Securing Your Applications with F5 BIG-IP IDS/IPS


Are you taking advantage of F5 BIG-IP’s built-in IDS/IPS? IDS systems monitor traffic for anomalies, whereas IPS systems react to those events.

Since BIG-IP version 13.1.0, you have had the ability to process traffic running through your BIG-IP with an IPS/IDS engine that we call Protocol Inspection. Enabling IDS/IPS on your BIG-IP will allow you to increase your defense-in-depth posture using your existing BIG-IP investment.

This is the first article in the series where I will provide background and describe the features and functionality. The following articles will review:

  • Features and functionality
  • Deep dive into features
  • Configurations and best practices


First, some details explaining the differences between the two and how F5 fits into the puzzle.

Intrusion detection systems (IDS) are passive devices that monitor and log events on the network and can be configured to send alerts to an administrator. IDSs come in two forms: network-based and host-based. This article will focus on network-based IDSs.

Intrusion prevention systems (IPS), on the other hand, have response capabilities. The responses range from dropping traffic or resetting the connection to passing the traffic to a sandboxed environment. Most people use the two terms interchangeably, so from now on I will refer to the systems as IDS/IPS.

These IDS/IPS devices are usually placed in strategic ingress or egress locations such as security zones, data centers or the edge of the network to capture and analyze critical traffic. Generally, these systems operate on signatures developed from known attacks or custom rules, protocol analysis and content matching.

If your organization is running a BIG-IP, it most likely sits in one of these strategic locations within your network, protecting your most valuable assets. This enables you to take advantage of the built-in functionality of the BIG-IP IDS/IPS engine instead of handing the process off to a third-party device, which adds latency.

The BIG-IP IDS/IPS capability is delivered as two major features:

  1. Protocol Inspection Engine
  2. Subscription Service

BIG-IP Advanced Firewall Manager and Protocol Inspection

BIG-IP’s Advanced Firewall Manager (AFM) is the module that allows you to take advantage of the IDS/IPS feature. When enabled, the Protocol Inspection Engine does both application protocol compliance checks and signature matching. The concept behind protocol match is the following:

  1. Drop traffic if it does not conform to protocol standards
  2. Drop traffic based on a signature match

The versatility of the BIG-IP allows Protocol Inspection to be applied as an AFM rule to all contexts (global, route domain or virtual server) or directly to a virtual server. The beauty of this approach is in the processing of traffic. You can inspect the traffic pre-decryption or post-decryption based on policies, politics, or design. Want to step it up a notch further? Apply it to both an AFM rule and a virtual server.

Protocol Inspection offers several features and functionality including the following:

  • Granular Protocol Compliance Checks
  • TCP, SCTP and UDP
  • Signatures
  • Learning and Staging
  • Subscription Service
  • Protocol Inspection and Signature Updates

Granular Protocol Compliance Checks

At the heart of F5's IDS/IPS is the Protocol Inspection Profile, seen below:


After naming the profile, you have all the configuration options available to you. You choose whether this profile uses signatures, whether it uses compliance checks, whether it collects stats for reporting in Application Visibility Reporting (AVR), and which services it inspects. We support 30 services currently.

When you select one or more services to inspect, you will have the option to see and further refine which signatures are used.

Additional configuration selections of Suggestion Properties and Update Settings will be covered in another article.


The F5 signatures are based on a subset of Snort rules syntax. When looking at signatures, you will notice they have been assigned a classification or grouping based on what the exploit is attempting to execute (see below):


Additionally, signatures are broken down and grouped into “services” to assist in finding the specific signature you are looking for.
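To make the two checks described earlier (protocol compliance first, then signature match) concrete, here is an added example that is not F5 code and does not use an F5 signature. It assumes a heavily simplified Snort-style rule supporting only `content` and `nocase`, a minimal HTTP/1.x compliance check, and constructed sample payloads; all function names are hypothetical.

```python
import re

# Constructed Snort-style rule for illustration only; not an F5 signature.
RULE = ('drop tcp any any -> any 80 (msg:"Path traversal in URI"; '
        'content:"../"; content:"/etc/passwd"; nocase; '
        'classtype:web-application-attack; sid:1000001;)')
# Constructed sample payloads.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"
TRAVERSAL = b"GET /../../ETC/passwd HTTP/1.1\r\nHost: app.example\r\n\r\n"
MALFORMED = b"GET /index.html\r\nHost app.example\r\n\r\n"
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")

def parse_rule(text):
    """Split a simplified Snort-style rule into header fields and options."""
    m = re.match(r"(\w+) (\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)\s*$", text)
    if not m:
        raise ValueError("not a recognised rule")
    rule = {"action": m[1], "proto": m[2], "dport": m[6], "contents": []}
    for key, val in re.findall(r'(\w+)(?::\s*("[^"]*"|[^;]*))?;', m[7]):
        val = val.strip('"')
        if key == "content":
            rule["contents"].append([val.encode(), False])
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True  # modifies the preceding content
        else:
            rule[key] = val
    return rule

def http_compliant(payload):
    """Minimal check: valid request line, 'name: value' headers, CRLF CRLF end."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return (bool(sep) and bool(REQUEST_LINE.match(lines[0]))
            and all(b":" in h for h in lines[1:]))

def signature_hit(rule, payload):
    """Every content option must be present (logical AND), honouring nocase."""
    return all((c.lower() in payload.lower()) if nocase else (c in payload)
               for c, nocase in rule["contents"])

def inspect(payload, rules):
    """Stage 1: protocol compliance. Stage 2: signature match."""
    if not http_compliant(payload):
        return ("drop", "protocol compliance failure")
    for r in rules:
        if signature_hit(r, payload):
            return (r["action"], "sid %s: %s" % (r["sid"], r["msg"]))
    return ("accept", "no match")
```

The malformed request is dropped before any signature is evaluated, which is why the compliance stage catches traffic that no signature describes.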


Drilling even further down into an exploit/signature, you can click the signature name and additional information becomes available. I’d like to call attention to the Last Refreshed date and the hyperlinks to the references: CVE and Bugtraq ID.

The Last Refreshed date indicates when the signature was last modified.

Clicking either hyperlink takes you to the related article. Here is an example of the CVE article.

Here is an example of the Bugtraq article.

Subscription Service

When AFM is initially downloaded and installed, it comes with a base set of protocol inspections and signatures. To receive regular, timely updates to both the protocol inspection profiles and signatures, you need to add the IPS Subscription Service.

Protocol Inspection and Signature Updates

AFM lets you manually check for and import updated files whenever you decide or have time. Or, for the easy button, it can automatically check for, download and deploy updated files. You have the option to select whether to “Download” or “Download and Deploy” and the frequency of updating: daily, weekly or monthly. Additionally, you get visibility into what is available to install and what is available to deploy. Review the example screenshot below.


In this article we discussed the features and functionality of BIG-IP AFM's IDS/IPS, along with the configuration and updates of the Protocol Inspection Engine and signatures. In the next article we will look deeper into protocol compliance, inspections and signatures.


Advanced Firewall Manager Datasheet

Advanced Firewall Manager Operation Guide

AFM Intrusion Prevention Systems

Published Jun 10, 2020
Version 1.0
