Addressing Security Loopholes of Third-Party Browser Plug-ins - UPDATED FEBRUARY 2017
February 2017 Update
Endpoint inspection and network access support with Chrome, Firefox, and Edge is now available for BIG-IP v13. Release notes with details are available here: https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/related/relnote-helper-apps-13-0-0.html.
January 2017 Update
As browser-based security attacks and vulnerabilities continue to grow in popularity, scrutiny is turning to third-party browser plugins as an attack vector. Java and Flash have both been successful targets, as have certain malicious third-party plugins. As a result, browser vendors are eager to close the loopholes that let plugins control page content and computer operation outside of the browser context. F5’s longstanding client technique of using browser plugins to provide VPN, application tunnel, and endpoint security checks relies on exactly these functions. To address these concerns, F5 will soon end the use of browser plug-ins. This will allow endpoint security checks and connectivity operations such as SSL VPN and app tunnels to run on client PCs using new versions of popular web browsers (Google Chrome, Firefox, and Microsoft Edge) in addition to Microsoft Internet Explorer and Apple Safari.
F5’s plan is to use components, installed by end users, that run outside of the browser process, thereby eliminating the security concerns of browser plug-ins. These client components will register a URI scheme so that the browser can invoke them when users launch a VPN or app tunnel from BIG-IP APM web portals, or when endpoint security checks (firewall, antivirus, OS patch, and registry checks) run. Additionally, a plug-in-less technique will be used to launch native Microsoft Remote Desktop apps or desktops on the user’s device without the traditional ActiveX plugin.
This solution will not require the browsers’ NPAPI support. Although end users will be required to download and install components that run outside of the browser process, F5’s most important goal is to keep the user experience as close as possible to the current browser-initiated experience on currently supported browsers. Alternatively, the client components may be installed by Microsoft’s SCCM or other automatic software installation systems for end user populations with limited rights on their PCs. With this plan, F5 will also be able to support 64-bit versions of the browsers listed above.
In the meantime, you can use the below instructions to detect unsupported browsers and guide the user to a supported browser with a remediation message.
Handling new Firefox and Chrome browsers in BIG-IP APM
Client browsers can be identified by the User-Agent header transmitted with every HTTP request. APM automatically creates a session variable (session.user.agent) during Access Session creation that contains this value, so branching on it in the access policy is a simple matter.
1. Launch the Visual Policy Editor: Access Policy => Access Profiles => (your access policy) => Edit.
2. The VPE will launch in a new browser tab. Click the + icon to add a new Policy Item. Choose General Purpose => Empty and click Add Item.
3. The new Policy Item will appear. Name the Policy Item appropriately. (In this example, “Browser Info” was chosen.)
4. Select the Branch Rules tab and click Add Branch Rule.
5. Name the branch rule “Firefox 43”.
6. Click Advanced.
7. Insert the TCL code:
   expr { [mcget "session.user.agent"] contains "Firefox/43" }
8. Repeat the last 3 steps, this time for Firefox 44.
9. Your new Policy Item should look something like this:
10. Click Save to save the changes to the Policy Item.
Now we need to add a user-friendly error message.
11. Near the top of the VPE screen, click Edit Endings.
12. Click Add Ending.
13. Name the ending “Unsupported Firefox”
14. Click the + near Customization.
15. Change the text to something appropriate for your users. This is a sample:
16. Because the user should close the browser and use a different one, it doesn’t make sense to display a “Restart Session” link, so we simply hide it using the HTML <!-- and --> tags in the New session text and New session link areas.
17. Click the Deny endings attached from Firefox 43 and 44, and change them to the new “Unsupported Firefox” endings.
18. Review your Access Policy. The new section should appear similar to this (note that this policy is empty -- your normal policy should be attached to the “fallback” branch).
19. Test this with Firefox 43 or 44. You should see an error page similar to this:
If you need to detect additional browsers and are not sure of the user agent, simply add a Message Box Policy Item to the beginning of the policy to log your browser’s User Agent string, like this:
When a browser activates this Policy Item, the User-Agent will be displayed.
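As an added example (not part of the original post), the same check generalized to a version range: a Tcl helper that extracts the Firefox major version from a User-Agent string, so a single branch rule can catch every release from 43 upward instead of one rule per version, and the equivalent branch-rule expression. The proc names and sample User-Agent strings are constructed; `mcget` exists only inside the APM policy context, so that line is shown as a comment, and it is an assumption that the APM branch-rule interpreter accepts a regexp with a capture variable.

```tcl
# Extract the Firefox major version from a User-Agent string.
# Returns -1 when the string is not a Firefox User-Agent.
proc firefox_major {ua} {
    if {[regexp {Firefox/(\d+)} $ua -> major]} {
        return $major
    }
    return -1
}

# True (1) when the browser is Firefox at or above $min_major,
# i.e. a release that the policy should send to the "Unsupported Firefox" ending.
proc unsupported_firefox {ua min_major} {
    set v [firefox_major $ua]
    return [expr {$v >= $min_major}]
}

# Constructed sample User-Agent strings for a quick self-check in tclsh.
set samples {
    "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
    "Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0"
    "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
}
foreach ua $samples {
    puts [format "unsupported=%s  %s" [unsupported_firefox $ua 43] $ua]
}

# Equivalent single branch-rule expression for the APM Visual Policy Editor
# (mcget is only available there, so this line is not executable in tclsh):
#   expr { [regexp {Firefox/(\d+)} [mcget "session.user.agent"] -> m] && $m >= 43 }
```

Run it with tclsh to confirm that only the Firefox 43 sample is flagged; the Firefox 42 and Chrome samples return 0.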
We hope this is helpful.
Update January 2017
Currently the latest Firefox version is release 50. Releases 50 and 51 include the NPAPI plugin support that F5 endpoint inspection and VPN access require. Firefox release 52 will not allow the F5 plugin by default. This means that endpoint inspection and VPN will not function in Firefox for BIG-IP APM end users. F5 is planning to release BIG-IP version 13.0, which includes the new lite endpoint check and VPN clients that support a seamless end user experience with Firefox, Microsoft Edge, and Chrome. Based on current release schedules from F5 and Mozilla, the BIG-IP v13.0 release may not be available before Firefox 52 is released. If your end users require endpoint inspection or VPN launch capability with Firefox, we recommend installing Firefox ESR. This version will retain plugin capability until early 2018.
| Firefox 51 | Firefox 52 | Firefox 53 | Firefox ESR 52 |
|---|---|---|---|
| F5 plugin allowed | F5 plugin not allowed by default. F5 plugin can be enabled via a configuration parameter in Firefox.* | F5 plugin not allowed. F5 plugin will not be enabled even with the configuration parameter used in Firefox 52. | F5 plugin allowed by default until Q2 Calendar Year 2018 |
*Firefox 52 Note: The configuration parameter is called plugin.load_flash_only, and it should be set to false. After this configuration parameter is created and set, the user needs to quit Firefox and delete the pluginreg.dat file in the profile folder. See https://bugzilla.mozilla.org/show_bug.cgi?id=1269807 for more details.
Note that this is preliminary information about a non-F5 product and is subject to change.
Refer to the information about Firefox ESR:
https://www.mozilla.org/en-US/firefox/organizations/
Information from Mozilla on future NPAPI support:
https://blog.mozilla.org/futurereleases/
- Rash_75385 (Nimbostratus)
"F5’s plan is to use components that will be installed by end users that run outside of the browser process, thereby eliminating the security concerns of using browser plug-ins."
I just had a dig through F5 articles relating to browser support and issues and this DevCentral post is still referenced for information. Is there any update on when these components will be available and in what release?
Thanks
- Shahar_Perets_2 (Nimbostratus)
Helpful, many thanks.
- rbirri_78684 (Nimbostratus)
When will the new connection method be available?
- Walter_Kacynski (Cirrostratus)
I think that I am more frustrated by the non-intuitive nature of these types of simple customizations. It just doesn't pass the sanity test; almost like this is a complete afterthought of the product design. I would have to think that this is some kind of anti-pattern at this point. Obviously going back to improve this process is nearly impossible at this point. I just hope that product engineering is placing a more user-centric focus on development rather than a technical focus.
- Lucas_Thompson_ (Historic F5 Account)
Hi Walter, I appreciate the feedback. This was the simplest way to achieve the desired end user experience to not have that "start a new session" link, rather than guide people through editing the HTML directly. APM has both "basic" and "advanced" customization that are sort of mashed together. Essentially the pages are read from the templates OR the Advanced Customization (it replaces the templates if configured), and text-replacements are done from Basic Customization into the predefined areas in the template. It is certainly possible to replace the templates with Advanced Customization to put whatever HTML you prefer. Then the hacky HTML comment tags could be replaced with a more sensible solution. If you have any feedback about desired customization features, or what would work well for your site, we'd love to hear it. In our experience, it seems that few APM administrators have the desire and/or capability to hand the APM pages off to a Web Dev team to make changes. This greatly reduces the overall utility of Advanced Customization, even though it can be used to accomplish essentially anything.
- Walter_Kacynski (Cirrostratus)
Quote: "so we simply hide it using the HTML tags". This is the most ridiculous hack and is sure to be easily broken. From a user's perspective, wouldn't it just make sense to blank out these boxes and the link would disappear? This logic path explains so many of the nuances and difficulties with customizing this product.
- amolari (Cirrostratus)
Sounds great. Hopefully with a disruption with the legacy (Firepass) code that made client log analysis hard (without going through F5 support). Hopefully all of today's functionalities will be kept and AppTunnel will be integrated in the client (as it was with Firepass and disappeared with APM).