F5 powered API security and management
Editor's Note:The F5 Beacon capabilities referenced in this article hosted on F5 Cloud Services are planning a migration to a new SaaS Platform - Check out the latesthere. Introduction Application Programming Interfaces (APIs) enable application delivery systems to communicate with each other. According to a survey conducted by IDC, security is the main impediment to delivery of API-based services.Research conducted by F5 Labs shows that APIs are highly susceptible to cyber-attacks. Access or injection attacks against the authentication surface of the API are launched first, followed by exploitation of excessive permissions to steal or alter data that is reachable via the API.Agile development practices, highly modular application architectures, and business pressures for rapid development contribute to security holes in both APIs exposed to the public and those used internally. API delivery programs must include the following elements : (1) Automated Publishing of APIs using Swagger files or OpenAPI files, (2) Authentication and Authorization of API calls, (3) Routing and rate limiting of API calls, (4) Security of API calls and finally (5) Metric collection and visualization of API calls.The reference architecture shown below offers a streamlined way of achieving each element of an API delivery program. F5 solution works with modern automation and orchestration tools, equipping developers with the ability to implement and verify security at strategic points within the API development pipeline. Security gets inserted into the CI/CD pipeline where it can be tested and attached to the runtime build, helping to reduce the attack surface of vulnerable APIs. Common Patterns Enterprises need to maintain and evolve their traditional APIs, while simultaneously developing new ones using modern architectures. These can be delivered with on-premises servers, from the cloud, or hybrid environments. APIs are difficult to categorize as they are used in delivering a variety of user experiences, each one potentially requiring a different set of security and compliance controls. In all of the patterns outlined below, NGINX Controller is used for API Management functions such as publishing the APIs, setting up authentication and authorization, and NGINX API Gateway forms the data path.Security controls are addressed based on the security requirements of the data and API delivery platform. 1.APIs for highly regulated business Business APIs that involve the exchange of sensitive or regulated information may require additional security controls to be in compliance with local regulations or industry mandates.Some examples are apps that deliver protected health information or sensitive financial information.Deep payload inspection at scale, and custom WAF rules become an important mechanism for protecting this type of API. F5 Advanced WAF is recommended for providing security in this scenario. 2.Multi-cloud distributed API Mobile App users who are dispersed around the world need to get a response from the API backend with low latency.This requires that the API endpoints be delivered from multiple geographies to optimize response time.F5 DNS Load Balancer Cloud Service (global server load balancing) is used to connect API clients to the endpoints closest to them.In this case, F5 Cloud Services Essential App protect is recommended to offer baseline security, and NGINX APP protect deployed closer to the API workload, should be used for granular security controls. Best practices for this pattern are described here. 3.API workload in Kubernetes F5 service mesh technology helps API delivery teams deal with the challenges of visibility and security when API endpoints are deployed in Kubernetes environment. NGINX Ingress Controller, running NGINX App Protect, offers seamless North-South connectivity for API calls. F5 Aspen Mesh is used to provide East-West visibility and mTLS-based security for workloads.The Kubernetes cluster can be on-premises or deployed in any of the major cloud provider infrastructures including Google’s GKE, Amazon’s EKS/Fargate, and Microsoft’s AKS. An example for implementing this pattern with NGINX per pod proxy is described here, and more examples are forthcoming in the API Security series. 4.API as Serverless Functions F5 cloud services Essential App Protect offering SaaS-based security or NGINX App Protect deployed in AWS Fargate can be used to inject protection in front of serverless API endpoints. Summary F5 solutions can be leveraged regardless of the architecture used to deliver APIs or infrastructure used to host them.In all patterns described above, metrics and logs are sent to one or many of the following: (1) F5 Beacon (2) SIEM of choice (3) ELK stack.Best practices for customizing API related views via any of these visibility solutions will be published in the following DevCentral series. DevOps can automate F5 products for integration into the API CI/CD pipeline.As a result, security is no longer a roadblock to delivering APIs at the speed of business. F5 solutions are future-proof, enabling development teams to confidently pivot from one architecture to another. To complement and extend the security of above solutions, organizations can leverage the power of F5 Silverline Managed Services to protect their infrastructure against volumetric, DNS, and higher-level denial of service attacks.The Shape bot protection solutions can also be coupled to detect and thwart bots, including securing mobile access with its mobile SDK.
Blocking Zero-day WordPress Attacks with F5 Essential App Protect
Overview A recent ZDNet article reports that millions of WordPress sites are being probed and compromised due to a vulnerability with the popular "WP File Manager" plugin. Defending against the attacks of this type is one of the fundamental use cases for F5 Essential App Protect, which can block the malicious request and prevents the site from being compromised. This proof-of-concept article demonstrates what happens to a vulnerable WordPress site with and without F5 Essential App Protect. Attack without Essential App Protect Our test WordPress site at http://blog.haxrip.net was previously used in a blog post where we set up protection in less than 5 minutes. For this test we removed the instance that protected our site, and activated an older vulnerable version of the WP File Manager plugin: We’re now ready to send a payload via a Python script that exploits connector.minimal.php on our test site. This results in executing an upload of an arbitrary file and thus exposing possibility of remote code execution as per this vulnerability report. The end-result, the upload of a file: hacked.php, which you can see in this “before” and “after” view of the directory into which we’ll upload an arbitrary file via an exploited vulnerability This allows us to execute remote code by running hacked.php from a browser, which is a bad thing! Besides completely opening this WordPress site to modifications, this exposes potentially sensitive information like passwords, credentials, file structure, certificates & keys, and other info on the remote system, which is likely to enable an attacker to grow their attack footprint. So how can you avoid this? Enter Essential App Protect Now let’s “roll back” our attacked WordPress deployment by removing the hacked.php file from our system, and let’s try the same attack after we deploy an instance of Essential App Protect. This takes just a few minutes, with the below screenshots highlighting the main 3 steps of our deployment (a full deployment walk-through is available in the documentation): 1. Set up protection by using the FQDN of our WordPress site: blog.haxrip.net 2. Confirm the deployment region, use http / port 80 listener (for simplicity), and all of the default configuration options: 3. Use the generated CNAME value to configure the DNS entry for our blog to point traffic to our new Essential App Protect instance: That’s it! We are using Route 53 for our DNS management, so the change propagates in just a few minutes. While that happens we will switch our service from “Monitoring” to “Blocking” mode, to give our vulnerable site the protection it so badly needs! Now we’ll re-run the same Python script that was previously used to explore the vulnerability, which fails as the payload gets detected and blocked by our instance of F5 Essential App Protect. Inside the main dashboard Events View, we can see that our attempt has been flagged, as 4 signatures were picked up to correctly assess this request as an attack and block it. At this point, our site is protected from this and many other attacks based on thousands of signatures that are continuously updated from the F5 Threat Labs. The beauty of this platform is that it also uses predictive intelligence to detects abnormalities in the requests even if that exact attack signature hasn’t been captured yet. This means that we have a much higher chance of successfully detecting and preventing zero-day attacks on web applications. Conclusion F5 Essential App Protect is an effective platform to quickly protect potentially vulnerable instances of WordPress based on the particular exploit that’s making the news rounds this week. Note that in our tests an already exploited site is likely to be vulnerable to this & other attacks, so please set up protection and/or make sure your deployments and all of the plug-ins are up-to-date! Essential App Protect takes just a few minutes to deploy and sits between a hacker and a targeted website, scrubbing the requests across a number of pre-configured attack vectors, using signatures and predictive intelligence that provide holistic protection for externally-facing web apps. Find out more and get a trial set up today!
Export EAP config into NAP config
Hello, I would like to know if it is possible to export an Essential App Protect configuration and import it into a local NGINX App Protect instance in our dev/test environment? Is there a way to use the EAP API to pull a JSON version of currently configured policy out of EAP? Thanks, -Mike
Essential App Protect source IP ranges
Hi, I have setup an app in Essential App Protect and want to restrict my firewall to only allow traffic from the F5 Cloud Services instance. What are the IPs/Ranges that I need to use? I have tried the ones published for DNS but it looks like IP's outside of those ranges are hitting the firewall. Thanks
