The application attack surface continues to shift. It seems like every day, sometimes every hour, a new security vulnerability needs to be mitigated. The dilemma is more challenging for government agencies because they are also charged with adhering to new and frequent mandates calling for additional security controls on applications. Keeping up with all the applications in an enterprise environment can be difficult even for applications whose vendor issues updates that only need to be applied. Add to that custom applications, or legacy applications that have been declared End of Life (EOL) by the original vendor but continue to be used. How do you apply security controls like Multi-Factor Authentication (MFA), or a move from Secure Sockets Layer (SSL) to Transport Layer Security (TLS), to an application that does not support them and was written by someone you have no access to?

This is the quandary that many government agencies face today.

The situation put forth is an extreme one. However, the same quandary arises with applications that are supported by a vendor or a Federal System Integrator (FSI) but still require significant effort from the system administrators and security experts inside the government. The question doesn’t change, but with the labor available the answer moves from possible to nearly impossible.

Changing the game with F5 and GuidePoint Security

These problems can actually be addressed fairly easily by deploying, or using already deployed, F5 Local Traffic Managers (LTMs). GuidePoint Security has found that many government agencies have deployed F5 LTMs for the Web Application Firewall (WAF) or for performance and load-balancing benefits, but are not using them for the other security benefits inherent in the product.

A recent example was mentioned above. POODLE opened the eyes of the world to how SSL was too weak and old an encryption standard to be trusted, whether SSLv1, SSLv2 or SSLv3. TLS was immediately declared the new standard. POODLE was an exploit of the SSLv3 cipher that opened up new vulnerabilities. The information hackers could gain ranged from passwords and cookies to other authentication tokens, which they could then use to impersonate the user and access sensitive data. When this vulnerability was discovered, the most widely used mitigation was to disable the SSL ciphers on the application servers. Moving corporate application servers from SSL to TLS was a very intrusive and arduous process.

GuidePoint Security was able to mitigate this vulnerability between the client connections and the server connections using the F5 Networks Local Traffic Manager’s SSL profiles and full-proxy architecture. The full-proxy design means that the client-side and server-side connections are separate connections handled on the same device. In this solution, the client-side SSL profile eliminated the vulnerability by refusing to negotiate SSLv3, so clients had to use the more secure TLS standard. The server-side connections from the F5 LTM to the application servers were still able to use the SSLv3 ciphers. The importance of this mitigation technique was that it gave server administrators time to remove SSLv3 negotiation from the application servers during planned maintenance activities. The servers were patched during the planned maintenance windows and operations continued as normal.

Another important point is that this could be deployed across an entire enterprise of varied applications without patching each application separately until later. Simply pushing out a global configuration update to all the F5 LTMs in the environment immediately fixed all applications, regardless of whether they supported TLS or had even been EOL’d.
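A global push like that is only as good as its coverage, so a practitioner would want to audit every client-ssl profile afterwards. The following Python audit is an added example, not GuidePoint’s or F5’s code; it assumes the block layout of `tmsh list ltm profile client-ssl` output shown in the constructed sample, and that SSLv3 is disabled either by a cipher string containing `!SSLv3` or by the `no-sslv3` profile option. Child profiles inherit settings through `defaults-from`, so the check resolves that chain rather than reading each block in isolation.

```python
import re

# Constructed sample of `tmsh list ltm profile client-ssl` output; not from a real device.
SAMPLE_TMSH = """\
ltm profile client-ssl clientssl {
    ciphers DEFAULT
}
ltm profile client-ssl clientssl_tls_only {
    ciphers DEFAULT:!SSLv3
    defaults-from clientssl
    options { dont-insert-empty-fragments no-sslv3 }
}
ltm profile client-ssl legacy_app {
    defaults-from clientssl
}
"""

# One profile block: "ltm profile client-ssl NAME {" up to a "}" at the start of a line.
BLOCK_RE = re.compile(r"ltm profile client-ssl (\S+) \{(.*?)\n\}", re.S)

def parse_profiles(text):
    """Return {profile name: {field: value}} for each client-ssl block."""
    profiles = {}
    for name, body in BLOCK_RE.findall(text):
        fields = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            fields[key] = value.strip()
        profiles[name] = fields
    return profiles

def effective(profiles, name, field):
    """Resolve a field through the defaults-from chain; a child overrides its parent."""
    seen = set()
    while name in profiles and name not in seen:
        seen.add(name)  # guard against a defaults-from loop
        if field in profiles[name]:
            return profiles[name][field]
        name = profiles[name].get("defaults-from")
    return ""

def sslv3_disabled(profiles, name):
    """True when the effective cipher string or profile options exclude SSLv3."""
    return ("!SSLV3" in effective(profiles, name, "ciphers").upper()
            or "NO-SSLV3" in effective(profiles, name, "options").upper())

def audit(text):
    """Map every profile name to whether its client side refuses SSLv3."""
    profiles = parse_profiles(text)
    return {name: sslv3_disabled(profiles, name) for name in profiles}
```

In the sample, `legacy_app` sets nothing itself and so inherits the permissive `DEFAULT` cipher string from `clientssl`; it is exactly the kind of profile a global push can miss.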

“Why do I still have to use pre-Windows 10 IE again???”

This same ease of upgrade can be used to add support for newer versions of web browsers. GuidePoint Security found that many customers were using multiple browsers and versions, some of them woefully insecure, because they cannot upgrade the legacy application or it is too difficult to do so. Using the F5 LTM, the most secure and recent browsers can be used to access these applications. This matters because the most commonly used browsers (Google Chrome, Mozilla Firefox and Safari) now negotiate only with the more secure TLS encryption standard. If a corporate web server still uses only SSL, the connection will not complete because the browser will not be able to negotiate an agreeable cipher.

Doing MFA without MFA support

The second example is similar. Many applications and appliances do not support Multi-Factor Authentication (MFA, sometimes referred to as 2-Factor Authentication), or cannot easily be extended to support it. In the same way that TLS support can be added via F5 LTMs, MFA can be applied to applications and appliances that do not support it. This is important because of the directives released by OMB and the President.

GuidePoint Services

The landscape between client-side and server-side connections is under constant attack. The attacks come in many forms, ranging from severe to minor annoyance. An aggressive mitigation plan is essential to secure an organization’s applications in a timely manner. GuidePoint Security can assist government agencies in remaining compliant and secure by leveraging the F5 Local Traffic Manager that is often already in place.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and its classification can be found in the System for Award Management (SAM). Learn more at: http://www.guidepointsecurity.com.