Orchestrated Infrastructure Security: Protocol Inspection With F5 AFM and AWAF

Introduction

The threat landscape is different than it was years ago, emerging technologies are required to protect our networks and data centers from threats and attacks. This article lets us learn how we could configure an F5 AFM and AWAF (Advanced Web Application Firewall) on a BIG-IP device that would help protect the Network and Datacenters from threats and attacks.

F5 AFM (Advanced Firewall Manager)

BIG-IP Advanced Firewall Manager (AFM) is a high-performance, stateful, full-proxy network security module that protects your data centers from threats utilizing the most prevalent protocols.

BIG-IP AFM is based on the F5 Traffic Management Operating System (TMOS) and offers core features for protecting data centers from external network threats and determining the types of threats to which they are vulnerable.

F5 AWAF (Advanced Web Application Firewall)

F5's AWAF is designed to safeguard online applications in on-premises, virtual, and cloud IT environments. The system delivers network device configuration, centralized security policy administration, and easy-to-read audit reports through a single pane of glass, protecting against both known and new vulnerabilities and validating compliance with important regulatory mandates.

AWAF's sophisticated security policies protect web applications from common application layer risks. Security policies are a core component of AWAF's functionality. F5 AWAF comes with policy templates for quickly building security policies for common applications. AWAF can automatically construct a security policy that allows policies to dynamically react to observed traffic. This allows for continually adaptive security controls.

Alternatively, customers can manually create their own security policies giving them the ultimate level of control. F5 AWAF is the most customizable WAF on the market and can secure both standard and non-standard web, mobile apps, and API protection.

AFM configuration

The configuration steps are divided into the following high-level sections:

Protocol Inspection (IPS) with AFM Network Configuration
Create an AFM Protocol Inspection Policy
Attach Virtual Servers to an AFM Protocol Inspection Policy

Protocol Inspection (IPS) with AFM: network configuration

The BIG-IP will be deployed with VLAN Groups. This combines 2 interfaces to act as an L2 bridge where data flows into one interface and is passed out to the other interface.

From the F5 Configuration Utility go to Network > VLANs. Click Create on the right.

Give it a name, ingress1 in this example. Set the Interface to 5.0. Set Tagging to Untagged then click Add. Interface 5.0 (untagged) should be visible like in the image below. Click Repeat at the bottom to create another VLAN.

Note: In this example interface 5.0 will receive decrypted traffic from sslo1.

Give it a name, egress1 in this example. Set the Interface to 6.0. Set Tagging to Untagged then click Add. Interface 6.0 (untagged) should be visible like in the image below. Click Finished when done.

Note: In this example interface 6.0 will receive decrypted traffic from sslo1.

Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators. Therefore, you should repeat these steps to configure VLANs for the two interfaces connected to sslo2. These VLANs should be named in a way that you can differentiate them from the others. Example: ingress2 and egress2

It should look something like this when done:

Note: In this example Interface 3.0 and 4.0 are physically connected to sslo2.

Click VLAN Groups then Create on the right.

Give it a name, vlg1 in this example. Move ingress1 and egress1 from Available to Members. Set the Transparency Mode to Transparent. Check the box to Bridge All Traffic then click Finished.

Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators. Therefore, you should repeat these steps to configure a VLAN Group for the two interfaces connected to sslo2. This VLAN Group should be named in a way that you can differentiate it from the other, example: vlg1 and vlg2. It should look like the image below:

For full Layer 2 transparency the following CLI option needs to be enabled:

(tmos)# modify sys db connection.vgl2transparent value enable

Create an AFM Protocol Inspection policy

You can skip this step if you already have an AFM Protocol Inspection policy created and attached to one or more virtual servers. If not, we'll cover it briefly. In this example we configured Protocol Inspection with Signatures and Compliance enabled.

From Security select Protocol Security > Inspection Profiles > Add > New.

Give it a name, IPS in this example. For Services, select the Protocol(s) you want to inspect, HTTP in this example.

Optionally check the box to enable automatic updates and click Commit Changes to System.

Attach Virtual Servers to an AFM Protocol Inspection policy

Attach the Protocol Inspection Profile to the Virtual Server(s) you wish to protect. From Local Traffic select Virtual Servers. Click the name of the Virtual Server you want to apply the profile to, 10.4.11.52 in this example.

Click Security > Policies.

Set the Protocol Inspection Profile to Enabled, then select the Profile created previously, IPS in this example. Click Update when done.

Repeat this process to attach the IPS Profile to the remaining Virtual Servers.

Advanced WAF configuration

The configuration steps are divided into the following high level sections:

Advanced WAF Network Configuration
Attach Virtual Servers to an Advanced WAF Policy

AWAF: Network configuration

The BIG-IP will be deployed with VLAN Groups. This combines 2 interfaces to act as an L2 bridge where data flows into one interface and is passed out the other interface. Vwire configuration will be covered later.

From the F5 Configuration Utility go to Network > VLANs. Click Create on the right.

Give it a name, ingress1 in this example. Set the Interface to 2.1. Set Tagging to Untagged then click Add.

Note: In this example interface 2.1 will receive decrypted traffic from sslo1

Interface 2.1 (untagged) should be visible like in the image below. Click Repeat at the bottom to create another VLAN.

Give it a name, egress1 in this example. Set the Interface to 2.2. Set Tagging to Untagged then click Add.

Note: In this example interface 2.2 will send decrypted traffic back to sslo1

Interface 2.2 (untagged) should be visible like in the image below. Click Finished.

It should look something like this when done:

Note: In this example Interface 2.3 and 2.4 are physically connected to sslo2.

Click VLAN Groups then Create on the right.

Give it a name, vlg1 in this example. Move ingress1 and egress1 from Available to Members. Set the Transparency Mode to Transparent. Check the box to Bridge All Traffic then click Finished.

For full Layer 2 transparency the following CLI option needs to be enabled:

(tmos)# modify sys db connection.vgl2transparent value enable

Attach Virtual Servers to an Advanced WAF policy

You can skip this step if you already have an Advanced WAF policy created and attached to one or more virtual servers. If not, we'll cover it briefly. In this example we configured Comprehensive Protection which includes Bot Mitigation, Layer 7 DoS and Application Security.

Give it a name, App_Protect1 in this example then click Save & Next.

Select the Enforcement Mode and Policy Type. Click Save & Next.

Configure the desired Bot Defense options. Click Save & Next on the lower right.

Configure the desired DoS Profile Properties. Click Save & Next.

Assign the policy to your application server(s) by moving them to Selected. Click Save & Next.

Click Finish/Deploy when done.

Conclusion

In this article, we learned how to configure AFM and AWAF on a BIG-IP device to provide security from threats to the network and datacenters. To learn more about the key features and advantages of F5 AFM and AWAF and how the products could prevent threats and provide security, go through the related links in the references for a brief explanation.

"Check out the lab in the references for a hands-on experience for the steps involved and to work with AWAF as a service."