Secure Your Epic Applications in a Flash with F5 FAST Templates & Declarative AWAF Policies

Introduction:

Epic Systems offer a variety of applications for the healthcare industry which play a critical role in patient care, operations, and revenue management. These applications have complex configurations making their management and scaling operations challenging, time-consuming, and prone to errors. These applications also require robust security to protect them from the ever-growing threat landscape of cyberattacks. F5 BIG-IP can help address these challenges by providing advanced security and enabling automation.F5 customers can leverage FAST templates to configure WAF policies to protect Epic applications from security vulnerabilities. The configuration abstraction provided by FAST templates also enables more straightforward automation leading to better management and scaling. This blog post will explore how to use FAST templates to configure F5 BIG-IP Advanced WAF and protect Epic applications.

F5 Application Services Templates (FAST) are pre-built configurations that automate the deployment and management of F5 BIG-IP services, such as load balancing, SSL offloading, and more. These templates are designed to simplify the process of deploying and managing applications on the BIG-IP.

F5 Application Services Templates and their Benefits

F5 Application Services Templates (FAST) are pre-built configurations that automate the deployment and management of F5 BIG-IP services, such as load balancing, SSL offloading, and more. These templates are designed to simplify the process of deploying and managing applications on the BIG-IP.

Some of the benefits of using FAST:

Standardization: Templates are built to follow best practices and standards, enabling organizations to ensure their applications are deployed with a consistent and secure configuration.

 Consistent configuration: Standardization leads to consistency of configuration across multi-cloud applications. Meaning less configuration drift and improved security and compliance.

Reusability: Templates can be customized and reused across different applications, reducing the time and effort required for each deployment.

Faster deployment: FAST enables faster deployment of applications by automating the configuration process, eliminating the need for multiple configuration calls, and reducing the likelihood of errors.

Overall, FAST provides an efficient and consistent way to automate BIG-IP configuration and management, reducing the time and effort required for application deployment and improving security and compliance. You can read more about FAST here.

What's Under the Hood?

Take a look at this sample FAST  template. It's a YAML file that includes various objects, some of which are templatized. When configuring a BIG-IP using this template, only the templatized objects are exposed to the user. This helps ensure that the configuration follows best practices and is consistent across applications, while also simplifying the deployment process.

 title: Epic Interconnect_VS_HTTPS_BackGround
description: template description BackGround
parameters:
  tenant_name: EPIC_InterConnect_VS_BackGround
  virtualAddress: 12.0.0.201
  virtualAddressHS_Events: 12.0.0.203
  server_addresses:
    - 12.1.1.20
    - 12.1.1.21
  service_port: 80
  certificate: default.crt
  privatekey: default.key
  instanceWebsiteName: InstanceWebsiteName
  iCWebsiteName: ICWebsiteName
definitions: 
  tenant_name:
    title: Tenant Name
    type: string
    description: partition on bigip
  virtualAddress:
    title: Virtual Address for BackGround
    description: IP addresses of virtual addresses BackGround

template: | 
  {
    "class": "ADC",
    "schemaVersion": "3.21.0",
    "id": "urn:uuid:6fddcf2d-cf22-48f8-99c0-e8b2ce348f1b",
    "label": "Declaration for InterConnect App",
    "remark": "This is for InterConnect Apps",
    "{{tenant_name}}": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "Interconnect_Pool_HTTPS_BackGround": {
                "loadBalancingMode": "least-connections-member",
                "minimumMonitors": "all",
                "members": [
                    {
                        "addressDiscovery": "static",
                        "servicePort": {{service_port}},
                        "serverAddresses": {{server_addresses::array}},
                        "shareNodes": true
                    }
 ],
                "monitors": [
                    {
                        "use": "Interconnect_Health_HTTPS"
                    },
                    {
                        "use": "Epic_HealthRDS_HTTPS"
                    }
                ],
                "class": "Pool"
            },
            "EPIC_InterConnect_WAF": {
             "class": "WAF_Policy",
             "url": "https://raw.githubusercontent.com/f5businessdevelopment/bd_epic/main/InterConnect/Common_epic-basic.xml?token=GHSAT0AAAAAAB6FM64TZNXCFGZ566TPCH6KY7NFOCA",
             "ignoreChanges": true
            },
..... truncated

In the above template, the templatized variables in {{}} are exposed when the FAST template is rendered. The complete template can be found here

By using templatized objects, we can take advantage of the benefits of FAST templates, such as modular and structured configurations, efficient deployment, and easy management. This approach helps to reduce errors and inconsistencies, while also providing a more streamlined and scalable solution for managing applications on the BIG-IP.

How to Deploy a FAST Template on Your BIG-IP: Step-by-Step?

Now that we have a YAML template that's been templatized, let's walk through the steps needed to deploy it on your BIG-IP.

• Compress or Zip the YAML template and import it on the BIG-IP
• Navigate to Application Services -->  Application LX --> Add Template Set From
• Select and click on the newly added template.
• Provide the required parameters and render the template.

Provide details like Tenant Name, Virtual Server, Pool Members etc. as per your requirements. Once done you can deploy the template by clicking the deploy tab on the top right.

Rendering FAST template

With a FAST template, many configuration objects are automatically configured and don’t require user interaction. Instead, only certain parameters - such as virtual servers, pool members, and other custom-exposed objects - need to be populated

Because all objects within the FAST template are tenant/partition-specific, it's possible to delete them without leaving behind any residual configuration and won’t impact any other BIG-IP partitions

Use Terraform script to deploy FAST templates

You can also deploy the FAST templates using Tools like Terraform and Ansible.  Below is an example of Terraform TF file which can be used to deploy a FAST template.

terraform {
  required_providers {
    bigip = {
      source  = "F5Networks/bigip"
      version = "1.15.1"
    }
  }
}
provider "bigip" {
  address  = "https://${var.address}:${var.port}"
  username = var.username
  password = var.password
}

# generate zip file

data "archive_file" "template_zip" {
  type        = "zip"
  source_file = "../interConnectBackGround_WAF/interConnectBackGround_WAF.yaml"
  output_path = "../interConnectBackGround_WAF/interConnectBackGround_WAF.zip"
}

# deploy fast template

resource "bigip_fast_template" "interConnectBackGround_WAF" {
  name = "interConnectBackGround_WAF"
  source = "../interConnectBackGround_WAF/interConnectBackGround_WAF.zip"
  md5_hash = filemd5("../interConnectBackGround_WAF/interConnectBackGround_WAF.zip")
  depends_on = [data.archive_file.template_zip]
}

resource "bigip_fast_application" "InterConnect_WAF" {
  template        = "interConnectBackGround_WAF/interConnectBackGround_WAF"
  fast_json = <<EOF
{
      "tenant_name": "EPIC_AWAF",
      "virtualAddress": "12.0.0.201",
      "virtualAddressHS_Events": "12.0.0.203"
      "server_addresses": ["12.1.1.20","12.1.1.21"],
      "service_port": "80"
}
EOF
  depends_on = [bigip_fast_template.InterConnect_WAF]
}

 

 

FAST Templates and Declarative AWAF Policies: A Dynamic Duo for Protecting Epic Apps!

AWAF (Advanced Web Application Firewall) policies are pre-built configurations that can be used to protect web applications from a range of common security threats, including SQL injection, cross-site scripting (XSS), and more.  AWAF policies can be customized to suit the specific needs of an organization and are designed to be easily deployed and managed on the F5 BIG-IP.

Some of the benefits of using AWAF policies to protect Epic software include the following:

Comprehensive protection: AWAF policies provide comprehensive protection against a range of common web application security threats, enabling organizations to minimize the risk of data breaches, unauthorized access, and other security incidents.

Customization: AWAF policies can be customized to suit the specific needs of an organization, allowing for fine-grained control over the security posture of Epic applications.

Automation: AWAF policies can be integrated with other automation tools, such as FAST templates, to enable automated deployment and management of web application security.

Centralized management: AWAF policies can be managed centrally enabling organizations to maintain a consistent security posture across their Epic applications.

F5's Advanced Web Application Firewall (AWAF) is an ideal solution to protect Epic applications such as EMR, EpicCare, MyChart, Epic Optime, and Radiant. AWAF provides comprehensive security coverage against various threats, including application-layer attacks, such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities. AWAF also includes advanced threat intelligence, machine learning, and behavioral analytics to detect and mitigate attacks in real time. With a declarative AWAF, administrators can easily create and manage WAF policies to protect their Epic applications from threats, without compromising performance or availability.

Declarative AWAF Policy

Note: We are currently in the process of validating this WAF policy with ALL Epic Applications. If you require assistance in deploying the WAF policy, please feel free to contact us.

An example of declarative AWAF policy is shown below, for the complete policy click here

{
   "policy" : {
      "antivirus" : {
         "inspectHttpUploads" : false
      },
      "applicationLanguage" : "utf-8",
      "behavioral-enforcement" : {
         "behavioralEnforcementViolations" : [
            {
               "name" : "VIOL_CONVICTION"
            },
            {
               "name" : "VIOL_THREAT_ANALYSIS"
            },
            {
               "name" : "VIOL_BLOCKING_CONDITION"
            },
            {
               "name" : "VIOL_THREAT_CAMPAIGN"
            },
            {
               "name" : "VIOL_BLACKLISTED_IP"
            },
            {
               "name" : "VIOL_FILETYPE"
            },
            {
               "name" : "VIOL_URL"
            },
            {
               "name" : "VIOL_GEOLOCATION"
            }
         ],
... 
  "brute-force-attack-preventions" : [
         {
            "bruteForceProtectionForAllLoginPages" : false,
            "captchaBypassCriteria" : {
               "action" : "alarm-and-drop",
               "enabled" : true,
               "threshold" : 5
            },
            "clientSideIntegrityBypassCriteria" : {
               "action" : "alarm-and-captcha",
               "enabled" : true,
               "threshold" : 3
            },
            "detectionCriteria" : {
               "action" : "alarm-and-captcha",
               "credentialsStuffingMatchesReached" : 100,
               "detectCredentialsStuffingAttack" : false,
               "detectDistributedBruteForceAttack" : true,
               "failedLoginAttemptsRateReached" : 100
            },
.... truncated

Conclusion:

FAST templates and declarative AWAF policies can greatly simplify the deployment and management of critical applications like those in the Epic software suite. With the ability to quickly and easily templatize common configurations, administrators can take advantage of best practices and rapidly deploy new applications with minimal effort. 

The added layer of protection provided by AWAF policies can also help safeguard these applications against common web-based attacks, keeping sensitive patient information secure. By combining these two powerful tools, healthcare organizations can achieve a more efficient, secure, and effective application deployment process.

Whether you are a healthcare provider, a software developer, or an IT administrator; consider using FAST templates and AWAF policies to take your application deployment to the next level.