F5 Hybrid Security Architectures (Part 1 - F5's Distributed Cloud WAF and BIG-IP Advanced WAF)
Introduction
For those of you following along with the F5 Hybrid Security Architectures series, welcome back! If this is your first foray into the series and would like some background, have a look at the intro article. This series is using the F5 Hybrid Security Architectures GitHub repo and CI/CD platform to deploy F5 based hybrid security solutions based on DevSecOps principles. This repo is a community-supported effort to provide not only a demo and workshop, but also a stepping stone for using these practices in your own F5 deployments. If you find any bugs or have any enhancement requests, open an issue, or better yet, contribute!
Here in our first example solution, we will be using Terraform to deploy an application server running the OWASP Juice Shop application serviced by a F5 BIG-IP Advanced WAF Virtual Edition. We will supplement this with F5 Distributed Cloud Web App and API Protection to provide complimentary security at the edge. Everything will be tied together using GitHub Actions for CI/CD and Terraform Cloud to maintain state.
Distributed Cloud WAF: Available for SaaS-based deployments in a distributed environment that reduces operational overhead with an optional fully managed service.
BIG-IP Advanced WAF: Available for on-premises / data center and public or private cloud (virtual edition) deployment, for robust, high-performance web application, and API security with granular, self-managed controls.
XC WAF + BIG-IP Advanced WAF Workflow
GitHub Repo:
F5 Hybrid Security Architectures
Prerequisites:
- F5 Distributed Cloud Account (F5 XC)
- Create an F5 XC API certificate
- AWS Account — Due to the assets being created, a free tier will not work.
NOTE: You must be subscribed to the F5 BIG-IP AMI being used in the AWS Marketplace. - Terraform Cloud Account
- GitHub Account
Assets:
- xc: F5 Distributed Cloud WAAP
- bigip-base: F5 BIG-IP Base deployment
- bigip-awaf: F5 BIG-IP Advanced WAF config
- infra: AWS Infrastructure (VPC, IGW, etc.)
- juiceshop: OWASP Juice Shop test web application
Tools:
- Cloud Provider: AWS
- Infrastructure as Code: Terraform
- Infrastructure as Code State: Terraform Cloud
- CI/CD: GitHub Actions
Terraform Cloud:
Workspaces: Create a workspace for each asset in the workflow chosen
Workflow | Workspaces |
xc-bigip | infra, bigip-base, bigip-awaf, juiceshop, xc |
Workspace Sharing: Under the settings for each Workspace, set the Remote state sharing to share with each Workspace created.
Your Terraform Cloud console should resemble the following:
Variable Set: Create a Variable Set with the following values.
IMPORTANT: Ensure sensitive values are appropriately marked.
- AWS_ACCESS_KEY_ID: Your AWS Access Key ID - Environment Variable
- AWS_SECRET_ACCESS_KEY: Your AWS Secret Access Key - Environment Variable
- AWS_SESSION_TOKEN: Your AWS Session Token - Environment Variable
- VOLT_API_P12_FILE: Your F5 XC API certificate. Set this to api.p12 - Environment Variable
- VES_P12_PASSWORD: Set this to the password you supplied when creating your F5 XC API key. - Environment Variable
- ssh_key: Your ssh key for access to created BIG-IP and compute assets. - Terrraform Variable
- admin_src_addr: The source address of your administrative workstation. - Terraform Variable
Environment Variable - tf_cloud_organization: Your Terraform Cloud Organization name - Terraform Variable
Your Variable Set should resemble the following:
GitHub:
Fork and Clone Repo: F5 Hybrid Security Architectures
Actions Secrets: Create the following GitHub Actions secrets in your forked repo
- P12: The base64 encoded F5 XC API certificate
- TF_API_TOKEN: Your Terraform Cloud API token
- TF_CLOUD_ORGANIZATION: Your Terraform Cloud Organization
- TF_CLOUD_WORKSPACE_workspace: Create for each workspace used in your workflow. EX: TF_CLOUD_WORKSPACE_BIGIP_BASE would be created with the value bigip-base
Your GitHub Actions Secrets should resemble the following:
Terraform Local Variables:
Step 1: Rename infra/terraform.tfvars.examples to infra/terraform.tfvars and add the following data
project_prefix = "Your project identifier"
resource_owner = "You"
aws_region = "Your AWS region" ex: us-west-1
azs = "Your AWS availability zones" ex: ["us-west-1a", "us-west-1b"]
#Assets
nic = false
nap = false
bigip = true
bigip-cis = false
Step 2: Rename bigip-base/terraform.tfvars.examples to bigip-base/terraform.tfvars and add the following data
f5_ami_search_name = "F5 BIGIP-16.1.3* PAYG-Adv WAF Plus 25Mbps*"
aws_secretmanager_auth = false
#Provisioning set to nominal or none
asm = "nominal"
apm = "none"
Step 3: Rename bigip-awaf/terraform.tfvars.examples to bigip-awaf/terraform.tfvars and add the following data
awaf_config_payload = "awaf-config.json"
Step 4: Rename xc/terraform.tfvars.examples to xc/terraform.tfvars and add the following data
api_url = "https://<YOUR TENANT>.console.ves.volterra.io/api"
xc_tenant = "Your tenant id available in F5 XC Administration section Tenant Overview"
xc_namespace = "Your XC Namespace"
app_domain = "Your APP FQDN"
xc_waf_blocking = true
Step 4: Commit your changes
Deployment Workflow:
Step 1: Check out a branch for the deploy workflow using the following naming convention
- xc-bigip deployment branch: deploy-xc-bigip
Step 2: Push your deploy branch to the forked repo
Step 3: Back in GitHub, navigate to the Actions tab of your forked repo and monitor your build
Step 4: Once the pipeline completes, verify your assets were deployed to AWS and F5 XC
Note: Check the terraform outputs of the bigip-base job for the randomly generated password for BIG-IP GUI access
F5 BIG-IP Terraform Outputs:
Step 5: Verify your app is available by navigating to the app domain FQDN you provided in the setup.
Note: The autocert process takes time. It may be 5 to 10 minutes before Let's Encrypt has provided the cert
F5 XC Terraform Outputs:
Destroy Workflow:
Step 1: From your main branch, check out a new branch for the destroy workflow using the following naming convention
- xc-bigip destroy branch: destroy-xc-bigip
Step 2: Push your destroy branch to the forked repo
Step 3: Back in GitHub, navigate to the Actions tab of your forked repo and monitor your workflow
Step 4: Once the pipeline completes, verify your assets were destroyed in AWS and F5 XC
Conclusion
In this article, we have shown how to utilize the F5 Hybrid Security Architectures GitHub repo and CI/CD pipeline to deploy a tiered security architecture utilizing F5 XC WAF and BIG-IP Advanced WAF to protect a test web application. While the code and security policies deployed are generic and not inclusive of all use-cases, they can be used as a steppingstone for deploying F5 based hybrid architectures in your own environments.
Workloads are increasingly deployed across multiple diverse environments and application architectures. Organizations need the ability to protect their essential applications regardless of deployment or architecture circumstances. Equally important is the need to deploy these protections with the same flexibility and speed as the apps they protect. With the F5 WAF portfolio, coupled with DevSecOps principles, organizations can deploy and maintain industry-leading security without sacrificing the time to value of their applications. Not only can Edge and Shift Left principles exist together, but they can also work in harmony to provide a more effective security solution.
Article Series:
F5 Hybrid Security Architectures (Intro - One WAF Engine, Total Flexibility)
F5 Hybrid Security Architectures (Part 1 - F5's Distributed Cloud WAF and BIG-IP Advanced WAF)
F5 Hybrid Security Architectures (Part 2 - F5's Distributed Cloud WAF and NGINX App Protect WAF)
F5 Hybrid Security Architectures (Part 3 - F5 XC API Protection and NGINX Ingress Controller)
F5 Hybrid Security Architectures (Part 4 - F5 XC BOT and DDoS Defense and BIG-IP Advanced WAF)
F5 Hybrid Security Architectures (Part 5 - F5 XC, BIG-IP APM, CIS, and NGINX Ingress Controller)
For further information or to get started:
\