DeviceID+ APM Integration Technical Overview - A Free Capability from Shape and F5

Captions
Okay, welcome back. So if you're landing on this video because you watched the previous high-level overview, well, welcome. I'm going to show you how I built this in BIG-IP Access Policy Manager using the new capability, Device ID+, and so you probably have a really good understanding of what Device ID+ is already, kind of how it works. Let's take a look at the BIG-IP portal, actually the F5 Cloud Services portal first, and then get into the BIG-IP. Okay, let's do that now.

All right, so here is the portal, and you're going to go to portal.cloudservices.f5.com. I'm going to put that link down in the description so you can log in. You're going to have to create a username and password account if you don't already have one. As mentioned in the previous video, this is where we host all of our SaaS applications for security, right, so things like web application firewall, analytics and monitoring, global DNS, etc. etc. And here you're going to find Device ID. And so you would click on Device ID after you logged in, right here up in this top left where it says "Free Device ID". You would click there and then we would get started, right, and this is super, super easy. So you click on JavaScript snippet, or you click on the BIG-IP to download the iApp, so there's two ways to get this configured. JavaScript snippet: all that happens when you click here and you click Next is, and my head's kind of blocking everything here so I'm not going to... there's really nothing underneath here. It has an area for you to test, but basically you just copy and paste this JavaScript snippet and then you paste it into your BIG-IP or into your application. Again, I mentioned earlier, you don't need a BIG-IP to get this working; you can put this right on your application. So there's two ways to do that; there's actually three ways, right? You can use the JavaScript, put it on the BIG-IP or on your application, or you can develop or deploy the BIG-IP iApp, and the BIG-IP iApp you would download right here. You can see it's got a download right above my head there: download the Device ID+ iApp template. You get that down, upload it to the BIG-IP, and then you would start to configure that template, and you would use this special unique link that they give you here, which is dip dot zero knot dot com, and it's got a whole bunch of garbly stuff in the URI, and that's very unique for this JavaScript. And you would paste that into the iApp, assign it to your virtual server, and boom, you're off and running. I didn't configure it this way because my demo is a little different. I'm using a webtop, and so I've injected the JavaScript into the actual webtop through a message box, and I'm going to show you how that's done right now. I'll log out from this, all right, because I'm going to show you where you find the cookie in a minute if you're not familiar.

Okay, so I mentioned that JavaScript, right? So if you're familiar with BIG-IP, and I'm going to make some assumptions that you are, okay. If you're not, then reach out to your account team. If you have BIG-IPs in your organization, we can get you some free training; we have some great labs which get you started with Access Policy Manager. However, that's beyond the scope of this video, so I'm going to make those assumptions that you have some knowledge of BIG-IP and hopefully Access Policy Manager. And so this is Access Policy Manager. This is where we're going to go here to customize, right, and so we're going to come into our Profiles and Policies and we're going to click Customization, Advanced, okay, and we're going to go to Access Profiles. This is my profile I have here. I'm using a macro, so it's going to be under Macros, so some things are nested here. Don't let this intimidate you; it's just a way that you can customize the BIG-IP APM standard templates, so to speak, if that's what you want to call it. So BIG-IP APM is extremely flexible; you can customize everything you see on the page that you log into. If you land on a portal, what we call our webtop, in Access Policy Manager, all of that's customizable, from the icons to the CSS. You can reskin it to make it your own, remove all F5 branding and make it your own, so it's highly customizable. With that being said, there are some areas in here that you don't want to fool around with if you're not a front-end developer, because you will break... you can reset, but you will break things if you don't know what you're doing.

So let's click on our message box, and so we're going to show the demo again here in minutes. I'm going to show you where I see the cookie being delivered, and so here is where I'm injecting the JavaScript, and I want to show you where that is. So in the instructions in the portal page, it tells you to inject it after the head tag in HTML. So if we scroll down, this is the head right here, right? This is what we're instructed to do in this Cloud Services portal, right? It tells us right here, again, this is like three steps, super easy to deploy: copy the code below to insert after the head tag, and that's the ending head tag, right? So we come back over here, look at our customization. I did just that; I dumped in that JavaScript right here, right after the head tag. I saved it, and now I'm completely finished. I'm done, as far as I'm concerned. The cookie is now going to be delivered to my application, and I should be able to act on those secure hashes, those secure cookies. And let's take a look at what that is going to look like. So let's open our developer tools, and let's go to... I'm using Firefox, which I normally don't use, but that's okay; we're going to get what we need out of here, right? So let's click here, let's proceed to the application. Our identification match is... so we're going to be let in. Now let's take a look at one of these GETs here, right, and then let's take a look at our cookies, and here's our cookie that we're looking for. So we want a match on imp apgr; this is the name of the cookie, and this is documented, right.

And I actually have an iRule; I'll post this on my GitHub. I'm going to dump in a copy of my policy and a copy of the iRule that I'm using to, one, parse out the cookie being returned, and then format it, and then put it into a session variable in Access Policy Manager so that we can do something with it, because you first need to put it into a session variable so that you can act on it, right? You can do compare, compare, deny; you can do all sorts of different logic, conditional logic, on it if you have a variable assigned. And so we can see here... oh, you can't see it because, hey, guess what, I'm blocking the... let me get my big head out of the way here. There we go. So if we look at this right here, imp apg, this is the cookie and this is the value. So there's two cookies here: there is the diA, which is what they call the residual, and then there's the diB right here, which is called the attribute. In the previous video I showed that there are two cookies. I'm not going to get into again what they totally are; we have some documentation that kind of explains them, but Shape uses two cookies because there are times where a user may upgrade their software, they may upgrade their browser or something, and the hash is going to change if they do that, and so you don't want to create a lot of friction with users if those type of things happen, which they do commonly happen. So we have two cookies here, right? So the attribute cookie has a much, much less chance to really change versus a residual cookie, but we use both to really be sure that it is the user and that we're not perhaps creating, or we may run into, a collision. And a collision is where a user, or different users, present the same hash. We don't want that to happen ever. Can it happen? Yes, but Shape is very good at modifying and keeping up with their code and improving it to make sure that never happens, right? And so these are the cookies, and we can see that in the developer tools. So if you're not familiar with developer tools, I highly recommend that you get used to them, get familiar with them. Excuse me, every major browser has one, and I'm using Firefox here.

So after we have this, what I decided to do is I'm going to hard-code these hashes into Active Directory, and I chose Active Directory because I work in DoD space. They use Active Directory very much; just about every organization does, every organization I've worked for, and enterprises use Active Directory. But you can store this anywhere; you can store it in any kind of database, right? It's really up to you. This is easy because, again, Active Directory is available, it is a database, and we can query Active Directory very easily to get this information. So now that I have the cookie, I have this machine, I have the user, I can then go into... let's open up our RDP session window here. All right, let's go to our ADSI Edit. Now I want to go to my user. All right, so here's my Active Directory user account, and where do I have that... here we go. So I have hard-coded these attributes, or these hashes, into two attributes. I'm using home and I'm using pager. Now you could create your own attributes, right; it requires you modifying the schema. I didn't want to mess with any of that; I just wanted something simple and easy to do, so I used the home and pager attributes, and I stuffed these hard-coded hashes in those attributes. And this is what BIG-IP Access Policy Manager is calling. It's calling this Active Directory, it's calling and checking these two attributes when it does the match of the hashes from the cookie being presented by the client and what's stored in Active Directory, okay. Oh, and you can also see the mobile, right; you can see my cell phone numbers there. So if you want to buy some F5, some BIG-IP, you now have my cell phone number. So let's move on, let's get out of here. We see Active Directory; I'm not going to get into how you create an Active Directory server and get it done; there are plenty of videos for that. I just want to show you where we're pulling the attributes from.

Okay, so let's go back to our desktop, right, and let's take a look at the iRule. All right, so the iRule is going to be in Local Traffic, and I've named it log device id, and this is the code, right? So 90% of this I stole, or was given to me from other Shape engineers, F5 engineers, who started work on proofs of concept to get something working on a BIG-IP, and so I've added only the two lines, which are the ACCESS::session data set lines. And what these do is they're going to take the decoded, or the regex that has pulled these cookie hashes out of the cookie, and it places them into variables, and I've named these variables session.custom.deviceid.a and .b. And what this does is it will place those values into these custom session variables where I can then do some cool things with, right? So let's take a look at what that looks like right now. So I believe I have a current session open; yeah, I have a few sessions open. So let's take a look at this session here, and we can see that custom variable being set in Access Policy Manager. So if we scroll down to right here, we can see our two hashes. So where you saw that iRule, that is firing as soon as an HTTP request is made. It's pulling the cookie, it's parsing the cookie, and then storing it into this variable, two variables, and then I store these in the session, and now I can do something with it. I can do a match, right, to see if the device ID matches with what I have stored for this device in Active Directory. Pretty simple.

All right, so let's take a look at our policy. I'm going to remove my head because I want you to see the entire thing here. Let me... all right, cool, now my head's gone, disappeared. So the policy starts right here; it starts with log device id, and this is a policy event agent in APM. And again, APM is fairly intuitive; it moves from left to right. So a user, as they enter into your policy, will traverse from left to right to either an end where they're either approved access or they're denied, and in this case we put this logging event, or this iRule event agent, at the very front to grab the cookie, parse it and throw it into a session variable so we can use it later. So this is what we're doing first, and all this is is that we use the ID of the iRule, the name of the iRule. It's very important that you do that, that it matches exactly what's in the iRule with what you log as the ID, the identification here, so APM knows that it needs to go out and call that particular iRule to do what it's got to do. All right, so then we move on, and we've got our message: "Are you a United States Government" warning banner, right? And this is what we see when we hit here. Let me show you again; let me log in so we can see and play along at home. All right, so this right here is this part right here, right? And we've done some custom work here, right? So we've actually gone into our policy and did some customization, right? So we went where we were when we injected our JavaScript; that's where we've got all of this special code that, remember what I said, was very flexible; you can customize things. So this is much more fancy; this is a lot fancier than your typical message box that you're going to get out of the box. So if you can develop front ends, you can do all sorts of cool things with BIG-IP, and that's what you're seeing right here. So we're going to click OK to proceed to application, and we're logged in, right? So what we did there is that we then moved on after we clicked; we then did an on-demand cert auth. You didn't see the cert being requested there; it's probably because it's cached. But what we're doing is we're requesting a cert from the client. In this case I'm hard-coding a variable because I don't have the right extensions on my cert, so again I had to improvise here a little bit.

Then we're doing an AD query, and this is where some of the magic happens, right? So what we're doing is we're saying, hey, Active Directory, get me the mobile attribute value, get me the home phone value and get me the pager value. And these two values right here are the ones that have that stored hash, or cookie, and this is the one we want to match against, right? And then the mobile is obviously just my cell phone. So when these get pulled by Active Directory, we can see what happens here. Back here, we go back to our active sessions and we look at our session variables; we can see right here, mobile, right? So that's one of the attributes that we want pulled, and you can see that APM went out, queried it, and put it in a variable so we can now use. So we have those variables stored. Now what we do is we do a device ID match right here, right? And what we're doing here is just some very simple logic. What we're doing is we're taking those variables that we've now stored, the cookie from the client and what's stored in Active Directory, and we are matching them. And if they match, then if we look at the branch, right, the branch is very intuitive, they will continue on this branch: Device ID+ is a match, it's a success. I've got some Office 365 logic here; it's not part of this solution, but then after that they get passed to the webtop, they get a full resource assigned, so then they see this; they've been authorized. Now what happens if they don't match? Well, if they don't match, they then fall down to... let me get my head back in here, right. So if they don't match, they come here to the login page, which we call a login page; you can rename these boxes, and this is where it's asking me for that PIN. It's asking me for my cell phone number, and so we prompt the user and say, hey, we need your cell phone, all right, put your PIN in there. And then we have the additional auth request here that says more logic, that says if the cell phone number matches what we have in Active Directory for their mobile, then we're going to say, hey, they're good to go, they are who they say they are, and we're going to pass them down the same branch that we saw up here. They get access and they're allowed. If they don't match, then we're going to deny.

And so that's it. From a very high level, that's how the policy works; those are all the moving parts in Access Policy Manager. I will say also that in your Local Traffic, when you create that virtual server, you have that virtual server that has your policy connected to it, right? So you're going to have resources assigned to it. You're going to want to make sure that that log device id iRule, an agent you're calling from the policy, is attached to the virtual server. And so again, I will place a copy of the policy and a copy of the iRule in a GitHub link below so that you can use it as a template to help you get started. And if you have any questions about this, please reach out or pop in some questions in the comments below, and we'll be certain to get back to you as soon as we can. So hopefully this was helpful and informative and you're able to use this new free feature, functionality, capability from Shape and F5, which I think is super powerful, and again is absolutely free, where it would normally cost you lots of money, a lot of resources, a lot of time to develop, but it's all being done for you now. And so this was just one use case you could do; well, let your imagination run, right? You could do all sorts of really cool stuff with this. And remember, you're getting a cool dashboard in January as well, and I can't wait to see that. But I'd love to hear your feedback; again, if you have some questions, concerns, if you think this is great, if you think this is ho-hum, hey, let us know, put the comments down below, and until next time, I'll see you then.
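The cookie parse, AD attribute match and mobile fallback described above, as an added example that is not code from the video or from F5 (the cookie name, its URL-encoded JSON value layout with diA/diB, and the AD attribute names homePhone, pager and mobile are assumptions):

```python
# Added example (not the video's or F5's code): a plain-Python model of the
# Device ID+ branch logic above. Cookie name, URL-encoded JSON value with
# "diA"/"diB", and the AD attribute names homePhone/pager/mobile are assumed.
import hmac
import json
from typing import Optional
from urllib.parse import unquote

DEVICE_ID_COOKIE = "_imp_apg_r_"  # assumed; use the name from your portal instructions


def parse_device_id_cookie(cookie_header: str) -> dict:
    """Return {'a': diA (residual), 'b': diB (attribute)}; {} if absent or malformed."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == DEVICE_ID_COOKIE:
            try:
                payload = json.loads(unquote(value))
            except ValueError:
                return {}
            if not isinstance(payload, dict):
                return {}
            a, b = payload.get("diA"), payload.get("diB")
            if isinstance(a, str) and isinstance(b, str) and a and b:
                return {"a": a, "b": b}
            return {}
    return {}


def _same(presented: str, stored: str) -> bool:
    """Constant-time equality so a wrong hash is not distinguishable by timing."""
    return hmac.compare_digest(presented.encode(), stored.encode())


def _digits(number: str) -> str:
    return "".join(ch for ch in number if ch.isdigit())


def evaluate_policy(cookie_header: str, ad_user: dict,
                    entered_mobile: Optional[str] = None) -> str:
    """Mirror the APM branches: both hashes match -> 'allow'; otherwise the
    login page asks for the cell number -> 'prompt_mobile', then 'allow'/'deny'."""
    presented = parse_device_id_cookie(cookie_header)
    if (presented and _same(presented["a"], ad_user.get("homePhone", ""))
            and _same(presented["b"], ad_user.get("pager", ""))):
        return "allow"
    if entered_mobile is None:
        return "prompt_mobile"
    entered, stored = _digits(entered_mobile), _digits(ad_user.get("mobile", ""))
    return "allow" if entered and _same(entered, stored) else "deny"


# Constructed sample data, not real identifiers.
SAMPLE_AD_USER = {"homePhone": "RES-0123abcd", "pager": "ATTR-4567ef01", "mobile": "555-010-0123"}
SAMPLE_COOKIE_HEADER = ("lang=en; " + DEVICE_ID_COOKIE + "="
                        + "%7B%22diA%22%3A%22RES-0123abcd%22%2C%22diB%22%3A%22ATTR-4567ef01%22%7D")
```

A missing, malformed or half-matching cookie never grants access on its own; it only routes the user to the mobile-number prompt, which is the same fall-through the policy shows.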
Info
Channel: F5 Government Solutions
Views: 891
Id: 39M5shyzXSc
Length: 21min 43sec (1303 seconds)
Published: Fri Dec 11 2020