The Top Ten Hardcore F5 Security Features in BIG-IP 11.6
There are 32 main features in the 11.6 release of the BIG-IP family of products and 29 of those are security features. That’s right; 91% of the features in the 11.6 release are security-related. Many of them are hardcore, infrastructure doodads that go unmentioned in press releases. This is the blog where I’ll try to give these hardcore doodads some public attention.
The selection criteria is somewhat subjective because there’s no IEEE standard for hardcore. The real difficulty with this blog entry is choosing among the 29 features to select only the Top Ten Hardcore Security Features of 11.6.
Number 10: DNS Firewall Services
The 11.6.0 version of GTM includes two DNS security knobs for DNS firewall services. The first is Rapid Response Mode, which instructs GTM to respond more quickly in zones for which it is authoritative and then to drop the rest. The second knob is Response Policy Zones which allows for customized handling of the resolution of domain names. With RPZ, you can filter DNS queries for domains that are known to be malicious and returns custom responses that direct those queries away from the malicious domain.
Brian McHenry, one of F5’s Security Solution Architects says this about the DNS Firewall services: “The world's only wire-rate application layer DNS Firewall now integrates seamlessly with an industry standard. Add to it improvements in DNS flood protection, and the fastest DNS firewall just got faster.”
To read more about the RPZ, see Jonathan George’s blog here.
GTM, The Global Traffic Manager, is F5’s most senior module. It is responsible for global server load-balancing and DNS services
Number 9: Hardware DDoS Integration for vCMP Guests
When vCMP was first developed, each virtual instance was given a slice of access to the underlying cryptographic offload and compression hardware. This feature continues the tradition by giving each virtual instance access to the underlying network DDoS hardware. Not all platforms have the chips that do this. If you want to know which platforms have it, leave a comment and one of my lovely assistants will post a follow-up.
vCMP is the virtual clustered multi-processor technology and is already about as hardcore as it gets. vCMP is F5’s answer to everyone who wants the flexibility of virtualization but the performance of F5 hardware.
Number 8: Geo-location-based anomaly mitigation
Imagine this conversation in the war room.
“Sir, we’re being attacked by Elbonia.”
“Ensign, have you blocked all the traffic coming from Elbonia?”
“Um, no, sir.”
“Well, make it so!”
That’s a conversation that need not happen with this new feature. You can now tell ASM to automatically mitigate DDoS or brute-force anomalies by the geographic location of the source. How cool is that?
The Application Security Manager (ASM) is F5’s web application firewall. This is where advanced application security happens–protection against the hackers, the OWASP Top Ten, brute force, web scraping and application DDoS.
Number 7: Per-request Access Policies
People who have used APM know about its power to effect clientless single-signon (SSO) for web applications. But many applications perform more than one check for authorization or authentication as you navigate further. In versions prior to 11.6, APM relied on the application code and third-party IAM solutions to enforce so-called "step-up authentication." However, with v11.6, APM is now able to make multiple interrogations of the end-user in a single session, making APM a much more powerful piece of an IAM strategy.
The Access Policy Manager (APM) is F5’s combo of Identity and Access Management and SSL VPN. Everything that involves authenticating users, federating their credentials and authorization of their usage belongs to the APM module.
Number 6: Identity is the Perimeter Firewall Capabilities
For years, everyone has been talking about how the security perimeter is changing. One of the best security models now is to define the security perimeter around the users themselves. The new User Identity firewall feature in AFM helps you do exactly that. Now you can make firewall rules specific to users or groups of users:
- Source user match
- Source user-group match
- Destination user match
- Destination user-group match
An example of when you might use this would be to create a “source user-group to IP address” to allow access to your accounting servers, but only for members of the Finance group when they are coming in from the VPN or corporate LAN.
The Advanced Firewall Manager (AFM) is F5’s network firewall module. It is used in enterprises, service providers and anywhere that an ADC and network firewall consolidation make sense. AFM already leads the firewall industry in network DDoS awareness and mitigation thanks to the diligence of the AFM team, which is quietly adding power features such as these:
Number 5: Generic UDP Flood Vector
UDP floods are tricky. The stateless nature of UDP makes it difficult to determine if any particular packet is legitimate. Sometimes a UDP attack will have a certain signature; for example, the payload will be filled with the letter ‘A’ (so unoriginal!), but sometimes a UDP attack won’t be so easy to spot. One way to detect it is to watch for a massive spike in UDP packets. That’s the job of AFM’s new UDP Flood vector. When it detects a spike in UDP traffic at a port level, it can automatically apply mitigation. That’s not the end of the story, though.
One of the heaviest users of UDP is the DNS protocol, and DNS packets have to travel all through the network. When DNS gets blocked, it appears as an outage of some kind, and the IT department starts getting calls from frustrated
redditors copyeditors and other cube denizens. The UDP Flood vector can whitelist DNS traffic and allow it through, even while mitigating a UDP flood around it.
The "single endpoint" sweep DoS vector can be used to rate limit DNS responders that are sending too many responses back (useful for when BIG-IP itself is the target of a reflection attack).
Number 4: Flow Table Sweeper Enhancements
Many denial-of-service attacks target flow-tables throughout the network. For example, one of the oldest attacks, the TCP connection flood, will overwhelm the TCP stack of a firewall or host. These days, it’s not a matter of if your table will overflow, it’s when. And what should be done about it?
F5’s TMOS and other defensive systems will trigger an algorithm called a sweeper to clean out (or evict) different table entries when the table starts to get full. But how should it choose? The oldest? The least busy? The slowest?
This hardcore AFM feature lets you define the methods that the flow table sweeper algorithm will employ when choosing which connections to kick out when the table approaches full. Like many of the other AFM anti-DDoS features, this one should be set based on the parameters of a current attack. If your site is getting hit with a slow-and-low attack, then let the Bias:Bytes method close all those slow connections. If you are getting weird connections from all over the globe, let the Low Priority:Geos method close connections originating from low-priority regions.
The flow table eviction policies can be applied on a per-virtual-server basis. This means that each virtual server can have its own max concurrent flow quota and can have a different behavior when that quota is approached.
Number 3: SSL Session Mirroring
Full SSL handshakes are computationally expensive. This is one of the reasons that enterprises use F5’s LTM as SSL decryption mechanisms. Suppose you are lucky enough to have a site with a lot of SSL traffic. What if something happens and your primary ADC stops receiving traffic and the secondary has to pick up all those active connections? You want the secondary to perform cheap resumption handshakes (based off a shared session ID cache) with all the clients instead of full handshakes.
You can now share SSL session ID caches across traffic groups so that failovers won’t cause massive spikes in full SSL handshakes.
The Local Traffic Manager (LTM) is the base module that does all the fundamental application delivery. It also hosts all the SSL decryption code, which makes it the strategic point of control in SSL for the majority of F5 customers.
Number 2: OCSP Stapling
The Achilles’ heel of the public key infrastructure has always been revocation, i.e. how can the system reject certificates that have been compromised? The Online Certificate Status Protocol (OCSP) was developed to solve this problem. Interested parties can query a special OCSP server for the real-time status of a certificate. Unfortunately, as Google’s Adam Langley explains in his blog, OCSP can work for private networks, but it is suboptimal at best for a global Internet solution.
OCSP Stapling is the tweak that might save the integrity of the system. LTM can now staple the certificate status into each SSL connection that it serves so that interested parties can assure themselves that the a certificate is still good.
Okay, we’ve covered 9 different hardcore features so far. I know you’re thinking how could there be anything more hardcore than OCSP Stapling? Before we reveal the number one most hardcore feature, let’s have a look back at those first nine:
The Top Ten Hardcore F5 Security Features in 11.6
|DNS Firewall Services
|Hardware DDoS integration for vCMP Guests
|Geo-location-based anomaly detection and mitigation
|Per-Request Access Policies
|User-Identity firewall capabilities
|Generic UDP Flood Vector
|Flow Table Sweeper Enhancements
|SSL Session Monitoring
|External Crypto Offloading
And the number one hardcore security feature of 11.6 is…
Number One: External Crypto Offloading
We don’t normally trash-talk competitors (we don’t have to). But Cloudflare’s recent “invention” of what they call “Keyless SSL” had a lot of us security professionals scratching our heads. F5 had been offloading crypto to external devices such as nCipher and Thales for almost two years already. So had Amazon. Everyone who really does global SSL already knew about this technology. Maybe they are out of touch over there at Cloudflare and just doing their own thing. That’s fine. I hope they don’t try to patent that stuff, because nCipher and Thales probably got there first, years and years ago. So Cloudflare, welcome to the party.
The concept is pretty simple: have one device, either on-premises or elsewhere, perform most SSL operations such as bulk decryption, but offload the private-key operations to another device. That other device can be a nCipher or Thales network-attached hardware security module (NetHSM devices) or it could be an F5 physical appliance stuffed with high-performance cryptographic chips.
You can now spin up cheap, fully-virtualized services that direct traffic but don’t need possession of a high-security key.
Brian McHenry would also put this feature near the top of his list. He says that external crypto offloading is “…incredibly innovative…. The applications for this technology are incredibly powerful for emerging hybrid architectures. It could enable a whole new wave of micro-architectures where SSL was previously a non-starter due to management and performance issues."
Several of the features almost made the Top Ten and deserve at least an honorable mention.
WAF CAPTCHA (ASM) – The World’s Best Web Application Firewall can now throw back a user challenge in the form of a CAPTCHA if it suspects that user of trying to brute force or Dos a service.
TLS Extension support for NPN and ALPN (LTM) – These two critical SSL/TLS extensions are now supported. Next Protocol Negotiation (NPN) and the Application Layer Protocol Negotiation (ALPN) help support Google’s SPDY protocol.
So there we are: a dozen hardcore security features in 11.6. If you feel inspired and want to learn more, download 11.6 today and start playing with it. See the 11.6 Release Notes for the complete list of security (and other) features and of course, stay hardcore.