F5 Federal Security Hardening & Remediation
Michael Coleman, Senior Federal Systems Engineer
2018
© F5 Networks, Inc 2
F5 Security Certifications & Compliance
• (NIST) FIPS 140-2
• NIST SP 800-53r4
• DNSSEC
• USGv6 (IPV6)
• NIAP CC EAL2+ & EAL4+
• JTIC PKE Certification
• DISA UC-APL (TN#1312201): IA Tool
• US Army's IA-APL
• ICSA Certifications:
  • WAF, Network Firewall, IPSEC, SSL-TLS VPN
• C&A (RMF) Current ATO
• F5 Device STIG/SRG
  • DISA
  • NMCI
  • JWICS
  • SOCOM & CENTCOM
  • ARMY
  • USMC
  • NAVY
  • AF
https://f5.com/about-us/compliance-and-certifications
F5 Device Hardening Topics
• F5 "Appliance Mode"
• National Institute of Standards and Technology [NIST] 800-53r4
• DoD Instruction 8500 (Certification and Accreditation): DITSCAP, DIACAP, Risk Management Framework [RMF]
  • Security Technical Implementation Guide [STIG] / Security Requirements Guide [SRG]
• Defense Information Security Agency Unified Communications Configuration Office Approved Product List Certification [DISA UCCO APL] Military Unique Deployment
• Traffic Management Operating System [TMOS] Hardening
• Secure Sockets Layer [SSL] / Transport Layer Security [TLS] & Federal Information Processing Standard [FIPS] 140-2
• National Information Assurance Partnership [NIAP] Common Criteria [CC] EAL4+
• Common Vulnerability & Exposure [CVE] Scanning, Remediation, False Positives
F5 Appliance Mode (App Mode Lite)
Platforms: VIPRION, BIG-IP, BIG-IP Virtual Edition
Appliance Mode is a zero-dollar license option which, when applied, provides additional BIG-IP device security by removing access to the Advanced Shell (bash) and to the root account. TMSH becomes the default shell once it is applied.
Appliance Mode has two options:
• Licensed – permanent; cannot be removed.
• Enabled – configurable; can be toggled.
Disable / Rename Default Admin Accounts
• Root login is disabled automatically by Appliance Mode / App Mode Lite. Otherwise, disable it manually [SOL15632]:
  • #tmsh modify sys db systemauth.disablerootlogin value true
  • #tmsh save sys config
• Admin is used for the GUI, but it can be disabled or renamed (recreated under a new name) using the following guidance [SOL14943]:
  • Create a new admin user first, via the GUI.
  • Then remove the default admin, via the CLI:
    • #userdel admin
NIST Special Publication 800-53 Revision 4
• F5 iApp [Wizard]:
• https://www.f5.com/pdf/deployment-guides/nist-sp-800-53-r4-dg.pdf
DoD 8500: Risk Management Framework, SRG & STIG
• Network / Perimeter / Wireless – Network Infrastructure (Other Network Devices)
• http://iase.disa.mil/stigs/net_perimeter/network-infrastructure/Pages/other.aspx
Download | Date | Size | Format
F5 BIG-IP Access Policy Manager (APM) 11.x STIG | 6/11/2015 | 91 KB | ZIP
F5 BIG-IP Advanced Firewall Manager (AFM) 11.x STIG | 6/11/2015 | 241 KB | ZIP
F5 BIG-IP Application Security Manager (ASM) 11.x STIG | 6/11/2015 | 245 KB | ZIP
F5 BIG-IP Device Management 11.x STIG | 6/11/2015 | 266 KB | ZIP
F5 BIG-IP Local Traffic Manager (LTM) 11.x STIG | 6/11/2015 | 268 KB | ZIP
F5 BIG-IP STIG Overview, Version 1 | 6/11/2015 | 91 KB | ZIP
F5 BIG-IP STIGs, Version 1 memo | 6/11/2015 | 68 KB | PDF
STIG iApp – Network Device Other – ~Obsolete
This iApp pre-dates the FINAL F5 STIG / SRG release (July 2015), but accounts for the majority of STIG items in Network Device Other, EXCLUDING the following:
1. NET0700 – disables bash and root, but breaks the rest of the iApp once it is enabled. A workaround is still being troubleshot; the option is present but the procedure is disabled.
2. NET1647 – adds the "Protocol 2" string as an include to sshd. The tmsh command that sets sshd includes does not accept multiple values (the other required include is "MaxAuthTries 3").
3. NET0440 – some of the required commands are only available in 11.6; the iApp needs to adjust for version (remove this option for < 11.6).
4. NET1640 – sets up MCP logging.
5. NET0992 – sets up ACLs for the management interface.
6. NET0340 – sets up the DoD banner.
7. NET0386 – sets up log quota size alerts (the script still needs to be integrated).
But, there is a STIG / SRG Script available!
• https://github.com/Mikej81/PowerSRG
• Disclaimer: This is not written, nor supported, by F5. It is an open-source project created by an F5 employee attempting to help customers streamline their STIG / SRG and hardening configurations.
DISA UCCO APL IO Certification – Military Unique Deployment Guide [MUDG] v1.2
• This document pre-dates the FINAL F5 STIG / SRG release (July 2015). New versions will be in development, but will most likely focus on TMOS v12.1 release features.
• Contact the DISA UCCO FSO for a copy, or email your F5 Account Team to get the most recent release.
• The current version of the document only accounts for 11.6 and does NOT include remediations for the new STIGs / SRGs released in July 2015. YET.
TMOS Hardening – At a Glance
• F5 has identified the following security recommendations:
  • Develop a system access policy.
  • Develop user and password management.
  • Monitor policy for login failures.
  • Monitor for indications of DoS/DDoS attacks.
  • Join the DevCentral Security Compliance Forum.
  • Join the security mailing list.
TMOS Hardening – Architecture
• The switch module connects to the PVA (F5 custom-engineered ASIC).
• The PVA is directly connected to the switch module; traffic the PVA handles never goes any further.
• Traffic NOT handled by the PVA is passed to the next layer, the Traffic Management Microkernel [TMM].
The F5 TMOS Operations Guide is available now:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-tmos-operations-guide.html
TMOS Hardening
• Allow None on Self IPs – please stop using self-IPs for management.
• Packet Filtering
• Disable non-required services (but don't)
• Management Web ACLs
• Management SSH ACLs
• Secure NTP
FIPS 140-2 Compliance
Level 1
• Evaluated crypto algorithms and/or random number generators
• No physical security requirements; can be software only
Level 2 (L1+)
• Physical enclosures with pick-resistant locks or tamper-evident stickers
• Enclosures "opaque in the visible spectrum"
Level 3 (L2+)
• Automatic deletion
Level 4 (L3+)
• Kevlar jacketing and EMP-like deletion
• Hermetically sealed enclosure
FIPS 140-2 – Key Storage
• The FIPS Administration Manual contains detailed instructions for initializing the FIPS HSM for each platform / version.
• https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-platform-fips-administration.pdf
• Keep the security domain name and password in a secure location. You need them when you initialize the internal HSM on the peer unit, and again when replacing a unit (for RMA or other reasons).
• Initialization example:
  • #tmsh
  • #run util fips-util info
  • #run util fips-util -f init
  • #restart sys service all
FIPS 140-2 – Ciphers
• FIPS 140-2 applies not only to key storage but also to using FIPS-compliant ciphers. For a list of supported ciphers on F5, run the following from the CLI:
• #openssl ciphers -v 'FIPS'
• A shortened list (non-SSLv3) follows.
• In Local Traffic Manager, under Profiles > ClientSSL, set the profile view to Advanced and change the Ciphers box to one of the ciphers listed.
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
PKI (SSL / TLS): A+ SSL Labs score
• NATIVE:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:!SSLv3:!TLSv1:!EXPORT:!DH:!ADH:!LOW:!MD5:!RC4:RSA+AES:RSA+3DES:@STRENGTH
• !LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:!DHE:ECDHE+AES-GCM:DHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES:@SPEED
• In 11.6: iRule
• In 12.0: DEFAULT cipher & enable HSTS
• Verify the configured ClientSSL ciphers:
  • nmap --script ssl-enum-ciphers -p 443 [virtual server, e.g. www.domain.com]
• Make sure clients support the selected ciphers…
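The check the two cipher slides describe (pick suites from the `openssl ciphers -v 'FIPS'` listing, then confirm with nmap what the virtual server really negotiates), worked offline as an added example. This is not F5's code and not from the slides; the `openssl ciphers -v` listing and the `ssl-enum-ciphers` report below are constructed samples in those tools' output layout, the OpenSSL-to-IANA name mapping covers only the AES suites on the slide, and "TLSv1.2 only" mirrors the `!SSLv3:!TLSv1` cipher strings above. One caveat it makes visible: the FIPS alias still lists the anonymous ADH-* suites (Au=None), which the cipher strings above exclude with `!ADH`, so the approved set is built only from authenticated suites.

```python
import re

# Constructed sample in the layout of `openssl ciphers -v 'FIPS'` output
# (five of the suites from the slide's list); not captured from a device.
OPENSSL_FIPS_LISTING = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
"""

# Constructed sample in the layout of `nmap --script ssl-enum-ciphers -p 443`
# output against a hypothetical virtual server; not a real scan result.
NMAP_REPORT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DH_anon_WITH_AES_128_GCM_SHA256 (dh 2048) - F
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: F
"""

APPROVED_PROTOCOLS = {"TLSv1.2"}  # the slide's cipher strings drop SSLv3 and TLSv1


def parse_openssl_listing(text):
    """Parse `openssl ciphers -v` lines into dicts: name, proto, kx, au, enc, mac."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        attrs = {k.lower(): v for k, v in (p.split("=", 1) for p in parts[2:])}
        suites.append({"name": parts[0], "proto": parts[1], **attrs})
    return suites


def authenticated_suites(suites):
    """Keep only suites that authenticate the server (Au != None): the FIPS
    alias still lists anonymous DH (ADH-*) suites, which encrypt but give a
    client no way to know who it is talking to."""
    return [s["name"] for s in suites if s["au"] != "None"]


def openssl_to_iana(name):
    """Map an OpenSSL AES suite name to the IANA TLS_* name nmap prints.
    Assumption: only the AES-CBC / AES-GCM families on the slide are handled."""
    tokens = name.split("-")
    i = next(i for i, t in enumerate(tokens) if t.startswith("AES"))
    prefix = "_".join(tokens[:i])                 # "ECDHE_RSA", "ADH", "" ...
    kx = {"": "RSA", "ADH": "DH_anon"}.get(prefix, prefix)
    bits = tokens[i][3:]                          # "AES256" -> "256"
    mode = "GCM" if "GCM" in tokens else "CBC"
    return f"TLS_{kx}_WITH_AES_{bits}_{mode}_{tokens[-1]}"


def parse_nmap_report(text):
    """Return {protocol: [IANA suite names]} from ssl-enum-ciphers output."""
    offered, proto = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ ")                 # strip nmap's tree prefix
        m = re.match(r"(SSLv3|TLSv1\.[0-3]):", body)
        if m:
            proto = m.group(1)
            offered[proto] = []
            continue
        m = re.match(r"(TLS_[A-Za-z0-9_]+)", body)
        if m and proto is not None:
            offered[proto].append(m.group(1))
    return offered


def audit(offered, approved_openssl_names):
    """Return (protocol, subject, reason) findings for anything the server
    offers outside the approved protocol / suite set."""
    approved = {openssl_to_iana(n) for n in approved_openssl_names}
    findings = []
    for proto, suites in offered.items():
        if proto not in APPROVED_PROTOCOLS:
            findings.append((proto, proto, "legacy protocol still offered"))
        for s in suites:
            if "_anon_" in s:
                findings.append((proto, s, "anonymous suite: no server authentication"))
            elif s not in approved:
                findings.append((proto, s, "not in the approved FIPS suite set"))
    return findings


def run_sample_audit():
    """Audit the constructed nmap report against the constructed FIPS listing."""
    approved = authenticated_suites(parse_openssl_listing(OPENSSL_FIPS_LISTING))
    return audit(parse_nmap_report(NMAP_REPORT), approved)


if __name__ == "__main__":
    for proto, subject, reason in run_sample_audit():
        print(f"{proto}: {subject}: {reason}")
```

On the sample the audit reports three findings: TLSv1.0 is still offered, its AES-128-CBC-SHA suite is outside the approved set, and the TLSv1.2 list contains an anonymous suite. Against a real device, replace the two constants with the captured `openssl ciphers -v 'FIPS'` output and the nmap output for the virtual server; the name mapping would need extending for non-AES families such as 3DES.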
Common Criteria – EAL4+
• The ccmode command is a command script used during configuration of a Common Criteria evaluation-compliant system, to easily make a subset of the required configuration changes.
• This command has no facility for "undoing" the changes it makes. Instead, the administrator must reverse or revise all of the individual commands, reset the DB variables to their defaults, save the new configuration, and restart the BIG-IP.
• From the BIG-IP:
  • #tmsh
  • #ccmode
Common Vulnerability & Exposure [CVE] Scanning, Remediation, False Positives
• Google: site:f5.com [CVE-ID]
  • e.g. site:f5.com CVE-2015-1793
• Open a case, identifying the CVE.
• Reach out to your account team.