Encryption error - SAML assertion: response is not encrypted
We are trying to configure out APM with Azure SAML authentication. After login on and succedded we can an error and the logs show the following: modules/Authentication/Saml/SamlSPAgent.cpp: 'verifyAssertionSignature()': 5374: Verification of SAML signature #2 succeeded ----------------------- SAML2Websak_act_saml_auth_ag failed to parse assertion, error: Response is not encrypted ...................... a6559abf: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny' As a result the login is Denied. Is this related to the certificate or RSA encryption? We have tried various options but it comes back to the same error
F5 Labs 2019 TLS Telemetry Report Summary
Encryption standards are constantly evolving, so it is important to stay up to date with best practices. The 2019 F5 Labs TLS Telemetry Summary Report by David Warburton with additional contributions from Remi Cohen and Debbie Walkowski expands the scope of our research to bring you deeper insights into how encryption on the web is constantly evolving. We look into which ciphers and SSL/TLS versions are being used to secure the Internet’s top websites and, for the first time, examine the use of digital certificates on the web and look at supporting protocols (such as DNS) and application layer headers. On average, almost 86% of all page loads over the web are now encrypted with HTTPS. This is a win for consumer privacy and security, but it’s also posing a problem for those scanning web traffic. In our research we found that 71% of phishing sites in July 2019 were using secure HTTPS connections with valid digital certificates. This means we have to stop training users to “look for the HTTPS at the start of the address” since attackers are using deceptive URLs to emulate secure connections for their phishing and malware sites. Read our report for details and recommendations on how to bolster your HTTPS connections.How Malware Evades Detection
Malware loves encryption since it can sneak around undetected. F5Labs 2018 Phishing & Fraud Report explains how malware tricks users and evades detection. With the cloning of legitimate emails from well-known companies, the quality of phishing emails is improving and fooling more unsuspecting victims. Attackers disguise the malware installed during phishing attacks from traditional traffic inspection devices by phoning home to encrypted sites. Let's light up how evasion happens & get your F5 Labs 2018 Phishing & Fraud Report today. ps
encryption with AES/CRYPTO - how to securely store the encryption key
Dear All, I need to encrypt/decrypt some sensitive data which is permanently stored in a datagroup. Is there a way to store the encryption key so that it remained accessible from an iRule but at the same time was not present in the code? I anticipate that absolute security is problematic here (if such a thing exists at all :)) but what would be the most secure way of doing this on BigIP? Ideal scenario would be to generate a key programmatically and store it somewhere on the BigIP file system (or separate admin partition) so that it was accessible to a specific iRule (ideally just one rule) but was not accessible from GUI/CLI. The iRule then could be signed with a certificate stored on HSM and any modifications to the iRule would be captured in the audit log, syslog and eventually SIEM which is ran by our SOC. The key needs to be hidden if not from all user accounts but at least from all except one "break-glass" account whose use and credentials would be strictly controlled (administratively). Or maybe I'm trying to invite a bicycle and it may be possible to easily use HSM to store symmetric keys? Any thoughts would be very much appreciated!
ICAP Over HTTPS
So we have some conflicting requirements where our applications that require end to end encryption are also required to ICAP uploaded files to our Content Analysis platform. The Content Analysis platform will sandbox and scan files for malicious content and supports ICAP over HTTPS through port 11344. However as far as I can tell the F5 ASM only supports sending traffic over HTTP to ICAP on 1344 (or other HTTP ports). Is anyone aware of a work around to do ICAP over HTTPS so that these files are never sent in the clear? This is critical if we are going to be able to meet customer requirements. Can any F5 employees chime in if this is a planned future feature? We are currently on 12.1.2.Your SSL Secrets Uncovered
Get Started with SSL Orchestrator SSL and its brethren TLS is becoming more prevalent to secure IP communications on the internet. It’s not just financial, health care or other sensitive sites, even search engines routinely use the encryption protocol. This can be good or bad. Good, in that all communications are scrambled from prying eyes but potentially hazardous if attackers are hiding malware inside encrypted traffic. If the traffic is encrypted and simply passed through, inspection engines are unable to intercept that traffic for a closer look like they can with clear text communications. The entire ‘defense-in-depth’ strategy with IPS systems and NGFWs lose effectiveness. F5 BIG-IP can solve these SSL/TSL challenges with an advanced threat protection system that enables organizations to decrypt encrypted traffic within the enterprise boundaries, send to an inspection engine, and gain visibility into outbound encrypted communications to identify and block zero-day exploits. In this case, only the interesting traffic is decrypted for inspection, not all of the wire traffic, thereby conserving processing resources of the inspecting device. You can dynamically chain services based on a context-based policy to efficiently deploy security. This solution is supported across the existing F5 BIG-IP v12 family of products with F5 SSL Orchestrator and is integrated with such solutions like FireEye NX, Cisco ASA FirePOWER and Symantec DLP. Here I’ll show you how to complete the initial setup. A few things to know prior – from a licensing perspective, The F5 SSL visibility solution can be deployed using either the BIG-IP system or the purpose built SSL Orchestrator platform. Both have same SSL intercept capabilities with different licensing requirements. To deploy using BIG-IP, you’ll need BIG-IP LTM for SSL offload, traffic steering, and load balancing and the SSL forward proxy for outbound SSL visibility. Optionally, you can also consider the URL filtering subscription to enforce corporate web use policies and/or the IP Intelligence subscription for reputation based web blocking. For the purpose built solution, all you’ll need is the F5 Security SSL Orchestrator hardware appliance. The initial setup addresses URL filtering, SSL bypass, and the F5 iApps template. URL filtering allows you to select specific URL categories that should bypass SSL decryption. Normally this is done for concerns over user privacy or for categories that contain items (such as software update tools) that may rely on specific SSL certificates to be presented as part of a verification process. Before configuring URL filtering, we recommend updating the URL database. This must be performed from the BIG-IP system command line. Make sure you can reach download.websense.com on port 80 via the BIG-IP system and from the BIG-IP LTM command line, type the following commands: modify sys url-db download-schedule urldb download-now false modify sys url-db download-schedule urldb download-now true To list all the supported URL categories by the BIG-IP system, run the following command: tmsh list sys url-db url-category | grep url-category Next, you’ll want to configure data groups for SSL bypass. You can choose to exempt SSL offloading based on various parameters like source IP address, destination IP address, subnet, hostname, protocol, URL category, IP intelligence category, and IP geolocation. This is achieved by configuring the SSL bypass in the iApps template calling the data groups in the TCP service chain classifier rules. A data group is a simple group of related elements, represented as key value pairs. The following example provides configuration steps for creating a URL category data group to bypass HTTPS traffic of financial websites. For the BIG-IP system deployment, download the latest release of the iApps template and import to the BIG-IP system. Extract (unzip) the ssl-intercept-12.1.0-1.5.7.zip template (or any newer version available) and follow the steps to import to the BIG-IP web configuration utility. From there, you’ll configure your unique inspection engine along with simply following the BIG-IP admin UI with the iApp questionnaire. You’ll need to select and/or fill in different values in the wizard to enable the SSL orchestration functionality. We have deployment guides for the detailed specifics and from there, you’ll be able to send your now unencrypted traffic to your inspection engine for a more secure network. ps Resources: Ponemon Report: Application Security in the Changing Risk Landscape IDC Report: The Blind State of Rising SSL Traffic
Enterprise Manager - UCS Archive Encryption
Hi all When Enterprise Manager creates a UCS archive of a managed device is there a way to encrypt this file as you can on the other BIG-IP products? From what I can see you can't, which is a pain as our security governance team has stated that if we wish to backup the UCS archives on EM and also backup the private keys, then the UCS archive must at a minimum be encrypted itself. From what I gather EM does not fetch a precompiled UCS archive from the managed device but rather creates a UCS archive itself, yet doesn't provide an option to decrypt. Perhaps I've missed something so would appreciate some advice. Thank youcookie encyption passphrase
I realize this is a pretty basic question so don't skewer me. I want to enable cookie encryption which seems like a very painless process, but I'm just curious as to what the cookie encryption passphrase is used for? is this going to be needed to be given out to users? whats the use and when is it utilized? further configuration needed on other devices for it? any and all help is always appreciated.Ask the Expert – Why SSL Everywhere?
Kevin Stewart, Security Solution Architect, talks about the paradigm shift in the way we think about IT network services, particularly SSL and encryption. Gone are the days where clear text roams freely on the internal network and organizations are looking to bring SSL all the way to the application, which brings complexity. Kevin explains some of the challenges of encrypting all the way to the application and ways to solve this increasing trend. SSL is not just about protecting data in motion, it’s also about privacy. ps Related: Ask the Expert – Are WAFs Dead? RSA2015 – SSL Everywhere (feat Holmes) AWS re:Invent 2015 – SSL Everywhere…Including the Cloud (feat Stanley) F5 SSL Everywhere Solutions Technorati Tags: f5,ssl,encryption,pki,big-ip,security,privacy,silva,video Connect with Peter: Connect with F5:Reencryption, what if the certificate on the server expires ?
We use Re-encryption to a web site. SSL offload and then re-encrypt to web server. The re-encryption is not that important but a requirement, wondered what would happen if the Server certificate should expire ( the last certificate ) client --> LTM --> Server Would LTM still re-encrypt using the expired certificate on the server?
