Integrating OPSWAT MetaDefender with F5 Advanced WAF & BIG-IP ASM
In the age of digital economy, web applications have become the lifeblood of corporations, and protecting them is paramount for productivity and profitability. Many web servers which allow file uploadsare prime targets for malware attackson the client side, server side or both. The uploaded file could contain malicious code in the form of an exploit, virus, Trojan, or malware, and these could be used to gain control of the web server. For example, it is possible to hide PHP code inside an image file and still have it appear to be an ordinary image. When the image is opened, it also executes the code hidden in the file. The file could contain scripts or tags that exploit other well-known web application vulnerabilities, such as Cross-Site Scripting (XSS). A misconfigured web application can also be compromised by uploading a file, executing a web-shell, and moving laterally within the web server to get access to sensitive information and exfiltrate data. In the case of client-side attacks, uploading malicious files can make the website vulnerable to Cross-Site Scripting or Cross-Site Content Hijacking. However, the attack can also be malicious for the client itself while simply using theweb applicationas a distribution channel/vector. Furthermore, advanced attacks can leverage productivity files distributed by your web application. These files areseemingly innocent, however on execution, malware will try to download the malicious payload which will run only in memory (with no trace/residue on disk). This is hard to track, and during the incident response analysis, the typical conclusion may point the finger at the web application even though the traffic was seemingly legitimate. Aworrying trend is the useof PowerShell as an attack vector by using macros as the onboarding mechanism. As an example, in the past two years,attackers have used PowerShell to deploy Trojan.Kotver obfuscated in the registry as a fileless infection to steal financial data. Attackers often use multiple vectors for distributing malicious code.One worrying example is the installation of application backdoors that communicate with their Command and Control (C&C) serversand proceed to exfiltrate data. Moreover, malware in some cases can use application servers to directly communicate with the C&C and thereby bypass the firewall rules. Typical security controls cannot understand and block such clever means of data theft, and, even if they occasionally do, threat actors can establish a foothold behind the firewall, steal credentials, conduct lateral movement and finally exfiltrate data. Without thorough inspection of files(including verification of file type, examination of embedded active objects and ability to verify malware-free content)other security mitigation approaches fall short. To address the challenges posed by file uploads and files attached to emails, F5 has teamed up with OPSWATto allow for comprehensive content analysis andsanitization. All F5 products such as BIG-IP LTM, BIG-IP ASM, Advanced WAF, and SSL Orchestrator that expose ICAP interface can take full Advantage of OPSWAT’s MetaDefendercapabilities.Thesecapabilities include thorough malware scanning using over 30 leading anti-malware enginesas well as Content Disarm and Reconstruction (CDR) services for file sanitization and vulnerability assessment. OPSWAT Deployment In F5 Ecosystem MetaDefender Integration With F5 BIG-IP OPSWAT’s independently-deployable MetaDefender is built on proven technology that offers the in-depth customizable logic of OPSWAT Multiscanning for granular content inspection capability, greater capacity for file type analysis, archive extraction, and the power to remove all traces of detected malware from files without impacting usability or productivity. MetaDefender CDR detects and disables malicious active objects like embedded Macros, scripts (e.g. JavaScript), OLE objects, ActiveX controls and other potentially harmful elements. MetaDefender integrates seamlessly for total protection in file uploads (REQMOD) and file downloads (RESPMOD) while capable of deploying on-premises in cases where secure data workflow is of critical importance. Abstraction Of MetaDefender Platform ICAP performs content manipulation as a servicefor the appropriate client HTTP request or HTTP response. This service is also referred to as "content adaptation." Readymade F5 iApp templates available for MetaDefender provide configuration ease so that profile setting for application services is automated through a wizard. Once the iApp script runs, a profile is established and MetaDefender ICAP pool is defined. All that remains is to enable the profiles in the relevant field on the Virtual Server(s). F5 Advanced WAF/BIG-IP ASM act as anICAP client, which forwards the traffic to the ICAP server (MetaDefender) to support business-critical use cases such as file upload. The ICAP server executes its transformation service on messages and sends back responses to the F5 Advanced WAF/BIG-IP ASM. MetaDefender performs malware detection, data sanitization through CDR and either returns: A blocking page, showing that the content is either malicious or not in accordance withdefined policies Modifieddata (remove the sensitive information and/or potentially malicious payload through CDR) A clean bill of health to examined files Content Disarm and Reconstruction (CDR) In Action One of the greatest benefits of using Metadafender ICAP Server is one-step configuration in the beginning of the integration. All future updates and enhancements may be rolled in without additional integration efforts. Moreover, automation of traffic steering by offloading file inspection to MetaDefender reduces administrative costs and enables DevSecOps to gain more value from investments already made in security services. F5 Advanced WAF and OPSWAT MetaDefender file content security To enable comprehensive malware checking and data sanitization capability in Advanced WAF/BIG-IP ASM, you should configure the system to connect with the OPSWAT MetaDefender ICAP Server. First, import the iApp Template from OPSWAT’s Github account. OPSWAT iApp Template List Second, create an Application by using the newly imported template: opswat_metadefender_icap OPSWAT Template Import This will generate the ICAP profiles and the MetaDefender ICAP Virtual Server (shown in screenshot below): Then, once the previous steps are completed, just apply the new profiles in the web app Virtual Server (Select Advanced) and choose Metadefender ICAP Request and/or Response Adapt Profile, as deemed appropriate (REQMOD or RESPMOD). Application Security Setting MetaDefender ICAP Server works with the default (virus header and URI) values out of the box so that you dont' need toconfigure internal system variables in the Configuration utility. After the above steps are completed, your web applications are protected against malicious files. To test the setup, simply use a test file such as eicar. Last,you can check ICAP History on OPSWAT MetaDefender ICAP Server side to view the archives of file analysis. Viewing File Upload/Download History In MetaDefender User Interface Since ICAP can perform a variety of services including Data Loss Prevention (DLP), deploying OPSWAT MetaDefender services through ICAP provides for seamless service additions without operational disturbance and the need to reconfigure web apps. This can apply to both request (client-to-server) and response (server-to-client) payloads.2.5KViews0likes1CommentIntegrating OPSWAT MetaDefender With F5 SSL Orchestrator
In the age of digital economy, applications have become the lifeblood of corporations, and protecting them is paramount for productivity and profitability. Most applications render services via the Web, and privacy and data protection concerns have fueled growth in encryption use. Whileencryption provides protection for data in transit, it also presents an opportunity for nefarious actors to encrypt their ownpayloads to bypass detection by anti-malware engines and conceal device infections, hide data exfiltration, and obfuscate (Steganography) botnet communications with command and control servers. Moreover, most Anti-Virus vendors don't intercept HTTPS traffic and allow for potential attackers to compromise files. Once inside the SSL/TLS chain of trust, malware can use a variety of tools like TOR to evade security controls and transform encryption tunnels into infection chains. Layered security approaches like daisy-chaining devices and continuous monitoring of activities not only cannot scale but also add to complexity, latency and loss of productivity. But, there's hope...Internet Content Adaptation Protocol (ICAP)services giveus a way to solve these issues.ICAP services use the RFC3507 ICAP protocol to refer HTTP traffic to one or more content adaptation devices to inspect or modify the data. You can add an ICAP service to any TCP service chain, but only HTTP traffic is sent to the chain. Additionally, you can configure up to ten ICAP services using the configuration utility to load-balance across them. To address these challenges, F5 has teamed up with OPSWAT to allow for comprehensive content analysis without compromises. All F5 productsthat expose ICAP interfaces (like BIG-IP ASM and SSL Orchestrator) can take full advantage of OPSWAT’s MetaDefender capabilities. These capabilities include thorough malware scanning using over 30 leading antivirus engines, as well as Content Disarm and Reconstruction (CDR) services for content sanitization and file vulnerability assessment. OPSWAT Deployment In F5 Ecosystem MetaDefender Integration With F5 BIG-IP OPSWAT’s independently deployable MetaDefenderis built on proven technology that offers the in-depth customizable logic of OPSWAT Multiscanning for granular content inspection capability, greater capacity for file type analysis, archive extraction, and the power to remove all traces of malware from fileswithout impacting usability or performance. MetaDefender CDR detects and disables malicious Active Content like embedded Macros.Furthermore, MetaDefender has an application-centric perspective whereby it detects unresolved vulnerabilities in files pertaining to over 20,000 software applications. MetaDefender integrates seamlessly with both reverse and forward proxies for total protection in file uploads and file downloads. Abstraction Of MetaDefender Platform ICAP performs content manipulation as a servicefor the appropriate client HTTP request or HTTP response. This service is also referred to as "content adaptation." Readymade iApp templates in MetaDefender provide configuration ease so that profile setting for application services is automated through a wizard. Once the iApp script runs, a profile is defined and ICAP virtual servers and pools are established. ICAP clients (clients on F5 side) communicate in reverse or forward proxy modes with the BIG-IP ASM or SSLO which sends HTTP messages to ICAP servers (MetaDefender) to support business-critical use cases such as file upload/downloads. The ICAP server executes its transformation service on messages and sends back responses to the F5 proxy with results on TCP port 1334. MetaDefender performs malware detection and data sanitization through CDR andeither returns the payload untouched, modifiesthe data (removes the sensitive information and/or malware payload), or simply indicates that the examined file(s) are free of malicious content. Typically, the adapted messages are either HTTP requests or HTTP responses. Content Disarm and Reconstruction (CDR) In Action One of the greatest benefits of using the Metadefender ICAP Server is the"one-step configuration" in the beginning of the integration. All future updates and enhancements may be rolled in without additional integration efforts. Moreover, automation of traffic steering by offloading file inspection to MetaDefender reduces administrative costs and enables DevSecOps to gain more value from investments already made in security services. F5 SSL Orchestrator and OPSWAT MetaDefender File Upload/Download Security SSL Orchestrator (SSLO) eases the creation and maintenance of such custody chains by determining whether traffic should bypass or be decrypted and sent to one service or another. MetaDefender inspects files using content metanalysis for integrity monitoring and verification of malware-free payload. Through Dynamic Service Chaining -- decrypt once, inspect often, re-encrypt once --operational efficiency is attainable. F5 SSLO provides high-performance decryption of inbound and outbound SSL/TLS traffic, enabling security inspection to expose threats and stop attacks using contextual classification engines. Provisioning and deployment is straightforward and requires configuring MetaDefender. The below screenshots showthe ICAP Server and SSL Orchestrator Management Console interface which accomplishes this configuration. To test the setup, simply use a test file such as eicar over HTTPS.Last,you can check ICAP History on OPSWAT MetaDefender ICAP Server side to view the archives of file analysis (screenshot below). Viewing File Upload/Download History In MetaDefender User Interface Since ICAP can perform a variety of services including Data Loss Prevention (DLP), deploying OPSWAT MetaDefender services through ICAP provides for seamless service additions without operational disturbance and the need to reconfigure web apps. This can apply to both request (client-to-server) and response (server-to-client) payloads.1.1KViews0likes0CommentsLightboard Lessons: F5 BIG-IP and OPSWAT MetaDefender Integration
The OPSWAT MetaDefender advanced threat prevention technologies work seamlessly with F5 BIG-IP reverse proxy to scan file uploads for threats prior to web upload. MetaDefender technology scans files with 30 or more leading anti-malware enginesin addition to data sanitization (Content Disarm and Reconstruction) and vulnerability assessment technologies for protection against known and unknown threats. In this video, John outlines the power of combining the BIG-IP with MetaDefender to keep web applications safe. Enjoy! Related Resources: Installing an OPSWAT Endpoint Security update on BIG-IP iApp to configure LTM and OPSWAT MetaDefender448Views0likes0Comments