OneConnect: Saving Resources, Increasing Investment

In a previous blog post, I talked about some commonly overlooked Local Traffic Manager (LTM) features that can easily increase security posture. In this post, I want to discuss one of the lesser-known features that is frequently neglected because its benefits are not well understood. This feature is OneConnect.

OneConnect is an awesome addition to any modern application that follows the relevant RFC standards for TCP and HTTP. OneConnect creates a pool of first-time TCP connections to each pool member and makes them available for reuse by later connections. This is done by using TCP standards like idle timeouts, keepalives, etc.

When an initial connection is created to a pool member, the BIG-IP holds that connection open and uses it for other TCP flows that are destined for that member. This can drastically reduce the number of connections the web server has to process and allocate resources for, thereby improving the web server’s overall performance.

With an HTTP connection, OneConnect can manage HTTP connection flows and process them much the same way as TCP flows. It first manages the TCP flow for that connection like a TCP app. Because OneConnect is HTTP-aware, thanks to whichever HTTP profile you associated with the virtual server, it can read the HTTP flows and process state for them at the same time. If the TCP connection the HTTP flow was using ages out, when a new TCP flow is connected, it will continue that HTTP flow over the new TCP connection.

The LTM uses HTTP standards like keepalives to maintain state. In the case of non-HTTP/1.1 connections, there is no keepalive, so the LTM will intercept “Connection: close” headers and transform them to “X-Connection: close” headers so it can process those connections the same way. This feature, OneConnect Transformations, has to be enabled in the HTTP profile.

By default, OneConnect makes every connection it processes available for reuse. You can restrict this in your OneConnect profile by changing the subnet mask. The subnet mask sets the groupings that OneConnect will make with the incoming IPs.

For example, maybe you don’t want external client IPs and internal client IPs sharing connections. In this case, you could change the mask to 255.0.0.0 so that your 192.x.x.x or 10.x.x.x clients will not be grouped with 25.x.x.x or 100.x.x.x clients. Of course, if you are using 172.16.x.x internally, you need to use 255.255.0.0 instead. Knowledge of your internal IP structure and your application requirements is important.

A note on SNAT: If you use SNAT Automap on your virtual server, OneConnect is applied after SNAT, so no matter what your mask is, every flow will be reused regardless of the setting in the OneConnect profile. If you use a SNAT Pool, you could use a 32-bit mask to create more flows, but unless you have a really high connection count, there is no need to do this.
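To make the grouping, SNAT and transformation behavior described above concrete, here is an added Python model of a OneConnect idle pool for a single pool member. It is not F5's code and not part of the original post; the client addresses, the request batches and the SNAT self IP 10.0.0.254 are constructed, and 203.0.113.0/24 (a documentation range) stands in for external clients. It shows how the source mask changes the number of server-side connections a burst of concurrent requests needs, why SNAT Automap collapses every flow into one reuse group no matter what the mask is, and what the Connection: close to X-Connection: close rewrite looks like on the wire.

```python
import ipaddress
from collections import defaultdict
from typing import Optional

# Constructed request batches: each batch is a set of requests that arrive at
# the same moment, so every request in it needs its own server-side connection
# for the duration of the batch. 10.x, 192.168.x and 172.16.x are internal
# clients; 203.0.113.x (a documentation range) stands in for external clients.
BATCHES = [
    ["10.1.1.5", "192.168.4.7", "203.0.113.10"],
    ["10.1.2.9", "192.168.9.3", "203.0.113.44"],
    ["10.1.1.5", "10.1.2.9", "172.16.5.5"],
]


def reuse_key(source_ip: str, source_mask: str) -> str:
    """Connections are grouped for reuse by (source IP AND source mask): a
    0.0.0.0 mask puts every client in one group, 255.0.0.0 groups by first
    octet, and 255.255.255.255 gives each client IP its own group."""
    ip = int(ipaddress.IPv4Address(source_ip))
    mask = int(ipaddress.IPv4Address(source_mask))
    return str(ipaddress.IPv4Address(ip & mask))


class OneConnectPool:
    """Toy model of the idle-connection pool kept for one pool member."""

    def __init__(self, source_mask: str = "0.0.0.0", snat_ip: Optional[str] = None):
        self.source_mask = source_mask
        self.snat_ip = snat_ip         # translated source when SNAT is configured
        self.idle = defaultdict(list)  # reuse key -> idle server-side connection ids
        self.opened = 0                # server-side connections opened so far

    def serve_batch(self, client_ips) -> int:
        """Serve one batch of concurrent requests and return how many new
        server-side connections had to be opened; every connection goes back
        to the idle pool once the batch completes."""
        in_use, new = [], 0
        for client_ip in client_ips:
            # SNAT runs before OneConnect, so the reuse key is derived from the
            # translated address, not from the real client address.
            src = self.snat_ip or client_ip
            key = reuse_key(src, self.source_mask)
            if self.idle[key]:
                conn = self.idle[key].pop()
            else:
                self.opened += 1
                conn, new = self.opened, new + 1
            in_use.append((key, conn))
        for key, conn in in_use:
            self.idle[key].append(conn)
        return new


def server_connections_needed(source_mask: str, snat_ip: Optional[str] = None) -> int:
    """Total server-side connections opened across all BATCHES for one setting."""
    pool = OneConnectPool(source_mask, snat_ip)
    for batch in BATCHES:
        pool.serve_batch(batch)
    return pool.opened


def oneconnect_transform(request: bytes) -> bytes:
    """Model of the OneConnect Transformations option: a client's
    'Connection: close' header is renamed to 'X-Connection: close' so the
    server-side connection is not torn down and stays available for reuse."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    out = [lines[0]]  # the request line is passed through unchanged
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"connection" and value.strip().lower() == b"close":
            out.append(b"X-Connection:" + value)
        else:
            out.append(line)
    return b"\r\n".join(out) + sep + body


if __name__ == "__main__":
    for mask in ("0.0.0.0", "255.0.0.0", "255.255.0.0", "255.255.255.255"):
        print(f"source mask {mask:15} -> {server_connections_needed(mask)} server-side connections")
    # With SNAT Automap every flow carries the same translated source address
    # (10.0.0.254 is a constructed self IP), so even a 32-bit mask yields one group.
    print("source mask 255.255.255.255 with SNAT automap ->",
          server_connections_needed("255.255.255.255", snat_ip="10.0.0.254"))
    print(oneconnect_transform(b"GET / HTTP/1.0\r\nHost: app.example\r\nConnection: close\r\n\r\n"))
```

Running the script shows the default mask needing three server-side connections for the three batches, the 255.0.0.0 and 255.255.0.0 masks needing five, and the 32-bit mask needing seven, while the 32-bit mask with SNAT Automap drops back to three because every flow shares the translated source. The model deliberately never closes connections, which is also why the sizing caveat later in the post matters: the backend sees the peak of the reuse pool, not the client connection count.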

To help illustrate this, here is an example I worked on not long ago. One of the state governments I worked with had a web application that processed healthcare options for “Obamacare.” Day-to-day connections to the application hovered at about 4,000 to each server. When it came time for open enrollment, all of the web servers fell over trying to process more than 25,000 connections each. Users who got connected reported the server was so slow, it could not respond to page requests, and timed out. Once OneConnect was enabled with a default mask, the number of active connections dropped to about 100 per server! The application bounced back completely, and the developers said the application worked better than in development.

There are some special considerations when utilizing OneConnect within your environment. The application has to use TCP standards for clearly defined flows. OneConnect will not work if your flows do not provide good headers for distinguishing source and destination. If your application is 20 years old and home-grown, it might not work. Recent applications should not have issues.

Secondly, you are sharing TCP flows. If you are sniffing the wire to look at incoming web server traffic, you might not see the flow you are looking for because it was part of a reuse pool. In this case, try to match the client port. The port should remain the same most of the time, but since you are combining different flows from different IPs, the likelihood of overlap is higher. Also, if your application needs to see client IPs, you will need to enable “X-Forwarded-For” insertion and configure the web server to look at that header instead. Additionally, if you are doing SSL passthrough, this is not an option due to the traffic encryption. OneConnect requires termination. You would have to decrypt and then re-encrypt to the backend.

Lastly, one item of particular note is sizing. Since OneConnect can drastically mask a connection table, you need to incorporate the application’s client activity in with the web server connection load to get a feel for how many web servers you need. You might, over time, find out that you cannot turn OneConnect off because your load will be too much for the existing number of web servers you have.

I hope this post has piqued your interest in OneConnect and what your F5 LTM can do for you. There are many additional features beyond “load balancing” that can enhance your investment, increase your return on investment, and improve end-user experience. GuidePoint Security’s professionals, with years of multifaceted expertise, can meet with you to learn more about your organization’s requirements and help build a customized security plan to best meet your needs.

If you’re a GuidePoint client and have questions about OneConnect, please reach out directly to your personal contact or email us at info@guidepointsecurity.com. If your organization is interested in learning more about OneConnect and if it’s the right tool for you, let us know. You can find out more about GuidePoint and our services at www.guidepointsecurity.com.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

From Cyber Analysts to Cyber Hunters: GuidePoint Security Expert to Speak at Anomali Detect

Are you ready to go from your regular job as a cyber analyst to a full-fledged cyber hunter? Join GuidePoint Security at Anomali Detect Sept. 11-13, 2016, at the Westin Washington, D.C. City Center, for a special presentation, “Cyber Hunters: Operationalizing Threat Intelligence for Cyber Analysts.”

GuidePoint Security is a Gold sponsor for the conference, and Matt Keller, our vice president of federal services, will lead a session about how analysts in Security Operation Centers (SOC) can evolve from a detection and response team to proactive cyber hunters who seek out threats before damage occurs.

Matt’s presentation will be from 3:10-4 p.m. Tuesday, Sept. 13, in room National C. He will talk about how to utilize threat feeds to reduce the amount of time it takes to identify incidents and help you plan for responses within the “Cyber Golden Hour.” He will share insight on how your security team can identify threats in real time, moving from cyber analysts to full-fledged cyber hunters.

We’ll also have a table top display set up during Anomali Detect, so be sure to stop by and view a demonstration on our Virtual Security Operations Center (vSOC). By using the cloud to provide dynamic scalability and cost savings, our vSOC analysts can provide validated security incidents so your team can focus on remediation.

For more information about Anomali Detect, visit https://www.anomali.com/anomali-detect. To register for the conference, click here.

For more information about our vSOC and how we can help protect your organization from insider threats, visit www.guidepointsecurity.com.


The Cyber Hunt Is On: Quickly Find New and Emerging Threats

Free webinar explains how you can respond to intrusions faster

Do your security analysts have limited time and resources? Are they bogged down searching through logs instead of actively hunting for potential intrusions on your network?

In a free webinar, “Active Cyber Hunting Revealed: How vSOC Identifies Threats in Your Environment,” security experts from GuidePoint Security and CrowdStrike will show you how you can more efficiently correlate data and begin your own cyber hunt for potential threats to your environment.

This free, educational webinar begins at 2 p.m. EDT Wednesday, Aug. 24, 2016. Register here now.

During the webinar, participants will learn how CrowdStrike Falcon can be integrated into a Virtual Security Operations Center (vSOC) for endpoint monitoring. By using Falcon Connect API to ingest host data into the vSOC monitoring platform, analysts can correlate endpoint data against SIEM security logs. The combination makes it easier to discover new and emerging threats.

Participants will learn how to do ad-hoc searches and queries, quickly conduct comprehensive investigations, identify insider threat activity, and create dashboards and reports.

Following the presentation, there will be a 15-minute question and answer session. Even if your schedule is full and you can’t tune-in live, go ahead and register now and we’ll send you a recording you can watch later.

Presenters will be Stephen Jones, GuidePoint Security’s director of managed services, and Kris Merritt, senior director of hunting operations for CrowdStrike.

Stephen has more than 10 years of experience in information technology and cybersecurity within the Department of Defense and Intelligence Community. His primary focus has been Information Assurance (IA) and Computer Network Defense (CND).

Kris leads CrowdStrike’s internal and external hunting programs. He has more than 10 years of experience in cybersecurity and network defense, mainly in leadership roles of security operations, incident response, digital forensics, signature development, indicator management, and tactical tool development within large enterprise networks.

“I look forward to presenting alongside Stephen on how CrowdStrike Falcon Host’s continuous endpoint visibility immediately enables SOCs and hunters to detect, analyze, and respond to intrusions at a time scale once only dreamed about,” Kris said. “Operating at this time scale has provided unique insights into malicious behavior where a human actor or even malware is involved.”

“CrowdStrike uses these insights, along with rich visibility on the endpoint, to rapidly refine its approach to the threat,” Kris explained. “I’m excited about our partnership with a company like GuidePoint who is eager to use the best technology to provide the best service to their customers.”

For more information about GuidePoint and how security experts like Stephen can help you make the most of vSOC services, visit www.guidepointsecurity.com. For more information about CrowdStrike and to connect with Kris and his team, visit www.crowdstrike.com.

Don’t forget to register for this free, interactive webinar here.


TMM Vulnerability Compromises F5 BIG-IP Availability

GuidePoint urges clients to resolve issue ASAP

Earlier this week, F5 Networks released a security advisory, SOL19784568, alerting users to a network traffic vulnerability involving virtual servers on BIG-IP appliances using TCP profiles.

F5 is classifying this as a high severity issue. Because of the potential risk of a complete outage, GuidePoint Security is heavily urging our clients to resolve this issue as soon as possible.

In a nutshell, because of the vulnerability, an unauthenticated attacker can craft a malicious packet and send it to a virtual server using a transmission control protocol (TCP) profile. The result can cause the underlying Traffic Management Operating System (TMOS) to reset, causing an outage for the entire device, not just the targeted application. An attacker can repeat this attack and cause a total outage for as long as the BIG-IP will accept traffic.

Based on the information provided by F5, this can only be completely mitigated by upgrading to a version in which the issue has already been fixed. As of today, no engineering hotfix has been issued to mitigate it.

F5 has provided some instructions for reducing the overall likelihood of encountering the problem. However, this is not a full mitigation, only a substantial reduction of the exposure. Updating the TMOS version is the only supported full mitigation at this time. We are working with our F5 peers on this matter to better assist our customers.

There is a CVE reserved for this also, CVE-2016-5023, but no content is currently published on Mitre’s site.

Vulnerable versions:

  • 12.0.0
  • 11.6.0 HF5-HF7
  • 11.5.3-11.5.4
  • 11.4.1 HF4-HF10
  • 11.2.1 HF11-HF15

Versions NOT considered vulnerable:

  • 12.1.0
  • 12.0.0 HF3
  • 11.6.1
  • 11.6.0-11.6.0 HF4
  • 11.5.4 HF2
  • 11.5.0-11.5.2
  • 11.4.0-11.4.1 HF3
  • 11.2.1 HF16
  • 11.2.1-11.2.1 HF10
  • 10.2.1-10.2.4
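As an added example (not F5's or GuidePoint's tooling), the following Python script encodes the two version lists above so that an administrator can triage an inventory of BIG-IP version strings rather than eyeballing each one. Version strings are assumed to be in the “11.6.0 HF5” form used in the lists, and a range “A-B” is read as the inclusive span from A to B ordered by (major, minor, maintenance, hotfix), so “11.4.0-11.4.1 HF3” covers every 11.4.0 hotfix and 11.4.1 through HF3, while a bare “12.0.0” means the base release with no hotfix; that reading of the ranges is an assumption. Anything on neither list is reported as unknown rather than guessed, and the device names in the inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# (major, minor, maintenance, hotfix); hotfix 0 means the base release with no HF.
Ver = Tuple[int, int, int, int]

# Transcribed from the two lists above. "A-B" is the inclusive span from A to B
# ordered by (major, minor, maintenance, hotfix); "X HFa-HFb" is X from HFa to HFb.
VULNERABLE = [
    "12.0.0",
    "11.6.0 HF5-HF7",
    "11.5.3-11.5.4",
    "11.4.1 HF4-HF10",
    "11.2.1 HF11-HF15",
]
NOT_VULNERABLE = [
    "12.1.0",
    "12.0.0 HF3",
    "11.6.1",
    "11.6.0-11.6.0 HF4",
    "11.5.4 HF2",
    "11.5.0-11.5.2",
    "11.4.0-11.4.1 HF3",
    "11.2.1 HF16",
    "11.2.1-11.2.1 HF10",
    "10.2.1-10.2.4",
]

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\s*HF(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Ver:
    """Parse '11.6.0 HF5' or '12.1.0' into a comparable tuple."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    major, minor, maint, hf = m.groups()
    return (int(major), int(minor), int(maint), int(hf or 0))


def parse_range(entry: str) -> Tuple[Ver, Ver]:
    """Turn one list entry into an inclusive (low, high) pair."""
    lo_text, _, hi_text = entry.partition("-")
    lo = parse_version(lo_text)
    hi_text = hi_text.strip()
    if not hi_text:                       # single version, e.g. "12.0.0 HF3"
        return lo, lo
    if hi_text.upper().startswith("HF"):  # "11.6.0 HF5-HF7": same release, later hotfix
        return lo, (lo[0], lo[1], lo[2], int(hi_text[2:]))
    return lo, parse_version(hi_text)     # "11.4.0-11.4.1 HF3": spans releases


def classify(version: str) -> str:
    """'vulnerable', 'not vulnerable', or 'unknown' when the advisory lists
    neither; unknown means check the advisory, not assume safe."""
    v = parse_version(version)
    if any(lo <= v <= hi for lo, hi in map(parse_range, NOT_VULNERABLE)):
        return "not vulnerable"
    if any(lo <= v <= hi for lo, hi in map(parse_range, VULNERABLE)):
        return "vulnerable"
    return "unknown"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (device, version) pairs by classification, vulnerable first."""
    result: Dict[str, List[str]] = {"vulnerable": [], "not vulnerable": [], "unknown": []}
    for device, version in inventory:
        result[classify(version)].append(device)
    return result


if __name__ == "__main__":
    # Constructed inventory; on a real device the version comes from
    # 'tmsh show sys version'.
    INVENTORY = [("ltm-dmz-1", "11.6.0 HF6"), ("ltm-core-1", "12.1.0"),
                 ("ltm-core-2", "11.5.4 HF1"), ("ltm-lab", "12.0.0")]
    for bucket, devices in triage(INVENTORY).items():
        print(f"{bucket:15}: {', '.join(devices) or '-'}")
```

The explicit “unknown” bucket is the point of the script: a hotfix level that the advisory does not name (11.5.4 HF1 in the constructed inventory) should be confirmed against the current version of the advisory, not silently treated as patched.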

GuidePoint Security acknowledges this is a critical vulnerability and will follow it closely. We will continue to disseminate information going forward, and we welcome questions or concerns you might have. For help, please reach out directly to your GuidePoint Security contact, call 877-889-0132, or email info@guidepointsecurity.com.


Inc. 5000 Names GuidePoint Security One of Nation’s Fastest-Growing Companies

No. 5 on Top Security companies list

GuidePoint Security is one of the nation’s fastest-growing companies, and one of the top security companies in America.

After an impressive three-year growth at nearly 1,300 percent, GuidePoint is recognized by Inc. Magazine on its 2016 Inc. 5000 List as the No. 5 Top Security company in America, is ranked No. 19 among the top companies in Virginia, and is No. 22 on the list for top companies in Washington, D.C.

The markings earned the company an overall spot of No. 308 on the 5000 List, with 2015 revenue exceeding $111 million.

“Wow!” was the reaction of GuidePoint Security’s Founder and Managing Partner, Michael Volk, when he heard the news. “This is outstanding. At GuidePoint, we are proud of hiring the best and brightest in the information security industry. The successes we’ve had since we were founded in 2011 reflect their talent, hard work, and dedication. All of our team members are committed to providing our clients with unprecedented customer service.”

One of the things that makes GuidePoint different from other companies, Volk pointed out, is its organizational structure.

“Our corporate structure means our customers are never more than one step away from a company partner, ensuring we always have a vested interest in our clients’ successes. We want to make sure their goals and expectations are not just met, but exceeded. Our continued referrals and repeat clients reiterate our focus on providing them with the right technologies and professional services that best support their needs.”

From emerging threats to regulatory mandates, GuidePoint’s technology security professionals work side-by-side with clients to provide a complete understanding of their current threat landscape and to implement the best technical and procedural solutions to achieve business goals and objectives.

Inc. called companies like GuidePoint, “superheroes of the U.S. economy.”

“The Inc. 5000 list stands out where it really counts,” said Inc. President and Editor-In-Chief Eric Schurenberg. “It honors real achievement by a founder or a team of them. No one makes the Inc. 5000 without building something great – usually from scratch. That’s one of the hardest things to do in business, as every company founder knows. But without it, free enterprise fails.”

To see all of GuidePoint’s successes on the 5000 list, click here.


GuidePoint Security Named F5 Networks Federal Partner of the Year

Fourth consecutive year earning honor

GuidePoint Security has been named the 2016 F5 Networks UNITY® Federal Partner of the Year. This is the fourth consecutive year GuidePoint Security has earned the award.

“We are honored to be recognized as F5’s Federal Partner of the Year for the past four years in a row,” said Jim Quarantillo, GuidePoint Security Federal Partner. “The award is a reflection of our team’s commitment to outstanding customer service, while being an invaluable technical resource for our clients. As we continue to work with F5, we believe our focus on cloud services and security solutions will continue to enhance our relationship, which is a win-win for all of our customers.”

The award was presented at the F5 Networks Agility 2016 Conference. The Federal Partner of the Year award highlights GuidePoint Security’s dedication to channel partner performance and customer service related to F5’s application delivery and security solutions. It acknowledges GuidePoint Security’s outstanding sales engagement, customer service, and technical expertise.

“We congratulate GuidePoint Security on its fourth consecutive Unity Federal Partner of the Year award,” said David Helfer, VP Worldwide Channels, F5. “GuidePoint Security’s excellent service and engagement is a tremendous benefit for our mutual customers.”


About F5

F5 helps organizations seamlessly scale cloud, data center, telecommunications, and software defined networking (SDN) deployments to successfully deliver applications and services to anyone, anywhere, at any time. The world’s largest businesses, service providers, government entities, and consumer brands rely on F5 to stay ahead of cloud, security, and mobility trends. For more information, visit f5.com.


GuidePoint Security Earns 14th Spot on CRN’s 2016 Fast Growth 150 List

GuidePoint Security is the 14th fastest growing solution provider in North America, according to CRN’s 2016 Fast Growth 150 List.

The list is CRN’s annual ranking of North America-based technology integrators, solution providers and IT consultants with gross sales of at least $1 million that have experienced significant economic growth during the past two years. The 2016 list is based on gains in gross revenue between 2013 and 2015.

“The growth GuidePoint has seen in the last two years is a reflection of the hard work and dedication of the talented team we’ve assembled and the amazing partnerships we have with the vendors we work with every day,” said Michael Volk, GuidePoint Co-founder and Managing Partner. “At GuidePoint, we’re committed to providing the most comprehensive cybersecurity solutions for our clients, and we accomplish that by designing tailor-made solutions to best meet our client’s mission requirements. The spot on the latest CRN list reflects that commitment to service, quality, and innovation.”

“The companies on our 2016 Fast Growth 150 list are growing at an incredible rate, establishing themselves as clear leaders in today’s IT channel,” added Robert Faletra, CEO of The Channel Company. “Their rapid expansion in a climate of economic uncertainty and unprecedented technological advancement is especially impressive. We congratulate each of the Fast Growth 150 honorees and look forward to their continued success.”

Earlier this year, GuidePoint earned another spot on a CRN list, ranking 192 on the 2016 CRN Solution Provider 500 (SP500) list.

Read more about GuidePoint Security and Fast Growth 150 in the October issue of CRN Magazine at www.crn.com/fastgrowth150.


Reshape Cyberwar: Flip the Script to Put Attackers on the Defensive

If we’re going to succeed in defending against bad guys, we should admit we are in a cyberwar. We are at odds with people who want to steal, corrupt, and destroy. To succeed against these cyber enemies, let’s draw from the words of Sun Tzu, the ancient Chinese military strategist: “Hold out baits to entice the enemy.”

Many people believe government network defenders only need to make one mistake before they are “pwned” and the bad guys steal sensitive data. As a network defender in this cyberwar, you have to be right 100% of the time; attackers only need to be right once. A missed vulnerability, a misconfigured router, or an overlooked Indicator Of Compromise (IOC) gives attackers the opening they need to cause damage.

To arm yourself in this cyberwar, find a way to flip the script. Do you remember the movie, “Home Alone?” Its message is applicable here: Even if you’re at a disadvantage when you’re defending your “home,” if you prepare for the bad guys, you can flip things to your advantage.

This thinking has produced a new category of “deception” technology. To catch the bad guys, it can be anything from basic virtual fake systems that confuse bad actors, to full networks with elaborate fake data, alarms, and traps.

More mature solutions go past simple virtual machines that look like juicy targets. To alert SOCs of potential breaches, they include deception inside Active Directory structures and at real endpoints and servers. By planting worthless administrative-looking credentials inside endpoints and Active Directory, a SIEM can easily alert SOC analysts to illicit behavior.

These solutions create a web of alarms and traps like the ones the “Home Alone” kid set up in his house. When the bad guys find and try to use credentials or scan or log into these fake systems, a spotlight is immediately illuminated on the activity. This shows the SOC that someone is attempting to do something bad; however, instead of a thief screaming about his head being on fire like in the movie, a simple SIEM rule about the use of a non-working credential or deception created system burns a hole in the bad guy.
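The SIEM rule described above, as an added Python example that is not any product's rule and not part of the original post: the decoy account names and the simplified key=value authentication log lines are constructed, and a production version would consume the equivalent Windows logon events (4624/4625/4768/4771) from the SIEM. Because the planted accounts have no legitimate use, the rule needs no thresholds or baselines; a single event naming one of them is the alert.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed: decoy account names planted on endpoints and in Active Directory.
# They have no legitimate use, so any attempt to authenticate with them is a signal.
HONEY_ACCOUNTS = {"svc_backup_admin", "da_helpdesk", "sqladmin_legacy"}

# Constructed, simplified authentication events (one per line). A production rule
# would consume the equivalent Windows logon events (4624/4625/4768/4771) from the SIEM.
SAMPLE_LOG = """\
2016-09-01T10:15:02Z host=DC01 event=4624 user=jsmith src=10.1.5.22 result=success
2016-09-01T10:15:40Z host=DC01 event=4625 user=svc_backup_admin src=10.1.5.22 result=failure
2016-09-01T10:16:03Z host=WS-17 event=4625 user=SVC_Backup_Admin src=10.1.5.22 result=failure
2016-09-01T10:17:11Z host=DC01 event=4624 user=mlee src=10.1.7.9 result=success
2016-09-01T11:02:55Z host=SRV-FILE02 event=4625 user=da_helpdesk src=10.1.9.31 result=failure
"""

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value ...' into a dict; the first token is the timestamp."""
    fields = dict(_KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def honey_credential_alerts(log_text: str, honey_accounts=HONEY_ACCOUNTS) -> List[Dict[str, str]]:
    """The SIEM rule: raise an alert for every logon event, successful or not,
    that names a decoy account. Account names are matched case-insensitively
    because Windows treats them that way."""
    decoys = {name.lower() for name in honey_accounts}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("user", "").lower() not in decoys:
            continue
        # A *successful* logon with a decoy means the planted credential actually
        # works, which is a misconfiguration on top of an intrusion: escalate.
        severity = "critical" if ev.get("result") == "success" else "high"
        alerts.append({
            "timestamp": ev["timestamp"],
            "host": ev.get("host", "?"),
            "user": ev["user"].lower(),
            "src": ev.get("src", "?"),
            "severity": severity,
        })
    return alerts


def sources_by_alert_count(alerts: List[Dict[str, str]]) -> Counter:
    """Which source addresses are touching decoys, and how often: the first
    thing an analyst wants when deciding where to start the investigation."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    found = honey_credential_alerts(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['timestamp']} {a['user']} tried from {a['src']} on {a['host']}")
    print("sources:", dict(sources_by_alert_count(found)))
```

On the constructed log the rule fires three times and points the analyst at 10.1.5.22, which tried the same decoy against both the domain controller and a workstation. The one tuning the rule does need is an allow-list of the deception platform's own validation checks, if it periodically tests that the decoys are still in place, so that those scheduled touches are not mistaken for an intruder.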

Instead of fumbling around a network, the bad guys make one mistake and they are caught. This changes the game from the penetrator’s advantage to the defender’s advantage. Attackers must tiptoe around and be careful about what they touch and where they go.

So let’s follow the best ideas from Sun Tzu to Churchill, Po-Ch’eng and even the Hittites and use deception to reshape the battlefield of cyberwar in our favor. Remember, as cliché as it may be, “The best defense is an offense.”

