The Global Leader in Application Delivery Networking

F5 Networks

Subscribe to F5 Networks: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get F5 Networks: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Top Stories

Today, let’s look at a couple ways to mitigate an application DDoS attack with BIG-IP ASM. We’ve logged into a BIG-IP ASM and navigated to Security>DDoS Protection>DDoS Profiles. In the General Settings of Application Security, we’ll activate an application DoS iRule event. We’ll click TPS-based Detection to see the temporarily lowered TPS thresholds to easily simulate an attack. Often, there are multiple mitigation methods that are sequentially applied as you can see with the Source IP settings. We can also record traffic packet captures during attacks for post analysis. When the user requests a web application proxied by BIG-IP ASM, ASM will create a unique identifier or a Device ID. ASM will inject JavaScript to register each client device. You can see X-Device-ID: at the bottom. And JavaScript incapable clients never make it through. Now that the unit is re... (more)

Prevent a Spoof of an X-Forwarded-For Request with BIG-IP

Last week, we looked at how to do Selective Compression on BIG-IP with a local traffic policy so this week let’s try something security related using the same procedures. You can associate a BIG-IP local traffic policy to prevent a spoof of an x-forwarded-for request. This is where bad actors might attempt to thwart security by falsifying the IP address in a header, and pass it through the BIG-IP system. Pre-reqs: We’re using BIG-IP v12 and, We already have a Virtual Server configured to manage HTTP traffic with an HTTP profile assigned to it. Let’s log into a BIG-IP The first thing we’ll need to do is create a draft policy. On the main menu select Local Traffic>Policies>Policy List and then the Create or + button. This takes us to the create policy config screen. Type a unique Policy Name like PreventSpoofOfXFF and optionally, add a description. Leave the Strategy... (more)

DevCentral’s Featured Member for November – Nathan Britton

Nathan Britton works as a Principal Security Consultant in the UK for a security solutions provider called NTT Security, part of the NTT Group. They work with customers to design and implement security solutions and his team specializes in application delivery and security in particular. His specific role is focused on solution design and technical governance. Nathan is a BIG-IP ASM SME, a DevCentral MVP and our Featured Member for November! DevCentral: You are a very active contributor in the DevCentral community. What keeps you involved? Nathan: Hands down it’s the best community forum I’ve ever participated in and, over the years, I’ve taken a lot from it. As such, I like to ensure that, time and my knowledge permitting, I give back to the community whenever I can. Also, there are always new things to learn, so being active on DevCentral makes sure I see what oth... (more)

Automatically Update your BIG-IP Pool Using the Service Discovery iApp

Let’s look at how to automatically add members to your BIG-IP pool by using the Service Discovery iApp. Whenever you deploy a BIG-IP Virtual Edition by using one of the templates on the F5 Github site, this iApp is installed on the BIG-IP. The idea behind this iApp is you assign a tag to a virtual machine in the cloud and then BIG-IP automatically discovers it and adds it to the pool. By tagging instances in AWS and Azure, and configuring the iApp, the pool is updated based on an interval you specify. This is especially helpful if you auto-scale your application servers because they are then automatically added and removed. Today, we’ll look how to do this in Azure but you can also do this in AWS. First, we’re going to add a tag to the application sever in Azure. You can assign the tag to either the virtual machine or to the NIC. For auto-scaling you’d tag the sca... (more)

Lightboard Lessons: What is BIG-IQ?

In this Lightboard Lesson, I light up many of the tasks you can do with BIG-IQ, BIG-IQ centralizes management, licensing, monitoring, and analytics for your dispersed BIG-IP infrastructure. If you have more than a few F5 BIG-IP’s within your organization, managing devices as separate entities will become an administrative bottleneck and slow application deployments.  Deploying cloud applications, you’re potentially managing thousands of systems and having to deal with traditionally monolithic administrative functions is a simple no-go.  Enter BIG-IQ. ps Related: What is BIG-IQ? ... (more)

Post of the Week: BIG-IP APM Policy Sync

In this Lightboard Post of the Week, I light up the answer to a question about BIG-IP APM Policy Sync. Posted Question on DevCentral: https://devcentral.f5.com/questions/apm-policy-sync-56330 Thanks to DevCentral user Murali (@MuraliGopalaRao) for the question and special thanks to Leonardo Souza for the answer! ps Related: DevCentral’s Featured Member for May – NTT Security’s Leonardo Souza ... (more)

Selective Compression on BIG-IP

BIG-IP provides Local Traffic Policies that simplify the way in which you can manage traffic associated with a virtual server. You can associate a BIG-IP local traffic policy to support selective compression for types of content that can benefit from compression, like HTML, XML, and CSS style sheets. These file types can realize performance improvements, especially across slow connections, by compressing them. You can easily configure your BIG-IP system to use a simple Local Traffic Policy that selectively compresses these file types. In order to use a policy, you will want to create and configure a draft policy, publish that policy, and then associate the policy with a virtual server in BIG-IP v12. Alright, let’s log into a BIG-IP The first thing you’ll need to do is create a draft policy. On the main menu select Local Traffic>Policies>Policy List and then the Crea... (more)

Lightboard Lessons: What is DDoS?

Over the last quarter, there were approximately 500 DDoS attacks daily around the world with some lasting as long as 300 hours. In this Lightboard Lesson I light up some #basics about DoS and DDoS attacks.   ps Related: DDoS attacks in Q2 2017 DDoS attack – Distributed Denial of Service DDoS Attacks 101: Types, targets, and motivations ... (more)

VDI Gateway Federation with BIG-IP

Today let’s look at how F5 BIGIP APM can consolidate, secure and federate all the core VDI gateways technology. For instance, if an organization decides move from one VDI technology to another or if you’re consolidating VDI technologies, BIG-IP can help. On the BIG-IP we’ve set up three VDI environments. Microsoft RDS/RDP with a broker authentication server, VMware Horizon and Citrix ZenApp. With only a corporate account, a user can authenticate to all of them as needed and access all available desktop content. In this example, we connect to the BIG-IP APM. This is the default view. And here we’ve put some advanced security fields like OTP or multifactor authentication for instance. So here we’d use our username and password and for additional security we’ll choose a secondary grid. By default, a grid is not generally available from any of the VDI vendors. When we... (more)

Add a Data Collection Device to your BIG-IQ Cluster

Gathering and analyzing data helps organizations make intelligent decisions about their IT infrastructure. You may need a data collection device (DCD) to collect BIG-IP data so you can manage that device with BIG-IQ. BIG-IQ is a platform that manages your devices and the services they deliver. Let’s look at how to discover and add a data collection device in BIG-IQ v5.2. You can add a new data collection device to your BIG-IQ cluster so that you can start managing it using the BIG-IP device data. In addition to Event and Alert Log data, you can view and manage statistical data for your devices. From licensing to policies, traffic to security, you’ll see it all from a single pane of glass. But you need a DCD to do that. So, we start by logging in to a BIG-IQ. Then, under the System tab, go to BIG-IQ Data Collection and under that, click BIG-IQ Data Collection Device... (more)

DevCentral’s Featured Member for October – Jad Tabbara

Jad Tabbara has been a Security Engineer with e-Xpert Solutions in Switzerland since 2014. He graduated from INSA de Lyon FRANCE with a master degree in telecommunications and nowadays, work takes the most part of my time, but happy to succeed in his endeavors. As hobbies, he enjoys playing sports (soccer, tennis), traveling, sharing time with family and is DevCentral’s Featured Member for October. Our second Featured Member from e-Xpert Solutions! DevCentral: You are a very active contributor in the DevCentral community. What keeps you involved? Jad: First, I would like to thank you for giving me this opportunity. I have never contributed to a forum other than DevCentral. Compared to other editors, I must admit that DevCentral is well designed such as all other F5 websites, articles and documentations. DevCentral is a great place to learn and a simple access to in... (more)