F5 BIG IP AFM | Getting Started with BIG IP Advanced Firewall Manager (AFM)

Captions
Welcome to Getting Started with BIG-IP Advanced Firewall Manager. AFM is a high-performance, stateful, full-proxy network security solution designed to guard data centers against incoming threats that enter the network on the most widely deployed protocols.

Let's start by taking a high-level look at where AFM is positioned in the F5 product suite and what it contributes to the F5 security solution offerings. AFM offers four core areas of functionality. Network firewall provides layer 3 to layer 4 security by applying policy-based firewall rules to network traffic arriving at the BIG-IP device. Denial of service: AFM checks, either on a system or a per-virtual-server basis, for potential attacks and can then drop or rate limit that traffic according to thresholds you configure. IP Intelligence can be used to block traffic from known unreliable or questionable IP addresses provided from several sources. Finally, AFM reporting and logging provides historical and analytical data for the security administrator. Take a few moments to read through the list of features provided here and click the Next button when you're ready to continue.

By default, the BIG-IP system is a default-deny device, a firewall in and of itself, even without AFM provisioned. That means that no traffic will be processed through the system until you open it up to listen for application and administrative traffic. For application traffic this is typically done by configuring a virtual server; access can be controlled by configuring the virtual server with a specific IP address and port and by enabling it only on specific VLANs. Administrative access to the BIG-IP system can be controlled through port lockdown and IP address allow lists. Packet filters can be used to define and enforce basic filtering rules for traffic through the TMM switch interfaces. iRules can be applied at the virtual server level to block or allow traffic all the way up into layer 7.

When you provision AFM on your BIG-IP system, you give your BIG-IP system additional network firewall capabilities at far more granular levels and with far wider reach than any of the methods just described. Unlike other network firewalls, AFM does not sit on a separate device in front of an access point and filter traffic coming in and out; instead, AFM sits on the BIG-IP device, and the BIG-IP device is the access point. AFM takes full advantage of BIG-IP's full-proxy architecture, blocking traffic first and allowing traffic to continue to flow to the back-end servers only if it passes AFM's firewall rules. AFM is stateful in that it dynamically compares packets against known active connections; if there is no match, the packet is passed through AFM's firewall rules. AFM is configured on access points such as a virtual server; these are referred to as contexts. A context is anywhere an AFM firewall rule can be configured. Finally, reporting screens and logs are linked to the context, making it easy to drill down into this information using the Configuration utility rather than scrolling through log files to find out what traffic went where.

Once you provision AFM it begins working immediately. By default it operates in what's called ADC mode, also known as application mode. In ADC mode all traffic is allowed by default and you gradually tighten controls by creating rules that explicitly block traffic. The alternative is to run AFM in firewall mode. In firewall mode all traffic is blocked by default and you gradually loosen controls by creating rules that explicitly allow traffic through. The majority of F5 customers use ADC mode. This is not to suggest that the system is left open or insecure in any way: ADC mode does not detract from but augments the existing BIG-IP traffic processing behavior, which is default deny.

AFM uses rules to specify traffic handling actions. The context in which the rule is applied is an important part of a rule's configuration. Rules are collected inside policies, which can then be applied
at a global level, on a route domain, on a per-virtual-server level, or on a self IP address. Rules for the management port do not require a policy but are defined inline directly on the management port context. This distinction is important, since the traffic handling actions for policy-based rules are managed by TMM, while inline management port rules are handled by the Linux component on the BIG-IP system.

In this lesson we'll take a look at the configuration steps required in AFM to create a network firewall policy and apply it to a virtual server context on a scheduled basis. In this scenario a customer wants to allow a client connecting from a specific IP address access to a web server on port 80, Monday through Friday from 9:00 a.m. until 5:00 p.m. Non-HTTP access and/or other client source IP addresses are to be blocked, as is traffic from the one authorized client outside of the specified time period. The website will be accessed through a virtual server on their BIG-IP system, which is currently running LTM and AFM. In the scenario AFM is configured in firewall mode. Remember, in firewall mode the default action is to reject or drop traffic, and rules are created to explicitly accept traffic under certain conditions. To accommodate the requirement we'll build an AFM firewall policy that includes a schedule of availability, the list of IP addresses from which we will accept client traffic, and the port the client must connect to in order to access the website. The policy will be associated with the virtual server and will provide access to the web server only if its conditional rules are met.

The configuration steps are as follows. First, we'll create a schedule that identifies the date ranges, days of the week, and time ranges when client traffic will be accepted. Next, we'll create an address list and a port list that identify the appropriate source IP address and destination port that will be accepted. Then we'll consolidate the schedule, address list, and port list together into a firewall policy. Finally, we'll apply the policy to the virtual server context that provides access to the website.

First we'll create the firewall schedule that will accept traffic only during the Monday through Friday, 9 a.m. to 5 p.m. window. We navigate to Security > Network Firewall > Schedules and click the Create button to create a new schedule. On the New Schedule screen, enter a name and description if desired, specify a time range by typing in the time directly or by using the slide bar, customize the days that are valid, and click Finished to complete step 1, schedule configuration.

In step 2, to create address and port lists, navigate to Security > Network Firewall > Port Lists and click the Create button to create a new port list. At a minimum we must give our port list a name and add at least one port entry to the list. In our scenario we want to limit traffic to HTTP, so type 80 in the Port field and click Add, then Finished. Port List 1 now appears in the network firewall port list. Navigate to Security > Network Firewall > Address Lists and click the Create button to create a new address list. Type a name and description as desired, and an address or addresses, which can include IP address ranges, geographic locations, and other address lists. Click Finished to complete step 2, address list configuration. Address List 1 now appears in the network firewall address list.

In step 3, to create a policy, navigate to Security > Network Firewall > Policies and click Create. Type a name and description if needed, then click Finished. This is the first stage of policy creation: the name is simply a reference point, and the policy itself is merely a container for one or more rules that implement firewall actions. Click on the policy name to select it for configuration. This brings up a page where we can configure the policy's general properties as well as add rules. Scroll to the right and click Add to add a new rule to this policy. Notice that the only required rule setting is the rule name; the rest of the settings can be left at
their defaults, which are to accept all traffic regardless of protocol, from any source to any destination, and without logging. The new rule will be placed last in the list of rules for this policy, and the rule will be enabled on the context where it's assigned. Let's customize some of these settings. For our scenario we need to schedule, rather than enable, this rule on any given context, so change State from Enabled to Scheduled and select the schedule we created earlier. Since we want to apply this rule to a specific source IP address and a specific destination port, we must specify a protocol other than Any; TCP works just fine for this scenario. Change the Address/Region setting under Source from Any to Specify, then select the address list we created earlier and click Add to add it to the list of source IP addresses accepted by this rule. Scroll down to show the Destination settings, then change the Port setting to add the port list created earlier. The Action setting specifies what we want AFM to do if the rule's conditions are met. Since AFM is in firewall mode it blocks traffic by default, and we want this rule to accept traffic that matches the rule's conditions. Click Finished to complete step 3, policy configuration. The rule has been added to Policy 1. Notice that you can click on any of the objects of the rule to navigate directly to that object's configuration.

In step 4, apply the policy to a virtual server by navigating to Local Traffic > Virtual Servers > Virtual Server List. Select the virtual server, then click Security > Policies. The Network Firewall section allows you to specify which firewall policies are enforced and/or staged on the context. By default both enforced and staged policies are disabled. Although a staged policy has no actual effect on passing traffic, its potential effect can be tested and recorded in event logs and reports. To add our firewall schedule to the virtual server, change the Enforcement drop-down to Enabled, then select Policy 1. Only one policy may be enforced at any one time. Click Update to begin enforcing the firewall schedule. The firewall schedule is now applied to the virtual server context and is being enforced. When we access the virtual server using HTTP between the hours of 9:00 a.m. and 5:00 p.m., Monday through Friday, our traffic is accepted; if not, our traffic is rejected.

AFM includes extensive reporting features, including the ability to configure logging per application and customize the information logged. The instructor-led F5 Global Training Services course, Configuring BIG-IP AFM, goes into extensive detail about reporting and logging, but the following is a high-level view of the type of information available within AFM. There are numerous ways to view data. This shows all the IP addresses that attempted to access the virtual server context, displayed by hour, day, week, month, year, or a custom time frame. Your data will be much more exhaustive than this data from our test environment. Use advanced filters to drill even further into your data and isolate individual elements. With so much data available, you can customize the reporting by numerous metrics to suit your unique business needs.

In this section we look at another of the core modules of AFM: denial of service. AFM plays a significant role in F5's application delivery firewall solution. Together with other modules such as LTM, DNS, and ASM, the BIG-IP system provides DoS protection features across the entire OSI stack. AFM's focus is on detecting and mitigating network attacks such as SYN or connection floods. This is accomplished by rate limiting traffic and dropping traffic according to thresholds you set for the BIG-IP AFM system as a whole. In this next section we'll take a look at how you might configure AFM to protect from one particular type of DoS attack, malformed DNS. A customer has been experiencing malformed DNS and other types of attacks on its DNS servers. Malformed DNS is where the field values inside arriving DNS packets are incorrect; the idea is to exhaust
receiving system resources by doing unnecessary work inspecting, and then trying to deal with, broken packets. The customer has decided to place its BIG-IP system in front of the servers to take advantage of AFM's ability to detect and mitigate against many DNS attack vectors. The customer has defined a virtual server that will load balance queries to its pool of DNS servers and is now ready to configure AFM's automatic DNS security detection and mitigation capabilities on that virtual server. The hook to AFM's automatic DNS security protection is made via a custom DNS profile with DNS Security set to Enabled, which is assigned to the virtual server. Note also that in this scenario AFM is set to ADC mode, which is a default-allow configuration.

AFM provides a broad range of DoS protection that can be enabled for various configuration objects throughout the BIG-IP system. DoS protection settings for the system or device as a whole are accessed by navigating to Security > DoS Protection > Device Configuration. The default view is the Properties section, where you select the log publisher, which specifies where logging information is sent when AFM detects one of these attack types. For our demonstration we'll point to the default log publisher on our BIG-IP system, which causes AFM to log locally rather than remotely, and then commit changes. You can add a high-speed logging publisher to your system on the System > Logs > Configuration > Log Publishers screen. Click Network Security to see categories, then the plus and minus icons to view the specific attack types, also known as vectors, within that category. The DNS and SIP security categories have their own drop-downs that display DNS and SIP attack types respectively. For each attack type there are three settings that provide the criteria AFM uses to determine that an attack has potentially started and what notification and/or mitigation actions it should take.

Now let's click the DNS Malformed attack type and explain its threshold settings, as available in a window on the right side of the screen. The Detection Threshold PPS setting tells AFM: if you detect an average of over 1,000 malformed DNS packets per second over the last minute, you may be under attack; start logging and reporting. The system continues to check every second and marks the threshold as an attack as long as the threshold is exceeded. The Detection Threshold Percent setting tells AFM: if you detect a 500% increase in the number of DNS malformed packets as compared to the average rate over the last hour, you're under attack; start logging and reporting. The Rate Limit Threshold PPS setting functions as a high watermark and tells AFM: drop any DNS malformed packets that exceed the threshold of 10,000 per second. Rate limiting continues until the rate drops below the specified limit again. Setting any of these values to Infinite causes AFM to take no action (logging, reporting, and/or rate limiting) for that attack type. We'll purposely set these criteria extremely low to easily demonstrate AFM's attack detection and mitigation functionality. Click Update and the changes are displayed for the DNS Malformed attack type.

Now we're ready to hook into AFM's attack detection and mitigation functions. To do that we've configured a custom DNS profile named my DNS. Scrolling down to the DNS Traffic section, we've customized the DNS Security parameter, changing it from its parent value, Disabled, to the customized value, Enabled. The final step is to assign the custom DNS profile with DNS Security enabled to our virtual server. Change the configuration view from Basic to Advanced, then scroll down to the DNS Profile setting and reference a DNS profile with DNS Security enabled.

To test our virtual server under normal conditions, we directed an nslookup command to the virtual server's IP address and asked it to resolve the domain www.f5trn.com. Since DNS Security is enabled on this virtual server, AFM checks the query to ensure it is not malformed. Finding everything in order, LTM then load balances
the query to the pool of DNS servers. The selected server then processes the query and sends the response back to the client through the BIG-IP system.

Then we test it again, this time using a script that simulates a DNS DoS attack. The script sends thousands of malformed DNS queries to a specified IP address in about a second. Here are some of the results from the attack script as recorded in AFM's event logs. AFM creates an attack event, assigns it an attack ID, and begins logging at the time an attack threshold is exceeded, and may also begin rate limiting. Remember, we have our thresholds set deliberately low, so it doesn't take much for AFM to detect and start an attack event. Each log record contains the date/time stamp when the event occurred; the event that triggered the log record; the attack type; the action taken, depending on the attack characteristics and threshold settings; the associated attack ID (use this to search for and correlate with attack specifics on AFM's reporting screens); the volume of incoming packets per second; and the number of packets dropped, if any. AFM continues sampling data from the attack and periodically produces log records depending on characteristics of the attack over time. When attack traffic volumes return to sub-threshold levels, AFM waits a few seconds, then stops the event and produces a final event log record. Due to the nature of attacks and the potential volume of log information produced for each event, it's recommended to send your AFM event log data off-box. More detailed reporting is available by navigating to Security > Reporting.

Now let's look at the components that make up AFM IP Intelligence and how, put together, they check traffic coming into the BIG-IP. Modern cyber criminals use numerous techniques to hide their identities and activities, and keeping them out of your systems requires constant vigilance. Every packet that traverses the Internet has a source IP address, so disabling inbound communications from known malicious IPs is highly effective. IP Intelligence, or IP address intelligence, provides this functionality and is a BIG-IP feature common to several F5 products, including AFM, ASM, and APM. With IP Intelligence, AFM can be configured to block or allow traffic entering the system based on the reputation of the source IP address. AFM determines reputation using two methods: a continuous feed of known or suspected malicious IP addresses provided via a third-party online service, Webroot BrightCloud, and custom feed lists defined by the AFM security administrator that specify IP addresses that have been blacklisted or whitelisted. The BrightCloud feed is updated every five minutes by default; custom feed lists are unique to the AFM product and are pulled at intervals of your choosing. These two methods are jointly referred to as IP Intelligence and can be used independently or in tandem to filter traffic on the BIG-IP system. Note that the BrightCloud option is licensed separately through F5 and requires Internet connectivity and DNS resolution from your BIG-IP system; custom feed lists do not. IP Intelligence can be applied via a firewall policy to the global, route domain, or virtual server contexts.

In our customer scenario we'll focus on setting up a custom IP Intelligence feed list and applying it to the global context, meaning it will affect all traffic that arrives on our BIG-IP system no matter the access point. IP address intelligence data is organized into categories that differentiate between types of listed IP addresses. A category is a container object on AFM and is defined solely by a name and a short description. What is configured on the feed list, on the firewall policy, and in the feed file itself is what ultimately determines whether an IP address is blacklisted or whitelisted. The steps to deploy a custom feed list on a context are: create the feed file, create a custom blacklist category for our feed list, create the feed list, create an IP Intelligence firewall policy, and apply the feed list to a context.
Step 1: create a feed file. A feed file is a comma-separated value file that contains from one to four comma-separated fields per line. The first field is the IP address that is to be blacklisted or whitelisted, and it is the only field that is required in each entry in the file; all of the other fields are optional. The second field is the network mask for the IP address provided. The third value specifies whether the IP address is a whitelist or blacklist address. The fourth and final field specifies the category name for the entry. For the feed list to demonstrate our customer scenario, we'll use a single entry that lists the source IP address 10.10.[inaudible].30. Since category is left blank on the entry, it will be determined by the category setting in the feed list configuration on AFM; likewise, since the whitelist or blacklist reference is left blank, it will take the default action as defined in AFM. We called this feed file Corp feed file.

In step 2, to create a feed list category, we've navigated to Security > Network Firewall > IP Intelligence > Blacklist Categories. Even though these categories are managed on the AFM menu tab labeled Blacklist Categories, a category can be used for a whitelist as well. Instead of using a predefined category, we'll create one of our own and see how categories fit.

For step 3, create a feed list, we've navigated to Security > Network Firewall > IP Intelligence > Feed Lists, already clicked Create, and named our list. A feed list is the component that makes IP Intelligence dynamic: it points to one or more feed files or URLs that contain a list of blacklisted and/or whitelisted IP addresses. Since a feed list can be comprised of multiple feed sources, each source is given a unique name. A feed file resides on a remote server, usually a web server; you provide the URL and indicate whether it is accessed via HTTP, HTTPS, or FTP. The IP address entries in a feed file can optionally indicate whether the IP address is to be blacklisted or whitelisted; if no value is provided on an entry, the List Type setting in the feed list configuration is used. This feed list configuration setting does not override what's in a feed file entry; instead, it merely provides a default if no value was specified. We'll leave this setting at Blacklist. The Blacklist Category setting is used to categorize the IP addresses found in the various feed files that make up this feed list. The label can be confusing, since List Type can be Whitelist and a category can be used to contain whitelisted IP addresses. The contents of a feed file are designed to change; the Poll Interval setting tells AFM how often to check for updates to the feed file. The default and minimum poll interval is 300 seconds, or every 5 minutes. Any updated intelligence is dynamically recorded in the BIG-IP system's memory. Provide values in the Username and Password settings as needed. Click Add, then Finished, to complete feed list configuration.

For step 4, create a policy, we've navigated to Security > Network Firewall > IP Intelligence > Policies, clicked Create, and named our policy. To associate our custom feed list with this policy, we move its name, Corp feed list, from the Available column to the Selected column. Set Log Whitelist Overrides and Log Blacklist Category Matches to Yes, select a blacklist category, click Add, then Finished. In this view of the event logs we see how IP addresses that matched this blacklist are logged.

In step 5, apply to context, we need to link the policy to one or more traffic access points. We could apply the policy to one or more virtual servers and block or allow traffic at these specific access points, or apply the policy globally to block or allow traffic at all access points. It's more typical to check all incoming network traffic against the IP addresses in feed lists, and this coincides with our customer scenario. To apply the policy globally, set IP Intelligence Policy to our new Corp IPI policy and click Update.

Congratulations, you have completed Getting Started with BIG-IP AFM. In this course you looked at some of the core constituent modules of the AFM product, saw how to configure and implement a scheduled firewall policy, mitigate a DoS attack, and utilize IP Intelligence to limit traffic using IP address information, and where to find AFM logging and reporting.
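The scheduled-policy lesson in the captions above (schedule, address list, port list, one accept rule, firewall mode) is walked through only in the GUI. The following is an added example, not code from the video or from F5, that models how such a policy is evaluated on a context: rules are tried in order, the first match wins, and when nothing matches the mode's default applies (deny in firewall mode, allow in ADC mode). The client address 203.0.113.10, the dates, the rule name and the packet dictionaries are constructed for the example; the rule defaults (action accept, protocol any, state enabled) follow the captions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed model of AFM network firewall policy evaluation on a context.
# Illustrative code, not F5's implementation.


@dataclass
class Schedule:
    """Firewall schedule: ISO weekdays (Monday=1) and a daily HH:MM window."""
    days: Set[int]
    start: str   # "HH:MM", inclusive
    end: str     # "HH:MM", exclusive

    def active(self, when: datetime) -> bool:
        hhmm = when.strftime("%H:%M")   # zero-padded, so string order is time order
        return when.isoweekday() in self.days and self.start <= hhmm < self.end


@dataclass
class Rule:
    name: str
    action: str = "accept"                 # AFM rule default: accept
    protocol: str = "any"                  # AFM rule default: any
    source_list: List[str] = field(default_factory=list)   # address list (CIDR strings); empty = any
    dest_ports: List[int] = field(default_factory=list)    # port list; empty = any
    schedule: Optional[Schedule] = None    # None = state Enabled; set = state Scheduled

    def matches(self, pkt: dict, when: datetime) -> bool:
        if self.schedule is not None and not self.schedule.active(when):
            return False
        if self.protocol != "any" and pkt["proto"] != self.protocol:
            return False
        if self.source_list and not any(
            ip_address(pkt["src"]) in ip_network(n, strict=False) for n in self.source_list
        ):
            return False
        if self.dest_ports and pkt["dport"] not in self.dest_ports:
            return False
        return True


def evaluate(policy: List[Rule], pkt: dict, when_iso: str, mode: str = "firewall") -> Tuple[str, str]:
    """Return (action, rule name). mode is 'firewall' (default deny) or 'adc' (default allow)."""
    when = datetime.fromisoformat(when_iso)
    for rule in policy:
        if rule.matches(pkt, when):
            return rule.action, rule.name
    return ("accept", "default-allow") if mode == "adc" else ("drop", "default-deny")


# The lesson's scenario: one client, HTTP only, business hours only.
# Addresses are constructed from the RFC 5737 documentation ranges.
BUSINESS_HOURS = Schedule(days={1, 2, 3, 4, 5}, start="09:00", end="17:00")
POLICY_1 = [
    Rule("allow_client_http", action="accept", protocol="tcp",
         source_list=["203.0.113.10/32"], dest_ports=[80], schedule=BUSINESS_HOURS),
]


def demo() -> List[Tuple[str, str]]:
    """Evaluate four constructed packets against Policy 1 in firewall mode."""
    monday_10am = "2018-02-12T10:00:00"      # a Monday
    saturday_10am = "2018-02-17T10:00:00"    # a Saturday
    cases = [
        ({"src": "203.0.113.10", "proto": "tcp", "dport": 80}, monday_10am),    # allowed
        ({"src": "203.0.113.10", "proto": "tcp", "dport": 443}, monday_10am),   # wrong port
        ({"src": "198.51.100.7", "proto": "tcp", "dport": 80}, monday_10am),    # wrong client
        ({"src": "203.0.113.10", "proto": "tcp", "dport": 80}, saturday_10am),  # outside schedule
    ]
    return [evaluate(POLICY_1, pkt, when) for pkt, when in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running the same "wrong client" packet with `mode="adc"` returns `("accept", "default-allow")`, which is the practical difference between the two modes: in ADC mode a policy made only of accept rules changes nothing, and you need explicit drop rules to tighten anything.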
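The DNS Malformed section above describes three thresholds (Detection Threshold PPS, Detection Threshold Percent, Rate Limit Threshold PPS), the meaning of Infinite, and the event life cycle seen in the event log (start, periodic samples, stop a few seconds after the rate falls back). The following is an added example, not code from the video or from F5, that simulates those semantics over a constructed per-second trace. The hourly baseline, the three-second end-of-attack grace period, the lowered thresholds and the trace itself are assumptions made for the example; AFM's internal averaging and timing are not described on the page beyond what the captions say.

```python
from collections import deque
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional

# Constructed model of the per-vector DoS thresholds and attack-event life cycle
# described in the lesson. Illustrative code, not F5's implementation.


@dataclass
class VectorThresholds:
    detection_pps: Optional[float] = 1000.0      # None models "Infinite": no detection by rate
    detection_pct: Optional[float] = 500.0       # percent increase over the hourly average
    rate_limit_pps: Optional[float] = 10000.0    # None models "Infinite": no rate limiting


@dataclass
class LogRecord:
    """The fields the captions list for an AFM event log record."""
    t: int
    event: str         # "Attack Started", "Attack Sampled", "Attack Stopped"
    attack_id: int
    pps: int
    dropped: int


class MalformedDnsVector:
    def __init__(self, th: VectorThresholds, hourly_avg_pps: float, end_grace_s: int = 3):
        self.th = th
        self.hourly_avg = hourly_avg_pps       # assumed "average rate over the last hour"
        self.last_minute = deque(maxlen=60)    # per-second counts for the "last minute" average
        self.end_grace = end_grace_s           # "waits a few seconds" before stopping an event
        self.attack_id: Optional[int] = None
        self.next_id = 1
        self.quiet_seconds = 0
        self.log: List[LogRecord] = []

    def _detected(self, pps: int) -> bool:
        by_pps = (self.th.detection_pps is not None
                  and mean(self.last_minute) > self.th.detection_pps)
        by_pct = (self.th.detection_pct is not None
                  and pps > self.hourly_avg * (1 + self.th.detection_pct / 100))
        return by_pps or by_pct

    def tick(self, t: int, pps: int) -> int:
        """Feed one second of malformed-DNS packet counts; return packets dropped this second."""
        self.last_minute.append(pps)
        dropped = 0
        if self.th.rate_limit_pps is not None and pps > self.th.rate_limit_pps:
            dropped = int(pps - self.th.rate_limit_pps)   # high watermark: only the excess is dropped
        if self._detected(pps):
            self.quiet_seconds = 0
            if self.attack_id is None:
                self.attack_id, self.next_id = self.next_id, self.next_id + 1
                self.log.append(LogRecord(t, "Attack Started", self.attack_id, pps, dropped))
            else:
                self.log.append(LogRecord(t, "Attack Sampled", self.attack_id, pps, dropped))
        elif self.attack_id is not None:
            self.quiet_seconds += 1
            if self.quiet_seconds >= self.end_grace:
                self.log.append(LogRecord(t, "Attack Stopped", self.attack_id, pps, dropped))
                self.attack_id = None
                self.quiet_seconds = 0
        return dropped


def run_demo():
    """Deliberately low thresholds, as in the lesson, against a constructed traffic trace."""
    th = VectorThresholds(detection_pps=50, detection_pct=500, rate_limit_pps=200)
    vector = MalformedDnsVector(th, hourly_avg_pps=5)
    # constructed: 5 quiet seconds, a 4-second burst from an attack script, then quiet again
    trace = [5] * 5 + [300] * 4 + [5] * 20
    total_dropped = sum(vector.tick(t, pps) for t, pps in enumerate(trace))
    return vector.log, total_dropped


if __name__ == "__main__":
    log, dropped = run_demo()
    for rec in log:
        print(rec)
    print("total dropped:", dropped)
```

Two things the trace makes visible that the GUI does not: rate limiting drops only the packets above the high watermark (100 of every 300 here, 400 in total), and because the PPS criterion is a one-minute average, the attack event outlives the four-second burst and is only closed at t=28, after the average has decayed below 50 and the grace period has passed. Setting all three values to None (Infinite) yields no drops and no log records.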
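The IP Intelligence steps above describe the feed file format (address, mask, list type, category; only the address is required) and the rule that the feed list's List Type and Blacklist Category are defaults for blank fields and never override a value present in the file. The following is an added example, not code from the video or from F5, that parses such a file with those defaults applied and classifies source addresses against the result. The sample feed file, the category name, the accepted list-type tokens ("bl"/"wl" as well as the full words), comment-line handling and whitelist-over-blacklist precedence are assumptions made for the example.

```python
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed parser for a four-field IP Intelligence feed file with the feed
# list defaults applied as the lesson describes. Illustrative, not F5's parser.

LIST_TYPE_TOKENS = {"bl": "blacklist", "blacklist": "blacklist",
                    "wl": "whitelist", "whitelist": "whitelist"}   # assumed spellings


@dataclass
class FeedListConfig:
    list_type: str = "blacklist"         # feed list "List Type": a default only
    category: str = "corp_blacklist"     # feed list "Blacklist Category": a default only


@dataclass
class FeedEntry:
    network: object                      # IPv4Network or IPv6Network
    list_type: str
    category: str


def parse_feed_file(text: str, cfg: FeedListConfig) -> List[FeedEntry]:
    entries = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        fields = [f.strip() for f in row]
        if not fields or not fields[0] or fields[0].startswith("#"):
            continue                      # blank line or comment (comment support is assumed)
        addr, mask, ltype, category = (fields + ["", "", ""])[:4]
        # mask may be a prefix length or a dotted netmask; blank means a host entry
        network = ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
        if ltype != "" and ltype.lower() not in LIST_TYPE_TOKENS:
            raise ValueError(f"line {lineno}: unknown list type {ltype!r}")
        entries.append(FeedEntry(
            network,
            LIST_TYPE_TOKENS.get(ltype.lower(), cfg.list_type),   # file value wins over config
            category or cfg.category,                              # blank category takes the default
        ))
    return entries


def classify(ip: str, entries: List[FeedEntry]) -> Optional[Tuple[str, str]]:
    """Return (list type, category) for a matching entry; a whitelist match overrides blacklist."""
    addr = ip_address(ip)
    hits = [e for e in entries if addr in e.network]
    for wanted in ("whitelist", "blacklist"):
        for e in hits:
            if e.list_type == wanted:
                return e.list_type, e.category
    return None


# Constructed sample feed file (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_FEED = """\
# Corp feed file: address,mask,list type,category
198.51.100.0,24,,
203.0.113.7,,wl,partners
203.0.113.0,255.255.255.0,blacklist,scanners
2001:db8::,32,,
"""


def demo(cfg: FeedListConfig = FeedListConfig()) -> dict:
    entries = parse_feed_file(SAMPLE_FEED, cfg)
    probes = ["198.51.100.9", "203.0.113.7", "203.0.113.8", "2001:db8::1", "192.0.2.1"]
    return {ip: classify(ip, entries) for ip in probes}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```

The check worth keeping from this is the second half: re-running `demo()` with `FeedListConfig(list_type="whitelist", category="allow")` flips only the entries that left the field blank; the `scanners` entry stays blacklisted, which is exactly the "default, not override" behaviour the captions warn can be confusing.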
Info
Channel: Palo Alto Training Video's
Views: 6,482
Rating: 5 out of 5
Keywords: load balancer basics, load balancer redundancy, load balancer single point of failure, keep alive load balancer, load balancer comparison, hardware load balancer comparison, ha load balancer, external load balancer, slb load balancer, apache load balancer, firewall load balancer, load balancer application, network load balancer appliance, simple load balancer, l7 load balancer, redundant load balan, F5 AFM
Id: t8tKxXiWXYA
Length: 28min 1sec (1681 seconds)
Published: Thu Feb 15 2018