Protect your Mobile Applications with F5 Distributed Cloud Bot Defense
The newly released F5 Distributed Cloud (F5XC) Bot Defense iApp v.3.0.3 Connector for BIG-IP supports the following enhancements:
- Enables Mobile SDK support: Customers can now configure endpoints for web, mobile, or both.
- Independent SNAT configuration: Customers can configure SNAT for access to F5 Security API separately from SNAT for their protected virtual servers.
- Syslog improvements: Log messages are now distinguished by syslog severity level and can be associated with a specific transaction. Detailed per-transaction log messages are available if desired.
- SIEM logging: Users can send log messages to an external log server/SIEM by using BIG-IP’s High Speed Logging (HSL) feature. (This applies to data generated on the BIG-IP and not to data from F5 Cloud dashboards.)
- Many additional performance and functional improvements.
In this article, I will show you how to protect an application with the new iApp and how to enable the Mobile SDK.
First, log in to the F5 Distributed Cloud console.
Click on the Bot Defense tile.
Make sure you are working in the correct Namespace.
Click Add Application
Give your protected application a Name, Labels and Description. Select your Application Region and F5 BIG-IP iApp as the Connector Type.
Click Save and Exit
Next, we will download the iApp template created for this application and save it in an accessible location to be installed on your BIG-IP.
Now we will import the template, create the Application Service on the BIG-IP and configure the iApp.
Log in to your BIG-IP.
Navigate to iApps, Templates, and click Templates.
Next, click Import.
Navigate to the template file you downloaded from the F5XC Console.
Then click Upload.
Next, navigate to Application Services, click Applications, then click Create.
Give your application a Name and select the template you just uploaded.
This will display the iApp page where we will configure all the options to protect your mobile applications. I have covered web applications in previous articles that I will link to at the end.
You can select Advanced at the top of the page to see the complete list of options. You must change the Mobile SDK options tab, shown at the bottom of the image, to Yes to see the correct Security Endpoints.
First, you will again be prompted that you need an F5XC Security Mobile SDK Subscription. You will supply the headers that are expected from your mobile SDK and enter the Mobile SDK Reload Header Name supplied by F5. This is used for signaling between the Mobile SDK and the F5XC Security service.
Moving to the next section, you will configure how the BIG-IP handles the JS injections: the URL and/or path, and where on the page to inject.
The next section has the newly added features for iApp version 3.0.3. You'll notice that, at the bottom, you configure which URLs are routed to the F5XC console. The options are Web, MSDK or Both. Below the image, I give more details on how to set this up and what to consider when designing your protected endpoints.
When Mobile-SDK support is enabled, there are three types of protected endpoints:
Endpoints marked Both can be accessed by either web or MSDK clients. When a client request reaches a Both endpoint, the F5XC Bot Defense iApp assumes the request comes from a web client unless the request includes a Mobile Request ID value shown in the red box above.
There are two types of Mobile Request IDs:
- Special request headers
- Special string values embedded in a request body (typically a POST request)
To recognize Mobile SDK requests by headers, enter regular expressions to recognize the names and acceptable values of those headers. To recognize Mobile SDK requests by one or more keywords embedded in request-bodies, enter a suitable regular expression, using alternation to recognize different keywords if necessary. Beware of partial matches; use regex operators like ^ and $ and [^\w] as needed.
The Actions available for protected endpoints also differ between Web type and MSDK type endpoints. Requests from MSDK clients may be Continued or Blocked but cannot be Redirected or Dropped. If the Action configured for an endpoint is Redirect or Drop, it is silently converted to Block whenever it is applied to a request from an MSDK client.
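The partial-match warning and the MSDK action conversion described above can be seen in the following added example, which is not part of the iApp or of F5's code. The header name `X-Mobile-Token`, the keywords `msdk_id` and `mobile_req`, and all sample requests are hypothetical, and Python's `re` module stands in for the regex engine the iApp uses, which may differ in details.

```python
import re

# Hypothetical header names, keywords and patterns; real values come from your
# Mobile SDK integration. Python's re is used only to illustrate anchoring.
LOOSE = {
    "header_name": r"X-Mobile-Token",
    "header_value": r"[A-Za-z0-9]{16}",
    "body_keyword": r"msdk_id|mobile_req",
}
STRICT = {
    "header_name": r"^X-Mobile-Token$",
    "header_value": r"^[A-Za-z0-9]{16}$",
    "body_keyword": r"(^|[^\w])(msdk_id|mobile_req)([^\w]|$)",
}

def is_msdk_request(patterns, headers, body=""):
    """True if a header name+value pair or a body keyword matches (search semantics)."""
    for name, value in headers.items():
        if (re.search(patterns["header_name"], name, re.IGNORECASE)
                and re.search(patterns["header_value"], value)):
            return True
    return bool(re.search(patterns["body_keyword"], body))

def effective_action(configured, client_is_msdk):
    """MSDK clients can only be Continued or Blocked; Redirect/Drop become Block."""
    if client_is_msdk and configured in ("Redirect", "Drop"):
        return "Block"
    return configured

# Constructed sample requests hitting an endpoint of type Both.
MOBILE_HDR = {"X-Mobile-Token": "a1B2c3D4e5F6g7H8"}
LOOKALIKE_HDR = {"X-Mobile-Token-Debug": "a1B2c3D4e5F6g7H8-extra"}
MOBILE_BODY = '{"user":"alice","msdk_id":"7f3a"}'
LOOKALIKE_BODY = '{"user":"alice","notmsdk_identity":"7f3a"}'
WEB_HDR = {"User-Agent": "Mozilla/5.0"}

def demo():
    """Return (case, loose_result, strict_result) for each constructed request."""
    cases = [("mobile header", MOBILE_HDR, ""), ("look-alike header", LOOKALIKE_HDR, ""),
             ("mobile body", WEB_HDR, MOBILE_BODY), ("look-alike body", WEB_HDR, LOOKALIKE_BODY)]
    return [(label, is_msdk_request(LOOSE, h, b), is_msdk_request(STRICT, h, b))
            for label, h, b in cases]

if __name__ == "__main__":
    for row in demo():
        print("%-18s loose=%-5s strict=%s" % row)
```

The unanchored patterns classify both look-alike requests as Mobile SDK traffic, while the anchored ones accept only the exact header and the stand-alone keyword.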
The host and path are determined by your application.
Finally, I want to point out a few features under Advanced Features that were highlighted in the opening of this article.
Previous versions of the Bot Defense iApp “borrowed” the SNAT configuration they needed to connect to the F5XC Security Service API server(s) from the virtual-server to which Bot Defense protection was attached. That approach was not optimal, so starting with iApp v3.0.3, a distinct SNAT configuration must be selected. The default option is SNAT Automap:
If configured to do so, iApp v3.0.3 will log an informative message about each transaction (a transaction is a distinct client HTTP request). Transaction logging does not directly incur a performance penalty, but sending transaction logs to the local control-plane syslogd will incur a large performance penalty. If you want to log transactions, you should enable HSL (High-Speed Logging) to an external log server:
Many log servers prefer messages in structured (JSON) format, which you may choose in the iApp.
To include some HTTP request headers in transaction log messages (for example, headers which identify site users), specify a regex to match those headers’ names.
Make sure you click Finished and you will have deployed your protected application.
I wanted to highlight the changes F5 has made and show how easily you can deploy the iApp and take advantage of all the new features.
That is all that you need to configure to take advantage of F5’s Distributed Cloud Security Service.
If you are upgrading from an earlier version of the iApp (for example, iApp v.3.0.2 or v.3.0.1), you need to take these steps to avoid possible errors:
Prior to installing the v3.0.3 template:
- Reconfigure the current Application Service (iApp instance).
- Set Clean Before Deletion to Yes.
- Select Finished.
Install the v3.0.3 template. Be sure to select the Overwrite existing template checkbox before uploading the new template.
Reconfigure the current Application Service:
- Set Clean Before Deletion to No.
- Check and update configuration as needed.
- Select Finished.
- F5 Distributed Cloud Bot Defense Overview: https://community.f5.com/t5/technical-articles/f5-distributed-cloud-bot-defense-overview-and-demo/ta-p/292187
- How to easily protect your BIG-IP applications using F5's Distributed Cloud Bot Defense with iApps: https://community.f5.com/t5/technical-articles/how-to-easily-protect-your-big-ip-applications-using-f5-s/ta-p/295578
- How to easily protect your BIG-IP applications using F5's Distributed Cloud Bot Defense, natively: https://community.f5.com/t5/technical-articles/how-to-easily-protect-your-big-ip-applications-using-f5-s/ta-p/295590
- F5 Distributed Cloud Services: https://www.f5.com/cloud
- F5 Distributed Cloud Bot Defense: https://www.f5.com/cloud/products/bot-defense