Securing APIs with BigIP

Introduction

API servers respond to requests using the HTTP protocol, much like Web Servers. Therefore, API servers are susceptible to HTTP attacks in ways similar to Web Servers.


Previous articles covered how to publish an API using the NGINX platform as an API management gateway. These APIs are still exposed to web attacks and defensive mechanisms are needed to defend the API against web attacks, denial of service, and Bots. The diagram below shows all the layers needed to deliver and defend APIs. BIGIP provides the protection and NGINX Plus provides API management.

Picture 1.


This article covers

  • Advanced Web Application Firewall (AWAF) to protect against HTTP vulnerabilities
  • Unified Bot Defense to protect against bots
  • Behavioral Anomaly DoS Defense to prevent DoS attacks


As shown in Picture 1, above BIG-IP goes in front of the API management gateway as an additional security gateway. The beauty of this approach is that BIG-IP can be initially deployed on the side while the API is being delivered to users through the NGINX Plus gateway directly. Once BIG-IP is configured to forward good requests to NGINX Plus and security policies are in place, BIG-IP can be brought into the traffic flow by simply changing the DNS records for "prod.httpbin.internet.lab" to point to BIG-IP instead of NGINX Plus. From this point on all calls will automatically arrive at BIG-IP for inspection and only those that pass all verifications will be forwarded to the next layer.

Configuring Data Path

Data path configuration for this use case is pretty common for BIG-IP which is historically a load balancer. It includes:

  • Virtual Server (listens for API calls)
  • SSL profile (defines SSL settings)
  • SSL certificate and key (cryptographically identifies virtual server)
  • Pool (destination for passed calls)

Picture below shows how all of the configuration pieces work together.

Picture 3.


At first upload server certificate and key



Setup SSL profile to use a certificate from the previous step



Finally, create a virtual server and a pool to accept API calls and forward them to the backend



From this point IG-IP accepts all requests which go to "prod.httpbin.secured-internet.lab" hostname and forwards them to API management gateway powered by NGINX Plus.


Setting up WAF policy

As you may already know every API starts from the OpenAPI file which describes all available endpoints, parameters, authentication methods, etc. This file contains all details related to API definition and it is widely used by most tools including F5's WAF for self-configuration. Imported OpenAPI file automatically configures policy with all API specific parameters as a list of allowed URLs, parameters, methods, and so on. Therefore WAF configuration narrows down to importing OpenAPI file and using policy template for API security.


Create a policy


Specify policy name, template, swagger file, virtual server and logging profile.


API security template pre-configures WAF policy with all necessary violations and signatures to protect API backend. OpenAPI file introduces application-specific configuration to a policy as a list of allowed URLs, parameters, and methods.



That is it. WAF policy is configured and assigned to the virtual server. Now we can test that only legitimate requests to allowed resources go through.


For example request to URL which does not exist in the policy will be blocked:

ubuntu@ip-10-1-1-7:~$ http -v https://prod.httpbin.secured-internet.lab/urldoesntexist
GET /urldoesntexist HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: prod.httpbin.secured-internet.lab
User-Agent: HTTPie/0.9.2


HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Length: 38
Content-Type: application/json; charset=utf-8
Pragma: no-cache

{
  "supportID": "1656927099224588298"
}


Request with SQL injection also blocked:


Configuring Bot Defense

Starting from BIG-IP release 14.1 proactive bot defense, web scraping, and bot detection features are combined under Bot Defense profile. Therefore current bot defense forms a unified tool to prevent all types of bots from accessing your web asset.

Bot detection and mitigation mechanisms heavily rely on signatures and javascript (JS) based challenges. JS challenges run in a client browser and help to identify client type/malicious activities or apply mitigation by injecting a CAPTCHA or slowing down a client by making a browser perform a heavy calculation.


Since this article is focused on protecting APIs it is important to note that JS challenges need to be used with caution in this case. Keep in mind that robots might be legitimate users for an API. However, robots similar to bots can not execute javascript. So when a robot receives JS it considers JS as API response. Such response does not align with what a robot expects and the application may break. If you know an API is serving automated processes avoid the use of JS-based challenges or test every JS-based feature in the staging environment first.


Configuration to detect and handle many different types of Bots can be simplified by using any of the three pre-configured security modes:

  • Relaxed (Challenge free, mitigates only 100% bad bots based on signatures )
  • Balanced (Let suspicious clients prove good behavior by executing JS challenges or solving CAPTCHA)
  • Strict (Blocks all kinds of bots, verifies browsers, and collects device id from all clients)


It is best to start with the relaxed template and tighten up the configuration as familiarity grows with the traffic that the API endpoints see.


Once the profile is created assign it to the same virtual server at "Local Traffic ›› Virtual Servers : Virtual Server List ›› prod.httpbin.secured-internet.lab ›› Security" page. Such configuration performs bot detection based on data that is available in requests such as URL, user-agent, or header order. This mode is safe for all kinds of API users (browser-based or code-based robots) and you can see transaction outcome on "Security ›› Event Logs : Bot Defense : Bot Requests" page. If there are false positives you can adjust bot status or create a new trusted one for your robots through "Security ›› Bot Defense : Bot Signatures : Bot Signatures List".

Setting Up DDoS Defense

WAF and BOT defenses can detect requests with attack signatures or requests that are generated by malicious clients. However, attackers can send attacks composed of legitimate requests at a high scale, that can bring down an API endpoint.


The following features present in the BIG-IP can be used to defeat Denial of Service attacks against API endpoints.

  • Transaction per second (TPS) Based DoS Defense
  • Stress Based DoS Defense
  • Behavioral Anomaly Based DoS Defense
  • Eviction Policies


TPS-based DoS defense is the most straightforward protection mechanism. In this mode, BigIP measures requests rate for parameters such as Source IP, URL, Site, etc. In case the per minute rate becomes higher than the configured threshold then the attack gets triggered, and selected mitigation modes are applied to ‘all’ requests identified by the parameter.


The stress-based mode works similarly to TPS, but instead of applying mitigation right after the threshold is crossed it only mitigates when the protected asset is under stress. This approach significantly reduces false positives.


Behavioral anomaly detection (BADoS) mode offers the most advanced security and accuracy. This mode does not require the administrator to perform any configuration, other than turning the feature on. A machine learning algorithm is used to detect whether the protected asset is under attack or not. Another machine learning algorithm is used to baseline the traffic in peacetime. When the ‘attack detector algorithm’ identifies that the protected asset is under stress and non-responsive, then the second algorithm stops learning and looks for anomalies. Signatures matching these anomalies are automatically created. Anomalies discovered during attack time are likely nefarious and are eliminated from the traffic by application of dynamically discovered signatures.

BADoS will automatically build a good traffic baseline, detect anomalies and stop them if the API endpoint is under stress.

Conclusion

F5 offers a multi-layered solution for protecting APIs, which is easy to configure.  Please connect with me via comments and keep an eye on more articles in this series.


Good luck!

Published Jan 18, 2020
Version 1.0
  • Victorx this article covers only securing back end API hosted web app using BIGIP as a proxy. I don't think this has any relevance to VMware and others.

  • Hello Mikhail. I access vCenter through f5. I'd like to access my vCenter using Vmware REST API. Would your design be able to help achieve that?