Securing the traditional network perimeter (the moat-and-castle approach) is no longer sufficient. With applications deployed across multiple clouds and a growing mobile workforce, the network perimeter has all but disappeared. Zero Trust eliminates the idea of a trusted network inside a defined perimeter. Today you must apply least-privilege user access and scrutinize it as much as possible, assume attackers are already on the network and hiding in it, and get more context and visibility from the control points. The Zero Trust axiom is, "Never trust, always verify." Never trust users, even if they have already been authenticated, authorized, and granted access to applications and resources. Always verify and scrutinize user identity, device type and integrity, location, the applications and resources to which access is being requested, and more.
F5 delivers key components you will need when deploying a comprehensive Zero Trust approach. With its application security portfolio and its ability to secure the new control points in a Zero Trust environment, F5 provides the building blocks necessary to implement "Never trust, always verify," and adds a third principle to Zero Trust: "Continuously monitor." From F5's perspective, these are the four control points that you need to secure:
- The endpoints accessing applications.
- The applications (whether they are native cloud or SaaS apps, or classic and custom applications).
- The identity service.
- The network infrastructure.
In this article we walk through a UDF lab to see how the principles of Zero Trust can be applied using F5 BIG-IP APM Identity Aware Proxy.
Using the guided configuration simplifies the setup of Identity Aware Proxy by creating the required components in the following sections.
- CA Trust Certificate, used to validate the signed data that F5 Access Guard sends to BIG-IP APM.
Virtual Server Settings
In this lab the AD server was created separately, outside of the guided configuration, and added later on. Alternatively, the AD server can be created from within the guided configuration window.
Multi-Factor Authentication (MFA)
Select one of the MFA options below; in our case we go with the custom RADIUS-based option.
Below are the custom RADIUS settings for our MFA setup.
Single Sign-On Settings
Under the Applications section we set two values:
- Authentication FQDN, the domain to which users are directed for the user identity part.
- Application FQDN, together with the pool members where the service is hosted.
Specify the authentication and MFA pointers for the webtop setup.
Contextual Access properties
This one can be broken into three areas:
- Rule properties, where we specify the rules applied for authentication, single sign-on and device posture check.
- Assign user groups
- Additional checks
Select the action that adds the MFA step to the flow.
Here we set up the GUI settings, policies and remediation settings.
Session Management settings
Check the summary and deploy.
- Once the user enters https://basic.acme.com in the web browser, a redirect to iap1.acme.com occurs to enforce authentication and MFA.
- Once the user passes authentication / MFA successfully, they are directed to the application.
- Now we turn the firewall off; the device posture check receives an update from F5 Access Guard and, based on that, blocks the incoming requests.