Identity-Aware decisions with JA4+
Introduction
JA4+ is a suite of network fingerprinting methods. The fingerprints are both human- and machine-readable, which makes threat hunting and analysis more effective. Use cases for these fingerprints include scanning for threat actors, malware detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, grouping of threat actors, reverse shell detection, and many more.
| Full Name | Short Name | Description |
|---|---|---|
| JA4 | JA4 | TLS Client Fingerprinting |
| JA4Server | JA4S | TLS Server Response / Session Fingerprinting |
| JA4HTTP | JA4H | HTTP Client Fingerprinting |
| JA4Latency | JA4L | Latency Measurement / Light Distance |
| JA4X509 | JA4X | X509 TLS Certificate Fingerprinting |
| JA4SSH | JA4SSH | SSH Traffic Fingerprinting |
| JA4TCP | JA4T | Passive TCP Client Fingerprinting |
| JA4TCPServer | JA4TS | Passive TCP Server Response Fingerprinting |
| JA4TCPScan | JA4TScan | Active TCP Server Fingerprinting |
Identity-enhanced JA4+
F5 BIG-IP Access Policy Manager (APM) and F5 BIG-IP Next Access can integrate with other F5 BIG-IP modules and with external systems, which makes it possible to bring JA4+ fingerprints into identity-based access decisions. This article covers three of the JA4+ fingerprints: JA4, JA4L and JA4H.
We use two main integration points:
Policy event trigger
- Building on Joe Martin's DevCentral repo, https://github.com/f5devcentral/f5-ja4, which shows how to compute JA4 fingerprints with F5 BIG-IP iRules, the Access policy flow triggers those iRules to obtain the required fingerprints.
- The iRules are extended with an additional ACCESS_POLICY_AGENT_EVENT event handler, and an iRule Event trigger is added to the Access policies.
JA4 iRule:

```tcl
# Added to the JA4 iRule from the f5devcentral/f5-ja4 repo; $ja4 is the
# fingerprint that iRule computes in an earlier event of the connection.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "JA4FP" } {
        ACCESS::session data set session.custom.JA4 $ja4
    }
}
```

JA4L iRule:

```tcl
# Added to the JA4L iRule; $ja4l is the value that iRule computes earlier.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "JA4FPL" } {
        # Store the full JA4L value and its three underscore-separated fields
        ACCESS::session data set session.custom.JA4l $ja4l
        ACCESS::session data set session.custom.JA4la [getfield $ja4l "_" 1]
        ACCESS::session data set session.custom.JA4lb [getfield $ja4l "_" 2]
        ACCESS::session data set session.custom.JA4lc [getfield $ja4l "_" 3]
    }
}
```

JA4H iRule:

```tcl
# Runs once the access policy has allowed the session; $ja4h_fp is the
# fingerprint the JA4H iRule computes from the HTTP request.
when ACCESS_ACL_ALLOWED {
    ACCESS::session data set session.custom.JA4h $ja4h_fp
}
```
HTTP Connector, sideband calls
- Initiate a sideband call to a JA4 fingerprint database and match the fingerprints obtained by the iRules above against its entries.
- This database can hold allowed or blocked fingerprints (malicious browsers, clients, and others).
This covers not only security use cases but also network and performance use cases; some of them are listed below:
- Network performance: use JA4L to measure the delay from the client to the VPN endpoint and from the VPN endpoint to the backend server, and based on that delay direct the user to a better VPN endpoint for the specific service.
- Security: match the calculated fingerprints (JA4, JA4H, others) against the JA4 database to block malicious clients and browsers.
- Security: match the calculated fingerprints (JA4, JA4H, others) against the JA4 database to allow specific machines or browsers to access the service.
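As an added illustration (not code from the article or the f5-ja4 repo), the following Python models what the three iRule triggers store in the APM session and the decisions the sideband database lookup and the JA4L-based endpoint choice would then make; the fingerprint values, the block-beats-allow policy, the `getfield` emulation and the delay figures are constructed assumptions.

```python
from dataclasses import dataclass, field

def getfield(value: str, delimiter: str, index: int) -> str:
    """Mimic the iRule getfield command: 1-based field index, "" when out of range."""
    parts = value.split(delimiter)
    return parts[index - 1] if 1 <= index <= len(parts) else ""

def set_session_vars(ja4: str, ja4l: str, ja4h: str) -> dict:
    """Populate the same session.custom.* variables the three iRule triggers set."""
    return {
        "session.custom.JA4": ja4,
        "session.custom.JA4l": ja4l,
        "session.custom.JA4la": getfield(ja4l, "_", 1),
        "session.custom.JA4lb": getfield(ja4l, "_", 2),
        "session.custom.JA4lc": getfield(ja4l, "_", 3),
        "session.custom.JA4h": ja4h,
    }

@dataclass
class FingerprintDB:
    """Constructed stand-in for the fingerprint database the HTTP Connector queries."""
    blocked: set = field(default_factory=set)  # known-bad JA4 / JA4H values
    allowed: set = field(default_factory=set)  # when non-empty, only these may pass

def lookup(db: FingerprintDB, session: dict) -> str:
    """Access decision driven by the sideband response; assumed policy: block wins."""
    fps = {session["session.custom.JA4"], session["session.custom.JA4h"]}
    if fps & db.blocked:
        return "block"
    if db.allowed and not (fps & db.allowed):
        return "block"
    return "allow"

def choose_vpn_endpoint(delays: dict) -> str:
    """delays maps endpoint -> (client_to_vpn, vpn_to_backend); pick the lowest total."""
    return min(delays, key=lambda ep: sum(delays[ep]))

# Constructed sample values, not real measurements or captured fingerprints
SESSION = set_session_vars(
    "t13d1516h2_8daaf6152771_b0da82dd1658",                 # JA4
    "1234_64_3",                                            # JA4L, split like the JA4L iRule does
    "ge11nn05enus_7b7d8e3b8a5c_000000000000_000000000000",  # JA4H
)
DB = FingerprintDB(blocked={"t13d1516h2_8daaf6152771_b0da82dd1658"})

if __name__ == "__main__":
    print(SESSION["session.custom.JA4la"], lookup(DB, SESSION))
```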
Conclusion
JA4+ provides lightweight insight into passing traffic: not only the traffic reaching the device, but also the history of the path the packet traversed. Enhancing that visibility with the identity piece from F5 Access solutions allows granular control over traffic, not only from a security perspective but also from a performance and optimization point of view.