Configuring Endpoint Security (Client-Side) Using F5 Access Policy Manager (APM)
I agree Ollo1, I have so much more to learn. With that, let's dig into your question which I have restated below.
"why adding additional security to this solution prior to allowing access to internal resources? what are the risk if you don't add them?"
Remember, any product like F5 is a solution to a problem. That problem is the risk you are looking to identify. To better understand some of these terms and functions, I have provided some additional comments below. I am not going to cover each and every term or end-point though I hope this helps.
What is a VPN?
A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
A VPN in layman's terms.
Typically a VPN provides a secure tunnel from an external endpoint to an organization's private network. This can be accomplished at layer 2 and layer 3. One example is to prevent man-in-the-middle attacks where an attacker can view usernames and passwords in plain text.
What a VPN is not
A VPN does not natively provide security at any other layers. Due to this fact, organizations require a compliance model which incorporates things such as NAC.
What is NAC?
The function of controlling access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.
F5 BIG-IP APM Endpoint checks
BIG-IP APM can enable an inspection of the user’s endpoint device through a web browser or through BIG-IP Edge Client to examine its security posture and determine if the device is part of the corporate domain. Based on the results, it can assign dynamic Access Control Lists (ACLs) to deploy identity-, context-, and application-aware security. BIG-IP APM includes more than a dozen preconfigured, integrated endpoint inspection checks, including OS type, antivirus software, firewall, file, process, registry value validation and comparison (Windows only), as well as device MAC address, CPU ID, and HDD ID. For mobile devices running Apple iOS or Google Android, BIG-IP APM’s endpoint inspection checks the mobile device UDID and jailbroken or rooted status.
Why do organizations enforce NAC compliance?
- Virus and other malware mitigation.
Antivirus software is a type of utility used for scanning and removing viruses from your computer. While many types of antivirus (or "anti-virus") programs exist, their primary purpose is to protect computers from viruses and remove any viruses that are found.
- Reduce attack vector and exposure to other network endpoints.
In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.[1] A firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet.[2]
Firewalls are often categorized as either network firewalls or host-based firewalls. Network firewalls filter traffic between two or more networks and run on network hardware. Host-based firewalls run on host computers and control network traffic in and out of those machines.
- Restrict access to known operating system types.
If your organization currently runs on Windows 10, OS detection allows you to prevent a Linux or macOS device, for example, from accessing your private network. Why is this important? Many organizations have security controls for some operating systems. If it is not configured to deploy agents or services to additional operating system types, it reduces your security posture as these become easy targets.
- Process, file and registry validation.
Organizations oftentimes install or require system services, files or registry settings that are unique to that organization. By restricting endpoints based on these results that may not be apparent to bad actors, you can easily increase your security posture by restricting a Windows machine that may be allowed based on OS but is not allowed because an AV or FW service is not running or a registry setting that uniquely identifies trusted endpoints is not set.
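To make the branching described above concrete, here is an added toy model (not F5's code and not part of the original answer) of a posture policy that applies the same check classes the post lists, OS type, antivirus process, firewall, registry value and required file, and maps the result to an ACL. All policy values, process names, paths and ACL names are constructed placeholders.

```python
"""Toy model of an APM-style endpoint posture policy (constructed example).

An OS mismatch short-circuits to deny; the remaining checks are all
evaluated so the deny/restrict reason lists every failed check.
"""
from dataclasses import dataclass, field


@dataclass
class Posture:
    """What the endpoint inspection reports about one device."""
    os: str
    processes: set = field(default_factory=set)       # running process names
    firewall_enabled: bool = False
    registry: dict = field(default_factory=dict)      # key -> value
    files: set = field(default_factory=set)           # present file paths


# Hypothetical policy values; every name here is a constructed placeholder.
POLICY = {
    "allowed_os": {"Windows 10"},
    "av_processes": {"MsMpEng.exe"},          # any one of these must run
    "trusted_reg_key": ("HKLM\\SOFTWARE\\Example\\Managed", "1"),
    "required_file": "C:\\ProgramData\\Example\\agent.cfg",
}


def evaluate(p, policy=POLICY):
    """Return (acl_name, failed_checks) for a posture report.

    Three outcomes, mirroring dynamic ACL assignment: a wrong OS type is
    denied outright, a known OS with missing controls gets a restricted
    ACL, and a fully compliant device gets the full-access ACL.
    """
    if p.os not in policy["allowed_os"]:
        return "deny", ["os_type"]
    failed = []
    if not (p.processes & policy["av_processes"]):
        failed.append("antivirus_process")
    if not p.firewall_enabled:
        failed.append("firewall")
    key, want = policy["trusted_reg_key"]
    if p.registry.get(key) != want:
        failed.append("registry_value")
    if policy["required_file"] not in p.files:
        failed.append("required_file")
    if failed:
        return "restricted_acl", failed
    return "full_access_acl", []
```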