Technical Blog

Learn about the latest in technical Cyber Security news, information, techniques and more with original posts by GuidePoint’s seasoned technical personnel.

New F5 ASM Version 12.x Features Improve Performance

In today’s blog, we will discuss the newest features of F5’s Web Application Firewall (WAF), Application Security Manager (ASM). ASM has been around for quite some time, but with the recent updates I thought it was worth discussing.

F5 Networks recently released version 12.1.1, the first long-term support release for version 12. If you haven’t read through the release notes, take a few minutes and do so. I am really excited by some of the most recent features and I would like to share some of them with you.

I was ecstatic to see Unified Policy Building in 12.0 because now you have one screen to view all learning suggestions. This makes it far easier to sort through. If your policy builds automatically or statically based on your custom thresholds, you now have only one screen to manage.

Following the style already set in ASM, there is a dropdown menu that allows you to select the policy for which you want to see suggestions. Tabbed across the top is also Enforcement Readiness, and they moved Learning and Blocking Settings here as well. This makes the overall flow better while making it easier to see which settings you have for each selected policy — no more bouncing around the mouseover menus.

Next up in 12.0 is Proactive Bot Defense. This is a set of additional features added to the Denial of Service (DoS) functions ASM already had. F5 added improved defense against unwanted browsers and browsing agents that are not human initiated. CAPTCHA challenges and JavaScript insertion do this, but with some caveats. If you use CORS (Cross-Origin Resource Sharing), as with AJAX calls, you will have issues and you should add those URLs to the bot whitelist.

F5 Networks also added malicious bot signatures. Now when you update your ASM application signatures, bot signatures are classified as malicious or benign. Just like with application signatures, you can create your own bot signatures as well. You even have the ability to create signature sets with either malicious or benign classifications. This gives you greater control. Once created and applied via a DoS profile, traffic is automatically classified and either accepted or discarded as configured.

Version 12.1 was not outshone by 12.0, and really cranked up the dial. It added more DoS enhancements with the ability to track clients using device IDs. Device IDs can now be used for DoS, brute force, and session hijacking protection. You can define bad behavior and set thresholds to classify traffic from these devices and either log or block it. F5 even extended Analytics to sort by these IDs. More reporting is always a good thing!

Using a similar set of metric definitions, you can now automatically blacklist IPs attacking your layer 7 resources and increase your DoS coverage. This does not require the use of IP Intelligence or any other classification engine; this DoS feature is driven entirely by your configuration definitions. Adding IP Intelligence, however, is a good thing in my opinion. I encourage you to look at it as more than just an ASM feature.

Two huge new features in ASM are the ability to define allowed methods per URL and to support WebSockets per URL. In previous versions, methods were globally defined for an application. This is great news: for apps that might have only one page that supports a POST, you can now allow it only for that page.

WebSockets are new altogether. The WebSocket protocol allows client and server to stream data bidirectionally and indefinitely. A WebSocket connection is opened over HTTP, but then switches to a single TCP connection carrying message frames. This allows full-duplex, low-latency transport. Chances are you used WebSockets in your last internet chat. When you think of what could be hiding in one of those frames, protection really matters.

The last feature I want to mention is the ability for ASM to automatically detect and configure login pages in your application. If you have spent time parsing through someone else’s code to define a login page, you will welcome this feature. Now, that alone would be cool, but if you defined policy settings for brute force and session tracking, it will automatically add those options to the login forms it creates. This is a rockstar feature!

These are some of the main features ASM received in 12.0 and 12.1. There are still others like improved policy building, reduced policy building resource consumption, etc. Once again, if you have not reviewed the release notes, you should. I hope this generates a little interest in seeing what ASM has to offer now, and that you continue to find success in using F5 Networks Application Security Manager.

If you don’t already have ASM, consider what ASM can do for you. If you are already a GuidePoint Security customer and want to know more, reach out to your representative. If you are not a customer and would like to learn more, please feel free to contact us. We have several ASM certified engineers to answer your questions. For more information, email info@guidepointsecurity.com.

About GuidePoint Security
GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and its classification is on file with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

F5 Networks’ ASM: Secure Your Applications, Don’t Give Away Your Kingdom

It occurred to me while I was writing another blog that we need to talk about Web Application Firewalls (WAF). We think everyone should use one. Your current network and security infrastructure is the castle and drawbridge, whereas WAF is your portcullis. Not securing your applications is like giving away the keys to your kingdom.

What is a WAF?

WAFs are the first and last line of defense for your application. A WAF takes over at layer 4 of the Open Systems Interconnection (OSI) model, moves up to layer 7, and looks at the request, response, and payload. It validates data and the package it’s carried in, and its authenticity. In essence, a WAF applies a set of security rules to all aspects of an HTTP conversation.

The difference from your next-generation firewalls (NGFW) and IDS/IPS units, which only inspect packet-by-packet, is that a WAF digs into HTTP content and conversations, and validates the content request, response, and payload against white and black lists. Using predefined signatures or behavioral baselines, the WAF takes appropriate countermeasures based on configured policy elements. WAFs also include enhanced logging, alerting, connection intermediation, and even content manipulation to mitigate the impacts of attacks, mislead attackers, or inject content designed to raise confidence levels for WAF detection mechanisms.

A WAF validates traffic and payloads by learning the way the application should work, prevents bad input or manipulations, and prevents dangerous queries and responses. A WAF maintains HTTP RFC compliance on all aspects of the session, and enforces session rules and session flows. It is a multifaceted tool.

F5 Networks Application Security Manager (ASM), in my opinion, is the right tool for the job. It is a tool that complements the F5 Global Traffic Manager (GTM) and Local Traffic Manager (LTM) devices you already use. To illustrate this, let us look at the traffic flow.

First, the GTM picks up the DNS request. Utilizing GTM, you can create a high-speed query frontend with DNS Express and can secure that zone with DNSSEC. GTM also evaluates your DNS request and traffic-shapes your response based on a host of criteria and settings, sending your session on to the network.

Sure, you have a firewall at your internet edge. It might even be next-gen, performs packet inspection, and has some signatures to eliminate some bad traffic. The same might also be true of your IPS/IDS, but these are packet-by-packet inspections and not the whole HTTP conversation (for the most part) and bad traffic gets by.

Here is where the F5 picks up and starts defending. LTM gets the traffic first and blocks malicious IPs, sorts out countries you may or may not want, defends against DDoS, and mitigates ciphers that are too weak or broken, all while restricting IP/port/landing page. LTM also traffic-shapes its handoff to the next level, ASM.

ASM starts slow and builds in levels based on policy. It receives that traffic and checks if it matches the defined site. Then it checks to see if it is a new session. From there, it starts checking everything. It checks against signatures, RFC compliance, session-tracking info, methods, request timing, number of requests, header information, etc. And this is only the initial request. We haven’t even gotten to the response!

ASM comes with quick-start policy templates for a ton of popular applications like Exchange, SharePoint, PeopleSoft, SAP, etc. If one of those doesn’t fit your build, ASM ships with an auto-policy builder. Fire this up and you turn your ASM device into Sherlock Holmes. It watches traffic pass through and automatically starts writing its own suggestions. When those suggestions get enough hits, ASM makes them into policy. The longer it runs, the better the policy.

If you change the application or add to it, it automatically picks that up and starts the building piece again. You can even build policy without affecting users. By keeping it out of blocking mode, you can mature the policy and reduce the likelihood that false alarms will create negative impact for users.

The ASM comes with other cool features, too, such as preventing forceful browsing, where attackers try to reach pages that are not part of the normal site flow and might expose admin access. You can keep users from bookmarking deep into the app and redirect them to the login pages you defined first, which establishes the application flow. This keeps the application more secure and enables the organization to track sessions to support security, problem resolution, and compliance use-cases.

With this information, you can restrict application access to secondary login pages or other admin-related content by enforcing application flows and protect against webscraping. Brute force protection will even keep those login pages safe by adding a layer of protection including limiting login attempts, identifying automated attacks and more for these critical security entry points for the application.

DataGuard is an awesome feature as well. It protects sensitive fields like credit card numbers, Social Security numbers, and other administrator-defined sensitive data from passing through clear text. Instead, it utilizes masking to overwrite these values in responses with ‘****’. ASM will also mask these in the logs so you don’t have to worry about admins having access to that info as well.
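To make the masking behavior described above concrete, here is an added example (not F5’s DataGuard code) that models a response mask: card numbers are validated with a Luhn check before masking so order numbers that merely look like card numbers are left alone, and both card numbers and US SSNs are overwritten with ‘****’. The sample response body is constructed for this example.

```python
import re
from typing import Tuple

# Hypothetical model of a DataGuard-style response mask (not F5's implementation):
# find credit card numbers and US SSNs in a response body and overwrite them with
# '****' so they never leave the WAF in clear text. The same function can be run
# over log lines before they are written.

MASK = "****"

# 13-19 digit card numbers, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security numbers in the common ddd-dd-dddd form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum; rejects digit runs that are not plausible card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_sensitive(text: str) -> Tuple[str, int]:
    """Return (masked_text, number_of_values_masked)."""
    count = 0

    def card_sub(m: "re.Match") -> str:
        nonlocal count
        if luhn_valid(m.group(0)):
            count += 1
            return MASK
        return m.group(0)   # looks like a card number but fails Luhn: keep it

    def ssn_sub(m: "re.Match") -> str:
        nonlocal count
        count += 1
        return MASK

    text = CARD_RE.sub(card_sub, text)
    text = SSN_RE.sub(ssn_sub, text)
    return text, count


# Constructed sample response body (not real customer data).
SAMPLE_RESPONSE = (
    "<html><body>"
    "<p>Card on file: 4111 1111 1111 1111</p>"   # valid Luhn test number
    "<p>Order ref: 1234 5678 9012 3456</p>"      # 16 digits, fails Luhn
    "<p>SSN: 123-45-6789</p>"
    "</body></html>"
)

if __name__ == "__main__":
    masked, n = mask_sensitive(SAMPLE_RESPONSE)
    print(n, "value(s) masked")
    print(masked)
```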

There are so many other features, including signatures and security responses for common web application security threats such as cross-site request forgery (CSRF), cross-site scripting (XSS), clickjacking, cookie manipulation, etc. Any of these topics, as well as the mechanisms ASM utilizes to protect against them, would be worthy of their own blog post.  

I hope this blog has sparked a little more interest in your traffic and maybe even a hard look into the available security measures you can take. If you are already a GuidePoint Security customer, reach out to your representative to learn more. If you are not a customer and would like to learn more, please feel free to reach out to us. We have several ASM certified engineers to answer your questions. For more information, email info@guidepointsecurity.com.

Automation Tools Help with Real-Time Incident Response and Protection

Free webinar: Real-world examples of how to keep your environment secure from attacks, accelerate remediation

If you’re an information security professional responsible for incident response, you may feel frustrated and overburdened by all the manual processes needed to keep your environment safe.

You’re not alone.

In a recent Enterprise Strategy Group survey, more than 60 percent of information technology professionals say their organization has taken steps to automate incident response, but 91 percent say those processes are not effective or efficient.

Did you know there are resources and tools available to help facilitate some of these key processes for your organization? GuidePoint Security’s Virtual Security Operations Center (vSOC) analysts and incident responders have real-world experience using these types of tools. One such tool, Carbon Black, helps power GuidePoint’s vSOC, enabling analysts and responders to hunt for incidents in real time, visualize the complete attack kill chain, and efficiently defend environments from attacks.

Here are some examples of how they have successfully used Carbon Black to stop incidents and monitor endpoints:

PowerShell Watchlist

Recently, GuidePoint analysts used Carbon Black to create a PowerShell watchlist for an unauthorized user attempt. Once alerted, analysts tracked down a malicious remote address and shut down unauthorized privileges on the host.

Environment audits

In another instance, vSOC analysts used Carbon Black to audit an environment to limit privilege account credentials. The audit alerted analysts to a possible vulnerability that could have allowed unrestricted access to a domain.

PUA/PUP activity

vSOC analysts recently used Carbon Black to create a custom watchlist for PUA/PUP activity. They found an instance that stood out from the others and located an unapproved IE toolbar that had been loaded on multiple workstations. The toolbar was isolated as a threat because it had the ability to monitor web-browsing behavior.

Would you like to know more about these real-world incident response examples and how you can move from playing incident response catch-up to proactively hunting for threats?

Join GuidePoint and Carbon Black for a free, interactive webinar, “Conquering Challenges of Incident Response: Real-Time Hunting and Response,” at 2:30 p.m. Thursday, Nov. 17. The session will last about 45 minutes, with a chance to interact with the presenters, Stephen Jones, GuidePoint’s director of managed services, and Justin Scarpaci, technical solutions lead, Carbon Black.

Register online here.

About the presenters

Stephen Jones has more than 10 years of experience in information technology and cyber security. He specializes in security operations and has extensive experience working within the Department of Defense and the Intelligence Community.

Justin Scarpaci is a technical account manager on the Partner Success team at Carbon Black. In that role, he assists IR/MSSP partners with operationalizing Carbon Black as part of their service offerings. Justin served in the Marine Corps and has worked in multiple security roles for a defense contractor. He has a master’s degree in information security and forensics.

Can’t make the webinar? No worries. Go ahead and register now and we will send you a recording after the live presentation.

DDoS Attacks and How You Can Protect Yourself From Joining the Bot Army

If you were online last Friday, chances are you encountered a slowdown across the internet as a Distributed Denial of Service (DDoS) attack was launched against Dyn, a company that manages domain registrations.

The attack, according to Dyn, enlisted “up to 100,000 malicious endpoints.” It slowed down access to many popular websites including Amazon, Twitter, Spotify, and more.

While research continues to determine who was behind the attack, Dyn says it happened across multiple vectors and internet locations. Dyn confirms a “significant volume of the attack traffic originated from Mirai-based botnets,” malware that facilitates large-scale network attacks like the one encountered last week.

Denial of service attacks typically occur when a single computer tries to consume the resources a target computing resource needs to perform its job. The malicious behaviors often seek to consume all available bandwidth, attack timing or session-based conditions, attack vulnerabilities in software that cause crashes, or consume so much processing power the target can no longer perform its function.

DDoS attacks enlist tens, hundreds, thousands, even millions or billions of devices as attackers. With the advent of Internet of Things (IoT) and existing low-security devices like VoIP phones, printers, DVRs, home routers, and other IP-connected devices, this creates a rich environment for unknowing targets to join the “bot army.”

Since DNS is part of the core infrastructure that makes the internet work the way we use it today, attacks like the Dyn DNS DDoS impact the entire internet.

A DDoS attack doesn’t just make it difficult to resolve a website’s hostname (the reason you may have timed out trying to access sites during the attack). Today’s applications dynamically load content from third-party sites using DNS to locate resources. This may include third-party JavaScript, resource lookups, ad networks, or other capabilities that can impact a web application’s functionality.

Mobile apps consume APIs that use DNS to communicate with web services. Many security protections prohibit direct IP connections because this is frequently a sign of an attack. It also locks in specific IP communication in an ever-changing IP system. When DNS fails, there is often no way to communicate.

DNS DDoS attacks primarily work in two ways (although there are others):

DNS Amplification

DDoS attackers can spoof the source IP of DNS requests so that the resulting flood of responses is directed at the intended target server. Although the target server never requested a lookup, it suddenly has to deal with a large volume of responses. To further amplify the attack, requests can use DNS protocol extensions or Domain Name System Security Extensions (DNSSEC) to increase the response size. That makes it even more difficult for the target to process the responses.

DNS Flood

DDoS attackers use scripts to automate large numbers of queries to exhaust server resources. Since these are User Datagram Protocol (UDP) packets, they are easily spoofed and never need to rely on a response to consume the DNS server resources.

An alternate form of this attack is the NXDOMAIN attack, which intentionally creates malformed requests or requests for nonexistent resources. This makes the DNS server spend computing cycles on lookups that may never resolve or it fills the cache with bad data, preventing legitimate lookups.
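As an added defender-side example (not part of the original post and not any vendor’s code), the two patterns described above can be spotted in resolver logs: a client whose answers are mostly NXDOMAIN looks like a random-name flood, and a query whose response is many times larger than the request is an amplification candidate against its (possibly spoofed) source address. The log format and all addresses are constructed for this example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed resolver log format for this example (one query per line):
#   client qtype qname rcode request_bytes response_bytes


class DnsRecord(NamedTuple):
    client: str
    qtype: str
    qname: str
    rcode: str
    req_bytes: int
    resp_bytes: int


def parse_log(lines: List[str]) -> List[DnsRecord]:
    """Parse the constructed log format, skipping malformed lines."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        client, qtype, qname, rcode, req, resp = parts
        records.append(DnsRecord(client, qtype, qname, rcode, int(req), int(resp)))
    return records


def nxdomain_flooders(records: List[DnsRecord], min_queries: int = 4,
                      min_ratio: float = 0.75) -> Dict[str, float]:
    """Clients with >= min_queries queries of which >= min_ratio got NXDOMAIN."""
    totals: Dict[str, int] = defaultdict(int)
    nx: Dict[str, int] = defaultdict(int)
    for r in records:
        totals[r.client] += 1
        if r.rcode == "NXDOMAIN":
            nx[r.client] += 1
    return {c: nx[c] / totals[c] for c in totals
            if totals[c] >= min_queries and nx[c] / totals[c] >= min_ratio}


def amplification_candidates(records: List[DnsRecord],
                             min_factor: float = 10.0) -> List[Tuple[str, str, str, float]]:
    """(client, qtype, qname, factor) where the response is >= min_factor x the request.

    The 'client' here is the address the response went to; in an amplification
    attack that is the victim, not the real sender."""
    out = []
    for r in records:
        if r.req_bytes <= 0:
            continue
        factor = r.resp_bytes / r.req_bytes
        if factor >= min_factor:
            out.append((r.client, r.qtype, r.qname, round(factor, 1)))
    return out


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    "10.0.0.5 A www.example.com NOERROR 45 61",
    "10.0.0.5 MX example.com NOERROR 41 80",
    "10.0.0.9 A a1b2c3.example.com NXDOMAIN 50 123",
    "10.0.0.9 A d4e5f6.example.com NXDOMAIN 50 123",
    "10.0.0.9 A g7h8i9.example.com NXDOMAIN 50 123",
    "10.0.0.9 A j0k1l2.example.com NXDOMAIN 50 123",
    "10.0.0.9 A www.example.com NOERROR 45 61",
    "203.0.113.7 ANY example.com NOERROR 37 3200",
    "203.0.113.7 DNSKEY example.com NOERROR 40 1400",
    "malformed line here",
]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("NXDOMAIN flood suspects:", nxdomain_flooders(recs))
    print("Amplification candidates:", amplification_candidates(recs))
```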

It is currently unknown which technique attackers used in the recent Dyn DNS attack, but the Mirai malware that created the DDoS bots in the recent attack against Brian Krebs (a security journalist and blogger) was likely involved in some of the hosts used in this attack. This further showcases the need for enhanced IoT security, because these devices are typically not designed for security and are frequently not updated when vulnerabilities are discovered.

So what can you do to protect your network? F5 Networks has robust DDoS protections:

  • Local Traffic Manager (LTM) and Advanced Firewall Manager (AFM) provide robust layer 3 and layer 4 protections
  • F5 DNS, previously known as Global Traffic Manager (GTM), can help mitigate DNS-based DDoS attacks by providing greater flexibility in request forwarding and caching, and is several times faster than a BIND server
  • Application Security Manager (ASM) can help with layer 7 attacks
  • The new F5 Hybrid DDoS Defender creates an integration with F5’s Silverline Content Delivery Network (CDN) scrubbing service to offload local DDoS conditions to the F5 Silverline cloud where a larger set of resources and purpose-built protections can help mitigate, or Silverline can be used as a standalone solution.

GuidePoint has several F5 Certified Technology Specialists available to help your team secure your environment from potential DDoS attacks. Our team can help you maximize your install’s potential and secure your resources.

For more information about F5’s BIG-IP DNS solution, check out our previous blog.

Other hardware solutions are available from Radware, Arbor Networks, A10, Fortinet and others. They have comprehensive solutions for your organization’s data center as well.

DDoS is one of the primary use cases for cloud-based inline protections like Incapsula, Silverline, Akamai, Cloudflare, and others. GuidePoint Security’s technology professionals have extensive experience in DDoS attack prevention and CDN solutions.

If you’re a GuidePoint client and have questions about CDN solutions and how we can help, please reach out directly to your representative or email us at info@guidepointsecurity.com.

Hack to the Basics: Patch Vulnerabilities Before Attackers Exploit Them

White hat hacker illustrates how vulnerabilities can give unwanted access into your environment

While patching vulnerabilities may seem like a basic component of any organization’s information security plan, many often overlook this important step.

Hackers know this and are quick to search for exploits not long after vulnerabilities are discovered. Did you know that while it takes an average organization almost 200 days to patch a vulnerability, nearly half of all exploits happen 10 to 100 days after a vulnerability is published?

A recent co-presentation between GuidePoint Security and BMC takes a look at challenges vulnerabilities create for operations and security teams, explores how attackers use these vulnerabilities to exploit their way into environments, and discusses tools to quickly prioritize remediation and build a defense.

In “Hack to the Basics,” Brian Brush, regional partner with GuidePoint, says operations and security teams must do more work to bridge the gap between them.

“Most organizations still struggle with this,” he said.

Among the challenges are manual processes teams often use to find vulnerabilities.

“Hackers are already automated,” Brian said.

Seth Corder, automation specialist with BMC, emphasized Brian’s point by saying known vulnerabilities are often how attackers get into environments.

“They are looking for the easy stuff,” Seth said, adding that 80 percent of the potential attack surface is known vulnerabilities, even though 99.9 percent of the time there is a solution to fix it.

Automation tools like BMC’s BladeLogic Threat Detector can do just that.

Brian and Seth encourage operations and security teams to remember the value of fundamentals. Patch both internal and external vulnerabilities and focus on remediation. With a solid strategy for vulnerability hunting and patching, teams can direct their attention to making it harder for attackers to enter an environment and cause damage.

To see the full presentation and learn more about how vulnerabilities are a risk to your organization’s overall security, check out the video on BMC’s YouTube channel.

When an attacker breaches the perimeter

Victor Wieczorek, GuidePoint managing security consultant, is a white hat hacker who knows firsthand how easy it is to exploit systems where vulnerabilities are not patched and remediated.

In the same presentation with BMC, Victor demonstrates how quickly attackers can gain access to vulnerable systems.

“Hackers look for openings,” he said, clarifying they go after the easy things, like known vulnerabilities, first.

In a hands-on demonstration, Victor explains how, with a few scripts and automated tools, he can access a system where a vulnerability remains unpatched, long after a fix is available.

Attackers use the same vulnerability scanners and automated tools as security teams, said Neil Parisi, BMC principal software consultant. Playing the role of the “good guy” in the demonstration, Neil says it’s a race to the finish line between security/operations teams and attackers.

“Can you patch before they penetrate?”

In part two of the video series, “Hacker Breaches the Perimeter,” Victor uses easily downloadable and free tools to successfully access the demo environment, while Neil shows how BladeLogic can quickly patch and repair the vulnerability.

But, like most tenacious hackers, Victor doesn’t give up. Using information obtained before detection of the vulnerability, he moves on to secure a username and credentials for part three, “Breached! Hacker Moves on to Exploit the Center.”

In the fourth and final part of the video series, “Hacker Goes for Admin Rights,” Victor continues to move around in the environment undetected. How does he do it? By using the username he detected in the previous exploit and rolling the dice on his gamble the user had the same password for multiple systems. The result? Victor gains admin credentials and masks his malicious activities like an approved user. Watch the full video to find out how much access Victor gets as he exposes vulnerabilities and how the BMC team uses BladeLogic to stop the attack.

About BMC

BMC is a global leader in innovative software solutions that enable businesses to transform into digital enterprises for the ultimate competitive advantage. Its digital enterprise management solutions make digital business fast, seamless, and optimized from mainframe to mobile to cloud and beyond. BMC digital IT transforms 82 percent of the Fortune 500 and serves more than 10,000 customers worldwide. For more information, visit www.bmc.com.

Use Cases Demonstrate How F5 Analytics Can Increase Visibility Into Your Applications

In a previous blog post, I introduced you to F5 Analytics and how it can enable you to gain more visibility into your F5 application delivery controller infrastructure. (If you missed part one, you can check it out here.) This blog post continues where I left off and provides two more exciting use cases for you to explore.

Viewing application page load times

This is a ground-breaking feature that really makes F5 stand out from its competition. Basically, this information is useful for tracking user experience by displaying how long it takes for your application web pages to load on client-side browsers.

Client-side browsers must meet the following requirements:

  • Support the W3C Navigation Timing API
  • Accept cookies from visited application sites
  • Enable JavaScript® for the visited application sites

The BIG-IP Client Side Performance Monitoring (CSPM) feature generates the page load time data. According to F5 Networks, “To calculate the client-side load time for a web resource, the CSPM feature injects a piece of JavaScript code into the HTTP response that it sends to the client. When the client browser executes the JavaScript, it calculates the specific timing values needed by the CSPM feature, and reports those values back to the BIG-IP system in a cookie.”

There are three requirements for CSPM injection in an HTTP response. They are:

  • HTTP content is not compressed
  • HTTP content-type is text/html
  • HTTP content contains an HTML <head> tag
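As an added example (not F5’s code), the three preconditions above can be modelled as a check that runs before a response is modified: the header lookup is case-insensitive, `Content-Encoding: identity` counts as uncompressed, a charset parameter on `text/html` is tolerated, and `<header>` is not mistaken for `<head>`. The injected script is a placeholder, since the page does not show what BIG-IP actually injects; the sample responses are constructed.

```python
import re
from typing import Dict, Tuple

# Hypothetical model of the CSPM injection preconditions (not F5's implementation).
CSPM_SCRIPT = "<script>/* CSPM timing script placeholder */</script>"

# Matches an opening <head> tag, with or without attributes, but not <header>.
HEAD_TAG = re.compile(r"<head(?:\s[^>]*)?>", re.IGNORECASE)


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def cspm_injectable(headers: Dict[str, str], body: str) -> Tuple[bool, str]:
    """Return (ok, reason); reason names the first precondition that failed."""
    encoding = _header(headers, "Content-Encoding").lower()
    if encoding and encoding != "identity":
        return False, "content is compressed (%s)" % encoding
    ctype = _header(headers, "Content-Type").lower().split(";")[0].strip()
    if ctype != "text/html":
        return False, "content-type is not text/html"
    if not HEAD_TAG.search(body):
        return False, "no <head> tag in body"
    return True, "ok"


def inject_cspm(headers: Dict[str, str], body: str) -> str:
    """Insert the script right after the opening <head> tag, else leave the body alone."""
    ok, _ = cspm_injectable(headers, body)
    if not ok:
        return body
    m = HEAD_TAG.search(body)
    return body[:m.end()] + CSPM_SCRIPT + body[m.end():]


# Constructed sample responses as (headers, body) pairs; not captured traffic.
HTML_RESPONSE = ({"Content-Type": "text/html; charset=utf-8"},
                 "<html><head><title>x</title></head><body></body></html>")
GZIP_RESPONSE = ({"Content-Type": "text/html", "Content-Encoding": "gzip"},
                 "<html><head></head><body></body></html>")
JSON_RESPONSE = ({"Content-Type": "application/json"}, '{"head": 1}')
NO_HEAD_RESPONSE = ({"content-type": "text/html"},
                    "<html><body><header>no head element</header></body></html>")

if __name__ == "__main__":
    for name, resp in [("html", HTML_RESPONSE), ("gzip", GZIP_RESPONSE),
                       ("json", JSON_RESPONSE), ("nohead", NO_HEAD_RESPONSE)]:
        print(name, cspm_injectable(*resp))
```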

Application page load times are viewable in the F5 Analytics charts. Alerts are configured there as well. Page load time is measured by how long in milliseconds it takes for an end-user to make a request for a web page until the web page finishes loading on the client-side browser. Think of how amazing this is! You’re literally reaching out to your end-user, wherever he or she may be, and gathering statistics of their experience just by enabling a checkbox.

Troubleshooting applications by capturing traffic

This is typically used only for troubleshooting an active issue. I don’t recommend setting this up and leaving it on for eternity. This is not traffic capture like a tcpdump would do, but more of a layer-seven-type capture. I’ll explain that later.

The information captured is stored locally or remotely via syslog or a SIEM, like Splunk. If captured locally, the system stores the first 1,000 transactions. If using a VIPRION system, the system stores the first 1,000 transactions times the number of blades in the system. I recommend capturing the transactions remotely to syslog or Splunk where you are only limited by the storage of the remote destination.

So, what did I mean by layer-seven-type capture? Well, instead of capturing raw data like a tcpdump would, you can capture actual traffic, such as requests, responses, or both. The data contained by those may include:

  • None
  • Headers
  • Body
  • All

You can configure a traffic filter for captured traffic to include filtering by:

  • Virtual servers
  • Nodes
  • Response status codes
  • HTTP methods
  • URL
  • User agent
  • Client IP addresses
  • Request containing string
  • Response containing string

As you can see, this is different from doing a tcpdump and exporting to Wireshark for analysis, which may be fine for certain cases. My point here is to show you a new tool that you can use for troubleshooting an issue with your F5 BIG-IP application delivery controller environment, one that may rapidly provide you with more relevant data to solve an issue.

I hope this post stimulates your interest in F5 Analytics. It is a powerful (and free) tool to use in your F5 BIG-IP application delivery controller infrastructure.

In addition to F5 Analytics, there are many features available with F5’s application delivery controllers that can enhance your investment, increase your return on investment, and improve end-user experience. If you would like to learn more, GuidePoint’s security professionals have years of experience with F5 application delivery controllers, as well as integrating them with other solutions. We can help you develop a customized security plan to best meet your organization’s needs.

If you’re a GuidePoint client and have questions about F5 Analytics, please reach out directly to your personal contact or email us at info@guidepointsecurity.com. If your organization wants to learn more about F5 Analytics and if it’s the right tool for you, let us know. You can find out more about GuidePoint and our services at www.guidepointsecurity.com.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

F5 Analytics: Increasing Visibility Into Your Applications

Have you ever wanted to learn more about what your F5 BIG-IP application delivery infrastructure is doing? Sure, there are basic statistics like throughput, number of sessions, and active connections, but as layer four load balancers have evolved into layer seven application delivery controllers, shouldn’t the available performance metrics evolve as well?

In this blog post, I want to bring visibility to a great tool included in every F5 Networks BIG-IP platform. That tool is the F5 Analytics module (otherwise known as Application Visibility and Reporting, or simply AVR). It’s already included with BIG-IP; you just need to provision it and set it up. (One quick note on provisioning: you should provision the AVR module with “minimum” resources.)

So, what is F5 Analytics? Well, it is a fantastic new way of discovering more information about your applications and infrastructure through graphical charts, and you can drill down for more specific details about performance-related statistics.

F5 Networks provides excellent documentation on the features and configuration of F5 Analytics on its support site, but I want to point out a few of the use cases. I hope to highlight its feature set so you can incorporate it into your own F5 BIG-IP application delivery controller infrastructure.

Troubleshooting applications by capturing statistics

This core F5 Analytics functionality is suitable for everyday use. F5 Analytics is configurable to capture a variety of great statistics. They include metrics, such as:

  • Max TPS and throughput
  • Page load time
  • User sessions

And entities, such as:

  • URLs
  • Countries
  • Client IP addresses
  • Client subnets
  • Response codes
  • User agents
  • HTTP methods

All of these metrics and entities are viewable in the administrative GUI. For instance, if a user calls in and says an application is broken, you can filter the transaction statistics by client IP address and then narrow the filter by virtual server and time period to view the actual request/response metadata. It is pretty cool to troubleshoot a problem with an application just by drilling down into some graphs to isolate the issue. In addition to collecting statistics locally on BIG-IP, you can collect data remotely via syslog or a SIEM, such as Splunk, and view the data there.

Investigating server latency

This is F5 Analytics’ key feature and may provide valuable information to your server and application teams. F5 Analytics measures server latency in milliseconds: from the time the request reaches the BIG-IP, it tracks how long the request takes to proceed to the application server and return a response to the BIG-IP system.

In my experience as a BIG-IP administrator, one of the most common misconceptions was that the LTM was somehow adding latency to server response times. Finger-pointing was often directed at the LTM, and I frequently had to run tcpdumps to exonerate the LTM as the culprit of server latency.

In addition to providing server latency statistics, F5 Analytics provides the ability to set an alert threshold in milliseconds and issue an alert via syslog, SNMP, or via email. This information helps to proactively track latency issues with web servers, application servers, database servers, etc. This is a big deal because you can now isolate where slower components may exist in your web stack all from a simple GUI.
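The latency measurement and threshold alert described above, as an added example that is not F5's code: the timestamp fields, alert format and sample timings are constructed assumptions, and the proxy-overhead calculation is included to show how the same data separates time spent on the server from time spent on the BIG-IP.

```python
"""Server-latency measurement and threshold alerting (added example, not F5 code)."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Timing:
    """Timestamps in milliseconds for one proxied request (assumed field names)."""
    pool_member: str
    client_request_in: float    # request fully received from the client
    server_request_out: float   # request forwarded to the pool member
    server_response_in: float   # response arrived back from the pool member
    client_response_out: float  # response handed to the client


# Constructed sample timings: app02 is a slow backend, the others are healthy.
SAMPLE = [
    Timing("app01", 0, 2, 47, 49),
    Timing("app01", 100, 101, 156, 158),
    Timing("app02", 200, 202, 1052, 1055),
    Timing("app02", 300, 301, 1451, 1453),
    Timing("app03", 400, 401, 521, 523),
]


def server_latency_ms(t):
    """Server latency as reported by Analytics: from forwarding the request
    to the pool member until its response returns to the BIG-IP."""
    return t.server_response_in - t.server_request_out


def proxy_overhead_ms(t):
    """Time attributable to the BIG-IP itself: total minus server latency."""
    total = t.client_response_out - t.client_request_in
    return total - server_latency_ms(t)


def proxy_share(timings):
    """Fraction of all client-observed time spent inside the BIG-IP.
    A small number is the evidence that 'exonerates the LTM'."""
    total = sum(t.client_response_out - t.client_request_in for t in timings)
    return sum(proxy_overhead_ms(t) for t in timings) / total


def latency_alerts(timings, threshold_ms):
    """One alert per pool member whose average server latency exceeds the
    threshold, the kind of event that would go out via syslog/SNMP/email."""
    by_member = {}
    for t in timings:
        by_member.setdefault(t.pool_member, []).append(server_latency_ms(t))
    alerts = []
    for member, samples in sorted(by_member.items()):
        avg = mean(samples)
        if avg > threshold_ms:
            alerts.append({"pool_member": member, "avg_server_latency_ms": round(avg, 1),
                           "samples": len(samples), "threshold_ms": threshold_ms})
    return alerts
```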

I hope this post stimulates an interest in F5 Analytics. It is a powerful (and free) tool to use in your F5 BIG-IP application delivery controller infrastructure.

Check out part two of this series on F5 Analytics here.

Extending Your Security Infrastructure to Include DNS

For years, F5 has been a key player in DNS with its BIG-IP Global Traffic Manager (GTM). Today, F5 continues the development that has made it an industry leader, focusing on GTM, making it feature-rich, and renaming it BIG-IP DNS. Now, through the BIG-IP DNS product, you can add speed, reliability, and security to your DNS infrastructure, improving both your end-user experience and your company’s security posture.

Global availability is still an important feature for BIG-IP DNS, but serving and protecting your DNS infrastructure has also taken center stage within this module.

BIG-IP DNS is a proxy like Local Traffic Manager (LTM), but it only services DNS. It consumes incoming DNS queries and either answers them from its configuration or sends the request on to another server. Like LTM, BIG-IP DNS leverages purpose-built hardware to enhance, accelerate, and secure your DNS service. BIG-IP also offers flexibility and scalability for small to large companies, protecting against surges and sudden growth.

On the front line, BIG-IP DNS protects against DNS DDoS by answering queries faster than most traditional DNS installs. Most BIND installs tap out at about 50,000 requests per second (RPS). A good DNS install provides in the neighborhood of 200,000 to 250,000 RPS. A BIG-IP DNS appliance can handle 10,000,000. Add in geolocation and/or IP intelligence, and you can selectively answer queries based on IP, city, state, country, region, etc. Deploy BIG-IP DNS in an active sync group and sleep better at night.

Once BIG-IP DNS sorts through incoming queries, it can safely and efficiently address requests. This is where DNS Cache, DNS Express, and DNSSEC come into play.

DNS caching is the initial level of increased DNS performance. BIG-IP DNS can be a transparent cache for your existing infrastructure, adding a single point of control and reducing administration overhead. Since you won’t need to run a cache engine on each individual server, this frees up more resources and reduces load on DNS servers. BIG-IP DNS also decreases lookup times by using purpose-built hardware and serving records from memory. This decreases response times and improves the end-user experience.

In my opinion, DNS Express™ is the highlight feature of BIG-IP DNS. In a nutshell, DNS Express sets up a virtual DNS server in RAM, transfers your DNS zone into it, and provides high speed queries to all of your records. It does this by pulling in new records created in your infrastructure and constantly checking in with the DNS Master just like a secondary server.

DNS Express acts authoritatively for this zone and provides functions for handling unhandled queries. DNS Express also handles zone transfers, which can be secured using TSIG keys. Additionally, it handles both IPv4 and IPv6 traffic. A key benefit is that it runs only a subset of BIND, so it’s not susceptible to most BIND vulnerabilities, which makes your install even more secure.

If more security is requested or required, BIG-IP DNS supports DNSSEC. This nifty little industry standard allows signing of DNS responses and protection against things like cache poisoning and phishing. It does this by using zone-signing keys and, yes, they can be HSM keys.

The signing-key setup can be made to roll over automatically based on user-defined thresholds, which adds even more security. Automatic rollover and thresholds apply to the key-signing keys as well. You can run the HSM locally, in appliances, or offload to a network-based model. Lastly, performance is not an issue here, since purpose-built hardware handles the DNS piece and the keys are stored locally.

Overall, BIG-IP DNS goes a long way to filling a strong security role in your infrastructure. For those of you using ‘Better’ or ‘Best’ licensing models, you should have the needed licensing to utilize these capabilities today. If you have an older SKU for GTM, you may need add-on licenses for these features.

GuidePoint’s team of professionals can review your use case and speak to you regarding your solution options. We have several F5 Certified Technology Specialists in GTM to assist you and can help you maximize your install’s potential and secure your resources.

If you’re a GuidePoint client and have questions about BIG-IP DNS, please reach out directly to your personal contact or email us at info@guidepointsecurity.com. If your organization is interested in learning more about BIG-IP DNS and if it’s the right tool for you, let us know. You can find out more about GuidePoint and our services at www.guidepointsecurity.com.

OneConnect: Saving Resources, Increasing Investment

In a previous blog post, I talked about some common Local Traffic Manager (LTM) features that get overlooked, which can easily increase security posture. In this post, I want to discuss one of the less-known features that is frequently neglected because you may not understand the benefits. This feature is OneConnect.

OneConnect is an awesome addition to any modern application that follows good coding practice and RFC standards such as TCP or HTTP. OneConnect creates a pool of first-time TCP connections to each pool member and makes them available for reuse by later connections. This is done by using TCP standards like idle timeouts, keepalives, etc.

When an initial connection is created to a pool member, the BIG-IP holds that connection open and uses it for other TCP flows that are destined for that member. This can drastically reduce the number of connections the web server has to process and allocate resources for, thereby improving the web server’s overall performance.

With an HTTP connection, OneConnect can manage HTTP connection flows and process them much the same way as TCP flows. It first manages the TCP flow for that connection like a TCP app. Because OneConnect is HTTP-aware, thanks to whichever HTTP profile you associated with the virtual server, it can read the HTTP flows and process state for them at the same time. If the TCP connection the HTTP flow was using ages out, when a new TCP flow is connected, it will continue that HTTP flow over the new TCP connection.

The LTM uses HTTP standards like keepalives to maintain state. In the case of non-HTTP/1.1 connections, there is no keepalive, and the LTM will intercept “Connection: close” headers and transform them to “x-connection: close” headers so it can process connections the same way. This feature, OneConnect Transformations, has to be enabled in the HTTP profile.

By default, OneConnect makes every connection it processes available for reuse. You can restrict this in your OneConnect profile by changing the subnet mask. The subnet mask sets the groupings that OneConnect will make with the incoming IPs.

For example, maybe you don’t want external client IPs and internal client IPs sharing connections. In this case, you could change the mask to 255.0.0.0 so that your 192.x or 10.x addresses will not mix with 25.x or 100.x addresses. Of course, if you are using 172.16.x.x internally, you need to use 255.255.0.0 instead. Knowledge of your internal IP structure and your application requirements is important.

A note on SNAT: If you use SNAT Automap on your virtual server, OneConnect gets applied after SNAT, so no matter what your mask is, every flow will be reused regardless of the setting in the OneConnect profile. If you use a SNAT Pool, you could use a 32-bit mask to create more flows, but unless you have a really high connection count, there is no need to do this.
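To show how the source mask and SNAT interact, here is an added example (not F5 code) that models the OneConnect reuse grouping from the two paragraphs above: the client addresses and the self IP are constructed, and the grouping rule is an assumption that mirrors the text (clients whose source address falls in the same masked network may share pooled connections; after SNAT Automap the source is the BIG-IP itself).

```python
"""OneConnect source-mask grouping model (added example, not F5 code)."""
import ipaddress

# Constructed client addresses: three internal (RFC 1918) and three external.
CLIENTS = ["10.20.30.40", "192.168.1.5", "172.16.4.9",
           "25.1.2.3", "100.20.7.8", "172.200.5.6"]


def reuse_group(client_ip, mask, snat_automap=False, snat_self_ip="10.0.0.2"):
    """Key under which a client flow may reuse a pooled server-side connection.
    mask 0.0.0.0 -> everyone shares one group; 255.255.255.255 -> nobody shares.
    With SNAT Automap the source OneConnect sees is the (assumed) self IP, so
    every flow lands in the same group whatever the mask says."""
    src = snat_self_ip if snat_automap else client_ip
    return str(ipaddress.ip_network(f"{src}/{mask}", strict=False))


def group_flows(client_ips, mask, **snat):
    """Map each reuse group to the client IPs that would share its connections."""
    groups = {}
    for ip in client_ips:
        groups.setdefault(reuse_group(ip, mask, **snat), []).append(ip)
    return groups


def mixed_groups(groups):
    """Groups in which private and public client addresses would share
    server-side connections, i.e. the situation the mask is meant to prevent."""
    return sorted(key for key, ips in groups.items()
                  if len({ipaddress.ip_address(ip).is_private for ip in ips}) > 1)


if __name__ == "__main__":
    for mask in ("0.0.0.0", "255.0.0.0", "255.255.0.0", "255.255.255.255"):
        groups = group_flows(CLIENTS, mask)
        print(mask, groups, "mixed:", mixed_groups(groups))
    print("SNAT Automap:", group_flows(CLIENTS, "255.255.255.255", snat_automap=True))
```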

To help illustrate this, here is an example I worked on not long ago. One of the state governments I worked with had a web application that processed healthcare options for “Obamacare.” Day-to-day connections to the application hovered at about 4,000 to each server. When it came time for open enrollment, all of the web servers fell over trying to process more than 25,000 connections each. Users who got connected reported the server was so slow that it could not respond to page requests and timed out. Once OneConnect was enabled with a default mask, the number of active connections dropped to about 100 per server! The application bounced back completely, and the developers said the application worked better than in development.

There are some special considerations when utilizing OneConnect within your environment. The application has to use TCP standards for clearly defined flows. OneConnect will not work if your flows do not provide good headers for distinguishing source and destination. If your application is 20 years old and home-grown, it might not work. Recent applications should not have issues.

Secondly, you are sharing TCP flows. If you are sniffing the wire to look at incoming web server traffic, you might not see the flow you are looking for because it was part of a reuse pool. In this case, try to match the client port. The port should remain the same most of the time, but since you are combining different flows from different IPs, the likelihood of overlap is higher. Also, if your application needs to see client IPs, you will need to enable “X-Forwarded-For” and configure the web server to look at that header instead. Additionally, if you are doing SSL passthrough, this is not an option due to the traffic encryption. OneConnect requires termination. You would have to decrypt and then re-encrypt to the backend.

Lastly, one item of particular note is sizing. Since OneConnect can drastically reduce the connection count your web servers see, you need to incorporate the application’s client activity in with the web server connection load to get a feel for how many web servers you need. You might, over time, find out that you cannot turn OneConnect off because your load will be too much for the existing number of web servers you have.

I hope this post has piqued your interest in OneConnect and what your F5 LTM can do for you. There are many additional features beyond “load balancing” that can enhance your investment, increase your return on investment, and improve end-user experience. GuidePoint Security’s professionals, with years of multifaceted expertise, can meet with you to learn more about your organization’s requirements and help build a customized security plan to best meet your needs.

If you’re a GuidePoint client and have questions about OneConnect, please reach out directly to your personal contact or email us at info@guidepointsecurity.com. If your organization is interested in learning more about OneConnect and if it’s the right tool for you, let us know. You can find out more about GuidePoint and our services at www.guidepointsecurity.com.

The Cyber Hunt Is On: Quickly Find New and Emerging Threats

Free webinar explains how you can respond to intrusions faster

Do your security analysts have limited time and resources? Are they bogged down searching through logs instead of actively hunting for potential intrusions on your network?

In a free webinar, “Active Cyber Hunting Revealed: How vSOC Identifies Threats in Your Environment,” security experts from GuidePoint Security and CrowdStrike will show you how you can more efficiently correlate data and begin your own cyber hunt for potential threats to your environment.

This free, educational webinar begins at 2 p.m. EDT Wednesday, Aug. 24, 2016. Register here now.

During the webinar, participants will learn how CrowdStrike Falcon can be integrated into a Virtual Security Operations Center (vSOC) for endpoint monitoring. By using the Falcon Connect API to ingest host data into the vSOC monitoring platform, analysts can correlate endpoint data against SIEM security logs. The combination makes it easier to discover new and emerging threats.

Participants will learn how to do ad-hoc searches and queries, quickly conduct comprehensive investigations, identify insider threat activity, and create dashboards and reports.

Following the presentation, there will be a 15-minute question and answer session. Even if your schedule is full and you can’t tune in live, go ahead and register now and we’ll send you a recording you can watch later.

Presenters will be Stephen Jones, GuidePoint Security’s director of managed services, and Kris Merritt, senior director of hunting operations for CrowdStrike.

Stephen has more than 10 years of experience in information technology and cybersecurity within the Department of Defense and Intelligence Community. His primary focus has been Information Assurance (IA) and Computer Network Defense (CND).

Kris leads CrowdStrike’s internal and external hunting programs. He has more than 10 years of experience in cybersecurity and network defense, mainly in leadership roles of security operations, incident response, digital forensics, signature development, indicator management, and tactical tool development within large enterprise networks.

“I look forward to presenting alongside Stephen on how CrowdStrike Falcon Host’s continuous endpoint visibility immediately enables SOCs and hunters to detect, analyze, and respond to intrusions at a time scale once only dreamed about,” Kris said. “Operating at this time scale has provided unique insights into malicious behavior where a human actor or even malware is involved.”

“CrowdStrike uses these insights, along with rich visibility on the endpoint, to rapidly refine its approach to the threat,” Kris explained. “I’m excited about our partnership with a company like GuidePoint who is eager to use the best technology to provide the best service to their customers.”

For more information about GuidePoint and how security experts like Stephen can help you make the most of vSOC services, visit www.guidepointsecurity.com. For more information about CrowdStrike and to connect with Kris and his team, visit www.crowdstrike.com.

Don’t forget to register for this free, interactive webinar here.
