Zero Trust - Making use of a Powerful Identity Aware Proxy (Hands on lab)

Introduction

Securing the traditional network perimeter (a.k.a., the moat and castle approach) is no longer sufficient. With the rise of applications being deployed in multi-clouds and the growing mobile workforce, the network perimeter has all but disappeared.
Zero Trust eliminates the idea of a trusted network inside a defined perimeter. Today, you must apply least-privilege user access and scrutinize it as much as possible, assume attackers are already on the network and hiding in it, and get more context and visibility from the control points.
The Zero Trust axiom is, “Never trust, always verify.” Never trust users, even if they’ve already been authenticated, authorized, and granted access to applications and resources. Always verify and scrutinize user identity, device type and integrity, location, the applications and resources to which access is being requested, and more.

F5 adds value and delivers key components you will need to deploy a comprehensive Zero Trust approach. With our robust application security portfolio and the ability to secure the new control points in a Zero Trust environment, F5 provides you with the building blocks necessary to address a “Never trust, always verify” approach to securing today’s applications, and also adds a third principle to Zero Trust: “Continuously monitor.”
From F5’s perspective, these are the four control points that you need to secure:
- The endpoints accessing applications.
- The applications (regardless if they are native cloud or SaaS apps, or classic and custom applications).
- The identity service.
- The network infrastructure.

In this article we will walk through a UDF lab to see how we can apply the principles of Zero Trust using the F5 BIG-IP APM Identity Aware Proxy.

The UDF lab can be accessed through this link: https://udf.f5.com/b/c1e56048-dac7-4fa8-9ae5-667f1a3970da#documentation

For more use cases, see the detailed CloudDocs lab series: https://clouddocs.f5.com/training/community/iam/html/class2/module1/lab01.html

A YouTube walkthrough video that uses the Application Group concept is also available: https://www.youtube.com/watch?v=LUWvHkchlSY

An integration of F5 BIG-IP APM with CrowdStrike Falcon, which brings User and Identity Behavior Analysis (UEBA) into the F5 Identity Aware Proxy to provide an enhanced view of endpoint posture, by J_McInnes: https://community.f5.com/t5/technical-articles/zero-trust-access-with-f5-identity-aware-proxy-and-crowdstrike/ta-p/292615

Guided Configuration settings

Using Guided Configuration simplifies the setup of the Identity Aware Proxy by letting us create the required components in the following sections.

Config. Properties

Device Posture

- CA Trust Certificate: the certificate used to sign the posture data that F5 Access Guard sends to F5 BIG-IP APM.

Virtual Server Settings

User Identity

Authentication settings

In this lab, the AD servers were created separately, outside Guided Configuration, and added later. Alternatively, the AD server can be created from within the Guided Configuration window.

Multi-Factor Authentication (MFA)

Select one of the MFA options below; in our case we go with the custom RADIUS-based option.

Below are the custom RADIUS settings for our MFA setup.

Single Sign-On Settings

Applications

Under the Applications section we set two values:
- Authentication FQDN: the domain to which users are directed for the user identity step.
- Application FQDN, along with the pool members where the service is hosted.

Webtop settings

Specify Authentication and MFA pointers for webtop setup.

Contextual Access properties

This section can be broken into three areas:

- Rule properties, where we specify the rules applied for authentication, single sign-on and the device posture check.

- Assign user groups

- Additional checks

Select the action that adds the MFA step to the flow.

Customization Properties

Here we set up the GUI settings, policies and remediation settings.

Session Management settings

Summary

Check the summary and deploy.

User Testing

- Once the user enters https://basic.acme.com in the web browser, they are redirected to iap1.acme.com to enforce authentication and MFA.

- Once the user passes authentication / MFA successfully, they are directed to the application.


- Now we turn the firewall off. The device posture check receives an update from F5 Access Guard and, based on that, blocks the incoming requests.
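The three User Testing steps above, modeled as a per-request access decision. This is an added Python illustration, not BIG-IP APM code or its per-request policy; the posture freshness limit, the `signature_ok` flag (standing in for verification against the CA Trust Certificate) and the timestamps are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

AUTH_FQDN = "iap1.acme.com"   # Authentication FQDN used in the lab
APP_FQDN = "basic.acme.com"   # Application FQDN used in the lab
POSTURE_MAX_AGE = 60.0        # seconds; assumed value, not a lab setting

@dataclass
class Posture:
    """One device posture report relayed by F5 Access Guard (constructed)."""
    received_at: float   # when the report was received (epoch seconds)
    signature_ok: bool   # assumed result of checking the report's signature
    firewall_on: bool    # the posture attribute the lab toggles

@dataclass
class Session:
    authenticated: bool = False
    mfa_passed: bool = False
    posture: Optional[Posture] = None

def evaluate(session: Session, host: str, now: float) -> Tuple[str, str]:
    """Per-request decision: ('redirect', url), ('allow', host) or ('deny', reason).
    Evaluated on every request, so a posture change mid-session is acted on at once."""
    if host != APP_FQDN:
        return ("deny", "unknown application")
    # Identity step: no completed AD login plus MFA means a redirect to the IAP.
    if not (session.authenticated and session.mfa_passed):
        return ("redirect", f"https://{AUTH_FQDN}/")
    # Device step: only a signed, fresh report counts; missing data is a deny.
    p = session.posture
    if p is None or not p.signature_ok:
        return ("deny", "no trusted posture report")
    if now - p.received_at > POSTURE_MAX_AGE:
        return ("deny", "posture report stale")
    if not p.firewall_on:
        return ("deny", "endpoint firewall off")
    return ("allow", host)

def lab_walkthrough() -> list:
    """Replays the three User Testing steps with constructed inputs."""
    s = Session()
    steps = [evaluate(s, APP_FQDN, 1000.0)]                          # step 1: redirect
    s.authenticated = s.mfa_passed = True
    s.posture = Posture(received_at=1000.0, signature_ok=True, firewall_on=True)
    steps.append(evaluate(s, APP_FQDN, 1005.0))                      # step 2: allow
    s.posture = Posture(received_at=1030.0, signature_ok=True, firewall_on=False)
    steps.append(evaluate(s, APP_FQDN, 1031.0))                      # step 3: deny
    return steps
```

Note that an absent or unverified posture report is treated as a deny, not as "unknown, so allow"; that is the "always verify" part of the flow.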


Updated Oct 27, 2022
Version 3.0