Lab 2: Enabling Application Security with Service Policies
The following lab tasks will guide you through the configuration of various Service Policies,
which can be used to implement a variety of security controls. The goals of this section of the lab are
to create specific policies that enforce positive and negative enforcement rules based on geo-location,
IP addresses, and custom header properties.
Expected Lab Time: 30 minutes
Task 1: Creating Local Namespace Service Policies
In this task you will add geo-filter and allowed-ip based service policies. This is a common use
which can be utilized to either explicitly deny or allow client traffic based on their location.
Within Web App & API Protection, under the Manage section in the left-hand
navigation menu, click Service Policies. In the flyout menu, click the Service
Policies link.
Observe the existing Service Policies and note that they are sourced from the shared
namespace, which means they could be used within any other namespace.
Click Add Service Policy in the top left area as shown.
Note
Using shared namespace Service Policies provides the ability to use API-updated
policy controls to implement common service security across multiple resources.
In the Metadata section enter geo-filter for the Name and then click Rules
in the left-hand navigation.
Select Denied Sources from the dropdown for Select Policy Rules.
Locate the Country List input field and begin typing Fiji and then select it from
the list that appears.
Click the dropdown for Default Action. Observe the available options and select
Next Policy then click Save and Exit.
Observe the resulting added geo-filter Service Policy added in your namespace.
Open another tab in your browser (Chrome shown), navigate to https://ipinfo.io and note
your IP address as shown (an example is provided).
Return to the Service Policies window and click Add Service Policy.
In the Metadata section enter allowed-ip for the Name and then click
Rules in the left-hand navigation.
Select Allowed Sources from the dropdown for Select Policy Rules.
In the updated IPv4 Prefix List section, click the Configure link.
Note
The section just below “List of IP Prefix Set” allows you to build a collection of
various IP lists which can be maintained through API controls.
Click Add Item and enter your IP address captured in Step 9 above with mask
notation (/32) as shown then click the Apply button.
In the resulting window, observe IPv4 Prefix List is now configured then scroll to
the bottom of the Rules section.
Locate and click the dropdown for Default Action, and select Deny then click
Save and Exit.
Observe the allowed-ip Service Policy has been added in your namespace.
Task 2: Attaching Service Policies and configuring IP Reputation
The following steps will enable you to attach Service Policies to your configured Load Balancer.
It will also help you understand additional approaches for implementing Service Policies.
Return to the Load Balancer in the F5 Distributed Cloud Console, Manage > Load Balancer
> HTTP Load Balancers, use the Action Dots and click Manage Configuration.
Click Edit Configuration in the top right-hand corner.
Click Common Security Controls in the left-hand navigation.
From the Service Policies dropdown, select Apply Specified Service Policies.
In the added menu for Apply Specified Service Policies, click Configure.
In the resulting Policies window, use the List of Policies dropdown to select
your <namespace>/geo-filter Service Policy then click Apply.
Returning to the Load Balancer window, you will note the changes shown in your
Service Policies section.
As we are already in this section, we will go ahead and add IP reputation filtering. This
can be added as a Service Policy (shared or local namespace) or as a direct configuration.
To add IP Reputation as a direct configuration (on the Load Balancer), locate the
IP Reputation section, click the dropdown menu, then select Enable.
Using the List of IP Threat Categories, you may add any of the available
Threat Categories listed.
Select Spam Sources and Tor Proxy, then click Other Settings in the left-hand
navigation or scroll to the bottom of the window and click the Save and Exit button.
In your browser (Chrome shown), navigate to your application/Load Balancer configuration:
http://<namespace>.lab-sec.f5demos.com.
You should receive a 403 Forbidden error. This is due to a Service Policy configuration
error: because we only attached the geo-filter Service Policy and its Default
Action was Next Policy, there is no other or next policy to “Allow” traffic;
therefore, all other traffic is denied, producing the 403. This will also show in
the Security Events window.
Return to Web App & API Protection in the F5 Distributed Cloud Console, Manage >
Load Balancer > HTTP Load Balancers and use the Action Dots and click Manage
Configuration.
Click Edit Configuration in the top right-hand corner.
Click Common Security Controls in the left-hand navigation.
From the Service Policies section, click Edit Configuration.
In the resulting window click Add Item as shown. From the added dropdown select the
<namespace>/allowed-ip Service Policy previously created.
Observe the order. Service Policies must be ordered correctly in order to process
traffic as intended. Click Apply when completed.
Note
Because the “allowed-ip” policy begins with an allowed IP (yours) and ends in a “Deny”, a
positive security model will be applied (denying all other traffic). Similar positive or
negative service policies can be created and applied.
Click Other Settings in the left-hand navigation or scroll to the bottom of the
HTTP Load Balancer configuration and click Save and Exit.
In your browser (Chrome shown), navigate to your application/Load Balancer configuration:
http://<namespace>.lab-sec.f5demos.com. You should now be able to successfully
access the application.
Task 3: Create, assign and test a Custom Service Policy
In this task you will add a Custom Policy and assign it to your Load Balancer. Custom Service
Policies provide the flexibility to build Positive or Negative security models and custom
rules or controls.
Through prior lab tasks, Fiji has been Geo-location blocked, your testing resource’s
IP has been allowed, while all other IP addresses have been denied. You will build some additional
blocking/deny rules to illustrate Service Policy controls.
Before beginning this task, re-evaluate your access from your client to the following:
Browser: http://<namespace>.lab-sec.f5demos.com/index.php?page=header
cURL: http://<namespace>.lab-sec.f5demos.com/
cURL: http://<namespace>.lab-sec.f5demos.com/index.php?page=header
The expectation is that all are successful based on the current Service Policies.
Note
cURL is supported on Windows, Mac & Linux platforms.
Returning to Web App & API Protection, in the left-hand navigation menu, expand the
Manage section and click Service Policies. In the flyout menu, click the
Service Policies link.
Observe the existing Service Policies and note that some are sourced from the shared
namespace which means they could be used within any other namespace.
Click Add Service Policy in the top left area as shown.
In the Metadata section enter custom-deny for the Name and then click
Rules in the left-hand navigation.
Then select Custom Rule List from the dropdown for Select Policy Rules.
Locate the Rules configuration section and click Configure.
In the Rules window, click Add Item.
In the Metadata section, input curl-deny in the Name field and toggle
Show Advanced Fields to see extra configuration options in the Action section.
In the Action section, select Deny for the Action and then, in the left-hand
navigation, click Request Match.
In the HTTP Method section, use the Method List dropdown to select GET.
In the HTTP Headers section click Add Item.
In the Header Matcher window, input user-agent for Header Name as shown.
Click Add Item under the Regex Values area, input (?i)^.*curl.*$, then
click Apply.
Scroll down to the bottom of the Rule Configuration and click Apply.
In the custom-deny Service Policy Rule window, click Add Item to add another rule.
Note
Multiple Rules can be added to a single Service Policy.
In the Metadata section Name field input header-page-deny and then click
Request Match in the left-hand navigation.
In the Request Match section under HTTP Methods, add GET to the method list.
In the HTTP Path area, click the Configure link.
Click Add Item in Prefix Values area and in the input field type “/index.php”
and then click Apply.
Observe that the HTTP Path is now Configured.
In the HTTP Query Parameters section, click Add Item.
In Query Parameter Matcher window, in the Query Parameter Name field, enter
page.
In Match Options section, ensure Match Values is selected and then click Add
Item in the area with Exact Values as shown.
Input header into the Exact Values input field as shown and then click Apply.
Observe that HTTP Query Parameters now has the value we configured, then scroll to the
bottom of the rule configuration and click Apply.
Observe that both configured rules are present and then click Apply.
Note
Rules within the Service Policy can be placed in order as needed.
Observe that the Custom Rule is now configured for custom-deny Service Policy and
click Apply.
The custom-deny Service Policy is now listed among all Service Policies and has a
Rule Count of 2.
Note
This window also shows the Service Policy “Hits” when validating usage.
Return to Web App & API Protection in the F5 Distributed Cloud Console, Manage >
Load Balancer > HTTP Load Balancers and use the Action Dots and click Manage
Configuration.
Click Edit Configuration in the top right-hand corner.
Click Common Security Controls in the left-hand navigation.
From the Service Policies section, click Edit Configuration.
Observe the order of the previously created Service Policies (geo-filter, allowed-ip) and
click Add Item. Use the drop-down as shown and select <namespace>/custom-deny
from the available Service Policy list.
Click the six squares icon to drag <namespace>/custom-deny into the second position
in the policy order as shown, then click Apply.
Observe the configured state of the Service Policies, then click Other Settings or scroll
to the bottom of the HTTP Load Balancer configuration and click Save & Exit.
Time to reassess your access. Now test the following from your client:
Browser: http://<namespace>.lab-sec.f5demos.com/index.php?page=header
cURL: http://<namespace>.lab-sec.f5demos.com/
cURL: http://<namespace>.lab-sec.f5demos.com/index.php?page=header
What were your results? Copy the Support ID for further investigation in the next task.
Service Policies provide a powerful framework to implement both positive and negative security models,
using matching criteria from client requests (headers, parameters, paths, request body payload) to
effectively control access to protected applications and APIs.
Task 4: Security Observability
In this task you will utilize the native dashboards in F5 Distributed Cloud to review the security events.
These security events are stored within the F5 platform and can also be streamed to third-party
security information and event management (SIEM) solutions. These dashboards will provide information
on which security control blocked the client from accessing an application, based on the Support ID.
Using the left-hand navigation, click Dashboards and then select Security.
Review the Security Dashboard display (you may have limited data).
Scroll to Load Balancers section and click the <namespace>-lb object.
Note
This is a multi-application view. Here you can get the summary security status of
each application (i.e. Threat Level, WAF Mode, etc.) and then click into one for more
specific details.
From the Security Dashboard view, using the horizontal navigation, click Security.
Expand your latest security event as shown.
Note
You may have to adjust your time filter.
Note the summary detail provided via the Information link and identify the Request ID,
which is synonymous with the Support ID (filterable) shown on the Security Event block page.
Scroll to the bottom of the information screen to see specific signatures detected and
actions taken during the security event.
Next, click on the Add Filter link just under the Security Analytics title near
the top of the Security Analytics window.
Type req in the open dialog window and select req_id from the dropdown.
Next, select In from the Select Operator dropdown.
Finally, select/assign a value that matches one of your copied Support IDs from
earlier as shown. You can also optionally just paste the Support ID into the
value field and click Apply.
You should now be filtered to a single “Security Event”, as shown with your selected
filter. You can expand and review the request as desired using the arrow icon.
Task 5: OPTIONAL - Service Policy Ordering
Service Policies are processed in a top-down manner. In this lab you will investigate how
ordering of the service policies can affect client traffic.
The objective is to expand the denied sources geo-filter by adding an additional
country. Add the country of your current test client.
Returning to Web App & API Protection, in the left-hand navigation menu, expand the
Manage section and click Service Policies. In the flyout menu, click the
Service Policies link.
Next, use the Action Dots for the geo-filter service policy you created earlier and
select Manage Configuration.
Click Edit Configuration in the top right-hand corner.
Scroll down to Country List. Fiji should be the only country currently listed. Next to
Fiji, start typing in the country of your test client and select the appropriate country.
United States is shown in the screenshot below.
Scroll down and click Save and Exit.
Access http://<namespace>.lab-sec.f5demos.com/ from your web browser.
What happened? Investigate utilizing the security dashboard to confirm.
Access the Load Balancer in the F5 Distributed Cloud Console, Manage > Load Balancer
> HTTP Load Balancers and use the Action Dots and click Manage Configuration.
Click Edit Configuration in the top right-hand corner.
Click Common Security Controls in the left-hand navigation.
From the Service Policies section, select Edit Configuration.
Use the Action Dots to reorder the service policies to allow access again.
Click Apply. Then click Save and Exit.
Test from your web browser. Is access restored?
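To make the top-down evaluation described in Tasks 2, 3 and 5 concrete, here is an added Python model of the policy chain (written for this page; it is not F5 Distributed Cloud code). It assumes a placeholder client address, a Default Action of Next Policy for the custom-deny policy, and uses the lab's own rule values (Fiji, the /32 allowed source, the curl user-agent regex, and the /index.php?page=header match).

```python
import ipaddress
import re

# Illustrative model of the lab's Service Policy chain; not F5 Distributed Cloud code.
CLIENT_IP = "203.0.113.10"  # placeholder for the address captured in Task 1
CURL_UA = re.compile(r"(?i)^.*curl.*$")  # Regex Value from the curl-deny rule

def make_geo_filter(denied_countries):
    # geo-filter: Denied Sources country list, Default Action: Next Policy
    def geo_filter(req):
        return "deny" if req["country"] in denied_countries else "next"
    return geo_filter

def custom_deny(req):
    # curl-deny: GET with a user-agent matching the regex
    if req["method"] == "GET" and CURL_UA.match(req["headers"].get("user-agent", "")):
        return "deny"
    # header-page-deny: GET, path prefix /index.php, query parameter page=header
    if (req["method"] == "GET" and req["path"].startswith("/index.php")
            and req["query"].get("page") == "header"):
        return "deny"
    return "next"  # assumed Default Action for the custom rule list

def allowed_ip(req):
    # allowed-ip: Allowed Sources CLIENT_IP/32, Default Action: Deny
    if ipaddress.ip_address(req["ip"]) in ipaddress.ip_network(f"{CLIENT_IP}/32"):
        return "allow"
    return "deny"

def evaluate(chain, req):
    """Walk the attached policies top-down: the first allow/deny wins and
    'next' falls through. Reaching the end without an allow is a deny, which
    is the 403 seen in Task 2 when only geo-filter was attached."""
    for name, policy in chain:
        verdict = policy(req)
        if verdict != "next":
            return verdict, name
    return "deny", "end-of-chain"

def request(ip, country, path="/", query=None, ua="Mozilla/5.0"):
    # Constructed sample request; the user-agent values are illustrative
    return {"ip": ip, "method": "GET", "country": country, "path": path,
            "query": query or {}, "headers": {"user-agent": ua}}

GEO = make_geo_filter({"FJ"})
TASK2_INITIAL = [("geo-filter", GEO)]                      # 403 for everyone
TASK3_ORDER = [("geo-filter", GEO), ("custom-deny", custom_deny),
               ("allowed-ip", allowed_ip)]                  # order after Task 3
```

Moving allowed-ip ahead of geo-filter, as in Task 5, restores the client's access even after its own country is added to the denied list, because the allow verdict is reached first.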
End of Lab 2: This concludes Lab 2; feel free to review and test the configuration.
A Q&A session will begin shortly to conclude the overall lab.