Getting Around the Logon/Legal Banner Issues when using APM PCoIP Proxy and Horizon
If you're using APM's PCoIP Proxy and require a logon banner, you've probably figured out that the PCoIP Proxy integration stops working when you turn on the integrated logon banner from within the Horizon Administrator. Adding to the pain, internal users can't get any logon banner since you had to turn it off in order for your external access to work! Well, the wait is over! With the use of a nifty iRule that you can attach to your internal Horizon Connection Servers virtual server, you can now present a banner BOTH internal users as well as external users who access Horizon resources using APM PCoIP Proxy. Here's how it works: Disable the logon banner through Horizon Administrator - the BIG-IP will handle presenting the banners for internal users (through the iRule) and external users (through the View iApp) instead of Horizon. Modify the text in the iRule with the text you want to show in the logon banner. Apply the iRule to your LTM Virtual Server that services internal Horizon users (either manually to the LTM virtual server or through the View iApp). You're done! A couple of things to think about when you implement this: If you need to present a legal disclaimer your external users using the PCoIP Proxy, you can still do that through the Horizon View iApp. Do not apply this to any virtual server running the APM PCoIP Proxy - it's only for providing the logon banner to internal Horizon users. The banner for PCoIP Proxy can be easily enabled through the iApp It's important to ensure the PCoIP Proxy's Connection Server settings are pointing to the individual connection server(s) and NOT the LTM virtual server that has the Logon Banner iRule applied. The iRule source is below. # Attach iRule to iApp created virtual server named "<iapp_name>_internal_https" # Replace the section “This is a XXX computer system that is FOR OFFICIAL USE ONLY. This # system is subject to monitoring. Therefore, no expectation of privacy is to be assumed. # Individuals found performing unauthorized activities are subject to disciplinary action # including criminal prosecution.” with your desired text. when RULE_INIT { # Debug Level 0=off, 1=on, 2=verbose set static::internal_disclaimer_debug 0 } when CLIENT_ACCEPTED { set log_prefix_cs "[IP::remote_addr]:[TCP::remote_port clientside] <-> [IP::local_addr]:[TCP::local_port clientside]" if { $static::internal_disclaimer_debug > 1 } { log local0. "<$log_prefix_cs>: CLIENT_ACCEPTED" } } when HTTP_REQUEST { set bypass 0 if {[HTTP::uri] starts_with "/portal/info.jsp"} { if { $static::internal_disclaimer_debug > 0 } { log local0. "<$log_prefix_cs>: Portal Info request, bypassing further processing"} set bypass 1 } else { if {[HTTP::header exists "Content-Length"]} { set content_length [HTTP::header "Content-Length"] } else { # If the header is missing, use a sufficiently large number set content_length 5000 } if { $static::internal_disclaimer_debug > 1 } { log local0. "<$log_prefix_cs>: Set content-length to $content_length"} HTTP::collect $content_length if { [HTTP::path] == "/broker/xml" && [HTTP::header Expect] == "100-continue" } { SSL::respond "HTTP/1.0 100 Continue\r\n\r\n" if { $static::internal_disclaimer_debug > 1 } { log local0. "<$log_prefix_cs>: Application requested: client requires 100 continue response, sending 100-continue"} } } } when HTTP_REQUEST_DATA { if { [HTTP::payload] contains "set-locale" and ( not ($bypass)) } { HTTP::respond 200 content {<?xml version="1.0"?><broker version="9.0"><configuration><result>ok</result><broker-guid>aaaaaaaa-bbbb-cccc-ddddddddddddddddd</broker-guid><authentication><screen><name>disclaimer</name><params><param><name>text</name><values><value>This is a XXX computer system that is FOR OFFICIAL USE ONLY. This system is subject to monitoring. Therefore, no expectation of privacy is to be assumed. Individuals found performing unauthorized activities are subject to disciplinary action including criminal prosecution.</value></values></param></params></screen></authentication></configuration><set-locale><result>ok</result></set-locale></broker>} noserver "Connection" "close" "Content-Type" "text/xml;charset=UTF-8" if { $static::internal_disclaimer_debug > 1 } { log local0. "<$log_prefix_cs>: Sending Disclaimer Message"} } if { [HTTP::payload] contains "disclaimer" } { if { $static::internal_disclaimer_debug > 1 } { log local0. "<$log_prefix_cs>: Disclaimer Message Accepted - waiting for credentials."} } } This solution has been tested using Horizon 6.0 (and later) as well as the Horizon 3.0 (and later) Client. Earlier versions of the client and/or Horizon Connection Server could produce unexpected results. Big shout-out to Greg Crosby for his work on the iRule!The Icebox Cometh
Will the Internet of Things turn homes into a House of Cards? Our homes are being invaded...but not with critters that you'd call an exterminator for. Last summer I wrote Hackable Homes about the potential risks of smart homes, smart cars and vulnerabilities of just about any-'thing' connected to the internet. (I know, everyone loves a bragger) Many of the many2014 predictions included the internet of things as a breakthrough technology? (trend?) for the coming year. Just a couple weeks ago, famed security expert Bruce Schneier wrote about how the IoT (yes, it already has it's own 3 letter acronym) is wildly insecure and often unpatchable in this Wired article. And Google just bought Nest Labs, a home automation company that builds sensor-driven, WiFi enabled thermostats and smoke detectors. So when will the first refrigerator botnet launch? It already has. Last week, Internet security firm Proofpoint said the bad guys have already hijacked up to 100,000 devices in the Internet of Things and used them to launch malware attacks. The first cyber attack using the Internet of Things, particularly home appliance botnets. This attack included everything from routers to smart televisions to at least one refrigerator. Yes, The Icebox! As criminals have now uncovered, the IoT might be a whole lot easier to infiltrate than typical PCs, laptops or tablets. During the attack, there were a series of malicious emails sent in 100,000 lots about 3 times a day from December 23 through January 6. they found that over 25% of the volume was sent by things that were not conventional laptops, desktops or mobile devices. Instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and that one refrigerator. These devices were openly available primarily due to the fact that they still had default passwords in place. If people don't update their home router passwords or even update the software, how are they going to do it for the 50+ (give or take) appliances they have in their home? Heck, some people have difficulty setting the auto-brew start time for the coffee pot, can you imagine the conversations in the future? 'What's the toaster's password? I need to change the bagel setting!' Or 'Oh no! Overnight a hacker replaced my fine Kona blend with some decaf tea!' Come on. Play along! I know you got one you just want to blurt out! I understand this is where our society/technology/lives are going and I really like the ability to see home security cameras over the internet but part of me feels, is it really necessary to have my fridge, toaster, blender and toilet connected to the internet? Maybe the fridge alerts you when something buried in back is molding. I partially get the thermostats and smart energy things but I can currently program my thermostat for temperature adjustments without an internet connection. I push a few buttons and done. Plus I don't have to worry about someone firing up my furnace in the middle of July. We have multiple locks on our doors, alarm systems for our dwellings, security cameras for our perimeter, dogs under the roof and weapons ready yet none of that will matter if the digital locks for our 'things' are made of dumpling dough. Speaking of dumplings, the smart-steamer just texted me with a link to see the live feed of the dim sum cooking - from inside the pot! My mind just texted my tummy to get ready. ps Related: Proofpoint Uncovers Internet of Things (IoT) Cyberattack The Internet of Things Is Wildly Insecure — And Often Unpatchable For The First Time, Hackers Have Used A Refrigerator To Attack Businesses The Internet Of Things Has Been Hacked, And It's Turning Nasty Smart refrigerators and TVs hacked to send out spam, according to a new report Here's What It Looks Like When A 'Smart Toilet' Gets Hacked Bricks (Thru the Window) and Mortar (Rounds) Technorati Tags: IoT,internet of things,botnet,malware,household,silva,attacks Connect with Peter: Connect with F5:
SDN: An architecture for operationalizing networks
As we heard at last week’s Open Networking Summit 2014, managing change and complexity in data centers is becoming increasingly difficult as IT and operations are constantly being pressured to deliver more features, more services, and more applications at ever increasing rates. The solution is to design the network for rapid evolution in a controlled and repeatable manner similar to how modern web applications are deployed. This is happening because it is no longer sufficient for businesses to deliver a consistent set of services to their customers. Instead, the world has become hyper-competitive and it has become necessary to constantly deliver new features to not only capture new customers but to retain existing customers. This new world order poses a significant conflict for the operations side of the business as their charter is to ensure continuity of service and have traditionally used careful (often expensive) planning efforts to ensure continuity of service when changes are needed. The underling problem is that the network is not operationalized and instead changes are accomplished through manual and scripted management. The solution for operations is to move towards architectures that are designed for rapid evolution and away from manual and scripted processes. Software Defined Networking address these challenges by defining a family of architectures for solving these types operational challenges and operations teams are latching on with a rarely seen appetite. The key to the success of SDN architectures is the focus on abstraction of both the control and data planes for the entire network via open APIs (not just the stateless Layer 0-4 portions). The first layer of abstraction allows for a centralized control plane system called an SDN Controller, or just Controller, that understands the entire configuration of the network and programmatically configures the network increasing the velocity and fidelity of configurations by removing humans from configuration loop – humans are still needed to teach the Controller what to do. These Controllers allow for introspection on the configuration and allow for automated deployments. As Controllers mature, I expect them to gain the capabilities of a configuration management system (CMS) allowing for network architects to rapidly revert changes virtually instantaneously. The second layer of abstraction allows for network architects or third parties to programmatically extend the capabilities of a data path element. This can be as seemingly simple as adding a match-and-forward rule to a switch (e.g., OpenFlow) or as seemingly complex as intercepting a fully parsed HTTP request, parsing an XML application object contained within, and then interrogating a database for a forwarding decision (e.g., LineRate and F5) based on the parsed application data. However, realizing the fully operational benefits of SDN architectures requires that the entire network be designed with SDN architectural principles including both the stateless components (e.g., switching, routing, and virtual networking) and the stateful components (e.g., L4 firewalls, L7 application firewalls, and advanced traffic mangement). Early on SDN proponents, as SDN evolved from a university research project, proposed pure stateless Layer 2-3 networking ignoring the complexities of managing modern networks that call for stateful L4-7 services. The trouble with this approach is that every additional operational domain disproportionately increases operational complexities, as the domains need to be “manually” kept in sync. Recognizing this need, major Layer 2-4 vendors, including Cisco, have formed partnerships with F5 and other stateful Layer 4-7 vendors to complement their portfolios. With the goal of helping customers operationalize their networks, I offer the following unifying definition of SDN for discussion: “SDN is a family of architectures (not technologies) for operationalizing networks with reduced operating expenses, reduced risks, and improved time to market by centralizing control into a control plane that programmatically configures and extends all network data path elements and services via open APIs.” Over the next few months I’ll dig deeper into different aspects of SDN – stay tuned!HOT OFF THE PRESSES – VMware and F5 Hands-On-Lab Now Available!
VMware and F5 are proud to announce the availability of one of the first partner-centric labs utilizing VMware’s global Hands-On-Lab infrastructure. In close collaboration with the VMware End User Computing Technical Enablement team, the VMware Alliance team at F5 created this lab to create easy-to-use yet rich technical exercises. This lab will show you the ease of configuration and benefits of using the F5 BIG-IP platform in support of your VMware EUC enterprise solutions. This includes Horizon 6, both for virtual desktop infrastructure and application publishing. The lab provides a walkthrough from initial setup of F5 BIG-IP withHorizon 6 to configuring and providing additional security and fault tolerance to your VMware EUC solutions. This 1 st release of the lab includes: Brief overview of intelligent, VMware Horizon-aware system availability, security, and network traffic management capabilities using F5 BIG-IP’s Local Traffic Manager (LTM), Global Traffic Manager (GTM), and Access Policy Manager (APM). Deploying the F5 BIG-IP Virtual Edition on vSphere Running through the basic setup and configuration of the F5 BIG-IP Virtual Edition How to upload certificates and iApps (F5’s interactive, simple-to-use configuration templates) to the F5 BIG-IP Step-by-step instructions on how to load balance multiple Horizon Connection Servers and Security Servers Implementing and configuring F5 Access Policy Manager’s (APM) PCoIP Proxy as a Security Server alternative This lab is designed to provide a comprehensive introduction into the key products, technologies, and solutions VMware and F5 have developed to bring enhanced availability, scalability, and security to your Horizon environment. After completion, you will have gained a solid understanding of how to deploy and configure F5’s BIG-IP Application Delivery Services together with VMware Horizon. Here’s the link that will take you directly to the VMware and F5 Hands-On-Lab: http://vmware.com/go/f5lab Before you start this lab – you’ll first need to register (it’s FREE). After clicking on the link, choose the “Login/Register” tab in the upper right corner of the browser window. Continue following the directions on the subsequent screens to complete the enrollment and then login to the lab. We’re open to any feedback or suggestions - just send you comments or feedback to vmwarepartnership@f5.com! Enjoy the lab!So, you want to use RSA SecurID with APM’s PCoIP Proxy Module…
Customers who leverage Access Policy Manager (APM) for remote access to VMware Horizon 6 (formerly known as VMware View) typically have some level of two-factor authentication (2FA) as an added layer of authentication. It’s especially important when users may be accessing Horizon resources from untrusted devices or networks. One challenge I have found, especially when using F5’s VMware Horizon iApp, is that the iApp requires some settings to be pre-configured to support SecurID for 2FA. This blog post will walk you through the pre-configuration and subsequent iApp setup of RSA SecurID with APM’s PCoIP Proxy using the native RSA integration capabilities of APM. Shout-out to the peeps from VMware’s OneCloud team – big thanks to Simon Long and Aresh Sarkari for helping put this together! The Authentication Flow Let’s start with a quick recap of the authentication flow. Joe User will connect to the F5 virtual server’s public IP using the Horizon client or with F5’s WebTop. Next, he’ll be prompted to enter their RSA SecurID username and the passcode. BIG-IP APM will authenticate the username and passcode against the RSA Server. Once Joe has been validated through the RSA authentication server, he is then prompted for their Active Directory username and password. APM sends the Active Directory username and password to a domain controller. Once the final authentication step is completed, BIG-IP APM will enumerate the authorized desktops and applications through the Horizon Client or F5 WebTop. Joe then securely launches his apps and desktops, all proxied through the APM PCoIP Proxy. Here’s a picture of what the RSA integration looks like with APM in the mix: Setting Up APM and RSA for PCoIP Proxy Now, let’s get down to business. Here’s a quick list of things we’ll assume are already configured: BIG-IP installed and configured RSA Authentication servers installed and configured RSA tokens activated Firewall rules and routing between the BIG-IP and the RSA Authentication servers in place We’ll also focus on the key areas of the VMware Horizon iApp (version 1.2.0) that you will need to change in order to support RSA SecurID - I’ll actually cover the complete setup of the APM PCoIP Proxy with the VMware Horizon iApp in an upcoming blog post and instructional video. Click Here to download the documentation for setting up RSA SecurID with APM PCoIP Proxy. As always, feel free to send any feedback or ideas to our VMware Alliance team at vmwarepartnership@f5.com!
How the cloud can improve your security solutions?
The advantage of being in this industry for a while is that you get to see first hand how things change. Mostly for the better, and usually quite quickly, too. Some of these changes have a knock-on effect on other parts of the industry. One recent example of this is security. In days gone by security was very much focused within a company’s network; all the necessary data and applications sat behind the firewall so that’s where defences were concentrated. These days, that’s simply not the case. Thanks to a raft of industry developments, primarily mobile devices and cloud computing, network perimeters are no longer contained within a company’s (metaphorical) four walls. That’s made security a slightly more difficult task - how can you be expected to use on-premises security solutions to protect apps, data, devices and so on, when they themselves are far beyond the traditional network perimeter? That’s why security solutions delivered via the cloud could help protect today’s businesses. It means workers - and all that important, sensitive data - are protected, no matter where they are, what device they’re using or what service/application they’re connecting to. It simply isn’t feasible for a company to protect each endpoint, inside and outside the perimeter. Using cloud-based security solutions can help with a variety of different threats. Take DDoS attacks, for example. DDoS attacks are getting bigger in scale, and when you’re talking about attacks around 300 Gbps in size (and up), the only way to stop these is with cloud-based technologies, as local network appliances won’t be able to cope with the bandwidth required. Delivering DDoS protection from the cloud also means (depending on the service provided) companies can call on a globally-distributed DDoS mitigation network operated by experts. On-premises DDoS protection is unlikely to be able to say the same. When you think about it, if you need to protect cloud-based devices, applications, data and so on, it makes sense to do that in the cloud, right? Cloud-based security can stop many attacks before they reach a corporate network and can use intelligence from its entire network to spot anomalies and new threats as they emerge. That real-time defence is something that on-premises software can struggle with, as databases have to be updated and new versions rolled out before the corporate network is secure. It’s worth noting that many of the benefits of cloud computing - cost reduction, better scaling, automation and so on - apply when it comes to using cloud-based security services. As we trust more and more of our critical applications, services and systems to the cloud there is no reason why security should not be on that list.
BIG-IP Cluster Upgrade summary
Below is a quick summary for BIG-IP Cluster Upgrade 1- force-offline the standby unit 2- import the new release 3- install the new release 4- reload after installation 5- online the standby unit 6- force-standby the active unit 7- force-offline the standby unit 8- import the new release 9- install the new release 10- reload after installation 11- online the standby unit 12- review cluster configurationKnow your cyber-attacker: profiling an attacker
I remember the days when hacking was something that people did because they could. It wasn’t quite done for fun, but people wanted to show off their computer skills. More often than not, hacking was harmless, someone broke into a system and left a little calling card, but beyond that there was very little damage done. It was for the thrill as much as anything. While I suspect the Hollywood portrayal of hackers being young, socially-awkward men working on their own at a computer in their darkened bedroom was never completely accurate, there was an element of truth to it. These days that’s simply not the case. Hackers and cyber attackers can be highly-funded and well organised, and their targets can range from money to intellectual property (IP) to service disruption. Some cyber attackers are politically motivated. For example, hacktivist groups Anonymous and LulzSec attacked MasterCard, Visa and PayPal in retaliation for blocking payments to WikiLeaks following the release of classified US diplomatic cables. They have also attacked government websites for oppressing their citizens, most notably during the Arab Spring uprisings of 2011. Many of these attacks took the form of a DDoS, a simple but effective way of disrupting a service. Then there are the cyber attackers that are after money. Look at the recent Target data breach, for example. An email containing a piece of malware was apparently sent to an HVAC company that works with Target, one of the biggest retailers in America. Using stolen passwords the cyber attackers accessed the credit and debit card details and other personal information of an estimated 110 million people. Similar attacks have been launched to target IP; blueprints and manufacturing designs are a common target. A more recent development is that of state-sponsored attacks. Governments have turned to cyber attackers (and are funding them quite handsomely in most cases) for service disruption, IP theft, espionage and more. Google, for example, accused the Chinese government of accessing its systems as well as Gmail accounts linked to Chinese dissidents. The attack was dubbed Operation Aurora, and also targeted many other companies such as Adobe, Yahoo and Symantec. The point here is that systems are at risk from a variety of sources for a variety of reasons, and businesses must protect their defences accordingly. While it is not an exact science, most businesses can work out what sort of attacks they are likely to experience; some businesses are more at risk of certain attacks than others. Knowing what attacks a business is likely to face will help with planning how to defend against those attacks. One of the key defences is around access; if a company can control the who, what, where and when of access to key data and applications it will greatly improve their ability to fight off cyber attackers. A good Access Policy Manager will provide valuable insight into who is on your network and what they are doing on it, as well as enforcing policy, so if someone tries to access something they shouldn’t access will be blocked. This ensures data and applications remain secure. There are ways to mitigate against a DDoS attack as well, if a business feels that is what it is most in danger from. A multi-tier approach to DDOS that is application aware, can scrub the network and clean the pipe will all help to ensure your applications will remain available, negating the impact of the attack irrespective of its size or which layer it’s targeting (network, session or application). Profiling your enemy is the first step to building the right kind of defences to stop them and ensure your business keeps operating. Knowing what kind of attacks you are likely to face means you can build appropriate defences.Billionaires, Icons and Movie Stars – Why Geek Is Now Chic
Over the past few years we’ve seen the unstoppable rise of the geek. From popular culture to big business,the geeks have inherited the earth. They’re the billionaires, the modern day rock stars, and their many achievements have resulted in a significant change to their status in popular society. They are now often championed, given the limelight or even imitated- geek is now chic! So let’s take some time out to look how the geek – and our perception of the geek – has evolved… The Geek Revolution Before the dawn of the information age, being an IT expert was associated with social ineptitude, a stereotype amplified by films such as 'Revenge of the Nerds.’ Although this negative stigma has not quite been completely reversed, the rise of the geek has been prolific, driven by the mainstream rise of tech and the acute relevance of previously niche skills. Whether consumers or enterprises, society relies heavily on certain technologies, making IT experts and their knowledge indispensable. Employment of ‘Genius’ assistants in Apple stores show the change in status and dependence of society on the geek, as customers compete for the attention of who can fix their gadgets. The behaviour of geek idols such as Mark Zuckerberg and Bill Gates also helped make geeks cool, by having the audacity to drop out of (a Harvard) education to follow their dreams. The relevance of geek knowledge to businesses has been demonstrated by the scramble to fill the tech skills gap, but it spreads beyond classic computing know-how. Political forecaster Nate Silver received attention after mathematically predicting an Obama victory in 2012, resulting in a call to ‘hire geeks not pundits’ if you want to win a presidential election. The government introduction of compulsory IT-based aspects to school curriculums also shows the value attributed to IT know-how. The Omni-Present Geek Popular culture too is now exploring the techie as an unorthodox hero. This is perhaps most evident on the screen, demonstrated recently through television shows such as 'The Big Bang Theory' and 'The IT Crowd,' which explicitly focus their stories around stereotypical geeks. 'The Social Network' saw an entire film made about the rise of the IT genius. Characters are by no means portrayed with model good looks and bulging muscles, but the idea that the geek can 'win' is becoming more prevalent. In fashion, thick-rimmed, non-prescriptive glasses have become popular as an optional accessory rather than an optical necessity and been embraced by stars and school children alike. T-shirts sold by 'Topshop' emblazoned with the word 'NERD' or 'GEEK' were hugely successful when launched in 2013; it seems the implication of intellect, whether genuine or ironic, is now considered fashionable. Geek Power If society has progressed through the Iron Age and the Industrial Age, we are undoubtedly in the Tech Age. IT geeks have done amazing things with their inventions and innovations: Sir Tim Berners-Lee revolutionised global society by giving life to the World Wide Web; the inventions of Steve Jobs and Apple are omnipresent and envelop popular society and business; Mark Zuckerberg has helped shape a generation through social media – just try to escape social networks today! Despite geeks hitting the headlines for all the right reasons, there remains a significant gap between the level of demand for staff with specialist knowledge and the number of prospective employees who possess it. A number of recent high-profile hacking scandals show that IT experts have the potential to mould the business landscape in a variety of ways and have catapulted the cyber-security skills shortage to up the national agenda. These achievements have not gone unnoticed by businesses or the government, who have increased IT spending budgets and launched recruitment drives. The success of tech companies and individuals has seen expert knowledge come to be associated with entrepreneurial flair, with the stories of innovators like Zuckerberg carrying the geek into the unchartered realms of, dare we say it, coolness. Now that geek is chic, how about meeting some of the F5 geeks keeping businesses current in the age of tech? Why not join us at F5 Agility in Scotland in May? There will be F5 experts on hand to discuss your ideas and answer questions, as well as a host of sessions from a range of executives, from our CTO to our field engineers.
La transition vers HTTP/2, l'envisager, s'y préparer, la réaliser
HTTP/2 est désormais un standard avec son support intégré dans les browsers modernes. Les serveurs Web, proposent aussi dans leurs dernières versions, la compatiliblité avec cette évolution. Ce qu'il faut retenir est qu'HTTP/2 vient accéler le transport du contenu Web en maintenant la confidentialité à travers SSL. Un des bénéfices pour les developpeurs et fournisseurs de contenu est la capacité à se rendre compte des apports de ce protocole sans remettre en cause toute son infrastructure. Les démonstrations montrent bien les gains à travers un browser sur un ordinateur portable, choses encore plus appréciables sur les plateformes mobiles. La version 12.0 de TMOS permet de se comporter comme un serveur HTTP/2 vis à vis des clients tout en continuant à solliciter le contenu en HTTP/1.0 et HTTP/1.1 auprès des serveurs. Pour trouver des raisons de s'interesser à ce protocole, plusieurs sources d'information peuvent y aider : Making the journey to HTTP/2 HTTP/2 home
