SSL Orchestrator Advanced Use Cases: Integrating F5 Intrusion Prevention System (IPS)

Introduction

Beyond the easy task of TLS decryption and re-encryption at massive scale, SSL Orchestrator dynamically attaches decrypted flows to security devices through rich, policy-based traffic steering, and to a wide variety of security tools. Among those tools are any devices that are inline layer 2, inline layer 3, inline HTTP (proxy), ICAP/DLP, and passive tap, which covers the bulk of network security products today. Also among these are the integrations with other F5 security solutions. Official support for integrating F5 Secure Web Gateway into the decrypted service chain came in BIG-IP 16.1.0, and we’ve talked about the F5 Advanced WAF, F5 Advanced Firewall Manager, and SOCKS proxy integrations in other articles. In this article, I’m going to address an integration with the F5 Intrusion Prevention System (IPS).

IPS performs layer 5-7 inspection of all incoming traffic and protects more than 25 protocols and infrastructure applications against security incidents and exploits. IPS reviews traffic for adherence to protocol standards, matching against hundreds of known attack signatures. Now normally, you would deploy IPS as a function of Advanced Firewall Manager (AFM) on a BIG-IP application virtual. You could do this with or without decryption (with decryption if you want to capture application layer traffic), and for multiple protocols. But in an orchestrated security architecture, you can now layer in IPS with a full set of other tools, sending traffic flows to IPS when it’s needed, and around IPS when it’s not, for a fully layered, defense-in-depth security strategy. Let’s go see what that looks like!

SSL Orchestrator Use Case: Integrating F5 IPS

To start, it’s important to understand that IPS works with lots of protocols. But specifically, it’s the set of decryptable TCP (and UDP) protocols that you’ll be concerned with here. In the following configuration, we will explore a method to integrate IPS for signature and compliance checking inside the decrypted SSL Orchestrator service chain.

Licensing Requirements

Per the AFM Operations Guide (see reference below), protocol inspection requires specific licensing to enable the signature matching and compliance engines, and an optional signature subscription is available. BIG-IP AFM must be the base module to which other modules (BIG-IP LTM, SSLO, APM, AWF, and so on) are added. If BIG-IP AFM is the add-on, you must add a separate license specifically for Protocol Inspection.

Configuring IPS

This article doesn’t begin to explore everything F5 IPS can do. There are much better resources for that. The primary goal here is basically to turn it on and plug it into the SSL Orchestrator service chain. That can be done in the following simple steps.

• Ensure the above licensing requirements are met.
• Create an IPS inspection profile. In the BIG-IP UI, under Security -> Protocol Security -> Inspection Profile, click Add (new).
  • Per your requirements, enable/disable Signature checks.
  • Per your requirements, enable/disable Compliance checks.
  • For Services, select the required protocols (ex. HTTP).
  • Note that inside the SSL Orchestrator service chain, IPS is going to see decrypted traffic coming across the original port. You’ll need to add this port. Under the HTTP bar, for example, click the pencil icon on the far right and add port 443.
  • Commit the changes.
• Optionally create a logging profile. In the BIG-IP UI, under Security -> Event Logs, click Create. Enable Protocol Inspection. Under Publisher, select local-syslog-publisher to send everything to the LTM log. In a real-world scenario you’d probably want to send these logs off-box. Optionally also enable Log Packet Payload.
• To view inspection events, navigate to Security -> Protocol Security -> Inspection Dashboard.

Configuring SSL Orchestrator

Adding F5 IPS to the service chain is a simple maneuver involving manipulation of a TAP service configuration. You’re not creating an actual TAP service; you’re just using this configuration as the base for your IPS integration.

• In the SSL Orchestrator UI, under Services, create a new TAP service. Name that service whatever you want (ex. IPS).
  • For the MAC Address, enter anything here. It won’t be used, but the UI requires something.
  • For the VLAN, select Create New, give it a name, and select an unused interface (and optional tag). Again, this won’t be used, but the UI needs something.
  • Optionally enable the Enable Port Remap option to have SSL Orchestrator convert decrypted HTTPS traffic to the port of your choice. If you leave this disabled, decrypted HTTPS will flow across the IPS on port 443.

Leave everything else as-is, add the new service to a service chain, and deploy.

• If you’re running SSL Orchestrator 9.0 or above, you can skip to the next step. Otherwise, on versions prior to 9.0 you’ll need to disable strictness on the new TAP service. This is the lock icon on the far right of the listed TAP service on the SSL Orchestrator Services tab.
• Head over to Local Traffic -> Virtual Servers in the BIG-IP UI and find the TAP service virtual servers. You’ll see four of these – one for TCP IPv4, one for TCP IPv6, one for UDP IPv4, and one for UDP IPv6. Click on the needed virtual server to edit its properties.
• On the Security tab, under Policies, enable the Protocol Inspection Profile and select your IPS inspection profile.
• Optionally, on this same page, set a custom log profile.

That’s it, you’ve completed the IPS integration. Depending on how you’ve configured your inspection profile you should start seeing traffic logs right away.

A Contrived Example

As previously mentioned, this article does not even attempt to dig into the fine art of Intrusion Prevention. But on the remote chance you’re new to IPS and want to test a somewhat contrived example, here’s something you can try.

• Logging profile: For this example, you’ll want to create a logging profile to locally catch your filtered traffic. In the BIG-IP UI, under Security -> Event Logs, click Create. Enable Protocol Inspection. Under Publisher, select local-syslog-publisher to send everything to the LTM log. Again, this is just an example. In a real-world scenario you’d probably want to send these logs off-box. Optionally also enable Log Packet Payload.
• IPS Signature: Now let’s create a custom IPS signature. In the BIG-IP UI, under Security -> Protocol Security -> Inspection List, create a New Signature.
  • Give that new signature a name and description of your choice.
  • F5 IPS uses a subset of the SNORT rule syntax. Please see the list of resources at the bottom for more information on that syntax. But for this example, let’s do something very simple and set the Signature Definition to capture any HTTP request traffic that contains an “ABC” and “EFG” header (see example below)
  • Set Action to Reject.
  • Set Log to Yes.
  • Set Protocol to TCP
  • Set Service to HTTP

Everything else can be left as-is. Click Save to capture these settings.

 

alert tcp any any -> any any (content:ABC; content:EFG; http_header;)

 

• IPS profile: Now you’ll create a protocol inspection profile. In the BIG-IP UI, under Security -> Protocol Security -> Inspection Profiles, click Add (New).
  • For Services, enable HTTP.
  • On the new HTTP bar, click it to expand. Now very important, decrypted HTTPS traffic flowing through the IPS will still be on port 443 (unless you enabled Port Remap at the TAP service), so you’ll need to add that. Click the pencil icon on the far right of the HTTP bar and add 443 to the list of ports.
  • Now search for your custom IPS signature and make sure the Action and Suggested Action settings are what you want.
• Testing: You’ll want to test this rule with a command line cURL client if that’s available, or any browser tool that allows you to manipulate HTTP request headers. In this example, I’ve integrated IPS with an SSL Orchestrator forward proxy (outbound) topology configuration, but IPS integration will work in either direction.

 

curl -vk https://www.example.com -H "ABC:1" -H "EFG:2"

 

With logging enabled and pointing to local Syslog, you can tail the LTM log while you’re testing:

 

tail -g /var/log/ltm

 

The request should be dropped/rejected, and you should see a log entry like the below. This is an HTTP request from a local client to example.com.

 

Jun 29 11:17:23 sslo1 info tmm[18875]: 27590657 "Jun 29 2022 11:17:23","00027217000186a0","27590657","sslo1.f5labs.com","10.1.10.50","40836","93.184.216.34","443","_ifc_null","93.184.216.34","443","10.1.10.50","40836","_loopback","Unknown","US/Massachusetts","TCP","","0002404116787217","/Common/ssloS_IPS.app/ssloS_IPS-t-4","/Common/ips_test","","","100000","stew-test","medium","low","/Common/http","reject","486f73743a207777772e6578616d706c652e636f6d7c306430617c557365722d4167656e743a206375726c2f372e35382e307c306430617c4163636570743a202a2f2a7c306430617c4142433a317c306430617c454647","","474554202f20485454502f312e310d0a486f73743a207777772e6578616d706c652e636f6d0d0a557365722d4167656e743a206375726c2f372e35382e300d0a4163636570743a202a2f2a0d0a4142433a310d0a4546473a320d0a0d0a"

 

The gobbledygook at the end is the hexadecimal-encoded HTTP request, which you can plug into any online HEX-to-ASCII converter to decode. You can turn this off with the Log Packet Payload option in the logging profile.

Resources

You don’t have to take my word for all of it, so here’s a great set of resources to better understand how to use F5 IPS in your environment.

• F5 IPS overview page
• F5 IPS Community article
• AFM Operations Guide
• F5 SNORT rule reference
• Official SNORT rules reference
• F5 Advanced WAF (AWF) integration
• F5 Advanced Firewall Manager (AFM) integration
• SOCKS proxy integration 

Adding AFM Functions

It may go without saying, but since you’re already licensing AFM to enable IPS, you can also enable AFM in front of SSL Orchestrator as a network firewall to protect the BIG-IP appliance. See the following article for additional details: F5 Advanced Firewall Manager (AFM) integration.

Summary

In just a few short steps you should now be able to wield the full power of a world-class Intrusion Prevention System for signature and compliance checking of decrypted traffic and do so with a fully integrated, better together F5 solution. Pretty cool, yes? And if I haven’t expressed this enough, F5 IPS is extremely powerful. I urge you to spend some time in the AFM Operations Guide and F5 SNORT rule reference pages to get a better understanding of the full set of its capabilities. And with that, I hope you can see some of the immense versatility and power of an integrated SSL Orchestrator and F5 IPS solution. Thanks!