So we ran a penetration test and found 2 of our VIPs affected by these:
a. Disable HTTP OPTIONS method
b. Disable TCP Timestamp responses
Is there a way to remediate this? I tried looking on the internet but:
a. Disable HTTP OPTIONS method - I only see how to change it globally on the F5 (which would probably affect other VIPs), is there another way?
b. Disable TCP Timestamp responses - I can't seem to find a proper way to address this, is there a way?
Hoping for help. Thanks!
You can disable HTTP OPTIONS in the HTTP profile in the known methods section. If you want to only disable it for a single VIP, then create a new HTTP profile, make the required change and then associate it with your VIP.
For TCP Timestamps, again, if you want to disable them, this is in the TCP Profile in the Congestion Control section. Create a new TCP profile, make your change and then associate it with your VIP.
a. Like iaine mentioned, you can use the known methods setting in the HTTP profile to reject/reset the connection. Alternatively you can use an iRule to either reject or return an HTTP 501 response. For more information, refer to https://support.f5.com/csp/article/K34769490. Also, if you have the ASM module licensed and provisioned, the ASM security policy would block the OPTIONS method by default.
b. There is a potential performance tradeoff when TCP Timestamp is disabled in either the TCP profile (Timestamps Extension for High Performance (RFC 1323) setting) or the FastL4 profile (TCP Timestamp Mode setting). You may want to consider randomising the TCP Timestamp instead by enabling the db key tm.tcpsendrandomtimestamp. For more details, you may want to take a look at https://support.f5.com/csp/article/K8072.
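One way to do the per-VIP OPTIONS block from the second answer with an iRule, as an added example that is not part of the thread or of the linked K article; the iRule name and the log facility are assumptions, and the ASM/profile alternatives above remain the simpler route if they fit:

```tcl
# Added example iRule (not from the original thread or the F5 KB article).
# Rejects HTTP OPTIONS only on the virtual server it is attached to,
# leaving the global/default HTTP profile untouched.
# Assumptions: the iRule is saved as block_options_irule and attached under
# the VIP's Resources > iRules; logging goes to the default local0 facility.
when HTTP_REQUEST {
    # HTTP method tokens are case-sensitive (RFC 7230), so compare the exact string
    if { [HTTP::method] equals "OPTIONS" } {
        # Audit/detection: record which client probed which host and URI
        log local0. "Blocked OPTIONS from [IP::client_addr] for [HTTP::host][HTTP::uri]"
        # Option 1: answer with 501 Not Implemented and close the connection
        HTTP::respond 501 content "Method not implemented" "Connection" "close"
        # Option 2 (alternative): silently drop the TCP connection instead
        # reject
        return
    }
}
```

After attaching it, re-run the scanner's OPTIONS probe against that VIP and confirm the 501 (or connection reset) plus the local0 log line, while another VIP without the iRule still behaves as before.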