Security Automation with F5 BIG-IP and Event Driven Ansible
Updated (September 19th 2023)

INTRODUCTION TO EVENT DRIVEN SECURITY:

Event Driven Security is one of the projects I have been working on for the last year or so. The idea of creating automated security that can react the way I would react in a given situation is fascinating to me, and then comes the BIG question... "Can I code it?"

Originally our solution used ELK (Elasticsearch, Logstash, Kibana): Elasticsearch was my logging and monitoring tool, Kibana was the front-end GUI for visualizing data and setting up the watchers for my webhook triggers, and Logstash was the intermediary that received my webhooks and executed the Ansible-related code. With Logstash, simple Ansible code ran without issues, but when things got more complex (for example, taking payloads from Elastic and feeding them through Logstash to my playbooks) I would sometimes get intermittent results. Some of this could be my lack of knowledge of the software, but for me it needed to be simple! As my Event Driven Security grows more complex, I needed a product that would keep up with those needs. Luckily, in October 2022 that product was announced: Event Driven Ansible. It meant I no longer needed Logstash; I could call Ansible-related code directly, and it even accepted JSON-based webhooks to trigger the code, so I was already halfway there!

CODE FOR EVENT DRIVEN SECURITY:

Now that I have set up the preface, let's get down to the good stuff! I have set up a GitHub repository for the code I have been testing with, https://github.com/f5devcentral/f5-bd-ansible-eda-demo, which is free for all to use; please feel free to take/fork/expand!!! There are some cool things worth noting in the code, specifically the transformation of the watcher output into something usable in playbooks.
This code takes every hit the watcher's filter matched, copies the source IP from each hit into a comma-separated list, and sends that list as a variable in the webhook together with the message that triggers the Ansible code. Here is the transform and webhook portion of the Elastic watcher I am referring to; see the full code in the GitHub repo (Github Repo --> elastic --> watch_blocked_ips.json):

    "actions": {
      "logstash_exec": {
        "transform": {
          "script": {
            "source": """
              def hits = ctx.payload.hits.hits;
              def transform = '';
              for (hit in hits) {
                transform += hit._source.src_ip;
                transform += ', ';
              }
              return transform;
            """,
            "lang": "painless"
          }
        },
        "webhook": {
          "scheme": "http",
          "host": "10.1.1.12",
          "port": 5000,
          "method": "post",
          "path": "/endpoint",
          "params": {},
          "headers": {},
          "body": """{ "message": "Ansible Please Block Some IPs", "payload": "{{ctx.payload._value}}" }"""
        }
      }
    }

In the Ansible Rulebook, the big thing to note is the change from the pre-GA code (which was all CLI ansible-rulebook based) to the GA version (EDA GUI): rulebooks are now set up to call Ansible Automation Platform (AAP) job templates. In the code below you can see that it looks for an existing template "Block IPs" in the organization "Default" in order to run correctly (Github Repo --> rulebooks --> webhook-block-ips.yaml):

    ---
    - name: Listen for events on a webhook
      hosts: all
      ## Define our source for events
      sources:
        - ansible.eda.webhook:
            host: 0.0.0.0
            port: 5000
      ## Define the conditions we are looking for
      rules:
        - name: Block IPs
          condition: event.payload.message == "Ansible Please Block Some IPs"
          action:
            run_job_template:
              name: "Block IPs"
              organization: "Default"

This shows my template setup in Ansible Automation Platform 2.4.x. There is one CRITICAL piece of information I want to share about using EDA GA with AAP 2.4: within the template you MUST tick the "Prompt on launch" checkbox in the "Variables" section, otherwise the payload from EDA never reaches the playbook.
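To make the shape of the payload concrete at each hop, here is an added Python example (my own code, not from the f5-bd-ansible-eda-demo repository) that mirrors the watcher's Painless transform building the comma-separated src_ip string, the rulebook's message match, and the playbook's split(', ') followed by dropping the empty last element. The watcher hits are a constructed sample. It also adds a guard the post does not have: since the rulebook's webhook source is configured without authentication and the watcher posts over plain http, the example checks that each element is a syntactically valid, unique IP address before it would be handed to the WAF policy, and reports anything it rejected.

```python
"""Added example: the blocked-IP payload walked through the three hops the post
describes (Elastic watcher -> EDA rulebook -> AAP playbook) in plain Python.

Not code from the f5-bd-ansible-eda-demo repository. Field names (src_ip,
message, payload) follow the watcher and rulebook shown in the post; the hits
below are a constructed sample, not real log data."""
import ipaddress
import json

# Constructed sample of what ctx.payload.hits.hits could contain in the watcher.
SAMPLE_HITS = [
    {"_source": {"src_ip": "203.0.113.10"}},
    {"_source": {"src_ip": "198.51.100.7"}},
    {"_source": {"src_ip": "203.0.113.10"}},   # same source seen twice
    {"_source": {"src_ip": "not-an-ip"}},      # malformed value to exercise the guard
]

# The message string the watcher sends and the rulebook condition matches on.
WEBHOOK_MESSAGE = "Ansible Please Block Some IPs"


def watcher_transform(hits):
    """Mirror of the Painless transform: concatenate every src_ip with ', '.
    Like the original it leaves a trailing separator, which is why the playbook
    drops the last (empty) element after split()."""
    transform = ""
    for hit in hits:
        transform += hit["_source"]["src_ip"]
        transform += ", "
    return transform


def webhook_body(hits):
    """Build the JSON body the watcher POSTs to the EDA webhook source."""
    return json.dumps({"message": WEBHOOK_MESSAGE,
                       "payload": watcher_transform(hits)})


def rulebook_matches(body):
    """Rulebook condition: event.payload.message == "Ansible Please Block Some IPs"."""
    event = json.loads(body)
    return event.get("message") == WEBHOOK_MESSAGE


def playbook_blocked_ips(body):
    """Playbook side: payload.split(', ') and then drop the empty last element ([:-1])."""
    event = json.loads(body)
    ips = event["payload"].split(", ")
    return ips[:-1]


def validated_blocked_ips(body):
    """Extra guard (added here, not in the post): keep only unique, syntactically
    valid IP addresses before they would reach a WAF policy; return rejects too."""
    accepted, rejected = [], []
    for raw in playbook_blocked_ips(body):
        try:
            ip = str(ipaddress.ip_address(raw.strip()))
        except ValueError:
            rejected.append(raw)
            continue
        if ip not in accepted:
            accepted.append(ip)
    return accepted, rejected


if __name__ == "__main__":
    body = webhook_body(SAMPLE_HITS)
    print("webhook body:  ", body)
    print("rulebook fires:", rulebook_matches(body))
    print("raw split:     ", playbook_blocked_ips(body))
    print("validated:     ", validated_blocked_ips(body))
```

Running it shows the raw split still carries the duplicate and the malformed entry, while the validated list is what a playbook should hand to the F5 modules; in the real pipeline the same check can be expressed with the ipaddr filter before the set_fact that builds Blocked_IPs.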
With "Prompt on launch" enabled, the payload from EDA (handed to it by Elastic) is passed on to the playbook. In the playbook you can see how we extract the payload from the event using the ansible_eda variable. This lets us pull in the event that was sent from Elastic to Event Driven Ansible and then to the Ansible Automation Platform template, narrow it down to the specific fields we need (message and payload), and build an array from that payload so we can pass it to our F5 code to start adding blocked IPs to the WAF policy (Github Repo --> playbooks --> block-ips.yaml):

    ---
    - name: ASM Policy Update with Blocked IPs
      hosts: lb
      connection: local
      gather_facts: false
      vars:
        Blocked_IPs_Events: "{{ ansible_eda.event.payload }}"
        F5_VIP_Name: VS_WEB
        F5_VIP_Port: "80"
        F5_Admin_Port: "443"
        ASM_Policy_Name: "WAF-POLICY"
        ASM_Policy_Directory: "/tmp/f5/"
        ASM_Policy_File: "WAF-POLICY.xml"
      tasks:
        - name: Setup provider
          ansible.builtin.set_fact:
            provider:
              server: "{{ ansible_host }}"
              user: "{{ ansible_user }}"
              password: "{{ ansible_password }}"
              server_port: "{{ F5_Admin_Port }}"
              validate_certs: "no"
        - name: Blocked IP Events From EDA
          debug:
            msg: "{{ Blocked_IPs_Events.payload }}"
        - name: Create Array from BlockedIPs
          ansible.builtin.set_fact:
            Blocked_IPs: "{{ Blocked_IPs_Events.payload.split(', ') }}"
          when: Blocked_IPs_Events is defined
        - name: Remove Last Object from Array which is empty array object
          ansible.builtin.set_fact:
            Blocked_IPs: "{{ Blocked_IPs[:-1] }}"
          when: Blocked_IPs_Events is defined
    ...

All of this combined creates a well-oiled setup, shown in the diagram below; with the code and the flows set up we can now create proactive, event-based security! Here is the flow of the code in the GitHub repo when executed:

- The F5 BIG-IP pushes all of its monitoring logs to Elastic.
- Elastic stores all that data while running a watcher with its filters and criteria. When the watcher finds something that matches its criteria, it sends the webhook with the payload to Event Driven Ansible.
- Event Driven Ansible's rulebook triggers and calls a template within Ansible Automation Platform, passing along the payload it received from Elastic.
- The Ansible Automation Platform template executes a playbook that secures the F5 BIG-IP using the payload given to it by EDA (originally from Elastic).

In the end we go full circle, starting from the F5 BIG-IP and ending at the F5 BIG-IP!

Full Demonstration Video:

Check out our full demonstration video, posted September 13th 2023, available on-demand via https://www.f5.com/company/events/webinars/f5-and-red-hat-3-part-demo-series. The page requires registration, and you can check out our 3-part series there; the one related to this lab is "Event-Driven Automation and Security with F5 and Red Hat Ansible".

Proactive Security with F5 & Event Driven Ansible Video Demo

LINKS TO CODE: https://github.com/f5devcentral/f5-bd-ansible-eda-demo

A Makeover for DevCentral.
UPDATE: This maintenance has been moved to Jan 24th starting at approximately 8AM Pacific time.

---

DevCentral Community,

TL;DR - I am announcing some updates coming to the DevCentral community website in a few days, on January 24th (originally January 17th). This is a mid-sized reboot, some upgrades that we expect will make our online environment a bit nicer to use now and enable more epic-ness to come.

***This update WILL include a maintenance downtime of up to 6 hours starting around 8AM PT (-8 UTC).***

A huge shoutout. I speak for everyone on our team when I say the DevCentral community rocks! We on the DevCentral team are inspired and motivated by your creativity and willingness to share. The depth of your capabilities and the mutual respect you have for individual learning never ceases to amaze. As you, collectively, work through increasingly complex problem-spaces, we are always working to support your progress. Our recent observations and your suggestions have been buzzing in our ears for several months, and so the changes you'll see soon represent next steps for what we think will make your DevCentral community truly exceptional.

An updated UI is just the start. Interface updates will be the most obvious, but these are evolutionary rather than revolutionary - a paint job and some new tech. The new tech includes a simpler set of stylesheets, more configurable page templates, some advanced features in the editors, and an overall reductive approach to some historical bloat. One of my design tenets is best summarized as "comfortably information dense". DevCentral is a functional website, mostly used during your workweek, and we are looking to strike a balance between engaging with the content quickly and easily (e.g., less scrolling and more filters) without getting eyestrain or needing to know where you are on the site. I'll get into a bit more detail next week, and after we launch I expect to produce some guided walkthroughs you can use to discover some gems.

If you are coming to AppWorld in San Jose in February, be sure to stop by our booth and look me up; I can give you a personalized tour. Mention this article and I'll be forced to find some special swag for you too! 😎

Wait. Did you say "reductive"? Yes. In a world where everyone backs up everything, a subtractive mindset seems nutty. I'm no expert (case in point, the length of this announcement), but I embrace the subtractive sentiment, and as such I have been ruthless about driving this upgrade for a host of reasons, and that *may* have come at the expense of some existing features. Some things won't be present at launch (like Badges and Event calendars), but on balance I'm sure we will be better off. That said, if something you love disappears, let me know in a comment, in a DM, or on the Suggestions page. I can't promise everything, but I do promise my level best and that everything is done with intent: sharing valuable and useful technical information with you.

Temporary Outage

Most important, for now, is to plan for a short outage the morning of Jan 17th, approximately 8AM Pacific Time (-8H UTC), for up to about 6 hours.

Next: A reminder on Monday, Jan 15th 🚀

2022 DevCentral MVP Announcement
Congratulations to the 2022 DevCentral MVPs! Without users who take time from their busy days to share their experience and knowledge for others, DevCentral would be more of a corporate news site and not an actual user community. To that end, the DevCentral MVP Award is given annually to an outstanding group of individuals – the experts in the technical F5 user community who go out of their way to engage with the user community. The award is our way of recognizing their significant contributions, because while all of our users collectively make DevCentral one of the top community sites around and a valuable resource for everyone, MVPs regularly go above and beyond in assisting fellow F5 users. We understand that 2021 was difficult for everyone, and we are extra grateful to this year's MVPs for going out of their way to help others.

MVPs get badges in their DevCentral profiles so everyone can see that they are recognized experts. This year's MVPs will receive a glass award, certificate, exclusive thank-you gifts, and invitations to exclusive webinars and behind-the-scenes looks at things like roadmaps, new product sneak previews, and innovative concepts in development.

The 2022 DevCentral MVPs are: Aditya K Vlogs, AlexBCT, Amine_Kadimi, Austin_Geraci, Boneyard, Daniel_Wolf, Dario_Garrido, David.burgoyne, Donamato 01, Enes_Afsin_Al, FrancisD, iaine, jaikumar_f5, Jim_Schwartzme1, JoshBecigneul, JTLampe, Kai Wilke, Kees van den Bos, Kevin_Davies, Lionel Deval (Lidev), LouisK, Mayur_Sutare, Neeeewbie, Niels_van_Sluis, Nikoolayy1, P K, Patrik_Jonsson, Philip Jönsson, Rob_Carr, Rodolfo_Nützmann, Rodrigo_Albuquerque, Samstep, SanjayP, ScottE, Sebastian Maniak, Stefan_Klotz, StephanManthey, Tyler.Hatton.

Agility sessions announced
Good news, everyone! This year's virtual Agility will have over 100 sessions for you to choose from, aligned to 3 pillars. There will be:

- Breakouts (pre-recorded, 25 minutes, unlimited audience)
- Discussion Forums (live content up to 45 minutes, interactive for up to 75 attendees)
- Quick Hits (pre-recorded, 10 minutes, unlimited audience)

So, what kind of content are we talking about?

If you'd like to learn more about how to Simplify Delivery of Legacy Apps, you might be interested in:
- Making Sense of Zero Trust: what's required today and what we'll need for the future (Discussion Forum)
- Are you ready for a service mesh? (Breakout)
- BIG-IP APM + Microsoft Azure Active Directory for stronger cybersecurity defense (Quick Hits)

If you'd like to learn more about how to Secure Digital Experiences, you might be interested in:
- The State of Application Strategy 2022: A Sneak Peek (Discussion Forum)
- Security Stack Change at the Speed of Business (Breakout)
- Deploy App Protect based WAF Solution to AWS in minutes (Quick Hits)

If you'd like to learn more about how to Enable Modern App Delivery at Scale, you might be interested in:
- Proactively Understanding Your Application's Vulnerabilities (Discussion Forum)
- Is That Project Ready for you? Open Source Maturity Models (Breakout)
- How to balance privacy and security handling DNS over HTTPS (Quick Hits)

The DevCentral team will be hosting livestreams, and the DevCentral lounge where we can hang out, connect, and you can interact directly with session presenters and other technical SMEs. Please go to https://agility2022.f5agility.com/sessions.html to see the comprehensive list, and check back with us for more information as we get closer to the conference.

Office Hours - Let's do some home lab stuff!
The week between Christmas and New Year's here in the US is often a little slow. Ok, a lot slow. I always like to work this week because it allows me to clean my "work" house: trying to salvage my inbox, organizing files, shredding docs. It also affords me some time to plan and strategize for the new year, and to work on some projects that are hard to fit in during normal weeks. One of those projects will be to give my home lab some much-needed attention. If you are in the same boat and just need a dedicated block of time, why don't you join me and we can do a community dojo office hours and chat while we make progress on our labs, share what we're struggling with, what we're excited about, and just enjoy a little community time? Come late and/or leave early; just come!

Details
Date: Dec 28th, 2023
Time: 9am - 12pm PST
Link: https://f5networks.zoom.us/j/9056331793?pwd=S3pKRUc4NWwvSUpaQXBaZms0VENSQT09

May the Fourth and Security Trivia on DevCentral with a Chance to Win Prizes
DevCentral is hosting two trivia games to celebrate National Password Day AND May The Fourth (Star Wars Day). Come show off your Star Wars security, password security, and F5 security knowledge in this live event hosted by the DevCentral team and some special guests. There will be three rounds of questions during this hour, with prizes for the winners of each round as well as one lucky random player per game. Get details on how to join by clicking on:

Option 1: 8-9pm Pacific on Thursday, May 3 (7am in the UAE, 8:30am in Bangalore, 11am in Singapore, noon in Tokyo, 1pm in Melbourne and Sydney on May 4th)
Option 2: 8-9am Pacific on Thursday, May 4 (4pm BST, 5pm CET, 6pm EEST, and 7pm GST on May 4th)

DevCentral Community Lab - A&O Toolchain 212: Application Deployments with BIG-IP and AS3
DevCentral is hosting a lab for the Community!

Lab Details
We will be going through "A&O Toolchain 212: Application Deployments with BIG-IP and AS3". This topic was chosen by the members of the DevCentral Connects Group.

How To Sign Up
To sign up, simply mark yourself as attending this event and the email address from your profile will be used for the training platform. If you would like to use an alternative email address, just DM me with the email you'd like to use.

Important Dates / Time
December 13, 2022, 9:30am - 10:30am Pacific - DevCentral Connects hosts will be on a live stream, walk through the start of the lab, and get everyone logged in. For the following 3 days, the lab environment will remain open so you have plenty of time to start and complete the lab!

How to get help throughout the lab
For questions, you will be able to interact with the lab team online via a thread on Community.f5.com (will be posted here). The lab team may also jump on live streams, as needed, to address questions.

Hanging with DevCentral at RSA Conference 2023
AubreyKingF5 and buulam spent last week at RSA Conference 2023 in San Francisco connecting with security professionals and colleagues. And, of course, they filmed a lot of those talks to share with the community. Buu connected with Tanya Janca at B-Sides San Francisco, Jason Haddix (BuddoBot), and Joel Violette (IBM), who shares his thoughts on ChatGPT (AI was a hot topic this year across the board). Aubrey shared his RSA Keynote takeaways, interviewed Alyssa Miller before her panel on CISO challenges, and connected with a ton of other organizations across the expo room floor. Also making an appearance: Scheff, Kyle_Roberts, and Cameron_Delano, who all shared insights from their conversations at the F5 booth. Check out the full playlist of RSA 2023 content here!

That's A Wrap From BlackHat 2022 - API Security, it's time to shine
We hit the road and we hit it HARD! Between the editing and interviews, it was hard to find a lot of time for sleep. Heading out there was a truly immersive experience. Coming back to producing another show immediately, I've had some time to reflect on our trip to BlackHat USA 2022. There were some resounding themes, for sure.

Firstly, it is an API world. If you look at the summary article of BlackHat 2022 announcements I talked about on DevCentral Connects yesterday, you see a trend: I am THRILLED to see the rest of the security industry finally taking an interest in the segment that we've led, in terms of industry deployment numbers, for 15 years. In 2007, TMOS 9.2.4 delivered an XML firewall to our customers, able to ingest a WSDL for schema baselines, that learned expected API usage over time like any other HTTP-delivered application. SOAP followed shortly thereafter and, of course, REST shortly after that. This was just an evolution of WAF here at F5. Watching NGINX+ delivery of API gateways add on NGINX App Protect features with the F5 WAF engine showed me that we continue to value this level of API defense at every scale as well. When I saw Gartner and other vendors starting to call the segment 'WAAP,' it bothered me a bit, as we at F5 have always understood WAF to encompass APIs. I really hope that we can capitalize on our pedigree in this space to deliver our customers the most reliable and scalable API security solutions there are.

Regarding the F5 booth, it's been a minute since I've been at a trade show for F5. The thing that stuck out the most for me was the lack of the term 'load balancing.' What I heard more of was 'API Security' and 'Multi-Cloud Networking'. What struck me the most was that customers seemed to understand that multi-cloud was really our thing now, and I think that having partners like Red Hat has helped us to be viewed as a software company rather than a big-iron vendor.
This speaks volumes to our ongoing transformation and our ability to get that message out there. Kudos to our sales teams for really making that apparent.

Be sure to follow us all on the socials for content, in addition to YouTube:
DevCentral handles: https://www.linkedin.com/showcase/f5-devcentral/ | https://twitter.com/devcentral
Peter Silva: https://www.linkedin.com/in/psilvas/ | https://twitter.com/psilvas
Buu Lam: https://www.linkedin.com/in/buulam/ | https://twitter.com/buulam
Aubrey King: https://www.linkedin.com/in/aubreyking | https://twitter.com/aubreykingf5

Content summary:
BlackHat USA 2022 Playlist: https://www.youtube.com/playlist?list=PLyqga7AXMtPPL3Xw0qrWO3sZnsbL4amP5