Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

F5 Hybrid Security Architectures (Part 4 - F5 XC BOT and DDoS Defense and BIG-IP Advanced WAF)

Cameron_Delano
F5 Employee
F5 Employee

on ‎04-Apr-2023 05:00 - edited on ‎06-Apr-2023 11:44 by Community Manager

Introduction

For those of you following along with the F5 Hybrid Security Architectures series, welcome back!  If this is your first foray into the series and would like some background, have a look at the intro article.  This series is using the F5 Hybrid Security Architectures GitHub repo and CI/CD platform to deploy F5 based hybrid security solutions based on DevSecOps principles.  This repo is a community supported effort to provide not only a demo and workshop, but also a stepping stone for utilizing these practices in your own F5 deployments.  If you find any bugs or have any enhancement requests, open an issue, or better yet contribute!

Here in our fourth example solution, we will be using Terraform to deploy an application server running the OWASP Juice Shop application serviced by a F5 BIG-IP Advanced WAF Virtual Edition.  We will supplement this with F5 Distributed Cloud Web App and API Protection to provide BOT and DDoS Defense at the Edge.  Everything will be tied together using GitHub Actions for CI/CD and Terraform Cloud to maintain state.

Distributed Cloud WAAP:  Available for SaaS-based deployments in a distributed environment that reduces operational overhead with an optional fully managed service.  

BIG-IP Advanced WAF:  Available for on-premises / data center and public or private cloud (virtual edition) deployment, for robust, high-performance web application and API security with granular, self-managed controls.

Bot Defense

The F5 Distributed Cloud Bot Defense is an advanced security add-on included with the F5 Web Application and API Protection (WAAP) service, providing seamless integration for real-time safeguarding of your web applications and APIs against a diverse range of attacks. This feature enables enterprises to benefit from advanced bot defense and sophisticated security monitoring to eliminate malicious traffic targeting user accounts, content scraping, and ad fraud.

DDoS Detection

F5 Distributed Cloud WAAP safeguards applications from volumetric L3-L7 DDoS attacks at the network edge, allowing the app to remain globally accessible while avoiding disruption to genuine customers. Additionally, the Distributed Cloud WAAP furnishes insights into both past and ongoing attacks that have been mitigated, empowering proactive measures to thwart malicious individuals.

Architecture - UC-4-detail.jpeg

XC WAF + BIG-IP Advanced WAF Workflow

GitHub Repo: 

F5 Hybrid Security Architectures

Prerequisites:

Assets:

  • xc: F5 Distributed Cloud WAAP
  • bigip: F5 BIG-IP Advanced WAF
  • infra: AWS Infrastructure (VPC, IGW, etc.)
  • juiceshop: OWASP Juice Shop test web application

Tools:

  • Cloud Provider: AWS
  • Infrastructure as Code: Terraform
  • Infrastructure as Code State: Terraform Cloud
  • CI/CD: GitHub Actions

Terraform Cloud:

Workspaces: Create a workspace for each asset in the workflow chosen

Workflow Workspaces
xcbot-bigip infra, bigip, juiceshop, xc

Workspace Sharing: Under the settings for each Workspace, set the Remote state sharing to share with each Workspace created.

Your Terraform Cloud console should resemble the following:

Screen Shot 2023-01-13 at 2.24.16 PM.png

Variable Set: Create a Variable Set with the following values.
IMPORTANT: Ensure sensitive values are appropriately marked.

  • AWS_ACCESS_KEY_ID: Your AWS Access Key ID - Environment Variable
  • AWS_SECRET_ACCESS_KEY: Your AWS Secret Access Key - Environment Variable
  • AWS_SESSION_TOKEN: Your AWS Session Token - Environment Variable
  • VOLT_API_P12_FILE: Your F5 XC API certificate. Set this to api.p12 - Environment Variable
  • VES_P12_PASSWORD: Set this to the password you supplied when creating your F5 XC API key. - Environment Variable
  • ssh_key: Your ssh key for access to created BIG-IP and compute assets. - Terrraform Variable
  • admin_src_addr:  The source address of your administrative workstation. - Terraform Variable
    Environment Variable
  • tf_cloud_organization: Your Terraform Cloud Organization name - Terraform Variable

Your Variable Set should resemble the following:

Screen Shot 2023-01-13 at 6.26.23 AM.png

GitHub:

Fork and Clone Repo: F5 Hybrid Security Architectures 

Screen Shot 2023-01-13 at 2.27.11 PM.png

Actions Secrets: Create the following GitHub Actions secrets in your forked repo

  • P12: The base64 encoded F5 XC API certificate
  • TF_API_TOKEN: Your Terraform Cloud API token
  • TF_CLOUD_ORGANIZATION: Your Terraform Cloud Organization
  • TF_CLOUD_WORKSPACE_workspace: Create for each workspace used in your workflow. EX: TF_CLOUD_WORKSPACE_BIGIP would be created with the value bigip

Your GitHub Actions Secrets should resemble the following:

Screen Shot 2023-01-13 at 6.38.29 AM.png

Deployment Workflow:

Step 1: Check out a branch for the deploy workflow using the following naming convention

  • xc-bigip deployment branch: deploy-xc-bigip 

Screen Shot 2023-01-17 at 8.11.37 AM.png

Step 2: Rename infra/terraform.tfvars.examples to infra/terraform.tfvars and add the following data

project_prefix = "Your project identifier"
resource_owner = "You"
aws_region = "Your AWS region" ex: us-west-1
azs = "Your AWS availability zones" ex: ["us-west-1a", "us-west-1b"]

Step 3: Rename bigip/terraform.tfvars.examples to bigip/terraform.tfvars and add the following data

f5_ami_search_name = "F5 BIGIP-16.1.3* PAYG-Adv WAF Plus 25Mbps*"
aws_secretmanager_auth = false
create_awaf_config = true
awaf_config_payload = "awaf-config.json"

Step 4: Rename xc/terraform.tfvars.examples to xc/terraform.tfvars, add the XC tenant data, and set the WAF, Bot, and DDoS feature flags to `true`.

#XC Tenant and Namespace
api_url = "https://<YOUR TENANT>.console.ves.volterra.io/api"
xc_namespace = "Your XC Namespace"
app_domain = "Your APP FQDN"

#XC WAF
xc_waf_blocking = true

#XC Bot Defense
xc_bot_def = true

#XC DDoS
xc_ddos_pro = true

Step 5: Git Add and Commit your changes

Screen Shot 2023-01-17 at 8.07.35 AM.png

Step 6: Push your deploy branch to the forked repo

Screen Shot 2023-01-17 at 8.12.17 AM.png

Step 7: Back in GitHub, navigate to the Actions tab of your forked repo and monitor your build

Screen Shot 2023-01-13 at 11.57.41 AM.png

Screenshot 2023-03-26 at 7.22.36 AM.png

Step 8: Once the pipeline completes, verify your assets were deployed to AWS and F5 XC
Note: Check the terraform outputs of the bigip job for the randomly generated password for BIG-IP GUI access

F5 BIG-IP Terraform Outputs:

Screen Shot 2023-01-17 at 1.43.38 PM.png

Step 9: Verify your app is available by navigating to the app domain FQDN you provided in the setup.
Note: The autocert process takes time. It may be 5 to 10 minutes before Let's Encrypt has provided the cert

Screenshot 2023-03-26 at 7.23.47 AM.png

F5 XC Terraform Outputs:

Screen Shot 2023-01-18 at 8.48.15 AM.png

Destroy Workflow:

Step 1: From your deploy branch, check out a new branch for the destroy workflow using the following naming convention

  • xc-bigip destroy branch: destroy-xc-bigip

Screen Shot 2023-01-17 at 8.11.58 AM.png

Step 2: Push your destroy branch to the forked repo

Screen Shot 2023-01-17 at 8.14.14 AM.png

Step 3: Back in GitHub, navigate to the Actions tab of your forked repo and monitor your workflow

Screen Shot 2023-01-13 at 11.57.41 AM.png

Screenshot 2023-03-26 at 7.29.17 AM.png

Step 4: Once the pipeline completes, verify your assets were destroyed in AWS and F5 XC

Screenshot 2023-03-26 at 7.28.35 AM.png

Conclusion

In this article we have shown how to utilize the F5 Hybrid Security Architectures GitHub repo and CI/CD pipeline to deploy a tiered security architecture utilizing F5 XC WAF and BIG-IP Advanced WAF to protect a test web application.  We applied advanced BOT and DDoS protection at the Edge and traditional Application Security next to our application.  While the code and security policies deployed are generic and not inclusive of all use-cases, they can be used as a steppingstone for deploying F5 based hybrid architectures in your own environments. 

As workloads are increasingly being deployed in various environments and application architectures, it has become vital for organizations to safeguard their critical applications, regardless of their deployment or architecture. It is equally essential to deploy these protections swiftly and flexibly, just like the applications they are protecting. By utilizing the F5 WAF portfolio in conjunction with DevSecOps principles, organizations can deploy and maintain industry-leading security without affecting the time-to-value of their applications.  Edge and Shift Left principles can coexist to offer a more efficient security solution.

Article Series:

F5 Hybrid Security Architectures (Intro - One WAF Engine, Total Flexibility)
F5 Hybrid Security Architectures (Part 1 - F5's Distributed Cloud WAF and BIG-IP Advanced WAF)
F5 Hybrid Security Architectures (Part 2 - F5's Distributed Cloud WAF and NGINX App Protect WAF) 
F5 Hybrid Security Architectures (Part 3 - F5 XC API Protection and NGINX Ingress Controller) 
F5 Hybrid Security Architectures (Part 4 - F5 XC BOT and DDoS Defense and BIG-IP Advanced WAF)

For further information or to get started:

  • F5 Distributed Cloud Platform (Link)
  • F5 Distributed Cloud WAAP Services (Link)
  • F5 Distributed Cloud WAAP YouTube series (Link)
  • F5 Distributed Cloud WAAP Get Started (Link)
Version history
Last update:
‎06-Apr-2023 11:44
Updated by:
Community Manager
Contributors
Copyright © 2023 Khoros, LLC