Secure Your Epic Applications in a Flash with F5 FAST Templates & Declarative AWAF Policies
Introduction:
Epic Systems offer a variety of applications for the healthcare industry which play a critical role in patient care, operations, and revenue management. These applications have complex configurations making their management and scaling operations challenging, time-consuming, and prone to errors. These applications also require robust security to protect them from the ever-growing threat landscape of cyberattacks. F5 BIG-IP can help address these challenges by providing advanced security and enabling automation.F5 customers can leverage FAST templates to configure WAF policies to protect Epic applications from security vulnerabilities. The configuration abstraction provided by FAST templates also enables more straightforward automation leading to better management and scaling. This blog post will explore how to use FAST templates to configure F5 BIG-IP Advanced WAF and protect Epic applications.
F5 Application Services Templates (FAST) are pre-built configurations that automate the deployment and management of F5 BIG-IP services, such as load balancing, SSL offloading, and more. These templates are designed to simplify the process of deploying and managing applications on the BIG-IP.
F5 Application Services Templates and their Benefits
F5 Application Services Templates (FAST) are pre-built configurations that automate the deployment and management of F5 BIG-IP services, such as load balancing, SSL offloading, and more. These templates are designed to simplify the process of deploying and managing applications on the BIG-IP.
Some of the benefits of using FAST:
Standardization: Templates are built to follow best practices and standards, enabling organizations to ensure their applications are deployed with a consistent and secure configuration.
Consistent configuration: Standardization leads to consistency of configuration across multi-cloud applications. Meaning less configuration drift and improved security and compliance.
Reusability: Templates can be customized and reused across different applications, reducing the time and effort required for each deployment.
Faster deployment: FAST enables faster deployment of applications by automating the configuration process, eliminating the need for multiple configuration calls, and reducing the likelihood of errors.
Overall, FAST provides an efficient and consistent way to automate BIG-IP configuration and management, reducing the time and effort required for application deployment and improving security and compliance. You can read more about FAST here.
What's Under the Hood?
Take a look at this sample FAST template. It's a YAML file that includes various objects, some of which are templatized. When configuring a BIG-IP using this template, only the templatized objects are exposed to the user. This helps ensure that the configuration follows best practices and is consistent across applications, while also simplifying the deployment process.
title: Epic Interconnect_VS_HTTPS_BackGround
description: template description BackGround
parameters:
tenant_name: EPIC_InterConnect_VS_BackGround
virtualAddress: 12.0.0.201
virtualAddressHS_Events: 12.0.0.203
server_addresses:
- 12.1.1.20
- 12.1.1.21
service_port: 80
certificate: default.crt
privatekey: default.key
instanceWebsiteName: InstanceWebsiteName
iCWebsiteName: ICWebsiteName
definitions:
tenant_name:
title: Tenant Name
type: string
description: partition on bigip
virtualAddress:
title: Virtual Address for BackGround
description: IP addresses of virtual addresses BackGround
template: |
{
"class": "ADC",
"schemaVersion": "3.21.0",
"id": "urn:uuid:6fddcf2d-cf22-48f8-99c0-e8b2ce348f1b",
"label": "Declaration for InterConnect App",
"remark": "This is for InterConnect Apps",
"{{tenant_name}}": {
"class": "Tenant",
"Shared": {
"class": "Application",
"template": "shared",
"Interconnect_Pool_HTTPS_BackGround": {
"loadBalancingMode": "least-connections-member",
"minimumMonitors": "all",
"members": [
{
"addressDiscovery": "static",
"servicePort": {{service_port}},
"serverAddresses": {{server_addresses::array}},
"shareNodes": true
}
],
"monitors": [
{
"use": "Interconnect_Health_HTTPS"
},
{
"use": "Epic_HealthRDS_HTTPS"
}
],
"class": "Pool"
},
"EPIC_InterConnect_WAF": {
"class": "WAF_Policy",
"url": "https://raw.githubusercontent.com/f5businessdevelopment/bd_epic/main/InterConnect/Common_epic-basic.xml?token=GHSAT0AAAAAAB6FM64TZNXCFGZ566TPCH6KY7NFOCA",
"ignoreChanges": true
},
..... truncatedIn the above template, the templatized variables in {{}} are exposed when the FAST template is rendered. The complete template can be found here
| Object | Description |
| {{tenant_name}} | Exposes the BIG-IP Partition to be configured for application |
| {{service_port}} | Exposes the pool member application port |
| {{service_addresses::array}} | Option to add the pool member IP addresses |
| EPIC_InterConnect_WAF | Name of the AWAF |
By using templatized objects, we can take advantage of the benefits of FAST templates, such as modular and structured configurations, efficient deployment, and easy management. This approach helps to reduce errors and inconsistencies, while also providing a more streamlined and scalable solution for managing applications on the BIG-IP.
How to Deploy a FAST Template on Your BIG-IP: Step-by-Step?
Now that we have a YAML template that's been templatized, let's walk through the steps needed to deploy it on your BIG-IP.
- Compress or Zip the YAML template and import it on the BIG-IP
- Navigate to Application Services --> Application LX --> Add Template Set From
- Select and click on the newly added template.
- Provide the required parameters and render the template.
Provide details like Tenant Name, Virtual Server, Pool Members etc. as per your requirements. Once done you can deploy the template by clicking the deploy tab on the top right.
Rendering FAST templateWith a FAST template, many configuration objects are automatically configured and don’t require user interaction. Instead, only certain parameters - such as virtual servers, pool members, and other custom-exposed objects - need to be populated
Because all objects within the FAST template are tenant/partition-specific, it's possible to delete them without leaving behind any residual configuration and won’t impact any other BIG-IP partitions
Use Terraform script to deploy FAST templates
You can also deploy the FAST templates using Tools like Terraform and Ansible. Below is an example of Terraform TF file which can be used to deploy a FAST template.
terraform {
required_providers {
bigip = {
source = "F5Networks/bigip"
version = "1.15.1"
}
}
}
provider "bigip" {
address = "https://${var.address}:${var.port}"
username = var.username
password = var.password
}
# generate zip file
data "archive_file" "template_zip" {
type = "zip"
source_file = "../interConnectBackGround_WAF/interConnectBackGround_WAF.yaml"
output_path = "../interConnectBackGround_WAF/interConnectBackGround_WAF.zip"
}
# deploy fast template
resource "bigip_fast_template" "interConnectBackGround_WAF" {
name = "interConnectBackGround_WAF"
source = "../interConnectBackGround_WAF/interConnectBackGround_WAF.zip"
md5_hash = filemd5("../interConnectBackGround_WAF/interConnectBackGround_WAF.zip")
depends_on = [data.archive_file.template_zip]
}
resource "bigip_fast_application" "InterConnect_WAF" {
template = "interConnectBackGround_WAF/interConnectBackGround_WAF"
fast_json = <<EOF
{
"tenant_name": "EPIC_AWAF",
"virtualAddress": "12.0.0.201",
"virtualAddressHS_Events": "12.0.0.203"
"server_addresses": ["12.1.1.20","12.1.1.21"],
"service_port": "80"
}
EOF
depends_on = [bigip_fast_template.InterConnect_WAF]
}
| Terraform Resource | Description |
|
Provider bigip |
Terraform provider for BIG-IP |
|
data “archive_file” |
Compress YAML template |
|
Resource “bigip_fast_template” |
Import FAST template on BIG-IP |
|
Resource “bigip_fast_application” |
Render application objects using FAST template |
FAST Templates and Declarative AWAF Policies: A Dynamic Duo for Protecting Epic Apps!
AWAF (Advanced Web Application Firewall) policies are pre-built configurations that can be used to protect web applications from a range of common security threats, including SQL injection, cross-site scripting (XSS), and more. AWAF policies can be customized to suit the specific needs of an organization and are designed to be easily deployed and managed on the F5 BIG-IP.
Some of the benefits of using AWAF policies to protect Epic software include the following:
Comprehensive protection: AWAF policies provide comprehensive protection against a range of common web application security threats, enabling organizations to minimize the risk of data breaches, unauthorized access, and other security incidents.
Customization: AWAF policies can be customized to suit the specific needs of an organization, allowing for fine-grained control over the security posture of Epic applications.
Automation: AWAF policies can be integrated with other automation tools, such as FAST templates, to enable automated deployment and management of web application security.
Centralized management: AWAF policies can be managed centrally enabling organizations to maintain a consistent security posture across their Epic applications.
F5's Advanced Web Application Firewall (AWAF) is an ideal solution to protect Epic applications such as EMR, EpicCare, MyChart, Epic Optime, and Radiant. AWAF provides comprehensive security coverage against various threats, including application-layer attacks, such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities. AWAF also includes advanced threat intelligence, machine learning, and behavioral analytics to detect and mitigate attacks in real time. With a declarative AWAF, administrators can easily create and manage WAF policies to protect their Epic applications from threats, without compromising performance or availability.
Declarative AWAF Policy
Note: We are currently in the process of validating this WAF policy with ALL Epic Applications. If you require assistance in deploying the WAF policy, please feel free to contact us.
An example of declarative AWAF policy is shown below, for the complete policy click here
{
"policy" : {
"antivirus" : {
"inspectHttpUploads" : false
},
"applicationLanguage" : "utf-8",
"behavioral-enforcement" : {
"behavioralEnforcementViolations" : [
{
"name" : "VIOL_CONVICTION"
},
{
"name" : "VIOL_THREAT_ANALYSIS"
},
{
"name" : "VIOL_BLOCKING_CONDITION"
},
{
"name" : "VIOL_THREAT_CAMPAIGN"
},
{
"name" : "VIOL_BLACKLISTED_IP"
},
{
"name" : "VIOL_FILETYPE"
},
{
"name" : "VIOL_URL"
},
{
"name" : "VIOL_GEOLOCATION"
}
],
...
"brute-force-attack-preventions" : [
{
"bruteForceProtectionForAllLoginPages" : false,
"captchaBypassCriteria" : {
"action" : "alarm-and-drop",
"enabled" : true,
"threshold" : 5
},
"clientSideIntegrityBypassCriteria" : {
"action" : "alarm-and-captcha",
"enabled" : true,
"threshold" : 3
},
"detectionCriteria" : {
"action" : "alarm-and-captcha",
"credentialsStuffingMatchesReached" : 100,
"detectCredentialsStuffingAttack" : false,
"detectDistributedBruteForceAttack" : true,
"failedLoginAttemptsRateReached" : 100
},
.... truncatedConclusion:
FAST templates and declarative AWAF policies can greatly simplify the deployment and management of critical applications like those in the Epic software suite. With the ability to quickly and easily templatize common configurations, administrators can take advantage of best practices and rapidly deploy new applications with minimal effort.
The added layer of protection provided by AWAF policies can also help safeguard these applications against common web-based attacks, keeping sensitive patient information secure. By combining these two powerful tools, healthcare organizations can achieve a more efficient, secure, and effective application deployment process.
Whether you are a healthcare provider, a software developer, or an IT administrator; consider using FAST templates and AWAF policies to take your application deployment to the next level.