
Forum Discussion

Hakam24
Oct 18, 2024

Best Solution For Unencrypted Cookies

Unencrypted Cookies: The Hidden Gateway for Cyber Reconnaissance in F5 BIG-IP Systems.

 

Just want to ask what the best solution is.

1. Configuring cookie encryption within the HTTP profile: https://my.f5.com/manage/s/article/K14784

2. Configuring cookie encryption for BIG-IP persistence cookies from the cookie persistence profile: https://my.f5.com/manage/s/article/K23254150

 

If using the HTTP profile, when it is applied to the virtual server, which HTTP profile needs to be applied?
1. HTTP Profile (Client) 
2. HTTP Profile (Server)

But currently, we are using HTTP Profile (Client) for X-Forwarded-For. Can we use HTTP Profile (Server)?

If using persistence cookies, we already have the default persistence profile set to "source_addr", so do we need to change to cookie encryption?



What other solutions are there to solve this?
