's sophisticated security policies protect web applications from common application layer risks. Security policies are a core component of AWAF's functionality. F5 AWAF comes with policy templates for quickly building security policies for common applications. AWAF can automatically construct a security policy that allows policies to dynamically react to observed traffic. This allows for continually adaptive security controls.
Alternatively, customers can build their own security policies by hand for the highest level of control. F5 AWAF is highly customizable and can protect standard and non-standard web applications, mobile applications, and APIs.
AFM configuration
The configuration steps are divided into the following high-level sections:
- Protocol Inspection (IPS) with AFM Network Configuration
- Create an AFM Protocol Inspection Policy
- Attach Virtual Servers to an AFM Protocol Inspection Policy
Protocol Inspection (IPS) with AFM: network configuration
The BIG-IP will be deployed with VLAN Groups. This combines 2 interfaces to act as an L2 bridge where data flows into one interface and is passed out to the other interface.
From the F5 Configuration Utility go to Network > VLANs. Click Create on the right.
Give it a name, ingress1 in this example. Set the Interface to 5.0. Set Tagging to Untagged then click Add. Interface 5.0 (untagged) should be visible like in the image below. Click Repeat at the bottom to create another VLAN.
Note: In this example interface 5.0 will receive decrypted traffic from sslo1.
Give it a name, egress1 in this example. Set the Interface to 6.0. Set Tagging to Untagged then click Add. Interface 6.0 (untagged) should be visible like in the image below. Click Finished when done.
Note: In this example interface 6.0 will send the inspected traffic back to sslo1.
Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators. Therefore, you should repeat these steps to configure VLANs for the two interfaces connected to sslo2. These VLANs should be named in a way that you can differentiate them from the others. Example: ingress2 and egress2
It should look something like this when done:
Note: In this example Interface 3.0 and 4.0 are physically connected to sslo2.
Click VLAN Groups then Create on the right.
Give it a name, vlg1 in this example. Move ingress1 and egress1 from Available to Members. Set the Transparency Mode to Transparent. Check the box to Bridge All Traffic then click Finished.
Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators. Therefore, you should repeat these steps to configure a VLAN Group for the two interfaces connected to sslo2. This VLAN Group should be named in a way that you can differentiate it from the other, example: vlg1 and vlg2. It should look like the image below:
For full Layer 2 transparency the following CLI option needs to be enabled:
(tmos)# modify sys db connection.vgl2transparent value enable
Create an AFM Protocol Inspection policy
You can skip this step if you already have an AFM Protocol Inspection policy created and attached to one or more virtual servers. If not, we'll cover it briefly. In this example we configured Protocol Inspection with Signatures and Compliance enabled.
From Security select Protocol Security > Inspection Profiles > Add > New.
Give it a name, IPS in this example. For Services, select the Protocol(s) you want to inspect, HTTP in this example.
Optionally check the box to enable automatic updates and click Commit Changes to System.
Attach Virtual Servers to an AFM Protocol Inspection policy
Attach the Protocol Inspection Profile to the Virtual Server(s) you wish to protect. From Local Traffic select Virtual Servers. Click the name of the Virtual Server you want to apply the profile to, 10.4.11.52 in this example.
Click Security > Policies.
Set the Protocol Inspection Profile to Enabled, then select the Profile created previously, IPS in this example. Click Update when done.
Repeat this process to attach the IPS Profile to the remaining Virtual Servers.
Advanced WAF configuration
The configuration steps are divided into the following high-level sections:
- Advanced WAF Network Configuration
- Attach Virtual Servers to an Advanced WAF Policy
AWAF: Network configuration
The BIG-IP will be deployed with VLAN Groups. This combines two interfaces to act as an L2 bridge where data flows into one interface and is passed out the other interface. Virtual wire (vWire) is an alternative Layer 2 deployment option and is not covered in this article.
From the F5 Configuration Utility go to Network > VLANs. Click Create on the right.
Give it a name, ingress1 in this example. Set the Interface to 2.1. Set Tagging to Untagged then click Add.
Note: In this example interface 2.1 will receive decrypted traffic from sslo1
Interface 2.1 (untagged) should be visible like in the image below. Click Repeat at the bottom to create another VLAN.
Give it a name, egress1 in this example. Set the Interface to 2.2. Set Tagging to Untagged then click Add.
Note: In this example interface 2.2 will send decrypted traffic back to sslo1
Interface 2.2 (untagged) should be visible like in the image below. Click Finished.
Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators. Therefore, you should repeat these steps to configure VLANs for the two interfaces connected to sslo2. These VLANs should be named in a way that you can differentiate them from the others. Example: ingress2 and egress2
It should look something like this when done:
Note: In this example Interface 2.3 and 2.4 are physically connected to sslo2.
Click VLAN Groups then Create on the right.
Give it a name, vlg1 in this example. Move ingress1 and egress1 from Available to Members. Set the Transparency Mode to Transparent. Check the box to Bridge All Traffic then click Finished.
Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators. Therefore, you should repeat these steps to configure a VLAN Group for the two interfaces connected to sslo2. This VLAN Group should be named in a way that you can differentiate it from the other, example: vlg1 and vlg2. It should look like the image below:
For full Layer 2 transparency the following CLI option needs to be enabled:
(tmos)# modify sys db connection.vgl2transparent value enable
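The VLAN, VLAN Group and db-key steps are identical for the AFM device (interfaces 5.0/6.0 toward sslo1, 3.0/4.0 toward sslo2) and the AWAF device (2.1/2.2 and 2.3/2.4), so the GUI clicks above are easy to script. The following POSIX shell script is an added example, not F5 tooling or code from the article: it emits the tmsh equivalents of those steps for either device and includes two small checks that parse the output of `tmsh list net vlan-group <name>` and `tmsh list sys db connection.vgl2transparent`. The interface numbers and the names ingress1/egress1/vlg1 and ingress2/egress2/vlg2 are the article's examples; the sample tmsh listings at the bottom are constructed for an offline dry run.

```shell
#!/bin/sh
# Added example (not F5 tooling): tmsh equivalents of the VLAN / VLAN Group
# steps for an L2-transparent inline BIG-IP, plus post-deployment checks.
# Interface numbers and object names are the article's examples; adjust them
# to your chassis. Run with "afm" or "awaf" as the only argument.
set -eu

# One inspection leg: ingress VLAN, egress VLAN and a transparent VLAN group
# that bridges them ("Bridge All Traffic" = bridge-traffic enabled).
# $1 = leg number, $2 = ingress interface, $3 = egress interface
leg_commands() {
  printf 'create net vlan ingress%s interfaces add { %s { untagged } }\n' "$1" "$2"
  printf 'create net vlan egress%s interfaces add { %s { untagged } }\n' "$1" "$3"
  printf 'create net vlan-group vlg%s members add { ingress%s egress%s } mode transparent bridge-traffic enabled\n' "$1" "$1" "$1"
}

# Device-wide finishing steps. connection.vgl2transparent is a global db key:
# it applies to every VLAN group on the BIG-IP, not just the ones created here.
finish_commands() {
  printf 'modify sys db connection.vgl2transparent value enable\n'
  printf 'save sys config\n'
}

# AFM device: 5.0/6.0 face sslo1, 3.0/4.0 face sslo2 (article's example).
afm_commands() {
  leg_commands 1 5.0 6.0
  leg_commands 2 3.0 4.0
  finish_commands
}

# AWAF device: 2.1/2.2 face sslo1, 2.3/2.4 face sslo2 (article's example).
awaf_commands() {
  leg_commands 1 2.1 2.2
  leg_commands 2 2.3 2.4
  finish_commands
}

# Checks on the text of "tmsh list net vlan-group <name>": the group must be
# in transparent mode and bridging all traffic. Returns 0 if so, 1 otherwise.
vlan_group_is_transparent_bridge() {
  case $1 in *"mode transparent"*) ;; *) return 1 ;; esac
  case $1 in *"bridge-traffic enabled"*) return 0 ;; *) return 1 ;; esac
}

# Check on the text of "tmsh list sys db connection.vgl2transparent".
vgl2transparent_enabled() {
  case $1 in *'value "enable"'*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample listings in the shape tmsh prints, for an offline dry run.
SAMPLE_VLG='net vlan-group vlg1 {
    bridge-traffic enabled
    members {
        egress1
        ingress1
    }
    mode transparent
}'
SAMPLE_DB='sys db connection.vgl2transparent {
    value "enable"
}'

# Print the command list for the requested device; with no argument print nothing.
case ${1:-} in
  afm)  afm_commands ;;
  awaf) awaf_commands ;;
esac
```

To apply the commands on the BIG-IP, run each emitted line through tmsh, for example `sh l2-legs.sh afm | while read -r c; do tmsh $c; done`, then confirm with `vlan_group_is_transparent_bridge "$(tmsh list net vlan-group vlg1)"` and `vgl2transparent_enabled "$(tmsh list sys db connection.vgl2transparent)"`. Note that the article uses the same names (ingress1, egress1, vlg1) in both the AFM and AWAF sections; if both modules run on a single BIG-IP rather than on two devices, give the second set of objects distinct names.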
Attach Virtual Servers to an Advanced WAF policy
You can skip this step if you already have an Advanced WAF policy created and attached to one or more virtual servers. If not, we'll cover it briefly. The policy is built through Guided Configuration (Security > Guided Configuration). In this example we used the Comprehensive Protection use case, which bundles Bot Mitigation, Layer 7 DoS and Application Security.
Give it a name, App_Protect1 in this example then click Save & Next.
Select the Enforcement Mode and Policy Type. Start with Transparent enforcement so that the policy logs violations and accumulates learning suggestions without blocking live traffic, and switch to Blocking once the suggestions have been reviewed. Click Save & Next.
Configure the desired Bot Defense options. Click Save & Next on the lower right.
Configure the desired DoS Profile Properties. Click Save & Next.
Assign the policy to your application server(s) by moving them to Selected. Click Save & Next.
Click Finish/Deploy when done.
Conclusion
In this article, we configured AFM and AWAF on BIG-IP as Layer 2 transparent inline devices: VLANs and VLAN Groups bridging the interfaces that face each SSL Orchestrator, the connection.vgl2transparent db key for full Layer 2 transparency, an AFM Protocol Inspection profile attached to the protected virtual servers, and an Advanced WAF policy built with Guided Configuration. The related links in the references give more detail on the features of AFM and AWAF and on how they fit into an SSL Orchestrator service chain.
Check out the lab in the references for hands-on experience with these steps and with AWAF as a service.
References
F5 BIG-IP Advanced Firewall Manager (AFM)
Advanced Application Threats Require an Advanced WAF
Leaked Credential Check With Advanced WAF
F5 BIG-IP SSL Orchestrator (SSLO)
F5 BIG-IP Advanced Web Application Firewall (WAF)
F5 BIG-IP Access Policy Manager (APM)
Service Chain Management Process with F5 SSLO