F5 BIG-IP - API Security v15.0

Captions
Hello, thanks for watching this video on the brand new version 15.0 and on the API security solution. As you may know, I already posted another video on 14.1 API protection, so now the goal is just to focus on the new things in version 15.0, and as you are going to see, we merge the WAF and the authentication and authorization part of API security.

So first of all we're going to use httpbin.org as an API server. OK, it's a public website, we can use it for any demonstration, it's very simple to use, and we're going to use as well, of course, 15.0. So here I have a 15.0 BIG-IP, and let me show you the brand-new solution on API security. API security means authentication, authorization and security. So let's do it step by step.

First of all, let's go to the Advanced WAF. So on this device I provisioned APM and Advanced WAF, and I have access to a brand-new template in Guided Configuration. You can see Guided Configuration version 5.0; I have the recipe "API Security with OpenAPI specification file", or Swagger file. So if you remember my previous video, I explained what is a Swagger file, an OpenAPI file, OK. So for httpbin.org it's pretty simple: let's go to /spec.json and you get the Swagger file, so you can see all the URIs, all the parameters, the response codes and so on.

So let's start and create a new configuration step by step. First of all, give it a name and select the OpenAPI file, Swagger v1. Then I have some options: I have an option for rate limiting and, in the WAF, whitelisting or blacklisting. So let's use the rate limiting; you can see here in the banner I have a new bullet. And let's enable OAuth for authorization and authentication as well. So next, the template reads the Swagger file and creates all the entities. OK, so an entity in the WAF, in the F5 WAF, is a URL, a method, a parameter. So as you can see on my entries, the entities: the base path is /, the response codes, the status from the Swagger file. OK, so some of them, the security settings, the WAF part. So as you can see it's very simple because everything is created from the Swagger file. Then the mode, just blocking or transparent: let's set blocking.

Authentication and authorization: so before the video I created an Azure AD provider template, so I just select the one I created. It's based on JWT token; Azure AD uses only JWT token, it doesn't use opaque token anymore. So I just created an application in my Azure AD tenant, and I just get from this configuration an ID and a secret code, OK, a secret key, that's it. It was very simple. So I select my profile, and then I add rate limiting. So I have a factor, I have a value: my factor will be based on the user, OK, on the source. If I don't enable OpenID Connect or OAuth v2, the only factor I can use is a source IP address. Here I have something more flexible, smarter, so I'm going to use a user. So perhaps you don't know, but in F5 we have session variables, subsession variables, and here I need to provide the subsession variable name that I want to use as a factor, an identifier, and I'm going to use my family name, so this information is from the JWT token. OK, so I use this factor as an identifier just to count my requests. I will set the request quota to five requests for one minute. I can enable spike arrest as well, OK, so spike arrest is in case of attacks, for instance, and I can use whitelisting or overriding for a specific endpoint or all users, OK, like admin or VIP, or specific patterns. Assignment, OK, so I need to assign this configuration to a VIP. I will not do it right now, I will do it manually just after, to show you where the objects are. And at the end, let's deploy. So the template is creating an APM profile, OK, with everything around the authorization and authentication with OpenID Connect and OAuth v2 with Azure AD, and it is creating as well a kind of tree with all the paths, OK, for the endpoints, and it is creating as well a WAF policy with the methods, with the URLs, with the parameters. So it's deployed, OK. Perfect, so far so good.

So now I have to assign this policy to my VIP. OK, I want to do it manually just to explain. So here in my VIP I have a back-end server to the httpbin.org website. So now just assign two profiles: one is API Protection, this one is the authorization stuff and so on, and the spike arrest, the quota based on the user; and the second one is my security policy, OK, so the WAF: I should not see an injection or scripting in my request. That's it, now it's done.

Let's make a test. So here I have Postman, OK, Postman is a client to make API calls. So as you can see here I created some calls; one is based on headers, and if I make a call to this /headers I should see a response with all my headers. So far so good, easy to understand. So first of all, let's do something like that without authentication, and I can see it's forbidden. Of course, why? Because if I have a look deeper in my policy, let's have a look at one here, as you can see, if I don't do authentication: reject, reject, reject. So I need to authenticate with OpenID Connect or with OAuth v2. OK, I will delete the previous token and request a new one. So what I need, of course, is information regarding the authorization server. It's Azure AD, in my case it's the corporate F5 one. OK, so I have to provide some information with a client ID, the secret that we don't see, and I request it. OK, so it's pretty simple: Postman connects to Azure AD, and Azure AD redirects me to something to authenticate, in that case it's an APM, so it's requesting the authentication, then asks me if I want to do caching or not. OK, so I have a token here, great, you can see an ID token, I have all the tokens that I need, and let's use it. So now here I have an Authorization header with my token. It passed, OK, makes sense: my JWT token is valid, it is validated by APM and I have access to the back-end server. You can see all the headers, and you can see my... OK, if you remember, I said five requests per minute, OK, so my family name is used as a factor. OK, so I can see when I do more than five requests per minute, I'm blocked. So it's very easy.

OK, this is the authentication and authorization part of the API security. In API security there is as well the payload, the data itself, OK, in the request. So here it's the WAF job, and in the WAF it's pretty simple, I will just enforce my security policy. OK, so give me 30 seconds, I enforce my policy and then we should be good. OK, the WAF is in enforcement, OK, enforced means I disable the staging, OK, I learned enough. So for an API you don't have to learn a lot, because we know the methods, the URLs, the parameters, except the length of parameter values, we don't know that anymore. So now the minute passed, perfect, I can make a new request. OK, so now let's make an attack. OK, so here is a POST, as you can see here I will just inject a parameter with value script, OK, script is an attack signature, and I need to authenticate of course; if I don't authenticate I will have some issues. So let's use the same token and let's try to put it in the request, and you can see it's blocked, OK. So this is the default API blocking page, OK, it's not a page, it's just a JSON response, and you can see the support ID. If I get back to my WAF, to my request log, I should see the whole request, OK, my previous request: if you have a look at 2:30 and 20 seconds, this is my /headers request, the authorization token is hidden of course, and here my POST with my script tag, and it matched two signatures, OK.

So this is a very simple way to deploy API security with the Guided Configuration and the Swagger file. And there is something new as well, it's a new dashboard. When you deploy your template, as you can see, since version 14.1 we have a new dashboard in HTML5, and you have the API Protection dashboard. Then on this dashboard you select... so this is the overview with all your profiles, and select the good one, OK, and here we are. OK, so the security events: the route access rejection, if I made a mistake or if I try to reach an endpoint without OAuth; and rate limit rejection as well, of course, I did one, OK, it was rejected by quota, not by spike arrest; and I have more information regarding the client OS, reputation, and I have the API IP reputation, so right here is some more information. OK, so thanks for watching and see you for the next video.
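The enforcement chain the video configures (entities derived from the Swagger file, a JWT required before anything else, a per-user quota keyed on a token claim such as the family name, then attack-signature matching on request parameters) as an added example in plain Python. This is illustrative code written for this page, not BIG-IP configuration, an F5 API, or the presenter's own material. The Swagger fragment, the HS256 shared key (standing in for the RS256 keys an identity provider like Azure AD would publish), the two signatures, the claim names and the request values are all constructed assumptions; BIG-IP's real signature set, blocking response and log format are not reproduced here.

```python
"""Added example (not F5 code): a miniature of the BIG-IP API Protection chain.
Order of checks mirrors the video: endpoint in spec -> valid JWT -> quota keyed on a
claim -> attack signatures on parameters. All inputs below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import re
import secrets
import time
from collections import defaultdict, deque

# Constructed Swagger 2.0 fragment in the shape of httpbin's /spec.json (assumption:
# only the fields the policy needs are present).
SWAGGER = {
    "basePath": "/",
    "paths": {
        "/headers": {"get": {"parameters": []}},
        "/post": {"post": {"parameters": [{"name": "comment", "in": "formData"}]}},
    },
}

SIGNING_KEY = b"demo-shared-secret"      # HS256 stand-in for the IdP's RS256 key (assumption)
QUOTA_LIMIT, QUOTA_WINDOW = 5, 60        # five requests per minute, as in the video
SIGNATURES = {                           # two illustrative signatures, not F5's set
    "xss_script_tag": re.compile(r"<\s*script", re.I),
    "sqli_comment": re.compile(r"(--|/\*)"),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Issue an HS256 JWT; stands in for the token Postman obtains from the IdP."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SIGNING_KEY, now=None):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims


class ApiPolicy:
    """Entities from the spec, JWT check, sliding-window quota per claim, signature scan."""

    def __init__(self, spec, quota_claim="family_name", now=time.time):
        base = spec.get("basePath", "/").rstrip("/")
        self.entities = {(m.upper(), base + p) for p, ops in spec["paths"].items() for m in ops}
        self.quota_claim, self.now = quota_claim, now
        self.hits = defaultdict(deque)  # identifier -> request timestamps inside the window

    def _quota_exceeded(self, ident) -> bool:
        window, t = self.hits[ident], self.now()
        while window and window[0] <= t - QUOTA_WINDOW:
            window.popleft()             # drop hits older than one minute
        if len(window) >= QUOTA_LIMIT:
            return True
        window.append(t)
        return False

    def handle(self, method, path, headers, params):
        """Return (status, body) as the client would see it; 200 means forwarded."""
        if (method.upper(), path) not in self.entities:
            return 404, {"error": "unknown API endpoint"}     # not an entity from the spec
        auth = headers.get("Authorization", "")
        claims = verify_jwt(auth[7:], now=self.now()) if auth.startswith("Bearer ") else None
        if claims is None:
            return 403, {"error": "forbidden"}                 # the reject branch without OAuth
        ident = claims.get(self.quota_claim)
        if ident is None or self._quota_exceeded(ident):
            return 429, {"error": "rate limit exceeded"}       # quota keyed on the claim
        for name, value in params.items():
            for sig_name, pattern in SIGNATURES.items():
                if pattern.search(str(value)):
                    return 403, {"supportID": secrets.token_hex(8), "signature": sig_name,
                                 "parameter": name}            # JSON blocking response
        return 200, {"forwarded": True, "user": ident}
```

The quota is checked only after the token is verified, so unauthenticated requests cannot consume another user's allowance, and the identifier comes from the verified claims rather than from anything the client can set directly.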
Info
Channel: Matthieu Dierick, F5
Views: 4,283
Keywords: api, security, apm, asm, awaf
Id: UVcUAjtyYaY
Length: 12min 33sec (753 seconds)
Published: Wed Jun 12 2019