Forum Discussion

SteveEason
May 01, 2020

Cookie Encryption Question - I'm confused

Recently we were notified by our Security team that the F5 cookies were not secure and needed to be adjusted.

F5 BIG-IP Cookie Remote Information Disclosure (20089) (Tenable scan)

I started digging into the documentation to see how to do this and then I discovered that there are 2 settings to encrypt cookies on the F5. One for the F5 cookies and one for the persistence cookies? And vague references to cookies that come from servers? This is where the confusion comes in. The documentation isn't completely clear on this.

The first location is found here: Local Traffic - Profiles : Services : HTTP

This I assume is for the F5 cookies. In this area there are 3 boxes related to Cookie encryption.

1) Encrypt Cookies

2) Cookie Encryption Passphrase

3) Confirm Cookie Encryption Passphrase

The second location is found here: Local Traffic - Profiles : Persistence

I assume this is for cookie persistence, and would not be related to the issue reported by security. (Also because on this site, persistence is disabled.)

This area has 2 boxes related to Cookie encryption.

1) Cookie Encryption Use Policy - disabled

2) Encryption Passphrase

QUESTIONS:

1) So to properly mitigate the issue reported to us, I believe I have determined that we have to go to the HTTP profile and enable cookies there. Do I need to put anything in box 1) Encrypt Cookies? Or is that just used for cookies coming from the webservers? They mention in the documentation about entering the list of cookies separated by commas. But we are only concerned about the F5 BIG-IP Cookie.

2) And depending on the answer to that question, do we enter a randomly generated encryption passphrase, or should we use a common one, which we document in our password vault?

3) That being said, if we understand the correct way to mitigate this issue, should we do this in the parent profile so that all our sites have cookie encryption enabled by default? So that way all F5 cookies are encrypted from the beginning?

4) And if the answer to that is yes, would that mean just updating the HTTP profile called 'http' to include these changes? Will we need to refresh or do anything to the child profiles for them to see the changes?

Hopefully that lays out enough information to provide you with enough to answer the question. Thanks in advance for any information.

3 Replies

  • 1. Enabling cookie persistence in the F5 HTTP profile will encrypt all the cookies which are coming from backend servers.

    2. You can use any password.

    3. I would recommend using a new HTTP profile rather than using the default HTTP profile.

    4. If you make changes on the parent profile, they will automatically be reflected on the child profile. No need to refresh.

  • If you read the Tenable article:

    https://www.tenable.com/plugins/nessus/20089

    then it does seem to indicate this is about the persistence cookie, so it is weird you say persistence isn't used.

    Can the security team perhaps show some "proof" about which cookie and for which virtual server this is?

    If it is about the F5 cookie, then you don't have to change anything on the http profile, as that is for the backend server cookies.

  • As you say you are only interested in the BIGIP cookie: encrypt it in the cookie profile instead of http. It is easier to maintain there, and you don't risk interfering with an application's cookies.

    If you only want to encrypt the BIGIP cookie, but use the http profile to do it, it seems you need to take the name of your cookie and add that to the http profile as well.

    Choose a randomly generated key/passphrase for it (a long one) and store it in your password vault. You never know what you might need in future troubleshooting scenarios.
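
As an added example (not from this thread, and not F5's own code), here is a small Python check a defender can run over captured Set-Cookie headers to answer the second reply's question of which cookie the Tenable finding refers to, and to verify after enabling encryption in the persistence profile that the BIG-IP cookie no longer decodes. It assumes the default `BIGipServer` cookie name prefix and F5's documented plaintext value layout (the pool member's IPv4 address as a little-endian 32-bit decimal, the port with its two bytes swapped, then `.0000`); both are assumptions, and the sample headers are constructed rather than captured.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed (not stated in the thread): the default persistence cookie name prefix and the
# plaintext value layout "<IPv4 as little-endian 32-bit decimal>.<port byte-swapped>.0000".
BIGIP_NAME_PREFIX = "BIGipServer"
PLAINTEXT_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
SET_COOKIE_RE = re.compile(r"^Set-Cookie:\s*([^=;\s]+)=([^;]*)", re.IGNORECASE)


def decode_plaintext_cookie(value: str) -> Optional[Tuple[str, int]]:
    """Return (pool_member_ip, port) if `value` is an unencrypted BIG-IP cookie, else None."""
    m = PLAINTEXT_RE.match(value.strip())
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # The IPv4 address is stored as a little-endian 32-bit integer: lowest byte first.
    ip = ".".join(str((ip_int >> (8 * i)) & 0xFF) for i in range(4))
    # The port is stored with its two bytes swapped.
    port = ((port_int & 0xFF) << 8) | (port_int >> 8)
    return ip, port


def assess_set_cookie(header: str) -> Dict[str, object]:
    """Classify one Set-Cookie header line.

    kind is one of:
      "unparsed"   - not a Set-Cookie line we could read
      "not_bigip"  - some other cookie; out of scope for this finding
      "plaintext"  - BIG-IP cookie whose value decodes; finding still present
      "opaque"     - BIG-IP cookie that does not decode (e.g. encrypted); expected after mitigation
    """
    m = SET_COOKIE_RE.match(header.strip())
    if not m:
        return {"name": None, "kind": "unparsed", "decoded": None}
    name, value = m.group(1), m.group(2)
    if not name.startswith(BIGIP_NAME_PREFIX):
        return {"name": name, "kind": "not_bigip", "decoded": None}
    decoded = decode_plaintext_cookie(value)
    if decoded is None:
        return {"name": name, "kind": "opaque", "decoded": None}
    return {"name": name, "kind": "plaintext", "decoded": "%s:%d" % decoded}


def findings(headers: List[str]) -> List[str]:
    """One human-readable line for every BIG-IP cookie that still discloses a pool member."""
    out = []
    for h in headers:
        r = assess_set_cookie(h)
        if r["kind"] == "plaintext":
            out.append("%s discloses pool member %s" % (r["name"], r["decoded"]))
    return out


# Constructed sample responses (not real captures): one unencrypted BIG-IP cookie,
# one BIG-IP cookie with an opaque (encrypted-style) value, one unrelated application cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServerpool_web=!hn3Qk2ZbX8pL0vW9rT4yU6sA; path=/",
    "Set-Cookie: JSESSIONID=3F2A9C1B; path=/; HttpOnly",
]

if __name__ == "__main__":
    for line in findings(SAMPLE_HEADERS):
        print(line)
```

Run it against the Set-Cookie headers from the virtual server the scanner flagged: a `plaintext` result names the cookie that still needs encrypting in the persistence profile, while only `opaque` results for `BIGipServer*` cookies is what you expect to see once the change is in place. Cookies that are not BIG-IP persistence cookies are reported as `not_bigip`, which is the quickest way to show the security team that the http profile's Encrypt Cookies list (backend cookies) is not what the finding is about.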