Lab 1: Deploying Load Balancer, Configuring F5 Distributed Cloud BotDefense

Lab 1 will focus on the deployment and security of an existing hosted application using F5 Distributed Cloud Platform and Services. This lab will be deployed in a SaaS-only configuration with no on-premises (public or private cloud) elements. All configurations will be made via the F5 Distributed Cloud Console and within the F5 Distributed Cloud Global Network services architecture.

The overall goal of this set of labs is to showcase how easy it is for F5 Distributed Cloud BotDefense to be enabled. This lab will also act as a quick refresher of how web-based login forms work and how easily they can be exploited by credential stuffing attacks. Once this initial lab is complete, we will expand on the concepts of attacks and security by utilizing the automation toolkit known as OpenBullet.

For the tasks that follow, you should have already noted your individual namespace. If you failed to note it, return to the Introduction section of this lab, follow the instructions provided and note your namespace accordingly. The Delegated Domain and the F5 Distributed Cloud Tenant are listed below for your convenience as they will be the same for all lab attendees.

Following the tasks in the prior Introduction Section, you should now be able to access the F5 Distributed Cloud Console, having set your Work Domain Roles and Skill levels. If you have not done so already, please log in to your tenant for this lab and proceed to Task 1.

Task 1: Configure Load Balancer, Origin Pool, WAF and BotDefense

  1. Following the Introduction section instructions, you should now be in the Web App & API Protection configuration window. If for some reason you are not in the Web App & API Protection window, use Select Service in the left-hand navigation and click Web App & API Protection as shown in the Introduction Section.

  2. In the left-hand navigation expand Manage and click Load Balancers > HTTP Load Balancers.

  3. In the resulting screen click Add HTTP Load Balancer as shown.

[Screenshots: lab001, lab002]

  1. Using the left-hand navigation and in the sections as shown, enter the following data. Where <namespace> appears, use the name of your given namespace.

    • Metadata:Name ID: <namespace>-lb

    • Basic Configuration: List of Domains: <namespace>.lab-sec.f5demos.com

    • Basic Configuration: Select Type of Load Balancer: HTTP

    • Basic Configuration: Automatically Manage DNS Records: (Check the checkbox)

    • Basic Configuration: HTTP Port: 80

[Screenshot: lab003]

  1. In the current window’s left-hand navigation, click Origins. Next, click Add Item within the Origin Pools section of Origins.

[Screenshot: lab004]

  1. In the resulting window, use the drop-down as shown and click Add Item.

[Screenshot: lab005]

  1. In the resulting window, enter <namespace>-pool in the Name field and click Add Item under Origin Servers.

[Screenshot: lab006]

  1. In the resulting window, Public DNS Name of Origin Server should be selected for Select Type of Origin Server.

  2. For DNS Name enter the hostname airline-backend.f5se.com and then click Apply.

[Screenshot: lab007]

  1. After returning to the prior window, make sure Port: under Basic Configuration is configured for 80.

  2. Leave all other values as shown while scrolling to the bottom and click Continue.

  3. After returning to the next window and confirming the content, click Apply.

[Screenshots: lab008, lab009, lab010]

  1. Continuing in the HTTP Load Balancer section, in the left-hand menu click Web Application Firewall (WAF) and select Enable.

[Screenshot: lab012]

  1. In the resulting App Firewall drop-down select Add Item.

Note

The “shared/base-appfw” policy is in the “shared namespace”, which can be applied to multiple Load Balancer configurations across namespaces, reducing policy sprawl.

[Screenshot: lab014]

  1. In the resulting window’s Metadata field enter <namespace>-appfw for the Name.

  2. Leaving all other values as default, scroll to the bottom and click Continue.

[Screenshot: lab015]

  1. In the left-hand navigation, click Bot Protection. In the Bot Protection section, change the Bot Defense drop-down to Enable.

[Screenshot: lab016]

  1. In the resulting Bot Defense Policy section, click the Configure link.

[Screenshot: lab017]

  1. In the Protected App Endpoints window, click the Configure link under App Endpoint Type.

  2. In the resulting window, click the Add Item in the App Endpoint Type section.

[Screenshots: lab018, lab019]

  1. In the resulting App Endpoint Type window, input the following values as shown:

  • Metadata:Name: auth-bot

  • HTTP Methods: POST

  • Protocol: BOTH

  • Path:Path Match: Prefix

  • Prefix: /user/vipsignin

  • Bot Traffic Mitigation:Select Bot Mitigation Action: Flag

  • Bot Traffic Mitigation:Include Mitigation Headers: Append Headers*

  • Inference Header Name and Automation Type Header Name: leave the defaults (unchanged).

  1. Scroll to the bottom and click Apply.

[Screenshots: lab020, lab021]

  1. Then click Apply on the App Endpoint Type screen.

  2. Then click Apply on the Protected App Endpoints screen.

  3. Observe the Bot Defense Policy is now configured.

[Screenshots: lab022, lab023, lab024]

  1. Use the left-hand navigation and click Other Settings, or scroll to the bottom of the HTTP Load Balancer screen, and click Save and Exit.

[Screenshot: lab025]

Note

The above selection controls how/where the application is advertised. The “Internet” setting means that this application will be advertised globally using the F5 Distributed Cloud Global Network utilizing Anycast.

  1. Note the indicated hostname (copy it to Notepad or a note tool) as this will be used in the exercises that follow.

[Screenshot: lab026]

Task 2: Curl - Direct

Run this lab from the JUMPHOST

  1. Launch the Chrome Browser and navigate to https://airline-backend.f5se.com/user/vipsignin

  2. Once loaded, right-click on the page, choose Inspect, then navigate to the Network tab in the new right-hand panel. This will allow you to monitor what content is loaded and submitted during interactions with the site.

[Screenshot: lab029]

  1. On the login prompt enter the test username john.smith@nobody.com and the password test123, then click Confirm.

  2. This should log you into the account, but more importantly, look in the right-hand panel and find the vipsignin POST request. Click on this entry and you will see the POST request that was created for your login.

  3. Switch to the Payload tab to see the exact data that was submitted. The username and password are expected, but we also see a tracking token (though it is not used here).

[Screenshot: lab030]

  1. Right-click on the vipsignin entry, choose Copy and then Copy as cURL (bash). Open Notepad from the Windows Start menu and paste the contents in. This will allow you to inspect the query in greater detail.

[Screenshot: lab031]

  1. Click the Ubuntu icon on the desktop to open a bash prompt. Once open, you can paste the same curl data into the bash prompt to execute the query. This example shows, at a basic level, just how easy it is to execute credential stuffing style attacks.

  2. Using any scripting language (Python, Perl, bash) it becomes trivial to test large numbers of username and password combinations.

[Screenshot: lab032]

Task 3: Compare Via Bot Defense

Run this lab from the JUMPHOST

  1. Launch the Chrome Browser and navigate to http://<namespace>.lab-sec.f5demos.com/user/vipsignin (note: HTTP, not HTTPS).

  2. Once loaded, right-click on the page, choose Inspect, then navigate to the Network tab in the new right-hand panel. This will allow you to monitor what content is loaded and submitted during interactions with the site.

[Screenshot: lab029]

  1. On the login prompt enter the test username john.smith@nobody.com and the password test123, then click Confirm.

  2. This should log you into the account, but more importantly, look in the right-hand panel and find the vipsignin POST request. Click on this entry and you will see the POST request that was created for your login.

  3. Switch to the Payload tab to see the exact data that was submitted.

  4. We can see several additional payload entries. The hardened JavaScript silently interrogates the browser and watches how the user interacts with the page, capturing telemetry that is encrypted and sent along with the POST.
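Task 2 replays the login POST from a shell against the origin directly, and Task 3 shows the same POST passing through Bot Defense, which in the Flag configuration above appends mitigation headers rather than blocking. The following Python script is an added example, not part of the lab or of F5's tooling, that takes the defender's view of that traffic: it parses constructed origin-side log lines (the log format, the bot= field standing in for the appended header, and the source addresses are all assumptions) and reports sources that cycle through many usernames against /user/vipsignin or that carry the flag.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed log lines for this example, not captured from the lab. Each line is one request
# to the login endpoint as the origin saw it. The "bot=" field stands in for the mitigation
# header Bot Defense appends in Flag mode; its name and value format are assumed, not F5's.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 198.51.100.7 POST /user/vipsignin 200 user=john.smith@nobody.com bot=-
2024-01-01T10:00:01Z 203.0.113.9 POST /user/vipsignin 401 user=alice@example.test bot=automation
2024-01-01T10:00:01Z 203.0.113.9 POST /user/vipsignin 401 user=bob@example.test bot=automation
2024-01-01T10:00:02Z 203.0.113.9 POST /user/vipsignin 401 user=carol@example.test bot=automation
2024-01-01T10:00:02Z 203.0.113.9 POST /user/vipsignin 200 user=dave@example.test bot=automation
2024-01-01T10:00:03Z 203.0.113.9 POST /user/vipsignin 401 user=erin@example.test bot=automation
2024-01-01T10:00:05Z 198.51.100.7 GET /user/vipsignin 200 user=- bot=-
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "
    r"user=(?P<user>\S+) bot=(?P<bot>\S+)$"
)

def parse(log_text):
    """Return one dict per line that matches the constructed format; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            records.append(rec)
    return records

def find_credential_stuffing(records, path_prefix="/user/vipsignin",
                             window=timedelta(seconds=60), min_users=3):
    """Per source IP: login POSTs under path_prefix, most distinct usernames tried inside one
    window (the pattern a scripted curl loop leaves), flagged requests and successful logins."""
    by_ip = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"].startswith(path_prefix):
            by_ip[r["ip"]].append(r)
    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        # widest distinct-user set among requests that start within one window of each other
        best = max(len({q["user"] for q in reqs[i:] if q["ts"] - r["ts"] <= window})
                   for i, r in enumerate(reqs))
        flagged = sum(1 for r in reqs if r["bot"] != "-")
        successes = sum(1 for r in reqs if r["status"] == "200")
        if best >= min_users or flagged:
            findings[ip] = {"attempts": len(reqs), "distinct_users": best,
                            "flagged": flagged, "successes": successes}
    return findings
```

The single interactive login from 198.51.100.7 is not reported; the burst from 203.0.113.9 is, with one successful attempt among the five, which is the case worth escalating because Flag mode let it reach the origin.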

[Screenshot: lab033]

End of Lab 1: This concludes Lab 1, feel free to review and test the configuration.
