BIG-IP® Data Center Firewall Configuration Guide

Version 11.1


Table of Contents

Legal Notices (p. 5)

Acknowledgments (p. 7)

Chapter 1: Introduction to the BIG-IP Data Center Firewall (p. 11)
  Overview (p. 12)
  Features and benefits (p. 12)
  BIG-IP data center firewall packet handling (p. 12)

Chapter 2: Prerequisites for System Configuration (p. 15)
  List of prerequisite tasks (p. 16)

Chapter 3: Securing BIG-IP Administrative Access (p. 17)
  Overview (p. 18)
  Configuring security settings for administrative login (p. 18)
  Configuring a password policy for administrative users (p. 18)
  Creating a BIG-IP system user account (p. 19)
  Configuring a security level for a self IP address (p. 19)

Chapter 4: Logging (p. 21)
  Overview (p. 22)
  Logging server and profile setup (p. 22)
    Specifying Syslog servers (p. 22)
    Creating a pool of servers for high-speed logging (p. 22)
    Configuring a profile for high-speed logging (p. 23)

Chapter 5: Access Control Lists (p. 29)
  Overview (p. 30)
  Packet filter configuration (p. 30)
    Enabling packet filtering on the BIG-IP system (p. 30)
    Creating a packet filter rule to allow traffic (p. 31)
    Creating a packet filter rule to deny traffic (p. 31)
  Application-specific access control using iRules (p. 32)

Chapter 6: Traffic Listeners (p. 33)
  Overview (p. 34)
  Virtual server configuration (p. 34)
    Creating a Services profile within LTM (p. 34)
    Creating a load balancing pool (p. 35)
    Creating an iRule (p. 36)
    Host virtual servers (p. 36)
    Network virtual servers (p. 38)
  Configuring a SNAT (p. 39)

Chapter 7: Advanced Security (p. 41)
  Overview (p. 42)
  Distributed Denial of Service protection (p. 42)
    Configuring adaptive reaping (p. 42)
  SYN flood protection (p. 42)
    Adjusting the SYN Check threshold (p. 43)
  ICMP packet handling (p. 43)
    Limiting ICMP responses (p. 43)
    Limiting ICMP unreachable packets (p. 43)
  IPsec protocol configuration (p. 44)
    Creating an IKE peer (p. 44)
    Creating a bidirectional IPsec policy (p. 45)
    Creating a bidirectional IPsec traffic selector (p. 46)

Chapter 8: Dynamic Attack Mitigation (p. 47)
  Overview (p. 48)
  Server resource cloaking (p. 48)
  Protection from Apache Killer attacks (p. 48)

Chapter 9: Additional Attack Prevention using BIG-IP PSM and BIG-IP ASM (p. 49)
  Overview (p. 50)
  What is BIG-IP Protocol Security Module? (p. 50)
    Applying protocol security to an LTM profile (p. 50)
  Advanced Layer 7 protection using BIG-IP Application Security Manager (p. 51)

Legal Notices

Publication Date

This document was published on March 9, 2012.

Publication Number

MAN-0395-00

Copyright

Copyright © 2012, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks

3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud Extender, CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, ScaleN, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction, VIPRION, vCMP, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.

All other product and company names herein may be trademarks of their respective owners.

Export Regulation Notice

This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference Warning

This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

FCC Compliance

This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance

This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance

This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.


Acknowledgments

This product includes software developed by Bill Paul.

This product includes software developed by Jonathan Stone.

This product includes software developed by Manuel Bouyer.

This product includes software developed by Paul Richards.

This product includes software developed by the NetBSD Foundation, Inc. and its contributors.

This product includes software developed by the Politecnico di Torino, and its contributors.

This product includes software developed by the Swedish Institute of Computer Science and its contributors.

This product includes software developed by the University of California, Berkeley and its contributors.

This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory.

This product includes software developed by Christopher G. Demetriou for the NetBSD Project.

This product includes software developed by Adam Glass.

This product includes software developed by Christian E. Hopps.

This product includes software developed by Dean Huxley.

This product includes software developed by John Kohl.

This product includes software developed by Paul Kranenburg.

This product includes software developed by Terrence R. Lambert.

This product includes software developed by Philip A. Nelson.

This product includes software developed by Herb Peyerl.

This product includes software developed by Jochen Pohl for the NetBSD Project.

This product includes software developed by Chris Provenzano.

This product includes software developed by Theo de Raadt.

This product includes software developed by David Muir Sharnoff.

This product includes software developed by SigmaSoft, Th. Lockert.

This product includes software developed for the NetBSD Project by Jason R. Thorpe.

This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com.

This product includes software developed for the NetBSD Project by Frank Van der Linden.

This product includes software developed for the NetBSD Project by John M. Vinopal.

This product includes software developed by Christos Zoulas.

This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman.

This product includes software developed by Balazs Scheidler ([email protected]), which is protected under the GNU Public License.

This product includes software developed by Niels Mueller ([email protected]), which is protected under the GNU Public License.

In the following statement, This software refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with 386BSD and similar operating systems. Similar operating systems includes mainly non-profit oriented systems for research and education, including but not restricted to NetBSD, FreeBSD, Mach (by CMU).

This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).

This product includes software licensed from Richard H. Porter under the GNU Library General Public License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.

This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com.

This product includes software developed by Jared Minch.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product contains software based on oprofile, which is protected under the GNU Public License.

This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License.

This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL).

This product includes software developed by the Apache Software Foundation (http://www.apache.org/).

This product includes Hypersonic SQL.

This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others.

This product includes software developed by the Internet Software Consortium.

This product includes software developed by Nominum, Inc. (http://www.nominum.com).

This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License.

This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation.

This product includes software developed by the Computer Systems Engineering Group at Lawrence Berkeley Laboratory. Copyright ©1990-1994 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the Computer Systems Engineering Group at Lawrence Berkeley Laboratory.


4. Neither the name of the University nor of the Laboratory may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software developed by Sony Computer Science Laboratories Inc. Copyright © 1997-2003 Sony Computer Science Laboratories Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY SONY CSL AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SONY CSL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Chapter 1: Introduction to the BIG-IP Data Center Firewall

Topics:

• Overview
• Features and benefits
• BIG-IP data center firewall packet handling


Overview

The BIG-IP® system offers native, high-performance firewall services to protect the entire network infrastructure, and operates as a purpose-built, high-performance application delivery controller (ADC) designed to protect data centers. In many cases, the BIG-IP system can replace an existing firewall while also offering scale, performance, and persistence.

The BIG-IP system provides a unified view of Layer 3 through Layer 7, as well as integration with Security Incident and Event Manager (SIEM) vendors.

Features and benefits

The BIG-IP system includes these firewall features:

• Protocol security: The BIG-IP system natively decodes IPv4, IPv6, TCP, HTTP, SIP, DNS, SMTP, FTP, Diameter, and RADIUS. Organizations can control almost every element of the protocols they deploy.

• DDoS prevention capabilities: An integrated architecture enables organizations to combine traditional firewall Layers 3 and 4 with application Layers 5 through 7.

• DDoS mitigations: The BIG-IP system protects UDP, TCP, SIP, DNS, HTTP, SSL, and other network attack targets while delivering uninterrupted service for legitimate connections.

• SSL termination: You can offload computationally-intensive SSL functions to the BIG-IP system, and gain visibility into potentially harmful encrypted payloads.

• Dynamic threat mitigation: iRules® provide a flexible way to enforce protocol functions on both standard, and emerging or custom protocols. With iRules, organizations can create a zero-day dynamic security context to react to vulnerabilities for which an associated patch has not yet been released.

• Resource cloaking and content security: You can prevent leaks of error codes and sensitive content.

BIG-IP data center firewall packet handling

A BIG-IP data center firewall includes three basic mechanisms for controlling packet flow: packet filters, traffic listeners, and iRules assigned to virtual servers.


Figure 1: Basic packet flow through a BIG-IP data center firewall

To effectively configure a BIG-IP system as a data center firewall, you must decide the way that you want the BIG-IP system to process any network traffic that the system receives. A BIG-IP system evaluates and acts on network traffic using the following order of operations.

Packet filters
The BIG-IP system evaluates network traffic against any packet filters that you have configured, in the explicit order you define. Once accepted, a packet is not evaluated against additional filters, but is processed by any SNATs, virtual servers or iRules that apply. If a packet is discarded or rejected, a BIG-IP system does not perform any further evaluation of that packet.

Traffic listeners
When you create local traffic objects (such as virtual servers, NATs, and SNATs) that process network traffic on the BIG-IP system, the BIG-IP system creates appropriate listeners for the objects that you define. A local traffic object with a destination listener processes requests matching a destination host or network IP address defined on the BIG-IP system. A local traffic object with a source listener processes requests originating from a host or group of hosts defined on the BIG-IP system. For example, a virtual server with a destination address and a netmask of 192.0.0.0/8:any takes precedence over a virtual server with a destination address and a netmask of 0.0.0.0/0:80. If the traffic does not match a virtual server and there is a SNAT in place, processing follows a specific order. For example, a SNAT with an origin address of 10.10.64.0/24 takes precedence over a SNAT with an origin of default. Additionally, a SNAT with an origin address of 10.10.64.2 takes precedence over a NAT with an origin address of 10.10.64.2.

Virtual server-specific ACL using iRules
Any iRules associated with the matched virtual server are processed. iRules are event-driven, so that the order of events ultimately controls the order in which code blocks are processed. Additionally, you can use priority statements within iRules to assign execution orders for like events. Lastly, for like events of identical priority, iRules are triggered in the order that they are assigned to the virtual server. For each of these BIG-IP features, consult the BIG-IP product documentation and other online resources, such as F5 Networks' DevCentral Wiki, for complete details.
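The order of operations above, as an added Python model that is not part of this guide and not F5 code: packet filters are walked in their explicit order and the first match decides; only an accepted packet reaches listener selection, where the guide's precedence examples are encoded as "longest destination prefix wins, an explicit port only breaks ties", and a packet that matches no virtual server falls through to SNAT selection by longest origin prefix. The class and function names, the sample addresses, and the default applied to a packet that matches no filter are assumptions; they let the model be run against constructed packets to see why filter order and listener specificity matter.

```python
"""Model of the BIG-IP data center firewall order of operations: packet
filters (explicit order, first match wins), then the most specific listener.
Added illustration only; names and the unhandled-packet default are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class PacketFilter:
    name: str
    action: str                    # "accept", "discard" or "reject"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass(frozen=True)
class Listener:
    """A destination listener, e.g. a virtual server at 192.0.0.0/8:any."""
    name: str
    dst_net: str
    port: Optional[int]            # None means "any"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.port is None or self.port == pkt.dport))

    def specificity(self) -> tuple:
        # Longer prefix first; an explicit port only breaks ties between equal prefixes.
        return (ipaddress.ip_network(self.dst_net).prefixlen, self.port is not None)


@dataclass(frozen=True)
class Snat:
    """A source listener keyed on its origin address; 'default' is 0.0.0.0/0."""
    name: str
    origin: str = "0.0.0.0/0"


def evaluate_packet_filters(filters: Sequence[PacketFilter], pkt: Packet,
                            unhandled_action: str = "accept") -> str:
    """First matching filter wins; later filters are never consulted.
    unhandled_action is an assumed stand-in for the system's setting for
    packets that match no filter."""
    for f in filters:
        if f.matches(pkt):
            return f.action
    return unhandled_action


def select_listener(listeners: Sequence[Listener], pkt: Packet) -> Optional[Listener]:
    candidates = [l for l in listeners if l.matches(pkt)]
    return max(candidates, key=Listener.specificity) if candidates else None


def select_snat(snats: Sequence[Snat], pkt: Packet) -> Optional[Snat]:
    src = ipaddress.ip_address(pkt.src)
    candidates = [s for s in snats if src in ipaddress.ip_network(s.origin)]
    return (max(candidates, key=lambda s: ipaddress.ip_network(s.origin).prefixlen)
            if candidates else None)


def process(filters, listeners, snats, pkt: Packet, unhandled_action: str = "accept"):
    """Return (action, listener_name or None). A discarded or rejected packet
    never reaches listener selection; an accepted packet that matches no
    virtual server falls through to SNAT selection."""
    action = evaluate_packet_filters(filters, pkt, unhandled_action)
    if action != "accept":
        return action, None
    vs = select_listener(listeners, pkt)
    if vs is not None:
        return "accept", vs.name
    snat = select_snat(snats, pkt)
    return "accept", snat.name if snat else None


# Constructed sample configuration mirroring the guide's own address examples.
FILTERS = [
    PacketFilter("allow_web", "accept", dst_net="192.0.2.0/24", dport=80),
    PacketFilter("deny_rest", "discard"),
]
LISTENERS = [
    Listener("vs_net_192", "192.0.0.0/8", None),     # 192.0.0.0/8:any
    Listener("vs_catchall_80", "0.0.0.0/0", 80),     # 0.0.0.0/0:80
]
SNATS = [Snat("snat_default"), Snat("snat_64_net", "10.10.64.0/24")]

if __name__ == "__main__":
    print(process(FILTERS, LISTENERS, SNATS, Packet("203.0.113.5", "192.0.2.10", 80)))
    print(process(list(reversed(FILTERS)), LISTENERS, SNATS, Packet("203.0.113.5", "192.0.2.10", 80)))
```

Swapping the two filters in the second call discards the same web packet that the first call accepts: with first-match semantics, a broad deny placed ahead of a narrow allow silently shadows it, which is the configuration error to check for when reviewing a packet filter list.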


Chapter 2: Prerequisites for System Configuration

Topics:

• List of prerequisite tasks


List of prerequisite tasks

Before you begin configuring a BIG-IP® system as a data center firewall, ensure that you have:

• Assigned a management IP address to the BIG-IP system
• Assigned a host name to the BIG-IP system
• Specified passwords for the admin and root accounts
• Created the necessary VLANs and associated self IP addresses
• Configured the redundancy settings for Sync-Failover device group management (ConfigSync, failover, and mirroring addresses, as well as the default traffic groups)
• Configured the DNS and NTP servers

Also, if you intend to use BIG-IP® Protocol Security Module™ and BIG-IP® Application Security Manager™ on the BIG-IP data center firewall, verify that these modules are licensed and provisioned on the system.

Once you have met these prerequisites, the BIG-IP system is ready to be configured as a data center firewall.


Chapter 3: Securing BIG-IP Administrative Access

Topics:

• Overview
• Configuring security settings for administrative login
• Configuring a password policy for administrative users
• Creating a BIG-IP system user account
• Configuring a security level for a self IP address


Overview

There are several tasks that you can perform to control BIG-IP administrative access to the BIG-IP® Configuration utility or to tmsh. This access control includes not only settings such as the number of failed login attempts allowed per user and the maximum amount of allowed idle login time, but also settings to specify user roles, administrative partition access, and console access.

Configuring security settings for administrative login

Use this procedure to define: the maximum number of concurrent users allowed, the maximum duration that the Configuration utility can be idle before automatic user logout, and a security message that you want the system to display on the BIG-IP Configuration login screen.

1. On the Main tab, click System > Preferences.

2. From the System Settings list, select Advanced.
Additional settings appear on the screen.

3. In the field labeled Maximum HTTP Connections To Configuration Utility, retain or revise the default value.

4. In the field labeled Idle Time Before Automatic Logout, revise the default value.

F5 Networks recommends a value of 120 seconds.

5. For the setting labeled Show The Security Banner On The Login Screen, verify that the box is checked.
This ensures that the security message you specify displays on the login screen of the BIG-IP Configuration utility.

6. In the field labeled Security Banner Text To Show On The Login Screen, revise the default security message.

A good security message is one that provides legal protection to the organization, such as a message stating that unauthorized access is forbidden.

The login screen of the BIG-IP Configuration utility displays the text that you specify in this field.

7. Click Update.

After you have performed these steps, administrative access to the BIG-IP Configuration utility is more secure.

Configuring a password policy for administrative users

Use this procedure to require BIG-IP® system users to create strong passwords and to specify the maximum number of BIG-IP Configuration utility login failures that the system allows before the user is denied access.

1. On the Main tab, click System > Users.

2. On the menu bar, click Authentication.

3. From the Secure Password Enforcement list, select Enabled.
Additional settings appear on the screen.


4. For the Minimum Length and Required Characters settings, configure the default values, according to your organization's internal security requirements.

5. In the Maximum Login Failures field, specify a number.

If the user fails to log in the specified number of times, the user is locked out of the system. Therefore, F5 Networks recommends that you specify a value that allows for a reasonable number of login failures before user lockout.

6. Click Update.

Creating a BIG-IP system user account

Use this procedure to create a user account for a BIG-IP system administrative user. When creating the account, you can specify a user role, the partitions to which the user has access, and the type of console access.

1. On the Main tab, click System > Users.

2. Click Create.
The New User properties screen opens.

3. To grant an access level other than No Access, use the Role list to select a user role.

4. From the Partition Access list, select a partition name.

You can select a single partition name, or All.

5. From the Terminal Access list, select a level of console access.

6. Click Finished.

The BIG-IP system includes a new user account for administrative access.

Configuring a security level for a self IP address

You can specify the protocols and services from which a self IP address can accept traffic. Note that having fewer active protocols enhances the security level of the self IP address and its associated VLANs.

1. On the Main tab, click Network > Self IPs.
The Self IPs screen opens.

2. In the Name column, click a self IP address associated with a VLAN on the public network.
This displays the properties of that self IP address.

3. From the Port Lockdown list, select a level of security for the self IP address.

Selecting Allow None blocks administrative traffic only, for this self IP address. Specifically, a user is blocked from accessing the BIG-IP system through the BIG-IP Configuration utility or SSH.

4. Click Update.

The BIG-IP system now controls the level of access that administrative users have to the BIG-IP Configuration utility and through SSH.


Chapter 4: Logging

Topics:

• Overview
• Logging server and profile setup


Overview

There are a number of logging features you can implement as part of a BIG-IP® system firewall configuration.

Logging server and profile setup

When configuring the BIG-IP system as a data center firewall, you might want to implement high-speed logging and define a group of remote Syslog servers. You can do this by creating a pool of servers, creating a custom request logging profile that determines log content and references the log server pool, and then assigning the profile to each virtual server that you create to process application traffic.

Specifying Syslog servers

Use this task to log messages to one or more remote Syslog servers.

1. From the Main tab, click System > Logs.

2. From the Configuration menu, choose Remote Logging.

3. In the Remote IP field, type the IP address of the remote server to which the BIG-IP system will send the log messages.

4. In the Remote Port field, retain the default port number or type a different port number.

5. Optionally, in the Local IP field, type the IP address of the local BIG-IP system that is sending the log messages.

6. Click Add.

7. Repeat steps 3 through 6 for each remote logging server to which you want the BIG-IP system to send log messages.

8. Click Update.

The remote Syslog servers are defined on the BIG-IP system.

Creating a pool of servers for high-speed logging

For the LTM firewall configuration, you can create a pool of remote servers for high-speed logging.

1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.

2. Click Create. The New Pool screen opens.

3. In the Name field, type a unique name for the pool.

4. For the Health Monitors setting, in the Available list, select a monitor type, and click << to move the monitor to the Active list.

Tip: Hold the Shift or Ctrl key to select more than one monitor at a time.


5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool.

The default is Round Robin.

6. For the Priority Group Activation setting, select the way to handle priority groups:

• Retain the default option, Disabled, to disable priority groups.
• Select Less than, and type the minimum number of members in the Available Members field that must remain available in each priority group in order for traffic to remain confined to that group.

7. Using the New Members setting, add the IP address for each logging server that you want to include in the pool:

a) Type an IP address in the Address field, or select a node address from the Node List.
b) Type a service number in the Service Port field, or select a service name from the list.
c) You may type a priority number in the Priority field.
d) Click Add.

8. Click Finished.

The new pool containing the remote Syslog servers appears in the Pools list.

After creating the pool, you must create a request logging profile and specify this pool name within the profile. This eliminates the need for you to assign this pool to a virtual server.

Configuring a profile for high-speed logging

You must have already created a pool that includes logging servers as pool members.

Many sites perform traffic analysis against the log files that their web servers generate. With a Request Logging profile, you can specify the data and the format for HTTP requests and responses that you want to include in a log file. If you prefer, you can tailor the information that appears in the logs so that the logs work seamlessly with whatever analysis tools you use for your origin web server's HTTP log files. You can use a request logging profile to log specific data, and then use that information for analysis and troubleshooting.

1. On the Main tab, click Local Traffic > Profiles > Other > Request Logging. The Request Logging profile list screen opens.

2. Click Create. The New Request Logging Profile screen opens.

3. From the Parent Profile list, select a profile from which the new profile inherits properties.

4. Select the Custom check box for the Request Settings area. The settings in the Request Settings area become available for configuring.

5. In the Request Settings area, from the Request Logging list, select Enabled.

6. In the Template field, type the request logging parameters for the entries that you want to include in the log file.

7. From the HSL Protocol list, select a high-speed logging protocol.

8. From the Pool Name list, select the pool that includes the logging server as a pool member.

9. (Optional) You can also configure the error response settings.

a) From the Respond On Error list, select Enabled.
b) In the Error Response field, type the error response strings that you want to include in the log file.

These strings must be well-formed for the protocol serving the strings.

c) Select the Close On Error check box to drop the request and close the connection if logging fails.


10. (Optional) You can also configure the logging request errors settings.

a) From the Log Logging Errors list, select Enabled.
b) In the Error Template field, type the request logging parameters for the entries that you want to include in the log file.
c) From the HSL Error Protocol list, select a high-speed logging error protocol.
d) From the Error Pool Name list, select a pool that includes the node for the error logging server as a pool member.

11. Click Update.

This configures a request logging profile to log specified data for HTTP requests.

Request logging parameters

This table lists all available parameters from which you can create a custom logging profile. These are used to specify entries for the Template and Error Template settings. For each parameter, the system writes to the log the information described in the right column.

Table 1: Request logging parameters

Parameter: Log file entry description

BIGIP_BLADE_ID: An entry for the slot number of the blade that handled the request.

BIGIP_CACHED: An entry of Cached status: true, if the response came from BIG-IP® cache, or Cached status: false, if the response came from the server.

BIGIP_HOSTNAME: An entry for the configured host name of the unit or chassis.

CLIENT_IP: An entry for the IP address of a client, for example, 192.168.74.164.

CLIENT_PORT: An entry for the port of a client, for example, 80.

DATE_D: A two-character entry for the day of the month, ranging from " 1" (note the leading space) through 31.

DATE_DAY: An entry that spells out the name of the day.

DATE_DD: A two-digit entry for the day of the month, ranging from 01 through 31.

DATE_DY: A three-letter entry for the day, for example, Mon.

DATE_HTTP: A date and time entry in an HTTP format, for example, Tue, 5 Apr 2011 02:15:31 GMT.

DATE_MM: A two-digit month entry, ranging from 01 through 12.

DATE_MON: A three-letter abbreviation for a month entry, for example, APR.

DATE_MONTH: An entry that spells out the name of the month.

DATE_NCSA: A date and time entry in an NCSA format, for example, dd/mm/yy:hh:mm:ss ZNE.

DATE_YY: A two-digit year entry, ranging from 00 through 99.

DATE_YYYY: A four-digit year entry.

HTTP_CLASS: The name of the httpclass profile that matched the request, or an empty entry if a profile name is not associated with the request.

HTTP_KEEPALIVE: A flag summarizing the HTTP 1.1 keep-alive status for the request: a Y if the HTTP 1.1 keep-alive header was sent, or an empty entry if not.

HTTP_METHOD: An entry that defines the HTTP method, for example, GET, PUT, HEAD, POST, DELETE, TRACE, or CONNECT.

HTTP_PATH: An entry that defines the HTTP path.

HTTP_QUERY: The text following the first ? in the URI.

HTTP_REQUEST: The complete text of the request, for example, $METHOD $URI $VERSION.

HTTP_STATCODE: The numerical response status code, that is, the status response code excluding subsequent text.

HTTP_STATUS: The complete status response, that is, the number appended with any subsequent text.

HTTP_URI: An entry for the URI of the request.

HTTP_VERSION: An entry that defines the HTTP version.

NCSA_COMBINED: An NCSA Combined formatted log string, for example, $NCSA_COMMON $Referer ${User-agent} $Cookie.

NCSA_COMMON: An NCSA Common formatted log string, for example, $CLIENT_IP -- $DATE_NCSA $HTTP_REQUEST $HTTP_STATCODE $RESPONSE_SIZE.

RESPONSE_MSECS: The elapsed time in milliseconds (ms) between receiving the request and sending the response.

RESPONSE_SIZE: An entry for the size of the response in bytes.

RESPONSE_USECS: The elapsed time in microseconds (µs) between receiving the request and sending the response.

SERVER_IP: An entry for the IP address of a server, for example, 10.10.0.1.

SERVER_PORT: An entry for the port of a server, for example, 80.

SNAT_IP: An entry for the self IP address of the BIG-IP-originated connection to the server when SNAT is enabled, or an entry for the client IP address when SNAT is not enabled.

SNAT_PORT: An entry for the port of the BIG-IP-originated connection to the server when SNAT is enabled, or an entry for the client port when SNAT is not enabled.

TIME_AMPM: A twelve-hour request-time qualifier, for example, AM or PM.

TIME_H12: A compact twelve-hour time entry for request-time hours, ranging from 1 through 12.

TIME_HRS: A twelve-hour time entry for hours, for example, 12 AM.

TIME_HH12: A twelve-hour entry for request-time hours, ranging from 01 through 12.

TIME_HMS: An entry for a compact request time of H:M:S, for example, 12:10:49.

TIME_HH24: A twenty-four-hour entry for request-time hours, ranging from 00 through 23.

TIME_MM: A two-digit entry for minutes, ranging from 00 through 59.

TIME_MSECS: An entry for the request-time fraction in milliseconds (ms).

TIME_OFFSET: An entry for the time zone, offset in hours from GMT, for example, -11.

TIME_SS: A two-digit entry for seconds, ranging from 00 through 59.

TIME_UNIX: A UNIX time entry for the number of seconds since the UNIX epoch, for example, 00:00:00 UTC, January 1st, 1970.

TIME_USECS: An entry for the request-time fraction in microseconds (µs).

TIME_ZONE: An entry for the current Olson database or tz database three-character time zone, for example, PDT.

VIRTUAL_IP: An entry for the IP address of a virtual server, for example, 192.168.10.1.

VIRTUAL_NAME: An entry for the name of a virtual server.

VIRTUAL_POOL_NAME: An entry for the name of the pool containing the responding server.

VIRTUAL_PORT: An entry for the port of a virtual server, for example, 80.

VIRTUAL_SNATPOOL_NAME: The name of the Secure Network Address Translation pool associated with the virtual server.

NULL: Undelineated strings return the value of the respective header.

Standard log formats

Log headers appear in the lines at the top of a log file. You can use log headers to identify the type and order of the information written to each line in the log file. Some log analysis software also uses log headers to determine how to parse a log file.

The three common conventions for log headers are shown here.

Convention: Description

No header line: Apache™ web servers use this option. By default, Apache web servers write access logs in a format that is identical to the NCSA Common format.

NCSA Common or Combined headers: Netscape® servers, and their descendants (such as the iPlanet™ Enterprise Server) write a log header line that is unique to this family of servers. These servers generally use either the NCSA Common or Combined log format, and the log header lines are composed of keywords. For example:

#format=%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] ....

W3C headers: Most Microsoft® Internet Information Services (IIS) web servers write log files in the extended log file format, which is defined by a W3C working draft.

The logging information that is commonly used by origin web servers consists of the following conventions:

• NCSA Common (no log header)
• NCSA Common (Netscape log header)
• NCSA Combined (no log header)
• NCSA Combined (Netscape log header)
• W3C Extended

NCSA Common log format example

This is the NCSA Common log format syntax:

host rfc931 username [date:time UTC_offset] "method URI?query_parameters protocol" status bytes

Here is an example that uses this syntax:

125.125.125.2 - - [03/Apr/2011:23:44:03 -0600] "GET /apps/example.jsp?sessionID=34h76 HTTP/1.1" 200 3045
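The following Python is an added example, not part of the guide or F5 code. It shows how a Template made of the parameters in Table 1 expands into a log line, and parses NCSA Common and Combined lines such as the example above; the expansions assumed for NCSA_COMMON and NCSA_COMBINED add the brackets and quotes of the NCSA syntax so the output parses cleanly, and the request values and headers are constructed.

```python
"""Expand a Request Logging template and parse the NCSA lines it produces.

Added example, not F5 code. Token syntax ($NAME or ${Name}) and parameter
names follow the guide's table; the composite expansions below are assumed.
"""
import re
from datetime import datetime

# Assumed expansions of the two composite parameters (the guide lists them
# without the bracket/quote punctuation that the NCSA syntax line shows).
COMPOSITE = {
    "NCSA_COMMON": '$CLIENT_IP - - [$DATE_NCSA] "$HTTP_REQUEST" '
                   '$HTTP_STATCODE $RESPONSE_SIZE',
    "NCSA_COMBINED": '$NCSA_COMMON "$Referer" "${User-agent}" "$Cookie"',
}

# $NAME or ${Name}; a hyphen is allowed so that ${User-agent} works.
TOKEN = re.compile(r"\$\{([^}]+)\}|\$([A-Za-z_][A-Za-z0-9_-]*)")


def expand_template(template, fields, headers):
    """Expand template tokens.

    fields  : parameter name -> value (CLIENT_IP, DATE_NCSA, ...).
    headers : lower-cased request header name -> value. A token that is not
              a known parameter is looked up here (the table's NULL row) and
              yields "" when the header is absent.
    """
    def replace(match):
        name = match.group(1) or match.group(2)
        if name in COMPOSITE:
            return expand_template(COMPOSITE[name], fields, headers)
        if name in fields:
            return str(fields[name])
        return headers.get(name.lower(), "")
    return TOKEN.sub(replace, template)


# NCSA Common syntax from the guide, plus the optional Combined tail:
# host rfc931 username [date:time UTC_offset] "method URI?query protocol" status bytes
NCSA = re.compile(
    r'^(?P<host>\S+) (?P<rfc931>\S+) (?P<username>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<protocol>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"(?: "(?P<cookie>[^"]*)")?)?$'
)


def parse_ncsa(line):
    """Parse one NCSA Common or Combined line into a dict; raise on junk."""
    m = NCSA.match(line)
    if m is None:
        raise ValueError(f"not an NCSA Common/Combined line: {line!r}")
    rec = m.groupdict()
    # HTTP_PATH / HTTP_QUERY split: the query is the text after the first '?'
    rec["path"], _, rec["query"] = rec.pop("target").partition("?")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


# The guide's own NCSA Common example line.
GUIDE_LINE = ('125.125.125.2 - - [03/Apr/2011:23:44:03 -0600] '
              '"GET /apps/example.jsp?sessionID=34h76 HTTP/1.1" 200 3045')

# Constructed request values standing in for what the BIG-IP would supply.
SAMPLE_FIELDS = {
    "CLIENT_IP": "192.168.74.164",
    "DATE_NCSA": "05/Apr/2011:02:15:31 +0000",
    "HTTP_REQUEST": "GET /index.html HTTP/1.1",
    "HTTP_STATCODE": 200,
    "RESPONSE_SIZE": 512,
}
SAMPLE_HEADERS = {"referer": "http://example.com/", "user-agent": "curl/7.0"}


def round_trip():
    """Render a Combined line from the sample request and parse it back."""
    line = expand_template("$NCSA_COMBINED", SAMPLE_FIELDS, SAMPLE_HEADERS)
    return line, parse_ncsa(line)


if __name__ == "__main__":
    print(parse_ncsa(GUIDE_LINE))
    print(round_trip()[0])
```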


Chapter 5: Access Control Lists

Topics:

• Overview
• Packet filter configuration
• Application-specific access control using iRules


Overview

You can implement two kinds of access control on the BIG-IP® system: packet filters and iRules®.

Packet filter configuration

Packet filters enhance network security by specifying whether a BIG-IP system interface should accept or reject certain packets based on criteria that you specify. Packet filters enforce an access policy on incoming traffic. They apply to incoming traffic only.

Packet filtering is global and takes precedence over virtual server access control. However, filtering typically works best when you configure both packet filters and virtual server access control on the system. While packet filters allow or deny traffic based solely on the source of the traffic, regardless of destination, virtual servers can filter traffic destined for a particular IP address. When the traffic reaches the virtual server address, the BIG-IP system uses the assigned iRule to allow or deny the traffic based on some criteria specified in the iRule.

You implement packet filtering by creating packet filter rules. The primary purpose of a packet filter rule is to define the criteria that you want the BIG-IP system to use when filtering packets. Examples of criteria that you can specify in a packet filter rule are:

• The source IP address of a packet
• The destination IP address of a packet
• The destination port of a packet

You specify the criteria for applying packet filter rules within an expression. When creating a packet filter rule, you can instruct the BIG-IP system to build an expression for you, in which case you need only choose the criteria from predefined lists, or you can write your own expression text, using the syntax of the tcpdump utility.

You can also configure global packet filtering that applies to all packet filter rules that you create, such as specifying a specific MAC address or IP address to accept or reject.

Note: Packet filters generate additional log messages.

Enabling packet filtering on the BIG-IP system

Before creating a packet filtering rule, you must enable packet filtering.

1. On the Main tab, click Network > Packet Filters. The Packet Filters screen opens.

2. From the Packet Filtering list, select Enabled.

3. From the Unhandled Packet Action list, select Accept.

4. Click Update.

Packet filtering is enabled.


Creating a packet filter rule to allow traffic

When implementing this firewall configuration, you must create a packet filter rule that specifies an IP address for the type of traffic that the BIG-IP system accepts. In the example below, the packet filter is created to allow traffic from a specific network, on VLAN external.

1. On the Main tab, click Network > Packet Filters. The Packet Filters screen opens.

2. Click Rules.

3. Click Create.

4. In the Name field, type a name for the rule.

5. From the Order list, select First.

6. From the Action list, select Accept.

7. If rate shaping is enabled, then from the Rate Class list, select a rate class.

8. From the VLAN / Tunnel list, select external.

9. From the Logging list, select Enabled.

10. From the Filter Expression Method list, select Enter Expression Text. This displays the Filter Expression box.

11. In the Filter Expression field, type an expression. For example: ( src net 10.133.96.0/24 )

12. Click Finished.

The BIG-IP system now has a packet filter rule that accepts inbound traffic from network 10.133.96.0/24 on VLAN external.

Creating a packet filter rule to deny traffic

When implementing packet filtering, you can create a packet filter rule that rejects all traffic on VLAN external, except for any traffic to which another packet filter rule is applied. In the example below, the packet filter is created to reject all traffic on VLAN external except traffic from the particular network specified in the separate accept rule created above.

1. On the Main tab, click Network > Packet Filters. The Packet Filters screen opens.

2. Click Rules.

3. Click Create.

4. In the Name field, type a name for the rule.

5. From the Order list, select Last.

6. From the Action list, select Reject.

7. From the VLAN / Tunnel list, select external.

8. From the Logging list, select Enabled.

9. From the Filter Expression Method list, select Enter Expression Text. This displays the Filter Expression box.

10. Click Finished.

You now have a packet filter rule that denies all traffic except traffic to which another packet filter rule applies.
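As an added example (Python, not F5 code), the following models the evaluation the guide describes for the two rules just created, so that the rule order and the Unhandled Packet Action can be checked before the rules go live. The rule names, the sample packets and the small subset of tcpdump syntax handled (src net/host, dst host, dst port, joined with "and") are assumptions of this example.

```python
"""Model of ordered BIG-IP packet filter rules for sanity-checking an ACL.

Constructed example, not F5 code: rules are tried in Order, the first match
decides, a rule applies only to its VLAN, and the Unhandled Packet Action
applies to packets that no rule matches.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Packet:
    vlan: str
    src: str
    dst: str
    dst_port: int


@dataclass
class Rule:
    name: str
    action: str      # "accept" or "reject", as in the Action list
    vlan: str        # the VLAN / Tunnel the rule applies to
    expression: str  # Filter Expression text; empty string matches everything


_TERM = re.compile(r"(src|dst)\s+(net|host|port)\s+(\S+)")


def _term_matches(direction, kind, value, packet):
    """Evaluate one tcpdump-style term against a packet."""
    if kind == "port":
        # Only destination ports are modelled here.
        return direction == "dst" and packet.dst_port == int(value)
    addr = ipaddress.ip_address(packet.src if direction == "src" else packet.dst)
    if kind == "host":
        return addr == ipaddress.ip_address(value)
    return addr in ipaddress.ip_network(value, strict=False)  # "net"


def expression_matches(expression, packet):
    """True if every 'and'-joined term of the expression matches the packet."""
    expr = expression.strip().strip("()").strip()
    if not expr:
        return True  # no expression: the rule matches all traffic on its VLAN
    for term in re.split(r"\s+and\s+", expr):
        m = _TERM.fullmatch(term.strip().strip("()").strip())
        if not m:
            raise ValueError(f"unsupported term: {term!r}")
        if not _term_matches(*m.groups(), packet):
            return False
    return True


def filter_packet(rules, packet, unhandled_action="accept"):
    """Return (action, rule_name); rule_name is None when no rule matched."""
    for rule in rules:  # rules are already in Order (First ... Last)
        if rule.vlan == packet.vlan and expression_matches(rule.expression, packet):
            return rule.action, rule.name
    return unhandled_action, None


# The two rules the guide's procedures create (names constructed): the
# accept rule is First, the catch-all reject on VLAN external is Last.
GUIDE_RULES = [
    Rule("allow_trusted_net", "accept", "external", "( src net 10.133.96.0/24 )"),
    Rule("reject_external", "reject", "external", ""),
]


def check_guide_rules():
    """Run constructed packets through the guide's rules (Unhandled = Accept)."""
    trusted = Packet("external", "10.133.96.7", "204.170.25.11", 80)
    results = {
        "trusted": filter_packet(GUIDE_RULES, trusted),
        "other_external": filter_packet(
            GUIDE_RULES, Packet("external", "198.51.100.9", "204.170.25.11", 80)),
        # No rule is scoped to VLAN internal, so the unhandled action applies.
        "internal": filter_packet(
            GUIDE_RULES, Packet("internal", "10.0.0.5", "10.0.0.9", 22)),
        # Reversed order shows why the accept rule must be First.
        "trusted_wrong_order": filter_packet(list(reversed(GUIDE_RULES)), trusted),
    }
    return results


if __name__ == "__main__":
    for name, outcome in check_guide_rules().items():
        print(f"{name:20s} -> {outcome}")
```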


Application-specific access control using iRules

You can create an iRule to assign to a specific virtual server, to protect the network resources for which the virtual server processes traffic.

A common use of an iRule that you assign to a virtual server is to deny traffic destined for one or more specified IP addresses. For example, when the following iRule is assigned to a virtual server, any traffic passing through that virtual server that shows a source IP address of 4.4.4.4 is discarded.

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 4.4.4.4] } {
            discard
        } else {
            log local0. "Allowed Traffic"
        }
    }

You can assign an iRule to a virtual server either when you create the virtual server or by modifying the properties of an existing virtual server.

You can find more examples of iRules on the F5 Networks DevCentral web site, located at http://devcentral.f5.com.


Chapter 6: Traffic Listeners

Topics:

• Overview
• Virtual server configuration
• Configuring a SNAT


Overview

Part of configuring the BIG-IP® system to be a data center firewall is to create virtual servers and SNATs. For some virtual servers, you can create iRules® that filter traffic based on specific user-defined criteria.

Virtual server configuration

To complete the deployment of a BIG-IP data center firewall, you must set up your virtual server configuration. A virtual server is an IP address and port specification on the BIG-IP system. The BIG-IP system listens for traffic destined for that virtual server, and then directs that traffic either to a specific host for load balancing or to an entire network.

A virtual server provides a level of security, similar to an access control list (ACL), because its destination address includes a port specification, causing the virtual server to accept only traffic destined for that port.

When you create a virtual server, you can optionally assign an iRule that functions as another layer of security, filtering out specific unwanted traffic or allowing specific traffic destined for that virtual server. The virtual server emulates a traditional ACL, while the iRule customizes the virtual server even further by filtering out or allowing individual source IP addresses and ports that you specify.

Example 1

This example shows an ACL that you can logically implement using a host virtual server with an assigned iRule. In this example, the virtual server has a destination host address of 204.170.25.11:80, with an iRule specifying that only traffic originating from the network 204.170.0.0/24 is allowed:

    allow src 204.170.0.0/24 port 80 dst 204.170.25.11 port 80
    deny all

In this case, only traffic originating from network 204.107.0.0/24 port 80 and destined for host 204.170.25.11:80 is accepted and load balanced, according to the virtual server configuration. The virtual server denies all other traffic.

Example 2

This example shows an ACL that you can logically implement using a network virtual server with an assigned iRule. In this example, the virtual server has a destination network address of 204.170.25.0:80, with an iRule specifying that only traffic originating from the network 204.170.0.0/24 is allowed:

    allow src 204.170.0.0/24 port 80 dst 204.170.25.0 port 80
    deny all

In this case, only traffic originating from network 204.107.0.0/24 port 80 and destined for network 204.170.25.0:80 is accepted and forwarded to that network. The virtual server denies all other traffic.

You can find additional examples of how to create a comprehensive iRule for these scenarios on the F5 Networks DevCentral web site http://www.devcentral.f5.com.

Creating a Services profile within LTM

One of the Layer 7 tasks that you perform to configure BIG-IP® Local Traffic Manager™ as a data center firewall is to create one or more custom application-layer profiles. You create a unique profile for each type of application traffic, and then assign the profile to a virtual server that specifies that particular service. For example, if the BIG-IP data center firewall must handle HTTP traffic, you can create a custom HTTP profile and then assign that profile to a virtual server that listens for traffic on port 80 on the BIG-IP system. This particular procedure creates an HTTP profile. You can use a variation of this task to create other profiles as well, such as an FTP or SMTP profile.

Important: You can create as many profiles as you need.

1. On the Main tab, click Local Traffic > Profiles > Services > HTTP. The HTTP profile list screen opens.

2. Click Create. The New HTTP Profile screen opens.

3. In the Name field, type a name for the profile.

Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.

4. From the Parent Profile list, retain http.

5. Select the Custom check box. The fields in the Settings area become available for revision.

6. Adjust all settings as required.

You can use the default values or change them to suit your needs.

7. Click Finished.

A custom BIG-IP® LTM™ profile now appears in the relevant profile list in the BIG-IP Configuration utility.

After creating this profile, you must assign the profile to a virtual server.

Creating a load balancing pool

You can create a load balancing pool (a logical set of devices such as web servers that you group togetherto receive and process traffic) to efficiently distribute the load on your server resources.

Note: You must create the pool before you create the corresponding virtual server.

1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.

2. Click Create. The New Pool screen opens.

3. In the Name field, type a unique name for the pool.

4. For the Health Monitors setting, in the Available list, select a monitor type, and click << to move the monitor to the Active list.

Tip: Hold the Shift or Ctrl key to select more than one monitor at a time.

5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool.

The default is Round Robin.

6. For the Priority Group Activation setting, select the way to handle priority groups:

• Retain the default option, Disabled, to disable priority groups.
• Select Less than, and type the minimum number of members in the Available Members field that must remain available in each priority group in order for traffic to remain confined to that group.


7. Using the New Members setting, add each resource that you want to include in the pool:

a) Either type an IP address in the Address field, or select a node address from the Node List.
b) Type a port number in the Service Port field, or select a service name from the list.
c) To specify a priority group, type a priority number in the Priority field.
d) Click Add.

8. Click Finished.

The load balancing pool appears in the Pools list.

Creating an iRule

Use this procedure to create an iRule.

1. On the Main tab, click Local Traffic > iRules.

2. Click Create. The New iRule screen opens.

3. In the Name field, type a 1- to 31-character name, such as virtual_acl_irule.

4. In the Definition field, type the syntax for the iRule, using Tool Command Language (Tcl) syntax.

For complete and detailed information on iRules syntax, see the F5 Networks DevCentral web site http://devcentral.f5.com.

5. Click Finished.

Host virtual servers

A host virtual server listens for traffic destined for a specific site, such as an Internet web site or an FTP site, and then directs that traffic to content servers that are members of a pool. A host virtual server provides a level of security, similar to an access control list (ACL), because its destination address includes a port specification, causing the virtual server to accept only traffic destined for that port.

Creating a host virtual server

Use this task to create a standard, host type of virtual server for application traffic. A host type of virtual server listens for traffic destined for the specified destination IP address and service. You must create a separate virtual server for each destination IP address/service combination. For example, if you want the BIG-IP® firewall device to handle HTTP, SMTP, and FTP traffic, and you want to use the virtual address 204.170.25.11, you create three separate virtual servers: 204.170.25.11:80, 204.170.25.11:25, and 204.170.25.11:21 on the BIG-IP data center firewall.

1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.

2. Click the Create button. The New Virtual Server screen opens.

3. In the Name field, type a unique name for the virtual server.

4. For the Destination setting, in the Address field, type the host IP address that you want to use for the virtual server.

This is the IP address on the BIG-IP system to which inbound application traffic is destined.

5. In the Service Port field, type a port number or select a service name from the Service Port list.

6. Assign any LTM® traffic profiles as needed.


7. From the Configuration list, select Advanced.

8. From the Request Logging Profile list, select the custom request logging profile that you created earlier.

9. Locate the Resources area of the screen.

10. For the iRules setting, from the Available list, select the name of the iRule that you want to assign, and using the Move button, move the name into the Enabled list.

This step is optional.

11. From the Default Pool list, select the name of the pool that you created previously.

12. Click Finished.

The BIG-IP system now listens for traffic destined for the specified destination IP address and service, and applies all assigned profiles and any load balancing pool. Also, all log messages pertaining to the application traffic are logged to the pool of remote logging servers specified in the assigned Request Logging profile.

Example 1: Host virtual server configurations

This example shows the BIG-IP data center firewall also functioning as an application delivery controller (ADC). In the illustration shown, the BIG-IP system contains two host virtual servers (FTP VIP and App VIP) to perform application delivery controller (ADC) functions, while still providing security. Specifically, the two virtual servers perform these functions:

• Load balancing traffic to FTP resources
• Load balancing traffic to internal ADCs that handle specific applications. (The illustration shows one internal ADC named App ADC.)

The benefit of the first function is that you do not need to position the BIG-IP data center firewall between two ADCs before sending traffic to the internal resources. This simplifies the management of the environment.

The second function illustrates the same benefit but also shows that the BIG-IP system can load balance the request to an internal ADC that is handling the more specialized tasks required for an application, such as web acceleration, compression, caching, or web optimization.

Figure 2: Host virtual server configurations


Network virtual servers

A network virtual server listens for traffic destined for a specific network and simply forwards that traffic to that network. A network virtual server provides a level of security because its destination network address includes a port specification, causing the virtual server to accept only traffic destined for that port on the specified network.

Creating a network virtual server

Use this task to create a standard, network type of virtual server for application traffic. A network type of virtual server listens for traffic destined for a specific network. The BIG-IP system then forwards the traffic to that network, to the host specified in the system's routing configuration.

1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.

2. Click the Create button. The New Virtual Server screen opens.

3. In the Name field, type a unique name for the virtual server.

4. For the Destination setting, in the Address field, type the network IP address that you want to use for the virtual server.

This is the network for which inbound application traffic is destined.

5. In the Service Port field, type a port number or select a service name from the Service Port list.

6. From the Configuration list, select Advanced.

7. From the Request Logging Profile list, select the custom request logging profile that you created earlier.

8. Locate the Resources area of the screen.

9. For the iRules setting, from the Available list, select the name of the iRule that you want to assign, and using the Move button, move the name into the Enabled list.

This step is optional.

10. Click Finished.

Now the BIG-IP system listens for traffic destined for the specified destination IP address and service, and applies all assigned profiles and iRules.

Example 2: Network virtual server configurations

This example shows the BIG-IP data center firewall configured with a network virtual server. This configuration is generally used when you do not want the BIG-IP data center firewall to perform address translation on incoming requests; instead, the packets are simply forwarded to publicly-accessible resources while still providing security.

As shown, an ADC provides traditional application delivery functionality along with possibly more specialized functionality behind the BIG-IP data center firewall. The illustration also shows a DNS server located behind the BIG-IP data center firewall, but with a publicly-accessible address. This could be a direct DNS server, or even a GTM system providing global DNS services to an infrastructure.


Figure 3: Network virtual server configurations

Adding a static route

On the BIG-IP data center firewall, use this task to create a static route to a BIG-IP device on another network.

1. On the Main tab, click Network > Routes.

2. Click Add. The New Route screen opens.

3. In the Name field, type a unique name for the route.

4. In the Destination field, type the destination IP address in the route.

This address can represent either a host or a network. Also, if you are using route domains and the relevant route domain is the partition default route domain, you do not need to append a route domain ID to this address.

5. In the Netmask field, type the network mask for the destination IP address.

6. From the Resource list, select Use Gateway.

The gateway represents a next-hop or last-hop address in the route.

7. For the Gateway Address setting, select IP Address and type an IP address.

8. At the bottom of the screen, click Finished.

Now, packets targeted for the destination address specified in the route can reach that destination.

Configuring a SNAT

To protect IP addresses on the private network from being exposed to nodes on a public network, you can define a SNAT. A SNAT changes the source IP address on a packet to a SNAT external address located on the BIG-IP system.

1. On the Main tab, click Local Traffic > SNATs. The SNAT List screen displays a list of existing SNATs.

2. Click Create.

3. Name the new SNAT.

4. In the Translation field, type the IP address that you want to use as a translation IP address.

5. From the Origin list, select Address List.

6. For each client to which you want to assign a translation address, do the following:

a) Select Host.

b) Type a client IP address in the Address field.

c) Click Add.

7. From the VLAN Traffic list, select Enabled on.

8. For the VLAN List setting, in the Available field, select an external VLAN, and using the Move button, move the VLAN name to the Selected field.

9. Click Finished.


Chapter 7: Advanced Security

Topics:

• Overview
• Distributed Denial of Service protection
• SYN flood protection
• ICMP packet handling
• IPsec protocol configuration


Overview

You can protect network resources from snooping clients or various Denial of Service (DoS) attacks.

Distributed Denial of Service protection

You can perform certain configuration tasks to prevent Distributed Denial of Service (DDoS) attacks on the BIG-IP® system.

Configuring adaptive reaping

This procedure configures adaptive reaping. The adaptive connection reaper closes idle connections when memory usage on the BIG-IP system increases. This feature allows the BIG-IP system to aggressively reap connections when the system memory utilization reaches the low-water mark, and to stop establishing new connections when the system memory utilization reaches the high-water mark percentage.

If the BIG-IP platform includes an LCD panel, an adaptive reaping event causes the BIG-IP system to display the following message on the LCD panel:

Blocking DoS attack

Caution: The adaptive reaper settings do not apply to SSL connections. However, you can set TCP and UDP connection timeouts that reap idle SSL connections.

1. On the Main tab, click System > Configuration.

The General screen opens.

2. From the Local Traffic menu, choose General.

3. In the Properties area of the screen, set the Reaper High-water Mark property to 95.

4. Set the Reaper Low-water Mark property to 85.

5. Click Update.

When aggressive mode is activated on the BIG-IP system, the event is marked in the /var/log/ltm file with messages similar to these examples:

tmm tmm[PID]: 011e0002:4: sweeper_update: aggressive mode activated. (117504/138240 pages)
tmm tmm[PID]: 011e0002:4: sweeper_update: aggressive mode deactivated. (117503/138240 pages)

Important: Setting both of the adaptive reaper values to 100 disables this feature.

SYN flood protection

A SYN flood is a type of Denial of Service attack in which an attacker sends a succession of SYN requests to a system with the intent of consuming available resources, thereby rendering the system unresponsive.


To prevent flooding on the BIG-IP® system and to preserve memory, you can adjust the SYN Check™ threshold.

Adjusting the SYN Check threshold

You can configure the SYN Check™ feature to prevent the BIG-IP SYN queue from becoming full during a SYN flood attack. The SYN Check Activation Threshold setting indicates the number of new or untrusted TCP connections that can be established before the BIG-IP activates the SYN Cookies authentication method for subsequent TCP connections.

1. On the Main tab, click System > Configuration.

2. From the Local Traffic menu, choose General.

3. In the SYN Check Activation Threshold field, type the number of connections that you want to define for the threshold.

4. Click Update.

If SYN flooding occurs, the BIG-IP system now protects the BIG-IP SYN queue from becoming full.

ICMP packet handling

One way to reduce the effect of Denial of Service attacks is to configure the way that the BIG-IP system handles ICMP packets.

Limiting ICMP responses

The TM.MaxICMPRate bigdb key can reduce the effects of a denial of service attack by allowing you to limit the number of responses that the BIG-IP® system sends for ICMP errors and ICMP unreachable events.

The TM.MaxICMPRate bigdb key specifies a general rate limit applied to ICMP errors coming from servers back through the BIG-IP system to the clients. Each ICMP event must be associated with an established connection flow.

For example, if a virtual server connection generates ICMP unreachable responses from the pool member, the BIG-IP system passes the ICMP responses back to the clients until the number of ICMP messages reaches the value specified by the TM.MaxICMPRate bigdb key. Once the number of ICMP messages reaches this value, the BIG-IP stops sending ICMP responses.

At the tmsh prompt, type the following command, replacing <number> with the rate limit you want:

tmsh modify sys db TM.MaxICMPRate value <number>

The default value for the TM.MaxICMPRate bigdb key is 100. The minimum value allowed is 1 and the maximum value allowed is 1000.

Limiting ICMP unreachable packets

The TM.MaxRejectRate bigdb key can reduce the effects of a Denial of Service attack by allowing you to limit the number of ICMP unreachable packets that the BIG-IP system sends in response to incoming client-side or server-side packets that cannot be matched with existing connections to traffic management listener IP addresses, such as virtual servers or SNATs.

At the tmsh prompt, type this command, replacing <number> with the rate limit you want:

tmsh modify sys db TM.MaxRejectRate value <number>


The default value for the TM.MaxRejectRate bigdb key, in seconds, is 250. The minimum value allowed is 1 and the maximum value allowed is 1000.

When the TM.MaxRejectRate threshold has been exceeded for ICMP, the BIG-IP system stops sending ICMP unreachable packets in response to unmatched packets, and logs a message to the /var/log/ltm file that appears similar to the following example:

tmm tmm[1609]: 011e0001:4: Limiting icmp unreach response from 299 to 250 packets/sec
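Both messages quoted in this chapter (the sweeper_update aggressive-mode lines under adaptive reaping, and the ICMP unreachable rate-limit line above) can be picked out of /var/log/ltm for alerting. The following Python is an added example, not part of the F5 guide; the log sample it parses is constructed in the shapes shown above (timestamps, hostname and PID are made up), and the 85 percent low-water mark comes from the adaptive reaping procedure.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of /var/log/ltm lines in the format of the two messages quoted
# in this chapter. The third line is unrelated filler so the filter has noise to skip.
SAMPLE_LTM_LOG = """\
Jan 10 12:00:01 bigip1 notice tmm tmm[1609]: 011e0002:4: sweeper_update: aggressive mode activated. (117504/138240 pages)
Jan 10 12:00:02 bigip1 notice tmm tmm[1609]: 011e0001:4: Limiting icmp unreach response from 299 to 250 packets/sec
Jan 10 12:00:03 bigip1 info tmm tmm[1609]: 01010000:6: constructed unrelated message
Jan 10 12:00:09 bigip1 notice tmm tmm[1609]: 011e0002:4: sweeper_update: aggressive mode deactivated. (117503/138240 pages)
"""

SWEEPER_RE = re.compile(
    r"sweeper_update: aggressive mode (?P<state>activated|deactivated)\. "
    r"\((?P<used>\d+)/(?P<total>\d+) pages\)"
)
ICMP_LIMIT_RE = re.compile(
    r"Limiting icmp unreach response from (?P<offered>\d+) to (?P<limit>\d+) packets/sec"
)


@dataclass
class DosEvent:
    kind: str                           # "adaptive_reaping" or "icmp_unreach_limit"
    detail: str                         # "activated" / "deactivated" / "rate limited"
    memory_pct: Optional[float] = None  # used/total memory pages, reaper events only
    offered_pps: Optional[int] = None   # unmatched-packet rate seen, ICMP events only
    limit_pps: Optional[int] = None     # TM.MaxRejectRate in effect, ICMP events only


def parse_ltm_line(line: str) -> Optional[DosEvent]:
    """Classify one /var/log/ltm line; None for lines that are not DoS-related."""
    m = SWEEPER_RE.search(line)
    if m:
        used, total = int(m["used"]), int(m["total"])
        return DosEvent("adaptive_reaping", m["state"],
                        memory_pct=round(100.0 * used / total, 1))
    m = ICMP_LIMIT_RE.search(line)
    if m:
        return DosEvent("icmp_unreach_limit", "rate limited",
                        offered_pps=int(m["offered"]), limit_pps=int(m["limit"]))
    return None


def scan_ltm_log(text: str) -> List[DosEvent]:
    """Return every DoS-related event in a block of log text, in file order."""
    return [ev for ev in map(parse_ltm_line, text.splitlines()) if ev is not None]


def reaper_activations(events: List[DosEvent], low_water_pct: float = 85.0) -> List[DosEvent]:
    """Activations at or above the low-water mark set in the procedure above (85 by
    default): the moments the system began aggressively reaping idle connections."""
    return [ev for ev in events
            if ev.kind == "adaptive_reaping" and ev.detail == "activated"
            and ev.memory_pct is not None and ev.memory_pct >= low_water_pct]


def icmp_overflow(events: List[DosEvent]) -> int:
    """Total packets/sec offered above the reject-rate limit across ICMP events."""
    return sum(ev.offered_pps - ev.limit_pps
               for ev in events if ev.kind == "icmp_unreach_limit")


if __name__ == "__main__":
    for ev in scan_ltm_log(SAMPLE_LTM_LOG):
        print(ev)
```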

IPsec protocol configuration

You can configure the IPsec and IKE protocols when you want to use a protocol other than SSL to secure traffic that traverses a wide area network (WAN), from one BIG-IP® system to another. More specifically, you configure the IKE protocol to establish a secure channel during Phase 1 negotiation. You also configure the IPsec protocol for Tunnel mode and dynamic security negotiation, using a custom IPsec policy.

Note: Depending on your network topology, use of this feature is optional.

Creating an IKE peer

Use this procedure to create an IKE peer object on the BIG-IP system. The IKE peer object identifies to the system you are configuring the other BIG-IP system with which it communicates during Phase 1 negotiations. The IKE peer object also specifies the algorithms and credentials to be used for Phase 1 negotiation. Creating an IKE peer is a required step in the process of establishing a secure channel between the two systems.

Important: Perform this task on each BIG-IP system.

1. On the Main tab, click Network > IPsec > IKE Peers.

2. Click the Create button.

The New IKE Peer screen opens.

3. In the Name field, type a unique name for the IKE peer.

4. In the Description field, type a brief description of the IKE peer.

5. In the Remote Address field, type the IP address of the BIG-IP system that is remote to the system you are configuring.

This address must match the value of the Tunnel Remote Address setting in the relevant IPsec policy.

6. For the State setting, retain the default value, Enabled.

7. For the IKE Phase 1 Algorithms area, retain the default values.

8. For the IKE Phase 1 Credentials area, select one of the following:

Option: The default values
Description: The default authentication method is RSA signature.

Important: If you have your own certificate file, key file, and certificate authority (CA), it is recommended for security purposes that you specify these files, using the Certificate, Key, and Trusted Certificate Authorities settings.

Option: The authentication method Preshared Key
Description: This allows you to type a preshared key for use as the authentication method.

9. For the Common Settings area, retain all default values.

10. Click Finished.

The page refreshes and displays the new IKE peer in the list.

You now have IKE peers defined for establishing a secure channel.

Creating a bidirectional IPsec policy

Use this procedure to create a custom IPsec policy. You create a custom IPsec policy when you want to use a policy other than the default IPsec policy (default-ipsec-policy or default-ipsec-policy-isession). A typical reason for creating a custom IPsec policy is to configure IPsec to operate in Tunnel rather than Transport mode.

Important: Perform this task on each BIG-IP® system.

1. On the Main tab, click Network > IPsec > IPsec Policies.

2. Click the Create button.

The New Policy screen opens.

3. In the Name field, type a unique name for the policy.

4. In the Description field, type a brief description of the policy.

5. From the Mode list, select Tunnel.

The screen refreshes to show the Tunnel Local Address and Tunnel Remote Address settings.

6. In the Tunnel Local Address field, type the local IP address of the system you are configuring.

Sample tunnel local addresses for BIG-IP A and BIG-IP B are as follows:

System Name    Tunnel Local Address
BIG-IP A       2.2.2.2
BIG-IP B       3.3.3.3

7. In the Tunnel Remote Address field, type the IP address that is remote to the system you are configuring.

Sample tunnel remote addresses for BIG-IP A and BIG-IP B are as follows:

System Name    Tunnel Remote Address
BIG-IP A       3.3.3.3
BIG-IP B       2.2.2.2

8. For the Authentication Algorithm setting, retain the default value, AES-GCM128.

9. For the Encryption Algorithm setting, retain the default value, AES-GCM128.

10. For the Perfect Forward Secrecy setting, retain the default value, MODP1024.

11. For the Lifetime setting, retain the default value, 1440.

This is the length of time (in seconds) before the current security association expires.

12. Click Finished.


The screen refreshes and displays the new IPsec policy in the list.

You now have an IPsec policy for each IPsec traffic selector.

Creating a bidirectional IPsec traffic selector

Use this procedure to create an IPsec traffic selector that references a custom IPsec policy. The traffic selector you create filters traffic based on the IP addresses and port numbers that you specify, as well as the custom IPsec policy you assign.

1. On the Main tab, click Network > IPsec > Traffic Selectors.

2. Click Create.

The New Traffic Selector screen opens.

3. In the Name field, type a unique name for the traffic selector.

4. In the Description field, type a brief description of the traffic selector.

5. For the Order setting, retain the default value (First).

6. From the Configuration list, select Advanced.

7. For the Source IP Address setting, click Host or Network, and in the Address field, type an IP address.

This IP address should be the host or network address from which the application traffic originates.

Sample source IP addresses for BIG-IP A and BIG-IP B are as follows:

System Name    Source IP Address
BIG-IP A       1.1.1.0/24
BIG-IP B       4.4.4.0/24

8. From the Source Port list, select a source port, or retain the default value *All Ports.

9. For the Destination IP Address setting, click Host, and in the Address field, type an IP address.

This IP address should be the final host or network address to which the application traffic is destined.

Sample destination IP addresses for BIG-IP A and BIG-IP B are as follows:

System Name    Destination IP Address
BIG-IP A       4.4.4.0/24
BIG-IP B       1.1.1.0/24

10. From the Destination Port list, select a destination port, or retain the default value * All Ports.

11. From the Protocol list, select a protocol name.

You can select * All Protocols, TCP, UDP, ICMP, or Other. If you select Other, you must type a protocol name.

12. From the Direction list, select Both.

13. From the Action list, select Protect.

The IPsec Policy Name setting appears.

14. From the IPsec Policy Name list, select the name of the inbound IPsec policy that you previously created.

15. Click Finished.

The screen refreshes and displays the new IPsec traffic selector in the list.

You now have an IPsec traffic selector for each BIG-IP system.
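The IKE peer, IPsec policy and traffic selector procedures above impose several cross-object constraints: the peer's Remote Address must equal the policy's Tunnel Remote Address, and each system's tunnel and selector addresses must mirror the other system's. The following Python consistency check is an added example, not F5 code or a BIG-IP API; its dataclass field names are assumptions standing in for the Configuration utility settings named above, and it uses the sample addresses from these procedures.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List


@dataclass
class IkePeer:
    remote_address: str   # Remote Address field of the IKE peer


@dataclass
class IpsecPolicy:
    mode: str             # "Tunnel" or "Transport"
    tunnel_local: str     # Tunnel Local Address
    tunnel_remote: str    # Tunnel Remote Address


@dataclass
class TrafficSelector:
    source: str           # Source IP Address (host or network)
    destination: str      # Destination IP Address (host or network)
    direction: str        # "Both" for the bidirectional selector
    action: str           # "Protect" so the IPsec policy is applied


@dataclass
class BigIpIpsec:
    name: str
    peer: IkePeer
    policy: IpsecPolicy
    selector: TrafficSelector


def check_ipsec_pair(a: BigIpIpsec, b: BigIpIpsec) -> List[str]:
    """Return findings for the two sides; an empty list means they are consistent."""
    findings = []
    for side in (a, b):
        # The guide requires the IKE peer Remote Address to match the policy's Tunnel Remote Address.
        if side.peer.remote_address != side.policy.tunnel_remote:
            findings.append(f"{side.name}: IKE peer remote {side.peer.remote_address} "
                            f"does not match policy tunnel remote {side.policy.tunnel_remote}")
        if side.policy.mode != "Tunnel":
            findings.append(f"{side.name}: policy mode is {side.policy.mode}, expected Tunnel")
        if (side.selector.direction, side.selector.action) != ("Both", "Protect"):
            findings.append(f"{side.name}: selector must be Direction=Both, Action=Protect")
    # The two sides must mirror each other: A's tunnel local is B's tunnel remote,
    # and the network A protects as source is B's destination (and vice versa).
    for near, far in ((a, b), (b, a)):
        if near.policy.tunnel_local != far.policy.tunnel_remote:
            findings.append(f"{near.name} tunnel local {near.policy.tunnel_local} != "
                            f"{far.name} tunnel remote {far.policy.tunnel_remote}")
        if ip_network(near.selector.source) != ip_network(far.selector.destination):
            findings.append(f"{near.name} source {near.selector.source} != "
                            f"{far.name} destination {far.selector.destination}")
    return findings


# The sample addresses from the procedures above, entered on both systems.
BIGIP_A = BigIpIpsec("BIG-IP A", IkePeer("3.3.3.3"), IpsecPolicy("Tunnel", "2.2.2.2", "3.3.3.3"),
                     TrafficSelector("1.1.1.0/24", "4.4.4.0/24", "Both", "Protect"))
BIGIP_B = BigIpIpsec("BIG-IP B", IkePeer("2.2.2.2"), IpsecPolicy("Tunnel", "3.3.3.3", "2.2.2.2"),
                     TrafficSelector("4.4.4.0/24", "1.1.1.0/24", "Both", "Protect"))
# A constructed misconfiguration: B's selector copied A's source/destination without mirroring.
BIGIP_B_BAD = BigIpIpsec("BIG-IP B", IkePeer("2.2.2.2"), IpsecPolicy("Tunnel", "3.3.3.3", "2.2.2.2"),
                         TrafficSelector("1.1.1.0/24", "4.4.4.0/24", "Both", "Protect"))

if __name__ == "__main__":
    print(check_ipsec_pair(BIGIP_A, BIGIP_B))      # []
    print(check_ipsec_pair(BIGIP_A, BIGIP_B_BAD))  # two selector-mirroring findings
```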


Chapter 8: Dynamic Attack Mitigation

Topics:

• Overview
• Server resource cloaking
• Protection from Apache Killer attacks


Overview

The BIG-IP® data center firewall can provide dynamic attack mitigation through the use of iRules®. You can find detailed examples on the F5 Networks DevCentral web site, located at http://devcentral.f5.com.

Server resource cloaking

Server resource cloaking is one way to hide server-specific information from snooping clients. For example, you can write an iRule such as the following to clean web server signatures. This prevents unwanted information from being transmitted to hackers attempting to fingerprint the application and servers that run on a web site.

    when HTTP_RESPONSE {
        #
        # Remove all but the given headers.
        #
        HTTP::header sanitize "ETag" "Content-Type" "Connection"
    }

Protection from Apache Killer attacks

You can create iRules to prevent various DDoS attacks from succeeding on the network.

The following shows an example of an iRule that guards against an Apache Killer attack.

    when HTTP_REQUEST {
        # Flag a Range header that carries 40 or more comma-separated ranges.
        if { [HTTP::header exists "Range"] and ([HTTP::header "Range"] matches_regex {(,.*?){40,}}) } {
            log local0. "## Range attack CVE-2011-3192 detected from [IP::client_addr] on Host [HTTP::host]. [llength [split [HTTP::header "Range"] ","]] ranges requested."
            # Strip the header so the server answers the request as a plain GET.
            HTTP::header remove Range
            return
        }
    }


Chapter 9: Additional Attack Prevention using BIG-IP PSM and BIG-IP ASM

Topics:

• Overview
• What is BIG-IP Protocol Security Module?
• Advanced Layer 7 protection using BIG-IP Application Security Manager


Overview

You can configure additional features to prevent attacks, using the BIG-IP® Protocol Security Module™ (PSM™) and BIG-IP® Application Security Manager™ (ASM™) modules.

What is BIG-IP Protocol Security Module?

One of the modules that you can configure to enhance the BIG-IP system's firewall capability is the BIG-IP® Protocol Security Module™ (PSM). PSM™ offers these benefits:

• Provides advanced protocol security and ensures compliance for common internet protocols.
• Protects your web servers, FTP and SMTP servers, masks sensitive data, and blocks spam.
• Performs security checks and validation for the HTTP, HTTPS, FTP, and SMTP protocols.
• Automatically creates HTTP, FTP, and SMTP profiles within PSM when you enable the Protocol Security setting on LTM HTTP, FTP, and SMTP profiles. This ensures that when you create LTM® profiles for those traffic types, you take advantage of PSM security benefits.

Applying protocol security to an LTM profile

Before performing this procedure, verify that you have installed and provisioned BIG-IP® Protocol Security Module™ (PSM) on the BIG-IP system.

Use this procedure to apply protocol security to an existing BIG-IP® Local Traffic Manager™ LTM® profile.

Note: This procedure shows how to enable protocol security on an HTTP profile. You can do this for FTP and SMTP profiles as well.

1. On the Main tab, click Local Traffic > Profiles > Services > HTTP.

The HTTP profile list screen opens.

2. In the Name column, click the name of the profile you want to modify.

The properties screen for the selected profile opens.

3. Select the Custom check box for the Settings area.

The settings become available for editing.

4. Scroll down to the Protocol Security setting, and select the check box.

5. Click Update.

A corresponding profile appears in PSM.

After creating these profiles, you must assign them to a virtual server.


Advanced Layer 7 protection using BIG-IP Application Security Manager

If you have BIG-IP® Application Security Manager™ (ASM) licensed and provisioned on the system, you can configure ASM™ to protect against typical Denial of Service (DoS) attacks and Brute Force attacks.

For more information, see the white paper titled Intelligent Layer 7 DoS and Brute Force Protection for Web Applications on the F5 Networks web site http://www.f5.com.


Index

A

access control
    configuring 19
    for BIG-IP users 19
    on per-virtual server basis 32
    with packet filters and virtual servers 12
access control types 30
access policies 30
ACLs
    examples 34
adaptive connection reaping
    configuring 42
admin account 16
administrative access
    controlling 18, 19
administrative partitions
    access to 19
Apache Killer attacks 48
application fingerprinting 48
attack mitigation
    and iRules 48

B

BIG-IP ASM 50, 51
BIG-IP Configuration utility
    controlling access to 18
BIG-IP PSM 50
Brute Force attacks 51

C

certificates, See x509 certificates.
clients
    hiding information from 48
cloaking 48
concurrent connections
    for BIG-IP Configuration utility 18
connection reaping
    configuring 42
connection thresholds 43

D

data center protection 12
DDoS attacks
    preventing 42
Denial of Service attacks
    preventing 51
    reducing effects of 42, 43, 48
destination IP addresses
    for traffic selectors 46
DNS servers 16

E

expressions
    for packet filtering 30

F

filter ordering 12
fingerprinting 48
firewall features 12
firewalls
    and logging 22
firewall services 12

H

health monitors
    assigning to pools 35
high-speed logging
    and firewalls 22
    and server pools 22
high-water mark thresholds 42
host names 16
host virtual servers 34, 36
HTTP profiles
    creating 34
HTTP requests and responses
    logging 23

I

ICMP error responses
    limiting 43
ICMP packet handling 43
ICMP unreachable packets
    limiting 43
idle timeout
    for BIG-IP Configuration utility 18
IKE Phase 1
    configuring 44
internet protocols
    compliance for 50
IPsec IKE peers
    creating 44
IPsec policies
    creating 45
IPsec protocol suite
    described 44
IPsec traffic selectors
    creating 46
iRules
    creating 36
    for access control 32, 34
    for Apache Killer attacks 48
    for dynamic attack mitigation 48
    for signature cleaning 48
    for virtual servers 12

L

listeners
    for packet handling 12
log content
    determining 22
log data
    analyzing 23
logging
    and pools 22
login failures 18
log servers 22
low-water mark thresholds 42
LTM profiles
    creating 50

M

management IP addresses 16
memory utilization
    and connection thresholds 42
monitors
    assigning to pools 35

N

network infrastructure
    protecting 12
network virtual servers 34, 38
NTP servers 16

O

order
    of packet evaluation 12

P

packet evaluation 12
packet filtering
    enabling 30
packet filter rules
    about 30
    creating 31
packet filters
    about 30
packet rejection 30
parameters
    for request logging 24
partitions
    access to 19
password policies 18
passwords
    for root and admin 16
performance monitors
    assigning to pools 35
Phase 1 negotiation
    and IKE protocol 44
pools
    creating 35
    for high-speed logging 22
port lockdown 19
profiles
    and PSM 50
    creating for HTTP 34
protocol security 50

R

redundancy settings 16
remote logging 22
remote servers
    for high-speed logging 22
request logging
    code elements 24
request logging profile
    and standard log formats 26
    for NCSA Common 27
Request Logging profiles 23
resource cloaking 48
root account 16

S

secure channels
    establishing 44
security banner 18
security checks
    performing with PSM 50
security settings
    for BIG-IP users 18
self IP addresses
    and VLANs 19
    as prerequisite 16
    creating 19
sensitive data
    masking with PSM 50
server fingerprinting 48
server resource cloaking 48
servers
    for high-speed logging 22
SIEM vendors 12
SNAT precedence 12
SNATs
    configuring client 39
source ports
    and traffic selectors 46
spam
    blocking with PSM 50
SSL protocol
    alternative to 44
static routes
    adding 39
SYN Check threshold
    activating 43
Syslog servers
    remote logging to 22
system prerequisites 16

T

traffic listeners
    for packet handling 12
traffic selectors
    creating 46

U

user access
    controlling 19
user lockout 18
user roles
    for system access 19

V

virtual servers
    and access control 12
    assigning iRules to 32
    creating 36, 38
    examples 37, 38
    examples of 34
VLANs
    and self IP addresses 19
    as prerequisite 16

W

WAN traversal
    using IPsec 44

X

x509 certificates
    and IKE peers 44