Configuring Endpoint Security (Client-Side) Using F5 Access Policy Manager (APM)
In a previous article, which can be found here https://devcentral.f5.com/s/articles/creating-a-ssl-vpn-using-f5-full-webtop-30146, we discussed how to configure the BIG-IP as an SSL VPN solution. I wanted to take this a bit further and add security to that solution by requiring certain endpoint settings, services or even updates to be in place before allowing access to internal resources. So, let's get started.
Now that you have saved your organization a ton of money by using the existing F5 BIG-IP in your data center as a VPN solution rather than investing in yet another security appliance, and leadership thinks you're a hero, your local IA shop steps in and says, "we still need a security device to apply network access controls prior to allowing access. Go out and find a NAC solution and, by the way, there's no money!"
At this point, let's be honest: you only know what you know, so you decide to go to your handy dandy search engine to identify a NAC solution. Others who have deployed F5 as a VPN solution must have used a third-party solution, right? So we start with my personal favorite search method, "NAC site:f5.com".
OK, cool, there's an article on F5.com discussing my exact use case. No way, F5 provides endpoint security? Let's check it out. From the VPE you built to enable the remote access solution, follow your workflow and select Add Item after the point where the user has successfully authenticated using directory services. You then identify the Endpoint Security (Client-Side) tab and boom, this is exactly what you need!
In further discussions with the IA team, they require at a minimum that Windows Firewall be enabled and that the organization's approved antivirus program be installed and up to date. While we can see from the Endpoint Security tab that you can configure antivirus and firewall checks, can it really be so granular that it will allow me to identify Windows Firewall and McAfee AV specifically? Only one way to find out, so let's get to it.
Client-Side Antivirus Checks
We will start with AV, validating that the workstation or mobile device is running McAfee VirusScan Professional Version 9, that it is enabled, and that it has the latest DAT file, identified as 8624.
- Once you have selected Add Item > Antivirus > Add Item, you will be presented with a second pop-up which allows you to define the antivirus requirements a workstation must meet to connect.
- In the Platform field, select Win for this use case.
- Next, define the Vendor ID by selecting McAfee, Inc. from the drop down.
As you can see, the vendor list contains many more antivirus vendors than just the typical major products, so no need to worry if you are using something like Avast or AVG; we have you covered!
- Select the Product ID from the drop down as I have done in the screenshot below.
- For State, select Enabled from the drop down.
- The last field, DB Version, is optional and requires manual entry (8624 in our case).
Note: As you can see in the screenshot above, administrators also have the option of continuously checking for compliance with this requirement.
- Select Save and the Antivirus item will be added to your VPE.
Client-Side Firewall Checks
Next, we will add our firewall check, which validates that Windows Firewall is enabled. In the event the client-side check fails, we will redirect the user to the Microsoft support page on how to enable this service rather than issuing an immediate deny.
- We'll begin the same way as with the AV portion, by selecting Add Item between Antivirus and Advanced Resource Assign.
- Once the pop-up displays, select Endpoint Security (Client-Side) > Firewall > Add Item, which displays a second pop-up allowing you to define the firewall requirements.
- From the Platform drop down, select Win.
- From the Vendor ID drop down, select Microsoft Corp.
- For Product ID, select Microsoft Windows Firewall 10.x, 7, 8, 8.1, Vista, XP SP2+.
- For State, select Enabled and click Save at the bottom of the page.
Modifying Our Access Policy to Utilize Client-Side Checks
Now that we have defined the client requirements for AV and firewall, we will modify the ending on the firewall check's fallback branch so that it redirects, as stated previously in this article.
- Navigating back to your VPE, select Edit Endings at the top left of the screen.
- Click Add Ending.
- For visual assistance and easier troubleshooting, rename the ending to Firewall Redirect to Microsoft.
- Select the Redirect radio button.
- Insert the URL you want to redirect the user to. In this case we will use https://support.microsoft.com/en-us/help/4028544/windows-turn-windows-firewall-on-or-off, the Windows support page.
- Select the color pen option and choose a color different from the existing Allow and Deny endings.
- Click Save.
Next, we will change the existing Deny ending on the firewall branch to the redirect ending created in the previous step.
- Navigating back to the VPE, select the Deny ending that follows the Firewall check and change it to Firewall Redirect to Microsoft.
- Click Save.
Once you have completed all of the previous steps your VPE should look like the one below.
- Apply the access policy by selecting Apply Access Policy at the top left, and it's time for testing!
Validating New Client Side Checks
- From the workstation you will be using to test this functionality, begin by launching the Webtop URL in an internet browser and log in.
During the logon process, you will now see the checks put in place during the previous steps run against your workstation.
Because I currently have my Windows Firewall disabled, I am redirected to the Microsoft support page on how to enable the Windows Firewall service.
Once it is enabled, I attempt to log into my remote access Webtop again and voilà, I'm in!
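When a test logon fails a check, it helps to know whether the workstation's posture actually matches what the VPE requires before digging into APM logs. The PowerShell below is an added example (not from the original article or from F5) that reads the same two facts APM evaluates here, Windows Firewall state and the installed AV product's enabled state, from the local machine; it assumes a Windows 10 client with the built-in NetSecurity module and the root/SecurityCenter2 WMI namespace, and the vendor substring is an assumption you adjust to your own AV.

```powershell
# Added example: pre-flight the posture an APM Antivirus + Firewall check would see.
# Assumptions: Windows 10 client, NetSecurity module present, root/SecurityCenter2
# available (client SKUs only), AV product name matched by substring.
$RequiredAvVendor = 'McAfee'   # assumption: mirrors the Vendor ID chosen in the VPE

# 1. Windows Firewall. APM's State=Enabled expects the firewall service to be
#    running and the profiles switched on. Report each profile separately, since
#    a single profile left disabled after lab work is a common cause of failure.
$fwService  = Get-Service -Name MpsSvc          # Windows Defender Firewall service
$fwProfiles = Get-NetFirewallProfile | Select-Object Name, Enabled
$fwDisabled = @($fwProfiles | Where-Object { -not $_.Enabled })
$fwOk = ($fwService.Status -eq 'Running') -and ($fwDisabled.Count -eq 0)

# 2. Antivirus. SecurityCenter2 lists every registered AV product with a
#    productState bitfield: bit 0x1000 set = product enabled, bit 0x10 set =
#    definitions out of date (widely documented heuristic, not a vendor API).
#    It does not expose the DAT number (8624 in the article); confirm that in
#    the McAfee console if the AV check still fails with everything below green.
$avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct
$av = $avProducts | Where-Object { $_.displayName -like "*$RequiredAvVendor*" } | Select-Object -First 1
$avEnabled = ($null -ne $av) -and (($av.productState -band 0x1000) -ne 0)
$avCurrent = ($null -ne $av) -and (($av.productState -band 0x10) -eq 0)

[PSCustomObject]@{
    FirewallServiceRunning = ($fwService.Status -eq 'Running')
    FirewallProfilesOff    = ($fwDisabled.Name -join ',')
    FirewallCheckPasses    = $fwOk
    AvProductFound         = $(if ($av) { $av.displayName } else { '<none>' })
    AvEnabled              = $avEnabled
    AvDefinitionsCurrent   = $avCurrent
} | Format-List

# Map the result back to the VPE branches built earlier in the article.
if (-not $fwOk) {
    Write-Warning 'Firewall branch will fail: expect the Firewall Redirect to Microsoft ending.'
}
if (-not ($avEnabled -and $avCurrent)) {
    Write-Warning "Antivirus branch will fail: '$RequiredAvVendor' missing, disabled, or out of date."
}
```

Run it in an elevated PowerShell session on the test workstation; a disabled profile or a missing product listed here explains the redirect or deny without touching the BIG-IP.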
Just like that you are a hero again!
I hope this was helpful to those looking at remote access solutions who may already have F5 in their data center or DMZ. This article is limited to firewall and antivirus checks, but there is so much more. See the complete lists of client-side and server-side checks below. Until next time!
Endpoint Security (Client-Side)
Endpoint Security (Server-Side)
- dragonflymr (Cirrostratus)
Hi,
Very nice recap about client-side integrity! One note, not a big deal, but it would be helpful to have a link to the article mentioned (SSL VPN). Sure, I can use search in DC, but a link is a nice help for lazy people :-)
Piotr
- Steve_Lyons (Ret. Employee)
Any feedback is good feedback. Done and thank you.
- Ollo1_376841 (Nimbostratus)
This article does not help! The basic idea of why to enable firewall and AV and where are the security risks here not even mentioned. Very poor content.
- Ollo1_376841 (Nimbostratus)
Why add additional security to this solution prior to allowing access to internal resources? What are the risks if you don't add them?
- Steve_Lyons (Ret. Employee)
Ollo1, I'm sorry you feel that way, though I believe you might be looking in the wrong place for your answer. These are how-to guides. If you need information on why having client-side security enabled is a good idea, a quick Google search will result in more content than you can likely consume. If you have a specific question, feel free to ask. Luckily this article has helped many of my own customers to date.
- Ollo1_376841 (Nimbostratus)
A quick Google search will not do that, and usually every how-to starts with why.
- Ollo1_376841 (Nimbostratus)
I asked those questions several times, for example for Client-Side Firewall, AV, Patch Management, OS, IP Geo-location. None of the F5 client-side checks explains the risks and why they think it will help with security risk and NOT user experience.
- Steve_Lyons (Ret. Employee)
Outstanding feedback Ollo1, thank you. As you read, the requirement for this made-up organization was to provide a NAC solution. NAC can include a broad range of access controls. Maybe the wiki can provide the answer you are looking for. This is not an F5 requirement but rather an organizational requirement. F5 doesn't require NAC; it was the decision of the cyber team to require client-side checks. Below is an overview of NAC from the wiki. Hope this helps.
Network Access Control (NAC) is a computer networking solution that uses a set of protocols to define and implement a policy that describes how to secure access to network nodes by devices when they initially attempt to access the network. NAC might integrate the automatic remediation process (fixing non-compliant nodes before allowing access) into the network systems, allowing the network infrastructure such as routers, switches and firewalls to work together with back office servers and end user computing equipment to ensure the information system is operating securely before interoperability is allowed. A basic form of NAC is the 802.1X standard.
Network Access Control aims to do exactly what the name implies—control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.
Example
When a computer connects to a computer network, it is not permitted to access anything unless it complies with a business defined policy; including anti-virus protection level, system update level and configuration. While the computer is being checked by a pre-installed software agent, it can only access resources that can remediate (resolve or update) any issues. Once the policy is met, the computer is able to access network resources and the Internet, within the policies defined within the NAC system. NAC is mainly used for endpoint health checks, but it is often tied to Role-based Access. Access to the network will be given according to the profile of the person and the results of a posture/health check. For example, in an enterprise the HR department could access only HR department files if both the role and the endpoint meets anti-virus minimums.
Goals of NAC
Because NAC represents an emerging category of security products its definition is both evolving and controversial. The overarching goals of the concept can be distilled as:
- Mitigation of non-zero-day attacks
- Authorization, Authentication and Accounting of network connections.
- Encryption of traffic to the wireless and wired network using protocols for 802.1X such as EAP-TLS, EAP-PEAP or EAP-MSCHAP.
- Role-based controls of user, device, application or security posture post authentication.
- Automation with other tools to define network role based on other information such as known vulnerabilities, jailbreak status etc.
The main benefit of NAC solutions is to prevent end-stations that lack antivirus, patches, or host intrusion prevention software from accessing the network and placing other computers at risk of cross-contamination of computer worms.
Policy enforcement
NAC solutions allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in switches, routers, and network middleboxes.
Identity and access management
Where conventional IP networks enforce access policies in terms of IP addresses, NAC environments attempt to do so based on authenticated user identities, at least for user end-stations such as laptops and desktop computers.
https://en.wikipedia.org/wiki/Network_Access_Control
- Ollo1_376841 (Nimbostratus)
This does not answer my question. I am sorry, but it seems you are not really familiar with APM client-side security checks.
- Steve_Lyons (Ret. Employee)
I agree Ollo1, I have so much more to learn. With that, let's dig into your question which I have restated below.
"why adding additional security to this solution prior to allowing access to internal resources? what are the risk if you don't add them?"
Remember, any product like F5 is a solution to a problem. That problem is the risk you are looking to identify. To better understand some of these terms and functions, I have provided some additional comments below. I am not going to cover each and every term or end-point though I hope this helps.
What is a VPN?
A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
A VPN in layman's terms
Typically a VPN provides a secure tunnel from an external endpoint to an organization's private network. This can be accomplished at layer 2 and layer 3. One example is to prevent man-in-the-middle attacks where an attacker can view usernames and passwords in plain text.
What a VPN is not
A VPN does not natively provide security at any other layers. Due to this fact, organizations require a compliance model which incorporates things such as NAC.
What is NAC?
The function of controlling access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.
F5 BIG-IP APM Endpoint checks
BIG-IP APM can enable an inspection of the user’s endpoint device through a web browser or through BIG-IP Edge Client to examine its security posture and determine if the device is part of the corporate domain. Based on the results, it can assign dynamic Access Control Lists (ACLs) to deploy identity-, context-, and application-aware security. BIG-IP APM includes more than a dozen preconfigured, integrated endpoint inspection checks, including OS type, antivirus software, firewall, file, process, registry value validation and comparison (Windows only), as well as device MAC address, CPU ID, and HDD ID. For mobile devices running Apple iOS or Google Android, BIG-IP APM’s endpoint inspection checks the mobile device UDID and jailbroken or rooted status.
Why do organizations enforce NAC compliance?
- Virus and other malware mitigation.
Antivirus software is a type of utility used for scanning and removing viruses from your computer. While many types of antivirus (or "anti-virus") programs exist, their primary purpose is to protect computers from viruses and remove any viruses that are found.
- Reduce attack vector and exposure to other network endpoints.
In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.[1] A firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet.[2]
Firewalls are often categorized as either network firewalls or host-based firewalls. Network firewalls filter traffic between two or more networks and run on network hardware. Host-based firewalls run on host computers and control network traffic in and out of those machines.
- Restrict access to known operating system types.
If your organization currently runs on Windows 10, OS detection allows you to prevent, for example, a Linux or macOS machine from accessing your private network. Why is this important? Many organizations have security controls for only some operating systems. If the organization is not configured to deploy agents or services to additional operating system types, allowing them in reduces your security posture, as these become easy targets.
- Process, file and registry validation. Organizations oftentimes install or require system services, files or registry settings that are unique to that organization. By restricting endpoints based on these results, which may not be apparent to bad actors, you can easily increase your security posture: a Windows machine that would be allowed based on OS can still be blocked because an AV or FW service is not running, or because a registry setting that uniquely identifies trusted endpoints is not set.