New F5 ASM Version 12.x Features Improve Performance

In today’s blog, we will discuss the newest features of F5’s Web Application Firewall (WAF), Application Security Manager (ASM). ASM has been around for quite some time, but with the recent updates I think it is worth discussing.

F5 Networks recently released version 12.1.1, the first long-term support release for version 12. If you haven’t read through the release notes, take a few minutes and do so. I am really excited by some of the most recent features and I would like to share some of them with you.

I was ecstatic to see Unified Policy Building in 12.0 because now you have one screen to view all learning suggestions. This makes it far easier to sort through. If your policy builds automatically or statically based on your custom thresholds, you now have only one screen to manage.

Following the style already set in ASM, there is a dropdown menu that allows you to select the policy for which you want to see suggestions. Tabbed across the top is also Enforcement Readiness, and they moved Learning and Blocking Settings here as well. This makes the overall flow better while making it easier to see which settings you have for each selected policy — no more bouncing around the mouseover menus.

Next up in 12.0 is Proactive Bot Defense. This is a set of additional features added to the Denial of Service (DoS) functions ASM already had. F5 added improved defense against unwanted browsers and browsing agents that are not human-initiated. CAPTCHA challenges and JavaScript injection do this, but with some caveats. If you use CORS (Cross-Origin Resource Sharing), as with AJAX calls, you will have issues, and you should add those URLs to the bot whitelist.

F5 Networks also added malicious bot signatures. Now when you update your ASM application signatures, bot signatures are classified as malicious or benign. Just like with application signatures, you can create your bot signatures as well. You even have the ability to create signature sets with either malicious or benign classifications. This gives you greater control. Once created and applied via a “dos” profile, traffic is automatically classified and either accepted or discarded as configured.

Version 12.1 was not outshined by 12.0, and really cranked up the dial. It added more DoS enhancements with the ability to track using device IDs. Now DoS, brute force, and session hijacking protection can all key on device IDs. You can define bad behavior and set thresholds to classify traffic from them and either log or block them. F5 even extended Analytics to sort by these IDs. More reporting is always a good thing!

Using a similar set of metric definitions, you can now automatically blacklist IPs attacking your layer 7 resources and increase your DoS footprint. This does not require IP Intelligence or any other classification engine; the DoS feature works purely from your configuration definitions. Adding IP Intelligence, however, is a good thing in my opinion. I encourage you to look at it as more than just an ASM add-on.

Two huge new features in ASM are the ability to define methods per URL and to support WebSockets per URL. In previous versions, methods were globally defined for an application. This is great news: for apps that might have only one page that supports a POST, you can now allow POST for that page only.

WebSockets are new altogether. The WebSocket protocol allows client and server to stream data bidirectionally and indefinitely. A WebSocket connection is established over HTTP but then switches to a single TCP connection carrying message frames. This allows full-duplex, low-latency transport. Chances are you used one in your last internet chat. When you think of what could be hiding in one of those frames, protection really matters.

The last feature I want to mention is the ability for ASM to automatically detect and configure login pages in your application. If you have spent time parsing through someone else’s code to define a login page, you will welcome this feature. Now, that alone would be cool, but if you defined policy settings for brute force and session tracking, it will automatically add those options to the login forms it creates. This is a rockstar feature!

These are some of the main features ASM received in 12.0 and 12.1. There are still others like improved policy building, reduced policy building resource consumption, etc. Once again, if you have not reviewed the release notes, you should. I hope this generates a little interest in seeing what ASM has to offer now, and that you continue to find success in using F5 Networks Application Security Manager.

If you don’t already have ASM, consider what ASM can do for you. If you are already a GuidePoint Security customer and want to know more, reach out to your representative. If you are not a customer and would like to learn more, please feel free to contact us. We have several ASM certified engineers to answer your questions. For more information, email info@guidepointsecurity.com.

About GuidePoint Security
GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

F5 Networks’ ASM: Secure Your Applications, Don’t Give Away Your Kingdom

It occurred to me while I was writing another blog that we need to talk about Web Application Firewalls (WAF). We think everyone should use one. Your current network and security infrastructure is the castle and drawbridge, whereas WAF is your portcullis. Not securing your applications is like giving away the keys to your kingdom.

What is a WAF?

WAFs are the first and last line of defense for your application. A WAF takes over at layer 4 of the Open Systems Interconnection (OSI) model, moves up to layer 7, and looks at the request, response, and payload. It validates data and the package it’s carried in, and its authenticity. In essence, a WAF applies a set of security rules to all aspects of an HTTP conversation.

The difference from your next-generation firewalls (NGFW) and IDS/IPS units, which only inspect packet-by-packet, is that a WAF digs into HTTP content and conversations, and validates the content request, response, and payload against white and black lists. Using predefined signatures or behavioral baselines, the WAF takes appropriate countermeasures based on configured policy elements. WAFs also include enhanced logging, alerting, connection intermediation, and even content manipulation to mitigate the impacts of attacks, mislead attackers, or inject content designed to raise confidence levels for WAF detection mechanisms.

A WAF validates traffic and payloads by learning the way the application should work, prevents bad input or manipulation, and blocks dangerous queries and responses. A WAF maintains HTTP RFC compliance on all aspects of the session, and enforces session rules and session flows. It is a multifaceted tool.

F5 Networks Application Security Manager (ASM), in my opinion, is the right tool for the job. It is a tool that complements the F5 Global Traffic Manager (GTM) and Local Traffic Manager (LTM) devices you already use. To illustrate this, let us look at the traffic flow.

First, the GTM picks up the DNS request. Utilizing GTM, you can create a high-speed query frontend with DNS Express and can secure that zone with DNSSEC. GTM also evaluates your DNS request and traffic-shapes your response based on a host of criteria and settings, sending your session on to the network.

Sure, you have a firewall at your internet edge. It might even be next-gen, performs packet inspection, and has some signatures to eliminate some bad traffic. The same might also be true of your IPS/IDS, but these are packet-by-packet inspections and not the whole HTTP conversation (for the most part) and bad traffic gets by.

Here is where the F5 picks up and starts defending. LTM gets the traffic first and blocks malicious IPs, sorts out countries you may or may not want, defends against DDoS, and rejects ciphers that are too weak or broken, all while restricting IP, port, and landing page. LTM also traffic-shapes its handoff to the next level, ASM.

ASM starts slow and builds in levels based on policy. It receives that traffic and checks whether it matches the defined site. Then it checks whether it is a new session. From there, it starts checking everything: signatures, RFC compliance, session-tracking info, methods, request timing, number of requests, header information, etc. And this is only the initial request. We haven’t even gotten to the response!

ASM comes with quick-start policy templates for a ton of popular applications like Exchange, SharePoint, PeopleSoft, SAP, etc. If one of those doesn’t fit your build, ASM ships with an automatic policy builder. Fire this up and you turn your ASM device into Sherlock Holmes. It watches traffic pass through and automatically starts writing its own suggestions. When those suggestions get enough hits, ASM makes them into policy. The longer it runs, the better the policy.

If you change the application or add to it, it automatically picks that up and starts the building piece again. You can even build policy without affecting users. By keeping it out of blocking mode, you can mature the policy and reduce the likelihood that false alarms will create negative impact for users.
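The learning-then-enforcing cycle described above, together with the per-URL method enforcement mentioned in the 12.1 feature post, as an added toy example in Python. This is not F5's policy builder; it is a constructed illustration. The threshold, the sample traffic, and the transparent/blocking flag are assumptions made for the example: a (URL, method) suggestion becomes policy once it has been observed `threshold` times, and a violation raises an alarm in transparent mode but is only rejected in blocking mode.

```python
"""Toy learning policy builder with per-URL method enforcement (added example,
not F5 code).  Threshold, mode flag and sample traffic are constructed."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Policy:
    threshold: int = 3            # hits a suggestion needs before it becomes policy
    blocking: bool = False        # False = transparent (alarm only), True = block
    allowed: dict = field(default_factory=dict)     # url -> set of allowed methods
    suggestions: Counter = field(default_factory=Counter)
    log: list = field(default_factory=list)

    def learn(self, url: str, method: str) -> bool:
        """Record one observation; return True when it is promoted to policy."""
        key = (url, method.upper())
        self.suggestions[key] += 1
        if self.suggestions[key] >= self.threshold:
            self.allowed.setdefault(url, set()).add(method.upper())
            return True
        return False

    def enforce(self, url: str, method: str) -> bool:
        """Return True if the request passes, False if it is rejected.

        Unknown URLs and disallowed methods are violations.  In transparent
        mode a violation is logged but still passes, so a maturing policy
        never hurts real users; in blocking mode it is rejected."""
        method = method.upper()
        methods = self.allowed.get(url)
        if methods is None:
            reason = "unknown URL"
        elif method not in methods:
            reason = f"method {method} not allowed on {url}"
        else:
            return True
        mode = "BLOCK" if self.blocking else "ALARM"
        self.log.append(f"{mode} {method} {url}: {reason}")
        return not self.blocking


# Constructed sample traffic: a site where only /login legitimately takes POST.
SAMPLE_TRAFFIC = [
    ("/", "GET"), ("/", "GET"), ("/", "GET"),
    ("/login", "GET"), ("/login", "GET"), ("/login", "GET"),
    ("/login", "POST"), ("/login", "POST"), ("/login", "POST"),
    ("/about", "GET"),   # seen only once: stays a suggestion, never promoted
]


def build_policy(traffic, threshold: int = 3) -> Policy:
    """Run the learning phase over observed traffic and return the policy."""
    policy = Policy(threshold=threshold)
    for url, method in traffic:
        policy.learn(url, method)
    return policy


def demo():
    """Learn from the sample, then enforce in transparent and blocking mode."""
    policy = build_policy(SAMPLE_TRAFFIC)
    transparent = policy.enforce("/", "POST")   # violation, but passes with alarm
    policy.blocking = True
    blocked = policy.enforce("/", "POST")       # same violation, now rejected
    ok = policy.enforce("/login", "POST")       # learned as legitimate
    return policy, transparent, blocked, ok


if __name__ == "__main__":
    p, *_ = demo()
    print(p.allowed)
    print("\n".join(p.log))
```

The point to take from the run is the order of operations: the policy only ever reaches blocking mode after the learning phase has seen enough hits, and the `/about` page, seen once, is still missing from the allowlist, which is exactly the kind of false alarm a period in transparent mode lets you catch before anything is blocked.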

ASM comes with other cool features, too, such as preventing forceful browsing, where attackers try to reach pages that are not part of the public site and might expose admin access. You can keep users from bookmarking deep into the app by redirecting them to the login pages you defined first, which enforces the application flow. This keeps the application more secure and enables the organization to track sessions to support security, problem resolution, and compliance use cases.

With this in place, you can restrict access to secondary login pages or other admin-related content by enforcing application flows, and protect against web scraping. Brute force protection keeps those login pages safe by adding a layer of protection to these critical entry points, including limiting login attempts and identifying automated attacks.

DataGuard is an awesome feature as well. It protects sensitive fields like credit card numbers, Social Security numbers, and other administrator-defined sensitive data from passing through in clear text. Instead, it masks these values in responses, overwriting them with ‘****’. ASM also masks them in its logs, so you don’t have to worry about admins having access to that information either.
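What response masking looks like in practice, as an added example in Python that is not F5's DataGuard implementation. The patterns, the mask string and the sample response are constructed for this illustration. Card-number candidates are run through a Luhn check so that ordinary long numbers (order IDs, timestamps) are not masked by mistake, and the same masker is applied to the log line so the sensitive value never lands on disk.

```python
"""DataGuard-style masking of card numbers and SSNs in responses and logs
(added example, not F5 code).  Patterns and sample data are constructed."""
import re

# Card candidates: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security number in the usual 3-2-4 form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MASK = "****"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to separate real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(match: re.Match) -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    return MASK if luhn_ok(digits) else match.group(0)


def mask_sensitive(text: str) -> str:
    """Replace SSNs and Luhn-valid card numbers with the mask string."""
    text = SSN_RE.sub(MASK, text)      # SSNs first, so they never reach CARD_RE
    return CARD_RE.sub(_mask_card, text)


def masked_log_entry(client_ip: str, url: str, body: str) -> str:
    """Build a log line with the same masking applied to the captured body."""
    return f"{client_ip} {url} {mask_sensitive(body)}"


# Constructed sample response: a test card number, an SSN and an order number
# that is long enough to look like a card but fails the Luhn check.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<p>Card on file: 4111 1111 1111 1111</p>"
    "<p>SSN: 123-45-6789</p>"
    "<p>Order #1234567890123</p>"
)

if __name__ == "__main__":
    print(mask_sensitive(SAMPLE_RESPONSE))
    print(masked_log_entry("203.0.113.7", "/account", SAMPLE_RESPONSE))
```

Masking at the proxy changes the body length, so a real implementation also has to rewrite `Content-Length` (or stream with chunked encoding) and must run before any compression is applied, otherwise the pattern never sees plain text.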

There are so many other features, including signatures and security responses for common web application security threats such as cross-site request forgery (CSRF), cross-site scripting (XSS), clickjacking, cookie manipulation, etc. Any of these topics, as well as the mechanisms ASM uses to protect against them, would be worthy of its own blog post.

I hope this blog has sparked a little more interest in your traffic and maybe even a hard look into the available security measures you can take. If you are already a GuidePoint Security customer, reach out to your representative to learn more. If you are not a customer and would like to learn more, please feel free to reach out to us. We have several ASM certified engineers to answer your questions. For more information, email info@guidepointsecurity.com.

GuidePoint Security Honored by Washington Business Journal

GuidePoint Security is honored by Washington Business Journal as one of the fastest-growing companies in the Greater Washington, D.C. area.

Each year, the Journal recognizes the top 50 fastest-growing companies. GuidePoint is No. 30 on the 2016 list, based on average percent revenue growth between 2013, 2014, and 2015.

GuidePoint was also recently recognized as No. 3 on the Journal’s Security Technology Companies list based on 2015 metro-area revenue.

All 50 fastest-growing companies were honored at a special awards reception Oct. 27 at The Ritz-Carlton, Tysons Corner. The winners were included in a special Journal publication Oct. 28.

“This is a tremendous honor,” said Michael Volk, GuidePoint Security’s Founder and Managing Partner. “At GuidePoint, we pride ourselves in hiring the best and brightest information security professionals and support team members. Our continued successes, not just in terms of revenue growth, but in overall customer satisfaction, is a reflection of the team’s hard work, laser focus on cyber security solutions, and our core value of always ‘wowing’ our clients.”

Founded in 2011 by cyber security industry veterans, GuidePoint is a trusted security expert for security technologies and professional services. The company differentiates itself through its organizational structure, technological expertise, unrivaled customer service, and a vendor-agnostic approach.

“This allows us to provide the best security services and solutions possible,” Volk said. “Our tagline is a reflection of GuidePoint principles, ‘Your mission. Secured.’”

The latest recognition from Washington Business Journal is part of a growing list of awards and honors for the company this year. Among its other 2016 accolades are:

  • No. 5 Top Security Company, Inc. 5000 List
  • No. 19 Top Virginia Companies, Inc. 5000 List
  • No. 22 Top Washington, D.C. Companies, Inc. 5000 List
  • No. 308 overall 2016, Inc. 5000 List
  • SmartCEO Future 50
  • F5 Federal Partner of the Year
  • No. 14 on CRN Fast Growth 150 List
  • No. 192 on CRN Solution Provider 500 list

Hack to the Basics: Patch Vulnerabilities Before Attackers Exploit Them

White hat hacker illustrates how vulnerabilities can give unwanted access into your environment

While patching vulnerabilities may seem like a basic component of any organization’s information security plan, many often overlook this important step.

Hackers know this and are quick to search for exploits not long after vulnerabilities are discovered. Did you know that while it takes an average organization almost 200 days to patch a vulnerability, nearly half of all exploits happen 10 to 100 days after a vulnerability is published?

A recent co-presentation between GuidePoint Security and BMC takes a look at challenges vulnerabilities create for operations and security teams, explores how attackers use these vulnerabilities to exploit their way into environments, and discusses tools to quickly prioritize remediation and build a defense.

In “Hack to the Basics,” Brian Brush, regional partner with GuidePoint, says operations and security teams must do more work to bridge the gap between them.

“Most organizations still struggle with this,” he said.

Among the challenges are manual processes teams often use to find vulnerabilities.

“Hackers are already automated,” Brian said.

Seth Corder, automation specialist with BMC, emphasized Brian’s point by saying known vulnerabilities are often how attackers get into environments.

“They are looking for the easy stuff,” Seth said, adding that 80 percent of the potential attack surface is known vulnerabilities, even though 99.9 percent of the time there is a solution to fix it.

Automation tools like BMC’s BladeLogic Threat Detector can do just that.

Brian and Seth encourage operations and security teams to remember the value of fundamentals. Patch both internal and external vulnerabilities and focus on remediation. With a solid strategy for vulnerability hunting and patching, teams can direct their attention on making it harder for attackers to enter an environment and cause damage.

To see the full presentation and learn more about how vulnerabilities are a risk to your organization’s overall security, check out the video on BMC’s YouTube channel.

When an attacker breaches the perimeter

Victor Wieczorek, GuidePoint managing security consultant, is a white hat hacker who knows firsthand how easy it is to exploit systems where vulnerabilities are not patched and remediated.

In the same presentation with BMC, Victor demonstrates how quickly attackers can gain access to vulnerable systems.

“Hackers look for openings,” he said, clarifying they go after the easy things, like known vulnerabilities, first.

In a hands-on demonstration, Victor explains how, with a few scripts and automated tools, he can access a system where a vulnerability remains unpatched, long after a fix is available.

Attackers use the same vulnerability and automated scanning tools as security teams, said Neil Parisi, BMC principal software consultant. Playing the role of the “good guy” in the demonstration, Neil says it’s a race to the finish line between security/operations teams and attackers.

“Can you patch before they penetrate?”

In part two of the video series, “Hacker Breaches the Perimeter,” Victor uses easily downloadable and free tools to successfully access the demo environment, while Neil shows how BladeLogic can quickly patch and repair the vulnerability.

But, like most tenacious hackers, Victor doesn’t give up. Using information obtained before detection of the vulnerability, he moves on to secure a username and credentials for part three, “Breached! Hacker Moves on to Exploit the Center.”

In the fourth and final part of the video series, “Hacker Goes for Admin Rights,” Victor continues to move around in the environment undetected. How does he do it? By using the username he detected in the previous exploit and rolling the dice on his gamble the user had the same password for multiple systems. The result? Victor gains admin credentials and masks his malicious activities like an approved user. Watch the full video to find out how much access Victor gets as he exposes vulnerabilities and how the BMC team uses BladeLogic to stop the attack.

About BMC

BMC is a global leader in innovative software solutions that enable businesses to transform into digital enterprises for the ultimate competitive advantage. Its digital enterprise management solutions make digital business fast, seamless, and optimized from mainframe to mobile to cloud and beyond. BMC digital IT transforms 82 percent of the Fortune 500 and serves more than 10,000 customers worldwide. For more information, visit www.bmc.com.

Use Cases Demonstrate How F5 Analytics Can Increase Visibility Into Your Applications

In a previous blog post, I introduced you to F5 Analytics and how it can enable you to gain more visibility into your F5 application delivery controller infrastructure. (If you missed part one, you can check it out here.) This blog post continues where I left off and provides two more exciting use cases for you to explore.

Viewing application page load times

This is a ground-breaking feature that really makes F5 stand out from its competition. Basically, this information is useful for tracking user experience: it shows how long your application web pages take to load in client-side browsers.

Client-side browsers must meet the following requirements:

  • Support the W3C Navigation Timing API
  • Accept cookies from visited application sites
  • Enable JavaScript® for the visited application sites

The BIG-IP Client Side Performance Monitoring (CSPM) feature generates the page load time data. According to F5 Networks, “To calculate the client-side load time for a web resource, the CSPM feature injects a piece of JavaScript code into the HTTP response that it sends to the client. When the client browser executes the JavaScript, it calculates the specific timing values needed by the CSPM feature, and reports those values back to the BIG-IP system in a cookie.”

There are three requirements for CSPM injection in an HTTP response. They are:

  • HTTP content is not compressed
  • HTTP content-type is text/html
  • HTTP content contains an HTML <head> tag

Application page load times are viewable in the F5 Analytics charts, and alerts are configured there as well. Page load time is measured in milliseconds from the moment an end user requests a web page until the page finishes loading in the client-side browser. Think of how amazing this is! You’re literally reaching out to your end user, wherever he or she may be, and gathering statistics on their experience just by enabling a checkbox.
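The three injection preconditions listed above, the injection itself, and the page-load calculation from the values the browser reports back, as an added example in Python. This is not F5's CSPM code: the script body, the cookie name `cspm_demo` and its `start|end` value format, and the sample responses are constructed for the example. The real CSPM script and cookie format are F5's own and are not shown here.

```python
"""CSPM-style timing-script injection and page-load calculation (added example,
not F5 code).  Script, cookie format and sample responses are constructed."""
import re
from typing import Optional

# Constructed client-side script: reads the Navigation Timing values and
# reports them back in a cookie on the next request.  Requires JavaScript and
# cookies to be enabled in the browser, as the feature requirements state.
TIMING_SCRIPT = (
    "<script>"
    "var t=performance.timing;"
    "document.cookie='cspm_demo='+t.navigationStart+'|'+t.loadEventEnd+';path=/';"
    "</script>"
)
HEAD_RE = re.compile(r"<head[^>]*>", re.IGNORECASE)


def can_inject(headers: dict, body: str) -> bool:
    """The three CSPM preconditions: not compressed, text/html, has a <head> tag."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("content-encoding", "identity").lower() not in ("", "identity"):
        return False                     # compressed body: nothing to edit safely
    if not h.get("content-type", "").lower().startswith("text/html"):
        return False                     # JSON, images, etc. are left alone
    return HEAD_RE.search(body) is not None


def inject(headers: dict, body: str) -> str:
    """Insert the timing script directly after <head>, or return body unchanged.

    A real proxy must also rewrite Content-Length after changing the body."""
    if not can_inject(headers, body):
        return body
    return HEAD_RE.sub(lambda m: m.group(0) + TIMING_SCRIPT, body, count=1)


def page_load_ms(cookie_header: str, name: str = "cspm_demo") -> Optional[int]:
    """Parse 'name=start|end' out of a Cookie header and return end - start (ms)."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            start, _, end = value.partition("|")
            return int(end) - int(start)
    return None


# Constructed sample responses covering each precondition.
HTML_OK = {"Content-Type": "text/html; charset=utf-8"}
HTML_GZ = {"Content-Type": "text/html", "Content-Encoding": "gzip"}
JSON_HDR = {"Content-Type": "application/json"}
PAGE = "<!doctype html><html><head><title>x</title></head><body>hi</body></html>"
NO_HEAD = "<html><body>fragment</body></html>"

if __name__ == "__main__":
    print(inject(HTML_OK, PAGE))
    print(page_load_ms("cspm_demo=1700000000000|1700000001250; other=1"))
```

The compression check is the one that bites in practice: if the BIG-IP's own HTTP compression profile runs before the injection step, every response arrives gzipped and the feature silently reports nothing, so ordering on the virtual server matters.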

Troubleshooting applications by capturing traffic

This is typically used only for troubleshooting an active issue. I don’t recommend setting this up and leaving it on for eternity. This is not traffic capture like a tcpdump would do, but more of a layer-seven-type capture. I’ll explain that later.

The information captured is stored locally or remotely via syslog or a SIEM, like Splunk. If captured locally, the system stores the first 1,000 transactions. If using a VIPRION system, the system stores the first 1,000 transactions times the number of blades in the system. I recommend capturing the transactions remotely to syslog or Splunk where you are only limited by the storage of the remote destination.

So, what did I mean by layer-seven-type capture? Well, instead of capturing raw data like a tcpdump would, you can capture actual traffic, such as requests, responses, or both. The data contained by those may include:

  • None
  • Headers
  • Body
  • All

You can configure a traffic filter for captured traffic to include filtering by:

  • Virtual servers
  • Nodes
  • Response status codes
  • HTTP methods
  • URL
  • User agent
  • Client IP addresses
  • Request containing string
  • Response containing string

As you can see, this is different from doing a tcpdump and exporting to Wireshark for analysis, which may be fine for certain cases. My point here is to show you a new tool for troubleshooting an issue in your F5 BIG-IP application delivery controller environment that may rapidly give you more relevant data to solve it.

I hope this post stimulates your interest in F5 Analytics. It is a powerful (and free) tool to use in your F5 BIG-IP application delivery controller infrastructure.

In addition to F5 Analytics, there are many features available with F5’s application delivery controllers that can enhance your investment, increase your return on investment, and improve end-user experience. If you would like to learn more, GuidePoint’s security professionals have years of experience with F5 application delivery controllers, as well as integrating them with other solutions. We can help you develop a customized security plan to best meet your organization’s needs.

If you’re a GuidePoint client and have questions about F5 Analytics, please reach out directly to your personal contact or email us at info@guidepointsecurity.com. If your organization wants to learn more about F5 Analytics and if it’s the right tool for you, let us know. You can find out more about GuidePoint and our services at www.guidepointsecurity.com.

F5 Analytics: Increasing Visibility Into Your Applications

Have you ever wanted to learn more about what your F5 BIG-IP application delivery infrastructure is doing? Sure, there are basic statistics like throughput, number of sessions, and active connections, but as layer four load balancers have evolved into layer seven application delivery controllers, shouldn’t the available performance metrics evolve as well?

In this blog post, I want to bring visibility to a great tool included in every F5 Networks BIG-IP platform. That tool is the F5 Analytics module (otherwise known as Application Visibility and Reporting, or simply AVR). It’s already included with BIG-IP; you just need to provision it and set it up. (One quick note on provisioning: you should provision the AVR module with “minimum” resources.)

So, what is F5 Analytics? Well, it is a fantastic new way of discovering more information about your applications and infrastructure through graphical charts, and you can drill down for more specific details about performance-related statistics.

F5 Networks provides excellent documentation on the features and configuration of F5 Analytics on its support site, but I want to point out a few of the use cases. I hope to highlight its feature set so you can incorporate it into your own F5 BIG-IP application delivery controller infrastructure.

Troubleshooting applications by capturing statistics

This core F5 Analytics functionality is suitable for everyday use. F5 Analytics is configurable to capture a variety of great statistics. They include metrics, such as:

  • Max TPS and throughput
  • Page load time
  • User sessions

And entities, such as:

  • URLs
  • Countries
  • Client IP addresses
  • Client subnets
  • Response codes
  • User agents
  • HTTP methods

All of these metrics and entities are viewable in the administrative GUI. For instance, if a user calls in and says an application is broken, you can filter the transaction statistics by client IP address and then narrow the filter by virtual server and time period to view the actual request/response metadata. It is pretty cool to troubleshoot a problem with an application just by drilling down into some graphs to isolate the issue. In addition to collecting statistics locally on BIG-IP, you can collect data remotely via syslog or a SIEM, such as Splunk, and view the data there.

Investigating server latency

This is F5 Analytics’ key feature and may provide valuable information to your server and application teams. F5 Analytics measures server latency in milliseconds from the time the request reaches the BIG-IP, proceeds to the application server, and returns a response to the BIG-IP system.

In my experience as a BIG-IP administrator, one of the most common misconceptions was that the LTM was somehow adding latency to server response times. Finger-pointing was often directed at the LTM, and I frequently had to run tcpdumps to exonerate the LTM as the culprit of server latency.

In addition to providing server latency statistics, F5 Analytics provides the ability to set an alert threshold in milliseconds and issue an alert via syslog, SNMP, or via email. This information helps to proactively track latency issues with web servers, application servers, database servers, etc. This is a big deal because you can now isolate where slower components may exist in your web stack all from a simple GUI.

I hope this post stimulates an interest in F5 Analytics. It is a powerful (and free) tool to use in your F5 BIG-IP application delivery controller infrastructure.

In addition to F5 Analytics, there are many features available with F5’s application delivery controllers that can enhance your investment, increase your return on investment, and improve end-user experience. If you would like to learn more, GuidePoint’s security professionals have years of experience with F5 application delivery controllers, as well as integrating them with other solutions. We can help you develop a customized security plan to best meet your organization’s needs.

If you’re a GuidePoint client and have questions about F5 Analytics, please reach out directly to your personal contact or email us at info@guidepointsecurity.com. If your organization wants to learn more about F5 Analytics and if it’s the right tool for you, let us know. You can find out more about GuidePoint and our services at www.guidepointsecurity.com.

Check out part two of this series on F5 Analytics here.

Extending Your Security Infrastructure to Include DNS

For years, F5 has been a key player in DNS with its BIG-IP Global Traffic Manager (GTM). Today, F5 continues the development that has made it an industry leader, focusing on GTM, making it feature-rich, and renaming it BIG-IP DNS. Now, through the BIG-IP DNS product, you can add speed, reliability, and security to your DNS infrastructure, improving both your end-user experience and your company’s security stance.

Global availability is still an important feature for BIG-IP DNS, but serving and protecting your DNS infrastructure has also taken center stage within this module.

BIG-IP DNS is a proxy like Local Traffic Manager (LTM), but it only services DNS. It consumes incoming DNS queries, parses the request against its configuration, or sends the request on to another server. Like LTM, BIG-IP DNS leverages purpose-built hardware to enhance, accelerate, and secure your DNS service. BIG-IP also offers flexibility and scalability for small to large companies protecting against surges and sudden growth.

On the front line, BIG-IP DNS protects against DNS DDoS by answering queries faster than most traditional DNS installs. Most BIND installs tap out at about 50,000 requests per second (RPS). A good DNS install provides in the neighborhood of 200,000 to 250,000 RPS. A BIG-IP DNS appliance can handle 10,000,000. Add in geolocation and/or IP Intelligence, and you can selectively answer queries based on IP, city, state, country, region, etc. Deploy BIG-IP DNS in an active sync group and sleep better at night.

Once BIG-IP DNS sorts through incoming queries, it can safely and efficiently address requests. This is where DNS Cache, DNS Express, and DNSSEC come into play.

DNS caching is the first level of increased DNS performance. BIG-IP DNS can be a transparent cache for your existing infrastructure, adding a single point of control and reducing administration overhead. Since you won't need to run a cache engine on each individual server, this frees up resources and reduces load on your DNS servers. BIG-IP DNS also decreases lookup times by using purpose-built hardware and serving records from memory. This lowers response times and improves the end-user experience.

In my opinion, DNS Express™ is the highlight feature of BIG-IP DNS. In a nutshell, DNS Express sets up a virtual DNS server in RAM, transfers your DNS zone into it, and provides high speed queries to all of your records. It does this by pulling in new records created in your infrastructure and constantly checking in with the DNS Master just like a secondary server.

DNS Express acts authoritatively for this zone and lets you define how unhandled queries are treated. DNS Express also handles zone transfers, which can be secured using TSIG keys. Additionally, it handles both IPv4 and IPv6 traffic. A key benefit is that it runs only a subset of BIND, so it is not susceptible to most BIND vulnerabilities and makes your install even more secure.

If more security is requested or required, BIG-IP DNS supports DNSSEC. This nifty little industry standard allows signing of DNS responses and provides protection against things like cache poisoning and phishing. It does this by using zone signing keys and, yes, they can be HSM keys.

The signing key setup can be made to automatically roll over based on user-defined thresholds. This adds even more security. Both automatic rollover and HSM storage apply to the key-signing keys as well. You can run the HSM locally, in appliances, or offload to a network-based model. Lastly, performance is not an issue here, since you use purpose-built hardware for the DNS piece and the keys are stored locally.

Overall, BIG-IP DNS goes a long way to filling a strong security role in your infrastructure. For those of you using ‘Better’ or ‘Best’ licensing models, you should have the needed licensing to utilize these capabilities today. If you have an older SKU for GTM, you may need add-on licenses for these features.

GuidePoint's team of professionals can review your use case and speak to you regarding your solution options. We have several F5 Certified Technology Specialists in GTM to assist you and can help you maximize your install's potential and secure your resources.

If you’re a GuidePoint client and have questions about BIG-IP DNS, please reach out directly to your personal contact or email us at info@guidepointsecurity.com. If your organization is interested in learning more about BIG-IP DNS and if it’s the right tool for you, let us know. You can find out more about GuidePoint and our services at www.guidepointsecurity.com.


OneConnect: Saving Resources, Increasing Investment

In a previous blog post, I talked about some common Local Traffic Manager (LTM) features that get overlooked, which can easily increase security posture. In this post, I want to discuss one of the less-known features that is frequently neglected because you may not understand the benefits. This feature is OneConnect.

OneConnect is an awesome addition to any modern application that follows good coding practice and RFC standards such as TCP or HTTP. OneConnect creates a pool of first-time TCP connections to each pool member and makes them available for reuse by later connections. This is done by using TCP standards like idle timeouts, keepalives, etc.

When an initial connection is created to a pool member, the BIG-IP holds that connection open and uses it for other TCP flows that are destined for that member. This can drastically reduce the number of connections the web server has to process and allocate resources for, thereby improving the web server’s overall performance.

With an HTTP connection, OneConnect can manage HTTP connection flows and process them much the same way as TCP flows. It first manages the TCP flow for that connection like a TCP app. Because OneConnect is HTTP-aware, thanks to whichever HTTP profile you associated with the virtual server, it can read the HTTP flows and process state for them at the same time. If the TCP connection the HTTP flow was using ages out, when a new TCP flow is connected, it will continue that HTTP flow over the new TCP connection.

The LTM uses HTTP standards like keepalives to maintain state. In the case of non-HTTP/1.1 connections, there is no keepalive, so the LTM will intercept “Connection: close” headers and rewrite them as “x-connection: close” headers so it can process those connections the same way. This feature, OneConnect Transformations, has to be enabled in the HTTP profile.

By default, OneConnect makes every connection it processes available for reuse. You can restrict this in your OneConnect profile by changing the subnet mask. The subnet mask sets the groupings that OneConnect will make with the incoming IPs.

For example, maybe you don't want external client IPs and internal client IPs sharing connections. In this case, you could change the mask to 255.0.0.0 so that your 192s or 10s will not mix with 25s or 100s. Of course, if you are using 172.16.x.x internally, you need to use 255.255.0.0 instead, because a 255.0.0.0 mask would group your internal 172.16 clients with any external 172.x.x.x client. Knowledge of your internal IP structure and your application requirements is important.

A note on SNAT: If you use SNAT Automap on your virtual server, OneConnect gets applied after SNAT; so no matter what your mask is, every flow will be reused regardless of the setting in the OneConnect profile. If you use a SNAT Pool, you could use a 32-bit mask to create more flows, but unless you have a really high connection count, there is no need to do this.
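To make the mask behaviour concrete, here is a small added simulation of how OneConnect groups client flows by source mask (example code written for this post, not F5's implementation). It models SNAT Automap as a single assumed self IP; the client addresses are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample client IPs (not from the original post): internal 10/8 and
# 172.16/12 clients plus external clients, one of which shares the first octet
# with the internal 172.16 range.
CLIENTS = [
    "10.1.1.5", "10.2.7.9",        # internal RFC 1918 10/8
    "172.16.3.4", "172.16.9.8",    # internal RFC 1918 172.16/12
    "172.200.1.1",                 # external public address in 172.x space
    "25.3.3.3", "100.4.4.4",       # external public addresses
]


def reuse_key(source_ip, mask):
    """Return the OneConnect grouping key: the source IP ANDed with the profile's
    source mask. Flows with the same key may share server-side connections to a
    pool member. The default mask 0.0.0.0 puts every flow into one group."""
    ip = int(ipaddress.IPv4Address(source_ip))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip & m))


def reuse_groups(clients, mask, snat_address=None):
    """Group client flows as OneConnect would, after any SNAT has been applied.

    With SNAT Automap (assumed here to translate to one self IP, snat_address),
    OneConnect sees that address as the source, so every flow collapses into a
    single group regardless of the mask."""
    groups = defaultdict(list)
    for client in clients:
        source = snat_address if snat_address else client
        groups[reuse_key(source, mask)].append(client)
    return dict(groups)


def shares_connection(client_a, client_b, mask, snat_address=None):
    """True if two clients can reuse each other's server-side connections."""
    src_a = snat_address or client_a
    src_b = snat_address or client_b
    return reuse_key(src_a, mask) == reuse_key(src_b, mask)


if __name__ == "__main__":
    for mask in ("0.0.0.0", "255.0.0.0", "255.255.0.0", "255.255.255.255"):
        print(f"mask {mask}: {reuse_groups(CLIENTS, mask)}")
    print("SNAT Automap:", reuse_groups(CLIENTS, "255.255.255.255", "10.0.0.254"))
```

Note how the /8 mask merges the internal 172.16 clients with the external 172.200 client, while the /16 mask keeps them apart; with SNAT Automap all flows end up in one group whatever the mask.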

To help illustrate this, here is an example I worked on not long ago. One of the state governments I worked with had a web application that processed healthcare options for “Obamacare.” Day-to-day connections to the application hovered at about 4,000 to each server. When it came time for open enrollment, all of the web servers fell over trying to process more than 25,000 connections each. Users who got connected reported the server was so slow it could not respond to page requests and timed out. Once OneConnect was enabled with a default mask, the number of active connections dropped to about 100 per server! The application bounced back completely, and the developers said the application worked better than in development.

There are some special considerations when utilizing OneConnect within your environment. The application has to use TCP standards for clearly defined flows. OneConnect will not work if your flows do not provide good headers for distinguishing source and destination. If your application is 20 years old and home-grown, it might not work. Recent applications should not have issues.

Secondly, you are sharing TCP flows. If you are sniffing the wire to look at incoming web server traffic, you might not see the flow you are looking for because it was part of a reuse pool. In this case, try to match on the client port. The port should remain the same most of the time, but since you are combining different flows from different IPs, the likelihood of overlap is higher. Also, if your application needs to see client IPs, you will need to enable the “X-Forwarded-For” header insertion and configure the web server to look at that header instead. Additionally, if you are doing SSL passthrough, OneConnect is not an option because the traffic is encrypted. OneConnect requires termination: you would have to decrypt on the BIG-IP and then re-encrypt to the backend.

Lastly, one item of particular note is sizing. Since OneConnect can drastically mask the true client load in a web server's connection table, you need to incorporate the application's client activity along with the web server connection load to get a feel for how many web servers you need. You might, over time, find out that you cannot turn OneConnect off because your load will be too much for the existing number of web servers you have.

I hope this post has piqued your interest in OneConnect and what your F5 LTM can do for you. There are many additional features beyond “load balancing” that can enhance your investment, increase your return on investment, and improve end-user experience. GuidePoint Security’s professionals, with years of multifaceted expertise, can meet with you to learn more about your organization’s requirements and help build a customized security plan to best meet your needs.

If you’re a GuidePoint client and have questions about OneConnect, please reach out directly to your personal contact or email us at info@guidepointsecurity.com. If your organization is interested in learning more about OneConnect and if it’s the right tool for you, let us know. You can find out more about GuidePoint and our services at www.guidepointsecurity.com.


From Cyber Analysts to Cyber Hunters: GuidePoint Security Expert to Speak at Anomali Detect

Are you ready to go from your regular job as a cyber analyst to a full-fledged cyber hunter? Join GuidePoint Security at Anomali Detect Sept. 11-13, 2016, at the Westin Washington, D.C. City Center, for a special presentation, “Cyber Hunters: Operationalizing Threat Intelligence for Cyber Analysts.”

GuidePoint Security is a Gold sponsor for the conference, and Matt Keller, our vice president of federal services, will lead a session about how analysts in Security Operation Centers (SOC) can evolve from a detection and response team to proactive cyber hunters who seek out threats before damage occurs.

Matt’s presentation will be from 3:10-4 p.m. Tuesday, Sept. 13, in room National C. He will talk about how to utilize threat feeds to reduce the amount of time it takes to identify incidents and help you plan for responses within the “Cyber Golden Hour.” He will share insight on how your security team can identify threats in real time, moving from cyber analysts to full-fledged cyber hunters.

We’ll also have a table top display set up during Anomali Detect, so be sure to stop by and view a demonstration on our Virtual Security Operations Center (vSOC). By using the cloud to provide dynamic scalability and cost savings, our vSOC analysts can provide validated security incidents so your team can focus on remediation.

For more information about Anomali Detect, visit https://www.anomali.com/anomali-detect.

For more information about our vSOC and how we can help protect your organization from insider threats, visit www.guidepointsecurity.com.


Reshape Cyberwar: Flip the Script to Put Attackers on the Defensive

If we’re going to succeed in defending against bad guys, we should admit we are in a cyberwar. We are at odds with people who want to steal, corrupt, and destroy. To succeed against these cyber enemies, let’s draw from the words of Sun Tzu, the ancient Chinese military strategist: “Hold out baits to entice the enemy.”

Many people believe government network defenders only need to make one mistake before they are “pwned” and the bad guys steal sensitive data. As a network defender in this cyberwar, you have to be right 100% of the time; attackers only need to be right once. A missed vulnerability, a misconfigured router, or an overlooked Indicator Of Compromise (IOC) gives attackers the opening they need to cause damage.

To arm yourself in this cyberwar, find a way to flip the script. Do you remember the movie, “Home Alone?” Its message is applicable here: Even if you’re at a disadvantage when you’re defending your “home,” if you prepare for the bad guys, you can flip things to your advantage.

This creates a new category of “deception” technology. To capture the bad guys, this can be anything from basic virtual fake systems to confuse bad actors, to full networks with elaborate fake data, alarms, and traps.

More mature solutions go past simple virtual machines that look like juicy targets. To alert SOCs of potential breaches, they include deception inside Active Directory structures and at real endpoints and servers. By planting worthless administrative-looking credentials inside endpoints and Active Directory, a SIEM can easily alert SOC analysts to illicit behavior.

These solutions create a web of alarms and traps like the ones the “Home Alone” kid set up in his house. When the bad guys find and try to use the planted credentials, or scan or log into these fake systems, a spotlight is immediately illuminated on the activity. This shows the SOC that someone is attempting to do something bad; however, instead of a thief screaming about his head being on fire like in the movie, a simple SIEM rule about the use of a non-working credential or a deception-created system burns a hole in the bad guy.

Instead of fumbling around a network, the bad guys make one mistake and they are caught. This changes the game from the penetrator’s advantage to the defender’s advantage. They must tiptoe around and be careful about what they touch and where they go.

So let’s follow the best ideas from Sun Tzu to Churchill, Po-Ch’eng and even the Hittites and use deception to reshape the battlefield of cyberwar in our favor. Remember, as cliché as it may be, “The best defense is an offense.”
