Orchestrated Infrastructure Security - Change at the speed of Business
Editor's Note:The F5 Beacon capabilities referenced in this article hosted on F5 Cloud Services are planning a migration to a new SaaS Platform - Check out the latesthere Introduction This article is part of a series on implementing Orchestrated Infrastructure Security. It includes High Availability, Central Management with BIG-IQ, Application Visibility with Beacon and the protection of critical assets using F5 Advanced WAF and Protocol Inspection (IPS) with AFM.It is assumed that SSL Orchestrator is already deployed, and basic network connectivity is working. If you need help setting up SSL Orchestrator for the first time, refer to the Dev/Central article series on Implementing SSL Orchestrator here or the CloudDocs Deployment Guide here. This article focuses on using SSL Orchestrator as a tool to assist with simplifying Change Management processes, procedures and shortening the duration of the entire process. Configuration files of BIG-IP deployed as Advanced WAF and AFM and can be downloaded fromherefrom GitLab. Please forgive me for using SSL and TLS interchangeably in this article. This article is divided into the following high level sections: ·Create a new Topology to perform testing ·Monitor server statistics – change the weight ratio – check server stats again ·Remove a single AFM device from the Service ·Perform maintenance on the AFM device ·Add the AFM device to the new Topology ·Test functionality with a single client ·Add AFM device back to the original Topology ·Test functionality again ·Repeat to perform maintenance on the other AFM device Create a new Topology to perform testing A new Topology will be used to safely test the Service after maintenance is performed.The Topology should be similar to the one used for production traffic.This Topology can be re-used in the future. From the BIG-IP Configuration Utility select SSL Orchestrator > Configuration.Click Add under Topologies. Scroll to the bottom of the next screen and click Next. Give it a name, Topology_Staging in this example. Select L2 Inbound as the Topology type then click Save & Next. For the SSL Configurations you can leave the default settings.Click Save & Next at the bottom. Click Save & Next at the bottom of the Services List. Click the Add button under Services Chain List.A new Service Chain is needed so we can remove AFM2 from the Production Service and add it here. Give the Service Chain a name, Staging_Chain in this example.Click Save at the bottom. Note: The Service will be added to this Service Chain later. Click Save & Next. Click the Add button on the right to add a new rule. For Conditions select Client IP Subnet Match. Enter the Client IP and mask, 10.1.11.52/32 in this example.Click New to add the IP/Subnet. Set the SSL Proxy Action to Intercept. Set the Service Chain to the one created previously. Click OK. Note: This rule is written so that a single client computer (10.1.11.52) will match and can be used for testing. Select Save & Next at the bottom. For the Interception Rule set the Source Address to 10.1.11.52/32.Set the Destination Address/Mask to 10.4.11.0/24.Set the port to 443. Select the VLAN for your Ingress Network and move it to Selected. Set the L7 Profile to Common/http. Click Save & Next. For Log Settings, scroll to the bottom and select Save & Next. Click Deploy. Monitor server statistics – change the weight ratio – check server statistics again Check the Virtual Server statistics on the BIG-IP we will be performing maintenance on.It’s “AFM2” in this example. Under Local Traffic click Virtual Servers. Then select Statistics > Virtual Server. Set Auto Refresh to 10 seconds. In this example you can see we have 5 Virtual Servers.The statistic counters should increment every time the screen refreshes.These servers appear to be healthy. Change the Weight Ratio Back to the SSL Orchestrator Configuration Utility.Click SSL Orchestrator > Configuration > Services > then the Service name, ssloS_IPS in this example. Click the pencil icon to edit the Service. Click the pencil icon to edit the Network Configuration for AFM1. Set the ratio to 65535 and click Done. Note: Alternately you could disable the Pool Member from LTM > Pools. Click Save & Next at the bottom. Click OK if presented with the following warning. Click Deploy. Click OK when presented with the Success message. Check Server Statistics Again Check the Virtual Server statistics on “AFM2” again.With Auto Refresh on, the statistics should no longer increment.Current Connections should eventually reach zero for all Virtual Servers. Remove a single AFM device from the Service Back to the SSL Orchestrator Configuration Utility.Click SSL Orchestrator > Configuration > Services > then the Service name, ssloS_IPS in this example. Click the pencil icon to edit the Service. Under Network Configuration, delete AFM2. Click Save & Next at the bottom. Click OK if presented with the following warning. Click Deploy. Click OK when presented with the Success message. Perform maintenance on the AFM device At this point AFM2 has been removed from the Incoming_Security Topology and is no longer handling production traffic.AFM1 is now handling all of the production traffic. We can now perform a variety of maintenance tasks on AFM2 without disrupting production traffic.When done with the task(s) we can then safely test/verify the health of AFM2 prior to moving it back into production. Some examples of maintenance tasks: ·Perform a software upgrade to a newer version. ·Make policy changes and verify they work as expected. ·Physically move the device. ·Replace a hard drive, fan, and/or power supply. Add the AFM device to the new Topology This will allow us to test its functionality with a single client computer, prior to moving it back to production. From the SSL Orchestrator Configuration Utility click SSL Orchestrator > Configuration > Topologies > sslo_Topology_Staging. Click the pencil icon on the right to edit the Service. Click Add Service. Select the Generic Inline Layer 2 Service and click Add. Give it a name or leave the default.Click Add under Network Configuration. Set the FROM and TO VLANS to the following and click Done. Click Save at the bottom. Click the Service Chain icon. Click the Staging_Chain. Move the GENERIC Service from Available to Selected and click Save. Click OK. Click Deploy. Click OK. Test functionality with a single client We created a policy with source IP = 10.1.11.52 to use the new AFM Service that we just performed maintenance on. Go to that client computer and verify that everything is still working as expected. As you can see this is the test client with IP 10.1.11.52. The page still loads for one of the web servers. You can view the Certificate and see that it is not the same as the Production Certificate. To ensure that everything is working as expected you can view the Virtual Server Statistics on AFM2, which was the AFM device removed from the Production network. From Local Traffic select Virtual Servers > Statistics > Virtual Server. Statistics can be cleared by checking the box and selecting Reset.After a reset, you should see Bits and Packets for 10.4.11.56, assuming you reload the browser a few times from the test client. It is advisable to check that all of the Virtual Servers are working this way. Add AFM device back to the original Topology From the SSL Orchestrator GUI select SSL Orchestrator > Configuration > Service Chains. Select the Staging_Chain. Select ssloS_Generic on the right and click the left arrow to remove it from Selected. Click Deploy when done. Click OK. Click OK to the Success message. From the SSL Orchestrator Guided Configuration select SSL Orchestrator > Configuration > Services. Select the GENERIC Service and click Delete. Click OK to the Warning. When that is done click the ssloS_IPS Service. Click the Pencil icon to edit the Service. Under Network Configuration click Add. Set the Ratio to the same value as AFM1, 65535 in this example.Set the From and To VLAN the following and click Done. Click Save & Next at the bottom. Click OK. Click Deploy. Click OK. Test functionality again Make sure AFM2 is working properly. To ensure that everything is working as expected you can view the Virtual Server Statistics on AFM2. From Local Traffic select Virtual Servers > Statistics > Virtual Server. Click Refresh or set Auto Refresh to 10 seconds.When the statistics reload it should look something like the following. Repeat these steps to perform maintenance on the other AFM device (not covered in this guide) Remove a single Adv.WAF device from the Service Monitor server statistics – change the weight ratio – check server statistics again ·Remove a single Adv.WAF device from the Service ·Perform maintenance on the Adv.WAF device ·Add the Adv.WAF device to the new Topology ·Test functionality with a single client ·Add Adv.WAF device back to the original Topology ·Test functionality again ·Repeat to perform maintenance on the other Adv.WAF device Check the Virtual Server statistics on the BIG-IP we will be performing maintenance on.It’s “Adv.WAF2” in this example. Under Local Traffic click Virtual Servers. Then select Statistics > Virtual Server. Set Auto Refresh to 10 seconds. In this example you can see we have 5 Virtual Servers.The statistic counters should increment every time the screen refreshes.These servers appear to be healthy. Change the Weight Ratio Back to the SSL Orchestrator Configuration Utility.Click SSL Orchestrator > Configuration > Services > then the Service name, ssloS_AdvWAF in this example. Click the pencil icon to edit the Service. Click the pencil icon to edit the Network Configuration for WAF1. Set the ratio to 65535 and click Done. Click Save & Next at the bottom. Click OK if presented with the following warning. Click Deploy. Click OK when presented with the Success message. Check Server Statistics Again Check the Virtual Server statistics on “Adv.WAF2” again.With Auto Refresh on, the statistics should no longer increment.Current Connections should eventually reach zero for all Virtual Servers. Remove a single Adv.WAF device from the Service Back to the SSL Orchestrator Configuration Utility.Click SSL Orchestrator > Configuration > Services > then the Service name, ssloS_AdvWAF in this example. Click the pencil icon to edit the Service. Under Network Configuration, delete WAF2. Click Save & Next at the bottom. Click OK if presented with the following warning. Click Deploy. Click OK when presented with the Success message. Perform maintenance on the Adv.WAF device At this point Adv.WAF2 has been removed from the Incoming_Security Topology and is no longer handling production traffic.Adv.WAF1 is now handling all of the production traffic. We can now perform a variety of maintenance tasks on Adv.WAF2 without disrupting production traffic.When done with the task(s) we can then safely test/verify the health of Adv.WAF2 prior to moving it back into production. Some examples of maintenance tasks: ·Perform a software upgrade to a newer version. ·Make policy changes and verify they work as expected. ·Physically move the device. ·Replace a hard drive, fan, and/or power supply. Add the Adv.WAF device to the new Topology This will allow us to test its functionality with a single client computer, prior to moving it back to production. From the SSL Orchestrator Configuration Utility click SSL Orchestrator > Configuration > Topologies > sslo_Topology_Staging. Click the pencil icon on the right to edit the Service. Click Add Service. Select the Generic Inline Layer 2 Service and click Add. Give it a name or leave the default.Click Add under Network Configuration. Set the FROM and TO VLANS to the following and click Done. Click Save at the bottom. Click the Service Chain icon. Click the Staging_Chain. Move the GENERIC Service from Available to Selected and click Save. Click OK. Click Deploy. Click OK. Test functionality with a single client We created a policy with source IP = 10.1.11.52 to use the new Adv.WAF Service that we just performed maintenance on. Go to that client computer and verify that everything is still working as expected. As you can see this is the test client with IP 10.1.11.52. The page still loads for one of the web servers. You can view the Certificate and see that it is not the same as the Production Certificate. To ensure that everything is working as expected you can view the Virtual Server Statistics on Adv.WAF2, which was the Adv.WAF device removed from the Production network. From Local Traffic select Virtual Servers > Statistics > Virtual Server. Statistics can be cleared by checking the box and selecting Reset.After a reset, you should see Bits and Packets for 10.4.11.56, assuming you reload the browser a few times from the test client. It is advisable to check that all of the Virtual Servers are working this way. Add Adv.WAF device back to the original Topology From the SSL Orchestrator GUI select SSL Orchestrator > Configuration > Service Chains. Select the Staging_Chain. Select ssloS_Generic on the right and click the left arrow to remove it from Selected. Click Deploy when done. Click OK. Click OK to the Success message. From the SSL Orchestrator Guided Configuration select SSL Orchestrator > Configuration > Services. Select the GENERIC Service and click Delete. Click OK to the Warning. When that is done click the ssloS_AdvWAF Service. Click the Pencil icon to edit the Service. Under Network Configuration click Add. Set the Ratio to the same value as Adv.WAF1, 65535 in this example.Set the From and To VLAN the following and click Done. Click Save & Next at the bottom. Click OK. Click Deploy. Click OK. Test functionality again Make sure Adv.WAF2 is working properly. To ensure that everything is working as expected you can view the Virtual Server Statistics on Adv.WAF. From Local Traffic select Virtual Servers > Statistics > Virtual Server. Click Refresh or set Auto Refresh to 10 seconds.When the statistics reload it should look something like the following. Repeat these steps to perform maintenance on the other Adv.WAF device (not covered in this guide) Summary In this article you learned how to use SSL Orchestrator as a tool to assist with simplifying Change Management processes, procedures and shortening the duration of the entire process. Next Steps That's it, you're done!Orchestrated Infrastructure Security - Change at the Speed of Business - UDF Lab
Introduction The latest UDF Blueprint can be found here. The UDF Blueprint is different from the Verified Design article.The topology in the UDF Blueprint is Layer 3 Inbound because Layer 2 is not supported in UDF.The High Availability (HA) configuration has been removed.BIG-IQ Centralized Management has also been removed. The AFM/IPS Service is not included. This is due to the UDF environment itself and resource constraints there.The services are deployed in Layer 2, which is unchanged between the UDF and this article. The following Dev/Central article series has helpful configuration information: https://devcentral.f5.com/s/articles/Orchestrated-Infrastructure-Security-Change-at-the-speed-of-Business Differences between the article and UDF Lab will be addressed here. This UDF lab follows the original article high-level sections: ·Create a new topology to perform testing ·Monitor server statistics, change the weight ratio, and check server stats again (follow the procedure in the previous article) ·Remove a single Advanced WAF device from the service (follow the procedure in the previous article) ·Perform maintenance on the Advanced WAF device (follow the procedure in the previous article) ·Add the Advanced WAF device to the new topology ·Test functionality with a single client ·Add Advanced WAF device back to the original topology ·Test functionality again ·Repeat to perform maintenance on the other Advanced WAF device Important Details All VLANs and Self IPs have been created. SSL Orchestrator: bigip-ssl-orchestrator.com Self IPs Inside-vlan 10.1.10.100 Outside-vlan 10.1.20.100 Management: 10.1.1.4 L2 Vlans for Adv.WAF Services Egress1 – 1.3 Ingress1 – 1.4 Egress2 – 1.5 Ingress2 – 1.6 Advanced WAF is preconfigured with the 5 Application Servers (virtual servers): 10.1.10.90 10.1.10.91 10.1.10.92 10.1.10.93 10.1.10.94 Advanced WAF1 L2 VLANs Ingress Egress Management 10.1.1.7 Advanced WAF2 L2 VLANs Ingress Egress Management 10.1.1.8 F5 devices usernames and passwords are admin/admin Ubuntu clients: student/agility Outside – Desktop This desktop simulates an external user accessing the web application. 10.1.20.65 TEST – Client This desktop is external, but is only used for testing.After performing maintenance on an SSL Orchestrator service, this is where you test it to make sure it’s working properly. 10.1.20.99 Application Webservers These are the webservers that are being protected by SSL Orchestrator and Advanced WAF. 10.1.10.90 10.1.10.91 10.1.10.92 10.1.10.93 10.1.10.94 Create a new Topology to perform testing Follow the procedure in the previous article, but instead create an Inbound L3 Topology. When you create an interception rule, be sure to set the Source to 10.1.20.99 as this is the test client for the UDF lab. The Ingress Network should be set to the outside-vlan. The ingress network should be set to the outside-VLAN. When you get to the egress settings, set Manage SNAT Settings to Auto Map. Monitor server statistics – change the weight ratio – check server stats again (Follow the procedure in the previous article) Remove a single Advanced WAF device from the Production Service (Follow the procedure in the previous article) Perform maintenance on the Advanced WAF device (Follow the procedure in the previous article) Add the Advanced WAF device to the new topology Follow the procedure in the previous article. Create a new Generic Inline Layer 2 service. The network configuration should look like this: When you get to the security policy, add a Client IP Subnet Match for 10.1.20.99/32 as this is the external client where we will perform testing. Set the SSL Proxy Action to Intercept. Select the "testing" Service Chain. Test functionality with a single client Use the TEST - Client in UDF to test the Advanced WAF service post-maintenance. Hit Enter to get to the Login screen. Login as the Student. The password is "agility". The TEST – Client desktop will load. Click Activities to access the Firefox browser. Note that a console is also available should you wish to use it. Note that all application web servers are already bookmarked. Click one of them. You will get a security warning. Click Advanced. Click View Certificate. You should see the default certificate that comes with the BIG-IP. When you see the default certificate, you know that your connection is not being routed through the Production-Topology. Click Accept the Risk and Continue. The web page should load. Add the Advanced WAF device back to the original topology First you need to remove the TESTING-SERVICE from the service chain.It should look like the image below. Then you can delete the Service. Now you can add the Service back to the AdvancedWAF Service. Test functionality again You can use the Outside - Desktop to test functionality and make sure the Advanced WAF Services are working properly. Repeat to perform maintenance on the other Advanced WAF device The TESTING-TOPOLOGY was not deleted so you can re-use it for the other Advanced WAF device. The TESTING-CHAIN is empty, so make sure you add the Service to it after it's created. Conclusion You're done! Hopefully you were able to follow along despite the differences in the original article when compared to the UDF Lab.
