DevCentral Top 5: Sep 8, 2014
But soft! What light through yonder window breaks? It is the east, and this week's edition of the DevCentral Top 5 is the sun. Yep, you guessed it. The top 5 is back...but unlike Shakespeare's Romeo and Juliet, this is no tragedy. Rather, it's a celebration of the most awesome articles you'll read anywhere on the Internet. Our DevCentral authors have been writing with freakish speed and determination, and they have turned out quality articles that are simply second to none. Choosing only five articles was a tough task given all the great content out there, but here's my take on the top articles since our last posting. F5 SOC Malware Summary Report: Neverquest I literally could have chosen five Lori MacVittie articles for this "top 5" but I resisted the urge and only chose one. In this article, Lori explains the details of a Trojan known as "Neverquest" that has been active since July 2013. Most of us get that warm, fuzzy, secure feeling when using 2-factor authentication because, you know, it's got 2 factors! Maybe automated malware has a shot at cracking one factor, but two? No way. Well, apparently Neverquest has found a way to automate the demise of our beloved 2FA. Lori does a magnificent job of explaining how Neverquest works, and then she discusses the amazing work that was completed by our F5 Security Operations Center in their analysis of this malware (in case you didn't know, F5 has a Security Operations Center that analyzes malware like this and provides amazing reports that are free for anyone to read). Lori provides links to the downloads of the executive summary as well as the full technical analysis of Neverquest. This one is not optional...if you care about anything at all, you gotta read this one. Leveraging BIG-IP APM for seamless client NTLM Authentication Michael Koyfman reminds us why we love the BIG-IP APM...transparent seamless authentication for users. In this article, Michael specifically discusses how to configure the APM to perform client NTLM authentication and use it in the context of sending a SAML assertion to the Office 365 service. This is a step-by-step masterpiece that shows you exactly what to do at every turn. In the end, you point your browser to the FQDN of the APM virtual server and you will be silently authenticated (let's be honest...silent authentication is a bucket-list item for each and every one of us). Michael also reminds us of the SSO options at the end of his article. Webshells Nir Zigler introduces us to Webshells (web scripts that act as a control panel for the server running them), and talks about some of the common uses for these scripts. But you know the story...scripts that were created for good can also be used for evil. After Nir explains all the valid uses for legitimate webshells, he takes us to a place where mere mortals dare not tread...through a webshell attack. He gives us an overview of how a webshell attack works, and then he explains some of the specific tools that are used for these nefarious actions. After walking through the power and functionality of an open source webshell called b374k, Nir shows how this tool can be used to attack an unsuspecting user. But have no fear! Nir finishes up the article by discussing the power of the BIG-IP ASM and how it will detect and prevent webshell attacks. Continuing the DDoS Arms Race How long have DDoS attacks been around, and why are they still news today? Because they are consistently one of the top attack vectors that companies face today. Shauntine'z discusses the DDoS arms race and provides some poignant statistics that remind us of the very real and credible DDoS threat. But the article doesn't stop there...it goes on to provide some excellent tips on what to do to strengthen your DDoS defense posture (it even has a well-placed picture of Professor John Frink...you gotta check this one out). Last, Shauntine'z reveals new features that are loaded in the latest release of the BIG-IP...version 11.6. The AFM and ASM have some new and exciting capabilities that are "must haves" for any company that is serious about securing their applications and critical business functions. (Editors note: the LineRate product has been discontinued for several years. 09/2023) Why ECC and PFS Matter: SSL offloading with LineRate We all know that sensitive data traverses our networks every day. We also know it's critically important to secure this information. We also know that SSL/TLS is the primary method used to secure said information. Andrew Ragone discusses SSL offloading and tells us why Elliptical Curve Cryptography (ECC) and Perfect Forward Secrecy (PFS) are great candidates for securing your information. He highlights the advantages of the software based LineRate solution, and gives great examples of why LineRate is the clear-cut winner over any existing software-based or hardware-based SSL/TLS offload solutions. Andrew also published another series of articles related to this very topic, and in these articles he walks you through the exact steps needed to configure SSL certificates and offload SSL on LineRate. On that subject...if you haven't had a chance to check out LineRate and learn all about the awesomeness that it is, do yourself a favor and visitDevCentral Top 5: Oct 6, 2014
These past two weeks have proven to be more than eventful with the "shock"ing discovery of a critical bash vulnerability that stole the security headlines for several days. Times like these might have you repeating the words of the infamous Ben Jabituya, "I don't know about you, but I am planning to scream and run." Fortunately for all of us, there's no need to scream and run...there's only a need to sit back and read about the most awesome articles that anyone, anywhere has to offer. Check out this edition of the DevCentral Top 5!! CVE-2014-6271 Shellshocked As I stated in the opening paragraph, all our collective worlds got rocked when the Shellshock vulnerability was announced. This vulnerability allows a remote attacker to execute instructions on your computer using a feature of the bash shell. Enter Jeff Costlow; one of the most intelligent guys you'll ever meet when it comes to security. Literally the same day Shellshock was released, Jeff wrote this article to explain all the details of the vulnerability and also outlined ways your BIG-IP could be exploited. In addition, he gave some great advice on how to mitigate the vulnerability using several options available from F5...iRules, LineRate, ASM (with custom signatures), and best practices (like, don't expose your management interface to the Internet). Jeff also participated in a Shellshock guru panel where several F5 security experts talked about the vulnerability, how it works, why it's bad, and how to mitigate it using F5 technology. Sorry, Johnny Five. Yes Disassemble! Jason Rahm takes us back to yesteryear with a metaphor from one of our favorite movies from the 1980s. In that movie, Johnny 5 has a big fear of being disassembled (and rightfully so, I guess). Well, Jason keeps Johnny 5 safe from disassembly, but doesn't afford that same luxury for Tcl code. As you all know, Tcl forms the foundation of several code environments on the BIG-IP (iRules, iCall, iApp, tmsh). Many of us want to know what the Tcl interpreter is actually doing from an instruction standpoint, and Jason shows us that the way to analyze the bytecode is to disassemble it. The command that will show how the interpreter works its magic is tcl::unsupported::disassemble. In one of the most technically-hardcore articles ever written on DevCentral, Jason digs deep into two different solution sets and reminds us that it's always a good idea to fine-tune your code. Less is more. Less objects. Less stack depth. Less instantiation. Reviewing bytecode is good for that, and it's possible with the native Tcl code. APM Security: Protecting Internal Resources Using ACLs Bart Sikkes wrote up a great security solution for the APM in Portal Access mode. The APM in Portal Access mode gives instant access to internal resources for authorized users, but it might also give access to other users if you aren't careful. Bart sets up a test environment using three internal resources: OWA, intranet website, and source code programming website. Two of these should be accessible through the APM but the third should not. Bart walks through some great examples of how someone might find a work around to access the protected internal resource. He also provides a great solution using APM ACLs that will ensure users only access the intended resources. Introducing LineRate Lightning series (and Snippet #1 - HTTP referer blocking) Everyone loves the iRules 20 Lines or Less series, right? LineRate is no exception. The only thing is that the LineRate proxy uses a Node.js scripting engine embedded into the HTTP data path, so it can't directly use iRule scripts. So, the LineRate guys created a new series on DevCentral called "LineRate Lightning" and these articles will contain snippets of code that aim to be quick, powerful, and even a little bit flashy. The inaugural LineRate Lightning post includes a simple snippet of code that does HTTP referrer blocking based on a whitelist of permitted referrers. Simply add the referring domains that you'd like to permit in the domain_whitelist list and change vs_http to match the name of your virtual server. Pretty cool and simple solution, huh?!? Check back often and regularly to read this series that so beautifully complements the iRule 20 LoL! Shellshock mitigation with BIG-IP iRules Some call him the inventor of iControl, some call him the creator of the iRule editor, some call him the most interesting man in the world, I simply call him "Joe the Show." Joe Pruitt fired up two separate iRule solutions to mitigate the Shellshock vulnerability the day after it was released by NIST. This is just another example of the power and flexibility of F5 technology. Who else in the world provides so many options to secure critical infrastructure in such a short amount of time? Joe wrote and tested these Shellshock-mitigating iRules and then posted them on DevCentral for all the world to use. He reminds us that we should set up a plan to ultimately patch the bash shell on all our systems. While you are creating and implementing the patch plan, you can use the iRule solution to protect your servers against attacks.DevCentral Top 5: Feb 25, 2015
The articles on DevCentral have been absolutely fantastic as of late. Understandably, readers can expect to find great F5-related technical content here at DevCentral, but several industry-relevant pieces are also found in this community. These articles provide the perfect blend of technical thought leadership that’s sure to excite and inform. It’s always a fun challenge to select the “top 5” articles, and here are my choices: CVE-2014-3566 POODLE vs. CVE-2014-8730 TLS POODLE In his first DevCentral article, MegaZone lifts the veil of confusion that so prominently exists regarding two recent POODLE CVEs. The first POODLE vulnerability is tied specifically to SSLv3 while the second is tied to TLSv1.x. Officially, F5 refers to the second CVE as the “TLS 1.x Padding Vulnerability” but you know how these things go…many of the scan tools around the world today refer to this CVE as “TLS POODLE” and it’s essentially impossible to put the toothpaste back in the tube on this one. So, as it stands, we have two very different vulnerabilities with two very similar names. Thanks to MegaZone, we also have a fantastic article that explains the differences and even gives mitigation steps for those who are affected by one or both of these critical vulnerabilities. I speak for us all when I say, “Thanks MegaZone…I hope this is the first in a long line of articles we will see from you on DevCentral!” Why You Should Tap the Hardware Random Number Generator in your BIG-IP David Holmes gives us a peek into his existential attitude in this very interesting article about how to achieve true randomness for your cryptography keys. Every time a computer generates a crypto key, it needs hundreds of bytes of entropy. The problem is…computers have a really hard time finding truly random numbers. Some try to make up randomness, but that always turns out to be a bad idea. So, what to do, right? The good news is that you can utilize your BIG-IP to accomplish this much-needed random number generation. David even provides an iRule that will mine the BIG-IP hardware for random data. While humans struggle to find meaning in life, computers struggle to find lack of meaning. Oh, what a tangled web we weave… IE Universal XSS Vulnerability Mitigation Does anyone still use Internet Explorer? Yes they do. Although the usage trend for IE is headed in a downward direction, many thousands of people still use the browser. In this article, Jason Rahm highlights an important and potentially dangerous Cross Site Scripting vulnerability that is known to affect IE 11 (but Jason also confirmed it’s success on IE 10 using Windows 7). The good news is that you can use a simple LTM policy or an iRule to mitigate this vulnerability. You gotta love the flexibility and power of iRules! Who knows when Microsoft will patch this…but you can patch it in about 2 minutes when you follow the steps that Jason lays out in this short but powerful article. Lizard Squad Leaked Database Oz Elisyan is another first-time author on DevCentral…and his article already has 5 upvotes! It’s easy to see why you all like Oz’s inside look at the Lizard Squad database hack. This article is a great example of the breadth of great content you will find on DevCentral because it doesn’t mention F5 at all. It’s just a phenomenal write up about a hack against the not-so-friendly Lizard Squad. Lizard Squad provides a “DDoS for hire” service, and many of their members were recently arrested following a high profile attack against Xbox and others. Well, turnabout is fair play. In this case, someone used several Cross Site Scripting vulnerabilities to gain access to the Lizard Squad database of attacked DDoS targets (dare I suggest that Lizard Squad should have used Jason Rahm’s XSS iRule mentioned in the last article?). Anyway, you can read all about the Lizard Squad database and even check to see if your company is listed among the targets. Great job on this article, Oz! Can network infrastructure be immutable infrastructure? We all love disposable stuff…plates, napkins, contact lenses, batteries, cameras, and…network infrastructure? Lori MacVittie reminds us that we have a tendency to throw away just about everything. As technology trends move from the nucleus of business today - application development - to the very nether regions of the application data path - the network - it makes sense to ask whether or not network infrastructure can ever be immutable? Lori provides a phenomenal, thought-provoking look at reasons you might want to consider implementing a disposable infrastructure (or, at least, pieces of infrastructure) one day.DevCentral Top 5: Dec 15, 2014
It's the most wonderful time of the year, and it's the most wonderful content on DevCentral. Our DevCentral authors never disappoint, and this edition of the Top 5 is sure to please again. Sit back, grab another shot of egg nog, and enjoy the great articles that consistently grace the pages of this community. Snippet #3: LineRate and Response Header Modification Madhu Rajagopal serves up a festive holiday treat with this little LineRate beauty. He points out that many web servers and applications set response headers that reveal software versions and technology type. For example, a server response header might include information like "Apache/2.4.7 (Ubuntu)". This gives would-be attackers a great starting point to begin their nefarious behavior against your web application...they know exactly what software and version you are running, so they can pinpoint vulnerabilities to exploit. Using a few lines of LineRate code, you can remove the "Server" field and "X-Powered-By" field so as to not disclose sensitive and unnecessary information. Thanks for keeping us safe, Madhu! To Comment or Not to Comment? That is the question. And Jason Rahm gives us the answer. We've all been taught to document our code, but some have claimed that adding comments are a veiled admission of a programmers lack of ability of expression. "How can I improve this code so that this comment isn't needed?" said Steve McConnell. Be that as it may, many programmers understand the need to add comments to their code. Jason does a great job of explaining the various syntactical approaches for commenting iRules, and he even points out best practices that will prove useful as you enjoy the Tcl experience. Feel free to #comment on his article and add tell Jason what you think about code documentation. Mobile banking and how to stay secure Gary Newe hits a home run with this very relevant and timely article. When you think about web applications and security, online banking always makes the list. For good reason, banks and other financial institutions put a great deal of emphasis on security, but if the user experience becomes too slow and cumbersome, customers might be inclined to take their business (and money) elsewhere. Certainly, you want to find a good balance between usability and security. Gary reminds us that it's best to forget the end device and concentrate on protecting the data that flows across the network. An additional, transparent layer of protection away from the device increases security for the business without impacting the usability of the application. MASS Cross-Site Defacement Ilya Chernyakov discusses the details of recent defacement attacks on many major websites. F5's security team examined the issue and found that the attack was much simpler than initially expected. The attackers took advantage of a popular customer identity platform called "GIGYA" to add an image of the Syrian Electronic Army (SEA) to these unsuspecting sites. The attackers used social engineering techniques to log in to the GIGYA account on GoDaddy.com and then changed the DNS record to point to their webservers which contained a hostile JavaScript file that shows a popup window and a picture of the SEA banner. Very interesting stuff...this one is a must see! Node.js ABC’s - D is for Debugger Joe Pruitt is nothing if not totally awesome. This is the guy who invented iControl and wrote the iRule editor. Simply put, when Joe speaks, we listen! Joe has embarked on a "journey through the alphabet" to help us all learn about Node.js. In this article, Joe reminds us that a good debugging tool is essential for making sure your code is functioning as expected. Node.js is built on the JavaScript engine "V8" built for Google Chrome, and V8 includes an extensive debugging system. Joe walks through the built-in console debugger and lists the various commands you will need when debugging your code. He also discusses some third party solutions if you don't want to debug using the console. Stay tuned for more excitement as Joe walks through the alphabet of Node.js awesomeness!DevCentral Top 5: Nov 3, 2014
Make sure you grab a tissue, because you will literally weep when you read the awesome content so prominently and consistently delivered in our community. And, even if you don't weep uncontrollably, you'll at least work up a couple of tears. And, for that one guy who has no viable tear ducts in his face...you won't physically create tears while reading these articles, but you will undoubtedly learn something new and amazing. With that, I proudly present this edition of the DevCentral Top 5: The Top Ten Hardcore F5 Security Features in BIG-IP 11.6 I couldn't resist highlighting a "top ten" article inside a "top 5" article. It just makes sense. David Holmes does a great job of picking out 10 of the 29 new security features available in the upcoming BIG-IP 11.6 release. I won't list them all here (since that's kind of the whole point of David's article), but I will tell you that the list includes things like DNS firewall features, hardware DDoS integration, geo-location anomaly detection, flow table sweeper enhancements, and external crypto offloading. What's more, David shows how these new features are built into several different BIG-IP modules (GTM, vCMP, ASM, APM, AFM, LTM). F5 takes security very seriously, and it shows by the way these security features are baked into the core of so many BIG-IP modules. Upgrade to 11.6 and enjoy all these rock-star security features! F5 Proudly Optimizing the Network for Microsoft’s Cloud Platform System Ryan Korock reminds us that the single largest transformation of the traditional data center in recent history is the concept of the "Private Cloud". We all want it, and we want it now! Well, guess what? It's not always that easy to move the "Private Cloud" from vision to reality. A true "Private Cloud" includes aspects of compute, storage, and network...all of which are probably delivered by different vendors who adopted different APIs and management toolsets. It doesn't take long to see how this "Private Cloud" orchestration can get very complex and expensive. Microsoft recently announced a "converged infrastructure" that delivers pre-built offerings that are designed to have all the necessary pieces working together before they ever reach the customer's data center. Microsoft delivered a completely automated solution (called the Cloud Platform System) that includes best of breed technologies on the compute, storage, and network components. The other good news is that Microsoft partnered with F5 to make all this happen. The BIG-IP's RESTful API provides the ability to automate both configuration and device management while the traffic management engine allows flexibility for workflow traffic. It's a match made in heaven! SSLv3 POODLE mitigation recommendations If you need to mitigate a recent security vulnerability (or any security vulnerability for that matter), Jeff Costlow is your guy. In this article, Jeff builds on his discussion of the recent POODLE vulnerability. The best solution to POODLE is to disable SSLv3. Unfortunately, many legacy clients can't disable SSLv3. What to do, right? Well, Jeff and his team of super-smart security experts have investigated the use of RC4 in mitigating POODLE on legacy clients. While RC4 does have a known weakness (an attacker could recover plaintext after several hundred million messages), the POODLE vulnerability allows an attacker to recover plaintext after a few thousand messages. So, if you can't disable SSLv3, it makes more sense to enable RC4-SHA only for use in SSLv3 sessions. This article shows you how to configure your virtual server to do exactly what we just talked about. Jeff reminds us at the end of his article that it is still recommended to disable SSLv3 and RC4 once you are able to remove all legacy clients. Thanks for keeping us safe, Jeff! SDN is important to the Internet of Things if it covers the entire network When it comes to a good debate on SDN and IoT, no one can go more rounds than Lori MacVittie. In this article, Lori discusses SDN as a major enabler of IoT...and she notes that SDN must include the entire network (layers 2-7). The SDN tendency is to remain stuck in the stateless layers 2-4 with a focus on routing and switching and basic forwarding. While that piece works great for dealing with bandwidth issues and peak traffic, it doesn't address scaling out access or security services, or scaling out the apps themselves. For that, you need to reach up the stack and look to stateful layers 4-7. Let's be honest...if/when you're gonna deploy SDN, you need to do it correctly (and completely)! LineRate Performance Tip: Logging in Node.js Andrew Jenkins hits a home run with this technical article on logging behaviors in Node.js (he even includes a classic "Bob Newhart" clip from yesteryear). As you may or may not know, LineRate's Node.js engine lets you program in the datapath with JavaScript. Once you embed business logic in your proxy, you'll need to debug this logic and report on the actions your proxy is taking. Whether your service scales to millions of requests per second, or just a trickle, there are some simple performance considerations that you should keep in mind. Andrew does a great job of outlining several logging tips to consider...things like using log levels, deferring string concatenation, considering stdout/stderr differences, and getting counters on demand. Knowing these tips up front prevents you from learning expensive habits that are harder to fix later. Thanks for the great tips, Andrew!DevCentral Top 5: Sep 22, 2014 [End of Life]
The F5 and Cisco APIC integration based on the device package and iWorkflow is End Of Life. The latest integration is based on the Cisco AppCenter named ‘F5 ACI ServiceCenter’. Visit https://f5.com/cisco for updated information on the integration. Here we are again...that fateful and glorious moment when we get to highlight the "best of the best" articles from DevCentral. As you know, DevCentral produces more awesome content than any other community out there, so sit back, relax, grab that second cup of coffee, and enjoy these amazing articles. You Want Action on a Threshold Violation? Use iCall! You want action? I want iCall! Jason Rahm, the godfather of DevCentral, takes us on an amazing journey of event-based automation with the BIG-IP. As Jason points out in his article, iCall has been around since the glory days of the 11.4 release, yet there seems to be a gap in the awareness of this functionality. A DevCentral member posted a question about toggling interfaces if active pool members in a pool falls below 70% (or whatever percent you choose). Jason used this as motivation to write an iCall script that defines the pools of interest, sets the total number of pool members, sets the available members, checks to see if 70% are available, and then enables/disables the interface based on the result. Jason described each step of the process, and he also shared all the code so you can steal it and use it for yourself! iHealth API Part 2 - An Introduction to REST In his inaugural iHealth article, Jon Gross introduced us to the iHealth API and told us all about the awesome health-check features it includes. Now, in his second article, Jon discusses the REST framework and how it provides a nice clean way of retrieving, modifying, and deleting things using HTTP. Using REST, you can retrieve all sorts of iHealth-related information on your BIG-IP. Jon even uses a goat analogy to make it easy for everyone to understand...get out there and read this one! Under the hood of F5 BIG-IP LTM and Cisco ACI integration – Role of the device package Faraz Siddiqui explains the integration between the Cisco Application Centric Infrastructure (ACI) and F5 BIG-IP LTM. One of the critical components for this integration is the F5 device package, which abstracts the L4-L7 service device in a way that allows the Cisco APIC to automate and provision a network service that attaches to the ACI fabric. Faraz explains the concepts of service graphs, device packages, device scripts, and device package integration workflow with Cisco APIC. We all know that F5 and Cisco are strategic partners, and this article highlights one of the many powerful results of this partnership. The man in your browser What?!? There's a man in my browser?? Seriously, where do these people come from? Lori MacVittie reminds us that, not only is there a man in your browser, it's not good that he's there. Man In The Browser (MITB) is not a new technique, but it's still very dangerous and many instances of powerful Trojan Malware use this capability. Trojans will steal credentials (say, to financial systems) using MITB to inject scripts into legitimate banking web applications. These scripts are dangerous because they become part of the application logic. What's that? You would never fall victim to one of these fake pop-up scripts? Did you know that 73% of users are unable to distinguish between real and fake popup messages? The key to detecting these script-injecting, app modifying monsters is to understand the state of the web application page at the time it's delivered - before the Trojan has a chance to modify it - as well as monitoring for duplicate communication initiated from the web page. Our F5 Security Operations Center (SOC) team has some fantastic analysis of this type of malware...check out all the great things they are doing! 2 Minute Tech Tip: URL Redirects So we started this new video series on DevCentral...it's called "2 minute tech tips." The idea is that, normally, no one has the time to sit through a 30 minute video broadcast to learn all about the greatness of F5 technology. Why not break it into manageable chunks and deliver it 2 minutes at a time? Brilliant, you say? That's exactly what we thought! In this edition of 2 minute tech tips, you can learn how to do URL redirects using BIG-IP Local Traffic Policies. Many people use iRules to redirect URLs, but you can use the built-in functionality of the BIG-IP to do this. iRules are awesome and flexible, but it's always faster and more efficient to use built-in functionality whenever you can. Enjoy the video, and be on the lookout for more 2 minute tech tips in the future!
Top5 07/21/2014
From secrets on how to win at “The Internet of Things” to defending against “ANY” amplification attacks, this Top5 is chalk full of geeky goodness. A little coding, a little security, a little config management and a heaping dose of “Seriously, they can do that too?!” is just what the Doctor ordered. Happy to fill that prescription, I’m here to offer up a tasty dose of Top5 goodness sure to cure what ails you*. Check out what’s on tap this week’s Top5: HTTP 2.0 changes everything https://devcentral.f5.com/s/articles/http-20-changes-everything You’ve heard of HTTP 2.0. I’m sure you have. Whether or not you’ve paid any attention to it is a different matter entirely. With so many acronyms and promised solutions and features swirling about out there its extraordinarily easy to wait and see who delivers. Well HTTP 2.0 looks to be one that does exactly that. Deliver, that is. It will deliver on, hopefully, some really awesome performance improvements, as well as some other potent features. Perhaps the most interesting (terrifying? Exciting? Shocking?) is SSL as a requirement. Not a suggestion, but actually required by the protocol at all levels. That’s … a shift. As Lori points out in this tasty little tidbit of blog post, there are some very real implications of that. There are, of course, multiple ways around them as the post and ensuing comments point out, and that’s really where this is going to spawn a larger conversation. If SSL is a given, how do we do many of the things we take for granted today? How do you monitor, inspect, route on content, etc.? Intriguing and timely to be sure. Config Backup for F5 Review https://devcentral.f5.com/s/articles/config-backup-for-f5-review Looking for a way to automate backups of your BIG-IP device(s) while on a tight budget? Not looking to write up the code to use iControl yourself? Well have no fear, there may be another solution. Jason digs into Config Backup, which is an open source project built by Eric Flores and publicly available on SourceForge. This handy little utility will, as the name suggests, allow you to easily and painlessly create back ups of your BIG-IP config. It does a bit more than that, also, and Jason and John had a chat Eric himself that may be worth checking out. In the mean time take a look at Jason’s post to see just how easy this tool is to set up and use, and see if it might fill the gap for you. DNS iRules: Protect Yourself From “ANY” Amplification Attacks https://devcentral.f5.com/s/articles/dns-irules-protect-yourself-from-amplification-attacks First a matter of grammatical clarity: In his title, the quotes are important. John is talking about a specific type of Amplification attack using the “ANY” record type when querying a DNS system. He’s not claiming to solve all potential amplification attacks. That bit of house keeping out of the way…go read this post! DDoS attacks are a serious issue these days and DNS amplification attacks are one of the nastier, easier to manufacture examples of these things we’re seeing more and more of. The structure is simple, send a tiny request to an open resolver, spoofing your IP address, and the unsuspecting real owner of said IP gets a huge amount (comparatively) of data as a “response”, even though they didn’t make any original request. Do this a few thousand times a second, across a bot net and suddenly you’re thrashing just about anyone out there that can’t properly defend themselves. John goes into more detail so check out the post for the full story. Suffice to say – it can be really nasty. Fortunately iRules specializes in the art of “Protection from badness” fu, and is a black belt. John includes a couple simple snippets of iRule that will solve the problem he’s outing handily without much muss or fuss to manage. This is an excellent example of just why iRules are one of my favorite and most powerful toys in the BIG-IP arsenal. Read on! True DDoS Stories: Why do bulldozers invite DDoS? https://devcentral.f5.com/s/articles/true-ddos-stories-why-do-bulldozers-invite-ddos I know what you’re thinking, “Bulldozers and DDoS? How in the heck are those two things even slightly related?!”. I mean, that’s what I was thinking. Figuring David Holmes, one of our resident security gurus, hadn’t just gone crackpot on us and started spouting gibberish, I figured I’d take a look. I’m glad I did! What I found was a light hearted, amusing and quite interesting take on why all of us should have security and perhaps specifically DDoS prevention in mind these days. The core of the message is that despite who you are or what you do, you might find yourself in the cross airs of such an attack without warning. This even goes for tractor and bulldozer manufacturers. I know, right?! But seriously, there’s good reason for it. Go read the article and start thinking about how you might need to up your security footprint a bit. The Identity (of Things) Crisis https://devcentral.f5.com/s/articles/the-identity-of-things-crisis The Internet of Things is a concept that is advancing faster than an AT-AT on Hoth, and with good reason. People want things to be “wired up” - wirelessly, of course – for a multitude of reasons. There has been a huge amount of talk of the “how’ and the “why” of getting things online. That’s interesting, and I’m sure I’ll talk more about that another time. What has been vexing me, as well as apparently Lori as she’s now posted about it here, is not how you get things online, or why, but how in the heck you manage them once they’re there. You want to put ill ions, billions of devices and “things” online. That’s great, and a huge infrastructure demand to be sure. But then what? You can’t have nameless, faceless, useless devices. They have to belong to someone. A person. A profile. An entity of some sort. Which means you have to have a way to tie each “thing” in the “Internet of Things” to a “who(m)”. That’s … daunting to say the least. Check out Lori’s take on this and see if you agree with her secret to winning the game, as it were. I’m a fan, and frankly glad to hear someone else talking about it. *Note: Top5 will not actually cure illnesses, though it may make you feel better with sheer volume of hawesome contained within.Top5 06/23/2014
Every day that I get to write a Top5 post feels like an auspicious day, as it is rather one of my favorite things to write, I must admit. This is partly because I get to dig into all the cool stuff that everyone else has been up to and posting with the ever lively DevCentral community. It’s partly because I get to write about exactly what I want, not that, you know, I’m a control freak or anything. And it’s partly because there is SO MUCH COOL STUFFhappening to write about. Pardon the shouty caps and all, but man, technology is just freaking cool sometimes. So, clearly in fan boy mode (and not in the slightest ashamed, athankyouverymuch), I bring to you, with excitement, this week’s Top5: From the University of the Obvious: Faster Applications are Better https://devcentral.f5.com/s/articles/from-the-university-of-the-obvious-faster-applications-are-better With what is very possibly the best title in the history of the Top5, I simply could not resist this piece by Robert Haynes. I’m sure precisely zero of you are shocked by this ground breaking revelation upon which he reflects: Faster Applications are Better. Take a moment to absorb that revolutionary data point. Ready? Okay, now in all seriousness, go check out this tongue in cheek, highly entertaining post. He really does hit a particularly annoying nail on the head. Why on earth are all of these reports out there showing nowhere near enough detail to matter, but rather loudly exclaiming “ZOMGZ! YOU GAIZ! FASTER IS BETTER!!” as if we hadn’t figured that out. I prefer rapid downloads, rapid restaurant service, and the pedal on the right. None of this is shocking, I would think. What it really comes down to is the how. How do you make things faster? How do you get the improvements you seek? That’s the meat you’re looking to chew, and Robert and Dawn are looking to team up to provide just such sustenance. I’m excited to see what they come up with, as there’s a host of accelerating to be done within BIG-IP. Stay tuned to see what they pump out, and rest assured it will be more than “Acceleration is good” advice. At least, it better be, or no more beer for Robert. 20 Lines or Less #75: URIs, URIs and More URIs https://devcentral.f5.com/s/articles/20-lines-or-less-75-uris-uris-and-more-uris URIs are a thing. They’re a thing on “the web”. They’re a thing on “the web” that gets mucked with quite a lot, actually. Therefore being able to do said mucking to said thing on said “web” in a rather robust and rapid fashion could most likely be characterized as “a good thing”. This edition of the 20LoL shows three handy ways to do just that kind of thing. Also, in unrelated news, I like “quotes”. This edition of the 20LoL is the first in a targeted attack of hawesome (no, auto-correct, I did notmean ‘awesome’). By focusing on a single type of operation I’m hoping to make these a little more targeted at particular groups of users / community members and perhaps even easier to historically search to find examples of what you’d like to do. Handy? Let me know whether you’re team #singletopic20lol or #randomness20lol and guide my experiment. Otherwise expect to see future installments similarly guided towards a single topic until more data can be gathered. For science! Devops: The Operational Amplifier https://devcentral.f5.com/s/articles/devops-the-operational-amplifier What’s this? A post that is a confluence of electrical engineering concepts and Devops goodness? Surely this must be on the Top5! Sprinkle in a little bit of MacVittie goodness and you’ve got a winner. Herein lies an excellent depiction of precisely why Devops is such a powerful and important movement in modern IT driven businesses. I am immediately in love with the term “Operational Amplifier” as an attempt to describe the role Devops can play. Take the resources you have and turn up the gain to the point that your output far exceeds what seem to be the expected limitations. This is imperative in growing businesses rapidly, especially when attempting to support the plethora of applications that most IT departments are saddled with in today’s app-centric world. Lori dives into this topic and has some excellent commentary that is absolutely worth a read. Go take a look for yourself, you’ll get a real charge out of it I’m sure. Security Sidebar: I Can See Your Browsing History https://devcentral.f5.com/s/articles/security-sidebar-i-can-see-your-browsing-history You know those stories we all heard growing up? The ones that were part horror story and part parable? Something like “If you don’t eat your peas the gremlins will get you!” No? Your parents didm’t use abject terror as a motivational tool? Oh. Well. Uhh..moving on, then. Anyway, this is the kind of thing that just might help you scare your security reluctant friends straight into a security seminar/book/something useful. It’s easy to forget how much data we’re offering up to the world when we do something as simple as browse the web. John takes a moment to remind (and terrify) us that we are giving nearly as much as we get. Sometimes despite our best efforts to the contrary. Your browsing history is a tasty morsel for many companies out there. If you have a history, meaning you don’t delete it every time you close your browser, you may want to take a look at this post to see just what kind of risk you might be running. What are you waiting for? https://devcentral.f5.com/s/articles/what-are-you-waiting-for In this post Dawn Parzych digs into the many benefits of SPDY and HTTP/2. An acceleration post titled “What are you waiting for?” was simply too good to pass up, and I’m glad I didn’t miss this one. There is a huge list of benefits to properly making use of the features offered in more recent years by implementing technologies such as SPDY. Dawn happens to be an expert in such things and shares much of her knowledge with the community here on her blog. Get a taste here, where she’s diving into the timeline of events since SPDY was introduced 5 years ago, some gains that can be expected by swapping over to the newer content delivery mechanisms, and a very handy graphic showing the logical flow differences between HTTP 1, 1.1, and 2. If you’ve struggled to understand why you should care about these things or what you can expect, this is an excellent place to start. Followed immediately by digging into the rest of Dawn’s work.Top5 06/09/2014
This week’s edition of the Top5 is packed from stem to stern with geeky goodness. I suppose that’s not much of a surprise, given that it is the Top5 and all. That’s kind of our M.O. ‘round these parts, and most weeks are similarly packed. It is not every week, however, that we can boast an international array of characters creating content for your consumption. Whenever I go digging through recently posted content on DevCentral I find myself wishing I were posting the Top17, not the Top5, especially now that we have content pouring in from all over the world. That being the case, 5 is the format, so 5 will have to do. And here they are, this week’s outstanding offerings: BER and DER: Why Encoding and Decoding Matter http://bit.ly/1oGjfLH Shameless self promotion though it may be, I feel strongly that some of the things we’re doing with our programmability offerings (iRules, iControl, tmsh, iCall, LineRate, etc.) are beyond cool. They are among the coolest, most interesting, most compellingly powerful gadgets and gizmos of their type, and if that’s not enough, they’re just plain fun to geek out with. We’re always adding to these features and lately there has been some serious momentum building in this arena, for which I’m both stoked and grateful. One such addition is the ability for iRules to natively encode and decode ASN1 formatted data. This makes some things that were just barely on the fringe of being possible (meaning they were technically feasible, but a giant pain…) suddenly a breeze. Check out this primer on why you might care, how this puts us one step closer to applications everywhere, and just why I’m so excited about this new tech. The State of the APAC Cloud - part1 http://bit.ly/1s1FDTw You’ve heard all about the cloud, of that I have no doubt. You’ve heard good, bad, indifferent and otherwise about what it means to different people, how we’re going to leverage it, the concerns, and more. If you’re like me you’re interested, but tired of hearing the same thing over and over, in many cases. That’s why I was excited to see one of F5’s own giving an insider’s take on a more specific and, for me at least, foreign piece of the cloud puzzle - the APAC cloud. Charles Chong digs into what the cloud situation looks like in his area, what the prevailing concerns in that geography are, and how they lend themselves to being addressed. Given that most major businesses are global, or headed that way, I found this to be a tasty tidbit of info, straight from the horse’s mouth, as it were. If you’re curious what cloud issues might attempt to burst your bubble and what you can do about them in this regional hotbed of technological traction, take a look. I’m betting you won’t regret it. The Internet of Things and mobility driving HTTP and cloud http://bit.ly/1mzEXwv “The Internet of Things” - Now there’s a name that bears explaining. The first time I heard that phrase I thought someone had mis-spoken. As it turns out it is far more straight-forward than expected. It is precisely what the name says - a way for things, and I do mean nearly everything, to get on the internet. From TVs to refrigerators to cars and more, more and more devices that are not purpose built computing resources are attaching themselves to the internet for a myriad of reasons. Call-home functionality, data and usage tracking, web enabled features (Who doesn’t want to tweet from their refrigerator while pouring the morning OJ?) - you name it, the “things” are offering capabilities that were, until somewhat recently, restricted to the computing realm. As this trend continues, and all signs point to the fact that it will not only continue but boom in a major way, it has definite implications for the web. Lori takes a look at just what this might mean for HTTP and the cloud world in a way that had me nodding along and curious to hear more, as is so often the case with her writing. This is a movement that is coming whether you’re ready or not, so I suggest penciling in the time to get up to speed. Lori’s post is a good way to get started. I’ll leave the digging up to you from there. Make Your Cache Work For You http://bit.ly/1ljt6FI Dawn Parzych, our resident acceleration PM/Guru extraordinaire, takes some time out of her busy schedule to share with us some ins and outs of cache usage. This “best practices” (my words, not hers) guide gives you the scoop on the different cache settings and features available to AAM users. From what they do, to when to use them, she demystifies the world of object caching right before your eyes. Well, you know, in text. On her blog. On DevCentral. But still, it’s awesome! This stuff is Greek to a lot of people and Dawn’s easy to grok explanations are quite valuable to newbie and nerd core alike. She even struts her geek cred bolstering chops to show off some handy commands that might be of interest to those looking to track the cache stats on their device. Security Sidebar: Plan For Your Data Breach http://bit.ly/1nuVd5c You’ve seen the announcements everywhere you look “Hackers attack”, “Breech suspected”, “Information compromised” and worse. In this day and age it seems to be far less about ifsensitive data will get compromised and far more about when. Or, more specifically, what the heck are you going to do when it happens? This may sound a bit morose, but honestly it’s more pragmatic than pessimistic. Security is a tricky business and staying ahead of the legion of naughty internet denizens out there is an increasingly difficult task, even for the most seasoned security ninja. While beefing up protection and stopping the attacks is always the first order of business in the security world, it isn’t such a bad idea to have a plan in place in case of an actual leak. The only thing worse than being compromised is being unprepared to deal with it should it occur. DevCentral’s own John Wagnon has put together some thoughts and tips on just what constitutes planning for such an event. Check out his post about it here, and make sure you’re on track for handling this situation should sit arise, unfortunate thought it may be. While we all hope it never happens, trust me, you’ll be far happier if you’re prepared.DevCentral Top 5: May 27, 2014
And here we are again...that fateful time when we admire and, yes, celebrate the amazing contributions of our DevCentral authors. The easy part is writing about all the great content; the hard part is picking just 5 articles to highlight. Nonetheless, here they are in no particular order...the DevCentral Top 5: Mitigating sslsqueeze and other no-crypto, brute force SSL handshake attacks If you don't know David Holmes, you pretty much need to stop whatever you are doing and start reading his stuff. In this article, he wows us again with his security expertise and shows us why we all love the flexibility (and programmability) of F5 technology. David wrote an article back in 2011 on an SSL Renegotiation DOS Attack and showed how a client can take advantage of a server in the SSL handshake because an SSL handshake requires at least 10 times more processing power on the server than on the client. Well, David recently found a new class of SSL attacks where the client doesn't do any cryptography at all...the client just sends a bunch of pre-canned packets that look like an SSL handshake. In this attack, the server uses 100 times more processing power than the client! David was able to get a copy of one of the tools (called sslsqueeze) that runs this attack and use it against a real, physical BIG-IP with cryptographic offload accelerators. He was able to take a $200 used computer and overload the BIG-IP with fake SSL handshakes. The good news is that he wrote an iRule (actually 2 iRules for different scenarios) to mitigate this attack. You gotta love the flexibility that iRules provide! The security world is an interesting one...attackers will always find a new vulnerability to exploit, and good guys will find a way to stop them. Thank goodness David Holmes is a good guy. Hybrid DDoS Needs Hybrid Defense It's not if you get DDoS attacked, but when. Lori MacVittie publishes another masterful write-up where she outlines a DDoS approach that many top analysts recommend. In the world of DDoS protection, it's best to implement off-premise detection and mitigation with on-premise protection. A hybrid solution provides the resiliency and scale of cloud based solutions with the granularity and always-on capabilities of on-premise solutions. Many times, when an organization is under attack, the answer is to shut down computationally expensive services to prevent overall service outages. But, this means IPS, firewalls, anti-fraud detection, etc are sometimes eliminated for the sake of keeping the network running. With a hybrid approach, an organization can take advantage of additional capacity in the cloud but still maintain the flexibility of protecting against more frequent and easily managed attacks. Where do you turn for the technology to make all this happen? The good news for everyone is that Defense.Net just joined forces with the F5 family. By combining the cloud-based services of Defense.Net and the on-premise protection of the F5 firewall, organizations will be better armed to detect and mitigate DDoS attacks at the network and application layers...simultaneously! The BIG-IP GTM: Configuring DNSSEC Is it awkward that I'm including one of my own articles in this edition of the Top 5? It's only weird if we let it be weird. So, I'm cool with it if you are. OK, but for real, F5 does some seriously awesome work when it comes to DNS services. We all know that DNS was originally built back in the 1980s, and it was designed with some inherent trust features that bad guys could exploit. When a user types a web address in his browser, he expects to be reliably directed to the correct website. If an attacker is able to manipulate the response from a DNS server, he could send the unsuspecting user to a malicious site that is full of malware. This vulnerability (among others) created the need for a more secure DNS experience. DNSSEC addresses the security problem by validating the response of DNS servers. This is done through a trust relationship that is built with a series of security keys. As you can imagine, validating each DNS response can be computationally expensive, so it's nice if you have custom-built, high powered hardware and software to do this job for you. Well, the BIG-IP GTM does just that. It will authoritatively answer your DNS requests, but it will also sign DNSSEC validated responses. You'll need to configure a few things on the BIG-IP to make this happen, but this article shows you all the steps needed to take care of that. So get out there and configure your BIG-IP GTM and let it handle all your DNS needs. Is OpenStack Ready For Production? Ranjeet Sonone answers THE question that runs through the mind of anyone diving deep on OpenStack. Way back in 2012, OpenStack lacked solid networking design and required significant resource allocation to be implemented in a true production environment. By 2013, OpenStack was gaining momentum and user success stories were helping it grow in popularity. But even then, you needed lots of system knowledge and scripting skills to assemble all the moving parts. So, many people were watching as 2014 approached to see if OpenStack was truly ready for prime time. The answer was given at the recent OpenStack summit in Atlanta, GA where 4,500 networking professionals heard about real world OpenStack success stories. OpenStack is now sufficiently rich in service offerings, and the core components are now stable for production environments...so, yes, it's ready for production! F5 has been investigating OpenStack for several years now, and we joined the OpenStack Foundation last year. Customers are now using F5 plug-ins in their OpenStack labs and sharing workloads between the public cloud and their private cloud. In the end, Ranjeet shows how F5 ensures that our customers have access to our custom built solutions when evaluating cloud platform integrations. Great job Ranjeet! Heartbroken and then Redeemed The Heartbleed vulnerability blew up a little over a month ago, and F5 was right there to help mitigate this significant problem. After the initial press from the Hearbleed bug had calmed down a little, a security researcher named Yngve Pettersen discovered hundreds of new Internet hosts that appeared to be vulnerable to Heartbleed. He called these newly vulnerable hosts "heartbroken" servers. He also noted that a specific characteristic on these servers suggested that they might be F5 devices. Not good, right? Well, our worldwide security evangelist David Holmes contacted Yngve and asked about his research. Yngve was kind enough to share his data with us. After all, he wasn't trying to give F5 a black eye, he was simply stating the results of his research. David (and a host of other F5 security experts) analyzed the data and found that actually none of the devices were F5 equipment. That's good news! Unfortunately, Yngve had already posted a technology blog about his initial findings, but he was gracious to remove the F5 references from his blog and offer an apology to F5 and F5's customers. I think that's really awesome stuff. Yngve is a really smart guy who discovered some very interesting data, but he is also a true professional in that he is willing to admit when he makes a mistake (as we all do). So, kudos to David for asking the clarifying questions, and kudos to Yngve for being a true professional.
