F5 CANDIDATE-PRODUCED STUDY GUIDE F5 Certified!


F5 Certified! Solution Expert, Security
Written by: Darshan Kirtikumar Doshi, Enterprise Network Engineer, F5

STUDY GUIDE F5-CSE, Security

Disclaimer

The information provided in this document is designed to provide helpful information on the F5 401 Security Solution Expert exam. This is an independent study guide and should NOT be used as a replacement for hands-on experience with F5 security products or official F5 training. This document is also not intended to guarantee a passing grade on the exam.

Notice that this is NOT an official F5 document and as such is not supported by F5 Networks.

Introduction

This independent study guide is prepared using public F5 resources and other internet resources. The exam is heavily focused on the "AFM, ASM, LTM, APM and F5 DNS (formerly known as GTM)" modules. Most of the sections in the document contain a hyperlink at the end of the topic. It is highly recommended to refer to all the hyperlinks for detailed information about any topic.

Note: The guide will be continually improved and suggestions on the content are very welcome. If you have comments or would like to have relevant notes and materials added to this document, please send an email to darshandkd@gmail.com

Good luck!

TABLE OF CONTENTS

General / System ... 2
BIG IP Packet Processing Order ... 2
Local Logging Directories ... 4
NTP peer server communication ... 5
MEMCACHE ... 8
Internet Content Adaptation Protocol ... 9
Third party Web Application Testing / Security / Auditing Tools ... 13
Compliances and Standards ... 18
Industry Standard Security terminologies ... 20
Local Traffic Manager (LTM) ... 22
Secure Socket Layer (SSL) ... 22
SSL Troubleshooting with SSLDUMP ... 24
GTM ... 27
DNS Records types ... 27
GTM Load Balancing Methods ... 29
Static load balancing methods ... 29
Dynamic load balancing methods ... 32
DNSSEC ... 33
IP Intelligence ... 36
Checking the status of the IP intelligence database ... 38
The F5 DDoS Protection Reference Architecture ... 40
F5 Components and Capabilities ... 41
Application Firewall Module (AFM) ... 43
Context ... 47
Request processing order ... 48
Firewall Actions ... 49
DoS Protection ... 52
WebSafe/MobileSafe ... 54
The DOM / Elements and Scripts ... 56
DOM Vulnerabilities and Security Concerns ... 57

Websafe General workflow ... 58
License Activation for FPS (Fraud Protection Module) ... 58
Application Security Module (ASM) ... 60
Data guard Protection ... 60
DoS Protection ... 61
TPS Based Anomaly Protection ... 61
Stress-based DoS protection ... 64
About DoS mitigation methods ... 65
Securing Web Services ... 66
Detecting and Preventing Web Scraping ... 66
Prerequisites for configuring web scraping ... 68
Web scraping attack types ... 69
User and Session Tracking ... 70
Monitor user and session information ... 70
Application Policy Module (APM) ... 72
Portal Access ... 72
Portal access configuration elements ... 72
Understanding portal access patching ... 73
SAML (Security Assertion Markup Language) ... 74
BIG IP APM - Secure Web Gateway (SWG) ... 77
BIG IP APM Secure Web Gateway terminology ... 79
Flowchart for SWG Configuration ... 80
BIG IQ ... 81
F5 vulnerability response policy and security audit ... 83
Case Studies ... 86
Case study 1 ... 86
Case study 2 ... 86
Case study 3 ... 87
Case study 4 ... 87
Case study 5 ... 88
Case study 6 ... 88
Case study 7 ... 88

F5 401 – Study guide

The exam is focused on the following F5 modules:

1. LTM
2. AFM
3. APM
4. ASM
5. IPI
6. WebSafe / MobileSafe
7. GTM
8. SWG (Secure Web Gateway)
9. HSM
10. DDoS Hybrid Defender (Silverline)
11. BIG-IQ (formerly known as Enterprise Manager)

Tip – If you have Guardian access to F5 University, use university.f5.com to go through the various training available for all the modules listed above.

This guide contains references taken from various F5 and other public resources available on the internet:

F5 University – ICAP / AFM / ASM / DoS / DNSSEC training
RFCs – 3507 (ICAP)
AskF5
ASM Operations guide
AFM Operations guide
YouTube – Whiteboard Wednesday & DevCentral F5 Channel
DevCentral community – F5
Other online references

GENERAL / SYSTEM

BIG-IP Packet Processing Order

The following snippet is quite useful for understanding the packet processing flow at each layer of BIG-IP. Updated December 2015.
Source - 5301/TMOS Order of Operations v2.png

BIG-IP Traffic Processing Order

A couple of interesting and useful videos on YouTube for the packet processing order:
for version 11.X - https://www.youtube.com/watch?v=bYfcNIndSPQ&t=47s
for version 12.X - https://www.youtube.com/watch?v=qCLEw5xIZ7s

It is strongly recommended to go through the version 12.X YouTube video as it talks about all the modules listed below.

1. Packet Filter
2. AFM
3. FLOW_INIT (an iRule event, i.e. "when FLOW_INIT")
4. LTM
5. APM
6. ASM

Note: Packet processing at a given module takes place only if that module is provisioned and configured.

FLOW_INIT

This event is triggered (once for TCP and unique UDP/IP flows) after packet filters, but before AFM and TMM work occurs. The use cases for this event are:
- Override ACL action
- Bandwidth control on both client/server flows
- Routing to another VIP
- Marking QoS ToS/DSCP on both client/server flows
Source - https://devcentral.f5.com/wiki/iRules.FLOW_INIT.ashx

The packet is first evaluated by the Packet Filter, next by FLOW_INIT, then by AFM, then by LTM, then by APM, and at last ASM processes the traffic and hands it back to LTM to finish up. ASM sits off to the side and either tells LTM to proceed or hands out a block page.

Local Logging Directories

Source - 6000/100/sol16197.html

BIG-IP log types

Each type of event is stored locally in a separate log file, and the information stored in each log file varies depending on the event type. All log files for these event types are in the /var/log directory.

audit (/var/log/audit): The audit event messages are messages that the BIG-IP system logs as a result of changes to the BIG-IP system configuration. Logging audit events is optional.
boot (/var/log/boot.log): The boot messages contain information that is logged when the system boots.
cron (/var/log/cron): When the cron daemon starts a cron job, the daemon logs the information about the cron job in this file.
daemon (/var/log/daemon.log): The daemon messages are logged by various daemons that run on the system.
dmesg (/var/log/dmesg): The dmesg messages contain kernel ring buffer information that pertains to the hardware devices that the kernel detects during the boot process.
GSLB (/var/log/gtm): The GSLB messages pertain to global traffic management events.
httpd (/var/log/httpd/httpd_errors): The httpd messages contain the Apache web server error log.
kernel (/var/log/kern.log): The kernel messages are logged by the Linux kernel.
local traffic (/var/log/ltm): The local traffic messages pertain specifically to BIG-IP local traffic management events.
mail (/var/log/maillog): The mail messages contain the log information from the mail server that is running on the system.
packet filter (/var/log/pktfilter): The packet filter messages are those that result from the use of packet filters and packet-filter rules.
security (/var/log/secure): The secure log messages contain information related to authentication and authorization privileges.
system (/var/log/messages): The system event messages are based on global Linux events, and are not specific to BIG-IP local traffic management events.
TMM (/var/log/tmm): The TMM log messages are those that pertain to Traffic Management Microkernel events.
user (/var/log/user.log): The user log messages contain information about all user-level logs.
webui (/var/log/webui.log): The webui log messages display errors and exception details that pertain to the Configuration utility.

NTP peer server communication

Source - https://support.f5.com/csp/article/K10240

When the BIG-IP system clock is not showing the correct timezone, or the date and time are not synchronized correctly, this could be caused by an incorrect NTP configuration or a communication issue with a valid NTP peer server.

When verifying the NTP peer server communication, you can use the ntpq utility. The command generates output with the fields that are explained in the following table:

prefix to the remote field: An asterisk (*) character indicates that the peer has been declared the system peer and lends its variables to the system variables. A plus sign (+) indicates that the peer is a survivor and a candidate for the combining algorithm. A space, x, period (.), dash (-), or hash (#) character indicates that this peer is not being used for synchronization because it either does not meet the requirements, is unreachable, or is not needed.

remote: The remote field is the address of the remote peer.

refid: The refid field is the Reference ID, which identifies the server or reference clock with which the remote peer synchronizes; its interpretation depends on the value of the stratum field (explained in the st definition). For stratum 0 (unspecified or invalid), the refid is an ASCII value used for debugging. Example: INIT or STEP. For stratum 1 (reference clock), the refid is an ASCII value used to specify the type of external clock source. Example: NIST refers to the NIST telephone modem. For strata 2 through 15, the refid is the address of the next lower stratum server used for synchronization.

st: The st field is the stratum of the remote peer. Primary servers (servers with an external reference clock such as GPS) are assigned stratum 1. A secondary NTP server which synchronizes with a stratum 1 server is assigned stratum 2. A secondary NTP server which synchronizes with a stratum 2 server is assigned stratum 3. Stratum 16 is referred to as "MAXSTRAT", is customarily mapped to stratum value 0, and therefore indicates being unsynchronized. Strata 17 through 255 are reserved.

t: The t field is the type of peer: local, unicast, multicast, or broadcast.

when: The when field is the time since the last response to a poll was received (in seconds).

poll: The poll field is the polling interval (in seconds). This value starts low (example: 64) and over time, as no changes are detected, this polling value increases incrementally to the configured max polling value (example: 1024).

reach: The reach field is the reachability register. The octal shift register records the results of the last eight poll attempts.

delay: The delay field is the current estimated delay; the transit time between these peers in milliseconds.

offset: The offset field is the current estimated offset; the time difference between these peers in milliseconds.

jitter: The jitter field is the current estimated dispersion; the variation in delay between these peers in milliseconds.

Example of a successful NTP peer server query

If the local ntpd process can communicate, or attempts to communicate, with a declared NTP peer server, the output from the ntpq command appears like the following example:

# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
 172.28.4.133    10.10.10.251     4 u  482 1024  377    0.815  -10.010   0.345

In the previous example, the remote server information (refid, stratum, delay, offset, jitter) displays, indicating that the servers are successfully exchanging information. The value of 377 in the reach column indicates that the server was successfully reached during each of the last eight attempts, and the value of 482 in the when column indicates that the last response was received from the remote peer 482 seconds ago, which is within the polling interval of 1024 seconds.

Example of a failed NTP peer server query

If the local ntpd process fails to communicate with an NTP peer server, the output from the ntpq command may appear similar to the following example:

# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
 172.28.4.133    .INIT.          16 u    -   64    0    0.000    0.000  0000.00

Note: An st (stratum) of 16 means that the destination NTP server is unreachable or is not considered a viable candidate.

In this example, the remote server information (refid, stratum, delay, offset, jitter) is not available. The value .INIT. in the refid column indicates that NTP is initializing, and the server has not yet been reached. The value of 0 (zero) in the reach column indicates that the server has not been reached during any of the last eight attempts. The absence of a value in the when column indicates that no data has been received from the remote peer since the local ntpd process was started. The poll value of 64 is still at the MINPOLL value, which indicates that NTP was recently restarted.

NTP has a MINPOLL and MAXPOLL value, which it uses to determine the optimal time between updates with the reference server. If jitter is low, and there are no changes in the data received, NTP automatically and incrementally increases the poll value until it reaches MAXPOLL, or 1024 seconds.

Example of a successful NTP preferred peer server query

If the local ntpd process communicates or attempts to communicate with a declared preferred NTP peer server, the output from the ntpq command appears similar to the following example:

# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
*172.28.4.133    10.10.10.251     4 u  482 1024  377    0.815  -10.010   0.345
+172.28.4.134    10.10.10.252     6 u  482 1024  179    0.215   -1.010   0.545

In the previous example, 172.28.4.133 is the preferred server, or current time source, and is designated by the * symbol. Any remaining servers available for use are indicated by the + symbol. When initially configured, ntpd can take up to a few minutes to calculate and designate the current preferred time source.
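The following parser turns `ntpq -np` peer lines into the fields explained above and applies the interpretation rules from this section (tally prefix, stratum 16 / MAXSTRAT, the octal reach register, the "-" in the when column). It is an added example, not code from the study guide or from F5; the sample output embedded in it is constructed to match the layout shown above, and the peer addresses, the "flapping" heuristic and the function names are assumptions of this example.

```python
"""Interpret `ntpq -np` peer lines as described in the NTP section above.
Added example, not from the study guide or from F5; SAMPLE_NTPQ is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

MAXSTRAT = 16  # stratum 16 = unsynchronized; such a peer is not a viable time source

# Constructed sample in the layout ntpq prints (not captured from a real BIG-IP).
# Rows 1-2 mirror the preferred-peer example above, row 3 the failed (.INIT.)
# example, row 4 a peer that has answered only the last four of eight polls.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*172.28.4.133    10.10.10.251     4 u  482 1024  377    0.815  -10.010   0.345
+172.28.4.134    10.10.10.252     6 u  482 1024  377    0.215   -1.010   0.545
 172.28.4.135    .INIT.          16 u    -   64    0    0.000    0.000  0000.00
 172.28.4.136    10.10.10.253     3 u   20   64   17    0.500    0.100   0.200
"""

PEER_RE = re.compile(
    r"^(.)(\S+)\s+(\S+)\s+(\d+)\s+(\S)\s+(\S+)\s+(\d+)\s+(\d+)"
    r"\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s*$")


@dataclass
class Peer:
    tally: str            # '*' system peer, '+' candidate, anything else: not used
    remote: str
    refid: str
    stratum: int
    ptype: str            # u unicast, l local, m multicast, b broadcast
    when: Optional[int]   # seconds since last response; None when ntpq prints '-'
    poll: int
    reach: int            # 8-bit shift register, decoded from the octal ntpq prints
    delay: float
    offset: float
    jitter: float

    @property
    def successful_polls(self) -> int:
        """How many of the last eight polls got a response (set bits in reach)."""
        return bin(self.reach & 0xFF).count("1")

    @property
    def is_unsynchronized(self) -> bool:
        return self.stratum >= MAXSTRAT or self.refid == ".INIT." or self.reach == 0


def _parse_when(text: str) -> Optional[int]:
    """ntpq prints '-' before any reply and uses m/h/d suffixes for long intervals."""
    if text == "-":
        return None
    units = {"m": 60, "h": 3600, "d": 86400}
    if text[-1] in units:
        return int(text[:-1]) * units[text[-1]]
    return int(text)


def parse_ntpq(output: str) -> List[Peer]:
    peers = []
    for line in output.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        tally, remote, refid, st, t, when, poll, reach, delay, offset, jitter = m.groups()
        try:
            reach_val = int(reach, 8)  # printed in octal: 377 = 0b11111111
        except ValueError:
            raise ValueError("reach %r for %s is not octal" % (reach, remote))
        peers.append(Peer(tally, remote, refid, int(st), t, _parse_when(when),
                          int(poll), reach_val, float(delay), float(offset), float(jitter)))
    return peers


def summarize(peers: List[Peer]) -> dict:
    """Condense the peer list into what an operator checks first."""
    system = [p.remote for p in peers if p.tally == "*"]
    return {
        "system_peer": system[0] if system else None,
        "candidates": [p.remote for p in peers if p.tally == "+"],
        "unsynchronized": [p.remote for p in peers if p.is_unsynchronized],
        # reachable, but missed at least one of the last eight polls
        "flapping": [p.remote for p in peers if 0 < p.successful_polls < 8],
    }


if __name__ == "__main__":
    for p in parse_ntpq(SAMPLE_NTPQ):
        print(p.remote, "polls ok:", p.successful_polls, "unsynchronized:", p.is_unsynchronized)
    print(summarize(parse_ntpq(SAMPLE_NTPQ)))
```

Run it against the output of `ntpq -np` captured on the BIG-IP; a peer with no `*` system peer at all, or every peer listed under "unsynchronized", is the condition this section describes as a failed peer query, while entries under "flapping" point at intermittent network reachability rather than an NTP configuration error.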

MEMCACHE

Source - e-proxy-request-routing-memcached

By definition, Memcached is a general-purpose distributed memory caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read.

As an example, Memcache is like load balancing Bluecoat (forward proxy) systems behind F5 systems using the CARP algorithm, where one or more Bluecoat systems as pool members are load balanced and Bluecoat not only sends the web traffic outside, but also caches the responses to serve a better experience to the users. By the way, Bluecoat as a vendor uses Memcache and other variants of the same for serving web content faster.

Similarly, an F5 administrator can have any other caching server or server farm as a pool.

Good examples of real-time MEMCACHED users are Facebook, Google, Salesforce and most of the social media websites.

However, Memcache also has its own limitations. Any shared instance of memcache is insecure today. Memcache doesn't have a way to authenticate, which means that user1 can read anything user2 'caches'; it also means that user1 can write anything that user2 reads (cache poisoning).

Even with the latest version / SASL authentication, you are authenticating to the whole cache, and can still read/poison someone else's data.

Source - Read thread #5

Internet Content Adaptation Protocol

F5 University has quite useful ICAP video training available.

ICAP is an HTTP-like protocol and follows (almost) the same response status codes.

ICAP Methods (RFC 3507)

1. OPTIONS - Used to ask the ICAP server for the configuration and capabilities of a service (RFC 3507)
2. REQMOD - Can be used to ask the ICAP server to modify requests
3. RESPMOD - Can be used to ask the ICAP server to modify responses

ICAP Response Status Codes (from RFC 3507)

1. 100 - Continue after ICAP preview. The client is still sending the request to the ICAP server, and the client should send any requests that are queued.
2. 204 - No modifications needed.
3. 400 - Bad request.
4. 404 - ICAP server not found.
5. 405 - Method not allowed for service (e.g., RESPMOD requested for a service that supports only REQMOD).
6. 408 - Request timeout. The ICAP server gave up waiting for a request from an ICAP client.
7. 500 - Server error. Error on the ICAP server, such as "out of disk space".
8. 501 - Method not implemented. This response is illegal for an OPTIONS request since implementation of OPTIONS is mandatory.
9. 502 - Bad gateway. This is an ICAP proxy and proxying produced an error.
10. 503 - Service overloaded. The ICAP server has exceeded a maximum connection limit associated with this service; the ICAP client should not exceed this limit in the future.
11. 505 - ICAP version not supported by server.

ICAP has a similar structure to HTTP.

URL structure examples:
icap://10.11.12.13:1344/reqmod
icap://10.11.12.13/reqmod?mode=sanitize

ICAP URI example (figure)

The ICAP header contains the type of REQUEST followed by the other ICAP headers, and the client/server requested URL as the body (i.e. the ICAP payload is the origin client request), as appears in the above example. In the same way, when the ICAP response goes back to the proxy server, it indicates the response to the proxy server in the ICAP header, and carries the response for the original client/server requested URL as the body (i.e. a 403 Forbidden content response).

Creating a custom client-side ICAP profile

You create this ICAP profile when you want to use an ICAP server to wrap an HTTP request in an ICAP message before the BIG-IP system sends the request to a pool of web servers. The profile specifies the HTTP request-header values that the ICAP server uses for the ICAP message.

After you create the ICAP profile, you can assign it to an internal virtual server so that the HTTP request that the BIG-IP system sends to an ICAP server is wrapped in an ICAP message, as per the settings you specified in the ICAP profile.

Creating a custom Request Adapt profile

Source - https://support.f5.com/kb/en-us/products/big-ip tml

You create a Request Adapt type of profile when you want a standard HTTP virtual server to forward HTTP requests to an internal virtual server that references a pool of ICAP servers. A Request Adapt type of profile instructs the HTTP virtual server to send an HTTP request to a named internal virtual server for possible request modification.

After you perform this task, the BIG-IP system contains a Request Adapt profile that a standard HTTP virtual server can use to forward an HTTP request to an internal virtual server for ICAP traffic.
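To make the wrapping described above concrete (an HTTP request encapsulated in an ICAP REQMOD message, and an ICAP reply that either returns 204 or carries a replacement such as a 403 block page), here is a small builder and parser for ICAP/1.0 messages as defined in RFC 3507. It is an added example, not code from the study guide, from F5 or from BIG-IP's ICAP implementation; the service URI reuses the page's example address, while the origin HTTP request, the ISTag value and the 403 block reply are constructed values.

```python
"""Build an ICAP REQMOD request and parse an ICAP response (RFC 3507).
Added example, not code from the study guide or from F5; the HTTP
request, ISTag and block response below are constructed values."""
import re

CRLF = b"\r\n"

# Status codes listed in the section above, with RFC 3507 wording.
ICAP_STATUS = {
    100: "Continue after ICAP preview",
    200: "OK, adapted message follows",
    204: "No modifications needed",
    400: "Bad request",
    404: "ICAP service not found",
    405: "Method not allowed for service",
    408: "Request timeout",
    500: "Server error",
    501: "Method not implemented",
    502: "Bad gateway",
    503: "Service overloaded",
    505: "ICAP version not supported by server",
}


def describe_status(code: int) -> str:
    return ICAP_STATUS.get(code, "unknown ICAP status %d" % code)


def chunked(body: bytes) -> bytes:
    """Encapsulated bodies are sent chunked (RFC 3507 section 4.5): one data
    chunk here, then the zero-length terminating chunk."""
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def build_reqmod(service_uri: str, icap_host: str,
                 http_headers: bytes, http_body: bytes = b"") -> bytes:
    """Wrap an origin-client HTTP request in a REQMOD message. The Encapsulated
    header gives the byte offset of each encapsulated section so the ICAP
    server can split headers from body; null-body says there is no body."""
    if not http_headers.endswith(CRLF + CRLF):
        raise ValueError("HTTP header section must end with an empty line")
    if http_body:
        encapsulated = "req-hdr=0, req-body=%d" % len(http_headers)
        payload = http_headers + chunked(http_body)
    else:
        encapsulated = "req-hdr=0, null-body=%d" % len(http_headers)
        payload = http_headers
    icap_headers = ("REQMOD %s ICAP/1.0" % service_uri,
                    "Host: %s" % icap_host,
                    "Encapsulated: %s" % encapsulated)
    return CRLF.join(h.encode("ascii") for h in icap_headers) + CRLF + CRLF + payload


STATUS_LINE = re.compile(rb"^ICAP/1\.0 (\d{3}) (.*)$")


def parse_icap_response(raw: bytes) -> dict:
    """Split an ICAP response into status, reason, ICAP headers and the
    encapsulated sections named in its Encapsulated header. A 204 carries no
    sections: the proxy forwards the original message unchanged."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete ICAP response: header terminator missing")
    lines = head.split(CRLF)
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError("not an ICAP/1.0 status line: %r" % lines[0])
    status, reason = int(m.group(1)), m.group(2).decode("ascii")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    sections = {}
    if status != 204:
        entries = [e.strip().split("=", 1)
                   for e in headers.get("encapsulated", "").split(",") if e.strip()]
        offsets = [(name, int(off)) for name, off in entries]
        for i, (name, start) in enumerate(offsets):
            end = offsets[i + 1][1] if i + 1 < len(offsets) else len(body)
            if name != "null-body":  # null-body only marks where the headers end
                sections[name] = body[start:end]
    return {"status": status, "reason": reason, "headers": headers, "sections": sections}


def sample_block_response() -> bytes:
    """Constructed reply in which the ICAP server answers a REQMOD with a 403
    Forbidden HTTP response instead of a modified request (the block case)."""
    res_hdr = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
    res_body = b"Blocked by content policy\n"
    icap_hdr = (b"ICAP/1.0 200 OK\r\n"
                b"ISTag: \"constructed-istag-001\"\r\n"
                b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(res_hdr))
    return icap_hdr + res_hdr + chunked(res_body)


if __name__ == "__main__":
    req = build_reqmod("icap://10.11.12.13:1344/reqmod", "10.11.12.13",
                       b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    print(req.decode())
    reply = parse_icap_response(sample_block_response())
    print(reply["status"], describe_status(reply["status"]), reply["sections"]["res-hdr"])
```

The point to notice when reading ICAP traffic between a BIG-IP internal virtual server and an ICAP pool is that the ICAP status (200, 204, 4xx) describes the adaptation, not the origin transaction: a block is delivered as an ICAP 200 whose encapsulated section is an HTTP 403, exactly as the section above describes, so a monitor that only checks the ICAP status line will not distinguish "allowed" from "blocked".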

Third party Web Application Testing / Security / Auditing Tools

This section talks about generic security, web application testing and auditing tools. None of the tools are F5 proprietary, but they help greatly to test/audit your web applications, after which you can use suitable F5 modules to protect against what you find. The section is not very detailed; if you want to browse more information you can refer to the "source" hyperlink, or Google is your friend!

It isn't required to have hands-on practice with each of them. However, having brief knowledge about each of them is mandatory.

1. DIG
Source - d-examples-usage-syntax/
Use the dig command for DNS lookups and to query DNS name servers for various resource records.
Syntax:
dig Hostname
dig DomainNameHere
dig @DNS-server-name Hostname
dig @DNS-server-name IPAddress
dig @DNS-server-name Hostname IPAddress

2. DIG for DNSSEC
Source - ation-with-dig/

3. NMAP
Source - examples-tutorials/
nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing. However, the nmap command comes with lots of options that can make the utility more robust and difficult to follow for new users. The purpose of this post is to introduce
