on 11-Oct-2022 05:00
Beyond the easy task of TLS decryption and re-encryption at massive scale, SSL Orchestrator dynamically attaches decrypted flows to security devices through rich, policy-based traffic steering, and to a wide variety of security tools. Among those tools are any devices that are inline layer 2, inline layer 3, inline HTTP (proxy), ICAP/DLP, and passive tap, which covers the bulk of network security products today. Also among these are the integrations with other F5 security solutions. Official support for integrating F5 Secure Web Gateway into the decrypted service chain came in BIG-IP 16.1.0, and we’ve talked about the F5 Advanced WAF, F5 Advanced Firewall Manager, and SOCKS proxy integrations in other articles. In this article, I’m going to address an integration with the F5 Intrusion Prevention System (IPS).
IPS performs layer 5-7 inspection of all incoming traffic and protects more than 25 protocols and infrastructure applications against security incidents and exploits. IPS reviews traffic for adherence to protocol standards, matching against hundreds of known attack signatures. Now normally, you would deploy IPS as a function of Advanced Firewall Manager (AFM) on a BIG-IP application virtual. You could do this with or without decryption (with decryption if you want to capture application layer traffic), and for multiple protocols. But in an orchestrated security architecture, you can now layer in IPS with a full set of other tools, sending traffic flows to IPS when it’s needed, and around IPS when it’s not, for a fully layered, defense-in-depth security strategy. Let’s go see what that looks like!
To start, it’s important to understand that IPS works with lots of protocols. But specifically, it’s the set of decryptable TCP (and UDP) protocols that you’ll be concerned with here. In the following configuration, we will explore a method to integrate IPS for signature and compliance checking inside the decrypted SSL Orchestrator service chain.
Per the AFM Operations Guide (see reference below), protocol inspection requires specific licensing to enable the signature matching and compliance engines, and an optional signature subscription is available. BIG-IP AFM must be the base module to which other modules (BIG-IP LTM, SSLO, APM, AWF, and so on) are added. If BIG-IP AFM is the add-on, you must add a separate license specifically for Protocol Inspection.
This article doesn’t begin to explore everything F5 IPS can do. There are much better resources for that. The primary goal here is basically to turn it on and plug it into the SSL Orchestrator service chain. That can be done in the following simple steps.
Adding F5 IPS to the service chain is a simple maneuver involving manipulation of a TAP service configuration. You’re not creating an actual TAP service; you’re just using this configuration as the base for your IPS integration.
Leave everything else as-is, add the new service to a service chain, and deploy.
That’s it, you’ve completed the IPS integration. Depending on how you’ve configured your inspection profile you should start seeing traffic logs right away.
As previously mentioned, this article does not even attempt to dig into the fine art of Intrusion Prevention. But on the remote chance you’re new to IPS and want to test a somewhat contrived example, here’s something you can try.
Everything else can be left as-is. Click Save to capture these settings.
alert tcp any any -> any any (content:"ABC"; content:"EFG"; http_header;)
curl -vk https://www.example.com -H "ABC:1" -H "EFG:2"
With logging enabled and pointing to local Syslog, you can tail the LTM log while you’re testing:
tail -f /var/log/ltm
The request should be dropped/rejected, and you should see a log entry like the one below. This is an HTTP request from a local client to example.com.
Jun 29 11:17:23 sslo1 info tmm[18875]: 27590657 "Jun 29 2022 11:17:23","00027217000186a0","27590657","sslo1.f5labs.com","10.1.10.50","40836","93.184.216.34","443","_ifc_null","93.184.216.34","443","10.1.10.50","40836","_loopback","Unknown","US/Massachusetts","TCP","","0002404116787217","/Common/ssloS_IPS.app/ssloS_IPS-t-4","/Common/ips_test","","","100000","stew-test","medium","low","/Common/http","reject","486f73743a207777772e6578616d706c652e636f6d7c306430617c557365722d4167656e743a206375726c2f372e35382e307c306430617c4163636570743a202a2f2a7c306430617c4142433a317c306430617c454647","","474554202f20485454502f312e310d0a486f73743a207777772e6578616d706c652e636f6d0d0a557365722d4167656e743a206375726c2f372e35382e300d0a4163636570743a202a2f2a0d0a4142433a310d0a4546473a320d0a0d0a"
The gobbledygook at the end is the hexadecimal-encoded HTTP request, which you can plug into any online HEX-to-ASCII converter to decode. You can turn this off with the Log Packet Payload option in the logging profile.
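Rather than pasting the hex into a web converter, you can decode it locally. The following is an added example (not F5 code and not part of the article) that splits the log entry above into its quoted fields, decodes the trailing hex packet payload, expands the Snort-style |0d0a| pipe notation in the matched-content field, and checks which of the rule's content strings actually appear in the HTTP header block. The field positions (client address pair, action, profile, matched content, payload) are assumptions read off this one sample line, not a documented schema.

```python
import csv
import re
from io import StringIO

# The IPS log entry printed in the article, split across string literals only for
# readability; in /var/log/ltm it is one physical line.
SAMPLE_LOG = (
    'Jun 29 11:17:23 sslo1 info tmm[18875]: 27590657 '
    '"Jun 29 2022 11:17:23","00027217000186a0","27590657","sslo1.f5labs.com",'
    '"10.1.10.50","40836","93.184.216.34","443","_ifc_null","93.184.216.34","443",'
    '"10.1.10.50","40836","_loopback","Unknown","US/Massachusetts","TCP","",'
    '"0002404116787217","/Common/ssloS_IPS.app/ssloS_IPS-t-4","/Common/ips_test",'
    '"","","100000","stew-test","medium","low","/Common/http","reject",'
    '"486f73743a207777772e6578616d706c652e636f6d7c306430617c557365722d4167656e743a20'
    '6375726c2f372e35382e307c306430617c4163636570743a202a2f2a7c306430617c4142433a317c'
    '306430617c454647","",'
    '"474554202f20485454502f312e310d0a486f73743a207777772e6578616d706c652e636f6d0d0a'
    '557365722d4167656e743a206375726c2f372e35382e300d0a4163636570743a202a2f2a0d0a'
    '4142433a310d0a4546473a320d0a0d0a"'
)

# syslog prefix: "<ts> <host> <level> tmm[<pid>]: <flow id> <quoted csv fields>"
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\S+) '
    r'tmm\[(?P<pid>\d+)\]: (?P<flow>\d+) (?P<csv>".*)$'
)

# Snort-style pipe notation, e.g. "|0d 0a|" or "|0d0a|", embeds raw bytes in text
PIPE_HEX_RE = re.compile(r'\|([0-9a-fA-F ]+)\|')


def expand_pipe_hex(text):
    """Replace |hex| groups with the bytes they encode (latin-1 keeps every byte printable)."""
    return PIPE_HEX_RE.sub(lambda m: bytes.fromhex(m.group(1)).decode('latin-1'), text)


def hex_to_text(field):
    """Decode a hex-encoded log field; empty fields decode to an empty string."""
    return bytes.fromhex(field).decode('latin-1') if field else ''


def parse_ips_log(line):
    """Split an IPS log line into a dict with the hex fields decoded."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError('not an IPS log line')
    fields = next(csv.reader(StringIO(m.group('csv'))))
    return {
        'host': m.group('host'),
        'client': f'{fields[4]}:{fields[5]}',   # assumed: first address pair is the client
        'server': f'{fields[6]}:{fields[7]}',   # assumed: second pair is the destination
        'profile': fields[27],                  # assumed: inspection profile (/Common/http)
        'action': fields[28],                   # assumed: reject / drop / accept
        'matched': expand_pipe_hex(hex_to_text(fields[29])),  # assumed: matched content
        'payload': hex_to_text(fields[31]),     # the trailing hex is the packet payload
        'fields': fields,
    }


def contents_in_http_headers(payload, contents):
    """True if every content string appears in the request's header block.

    Mirrors what the rule above asks for: 'content' matches are plain substring
    matches, and 'http_header' restricts the match to the header block.
    """
    header_block = payload.split('\r\n\r\n', 1)[0]
    return all(c in header_block for c in contents)


if __name__ == '__main__':
    rec = parse_ips_log(SAMPLE_LOG)
    print(f"{rec['client']} -> {rec['server']} [{rec['profile']}] action={rec['action']}")
    print('matched:', repr(rec['matched']))
    print('payload:')
    print(rec['payload'])
    print('rule contents present:', contents_in_http_headers(rec['payload'], ('ABC', 'EFG')))
```

Run it against a line copied from the tail output and the last block printed is the plain HTTP request; the matched-content field decodes to the header region the signature fired on, with the CRLFs restored from the pipe notation.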
You don’t have to take my word for all of it, so here’s a great set of resources to better understand how to use F5 IPS in your environment.
It may go without saying, but since you’re already licensing AFM to enable IPS, you can also enable AFM in front of SSL Orchestrator as a network firewall to protect the BIG-IP appliance. See the following article for additional details: F5 Advanced Firewall Manager (AFM) integration.
In just a few short steps you should now be able to wield the full power of a world-class Intrusion Prevention System for signature and compliance checking of decrypted traffic, and do so with a fully integrated, better-together F5 solution. Pretty cool, yes? And if I haven’t expressed this enough, F5 IPS is extremely powerful. I urge you to spend some time in the AFM Operations Guide and F5 SNORT rule reference pages to get a better understanding of the full set of its capabilities. And with that, I hope you can see some of the immense versatility and power of an integrated SSL Orchestrator and F5 IPS solution. Thanks!