
Securing Web Applications with F5 BIG-IP Application Security Manager and VMware vCloud Air
DEPLOYMENT GUIDE

Securing Web Applications

Migrating application workloads to the public cloud is an essential consideration for many enterprises. The barriers to wider adoption of public clouds have frequently stemmed from a lack of enterprise-ready software and network security components, or from an immature cloud platform. Threats to applications such as cross-site scripting, brute-force attacks, and DDoS attacks can expose an enterprise to outages, data theft, and even lost customers. Ensuring that applications are available and secure in public cloud infrastructures will speed adoption. The benefits of cloud deployments are obvious; however, enterprise-ready application delivery components are essential to ensure successful deployments.

This guide provides an overview of the setup and deployment of BIG-IP Local Traffic Manager (LTM) and BIG-IP Application Security Manager (ASM) running in front of a deliberately vulnerable web application. We deploy the application in order to demonstrate the most common Layer 7 exploits and then illustrate how BIG-IP ASM protects against them. Robust web application security is a necessary complement to production-ready application workloads in vCloud Air, whether for test and development or for new application deployments.

VMWARE VCLOUD AIR AND F5 BIG-IP ASM | 1

Application Setup

Application                                   Version   Description
DVWA                                          1.8       Deliberately vulnerable web application built to demonstrate the most common web application exploits
BIG-IP Local Traffic Manager (LTM)            11.5.1    Core BIG-IP LTM functionality
BIG-IP Application Security Manager (ASM)     11.5.1    Web application firewall
Microsoft Windows Server                      2012      Web server host
XAMPP                                         1.8.3     Apache web server, PHP, and MySQL database
vCloud Air                                    N/A       IaaS platform

Deploy F5 BIG-IP LTM and BIG-IP ASM in vCloud Air

Follow these steps to download BIG-IP Virtual Edition (VE) and deploy it in vCloud Air.

1. Open a web browser, navigate to https://downloads.f5.com, and then click BIG-IP v11.x/Virtual Edition.
2. From the dropdown menu, choose version 11.5.1, and then click Virtual-Edition. Follow the download instructions.
3. Once the BIG-IP Virtual Edition image is downloaded, upload it into the vCloud Air My Catalog.
4. In vCloud Air, click Add Virtual Machine, select your resources, and choose the My Catalog tab.

Figure 1: Deploy BIG-IP 11.5.1.XX

5. Provide a name for your BIG-IP and ensure a public IP address is assigned to your primary management interface.
6. Set up NAT and firewall rules in vCloud Air to provide access to the management IP address. Because the management interface is reachable from the internet, restrict the firewall rule to the source addresses your administrators actually use rather than allowing any source.
7. After the BIG-IP is deployed, navigate to https://<bigip-public-ip-address> and log in with the default username admin and the default password admin. Change this default password before going any further.
8. License your BIG-IP using the automatic method.
9. In the Module Provisioning section, select BIG-IP LTM and BIG-IP ASM and set provisioning to Nominal.

Figure 2: Provision ASM and LTM modules on BIG-IP

For additional details on deploying BIG-IP VE, see https://support.f5.com.

Provision Internal and External VLANs on the BIG-IP

After you complete the initial BIG-IP system setup, you will need to provision the networking and VLANs. In this example, we create an Internal and an External VLAN and assign interfaces 1.1 and 1.2 to them respectively. The BIG-IP system's full-proxy architecture means that the virtual servers clients connect to reside on the External VLAN, while communication with the application server takes place on the Internal VLAN.

Figure 3: Create VLANs on the BIG-IP system

Assign Self-IP Addresses

Once you have created the VLANs, you will need to create at least one self-IP address for each VLAN. A self-IP address is an IP address on the BIG-IP system that you associate with a VLAN so that the system can reach hosts in that VLAN. By virtue of its netmask, a self-IP address represents an address space, that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address. (You can associate self-IP addresses not only with VLANs but also with VLAN groups.)

Self-IP addresses serve two purposes. First, when sending a message to a destination server, the BIG-IP system uses the self-IP addresses to determine the specific VLAN in which the destination server resides. For example, if VLAN Internal has a self-IP address of 10.10.10.100 with a netmask of 255.255.255.0, and the destination server's IP address is 10.10.10.20 (with a netmask of 255.255.255.255), the BIG-IP system recognizes that the server's IP address falls within the range of VLAN Internal's self-IP address and therefore sends the message to that VLAN. More specifically, the BIG-IP system sends the message to the interface that you assigned to that VLAN. If more than one interface is assigned to the VLAN, the BIG-IP system takes additional steps to determine the correct interface, such as checking the Layer 2 forwarding table.

Second, a self-IP address can serve as the default route for each destination server in the corresponding VLAN. In this case, the self-IP address of the VLAN appears as the destination IP address in the packet header when the server sends a response to the BIG-IP system.

Figure 4: Create self-IP addresses

Deploy Microsoft Windows Server in vCloud Air

Log on to the vCloud Air console by navigating to https://vchs.vmware.com. From the Virtual Machines tab, click Add Virtual Machine. You will be prompted to select your data center and resources, and then to choose a Windows server.
For our example, we chose Windows Server 2012 R2 64-bit (see Fig. 5). We deployed a single interface on this Windows VM, attached to the non-routable internal network, and chose 10.4.4.x for that network. This corresponds to the Internal VLAN we configured on the BIG-IP system. Because the server has no interface on a routable network, the only path to it from outside is through the BIG-IP virtual server, which is what keeps the deliberately vulnerable application installed later from being exposed directly. After you have configured this VM and assigned the network interface, the Windows server will boot and assign a default password. You will be prompted to change it immediately at login; choose a unique password for the administrator account. Once the Windows server is deployed, navigate to the network settings and change the default gateway to the self-IP of the Internal VLAN on the BIG-IP system.
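The self-IP explanation above shows one instance of the lookup the BIG-IP performs when it forwards to a server: the destination address is matched against the address space of each self-IP and the VLAN of the matching self-IP is chosen. The following Python block is an added example, not code from the guide or from F5, that implements the general form of that lookup (longest-prefix match across all self-IPs, with a "no VLAN" result when nothing matches). The self-IP table is constructed: the 10.10.10.100/24 entry is the guide's own example, while 10.4.4.1 for the Internal VLAN and 192.0.2.10 for the External VLAN are assumptions (the guide only says the internal network is 10.4.4.x and never gives the External self-IP).

```python
"""Egress VLAN selection from self-IP addresses.

Added example, not part of the F5/VMware guide. It models how a BIG-IP
decides which VLAN (and so which interface) a packet for a destination
server leaves on: the destination is matched against the address space
of every self-IP, and the most specific match wins. The self-IP/VLAN
table below is constructed for the example; 10.4.4.1 as the Internal
self-IP and 192.0.2.10 as the External self-IP are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SelfIP:
    address: str      # self-IP as configured on the BIG-IP
    netmask: str      # netmask configured with it
    vlan: str         # VLAN the self-IP is associated with
    interface: str    # interface assigned to that VLAN

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=False: 10.10.10.100/255.255.255.0 -> 10.10.10.0/24
        return ipaddress.IPv4Network(f"{self.address}/{self.netmask}", strict=False)


# Constructed self-IP table: the guide's worked example plus assumed lab values.
SELF_IPS = [
    SelfIP("10.10.10.100", "255.255.255.0", "Internal", "1.1"),  # worked example in the text
    SelfIP("10.4.4.1", "255.255.255.0", "Internal", "1.1"),      # assumed lab Internal self-IP
    SelfIP("192.0.2.10", "255.255.255.0", "External", "1.2"),    # assumed External self-IP
]


def select_vlan(dest: str, self_ips=SELF_IPS) -> Optional[SelfIP]:
    """Return the self-IP whose address space contains `dest`.

    A host address is compared as a /32 (netmask 255.255.255.255), as in
    the guide. When several self-IPs match, the longest prefix wins; when
    none matches, None is returned and the packet would have to follow
    the BIG-IP's route table instead of a directly-connected VLAN.
    """
    host = ipaddress.IPv4Address(dest)
    matches = [s for s in self_ips if host in s.network]
    if not matches:
        return None
    return max(matches, key=lambda s: s.network.prefixlen)


def egress_interface(dest: str) -> Optional[str]:
    """The interface a packet to `dest` leaves on, or None if no VLAN matches."""
    chosen = select_vlan(dest)
    return chosen.interface if chosen else None


if __name__ == "__main__":
    for target in ("10.10.10.20", "10.4.4.20", "198.51.100.7"):
        hit = select_vlan(target)
        print(target, "->", f"VLAN {hit.vlan} via {hit.interface}" if hit else "no directly-connected VLAN")
```

The Windows server built above sits at 10.4.4.x with the Internal self-IP as its default gateway, so under this table its return traffic is addressed to 10.4.4.1 and the BIG-IP's traffic to it leaves on interface 1.1; an address that matches no self-IP is the case where a route, not a VLAN, decides.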

Figure 5: Deploy Windows Server 2012 R2 Standard

Install the XAMPP Web Server and MySQL Database

XAMPP is a free package that bundles the Apache web server, PHP, and a MySQL database. In this exercise, we downloaded XAMPP from https://www.apachefriends.org/index.html, selected the Windows version 1.8.3 (PHP 5.5.15), and installed it on our Windows Server 2012 machine. Once you have downloaded XAMPP, run the installer and accept the default settings, launch the XAMPP Control Panel, and start the MySQL and Apache services (see Fig. 6). After they are running, open a browser and navigate to http://127.0.0.1, the loopback address of the local machine, to validate the installation.

Figure 6: XAMPP Control Panel

Install the DVWA Application

DVWA (Damn Vulnerable Web Application) is designed for security professionals as an aid for testing. It is deliberately constructed to be highly vulnerable to many Layer 7 attack vectors such as cross-site scripting, SQL injection, and brute-force attacks, which makes it an ideal web application for demonstrating the ability of BIG-IP ASM to protect even the most attack-prone applications. For the same reason it must never be reachable except through the BIG-IP; keep it on the non-routable internal network as deployed above.

To deploy DVWA, first download the application from http://www.dvwa.co.uk/. Once the download is complete, extract the files, remove all existing files from c:\xampp\htdocs, and copy the DVWA directory into c:\xampp\htdocs.

Figure 7: Copy DVWA to the root of c:\xampp\htdocs

Once you have copied the DVWA directory to c:\xampp\htdocs on the Windows server, navigate to http://127.0.0.1 (the loopback address) and log in with the username admin and the password password. In the left-hand sidebar, click Setup, then Create/Reset Database. This deploys the initial configuration of the DVWA application.

Figure 8: DVWA initial configuration and database setup

Configure the BIG-IP ASM Security Policy on the BIG-IP System

Once you have configured the BIG-IP LTM with its virtual server (bigip_webserver_vs in this example) and the associated NAT rules, configure a BIG-IP ASM security policy and associate it with that virtual server. Use the automatic policy builder to create the security policy.

1. In the Navigation pane of the BIG-IP Configuration utility, open the Security > Application Security > Security Policies > Active Policies page, and then click Create.
2. Leave Existing Virtual Server selected, and then click Next.

Figure 9: Application security policy

On the Configure Local Traffic Settings page:

1. In the Protocol list, select HTTPS.
2. For the HTTPS Virtual Server, leave bigip_webserver_vs selected, and then click Next.
3. Leave Create a policy automatically (recommended) selected, and then click Next.
4. From the Security Policy Language list, select Auto Detect, and then click Next.

On the Configure Attack Signatures page:

1. From the Available Systems list, move the following to the Assigned Systems list:
   Operating Systems > Windows
   Web Servers > Apache and Apache Tomcat
   Languages, Frameworks and Applications > PHP
   Database Servers > MySQL
   These match the stack built above (Windows, Apache, PHP, MySQL); assigning only the relevant systems keeps the signature set focused on the application and reduces false positives.
2. Leave Signature Staging enabled, and then click Next.

On the Configure Automatic Policy Building page:

1. From the Policy Type list, select Comprehensive.
2. Slide the Policy Builder learning speed control to Fast.
3. From the Trusted IP Addresses list, leave Address List selected. In the IP Address box, type xxx.xxx.xxx.xxx (your trusted IP addresses); in the Netmask box, type 255.255.255.0, and then click Add. The Policy Builder treats traffic from these addresses as legitimate, so list only the addresses your own testers use.
4. Click Next, and then click Finish.

Once you have created your security policy, you will need to associate it with your virtual server.

1. From the Configuration utility's welcome page, navigate to Local Traffic > Virtual Servers.
2. Double-click the virtual server bigip_webserver_vs, then click the Resources tab at the top of the window (see Fig. 10).

Figure 10: Resources for virtual server bigip_webserver_vs

3. Under Policies, click Manage.
4. In the dialog box that opens, associate the security policy with your virtual server.

Figure 11: Add security policy to bigip_webserver_vs

Create Trusted Learning Suggestions for Automatic Policy Building

In this section, you will verify the functionality of BIG-IP ASM in combination with BIG-IP LTM. As a web application firewall (WAF), BIG-IP ASM stages potentially illegal requests rather than blocking them outright, and lets the WAF administrator fine-tune which of these prospective exploits are blocked. This prevents false positives and ensures that the application continues to perform as expected. First, we navigate to the DVWA server, perform activities such as cross-site scripting, command injection, and SQL injection, and engage in insecure activities such as entering social security numbers. We then return to the BIG-IP system and fine-tune the policy to block these prohibited behaviors.

1. Open a web browser to access the DVWA virtual server and attempt various well-known attacks against the website to determine its current security state.
2. Open a new tab, go to https://<ip address of demo>, and log into DVWA with the username admin and the password password.
3. On the navigation menu, click Command Execution. Here you can enter a hostname or IP address, which is sent to the web server. The web server then pings the hostname or IP address and displays the results.

Password Retrieval

Try to retrieve the password list by typing cat /etc/passwd, and then click Submit. Nothing is returned, demonstrating that you cannot use the cat command on its own. Now type xxx.xxx.xxx.xxx; cat /etc/passwd (an IP address followed by the cat command), and then click Submit. By preceding the cat command with an IP address, you are able to expose the contents of the passwd file on the web server: the application appends your input to its ping command and hands the whole string to a shell, which treats the semicolon as a command separator. This is not the intended use of this field, and it is exactly what attackers look for. (The payload as written assumes a Linux web server. On the Windows XAMPP host built in this guide, cmd.exe uses & rather than ; as the command separator and there is no /etc/passwd, so substitute a Windows command such as type on a readable file; the injection mechanism is the same.)

SQL Injection

The SQL Injection page in DVWA is designed to display various types of database information. In the following examples, we demonstrate how easy it is to extract information (such as the ID, first name, and surname of a user) from the database using SQL commands. To reproduce the results of each example, begin by following these steps:

1. From the DVWA navigation menu, click SQL Injection.
2. In the User ID field, type 1, and then click Submit. This returns the single expected record.

Then enter each of the following in the User ID field, clicking Submit after each:

%' or 1='1
Displays all of the users in the database, because the injected OR condition is always true.

%' or 1=1 union select null, database() #
Displays the database name (dvwa).

%' or 1=1 union select null, table_name from information_schema.tables #
Every record after Bob Smith displays the name of a table on this database server.

%' or 1=1 union select null, concat(0x0a, user_id, 0x0a, first_name, 0x0a, last_name, 0x0a, user, 0x0a, password) from users #
Every record after Bob Smith displays the user ID, first name, last name, user name, and password (as a hash) of a different user in the users table.

As each example shows, without protection the database is highly vulnerable.

Fine-Tune the Security Policy

In this section, we return to the BIG-IP system to fine-tune the security policy to block prospective exploits.
The potentially illegal behavior was placed in Staging first; we now move to blocking the insecure application exploits.

1. In the Configuration utility, open the Security > Application Security > Policy Building > Status (Automatic) page. The Policy Builder has been analyzing the traffic generated above.

Figure 12: Policy Builder traffic analysis

2. In the Details section, click File Types, and then Staging.

Figure 13: Choose the Staging option

3. At the bottom of the page displayed, for the css, js, no_ext, php, and png entries, click the corresponding Enforce button. This removes these five file types from staging.
4. In the Details section, select Parameters, and then Staging. Multiple parameters are currently in staging.
5. Open the Settings page.
6. In the Automatic Policy Building Settings section, clear the Real Traffic Policy Builder checkbox, and then click Save. From this point the policy is no longer modified automatically by the traffic you generate while testing.

Block Insecure Application Exploits

1. Open the Security > Application Security > File Types > Allowed File Types page.
2. Select the * checkbox, click Delete, and then click OK. With the wildcard gone, only the five file types enforced above remain allowed.

Figure 14: Delete the * file type

3. Open the Security > Application Security > Parameters > Parameters List page.
4. Select the * checkbox, click Delete, and then click OK.
5. Select the id, ip, and mtxMessage checkboxes, and then click Enforce. This removes these parameters from staging.
6. Open the Security > Application Security > URLs > Allowed URLs page.
7. Delete the HTTP and HTTPS wildcard (*) entries.

Change Attack Signatures

1. Open the Security > Application Security > Attack Signatures > Attack Signatures Configuration page.

2. From the Available Signature Sets list, select Command Execution Signatures, Cross Site Scripting Signatures, and SQL Injection Signatures, and then click << to assign them.
3. Clear the Signature Staging checkbox, and then click Save. With staging off, requests matching these signatures are enforced rather than only reported.

Figure 15: Configure attack signatures

Configure Data Guard

1. Open the Security > Application Security > Data Guard page.
2. Select the Data Guard, Credit Card Numbers, U.S. Social Security Numbers, and Mask Data checkboxes, and then click Save. This masks credit card and social security numbers in responses.

Figure 16: Set Data Guard for credit card and social security numbers

Set Blocking Behavior and Apply the Policy

1. Open the Security > Application Security > Blocking > Settings page.
2. In the Negative Security Violations section, clear the Block checkbox for Data Guard, and then click Save. This ensures that credit card numbers and social security numbers are masked, but the pages that display the masked values are not blocked by BIG-IP ASM.
3. Click Apply Policy, and then click OK. Changes take effect only once the policy is applied.

Figure 17

Now that you have fine-tuned your security policy, open a browser and navigate back to the DVWA site. From the navigation menu, choose XSS Stored, and then enter a number sequence that looks like a social security number. Click Sign Guestbook and you will see that the number you entered has been masked. This prevents data leakage and ensures that personal information is not compromised.
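The Data Guard settings above mask sensitive numbers in the response while leaving the page itself unblocked. The following Python block is an added example, not code from the guide and not F5's implementation, that shows the kind of check a WAF performs on a response body for that purpose: find SSN-shaped and card-shaped digit strings, keep only candidates that pass a validity test (the Luhn check for card numbers, so that an order number is not masked by mistake), replace the digits with asterisks, and report what was masked so the event can be alarmed on without blocking. The guestbook text is constructed, and the numbers in it are standard test values, not real identifiers.

```python
"""Data Guard-style masking of credit card and social security numbers.

Added example, not code from the guide or F5's implementation. It shows
the check a WAF makes on a response body before it reaches the client:
find SSN-shaped and card-shaped digit strings, keep only the candidates
that pass a validity test (Luhn for cards), replace them with asterisks,
and report what was masked so the event can be alarmed on without
blocking the page, which is the behavior the guide configures. The
guestbook entries are constructed; the numbers are test values.
"""
import re
from typing import List, Tuple

# SSN: groups of 3-2-4 digits, separators optional. Area 000, 666 and 9xx,
# group 00 and serial 0000 are never issued, so they are excluded up front.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}(?!\d)")
# Card candidate: 13-19 digits with optional single spaces/dashes; Luhn decides.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def _mask(match_text: str) -> str:
    """Replace every digit, keep separators so the page layout survives."""
    return re.sub(r"\d", "*", match_text)


def mask_sensitive(body: str) -> Tuple[str, List[str]]:
    """Return (masked body, list of violation descriptions).

    Cards are handled first so that the trailing digits of a card number
    are not later mis-read as an SSN.
    """
    findings: List[str] = []

    def card_repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(f"credit card ending {digits[-4:]}")
            return _mask(m.group(0))
        return m.group(0)       # fails Luhn: leave it, e.g. an order number

    body = CARD_RE.sub(card_repl, body)

    def ssn_repl(m):
        findings.append("U.S. social security number")
        return _mask(m.group(0))

    body = SSN_RE.sub(ssn_repl, body)
    return body, findings


# Constructed guestbook page, as the XSS Stored page would render it.
GUESTBOOK = (
    "Name: test\nMessage: my ssn is 078-05-1120 please call\n"
    "Name: test2\nMessage: card 4111 1111 1111 1111 exp 12/26\n"
    "Name: test3\nMessage: order 1234567890123 shipped\n"
)

if __name__ == "__main__":
    masked, hits = mask_sensitive(GUESTBOOK)
    print(masked)
    print("violations:", hits)
```

Run on the constructed guestbook, the SSN and the card number come back as asterisks while the 13-digit order number, which fails the Luhn check, is left intact; the findings list is what would be raised as a Data Guard violation. Because the function returns the masked body rather than refusing it, it corresponds to the configuration above where Block is cleared for Data Guard and only masking and alarming remain.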

Conclusion

As VMware continues to broaden the portfolio of solutions in its vCloud Air public cloud offering, enterprises will transition from test and development to enterprise-ready application deployments. Performance, availability, and security of these applications are crucial to new application deployments, as well as to the migration and expansion of existing application workloads. With the addition of the BIG-IP LTM and BIG-IP ASM modules in vCloud Air, enterprise customers can deploy new application workloads, build a robust disaster recovery and business continuity strategy, and secure their web applications in vCloud Air.

Learn More

F5 on the vCloud Air Solution Exchange
F5 and VMware Technology Alliance

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2015 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.