08-Mar-2023 05:00 - edited 04-Apr-2023 09:20
For those of you following along with the F5 Hybrid Security Architectures series, welcome back! If this is your first foray into the series and would like some background, have a look at the intro article. This series is using the F5 Hybrid Security Architectures GitHub repo and CI/CD platform to deploy F5 based hybrid security solutions based on DevSecOps principles. This repo is a community supported effort to provide not only a demo and workshop, but also a stepping stone for utilizing these practices in your own F5 deployments. If you find any bugs or have any enhancement requests, open a issue or better yet contribute!
APIs are an integral part of our daily routine, facilitating everything from critical to mundane tasks. From banking and ride-sharing apps to the weather updates we check before stepping out, APIs enable these functionalities. Given the sensitive nature of the data that can be exposed by unprotected APIs, the need for effective security cannot be stressed enough. With F5 Distributed Cloud Web App and API protection security teams can discover, inventory, and secure these critical APIs.
Here in this example solution, we will be using DevSecOps practices to deploy an AWS Elastic Kubernetes Service (EKS) cluster running the Arcadia Finance test web application serviced by F5 NGINX Ingress Controller. To secure our application and APIs, we will deploy F5 Distributed Cloud's Web App and API Protection service. This will provide us API Discovery and Security as well as a traditional Web Application Firewall and Malicious User Detection.
Distributed Cloud WAAP: Available for SaaS-based deployments and provides comprehensive security solutions designed to safeguard web applications and APIs from a wide range of cyber threats. This solution utilizes a distributed cloud architecture, which enables it to provide real-time protection and scale to meet the needs of large enterprises.
NIGNX Ingress Controller for Kubernetes: A lightweight software solution that helps manage app connectivity at the edge of a Kubernetes cluster by directing requests to the appropriate services and pods. It provides advanced load balancing, routing, identity, and security, as well as montioring and observability features.
Workspaces: Create a workspace for each asset in the workflow chosen
|xc-nic||infra, eks, nic, arcadia, xc|
Your Terraform Cloud console should resemble the following:
Variable Set: Create a Variable Set with the following values.
IMPORTANT: Ensure sensitive values are appropriately marked.
Your Variable Set should resemble the following:
Fork and Clone Repo: F5 Hybrid Security Architectures
Actions Secrets: Create the following GitHub Actions secrets in your forked repo
Your GitHub Actions Secrets should resemble the following:
Step 1: Check out a branch for the deploy workflow using the following naming convention
xc-nic deployment branch: deploy-xcapi-nic
Step 2: Rename infra/terraform.tfvars.examples to infra/terraform.tfvars and add the following data
project_prefix = "Your project identifier" resource_owner = "You" aws_region = "Your AWS region" ex: us-west-1 azs = "Your AWS availability zones" ex: ["us-west-1a", "us-west-1b"]
Step 3: Rename xc/terraform.tfvars.examples to xc/terraform.tfvars and add the following data
api_url = "https://<YOUR TENANT>.console.ves.volterra.io/api" xc_namespace = "Your XC Namespace" app_domain = "Your APP FQDN" xc_waf_blocking = true
Step 4: Modify line 16 in the .gitignore and comment out the *.tfvars line with # and save the file
Step 5: Commit your changes
Step 1: Push your deploy branch to the forked repo
Step 2: Back in GitHub, navigate to the Actions tab of your forked repo and monitor your build
Step 3: Once the pipeline completes, verify your assets were deployed to AWS and F5 XC
Step 4: Check your Terraform Outputs for XC and verify your app is available by navigating to the FQDN
After leaving the Arcadia Finance test app deployed for a while we can start to see the API graph form. The F5 XC WAAP platform learns the schema structure of the API by analyzing sampled request data, then reverse-engineering the schema to generates an OpenAPI spec. The platform validates what is deploy versus what is discovered and tags any Shadow APIs that are found.
We can also check the dashboards for any attacks that may have occurred while we were waiting for discovery to finish. The internet being what it is, it didn't take long for the platform to protect us against some attacks.
Step 1: From your deployment branch check out a branch for the destroy workflow using the following naming convention
xc-nic destroy branch: destroy-xcapi-nic
Step 2: Push your destroy branch to the forked repo
Step 3: Back in GitHub, navigate to the Actions tab of your forked repo and monitor your build
Step 4: Once the pipeline completes, verify your assets were destroyed
In this article we have shown how to utilize the F5 Hybrid Security Architectures GitHub repo and CI/CD pipeline to deploy a tiered security architecture utilizing F5 XC WAAP and NGINX Ingress Controller to protect a test API running in AWS EKS. While the code and security policies deployed are generic and not inclusive of all use-cases, they can be used as a steppingstone for deploying F5 based hybrid architectures in your own environments.
Workloads are increasingly deployed across multiple diverse environments and application architectures. Organizations need the ability to protect their essential applications regardless of deployment or architecture circumstances. Equally important is the need to deploy these protections with the same flexibility and speed as the apps they protect. With the F5 WAF portfolio, coupled with DevSecOps principles, organizations can deploy and maintain industry-leading security without sacrificing the time to value of their applications. Not only can Edge and Shift Left principles exist together, but they can also work in harmony to provide a more effective security solution.
F5 Hybrid Security Architectures (Intro - One WAF Engine, Total Flexibility)
F5 Hybrid Security Architectures (Part 1 - F5's Distributed Cloud WAF and BIG-IP Advanced WAF)
F5 Hybrid Security Architectures (Part 2 - F5's Distributed Cloud WAF and NGINX App Protect WAF)
F5 Hybrid Security Architectures (Part 3 - F5 XC API Protection and NGINX Ingress Controller)
F5 Hybrid Security Architectures (Part 4 - F5 XC BOT and DDoS Defense and BIG-IP Advanced WAF)
For further information or to get started: