Technical Articles
F5 SMEs share good practice.
momahdy
F5 Employee

Introduction

Securing the traditional network perimeter (a.k.a., the moat and castle approach) is no longer sufficient. With the rise of applications being deployed in multi-clouds and the growing mobile workforce, the network perimeter has all but disappeared.
Zero Trust eliminates the idea of a trusted network inside a defined perimeter. Today, you must apply least-privilege user access and scrutinize it as much as possible, assume attackers are already on the network and hiding in it, and get more context and visibility from the control points.
The Zero Trust axiom is, “Never trust, always verify.” Never trust users, even if they’ve already been authenticated, authorized, and granted access to applications and resources. Always verify and scrutinize user identity, device type and integrity, location, the applications and resources to which access is being requested, and more.

mmahdy_24-1664630371227.png

F5 does add value and delivers key components you will need in deploying a comprehensive Zero Trust approach. With our robust application security portfolio and ability to secure the new control points in a Zero Trust environment, F5 provides you with the building blocks necessary to address a “Never trust, always verify” approach to securing today’s applications, and also adds a third principle to Zero Trust, “Continuously monitor.”
From F5’s perspective, these are the four control points that you need to secure:
- The endpoints accessing applications.
- The applications (regardless if they are native cloud or SaaS apps, or classic and custom applications).
- The identity service.
- The network infrastructure.

mmahdy_0-1664626443009.png

In this article we walk through a UDF lab to see how the principles of Zero Trust can be applied using F5 BIG-IP APM Identity Aware Proxy.

The UDF lab is accessible through this link: https://udf.f5.com/b/c1e56048-dac7-4fa8-9ae5-667f1a3970da#documentation

For more use cases, a detailed cloud docs lab series is worth a look: https://clouddocs.f5.com/training/community/iam/html/class2/module1/lab01.html

A walkthrough YouTube video is available as well, which makes use of the Application Group concept: https://www.youtube.com/watch?v=LUWvHkchlSY

An integration of F5 BIG-IP APM with CrowdStrike Falcon, by @J_McInnes, adds User and Entity Behavior Analytics (UEBA) to the F5 Identity Aware Proxy and gives an enhanced view of endpoint posture: https://community.f5.com/t5/technical-articles/zero-trust-access-with-f5-identity-aware-proxy-and-cr...

Guided Configurations settings

mmahdy_1-1664627032026.png

Using Guided Configuration simplifies the setup of Identity Aware Proxy by letting us create the required components in the following sections.

Config. Properties

mmahdy_2-1664627337828.png

Device Posture

- CA Trust Certificate: the certificate used to validate the signature on the posture data that F5 Access Guard sends to F5 BIG-IP APM.

mmahdy_4-1664627604089.png

Virtual Server Settings

mmahdy_5-1664627722231.png

User Identity

mmahdy_6-1664627908401.png

Authentication settings

In this lab, the AAA servers were created separately, outside of Guided Configuration, and added later on. Another approach is to create the AD server from within the Guided Configuration window.

mmahdy_7-1664627993220.png

Multi-Factor Authentication (MFA)

Select one of the MFA options below. In our case we go with a custom RADIUS-based MFA.

mmahdy_8-1664628122961.png

Below are the custom RADIUS settings for our MFA setup.

mmahdy_9-1664628202728.png

Single Sign-On Settings

mmahdy_10-1664628245131.png

Applications

Under the Applications section we set two values:
- Authentication FQDN: the domain to which users are redirected to go through the user identity part.
- Application FQDN, together with the pool members where the service is hosted.

mmahdy_12-1664628635377.png

mmahdy_11-1664628615722.png

Webtop settings

Specify Authentication and MFA pointers for webtop setup.

mmahdy_13-1664628828893.png

Contextual Access properties

This section is divided into three areas:

- Rule properties, where we specify the applied rules for authentication, single sign-on and device posture check.

mmahdy_14-1664628958094.png

- Assign user groups

mmahdy_15-1664629020849.png

- Additional checks

Select the action that adds the MFA step to the flow.

mmahdy_16-1664629087013.png

Customization Properties

Here we set up the GUI settings, policies and remediation settings.

mmahdy_17-1664629210372.png

Session Management settings

mmahdy_18-1664629256316.png

Summary

Review the summary and deploy.

mmahdy_19-1664629332235.png

User Testing

- Once the user enters https://basic.acme.com in the web browser, a redirect to iap1.acme.com occurs to enforce authentication and MFA.

mmahdy_20-1664629661316.png

- Once the user passes authentication and MFA successfully, the user is directed to the application.

mmahdy_21-1664629723536.png


- Now we turn the endpoint firewall off. The device posture check receives an updated report from F5 Access Guard and, based on that, blocks the incoming requests.

mmahdy_22-1664629837914.png
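To make the behaviour seen in the Contextual Access rules and in the three test steps above concrete, here is an added model (not BIG-IP APM code, and not from the lab) of a per-request access decision in the style of an Identity Aware Proxy: every request is re-evaluated against identity, MFA, group membership and the most recent endpoint posture report, so a firewall being switched off mid-session flips the verdict to block. The FQDNs come from the article; the group name, the posture-freshness window and the posture fields are assumptions, and the walkthrough adds a fourth step beyond the article (a posture report that stops arriving) to show why a stale report is treated as unknown rather than trusted.

```python
"""Constructed model of a Zero Trust per-request access decision.
This is an illustrative example, not F5 BIG-IP APM or Access Guard code."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# FQDNs from the lab walkthrough
AUTH_FQDN = "iap1.acme.com"
APP_FQDN = "basic.acme.com"

# Assumed policy knobs (not taken from the article)
POSTURE_MAX_AGE_SECONDS = 60
REQUIRED_GROUP = "app-users"


class Decision(Enum):
    REDIRECT_TO_AUTH = "redirect"
    ALLOW = "allow"
    BLOCK = "block"


@dataclass
class Session:
    """State the proxy keeps for one browser session."""
    user: str
    authenticated: bool = False
    mfa_passed: bool = False
    groups: Tuple[str, ...] = ()
    # Most recent endpoint posture report (hypothetical fields modelled on
    # what a posture agent such as F5 Access Guard feeds the proxy)
    firewall_enabled: bool = False
    posture_reported_at: float = 0.0


def evaluate(host: str, session: Optional[Session], now: float) -> Tuple[Decision, str]:
    """Re-evaluate every request: identity, MFA, group and live device posture."""
    if host == AUTH_FQDN:
        return Decision.ALLOW, "authentication endpoint"
    if session is None or not session.authenticated or not session.mfa_passed:
        # No authenticated, MFA-verified session: send the user to the auth FQDN
        return Decision.REDIRECT_TO_AUTH, f"https://{AUTH_FQDN}/"
    if REQUIRED_GROUP not in session.groups:
        return Decision.BLOCK, "user not in required group"
    if now - session.posture_reported_at > POSTURE_MAX_AGE_SECONDS:
        # No fresh posture report: treat the device as unknown, not as trusted
        return Decision.BLOCK, "device posture report is stale"
    if not session.firewall_enabled:
        return Decision.BLOCK, "endpoint firewall is disabled"
    return Decision.ALLOW, f"forward to application pool for {host}"


def run_lab_walkthrough():
    """Replay the user-testing steps from the article and collect the decisions."""
    results = []
    t = 1000.0
    # Step 1: fresh browser, user opens the application FQDN -> redirect to auth
    results.append(evaluate(APP_FQDN, None, t)[0])
    # Step 2: authentication and MFA done, posture reported with firewall on -> allow
    sess = Session(user="alice", authenticated=True, mfa_passed=True,
                   groups=("app-users",), firewall_enabled=True,
                   posture_reported_at=t)
    results.append(evaluate(APP_FQDN, sess, t + 5)[0])
    # Step 3: firewall turned off; the next posture report changes the verdict -> block
    sess.firewall_enabled = False
    sess.posture_reported_at = t + 30
    results.append(evaluate(APP_FQDN, sess, t + 31)[0])
    # Step 4 (beyond the article): firewall back on but the agent stops reporting,
    # so the last report ages past the freshness window -> block
    sess.firewall_enabled = True
    results.append(evaluate(APP_FQDN, sess, t + 30 + POSTURE_MAX_AGE_SECONDS + 1)[0])
    return results


if __name__ == "__main__":
    for step, decision in enumerate(run_lab_walkthrough(), 1):
        print(f"step {step}: {decision.value}")
```

The order of the checks is the point: the session being authenticated earlier buys nothing on the next request if the group, the posture age or the posture content no longer satisfy policy, which is the "continuously monitor" principle the article adds to "never trust, always verify".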


Comments
Rajiv_Goel
F5 Employee
F5 Employee

Nice work and details (step by step). Thx

Great Article!

Version history
Last update:
‎27-Oct-2022 09:21