The PingIntelligence and F5 BIG-IP Solution for Securing APIs

This article describes the PingIntelligence and F5 BIG-IP solution deployment for securing APIs. The integration identifies and automatically blocks cyber attacks on APIs, exposes active APIs, and provides detailed reporting on all API activity.

Solution Overview

PingIntelligence is deployed in a side-band configuration with F5 BIG-IP. A PingIntelligence policy is installed in F5 BIG-IP and passes API metadata to PingIntelligence for detailed API activity reporting and attack detection with optional client blocking. PingIntelligence software includes support for reporting and attack detection based on usernames captured from JSON Web Token (JWT).

Following is a description of the traffic flow through F5 BIG-IP and PingIntelligence API Security Enforcer (ASE):

1. The client sends an incoming request to F5 BIG-IP
2. F5 BIG-IP makes an API call to send the request metadata to ASE
3. ASE checks the request against a registered set of APIs and looks for the origin IP, cookie, OAuth2 token, or API key in PingIntelligence AI engine generated Blacklist. If all checks pass, ASE returns a 200-OK response to the F5 BIG-IP. If not, a different response code is sent to F5 BIG-IP. The request information is also logged by ASE and sent to the AI Engine for processing.
4. F5 BIG-IP receives a 200-OK response from ASE, then it forwards the request to the backend server pool. A request is blocked only when ASE sends a 403 error code.
5. The response from the back-end server poll is received by F5 BIG-IP.
6. F5 BIG-IP makes a second API call to pass the response information to ASE which sends the information to the AI engine for processing.
7. ASE receives the response information and sends a 200-OK to F5 BIG-IP.
8. F5 BIG-IP sends the response received from the backend server to the client.

Pre-requisites

• BIG-IP system must be running TMOS v13.1.0.8 or higher version.
• Sideband authentication is enabled on PingIntelligence for secure communication with the BIG-IP system.
• Download the PingIntelligence policy from the download site.

Solution Deployment

Step-1: Import and Configure PingIntelligence Policy

• Login to your F5 BIG-IP web UI and navigate to Local Traffic > iRules > LX Workspaces.
• On the LX Workspaces page, click on the Import button.
• Enter a Name and choose the PingIntelligence policy that you downloaded from the Ping Identity download site. Then, click on the Import button.

• This creates LX workspace
• Open the Workspace by clicking on the name. The policy is pre-loaded with an extension named

  oi_ext

  . Edit the ASE configuration by clicking on the ASEConfig.js file. It opens the PingIntelligence policy in the editor:

• Click on this link to understand various ASE variables.

Step-2: Create LX Plugin

• Navigate to Local Traffic > iRules > LX Plugins.
• On the New Plugin page, click on the Create button to create a new plugin with the name pi_plugin.
• Select the workspace that you created earlier from the Workspace drop-down list and click on the Finished button.

Step-3: Create a Backend Server Pool and Frontend Virtual Server (Optional)

If you already created the virtual server, skip this step

Create a Backend Server pool

• Navigate to Local Traffic > Pools > Pool List and click on the Create button.
• In the configuration page, configure the fields and add a new node to the pool.
• When done, click on the Finished button.
• This creates a backend server pool that is accessed from clients connecting to the frontend virtual server

Create a Frontend Virtual Server

• Navigate to Local Traffic > Virtual Server > Virtual Server List and click on the Create button.
• Configure the virtual server details. At a minimum, configure the Destination Address, Client SSL Profile and Server SSL Profile
• When done, click on the Finished button.
• Under the Resource tab, add the backend server pool to the virtual server and click on the Update button.

Step-4: Add PingIntelligence Policy

The imported PingIntelligence policy must be tied to a virtual server. Add the PingIntelligence policy to the virtual server.

• Navigate to Local Traffic > Virtual Servers > Virtual Server List.
• Select the virtual server to which you want to add the PingIntelligence policy.
• Click on the Resources tab.
• In the iRules section, click on the Manage button.
• Choose the iRule under the pi_plugin that you want to attach to the virtual server.
• Move the pi_irule to the Enabled window and click on the Finished button.

Once the solution is deployed, you can gain insights into user activity, attack information, blocked connections, forensic data, and much more from the PingIntelligence dashboard

References

• Ping Intelligence for API Overview
• F5 BIG-IP PingIntelligence Integration