F5 BIG DDoS Umbrella
Configuration Guide
Jeff Stathatos
September 2014
Table of Contents

1. Introduction
   1.1. Purpose
   1.2. Limitations
   1.3. Requirements
2. Configuration
   2.1. HP VAN SDN Controller
      2.1.1. Getting the App
      2.1.2. Installing the App
      2.1.3. Navigating the App
   2.2. F5 BIG DDoS Umbrella
      2.2.1. Notification
3. Roadmap
   3.1. Future F5 BIG DDoS Umbrella options
      3.1.1. UI Log messaging
      3.1.2. Enhanced reporting
      3.1.3. Integrated remediation
      3.1.4. Action options
      3.1.5. BIG-IP installation
      3.1.6. BIG-IQ component
      3.1.7. Multiple instances
      3.1.8. Cloud extension
   3.2. Future F5 BIG-IP options
      3.2.1. iApp Configuration
      3.2.2. Additional Module Support
4. Summary
1. Introduction

This configuration guide is designed to help you understand the F5 BIG DDoS Umbrella and how to implement its configuration.

1.1. Purpose

The F5 BIG DDoS Umbrella (the App) is designed to illustrate how the HP VAN SDN Controller can be leveraged to extend network functionality and programmability between the two technologies. This framework will help joint end users identify key areas of collaboration for adding intelligent context between F5 BIG-IP and HP VAN SDN.

The F5 BIG DDoS Umbrella is a "Community" level App designed to extend the DDoS protection of BIG-IP to the edge of the network, closer to the attacker. It is a framework which the user may openly use for enhancement and improvement. No liability or support is assumed by F5 or the App creator with the use of this App, which is designed and developed for demonstration purposes. This App is available FREE and "AS-IS" with no assumptions of warranty or protection.

Adding the F5 BIG DDoS Umbrella to your SDN environment does not include any additional DDoS configuration or identification. It is expected that DDoS protection has already been implemented on BIG-IP; the additional functionality brought by this configuration will not affect the protection level already implemented.

A video for the F5 BIG DDoS Umbrella has been created to walk you through this App.

1.2. Limitations

The first implementation of the BIG DDoS Umbrella leverages the Common Event Format (CEF) logging ability of BIG-IP. As such, BIG-IP DDoS integration is limited to Application DDoS with F5 BIG-IP Application Security Manager (ASM) and Network DDoS with F5 BIG-IP Advanced Firewall Manager (AFM). Integration for SSL DDoS on F5 BIG-IP Local Traffic Manager (LTM) and DNS DDoS on F5 BIG-IP Global Traffic Manager (GTM) are future possibilities that the community may consider.
Figure 1. BIG-IP DDoS Modules

1.3. Requirements

This configuration guide assumes an existing configuration of DDoS protection on BIG-IP ASM and/or BIG-IP AFM. It is assumed that BIG-IP has the necessary modules (ASM and/or AFM) licensed and properly configured for the level of native protection desired on BIG-IP. Support for CEF was added for BIG-IP ASM in F5 TMOS v10.1, while support for BIG-IP AFM was added in TMOS v11.4.1. Therefore, for documentation purposes, TMOS v11.4.1 was used.

2. Configuration

The F5 BIG DDoS Umbrella has two main components. The first is the SDN Controller App, which adds the functionality the SDN Controller needs to interact with BIG-IP. The second is F5 logging, which directs BIG-IP messaging towards the SDN Controller. Both components are required for use.

2.1. HP VAN SDN Controller

The F5 BIG DDoS Umbrella has been designed to work with the HP VAN SDN Controller.
2.1.1. Getting the App

The F5 BIG DDoS Umbrella App is available for download from the HP AppStore on your HP VAN SDN Controller. In addition, the App will be made available on the F5 DevCentral site for HP.

2.1.2. Installing the App

Installation of the App on the SDN Controller is very simple once you have selected the App. There are no additional configuration components on the App.

2.1.3. Navigating the App

Once installed, the App provides the framework for two areas. The first area is designed to maintain visibility into the log messages sent to the App; this will help the operator understand what is happening. The second area provides information on events for reporting analysis, to categorize events and provide a timeline with the frequency of events.

Figure 2. App Navigation

2.2. F5 BIG DDoS Umbrella

Because the App leverages the native CEF logging of BIG-IP, configuration is provided for both ASM and AFM. CEF support was chosen to help simplify the requirements while leveraging the integrated support for HP ArcSight.
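What the App receives from BIG-IP is a stream of CEF lines, so the first thing a controller-side component has to do is parse them correctly. The following parser is an added example written for this guide; it is not code from the App, from HP or from F5. It splits the seven pipe-delimited header fields while honouring the CEF escape rules (`\|` and `\\` in the header, `\=`, `\\`, `\n` and `\r` in extension values), parses the key=value extension, and then offers the two views the App's second area is described as providing: event counts per category and the set of source addresses reported at or above a severity threshold. The sample lines are constructed to show the format and are not real BIG-IP output; the product names, signature ids and extension keys in them are placeholders.

```python
import re
from typing import Any, Dict, Iterable, List, Set

# The seven pipe-delimited CEF header fields, in order.
CEF_HEADER_FIELDS = ["version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity"]
# An extension key is preceded by start-of-string or whitespace, so an
# escaped "\=" inside a value is never mistaken for the start of a new key.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

def _split_header(text: str):
    """Split the seven header fields, honouring the CEF escapes \\| and \\\\."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < len(CEF_HEADER_FIELDS):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped char: take it literally
            buf.append(text[i + 1])
            i += 2
        elif ch == "|":                         # unescaped pipe closes a field
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < len(CEF_HEADER_FIELDS):
        raise ValueError("CEF header has fewer than seven fields")
    return fields, text[i:]                     # remainder is the extension

def _unescape_value(raw: str) -> str:
    """Undo extension escapes: \\= -> =, \\\\ -> \\, \\n and \\r -> line breaks."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append({"n": "\n", "r": "\r"}.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)

def _parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'key=value key2=value with spaces' into a dict."""
    keys = list(_KEY_RE.finditer(ext))
    result: Dict[str, str] = {}
    for idx, match in enumerate(keys):
        # a value runs up to the whitespace that precedes the next key
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        result[match.group(1)] = _unescape_value(ext[match.end():end])
    return result

def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one CEF line; a syslog prefix before 'CEF:' is tolerated."""
    line = line.rstrip("\r\n")
    start = line.find("CEF:")
    if start == -1:
        raise ValueError("line carries no CEF: marker")
    fields, ext = _split_header(line[start:])
    event: Dict[str, Any] = dict(zip(CEF_HEADER_FIELDS, fields))
    event["version"] = fields[0][len("CEF:"):]
    event["extension"] = _parse_extension(ext)
    return event

def count_by_name(lines: Iterable[str]) -> Dict[str, int]:
    """Event frequency per CEF 'name' field (the App's event categorisation)."""
    counts: Dict[str, int] = {}
    for line in lines:
        try:
            name = parse_cef(line)["name"]
        except ValueError:
            name = "<unparsable>"
        counts[name] = counts.get(name, 0) + 1
    return counts

def attack_sources(lines: Iterable[str], min_severity: int = 7) -> Set[str]:
    """Source addresses reported at or above a numeric CEF severity."""
    sources: Set[str] = set()
    for line in lines:
        try:
            event = parse_cef(line)
            severity = int(event["severity"])
        except ValueError:
            continue                   # unparsable line or non-numeric severity
        if severity >= min_severity and event["extension"].get("src"):
            sources.add(event["extension"]["src"])
    return sources

# Constructed sample lines in the CEF shape (not real BIG-IP output).
SAMPLE_LINES = [
    "<134>Sep 14 10:00:01 bigip1 CEF:0|F5|AFM|11.4.1|1001|Network DoS Event|7|"
    "rt=Sep 14 2014 10:00:01 src=198.51.100.23 spt=40123 dst=203.0.113.10 dpt=80 "
    "proto=TCP act=Drop cs1=tcp_syn_flood cs1Label=attack_type",
    "CEF:0|F5|ASM|11.4.1|2001|Application DoS Event|8|"
    "src=198.51.100.30 request=/index.php?q\\=1 dst=203.0.113.10 dpt=443 act=Blocked",
    "CEF:0|F5|AFM|11.4.1|3001|ACL Match|3|src=192.0.2.5 dst=203.0.113.10 dpt=22 act=Accept",
    "this is not a CEF line",
]
```

Two points matter in practice. The remote high-speed log destination may prepend a syslog header before the `CEF:` marker, which is why `parse_cef` searches for the marker rather than assuming the line starts with it. And a line that does not parse is counted as `<unparsable>` rather than dropped silently, so a misconfigured publisher or a format change on BIG-IP shows up in the App's reporting instead of disappearing.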
The following illustration shows the components necessary and walks you through the configuration flow overview (Figure 3).

Figure 3. Flow Overview

2.2.1. Notification

The following steps walk you through the configuration requirements for notifications to be sent to the SDN Controller. This configuration can be simplified by utilizing an iApp template; that option is discussed further in the "Future F5 BIG-IP options" section of this document.

A. Create a pool of SDN Controllers

Before creating a pool of servers, identify the IP addresses of the SDN Controller(s) you want to include in the pool.

1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
2. Click the Create button. The New Pool screen opens.
3. In the Name field, type a unique name for the pool.
4. Using the New Members setting, add the IP address for each SDN Controller you want to include in the pool:
   a) Type an IP address in the Address field.
   b) Type the service port number in the Service Port field.
   c) Click Add.
5. Click Finished.

Once completed, you should have the following items configured:
Figure 4. Pool List for SDN Controllers

Figure 5. Pool Members

B. Create a remote high-speed log destination

Configure a log destination of the "Remote High-Speed Log" type to specify that log messages are sent to a pool.

1. On the Main tab, click System > Logs > Configuration > Log Destinations. The Log Destinations screen opens.
2. Click Create.
3. In the Name field, type a unique, identifiable name for this destination. This name will be selected in step C.5 below.
4. From the Type list, select Remote High-Speed Log.
5. From the Pool Name list, select the pool of SDN Controllers.
6. From the Protocol list, select the protocol used.
7. Click Finished.

C. Create an ArcSight formatted remote log destination

1. On the Main tab, click System > Logs > Configuration > Log Destinations. The Log Destinations screen opens.
2. Click Create.
3. In the Name field, type a unique, identifiable name for this destination. This name will be selected in step D.4 below.
4. From the Type list, select an ArcSight formatted logging destination.
5. From the Forward To list, select the destination that points to the pool of SDN Controllers to which you want the BIG-IP system to send log messages. This is the unique, identifiable name you provided in step B.3 above.
6. Click Finished.
Figure 6. Log Destinations

D. Create a publisher

1. On the Main tab, click System > Logs > Configuration > Log Publishers. The Log Publisher screen opens.
2. Click Create.
3. In the Name field, type a unique, identifiable name for this publisher.
4. For the Destinations setting, in the Available list, select a destination and click << to move the destination to the Selected list. This is the unique, identifiable name you provided in step C.3 above.
5. Click Finished.

Figure 7. Log Publishers
Figure 8. Log Publisher Destinations

E. Create a custom DoS Protection Logging profile

1. On the Main tab, click Security > Event Logs > Logging Profiles. The Logging Profiles list screen opens.
2. Click Create. The New Logging Profile screen opens.
3. In the Name field, type a unique name for the profile.
4. Select the Network Firewall check box.
5. In the Network Firewall area, from the Publisher list, select the publisher the BIG-IP system uses to log Network Firewall events.
6. For the Log Rule Matches setting, select how the BIG-IP system logs packets that match ACL rules. You can select any or all of the available options.
7. Select the Log IP Errors check box to enable logging of IP error packets.
8. Select the Log TCP Errors check box to enable logging of TCP error packets.
9. Select the Log TCP Events check box to enable logging of the open and close of TCP sessions.
10. From the Storage Format list, select how the BIG-IP system formats the log.
11. OPTIONAL: In the IP Intelligence area, from the Publisher list, select the publisher the BIG-IP system uses to log source IP addresses which, according to an IP Address Intelligence database, have a bad reputation, together with the name of the bad reputation category. This step is for BIG-IP systems with IP Address Intelligence licensed and enabled.
12. Click Finished.

Assign this custom Network Firewall Logging profile to a virtual server.
Figure 9. Logging Profiles

F. Configure an LTM virtual server for event logging

1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
2. Click the name of the virtual server you want to modify.
3. From the Security menu, select Policies. The screen displays Policy Settings and Rules settings.
4. From the Log Profile list, select Enabled. Then, for the Profile setting, move the profiles that log specific events to specific locations from the Available list to the Selected list.
5. Click Update to save your changes.

G. Disabling logging

In some circumstances you may need to disable (and later re-enable) Network Firewall event logging, when you no longer want the BIG-IP system to log specific events on the traffic handled by specific resources.

1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
2. Click the name of the virtual server you want to modify.
3. From the Security menu, select Policies. The screen displays Policy Settings and Rules settings.
4. From the Log Profile list, select Disabled.
5. Click Update to save your changes.

The BIG-IP system will no longer log the events specified in this profile to the SDN Controller. To re-enable logging, simply change Disabled back to Enabled.
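Steps A to F form a chain in which each object is selected by name in the next one (the destination from B.3 is selected in C.5, the destination from C.3 in D.4, the publisher in E.5, the profile in F.4), and any iApp or REST-driven automation of the kind the roadmap describes has to reproduce that order. The following is an added example written for this guide, not code from the guide, from an iApp or from F5: it emits the equivalent tmsh commands for steps A to F and checks that every name is created before it is referenced. The tmsh syntax and the Network Firewall filter keys are written from memory of BIG-IP v11 and are an assumption, as are the object names derived from the prefix; verify them against the tmsh reference for your TMOS version before use.

```python
import re
from typing import List, Sequence, Tuple


def build_sdn_logging_commands(controllers: Sequence[str], virtual_server: str,
                               port: int = 514, protocol: str = "udp",
                               prefix: str = "sdn_umbrella") -> List[str]:
    """tmsh commands for steps A-F; each named object refers to the previous one.

    Object names are derived from `prefix`. The tmsh syntax is written from
    memory of BIG-IP v11 and is an assumption, not taken from the guide.
    """
    if not controllers:
        raise ValueError("at least one SDN Controller address is required")
    if protocol not in ("udp", "tcp"):
        raise ValueError("protocol must be udp or tcp")
    pool, hsl = f"{prefix}_pool", f"{prefix}_hsl"
    arcsight, publisher = f"{prefix}_arcsight", f"{prefix}_publisher"
    profile = f"{prefix}_dos_log"
    members = " ".join(f"{ip}:{port}" for ip in controllers)
    return [
        # A. pool of SDN Controllers
        f"create ltm pool {pool} members add {{ {members} }}",
        # B. remote high-speed log destination that sends to the pool
        f"create sys log-config destination remote-high-speed-log {hsl} "
        f"pool-name {pool} protocol {protocol}",
        # C. ArcSight (CEF) formatted destination forwarding to B (the B.3 -> C.5 link)
        f"create sys log-config destination arcsight {arcsight} forward-to {hsl}",
        # D. publisher whose only destination is C (the C.3 -> D.4 link)
        f"create sys log-config publisher {publisher} destinations add {{ {arcsight} }}",
        # E. Network Firewall logging profile that logs through publisher D
        f"create security log profile {profile} network add {{ {profile} {{ "
        f"publisher {publisher} filter {{ log-acl-match-drop enabled "
        "log-acl-match-reject enabled log-ip-errors enabled "
        "log-tcp-errors enabled log-tcp-events enabled } } }",
        # F. attach the profile to the virtual server
        f"modify ltm virtual {virtual_server} security-log-profiles add {{ {profile} }}",
    ]


# Where a command defines a name, and where it refers to an earlier one.
_DEFINES = re.compile(r"^create (?:ltm pool|sys log-config destination \S+"
                      r"|sys log-config publisher|security log profile) (\S+)")
_REFERENCES = [
    re.compile(r"pool-name (\S+)"),                        # B -> A
    re.compile(r"forward-to (\S+)"),                       # C -> B
    re.compile(r"destinations add \{ (\S+) \}"),           # D -> C
    re.compile(r"\{ publisher (\S+)"),                     # E -> D
    re.compile(r"security-log-profiles add \{ (\S+) \}"),  # F -> E
]


def check_reference_order(commands: Sequence[str]) -> List[Tuple[int, str]]:
    """Return (command index, name) for every reference to an object not yet created.

    An empty list means the commands can be applied top to bottom. The GUI
    procedure has the same constraint: each screen's list only offers objects
    that already exist.
    """
    defined = set()
    problems: List[Tuple[int, str]] = []
    for idx, cmd in enumerate(commands):
        for pattern in _REFERENCES:
            for name in pattern.findall(cmd):
                if name not in defined:
                    problems.append((idx, name))
        defined_here = _DEFINES.match(cmd)
        if defined_here:
            defined.add(defined_here.group(1))
    return problems


if __name__ == "__main__":
    # constructed controller addresses and virtual server name
    cmds = build_sdn_logging_commands(["10.1.1.10", "10.1.1.11"], "vs_web")
    assert check_reference_order(cmds) == []
    print("\n".join("tmsh " + c for c in cmds))
```

Running the script prints the six commands in order, and `check_reference_order` is the review step: if a generated or hand-edited command list is reordered, or a destination is renamed in one place but not the other, the function reports the command index and the missing name instead of letting tmsh fail part-way through with half of the chain created.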
3. Roadmap

Having the future in mind when developing the App will help preserve modularity and open up consideration for improvements. The following list of improvements will be addressed with updates to the existing App. Just as there are two components to the App today, this section has two components. It is not exhaustive and provides only a high-level summary.

3.1. Future F5 BIG DDoS Umbrella options

One component worth consideration is the App itself. These are updates which can be achieved directly on the SDN Controller.

3.1.1. UI Log messaging

The existing structure for the App has designated an area for presenting events. The desire would be to provide attacker information, BIG-IP source information and attack information, along with activity status.

3.1.2. Enhanced reporting

Two charts are included in the App. These are provided to give high-level feedback for expected reporting requirements.

3.1.3. Integrated remediation

When automating remediation functionality, there is always concern about the changes made. One area to add functionality within the App is to leverage changes available with other networking components like switches, routers and firewalls.

3.1.4. Action options

Blocking traffic is one option for changes in remediation. Other potential choices may include rate limiting and redirection of traffic. These options would help to reduce traffic while allowing it to continue throttled, as well as sending traffic to a honeypot or "secure" area for observation.

3.1.5. BIG-IP installation

Once this App has matured, packaging the iApp and all configuration components within the App will help simplify implementation. The potential would be to leverage REST APIs on BIG-IP.

3.1.6. BIG-IQ component

BIG-IQ is an area where coordination of functionality could help simplify communication between the SDN Controller and BIG-IP.

3.1.7. Multiple instances

Having the ability to extend this implementation to multiple instances and multiple sites will further improve the value achieved.
3.1.8. Cloud extension

With some DDoS solutions utilizing Cloud protection, this App could provide additional integrated functionality with Cloud-based solutions, helping to orchestrate protection ability as well as mitigation options.

3.2. Future F5 BIG-IP options

Implementation for this App is designed to demonstrate what is achievable through SDN. As the technology grows in adoption, many of the components required will be consolidated to help simplify the goals desired. This section identifies areas on the BIG-IP where simplification and expansion can be achieved.

3.2.1. iApp Configuration

An iApp is a templated way to create configuration structures within BIG-IP. Reducing the configuration on the BIG-IP to a simple iApp, which identifies licensed modules and requests SDN Controller information, has begun. This iApp is available upon request and is not included in the original release. Within the iApp, an Alert mechanism is being designed to notify the SDN Controller of its presence, along with information for registration to the App. One additional phase for the iApp would be to include a component for activation on BIG-IP directly from the BIG DDoS Umbrella App itself, with "phone home" capability.

3.2.2. Additional Module Support

As BIG-IP adds CEF formatted support for GTM and LTM, the addition of those modules to this App should be relatively easy.

4. Summary

The F5 BIG DDoS Umbrella is designed to bring the intelligence of BIG-IP into an SDN environment to provide context and awareness to the SDN Controller. This App framework was designed as a starting point to identify a key area, Security, where context is necessary. The developer of this App provides this document as a guideline to help move forward the adoption of SDN. The desire in providing this App as a Community resource is to further develop the capability achieved, allowing customers and partners to help direct the path.
F5 DevCentral provides an HP Partner collaboration site designed to bring resources together to identify and grow integrated solutions with HP. Updates and collaboration with others can be found there.