Identity-Aware decisions with JA4+
Introduction JA4+ is a suite of network fingerprints methods. These methods are both human and machine readable to facilitate more effective threat-hunting and analysis. The use cases for these fingerprints include scanning for threat actors, malware detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, grouping of threat actors, reverse shell detection, and many more. Full Name Short Name Description JA4 JA4 TLS Client Fingerprinting JA4Server JA4S TLS Server response / Session Fingerprinting JA4HTTP JA4H HTTP Client Fingerprinting JA4Latency JA4L Latency measurement / Light distance JA4X509 JA4X X509 TLS Certificate Fingerprinting JA4SSH JA4SSH SSH Traffic Fingerprinting JA4TCP JA4T Passive TCP Client Fingerprinting JA4TCPServer JA4TS Passive TCP Server Response Fingerprinting JA4TCPScan JA4TScan Active TCP Server Fingerprinting Identity-enhanced JA4+ F5 BIG-IP Access Policy Manager (APM) and Next Access solutions ability to integrate with different F5 BIG-IP modules and make use of different integrations allows to leverage JA4+ fingerprints and enhance the Identity-based decisions. In this article we are covering three main JA4 fingerprints (JA4, JA4L, JA4H). We are using two main integration points: Policy event trigger Building on a great Devcentral repo by Joe Martin,https://github.com/f5devcentral/f5-ja4 discussing how to implement JA4 fingerprint via F5 BIG-IP iRules, to use Access flow to trigger iRules and obtain required JA4 fingerprints. iRules are modified with additional EventACCESS_POLICY_AGENT_EVENT and an iRule trigger is added to the Access policies. JA4 iRule JA4L iRule JA4H iRule when ACCESS_POLICY_AGENT_EVENT { if { [ACCESS::policy agent_id] eq "JA4FP" } { ACCESS::session data set session.custom.JA4 $ja4 } } when ACCESS_POLICY_AGENT_EVENT { if { [ACCESS::policy agent_id] eq "JA4FPL" } { ACCESS::session data set session.custom.JA4l $ja4l ACCESS::session data set session.custom.JA4la [getfield $ja4l "_" 1] ACCESS::session data set session.custom.JA4lb [getfield $ja4l "_" 2] ACCESS::session data set session.custom.JA4lc [getfield $ja4l "_" 3] } } when ACCESS_ACL_ALLOWED { ACCESS::session data set session.custom.JA4h $ja4h_fp } HTTP Connector, sideband calls Initiate a call to JA4 fingerprints database and make use of the obtained ones in the previous iRules to check and match from the database. This database can obtain allowed or blocked fingerprints (malicious browsers, clients, and others). This is not only to cover security use cases but also network and performance use cases, listing below some of the use cases, Network Performance: Using JA4L to get the delay at Client to VPN endpoint and VPN endpoint to backend server, and based on this delay we may direct user to better VPN endpoint to reach specific service. Security use case: Using fingerprints calculated for (JA4, JA4H, others) and match this against JA4 Database to block malicious clients and browsers. Security use case: Using fingerprints calculated for (JA4, JA4H, others) and matching this against JA4 Database to allow specific machines or browsers to access the service. Conclusion JA4+ provides great light-weight insights into passing traffic, knowing not only the traffic reaching the device, but the history of the path that the packet traversed. Enhancing such visibility with the Identity piece from F5 Access solutions allows granular control over traffic not only from a security perspective but also from a performance and optimization point of view. Related content JA4 Database F5 DevCentral JA4DB iRules FOXIO JA4 Github Repo
